mbedtls: bump minimum version required to 3.2.0

3.2.0 was released on July 11, 2022.

Ref: #18161
Closes #18254

diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 29205881f36e1a971001d84f43916ccd2a444e68..5b3d90ea00094c7dd6fefd5dac33bf6e92ea338b 100644 (file)
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -113,17 +113,21 @@ jobs:
           - name: 'mbedtls'
             install_packages: libnghttp2-dev
             install_steps: mbedtls
-            PKG_CONFIG_PATH: /home/runner/mbedtls/lib/pkgconfig  # Requires v3.6.0 or v2.28.8
+            PKG_CONFIG_PATH: /home/runner/mbedtls/lib/pkgconfig  # Requires v3.6.0
             generate: -DCURL_USE_MBEDTLS=ON -DENABLE_DEBUG=ON
 
-          - name: 'mbedtls-pkg MultiSSL'
+          - name: 'mbedtls-pkg MultiSSL !pc'
             install_packages: libnghttp2-dev libmbedtls-dev
-            generate: -DCURL_USE_MBEDTLS=ON -DENABLE_DEBUG=ON -DCURL_DEFAULT_SSL_BACKEND=mbedtls -DCURL_USE_OPENSSL=ON -DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF
-
-          - name: 'mbedtls-pkg !pc'
-            install_packages: libnghttp2-dev libmbedtls-dev
-            install_steps: skipall
-            generate: -DCURL_USE_MBEDTLS=ON -DENABLE_DEBUG=ON -DCURL_USE_PKGCONFIG=OFF -DCURL_COMPLETION_FISH=ON -DCURL_COMPLETION_ZSH=ON
+            install_steps: mbedtls skipall
+            generate: >-
+              -DCURL_USE_MBEDTLS=ON -DENABLE_DEBUG=ON -DCURL_DEFAULT_SSL_BACKEND=mbedtls
+              -DMBEDTLS_INCLUDE_DIR=/home/runner/mbedtls/include
+              -DMBEDTLS_LIBRARY=/home/runner/mbedtls/lib/libmbedtls.a
+              -DMBEDX509_LIBRARY=/home/runner/mbedtls/lib/libmbedx509.a
+              -DMBEDCRYPTO_LIBRARY=/home/runner/mbedtls/lib/libmbedcrypto.a
+              -DCURL_USE_PKGCONFIG=OFF -DCURL_USE_OPENSSL=ON
+              -DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF
+              -DCURL_COMPLETION_FISH=ON -DCURL_COMPLETION_ZSH=ON
 
           - name: 'awslc'
             install_packages: zlib1g-dev

diff --git a/CMake/FindMbedTLS.cmake b/CMake/FindMbedTLS.cmake
index fcd6afb3ab6b7a51fbb19467e2da529a264cd710..4b5a6121f193e6a2d75f5e3bbc427b3478528cef 100644 (file)
--- a/CMake/FindMbedTLS.cmake
+++ b/CMake/FindMbedTLS.cmake
@@ -71,23 +71,13 @@ else()
   find_library(MBEDCRYPTO_LIBRARY NAMES "mbedcrypto" "libmbedcrypto")
 
   unset(MBEDTLS_VERSION CACHE)
-  if(MBEDTLS_INCLUDE_DIR)
-    if(EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")  # 3.x
-      set(_version_header "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")
-    elseif(EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")  # 2.x
-      set(_version_header "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
-    else()
-      unset(_version_header)
-    endif()
-    if(_version_header)
-      set(_version_regex "#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"([0-9.]+)\"")
-      file(STRINGS "${_version_header}" _version_str REGEX "${_version_regex}")
-      string(REGEX REPLACE "${_version_regex}" "\\1" _version_str "${_version_str}")
-      set(MBEDTLS_VERSION "${_version_str}")
-      unset(_version_regex)
-      unset(_version_str)
-      unset(_version_header)
-    endif()
+  if(MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")
+    set(_version_regex "#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"([0-9.]+)\"")
+    file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h" _version_str REGEX "${_version_regex}")
+    string(REGEX REPLACE "${_version_regex}" "\\1" _version_str "${_version_str}")
+    set(MBEDTLS_VERSION "${_version_str}")
+    unset(_version_regex)
+    unset(_version_str)
   endif()
 
