mbedtls: call mbedtls_ssl_setup() after RNG callback is set
authorKailun Qin <kailun.qin@intel.com>
Mon, 8 Apr 2024 09:13:56 +0000 (05:13 -0400)
committerDaniel Stenberg <daniel@haxx.se>
Mon, 8 Apr 2024 12:27:12 +0000 (14:27 +0200)
Since mbedTLS v3.6.0, the RNG check added in ssl_conf_check() will fail
if no RNG is provided when calling mbedtls_ssl_setup().

Therefore, mbedtls_ssl_conf_rng() needs to be called before the SSL
context is passed to mbedtls_ssl_setup().

Ref: https://github.com/Mbed-TLS/mbedtls/commit/b422cab052b51ec84758638d6783d6ba4fc60613

Signed-off-by: Kailun Qin <kailun.qin@intel.com>
Closes #13314

lib/vtls/mbedtls.c

index f4e041b1667a9648ccf8827d8de56ee8dbc0d9b6..438cb7c6fa10faae193290acee133f88bd0701fa 100644 (file)
@@ -602,10 +602,6 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
   }
 
   mbedtls_ssl_init(&backend->ssl);
-  if(mbedtls_ssl_setup(&backend->ssl, &backend->config)) {
-    failf(data, "mbedTLS: ssl_init failed");
-    return CURLE_SSL_CONNECT_ERROR;
-  }
 
   /* new profile with RSA min key len = 1024 ... */
   mbedtls_ssl_conf_cert_profile(&backend->config,
@@ -639,6 +635,15 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
 
   mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random,
                        &backend->ctr_drbg);
+
+  ret = mbedtls_ssl_setup(&backend->ssl, &backend->config);
+  if(ret) {
+    mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
+    failf(data, "ssl_setup failed - mbedTLS: (-0x%04X) %s",
+          -ret, errorbuf);
+    return CURLE_SSL_CONNECT_ERROR;
+  }
+
   mbedtls_ssl_set_bio(&backend->ssl, cf,
                       mbedtls_bio_cf_write,
                       mbedtls_bio_cf_read,
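Review bot: The new `mbedtls_ssl_setup()` call is placed immediately after `mbedtls_ssl_conf_rng()`, which satisfies the v3.6.0 RNG check, but mbedTLS documents that the `mbedtls_ssl_config` must not be modified once a context has been set up from it, so any `mbedtls_ssl_conf_*()` calls that follow `mbedtls_ssl_set_bio()` later in `mbed_connect_step1` (outside this hunk) would still change the config after setup. If such calls exist, moving the setup to after the last `mbedtls_ssl_conf_*()` call is the safer ordering. A one-line comment above the call would keep a future refactor from moving it back in front of `conf_rng()`: `/* setup must follow conf_rng(): mbedTLS >= 3.6.0 rejects a config without an RNG */`. The error path relies on `ret` and `errorbuf` being declared earlier in the function, which is not visible here; `mbed_connect_step1` begins and ends outside the hunk.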