From 1883ba3175bb9018f37616e995e961c81d19e063 Mon Sep 17 00:00:00 2001 From: Benjamin Sergeant Date: Thu, 21 May 2026 15:49:38 -0700 Subject: [PATCH] Fix mbedTLS 4.x compatibility: guard removed APIs behind version checks mbedTLS 4.0 removed ctr_drbg/entropy headers and APIs in favour of the PSA Crypto RNG, and dropped the rng parameters from mbedtls_pk_parse_keyfile and mbedtls_ssl_conf_rng. Guard all affected includes and call-sites with MBEDTLS_VERSION_MAJOR < 4 preprocessor checks, and replace runtime version if-checks with compile-time #if for psa_crypto_init / mbedtls_psa_crypto_free. Fixes #577 Co-Authored-By: Claude Sonnet 4.6 --- ixwebsocket/IXSocketMbedTLS.cpp | 27 ++++++++++++++++----------- ixwebsocket/IXSocketMbedTLS.h | 7 ++++++- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/ixwebsocket/IXSocketMbedTLS.cpp b/ixwebsocket/IXSocketMbedTLS.cpp index 33843020..2866ce20 100644 --- a/ixwebsocket/IXSocketMbedTLS.cpp +++ b/ixwebsocket/IXSocketMbedTLS.cpp @@ -42,18 +42,18 @@ namespace ix mbedtls_ssl_init(&_ssl); mbedtls_ssl_config_init(&_conf); +#if MBEDTLS_VERSION_MAJOR < 4 mbedtls_ctr_drbg_init(&_ctr_drbg); mbedtls_entropy_init(&_entropy); +#endif mbedtls_x509_crt_init(&_cacert); mbedtls_x509_crt_init(&_cert); mbedtls_pk_init(&_pkey); - // Initialize the PSA Crypto API if required by the version of Mbed TLS (3.6.0). - // This allows the X.509/TLS libraries to use PSA for crypto operations. + // Initialize the PSA Crypto API for mbedTLS 3.6+ and all 4.x releases. // See: https://github.com/Mbed-TLS/mbedtls/blob/development/docs/use-psa-crypto.md - if (MBEDTLS_VERSION_MAJOR >= 3 && MBEDTLS_VERSION_MINOR >= 6 && MBEDTLS_VERSION_PATCH >= 0) - { - psa_crypto_init(); - } +#if MBEDTLS_VERSION_MAJOR >= 4 || (MBEDTLS_VERSION_MAJOR == 3 && MBEDTLS_VERSION_MINOR >= 6) + psa_crypto_init(); +#endif } bool SocketMbedTLS::loadSystemCertificates(std::string& errorMsg) 
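Review bot: The status returned by `psa_crypto_init()` is discarded in the constructor. On mbedTLS 4.x the commit message describes PSA Crypto as the replacement for the ctr_drbg/entropy RNG, so a failed initialisation would only surface later as an unrelated TLS error. Consider keeping the result, e.g. `_psaInitOk = (psa_crypto_init() == PSA_SUCCESS);` (the member name is a placeholder), and having the TLS setup path return false with a clear `errMsg` when it is not set. The constructor begins above this hunk, so the rest of its body is not visible here.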
@@ -112,6 +112,7 @@ namespace ix const char* pers = "IXSocketMbedTLS"; +#if MBEDTLS_VERSION_MAJOR < 4 if (mbedtls_ctr_drbg_seed(&_ctr_drbg, mbedtls_entropy_func, &_entropy, @@ -121,6 +122,7 @@ namespace ix errMsg = "Setting entropy seed failed"; return false; } +#endif if (mbedtls_ssl_config_defaults(&_conf, (isClient) ? MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER, @@ -131,7 +133,9 @@ namespace ix return false; } +#if MBEDTLS_VERSION_MAJOR < 4 mbedtls_ssl_conf_rng(&_conf, mbedtls_ctr_drbg_random, &_ctr_drbg); +#endif if (_tlsOptions.hasCertAndKey()) { @@ -140,7 +144,7 @@ namespace ix errMsg = "Cannot parse cert file '" + _tlsOptions.certFile + "'"; return false; } -#ifdef IXWEBSOCKET_USE_MBED_TLS_MIN_VERSION_3 +#if MBEDTLS_VERSION_MAJOR == 3 if (mbedtls_pk_parse_keyfile(&_pkey, _tlsOptions.keyFile.c_str(), "", mbedtls_ctr_drbg_random, &_ctr_drbg) < 0) #else if (mbedtls_pk_parse_keyfile(&_pkey, _tlsOptions.keyFile.c_str(), "") < 0) @@ -317,15 +321,16 @@ namespace ix mbedtls_ssl_free(&_ssl); mbedtls_ssl_config_free(&_conf); +#if MBEDTLS_VERSION_MAJOR < 4 mbedtls_ctr_drbg_free(&_ctr_drbg); mbedtls_entropy_free(&_entropy); +#endif mbedtls_x509_crt_free(&_cacert); mbedtls_x509_crt_free(&_cert); mbedtls_pk_free(&_pkey); - if (MBEDTLS_VERSION_MAJOR >= 3 && MBEDTLS_VERSION_MINOR >= 6 && MBEDTLS_VERSION_PATCH >= 0) - { - mbedtls_psa_crypto_free(); - } +#if MBEDTLS_VERSION_MAJOR >= 4 || (MBEDTLS_VERSION_MAJOR == 3 && MBEDTLS_VERSION_MINOR >= 6) + mbedtls_psa_crypto_free(); +#endif Socket::close(); } diff --git a/ixwebsocket/IXSocketMbedTLS.h b/ixwebsocket/IXSocketMbedTLS.h index 9dd73f50..2fb662d0 100644 --- a/ixwebsocket/IXSocketMbedTLS.h +++ b/ixwebsocket/IXSocketMbedTLS.h @@ -9,9 +9,12 @@ #include "IXSocket.h" #include "IXSocketTLSOptions.h" +#include +#if MBEDTLS_VERSION_MAJOR < 4 #include -#include #include +#endif +#include #include #include #include 
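Review bot: `mbedtls_psa_crypto_free()` in the `-317` hunk tears down PSA state for the whole process rather than for this socket, and the corrected guard now runs it on every 4.x build, where PSA also supplies the RNG. If another `SocketMbedTLS` is still open, or this object is reused after `close()`, later TLS calls would presumably fail with a bad-state error, because the matching `psa_crypto_init()` sits in the constructor and not in the connect path. I would drop the per-socket free, or pair init and free through a process-wide reference count. The function containing these lines starts outside the hunk.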
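Review bot: The `#if MBEDTLS_VERSION_MAJOR < 4` guards in `IXSocketMbedTLS.h` depend on the include added just above them defining the macro, and the header name is not visible in this view. An undefined identifier in `#if` evaluates to 0, so a missing version header would silently select the pre-4 branch and pull in the removed ctr_drbg/entropy headers. A check right after that include makes the dependency explicit: `#ifndef MBEDTLS_VERSION_MAJOR` / `#error "mbedTLS version macros not available"` / `#endif`. The same macro decides the private member layout in the following hunk, so every translation unit that includes this header needs to see the same mbedTLS version as the library build.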
@@ -41,8 +44,10 @@ namespace ix private: mbedtls_ssl_context _ssl; mbedtls_ssl_config _conf; +#if MBEDTLS_VERSION_MAJOR < 4 mbedtls_entropy_context _entropy; mbedtls_ctr_drbg_context _ctr_drbg; +#endif mbedtls_x509_crt _cacert; mbedtls_x509_crt _cert; mbedtls_pk_context _pkey;