[mbedtls] fix version check to correctly handle mbedtls v3.x and v4.0 (#12861)

Previously, version checks used `<= 0x03060500` to guard mbedtls v3.x
APIs, incorrectly treating any version above 3.6.5 (e.g. 3.6.6+) as
v4.0. Replace these checks with `< 0x04000000` to properly cover all
v3.x releases.
Zhangwx
2026-04-10 04:18:26 +08:00
committed by GitHub
parent 51353c41d5
commit b3ab4df0e8
5 changed files with 17 additions and 17 deletions
+3 -3
@@ -48,7 +48,7 @@
#if OPENTHREAD_CONFIG_TLS_ENABLE
#include <mbedtls/debug.h>
#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) && (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) && (MBEDTLS_VERSION_NUMBER < 0x04000000)
#include <mbedtls/ecjpake.h>
#include "crypto/mbedtls.hpp"
#endif
@@ -150,7 +150,7 @@ template <> otError TcpExample::Process<Cmd("init")>(Arg aArgs[])
mbedtls_ssl_init(&mSslContext);
mbedtls_ssl_config_init(&mSslConfig);
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
mbedtls_ssl_conf_rng(&mSslConfig, Crypto::MbedTls::CryptoSecurePrng, nullptr);
#endif
mbedtls_ssl_conf_authmode(&mSslConfig, MBEDTLS_SSL_VERIFY_NONE);
@@ -164,7 +164,7 @@ template <> otError TcpExample::Process<Cmd("init")>(Arg aArgs[])
mbedtls_ssl_conf_max_version(&mSslConfig, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
#endif
#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) && (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) && (MBEDTLS_VERSION_NUMBER < 0x04000000)
int rv = mbedtls_pk_parse_key(&mPKey, reinterpret_cast<const unsigned char *>(sSrvKey), sSrvKeyLength,
nullptr, 0, Crypto::MbedTls::CryptoSecurePrng, nullptr);
#else
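Review bot: The guard around `mbedtls_ssl_conf_rng` in the `init` handler has no lower bound, while the include of `crypto/mbedtls.hpp` at the top of the file is compiled only for `>= 0x03000000`. On an mbedtls 2.x build, `Crypto::MbedTls::CryptoSecurePrng` is therefore used without this block having pulled in its declaration. Unless that header is included elsewhere in the file (not visible in these hunks), I would move `#include "crypto/mbedtls.hpp"` out of the 3.x-only guard and keep only `<mbedtls/ecjpake.h>` inside it. The body of `Process<Cmd("init")>` starts and ends outside the hunks.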
+2 -2
@@ -45,7 +45,7 @@
#include <mbedtls/version.h>
#include <mbedtls/x509_crt.h>
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h>
#endif
@@ -163,7 +163,7 @@ private:
mbedtls_ssl_config mSslConfig;
mbedtls_x509_crt mSrvCert;
mbedtls_pk_context mPKey;
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
mbedtls_entropy_context mEntropy;
#endif
#endif // OPENTHREAD_CONFIG_TLS_ENABLE
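Review bot: The boundary `0x04000000` is now spelled out in 17 separate guards across the five files of this commit, which is why the earlier `<= 0x03060500` bound had to be corrected at every site. I would define it once in a shared header, for example `#define OT_MBEDTLS_LEGACY_API (MBEDTLS_VERSION_NUMBER < 0x04000000)` (the name is only a suggestion), and write `#if OT_MBEDTLS_LEGACY_API` here and at the other sites. A one-line comment on that macro naming what the guard protects (`mbedtls_ssl_conf_rng`, the entropy and CTR_DRBG headers and contexts) would document why it exists.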
+1 -1
@@ -34,7 +34,7 @@
#include <openthread/random_crypto.h>
#include <mbedtls/version.h>
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
#include <mbedtls/ctr_drbg.h>
#endif
+9 -9
@@ -33,7 +33,7 @@
#include "mbedtls.hpp"
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h>
#endif
@@ -71,7 +71,7 @@ Error MbedTls::MapError(int aMbedTlsError)
switch (aMbedTlsError)
{
#if OPENTHREAD_CONFIG_ECDSA_ENABLE
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
case MBEDTLS_ERR_ECP_BAD_INPUT_DATA:
case MBEDTLS_ERR_MPI_BAD_INPUT_DATA:
#endif
@@ -88,7 +88,7 @@ Error MbedTls::MapError(int aMbedTlsError)
case MBEDTLS_ERR_PK_INVALID_PUBKEY:
case MBEDTLS_ERR_PK_INVALID_ALG:
case MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE:
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
case MBEDTLS_ERR_PK_BAD_INPUT_DATA:
#endif
case MBEDTLS_ERR_X509_SIG_MISMATCH:
@@ -107,7 +107,7 @@ Error MbedTls::MapError(int aMbedTlsError)
case MBEDTLS_ERR_X509_INVALID_EXTENSIONS:
case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
#endif // MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
case MBEDTLS_ERR_SSL_BAD_INPUT_DATA:
case MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG:
case MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG:
@@ -117,7 +117,7 @@ Error MbedTls::MapError(int aMbedTlsError)
error = kErrorInvalidArgs;
break;
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
#if OPENTHREAD_CONFIG_ECDSA_ENABLE
case MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL:
case MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL:
@@ -135,7 +135,7 @@ Error MbedTls::MapError(int aMbedTlsError)
case PSA_ERROR_BUFFER_TOO_SMALL:
#endif
case MBEDTLS_ERR_SSL_WANT_WRITE:
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
case MBEDTLS_ERR_ENTROPY_MAX_SOURCES:
#endif
error = kErrorNoBufs;
@@ -143,13 +143,13 @@ Error MbedTls::MapError(int aMbedTlsError)
#ifdef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
case MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE:
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
case MBEDTLS_ERR_PK_SIG_LEN_MISMATCH:
#endif
case MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE:
case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
#endif // MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
case MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED:
case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
@@ -158,7 +158,7 @@ Error MbedTls::MapError(int aMbedTlsError)
#if (MBEDTLS_VERSION_NUMBER < 0x03000000)
case MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED:
#endif
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
case MBEDTLS_ERR_THREADING_BAD_INPUT_DATA:
#endif
case MBEDTLS_ERR_THREADING_MUTEX_ERROR:
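Review bot: On a 4.x build the entropy and CTR_DRBG failure cases in the `-143` hunk (`MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED`, `MBEDTLS_ERR_ENTROPY_SOURCE_FAILED`, `MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED`) compile out, and the only PSA status visible in these hunks is `PSA_ERROR_BUFFER_TOO_SMALL`. I cannot tell from here whether a random-generator failure reported through PSA is mapped explicitly or falls through to the switch default. If it is not mapped, consider adding `case PSA_ERROR_INSUFFICIENT_ENTROPY:` to the same group under a matching `#else`, so that an RNG failure stays distinguishable from a generic error. `MapError` starts and ends outside the hunks.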
+2 -2
@@ -199,7 +199,7 @@ Error SecureSession::Setup(void)
}
#endif
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
mbedtls_ssl_conf_rng(&mConf, Crypto::MbedTls::CryptoSecurePrng, nullptr);
#endif
#if (MBEDTLS_VERSION_NUMBER >= 0x03020000)
@@ -280,7 +280,7 @@ Error SecureSession::Setup(void)
if (mIsServer)
{
#if (MBEDTLS_VERSION_NUMBER <= 0x03060500)
#if (MBEDTLS_VERSION_NUMBER < 0x04000000)
rval = mbedtls_ssl_cookie_setup(&mCookieCtx, Crypto::MbedTls::CryptoSecurePrng, nullptr);
#else
rval = mbedtls_ssl_cookie_setup(&mCookieCtx);
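Review bot: Nothing in `SecureSession::Setup` says where randomness comes from once the `mbedtls_ssl_conf_rng` call and the RNG argument of `mbedtls_ssl_cookie_setup` are compiled out for 4.x. As far as I know, mbedtls 4.x draws from the PSA random generator, which requires `psa_crypto_init()` to have succeeded before the handshake; that call is not visible in these hunks. I would add a comment on the `#else` branch such as `// mbedtls >= 4.0: cookie and TLS randomness come from the PSA RNG; psa_crypto_init() must already have run.` The function body starts and ends outside the hunks.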