From 8d3f6e80ccc62ac59af9e7d486155297e871abb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20Verschelde?= Date: Wed, 4 Dec 2024 15:44:47 +0100 Subject: [PATCH] mbedtls: Update to upstream version 2.28.9 (cherry picked from commit 881645fff9b8bb50a2078f52b4223f5ccc3d1180) --- thirdparty/README.md | 2 +- thirdparty/mbedtls/include/mbedtls/config.h | 34 +++++++++++++------ thirdparty/mbedtls/include/mbedtls/ecdh.h | 2 +- thirdparty/mbedtls/include/mbedtls/ecp.h | 2 +- thirdparty/mbedtls/include/mbedtls/version.h | 8 ++--- thirdparty/mbedtls/library/common.h | 15 ++++---- thirdparty/mbedtls/library/entropy_poll.c | 4 ++- thirdparty/mbedtls/library/oid.c | 1 + thirdparty/mbedtls/library/ssl_msg.c | 1 + thirdparty/mbedtls/library/ssl_tls.c | 1 + thirdparty/mbedtls/library/x509_crt.c | 1 + .../patches/windows-entropy-bcrypt.diff | 4 +-- 12 files changed, 47 insertions(+), 28 deletions(-) diff --git a/thirdparty/README.md b/thirdparty/README.md index c68695ebf..1eed347af 100644 --- a/thirdparty/README.md +++ b/thirdparty/README.md @@ -218,7 +218,7 @@ Files extracted from upstream source: ## mbedtls - Upstream: https://github.com/Mbed-TLS/mbedtls -- Version: 2.28.8 (5a764e5555c64337ed17444410269ff21cb617b1, 2024) +- Version: 2.28.9 (5e146adef63b326b04282252639bebc2730939c6, 2024) - License: Apache 2.0 File extracted from upstream release tarball: diff --git a/thirdparty/mbedtls/include/mbedtls/config.h b/thirdparty/mbedtls/include/mbedtls/config.h index 4842fd494..84af7f767 100644 --- a/thirdparty/mbedtls/include/mbedtls/config.h +++ b/thirdparty/mbedtls/include/mbedtls/config.h @@ -4020,22 +4020,34 @@ * Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the * PSA crypto subsystem. * - * If this option is unset: - * - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG. - * - Otherwise, the PSA subsystem uses HMAC_DRBG with either - * #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and - * on unspecified heuristics. + * If this option is unset, the library chooses a hash (currently between + * #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and + * unspecified heuristics. + * + * \note The PSA crypto subsystem uses the first available mechanism amongst + * the following: + * - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled; + * - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES + * if #MBEDTLS_CTR_DRBG_C is enabled; + * - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG. + * + * A future version may reevaluate the prioritization of DRBG mechanisms. */ //#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 /** \def MBEDTLS_PSA_KEY_SLOT_COUNT - * Restrict the PSA library to supporting a maximum amount of simultaneously - * loaded keys. A loaded key is a key stored by the PSA Crypto core as a - * volatile key, or a persistent key which is loaded temporarily by the - * library as part of a crypto operation in flight. * - * If this option is unset, the library will fall back to a default value of - * 32 keys. + * The maximum amount of PSA keys simultaneously in memory. This counts all + * volatile keys, plus loaded persistent keys. + * + * Currently, persistent keys do not need to be loaded all the time while + * a multipart operation is in progress, only while the operation is being + * set up. This may change in future versions of the library. + * + * Currently, the library traverses of the whole table on each access to a + * persistent key. Therefore large values may cause poor performance. + * + * This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled. */ //#define MBEDTLS_PSA_KEY_SLOT_COUNT 32 diff --git a/thirdparty/mbedtls/include/mbedtls/ecdh.h b/thirdparty/mbedtls/include/mbedtls/ecdh.h index 6cc6cb92a..bf41a7029 100644 --- a/thirdparty/mbedtls/include/mbedtls/ecdh.h +++ b/thirdparty/mbedtls/include/mbedtls/ecdh.h @@ -299,7 +299,7 @@ int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx, * \brief This function sets up an ECDH context from an EC key. * * It is used by clients and servers in place of the - * ServerKeyEchange for static ECDH, and imports ECDH + * ServerKeyExchange for static ECDH, and imports ECDH * parameters from the EC key information of a certificate. * * \see ecp.h diff --git a/thirdparty/mbedtls/include/mbedtls/ecp.h b/thirdparty/mbedtls/include/mbedtls/ecp.h index 33ea14d7e..1b55b612b 100644 --- a/thirdparty/mbedtls/include/mbedtls/ecp.h +++ b/thirdparty/mbedtls/include/mbedtls/ecp.h @@ -259,7 +259,7 @@ mbedtls_ecp_point; * range of 0..2^(2*pbits)-1, and transforms it in-place to an integer * which is congruent mod \p P to the given MPI, and is close enough to \p pbits * in size, so that it may be efficiently brought in the 0..P-1 range by a few - * additions or subtractions. Therefore, it is only an approximative modular + * additions or subtractions. Therefore, it is only an approximate modular * reduction. It must return 0 on success and non-zero on failure. * * \note Alternative implementations must keep the group IDs