From: Sergio R. Caprile <scaprile@cesanta.com>
Date: Fri, 12 Dec 2025 22:32:42 +0000 (-0300)
Subject: Add support for MbedTLS 4
X-Git-Url: https://git.feebdaed.xyz/?a=commitdiff_plain;h=e15056a9e4d1250e3e0f12f5dac51bf76a8a1617;p=0xmirror%2Fmongoose.git

Add support for MbedTLS 4
---

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 7d32f72a..8da9406a 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -163,7 +163,7 @@ jobs:
     name: macos SSL=${{ matrix.ssl }} TFLAGS=${{ matrix.select }}
     env:
       SSL: ${{ matrix.ssl }}
-      TFLAGS: ${{ matrix.select }} -DMQTT_LOCALHOST ${{ matrix.env.tflags }} -DNO_ABORT -Wno-sign-conversion # Workaround for MbedTLS 3.5.0
+      TFLAGS: ${{ matrix.select }} -DMQTT_LOCALHOST ${{ matrix.env.tflags }} -DNO_ABORT -Wno-sign-conversion -Wno-undef # Workarounds for MbedTLS
       HOMEBREW_NO_AUTO_UPDATE: 1
     steps:
     - uses: actions/checkout@v4
diff --git a/mongoose.c b/mongoose.c
index 55ed7435..4e7541c5 100644
--- a/mongoose.c
+++ b/mongoose.c
@@ -15265,7 +15265,8 @@ void mg_tls_ctx_free(struct mg_mgr *mgr) {
 
 #if MG_TLS == MG_TLS_MBED
 
-#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000
+#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000 && \
+    MBEDTLS_VERSION_NUMBER < 0x04000000
 #define MG_MBEDTLS_RNG_GET , mg_mbed_rng, NULL
 #else
 #define MG_MBEDTLS_RNG_GET
@@ -15278,11 +15279,14 @@ static int mg_tls_err(struct mg_connection *c, int rc) {
   return rc;
 }
 
+#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x04000000
+#else
 static int mg_mbed_rng(void *ctx, unsigned char *buf, size_t len) {
   mg_random(buf, len);
   (void) ctx;
   return 0;
 }
+#endif
 
 static bool mg_load_cert(struct mg_str str, mbedtls_x509_crt *p) {
   int rc;
@@ -15320,7 +15324,7 @@ void mg_tls_free(struct mg_connection *c) {
 #endif
 #if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000 && \
     defined(MBEDTLS_PSA_CRYPTO_C)
-    mbedtls_psa_crypto_free(); // https://github.com/Mbed-TLS/mbedtls/issues/9223#issuecomment-2144898336
+    mbedtls_psa_crypto_free();  // https://github.com/Mbed-TLS/mbedtls/issues/9223#issuecomment-2144898336
 #endif
     mg_free(tls);
     c->tls = NULL;
@@ -15398,7 +15402,11 @@ void mg_tls_init(struct mg_connection *c, const struct mg_tls_opts *opts) {
     mg_error(c, "tls defaults %#x", -mg_tls_err(c, rc));
     goto fail;
   }
+#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x04000000
+  MG_INFO(("PSA is in control of random number generation"));
+#else
   mbedtls_ssl_conf_rng(&tls->conf, mg_mbed_rng, c);
+#endif
 
