[LEDE-DEV] mbedtls: update to 2.6.0 CVE-2017-14032

Message ID	1504289069-11044-1-git-send-email-kevin@darbyshire-bryant.me.uk
State	Accepted
Headers	show Return-Path: <lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> To: lede-dev@lists.infradead.org Date: Fri, 1 Sep 2017 19:04:29 +0100 Message-Id: <1504289069-11044-1-git-send-email-kevin@darbyshire-bryant.me.uk> MIME-Version: 1.0 Received-SPF: None (protection.outlook.com: darbyshire-bryant.me.uk does not designate permitted sender hosts) X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; HE1PR07MB1033; 23:VF5AijW4rJp2i/Cnm7td831tovCUYxlhRKkoUZLex?= nM4/e0UGVvPkd7F82LRX11FRH8+ZpX/Ps/io1QIo23xHRYkp836W1DotYGke6VyTcCe1vY1ivWCD5n7W4d/vbZ67wM2a+zpJZ+Hx9Z28VAl7Ddy/mNcFTOPCoDI7rzSnIk2XRfwJweAj5PjgT59nFc0Mj+T7ncd0ovwFlSmgqa7QdmYPQKdED5/48RDibl+JlQSMahPP906ym4MRQ5byvtaQ2uAEzRWvgybg++QdXekm7ErRuoiIXWnpQn2xGCzxf6tfC1FIZLpPE6ZgcEIIRWVIWCXhG9QgmRr7awg1Hb9lGPVW8Dhva3TADjo0W+ur2ggv8UMz2m74MK7zmiFWLVwQ7nQNH+c19aj8FwuJhzdosJXJ8LFJwWKWImx+U4BB7gTNhxuSqsbFBDnLCoNS0/auLZM810LY/Hhu2w6EnlHGcxlXupSCL5ky3itnQsbDJVi7ChlsQxStMG63Qnx/EEdXwQR12xfPTd7MArovIZ8VQrnk/vGF89eZ7M4M/dU2woECZiy6QyhhGevGme+IRUF0BEvq8owavongTLgudmNx6+zHfWH5hFWVCZfwWU2fGoo6ASIlCXDeCehEofSb0YqBIJ5QL5OgNygbOVkaTTrHTYHWRQOqmADJ03sHBhmvHIl+EaoepNAM/CJmg5pob67JwtSiKvQGaNml9xErox24q6FIz1a4htdozrtdhJN5+z4Etqj9udLns/KCnJ+kmM5kfRkVfq7yUb6GQCyAFRxrxGBTKkkZqYNG0UVc4FMGvQEUhHfRqW7CntxzxunoqQnfOGbnT8+CwVCF6W8/KDYS0U3ogu2XeQo6GEpl7YWiH9rPD3VrdUF9rf5Y9BicEm9/d7Nxy7Lnesm6drlae1bcaDIXX6dsnlxYlQ3J47Bkq5mIKPm63CFvCYXM4o4x+RoOc7l0TOszE+e2FucWyVz77qCZ6i5MoS6xaLP+/z1ap7zCAaQ3nP06xjEK+sA5YlOsVaN0F6XfhrmGJRokc/8kNYq3VTM12apRaNFDtDHpdgwpDKeH/pFV6tU6ONF4hD2jrqlndJS8+SmaZTt/hWZcYl7BPC9mLz4q1lNNpm7lRdoIlaJC/diegmjoardKBg/5j4LEl9meaf3FcUwQQfQk+e47afiwRCk6l5X1XjNlaYlIvzA0ICQm+50SGnH6T6E9xMDwyMKkOQJ9DgiUrbo7wmg7t9WVwMO5IPZZbxBj+iwP7RQddDRIeM6fMalwuJ2 X-Microsoft-Exchange-Diagnostics: 1; HE1PR07MB1033; 6:ugMfDDkwdovss+ofXCHNAIzBdd+tQtyauc+OD8E/SBwPmkGnWEm6u2aKx+uIbIYHctqLkTkhvIGHw/NcY7nnf03xT6TR3i2jjqhF0Yl5o+EL+Z3tPdteBdSLJVoOCcAQP7tyf6j2kScm8csyrkL0IKkpmTunpvj0R+2qpNhxASOsq/F6qsuZcVKsuxZ6DwRMF5YMddj71B4OR/oh+okPOdrL3C/s8o2Jim0PI2hu2f/TwFUyiH49wLx4hT4R1vX5d48+UlgGSXpB7Xkb112E7Nfn0FAyBlNOfn2+P4s3GlT0qk/bpiXS3L98rgIeYIRzNq4TShYQIriziZQU9cdExA==; 5:CUI6HmQxNqQGbIeIY3S4D2oCquC2rCfAwrpEmYPHlqMYWx2ku8yD7/TuYaCUrV/7jd5wM9qJwolF25YKceLUcIac5w2CJ/aid9SyClBPBsa7I40KSNVVGg47YyGmOlFlW7562WZNfs0x6bvYffOmjQ==; 24:xrSXMIFB0HdvZXsD7yWNGd6S2knda3kucCYdXXOMFSkqWSH/Wb0CiZoTlX5GUCLUU7IXkK7FmdHi01iaEiRAkL75+9sQTnjaiTKG7LQU298=; 7:pHOVsK40Oq1VV4Sr/McwKQBWBgyMmUMCghVArhx9L2pXN5NJ4m0jDHP44Ork4TJr3AJzeTbJXIBForzJyf+nFmGNWCjg6sx/ATpAxXtkmb+w3J8YKcWyUAR/EHdpauscRIA7lUsn1EY0VkpEa27CgGVIXcSqL1nvx9dwemB9ZpIun5V1RbDfEg1YKKJax9b8LqlBn6Uor8rlhNWXE5YtywrgK3bSE1avkK+5ORrQRqc= SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM summary: Content analysis details: (-2.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [104.47.1.82 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [104.47.1.82 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders Subject: [LEDE-DEV] [PATCH] mbedtls: update to 2.6.0 CVE-2017-14032 Precedence: list Cc: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Lede-dev" <lede-dev-bounces@lists.infradead.org> Errors-To: lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	[LEDE-DEV] mbedtls: update to 2.6.0 CVE-2017-14032 \| expand [LEDE-DEV] mbedtls: update to 2.6.0 CVE-2017-14032

