From: Glenn Strauss Date: Sat, 27 Dec 2025 06:14:14 +0000 (-0500) Subject: lighttpd: mbedtls 3.x EC certs require drbg init X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=ff9fe4b10184d8b13cf8a9555f91c3d767135061;p=feed%2Fpackages.git lighttpd: mbedtls 3.x EC certs require drbg init EC certs require drbg init with mbedtls >= 3.0.0 in addition to MBEDTLS_USE_PSA_CRYPTO requiring drbg init x-ref: "mbedtls error with ec certificates" https://redmine.lighttpd.net/boards/2/topics/12097 "mod_mbedtls: ECDSA OpenSSL certificates do not work with lighttpd + mbedTLS/PSA (MBEDTLS_USE_PSA_CRYPTO)" https://redmine.lighttpd.net/issues/3288 Signed-off-by: Glenn Strauss --- diff --git a/net/lighttpd/patches/030-mod_mbedtls-EC-certs-require-drbg-init.patch b/net/lighttpd/patches/030-mod_mbedtls-EC-certs-require-drbg-init.patch new file mode 100644 index 0000000000..656d9d81c7 --- /dev/null +++ b/net/lighttpd/patches/030-mod_mbedtls-EC-certs-require-drbg-init.patch 
@@ -0,0 +1,37 @@ +From 37fe7397bc24c710437bef5f58cda87bd49f3d0b Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Sat, 29 Nov 2025 00:41:28 -0500 +Subject: [PATCH] [mod_mbedtls] EC certs require drbg init + +EC certs require drbg init with mbedtls >= 3.0.0 +in addition to MBEDTLS_USE_PSA_CRYPTO requiring drbg init + +x-ref: + "mbedtls error with ec certificates" + https://redmine.lighttpd.net/boards/2/topics/12097 + "mod_mbedtls: ECDSA OpenSSL certificates do not work with lighttpd + mbedTLS/PSA (MBEDTLS_USE_PSA_CRYPTO)" + https://redmine.lighttpd.net/issues/3288 +--- + src/mod_mbedtls.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/mod_mbedtls.c ++++ b/src/mod_mbedtls.c +@@ -1229,7 +1229,7 @@ __attribute_noinline__ + static void * + network_mbedtls_load_pemfile (server *srv, const buffer *pemfile, const buffer *privkey) + { +- #if defined(MBEDTLS_USE_PSA_CRYPTO) ++ #if MBEDTLS_VERSION_NUMBER >= 0x03000000 /* mbedtls 3.0.0 */ + if (!mod_mbedtls_init_once_mbedtls(srv)) + return NULL; + #endif +@@ -2120,7 +2120,7 @@ SETDEFAULTS_FUNC(mod_mbedtls_set_default + __attribute_fallthrough__ + case 2: /* ssl.ca-file */ + case 3: /* ssl.ca-dn-file */ +- #if defined(MBEDTLS_USE_PSA_CRYPTO) ++ #if MBEDTLS_VERSION_NUMBER >= 0x03000000 /* mbedtls 3.0.0 */ + if (!mod_mbedtls_init_once_mbedtls(srv)) return HANDLER_ERROR; + #endif /* else defer; not necessary for pemfile parsing */ + if (!buffer_is_blank(cpv->v.b)) {
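Review bot: in both inner hunks the condition `+#if MBEDTLS_VERSION_NUMBER >= 0x03000000` replaces `-#if defined(MBEDTLS_USE_PSA_CRYPTO)` rather than extending it, while the commit message says EC certs need drbg init with mbedtls >= 3.0.0 "in addition to" MBEDTLS_USE_PSA_CRYPTO requiring it; a 2.x build with MBEDTLS_USE_PSA_CRYPTO defined would no longer call mod_mbedtls_init_once_mbedtls() before network_mbedtls_load_pemfile() parses the key. Suggest `#if MBEDTLS_VERSION_NUMBER >= 0x03000000 || defined(MBEDTLS_USE_PSA_CRYPTO)` at both sites. Separately, an undefined macro evaluates to 0 inside `#if`, so confirm the header that defines MBEDTLS_VERSION_NUMBER is included before line 1229; otherwise the init is silently skipped on 3.x and the ECDSA failure from issue 3288 comes back with no compile-time signal.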
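Review bot: the outer diff only adds net/lighttpd/patches/030-mod_mbedtls-EC-certs-require-drbg-init.patch; no PKG_RELEASE bump in net/lighttpd/Makefile is visible, so a rebuilt package would carry the same version as the unpatched one and opkg would not see it as an upgrade. If the bump lands in a separate commit, say so in the message; otherwise include it here.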