From 36148978f6acf9dd015cceedcd604e0a1bfda37e Mon Sep 17 00:00:00 2001 From: Beniamin Sandu Date: Fri, 5 Apr 2024 12:10:53 +0100 Subject: mbedtls: upgrade 3.5.2 -> 3.6.0 This is an LTS release. Includes security fixes: * CVE-2024-28960 - Insecure handling of shared memory in PSA Crypto APIs Full release notes: https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0 Signed-off-by: Beniamin Sandu Signed-off-by: Khem Raj --- ...target-attributes-for-x86-32-bit-intrinsi.patch | 87 ---------------------- .../recipes-connectivity/mbedtls/mbedtls_3.5.2.bb | 78 ------------------- .../recipes-connectivity/mbedtls/mbedtls_3.6.0.bb | 82 ++++++++++++++++++++ 3 files changed, 82 insertions(+), 165 deletions(-) delete mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch delete mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.0.bb (limited to 'meta-networking') diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch deleted file mode 100644 index 5030fb99f9..0000000000 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 80d3e73ad0648f558a067a9dbfe3bc80e6b614f8 Mon Sep 17 00:00:00 2001 -From: Beniamin Sandu -Date: Mon, 30 Oct 2023 19:15:56 +0000 -Subject: [PATCH] AES-NI: use target attributes for x86 32-bit intrinsics - -This way we build with 32-bit gcc/clang out of the box. -We also fallback to assembly for 64-bit clang-cl if needed cpu -flags are not provided, instead of throwing an error. - -Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/800f2b7c020678a84abfa9688962b91c36e6693d] - -Signed-off-by: Beniamin Sandu ---- - library/aesni.c | 20 ++++++++++++++++++++ - library/aesni.h | 8 +++++--- - 2 files changed, 25 insertions(+), 3 deletions(-) - -diff --git a/library/aesni.c b/library/aesni.c -index 5f25a8249..481fa3822 100644 ---- a/library/aesni.c -+++ b/library/aesni.c -@@ -41,6 +41,17 @@ - #include - #endif - -+#if defined(MBEDTLS_ARCH_IS_X86) -+#if defined(MBEDTLS_COMPILER_IS_GCC) -+#pragma GCC push_options -+#pragma GCC target ("pclmul,sse2,aes") -+#define MBEDTLS_POP_TARGET_PRAGMA -+#elif defined(__clang__) -+#pragma clang attribute push (__attribute__((target("pclmul,sse2,aes"))), apply_to=function) -+#define MBEDTLS_POP_TARGET_PRAGMA -+#endif -+#endif -+ - #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) - /* - * AES-NI support detection routine -@@ -396,6 +407,15 @@ static void aesni_setkey_enc_256(unsigned char *rk_bytes, - } - #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ - -+#if defined(MBEDTLS_POP_TARGET_PRAGMA) -+#if defined(__clang__) -+#pragma clang attribute pop -+#elif defined(__GNUC__) -+#pragma GCC pop_options -+#endif -+#undef MBEDTLS_POP_TARGET_PRAGMA -+#endif -+ - #else /* MBEDTLS_AESNI_HAVE_CODE == 1 */ - - #if defined(__has_feature) -diff --git a/library/aesni.h b/library/aesni.h -index ba1429029..37ae02c82 100644 ---- a/library/aesni.h -+++ b/library/aesni.h -@@ -50,6 +50,10 @@ - #if defined(__GNUC__) && defined(__AES__) && defined(__PCLMUL__) - #define MBEDTLS_AESNI_HAVE_INTRINSICS - #endif -+/* For 32-bit, we only support intrinsics */ -+#if defined(MBEDTLS_ARCH_IS_X86) && (defined(__GNUC__) || defined(__clang__)) -+#define MBEDTLS_AESNI_HAVE_INTRINSICS -+#endif - - /* Choose the implementation of AESNI, if one is available. - * -@@ -60,13 +64,11 @@ - #if defined(MBEDTLS_AESNI_HAVE_INTRINSICS) - #define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics - #elif defined(MBEDTLS_HAVE_ASM) && \ -- defined(__GNUC__) && defined(MBEDTLS_ARCH_IS_X64) -+ (defined(__GNUC__) || defined(__clang__)) && defined(MBEDTLS_ARCH_IS_X64) - /* Can we do AESNI with inline assembly? - * (Only implemented with gas syntax, only for 64-bit.) - */ - #define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly --#elif defined(__GNUC__) --# error "Must use `-mpclmul -msse2 -maes` for MBEDTLS_AESNI_C" - #else - #error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available" - #endif --- -2.34.1 diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb deleted file mode 100644 index d61c54edb8..0000000000 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb +++ /dev/null @@ -1,78 +0,0 @@ -SUMMARY = "Lightweight crypto and SSL/TLS library" -DESCRIPTION = "mbedtls is a lean open source crypto library \ -for providing SSL and TLS support in your programs. It offers \ -an intuitive API and documented header files, so you can actually \ -understand what the code does. It features: \ - \ - - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4, \ - Camellia and XTEA \ - - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5 \ - - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG \ - - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \ - ECDSA and ECDH \ - - SSL v3 and TLS 1.0, 1.1 and 1.2 \ - - Abstraction layers for ciphers, hashes, public key operations, \ - platform abstraction and threading \ -" - -HOMEPAGE = "https://tls.mbed.org/" - -LICENSE = "Apache-2.0 | GPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://LICENSE;md5=379d5819937a6c2f1ef1630d341e026d" - -SECTION = "libs" - -S = "${WORKDIR}/git" -SRCREV = "daca7a3979c22da155ec9dce49ab1abf3b65d3a9" -SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=master \ - file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \ - file://run-ptest" -UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)" - -inherit cmake update-alternatives ptest - -PACKAGECONFIG ??