Skip to content

Fix build with mbedtls v3.6 PSA but without TLS 1.3 or session tickets #16044

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Fix build with mbedtls v3.6 PSA but without TLS 1.3 or session tickets #16044

wants to merge 3 commits into from

Conversation

misch7
Copy link
Contributor

@misch7 misch7 commented Jan 18, 2025

Problems

  1. Build fails when support for session tickets is disabled (thus HAS_SESSION_TICKETS undefined in lib/vtls/mbedtls.c).
  2. Runtime error for all TLS connections when built with MBEDTLS_USE_PSA_CRYPTO but without TLS 1.3 support:
$ ./build/bin/curl --insecure --verbose --head https://curl.se
* ssl_handshake returned: (-0x3E80) PK - Bad input parameters to function
curl: (35) ssl_handshake returned: (-0x3E80) PK - Bad input parameters to function

Solutions

  1. mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets requires the conditionals that are already covered by HAS_SESSION_TICKETS, see include/mbedtls/ssl.h (and the lines above).
    MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED always resolves to 1 because it is only meant as a boolean parameter for the function.

  2. When Mbed TLS is built with PSA, it must always be initialized regardless of the TLS 1.3 support.

@github-actions github-actions bot added the TLS label Jan 18, 2025
bagder
bagder reviewed Jan 18, 2025
View reviewed changes
@bagder
Copy link
Member

bagder commented Jan 19, 2025

Ah, can you just rebase this again and force-push? I believe my symbol fix in the mean time made it conflict a little.

@misch7 misch7 force-pushed the fix/mbedtls-3.6-build-psa branch from 86fd6dd to 656fed0 Compare January 19, 2025 14:51
@misch7
Copy link
Contributor Author

misch7 commented Jan 19, 2025

Ah, can you just rebase this again and force-push? I believe my symbol fix in the mean time made it conflict a little.

Done and also fancier now with less commits. ^^

bagder
bagder reviewed Jan 20, 2025
View reviewed changes
@bagder bagder closed this in 11ea103 Jan 29, 2025
@bagder
Copy link
Member

bagder commented Jan 29, 2025

Thanks!

@bagder
Copy link
Member

bagder commented Jan 29, 2025

Related blog post, since @misch7 also happened to become curl commit author number 1337

https://daniel.haxx.se/blog/2025/01/29/a-1337-curl-author/

@misch7
Copy link
Contributor Author

misch7 commented Jan 30, 2025

Thank you @bagder ! I feel honoured and I also want take the opportunity to thank you for curl as well as all fellow contributors of the past and the future.

pps83 pushed a commit to pps83/curl that referenced this pull request Apr 26, 2025
@misch7 @pps83
mbedtls: PSA can be used independently of TLS 1.3 (avoid runtime errors)
03a5deb 
Closes curl#16044
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@icing icing icing left review comments

@bagder bagder bagder approved these changes

Assignees
No one assigned
Labels
TLS
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@misch7 @bagder @icing