mbedtls: Update to version 3.6.0

This adds support for mbedtls 3.6.0.
The 3.6 version is the next LTS version of mbedtls.
This version supports TLS 1.3.

This switches to download using git. The codeload tar file misses some
git submodules.

Add some extra options added in mbedtls 3.6.0.

The size of the compressed ipkg increases:
230933 bin/packages/mips_24kc/base/libmbedtls13_2.28.7-r2_mips_24kc.ipk
300154 bin/packages/mips_24kc/base/libmbedtls14_3.6.0-r1_mips_24kc.ipk

The removed patch was integrated upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit is contained in:
Hauke Mehrtens 2023-11-09 00:00:09 +01:00
parent 00a1671248
commit 0e06642643
4 changed files with 63 additions and 206 deletions

View File

@ -187,6 +187,43 @@ config MBEDTLS_VERSION_FEATURES
bool "MBEDTLS_VERSION_FEATURES" bool "MBEDTLS_VERSION_FEATURES"
default n default n
config MBEDTLS_PSA_CRYPTO_CLIENT
bool "MBEDTLS_PSA_CRYPTO_CLIENT"
config MBEDTLS_DEPRECATED_WARNING
bool "MBEDTLS_DEPRECATED_WARNING"
default n
config MBEDTLS_SSL_PROTO_TLS1_2
bool "MBEDTLS_SSL_PROTO_TLS1_2"
default y
config MBEDTLS_SSL_PROTO_TLS1_3
bool "MBEDTLS_SSL_PROTO_TLS1_3"
select MBEDTLS_PSA_CRYPTO_CLIENT
select MBEDTLS_HKDF_C
default y
config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
bool "MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE"
depends on MBEDTLS_SSL_PROTO_TLS1_3
default y
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED"
depends on MBEDTLS_SSL_PROTO_TLS1_3
default y
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED"
depends on MBEDTLS_SSL_PROTO_TLS1_3
default y
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED"
depends on MBEDTLS_SSL_PROTO_TLS1_3
default y
comment "Build Options" comment "Build Options"
config MBEDTLS_ENTROPY_FORCE_SHA256 config MBEDTLS_ENTROPY_FORCE_SHA256
@ -195,6 +232,7 @@ config MBEDTLS_ENTROPY_FORCE_SHA256
config MBEDTLS_SSL_RENEGOTIATION config MBEDTLS_SSL_RENEGOTIATION
bool "MBEDTLS_SSL_RENEGOTIATION" bool "MBEDTLS_SSL_RENEGOTIATION"
depends on MBEDTLS_SSL_PROTO_TLS1_2
default n default n
endif endif