   include(FindPackageHandleStandardArgs)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 50db8602d7f42edac4ecc2e45e5ef067da330365..5e0bf4bf98563a706067721f5dc505af3bcbf5cd 100644 (file)
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -802,6 +802,9 @@ endif()
 
 if(CURL_USE_MBEDTLS)
   find_package(MbedTLS REQUIRED)
+  if(MBEDTLS_VERSION VERSION_LESS 3.2.0)
+    message(FATAL_ERROR "mbedTLS v3.2.0 or newer is required.")
+  endif()
   set(_ssl_enabled ON)
   set(USE_MBEDTLS ON)
   list(APPEND CURL_LIBS ${MBEDTLS_LIBRARIES})

diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md
index a0b1adc9ed9ed4d526d6cc6ffcd5891fa874cbd8..de993c3e4bcd45e91b99fc0fbff6d71d13d5c477 100644 (file)
--- a/docs/INTERNALS.md
+++ b/docs/INTERNALS.md
@@ -27,6 +27,7 @@ versions of libs and build tools.
  - OpenSSL      1.0.2a
  - LibreSSL     2.9.1
  - GnuTLS       3.1.10
+ - mbedTLS      3.2.0
  - zlib         1.2.5.2
  - libssh2      1.2.8
  - c-ares       1.6.0

diff --git a/lib/md4.c b/lib/md4.c
index 57545dde93db63800882e70ebee5e5ab06201380..ab40c41b25a8372b3d089b6c05eb3be700349100 100644 (file)
--- a/lib/md4.c
+++ b/lib/md4.c
@@ -53,15 +53,10 @@
 
 #ifdef USE_MBEDTLS
 #include <mbedtls/version.h>
-#if MBEDTLS_VERSION_NUMBER >= 0x03000000
-#include <mbedtls/mbedtls_config.h>
-#else
-#include <mbedtls/config.h>
-#endif
-#if(MBEDTLS_VERSION_NUMBER >= 0x02070000) && \
-   (MBEDTLS_VERSION_NUMBER < 0x03000000)
-  #define HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS
+#if MBEDTLS_VERSION_NUMBER < 0x03020000
+  #error "mbedTLS 3.2.0 or later required"
 #endif
+#include <mbedtls/mbedtls_config.h>
 #endif /* USE_MBEDTLS */
 
 /* When OpenSSL or wolfSSL is available, we use their MD4 functions. */
@@ -220,12 +215,7 @@ static void MD4_Update(MD4_CTX *ctx, const void *data, unsigned long size)
 static void MD4_Final(unsigned char *result, MD4_CTX *ctx)
 {
   if(ctx->data) {
-#ifndef HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS
     mbedtls_md4(ctx->data, ctx->size, result);
-#else
-    (void)mbedtls_md4_ret(ctx->data, ctx->size, result);
-#endif
-
     Curl_safefree(ctx->data);
     ctx->size = 0;
   }

diff --git a/lib/md5.c b/lib/md5.c
index fea20377fe9bb441e9bdcab81a1dea459bab6d56..625670965a1cb7afc7deca7c0bb1ea1dceb15c9f 100644 (file)
--- a/lib/md5.c
+++ b/lib/md5.c
@@ -36,10 +36,8 @@
 
 #ifdef USE_MBEDTLS
 #include <mbedtls/version.h>
-
-#if(MBEDTLS_VERSION_NUMBER >= 0x02070000) && \
-   (MBEDTLS_VERSION_NUMBER < 0x03000000)
-  #define HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS
+#if MBEDTLS_VERSION_NUMBER < 0x03020000
+  #error "mbedTLS 3.2.0 or later required"
 #endif
 #endif /* USE_MBEDTLS */
 
