mbedtls: Update to version 3.6.0

This adds support for mbedtls 3.6.0.
The 3.6 version is the next LTS version of mbedtls.
This version supports TLS 1.3.

This switches to download using git. The codeload tar file misses some
git submodules.

Add some extra options added in mbedtls 3.6.0.

The size of the compressed ipkg increases:
230933 bin/packages/mips_24kc/base/libmbedtls13_2.28.7-r2_mips_24kc.ipk
300154 bin/packages/mips_24kc/base/libmbedtls14_3.6.0-r1_mips_24kc.ipk

The removed patch was integrated upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

diff --git a/package/libs/mbedtls/Config.in b/package/libs/mbedtls/Config.in
index ad0ecb6e611aa8281971290a60bd1297aca5e145..e80c342636ca271a34c1c5d99cc241f1edc530ac 100644 (file)
--- a/package/libs/mbedtls/Config.in
+++ b/package/libs/mbedtls/Config.in
@@ -187,6 +187,43 @@ config MBEDTLS_VERSION_FEATURES
        bool "MBEDTLS_VERSION_FEATURES"
        default n
 
+config MBEDTLS_PSA_CRYPTO_CLIENT
+       bool "MBEDTLS_PSA_CRYPTO_CLIENT"
+
+config MBEDTLS_DEPRECATED_WARNING
+       bool "MBEDTLS_DEPRECATED_WARNING"
+       default n
+
+config MBEDTLS_SSL_PROTO_TLS1_2
+       bool "MBEDTLS_SSL_PROTO_TLS1_2"
+       default y
+
+config MBEDTLS_SSL_PROTO_TLS1_3
+       bool "MBEDTLS_SSL_PROTO_TLS1_3"
+       select MBEDTLS_PSA_CRYPTO_CLIENT
+       select MBEDTLS_HKDF_C
+       default y
+
+config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+       bool "MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE"
+       depends on MBEDTLS_SSL_PROTO_TLS1_3
+       default y
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+       bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED"
+       depends on MBEDTLS_SSL_PROTO_TLS1_3
+       default y
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+       bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED"
+       depends on MBEDTLS_SSL_PROTO_TLS1_3
+       default y
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+       bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED"
+       depends on MBEDTLS_SSL_PROTO_TLS1_3
+       default y
+
 comment "Build Options"
 
 config MBEDTLS_ENTROPY_FORCE_SHA256
@@ -195,6 +232,7 @@ config MBEDTLS_ENTROPY_FORCE_SHA256
 
 config MBEDTLS_SSL_RENEGOTIATION
        bool "MBEDTLS_SSL_RENEGOTIATION"
+       depends on MBEDTLS_SSL_PROTO_TLS1_2
        default n
 
 endif

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 459c9924bde07bd8345a18bb286f062d2e0fe65f..f6713f42f557f8dd309032a9056a44f58bb3b13c 100644 (file)
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.28.8
+PKG_VERSION:=3.6.0
 PKG_RELEASE:=1
 PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=4fef7de0d8d542510d726d643350acb3cdb9dc76ad45611b59c9aa08372b4213
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL=https://github.com/Mbed-TLS/mbedtls.git
+PKG_SOURCE_VERSION:=2ca6c285a0dd3f33982dd57299012dacab1ff206
+PKG_MIRROR_HASH:=a684012126590b4e0b6ab41e244cc2af0d2bcfc4b6c94bf42fc37d2d08f0553e
 
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=gpl-2.0.txt
@@ -55,7 +56,10 @@ MBEDTLS_BUILD_OPTS_CIPHERS= \
   CONFIG_MBEDTLS_NIST_KW_C \
   CONFIG_MBEDTLS_RIPEMD160_C \
   CONFIG_MBEDTLS_RSA_NO_CRT \
-  CONFIG_MBEDTLS_XTEA_C
+  CONFIG_MBEDTLS_XTEA_C \
+  CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \
+  CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
+  CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 
 MBEDTLS_BUILD_OPTS= \
   $(MBEDTLS_BUILD_OPTS_CURVES) \
@@ -73,7 +77,12 @@ MBEDTLS_BUILD_OPTS= \
   CONFIG_MBEDTLS_THREADING_C \
   CONFIG_MBEDTLS_THREADING_PTHREAD \
   CONFIG_MBEDTLS_VERSION_C \
-  CONFIG_MBEDTLS_VERSION_FEATURES
+  CONFIG_MBEDTLS_VERSION_FEATURES \
+  CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT \
+  CONFIG_MBEDTLS_DEPRECATED_WARNING \
+  CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 \
+  CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 \
+  CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 
 PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS)
 
