diff --git a/6.12/package/libs/mbedtls/Config.in b/6.12/package/libs/mbedtls/Config.in new file mode 100644 index 00000000..ad0ecb6e --- /dev/null +++ b/6.12/package/libs/mbedtls/Config.in @@ -0,0 +1,200 @@ +if PACKAGE_libmbedtls + +comment "Option details in source code: include/mbedtls/mbedtls_config.h" + +comment "Ciphers - unselect old or less-used ciphers to reduce binary size" + +config MBEDTLS_AES_C + bool "MBEDTLS_AES_C" + default y + +config MBEDTLS_CAMELLIA_C + bool "MBEDTLS_CAMELLIA_C" + default n + +config MBEDTLS_CCM_C + bool "MBEDTLS_CCM_C" + default n + +config MBEDTLS_CMAC_C + bool "MBEDTLS_CMAC_C (old but used by hostapd)" + default y + +config MBEDTLS_DES_C + bool "MBEDTLS_DES_C (old but used by hostapd)" + default y + +config MBEDTLS_GCM_C + bool "MBEDTLS_GCM_C" + default y + +config MBEDTLS_NIST_KW_C + bool "MBEDTLS_NIST_KW_C (old but used by hostapd)" + default y + +config MBEDTLS_RIPEMD160_C + bool "MBEDTLS_RIPEMD160_C" + default n + +config MBEDTLS_XTEA_C + bool "MBEDTLS_XTEA_C" + default n + +config MBEDTLS_RSA_NO_CRT + bool "MBEDTLS_RSA_NO_CRT" + default y + +config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED" + default n + +comment "Curves - unselect old or less-used curves to reduce binary size" + +config MBEDTLS_ECP_DP_SECP192R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP192R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP224R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP224R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP256R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP256R1_ENABLED" + default y + +config MBEDTLS_ECP_DP_SECP384R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP384R1_ENABLED" + default y + +config MBEDTLS_ECP_DP_SECP521R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP521R1_ENABLED" + default y + +config MBEDTLS_ECP_DP_SECP192K1_ENABLED + bool "MBEDTLS_ECP_DP_SECP192K1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP224K1_ENABLED + bool "MBEDTLS_ECP_DP_SECP224K1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP256K1_ENABLED + bool "MBEDTLS_ECP_DP_SECP256K1_ENABLED" + default y + +config MBEDTLS_ECP_DP_BP256R1_ENABLED + bool "MBEDTLS_ECP_DP_BP256R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_BP384R1_ENABLED + bool "MBEDTLS_ECP_DP_BP384R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_BP512R1_ENABLED + bool "MBEDTLS_ECP_DP_BP512R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_CURVE25519_ENABLED + bool "MBEDTLS_ECP_DP_CURVE25519_ENABLED" + default y + +config MBEDTLS_ECP_DP_CURVE448_ENABLED + bool "MBEDTLS_ECP_DP_CURVE448_ENABLED" + default n + +comment "Build Options - unselect features to reduce binary size" + +config MBEDTLS_CERTS_C + bool "MBEDTLS_CERTS_C" + default n + +config MBEDTLS_CIPHER_MODE_OFB + bool "MBEDTLS_CIPHER_MODE_OFB" + default n + +config MBEDTLS_CIPHER_MODE_XTS + bool "MBEDTLS_CIPHER_MODE_XTS" + default n + +config MBEDTLS_DEBUG_C + bool "MBEDTLS_DEBUG_C" + default n + +config MBEDTLS_HKDF_C + bool "MBEDTLS_HKDF_C" + default n + +config MBEDTLS_PLATFORM_C + bool "MBEDTLS_PLATFORM_C" + default n + +config MBEDTLS_SELF_TEST + bool "MBEDTLS_SELF_TEST" + default n + +config MBEDTLS_SSL_TRUNCATED_HMAC + bool "MBEDTLS_SSL_TRUNCATED_HMAC" + default n + +config MBEDTLS_THREADING_C + bool "MBEDTLS_THREADING_C" + default y + +config MBEDTLS_THREADING_PTHREAD + def_bool MBEDTLS_THREADING_C + +config MBEDTLS_VERSION_C + bool "MBEDTLS_VERSION_C" + default n + +config MBEDTLS_VERSION_FEATURES + bool "MBEDTLS_VERSION_FEATURES" + default n + +comment "Build