coap-mbedtls.c: Support 3.6.0 Mbed TLS

TLS1.3 is enabled by defeualt in 3.6.0. This PR fixes the supported encryption algorithms as well as handling a new session ticket indication for coaps+tcp://. However, if client certificates are not defined, then MbedTLS fails with no certificate CA, even if the CA Cert is presented along with the Server Cert during the processing of the server certificate and fails with "SSL - No CA Chain is set, but required to operate" when coaps+tcp:// is used. Workaround (with examples/coap-client) is to set the -R options (when the -c option is not set), or to programmatically call coap_context_set_pki_root_cas();
obgm · Jul 4, 2024 · 01ba051 · 01ba051
1 parent cab876a
commit 01ba051
Showing 1 changed file with 23 additions and 1 deletion.
diff --git a/src/coap_mbedtls.c b/src/coap_mbedtls.c
@@ -425,12 +425,19 @@ cert_verify_callback_mbedtls(void *data, mbedtls_x509_crt *crt,
                       "Self-signed",
                       cn ? cn : "?", depth);
       }
+    } else if (self_signed) {
+      if (!setup_data->verify_peer_cert) {
+        *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+        coap_log_info("   %s: %s: overridden: '%s' depth %d\n",
+                      coap_session_str(c_session),
+                      "Self-signed", cn ? cn : "?", depth);
+      }
     } else {
       if (!setup_data->verify_peer_cert) {
         *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;
         coap_log_info("   %s: %s: overridden: '%s' depth %d\n",
                       coap_session_str(c_session),
-                      "The certificate's CA does not match", cn ? cn : "?", depth);
+                      "The certificate's CA is not trusted", cn ? cn : "?", depth);
       }
     }
   }
@@ -1139,6 +1146,12 @@ set_ciphersuites(mbedtls_ssl_config *conf, coap_enc_method_t method) {
           /* Minimum of TLS1.2 required - skip */
         }
 #endif /* MBEDTLS_VERSION_NUMBER >= 0x03020000 */
+#if MBEDTLS_VERSION_NUMBER >= 0x03060000
+        else if (cur->min_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3) {
+          psk_count++;
+          pki_count++;
+        }
+#endif /* MBEDTLS_VERSION_NUMBER >= 0x03060000 */
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
         else if (coap_ssl_ciphersuite_uses_psk(cur)) {
           psk_count++;
@@ -1182,6 +1195,14 @@ set_ciphersuites(mbedtls_ssl_config *conf, coap_enc_method_t method) {
           /* Minimum of TLS1.2 required - skip */
         }
 #endif /* MBEDTLS_VERSION_NUMBER >= 0x03020000 */
+#if MBEDTLS_VERSION_NUMBER >= 0x03060000
+        else if (cur->min_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3) {
+          *psk_list = *list;
+          psk_list++;
+          *pki_list = *list;
+          pki_list++;
+        }
+#endif /* MBEDTLS_VERSION_NUMBER >= 0x03060000 */
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
         else if (coap_ssl_ciphersuite_uses_psk(cur)) {
           *psk_list = *list;
@@ -2525,6 +2546,7 @@ coap_tls_read(coap_session_t *c_session, uint8_t *data, size_t data_len) {
         m_env->sent_alert = 1;
         c_session->dtls_event = COAP_EVENT_DTLS_CLOSED;
         break;
+      case MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET:
       case MBEDTLS_ERR_SSL_WANT_READ:
         errno = EAGAIN;
         ret = 0;