[{"id":1762256,"web_url":"http://patchwork.ozlabs.org/comment/1762256/","msgid":"<eaa5fefe-88e8-a7bd-ef42-89638cf7b4c1@gmail.com>","list_archive_url":null,"date":"2017-09-03T12:45:38","subject":"Re: [LEDE-DEV] [PATCH] mbedtls: update to 2.6.0 CVE-2017-14032","submitter":{"id":66631,"url":"http://patchwork.ozlabs.org/api/people/66631/","name":"Magnus Kroken","email":"mkroken@gmail.com"},"content":"On 01.09.2017 20:04, Kevin Darbyshire-Bryant wrote:\n> compile & run tested: ar71xx - archer C7 v2\n> \n\nTested-by: Magnus Kroken <mkroken@gmail.com>\n\nRuntime-tested on powerpc/mpc85xx.\n\nTests run:\nConnect to uhttpd with TLS - successful\nDownload HTTPS URL with uclient-fetch - successful\nConnect to openvpn-mbedtls server - successful\n\n/Magnus\n\n> \n>   package/libs/mbedtls/Makefile                 |  4 +--\n>   package/libs/mbedtls/patches/200-config.patch | 52 +++++++++++++--------------\n>   2 files changed, 28 insertions(+), 28 deletions(-)\n> \n> diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile\n> index 4cceb74..0e33831 100644\n> --- a/package/libs/mbedtls/Makefile\n> +++ b/package/libs/mbedtls/Makefile\n> @@ -8,13 +8,13 @@\n>   include $(TOPDIR)/rules.mk\n>   \n>   PKG_NAME:=mbedtls\n> -PKG_VERSION:=2.5.1\n> +PKG_VERSION:=2.6.0\n>   PKG_RELEASE:=1\n>   PKG_USE_MIPS16:=0\n>   \n>   PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz\n>   PKG_SOURCE_URL:=https://tls.mbed.org/download/\n> -PKG_HASH:=312f020006f0d8e9ede3ed8e73d907a629baf6475229703941769372ab0adee2\n> +PKG_HASH:=a99959d7360def22f9108d2d487c9de384fe76c349697176b1f22370080d5810\n>   \n>   PKG_BUILD_PARALLEL:=1\n>   PKG_LICENSE:=GPL-2.0+\n> diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch\n> index 39de3cc..5fbd6b1 100644\n> --- a/package/libs/mbedtls/patches/200-config.patch\n> +++ b/package/libs/mbedtls/patches/200-config.patch\n> @@ -1,6 +1,6 @@\n>   --- a/include/mbedtls/config.h\n>   
+++ b/include/mbedtls/config.h\n> -@@ -191,7 +191,7 @@\n> +@@ -220,7 +220,7 @@\n>     *\n>     * Uncomment to get errors on using deprecated functions.\n>     */\n> @@ -9,7 +9,7 @@\n>    \n>    /* \\} name SECTION: System support */\n>    \n> -@@ -504,17 +504,17 @@\n> +@@ -539,17 +539,17 @@\n>     *\n>     * Comment macros to disable the curve and functions for it\n>     */\n> @@ -35,7 +35,7 @@\n>    #define MBEDTLS_ECP_DP_CURVE25519_ENABLED\n>    \n>    /**\n> -@@ -539,8 +539,8 @@\n> +@@ -574,8 +574,8 @@\n>     * Requires: MBEDTLS_HMAC_DRBG_C\n>     *\n>     * Comment this macro to disable deterministic ECDSA.\n> @@ -45,7 +45,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED\n> -@@ -586,7 +586,7 @@\n> +@@ -621,7 +621,7 @@\n>     *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA\n>     *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA\n>     */\n> @@ -54,7 +54,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED\n> -@@ -605,8 +605,8 @@\n> +@@ -640,8 +640,8 @@\n>     *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256\n>     *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA\n>     *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA\n> @@ -64,7 +64,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED\n> -@@ -631,7 +631,7 @@\n> +@@ -666,7 +666,7 @@\n>     *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA\n>     *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA\n>     */\n> @@ -73,7 +73,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED\n> -@@ -758,7 +758,7 @@\n> +@@ -793,7 +793,7 @@\n>     *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256\n>     *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384\n>     */\n> @@ -82,7 +82,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED\n> -@@ -782,7 +782,7 @@\n> +@@ -817,7 +817,7 @@\n>     *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256\n>     *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384\n>     */\n> 
