From: Hauke Mehrtens Date: Wed, 8 Nov 2023 23:00:09 +0000 (+0100) Subject: mbedtls: Update to version 3.6.0 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=0e06642643862d7b6d1edfd6e0e26dad3eae0cbc;p=openwrt%2Fstaging%2Fthess.git mbedtls: Update to version 3.6.0 This adds support for mbedtls 3.6.0. The 3.6 version is the next LTS version of mbedtls. This version supports TLS 1.3. This switches to download using git. The codeload tar file misses some git submodules. Add some extra options added in mbedtls 3.6.0. The size of the compressed ipkg increases: 230933 bin/packages/mips_24kc/base/libmbedtls13_2.28.7-r2_mips_24kc.ipk 300154 bin/packages/mips_24kc/base/libmbedtls14_3.6.0-r1_mips_24kc.ipk The removed patch was integrated upstream. Signed-off-by: Hauke Mehrtens --- diff --git a/package/libs/mbedtls/Config.in b/package/libs/mbedtls/Config.in index ad0ecb6e61..e80c342636 100644 --- a/package/libs/mbedtls/Config.in +++ b/package/libs/mbedtls/Config.in @@ -187,6 +187,43 @@ config MBEDTLS_VERSION_FEATURES bool "MBEDTLS_VERSION_FEATURES" default n +config MBEDTLS_PSA_CRYPTO_CLIENT + bool "MBEDTLS_PSA_CRYPTO_CLIENT" + +config MBEDTLS_DEPRECATED_WARNING + bool "MBEDTLS_DEPRECATED_WARNING" + default n + +config MBEDTLS_SSL_PROTO_TLS1_2 + bool "MBEDTLS_SSL_PROTO_TLS1_2" + default y + +config MBEDTLS_SSL_PROTO_TLS1_3 + bool "MBEDTLS_SSL_PROTO_TLS1_3" + select MBEDTLS_PSA_CRYPTO_CLIENT + select MBEDTLS_HKDF_C + default y + +config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE + bool "MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE" + depends on MBEDTLS_SSL_PROTO_TLS1_3 + default y + +config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED" + depends on MBEDTLS_SSL_PROTO_TLS1_3 + default y + +config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED" + depends on MBEDTLS_SSL_PROTO_TLS1_3 + default y + +config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + bool "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED" + depends on MBEDTLS_SSL_PROTO_TLS1_3 + default y + comment "Build Options" config MBEDTLS_ENTROPY_FORCE_SHA256 @@ -195,6 +232,7 @@ config MBEDTLS_ENTROPY_FORCE_SHA256 config MBEDTLS_SSL_RENEGOTIATION bool "MBEDTLS_SSL_RENEGOTIATION" + depends on MBEDTLS_SSL_PROTO_TLS1_2 default n endif diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile index 459c9924bd..f6713f42f5 100644 --- a/package/libs/mbedtls/Makefile +++ b/package/libs/mbedtls/Makefile @@ -8,13 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mbedtls -PKG_VERSION:=2.28.8 +PKG_VERSION:=3.6.0 PKG_RELEASE:=1 PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=4fef7de0d8d542510d726d643350acb3cdb9dc76ad45611b59c9aa08372b4213 +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL=https://github.com/Mbed-TLS/mbedtls.git +PKG_SOURCE_VERSION:=2ca6c285a0dd3f33982dd57299012dacab1ff206 +PKG_MIRROR_HASH:=a684012126590b4e0b6ab41e244cc2af0d2bcfc4b6c94bf42fc37d2d08f0553e PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=gpl-2.0.txt @@ -55,7 +56,10 @@ MBEDTLS_BUILD_OPTS_CIPHERS= \ CONFIG_MBEDTLS_NIST_KW_C \ CONFIG_MBEDTLS_RIPEMD160_C \ CONFIG_MBEDTLS_RSA_NO_CRT \ - CONFIG_MBEDTLS_XTEA_C + CONFIG_MBEDTLS_XTEA_C \ + CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ + CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED MBEDTLS_BUILD_OPTS= \ $(MBEDTLS_BUILD_OPTS_CURVES) \ @@ -73,7 +77,12 @@ MBEDTLS_BUILD_OPTS= \ CONFIG_MBEDTLS_THREADING_C \ CONFIG_MBEDTLS_THREADING_PTHREAD \ CONFIG_MBEDTLS_VERSION_C \ - CONFIG_MBEDTLS_VERSION_FEATURES + CONFIG_MBEDTLS_VERSION_FEATURES \ + CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT \ + CONFIG_MBEDTLS_DEPRECATED_WARNING \ + CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 \ + CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 \ + CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS) @@ -96,7 +105,7 @@ $(call Package/mbedtls/Default) CATEGORY:=Libraries SUBMENU:=SSL TITLE+= (library) - ABI_VERSION:=13 + ABI_VERSION:=21 MENU:=1 endef @@ -137,7 +146,7 @@ define Build/Prepare $(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))), $(foreach opt,$(MBEDTLS_BUILD_OPTS), $(PKG_BUILD_DIR)/scripts/config.py \ - -f $(PKG_BUILD_DIR)/include/mbedtls/config.h \ + -f $(PKG_BUILD_DIR)/include/mbedtls/mbedtls_config.h \ $(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt))),) endef @@ -150,6 +159,12 @@ define Build/InstallDev $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib/ $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.a $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig + $(CP) \ + $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedcrypto.pc \ + $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedtls.pc \ + $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/mbedx509.pc \ + $(1)/usr/lib/pkgconfig/ endef define Package/libmbedtls/install diff --git a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch b/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch deleted file mode 100644 index 808450c0dd..0000000000 --- a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch +++ /dev/null @@ -1,197 +0,0 @@ -From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001 -From: Glenn Strauss -Date: Sun, 23 Oct 2022 19:48:18 -0400 -Subject: [PATCH] x509 crt verify SAN iPAddress - -Signed-off-by: Glenn Strauss ---- - include/mbedtls/x509_crt.h | 2 +- - library/x509_crt.c | 126 ++++++++++++++++++++++++++++++------- - 2 files changed, 103 insertions(+), 25 deletions(-) - ---- a/include/mbedtls/x509_crt.h -+++ b/include/mbedtls/x509_crt.h -@@ -596,7 +596,7 @@ int mbedtls_x509_crt_verify_info(char *b - * \param cn The expected Common Name. This will be checked to be - * present in the certificate's subjectAltNames extension or, - * if this extension is absent, as a CN component in its -- * Subject name. Currently only DNS names are supported. This -+ * Subject name. DNS names and IP addresses are supported. This - * may be \c NULL if the CN need not be verified. - * \param flags The address at which to store the result of the verification. - * If the verification couldn't be completed, the flag value is ---- a/library/x509_crt.c -+++ b/library/x509_crt.c -@@ -45,6 +45,10 @@ - - #if defined(MBEDTLS_HAVE_TIME) - #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) -+#define WIN32_LEAN_AND_MEAN -+#ifndef _WIN32_WINNT -+#define _WIN32_WINNT 0x0600 -+#endif - #include - #else - #include -@@ -2990,6 +2994,61 @@ find_parent: - } - } - -+#ifdef _WIN32 -+#ifdef _MSC_VER -+#pragma comment(lib, "ws2_32.lib") -+#include -+#include -+#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600 -+#include -+#include -+#endif -+#elif defined(__sun) -+/* Solaris requires -lsocket -lnsl for inet_pton() */ -+#elif defined(__has_include) -+#if __has_include() -+#include -+#endif -+#if __has_include() -+#include -+#endif -+#endif -+ -+/* Use whether or not AF_INET6 is defined to indicate whether or not to use -+ * the platform inet_pton() or a local implementation (below). The local -+ * implementation may be used even in cases where the platform provides -+ * inet_pton(), e.g. when there are different includes required and/or the -+ * platform implementation requires dependencies on additional libraries. -+ * Specifically, Windows requires custom includes and additional link -+ * dependencies, and Solaris requires additional link dependencies. -+ * Also, as a coarse heuristic, use the local implementation if the compiler -+ * does not support __has_include(), or if the definition of AF_INET6 is not -+ * provided by headers included (or not) via __has_include() above. */ -+#ifndef AF_INET6 -+ -+#define x509_cn_inet_pton(cn, dst) (0) -+ -+#else -+ -+static int x509_inet_pton_ipv6(const char *src, void *dst) -+{ -+ return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1; -+} -+ -+static int x509_inet_pton_ipv4(const char *src, void *dst) -+{ -+ return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1; -+} -+ -+#endif /* AF_INET6 */ -+ -+static size_t x509_cn_inet_pton(const char *cn, void *dst) -+{ -+ return strchr(cn, ':') == NULL -+ ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0 -+ : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0; -+} -+ - /* - * Check for CN match - */ -@@ -3010,24 +3069,51 @@ static int x509_crt_check_cn(const mbedt - return -1; - } - -+static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san, -+ const char *cn, size_t cn_len) -+{ -+ uint32_t ip[4]; -+ cn_len = x509_cn_inet_pton(cn, ip); -+ if (cn_len == 0) { -+ return -1; -+ } -+ -+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) { -+ const unsigned char san_type = (unsigned char) cur->buf.tag & -+ MBEDTLS_ASN1_TAG_VALUE_MASK; -+ if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS && -+ cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) { -+ return 0; -+ } -+ } -+ -+ return -1; -+} -+ - /* - * Check for SAN match, see RFC 5280 Section 4.2.1.6 - */ --static int x509_crt_check_san(const mbedtls_x509_buf *name, -+static int x509_crt_check_san(const mbedtls_x509_sequence *san, - const char *cn, size_t cn_len) - { -- const unsigned char san_type = (unsigned char) name->tag & -- MBEDTLS_ASN1_TAG_VALUE_MASK; -- -- /* dNSName */ -- if (san_type == MBEDTLS_X509_SAN_DNS_NAME) { -- return x509_crt_check_cn(name, cn, cn_len); -+ int san_ip = 0; -+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) { -+ switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) { -+ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */ -+ if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) { -+ return 0; -+ } -+ break; -+ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */ -+ san_ip = 1; -+ break; -+ /* (We may handle other types here later.) */ -+ default: /* Unrecognized type */ -+ break; -+ } - } - -- /* (We may handle other types here later.) */ -- -- /* Unrecognized type */ -- return -1; -+ return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1; - } - - /* -@@ -3038,31 +3124,23 @@ static void x509_crt_verify_name(const m - uint32_t *flags) - { - const mbedtls_x509_name *name; -- const mbedtls_x509_sequence *cur; - size_t cn_len = strlen(cn); - - if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { -- for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) { -- if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) { -- break; -- } -- } -- -- if (cur == NULL) { -- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; -+ if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) { -+ return; - } - } else { - for (name = &crt->subject; name != NULL; name = name->next) { - if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 && - x509_crt_check_cn(&name->val, cn, cn_len) == 0) { -- break; -+ return; - } - } - -- if (name == NULL) { -- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; -- } - } -+ -+ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; - } - - /* diff --git a/package/libs/mbedtls/patches/101-remove-test.patch b/package/libs/mbedtls/patches/101-remove-test.patch index e43f8757d7..5ac5e7c1e8 100644 --- a/package/libs/mbedtls/patches/101-remove-test.patch +++ b/package/libs/mbedtls/patches/101-remove-test.patch @@ -1,7 +1,8 @@ --- a/programs/CMakeLists.txt +++ b/programs/CMakeLists.txt -@@ -1,12 +1,8 @@ +@@ -1,13 +1,9 @@ add_subdirectory(aes) + add_subdirectory(cipher) -if (NOT WIN32) - add_subdirectory(fuzz) -endif()