[openwrt/openwrt] mbedtls: Update to version 2.28.3

LEDE Commits lede-commits at lists.infradead.org
Mon Apr 10 04:38:29 PDT 2023


hauke pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/d679b15d31bd0b68dd88c3cf4d084cce02903627

commit d679b15d31bd0b68dd88c3cf4d084cce02903627
Author: Hauke Mehrtens <hauke at hauke-m.de>
AuthorDate: Mon Apr 3 00:52:52 2023 +0200

    mbedtls: Update to version 2.28.3
    
    This only fixes minor problems.
    Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3
    
    The 100-fix-compile.patch patch was merged upstream, see:
    https://github.com/Mbed-TLS/mbedtls/issues/6243
    https://github.com/Mbed-TLS/mbedtls/pull/7013
    
    The code style of all files in mbedtls 2.28.3 was changed. I took a new
    version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this
    pull request: https://github.com/Mbed-TLS/mbedtls/pull/6475
    
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 package/libs/mbedtls/Makefile                      |   6 +-
 package/libs/mbedtls/patches/100-fix-compile.patch |  22 ---
 .../100-x509-crt-verify-SAN-iPAddress.patch        | 158 ++++++++++++---------
 3 files changed, 90 insertions(+), 96 deletions(-)

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index f86d489190..a6a7ac39e9 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.28.2
-PKG_RELEASE:=2
+PKG_VERSION:=2.28.3
+PKG_RELEASE:=1
 PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=bc55232bf71fd66045122ba9050a29ea7cb2e8f99b064a9e6334a82f715881a0
+PKG_HASH:=bdf7c5bbdc338da3edad89b2885d4f8668f9a6fffeba6ec17a60333e36dade6f
 
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=gpl-2.0.txt
diff --git a/package/libs/mbedtls/patches/100-fix-compile.patch b/package/libs/mbedtls/patches/100-fix-compile.patch
deleted file mode 100644
index 411d371699..0000000000
--- a/package/libs/mbedtls/patches/100-fix-compile.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Fix a compile problem introduced in commit 331c3421d1f0 ("Address review comments")
-
-Bug report: https://github.com/Mbed-TLS/mbedtls/issues/6243
-
---- a/programs/ssl/ssl_server2.c
-+++ b/programs/ssl/ssl_server2.c
-@@ -2529,7 +2529,6 @@ int main( int argc, char *argv[] )
-         }
-         key_cert_init2 = 2;
- #endif /* MBEDTLS_ECDSA_C */
--    }
- 
- #if defined(MBEDTLS_USE_PSA_CRYPTO)
-     if( opt.key_opaque != 0 )
-@@ -2558,6 +2557,7 @@ int main( int argc, char *argv[] )
-     }
- #endif /* MBEDTLS_USE_PSA_CRYPTO */
- #endif /* MBEDTLS_CERTS_C */
-+    }
- 
-     mbedtls_printf( " ok (key types: %s - %s)\n", mbedtls_pk_get_name( &pkey ), mbedtls_pk_get_name( &pkey2 ) );
- #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
diff --git a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch b/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch
index 357ec44649..c9802eac19 100644
--- a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch
+++ b/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch
@@ -1,17 +1,17 @@
-From 272d48fe7a2ff00285d4ee166d3a9beca1d5122f Mon Sep 17 00:00:00 2001
+From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss at gluelogic.com>
 Date: Sun, 23 Oct 2022 19:48:18 -0400
-Subject: [PATCH 1/4] x509 crt verify SAN iPAddress
+Subject: [PATCH] x509 crt verify SAN iPAddress
 
 Signed-off-by: Glenn Strauss <gstrauss at gluelogic.com>
 ---
  include/mbedtls/x509_crt.h |   2 +-
- library/x509_crt.c         | 115 +++++++++++++++++++++++++++++--------
- 2 files changed, 93 insertions(+), 24 deletions(-)
+ library/x509_crt.c         | 126 ++++++++++++++++++++++++++++++-------
+ 2 files changed, 103 insertions(+), 25 deletions(-)
 
