mbedtls: support TLS 1.3

Closes #13539

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index a90db9e9773c9c19c97963d52109d66aed1449d2..ec0b10dd9a9f88310114f3c0a964de3f9beec0c3 100644 (file)
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -122,6 +122,10 @@ struct mbed_ssl_backend_data {
 #define mbedtls_strerror(a,b,c) b[0] = 0
 #endif
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && MBEDTLS_VERSION_NUMBER >= 0x03060000
+#define TLS13_SUPPORT
+#endif
+
 #if defined(THREADING_SUPPORT)
 static mbedtls_entropy_context ts_entropy;
 
@@ -262,7 +266,12 @@ static CURLcode mbedtls_version_from_curl(
     *mbedver = MBEDTLS_SSL_VERSION_TLS1_2;
     return CURLE_OK;
   case CURL_SSLVERSION_TLSv1_3:
+#ifdef TLS13_SUPPORT
+    *mbedver = MBEDTLS_SSL_VERSION_TLS1_3;
+    return CURLE_OK;
+#else
     break;
+#endif
   }
 
   return CURLE_SSL_CONNECT_ERROR;
@@ -309,7 +318,11 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, struct Curl_easy *data)
   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
 #if MBEDTLS_VERSION_NUMBER >= 0x03020000
   mbedtls_ssl_protocol_version mbedtls_ver_min = MBEDTLS_SSL_VERSION_TLS1_2;
+#ifdef TLS13_SUPPORT
+  mbedtls_ssl_protocol_version mbedtls_ver_max = MBEDTLS_SSL_VERSION_TLS1_3;
+#else
   mbedtls_ssl_protocol_version mbedtls_ver_max = MBEDTLS_SSL_VERSION_TLS1_2;
+#endif
 #elif MBEDTLS_VERSION_NUMBER >= 0x03000000
   int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_3;
   int mbedtls_ver_max = MBEDTLS_SSL_MINOR_VERSION_3;
@@ -333,7 +346,11 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, struct Curl_easy *data)
   switch(ssl_version_max) {
     case CURL_SSLVERSION_MAX_NONE:
     case CURL_SSLVERSION_MAX_DEFAULT:
+#ifdef TLS13_SUPPORT
+      ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3;
+#else
       ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
+#endif
       break;
   }
 
@@ -358,6 +375,17 @@ set_ssl_version_min_max(struct Curl_cfilter *cf, struct Curl_easy *data)
                                mbedtls_ver_max);
 #endif
 
+#ifdef TLS13_SUPPORT
+  if(mbedtls_ver_min == MBEDTLS_SSL_VERSION_TLS1_3) {
+    mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_REQUIRED);
+  }
+  else {
+    mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_OPTIONAL);
+  }
+#else
+  mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_OPTIONAL);
+#endif
+
   return result;
 }
 
@@ -483,6 +511,16 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
     return CURLE_NOT_BUILT_IN;
   }
 
+#ifdef TLS13_SUPPORT
+  ret = psa_crypto_init();
+  if(ret != PSA_SUCCESS) {
+    mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
+    failf(data, "mbedTLS psa_crypto_init returned (-0x%04X) %s",
+          -ret, errorbuf);
+    return CURLE_SSL_CONNECT_ERROR;
+  }
+#endif /* TLS13_SUPPORT */
+
 #ifdef THREADING_SUPPORT
   mbedtls_ctr_drbg_init(&backend->ctr_drbg);
 
@@ -730,8 +768,6 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
     return CURLE_SSL_CONNECT_ERROR;
   }
 
-  mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_OPTIONAL);
-
   mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random,
                        &backend->ctr_drbg);
 
@@ -1167,8 +1203,11 @@ static ssize_t mbed_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
     if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)
       return 0;
 
-    *curlcode = (ret == MBEDTLS_ERR_SSL_WANT_READ) ?
-      CURLE_AGAIN : CURLE_RECV_ERROR;
+    *curlcode = ((ret == MBEDTLS_ERR_SSL_WANT_READ)
+#ifdef TLS13_SUPPORT
+              || (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET)
+#endif
+    ) ? CURLE_AGAIN : CURLE_RECV_ERROR;
     return -1;
   }
 

diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index dfe8673e2b72f9e6ead542f16314ef1132232d88..8d41eb28630ea638801edfd80980ed4997f84db0 100644 (file)
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -77,7 +77,8 @@ class TestSSLUse:
             exp_resumed = 'Initial'  # rustls does not support sessions, TODO
         if env.curl_uses_lib('bearssl') and tls_max == '1.3':
             pytest.skip('BearSSL does not support TLSv1.3')
-        if env.curl_uses_lib('mbedtls') and tls_max == '1.3':
+        if env.curl_uses_lib('mbedtls') and tls_max == '1.3' and \
+                not env.curl_lib_version_at_least('mbedtls', '3.6.0'):
             pytest.skip('mbedtls does not support TLSv1.3')
 
         curl = CurlClient(env=env)