diff options
author | Beniamin Sandu <beniaminsandu@gmail.com> | 2023-11-01 19:26:29 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-11-03 10:49:47 -0400 |
commit | 579558c87f25c74519f1fb9716952480f97087e7 (patch) | |
tree | 63207891bb124f64d9cd979ac3f12d319a22afad | |
parent | 8274d201cbe36b2fc5feb409b4fc9f84d85afa97 (diff) | |
download | meta-openembedded-579558c87f25c74519f1fb9716952480f97087e7.tar.gz |
mbedtls: upgrade 3.4.0 -> 3.5.0
* Includes security fix for CVE-2023-43615 - Buffer overread in TLS stream cipher suites
* Includes security fix for CVE-2023-45199 - Buffer overflow in TLS handshake parsing with ECDH
* Includes aesce compilation fixes
Full changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.5.0
The extra patch fixes x86 32-bit builds.
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch | 87 | ||||
-rw-r--r-- | meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch | 33 | ||||
-rw-r--r-- | meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch | 34 | ||||
-rw-r--r-- | meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.0.bb (renamed from meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb) | 10 |
4 files changed, 89 insertions, 75 deletions
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch new file mode 100644 index 000000000..5030fb99f --- /dev/null +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch | |||
@@ -0,0 +1,87 @@ | |||
1 | From 80d3e73ad0648f558a067a9dbfe3bc80e6b614f8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Beniamin Sandu <beniaminsandu@gmail.com> | ||
3 | Date: Mon, 30 Oct 2023 19:15:56 +0000 | ||
4 | Subject: [PATCH] AES-NI: use target attributes for x86 32-bit intrinsics | ||
5 | |||
6 | This way we build with 32-bit gcc/clang out of the box. | ||
7 | We also fallback to assembly for 64-bit clang-cl if needed cpu | ||
8 | flags are not provided, instead of throwing an error. | ||
9 | |||
10 | Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/800f2b7c020678a84abfa9688962b91c36e6693d] | ||
11 | |||
12 | Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com> | ||
13 | --- | ||
14 | library/aesni.c | 20 ++++++++++++++++++++ | ||
15 | library/aesni.h | 8 +++++--- | ||
16 | 2 files changed, 25 insertions(+), 3 deletions(-) | ||
17 | |||
18 | diff --git a/library/aesni.c b/library/aesni.c | ||
19 | index 5f25a8249..481fa3822 100644 | ||
20 | --- a/library/aesni.c | ||
21 | +++ b/library/aesni.c | ||
22 | @@ -41,6 +41,17 @@ | ||
23 | #include <immintrin.h> | ||
24 | #endif | ||
25 | |||
26 | +#if defined(MBEDTLS_ARCH_IS_X86) | ||
27 | +#if defined(MBEDTLS_COMPILER_IS_GCC) | ||
28 | +#pragma GCC push_options | ||
29 | +#pragma GCC target ("pclmul,sse2,aes") | ||
30 | +#define MBEDTLS_POP_TARGET_PRAGMA | ||
31 | +#elif defined(__clang__) | ||
32 | +#pragma clang attribute push (__attribute__((target("pclmul,sse2,aes"))), apply_to=function) | ||
33 | +#define MBEDTLS_POP_TARGET_PRAGMA | ||
34 | +#endif | ||
35 | +#endif | ||
36 | + | ||
37 | #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) | ||
38 | /* | ||
39 | * AES-NI support detection routine | ||
40 | @@ -396,6 +407,15 @@ static void aesni_setkey_enc_256(unsigned char *rk_bytes, | ||
41 | } | ||
42 | #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ | ||
43 | |||
44 | +#if defined(MBEDTLS_POP_TARGET_PRAGMA) | ||
45 | +#if defined(__clang__) | ||
46 | +#pragma clang attribute pop | ||
47 | +#elif defined(__GNUC__) | ||
48 | +#pragma GCC pop_options | ||
49 | +#endif | ||
50 | +#undef MBEDTLS_POP_TARGET_PRAGMA | ||
51 | +#endif | ||
52 | + | ||
53 | #else /* MBEDTLS_AESNI_HAVE_CODE == 1 */ | ||
54 | |||
55 | #if defined(__has_feature) | ||
56 | diff --git a/library/aesni.h b/library/aesni.h | ||
57 | index ba1429029..37ae02c82 100644 | ||
58 | --- a/library/aesni.h | ||
59 | +++ b/library/aesni.h | ||
60 | @@ -50,6 +50,10 @@ | ||
61 | #if defined(__GNUC__) && defined(__AES__) && defined(__PCLMUL__) | ||
62 | #define MBEDTLS_AESNI_HAVE_INTRINSICS | ||
63 | #endif | ||
64 | +/* For 32-bit, we only support intrinsics */ | ||
65 | +#if defined(MBEDTLS_ARCH_IS_X86) && (defined(__GNUC__) || defined(__clang__)) | ||
66 | +#define MBEDTLS_AESNI_HAVE_INTRINSICS | ||
67 | +#endif | ||
68 | |||
69 | /* Choose the implementation of AESNI, if one is available. | ||
70 | * | ||
71 | @@ -60,13 +64,11 @@ | ||
72 | #if defined(MBEDTLS_AESNI_HAVE_INTRINSICS) | ||
73 | #define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics | ||
74 | #elif defined(MBEDTLS_HAVE_ASM) && \ | ||
75 | - defined(__GNUC__) && defined(MBEDTLS_ARCH_IS_X64) | ||
76 | + (defined(__GNUC__) || defined(__clang__)) && defined(MBEDTLS_ARCH_IS_X64) | ||
77 | /* Can we do AESNI with inline assembly? | ||
78 | * (Only implemented with gas syntax, only for 64-bit.) | ||
79 | */ | ||
80 | #define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly | ||
81 | -#elif defined(__GNUC__) | ||
82 | -# error "Must use `-mpclmul -msse2 -maes` for MBEDTLS_AESNI_C" | ||
