From d679b15d31bd0b68dd88c3cf4d084cce02903627 Mon Sep 17 00:00:00 2001
From: Hauke Mehrtens
Date: Mon, 3 Apr 2023 00:52:52 +0200
Subject: [PATCH] mbedtls: Update to version 2.28.3
This only fixes minor problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3
The 100-fix-compile.patch patch was merged upstream, see:
https://github.com/Mbed-TLS/mbedtls/issues/6243
https://github.com/Mbed-TLS/mbedtls/pull/7013
The code style of all files in mbedtls 2.28.3 was changed. I took a new version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this pull request:
https://github.com/Mbed-TLS/mbedtls/pull/6475
Signed-off-by: Hauke Mehrtens
---
 package/libs/mbedtls/Makefile | 6 +-
 .../mbedtls/patches/100-fix-compile.patch | 22 ---
 .../100-x509-crt-verify-SAN-iPAddress.patch | 164 ++++++++++--------
 3 files changed, 93 insertions(+), 99 deletions(-)
 delete mode 100644 package/libs/mbedtls/patches/100-fix-compile.patch
diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index f86d4891908..a6a7ac39e91 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.28.2
-PKG_RELEASE:=2
+PKG_VERSION:=2.28.3
+PKG_RELEASE:=1
 PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=bc55232bf71fd66045122ba9050a29ea7cb2e8f99b064a9e6334a82f715881a0
+PKG_HASH:=bdf7c5bbdc338da3edad89b2885d4f8668f9a6fffeba6ec17a60333e36dade6f
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=gpl-2.0.txt
diff --git a/package/libs/mbedtls/patches/100-fix-compile.patch b/package/libs/mbedtls/patches/100-fix-compile.patch
deleted file mode 100644
index 411d3716994..00000000000
--- a/package/libs/mbedtls/patches/100-fix-compile.patch
+++ /dev/null
@@ -1,22 +0,0 @@ -Fix a compile problem introduced in commit 331c3421d1f0 ("Address review comments") - -Bug report: https://github.com/Mbed-TLS/mbedtls/issues/6243 - ---- a/programs/ssl/ssl_server2.c -+++ b/programs/ssl/ssl_server2.c -@@ -2529,7 +2529,6 @@ int main( int argc, char *argv[] ) - } - key_cert_init2 = 2; - #endif /* MBEDTLS_ECDSA_C */ -- } - - #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opt.key_opaque != 0 ) -@@ -2558,6 +2557,7 @@ int main( int argc, char *argv[] ) - } - #endif /* MBEDTLS_USE_PSA_CRYPTO */ - #endif /* MBEDTLS_CERTS_C */ -+ } - - mbedtls_printf( " ok (key types: %s - %s)\n", mbedtls_pk_get_name( &pkey ), mbedtls_pk_get_name( &pkey2 ) ); - #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ diff --git a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch b/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch index 357ec446491..c9802eac191 100644 --- a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch +++ b/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch @@ -1,17 +1,17 @@ -From 272d48fe7a2ff00285d4ee166d3a9beca1d5122f Mon Sep 17 00:00:00 2001 +From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Sun, 23 Oct 2022 19:48:18 -0400 -Subject: [PATCH 1/4] x509 crt verify SAN iPAddress +Subject: [PATCH] x509 crt verify SAN iPAddress Signed-off-by: Glenn Strauss --- include/mbedtls/x509_crt.h | 2 +- - library/x509_crt.c | 115 +++++++++++++++++++++++++++++-------- - 2 files changed, 93 insertions(+), 24 deletions(-) + library/x509_crt.c | 126 ++++++++++++++++++++++++++++++------- + 2 files changed, 103 insertions(+), 25 deletions(-) --- a/include/mbedtls/x509_crt.h 
+++ b/include/mbedtls/x509_crt.h -@@ -597,7 +597,7 @@ int mbedtls_x509_crt_verify_info( char * +@@ -608,7 +608,7 @@ int mbedtls_x509_crt_verify_info(char *b * \param cn The expected Common Name. This will be checked to be * present in the certificate's subjectAltNames extension or, * if this extension is absent, as a CN component in its @@ -22,12 +22,30 @@ Signed-off-by: Glenn Strauss * If the verification couldn't be completed, the flag value is --- a/library/x509_crt.c +++ b/library/x509_crt.c -@@ -2986,6 +2986,54 @@ find_parent: +@@ -57,6 +57,10 @@ + + #if defined(MBEDTLS_HAVE_TIME) + #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ++#define WIN32_LEAN_AND_MEAN ++#ifndef _WIN32_WINNT ++#define _WIN32_WINNT 0x0600 ++#endif + #include + #else + #include +@@ -2995,6 +2999,61 @@ find_parent: } } +#ifdef _WIN32 -+/* ??? */ ++#ifdef _MSC_VER ++#pragma comment(lib, "ws2_32.lib") ++#include ++#include ++#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600 ++#include ++#include ++#endif +#elif defined(__sun) +/* Solaris requires -lsocket -lnsl for inet_pton() */ +#elif defined(__has_include) @@ -51,128 +69,126 @@ 
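Review bot: The MinGW branch `#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600` relies on `_WIN32_WINNT`, but the only place this patch sets it (`#define _WIN32_WINNT 0x0600` in the first hunk of x509_crt.c) sits inside `#if defined(MBEDTLS_HAVE_TIME)`, so a MinGW build without MBEDTLS_HAVE_TIME appears to skip the socket headers unless the toolchain headers already define that macro. Presumably AF_INET6 is then undefined and the `#ifndef AF_INET6` fallback in the next hunk turns x509_cn_inet_pton() into `(0)`, which makes every iPAddress SAN fail to match and verification fail closed with MBEDTLS_X509_BADCERT_CN_MISMATCH, with no build-time indication that the feature is degraded. Hoisting the `_WIN32_WINNT` default out of the MBEDTLS_HAVE_TIME block, or emitting a `#warning` at the fallback, would make the degraded mode visible; at minimum the fallback deserves a comment such as `/* No inet_pton(): iPAddress SANs never match, so IP-based name verification fails closed */`.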
Signed-off-by: Glenn Strauss + * provided by headers included (or not) via __has_include() above. */ +#ifndef AF_INET6 + -+#define x509_cn_inet_pton( cn, dst ) ( 0 ) ++#define x509_cn_inet_pton(cn, dst) (0) + +#else + -+static int x509_inet_pton_ipv6( const char *src, void *dst ) ++static int x509_inet_pton_ipv6(const char *src, void *dst) +{ -+ return( inet_pton( AF_INET6, src, dst ) == 1 ? 0 : -1 ); ++ return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1; +} + -+static int x509_inet_pton_ipv4( const char *src, void *dst ) ++static int x509_inet_pton_ipv4(const char *src, void *dst) +{ -+ return( inet_pton( AF_INET, src, dst ) == 1 ? 0 : -1 ); ++ return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1; +} + +#endif /* AF_INET6 */ + -+static size_t x509_cn_inet_pton( const char *cn, void *dst ) ++static size_t x509_cn_inet_pton(const char *cn, void *dst) +{ -+ return( strchr( cn, ':' ) == NULL -+ ? x509_inet_pton_ipv4( cn, dst ) == 0 ? 4 : 0 -+ : x509_inet_pton_ipv6( cn, dst ) == 0 ? 16 : 0 ); ++ return strchr(cn, ':') == NULL ++ ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0 ++ : x509_inet_pton_ipv6(cn, dst) == 0 ? 
16 : 0; +} + /* * Check for CN match */ -@@ -3008,23 +3056,51 @@ static int x509_crt_check_cn( const mbed - return( -1 ); +@@ -3015,24 +3074,51 @@ static int x509_crt_check_cn(const mbedt + return -1; } -+static int x509_crt_check_san_ip( const mbedtls_x509_sequence *san, -+ const char *cn, size_t cn_len ) ++static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san, ++ const char *cn, size_t cn_len) +{ + uint32_t ip[4]; -+ cn_len = x509_cn_inet_pton( cn, ip ); -+ if( cn_len == 0 ) -+ return( -1 ); -+ -+ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next ) -+ { -+ const unsigned char san_type = (unsigned char) cur->buf.tag & -+ MBEDTLS_ASN1_TAG_VALUE_MASK; -+ if( san_type == MBEDTLS_X509_SAN_IP_ADDRESS && -+ cur->buf.len == cn_len && memcmp( cur->buf.p, ip, cn_len ) == 0 ) -+ return( 0 ); ++ cn_len = x509_cn_inet_pton(cn, ip); ++ if (cn_len == 0) { ++ return -1; + } + -+ return( -1 ); ++ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) { ++ const unsigned char san_type = (unsigned char) cur->buf.tag & ++ MBEDTLS_ASN1_TAG_VALUE_MASK; ++ if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS && ++ cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) { ++ return 0; ++ } ++ } ++ ++ return -1; +} + /* * Check for SAN match, see RFC 5280 Section 4.2.1.6 */ --static int x509_crt_check_san( const mbedtls_x509_buf *name, -+static int x509_crt_check_san( const mbedtls_x509_sequence *san, - const char *cn, size_t cn_len ) +-static int x509_crt_check_san(const mbedtls_x509_buf *name, ++static int x509_crt_check_san(const mbedtls_x509_sequence *san, + const char *cn, size_t cn_len) { - const unsigned char san_type = (unsigned char) name->tag & - MBEDTLS_ASN1_TAG_VALUE_MASK; - - /* dNSName */ -- if( san_type == MBEDTLS_X509_SAN_DNS_NAME ) -- return( x509_crt_check_cn( name, cn, cn_len ) ); -- -- /* (We may handle other types here later.) 
*/ +- if (san_type == MBEDTLS_X509_SAN_DNS_NAME) { +- return x509_crt_check_cn(name, cn, cn_len); + int san_ip = 0; -+ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next ) -+ { -+ switch( (unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK ) -+ { -+ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */ -+ if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 ) -+ return( 0 ); -+ break; -+ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */ -+ san_ip = 1; -+ break; -+ /* (We may handle other types here later.) */ -+ default: /* Unrecognized type */ -+ break; ++ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) { ++ switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) { ++ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */ ++ if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) { ++ return 0; ++ } ++ break; ++ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */ ++ san_ip = 1; ++ break; ++ /* (We may handle other types here later.) */ ++ default: /* Unrecognized type */ ++ break; + } -+ } + } +- /* (We may handle other types here later.) */ +- - /* Unrecognized type */ -- return( -1 ); -+ return( san_ip ? x509_crt_check_san_ip( san, cn, cn_len ) : -1 ); +- return -1; ++ return san_ip ? 
x509_crt_check_san_ip(san, cn, cn_len) : -1; } /* -@@ -3035,19 +3111,12 @@ static void x509_crt_verify_name( const - uint32_t *flags ) +@@ -3043,31 +3129,23 @@ static void x509_crt_verify_name(const m + uint32_t *flags) { const mbedtls_x509_name *name; - const mbedtls_x509_sequence *cur; - size_t cn_len = strlen( cn ); + size_t cn_len = strlen(cn); - if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) - { -- for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next ) -- { -- if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 ) + if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { +- for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) { +- if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) { - break; +- } - } - -- if( cur == NULL ) +- if (cur == NULL) { - *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; -+ if( x509_crt_check_san( &crt->subject_alt_names, cn, cn_len ) == 0 ) ++ if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) { + return; - } - else - { -@@ -3056,13 +3125,13 @@ static void x509_crt_verify_name( const - if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 && - x509_crt_check_cn( &name->val, cn, cn_len ) == 0 ) - { + } + } else { + for (name = &crt->subject; name != NULL; name = name->next) { + if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 && + x509_crt_check_cn(&name->val, cn, cn_len) == 0) { - break; + return; } } -- if( name == NULL ) +- if (name == NULL) { - *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; +- } } + + *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;