mbedtls: check for feature macros instead of version

Drop three interim macros and mbedTLS version checks in favor of feature macros defined by mbedTLS itself. These mbedTLS features require mbedTLS 3.6.0/3.6.1 for production. Earlier versions may have partial/experimental support for them, disabled by default and (AFAICS) without documented build options to enable them. One feature guard already used the native macro instead of the interim one before this patch. (`MBEDTLS_SSL_SESSION_TICKETS`) Ref: https://github.com/curl/curl/pull/18254#issuecomment-3182668817 Closes #18271
2026-04-15 00:51:42 +03:00 · 2025-08-13 10:20:10 +02:00 · 2025-08-13 10:20:10 +02:00 · d63e40f8e6
commit d63e40f8e6
parent d10880eac8
1 changed files with 13 additions and 26 deletions
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@ -107,19 +107,6 @@ struct mbed_ssl_backend_data {
 #define mbedtls_strerror(a,b,c) b[0] = 0
 #endif

-/* PSA can be used independently of TLS 1.3 */
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && MBEDTLS_VERSION_NUMBER >= 0x03060000
-#define HAS_PSA_SUPPORT
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && MBEDTLS_VERSION_NUMBER >= 0x03060000
-#define HAS_TLS13_SUPPORT
-#endif
-
-#if defined(HAS_TLS13_SUPPORT) && defined(MBEDTLS_SSL_SESSION_TICKETS)
-#define HAS_SESSION_TICKETS
-#endif
-
 #ifdef HAS_THREADING_SUPPORT
 static mbedtls_entropy_context ts_entropy;

@ -260,7 +247,7 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,

  mbedtls_ssl_protocol_version ver_min = MBEDTLS_SSL_VERSION_TLS1_2;
  mbedtls_ssl_protocol_version ver_max =
-#ifdef HAS_TLS13_SUPPORT
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
    MBEDTLS_SSL_VERSION_TLS1_3
 #else
    MBEDTLS_SSL_VERSION_TLS1_2
@ -276,7 +263,7 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
    ver_min = MBEDTLS_SSL_VERSION_TLS1_2;
    break;
  case CURL_SSLVERSION_TLSv1_3:
-#ifdef HAS_TLS13_SUPPORT
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
    ver_min = MBEDTLS_SSL_VERSION_TLS1_3;
    break;
 #endif
@ -290,7 +277,7 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
  case CURL_SSLVERSION_MAX_DEFAULT:
  case CURL_SSLVERSION_MAX_NONE:
  case CURL_SSLVERSION_MAX_TLSv1_3:
-#ifdef HAS_TLS13_SUPPORT
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
    ver_max = MBEDTLS_SSL_VERSION_TLS1_3;
    break;
 #endif
@ -363,7 +350,7 @@ mbed_set_selected_ciphers(struct Curl_easy *data,
  if(!selected)
    return CURLE_OUT_OF_MEMORY;

-#ifndef HAS_TLS13_SUPPORT
+#ifndef MBEDTLS_SSL_PROTO_TLS1_3
  (void)ciphers13, (void)j;
 #else
  if(!ciphers13) {
@ -411,7 +398,7 @@ add_ciphers:
    selected[count++] = id;
  }

-#ifdef HAS_TLS13_SUPPORT
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
  if(ciphers == ciphers13 && ciphers12) {
    ciphers = ciphers12;
    goto add_ciphers;
@ -760,7 +747,7 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
    return CURLE_SSL_CONNECT_ERROR;
  }

-#if defined(HAS_SESSION_TICKETS) && MBEDTLS_VERSION_NUMBER >= 0x03060100
+#ifdef MBEDTLS_SSL_SESSION_TICKETS
  /* New in mbedTLS 3.6.1, need to enable, default is now disabled */
  mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(&backend->config,
    MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED);
@ -799,7 +786,7 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
                      mbedtls_bio_cf_read,
                      NULL /*  rev_timeout() */);

-#ifndef HAS_TLS13_SUPPORT
+#ifndef MBEDTLS_SSL_PROTO_TLS1_3
  if(conn_config->cipher_list) {
    CURLcode result = mbed_set_selected_ciphers(data, backend,
                                                conn_config->cipher_list,
@ -1149,7 +1136,7 @@ static CURLcode mbed_send(struct Curl_cfilter *cf, struct Curl_easy *data,
    CURL_TRC_CF(data, cf, "mbedtls_ssl_write(len=%zu) -> -0x%04X",
                len, -nwritten);
    result = ((nwritten == MBEDTLS_ERR_SSL_WANT_WRITE)
-#ifdef HAS_TLS13_SUPPORT
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
      || (nwritten == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET)
 #endif
      ) ? CURLE_AGAIN : CURLE_SEND_ERROR;
@ -1219,7 +1206,7 @@ static CURLcode mbedtls_shutdown(struct Curl_cfilter *cf,
     * WANT_READ, but has not encountered an EAGAIN. */
    if(ret == MBEDTLS_ERR_SSL_WANT_READ)
      ret = mbedtls_ssl_read(&backend->ssl, buf, sizeof(buf));
-#ifdef HAS_TLS13_SUPPORT
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
    if(ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET)
      continue;
 #endif
@ -1301,7 +1288,7 @@ static CURLcode mbed_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
    CURL_TRC_CF(data, cf, "mbedtls_ssl_read(len=%zu) -> -0x%04X",
                buffersize, -nread);
    switch(nread) {
-#ifdef HAS_SESSION_TICKETS
+#ifdef MBEDTLS_SSL_SESSION_TICKETS
    case MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET:
      mbed_new_session(cf, data);
      FALLTHROUGH();
@ -1431,7 +1418,7 @@ static int mbedtls_init(void)
 #ifdef HAS_THREADING_SUPPORT
  entropy_init_mutex(&ts_entropy);
 #endif
-#ifdef HAS_PSA_SUPPORT
+#ifdef MBEDTLS_USE_PSA_CRYPTO  /* requires mbedTLS 3.6.0+ */
  {
    int ret;
 #ifdef HAS_THREADING_SUPPORT
@ -1444,7 +1431,7 @@ static int mbedtls_init(void)
    if(ret != PSA_SUCCESS)
      return 0;
  }
-#endif /* HAS_PSA_SUPPORT */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
  return 1;
 }

@ -1498,7 +1485,7 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
  SSLSUPP_CERTINFO |
  SSLSUPP_PINNEDPUBKEY |
  SSLSUPP_SSL_CTX |
-#ifdef HAS_TLS13_SUPPORT
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3  /* requires mbedTLS 3.6.0+ */
  SSLSUPP_TLS13_CIPHERSUITES |
 #endif
  SSLSUPP_HTTPS_PROXY |