[mbedtls] Upgrade mbedTLS to version 3.5.2

This version includes fixes for two CVEs affecting Mbed TLS: * CVE-2024-23170: severity Medium, * CVE-2024-23775: severity Low. Signed-off-by: Kailun Qin <kailun.qin@intel.com>
gramineproject · Feb 7, 2024 · 6c868c3 · 6c868c3
1 parent 0546de9
commit 6c868c3
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 25 deletions.
diff --git a/meson.build b/meson.build
@@ -225,7 +225,7 @@ tomlc99_src = tomlc99_proj.get_variable('tomlc99_src')
 
 uthash_dep = subproject('uthash-2.1.0').get_variable('uthash_dep')
 
-mbedtls_proj = subproject('mbedtls-mbedtls-3.5.0')
+mbedtls_proj = subproject('mbedtls-mbedtls-3.5.2')
 mbedtls_static_dep = mbedtls_proj.get_variable('mbedtls_static_dep')
 mbedtls_pal_dep = mbedtls_proj.get_variable('mbedtls_pal_dep')
 

diff --git a/subprojects/mbedtls-mbedtls-3.5.0.wrap b/subprojects/mbedtls-mbedtls-3.5.0.wrap
diff --git a/subprojects/mbedtls-mbedtls-3.5.2.wrap b/subprojects/mbedtls-mbedtls-3.5.2.wrap
@@ -0,0 +1,11 @@
+[wrap-file]
+directory = mbedtls-mbedtls-3.5.2
+source_url = https://github.com/ARMmbed/mbedtls/archive/mbedtls-3.5.2.tar.gz
+source_fallback_url = https://packages.gramineproject.io/distfiles/mbedtls-3.5.2.tar.gz
+source_filename = mbedtls-3.5.2.tar.gz
+source_hash = eedecc468b3f8d052ef05a9d42bf63f04c8a1c50d1c5a94c251c681365a2c723
+
+patch_directory = mbedtls
+
+# this unpacks the sources to `mbedtls-mbedtls-3.5.2/mbedtls-mbedtls-3.5.2`
+lead_directory_missing = true
diff --git a/subprojects/packagefiles/curl-8.5.0/meson.build b/subprojects/packagefiles/curl-8.5.0/meson.build
@@ -13,7 +13,7 @@ curl = custom_target('curl',
         meson.build_root() / 'subprojects',
     ],
 
-    depends: subproject('mbedtls-mbedtls-3.5.0').get_variable('mbedtls_curl_libs'),
+    depends: subproject('mbedtls-mbedtls-3.5.2').get_variable('mbedtls_curl_libs'),
     output: curl_libs_output,
 )
 

diff --git a/subprojects/packagefiles/mbedtls/gramine.patch b/subprojects/packagefiles/mbedtls/gramine.patch
@@ -2,7 +2,7 @@
 # progress via issue https://github.com/ARMmbed/mbedtls/issues/3141.
 
 diff --git a/library/ssl_tls.c b/library/ssl_tls.c
-index fc3fb85d75ff6cd25431494f9bd3660d3c2e370f..b935278e673d659ffb346ec35a3d9ea93bf16ee4 100644
+index cfb27981821363b83ea957e776b0f04e9e38100b..adaa87df3a74a346f03578f6e63e21517a81572d 100644
 --- a/library/ssl_tls.c
 +++ b/library/ssl_tls.c
 @@ -4392,11 +4392,13 @@ int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,

diff --git a/subprojects/packagefiles/mbedtls/include/mbedtls/config-pal.h b/subprojects/packagefiles/mbedtls/include/mbedtls/config-pal.h
@@ -3,7 +3,7 @@
  * Copyright (C) 2021 Intel Corp.
  */
 
-/* This mbedTLS config is for v3.5.0 and assumes Intel x86-64 CPU with AESNI and SSE2 support */
+/* This mbedTLS config is for v3.5.2 and assumes Intel x86-64 CPU with AESNI and SSE2 support */
 