distinct. If diff --git a/thirdparty/mbedtls/include/mbedtls/version.h b/thirdparty/mbedtls/include/mbedtls/version.h index bbe76b173..66998bf56 100644 --- a/thirdparty/mbedtls/include/mbedtls/version.h +++ b/thirdparty/mbedtls/include/mbedtls/version.h @@ -26,16 +26,16 @@ */ #define MBEDTLS_VERSION_MAJOR 2 #define MBEDTLS_VERSION_MINOR 28 -#define MBEDTLS_VERSION_PATCH 8 +#define MBEDTLS_VERSION_PATCH 9 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x021C0800 -#define MBEDTLS_VERSION_STRING "2.28.8" -#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.8" +#define MBEDTLS_VERSION_NUMBER 0x021C0900 +#define MBEDTLS_VERSION_STRING "2.28.9" +#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.9" #if defined(MBEDTLS_VERSION_C) diff --git a/thirdparty/mbedtls/library/common.h b/thirdparty/mbedtls/library/common.h index 49e2c97ea..5565b307c 100644 --- a/thirdparty/mbedtls/library/common.h +++ b/thirdparty/mbedtls/library/common.h @@ -337,17 +337,18 @@ static inline const unsigned char *mbedtls_buffer_offset_const( #endif /* Always provide a static assert macro, so it can be used unconditionally. - * It will expand to nothing on some systems. - * Can be used outside functions (but don't add a trailing ';' in that case: - * the semicolon is included here to avoid triggering -Wextra-semi when - * MBEDTLS_STATIC_ASSERT() expands to nothing). - * Can't use the C11-style `defined(static_assert)` on FreeBSD, since it + * It will expand to nothing on some systems. */ +/* Can't use the C11-style `defined(static_assert)` on FreeBSD, since it * defines static_assert even with -std=c99, but then complains about it. */ #if defined(static_assert) && !defined(__FreeBSD__) -#define MBEDTLS_STATIC_ASSERT(expr, msg) static_assert(expr, msg); +#define MBEDTLS_STATIC_ASSERT(expr, msg) static_assert(expr, msg) #else -#define MBEDTLS_STATIC_ASSERT(expr, msg) +/* Make sure `MBEDTLS_STATIC_ASSERT(expr, msg);` is valid both inside and + * outside a function. We choose a struct declaration, which can be repeated + * any number of times and does not need a matching definition. */ +#define MBEDTLS_STATIC_ASSERT(expr, msg) \ + struct ISO_C_does_not_allow_extra_semicolon_outside_of_a_function #endif /* Suppress compiler warnings for unused functions and variables. */ diff --git a/thirdparty/mbedtls/library/entropy_poll.c b/thirdparty/mbedtls/library/entropy_poll.c index d60e2ee99..658248144 100644 --- a/thirdparty/mbedtls/library/entropy_poll.c +++ b/thirdparty/mbedtls/library/entropy_poll.c @@ -5,10 +5,12 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ -#if defined(__linux__) || defined(__midipix__) && !defined(_GNU_SOURCE) +#if defined(__linux__) || defined(__midipix__) /* Ensure that syscall() is available even when compiling with -std=c99 */ +#if !defined(_GNU_SOURCE) #define _GNU_SOURCE #endif +#endif #include "common.h" diff --git a/thirdparty/mbedtls/library/oid.c b/thirdparty/mbedtls/library/oid.c index 7d7f1bfda..2868ef94f 100644 --- a/thirdparty/mbedtls/library/oid.c +++ b/thirdparty/mbedtls/library/oid.c @@ -15,6 +15,7 @@ #include "mbedtls/rsa.h" #include "mbedtls/error.h" +#include #include #include diff --git a/thirdparty/mbedtls/library/ssl_msg.c b/thirdparty/mbedtls/library/ssl_msg.c index 5e8567959..1613a1e6b 100644 --- a/thirdparty/mbedtls/library/ssl_msg.c +++ b/thirdparty/mbedtls/library/ssl_msg.c @@ -29,6 +29,7 @@ #include "constant_time_internal.h" #include "mbedtls/constant_time.h" +#include #include #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/thirdparty/mbedtls/library/ssl_tls.c b/thirdparty/mbedtls/library/ssl_tls.c index c667a2923..614943410 100644 --- a/thirdparty/mbedtls/library/ssl_tls.c +++ b/thirdparty/mbedtls/library/ssl_tls.c @@ -4452,6 +4452,7 @@ static void ssl_remove_psk(mbedtls_ssl_context *ssl) ssl->handshake->psk_len); mbedtls_free(ssl->handshake->psk); ssl->handshake->psk_len = 0; + ssl->handshake->psk = NULL; } } diff --git a/thirdparty/mbedtls/library/x509_crt.c b/thirdparty/mbedtls/library/x509_crt.c index a3a4525b9..6728fa0ae 100644 --- a/thirdparty/mbedtls/library/x509_crt.c +++ b/thirdparty/mbedtls/library/x509_crt.c @@ -26,6 +26,7 @@ #include "mbedtls/oid.h" #include "mbedtls/platform_util.h" +#include #include #if defined(MBEDTLS_PEM_PARSE_C) diff --git a/thirdparty/mbedtls/patches/windows-entropy-bcrypt.diff b/thirdparty/mbedtls/patches/windows-entropy-bcrypt.diff index 2d743c7a1..5821f604b 100644 --- a/thirdparty/mbedtls/patches/windows-entropy-bcrypt.diff +++ b/thirdparty/mbedtls/patches/windows-entropy-bcrypt.diff @@ -1,10 +1,10 @@ Backported from: https://github.com/Mbed-TLS/mbedtls/pull/8047 diff --git a/thirdparty/mbedtls/library/entropy_poll.c b/thirdparty/mbedtls/library/entropy_poll.c -index cde49e66a0..4c5184686e 100644 +index 095fa9873d..3bbe88f88d 100644 --- a/thirdparty/mbedtls/library/entropy_poll.c +++ b/thirdparty/mbedtls/library/entropy_poll.c -@@ -39,32 +39,34 @@ +@@ -41,32 +41,34 @@ #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)