@@ -161,15 +159,8 @@ typedef mbedtls_md5_context my_md5_ctx;
 
 static CURLcode my_md5_init(void *ctx)
 {
-#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
   if(mbedtls_md5_starts(ctx))
     return CURLE_OUT_OF_MEMORY;
-#elif defined(HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS)
-  if(mbedtls_md5_starts_ret(ctx))
-    return CURLE_OUT_OF_MEMORY;
-#else
-  (void)mbedtls_md5_starts(ctx);
-#endif
   return CURLE_OK;
 }
 
@@ -177,20 +168,12 @@ static void my_md5_update(void *ctx,
                           const unsigned char *data,
                           unsigned int length)
 {
-#ifndef HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS
   (void)mbedtls_md5_update(ctx, data, length);
-#else
-  (void)mbedtls_md5_update_ret(ctx, data, length);
-#endif
 }
 
 static void my_md5_final(unsigned char *digest, void *ctx)
 {
-#ifndef HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS
   (void)mbedtls_md5_finish(ctx, digest);
-#else
-  (void)mbedtls_md5_finish_ret(ctx, digest);
-#endif
 }
 
 #elif defined(AN_APPLE_OS)

diff --git a/lib/sha256.c b/lib/sha256.c
index ca026782a3d3e069f185ad7b5107dab58c669831..6f519add58a9fa525b538de5b362ac20b5030cad 100644 (file)
--- a/lib/sha256.c
+++ b/lib/sha256.c
@@ -38,9 +38,8 @@
 #include <nettle/sha.h>
 #elif defined(USE_MBEDTLS)
 #include <mbedtls/version.h>
-#if(MBEDTLS_VERSION_NUMBER >= 0x02070000) && \
-   (MBEDTLS_VERSION_NUMBER < 0x03000000)
-  #define HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS
+#if MBEDTLS_VERSION_NUMBER < 0x03020000
+  #error "mbedTLS 3.2.0 or later required"
 #endif
 #include <mbedtls/sha256.h>
 #elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
@@ -134,11 +133,7 @@ typedef mbedtls_sha256_context my_sha256_ctx;
 
 static CURLcode my_sha256_init(void *ctx)
 {
-#ifndef HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS
   (void)mbedtls_sha256_starts(ctx, 0);
-#else
-  (void)mbedtls_sha256_starts_ret(ctx, 0);
-#endif
   return CURLE_OK;
 }
 
@@ -146,20 +141,12 @@ static void my_sha256_update(void *ctx,
                              const unsigned char *data,
                              unsigned int length)
 {
-#ifndef HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS
   (void)mbedtls_sha256_update(ctx, data, length);
-#else
-  (void)mbedtls_sha256_update_ret(ctx, data, length);
-#endif
 }
 
 static void my_sha256_final(unsigned char *digest, void *ctx)
 {
-#ifndef HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS
   (void)mbedtls_sha256_finish(ctx, digest);
-#else
-  (void)mbedtls_sha256_finish_ret(ctx, digest);
-#endif
 }
 
 #elif defined(AN_APPLE_OS)

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 3280d9057c6768c979c6ea0076a436490f3ed4c7..06ae10232a14a3655b78a641dafc9efb6e914ec9 100644 (file)
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -37,11 +37,10 @@
 /* #define MBEDTLS_DEBUG */
 
 #include <mbedtls/version.h>
-#if MBEDTLS_VERSION_NUMBER >= 0x02040000
-#include <mbedtls/net_sockets.h>
-#else
-#include <mbedtls/net.h>
+#if MBEDTLS_VERSION_NUMBER < 0x03020000
+  #error "mbedTLS 3.2.0 or later required"
 #endif
+#include <mbedtls/net_sockets.h>
 #include <mbedtls/ssl.h>
 #include <mbedtls/x509.h>
 