 #pragma once
 

diff --git a/subprojects/packagefiles/mbedtls/meson.build b/subprojects/packagefiles/mbedtls/meson.build
@@ -1,4 +1,4 @@
-project('mbedtls', 'c', version: '3.5.0')
+project('mbedtls', 'c', version: '3.5.2')
 
 cc = meson.get_compiler('c')
 host_has_glibc = cc.get_define('__GLIBC__', prefix: '#include <features.h>') != ''
@@ -23,7 +23,7 @@ mbedtls_libs = custom_target('mbedtls',
     command: [
         find_program('compile-gramine.sh'),
         '@CURRENT_SOURCE_DIR@',
-        '@CURRENT_SOURCE_DIR@/mbedtls-mbedtls-3.5.0',
+        '@CURRENT_SOURCE_DIR@/mbedtls-mbedtls-3.5.2',
         meson.current_build_dir(),
         '@PRIVATE_DIR@',
         '@OUTPUT@',
@@ -32,7 +32,7 @@ mbedtls_libs = custom_target('mbedtls',
         'SHARED=1',
     ],
 
-    input: ['mbedtls-mbedtls-3.5.0/Makefile', 'gramine.patch'],
+    input: ['mbedtls-mbedtls-3.5.2/Makefile', 'gramine.patch'],
 
     # NOTE we need real sonames here (.so.N, not .so), please keep synced with
     # mbedtls/library/Makefile, variables SOEXT_{TLS,X509,CRYPTO}
@@ -69,22 +69,22 @@ endif
 
 # We rely on the fact that for `mbedtls_gramine` package, we don't need any changes in the default
 # mbedTLS headers
-install_subdir('mbedtls-mbedtls-3.5.0/include/mbedtls', install_dir: get_option('includedir') / 'gramine')
-install_subdir('mbedtls-mbedtls-3.5.0/include/psa', install_dir: get_option('includedir') / 'gramine')
+install_subdir('mbedtls-mbedtls-3.5.2/include/mbedtls', install_dir: get_option('includedir') / 'gramine')
+install_subdir('mbedtls-mbedtls-3.5.2/include/psa', install_dir: get_option('includedir') / 'gramine')
 
 mbedtls_pal_libs = custom_target('mbedtls_pal',
     command: [
         find_program('compile-pal.sh'),
         '@CURRENT_SOURCE_DIR@',
-        '@CURRENT_SOURCE_DIR@/mbedtls-mbedtls-3.5.0',
+        '@CURRENT_SOURCE_DIR@/mbedtls-mbedtls-3.5.2',
         meson.current_build_dir(),
         '@PRIVATE_DIR@',
         '@OUTPUT@',
         '--',
         'SUFFIX=_pal',
     ],
 
-    input: ['mbedtls-mbedtls-3.5.0/Makefile', 'gramine.patch'],
+    input: ['mbedtls-mbedtls-3.5.2/Makefile', 'gramine.patch'],
 
     output: [
         'libmbedcrypto_pal.a',
@@ -99,14 +99,14 @@ mbedtls_curl_libs = custom_target('mbedtls_curl',
     command: [
         find_program('compile-curl.sh'),
         '@CURRENT_SOURCE_DIR@',
-        '@CURRENT_SOURCE_DIR@/mbedtls-mbedtls-3.5.0',
+        '@CURRENT_SOURCE_DIR@/mbedtls-mbedtls-3.5.2',
         meson.current_build_dir(),
         '@PRIVATE_DIR@',
         meson.build_root() / 'subprojects',
         '@OUTPUT@',
     ],
 
-    input: ['mbedtls-mbedtls-3.5.0/Makefile', 'gramine.patch'],
+    input: ['mbedtls-mbedtls-3.5.2/Makefile', 'gramine.patch'],
 
     output: [
         'libmbedcrypto.a',
@@ -117,7 +117,7 @@ mbedtls_curl_libs = custom_target('mbedtls_curl',
     build_by_default: true,
 )
 
-mbedtls_inc = include_directories('include', 'mbedtls-mbedtls-3.5.0/include')
+mbedtls_inc = include_directories('include', 'mbedtls-mbedtls-3.5.2/include')
 
 mbedtls_static_dep = declare_dependency(
     link_with: [mbedtls_libs[6], mbedtls_libs[7], mbedtls_libs[8]],