mptcp/openmptcprouter
1
0
Fork 0
mirror of https://github.com/Ysurac/openmptcprouter.git synced 2025-02-12 11:21:55 +00:00
Code Issues Releases Wiki Activity

Remove mbedtls on 6.12

Browse source
This commit is contained in:
Ycarus (Yannick Chabanois) 2025-01-11 20:39:41 +01:00
parent 9ae665f923
commit bb40e6224f
4 changed files with 0 additions and 576 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

200
6.12/package/libs/mbedtls/Config.in
View file

@ -1,200 +0,0 @@
if PACKAGE_libmbedtls
comment "Option details in source code: include/mbedtls/mbedtls_config.h"
comment "Ciphers - unselect old or less-used ciphers to reduce binary size"
config MBEDTLS_AES_C
bool "MBEDTLS_AES_C"
default y
config MBEDTLS_CAMELLIA_C
bool "MBEDTLS_CAMELLIA_C"
default n
config MBEDTLS_CCM_C
bool "MBEDTLS_CCM_C"
default n
config MBEDTLS_CMAC_C
bool "MBEDTLS_CMAC_C (old but used by hostapd)"
default y
config MBEDTLS_DES_C
bool "MBEDTLS_DES_C (old but used by hostapd)"
default y
config MBEDTLS_GCM_C
bool "MBEDTLS_GCM_C"
default y
config MBEDTLS_NIST_KW_C
bool "MBEDTLS_NIST_KW_C (old but used by hostapd)"
default y
config MBEDTLS_RIPEMD160_C
bool "MBEDTLS_RIPEMD160_C"
default n
config MBEDTLS_XTEA_C
bool "MBEDTLS_XTEA_C"
default n
config MBEDTLS_RSA_NO_CRT
bool "MBEDTLS_RSA_NO_CRT"
default y
config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED"
default y
config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED"
default n
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED"
default y
config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED"
default n
config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED"
default n
config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED"
default n
config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED"
default y
config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
default y
config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
default n
config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
bool "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED"
default n
comment "Curves - unselect old or less-used curves to reduce binary size"
config MBEDTLS_ECP_DP_SECP192R1_ENABLED
bool "MBEDTLS_ECP_DP_SECP192R1_ENABLED"
default n
config MBEDTLS_ECP_DP_SECP224R1_ENABLED
bool "MBEDTLS_ECP_DP_SECP224R1_ENABLED"
default n
config MBEDTLS_ECP_DP_SECP256R1_ENABLED
bool "MBEDTLS_ECP_DP_SECP256R1_ENABLED"
default y
config MBEDTLS_ECP_DP_SECP384R1_ENABLED
bool "MBEDTLS_ECP_DP_SECP384R1_ENABLED"
default y
config MBEDTLS_ECP_DP_SECP521R1_ENABLED
bool "MBEDTLS_ECP_DP_SECP521R1_ENABLED"
default y
config MBEDTLS_ECP_DP_SECP192K1_ENABLED
bool "MBEDTLS_ECP_DP_SECP192K1_ENABLED"
default n
config MBEDTLS_ECP_DP_SECP224K1_ENABLED
bool "MBEDTLS_ECP_DP_SECP224K1_ENABLED"
default n
config MBEDTLS_ECP_DP_SECP256K1_ENABLED
bool "MBEDTLS_ECP_DP_SECP256K1_ENABLED"
default y
config MBEDTLS_ECP_DP_BP256R1_ENABLED
bool "MBEDTLS_ECP_DP_BP256R1_ENABLED"
default n
config MBEDTLS_ECP_DP_BP384R1_ENABLED
bool "MBEDTLS_ECP_DP_BP384R1_ENABLED"
default n
config MBEDTLS_ECP_DP_BP512R1_ENABLED
bool "MBEDTLS_ECP_DP_BP512R1_ENABLED"
default n
config MBEDTLS_ECP_DP_CURVE25519_ENABLED
bool "MBEDTLS_ECP_DP_CURVE25519_ENABLED"
default y
config MBEDTLS_ECP_DP_CURVE448_ENABLED
bool "MBEDTLS_ECP_DP_CURVE448_ENABLED"
default n
comment "Build Options - unselect features to reduce binary size"
config MBEDTLS_CERTS_C
bool "MBEDTLS_CERTS_C"
default n
config MBEDTLS_CIPHER_MODE_OFB
bool "MBEDTLS_CIPHER_MODE_OFB"
default n
config MBEDTLS_CIPHER_MODE_XTS
bool "MBEDTLS_CIPHER_MODE_XTS"
default n
config MBEDTLS_DEBUG_C
bool "MBEDTLS_DEBUG_C"
default n
config MBEDTLS_HKDF_C
bool "MBEDTLS_HKDF_C"
default n
config MBEDTLS_PLATFORM_C
bool "MBEDTLS_PLATFORM_C"
default n
config MBEDTLS_SELF_TEST
bool "MBEDTLS_SELF_TEST"
default n
config MBEDTLS_SSL_TRUNCATED_HMAC
bool "MBEDTLS_SSL_TRUNCATED_HMAC"
default n
config MBEDTLS_THREADING_C
bool "MBEDTLS_THREADING_C"
default y
config MBEDTLS_THREADING_PTHREAD
def_bool MBEDTLS_THREADING_C
config MBEDTLS_VERSION_C
bool "MBEDTLS_VERSION_C"
default n
config MBEDTLS_VERSION_FEATURES
bool "MBEDTLS_VERSION_FEATURES"
default n
comment "Build Options"
config MBEDTLS_ENTROPY_FORCE_SHA256
bool "MBEDTLS_ENTROPY_FORCE_SHA256"
default y
config MBEDTLS_SSL_RENEGOTIATION
bool "MBEDTLS_SSL_RENEGOTIATION"
default n
endif

