[LEDE-DEV] [PATCH] mbedtls: update to 2.6.0 CVE-2017-14032

Magnus Kroken mkroken at gmail.com
Sun Sep 3 05:45:38 PDT 2017 


On 01.09.2017 20:04, Kevin Darbyshire-Bryant wrote:
> compile & run tested: ar71xx - archer C7 v2
> 

Tested-by: Magnus Kroken <mkroken at gmail.com>

Runtim-tested on powerpc/mpc85xx.

Tests run:
Connect to uhttpd with TLS - successful
Download HTTPS URL with uclient-fetch - successful
Connect to openvpn-mbedtls server - successful

/Magnus

> 
>   package/libs/mbedtls/Makefile                 |  4 +--
>   package/libs/mbedtls/patches/200-config.patch | 52 +++++++++++++--------------
>   2 files changed, 28 insertions(+), 28 deletions(-)
> 
> diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
> index 4cceb74..0e33831 100644
> --- a/package/libs/mbedtls/Makefile
> +++ b/package/libs/mbedtls/Makefile
> @@ -8,13 +8,13 @@
>   include $(TOPDIR)/rules.mk
>   
>   PKG_NAME:=mbedtls
> -PKG_VERSION:=2.5.1
> +PKG_VERSION:=2.6.0
>   PKG_RELEASE:=1
>   PKG_USE_MIPS16:=0
>   
>   PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
>   PKG_SOURCE_URL:=https://tls.mbed.org/download/
> -PKG_HASH:=312f020006f0d8e9ede3ed8e73d907a629baf6475229703941769372ab0adee2
> +PKG_HASH:=a99959d7360def22f9108d2d487c9de384fe76c349697176b1f22370080d5810
>   
>   PKG_BUILD_PARALLEL:=1
>   PKG_LICENSE:=GPL-2.0+
> diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch
> index 39de3cc..5fbd6b1 100644
> --- a/package/libs/mbedtls/patches/200-config.patch
> +++ b/package/libs/mbedtls/patches/200-config.patch
> @@ -1,6 +1,6 @@
>   --- a/include/mbedtls/config.h
>   +++ b/include/mbedtls/config.h
> -@@ -191,7 +191,7 @@
> +@@ -220,7 +220,7 @@
>     *
>     * Uncomment to get errors on using deprecated functions.
>     */
> @@ -9,7 +9,7 @@
>    
>    /* \} name SECTION: System support */
>    
> -@@ -504,17 +504,17 @@
> +@@ -539,17 +539,17 @@
>     *
>     * Comment macros to disable the curve and functions for it
>     */
> @@ -35,7 +35,7 @@
>    #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
>    
>    /**
> -@@ -539,8 +539,8 @@
> +@@ -574,8 +574,8 @@
>     * Requires: MBEDTLS_HMAC_DRBG_C
>     *
>     * Comment this macro to disable deterministic ECDSA.
> @@ -45,7 +45,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
> -@@ -586,7 +586,7 @@
> +@@ -621,7 +621,7 @@
>     *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
>     *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
>     */
> @@ -54,7 +54,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
> -@@ -605,8 +605,8 @@
> +@@ -640,8 +640,8 @@
>     *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
>     *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
>     *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
> @@ -64,7 +64,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
> -@@ -631,7 +631,7 @@
> +@@ -666,7 +666,7 @@
>     *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
>     *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
>     */
> @@ -73,7 +73,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
> -@@ -758,7 +758,7 @@
> +@@ -793,7 +793,7 @@
>     *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
>     *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
>     */
> @@ -82,7 +82,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
> -@@ -782,7 +782,7 @@
> +@@ -817,7 +817,7 @@
>     *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
>     *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
>     */
> @@ -91,7 +91,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
> -@@ -886,7 +886,7 @@
> +@@ -921,7 +921,7 @@
>     * This option is only useful if both MBEDTLS_SHA256_C and
>     * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