Message ID

1504289069-11044-1-git-send-email-kevin@darbyshire-bryant.me.uk

State

Accepted

Headers

From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
To: lede-dev@lists.infradead.org
Date: Fri,  1 Sep 2017 19:04:29 +0100
Message-Id: <1504289069-11044-1-git-send-email-kevin@darbyshire-bryant.me.uk>
MIME-Version: 1.0
Received-SPF: None (protection.outlook.com: darbyshire-bryant.me.uk does not
	designate permitted sender hosts)
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Sep 2017 18:04:56.3432
	(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB1033
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20170901_110523_677359_0B36D7E5 
X-CRM114-Status: UNSURE (   7.97  )
X-CRM114-Notice: Please train this message.
X-Spam-Score: -2.0 (--)
X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary:
	Content analysis details:   (-2.0 points)
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
	-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/,
	no trust [104.47.1.82 listed in list.dnswl.org]
	-0.0 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
	[104.47.1.82 listed in wl.mailspike.net]
	-0.0 SPF_PASS               SPF: sender matches SPF record
	-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
	-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
	[score: 0.0000]
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's
	domain -0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
Subject: [LEDE-DEV] [PATCH] mbedtls: update to 2.6.0 CVE-2017-14032
X-BeenThere: lede-dev@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <lede-dev.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/lede-dev>,
	<mailto:lede-dev-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/lede-dev/>
List-Post: <mailto:lede-dev@lists.infradead.org>
List-Help: <mailto:lede-dev-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/lede-dev>,
	<mailto:lede-dev-request@lists.infradead.org?subject=subscribe>
Cc: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Lede-dev" <lede-dev-bounces@lists.infradead.org>
Errors-To: lede-dev-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

