Diff below updates mbedtls to 2.16.8, which is a security update and addresses: - Local side channel attack on RSA and static Diffie-Hellman - Local side channel attack on classical CBC decryption in (D)TLS
Other changes are listed at https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.16.8/ChangeLog Minor of libmbedtls has been bumped because of the addition of a symbol. 'make test' runs successfully. Run tested in combination with openvpn. I think it makes sense to backport this update to 6.8. Comments/OK
diff --git security/polarssl/Makefile security/polarssl/Makefile
index 08cc08597b0..730506a218f 100644
--- security/polarssl/Makefile
+++ security/polarssl/Makefile
@@ -6,11 +6,11 @@ COMMENT= SSL library with an intuitive API and readable source code
GH_ACCOUNT= ARMmbed
GH_PROJECT= mbedtls
-GH_TAGNAME= mbedtls-2.16.7
+GH_TAGNAME= mbedtls-2.16.8
DISTNAME= ${GH_TAGNAME}
# check SOVERSION
-SHARED_LIBS += mbedtls 6.1 # 12
+SHARED_LIBS += mbedtls 6.2 # 12
SHARED_LIBS += mbedcrypto 4.4 # 3
SHARED_LIBS += mbedx509 3.1 # 0
diff --git security/polarssl/distinfo security/polarssl/distinfo
index eabb0429882..6e67c2b2560 100644
--- security/polarssl/distinfo
+++ security/polarssl/distinfo
@@ -1,2 +1,2 @@
-SHA256 (mbedtls-2.16.7.tar.gz) = R4a30WdvXk0kjzp/LShEaHbWSWJjTwYP8huSxpDPvoY=
-SIZE (mbedtls-2.16.7.tar.gz) = 2658294
+SHA256 (mbedtls-2.16.8.tar.gz) = BHtAZ/IacpR90d/9fD8QatjlLYWHe3ffVYKWRY9gMKM=
+SIZE (mbedtls-2.16.8.tar.gz) = 2662927
diff --git security/polarssl/patches/patch-include_mbedtls_config_h security/polarssl/patches/patch-include_mbedtls_config_h
index 4879266224e..c0a53a75e38 100644
--- security/polarssl/patches/patch-include_mbedtls_config_h
+++ security/polarssl/patches/patch-include_mbedtls_config_h
@@ -6,7 +6,7 @@ www/hiawatha.
Index: include/mbedtls/config.h
--- include/mbedtls/config.h.orig
+++ include/mbedtls/config.h
-@@ -1732,7 +1732,7 @@
+@@ -1766,7 +1766,7 @@
*
* Uncomment this to enable pthread mutexes.
*/
@@ -15,7 +15,7 @@ Index: include/mbedtls/config.h
/**
* \def MBEDTLS_VERSION_FEATURES
-@@ -2928,7 +2928,7 @@
+@@ -2962,7 +2962,7 @@
*
* Enable this layer to allow use of mutexes within mbed TLS
*/
diff --git security/polarssl/patches/patch-tests_suites_host_test_function security/polarssl/patches/patch-tests_suites_host_test_function
index 2c87c7d9122..eba6ac005c7 100644
--- security/polarssl/patches/patch-tests_suites_host_test_function
+++ security/polarssl/patches/patch-tests_suites_host_test_function
@@ -5,7 +5,7 @@ Can't take the address of stdout.
Index: tests/suites/host_test.function
--- tests/suites/host_test.function.orig
+++ tests/suites/host_test.function
-@@ -401,9 +401,6 @@ int execute_tests( int argc , const char ** argv )
+@@ -402,9 +402,6 @@ int execute_tests( int argc , const char ** argv )
/* Store for proccessed integer params. */
int int_params[50];
void *pointer;
@@ -15,7 +15,7 @@ Index: tests/suites/host_test.function
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
!defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
-@@ -548,20 +545,6 @@ int execute_tests( int argc , const char ** argv )
+@@ -549,21 +546,6 @@ int execute_tests( int argc , const char ** argv )
test_info.result = TEST_RESULT_SUCCESS;
test_info.paramfail_test_state = PARAMFAIL_TESTSTATE_IDLE;
@@ -25,7 +25,7 @@ Index: tests/suites/host_test.function
- */
- if( !option_verbose )
- {
-- stdout_fd = redirect_output( &stdout, "/dev/null" );
+- stdout_fd = redirect_output( stdout, "/dev/null" );
- if( stdout_fd == -1 )
- {
- /* Redirection has failed with no stdout so exit */
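Review bot: The refreshed patch keeps deleting the stdout redirection from execute_tests() even though its stated reason, "Can't take the address of stdout.", no longer seems to apply to the new upstream code: in this hunk the deleted upstream line changes from `redirect_output( &stdout, "/dev/null" )` to `redirect_output( stdout, "/dev/null" )`, and the following hunk shows the same for `restore_output( stdout, stdout_fd )`. If 2.16.8 now passes the stream itself, `patches/patch-tests_suites_host_test_function` can probably be removed, so that 'make test' for this security update runs the harness exactly as upstream ships it; this needs a test run without the patch to confirm. If the patch is still required for some other reason, its header line should be reworded to give that reason. execute_tests() itself lies outside what the diff shows, so this is inferred from the patch context only.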
@@ -33,15 +33,17 @@ Index: tests/suites/host_test.function
- }
- }
-#endif /* __unix__ || __APPLE__ __MACH__ */
-
+-
function_id = strtoul( params[0], NULL, 10 );
if ( (ret = check_test( function_id )) == DISPATCH_TEST_SUCCESS )
-@@ -573,13 +556,6 @@ int execute_tests( int argc , const char ** argv )
+ {
+@@ -573,14 +555,6 @@ int execute_tests( int argc , const char ** argv )
+ ret = dispatch_test( function_id, (void **)( params + 1 ) );
}
}
-
+-
-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
-- if( !option_verbose && restore_output( &stdout, stdout_fd ) )
+- if( !option_verbose && restore_output( stdout, stdout_fd ) )
- {
- /* Redirection has failed with no stdout so exit */
- exit( 1 );
@@ -50,14 +52,3 @@ Index: tests/suites/host_test.function
}
-@@ -666,10 +642,6 @@ int execute_tests( int argc , const char ** argv )
- mbedtls_memory_buffer_alloc_free();
- #endif
-
--#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
-- if( stdout_fd != -1 )
-- close_output( stdout );
--#endif /* __unix__ || __APPLE__ __MACH__ */
-
- return( total_errors != 0 );
- }
diff --git security/polarssl/pkg/PLIST security/polarssl/pkg/PLIST
index ce257f39af8..896e9cff7c6 100644
--- security/polarssl/pkg/PLIST
+++ security/polarssl/pkg/PLIST
@@ -130,5 +130,6 @@ share/examples/mbedtls/README
@bin share/examples/mbedtls/ssl_mail_client
@bin share/examples/mbedtls/ssl_pthread_server
@bin share/examples/mbedtls/ssl_server
+@bin share/examples/mbedtls/ssl_server2
@bin share/examples/mbedtls/strerror
@bin share/examples/mbedtls/udp_proxy