diff options
Diffstat (limited to 'package/libs/mbedtls')
| -rw-r--r-- | package/libs/mbedtls/Config.in | 193 | ||||
| -rw-r--r-- | package/libs/mbedtls/Makefile | 112 | ||||
| -rw-r--r-- | package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch | 197 | ||||
| -rw-r--r-- | package/libs/mbedtls/patches/101-remove-test.patch | 15 | ||||
| -rw-r--r-- | package/libs/mbedtls/patches/200-config.patch | 245 |
5 files changed, 474 insertions, 288 deletions
diff --git a/package/libs/mbedtls/Config.in b/package/libs/mbedtls/Config.in new file mode 100644 index 00000000000..9fbe9f8a4a0 --- /dev/null +++ b/package/libs/mbedtls/Config.in @@ -0,0 +1,193 @@ +if PACKAGE_libmbedtls + +comment "Option details in source code: include/mbedtls/mbedtls_config.h" + +comment "Ciphers - unselect old or less-used ciphers to reduce binary size" + +config MBEDTLS_AES_C + bool "MBEDTLS_AES_C" + default y + +config MBEDTLS_CAMELLIA_C + bool "MBEDTLS_CAMELLIA_C" + default n + +config MBEDTLS_CCM_C + bool "MBEDTLS_CCM_C" + default n + +config MBEDTLS_CMAC_C + bool "MBEDTLS_CMAC_C (old but used by hostapd)" + default y + +config MBEDTLS_DES_C + bool "MBEDTLS_DES_C (old but used by hostapd)" + default y + +config MBEDTLS_GCM_C + bool "MBEDTLS_GCM_C" + default y + +config MBEDTLS_NIST_KW_C + bool "MBEDTLS_NIST_KW_C (old but used by hostapd)" + default y + +config MBEDTLS_RIPEMD160_C + bool "MBEDTLS_RIPEMD160_C" + default n + +config MBEDTLS_XTEA_C + bool "MBEDTLS_XTEA_C" + default n + +config MBEDTLS_RSA_NO_CRT + bool "MBEDTLS_RSA_NO_CRT" + default y + +config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED" + default n + +comment "Curves - unselect old or less-used curves to reduce binary size" + +config MBEDTLS_ECP_DP_SECP192R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP192R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP224R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP224R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP256R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP256R1_ENABLED" + default y + +config MBEDTLS_ECP_DP_SECP384R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP384R1_ENABLED" + default y + +config MBEDTLS_ECP_DP_SECP521R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP521R1_ENABLED" + default y + +config MBEDTLS_ECP_DP_SECP192K1_ENABLED + bool "MBEDTLS_ECP_DP_SECP192K1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP224K1_ENABLED + bool "MBEDTLS_ECP_DP_SECP224K1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP256K1_ENABLED + bool "MBEDTLS_ECP_DP_SECP256K1_ENABLED" + default y + +config MBEDTLS_ECP_DP_BP256R1_ENABLED + bool "MBEDTLS_ECP_DP_BP256R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_BP384R1_ENABLED + bool "MBEDTLS_ECP_DP_BP384R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_BP512R1_ENABLED + bool "MBEDTLS_ECP_DP_BP512R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_CURVE25519_ENABLED + bool "MBEDTLS_ECP_DP_CURVE25519_ENABLED" + default y + +config MBEDTLS_ECP_DP_CURVE448_ENABLED + bool "MBEDTLS_ECP_DP_CURVE448_ENABLED" + default n + +comment "Build Options - unselect features to reduce binary size" + +config MBEDTLS_CERTS_C + bool "MBEDTLS_CERTS_C" + default n + +config MBEDTLS_CIPHER_MODE_OFB + bool "MBEDTLS_CIPHER_MODE_OFB" + default n + +config MBEDTLS_CIPHER_MODE_XTS + bool "MBEDTLS_CIPHER_MODE_XTS" + default n + +config MBEDTLS_DEBUG_C + bool "MBEDTLS_DEBUG_C" + default n + +config MBEDTLS_HKDF_C + bool "MBEDTLS_HKDF_C" + default n + +config MBEDTLS_PLATFORM_C + bool "MBEDTLS_PLATFORM_C" + default n + +config MBEDTLS_SELF_TEST + bool "MBEDTLS_SELF_TEST" + default n + +config MBEDTLS_SSL_TRUNCATED_HMAC + bool "MBEDTLS_SSL_TRUNCATED_HMAC" + default n + +config MBEDTLS_VERSION_C + bool "MBEDTLS_VERSION_C" + default n + +config MBEDTLS_VERSION_FEATURES + bool "MBEDTLS_VERSION_FEATURES" + default n + +comment "Build Options" + +config MBEDTLS_ENTROPY_FORCE_SHA256 + bool "MBEDTLS_ENTROPY_FORCE_SHA256" + default y + +config MBEDTLS_SSL_RENEGOTIATION + bool "MBEDTLS_SSL_RENEGOTIATION" + default n + +endif diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile index 2bac22b6acd..ad13bbe8463 100644 --- a/package/libs/mbedtls/Makefile +++ b/package/libs/mbedtls/Makefile @@ -8,21 +8,72 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mbedtls -PKG_VERSION:=2.16.10 -PKG_RELEASE:=1 -PKG_USE_MIPS16:=0 +PKG_VERSION:=2.28.7 +PKG_RELEASE:=2 +PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=96257bb03b30300b2f35f861ffe204ed957e9fd0329d80646fe57fc49f589b29 +PKG_HASH:=1df6073f0cf6a4e1953890bf5e0de2a8c7e6be50d6d6c69fa9fefcb1d14e981a PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=gpl-2.0.txt PKG_CPE_ID:=cpe:/a:arm:mbed_tls -PKG_CONFIG_DEPENDS := \ - CONFIG_LIBMBEDTLS_DEBUG_C \ - CONFIG_LIBMBEDTLS_HKDF_C +MBEDTLS_BUILD_OPTS_CURVES= \ + CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_CURVE448_ENABLED + +MBEDTLS_BUILD_OPTS_CIPHERS= \ + CONFIG_MBEDTLS_AES_C \ + CONFIG_MBEDTLS_CAMELLIA_C \ + CONFIG_MBEDTLS_CCM_C \ + CONFIG_MBEDTLS_CMAC_C \ + CONFIG_MBEDTLS_DES_C \ + CONFIG_MBEDTLS_GCM_C \ + CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \ + CONFIG_MBEDTLS_NIST_KW_C \ + CONFIG_MBEDTLS_RIPEMD160_C \ + CONFIG_MBEDTLS_RSA_NO_CRT \ + CONFIG_MBEDTLS_XTEA_C + +MBEDTLS_BUILD_OPTS= \ + $(MBEDTLS_BUILD_OPTS_CURVES) \ + $(MBEDTLS_BUILD_OPTS_CIPHERS) \ + CONFIG_MBEDTLS_CERTS_C \ + CONFIG_MBEDTLS_CIPHER_MODE_OFB \ + CONFIG_MBEDTLS_CIPHER_MODE_XTS \ + CONFIG_MBEDTLS_DEBUG_C \ + CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256 \ + CONFIG_MBEDTLS_HKDF_C \ + CONFIG_MBEDTLS_PLATFORM_C \ + CONFIG_MBEDTLS_SELF_TEST \ + CONFIG_MBEDTLS_SSL_RENEGOTIATION \ + CONFIG_MBEDTLS_SSL_TRUNCATED_HMAC \ + CONFIG_MBEDTLS_VERSION_C \ + CONFIG_MBEDTLS_VERSION_FEATURES + +PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS) include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/cmake.mk @@ -44,28 +95,11 @@ $(call Package/mbedtls/Default) SUBMENU:=SSL TITLE+= (library) ABI_VERSION:=12 + MENU:=1 endef define Package/libmbedtls/config -config LIBMBEDTLS_DEBUG_C - depends on PACKAGE_libmbedtls - bool "Enable debug functions" - default n - help - This option enables mbedtls library's debug functions. - - It increases the uncompressed libmbedtls binary size - by around 60 KiB (for an ARMv5 platform). - - Usually, you don't need this, so don't select this if you're unsure. - -config LIBMBEDTLS_HKDF_C - depends on PACKAGE_libmbedtls - bool "Enable the HKDF algorithm (RFC 5869)" - default n - help - This option adds support for the Hashed Message Authentication Code - (HMAC)-based key derivation function (HKDF). + source "$(SOURCE)/Config.in" endef define Package/mbedtls-util @@ -87,30 +121,22 @@ This package contains mbedtls helper programs for private key and CSR generation (gen_key, cert_req) endef -TARGET_CFLAGS += -ffunction-sections -fdata-sections TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) CMAKE_OPTIONS += \ + -DCMAKE_POSITION_INDEPENDENT_CODE=ON \ -DUSE_SHARED_MBEDTLS_LIBRARY:Bool=ON \ -DENABLE_TESTING:Bool=OFF \ -DENABLE_PROGRAMS:Bool=ON -define Build/Configure - $(Build/Configure/Default) - - awk 'BEGIN { rc = 1 } \ - /#define MBEDTLS_DEBUG_C/ { $$$$0 = "$(if $(CONFIG_LIBMBEDTLS_DEBUG_C),,// )#define MBEDTLS_DEBUG_C"; rc = 0 } \ - { print } \ - END { exit(rc) }' $(PKG_BUILD_DIR)/include/mbedtls/config.h \ - >$(PKG_BUILD_DIR)/include/mbedtls/config.h.new && \ - mv $(PKG_BUILD_DIR)/include/mbedtls/config.h.new $(PKG_BUILD_DIR)/include/mbedtls/config.h - - awk 'BEGIN { rc = 1 } \ - /#define MBEDTLS_HKDF_C/ { $$$$0 = "$(if $(CONFIG_LIBMBEDTLS_HKDF_C),,// )#define MBEDTLS_HKDF_C"; rc = 0 } \ - { print } \ - END { exit(rc) }' $(PKG_BUILD_DIR)/include/mbedtls/config.h \ - >$(PKG_BUILD_DIR)/include/mbedtls/config.h.new && \ - mv $(PKG_BUILD_DIR)/include/mbedtls/config.h.new $(PKG_BUILD_DIR)/include/mbedtls/config.h +define Build/Prepare + $(call Build/Prepare/Default) + + $(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))), + $(foreach opt,$(MBEDTLS_BUILD_OPTS), + $(PKG_BUILD_DIR)/scripts/config.py \ + -f $(PKG_BUILD_DIR)/include/mbedtls/config.h \ + $(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt))),) endef define Build/InstallDev diff --git a/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch b/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch new file mode 100644 index 00000000000..4ad2e8c7dbe --- /dev/null +++ b/package/libs/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch @@ -0,0 +1,197 @@ +From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss <gstrauss@gluelogic.com> +Date: Sun, 23 Oct 2022 19:48:18 -0400 +Subject: [PATCH] x509 crt verify SAN iPAddress + +Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com> +--- + include/mbedtls/x509_crt.h | 2 +- + library/x509_crt.c | 126 ++++++++++++++++++++++++++++++------- + 2 files changed, 103 insertions(+), 25 deletions(-) + +--- a/include/mbedtls/x509_crt.h ++++ b/include/mbedtls/x509_crt.h +@@ -608,7 +608,7 @@ int mbedtls_x509_crt_verify_info(char *b + * \param cn The expected Common Name. This will be checked to be + * present in the certificate's subjectAltNames extension or, + * if this extension is absent, as a CN component in its +- * Subject name. Currently only DNS names are supported. This ++ * Subject name. DNS names and IP addresses are supported. This + * may be \c NULL if the CN need not be verified. + * \param flags The address at which to store the result of the verification. + * If the verification couldn't be completed, the flag value is +--- a/library/x509_crt.c ++++ b/library/x509_crt.c +@@ -57,6 +57,10 @@ + + #if defined(MBEDTLS_HAVE_TIME) + #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ++#define WIN32_LEAN_AND_MEAN ++#ifndef _WIN32_WINNT ++#define _WIN32_WINNT 0x0600 ++#endif + #include <windows.h> + #else + #include <time.h> +@@ -3002,6 +3006,61 @@ find_parent: + } + } + ++#ifdef _WIN32 ++#ifdef _MSC_VER ++#pragma comment(lib, "ws2_32.lib") ++#include <winsock2.h> ++#include <ws2tcpip.h> ++#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600 ++#include <winsock2.h> ++#include <ws2tcpip.h> ++#endif ++#elif defined(__sun) ++/* Solaris requires -lsocket -lnsl for inet_pton() */ ++#elif defined(__has_include) ++#if __has_include(<sys/socket.h>) ++#include <sys/socket.h> ++#endif ++#if __has_include(<arpa/inet.h>) ++#include <arpa/inet.h> ++#endif ++#endif ++ ++/* Use