View File

@ -8,13 +8,14 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=mbedtls PKG_NAME:=mbedtls
PKG_VERSION:=2.28.8 PKG_VERSION:=3.6.0
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)? PKG_SOURCE_URL=https://github.com/Mbed-TLS/mbedtls.git
PKG_HASH:=4fef7de0d8d542510d726d643350acb3cdb9dc76ad45611b59c9aa08372b4213 PKG_SOURCE_VERSION:=2ca6c285a0dd3f33982dd57299012dacab1ff206
PKG_MIRROR_HASH:=a684012126590b4e0b6ab41e244cc2af0d2bcfc4b6c94bf42fc37d2d08f0553e
PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE:=GPL-2.0-or-later
PKG_LICENSE_FILES:=gpl-2.0.txt PKG_LICENSE_FILES:=gpl-2.0.txt
@ -55,7 +56,10 @@ MBEDTLS_BUILD_OPTS_CIPHERS= \
CONFIG_MBEDTLS_NIST_KW_C \ CONFIG_MBEDTLS_NIST_KW_C \
CONFIG_MBEDTLS_RIPEMD160_C \ CONFIG_MBEDTLS_RIPEMD160_C \
CONFIG_MBEDTLS_RSA_NO_CRT \ CONFIG_MBEDTLS_RSA_NO_CRT \
CONFIG_MBEDTLS_XTEA_C CONFIG_MBEDTLS_XTEA_C \
CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
MBEDTLS_BUILD_OPTS= \ MBEDTLS_BUILD_OPTS= \
$(MBEDTLS_BUILD_OPTS_CURVES) \ $(MBEDTLS_BUILD_OPTS_CURVES) \
@ -73,7 +77,12 @@ MBEDTLS_BUILD_OPTS= \
CONFIG_MBEDTLS_THREADING_C \ CONFIG_MBEDTLS_THREADING_C \
CONFIG_MBEDTLS_THREADING_PTHREAD \ CONFIG_MBEDTLS_THREADING_PTHREAD \
CONFIG_MBEDTLS_VERSION_C \ CONFIG_MBEDTLS_VERSION_C \
CONFIG_MBEDTLS_VERSION_FEATURES CONFIG_MBEDTLS_VERSION_FEATURES \
CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT \
CONFIG_MBEDTLS_DEPRECATED_WARNING \
CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 \
CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 \
CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS) PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS)
@ -96,7 +105,7 @@ $(call Package/mbedtls/Default)
CATEGORY:=Libraries CATEGORY:=Libraries
SUBMENU:=SSL SUBMENU:=SSL
TITLE+= (library) TITLE+= (library)
ABI_VERSION:=13 ABI_VERSION:=21
MENU:=1 MENU:=1
endef endef
@ -137,7 +146,7 @@ define Build/Prepare
$(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))), $(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))),
$(foreach opt,$(MBEDTLS_BUILD_OPTS), $(foreach opt,$(MBEDTLS_BUILD_OPTS),
$(PKG_BUILD_DIR)/scripts/config.py \ $(PKG_BUILD_DIR)/scripts/config.py \
-f $(PKG_BUILD_DIR)/include/mbedtls/config.h \ -f $(PKG_BUILD_DIR)/include/mbedtls/mbedtls_config.h \
$(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt))),) $(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt))),)
endef endef
@ -150,6 +159,12 @@ define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/lib $(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib/ $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.a $(1)/usr/lib/ $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.a $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) \
$(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedcrypto.pc \
$(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedtls.pc \
$(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedx509.pc \
$(1)/usr/lib/pkgconfig/
endef endef
define Package/libmbedtls/install define Package/libmbedtls/install