@@ -96,7 +105,7 @@ $(call Package/mbedtls/Default)
   CATEGORY:=Libraries
   SUBMENU:=SSL
   TITLE+= (library)
-  ABI_VERSION:=13
+  ABI_VERSION:=21
   MENU:=1
 endef
 
@@ -137,7 +146,7 @@ define Build/Prepare
        $(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))),
         $(foreach opt,$(MBEDTLS_BUILD_OPTS),
         $(PKG_BUILD_DIR)/scripts/config.py \
-        -f $(PKG_BUILD_DIR)/include/mbedtls/config.h \
+        -f $(PKG_BUILD_DIR)/include/mbedtls/mbedtls_config.h \
         $(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt))),)
 endef
 
@@ -150,6 +159,12 @@ define Build/InstallDev
        $(INSTALL_DIR) $(1)/usr/lib
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib/
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.a $(1)/usr/lib/
+       $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+       $(CP) \
+               $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedcrypto.pc \
+               $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedtls.pc \
+               $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedx509.pc \
+               $(1)/usr/lib/pkgconfig/
 endef
 
 define Package/libmbedtls/install

diff --git a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch b/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch
deleted file mode 100644 (file)
index 808450c..0000000
--- a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch
+++ /dev/null
@@ -1,197 +0,0 @@
-From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001
-From: Glenn Strauss <gstrauss@gluelogic.com>
-Date: Sun, 23 Oct 2022 19:48:18 -0400
-Subject: [PATCH] x509 crt verify SAN iPAddress
-
-Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
----
- include/mbedtls/x509_crt.h |   2 +-
- library/x509_crt.c         | 126 ++++++++++++++++++++++++++++++-------
- 2 files changed, 103 insertions(+), 25 deletions(-)
-
---- a/include/mbedtls/x509_crt.h
-+++ b/include/mbedtls/x509_crt.h
-@@ -596,7 +596,7 @@ int mbedtls_x509_crt_verify_info(char *b
-  * \param cn       The expected Common Name. This will be checked to be
-  *                 present in the certificate's subjectAltNames extension or,
-  *                 if this extension is absent, as a CN component in its
-- *                 Subject name. Currently only DNS names are supported. This
-+ *                 Subject name. DNS names and IP addresses are supported. This
-  *                 may be \c NULL if the CN need not be verified.
-  * \param flags    The address at which to store the result of the verification.
-  *                 If the verification couldn't be completed, the flag value is
---- a/library/x509_crt.c
-+++ b/library/x509_crt.c
-@@ -45,6 +45,10 @@
- 
- #if defined(MBEDTLS_HAVE_TIME)
- #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
-+#define WIN32_LEAN_AND_MEAN
-+#ifndef _WIN32_WINNT
-+#define _WIN32_WINNT 0x0600
-+#endif
- #include <windows.h>
- #else
- #include <time.h>
-@@ -2990,6 +2994,61 @@ find_parent:
-     }
- }
- 
-+#ifdef _WIN32
-+#ifdef _MSC_VER
-+#pragma comment(lib, "ws2_32.lib")
-+#include <winsock2.h>
-+#include <ws2tcpip.h>
-+#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600
-+#include <winsock2.h>
-+#include <ws2tcpip.h>
-+#endif
-+#elif defined(__sun)
-+/* Solaris requires -lsocket -lnsl for inet_pton() */
-+#elif defined(__has_include)
-+#if __has_include(<sys/socket.h>)
-+#include <sys/socket.h>
-+#endif
-+#if __has_include(<arpa/inet.h>)
-+#include <arpa/inet.h>
-+#endif
-+#endif
-+
-+/* Use whether or not AF_INET6 is defined to indicate whether or not to use
-+ * the platform inet_pton() or a local implementation (below).  The local
-+ * implementation may be used even in cases where the platform provides
-+ * inet_pton(), e.g. when there are different includes required and/or the
-+ * platform implementation requires dependencies on additional libraries.
-+ * Specifically, Windows requires custom includes and additional link
-+ * dependencies, and Solaris requires additional link dependencies.
-+ * Also, as a coarse heuristic, use the local implementation if the compiler
-+ * does not support __has_include(), or if the definition of AF_INET6 is not
-+ * provided by headers included (or not) via __has_include() above. */
-+#ifndef AF_INET6
-+
-+#define x509_cn_inet_pton(cn, dst) (0)
-+
-+#else
-+
-+static int x509_inet_pton_ipv6(const char *src, void *dst)
-+{
