Fix MBEDTLS_DEPRECATED_REMOVED build errors

This commit allows compiling OpenVPN with recent versions of mbed TLS
if MBEDTLS_DEPRECATED_REMOVED is defined.

Cherry-pick note:
- Adapt to still support TLS 1.0 and 1.1 which were removed in
  master.

Change-Id: If96c2ebd2af16b18ed34820e8c0531547e2076d9
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20240618120127.4564-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28771.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8eb397de3656402872f9c9584c6f703b87b50762)
Message-Id: <20250429154923.20921-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20250429154923.20921-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>

src/openvpn/mbedtls_compat.h

@@ -40,6 +40,7 @@
 #include <mbedtls/cipher.h>
 #include <mbedtls/ctr_drbg.h>
 #include <mbedtls/dhm.h>
+#include <mbedtls/ecp.h>
 #include <mbedtls/md.h>
 #include <mbedtls/pem.h>
 #include <mbedtls/pk.h>
@@ -51,6 +52,12 @@
     #include <psa/crypto.h>
 #endif
 
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+typedef uint16_t mbedtls_compat_group_id;
+#else
+typedef mbedtls_ecp_group_id mbedtls_compat_group_id;
+#endif
+
 static inline void
 mbedtls_compat_psa_crypto_init(void)
 {
@@ -64,6 +71,16 @@ mbedtls_compat_psa_crypto_init(void)
 #endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */
 }
 
+static inline mbedtls_compat_group_id
+mbedtls_compat_get_group_id(const mbedtls_ecp_curve_info *curve_info)
+{
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+    return curve_info->tls_id;
+#else
+    return curve_info->grp_id;
+#endif
+}
+
 /*
  * In older versions of mbedtls, mbedtls_ctr_drbg_update() did not return an
  * error code, and it was deprecated in favor of mbedtls_ctr_drbg_update_ret()
@@ -124,6 +141,36 @@ mbedtls_compat_pk_parse_keyfile(mbedtls_pk_context *ctx,
 }
 
 #if MBEDTLS_VERSION_NUMBER < 0x03020100
+typedef enum {
+    MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */
+    MBEDTLS_SSL_VERSION_TLS1_0 = 0x0301, /*!< (D)TLS 1.0 */
+    MBEDTLS_SSL_VERSION_TLS1_1 = 0x0302, /*!< (D)TLS 1.1 */
+    MBEDTLS_SSL_VERSION_TLS1_2 = 0x0303, /*!< (D)TLS 1.2 */
+    MBEDTLS_SSL_VERSION_TLS1_3 = 0x0304, /*!< (D)TLS 1.3 */
+} mbedtls_ssl_protocol_version;
+
+static inline void
+mbedtls_ssl_conf_min_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version)
+{
+    int major = (tls_version >> 8) & 0xff;
+    int minor = tls_version & 0xff;
+    mbedtls_ssl_conf_min_version(conf, major, minor);
+}
+
+static inline void
+mbedtls_ssl_conf_max_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version)
+{
+    int major = (tls_version >> 8) & 0xff;
+    int minor = tls_version & 0xff;
+    mbedtls_ssl_conf_max_version(conf, major, minor);
+}
+
+static inline void
+mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, mbedtls_compat_group_id *groups)
+{
+    mbedtls_ssl_conf_curves(conf, groups);
+}
+
 static inline size_t
 mbedtls_cipher_info_get_block_size(const mbedtls_cipher_info_t *cipher)
 {

src/openvpn/ssl_mbedtls.c

@@ -401,7 +401,7 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
 
     /* Get number of groups and allocate an array in ctx */
     int groups_count = get_num_elements(groups, ':');
-    ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_ecp_group_id, groups_count + 1)
+    ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_compat_group_id, groups_count + 1)
 
     /* Parse allowed ciphers, getting IDs */
     int i = 0;
@@ -418,11 +418,15 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
         }
         else
         {
-            ctx->groups[i] = ci->grp_id;
+            ctx->groups[i] = mbedtls_compat_get_group_id(ci);
             i++;
         }
     }
-    ctx->groups[i] = MBEDTLS_ECP_DP_NONE;
+
+    /* Recent mbedtls versions state that the list of groups must be terminated
+     * with 0. Older versions state that it must be terminated with MBEDTLS_ECP_DP_NONE
+     * which is also 0, so this works either way. */
+    ctx->groups[i] = 0;
 
     gc_free(&gc);
 }
@@ -1049,47 +1053,40 @@ tls_version_max(void)
 }
 
 /**
- * Convert an OpenVPN tls-version variable to mbed TLS format (i.e. a major and
+ * Convert an OpenVPN tls-version variable to mbed TLS format
- * minor ssl version number).
  *
  * @param tls_ver       The tls-version variable to convert.
- * @param major         Returns the TLS major version in mbed TLS format.
+ *
- *                      Must be a valid pointer.
+ * @return Translated mbedTLS SSL version from OpenVPN TLS version.
- * @param minor         Returns the TLS minor version in mbed TLS format.
- *                      Must be a valid pointer.
  */
-static void
+static mbedtls_ssl_protocol_version
-tls_version_to_major_minor(int tls_ver, int *major, int *minor)
+tls_version_to_ssl_version(int tls_ver)
 {
-    ASSERT(major);
-    ASSERT(minor);
-
     switch (tls_ver)
     {
 #if defined(MBEDTLS_SSL_PROTO_TLS1)
         case TLS_VER_1_0:
-            *major = MBEDTLS_SSL_MAJOR_VERSION_3;
+            return MBEDTLS_SSL_VERSION_TLS1_0;
-            *minor = MBEDTLS_SSL_MINOR_VERSION_1;
-            break;
 #endif
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
         case TLS_VER_1_1:
-            *major = MBEDTLS_SSL_MAJOR_VERSION_3;
+            return MBEDTLS_SSL_VERSION_TLS1_1;
-            *minor = MBEDTLS_SSL_MINOR_VERSION_2;
-            break;
 #endif
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
         case TLS_VER_1_2:
-            *major = MBEDTLS_SSL_MAJOR_VERSION_3;
+            return MBEDTLS_SSL_VERSION_TLS1_2;
-            *minor = MBEDTLS_SSL_MINOR_VERSION_3;
+#endif
-            break;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+        case TLS_VER_1_3:
+            return MBEDTLS_SSL_VERSION_TLS1_3;
 #endif
 
         default:
             msg(M_FATAL, "%s: invalid or unsupported TLS version %d", __func__, tls_ver);
-            break;
+            return MBEDTLS_SSL_VERSION_UNKNOWN;
     }
 }
 
@@ -1170,7 +1167,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
 
     if (ssl_ctx->groups)
     {
-        mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups);
+        mbedtls_ssl_conf_groups(ks_ssl->ssl_config, ssl_ctx->groups);
     }
 
     /* Disable TLS renegotiations if the mbedtls library supports that feature.
@@ -1220,15 +1217,14 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
             &SSLF_TLS_VERSION_MIN_MASK;
 
         /* default to TLS 1.2 */
-        int major = MBEDTLS_SSL_MAJOR_VERSION_3;
+        mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_TLS1_2;
-        int minor = MBEDTLS_SSL_MINOR_VERSION_3;
 
         if (configured_tls_version_min > TLS_VER_UNSPEC)
         {
-            tls_version_to_major_minor(configured_tls_version_min, &major, &minor);
+            version = tls_version_to_ssl_version(configured_tls_version_min);
         }
 
-        mbedtls_ssl_conf_min_version(ks_ssl->ssl_config, major, minor);
+        mbedtls_ssl_conf_min_tls_version(ks_ssl->ssl_config, version);
     }
 
     /* Initialize maximum TLS version */
@@ -1237,20 +1233,19 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
             (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
             &SSLF_TLS_VERSION_MAX_MASK;
 
-        int major = 0;
+        mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_UNKNOWN;
-        int minor = 0;
 
         if (configured_tls_version_max > TLS_VER_UNSPEC)
         {
-            tls_version_to_major_minor(configured_tls_version_max, &major, &minor);
+            version = tls_version_to_ssl_version(configured_tls_version_max);
         }
         else
         {
             /* Default to tls_version_max(). */
-            tls_version_to_major_minor(tls_version_max(), &major, &minor);
+            version = tls_version_to_ssl_version(tls_version_max());
         }
 
-        mbedtls_ssl_conf_max_version(ks_ssl->ssl_config, major, minor);
+        mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version);
     }
 
 #if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB

src/openvpn/ssl_mbedtls.h

@@ -39,6 +39,8 @@
 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
 #endif
 
+#include "mbedtls_compat.h"
+
 typedef struct _buffer_entry buffer_entry;
 
 struct _buffer_entry {
@@ -118,7 +120,7 @@ struct tls_root_ctx {
 #endif
     struct external_context external_key; /**< External key context */
     int *allowed_ciphers;       /**< List of allowed ciphers for this connection */
-    mbedtls_ecp_group_id *groups;     /**< List of allowed groups for this connection */
+    mbedtls_compat_group_id *groups;     /**< List of allowed groups for this connection */
     mbedtls_x509_crt_profile cert_profile; /**< Allowed certificate types */
 };