# renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
WOLFSSL_VERSION: 5.8.2
# renovate: datasource=github-tags depName=Mbed-TLS/mbedtls versioning=semver registryUrl=https://github.com
- MBEDTLS_VERSION: 3.6.4
+ MBEDTLS_VERSION: 4.0.0
+ # renovate: datasource=github-tags depName=Mbed-TLS/mbedtls versioning=semver:^3.0.0 registryUrl=https://github.com
+ MBEDTLS_VERSION_PREV: 3.6.4
# renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com
AWSLC_VERSION: 1.61.4
# renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com
install_steps: mbedtls pytest
configure: CC=clang LDFLAGS=-Wl,-rpath,/home/runner/mbedtls/lib --with-mbedtls=/home/runner/mbedtls --enable-debug --with-fish-functions-dir --with-zsh-functions-dir
- - name: 'mbedtls'
+ - name: 'mbedtls-prev'
install_packages: libnghttp2-dev libuv1-dev
- install_steps: mbedtls
- PKG_CONFIG_PATH: /home/runner/mbedtls/lib/pkgconfig # Requires v3.6.0
+ install_steps: mbedtls-prev pytest
+ PKG_CONFIG_PATH: /home/runner/mbedtls-prev/lib/pkgconfig # Requires v3.6.0
generate: -DCURL_USE_MBEDTLS=ON -DCURL_USE_LIBUV=ON -DENABLE_DEBUG=ON
- name: 'mbedtls-pkg MultiSSL !pc'
- name: 'cache mbedtls'
if: ${{ contains(matrix.build.install_steps, 'mbedtls') }}
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
- id: cache-mbedtls
+ id: cache-mbedtls-threadsafe
env:
cache-name: cache-mbedtls-threadsafe
with:
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MBEDTLS_VERSION }}
- name: 'build mbedtls'
- if: ${{ contains(matrix.build.install_steps, 'mbedtls') && steps.cache-mbedtls.outputs.cache-hit != 'true' }}
+ if: ${{ contains(matrix.build.install_steps, 'mbedtls') && steps.cache-mbedtls-threadsafe.outputs.cache-hit != 'true' }}
run: |
curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
--location "https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-${MBEDTLS_VERSION}/mbedtls-${MBEDTLS_VERSION}.tar.bz2" | tar -xj
cmake --build .
cmake --install .
- - name: 'cache openldap-static'
+ - name: 'cache mbedtls (prev)'
+ if: ${{ contains(matrix.build.install_steps, 'mbedtls-prev') }}
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+ id: cache-mbedtls-threadsafe-prev
+ env:
+ cache-name: cache-mbedtls-threadsafe-prev
+ with:
+ path: ~/mbedtls-prev
+ key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MBEDTLS_VERSION }}
+
+ - name: 'build mbedtls (prev)'
+ if: ${{ contains(matrix.build.install_steps, 'mbedtls-prev') && steps.cache-mbedtls-threadsafe-prev.outputs.cache-hit != 'true' }}
+ run: |
+ curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
+ --location "https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-${MBEDTLS_VERSION_PREV}/mbedtls-${MBEDTLS_VERSION_PREV}.tar.bz2" | tar -xj
+ cd "mbedtls-${MBEDTLS_VERSION_PREV}"
+ ./scripts/config.py set MBEDTLS_THREADING_C
+ ./scripts/config.py set MBEDTLS_THREADING_PTHREAD
+ cmake -B . -G Ninja -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DCMAKE_INSTALL_PREFIX=/home/runner/mbedtls-prev \
+ -DENABLE_PROGRAMS=OFF -DENABLE_TESTING=OFF
+ cmake --build .
+ cmake --install .
+
+ - name: 'cache openldap (static)'
