mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-25 08:21:14 +00:00
7f64f5b11a
This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for following security issues: * Timing side channel in private key RSA operations (CVE-2024-23170) Mbed TLS is vulnerable to a timing side channel in private key RSA operations. This side channel could be sufficient for an attacker to recover the plaintext. A local attacker or a remote attacker who is close to the victim on the network might have precise enough timing measurements to exploit this. It requires the attacker to send a large number of messages for decryption. * Buffer overflow in mbedtls_x509_set_extension() (CVE-2024-23775) When writing x509 extensions we failed to validate inputs passed in to mbedtls_x509_set_extension(), which could result in an integer overflow, causing a zero-length buffer to be allocated to hold the extension. The extension would then be copied into the buffer, causing a heap buffer overflow. Fixes: CVE-2024-23170, CVE-2024-23775 References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/ References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/ Signed-off-by: orangepizza <tjtncks@gmail.com> Signed-off-by: Petr Štetiar <ynezz@true.cz> [formal fixes] (cherry picked from commit920414ca88
) (cherry picked from commitb5c728948c
)
137 lines
3.8 KiB
Makefile
137 lines
3.8 KiB
Makefile
#
|
|
# Copyright (C) 2011-2015 OpenWrt.org
|
|
#
|
|
# This is free software, licensed under the GNU General Public License v2.
|
|
# See /LICENSE for more information.
|
|
#
|
|
|
|
include $(TOPDIR)/rules.mk
|
|
|
|
PKG_NAME:=mbedtls
|
|
PKG_VERSION:=2.28.7
|
|
PKG_RELEASE:=1
|
|
PKG_USE_MIPS16:=0
|
|
|
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
|
PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
|
|
PKG_HASH:=1df6073f0cf6a4e1953890bf5e0de2a8c7e6be50d6d6c69fa9fefcb1d14e981a
|
|
|
|
PKG_LICENSE:=GPL-2.0-or-later
|
|
PKG_LICENSE_FILES:=gpl-2.0.txt
|
|
PKG_CPE_ID:=cpe:/a:arm:mbed_tls
|
|
|
|
PKG_CONFIG_DEPENDS := \
|
|
CONFIG_LIBMBEDTLS_DEBUG_C \
|
|
CONFIG_LIBMBEDTLS_HKDF_C
|
|
|
|
include $(INCLUDE_DIR)/package.mk
|
|
include $(INCLUDE_DIR)/cmake.mk
|
|
|
|
define Package/mbedtls/Default
|
|
TITLE:=Embedded SSL
|
|
URL:=https://tls.mbed.org
|
|
endef
|
|
|
|
define Package/mbedtls/Default/description
|
|
The aim of the mbedtls project is to provide a quality, open-source
|
|
cryptographic library written in C and targeted at embedded systems.
|
|
endef
|
|
|
|
define Package/libmbedtls
|
|
$(call Package/mbedtls/Default)
|
|
SECTION:=libs
|
|
CATEGORY:=Libraries
|
|
SUBMENU:=SSL
|
|
TITLE+= (library)
|
|
ABI_VERSION:=12
|
|
endef
|
|
|
|
define Package/libmbedtls/config
|
|
config LIBMBEDTLS_DEBUG_C
|
|
depends on PACKAGE_libmbedtls
|
|
bool "Enable debug functions"
|
|
default n
|
|
help
|
|
This option enables mbedtls library's debug functions.
|
|
|
|
It increases the uncompressed libmbedtls binary size
|
|
by around 60 KiB (for an ARMv5 platform).
|
|
|
|
Usually, you don't need this, so don't select this if you're unsure.
|
|
|
|
config LIBMBEDTLS_HKDF_C
|
|
depends on PACKAGE_libmbedtls
|
|
bool "Enable the HKDF algorithm (RFC 5869)"
|
|
default n
|
|
help
|
|
This option adds support for the Hashed Message Authentication Code
|
|
(HMAC)-based key derivation function (HKDF).
|
|
endef
|
|
|
|
define Package/mbedtls-util
|
|
$(call Package/mbedtls/Default)
|
|
SECTION:=utils
|
|
CATEGORY:=Utilities
|
|
TITLE+= (utilities)
|
|
DEPENDS:=+libmbedtls
|
|
endef
|
|
|
|
define Package/libmbedtls/description
|
|
$(call Package/mbedtls/Default/description)
|
|
This package contains the mbedtls library.
|
|
endef
|
|
|
|
define Package/mbedtls-util/description
|
|
$(call Package/mbedtls/Default/description)
|
|
This package contains mbedtls helper programs for private key and
|
|
CSR generation (gen_key, cert_req)
|
|
endef
|
|
|
|
TARGET_CFLAGS += -ffunction-sections -fdata-sections
|
|
TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS))
|
|
|
|
CMAKE_OPTIONS += \
|
|
-DUSE_SHARED_MBEDTLS_LIBRARY:Bool=ON \
|
|
-DENABLE_TESTING:Bool=OFF \
|
|
-DENABLE_PROGRAMS:Bool=ON
|
|
|
|
define Build/Configure
|
|
$(Build/Configure/Default)
|
|
|
|
awk 'BEGIN { rc = 1 } \
|
|
/#define MBEDTLS_DEBUG_C/ { $$$$0 = "$(if $(CONFIG_LIBMBEDTLS_DEBUG_C),,// )#define MBEDTLS_DEBUG_C"; rc = 0 } \
|
|
{ print } \
|
|
END { exit(rc) }' $(PKG_BUILD_DIR)/include/mbedtls/config.h \
|
|
>$(PKG_BUILD_DIR)/include/mbedtls/config.h.new && \
|
|
mv $(PKG_BUILD_DIR)/include/mbedtls/config.h.new $(PKG_BUILD_DIR)/include/mbedtls/config.h
|
|
|
|
awk 'BEGIN { rc = 1 } \
|
|
/#define MBEDTLS_HKDF_C/ { $$$$0 = "$(if $(CONFIG_LIBMBEDTLS_HKDF_C),,// )#define MBEDTLS_HKDF_C"; rc = 0 } \
|
|
{ print } \
|
|
END { exit(rc) }' $(PKG_BUILD_DIR)/include/mbedtls/config.h \
|
|
>$(PKG_BUILD_DIR)/include/mbedtls/config.h.new && \
|
|
mv $(PKG_BUILD_DIR)/include/mbedtls/config.h.new $(PKG_BUILD_DIR)/include/mbedtls/config.h
|
|
endef
|
|
|
|
define Build/InstallDev
|
|
$(INSTALL_DIR) $(1)/usr/include
|
|
$(CP) $(PKG_INSTALL_DIR)/usr/include/mbedtls $(1)/usr/include/
|
|
$(INSTALL_DIR) $(1)/usr/lib
|
|
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib/
|
|
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.a $(1)/usr/lib/
|
|
endef
|
|
|
|
define Package/libmbedtls/install
|
|
$(INSTALL_DIR) $(1)/usr/lib
|
|
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so.* $(1)/usr/lib/
|
|
endef
|
|
|
|
define Package/mbedtls-util/install
|
|
$(INSTALL_DIR) $(1)/usr/bin
|
|
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/gen_key $(1)/usr/bin/
|
|
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/cert_req $(1)/usr/bin/
|
|
endef
|
|
|
|
$(eval $(call BuildPackage,libmbedtls))
|
|
$(eval $(call BuildPackage,mbedtls-util))
|