-+    return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1;
-+}
-+
-+static int x509_inet_pton_ipv4(const char *src, void *dst)
-+{
-+    return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1;
-+}
-+
-+#endif /* AF_INET6 */
-+
-+static size_t x509_cn_inet_pton(const char *cn, void *dst)
-+{
-+    return strchr(cn, ':') == NULL
-+            ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0
-+            : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0;
-+}
-+
- /*
-  * Check for CN match
-  */
-@@ -3010,24 +3069,51 @@ static int x509_crt_check_cn(const mbedt
-     return -1;
- }
- 
-+static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
-+                                 const char *cn, size_t cn_len)
-+{
-+    uint32_t ip[4];
-+    cn_len = x509_cn_inet_pton(cn, ip);
-+    if (cn_len == 0) {
-+        return -1;
-+    }
-+
-+    for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
-+        const unsigned char san_type = (unsigned char) cur->buf.tag &
-+                                       MBEDTLS_ASN1_TAG_VALUE_MASK;
-+        if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
-+            cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) {
-+            return 0;
-+        }
-+    }
-+
-+    return -1;
-+}
-+
- /*
-  * Check for SAN match, see RFC 5280 Section 4.2.1.6
-  */
--static int x509_crt_check_san(const mbedtls_x509_buf *name,
-+static int x509_crt_check_san(const mbedtls_x509_sequence *san,
-                               const char *cn, size_t cn_len)
- {
--    const unsigned char san_type = (unsigned char) name->tag &
--                                   MBEDTLS_ASN1_TAG_VALUE_MASK;
--
--    /* dNSName */
--    if (san_type == MBEDTLS_X509_SAN_DNS_NAME) {
--        return x509_crt_check_cn(name, cn, cn_len);
-+    int san_ip = 0;
-+    for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
-+        switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
-+            case MBEDTLS_X509_SAN_DNS_NAME:                /* dNSName */
-+                if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
-+                    return 0;
-+                }
-+                break;
-+            case MBEDTLS_X509_SAN_IP_ADDRESS:              /* iPAddress */
-+                san_ip = 1;
-+                break;
-+            /* (We may handle other types here later.) */
-+            default: /* Unrecognized type */
-+                break;
-+        }
-     }
- 
--    /* (We may handle other types here later.) */
--
--    /* Unrecognized type */
--    return -1;
-+    return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1;
- }
- 
- /*
-@@ -3038,31 +3124,23 @@ static void x509_crt_verify_name(const m
-                                  uint32_t *flags)
- {
-     const mbedtls_x509_name *name;
--    const mbedtls_x509_sequence *cur;
-     size_t cn_len = strlen(cn);
- 
-     if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
--        for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) {
--            if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) {
--                break;
--            }
--        }
--
--        if (cur == NULL) {
--            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
-+        if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) {
-+            return;
-         }
-     } else {
-         for (name = &crt->subject; name != NULL; name = name->next) {
-             if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
-                 x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
--                break;
-+                return;
-             }
-         }
- 
--        if (name == NULL) {
--            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
--        }
-     }
-+
-+    *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
- }
- 
- /*

diff --git a/package/libs/mbedtls/patches/101-remove-test.patch b/package/libs/mbedtls/patches/101-remove-test.patch
index e43f8757d71702aadba7474a7d788f26c951116e..5ac5e7c1e85a11eb99b90e30c36b09d879642a9d 100644 (file)
--- a/package/libs/mbedtls/patches/101-remove-test.patch
+++ b/package/libs/mbedtls/patches/101-remove-test.patch
@@ -1,7 +1,8 @@
 --- a/programs/CMakeLists.txt
 +++ b/programs/CMakeLists.txt
-@@ -1,12 +1,8 @@
+@@ -1,13 +1,9 @@
  add_subdirectory(aes)
+ add_subdirectory(cipher)
 -if (NOT WIN32)
 -    add_subdirectory(fuzz)
 -endif()