   if (opts->ca.len == 0 || mg_strcmp(opts->ca, mg_str("*")) == 0) {
     // NOTE: MBEDTLS_SSL_VERIFY_NONE is not supported for TLS1.3 on client side
@@ -15450,7 +15458,7 @@ size_t mg_tls_pending(struct mg_connection *c) {
 long mg_tls_recv(struct mg_connection *c, void *buf, size_t len) {
   struct mg_tls *tls = (struct mg_tls *) c->tls;
   long n = mbedtls_ssl_read(&tls->ssl, (unsigned char *) buf, len);
-  if (!c->is_tls_hs && buf == NULL && n == 0) return 0; // TODO(): MIP
+  if (!c->is_tls_hs && buf == NULL && n == 0) return 0;  // TODO(): MIP
   if (n == MBEDTLS_ERR_SSL_WANT_READ || n == MBEDTLS_ERR_SSL_WANT_WRITE)
     return MG_IO_WAIT;
 #if defined(MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET)
@@ -15474,10 +15482,11 @@ long mg_tls_send(struct mg_connection *c, const void *buf, size_t len) {
       (n == MBEDTLS_ERR_SSL_WANT_READ || n == MBEDTLS_ERR_SSL_WANT_WRITE);
   if (was_throttled) return MG_IO_WAIT;  // flushed throttled data instead
   if (c->is_tls_throttled) {
-    tls->throttled_buf = (unsigned char *)buf; // MbedTLS code actually ignores
-    tls->throttled_len = len; //  these, but let's play API rules
-    return (long) len;  // already encripted that when throttled
-  } // if last chunk fails to be sent, it needs to be flushed
+    tls->throttled_buf =
+        (unsigned char *) buf;  // MbedTLS code actually ignores
+    tls->throttled_len = len;   //  these, but let's play API rules
+    return (long) len;          // already encripted that when throttled
+  }  // if last chunk fails to be sent, it needs to be flushed
   if (n <= 0) return MG_IO_ERR;
   return n;
 }
@@ -15485,8 +15494,10 @@ long mg_tls_send(struct mg_connection *c, const void *buf, size_t len) {
 void mg_tls_flush(struct mg_connection *c) {
   struct mg_tls *tls = (struct mg_tls *) c->tls;
   if (c->is_tls_throttled) {
-    long n = mbedtls_ssl_write(&tls->ssl, tls->throttled_buf, tls->throttled_len);
-    c->is_tls_throttled = (n == MBEDTLS_ERR_SSL_WANT_READ || n == MBEDTLS_ERR_SSL_WANT_WRITE);
+    long n =
+        mbedtls_ssl_write(&tls->ssl, tls->throttled_buf, tls->throttled_len);
+    c->is_tls_throttled =
+        (n == MBEDTLS_ERR_SSL_WANT_READ || n == MBEDTLS_ERR_SSL_WANT_WRITE);
   }
 }
 
@@ -15498,9 +15509,14 @@ void mg_tls_ctx_init(struct mg_mgr *mgr) {
 #ifdef MBEDTLS_SSL_SESSION_TICKETS
     int rc;
     mbedtls_ssl_ticket_init(&ctx->tickets);
+#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x04000000
+    if ((rc = mbedtls_ssl_ticket_setup(&ctx->tickets, PSA_ALG_GCM,
+                                       PSA_KEY_TYPE_AES, 128, 86400))
+#else
     if ((rc = mbedtls_ssl_ticket_setup(&ctx->tickets, mg_mbed_rng, NULL,
-                                       MBEDTLS_CIPHER_AES_128_GCM, 86400)) !=
-        0) {
+                                       MBEDTLS_CIPHER_AES_128_GCM, 86400))
+#endif
+        != 0) {
       MG_ERROR((" mbedtls_ssl_ticket_setup %#x", -rc));
     }
 #endif
diff --git a/src/tls_mbed.c b/src/tls_mbed.c
index ac7321e2..ed416b17 100644
--- a/src/tls_mbed.c
+++ b/src/tls_mbed.c
@@ -6,7 +6,8 @@
 
 #if MG_TLS == MG_TLS_MBED
 
-#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000
+#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000 && \
+    MBEDTLS_VERSION_NUMBER < 0x04000000
 #define MG_MBEDTLS_RNG_GET , mg_mbed_rng, NULL
 #else
 #define MG_MBEDTLS_RNG_GET
@@ -19,11 +20,14 @@ static int mg_tls_err(struct mg_connection *c, int rc) {
   return rc;
 }
 
+#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x04000000
+#else
 static int mg_mbed_rng(void *ctx, unsigned char *buf, size_t len) {
   mg_random(buf, len);
   (void) ctx;
   return 0;
 }
+#endif
 
 static bool mg_load_cert(struct mg_str str, mbedtls_x509_crt *p) {
   int rc;
@@ -61,7 +65,7 @@ void mg_tls_free(struct mg_connection *c) {
 #endif
 #if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x03000000 && \
     defined(MBEDTLS_PSA_CRYPTO_C)
-    mbedtls_psa_crypto_free(); // https://github.com/Mbed-TLS/mbedtls/issues/9223#issuecomment-2144898336
+    mbedtls_psa_crypto_free();  // https://github.com/Mbed-TLS/mbedtls/issues/9223#issuecomment-2144898336
 #endif
     mg_free(tls);
     c->tls = NULL;
@@ -139,7 +143,11 @@ void mg_tls_init(struct mg_connection *c, const struct mg_tls_opts *opts) {
     mg_error(c, "tls defaults %#x", -mg_tls_err(c, rc));
     goto fail;
   }
+#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x04000000
+  MG_INFO(("PSA is in control of random number generation"));
+#else
   mbedtls_ssl_conf_rng(&tls->conf, mg_mbed_rng, c);
+#endif
 