Options" + +config MBEDTLS_ENTROPY_FORCE_SHA256 + bool "MBEDTLS_ENTROPY_FORCE_SHA256" + default y + +config MBEDTLS_SSL_RENEGOTIATION + bool "MBEDTLS_SSL_RENEGOTIATION" + default n + +endif diff --git a/6.12/package/libs/mbedtls/Makefile b/6.12/package/libs/mbedtls/Makefile new file mode 100644 index 00000000..502bf65f --- /dev/null +++ b/6.12/package/libs/mbedtls/Makefile @@ -0,0 +1,164 @@ +# +# Copyright (C) 2011-2015 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=mbedtls +PKG_VERSION:=2.28.7 +PKG_RELEASE:=2 +PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)? +PKG_HASH:=1df6073f0cf6a4e1953890bf5e0de2a8c7e6be50d6d6c69fa9fefcb1d14e981a + +PKG_LICENSE:=GPL-2.0-or-later +PKG_LICENSE_FILES:=gpl-2.0.txt +PKG_CPE_ID:=cpe:/a:arm:mbed_tls + +MBEDTLS_BUILD_OPTS_CURVES= \ + CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_CURVE448_ENABLED + +MBEDTLS_BUILD_OPTS_CIPHERS= \ + CONFIG_MBEDTLS_AES_C \ + CONFIG_MBEDTLS_CAMELLIA_C \ + CONFIG_MBEDTLS_CCM_C \ + CONFIG_MBEDTLS_CMAC_C \ + CONFIG_MBEDTLS_DES_C \ + CONFIG_MBEDTLS_GCM_C \ + CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \ + CONFIG_MBEDTLS_NIST_KW_C \ + CONFIG_MBEDTLS_RIPEMD160_C \ + CONFIG_MBEDTLS_RSA_NO_CRT \ + CONFIG_MBEDTLS_XTEA_C + +MBEDTLS_BUILD_OPTS= \ + $(MBEDTLS_BUILD_OPTS_CURVES) \ + $(MBEDTLS_BUILD_OPTS_CIPHERS) \ + CONFIG_MBEDTLS_CERTS_C \ + CONFIG_MBEDTLS_CIPHER_MODE_OFB \ + CONFIG_MBEDTLS_CIPHER_MODE_XTS \ + CONFIG_MBEDTLS_DEBUG_C \ + CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256 \ + CONFIG_MBEDTLS_HKDF_C \ + CONFIG_MBEDTLS_PLATFORM_C \ + CONFIG_MBEDTLS_SELF_TEST \ + CONFIG_MBEDTLS_SSL_RENEGOTIATION \ + CONFIG_MBEDTLS_SSL_TRUNCATED_HMAC \ + CONFIG_MBEDTLS_THREADING_C \ + CONFIG_MBEDTLS_THREADING_PTHREAD \ + CONFIG_MBEDTLS_VERSION_C \ + CONFIG_MBEDTLS_VERSION_FEATURES + +PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS) + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/cmake.mk + +define Package/mbedtls/Default + TITLE:=Embedded SSL + URL:=https://tls.mbed.org +endef + +define Package/mbedtls/Default/description +The aim of the mbedtls project is to provide a quality, open-source +cryptographic library written in C and targeted at embedded systems. +endef + +define Package/libmbedtls +$(call Package/mbedtls/Default) + SECTION:=libs + CATEGORY:=Libraries + SUBMENU:=SSL + TITLE+= (library) + ABI_VERSION:=13 + MENU:=1 +endef + +define Package/libmbedtls/config + source "$(SOURCE)/Config.in" +endef + +define Package/mbedtls-util +$(call Package/mbedtls/Default) + SECTION:=utils + CATEGORY:=Utilities + TITLE+= (utilities) + DEPENDS:=+libmbedtls +endef + +define Package/libmbedtls/description +$(call Package/mbedtls/Default/description) +This package contains the mbedtls library. +endef + +define Package/mbedtls-util/description +$(call Package/mbedtls/Default/description) +This package contains mbedtls helper programs for private key and +CSR generation (gen_key, cert_req) +endef + +TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) + +CMAKE_OPTIONS += \ + -DCMAKE_POSITION_INDEPENDENT_CODE=ON \ + -DUSE_SHARED_MBEDTLS_LIBRARY:Bool=ON \ + -DENABLE_TESTING:Bool=OFF \ + -DENABLE_PROGRAMS:Bool=ON + +define Build/Prepare + $(call Build/Prepare/Default) + + $(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))), + $(foreach opt,$(MBEDTLS_BUILD_OPTS), + $(PKG_BUILD_DIR)/scripts/config.py \ + -f $(PKG_BUILD_DIR)/include/mbedtls/config.h \ + $(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt))),) +endef + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include + $(CP) $(PKG_INSTALL_DIR)/usr/include/mbedtls $(1)/usr/include/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.a $(1)/usr/lib/ +endef + +define Package/libmbedtls/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so.