83 | #else | ||
84 | #error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available" | ||
85 | #endif | ||
86 | -- | ||
87 | 2.34.1 | ||
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch deleted file mode 100644 index d98d8fa57..000000000 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch +++ /dev/null | |||
@@ -1,33 +0,0 @@ | |||
1 | From 2246925e3cb16183e25d4e2cfd13fb800df86270 Mon Sep 17 00:00:00 2001 | ||
2 | From: Beniamin Sandu <beniaminsandu@gmail.com> | ||
3 | Date: Sun, 25 Jun 2023 19:58:08 +0300 | ||
4 | Subject: [PATCH] aesce: do not specify an arch version when enabling crypto | ||
5 | instructions | ||
6 | |||
7 | Building mbedtls with different aarch64 tuning variations revealed | ||
8 | that we should use the crypto extensions without forcing a particular | ||
9 | architecture version or core, as that can create issues. | ||
10 | |||
11 | Upstream-Status: Submitted [https://github.com/Mbed-TLS/mbedtls/pull/7834] | ||
12 | |||
13 | Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com> | ||
14 | --- | ||
15 | library/aesce.c | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/library/aesce.c b/library/aesce.c | ||
19 | index fe056dc4c..843de3973 100644 | ||
20 | --- a/library/aesce.c | ||
21 | +++ b/library/aesce.c | ||
22 | @@ -60,7 +60,7 @@ | ||
23 | # error "A more recent GCC is required for MBEDTLS_AESCE_C" | ||
24 | # endif | ||
25 | # pragma GCC push_options | ||
26 | -# pragma GCC target ("arch=armv8-a+crypto") | ||
27 | +# pragma GCC target ("+crypto") | ||
28 | # define MBEDTLS_POP_TARGET_PRAGMA | ||
29 | # else | ||
30 | # error "Only GCC and Clang supported for MBEDTLS_AESCE_C" | ||
31 | -- | ||
32 | 2.25.1 | ||
33 | |||
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch deleted file mode 100644 index 4775c8ddb..000000000 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch +++ /dev/null | |||
@@ -1,34 +0,0 @@ | |||
1 | From 03d3523f974536f2358047382aadb0d4cc762f8a Mon Sep 17 00:00:00 2001 | ||
2 | From: Beniamin Sandu <beniaminsandu@gmail.com> | ||
3 | Date: Mon, 26 Jun 2023 12:07:21 +0300 | ||
4 | Subject: [PATCH] aesce: use correct target attribute when building with clang | ||
5 | |||
6 | Seems clang has its own issues when it comes to crypto extensions, | ||
7 | and right now the best way to avoid them is to accurately enable | ||
8 | the needed instructions instead of the broad crypto feature. | ||
9 | |||
10 | E.g.: https://github.com/llvm/llvm-project/issues/61645 | ||
11 | |||
12 | Upstream-Status: Pending | ||
13 | |||
14 | Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com> | ||
15 | --- | ||
16 | library/aesce.c | 2 +- | ||
17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/library/aesce.c b/library/aesce.c | ||
20 | index 843de3973..7bea088ba 100644 | ||
21 | --- a/library/aesce.c | ||
22 | +++ b/library/aesce.c | ||
23 | @@ -53,7 +53,7 @@ | ||
24 | # if __clang_major__ < 4 | ||
25 | # error "A more recent Clang is required for MBEDTLS_AESCE_C" | ||
26 | # endif | ||
27 | -# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) | ||
28 | +# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function) | ||
29 | # define MBEDTLS_POP_TARGET_PRAGMA | ||
30 | # elif defined(__GNUC__) | ||
31 | # if __GNUC__ < 6 | ||
32 | -- | ||
33 | 2.25.1 | ||
34 | |||
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.0.bb index 3a355bb43..d57e717bd 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.0.bb | |||
@@ -23,10 +23,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" | |||
23 | SECTION = "libs" | 23 | SECTION = "libs" |
24 | 24 | ||
25 | S = "${WORKDIR}/git" | 25 | S = "${WORKDIR}/git" |
26 | SRCREV = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33" | 26 | SRCREV = "1ec69067fa1351427f904362c1221b31538c8b57" |
27 | SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \ | 27 | SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \ |
28 | file://0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch \ | 28 | file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \ |
29 | file://0002-aesce-use-correct-target-attribute-when-building-wit.patch \ | ||
30 | file://run-ptest" | 29 | file://run-ptest" |
31 | 30 | ||
32 | inherit cmake update-alternatives ptest | 31 | inherit cmake update-alternatives ptest |
@@ -61,11 +60,6 @@ BBCLASSEXTEND = "native nativesdk" | |||
61 | 60 | ||
62 | CVE_PRODUCT = "mbed_tls" | 61 | CVE_PRODUCT = "mbed_tls" |
63 | 62 | ||
64 | # Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310 | ||
65 | CVE_CHECK_IGNORE += "CVE-2021-43666" | ||
66 | # Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c | ||
67 | CVE_CHECK_IGNORE += "CVE-2021-45451" | ||
68 | |||
69 | # Strip host paths from autogenerated test files | 63 | # Strip host paths from autogenerated test files |
70 | do_compile:append() { | 64 | do_compile:append() { |
71 | sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || : | 65 | sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || : |