Re: SECURITY UPDATE security/polarssl

[Theo Buehler]

On Tue, Sep 08, 2020 at 09:35:24PM +0200, Bjorn Ketelaars wrote:
> On Wed 02/09/2020 17:41, Bjorn Ketelaars wrote:
> > Diff below updates mbedtls to 2.16.8, which is a security update and
> > addresses:
> > - Local side channel attack on RSA and static Diffie-Hellman
> > - Local side channel attack on classical CBC decryption in (D)TLS
> > 
> > Other changes are listed at
> > https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.16.8/ChangeLog
> > 
> > Minor of libmbedtls has been bumped because of the addition of a symbol.
> > 
> > 'make test' runs successfully. Run tested in combination with openvpn.
> > 
> > I think it makes sense to backport this update to 6.8.
> > 
> > Comments/OK
> 
> 
> Ping!
> 

Built & successfully ran regress on amd64 and sparc64. Looked at the
diff to 2.16.7 and can confirm that it's a minor bump.

ok tb

Backporting seems to make sense but I'm not familiar with the process.

Re: SECURITY UPDATE security/polarssl

[Bjorn Ketelaars]

On Wed 02/09/2020 17:41, Bjorn Ketelaars wrote:
> Diff below updates mbedtls to 2.16.8, which is a security update and
> addresses:
> - Local side channel attack on RSA and static Diffie-Hellman
> - Local side channel attack on classical CBC decryption in (D)TLS
> 
> Other changes are listed at
> https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.16.8/ChangeLog
> 
> Minor of libmbedtls has been bumped because of the addition of a symbol.
> 
> 'make test' runs successfully. Run tested in combination with openvpn.
> 
> I think it makes sense to backport this update to 6.8.
> 
> Comments/OK


Ping!

SECURITY UPDATE security/polarssl

[Bjorn Ketelaars]

Diff below updates mbedtls to 2.16.8, which is a security update and
addresses:
- Local side channel attack on RSA and static Diffie-Hellman
- Local side channel attack on classical CBC decryption in (D)TLS

Other changes are listed at
https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.16.8/ChangeLog

Minor of libmbedtls has been bumped because of the addition of a symbol.

'make test' runs successfully. Run tested in combination with openvpn.

I think it makes sense to backport this update to 6.8.

Comments/OK


diff --git security/polarssl/Makefile security/polarssl/Makefile
index 08cc08597b0..730506a218f 100644
--- security/polarssl/Makefile
+++ security/polarssl/Makefile
@@ -6,11 +6,11 @@ COMMENT=  SSL library with an intuitive API and readable 
source code
 
 GH_ACCOUNT=ARMmbed
 GH_PROJECT=mbedtls
-GH_TAGNAME=mbedtls-2.16.7
+GH_TAGNAME=mbedtls-2.16.8
 DISTNAME=  ${GH_TAGNAME}
 
 # check SOVERSION
-SHARED_LIBS +=  mbedtls   6.1 # 12
+SHARED_LIBS +=  mbedtls   6.2 # 12
 SHARED_LIBS +=  mbedcrypto4.4 # 3
 SHARED_LIBS +=  mbedx509  3.1 # 0
 
diff --git security/polarssl/distinfo security/polarssl/distinfo
index eabb0429882..6e67c2b2560 100644
--- security/polarssl/distinfo
+++ security/polarssl/distinfo
@@ -1,2 +1,2 @@
-SHA256 (mbedtls-2.16.7.tar.gz) = R4a30WdvXk0kjzp/LShEaHbWSWJjTwYP8huSxpDPvoY=
-SIZE (mbedtls-2.16.7.tar.gz) = 2658294
+SHA256 (mbedtls-2.16.8.tar.gz) = BHtAZ/IacpR90d/9fD8QatjlLYWHe3ffVYKWRY9gMKM=
+SIZE (mbedtls-2.16.8.tar.gz) = 2662927
diff --git security/polarssl/patches/patch-include_mbedtls_config_h 
security/polarssl/patches/patch-include_mbedtls_config_h
index 4879266224e..c0a53a75e38 100644
--- security/polarssl/patches/patch-include_mbedtls_config_h
+++ security/polarssl/patches/patch-include_mbedtls_config_h
@@ -6,7 +6,7 @@ www/hiawatha.
 Index: include/mbedtls/config.h
 --- include/mbedtls/config.h.orig
 +++ include/mbedtls/config.h
-@@ -1732,7 +1732,7 @@
+@@ -1766,7 +1766,7 @@
   *
   * Uncomment this to enable pthread mutexes.
   */
@@ -15,7 +15,7 @@ Index: include/mbedtls/config.h
  
  /**
   * \def MBEDTLS_VERSION_FEATURES
-@@ -2928,7 +2928,7 @@
+@@ -2962,7 +2962,7 @@
   *
   * Enable this layer to allow use of mutexes within mbed TLS
   */
diff --git security/polarssl/patches/patch-tests_suites_host_test_function 
security/polarssl/patches/patch-tests_suites_host_test_function
index 2c87c7d9122..eba6ac005c7 100644
--- security/polarssl/patches/patch-tests_suites_host_test_function
+++ security/polarssl/patches/patch-tests_suites_host_test_function
@@ -5,7 +5,7 @@ Can't take the address of stdout.
 Index: tests/suites/host_test.function
 --- tests/suites/host_test.function.orig
 +++ tests/suites/host_test.function
-@@ -401,9 +401,6 @@ int execute_tests( int argc , const char ** argv )
+@@ -402,9 +402,6 @@ int execute_tests( int argc , const char ** argv )
  /* Store for proccessed integer params. */
  int int_params[50];
  void *pointer;
@@ -15,7 +15,7 @@ Index: tests/suites/host_test.function
  
  #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
  !defined(TEST_SUITE_MEMORY_BUFFER_ALLOC)
-@@ -548,20 +545,6 @@ int execute_tests( int argc , const char ** argv )
+@@ -549,21 +546,6 @@ int execute_tests( int argc , const char ** argv )
  test_info.result = TEST_RESULT_SUCCESS;
  test_info.paramfail_test_state = PARAMFAIL_TESTSTATE_IDLE;
  
@@ -25,7 +25,7 @@ Index: tests/suites/host_test.function
 - */
 -if( !option_verbose )
 -{
--stdout_fd = redirect_output( , "/dev/null" );
+-stdout_fd = redirect_output( stdout, "/dev/null" );
 -if( stdout_fd == -1 )
 -{
 -/* Redirection has failed with no stdout so exit */
@@ -33,15 +33,17 @@ Index: tests/suites/host_test.function
 -}
 -}
 -#endif /* __unix__ || __APPLE__ __MACH__ */
- 
+-
  function_id = strtoul( params[0], NULL, 10 );
  if ( (ret = check_test( function_id )) == 
DISPATCH_TEST_SUCCESS )
-@@ -573,13 +556,6 @@ int execute_tests( int argc , const char ** argv )
+ {
+@@ -573,14 +555,6 @@ int execute_tests( int argc , const char ** argv )
+ ret = dispatch_test( function_id, (void **)( params + 
1 ) );
  }
  }
- 
+-
 -#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
--if( !option_verbose && restore_output( , stdout_fd ) )
+-if( !option_verbose && restore_output( stdout, stdout_fd ) )
 -{
 -/* Redirection has failed with no stdout so exit */
 -exit( 1 );
@@ -50,14 +52,3 @@ Index: tests/suites/host_test.function
  
  }
  
-@@ -666,10 +642,6 @@ int execute_tests( int argc , const char **