 --- a/include/mbedtls/x509_crt.h
 +++ b/include/mbedtls/x509_crt.h
-@@ -597,7 +597,7 @@ int mbedtls_x509_crt_verify_info( char *
+@@ -608,7 +608,7 @@ int mbedtls_x509_crt_verify_info(char *b
   * \param cn       The expected Common Name. This will be checked to be
   *                 present in the certificate's subjectAltNames extension or,
   *                 if this extension is absent, as a CN component in its
@@ -22,12 +22,30 @@ Signed-off-by: Glenn Strauss <gstrauss at gluelogic.com>
   *                 If the verification couldn't be completed, the flag value is
 --- a/library/x509_crt.c
 +++ b/library/x509_crt.c
-@@ -2986,6 +2986,54 @@ find_parent:
+@@ -57,6 +57,10 @@
+ 
+ #if defined(MBEDTLS_HAVE_TIME)
+ #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
++#define WIN32_LEAN_AND_MEAN
++#ifndef _WIN32_WINNT
++#define _WIN32_WINNT 0x0600
++#endif
+ #include <windows.h>
+ #else
+ #include <time.h>
+@@ -2995,6 +2999,61 @@ find_parent:
      }
  }
  
 +#ifdef _WIN32
-+/* ??? */
++#ifdef _MSC_VER
++#pragma comment(lib, "ws2_32.lib")
++#include <winsock2.h>
++#include <ws2tcpip.h>
++#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600
++#include <winsock2.h>
++#include <ws2tcpip.h>
++#endif
 +#elif defined(__sun)
 +/* Solaris requires -lsocket -lnsl for inet_pton() */
 +#elif defined(__has_include)
@@ -51,128 +69,126 @@ Signed-off-by: Glenn Strauss <gstrauss at gluelogic.com>
 + * provided by headers included (or not) via __has_include() above. */
 +#ifndef AF_INET6
 +
-+#define x509_cn_inet_pton( cn, dst ) ( 0 )
++#define x509_cn_inet_pton(cn, dst) (0)
 +
 +#else
 +
-+static int x509_inet_pton_ipv6( const char *src, void *dst )
++static int x509_inet_pton_ipv6(const char *src, void *dst)
 +{
-+    return( inet_pton( AF_INET6, src, dst ) == 1 ? 0 : -1 );
++    return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1;
 +}
 +
-+static int x509_inet_pton_ipv4( const char *src, void *dst )
++static int x509_inet_pton_ipv4(const char *src, void *dst)
 +{
-+    return( inet_pton( AF_INET, src, dst ) == 1 ? 0 : -1 );
++    return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1;
 +}
 +
 +#endif /* AF_INET6 */
 +
-+static size_t x509_cn_inet_pton( const char *cn, void *dst )
++static size_t x509_cn_inet_pton(const char *cn, void *dst)
 +{
-+    return( strchr( cn, ':' ) == NULL
-+            ? x509_inet_pton_ipv4( cn, dst ) == 0 ? 4 : 0
-+            : x509_inet_pton_ipv6( cn, dst ) == 0 ? 16 : 0 );
++    return strchr(cn, ':') == NULL
++            ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0
++            : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0;
 +}
 +
  /*
   * Check for CN match
   */
-@@ -3008,23 +3056,51 @@ static int x509_crt_check_cn( const mbed
-     return( -1 );
+@@ -3015,24 +3074,51 @@ static int x509_crt_check_cn(const mbedt
+     return -1;
  }
  