164
6.12/package/libs/mbedtls/Makefile
View file

@ -1,164 +0,0 @@
#
# Copyright (C) 2011-2015 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=mbedtls
PKG_VERSION:=2.28.7
PKG_RELEASE:=2
PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=1df6073f0cf6a4e1953890bf5e0de2a8c7e6be50d6d6c69fa9fefcb1d14e981a
PKG_LICENSE:=GPL-2.0-or-later
PKG_LICENSE_FILES:=gpl-2.0.txt
PKG_CPE_ID:=cpe:/a:arm:mbed_tls
MBEDTLS_BUILD_OPTS_CURVES= \
CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED \
CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED \
CONFIG_MBEDTLS_ECP_DP_CURVE448_ENABLED
MBEDTLS_BUILD_OPTS_CIPHERS= \
CONFIG_MBEDTLS_AES_C \
CONFIG_MBEDTLS_CAMELLIA_C \
CONFIG_MBEDTLS_CCM_C \
CONFIG_MBEDTLS_CMAC_C \
CONFIG_MBEDTLS_DES_C \
CONFIG_MBEDTLS_GCM_C \
CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED \
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \
CONFIG_MBEDTLS_NIST_KW_C \
CONFIG_MBEDTLS_RIPEMD160_C \
CONFIG_MBEDTLS_RSA_NO_CRT \
CONFIG_MBEDTLS_XTEA_C
MBEDTLS_BUILD_OPTS= \
$(MBEDTLS_BUILD_OPTS_CURVES) \
$(MBEDTLS_BUILD_OPTS_CIPHERS) \
CONFIG_MBEDTLS_CERTS_C \
CONFIG_MBEDTLS_CIPHER_MODE_OFB \
CONFIG_MBEDTLS_CIPHER_MODE_XTS \
CONFIG_MBEDTLS_DEBUG_C \
CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256 \
CONFIG_MBEDTLS_HKDF_C \
CONFIG_MBEDTLS_PLATFORM_C \
CONFIG_MBEDTLS_SELF_TEST \
CONFIG_MBEDTLS_SSL_RENEGOTIATION \
CONFIG_MBEDTLS_SSL_TRUNCATED_HMAC \
CONFIG_MBEDTLS_THREADING_C \
CONFIG_MBEDTLS_THREADING_PTHREAD \
CONFIG_MBEDTLS_VERSION_C \
CONFIG_MBEDTLS_VERSION_FEATURES
PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS)
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk
define Package/mbedtls/Default
TITLE:=Embedded SSL
URL:=https://tls.mbed.org
endef
define Package/mbedtls/Default/description
The aim of the mbedtls project is to provide a quality, open-source
cryptographic library written in C and targeted at embedded systems.
endef
define Package/libmbedtls
$(call Package/mbedtls/Default)
SECTION:=libs
CATEGORY:=Libraries
SUBMENU:=SSL
TITLE+= (library)
ABI_VERSION:=13
MENU:=1
endef
define Package/libmbedtls/config
source "$(SOURCE)/Config.in"
endef
define Package/mbedtls-util
$(call Package/mbedtls/Default)
SECTION:=utils
CATEGORY:=Utilities
TITLE+= (utilities)
DEPENDS:=+libmbedtls
endef
define Package/libmbedtls/description
$(call Package/mbedtls/Default/description)
This package contains the mbedtls library.
endef
define Package/mbedtls-util/description
$(call Package/mbedtls/Default/description)
This package contains mbedtls helper programs for private key and
CSR generation (gen_key, cert_req)
endef
TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS))
CMAKE_OPTIONS += \
-DCMAKE_POSITION_INDEPENDENT_CODE=ON \
-DUSE_SHARED_MBEDTLS_LIBRARY:Bool=ON \
-DENABLE_TESTING:Bool=OFF \
-DENABLE_PROGRAMS:Bool=ON
define Build/Prepare
$(call Build/Prepare/Default)
$(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))),
$(foreach opt,$(MBEDTLS_BUILD_OPTS),
$(PKG_BUILD_DIR)/scripts/config.py \
-f $(PKG_BUILD_DIR)/include/mbedtls/config.h \
$(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt))),)
endef
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
$(CP) $(PKG_INSTALL_DIR)/usr/include/mbedtls $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.a $(1)/usr/lib/
endef
define Package/libmbedtls/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so.* $(1)/usr/lib/
endef
define Package/mbedtls-util/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/gen_key $(1)/usr/bin/
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/cert_req $(1)/usr/bin/
endef
$(eval $(call BuildPackage,libmbedtls))
$(eval $(call BuildPackage,mbedtls-util))