@@ -91,7 +91,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED\n> -@@ -886,7 +886,7 @@\n> +@@ -921,7 +921,7 @@\n>     * This option is only useful if both MBEDTLS_SHA256_C and\n>     * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.\n>     */\n> @@ -100,7 +100,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_ENTROPY_NV_SEED\n> -@@ -980,14 +980,14 @@\n> +@@ -1015,14 +1015,14 @@\n>     * Uncomment this macro to disable the use of CRT in RSA.\n>     *\n>     */\n> @@ -117,7 +117,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_SHA256_SMALLER\n> -@@ -1003,7 +1003,7 @@\n> +@@ -1038,7 +1038,7 @@\n>     *\n>     * Uncomment to enable the smaller implementation of SHA256.\n>     */\n> @@ -126,7 +126,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_SSL_ALL_ALERT_MESSAGES\n> -@@ -1122,8 +1122,8 @@\n> +@@ -1157,8 +1157,8 @@\n>     * misuse/misunderstand.\n>     *\n>     * Comment this to disable support for renegotiation.\n> @@ -136,7 +136,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO\n> -@@ -1297,8 +1297,8 @@\n> +@@ -1332,8 +1332,8 @@\n>     * callbacks are provided by MBEDTLS_SSL_TICKET_C.\n>     *\n>     * Comment this macro to disable support for SSL session tickets\n> @@ -146,7 +146,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_SSL_EXPORT_KEYS\n> -@@ -1328,7 +1328,7 @@\n> +@@ -1363,7 +1363,7 @@\n>     *\n>     * Comment this macro to disable support for truncated HMAC in SSL\n>     */\n> @@ -155,7 +155,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_THREADING_ALT\n> -@@ -1362,8 +1362,8 @@\n> +@@ -1397,8 +1397,8 @@\n>     * Requires: MBEDTLS_VERSION_C\n>     *\n>     * Comment this to disable run-time checking and save ROM space\n> @@ -165,7 +165,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3\n> -@@ -1684,7 +1684,7 @@\n> +@@ -1719,7 +1719,7 @@\n>     *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256\n>     *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256\n>     */\n> 
@@ -174,7 +174,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_CCM_C\n> -@@ -1698,7 +1698,7 @@\n> +@@ -1733,7 +1733,7 @@\n>     * This module enables the AES-CCM ciphersuites, if other requisites are\n>     * enabled as well.\n>     */\n> @@ -183,7 +183,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_CERTS_C\n> -@@ -1710,7 +1710,7 @@\n> +@@ -1745,7 +1745,7 @@\n>     *\n>     * This module is used for testing (ssl_client/server).\n>     */\n> @@ -192,7 +192,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_CIPHER_C\n> -@@ -1763,7 +1763,7 @@\n> +@@ -1798,7 +1798,7 @@\n>     *\n>     * This module provides debugging functions.\n>     */\n> @@ -201,7 +201,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_DES_C\n> -@@ -1788,8 +1788,8 @@\n> +@@ -1823,8 +1823,8 @@\n>     *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA\n>     *\n>     * PEM_PARSE uses DES/3DES for decrypting encrypted keys.\n> @@ -211,7 +211,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_DHM_C\n> -@@ -1943,8 +1943,8 @@\n> +@@ -1978,8 +1978,8 @@\n>     * Requires: MBEDTLS_MD_C\n>     *\n>     * Uncomment to enable the HMAC_DRBG random number geerator.