Support for the 2.16 branch of mbedtls has been dropped, and a new LTS branch is provided. Diff below updates our port to the first release of this branch.
Shared libraries require a bump (libmbedx509 only received some additions). Testing: - all tests pass on amd64 - build tested several consumers Test/comments/OKs are welcome.
diff --git Makefile Makefile
index b4e6042f273..2b1d5d9b45c 100644
--- Makefile
+++ Makefile
@@ -1,17 +1,16 @@
-PORTROACH= limit:^2\.16
+PORTROACH= limit:^2\.28
 COMMENT= SSL library with an intuitive API and readable source code
 GH_ACCOUNT= ARMmbed
 GH_PROJECT= mbedtls
-GH_TAGNAME= mbedtls-2.16.12
+GH_TAGNAME= mbedtls-2.28.0
 DISTNAME= ${GH_TAGNAME}
-REVISION= 0
 # check SOVERSION
-SHARED_LIBS += mbedtls 6.2 # 12
-SHARED_LIBS += mbedcrypto 4.4 # 3
-SHARED_LIBS += mbedx509 3.1 # 0
+SHARED_LIBS += mbedtls 7.0
+SHARED_LIBS += mbedcrypto 5.0
+SHARED_LIBS += mbedx509 3.2
 CATEGORIES= security
diff --git distinfo distinfo
index 4244a5ea094..247a6448be4 100644
--- distinfo
+++ distinfo
@@ -1,2 +1,2 @@
-SHA256 (mbedtls-2.16.12.tar.gz) = CvtKTOW3cfL7htrueGNi++SChfBbc80gX0aiJOwDF4M=
-SIZE (mbedtls-2.16.12.tar.gz) = 2702190
+SHA256 (mbedtls-2.28.0.tar.gz) = 9kQkjyPPBDFc+btY2IxMlHHBbKBTPs8z+G+3dJo+X6Y=
+SIZE (mbedtls-2.28.0.tar.gz) = 3712239
diff --git patches/patch-CMakeLists_txt patches/patch-CMakeLists_txt
index 151d8f8a21e..a8b60213410 100644
--- patches/patch-CMakeLists_txt
+++ patches/patch-CMakeLists_txt
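Review bot: The new `SHARED_LIBS` lines drop the trailing upstream SOVERSION annotations (`# 12`, `# 3`, `# 0`) that the retained `# check SOVERSION` comment refers to, so the next updater has no record of which upstream soname the 7.0/5.0/3.2 numbers were derived from. Consider keeping the annotation in the same form on the new lines, e.g. `SHARED_LIBS += mbedtls 7.0 # <upstream SOVERSION>`, with the values taken from the 2.28.0 upstream build files. The description says libmbedx509 only gained additions, which matches its minor-only bump to 3.2 while the other two libraries get major bumps; stating that reasoning next to the lines or in the commit message would make the ABI decision traceable later.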
@@ -1,21 +1,21 @@ Index: CMakeLists.txt --- CMakeLists.txt.orig +++ CMakeLists.txt -@@ -131,8 +131,6 @@ if(CMAKE_COMPILER_IS_GNU) - if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow") +@@ -200,8 +200,6 @@ if(CMAKE_COMPILER_IS_GNU) + if (GCC_VERSION VERSION_GREATER 7.0 OR GCC_VERSION VERSION_EQUAL 7.0) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-overflow=2 -Wformat-truncation") endif() - set(CMAKE_C_FLAGS_RELEASE "-O2") - set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") - set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common -O3") - set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ") -@@ -142,8 +140,6 @@ endif(CMAKE_COMPILER_IS_GNU) + set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3") + set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls") +@@ -211,8 +209,6 @@ endif(CMAKE_COMPILER_IS_GNU) if(CMAKE_COMPILER_IS_CLANG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral") - set(CMAKE_C_FLAGS_RELEASE "-O2") - set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") - set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3") - set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ") + set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined 
-fno-sanitize-recover=all -O3") + set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls") diff --git patches/patch-include_mbedtls_config_h patches/patch-include_mbedtls_config_h index de88a79559a..cff2bc391ef 100644 --- patches/patch-include_mbedtls_config_h +++ patches/patch-include_mbedtls_config_h @@ -4,7 +4,7 @@ www/hiawatha. Index: include/mbedtls/config.h --- include/mbedtls/config.h.orig +++ include/mbedtls/config.h -@@ -1783,7 +1783,7 @@ +@@ -2129,7 +2129,7 @@ * * Uncomment this to enable pthread mutexes. */ @@ -12,8 +12,8 @@ Index: include/mbedtls/config.h +#define MBEDTLS_THREADING_PTHREAD /** - * \def MBEDTLS_VERSION_FEATURES -@@ -2979,7 +2979,7 @@ + * \def MBEDTLS_USE_PSA_CRYPTO +@@ -3452,7 +3452,7 @@ * * Enable this layer to allow use of mutexes within mbed TLS */ diff --git patches/patch-tests_suites_host_test_function patches/patch-tests_suites_host_test_function deleted file mode 100644 index d4b645540ab..00000000000 --- patches/patch-tests_suites_host_test_function +++ /dev/null 
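Review bot: The rebased patches/patch-CMakeLists_txt still begins directly at `Index: CMakeLists.txt` with no comment stating why the port carries it, whereas the sibling patch-include_mbedtls_config_h records its motivation (`www/hiawatha.`) and the patch being deleted here explained the stdout issue it worked around. From the hunk counts the patch appears to keep only the removal of the `set(CMAKE_C_FLAGS_RELEASE "-O2")` and `set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")` lines on both the GNU and Clang branches, so upstream's per-config flags do not clobber the CFLAGS supplied by the ports build; the warning and sanitizer lines only shift as context because upstream changed them. A one-line header such as `Don't let upstream override the per-config C flags; keep the CFLAGS supplied by the ports framework.` above `Index:` would make the next rebase easier to review. The nested +/- markers are collapsed in this rendering, so the inner-patch assignment is inferred from the hunk line counts rather than read directly.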
@@ -1,52 +0,0 @@
-Can't take the address of stdout.
-
-Index: tests/suites/host_test.function
---- tests/suites/host_test.function.orig
-+++ tests/suites/host_test.function
-@@ -402,9 +402,6 @@ int execute_tests( int argc , const char ** argv )
- /* Store for proccessed integer params. */
- int32_t int_params[50];
- void *pointer;
--#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
-- int stdout_fd = -1;
--#endif /* __unix__ || __APPLE__ __MACH__ */
-
- #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
- !defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
-@@ -553,21 +550,6 @@ int execute_tests( int argc , const char ** argv )
- test_info.result = TEST_RESULT_SUCCESS;
- test_info.paramfail_test_state = PARAMFAIL_TESTSTATE_IDLE;
-
--#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
-- /* Suppress all output from the library unless we're verbose
-- * mode
-- */
-- if( !option_verbose )
-- {
-- stdout_fd = redirect_output( stdout, "/dev/null" );
-- if( stdout_fd == -1 )
-- {
-- /* Redirection has failed with no stdout so exit */
-- exit( 1 );
-- }
-- }
--#endif /* __unix__ || __APPLE__ __MACH__ */
--
- function_id = strtoul( params[0], NULL, 10 );
- if ( (ret = check_test( function_id )) == DISPATCH_TEST_SUCCESS )
- {
-@@ -577,14 +559,6 @@ int execute_tests( int argc , const char ** argv )
- ret = dispatch_test( function_id, (void **)( params + 1 ) );
- }
- }
--
--#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
-- if( !option_verbose && restore_output( stdout, stdout_fd ) )
-- {
-- /* Redirection has failed with no stdout so exit */
-- exit( 1 );
-- }
--#endif /* __unix__ || __APPLE__ __MACH__ */
-
- }
-
diff --git pkg/PLIST pkg/PLIST
index 21fecb4fe16..c892e543f5b 100644
--- pkg/PLIST
+++ pkg/PLIST
@@ -21,6 +21,8 @@ include/mbedtls/cipher_internal.h
 include/mbedtls/cmac.h
 include/mbedtls/compat-1.3.h
 include/mbedtls/config.h
+include/mbedtls/config_psa.h
+include/mbedtls/constant_time.h
 include/mbedtls/ctr_drbg.h
 include/mbedtls/debug.h
 include/mbedtls/des.h
@@ -58,6 +60,7 @@ include/mbedtls/platform.h
 include/mbedtls/platform_time.h
 include/mbedtls/platform_util.h
 include/mbedtls/poly1305.h
+include/mbedtls/psa_util.h
 include/mbedtls/ripemd160.h
 include/mbedtls/rsa.h
 include/mbedtls/rsa_internal.h
@@ -78,6 +81,22 @@ include/mbedtls/x509_crl.h
 include/mbedtls/x509_crt.h
 include/mbedtls/x509_csr.h
 include/mbedtls/xtea.h
+include/psa/
+include/psa/crypto.h
+include/psa/crypto_builtin_composites.h
+include/psa/crypto_builtin_primitives.h
+include/psa/crypto_compat.h
+include/psa/crypto_config.h
+include/psa/crypto_driver_common.h
+include/psa/crypto_driver_contexts_composites.h
+include/psa/crypto_driver_contexts_primitives.h
+include/psa/crypto_extra.h
+include/psa/crypto_platform.h
+include/psa/crypto_se_driver.h
+include/psa/crypto_sizes.h
+include/psa/crypto_struct.h
+include/psa/crypto_types.h
+include/psa/crypto_values.h
 @static-lib lib/libmbedcrypto.a
 @lib lib/libmbedcrypto.so.${LIBmbedcrypto_VERSION}
 @static-lib lib/libmbedtls.a
@@ -95,11 +114,14 @@ share/examples/mbedtls/README
 @bin share/examples/mbedtls/cert_write
 @bin share/examples/mbedtls/crl_app
 @bin share/examples/mbedtls/crypt_and_hash
+@bin share/examples/mbedtls/crypto_examples
 @bin share/examples/mbedtls/dh_client
 @bin share/examples/mbedtls/dh_genprime
 @bin share/examples/mbedtls/dh_server
 @bin share/examples/mbedtls/dtls_client
 @bin share/examples/mbedtls/dtls_server
+@bin share/examples/mbedtls/ecdh_curve25519
+@bin share/examples/mbedtls/ecdsa
 @bin share/examples/mbedtls/gen_entropy
 @bin share/examples/mbedtls/gen_key
 @bin share/examples/mbedtls/gen_random_ctr_drbg
@@ -107,6 +129,9 @@ share/examples/mbedtls/README
 @bin share/examples/mbedtls/generic_sum
 @bin share/examples/mbedtls/hello
 @bin share/examples/mbedtls/key_app
+@bin share/examples/mbedtls/key_app_writer
+@bin share/examples/mbedtls/key_ladder_demo
+share/examples/mbedtls/key_ladder_demo.sh
 @bin share/examples/mbedtls/load_roots
 @bin share/examples/mbedtls/mini_client
 @bin share/examples/mbedtls/mpi_demo
@@ -115,16 +140,20 @@ share/examples/mbedtls/README
 @bin share/examples/mbedtls/pk_encrypt
 @bin share/examples/mbedtls/pk_sign
 @bin share/examples/mbedtls/pk_verify
+@bin share/examples/mbedtls/psa_constant_names
 @bin share/examples/mbedtls/query_compile_time_config
 @bin share/examples/mbedtls/req_app
 @bin share/examples/mbedtls/rsa_decrypt
 @bin share/examples/mbedtls/rsa_encrypt
 @bin share/examples/mbedtls/rsa_genkey
 @bin share/examples/mbedtls/rsa_sign
+@bin share/examples/mbedtls/rsa_sign_pss
 @bin share/examples/mbedtls/rsa_verify
+@bin share/examples/mbedtls/rsa_verify_pss
 @bin share/examples/mbedtls/selftest
 @bin share/examples/mbedtls/ssl_client1
 @bin share/examples/mbedtls/ssl_client2
+@bin share/examples/mbedtls/ssl_context_info
 @bin share/examples/mbedtls/ssl_fork_server
 @bin share/examples/mbedtls/ssl_mail_client
 @bin share/examples/mbedtls/ssl_pthread_server
@@ -132,3 +161,4 @@ share/examples/mbedtls/README
 @bin share/examples/mbedtls/ssl_server2
 @bin share/examples/mbedtls/strerror
 @bin share/examples/mbedtls/udp_proxy
+@bin share/examples/mbedtls/zeroize