if: ${{ contains(matrix.build.install_steps, 'openldap-static') }}
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
id: cache-openldap-static
# These conditions must match those in lib/curl_setup.h.
if(NOT CURL_DISABLE_NTLM AND
(USE_OPENSSL OR
- USE_MBEDTLS OR
+ (USE_MBEDTLS AND MBEDTLS_VERSION VERSION_LESS 4.0.0) OR
USE_GNUTLS OR
USE_WIN32_CRYPTO OR
(USE_WOLFSSL AND HAVE_WOLFSSL_DES_ECB_ENCRYPT)))
use_curl_ntlm_core=no
if test "x$CURL_DISABLE_NTLM" != "x1"; then
- if test "x$OPENSSL_ENABLED" = "x1" -o "x$MBEDTLS_ENABLED" = "x1" \
+ if test "x$OPENSSL_ENABLED" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" \
-o "x$USE_WIN32_CRYPTO" = "x1" \
-o "x$HAVE_WOLFSSL_DES_ECB_ENCRYPT" = "x1"; then
use_curl_ntlm_core=yes
+ elif test "x$MBEDTLS_ENABLED" = "x1" && test "$mbedtls_4" = "0"; then
+ use_curl_ntlm_core=yes
fi
if test "x$use_curl_ntlm_core" = "xyes" \
1. USE_OPENSSL
2. USE_WOLFSSL
3. USE_GNUTLS
- 4. -
- 5. USE_MBEDTLS
- 6. USE_OS400CRYPTO
- 7. USE_WIN32_CRYPTO
+ 4. USE_MBEDTLS
+ 5. USE_OS400CRYPTO
+ 6. USE_WIN32_CRYPTO
This ensures that:
- the same SSL branch gets activated throughout this source
#ifndef NO_DES3
#define USE_OPENSSL_DES
#endif
+#elif defined(USE_MBEDTLS)
+ #include <mbedtls/version.h>
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000
+ #define USE_MBEDTLS_DES
+ #endif
#endif
#ifdef USE_OPENSSL_DES
# include <nettle/des.h>
-#elif defined(USE_MBEDTLS)
+#elif defined(USE_MBEDTLS_DES)
# include <mbedtls/des.h>
des_set_key(des, (const uint8_t *) key);
}
-#elif defined(USE_MBEDTLS)
+#elif defined(USE_MBEDTLS_DES)
static bool encrypt_des(const unsigned char *in, unsigned char *out,
const unsigned char *key_56)
des_encrypt(&des, 8, results + 8, plaintext);
setup_des_key(keys + 14, &des);
des_encrypt(&des, 8, results + 16, plaintext);
-#elif defined(USE_MBEDTLS) || defined(USE_OS400CRYPTO) || \
+#elif defined(USE_MBEDTLS_DES) || defined(USE_OS400CRYPTO) || \
defined(USE_WIN32_CRYPTO)
encrypt_des(plaintext, results, keys);
encrypt_des(plaintext, results + 8, keys + 7);
des_encrypt(&des, 8, lmbuffer, magic);
setup_des_key(pw + 7, &des);
des_encrypt(&des, 8, lmbuffer + 8, magic);
-#elif defined(USE_MBEDTLS) || defined(USE_OS400CRYPTO) || \
+#elif defined(USE_MBEDTLS_DES) || defined(USE_OS400CRYPTO) || \
defined(USE_WIN32_CRYPTO)
encrypt_des(magic, lmbuffer, pw);
encrypt_des(magic, lmbuffer + 8, pw + 7);
# endif
#endif
+#ifdef USE_MBEDTLS
+#include <mbedtls/version.h>
+#if MBEDTLS_VERSION_NUMBER < 0x03020000
+ #error "mbedTLS 3.2.0 or later required"
+#endif
+#endif
+
#if defined(USE_WOLFSSL) && defined(USE_GNUTLS)
/* Avoid defining unprefixed wolfSSL SHA macros colliding with nettle ones */
#define NO_OLD_WC_NAMES
/* Single point where USE_NTLM definition might be defined */
#ifndef CURL_DISABLE_NTLM
-# if defined(USE_OPENSSL) || defined(USE_MBEDTLS) || \
+# if defined(USE_OPENSSL) || \
defined(USE_GNUTLS) || \
+ (defined(USE_MBEDTLS) && MBEDTLS_VERSION_NUMBER < 0x04000000) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) || \
(defined(USE_WOLFSSL) && defined(HAVE_WOLFSSL_DES_ECB_ENCRYPT))
# define USE_CURL_NTLM_CORE
#include "easy_lock.h"
+#ifdef USE_MBEDTLS
+#include <psa/crypto.h>
+#endif
+
/* The last 2 #include files should be in this order */
#include "curl_memory.h"
#include "memdebug.h"
static char *leakpointer;
#endif
+static CURLcode crypto_init(void)
+{
+#ifdef USE_MBEDTLS
+ psa_status_t status;
+ status = psa_crypto_init();
+ if(status != PSA_SUCCESS)
+ return CURLE_FAILED_INIT;
+#endif
+ return CURLE_OK;
+}
+
+static void crypto_cleanup(void)
+{
+#ifdef USE_MBEDTLS
+ mbedtls_psa_crypto_free();
+#endif
+}
+
/**
* curl_global_init() globally initializes curl given a bitwise set of the
* different features of what to initialize.