* $(1)/usr/lib/ +endef + +define Package/mbedtls-util/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/gen_key $(1)/usr/bin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/cert_req $(1)/usr/bin/ +endef + +$(eval $(call BuildPackage,libmbedtls)) +$(eval $(call BuildPackage,mbedtls-util)) diff --git a/6.12/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch b/6.12/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch new file mode 100644 index 00000000..4ad2e8c7 --- /dev/null +++ b/6.12/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch @@ -0,0 +1,197 @@ +From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Sun, 23 Oct 2022 19:48:18 -0400 +Subject: [PATCH] x509 crt verify SAN iPAddress + +Signed-off-by: Glenn Strauss +--- + include/mbedtls/x509_crt.h | 2 +- + library/x509_crt.c | 126 ++++++++++++++++++++++++++++++------- + 2 files changed, 103 insertions(+), 25 deletions(-) + +--- a/include/mbedtls/x509_crt.h ++++ b/include/mbedtls/x509_crt.h +@@ -608,7 +608,7 @@ int mbedtls_x509_crt_verify_info(char *b + * \param cn The expected Common Name. This will be checked to be + * present in the certificate's subjectAltNames extension or, + * if this extension is absent, as a CN component in its +- * Subject name. Currently only DNS names are supported. This ++ * Subject name. DNS names and IP addresses are supported. This + * may be \c NULL if the CN need not be verified. + * \param flags The address at which to store the result of the verification. + * If the verification couldn't be completed, the flag value is +--- a/library/x509_crt.c ++++ b/library/x509_crt.c +@@ -57,6 +57,10 @@ + + #if defined(MBEDTLS_HAVE_TIME) + #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ++#define WIN32_LEAN_AND_MEAN ++#ifndef _WIN32_WINNT ++#define _WIN32_WINNT 0x0600 ++#endif + #include + #else + #include +@@ -3002,6 +3006,61 @@ find_parent: + } + } + ++#ifdef _WIN32 ++#ifdef _MSC_VER ++#pragma comment(lib, "ws2_32.lib") ++#include ++#include ++#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600 ++#include ++#include ++#endif ++#elif defined(__sun) ++/* Solaris requires -lsocket -lnsl for inet_pton() */ ++#elif defined(__has_include) ++#if __has_include() ++#include ++#endif ++#if __has_include() ++#include ++#endif ++#endif ++ ++/* Use whether or not AF_INET6 is defined to indicate whether or not to use ++ * the platform inet_pton() or a local implementation (below). The local ++ * implementation may be used even in cases where the platform provides ++ * inet_pton(), e.g. when there are different includes required and/or the ++ * platform implementation requires dependencies on additional libraries. ++ * Specifically, Windows requires custom includes and additional link ++ * dependencies, and Solaris requires additional link dependencies. ++ * Also, as a coarse heuristic, use the local implementation if the compiler ++ * does not support __has_include(), or if the definition of AF_INET6 is not ++ * provided by headers included (or not) via __has_include() above. */ ++#ifndef AF_INET6 ++ ++#define x509_cn_inet_pton(cn, dst) (0) ++ ++#else ++ ++static int x509_inet_pton_ipv6(const char *src, void *dst) ++{ ++ return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1; ++} ++ ++static int x509_inet_pton_ipv4(const char *src, void *dst) ++{ ++ return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1; ++} ++ ++#endif /* AF_INET6 */ ++ ++static size_t x509_cn_inet_pton(const char *cn, void *dst) ++{ ++ return strchr(cn, ':') == NULL ++ ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0 ++ : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0; ++} ++ + /* + * Check for CN match + */ +@@ -3022,24 +3081,51 @@ static int x509_crt_check_cn(const mbedt + return -1; + } + ++static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san, ++ const char *cn, size_t cn_len) ++{ ++ uint32_t ip[4]; ++ cn_len = x509_cn_inet_pton(cn, ip); ++ if (cn_len == 0) { ++ return -1; ++ } ++ ++ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) { ++ const unsigned char san_type = (unsigned char) cur->buf.tag & ++ MBEDTLS_ASN1_TAG_VALUE_MASK; ++ if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS && ++ cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) { ++ return 0; ++ } ++ } ++ ++ return -1; ++} ++ + /* + * Check for SAN match, see RFC 5280 Section 4.2.1.6 + */ +-static int x509_crt_check_san(const mbedtls_x509_buf *name, ++static int x509_crt_check_san(const mbedtls_x509_sequence *san, + const char *cn, size_t cn_len) + { +- const unsigned char san_type = (unsigned char) name->tag & +- MBEDTLS_ASN1_TAG_VALUE_MASK; +- +- /* dNSName */ +- if (san_type == MBEDTLS_X509_SAN_DNS_NAME) { +- return x509_crt_check_cn(name, cn, cn_len); ++ int san_ip = 0; ++ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) { ++ switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) { ++ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */ ++ if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) { ++ return 0; ++ } ++ break; ++ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */ ++ san_ip = 1; ++ break; ++ /* (We may handle other types here later.) */ ++ default: /* Unrecognized type */ ++ break; ++ } + } + +- /* (We may handle other types here later.) */ +- +- /* Unrecognized type */ +- return -1; ++ return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1; + } + + /* +@@ -3050,31 +3136,23 @@ static void x509_crt_verify_name(const m + uint32_t *flags) + { + const mbedtls_x509_name *name; +- const mbedtls_x509_sequence *cur; + size_t cn_len = strlen(cn); + + if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { +- for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) { +- if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) { +- break; +- } +- } +- +- if (cur == NULL) { +- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; ++ if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) { ++ return; + } + } else { + for (name = &crt->subject; name != NULL; name = name->next) { + if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 && + x509_crt_check_cn(&name->val, cn, cn_len) == 0) { +- break; ++ return; + } + } + +- if (name == NULL) { +- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; +- } + } ++ ++ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; + } + + /* diff --git a/6.12/package/libs/mbedtls/patches/101-remove-test.patch b/6.12/package/libs/mbedtls/patches/101-remove-test.patch new file mode 100644 index 00000000..e43f8757 --- /dev/null +++ b/6.12/package/libs/mbedtls/patches/101-remove-test.patch @@ -0,0 +1,15 @@ +--- a/programs/CMakeLists.txt ++++ b/programs/CMakeLists.txt +@@ -1,12 +1,8 @@ + add_subdirectory(aes) +-if (NOT WIN32) +- add_subdirectory(fuzz) +-endif() + add_subdirectory(hash) + add_subdirectory(pkey) + add_subdirectory(psa) + add_subdirectory(random) + add_subdirectory(ssl) +-add_subdirectory(test) + add_subdirectory(util) + add_subdirectory(x509)