\n> @@ -221,7 +221,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_MD_C\n> -@@ -2221,7 +2221,7 @@\n> +@@ -2256,7 +2256,7 @@\n>     * Caller:  library/md.c\n>     *\n>     */\n> @@ -230,7 +230,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_RSA_C\n> -@@ -2299,8 +2299,8 @@\n> +@@ -2334,8 +2334,8 @@\n>     * Caller:\n>     *\n>     * Requires: MBEDTLS_SSL_CACHE_C\n> @@ -240,7 +240,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_SSL_COOKIE_C\n> -@@ -2321,8 +2321,8 @@\n> +@@ -2356,8 +2356,8 @@\n>     * Caller:\n>     *\n>     * Requires: MBEDTLS_CIPHER_C\n> @@ -250,7 +250,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_SSL_CLI_C\n> -@@ -2421,8 +2421,8 @@\n> +@@ -2456,8 +2456,8 @@\n>     * Module:  library/version.c\n>     *\n>     * This module provides run-time version information.\n> 
@@ -260,7 +260,7 @@\n>    \n>    /**\n>     * \\def MBEDTLS_X509_USE_C\n> -@@ -2532,7 +2532,7 @@\n> +@@ -2567,7 +2567,7 @@\n>     * Module:  library/xtea.c\n>     * Caller:\n>     */\n>","headers":{"Return-Path":"<lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":["ozlabs.org; spf=none (mailfrom)\n\tsmtp.mailfrom=lists.infradead.org (client-ip=65.50.211.133;\n\thelo=bombadil.infradead.org;\n\tenvelope-from=lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n\treceiver=<UNKNOWN>)","ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) header.d=lists.infradead.org\n\theader.i=@lists.infradead.org header.b=\"BMkwkhQD\"; \n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"QhLl4zGY\"; dkim-atps=neutral"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n\t[65.50.211.133])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256\n\tbits)) (No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xlXm14NfWz9s7c\n\tfor <incoming@patchwork.ozlabs.org>;\n\tSun,  3 Sep 2017 22:46:24 +1000 (AEST)","from localhost ([127.0.0.1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux))\n\tid 1doUHv-0001tQ-41; Sun, 03 Sep 2017 12:46:07 +0000","from mail-qt0-x243.google.com ([2607:f8b0:400d:c0d::243])\n\tby bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux))\n\tid 1doUHr-0001qv-JF\n\tfor lede-dev@lists.infradead.org; Sun, 03 Sep 2017 12:46:06 +0000","by mail-qt0-x243.google.com with SMTP id h15so2926255qta.0\n\tfor <lede-dev@lists.infradead.org>;\n\tSun, 03 Sep 2017 05:45:41 -0700 (PDT)","from [172.16.1.187] (113.229.16.62.customer.cdi.no.\n\t[62.16.229.113]) by smtp.gmail.com with ESMTPSA 
id\n\tu195sm2324568qka.37.2017.09.03.05.45.38\n\tfor <lede-dev@lists.infradead.org>\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tSun, 03 Sep 2017 05:45:39 -0700 (PDT)"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20170209; h=Sender:Content-Type:\n\tContent-Transfer-Encoding:List-Subscribe:List-Help:List-Post:List-Archive:\n\tList-Unsubscribe:List-Id:Subject:In-Reply-To:MIME-Version:Date:Message-ID:\n\tFrom:References:To:Reply-To:Cc:Content-ID:Content-Description:Resent-Date:\n\tResent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;\n\tbh=OjK9oQnk1ay3DRkTPv3cNow+VteEeTBvJRCX2BMuGlY=;\n\tb=BMkwkhQDHDcxSsGjaAAxk+Pqd\n\ti2MiWWksfaLogshLmmpSm7SAlR1AgE/ocrU70KlqlVPfg3z/peLZ15j24lkN3+YhnVCi6ZQSsDFie\n\t74XPUDPjFsvnetdKCjjAU9Paj8P6P0kDpQut8+pGL7JTLAaHN7ocDFaRTkbF8GHmgHyccrGHZG4Fh\n\tgDVTDv8mwc9+AvkKV1BkIIR1/4UAz6pFvDUQOm+jR4yAGMU4jop+u55L4XMb4Rx5oqRgT6f45c19m\n\t66bpOpJCfHE1e/pMdBUQqw2Nr+lwzeERSNlBsxkMXmIsXj1uikicelECsM/9eI7JNWzLhntwOWFXU\n\tfnccLtCoQ==;","v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;\n\th=subject:to:references:from:message-id:date:user-agent:mime-version\n\t:in-reply-to:content-language:content-transfer-encoding;\n\tbh=HupT4ehWc/nrJSEkAQy4zsTTbcEB0V/frISyB50eg4E=;\n\tb=QhLl4zGY7UJvSUV0KcVLAV8+0AfGhMSbAmTySEURR73femS2HNfRJEHQZrQznSLqln\n\tUHpcgzeJ/UpoFoiohrirYs+o1yICC1NqSzLctY9VXJfuysNRuwaThxabSQz9Tx43oVNM\n\t7eIlxY0UHP4U7TU7jFo1e+ZeA3mat0UqHOo6Mj6DrrVHTl6Cjr1rrWedgNSHbxD8z86I\n\tqDbdcgpfjpA3D3HdKNL5raIm7nmhklv+G+13jB/YW9a+zFkOvi526J3aTzKmpBNGvpfW\n\t8qe2RoL6yOZc+KMXSo8cMK9/u5/7KDN9b0AIiV30AkhDd0Yp6OtrXJnfWqjB+TQXsF7r\n\tAiJw=="],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; 