@@ -49,13 +48,9 @@
 #include <mbedtls/entropy.h>
 #include <mbedtls/ctr_drbg.h>
 #include <mbedtls/sha256.h>
-
-#if MBEDTLS_VERSION_MAJOR >= 2
-#  ifdef MBEDTLS_DEBUG
-#    include <mbedtls/debug.h>
-#  endif
-#endif /* MBEDTLS_VERSION_MAJOR >= 2 */
-
+#ifdef MBEDTLS_DEBUG
+#include <mbedtls/debug.h>
+#endif
 #include "cipher_suite.h"
 #include "../urldata.h"
 #include "../sendf.h"
@@ -263,11 +258,6 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
    * function basically always sets TLS 1.2 as min/max, unless given
    * unsupported option values. */
 
-#if MBEDTLS_VERSION_NUMBER < 0x03020000
-  int ver_min = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
-  int ver_max = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
-#else
-  /* mbedTLS 3.2.0 (2022) introduced new methods for setting TLS version */
   mbedtls_ssl_protocol_version ver_min = MBEDTLS_SSL_VERSION_TLS1_2;
   mbedtls_ssl_protocol_version ver_max =
 #ifdef HAS_TLS13_SUPPORT
@@ -276,29 +266,14 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
     MBEDTLS_SSL_VERSION_TLS1_2
 #endif
     ;
-#endif
 
   switch(conn_config->version) {
   case CURL_SSLVERSION_DEFAULT:
-#if MBEDTLS_VERSION_NUMBER < 0x03000000
   case CURL_SSLVERSION_TLSv1:
   case CURL_SSLVERSION_TLSv1_0:
-    ver_min = MBEDTLS_SSL_MINOR_VERSION_1;
-    break;
   case CURL_SSLVERSION_TLSv1_1:
-    ver_min = MBEDTLS_SSL_MINOR_VERSION_2;
-    break;
-#else
-  case CURL_SSLVERSION_TLSv1:
-  case CURL_SSLVERSION_TLSv1_0:
-  case CURL_SSLVERSION_TLSv1_1:
-#endif
   case CURL_SSLVERSION_TLSv1_2:
-#if MBEDTLS_VERSION_NUMBER < 0x03020000
-    ver_min = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
-#else
     ver_min = MBEDTLS_SSL_VERSION_TLS1_2;
-#endif
     break;
   case CURL_SSLVERSION_TLSv1_3:
 #ifdef HAS_TLS13_SUPPORT
@@ -320,37 +295,17 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
     break;
 #endif
   case CURL_SSLVERSION_MAX_TLSv1_2:
-#if MBEDTLS_VERSION_NUMBER < 0x03020000
-    ver_max = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
-#else
     ver_max = MBEDTLS_SSL_VERSION_TLS1_2;
-#endif
-    break;
-#if MBEDTLS_VERSION_NUMBER < 0x03000000
-  case CURL_SSLVERSION_MAX_TLSv1_1:
-    ver_max = MBEDTLS_SSL_MINOR_VERSION_2;
     break;
-  case CURL_SSLVERSION_MAX_TLSv1_0:
-    ver_max = MBEDTLS_SSL_MINOR_VERSION_1;
-    break;
-#else
   case CURL_SSLVERSION_MAX_TLSv1_1:
   case CURL_SSLVERSION_MAX_TLSv1_0:
-#endif
   default:
     failf(data, "mbedTLS: unsupported maximum TLS version value");
     return CURLE_SSL_CONNECT_ERROR;
   }
 