goto fail;
}
+ if(crypto_init()) {
+ DEBUGF(curl_mfprintf(stderr, "Error: crypto_init failed\n"));
+ goto fail;
+ }
+
if(!Curl_ssl_init()) {
DEBUGF(curl_mfprintf(stderr, "Error: Curl_ssl_init failed\n"));
goto fail;
Curl_ssh_cleanup();
+ crypto_cleanup();
+
#ifdef DEBUGBUILD
free(leakpointer);
#endif
#ifdef USE_MBEDTLS
#include <mbedtls/version.h>
-#if MBEDTLS_VERSION_NUMBER < 0x03020000
- #error "mbedTLS 3.2.0 or later required"
-#endif
+#if MBEDTLS_VERSION_NUMBER < 0x04000000 && defined(MBEDTLS_MD4_C)
+#define USE_MBEDTLS_MD4
#include <mbedtls/mbedtls_config.h>
-#endif /* USE_MBEDTLS */
+#endif
+#endif
/* When OpenSSL or wolfSSL is available, we use their MD4 functions. */
#if defined(USE_WOLFSSL) && !defined(WOLFSSL_NO_MD4)
#include <wincrypt.h>
#elif defined(USE_GNUTLS)
#include <nettle/md4.h>
-#elif(defined(USE_MBEDTLS) && defined(MBEDTLS_MD4_C))
+#elif defined(USE_MBEDTLS_MD4)
#include <mbedtls/md4.h>
#endif
md4_digest(ctx, MD4_DIGEST_SIZE, result);
}
-#elif(defined(USE_MBEDTLS) && defined(MBEDTLS_MD4_C))
+#elif defined(USE_MBEDTLS_MD4)
struct md4_ctx {
void *data;
#include "curl_hmac.h"
#include "curlx/warnless.h"
-#ifdef USE_MBEDTLS
-#include <mbedtls/version.h>
-#if MBEDTLS_VERSION_NUMBER < 0x03020000
- #error "mbedTLS 3.2.0 or later required"
-#endif
-#endif /* USE_MBEDTLS */
-
#ifdef USE_OPENSSL
#include <openssl/opensslconf.h>
#if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_DEPRECATED_3_0)
#endif
#endif
+#ifdef USE_MBEDTLS
+ #include <psa/crypto_config.h>
+ #if defined(PSA_WANT_ALG_MD5) && PSA_WANT_ALG_MD5 /* mbedTLS 4+ */
+ #define USE_MBEDTLS_MD5
+ #endif
+#endif
+
#ifdef USE_GNUTLS
#include <nettle/md5.h>
#elif defined(USE_OPENSSL_MD5)
#include <openssl/md5.h>
#elif defined(USE_WOLFSSL_MD5)
#include <wolfssl/openssl/md5.h>
-#elif defined(USE_MBEDTLS)
-#include <mbedtls/md5.h>
+#elif defined(USE_MBEDTLS_MD5)
+#include <psa/crypto.h>
#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
(__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040) && \
defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && \
(void)wolfSSL_MD5_Final(digest, ctx);
}
-#elif defined(USE_MBEDTLS)
+#elif defined(USE_MBEDTLS_MD5)
-typedef mbedtls_md5_context my_md5_ctx;
+typedef psa_hash_operation_t my_md5_ctx;
static CURLcode my_md5_init(void *ctx)
{
- if(mbedtls_md5_starts(ctx))
+ memset(ctx, 0, sizeof(my_md5_ctx));
+ if(psa_hash_setup(ctx, PSA_ALG_MD5) != PSA_SUCCESS)
return CURLE_OUT_OF_MEMORY;
return CURLE_OK;
}
const unsigned char *data,
unsigned int length)
{
- (void)mbedtls_md5_update(ctx, data, length);
+ (void)psa_hash_update(ctx, data, length);
}
static void my_md5_final(unsigned char *digest, void *ctx)
{
- (void)mbedtls_md5_finish(ctx, digest);
+ size_t actual_length;
+ (void)psa_hash_finish(ctx, digest, 16, &actual_length);
}
#elif defined(AN_APPLE_OS)
#include "curl_sha256.h"
#include "curl_hmac.h"
+#ifdef USE_MBEDTLS
+ #include <psa/crypto_config.h>
+ #if defined(PSA_WANT_ALG_SHA_256) && PSA_WANT_ALG_SHA_256 /* mbedTLS 4+ */
+ #define USE_MBEDTLS_SHA256
+ #endif
+#endif
+
#ifdef USE_OPENSSL
#include <openssl/evp.h>
#elif defined(USE_GNUTLS)
#include <nettle/sha.h>
-#elif defined(USE_MBEDTLS)
-#include <mbedtls/version.h>
-#if MBEDTLS_VERSION_NUMBER < 0x03020000
- #error "mbedTLS 3.2.0 or later required"
