Diff below updates mbedtls to 2.16.8, which is a security update and
addresses:
- Local side channel attack on RSA and static Diffie-Hellman
- Local side channel attack on classical CBC decryption in (D)TLS
Other changes are listed at
https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.16.8/ChangeLog
Minor of libmbedtls has been bumped because of the addition of a symbol.
'make test' runs successfully. Run tested in combination with openvpn.
I think it makes sense to backport this update to 6.8.
Comments/OK
diff --git security/polarssl/Makefile security/polarssl/Makefile
index 08cc08597b0..730506a218f 100644
--- security/polarssl/Makefile
+++ security/polarssl/Makefile
@@ -6,11 +6,11 @@ COMMENT= SSL library with an intuitive API and readable
source code
GH_ACCOUNT=ARMmbed
GH_PROJECT=mbedtls
-GH_TAGNAME=mbedtls-2.16.7
+GH_TAGNAME=mbedtls-2.16.8
DISTNAME= ${GH_TAGNAME}
# check SOVERSION
-SHARED_LIBS += mbedtls 6.1 # 12
+SHARED_LIBS += mbedtls 6.2 # 12
SHARED_LIBS += mbedcrypto4.4 # 3
SHARED_LIBS += mbedx509 3.1 # 0
diff --git security/polarssl/distinfo security/polarssl/distinfo
index eabb0429882..6e67c2b2560 100644
--- security/polarssl/distinfo
+++ security/polarssl/distinfo
@@ -1,2 +1,2 @@
-SHA256 (mbedtls-2.16.7.tar.gz) = R4a30WdvXk0kjzp/LShEaHbWSWJjTwYP8huSxpDPvoY=
-SIZE (mbedtls-2.16.7.tar.gz) = 2658294
+SHA256 (mbedtls-2.16.8.tar.gz) = BHtAZ/IacpR90d/9fD8QatjlLYWHe3ffVYKWRY9gMKM=
+SIZE (mbedtls-2.16.8.tar.gz) = 2662927
diff --git security/polarssl/patches/patch-include_mbedtls_config_h
security/polarssl/patches/patch-include_mbedtls_config_h
index 4879266224e..c0a53a75e38 100644
--- security/polarssl/patches/patch-include_mbedtls_config_h
+++ security/polarssl/patches/patch-include_mbedtls_config_h
@@ -6,7 +6,7 @@ www/hiawatha.
Index: include/mbedtls/config.h
--- include/mbedtls/config.h.orig
+++ include/mbedtls/config.h
-@@ -1732,7 +1732,7 @@
+@@ -1766,7 +1766,7 @@
*
* Uncomment this to enable pthread mutexes.
*/
@@ -15,7 +15,7 @@ Index: include/mbedtls/config.h
/**
* \def MBEDTLS_VERSION_FEATURES
-@@ -2928,7 +2928,7 @@
+@@ -2962,7 +2962,7 @@
*
* Enable this layer to allow use of mutexes within mbed TLS
*/
diff --git security/polarssl/patches/patch-tests_suites_host_test_function
security/polarssl/patches/patch-tests_suites_host_test_function
index 2c87c7d9122..eba6ac005c7 100644
--- security/polarssl/patches/patch-tests_suites_host_test_function
+++ security/polarssl/patches/patch-tests_suites_host_test_function
@@ -5,7 +5,7 @@ Can't take the address of stdout.
Index: tests/suites/host_test.function
--- tests/suites/host_test.function.orig
+++ tests/suites/host_test.function
-@@ -401,9 +401,6 @@ int execute_tests( int argc , const char ** argv )
+@@ -402,9 +402,6 @@ int execute_tests( int argc , const char ** argv )
/* Store for proccessed integer params. */
int int_params[50];
void *pointer;
@@ -15,7 +15,7 @@ Index: tests/suites/host_test.function
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
!defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
-@@ -548,20 +545,6 @@ int execute_tests( int argc , const char ** argv )
+@@ -549,21 +546,6 @@ int execute_tests( int argc , const char ** argv )
test_info.result = TEST_RESULT_SUCCESS;
test_info.paramfail_test_state = PARAMFAIL_TESTSTATE_IDLE;
@@ -25,7 +25,7 @@ Index: tests/suites/host_test.function
- */
-if( !option_verbose )
-{
--stdout_fd = redirect_output( , "/dev/null" );
+-stdout_fd = redirect_output( stdout, "/dev/null" );
-if( stdout_fd == -1 )
-{
-/* Redirection has failed with no stdout so exit */
@@ -33,15 +33,17 @@ Index: tests/suites/host_test.function
-}
-}
-#endif /* __unix__ || __APPLE__ __MACH__ */
-
+-
function_id = strtoul( params[0], NULL, 10 );
if ( (ret = check_test( function_id )) ==
DISPATCH_TEST_SUCCESS )
-@@ -573,13 +556,6 @@ int execute_tests( int argc , const char ** argv )
+ {
+@@ -573,14 +555,6 @@ int execute_tests( int argc , const char ** argv )
+ ret = dispatch_test( function_id, (void **)( params +
1 ) );
}
}
-
+-
-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
--if( !option_verbose && restore_output( , stdout_fd ) )
+-if( !option_verbose && restore_output( stdout, stdout_fd ) )
-{
-/* Redirection has failed with no stdout so exit */
-exit( 1 );
@@ -50,14 +52,3 @@ Index: tests/suites/host_test.function
}
-@@ -666,10 +642,6 @@ int execute_tests( int argc , const char **