   if (opts->ca.len == 0 || mg_strcmp(opts->ca, mg_str("*")) == 0) {
     // NOTE: MBEDTLS_SSL_VERIFY_NONE is not supported for TLS1.3 on client side
@@ -191,7 +199,7 @@ size_t mg_tls_pending(struct mg_connection *c) {
 long mg_tls_recv(struct mg_connection *c, void *buf, size_t len) {
   struct mg_tls *tls = (struct mg_tls *) c->tls;
   long n = mbedtls_ssl_read(&tls->ssl, (unsigned char *) buf, len);
-  if (!c->is_tls_hs && buf == NULL && n == 0) return 0; // TODO(): MIP
+  if (!c->is_tls_hs && buf == NULL && n == 0) return 0;  // TODO(): MIP
   if (n == MBEDTLS_ERR_SSL_WANT_READ || n == MBEDTLS_ERR_SSL_WANT_WRITE)
     return MG_IO_WAIT;
 #if defined(MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET)
@@ -215,10 +223,11 @@ long mg_tls_send(struct mg_connection *c, const void *buf, size_t len) {
       (n == MBEDTLS_ERR_SSL_WANT_READ || n == MBEDTLS_ERR_SSL_WANT_WRITE);
   if (was_throttled) return MG_IO_WAIT;  // flushed throttled data instead
   if (c->is_tls_throttled) {
-    tls->throttled_buf = (unsigned char *)buf; // MbedTLS code actually ignores
-    tls->throttled_len = len; //  these, but let's play API rules
-    return (long) len;  // already encripted that when throttled
-  } // if last chunk fails to be sent, it needs to be flushed
+    tls->throttled_buf =
+        (unsigned char *) buf;  // MbedTLS code actually ignores
+    tls->throttled_len = len;   //  these, but let's play API rules
+    return (long) len;          // already encripted that when throttled
+  }  // if last chunk fails to be sent, it needs to be flushed
   if (n <= 0) return MG_IO_ERR;
   return n;
 }
@@ -226,8 +235,10 @@ long mg_tls_send(struct mg_connection *c, const void *buf, size_t len) {
 void mg_tls_flush(struct mg_connection *c) {
   struct mg_tls *tls = (struct mg_tls *) c->tls;
   if (c->is_tls_throttled) {
-    long n = mbedtls_ssl_write(&tls->ssl, tls->throttled_buf, tls->throttled_len);
-    c->is_tls_throttled = (n == MBEDTLS_ERR_SSL_WANT_READ || n == MBEDTLS_ERR_SSL_WANT_WRITE);
+    long n =
+        mbedtls_ssl_write(&tls->ssl, tls->throttled_buf, tls->throttled_len);
+    c->is_tls_throttled =
+        (n == MBEDTLS_ERR_SSL_WANT_READ || n == MBEDTLS_ERR_SSL_WANT_WRITE);
   }
 }
 
@@ -239,9 +250,14 @@ void mg_tls_ctx_init(struct mg_mgr *mgr) {
 #ifdef MBEDTLS_SSL_SESSION_TICKETS
     int rc;
     mbedtls_ssl_ticket_init(&ctx->tickets);
+#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= 0x04000000
+    if ((rc = mbedtls_ssl_ticket_setup(&ctx->tickets, PSA_ALG_GCM,
+                                       PSA_KEY_TYPE_AES, 128, 86400))
+#else
     if ((rc = mbedtls_ssl_ticket_setup(&ctx->tickets, mg_mbed_rng, NULL,
-                                       MBEDTLS_CIPHER_AES_128_GCM, 86400)) !=
-        0) {
+                                       MBEDTLS_CIPHER_AES_128_GCM, 86400))
+#endif
+        != 0) {
       MG_ERROR((" mbedtls_ssl_ticket_setup %#x", -rc));
     }
 #endif