>     */
> @@ -100,7 +100,7 @@
>    
>    /**
>     * \def MBEDTLS_ENTROPY_NV_SEED
> -@@ -980,14 +980,14 @@
> +@@ -1015,14 +1015,14 @@
>     * Uncomment this macro to disable the use of CRT in RSA.
>     *
>     */
> @@ -117,7 +117,7 @@
>    
>    /**
>     * \def MBEDTLS_SHA256_SMALLER
> -@@ -1003,7 +1003,7 @@
> +@@ -1038,7 +1038,7 @@
>     *
>     * Uncomment to enable the smaller implementation of SHA256.
>     */
> @@ -126,7 +126,7 @@
>    
>    /**
>     * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
> -@@ -1122,8 +1122,8 @@
> +@@ -1157,8 +1157,8 @@
>     * misuse/misunderstand.
>     *
>     * Comment this to disable support for renegotiation.
> @@ -136,7 +136,7 @@
>    
>    /**
>     * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
> -@@ -1297,8 +1297,8 @@
> +@@ -1332,8 +1332,8 @@
>     * callbacks are provided by MBEDTLS_SSL_TICKET_C.
>     *
>     * Comment this macro to disable support for SSL session tickets
> @@ -146,7 +146,7 @@
>    
>    /**
>     * \def MBEDTLS_SSL_EXPORT_KEYS
> -@@ -1328,7 +1328,7 @@
> +@@ -1363,7 +1363,7 @@
>     *
>     * Comment this macro to disable support for truncated HMAC in SSL
>     */
> @@ -155,7 +155,7 @@
>    
>    /**
>     * \def MBEDTLS_THREADING_ALT
> -@@ -1362,8 +1362,8 @@
> +@@ -1397,8 +1397,8 @@
>     * Requires: MBEDTLS_VERSION_C
>     *
>     * Comment this to disable run-time checking and save ROM space
> @@ -165,7 +165,7 @@
>    
>    /**
>     * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
> -@@ -1684,7 +1684,7 @@
> +@@ -1719,7 +1719,7 @@
>     *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
>     *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
>     */
> @@ -174,7 +174,7 @@
>    
>    /**
>     * \def MBEDTLS_CCM_C
> -@@ -1698,7 +1698,7 @@
> +@@ -1733,7 +1733,7 @@
>     * This module enables the AES-CCM ciphersuites, if other requisites are
>     * enabled as well.
>     */
> @@ -183,7 +183,7 @@
>    
>    /**
>     * \def MBEDTLS_CERTS_C
> -@@ -1710,7 +1710,7 @@
> +@@ -1745,7 +1745,7 @@
>     *
>     * This module is used for testing (ssl_client/server).
>     */
> @@ -192,7 +192,7 @@
>    
>    /**
>     * \def MBEDTLS_CIPHER_C
> -@@ -1763,7 +1763,7 @@
> +@@ -1798,7 +1798,7 @@
>     *
>     * This module provides debugging functions.
>     */
> @@ -201,7 +201,7 @@
>    
>    /**
>     * \def MBEDTLS_DES_C
> -@@ -1788,8 +1788,8 @@
> +@@ -1823,8 +1823,8 @@
>     *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
>     *
>     * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
> @@ -211,7 +211,7 @@
>    
>    /**
>     * \def MBEDTLS_DHM_C
> -@@ -1943,8 +1943,8 @@
> +@@ -1978,8 +1978,8 @@
>     * Requires: MBEDTLS_MD_C
>     *
>     * Uncomment to enable the HMAC_DRBG random number geerator.
> @@ -221,7 +221,7 @@
>    
>    /**
>     * \def MBEDTLS_MD_C
> -@@ -2221,7 +2221,7 @@
> +@@ -2256,7 +2256,7 @@
>     * Caller:  library/md.c
>     *
>     */
> @@ -230,7 +230,7 @@
>    
>    /**
>     * \def MBEDTLS_RSA_C
> -@@ -2299,8 +2299,8 @@
> +@@ -2334,8 +2334,8 @@
>     * Caller:
>     *
>     * Requires: MBEDTLS_SSL_CACHE_C
> @@ -240,7 +240,7 @@
>    
>    /**
>     * \def MBEDTLS_SSL_COOKIE_C
> -@@ -2321,8 +2321,8 @@
> +@@ -2356,8 +2356,8 @@
>     * Caller:
>     *
>     * Requires: MBEDTLS_CIPHER_C
> @@ -250,7 +250,7 @@
>    
>    /**
>     * \def MBEDTLS_SSL_CLI_C
> -@@ -2421,8 +2421,8 @@
> +@@ -2456,8 +2456,8 @@
>     * Module:  library/version.c
>     *
>     * This module provides run-time version information.
> @@ -260,7 +260,7 @@
>    
>    /**
>     * \def MBEDTLS_X509_USE_C
> -@@ -2532,7 +2532,7 @@
> +@@ -2567,7 +2567,7 @@
>     * Module:  library/xtea.c
>     * Caller:
>     */
>

More information about the Lede-dev mailing list