-+static int x509_crt_check_san_ip( const mbedtls_x509_sequence *san,
-+                                  const char *cn, size_t cn_len )
++static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
++                                 const char *cn, size_t cn_len)
 +{
 +    uint32_t ip[4];
-+    cn_len = x509_cn_inet_pton( cn, ip );
-+    if( cn_len == 0 )
-+        return( -1 );
++    cn_len = x509_cn_inet_pton(cn, ip);
++    if (cn_len == 0) {
++        return -1;
++    }
 +
-+    for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next )
-+    {
++    for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
 +        const unsigned char san_type = (unsigned char) cur->buf.tag &
 +                                       MBEDTLS_ASN1_TAG_VALUE_MASK;
-+        if( san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
-+            cur->buf.len == cn_len && memcmp( cur->buf.p, ip, cn_len ) == 0 )
-+            return( 0 );
++        if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
++            cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) {
++            return 0;
++        }
 +    }
 +
-+    return( -1 );
++    return -1;
 +}
 +
  /*
   * Check for SAN match, see RFC 5280 Section 4.2.1.6
   */
--static int x509_crt_check_san( const mbedtls_x509_buf *name,
-+static int x509_crt_check_san( const mbedtls_x509_sequence *san,
-                                const char *cn, size_t cn_len )
+-static int x509_crt_check_san(const mbedtls_x509_buf *name,
++static int x509_crt_check_san(const mbedtls_x509_sequence *san,
+                               const char *cn, size_t cn_len)
  {
 -    const unsigned char san_type = (unsigned char) name->tag &
 -                                   MBEDTLS_ASN1_TAG_VALUE_MASK;
 -
 -    /* dNSName */
--    if( san_type == MBEDTLS_X509_SAN_DNS_NAME )
--        return( x509_crt_check_cn( name, cn, cn_len ) );
--
--    /* (We may handle other types here later.) */
+-    if (san_type == MBEDTLS_X509_SAN_DNS_NAME) {
+-        return x509_crt_check_cn(name, cn, cn_len);
 +    int san_ip = 0;
-+    for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next )
-+    {
-+        switch( (unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK )
-+        {
-+        case MBEDTLS_X509_SAN_DNS_NAME:                    /* dNSName */
-+            if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
-+                return( 0 );
-+            break;
-+        case MBEDTLS_X509_SAN_IP_ADDRESS:                  /* iPAddress */
-+            san_ip = 1;
-+            break;
-+        /* (We may handle other types here later.) */
-+        default: /* Unrecognized type */
-+            break;
++    for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
++        switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
++            case MBEDTLS_X509_SAN_DNS_NAME:                /* dNSName */
++                if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
++                    return 0;
++                }
++                break;
++            case MBEDTLS_X509_SAN_IP_ADDRESS:              /* iPAddress */
++                san_ip = 1;
++                break;
++            /* (We may handle other types here later.) */
++            default: /* Unrecognized type */
++                break;
 +        }
-+    }
+     }
  
+-    /* (We may handle other types here later.) */
+-
 -    /* Unrecognized type */
--    return( -1 );
-+    return( san_ip ? x509_crt_check_san_ip( san, cn, cn_len ) : -1 );
+-    return -1;
++    return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1;
  }
  
  /*
-@@ -3035,19 +3111,12 @@ static void x509_crt_verify_name( const
-                                   uint32_t *flags )
+@@ -3043,31 +3129,23 @@ static void x509_crt_verify_name(const m
+                                  uint32_t *flags)
  {
      const mbedtls_x509_name *name;
 -    const mbedtls_x509_sequence *cur;
-     size_t cn_len = strlen( cn );
+     size_t cn_len = strlen(cn);
  
-     if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
-     {
--        for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
--        {
--            if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 )
+     if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
+-        for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) {
+-            if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) {
 -                break;
+-            }
 -        }
 -
--        if( cur == NULL )
+-        if (cur == NULL) {
 -            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
-+        if( x509_crt_check_san( &crt->subject_alt_names, cn, cn_len ) == 0 )
++        if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) {
 +            return;
-     }
-     else
-     {
-@@ -3056,13 +3125,13 @@ static void x509_crt_verify_name( const
-             if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
-                 x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
-             {
+         }
+     } else {
+         for (name = &crt->subject; name != NULL; name = name->next) {
+             if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
+                 x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
 -                break;
 +                return;
              }
          }
  
--        if( name == NULL )
+-        if (name == NULL) {
 -            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+-        }
      }
 +
 +    *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;




More information about the lede-commits mailing list