= "shared-libs programs ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}" -PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF" -PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF" -PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF" -# Make X.509 and TLS calls use PSA -# https://github.com/Mbed-TLS/mbedtls/blob/development/docs/use-psa-crypto.md -PACKAGECONFIG[psa] = "" -PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF" - -EXTRA_OECMAKE = "-DLIB_INSTALL_DIR:STRING=${libdir}" - -# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS -CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}" - -PROVIDES += "polarssl" -RPROVIDES:${PN} = "polarssl" - -PACKAGES =+ "${PN}-programs" -FILES:${PN}-programs = "${bindir}/" - -ALTERNATIVE:${PN}-programs = "hello" -ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello" - -BBCLASSEXTEND = "native nativesdk" - -CVE_PRODUCT = "mbed_tls" - -# Strip host paths from autogenerated test files -do_compile:append() { - sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || : - sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || : -} - -# Export source files/headers needed by Arm Trusted Firmware -sysroot_stage_all:append() { - sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library" - sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include" -} - -do_install_ptest () { - install -d ${D}${PTEST_PATH}/tests - cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/ - find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete - cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/ -} diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.0.bb new file mode 100644 index 0000000000..92a2de82a3 --- /dev/null +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.0.bb @@ -0,0 +1,82 @@ +SUMMARY = "Lightweight crypto and SSL/TLS library" +DESCRIPTION = "mbedtls is a lean open source crypto library \ +for providing SSL and TLS support in your programs. It offers \ +an intuitive API and documented header files, so you can actually \ +understand what the code does. It features: \ + \ + - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4, \ + Camellia and XTEA \ + - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5 \ + - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG \ + - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \ + ECDSA and ECDH \ + - SSL v3 and TLS 1.0, 1.1 and 1.2 \ + - Abstraction layers for ciphers, hashes, public key operations, \ + platform abstraction and threading \ +" + +HOMEPAGE = "https://tls.mbed.org/" + +LICENSE = "Apache-2.0 | GPL-2.0-or-later" +LIC_FILES_CHKSUM = "file://LICENSE;md5=379d5819937a6c2f1ef1630d341e026d" + +SECTION = "libs" + +S = "${WORKDIR}/git" +SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=master \ + git://github.com/Mbed-TLS/mbedtls-framework.git;protocol=https;branch=main;destsuffix=git/framework;name=framework \ + file://run-ptest" + +SRCREV = "2ca6c285a0dd3f33982dd57299012dacab1ff206" +SRCREV_framework = "750634d3a51eb9d61b59fd5d801546927c946588" +SRCREV_FORMAT .= "_framework" + +UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)" + +inherit cmake update-alternatives ptest + +PACKAGECONFIG ??= "shared-libs programs ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}" +PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF" +PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF" +PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF" +# Make X.509 and TLS calls use PSA +# https://github.com/Mbed-TLS/mbedtls/blob/development/docs/use-psa-crypto.md +PACKAGECONFIG[psa] = "" +PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF" + +EXTRA_OECMAKE = "-DLIB_INSTALL_DIR:STRING=${libdir}" + +# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS +CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}" + +PROVIDES += "polarssl" +RPROVIDES:${PN} = "polarssl" + +PACKAGES =+ "${PN}-programs" +FILES:${PN}-programs = "${bindir}/" + +ALTERNATIVE:${PN}-programs = "hello" +ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello" + +BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT = "mbed_tls" + +# Strip host paths from autogenerated test files +do_compile:append() { + sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || : + sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || : +} + +# Export source files/headers needed by Arm Trusted Firmware +sysroot_stage_all:append() { + sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library" + sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include" +} + +do_install_ptest () { + install -d ${D}${PTEST_PATH}/tests + cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/ + find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete + cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/ +} -- cgit 1.2.3-korg