whether or not AF_INET6 is defined to indicate whether or not to use ++ * the platform inet_pton() or a local implementation (below). The local ++ * implementation may be used even in cases where the platform provides ++ * inet_pton(), e.g. when there are different includes required and/or the ++ * platform implementation requires dependencies on additional libraries. ++ * Specifically, Windows requires custom includes and additional link ++ * dependencies, and Solaris requires additional link dependencies. ++ * Also, as a coarse heuristic, use the local implementation if the compiler ++ * does not support __has_include(), or if the definition of AF_INET6 is not ++ * provided by headers included (or not) via __has_include() above. */ ++#ifndef AF_INET6 ++ ++#define x509_cn_inet_pton(cn, dst) (0) ++ ++#else ++ ++static int x509_inet_pton_ipv6(const char *src, void *dst) ++{ ++ return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1; ++} ++ ++static int x509_inet_pton_ipv4(const char *src, void *dst) ++{ ++ return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1; ++} ++ ++#endif /* AF_INET6 */ ++ ++static size_t x509_cn_inet_pton(const char *cn, void *dst) ++{ ++ return strchr(cn, ':') == NULL ++ ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0 ++ : x509_inet_pton_ipv6(cn, dst) == 0 ? 16 : 0; ++} ++ + /* + * Check for CN match + */ +@@ -3022,24 +3081,51 @@ static int x509_crt_check_cn(const mbedt + return -1; + } + ++static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san, ++ const char *cn, size_t cn_len) ++{ ++ uint32_t ip[4]; ++ cn_len = x509_cn_inet_pton(cn, ip); ++ if (cn_len == 0) { ++ return -1; ++ } ++ ++ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) { ++ const unsigned char san_type = (unsigned char) cur->buf.tag & ++ MBEDTLS_ASN1_TAG_VALUE_MASK; ++ if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS && ++ cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) { ++ return 0; ++ } ++ } ++ ++ return -1; ++} ++ + /* + * Check for SAN match, see RFC 5280 Section 4.2.1.6 + */ +-static int x509_crt_check_san(const mbedtls_x509_buf *name, ++static int x509_crt_check_san(const mbedtls_x509_sequence *san, + const char *cn, size_t cn_len) + { +- const unsigned char san_type = (unsigned char) name->tag & +- MBEDTLS_ASN1_TAG_VALUE_MASK; +- +- /* dNSName */ +- if (san_type == MBEDTLS_X509_SAN_DNS_NAME) { +- return x509_crt_check_cn(name, cn, cn_len); ++ int san_ip = 0; ++ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) { ++ switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) { ++ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */ ++ if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) { ++ return 0; ++ } ++ break; ++ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */ ++ san_ip = 1; ++ break; ++ /* (We may handle other types here later.) */ ++ default: /* Unrecognized type */ ++ break; ++ } + } + +- /* (We may handle other types here later.) */ +- +- /* Unrecognized type */ +- return -1; ++ return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1; + } + + /* +@@ -3050,31 +3136,23 @@ static void x509_crt_verify_name(const m + uint32_t *flags) + { + const mbedtls_x509_name *name; +- const mbedtls_x509_sequence *cur; + size_t cn_len = strlen(cn); + + if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { +- for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) { +- if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) { +- break; +- } +- } +- +- if (cur == NULL) { +- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; ++ if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) { ++ return; + } + } else { + for (name = &crt->subject; name != NULL; name = name->next) { + if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 && + x509_crt_check_cn(&name->val, cn, cn_len) == 0) { +- break; ++ return; + } + } + +- if (name == NULL) { +- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; +- } + } ++ ++ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; + } + + /* diff --git a/package/libs/mbedtls/patches/101-remove-test.patch b/package/libs/mbedtls/patches/101-remove-test.patch new file mode 100644 index 00000000000..e43f8757d71 --- /dev/null +++ b/package/libs/mbedtls/patches/101-remove-test.patch @@ -0,0 +1,15 @@ +--- a/programs/CMakeLists.txt ++++ b/programs/CMakeLists.txt +@@ -1,12 +1,8 @@ + add_subdirectory(aes) +-if (NOT WIN32) +- add_subdirectory(fuzz) +-endif() + add_subdirectory(hash) + add_subdirectory(pkey) + add_subdirectory(psa) + add_subdirectory(random) + add_subdirectory(ssl) +-add_subdirectory(test) + add_subdirectory(util) + add_subdirectory(x509) diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch deleted file mode 100644 index 1e3d41f0eba..00000000000 --- a/package/libs/mbedtls/patches/200-config.patch +++ /dev/null @@ -1,245 +0,0 @@ ---- a/include/mbedtls/config.h -+++ b/include/mbedtls/config.h -@@ -692,14 +692,14 @@ - * - * Enable Output Feedback mode (OFB) for symmetric ciphers. - */ --#define MBEDTLS_CIPHER_MODE_OFB -+//#define MBEDTLS_CIPHER_MODE_OFB - - /** - * \def MBEDTLS_CIPHER_MODE_XTS - * - * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. - */ --#define MBEDTLS_CIPHER_MODE_XTS -+//#define MBEDTLS_CIPHER_MODE_XTS - - /** - * \def MBEDTLS_CIPHER_NULL_CIPHER -@@ -816,19 +816,19 @@ - * - * Comment macros to disable the curve and functions for it - */ --#define MBEDTLS_ECP_DP_SECP192R1_ENABLED --#define MBEDTLS_ECP_DP_SECP224R1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED - #define MBEDTLS_ECP_DP_SECP256R1_ENABLED - #define MBEDTLS_ECP_DP_SECP384R1_ENABLED --#define MBEDTLS_ECP_DP_SECP521R1_ENABLED --#define MBEDTLS_ECP_DP_SECP192K1_ENABLED --#define MBEDTLS_ECP_DP_SECP224K1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP521R1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED - #define MBEDTLS_ECP_DP_SECP256K1_ENABLED --#define MBEDTLS_ECP_DP_BP256R1_ENABLED --#define MBEDTLS_ECP_DP_BP384R1_ENABLED --#define MBEDTLS_ECP_DP_BP512R1_ENABLED -+//#define MBEDTLS_ECP_DP_BP256R1_ENABLED -+//#define MBEDTLS_ECP_DP_BP384R1_ENABLED -+//#define MBEDTLS_ECP_DP_BP512R1_ENABLED - #define MBEDTLS_ECP_DP_CURVE25519_ENABLED --#define MBEDTLS_ECP_DP_CURVE448_ENABLED -+//#define MBEDTLS_ECP_DP_CURVE448_ENABLED - - /** - * \def MBEDTLS_ECP_NIST_OPTIM -@@ -952,7 +952,7 @@ - * See dhm.h for more details. - * - */ --#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -@@ -972,7 +972,7 @@ - * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA - */ --#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED -@@ -997,7 +997,7 @@ - * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA - */ --#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED -@@ -1131,7 +1131,7 @@ - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 - */ --#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED -@@ -1155,7 +1155,7 @@ - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 - */ --#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -@@ -1259,7 +1259,7 @@ - * This option is only useful if both MBEDTLS_SHA256_C and - * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. - */ --//#define MBEDTLS_ENTROPY_FORCE_SHA256 -+#define MBEDTLS_ENTROPY_FORCE_SHA256 - - /** - * \def MBEDTLS_ENTROPY_NV_SEED -@@ -1354,14 +1354,14 @@ - * Uncomment this macro to disable the use of CRT in RSA. - * - */ --//#define MBEDTLS_RSA_NO_CRT -+#define MBEDTLS_RSA_NO_CRT - - /** - * \def MBEDTLS_SELF_TEST - * - * Enable the checkup functions (*_self_test). - */ --#define MBEDTLS_SELF_TEST -+//#define MBEDTLS_SELF_TEST - - /** - * \def MBEDTLS_SHA256_SMALLER -@@ -1515,7 +1515,7 @@ - * configuration of this extension). - * - */ --#define MBEDTLS_SSL_RENEGOTIATION -+//#define MBEDTLS_SSL_RENEGOTIATION - - /** - * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO -@@ -1690,7 +1690,7 @@ - * - * Comment this macro to disable support for SSL session tickets - */ --#define MBEDTLS_SSL_SESSION_TICKETS -+//#define MBEDTLS_SSL_SESSION_TICKETS - - /** - * \def MBEDTLS_SSL_EXPORT_KEYS -@@ -1720,7 +1720,7 @@ - * - * Comment this macro to disable support for truncated HMAC in SSL - */ --#define MBEDTLS_SSL_TRUNCATED_HMAC -+//#define MBEDTLS_SSL_TRUNCATED_HMAC - - /** - * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT -@@ -1796,7 +1796,7 @@ - * - * Comment this to disable run-time checking and save ROM space - */ --#define MBEDTLS_VERSION_FEATURES -+//#define MBEDTLS_VERSION_FEATURES - - /** - * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 -@@ -2126,7 +2126,7 @@ - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - */ --#define MBEDTLS_CAMELLIA_C -+//#define MBEDTLS_CAMELLIA_C - - /** - * \def MBEDTLS_ARIA_C -@@ -2192,7 +2192,7 @@ - * This module enables the AES-CCM ciphersuites, if other requisites are - * enabled as well. - */ --#define MBEDTLS_CCM_C -+//#define MBEDTLS_CCM_C - - /** - * \def MBEDTLS_CERTS_C -@@ -2204,7 +2204,7 @@ - * - * This module is used for testing (ssl_client/server). - */ --#define MBEDTLS_CERTS_C -+//#define MBEDTLS_CERTS_C - - /** - * \def MBEDTLS_CHACHA20_C -@@ -2312,7 +2312,7 @@ - * \warning DES is considered a weak cipher and its use constitutes a - * security risk. We recommend considering stronger ciphers instead. - */ --#define MBEDTLS_DES_C -+//#define MBEDTLS_DES_C - - /** - * \def MBEDTLS_DHM_C -@@ -2475,7 +2475,7 @@ - * This module adds support for the Hashed Message Authentication Code - * (HMAC)-based key derivation function (HKDF). - */ --#define MBEDTLS_HKDF_C -+//#define MBEDTLS_HKDF_C - - /** - * \def MBEDTLS_HMAC_DRBG_C -@@ -2785,7 +2785,7 @@ - * - * This module enables abstraction of common (libc) functions. - */ --#define MBEDTLS_PLATFORM_C -+//#define MBEDTLS_PLATFORM_C - - /** - * \def MBEDTLS_POLY1305_C -@@ -2806,7 +2806,7 @@ - * Caller: library/md.c - * - */ --#define MBEDTLS_RIPEMD160_C -+//#define MBEDTLS_RIPEMD160_C - - /** - * \def MBEDTLS_RSA_C -@@ -2913,7 +2913,7 @@ - * - * Requires: MBEDTLS_CIPHER_C - */ --#define MBEDTLS_SSL_TICKET_C -+//#define MBEDTLS_SSL_TICKET_C - - /** - * \def MBEDTLS_SSL_CLI_C -@@ -3013,7 +3013,7 @@ - * - * This module provides run-time version information. - */ --#define MBEDTLS_VERSION_C -+//#define MBEDTLS_VERSION_C - - /** - * \def MBEDTLS_X509_USE_C -@@ -3123,7 +3123,7 @@ - * Module: library/xtea.c - * Caller: - */ --#define MBEDTLS_XTEA_C -+//#define MBEDTLS_XTEA_C - - /* \} name SECTION: mbed TLS modules */ - |