mbedtls: upgrade 3.4.0 -> 3.5.0

* Includes security fix for CVE-2023-43615 - Buffer overread in TLS stream cipher suites
* Includes security fix for CVE-2023-45199 - Buffer overflow in TLS handshake parsing with ECDH
* Includes aesce compilation fixes

Full changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.5.0

The extra patch fixes x86 32-bit builds.

Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

4 files changed, 89 insertions, 75 deletions

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch
new file mode 100644
index 0000000000..5030fb99f9
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch
@@ -0,0 +1,87 @@
+From 80d3e73ad0648f558a067a9dbfe3bc80e6b614f8 Mon Sep 17 00:00:00 2001
+From: Beniamin Sandu <beniaminsandu@gmail.com>
+Date: Mon, 30 Oct 2023 19:15:56 +0000
+Subject: [PATCH] AES-NI: use target attributes for x86 32-bit intrinsics
+
+This way we build with 32-bit gcc/clang out of the box.
+We also fallback to assembly for 64-bit clang-cl if needed cpu
+flags are not provided, instead of throwing an error.
+
+Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/800f2b7c020678a84abfa9688962b91c36e6693d]
+
+Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
+---
+ library/aesni.c | 20 ++++++++++++++++++++
+ library/aesni.h |  8 +++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/library/aesni.c b/library/aesni.c
+index 5f25a8249..481fa3822 100644
+--- a/library/aesni.c
++++ b/library/aesni.c
+@@ -41,6 +41,17 @@
+ #include <immintrin.h>
+ #endif
+
++#if defined(MBEDTLS_ARCH_IS_X86)
++#if defined(MBEDTLS_COMPILER_IS_GCC)
++#pragma GCC push_options
++#pragma GCC target ("pclmul,sse2,aes")
++#define MBEDTLS_POP_TARGET_PRAGMA
++#elif defined(__clang__)
++#pragma clang attribute push (__attribute__((target("pclmul,sse2,aes"))), apply_to=function)
++#define MBEDTLS_POP_TARGET_PRAGMA
++#endif
++#endif
++
+ #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
+ /*
+  * AES-NI support detection routine
+@@ -396,6 +407,15 @@ static void aesni_setkey_enc_256(unsigned char *rk_bytes,
+ }
+ #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+
++#if defined(MBEDTLS_POP_TARGET_PRAGMA)
++#if defined(__clang__)
++#pragma clang attribute pop
++#elif defined(__GNUC__)
++#pragma GCC pop_options
++#endif
++#undef MBEDTLS_POP_TARGET_PRAGMA
++#endif
++
+ #else /* MBEDTLS_AESNI_HAVE_CODE == 1 */
+
+ #if defined(__has_feature)
+diff --git a/library/aesni.h b/library/aesni.h
+index ba1429029..37ae02c82 100644
+--- a/library/aesni.h
++++ b/library/aesni.h
+@@ -50,6 +50,10 @@
+ #if defined(__GNUC__) && defined(__AES__) && defined(__PCLMUL__)
+ #define MBEDTLS_AESNI_HAVE_INTRINSICS
+ #endif
++/* For 32-bit, we only support intrinsics */
++#if defined(MBEDTLS_ARCH_IS_X86) && (defined(__GNUC__) || defined(__clang__))
++#define MBEDTLS_AESNI_HAVE_INTRINSICS
++#endif
+
+ /* Choose the implementation of AESNI, if one is available.
+  *
+@@ -60,13 +64,11 @@
+ #if defined(MBEDTLS_AESNI_HAVE_INTRINSICS)
+ #define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics
+ #elif defined(MBEDTLS_HAVE_ASM) && \
+-    defined(__GNUC__) && defined(MBEDTLS_ARCH_IS_X64)
++    (defined(__GNUC__) || defined(__clang__)) && defined(MBEDTLS_ARCH_IS_X64)
+ /* Can we do AESNI with inline assembly?
+  * (Only implemented with gas syntax, only for 64-bit.)
+  */
+ #define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly
+-#elif defined(__GNUC__)
+-#   error "Must use `-mpclmul -msse2 -maes` for MBEDTLS_AESNI_C"
+ #else
+ #error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available"
+ #endif
+--
+2.34.1
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch
deleted file mode 100644
index d98d8fa575..0000000000
