From de4ef9d169a182350796afca778742bf68052af4 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@nbd.name>
Date: Thu, 18 Apr 2024 21:58:13 +0200
Subject: [PATCH] curl: fix SSL init with mbedtls 3.6

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 ...dtls_ssl_setup-after-RNG-callback-is.patch | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 net/curl/patches/100-mbedtls-call-mbedtls_ssl_setup-after-RNG-callback-is.patch

diff --git a/net/curl/patches/100-mbedtls-call-mbedtls_ssl_setup-after-RNG-callback-is.patch b/net/curl/patches/100-mbedtls-call-mbedtls_ssl_setup-after-RNG-callback-is.patch
new file mode 100644
index 0000000000..5f8dd940f3
--- /dev/null
+++ b/net/curl/patches/100-mbedtls-call-mbedtls_ssl_setup-after-RNG-callback-is.patch
@@ -0,0 +1,45 @@
+From: Kailun Qin <kailun.qin@intel.com>
+Date: Mon, 8 Apr 2024 05:13:56 -0400
+Subject: [PATCH] mbedtls: call mbedtls_ssl_setup() after RNG callback is set
+
+Since mbedTLS v3.6.0, the RNG check added in ssl_conf_check() will fail
+if no RNG is provided when calling mbedtls_ssl_setup().
+
+Therefore, mbedtls_ssl_conf_rng() needs to be called before the SSL
+context is passed to mbedtls_ssl_setup().
+
+Ref: https://github.com/Mbed-TLS/mbedtls/commit/b422cab052b51ec84758638d6783d6ba4fc60613
+
+Signed-off-by: Kailun Qin <kailun.qin@intel.com>
+Closes #13314
+---
+
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -602,10 +602,6 @@ mbed_connect_step1(struct Curl_cfilter *
+   }
+ 
+   mbedtls_ssl_init(&backend->ssl);
+-  if(mbedtls_ssl_setup(&backend->ssl, &backend->config)) {
+-    failf(data, "mbedTLS: ssl_init failed");
+-    return CURLE_SSL_CONNECT_ERROR;
+-  }
+ 
+   /* new profile with RSA min key len = 1024 ... */
+   mbedtls_ssl_conf_cert_profile(&backend->config,
+@@ -639,6 +635,15 @@ mbed_connect_step1(struct Curl_cfilter *
+ 
+   mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random,
+                        &backend->ctr_drbg);
++
++  ret = mbedtls_ssl_setup(&backend->ssl, &backend->config);
++  if(ret) {
++    mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
++    failf(data, "ssl_setup failed - mbedTLS: (-0x%04X) %s",
++          -ret, errorbuf);
++    return CURLE_SSL_CONNECT_ERROR;
++  }
++
+   mbedtls_ssl_set_bio(&backend->ssl, cf,
+                       mbedtls_bio_cf_write,
+                       mbedtls_bio_cf_read,
-- 
2.30.2