ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-02-07 11:30:37 +00:00
Code Issues Actions 9 Packages Projects Releases Wiki Activity

mbedtls: Update to 2.28.8

Browse Source 
This contains a fix for:
CVE-2024-28960: An issue was discovered in Mbed TLS 2.18.0 through 2.28.x
before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto
API mishandles shared memory.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit is contained in:
Hauke Mehrtens 2024-04-21 17:40:09 +02:00
parent 9599a85dc2
commit 360ac07eb9
2 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
package/libs/mbedtls/Makefile
View File

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=mbedtls PKG_NAME:=mbedtls
PKG_VERSION:=2.28.7 PKG_VERSION:=2.28.8
PKG_RELEASE:=2 PKG_RELEASE:=1
PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)? PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=1df6073f0cf6a4e1953890bf5e0de2a8c7e6be50d6d6c69fa9fefcb1d14e981a PKG_HASH:=4fef7de0d8d542510d726d643350acb3cdb9dc76ad45611b59c9aa08372b4213
PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE:=GPL-2.0-or-later
PKG_LICENSE_FILES:=gpl-2.0.txt PKG_LICENSE_FILES:=gpl-2.0.txt

10
package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch
View File

@ -11,7 +11,7 @@ Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
--- a/include/mbedtls/x509_crt.h --- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h
@@ -608,7 +608,7 @@ int mbedtls_x509_crt_verify_info(char *b @@ -596,7 +596,7 @@ int mbedtls_x509_crt_verify_info(char *b
* \param cn The expected Common Name. This will be checked to be * \param cn The expected Common Name. This will be checked to be
* present in the certificate's subjectAltNames extension or, * present in the certificate's subjectAltNames extension or,
* if this extension is absent, as a CN component in its * if this extension is absent, as a CN component in its
@ -22,7 +22,7 @@ Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* If the verification couldn't be completed, the flag value is * If the verification couldn't be completed, the flag value is
--- a/library/x509_crt.c --- a/library/x509_crt.c
+++ b/library/x509_crt.c +++ b/library/x509_crt.c
@@ -57,6 +57,10 @@ @@ -45,6 +45,10 @@
#if defined(MBEDTLS_HAVE_TIME) #if defined(MBEDTLS_HAVE_TIME)
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
@ -33,7 +33,7 @@ Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
#include <windows.h> #include <windows.h>
#else #else
#include <time.h> #include <time.h>
@@ -3002,6 +3006,61 @@ find_parent: @@ -2990,6 +2994,61 @@ find_parent:
} }
} }
@ -95,7 +95,7 @@ Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
/* /*
* Check for CN match * Check for CN match
*/ */
@@ -3022,24 +3081,51 @@ static int x509_crt_check_cn(const mbedt @@ -3010,24 +3069,51 @@ static int x509_crt_check_cn(const mbedt
return -1; return -1;
} }
@ -158,7 +158,7 @@ Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
} }
/* /*
@@ -3050,31 +3136,23 @@ static void x509_crt_verify_name(const m @@ -3038,31 +3124,23 @@ static void x509_crt_verify_name(const m
uint32_t *flags) uint32_t *flags)
{ {
const mbedtls_x509_name *name; const mbedtls_x509_name *name;