--- /dev/null
+--- a/src/mod_mbedtls.c
++++ b/src/mod_mbedtls.c
+@@ -3431,6 +3431,9 @@ static const int suite_ECJPAKE[] = {
+ #endif
+
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ static const int suite_AES_256[] = {
+ /* All AES-256 suites */
+ #ifdef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+@@ -3454,8 +3457,12 @@ static const int suite_AES_256[] = {
+ #endif
+ };
+ #endif
++#endif
+
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ static const int suite_CAMELLIA_256[] = {
+ /* All CAMELLIA-256 suites */
+ #ifdef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+@@ -3473,8 +3480,12 @@ static const int suite_CAMELLIA_256[] =
+ #endif
+ };
+ #endif
++#endif
+
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ static const int suite_ARIA_256[] = {
+ /* All ARIA-256 suites */
+ #ifdef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+@@ -3497,8 +3508,12 @@ static const int suite_ARIA_256[] = {
+ #endif
+ };
+ #endif
++#endif
+
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ static const int suite_AES_128[] = {
+ /* All AES-128 suites */
+ #ifdef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+@@ -3522,8 +3537,12 @@ static const int suite_AES_128[] = {
+ #endif
+ };
+ #endif
++#endif
+
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ static const int suite_CAMELLIA_128[] = {
+ /* All CAMELLIA-128 suites */
+ #ifdef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+@@ -3541,8 +3560,12 @@ static const int suite_CAMELLIA_128[] =
+ #endif
+ };
+ #endif
++#endif
+
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ static const int suite_ARIA_128[] = {
+ /* All ARIA-128 suites */
+ #ifdef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+@@ -3565,6 +3588,7 @@ static const int suite_ARIA_128[] = {
+ #endif
+ };
+ #endif
++#endif
+
+ #ifdef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+ static const int suite_RSA_PSK[] = {
+@@ -4593,11 +4617,15 @@ mod_mbedtls_ssl_conf_ciphersuites (serve
+ /sizeof(*suite_AES_256_ephemeral)));
+ if (-1 == nids) return 0;
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ nids = mod_mbedtls_ssl_append_ciphersuite(srv, ids, nids, idsz,
+ suite_AES_256,
+ (int)(sizeof(suite_AES_256)/sizeof(*suite_AES_256)));
+ if (-1 == nids) return 0;
+ #endif
++ #endif
+ /* XXX: not done: AES256 PSK suites */
+ if (nlen == sizeof("AES256")-1) continue;
+ }
+@@ -4610,11 +4638,15 @@ mod_mbedtls_ssl_conf_ciphersuites (serve
+ /sizeof(*suite_AES_128_ephemeral)));
+ if (-1 == nids) return 0;
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ nids = mod_mbedtls_ssl_append_ciphersuite(srv, ids, nids, idsz,
+ suite_AES_128,
+ (int)(sizeof(suite_AES_128)/sizeof(*suite_AES_128)));
+ if (-1 == nids) return 0;
+ #endif
++ #endif
+ /* XXX: not done: AES128 PSK suites */
+ continue;
+ }
+@@ -4627,12 +4659,16 @@ mod_mbedtls_ssl_conf_ciphersuites (serve
+ /sizeof(*suite_CAMELLIA_256_ephemeral)));
+ if (-1 == nids) return 0;
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ nids = mod_mbedtls_ssl_append_ciphersuite(srv, ids, nids, idsz,
+ suite_CAMELLIA_256,
+ (int)(sizeof(suite_CAMELLIA_256)
+ /sizeof(*suite_CAMELLIA_256)));
+ if (-1 == nids) return 0;
+ #endif
++ #endif
+ /* XXX: not done: CAMELLIA256 PSK suites */
+ if (nlen == sizeof("CAMELLIA256")-1) continue;
+ }
+@@ -4645,12 +4681,16 @@ mod_mbedtls_ssl_conf_ciphersuites (serve
+ /sizeof(*suite_CAMELLIA_128_ephemeral)));
+ if (-1 == nids) return 0;
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ nids = mod_mbedtls_ssl_append_ciphersuite(srv, ids, nids, idsz,
+ suite_CAMELLIA_128,
+ (int)(sizeof(suite_CAMELLIA_128)
+ /sizeof(*suite_CAMELLIA_128)));
+ if (-1 == nids) return 0;
+ #endif
++ #endif
+ /* XXX: not done: CAMELLIA128 PSK suites */
+ continue;
+ }
+@@ -4663,11 +4703,15 @@ mod_mbedtls_ssl_conf_ciphersuites (serve
+ /sizeof(*suite_ARIA_256_ephemeral)));
+ if (-1 == nids) return 0;
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ nids = mod_mbedtls_ssl_append_ciphersuite(srv, ids, nids, idsz,
+ suite_ARIA_256,
+ (int)(sizeof(suite_ARIA_256)/sizeof(*suite_ARIA_256)));
+ if (-1 == nids) return 0;
+ #endif
++ #endif
+ /* XXX: not done: ARIA256 PSK suites */
+ if (nlen == sizeof("ARIA256")-1) continue;
+ }
+@@ -4680,11 +4724,15 @@ mod_mbedtls_ssl_conf_ciphersuites (serve
+ /sizeof(*suite_ARIA_128_ephemeral)));
+ if (-1 == nids) return 0;
+ #if MBEDTLS_VERSION_NUMBER < 0x04000000 /* mbedtls 4.0.0 */
++ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) \
++ || defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ nids = mod_mbedtls_ssl_append_ciphersuite(srv, ids, nids, idsz,
+ suite_ARIA_128,
+ (int)(sizeof(suite_ARIA_128)/sizeof(*suite_ARIA_128)));
+ if (-1 == nids) return 0;
+ #endif
++ #endif
+ /* XXX: not done: ARIA128 PSK suites */
+ continue;
+ }
+++ /dev/null
-From 37fe7397bc24c710437bef5f58cda87bd49f3d0b Mon Sep 17 00:00:00 2001
-From: Glenn Strauss <gstrauss@gluelogic.com>
-Date: Sat, 29 Nov 2025 00:41:28 -0500
-Subject: [PATCH] [mod_mbedtls] EC certs require drbg init
-
-EC certs require drbg init with mbedtls >= 3.0.0
-in addition to MBEDTLS_USE_PSA_CRYPTO requiring drbg init
-
-x-ref:
- "mbedtls error with ec certificates"
- https://redmine.lighttpd.net/boards/2/topics/12097
- "mod_mbedtls: ECDSA OpenSSL certificates do not work with lighttpd + mbedTLS/PSA (MBEDTLS_USE_PSA_CRYPTO)"
- https://redmine.lighttpd.net/issues/3288
----
- src/mod_mbedtls.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/src/mod_mbedtls.c
-+++ b/src/mod_mbedtls.c
-@@ -1229,7 +1229,7 @@ __attribute_noinline__
- static void *
- network_mbedtls_load_pemfile (server *srv, const buffer *pemfile, const buffer *privkey)
- {
-- #if defined(MBEDTLS_USE_PSA_CRYPTO)
-+ #if MBEDTLS_VERSION_NUMBER >= 0x03000000 /* mbedtls 3.0.0 */
- if (!mod_mbedtls_init_once_mbedtls(srv))
- return NULL;
- #endif
-@@ -2120,7 +2120,7 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_default
- __attribute_fallthrough__
- case 2: /* ssl.ca-file */
- case 3: /* ssl.ca-dn-file */
-- #if defined(MBEDTLS_USE_PSA_CRYPTO)
-+ #if MBEDTLS_VERSION_NUMBER >= 0x03000000 /* mbedtls 3.0.0 */
- if (!mod_mbedtls_init_once_mbedtls(srv)) return HANDLER_ERROR;
- #endif /* else defer; not necessary for pemfile parsing */
- if (!buffer_is_blank(cpv->v.b)) {
git.99rst.org / openwrt-packages.git / commitdiff