-#if MBEDTLS_VERSION_NUMBER < 0x03020000
-  mbedtls_ssl_conf_min_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
-                               ver_min);
-  mbedtls_ssl_conf_max_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
-                               ver_max);
-#else
   mbedtls_ssl_conf_min_tls_version(&backend->config, ver_min);
   mbedtls_ssl_conf_max_tls_version(&backend->config, ver_max);
-#endif
 
   return CURLE_OK;
 }
@@ -360,7 +315,6 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
    cipher suite present in other SSL implementations. Provide
    provisional support for specifying the cipher suite here. */
 #ifdef MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
-#if MBEDTLS_VERSION_NUMBER >= 0x03020000
 static int
 mbed_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
                           bool prefer_rfc)
@@ -371,7 +325,6 @@ mbed_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
     return Curl_cipher_suite_get_str(id, buf, buf_size, prefer_rfc);
   return 0;
 }
-#endif
 
 static uint16_t
 mbed_cipher_suite_walk_str(const char **str, const char **end)
@@ -499,8 +452,7 @@ add_ciphers:
 static void
 mbed_dump_cert_info(struct Curl_easy *data, const mbedtls_x509_crt *crt)
 {
-#if defined(CURL_DISABLE_VERBOSE_STRINGS) || \
-  (MBEDTLS_VERSION_NUMBER >= 0x03000000 && defined(MBEDTLS_X509_REMOVE_INFO))
+#if defined(CURL_DISABLE_VERBOSE_STRINGS) || defined(MBEDTLS_X509_REMOVE_INFO)
   (void)data, (void)crt;
 #else
   const size_t bufsize = 16384;
@@ -558,7 +510,7 @@ static int mbed_verify_cb(void *ptr, mbedtls_x509_crt *crt,
     *flags &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH;
 
   if(*flags) {
-#if MBEDTLS_VERSION_NUMBER < 0x03000000 || !defined(MBEDTLS_X509_REMOVE_INFO)
+#ifndef MBEDTLS_X509_REMOVE_INFO
     char buf[128];
     mbedtls_x509_crt_verify_info(buf, sizeof(buf), "", *flags);
     failf(data, "mbedTLS: %s", buf);
@@ -727,15 +679,10 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
   if(ssl_config->key || ssl_config->key_blob) {
     if(ssl_config->key) {
 #ifdef MBEDTLS_FS_IO
-#if MBEDTLS_VERSION_NUMBER >= 0x03000000
       ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key,
                                      ssl_config->key_passwd,
                                      mbedtls_ctr_drbg_random,
                                      &backend->ctr_drbg);
-#else
-      ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key,
-                                     ssl_config->key_passwd);
-#endif
       if(ret == 0 && !(mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_RSA) ||
                        mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_ECKEY)))
         ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
@@ -756,17 +703,11 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
       const unsigned char *key_data =
         (const unsigned char *)ssl_key_blob->data;
       const char *passwd = ssl_config->key_passwd;
-#if MBEDTLS_VERSION_NUMBER >= 0x03000000
       ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len,
                                  (const unsigned char *)passwd,
                                  passwd ? strlen(passwd) : 0,
                                  mbedtls_ctr_drbg_random,
                                  &backend->ctr_drbg);
-#else
-      ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len,
-                                 (const unsigned char *)passwd,
-                                 passwd ? strlen(passwd) : 0);
-#endif
       if(ret == 0 && !(mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_RSA) ||
                        mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_ECKEY)))
         ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
@@ -1020,17 +961,14 @@ mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
   }
   else if(ret) {
     char errorbuf[128];
-#if MBEDTLS_VERSION_NUMBER >= 0x03020000
     CURL_TRC_CF(data, cf, "TLS version %04X",
                 mbedtls_ssl_get_version_number(&backend->ssl));
-#endif
     mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
     failf(data, "ssl_handshake returned: (-0x%04X) %s",
           -ret, errorbuf);
     return CURLE_SSL_CONNECT_ERROR;
   }
 
