helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-04-02 02:49:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

mbedtls: upgrade 3.4.0 -> 3.5.0

Browse Source 
* Includes security fix for CVE-2023-43615 - Buffer overread in TLS stream cipher suites
* Includes security fix for CVE-2023-45199 - Buffer overflow in TLS handshake parsing with ECDH
* Includes aesce compilation fixes

Full changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.5.0

The extra patch fixes x86 32-bit builds.

Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Beniamin Sandu 2023-11-01 19:26:29 +00:00 committed by Armin Kuster
parent 8274d201cb
commit 579558c87f
4 changed files with 89 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch Normal file
View File

@ -0,0 +1,87 @@
From 80d3e73ad0648f558a067a9dbfe3bc80e6b614f8 Mon Sep 17 00:00:00 2001
From: Beniamin Sandu <beniaminsandu@gmail.com>
Date: Mon, 30 Oct 2023 19:15:56 +0000
Subject: [PATCH] AES-NI: use target attributes for x86 32-bit intrinsics
This way we build with 32-bit gcc/clang out of the box.
We also fallback to assembly for 64-bit clang-cl if needed cpu
flags are not provided, instead of throwing an error.
Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/800f2b7c020678a84abfa9688962b91c36e6693d]
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
---
library/aesni.c | 20 ++++++++++++++++++++
library/aesni.h | 8 +++++---
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/library/aesni.c b/library/aesni.c
index 5f25a8249..481fa3822 100644
--- a/library/aesni.c
+++ b/library/aesni.c
@@ -41,6 +41,17 @@
#include <immintrin.h>
#endif
+#if defined(MBEDTLS_ARCH_IS_X86)
+#if defined(MBEDTLS_COMPILER_IS_GCC)
+#pragma GCC push_options
+#pragma GCC target ("pclmul,sse2,aes")
+#define MBEDTLS_POP_TARGET_PRAGMA
+#elif defined(__clang__)
+#pragma clang attribute push (__attribute__((target("pclmul,sse2,aes"))), apply_to=function)
+#define MBEDTLS_POP_TARGET_PRAGMA
+#endif
+#endif
+
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
/*
* AES-NI support detection routine
@@ -396,6 +407,15 @@ static void aesni_setkey_enc_256(unsigned char *rk_bytes,
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#if defined(MBEDTLS_POP_TARGET_PRAGMA)
+#if defined(__clang__)
+#pragma clang attribute pop
+#elif defined(__GNUC__)
+#pragma GCC pop_options
+#endif
+#undef MBEDTLS_POP_TARGET_PRAGMA
+#endif
+
#else /* MBEDTLS_AESNI_HAVE_CODE == 1 */
#if defined(__has_feature)
diff --git a/library/aesni.h b/library/aesni.h
index ba1429029..37ae02c82 100644
--- a/library/aesni.h
+++ b/library/aesni.h
@@ -50,6 +50,10 @@
#if defined(__GNUC__) && defined(__AES__) && defined(__PCLMUL__)
#define MBEDTLS_AESNI_HAVE_INTRINSICS
#endif
+/* For 32-bit, we only support intrinsics */
+#if defined(MBEDTLS_ARCH_IS_X86) && (defined(__GNUC__) || defined(__clang__))
+#define MBEDTLS_AESNI_HAVE_INTRINSICS
+#endif
/* Choose the implementation of AESNI, if one is available.
*
@@ -60,13 +64,11 @@
#if defined(MBEDTLS_AESNI_HAVE_INTRINSICS)
#define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics
#elif defined(MBEDTLS_HAVE_ASM) && \
- defined(__GNUC__) && defined(MBEDTLS_ARCH_IS_X64)
+ (defined(__GNUC__) || defined(__clang__)) && defined(MBEDTLS_ARCH_IS_X64)
/* Can we do AESNI with inline assembly?
* (Only implemented with gas syntax, only for 64-bit.)
*/
#define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly
-#elif defined(__GNUC__)
-# error "Must use `-mpclmul -msse2 -maes` for MBEDTLS_AESNI_C"
#else
#error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available"
#endif
--
2.34.1

33
meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch
View File

@ -1,33 +0,0 @@
From 2246925e3cb16183e25d4e2cfd13fb800df86270 Mon Sep 17 00:00:00 2001
From: Beniamin Sandu <beniaminsandu@gmail.com>
Date: Sun, 25 Jun 2023 19:58:08 +0300
Subject: [PATCH] aesce: do not specify an arch version when enabling crypto
instructions
Building mbedtls with different aarch64 tuning variations revealed
that we should use the crypto extensions without forcing a particular
architecture version or core, as that can create issues.
Upstream-Status: Submitted [https://github.com/Mbed-TLS/mbedtls/pull/7834]
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
---
library/aesce.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/aesce.c b/library/aesce.c
index fe056dc4c..843de3973 100644
--- a/library/aesce.c
+++ b/library/aesce.c
@@ -60,7 +60,7 @@
# error "A more recent GCC is required for MBEDTLS_AESCE_C"
# endif
# pragma GCC push_options
-# pragma GCC target ("arch=armv8-a+crypto")
+# pragma GCC target ("+crypto")
# define MBEDTLS_POP_TARGET_PRAGMA
# else
# error "Only GCC and Clang supported for MBEDTLS_AESCE_C"
--
2.25.1

34
meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch
View File

@ -1,34 +0,0 @@
From 03d3523f974536f2358047382aadb0d4cc762f8a Mon Sep 17 00:00:00 2001
From: Beniamin Sandu <beniaminsandu@gmail.com>
Date: Mon, 26 Jun 2023 12:07:21 +0300
Subject: [PATCH] aesce: use correct target attribute when building with clang
Seems clang has its own issues when it comes to crypto extensions,
and right now the best way to avoid them is to accurately enable
the needed instructions instead of the broad crypto feature.
E.g.: https://github.com/llvm/llvm-project/issues/61645
Upstream-Status: Pending
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
---
library/aesce.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/aesce.c b/library/aesce.c
index 843de3973..7bea088ba 100644
--- a/library/aesce.c
+++ b/library/aesce.c
@@ -53,7 +53,7 @@
# if __clang_major__ < 4
# error "A more recent Clang is required for MBEDTLS_AESCE_C"
# endif
-# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
+# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function)
# define MBEDTLS_POP_TARGET_PRAGMA
# elif defined(__GNUC__)
# if __GNUC__ < 6
--
2.25.1

10
meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb → meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.0.bb
View File

@ -23,10 +23,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
SECTION = "libs" SECTION = "libs"
S = "${WORKDIR}/git" S = "${WORKDIR}/git"
SRCREV = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33" SRCREV = "1ec69067fa1351427f904362c1221b31538c8b57"
SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \ SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \
file://0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch \ file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \
file://0002-aesce-use-correct-target-attribute-when-building-wit.patch \
file://run-ptest" file://run-ptest"
inherit cmake update-alternatives ptest inherit cmake update-alternatives ptest
@ -61,11 +60,6 @@ BBCLASSEXTEND = "native nativesdk"
CVE_PRODUCT = "mbed_tls" CVE_PRODUCT = "mbed_tls"
# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
CVE_CHECK_IGNORE += "CVE-2021-43666"
# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
CVE_CHECK_IGNORE += "CVE-2021-45451"
# Strip host paths from autogenerated test files # Strip host paths from autogenerated test files
do_compile:append() { do_compile:append() {
sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || : sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :