authorGarrett D'Amore <garrett@damore.org>2021-08-09 16:13:16 -0700
committerGarrett D'Amore <garrett@damore.org>2021-08-09 16:13:55 -0700
commit22f089b6b5ebe3be380c33c926990fe891ae0da9 (patch)
tree99e8ded3ec6f4edf3845cc8e47b819d1840b5a1b /src/supplemental
parente755e1a7a15ce001ddd74fde9fc9bce6f4d978ad (diff)
fixes #1478 mbedTLS 3.0 is not API compatible with 2.x
Diffstat (limited to 'src/supplemental')
-rw-r--r--src/supplemental/tls/mbedtls/tls.c42
-rw-r--r--src/supplemental/tls/tls_common.c2
-rw-r--r--src/supplemental/tls/tls_test.c6
3 files changed, 41 insertions, 9 deletions
diff --git a/src/supplemental/tls/mbedtls/tls.c b/src/supplemental/tls/mbedtls/tls.c
index 1f9453c1..a216b3a6 100644
--- a/src/supplemental/tls/mbedtls/tls.c
+++ b/src/supplemental/tls/mbedtls/tls.c
@@ -1,5 +1,5 @@
//
-// Copyright 2020 Staysail Systems, Inc. <info@staysail.tech>
+// Copyright 2021 Staysail Systems, Inc. <info@staysail.tech>
// Copyright 2018 Capitar IT Group BV <info@capitar.com>
// Copyright 2019 Devolutions <info@devolutions.net>
//
@@ -44,13 +44,13 @@ static nni_mtx rng_lock;
#endif
struct nng_tls_engine_conn {
- void * tls; // parent conn
+ void *tls; // parent conn
mbedtls_ssl_context ctx;
};
struct nng_tls_engine_config {
mbedtls_ssl_config cfg_ctx;
- char * server_name;
+ char *server_name;
mbedtls_x509_crt ca_certs;
mbedtls_x509_crl crl;
int min_ver;
@@ -104,14 +104,29 @@ static struct {
int tls;
int nng;
} tls_errs[] = {
+#ifdef MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE
{ MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE, NNG_EPEERAUTH },
+#endif
+#ifdef MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED
{ MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED, NNG_EPEERAUTH },
+#endif
+#ifdef MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED
{ MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED, NNG_EPEERAUTH },
+#endif
+#ifdef MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
{ MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE, NNG_EPEERAUTH },
+#endif
{ MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY, NNG_ECONNREFUSED },
{ MBEDTLS_ERR_SSL_ALLOC_FAILED, NNG_ENOMEM },
{ MBEDTLS_ERR_SSL_TIMEOUT, NNG_ETIMEDOUT },
{ MBEDTLS_ERR_SSL_CONN_EOF, NNG_ECLOSED },
+// MbedTLS 3.0 error codes
+#ifdef MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE
+ { MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE, NNG_EPEERAUTH },
+#endif
+#ifdef MBEDTLS_ERR_SSL_BAD_CERTIFICATE
+ { MBEDTLS_ERR_SSL_BAD_CERTIFICATE, NNG_EPEERAUTH },
+#endif
// terminator
{ 0, 0 },
};
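Review bot: MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE is mapped to NNG_EPEERAUTH, but as far as I know mbedTLS 3.x also returns that code for negotiation failures that have nothing to do with authentication (the 2.x NO_USABLE_CIPHERSUITE case, which the table now guards out, is one of them), so a caller will see a peer-auth error for what may be a plain protocol or ciphersuite mismatch. If the coarser mapping is intentional, say so next to the entry so nobody "fixes" it later: `// 3.x folds several 2.x negotiation failures into this code; EPEERAUTH is the closest we can report`. The tls_errs declaration starts before the hunk, and what tls_mk_err does for codes absent from the table is not visible here, so I can't tell whether an unmapped 3.x code degrades to a generic error or something worse.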
@@ -337,7 +352,7 @@ config_server_name(nng_tls_engine_config *cfg, const char *name)
if ((dup = nni_strdup(name)) == NULL) {
return (NNG_ENOMEM);
}
- if (cfg->server_name) {
+ if (cfg->server_name != NULL) {
nni_strfree(cfg->server_name);
}
cfg->server_name = dup;
@@ -395,7 +410,7 @@ config_own_cert(nng_tls_engine_config *cfg, const char *cert, const char *key,
{
size_t len;
const uint8_t *pem;
- pair * p;
+ pair *p;
int rv;
if ((p = NNI_ALLOC_STRUCT(p)) == NULL) {
@@ -413,8 +428,13 @@ config_own_cert(nng_tls_engine_config *cfg, const char *cert, const char *key,
pem = (const uint8_t *) key;
len = strlen(key) + 1;
- rv = mbedtls_pk_parse_key(&p->key, pem, len, (const uint8_t *) pass,
- pass != NULL ? strlen(pass) : 0);
+#if MBEDTLS_VERSION_MAJOR < 3
+ rv = mbedtls_pk_parse_key(&p->key, pem, len, (const uint8_t *) pass,
+ pass != NULL ? strlen(pass) : 0);
+#else
+ rv = mbedtls_pk_parse_key(&p->key, pem, len, (const uint8_t *) pass,
+ pass != NULL ? strlen(pass) : 0, tls_random, NULL);
+#endif
if (rv != 0) {
rv = tls_mk_err(rv);
goto err;
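Review bot: The 3.x branch passes `tls_random, NULL` with no explanation of why key parsing now needs an RNG, and the `#if MBEDTLS_VERSION_MAJOR < 3` silently picks the 2.x call if that macro is not defined at this point, since an undefined identifier in `#if` evaluates to 0. A short comment above the `#if` would cover both: `// mbedTLS 3.x mbedtls_pk_parse_key takes an RNG (used for RSA private-key checks); MBEDTLS_VERSION_MAJOR comes from mbedtls/version.h`. I'm assuming tls_random is the nng-backed callback defined earlier in this file (the rng_lock static suggests so); confirm it is declared before this use. config_own_cert begins and ends outside the hunk.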
@@ -448,12 +468,16 @@ config_version(nng_tls_engine_config *cfg, nng_tls_version min_ver,
return (NNG_ENOTSUP);
}
switch (min_ver) {
+#ifdef MBEDTLS_SSL_MINOR_VERSION_1
case NNG_TLS_1_0:
v1 = MBEDTLS_SSL_MINOR_VERSION_1;
break;
+#endif
+#ifdef MBEDTLS_SSL_MINOR_VERSION_2
case NNG_TLS_1_1:
v1 = MBEDTLS_SSL_MINOR_VERSION_2;
break;
+#endif
case NNG_TLS_1_2:
v1 = MBEDTLS_SSL_MINOR_VERSION_3;
break;
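Review bot: With MBEDTLS_SSL_MINOR_VERSION_1 and _2 undefined on mbedTLS 3.x, the NNG_TLS_1_0 and NNG_TLS_1_1 cases vanish from this switch and from the max_ver switch in the next hunk, so correctness now depends on each switch's default arm, which is outside both hunks, returning NNG_ENOTSUP instead of leaving v1/v2 unset. Failing closed is the right outcome here, since a caller asking for a TLS 1.0 floor should be refused rather than silently raised to 1.2, but the reason deserves to survive in the code: `// TLS 1.0/1.1 are gone in mbedTLS 3.x; requests for them fall to the default (NNG_ENOTSUP)` at the top of each guarded block, assuming that is what the default does. config_version begins and ends outside the hunk.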
@@ -462,12 +486,16 @@ config_version(nng_tls_engine_config *cfg, nng_tls_version min_ver,
}
switch (max_ver) {
+#ifdef MBEDTLS_SSL_MINOR_VERSION_1
case NNG_TLS_1_0:
v2 = MBEDTLS_SSL_MINOR_VERSION_1;
break;
+#endif
+#ifdef MBEDTLS_SSL_MINOR_VERSION_2
case NNG_TLS_1_1:
v2 = MBEDTLS_SSL_MINOR_VERSION_2;
break;
+#endif
case NNG_TLS_1_2:
case NNG_TLS_1_3: // We lack support for 1.3, so treat as 1.2.
v2 = MBEDTLS_SSL_MINOR_VERSION_3;
diff --git a/src/supplemental/tls/tls_common.c b/src/supplemental/tls/tls_common.c
index 2ae50f15..404a8cf7 100644
--- a/src/supplemental/tls/tls_common.c
+++ b/src/supplemental/tls/tls_common.c
@@ -1374,7 +1374,7 @@ nng_tls_config_alloc(nng_tls_config **cfg_p, nng_tls_mode mode)
return (NNG_ENOTSUP);
}
- size = NNI_ALIGN_UP(sizeof(*cfg) + eng->config_ops->size);
+ size = NNI_ALIGN_UP(sizeof(*cfg)) + eng->config_ops->size;
if ((cfg = nni_zalloc(size)) == NULL) {
return (NNG_ENOMEM);
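Review bot: The corrected expression aligns the end of the nng_tls_config header and then appends the engine's private size, which is the right shape, but whatever code later locates the engine config inside that allocation (presumably `(char *)cfg + NNI_ALIGN_UP(sizeof(*cfg))` or equivalent) is not in the hunk and must use exactly this offset, or the engine will read past or overlap the header. A one-line comment on the new line would tie the two together: `// engine config lives immediately after the aligned nng_tls_config header`. nng_tls_config_alloc continues outside the hunk.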
diff --git a/src/supplemental/tls/tls_test.c b/src/supplemental/tls/tls_test.c
index 244f68ca..96d95fb6 100644
--- a/src/supplemental/tls/tls_test.c
+++ b/src/supplemental/tls/tls_test.c
@@ -28,7 +28,10 @@ test_tls_config_version(void)
NUTS_FAIL(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_3 + 1),
NNG_ENOTSUP);
- // Verify that we *can* configure some various ranges.
+ // Verify that we *can* configure some various ranges starting with
+ // TLS v1.2. Note that some libraries no longer support TLS 1.0
+ // and TLS 1.1, so we don't test for them.
+#if 0
NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_0));
NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_1));
NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_2));
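Review bot: The `#if 0` leaves the TLS 1.0/1.1 assertions as dead code, so on an engine that still supports those versions nothing exercises them and on one that does not, nothing checks that they are refused. Asserting the outcome either way keeps the test meaningful without depending on the library, e.g. replace the disabled block with a check of the form `rv = nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_2); NUTS_TRUE(rv == 0 || rv == NNG_ENOTSUP);`, repeated for the 1.1 cases. I'm inferring a NUTS_TRUE macro from the NUTS_PASS/NUTS_FAIL family; use whatever the harness provides. test_tls_config_version continues past the hunk.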
@@ -36,6 +39,7 @@ test_tls_config_version(void)
NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_1, NNG_TLS_1_1));
NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_1, NNG_TLS_1_2));
NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_1, NNG_TLS_1_3));
+#endif
NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_2, NNG_TLS_1_2));
NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_2, NNG_TLS_1_3));