Files
Sergio Ammirata c694d51223 contrib/mbedtls: refresh bundled source to 2.28.10
Replace the bundled Mbed TLS 2.26.0 sources with the 2.28.10 release
(last LTS in the 2.x series, released 2025-03-24). 2.28.x is a strict
ABI-compatible continuation of the 2.x line, so no librist code change
is required; the bundled subset (crypto-only, no TLS/X.509/debug) keeps
the same exclusion list as before.

What this brings in:

  * CVE-2025-27809: TLS clients without mbedtls_ssl_set_hostname() can
    no longer be silently impersonated by any cert-authenticated server.
  * CVE-2025-27810: TLS 1.2 Finished message could be miscalculated on
    allocator/HW failure, breaking the handshake's integrity guarantee.
  * CVE-2024-45157: PSA HMAC_DRBG selection regression.
  * Several years of fixes across AES, ECP, MPI, RSA, PK, PKCS5,
    bignum constant-time routines, Windows-specific build issues, and
    the new constant_time.c side-channel-hardening primitives that are
    now used pervasively throughout the crypto core.

What this required on the librist side:

  * meson.build (contrib/mbedtls): add 5 new crypto sources that the
    crypto core now hard-depends on:
      - library/constant_time.c
      - library/psa_crypto_aead.c
      - library/psa_crypto_cipher.c
      - library/psa_crypto_hash.c
      - library/psa_crypto_mac.c
    No previously-listed sources were removed upstream, and librist's
    classic-API usage (AES-CTR, CTR-DRBG, entropy, SHA-256, PBKDF2,
    MPI) is unchanged.

  * library/timing.c: re-apply the downstream "widen hardclock gate
    from defined(_MSC_VER) to defined(_WIN32)" patch (originally
    6495392) so MinGW and Clang-Windows builds keep using
    QueryPerformanceCounter for mbedtls_timing_hardclock(). Upstream
    Mbed TLS 2.28 still gates this on _MSC_VER only.

  * refresh_mbedtls_source.sh: point at subprojects/mbedtls-2.28.10/.

Two files removed by upstream between 2.26 and 2.28 and dropped here
accordingly: psa_crypto_service_integration.h and ssl_invasive.h.
Also drop the stale library/libmbedcrypto.a build artifact that was
checked in by accident with the original 2.26.0 import.
2026-04-24 23:24:17 -04:00
..
2020-05-28 16:35:40 +02:00
2020-08-28 15:00:03 +02:00
2025-10-08 08:03:03 +02:00