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2246925e3cb16183e25d4e2cfd13fb800df86270 Mon Sep 17 00:00:00 2001
-From: Beniamin Sandu <beniaminsandu@gmail.com>
-Date: Sun, 25 Jun 2023 19:58:08 +0300
-Subject: [PATCH] aesce: do not specify an arch version when enabling crypto
- instructions
-
-Building mbedtls with different aarch64 tuning variations revealed
-that we should use the crypto extensions without forcing a particular
-architecture version or core, as that can create issues.
-
-Upstream-Status: Submitted [https://github.com/Mbed-TLS/mbedtls/pull/7834]
-
-Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
----
- library/aesce.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/library/aesce.c b/library/aesce.c
-index fe056dc4c..843de3973 100644
---- a/library/aesce.c
-+++ b/library/aesce.c
-@@ -60,7 +60,7 @@
- #           error "A more recent GCC is required for MBEDTLS_AESCE_C"
- #       endif
- #       pragma GCC push_options
--#       pragma GCC target ("arch=armv8-a+crypto")
-+#       pragma GCC target ("+crypto")
- #       define MBEDTLS_POP_TARGET_PRAGMA
- #   else
- #       error "Only GCC and Clang supported for MBEDTLS_AESCE_C"
--- 
-2.25.1
-
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch
deleted file mode 100644
index 4775c8ddb7..0000000000
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls/0002-aesce-use-correct-target-attribute-when-building-wit.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 03d3523f974536f2358047382aadb0d4cc762f8a Mon Sep 17 00:00:00 2001
-From: Beniamin Sandu <beniaminsandu@gmail.com>
-Date: Mon, 26 Jun 2023 12:07:21 +0300
-Subject: [PATCH] aesce: use correct target attribute when building with clang
-
-Seems clang has its own issues when it comes to crypto extensions,
-and right now the best way to avoid them is to accurately enable
-the needed instructions instead of the broad crypto feature.
-
-E.g.: https://github.com/llvm/llvm-project/issues/61645
-
-Upstream-Status: Pending
-
-Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
----
- library/aesce.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/library/aesce.c b/library/aesce.c
-index 843de3973..7bea088ba 100644
---- a/library/aesce.c
-+++ b/library/aesce.c
-@@ -53,7 +53,7 @@
- #       if __clang_major__ < 4
- #           error "A more recent Clang is required for MBEDTLS_AESCE_C"
- #       endif
--#       pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
-+#       pragma clang attribute push (__attribute__((target("aes"))), apply_to=function)
- #       define MBEDTLS_POP_TARGET_PRAGMA
- #   elif defined(__GNUC__)
- #       if __GNUC__ < 6
--- 
-2.25.1
-
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.0.bb
index 3a355bb43f..d57e717bd8 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.0.bb
@@ -23,10 +23,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 SECTION = "libs"
 
 S = "${WORKDIR}/git"
-SRCREV = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33"
+SRCREV = "1ec69067fa1351427f904362c1221b31538c8b57"
 SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \
-	file://0001-aesce-do-not-specify-an-arch-version-when-enabling-c.patch \
-	file://0002-aesce-use-correct-target-attribute-when-building-wit.patch \
+	file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \
 	file://run-ptest"
 
 inherit cmake update-alternatives ptest
@@ -61,11 +60,6 @@ BBCLASSEXTEND = "native nativesdk"
 
 CVE_PRODUCT = "mbed_tls"
 
-# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
-CVE_CHECK_IGNORE += "CVE-2021-43666"
-# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
-CVE_CHECK_IGNORE += "CVE-2021-45451"
-
 # Strip host paths from autogenerated test files
 do_compile:append() {
 	sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :