From: MAntoniak <47522782+MAntoniak@users.noreply.github.com> Date: Thu, 8 Feb 2024 20:12:49 +0000 (+0100) Subject: mbedtls: support TLS 1.3 X-Git-Tag: curl-8_8_0~111 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1ea7dce08d7dda985b0ddb153c7cf84c710a01ba;p=thirdparty%2Fcurl.git mbedtls: support TLS 1.3 Closes #13539 --- diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index a90db9e977..ec0b10dd9a 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -122,6 +122,10 @@ struct mbed_ssl_backend_data { #define mbedtls_strerror(a,b,c) b[0] = 0 #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && MBEDTLS_VERSION_NUMBER >= 0x03060000 +#define TLS13_SUPPORT +#endif + #if defined(THREADING_SUPPORT) static mbedtls_entropy_context ts_entropy; @@ -262,7 +266,12 @@ static CURLcode mbedtls_version_from_curl( *mbedver = MBEDTLS_SSL_VERSION_TLS1_2; return CURLE_OK; case CURL_SSLVERSION_TLSv1_3: +#ifdef TLS13_SUPPORT + *mbedver = MBEDTLS_SSL_VERSION_TLS1_3; + return CURLE_OK; +#else break; +#endif } return CURLE_SSL_CONNECT_ERROR; @@ -309,7 +318,11 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, struct Curl_easy *data) struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); #if MBEDTLS_VERSION_NUMBER >= 0x03020000 mbedtls_ssl_protocol_version mbedtls_ver_min = MBEDTLS_SSL_VERSION_TLS1_2; +#ifdef TLS13_SUPPORT + mbedtls_ssl_protocol_version mbedtls_ver_max = MBEDTLS_SSL_VERSION_TLS1_3; +#else mbedtls_ssl_protocol_version mbedtls_ver_max = MBEDTLS_SSL_VERSION_TLS1_2; +#endif #elif MBEDTLS_VERSION_NUMBER >= 0x03000000 int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_3; int mbedtls_ver_max = MBEDTLS_SSL_MINOR_VERSION_3; @@ -333,7 +346,11 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, struct Curl_easy *data) switch(ssl_version_max) { case CURL_SSLVERSION_MAX_NONE: case CURL_SSLVERSION_MAX_DEFAULT: +#ifdef TLS13_SUPPORT + ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3; +#else ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2; +#endif break; } @@ -358,6 +375,17 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, struct Curl_easy *data) mbedtls_ver_max); #endif +#ifdef TLS13_SUPPORT + if(mbedtls_ver_min == MBEDTLS_SSL_VERSION_TLS1_3) { + mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_REQUIRED); + } + else { + mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_OPTIONAL); + } +#else + mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_OPTIONAL); +#endif + return result; } @@ -483,6 +511,16 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) return CURLE_NOT_BUILT_IN; } +#ifdef TLS13_SUPPORT + ret = psa_crypto_init(); + if(ret != PSA_SUCCESS) { + mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); + failf(data, "mbedTLS psa_crypto_init returned (-0x%04X) %s", + -ret, errorbuf); + return CURLE_SSL_CONNECT_ERROR; + } +#endif /* TLS13_SUPPORT */ + #ifdef THREADING_SUPPORT mbedtls_ctr_drbg_init(&backend->ctr_drbg); @@ -730,8 +768,6 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) return CURLE_SSL_CONNECT_ERROR; } - mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_OPTIONAL); - mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random, &backend->ctr_drbg); @@ -1167,8 +1203,11 @@ static ssize_t mbed_recv(struct Curl_cfilter *cf, struct Curl_easy *data, if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) return 0; - *curlcode = (ret == MBEDTLS_ERR_SSL_WANT_READ) ? - CURLE_AGAIN : CURLE_RECV_ERROR; + *curlcode = ((ret == MBEDTLS_ERR_SSL_WANT_READ) +#ifdef TLS13_SUPPORT + || (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) +#endif + ) ? CURLE_AGAIN : CURLE_RECV_ERROR; return -1; } diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py index dfe8673e2b..8d41eb2863 100644 --- a/tests/http/test_17_ssl_use.py +++ b/tests/http/test_17_ssl_use.py @@ -77,7 +77,8 @@ class TestSSLUse: exp_resumed = 'Initial' # rustls does not support sessions, TODO if env.curl_uses_lib('bearssl') and tls_max == '1.3': pytest.skip('BearSSL does not support TLSv1.3') - if env.curl_uses_lib('mbedtls') and tls_max == '1.3': + if env.curl_uses_lib('mbedtls') and tls_max == '1.3' and \ + not env.curl_lib_version_at_least('mbedtls', '3.6.0'): pytest.skip('mbedtls does not support TLSv1.3') curl = CurlClient(env=env)