s=20161025;\n\th=x-gm-message-state:subject:to:references:from:message-id:date\n\t:user-agent:mime-version:in-reply-to:content-language\n\t:content-transfer-encoding;\n\tbh=HupT4ehWc/nrJSEkAQy4zsTTbcEB0V/frISyB50eg4E=;\n\tb=Am6uw+/pokRRCdGC3BYDxW7UfdG9gk6/7DIZkcAQV8dpb+Uq3Mc0cTUqyEe5cz1RWb\n\tBPRD7oUE9UIIgmiGpStw9TjhWrwTOBGfIBLKldBd7pSv9YWcCmfkhAoGzSJxdIUrgJby\n\tlJmArzpmRwe17bq7zxYAKGq/kkg2GWXiirdzeahJ1o6TMw5E3fitL5/Ags/otBOXuuV7\n\tyAPTyVpNHY0DVg7sSTZoh0Qst9nXmi7vgdWTDAyPRtoRdLGWZM08E7wdAUOq6x1fnNhx\n\tN92UropzexLjZ0oO534YpfLeqs6+ZQLzxQ8WVkF7sy124maQqA7ZKX1Ea/aKiJQjpDUr\n\tkNHQ==","X-Gm-Message-State":"AHPjjUjbs2LVa+N7xdx96T3C/7nfnwtHfxr/2kHNdIGxM56lNe0q6U7k\n\trN5Bau8xe1tFavoQbkE=","X-Google-Smtp-Source":"ADKCNb7bCa/J024H89biFUdsaiyeJGLwBaS1XllJ8e6LzNeEB4fXODF5Yu0rPfIFhOo96OM/kg3jDQ==","X-Received":"by 10.200.47.229 with SMTP id m34mr11503081qta.55.1504442740399; \n\tSun, 03 Sep 2017 05:45:40 -0700 (PDT)","To":"lede-dev@lists.infradead.org","References":"<1504289069-11044-1-git-send-email-kevin@darbyshire-bryant.me.uk>","From":"Magnus Kroken <mkroken@gmail.com>","Message-ID":"<eaa5fefe-88e8-a7bd-ef42-89638cf7b4c1@gmail.com>","Date":"Sun, 3 Sep 2017 14:45:38 +0200","User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101\n\tThunderbird/52.3.0","MIME-Version":"1.0","In-Reply-To":"<1504289069-11044-1-git-send-email-kevin@darbyshire-bryant.me.uk>","Content-Language":"en-US","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20170903_054603_810299_96991278 ","X-CRM114-Status":"GOOD (  10.89  )","X-Spam-Score":"-2.0 (--)","X-Spam-Report":"SpamAssassin version 3.4.1 on bombadil.infradead.org summary:\n\tContent analysis details:   (-2.0 points)\n\tpts rule name              description\n\t---- ----------------------\n\t--------------------------------------------------\n\t-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/,\n\tno\n\ttrust [2607:f8b0:400d:c0d:0:0:0:243 listed in] 
[list.dnswl.org]\n\t-0.0 SPF_PASS               SPF: sender matches SPF record\n\t0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail\n\tprovider (mkroken[at]gmail.com)\n\t-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n\t[score: 0.0000]\n\t-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature\n\t0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n\tnot necessarily valid\n\t-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from\n\tauthor's domain","Subject":"Re: [LEDE-DEV] [PATCH] mbedtls: update to 2.6.0 CVE-2017-14032","X-BeenThere":"lede-dev@lists.infradead.org","X-Mailman-Version":"2.1.21","Precedence":"list","List-Id":"<lede-dev.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/lede-dev>,\n\t<mailto:lede-dev-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/lede-dev/>","List-Post":"<mailto:lede-dev@lists.infradead.org>","List-Help":"<mailto:lede-dev-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/lede-dev>,\n\t<mailto:lede-dev-request@lists.infradead.org?subject=subscribe>","Content-Transfer-Encoding":"7bit","Content-Type":"text/plain; charset=\"us-ascii\"; Format=\"flowed\"","Sender":"\"Lede-dev\" <lede-dev-bounces@lists.infradead.org>","Errors-To":"lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"}}]