298977887/lede
1
0
Fork 0
mirror of https://github.com/coolsnowwolf/lede.git synced 2025-04-16 14:23:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

mbedtls: Update to version 2.28.3

Browse Source 
This only fixes minor problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3

The 100-fix-compile.patch patch was merged upstream.
The code style of all files in mbedtls 2.28.3 was changed.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit is contained in:
Hauke Mehrtens 2023-04-03 00:52:52 +02:00 committed by AmadeusGhost
parent b06d1b8ec6
commit 3713f8b5b1
3 changed files with 93 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
package/libs/mbedtls/Makefile
View File

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=mbedtls PKG_NAME:=mbedtls
PKG_VERSION:=2.28.2 PKG_VERSION:=2.28.3
PKG_RELEASE:=2 PKG_RELEASE:=1
PKG_USE_MIPS16:=0 PKG_USE_MIPS16:=0
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)? PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=bc55232bf71fd66045122ba9050a29ea7cb2e8f99b064a9e6334a82f715881a0 PKG_HASH:=bdf7c5bbdc338da3edad89b2885d4f8668f9a6fffeba6ec17a60333e36dade6f
PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE:=GPL-2.0-or-later
PKG_LICENSE_FILES:=gpl-2.0.txt PKG_LICENSE_FILES:=gpl-2.0.txt

22
package/libs/mbedtls/patches/100-fix-compile.patch
View File

@ -1,22 +0,0 @@
Fix a compile problem introduced in commit 331c3421d1f0 ("Address review comments")
Bug report: https://github.com/Mbed-TLS/mbedtls/issues/6243
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2529,7 +2529,6 @@ int main( int argc, char *argv[] )
}
key_cert_init2 = 2;
#endif /* MBEDTLS_ECDSA_C */
- }
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opt.key_opaque != 0 )
@@ -2558,6 +2557,7 @@ int main( int argc, char *argv[] )
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_CERTS_C */
+ }
mbedtls_printf( " ok (key types: %s - %s)\n", mbedtls_pk_get_name( &pkey ), mbedtls_pk_get_name( &pkey2 ) );
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */

164
package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch
View File

@ -1,17 +1,17 @@
From 272d48fe7a2ff00285d4ee166d3a9beca1d5122f Mon Sep 17 00:00:00 2001 From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com> From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Sun, 23 Oct 2022 19:48:18 -0400 Date: Sun, 23 Oct 2022 19:48:18 -0400
Subject: [PATCH 1/4] x509 crt verify SAN iPAddress Subject: [PATCH] x509 crt verify SAN iPAddress
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
--- ---
include/mbedtls/x509_crt.h | 2 +- include/mbedtls/x509_crt.h | 2 +-
library/x509_crt.c | 115 +++++++++++++++++++++++++++++-------- library/x509_crt.c | 126 ++++++++++++++++++++++++++++++-------
2 files changed, 93 insertions(+), 24 deletions(-) 2 files changed, 103 insertions(+), 25 deletions(-)
--- a/include/mbedtls/x509_crt.h --- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h
@@ -597,7 +597,7 @@ int mbedtls_x509_crt_verify_info( char * @@ -608,7 +608,7 @@ int mbedtls_x509_crt_verify_info(char *b
* \param cn The expected Common Name. This will be checked to be * \param cn The expected Common Name. This will be checked to be
* present in the certificate's subjectAltNames extension or, * present in the certificate's subjectAltNames extension or,
* if this extension is absent, as a CN component in its * if this extension is absent, as a CN component in its
@ -22,12 +22,30 @@ Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* If the verification couldn't be completed, the flag value is * If the verification couldn't be completed, the flag value is
--- a/library/x509_crt.c --- a/library/x509_crt.c
+++ b/library/x509_crt.c +++ b/library/x509_crt.c
@@ -2986,6 +2986,54 @@ find_parent: @@ -57,6 +57,10 @@
#if defined(MBEDTLS_HAVE_TIME)
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#define WIN32_LEAN_AND_MEAN
+#ifndef _WIN32_WINNT
+#define _WIN32_WINNT 0x0600
+#endif
#include <windows.h>
#else
#include <time.h>
@@ -2995,6 +2999,61 @@ find_parent:
} }
} }
+#ifdef _WIN32 +#ifdef _WIN32
+/* ??? */ +#ifdef _MSC_VER
+#pragma comment(lib, "ws2_32.lib")
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#endif
+#elif defined(__sun) +#elif defined(__sun)
+/* Solaris requires -lsocket -lnsl for inet_pton() */ +/* Solaris requires -lsocket -lnsl for inet_pton() */
+#elif defined(__has_include) +#elif defined(__has_include)
@ -51,128 +69,126 @@ Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+ * provided by headers included (or not) via __has_include() above. */ + * provided by headers included (or not) via __has_include() above. */
+#ifndef AF_INET6 +#ifndef AF_INET6
+ +
+#define x509_cn_inet_pton( cn, dst ) ( 0 ) +#define x509_cn_inet_pton(cn, dst) (0)
+ +
+#else +#else
+ +
+static int x509_inet_pton_ipv6( const char *src, void *dst ) +static int x509_inet_pton_ipv6(const char *src, void *dst)
+{ +{
+ return( inet_pton( AF_INET6, src, dst ) == 1 ? 0 : -1 ); + return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1;
+} +}
+ +
+static int x509_inet_pton_ipv4( const char *src, void *dst ) +static int x509_inet_pton_ipv4(const char *src, void *dst)
+{ +{
+ return( inet_pton( AF_INET, src, dst ) == 1 ? 0 : -1 ); + return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1;
+} +}
+ +
+#endif /* AF_INET6 */ +#endif /* AF_INET6 */
+ +
+static size_t x509_cn_inet_pton( const char *cn, void *dst ) +static size_t x509_cn_inet_pton(const char *cn, void *dst)
+{ +{
+ return( strchr( cn, ':' ) == NULL + return strchr(cn, ':') == NULL
+ ? x509_inet_pton_ipv4( cn, dst ) == 0 ? 4 : 0 + ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0
+ : x509_inet_pton_ipv6( cn, dst ) == 0 ? 16 : 0 ); + : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0;
+} +}
+ +
/* /*
* Check for CN match * Check for CN match
*/ */
@@ -3008,23 +3056,51 @@ static int x509_crt_check_cn( const mbed @@ -3015,24 +3074,51 @@ static int x509_crt_check_cn(const mbedt
return( -1 ); return -1;
} }
+static int x509_crt_check_san_ip( const mbedtls_x509_sequence *san, +static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
+ const char *cn, size_t cn_len ) + const char *cn, size_t cn_len)
+{ +{
+ uint32_t ip[4]; + uint32_t ip[4];
+ cn_len = x509_cn_inet_pton( cn, ip ); + cn_len = x509_cn_inet_pton(cn, ip);
+ if( cn_len == 0 ) + if (cn_len == 0) {
+ return( -1 ); + return -1;
+
+ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next )
+ {
+ const unsigned char san_type = (unsigned char) cur->buf.tag &
+ MBEDTLS_ASN1_TAG_VALUE_MASK;
+ if( san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
+ cur->buf.len == cn_len && memcmp( cur->buf.p, ip, cn_len ) == 0 )
+ return( 0 );
+ } + }
+ +
+ return( -1 ); + for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
+ const unsigned char san_type = (unsigned char) cur->buf.tag &
+ MBEDTLS_ASN1_TAG_VALUE_MASK;
+ if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
+ cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) {
+ return 0;
+ }
+ }
+
+ return -1;
+} +}
+ +
/* /*
* Check for SAN match, see RFC 5280 Section 4.2.1.6 * Check for SAN match, see RFC 5280 Section 4.2.1.6
*/ */
-static int x509_crt_check_san( const mbedtls_x509_buf *name, -static int x509_crt_check_san(const mbedtls_x509_buf *name,
+static int x509_crt_check_san( const mbedtls_x509_sequence *san, +static int x509_crt_check_san(const mbedtls_x509_sequence *san,
const char *cn, size_t cn_len ) const char *cn, size_t cn_len)
{ {
- const unsigned char san_type = (unsigned char) name->tag & - const unsigned char san_type = (unsigned char) name->tag &
- MBEDTLS_ASN1_TAG_VALUE_MASK; - MBEDTLS_ASN1_TAG_VALUE_MASK;
- -
- /* dNSName */ - /* dNSName */
- if( san_type == MBEDTLS_X509_SAN_DNS_NAME ) - if (san_type == MBEDTLS_X509_SAN_DNS_NAME) {
- return( x509_crt_check_cn( name, cn, cn_len ) ); - return x509_crt_check_cn(name, cn, cn_len);
-
- /* (We may handle other types here later.) */
+ int san_ip = 0; + int san_ip = 0;
+ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next ) + for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
+ { + switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
+ switch( (unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK ) + case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */
+ { + if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
+ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */ + return 0;
+ if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 ) + }
+ return( 0 ); + break;
+ break; + case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */
+ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */ + san_ip = 1;
+ san_ip = 1; + break;
+ break; + /* (We may handle other types here later.) */
+ /* (We may handle other types here later.) */ + default: /* Unrecognized type */
+ default: /* Unrecognized type */ + break;
+ break;
+ } + }
+ } }
- /* (We may handle other types here later.) */
-
- /* Unrecognized type */ - /* Unrecognized type */
- return( -1 ); - return -1;
+ return( san_ip ? x509_crt_check_san_ip( san, cn, cn_len ) : -1 ); + return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1;
} }
/* /*
@@ -3035,19 +3111,12 @@ static void x509_crt_verify_name( const @@ -3043,31 +3129,23 @@ static void x509_crt_verify_name(const m
uint32_t *flags ) uint32_t *flags)
{ {
const mbedtls_x509_name *name; const mbedtls_x509_name *name;
- const mbedtls_x509_sequence *cur; - const mbedtls_x509_sequence *cur;
size_t cn_len = strlen( cn ); size_t cn_len = strlen(cn);
if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
{ - for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) {
- for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next ) - if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) {
- {
- if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 )
- break; - break;
- }
- } - }
- -
- if( cur == NULL ) - if (cur == NULL) {
- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; - *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+ if( x509_crt_check_san( &crt->subject_alt_names, cn, cn_len ) == 0 ) + if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) {
+ return; + return;
} }
else } else {
{ for (name = &crt->subject; name != NULL; name = name->next) {
@@ -3056,13 +3125,13 @@ static void x509_crt_verify_name( const if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 && x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
{
- break; - break;
+ return; + return;
} }
} }
- if( name == NULL ) - if (name == NULL) {
- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; - *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
- }
} }
+ +
+ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; + *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;