-#if MBEDTLS_VERSION_NUMBER >= 0x03020000
   {
     char cipher_str[64];
     uint16_t cipher_id;
@@ -1040,10 +978,6 @@ mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
     infof(data, "mbedTLS: %s Handshake complete, cipher is %s",
           mbedtls_ssl_get_version(&backend->ssl), cipher_str);
   }
-#else
-  infof(data, "mbedTLS: %s Handshake complete",
-        mbedtls_ssl_get_version(&backend->ssl));
-#endif
 
   if(pinnedpubkey) {
     int size;
@@ -1053,12 +987,7 @@ mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
     unsigned char *pubkey = NULL;
 
     peercert = mbedtls_ssl_get_peer_cert(&backend->ssl);
-#if MBEDTLS_VERSION_NUMBER == 0x03000000
-    if(!peercert || !peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(p) ||
-       !peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len)) {
-#else
     if(!peercert || !peercert->raw.p || !peercert->raw.len) {
-#endif
       failf(data, "Failed due to missing peer certificate");
       return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
     }
@@ -1080,24 +1009,13 @@ mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
     /* Make a copy of our const peercert because mbedtls_pk_write_pubkey_der
        needs a non-const key, for now.
        https://github.com/Mbed-TLS/mbedtls/issues/396 */
-#if MBEDTLS_VERSION_NUMBER == 0x03000000
-    if(mbedtls_x509_crt_parse_der(p,
-                        peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(p),
-                        peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len))) {
-#else
     if(mbedtls_x509_crt_parse_der(p, peercert->raw.p, peercert->raw.len)) {
-#endif
       failf(data, "Failed copying peer certificate");
       result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
       goto pinnedpubkey_error;
     }
 
-#if MBEDTLS_VERSION_NUMBER == 0x03000000
-    size = mbedtls_pk_write_pubkey_der(&p->MBEDTLS_PRIVATE(pk), pubkey,
-                                       PUB_DER_MAX_BYTES);
-#else
     size = mbedtls_pk_write_pubkey_der(&p->pk, pubkey, PUB_DER_MAX_BYTES);
-#endif
 
     if(size <= 0) {
       failf(data, "Failed copying public key from peer certificate");
@@ -1180,11 +1098,7 @@ mbed_new_session(struct Curl_cfilter *cf, struct Curl_easy *data)
     goto out;
   }
 
-#if MBEDTLS_VERSION_NUMBER >= 0x03020000
   ietf_tls_id = mbedtls_ssl_get_version_number(&backend->ssl);
-#else
-  ietf_tls_id = CURL_IETF_PROTO_UNKNOWN;
-#endif
   result = Curl_ssl_session_create(sdata, slen,
                                    ietf_tls_id,
                                    connssl->negotiated.alpn, 0, 0,
@@ -1485,16 +1399,12 @@ static CURLcode mbedtls_connect(struct Curl_cfilter *cf,
 
   if(ssl_connect_3 == connssl->connecting_state) {
     /* For tls1.3 we get notified about new sessions */
-#if MBEDTLS_VERSION_NUMBER >= 0x03020000
     struct ssl_connect_data *ctx = cf->ctx;
     struct mbed_ssl_backend_data *backend =
       (struct mbed_ssl_backend_data *)ctx->backend;
 
     if(mbedtls_ssl_get_version_number(&backend->ssl) <=
        MBEDTLS_SSL_VERSION_TLS1_2) {
-#else
-    {  /* no TLSv1.3 supported here */
-#endif
       retcode = mbed_new_session(cf, data);
       if(retcode)
         return retcode;
@@ -1564,17 +1474,9 @@ static CURLcode mbedtls_sha256sum(const unsigned char *input,
                                   size_t sha256len UNUSED_PARAM)
 {
   (void)sha256len;
-#if MBEDTLS_VERSION_NUMBER < 0x02070000
-  mbedtls_sha256(input, inputlen, sha256sum, 0);
-#else
   /* returns 0 on success, otherwise failure */
-#if MBEDTLS_VERSION_NUMBER >= 0x03000000
   if(mbedtls_sha256(input, inputlen, sha256sum, 0) != 0)
-#else
-  if(mbedtls_sha256_ret(input, inputlen, sha256sum, 0) != 0)
-#endif
     return CURLE_BAD_FUNCTION_ARGUMENT;
-#endif
   return CURLE_OK;
 }