

Update MbedTLS 3.4.0 -> 3.6.2 and set it as default
  This is needed only because of the patches: 0001 applies
  as-is (although with fuzz 2, not exactly), but hunk #4 of 0002
  would fail and had to be applied manually. Otherwise, the patches
  are identical.

Signed-off-by: George Poulios <[email protected]>
gpoulios committed Nov 29, 2024
1 parent 21f5bc9 commit cead745
Showing 3 changed files with 66 additions and 51 deletions.
@@ -1,22 +1,31 @@
From e40fdc9238384ee62013c41d74cb4d47ae8c1aad Mon Sep 17 00:00:00 2001
From: makejian <makejian@xiaomi.com>
Date: Mon, 11 Sep 2023 19:40:04 +0800
Subject: [PATCH] mbedtls/entropy_poll: use 'getrandom' to get the system
From b82b0c314d78d44f717a69924e7a60d8d43eb200 Mon Sep 17 00:00:00 2001
From: George Poulios <gpoulios@census-labs.com>
Date: Fri, 29 Nov 2024 10:32:54 +0200
Subject: [PATCH 1/2] mbedtls/entropy_poll: use 'getrandom' to get the system
entropy

VELAPLATFO-16390
Original patch:
From e40fdc9238384ee62013c41d74cb4d47ae8c1aad Mon Sep 17 00:00:00 2001
From: makejian <[email protected]>
Date: Mon, 11 Sep 2023 19:40:04 +0800
Subject: [PATCH] mbedtls/entropy_poll: use 'getrandom' to get the system
entropy

Change-Id: I885969c441cd174f5eedf8c9ce17b89e501148c8
Signed-off-by: makejian <[email protected]>
VELAPLATFO-16390

Change-Id: I885969c441cd174f5eedf8c9ce17b89e501148c8
Signed-off-by: makejian <[email protected]>

Signed-off-by: George Poulios <[email protected]>
---
library/entropy_poll.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git mbedtls/library/entropy_poll.c mbedtls/library/entropy_poll.c
index b5024c83f..e9431e812 100644
--- mbedtls/library/entropy_poll.c
+++ mbedtls/library/entropy_poll.c
@@ -103,10 +103,11 @@ static int getrandom_wrapper(void *buf, size_t buflen, unsigned int flags)
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index 611768cd85..a26e154db1 100644
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@@ -95,10 +95,11 @@ static int getrandom_wrapper(void *buf, size_t buflen, unsigned int flags)
#endif /* SYS_getrandom */
#endif /* __linux__ || __midipix__ */

82 changes: 44 additions & 38 deletions crypto/mbedtls/0002-mbedtls-add-mbedtls-x509-crt-pool.patch
@@ -1,9 +1,17 @@
From e9eeb5721637faa451f66bbb2789046b9a7963d5 Mon Sep 17 00:00:00 2001
From: makejian <makejian@xiaomi.com>
Date: Fri, 18 Aug 2023 15:52:45 +0800
Subject: [PATCH 1/2] mbedtls: add mbedtls x509 crt pool
From f846c8fb13238a4db1f7d5e1a9ebce459c21faf7 Mon Sep 17 00:00:00 2001
From: George Poulios <gpoulios@census-labs.com>
Date: Fri, 29 Nov 2024 10:33:57 +0200
Subject: [PATCH 2/2] mbedtls: add mbedtls x509 crt pool

Signed-off-by: makejian <[email protected]>
Original patch:
From e9eeb5721637faa451f66bbb2789046b9a7963d5 Mon Sep 17 00:00:00 2001
From: makejian <[email protected]>
Date: Fri, 18 Aug 2023 15:52:45 +0800
Subject: [PATCH 1/2] mbedtls: add mbedtls x509 crt pool

Signed-off-by: makejian <[email protected]>

Signed-off-by: George Poulios <[email protected]>
---
include/mbedtls/threading.h | 4 +
library/threading.c | 3 +
Expand All @@ -14,13 +22,13 @@ Signed-off-by: makejian <[email protected]>
create mode 100644 library/x509_crt_pool.c
create mode 100644 library/x509_crt_pool.h

diff --git mbedtls/include/mbedtls/threading.h mbedtls/include/mbedtls/threading.h
index 1b9c7ced2..e3986cd67 100644
--- mbedtls/include/mbedtls/threading.h
+++ mbedtls/include/mbedtls/threading.h
@@ -108,6 +108,10 @@ extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
diff --git a/include/mbedtls/threading.h b/include/mbedtls/threading.h
index d50d04ead1..9fffe6705d 100644
--- a/include/mbedtls/threading.h
+++ b/include/mbedtls/threading.h
@@ -128,6 +128,10 @@ extern mbedtls_threading_mutex_t mbedtls_threading_psa_globaldata_mutex;
extern mbedtls_threading_mutex_t mbedtls_threading_psa_rngdata_mutex;
#endif

+#if defined(MBEDTLS_X509_CRT_POOL)
+extern mbedtls_threading_mutex_t mbedtls_threading_x509crtpool_mutex;
Expand All @@ -29,24 +37,24 @@ index 1b9c7ced2..e3986cd67 100644
#endif /* MBEDTLS_THREADING_C */

#ifdef __cplusplus
diff --git mbedtls/library/threading.c mbedtls/library/threading.c
index 130c6963d..c91df6f6a 100644
--- mbedtls/library/threading.c
+++ mbedtls/library/threading.c
@@ -189,5 +189,8 @@ mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex MUTEX_INIT;
#if defined(THREADING_USE_GMTIME)
mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT;
diff --git a/library/threading.c b/library/threading.c
index 85db243f21..da500193f5 100644
--- a/library/threading.c
+++ b/library/threading.c
@@ -191,5 +191,8 @@ mbedtls_threading_mutex_t mbedtls_threading_key_slot_mutex MUTEX_INIT;
mbedtls_threading_mutex_t mbedtls_threading_psa_globaldata_mutex MUTEX_INIT;
mbedtls_threading_mutex_t mbedtls_threading_psa_rngdata_mutex MUTEX_INIT;
#endif
+#if defined(MBEDTLS_X509_CRT_POOL)
+mbedtls_threading_mutex_t mbedtls_threading_x509crtpool_mutex MUTEX_INIT;
+#endif

#endif /* MBEDTLS_THREADING_C */
diff --git mbedtls/library/x509_crt.c mbedtls/library/x509_crt.c
index cf62532f2..8d058a092 100644
--- mbedtls/library/x509_crt.c
+++ mbedtls/library/x509_crt.c
@@ -78,6 +78,10 @@
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 53cdcf0266..dd3c83a91a 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -71,6 +71,10 @@
#endif /* !_WIN32 || EFIX64 || EFI32 */
#endif

Expand All @@ -57,9 +65,9 @@ index cf62532f2..8d058a092 100644
/*
* Item in a verification chain: cert and flags for it
*/
@@ -995,6 +999,12 @@ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
@@ -1113,6 +1117,12 @@ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
end = crt_end = p + len;
crt->raw.len = crt_end - buf;
crt->raw.len = (size_t) (crt_end - buf);
if (make_copy != 0) {
+#if defined(MBEDTLS_X509_CRT_POOL)
+ crt->raw.p = p = x509_crt_pool_ref_buf(buf, crt->raw.len);
Expand All @@ -70,32 +78,31 @@ index cf62532f2..8d058a092 100644
/* Create and populate a new buffer for the raw field. */
crt->raw.p = p = mbedtls_calloc(1, crt->raw.len);
if (crt->raw.p == NULL) {
@@ -1002,6 +1012,7 @@ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
@@ -1120,6 +1130,7 @@ static int x509_crt_parse_der_core(mbedtls_x509_crt *crt,
}

memcpy(crt->raw.p, buf, crt->raw.len);
+#endif
crt->own_buffer = 1;

p += crt->raw.len - len;
@@ -2839,8 +2850,12 @@ void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
mbedtls_asn1_sequence_free(cert_cur->certificate_policies.next);
@@ -3246,7 +3257,11 @@ void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
mbedtls_asn1_sequence_free(cert_cur->authority_key_id.authorityCertIssuer.next);

if (cert_cur->raw.p != NULL && cert_cur->own_buffer) {
+#if defined(MBEDTLS_X509_CRT_POOL)
+ x509_crt_pool_unref_buf(cert_cur->raw.p);
+#else
mbedtls_platform_zeroize(cert_cur->raw.p, cert_cur->raw.len);
mbedtls_free(cert_cur->raw.p);
mbedtls_zeroize_and_free(cert_cur->raw.p, cert_cur->raw.len);
+#endif
}

cert_prv = cert_cur;
diff --git mbedtls/library/x509_crt_pool.c mbedtls/library/x509_crt_pool.c
diff --git a/library/x509_crt_pool.c b/library/x509_crt_pool.c
new file mode 100644
index 000000000..da00c88a8
index 0000000000..da00c88a85
--- /dev/null
+++ mbedtls/library/x509_crt_pool.c
+++ b/library/x509_crt_pool.c
@@ -0,0 +1,142 @@
+/*
+ * X.509 certificate pool
Expand Down Expand Up @@ -239,11 +246,11 @@ index 000000000..da00c88a8
+}
+
+#endif /* MBEDTLS_X509_CRT_POOL */
diff --git mbedtls/library/x509_crt_pool.h mbedtls/library/x509_crt_pool.h
diff --git a/library/x509_crt_pool.h b/library/x509_crt_pool.h
new file mode 100644
index 000000000..8592761de
index 0000000000..8592761de4
--- /dev/null
+++ mbedtls/library/x509_crt_pool.h
+++ b/library/x509_crt_pool.h
@@ -0,0 +1,30 @@
+/**
+ * \file x509_crt_pool.h
Expand Down Expand Up @@ -277,4 +284,3 @@ index 000000000..8592761de
+#endif /* mbedtls_x509_crt_pool.h */
--
2.40.0
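Review bot: In the rebased mbedtls_x509_crt_free hunk (`@@ -3246,7 +3257,11 @@`) the #else branch now follows upstream 3.6.2 and calls `mbedtls_zeroize_and_free(cert_cur->raw.p, cert_cur->raw.len)`, but the MBEDTLS_X509_CRT_POOL branch hands the buffer to `x509_crt_pool_unref_buf(cert_cur->raw.p)` without a length, so whether the shared DER buffer is zeroized before release on the last unref depends entirely on x509_crt_pool.c, whose body is collapsed in this view. If the pool still releases with the 3.4.0-era `mbedtls_platform_zeroize` + `mbedtls_free` pair (or a plain `mbedtls_free`), it should be ported to `mbedtls_zeroize_and_free` so a pooled build keeps the same zeroize-on-free behaviour as the default build; a one-line comment at the pool call, `/* pool owns zeroize+free of the last reference */`, would record that expectation. The parse-side hunk (`@@ -1113,6 +1117,12 @@`) has the same kind of divergence: `crt->raw.p = p = x509_crt_pool_ref_buf(buf, crt->raw.len);` is followed by collapsed lines, so it is not visible here whether a NULL return is rejected the way the mbedtls_calloc path checks `crt->raw.p == NULL`, and that is worth confirming after the manual re-apply. Both mbedtls_x509_crt_free and x509_crt_parse_der_core start and end outside these hunks.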

2 changes: 1 addition & 1 deletion crypto/mbedtls/Kconfig
Expand Up @@ -13,7 +13,7 @@ if CRYPTO_MBEDTLS

config MBEDTLS_VERSION
string "Mbed TLS Version"
default "3.4.0"
default "3.6.2"

config MBEDTLS_DEBUG_C
bool "This module provides debugging functions."