View File

@ -1,197 +0,0 @@
From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Sun, 23 Oct 2022 19:48:18 -0400
Subject: [PATCH] x509 crt verify SAN iPAddress
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
---
include/mbedtls/x509_crt.h | 2 +-
library/x509_crt.c | 126 ++++++++++++++++++++++++++++++-------
2 files changed, 103 insertions(+), 25 deletions(-)
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -596,7 +596,7 @@ int mbedtls_x509_crt_verify_info(char *b
* \param cn The expected Common Name. This will be checked to be
* present in the certificate's subjectAltNames extension or,
* if this extension is absent, as a CN component in its
- * Subject name. Currently only DNS names are supported. This
+ * Subject name. DNS names and IP addresses are supported. This
* may be \c NULL if the CN need not be verified.
* \param flags The address at which to store the result of the verification.
* If the verification couldn't be completed, the flag value is
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -45,6 +45,10 @@
#if defined(MBEDTLS_HAVE_TIME)
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#define WIN32_LEAN_AND_MEAN
+#ifndef _WIN32_WINNT
+#define _WIN32_WINNT 0x0600
+#endif
#include <windows.h>
#else
#include <time.h>
@@ -2990,6 +2994,61 @@ find_parent:
}
}
+#ifdef _WIN32
+#ifdef _MSC_VER
+#pragma comment(lib, "ws2_32.lib")
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#endif
+#elif defined(__sun)
+/* Solaris requires -lsocket -lnsl for inet_pton() */
+#elif defined(__has_include)
+#if __has_include(<sys/socket.h>)
+#include <sys/socket.h>
+#endif
+#if __has_include(<arpa/inet.h>)
+#include <arpa/inet.h>
+#endif
+#endif
+
+/* Use whether or not AF_INET6 is defined to indicate whether or not to use
+ * the platform inet_pton() or a local implementation (below). The local
+ * implementation may be used even in cases where the platform provides
+ * inet_pton(), e.g. when there are different includes required and/or the
+ * platform implementation requires dependencies on additional libraries.
+ * Specifically, Windows requires custom includes and additional link
+ * dependencies, and Solaris requires additional link dependencies.
+ * Also, as a coarse heuristic, use the local implementation if the compiler
+ * does not support __has_include(), or if the definition of AF_INET6 is not
+ * provided by headers included (or not) via __has_include() above. */
+#ifndef AF_INET6
+
+#define x509_cn_inet_pton(cn, dst) (0)
+
+#else
+
+static int x509_inet_pton_ipv6(const char *src, void *dst)
+{
+ return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1;
+}
+
+static int x509_inet_pton_ipv4(const char *src, void *dst)
+{
+ return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1;
+}
+
+#endif /* AF_INET6 */
+
+static size_t x509_cn_inet_pton(const char *cn, void *dst)
+{
+ return strchr(cn, ':') == NULL
+ ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0
+ : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0;
+}
+
/*
* Check for CN match
*/
@@ -3010,24 +3069,51 @@ static int x509_crt_check_cn(const mbedt
return -1;
}
+static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
+ const char *cn, size_t cn_len)
+{
+ uint32_t ip[4];
+ cn_len = x509_cn_inet_pton(cn, ip);
+ if (cn_len == 0) {
+ return -1;
+ }
+
+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
+ const unsigned char san_type = (unsigned char) cur->buf.tag &
+ MBEDTLS_ASN1_TAG_VALUE_MASK;
+ if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
+ cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) {
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
/*
* Check for SAN match, see RFC 5280 Section 4.2.1.6
*/
-static int x509_crt_check_san(const mbedtls_x509_buf *name,
+static int x509_crt_check_san(const mbedtls_x509_sequence *san,
const char *cn, size_t cn_len)
{
- const unsigned char san_type = (unsigned char) name->tag &
- MBEDTLS_ASN1_TAG_VALUE_MASK;
-
- /* dNSName */
- if (san_type == MBEDTLS_X509_SAN_DNS_NAME) {
- return x509_crt_check_cn(name, cn, cn_len);
+ int san_ip = 0;
+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
+ switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
+ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */
+ if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
+ return 0;
+ }
+ break;
+ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */
+ san_ip = 1;
+ break;
+ /* (We may handle other types here later.) */
+ default: /* Unrecognized type */
+ break;
+ }
}
- /* (We may handle other types here later.) */
-
- /* Unrecognized type */
- return -1;
+ return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1;
}
/*
@@ -3038,31 +3124,23 @@ static void x509_crt_verify_name(const m
uint32_t *flags)
{
const mbedtls_x509_name *name;
- const mbedtls_x509_sequence *cur;
size_t cn_len = strlen(cn);
if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
- for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) {
- if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) {
- break;
- }
- }
-
- if (cur == NULL) {
- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+ if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) {
+ return;
}
} else {
for (name = &crt->subject; name != NULL; name = name->next) {
if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
- break;
+ return;
}
}
- if (name == NULL) {
- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
- }
}
+
+ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
}
/*

View File

@ -1,7 +1,8 @@
--- a/programs/CMakeLists.txt --- a/programs/CMakeLists.txt
+++ b/programs/CMakeLists.txt +++ b/programs/CMakeLists.txt
@@ -1,12 +1,8 @@ @@ -1,13 +1,9 @@
add_subdirectory(aes) add_subdirectory(aes)
add_subdirectory(cipher)
-if (NOT WIN32) -if (NOT WIN32)
- add_subdirectory(fuzz) - add_subdirectory(fuzz)
-endif() -endif()