Enclosed is a diff bringing mbedtls to 2.13.0. This is a security release: it fixes a bug in the X.509 module that could lead to a buffer over-read while parsing certificate extensions. The changelog can be found at https://tls.mbed.org/tech-updates/releases/mbedtls-2.13.0-2.7.6-and-2.1.15-released
libmbedtls requires a bump as a symbol has been removed (and new ones have been added). Tested with its consumers, and 'make test' runs successfully (amd64). Comments/OK? Index: Makefile =================================================================== RCS file: /cvs/ports/security/polarssl/Makefile,v retrieving revision 1.22 diff -u -p -r1.22 Makefile --- Makefile 8 Aug 2018 12:51:09 -0000 1.22 +++ Makefile 19 Sep 2018 16:37:23 -0000 @@ -2,11 +2,11 @@ COMMENT= SSL library with an intuitive API and readable source code -DISTNAME= mbedtls-2.12.0 +DISTNAME= mbedtls-2.13.0 EXTRACT_SUFX= -gpl.tgz # check SOVERSION -SHARED_LIBS += mbedtls 4.0 # 11 +SHARED_LIBS += mbedtls 5.0 # 12 SHARED_LIBS += mbedcrypto 3.0 # 3 SHARED_LIBS += mbedx509 2.0 # 0 Index: distinfo =================================================================== RCS file: /cvs/ports/security/polarssl/distinfo,v retrieving revision 1.15 diff -u -p -r1.15 distinfo --- distinfo 8 Aug 2018 12:51:09 -0000 1.15 +++ distinfo 19 Sep 2018 16:37:23 -0000 @@ -1,2 +1,2 @@ -SHA256 (mbedtls-2.12.0-gpl.tgz) = hmHRmolqWnojLtAax/Bc8Ow1FHmPGAdsLJ75ZfvrWig= -SIZE (mbedtls-2.12.0-gpl.tgz) = 2376449 +SHA256 (mbedtls-2.13.0-gpl.tgz) = oI3fCKrlX8T0j7xigfywi8XFPtU//RU1XuDXXsMrU64= +SIZE (mbedtls-2.13.0-gpl.tgz) = 2419726 Index: patches/patch-CMakeLists_txt =================================================================== RCS file: /cvs/ports/security/polarssl/patches/patch-CMakeLists_txt,v retrieving revision 1.6 diff -u -p -r1.6 patch-CMakeLists_txt --- patches/patch-CMakeLists_txt 8 Aug 2018 12:51:09 -0000 1.6 +++ patches/patch-CMakeLists_txt 19 Sep 2018 16:37:23 -0000 @@ -2,7 +2,7 @@ $OpenBSD: patch-CMakeLists_txt,v 1.6 201 Index: CMakeLists.txt --- CMakeLists.txt.orig +++ CMakeLists.txt -@@ -107,8 +107,6 @@ if(CMAKE_COMPILER_IS_GNU) +@@ -108,8 +108,6 @@ if(CMAKE_COMPILER_IS_GNU) if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow") endif() 
@@ -11,7 +11,7 @@ Index: CMakeLists.txt set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common -O3") set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ") -@@ -118,8 +116,6 @@ endif(CMAKE_COMPILER_IS_GNU) +@@ -119,8 +117,6 @@ endif(CMAKE_COMPILER_IS_GNU) if(CMAKE_COMPILER_IS_CLANG) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow") Index: patches/patch-tests_suites_host_test_function =================================================================== RCS file: patches/patch-tests_suites_host_test_function diff -N patches/patch-tests_suites_host_test_function --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-tests_suites_host_test_function 19 Sep 2018 16:37:23 -0000 
@@ -0,0 +1,63 @@ +$OpenBSD$ + +Can't take the address of stdout. + +Index: tests/suites/host_test.function +--- tests/suites/host_test.function.orig ++++ tests/suites/host_test.function +@@ -400,9 +400,6 @@ int execute_tests( int argc , const char ** argv ) + /* Store for proccessed integer params. */ + int int_params[50]; + void *pointer; +-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__)) +- int stdout_fd = -1; +-#endif /* __unix__ || __APPLE__ __MACH__ */ + + #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \ + !defined(TEST_SUITE_MEMORY_BUFFER_ALLOC) +@@ -547,20 +544,6 @@ int execute_tests( int argc , const char ** argv ) + { + test_info.failed = 0; + +-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__)) +- /* Suppress all output from the library unless we're verbose +- * mode +- */ +- if( !option_verbose ) +- { +- stdout_fd = redirect_output( &stdout, "/dev/null" ); +- if( stdout_fd == -1 ) +- { +- /* Redirection has failed with no stdout so exit */ +- exit( 1 ); +- } +- } +-#endif /* __unix__ || __APPLE__ __MACH__ */ + + function_id = strtol( params[0], NULL, 10 ); + if ( (ret = check_test( function_id )) == DISPATCH_TEST_SUCCESS ) +@@ -572,13 +555,6 @@ int execute_tests( int argc , const char ** argv ) + } + } + +-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__)) +- if( !option_verbose && restore_output( &stdout, stdout_fd ) ) +- { +- /* Redirection has failed with no stdout so exit */ +- exit( 1 ); +- } +-#endif /* __unix__ || __APPLE__ __MACH__ */ + + } + +@@ -662,10 +638,6 @@ int execute_tests( int argc , const char ** argv ) + mbedtls_memory_buffer_alloc_free(); + #endif + +-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__)) +- if( stdout_fd != -1 ) +- close_output( stdout ); +-#endif /* __unix__ || __APPLE__ __MACH__ */ + + return( total_errors != 0 ); + } Index: patches/patch-tests_suites_main_test_function =================================================================== RCS file: 
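Review bot: Non-verbose test runs lose their output suppression entirely with this patch, because it removes the `stdout_fd` declaration and all three `redirect_output`/`restore_output`/`close_output` sites in execute_tests rather than only avoiding the `&stdout` expression that does not compile. Since freopen() returns its stream argument on success, a local `FILE *out = stdout;` passed as `&out` to the helpers would presumably satisfy their `FILE **` parameter without taking the address of the `stdout` macro — worth confirming against the helper definitions, which sit outside this hunk. The removal also leaves two consecutive blank lines at each of the three later sites (after `test_info.failed = 0;`, before the closing `}` of the loop, and before `return( total_errors != 0 );`), so the patch should drop the neighbouring blank line as well. The header comment `Can't take the address of stdout.` would be more useful as `On OpenBSD stdout is a macro expanding to an address expression, not an lvalue, so &stdout does not compile; the stdout redirection is dropped instead.` execute_tests begins before this hunk.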
patches/patch-tests_suites_main_test_function diff -N patches/patch-tests_suites_main_test_function --- patches/patch-tests_suites_main_test_function 8 Aug 2018 12:51:09 -0000 1.4 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,40 +0,0 @@ -$OpenBSD: patch-tests_suites_main_test_function,v 1.4 2018/08/08 12:51:09 bket Exp $ - -XXX can't take the address of stdout - -Index: tests/suites/main_test.function ---- tests/suites/main_test.function.orig -+++ tests/suites/main_test.function -@@ -447,32 +447,7 @@ int main(int argc, const char *argv[]) - { - test_info.failed = 0; - --#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__)) -- /* Suppress all output from the library unless we're verbose -- * mode -- */ -- if( !option_verbose ) -- { -- stdout_fd = redirect_output( &stdout, "/dev/null" ); -- if( stdout_fd == -1 ) -- { -- platform_teardown(); -- /* Redirection has failed with no stdout so exit */ -- exit( 1 ); -- } -- } --#endif /* __unix__ || __APPLE__ __MACH__ */ -- - ret = dispatch_test( cnt, params ); -- --#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__)) -- if( !option_verbose && restore_output( &stdout, stdout_fd ) ) -- { -- /* Redirection has failed with no stdout so exit */ -- platform_teardown(); -- exit( 1 ); -- } --#endif /* __unix__ || __APPLE__ __MACH__ */ - - } -