-#endif
-#include <mbedtls/sha256.h>
+#elif defined(USE_MBEDTLS_SHA256)
+#include <psa/crypto.h>
#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \
(__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \
(defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \
sha256_digest(ctx, SHA256_DIGEST_SIZE, digest);
}
-#elif defined(USE_MBEDTLS)
+#elif defined(USE_MBEDTLS_SHA256)
-typedef mbedtls_sha256_context my_sha256_ctx;
+typedef psa_hash_operation_t my_sha256_ctx;
static CURLcode my_sha256_init(void *ctx)
{
- (void)mbedtls_sha256_starts(ctx, 0);
+ memset(ctx, 0, sizeof(my_sha256_ctx));
+ if(psa_hash_setup(ctx, PSA_ALG_SHA_256) != PSA_SUCCESS)
+ return CURLE_OUT_OF_MEMORY;
return CURLE_OK;
}
const unsigned char *data,
unsigned int length)
{
- (void)mbedtls_sha256_update(ctx, data, length);
+ (void)psa_hash_update(ctx, data, length);
}
static void my_sha256_final(unsigned char *digest, void *ctx)
{
- (void)mbedtls_sha256_finish(ctx, digest);
+ size_t actual_length;
+ (void)psa_hash_finish(ctx, digest, CURL_SHA256_DIGEST_LENGTH,
+ &actual_length);
}
#elif defined(AN_APPLE_OS)
/* #define MBEDTLS_DEBUG */
#include <mbedtls/version.h>
-#if MBEDTLS_VERSION_NUMBER < 0x03020000
- #error "mbedTLS 3.2.0 or later required"
-#endif
+#include <psa/crypto_config.h>
#include <mbedtls/net_sockets.h>
#include <mbedtls/ssl.h>
#include <mbedtls/x509.h>
+#include <mbedtls/psa_util.h>
+
+#if MBEDTLS_VERSION_NUMBER < 0x04000000
+#define CURL_MBEDTLS_DRBG
+#endif
#include <mbedtls/error.h>
+#ifdef CURL_MBEDTLS_DRBG
#include <mbedtls/entropy.h>
#include <mbedtls/ctr_drbg.h>
-#include <mbedtls/sha256.h>
+#endif
#ifdef MBEDTLS_DEBUG
#include <mbedtls/debug.h>
#endif
#endif
struct mbed_ssl_backend_data {
+#ifdef CURL_MBEDTLS_DRBG
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
+#endif
mbedtls_ssl_context ssl;
mbedtls_x509_crt cacert;
mbedtls_x509_crt clicert;
#define mbedtls_strerror(a,b,c) b[0] = 0
#endif
-#ifdef HAS_THREADING_SUPPORT
+#if defined(CURL_MBEDTLS_DRBG) && defined(HAS_THREADING_SUPPORT)
static mbedtls_entropy_context ts_entropy;
static int entropy_init_initialized = 0;
return ret;
}
-#endif /* HAS_THREADING_SUPPORT */
+#endif /* CURL_MBEDTLS_DRBG && HAS_THREADING_SUPPORT */
#ifdef MBEDTLS_DEBUG
static void mbed_debug(void *context, int level, const char *f_name,
return CURLE_NOT_BUILT_IN;
}
+#ifdef CURL_MBEDTLS_DRBG
#ifdef HAS_THREADING_SUPPORT
mbedtls_ctr_drbg_init(&backend->ctr_drbg);
return CURLE_FAILED_INIT;
}
#endif /* HAS_THREADING_SUPPORT */
+#endif /* CURL_MBEDTLS_DRBG */
/* Load the trusted CA */
mbedtls_x509_crt_init(&backend->cacert);
if(ssl_config->key || ssl_config->key_blob) {
if(ssl_config->key) {
#ifdef MBEDTLS_FS_IO
+#if MBEDTLS_VERSION_NUMBER >= 0x04000000
+ ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key,
+ ssl_config->key_passwd);
+ if(ret == 0 && !(mbedtls_pk_can_do_psa(&backend->pk,
+ PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH),
+ PSA_KEY_USAGE_SIGN_HASH) ||
+ mbedtls_pk_can_do_psa(&backend->pk,
+ MBEDTLS_PK_ALG_ECDSA(PSA_ALG_ANY_HASH),
+ PSA_KEY_USAGE_SIGN_HASH)))
+ ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
+#else
ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key,
ssl_config->key_passwd,
mbedtls_ctr_drbg_random,
if(ret == 0 && !(mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_RSA) ||
mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_ECKEY)))
ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
+#endif
if(ret) {
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
const unsigned char *key_data =
(const unsigned char *)ssl_key_blob->data;
const char *passwd = ssl_config->key_passwd;
+#if MBEDTLS_VERSION_NUMBER >= 0x04000000
+ ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len,
+ (const unsigned char *)passwd,
+ passwd ? strlen(passwd) : 0);
+ if(ret == 0 && !(mbedtls_pk_can_do_psa(&backend->pk,
+ PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH),
+ PSA_KEY_USAGE_SIGN_HASH) ||
+ mbedtls_pk_can_do_psa(&backend->pk,
+ MBEDTLS_PK_ALG_ECDSA(PSA_ALG_ANY_HASH),
+ PSA_KEY_USAGE_SIGN_HASH)))
+ ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
+#else
ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len,
(const unsigned char *)passwd,
passwd ? strlen(passwd) : 0,
if(ret == 0 && !(mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_RSA) ||
mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_ECKEY)))
ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
+#endif
if(ret) {
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
return CURLE_SSL_CONNECT_ERROR;
}
-#ifdef MBEDTLS_SSL_SESSION_TICKETS
- /* New in mbedTLS 3.6.1, need to enable, default is now disabled */
+#if MBEDTLS_VERSION_NUMBER < 0x04000000 && defined(MBEDTLS_SSL_SESSION_TICKETS)
+ /* New in mbedTLS 3.6.1, need to enable, default is now disabled.
+ 4.0.0 enabled it by default for TLSv1.3. */
mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(&backend->config,
MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED);
#endif
if(ret != CURLE_OK)
return ret;
+#ifdef CURL_MBEDTLS_DRBG
mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random,
&backend->ctr_drbg);
+#endif
ret = mbedtls_ssl_setup(&backend->ssl, &backend->config);
if(ret) {
Curl_safefree(backend->ciphersuites);
mbedtls_ssl_config_free(&backend->config);
mbedtls_ssl_free(&backend->ssl);
+#ifdef CURL_MBEDTLS_DRBG
mbedtls_ctr_drbg_free(&backend->ctr_drbg);
#ifndef HAS_THREADING_SUPPORT
mbedtls_entropy_free(&backend->entropy);
-#endif /* HAS_THREADING_SUPPORT */
+#endif /* !HAS_THREADING_SUPPORT */
+#endif
backend->initialized = FALSE;
}
}
static CURLcode mbedtls_random(struct Curl_easy *data,
unsigned char *entropy, size_t length)
{
-#ifdef MBEDTLS_CTR_DRBG_C
- int ret;
- mbedtls_entropy_context ctr_entropy;
- mbedtls_ctr_drbg_context ctr_drbg;
- mbedtls_entropy_init(&ctr_entropy);
- mbedtls_ctr_drbg_init(&ctr_drbg);
+ psa_status_t status;
(void)data;
- ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
- &ctr_entropy, NULL, 0);
-
- if(!ret)
- ret = mbedtls_ctr_drbg_random(&ctr_drbg, entropy, length);
+ status = psa_generate_random(entropy, length);
- mbedtls_ctr_drbg_free(&ctr_drbg);
- mbedtls_entropy_free(&ctr_entropy);
-
- return ret == 0 ? CURLE_OK : CURLE_FAILED_INIT;
-#elif defined(MBEDTLS_HAVEGE_C)
- mbedtls_havege_state hs;
- mbedtls_havege_init(&hs);
- mbedtls_havege_random(&hs, entropy, length);
- mbedtls_havege_free(&hs);
- return CURLE_OK;
-#else
- return CURLE_NOT_BUILT_IN;
-#endif
+ return status == PSA_SUCCESS ? CURLE_OK : CURLE_FAILED_INIT;
}
static CURLcode mbedtls_connect(struct Curl_cfilter *cf,
{
if(!Curl_mbedtlsthreadlock_thread_setup())
return 0;
-#ifdef HAS_THREADING_SUPPORT
+#if defined(CURL_MBEDTLS_DRBG) && defined(HAS_THREADING_SUPPORT)
entropy_init_mutex(&ts_entropy);
#endif
-#ifdef MBEDTLS_USE_PSA_CRYPTO /* requires mbedTLS 3.6.0+ */
- {
- int ret;
-#ifdef HAS_THREADING_SUPPORT
- Curl_mbedtlsthreadlock_lock_function(0);
-#endif
- ret = psa_crypto_init();
-#ifdef HAS_THREADING_SUPPORT
- Curl_mbedtlsthreadlock_unlock_function(0);
-#endif
- if(ret != PSA_SUCCESS)
- return 0;
- }
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
return 1;
}
static void mbedtls_cleanup(void)
{
-#ifdef HAS_THREADING_SUPPORT
+#if defined(CURL_MBEDTLS_DRBG) && defined(HAS_THREADING_SUPPORT)
entropy_cleanup_mutex(&ts_entropy);
#endif
(void)Curl_mbedtlsthreadlock_thread_cleanup();
unsigned char *sha256sum,
size_t sha256len)
{
- (void)sha256len;
- /* returns 0 on success, otherwise failure */
- if(mbedtls_sha256(input, inputlen, sha256sum, 0) != 0)
+#if defined(PSA_WANT_ALG_SHA_256) && PSA_WANT_ALG_SHA_256 /* mbedTLS 4+ */
+ psa_status_t status;
+ size_t sha256len_actual;
+ status = psa_hash_compute(PSA_ALG_SHA_256, input, inputlen,
+ sha256sum, sha256len,
+ &sha256len_actual);
+ if(status != PSA_SUCCESS)
return CURLE_BAD_FUNCTION_ARGUMENT;
return CURLE_OK;
+#else
+ (void)sha256len;
+ return Curl_sha256it(sha256sum, input, inputlen);
+#endif
}
static void *mbedtls_get_internals(struct ssl_connect_data *connssl,
if false; then
LIBCURL_PC_REQUIRES_PRIVATE="$LIBCURL_PC_REQUIRES_PRIVATE mbedtls mbedx509 mbedcrypto"
fi
+
+ mbedtls_4=0
+ AC_MSG_CHECKING([for mbedTLS >= v4])
+ AC_COMPILE_IFELSE([
+ AC_LANG_PROGRAM([[
+ #include <mbedtls/version.h>
+ ]],[[
+ #if (MBEDTLS_VERSION_NUMBER >= 0x04000000)
+ return 0;
+ #else
+ #error older than 4
+ #endif
+ ]])
+ ],[
+ mbedtls_4=1
+ AC_MSG_RESULT([yes])
+ ],[
+ AC_MSG_RESULT([no])
+ ])
fi
fi dnl mbedTLS not disabled
{
int errorcount = 0;
CURLFORMcode rc;
- int res;
+ CURLcode res = CURLE_OK;
+ int formres = 0;
struct curl_httppost *post = NULL;
struct curl_httppost *last = NULL;
size_t total_size = 0;
char buffer[] = "test buffer";
+ global_init(CURL_GLOBAL_ALL);
+
rc = curl_formadd(&post, &last, CURLFORM_COPYNAME, "name",
CURLFORM_COPYCONTENTS, "content", CURLFORM_END);
t1308_fail_unless(rc == 0, "curl_formadd returned error");
CURLFORM_PTRCONTENTS, buffer, CURLFORM_END);
t1308_fail_unless(rc == 0, "curl_formadd returned error");
- res = curl_formget(post, &total_size, print_httppost_callback);
- t1308_fail_unless(res == 0, "curl_formget returned error");
+ formres = curl_formget(post, &total_size, print_httppost_callback);
+ t1308_fail_unless(formres == 0, "curl_formget returned error");
t1308_fail_unless(total_size == 518, "curl_formget got wrong size back");
CURLFORM_END);
t1308_fail_unless(rc == 0, "curl_formadd returned error");
- res = curl_formget(post, &total_size, print_httppost_callback);
+ formres = curl_formget(post, &total_size, print_httppost_callback);
- t1308_fail_unless(res == 0, "curl_formget returned error");
+ t1308_fail_unless(formres == 0, "curl_formget returned error");
t1308_fail_unless(total_size == 899, "curl_formget got wrong size back");
curl_formfree(post);
+ curl_global_cleanup();
+
return errorcount ? TEST_ERR_FAILURE : CURLE_OK;
}
projects / thirdparty / curl.git / commitdiff