197
6.12/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch
View file

@ -1,197 +0,0 @@
From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Sun, 23 Oct 2022 19:48:18 -0400
Subject: [PATCH] x509 crt verify SAN iPAddress
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
---
include/mbedtls/x509_crt.h | 2 +-
library/x509_crt.c | 126 ++++++++++++++++++++++++++++++-------
2 files changed, 103 insertions(+), 25 deletions(-)
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -608,7 +608,7 @@ int mbedtls_x509_crt_verify_info(char *b
* \param cn The expected Common Name. This will be checked to be
* present in the certificate's subjectAltNames extension or,
* if this extension is absent, as a CN component in its
- * Subject name. Currently only DNS names are supported. This
+ * Subject name. DNS names and IP addresses are supported. This
* may be \c NULL if the CN need not be verified.
* \param flags The address at which to store the result of the verification.
* If the verification couldn't be completed, the flag value is
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -57,6 +57,10 @@
#if defined(MBEDTLS_HAVE_TIME)
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#define WIN32_LEAN_AND_MEAN
+#ifndef _WIN32_WINNT
+#define _WIN32_WINNT 0x0600
+#endif
#include <windows.h>
#else
#include <time.h>
@@ -3002,6 +3006,61 @@ find_parent:
}
}
+#ifdef _WIN32
+#ifdef _MSC_VER
+#pragma comment(lib, "ws2_32.lib")
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#endif
+#elif defined(__sun)
+/* Solaris requires -lsocket -lnsl for inet_pton() */
+#elif defined(__has_include)
+#if __has_include(<sys/socket.h>)
+#include <sys/socket.h>
+#endif
+#if __has_include(<arpa/inet.h>)
+#include <arpa/inet.h>
+#endif
+#endif
+
+/* Use whether or not AF_INET6 is defined to indicate whether or not to use
+ * the platform inet_pton() or a local implementation (below). The local
+ * implementation may be used even in cases where the platform provides
+ * inet_pton(), e.g. when there are different includes required and/or the
+ * platform implementation requires dependencies on additional libraries.
+ * Specifically, Windows requires custom includes and additional link
+ * dependencies, and Solaris requires additional link dependencies.
+ * Also, as a coarse heuristic, use the local implementation if the compiler
+ * does not support __has_include(), or if the definition of AF_INET6 is not
+ * provided by headers included (or not) via __has_include() above. */
+#ifndef AF_INET6
+
+#define x509_cn_inet_pton(cn, dst) (0)
+
+#else
+
+static int x509_inet_pton_ipv6(const char *src, void *dst)
+{
+ return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1;
+}
+
+static int x509_inet_pton_ipv4(const char *src, void *dst)
+{
+ return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1;
+}
+
+#endif /* AF_INET6 */
+
+static size_t x509_cn_inet_pton(const char *cn, void *dst)
+{
+ return strchr(cn, ':') == NULL
+ ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0
+ : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0;
+}
+
/*
* Check for CN match
*/
@@ -3022,24 +3081,51 @@ static int x509_crt_check_cn(const mbedt
return -1;
}
+static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
+ const char *cn, size_t cn_len)
+{
+ uint32_t ip[4];
+ cn_len = x509_cn_inet_pton(cn, ip);
+ if (cn_len == 0) {
+ return -1;
+ }
+
+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
+ const unsigned char san_type = (unsigned char) cur->buf.tag &
+ MBEDTLS_ASN1_TAG_VALUE_MASK;
+ if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS &&
+ cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) {
+ return 0;
+ }
+ }
+
+ return -1;
+}
+
/*
* Check for SAN match, see RFC 5280 Section 4.2.1.6
*/
-static int x509_crt_check_san(const mbedtls_x509_buf *name,
+static int x509_crt_check_san(const mbedtls_x509_sequence *san,
const char *cn, size_t cn_len)
{
- const unsigned char san_type = (unsigned char) name->tag &
- MBEDTLS_ASN1_TAG_VALUE_MASK;
-
- /* dNSName */
- if (san_type == MBEDTLS_X509_SAN_DNS_NAME) {
- return x509_crt_check_cn(name, cn, cn_len);
+ int san_ip = 0;
+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
+ switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
+ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */
+ if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
+ return 0;
+ }
+ break;
+ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */
+ san_ip = 1;
+ break;
+ /* (We may handle other types here later.) */
+ default: /* Unrecognized type */
+ break;
+ }
}
- /* (We may handle other types here later.) */
-
- /* Unrecognized type */
- return -1;
+ return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1;
}
/*
@@ -3050,31 +3136,23 @@ static void x509_crt_verify_name(const m
uint32_t *flags)
{
const mbedtls_x509_name *name;
- const mbedtls_x509_sequence *cur;
size_t cn_len = strlen(cn);
if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) {
- for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) {
- if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) {
- break;
- }
- }
-
- if (cur == NULL) {
- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+ if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) {
+ return;
}
} else {
for (name = &crt->subject; name != NULL; name = name->next) {
if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 &&
x509_crt_check_cn(&name->val, cn, cn_len) == 0) {
- break;
+ return;
}
}
- if (name == NULL) {
- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
- }
}
+
+ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
}
/*

15
6.12/package/libs/mbedtls/patches/101-remove-test.patch
View file

@ -1,15 +0,0 @@
--- a/programs/CMakeLists.txt
+++ b/programs/CMakeLists.txt
@@ -1,12 +1,8 @@
add_subdirectory(aes)
-if (NOT WIN32)
- add_subdirectory(fuzz)
-endif()
add_subdirectory(hash)
add_subdirectory(pkey)
add_subdirectory(psa)
add_subdirectory(random)
add_subdirectory(ssl)
-add_subdirectory(test)
add_subdirectory(util)
add_subdirectory(x509)