[LEDE-DEV] mbedtls: update to 2.6.0 CVE-2017-14032 | expand

Commit Message

Kevin Darbyshire-Bryant Sept. 1, 2017, 6:04 p.m. UTC

Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
---

compile & run tested: ar71xx - archer C7 v2


 package/libs/mbedtls/Makefile                 |  4 +--
 package/libs/mbedtls/patches/200-config.patch | 52 +++++++++++++--------------
 2 files changed, 28 insertions(+), 28 deletions(-)

Comments

Magnus Kroken Sept. 3, 2017, 12:45 p.m. UTC | #1

On 01.09.2017 20:04, Kevin Darbyshire-Bryant wrote:
> compile & run tested: ar71xx - archer C7 v2
> 

Tested-by: Magnus Kroken <mkroken@gmail.com>

Runtim-tested on powerpc/mpc85xx.

Tests run:
Connect to uhttpd with TLS - successful
Download HTTPS URL with uclient-fetch - successful
Connect to openvpn-mbedtls server - successful

/Magnus

> 
>   package/libs/mbedtls/Makefile                 |  4 +--
>   package/libs/mbedtls/patches/200-config.patch | 52 +++++++++++++--------------
>   2 files changed, 28 insertions(+), 28 deletions(-)
> 
> diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
> index 4cceb74..0e33831 100644
> --- a/package/libs/mbedtls/Makefile
> +++ b/package/libs/mbedtls/Makefile
> @@ -8,13 +8,13 @@
>   include $(TOPDIR)/rules.mk
>   
>   PKG_NAME:=mbedtls
> -PKG_VERSION:=2.5.1
> +PKG_VERSION:=2.6.0
>   PKG_RELEASE:=1
>   PKG_USE_MIPS16:=0
>   
>   PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
>   PKG_SOURCE_URL:=https://tls.mbed.org/download/
> -PKG_HASH:=312f020006f0d8e9ede3ed8e73d907a629baf6475229703941769372ab0adee2
> +PKG_HASH:=a99959d7360def22f9108d2d487c9de384fe76c349697176b1f22370080d5810
>   
>   PKG_BUILD_PARALLEL:=1
>   PKG_LICENSE:=GPL-2.0+
> diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch
> index 39de3cc..5fbd6b1 100644
> --- a/package/libs/mbedtls/patches/200-config.patch
> +++ b/package/libs/mbedtls/patches/200-config.patch
> @@ -1,6 +1,6 @@
>   --- a/include/mbedtls/config.h
>   +++ b/include/mbedtls/config.h
> -@@ -191,7 +191,7 @@
> +@@ -220,7 +220,7 @@
>     *
>     * Uncomment to get errors on using deprecated functions.
>     */
> @@ -9,7 +9,7 @@
>    
>    /* \} name SECTION: System support */
>    
> -@@ -504,17 +504,17 @@
> +@@ -539,17 +539,17 @@
>     *
>     * Comment macros to disable the curve and functions for it
>     */
> @@ -35,7 +35,7 @@
>    #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
>    
>    /**
> -@@ -539,8 +539,8 @@
> +@@ -574,8 +574,8 @@
>     * Requires: MBEDTLS_HMAC_DRBG_C
>     *
>     * Comment this macro to disable deterministic ECDSA.
> @@ -45,7 +45,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
> -@@ -586,7 +586,7 @@
> +@@ -621,7 +621,7 @@
>     *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
>     *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
>     */
> @@ -54,7 +54,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
> -@@ -605,8 +605,8 @@
> +@@ -640,8 +640,8 @@
>     *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
>     *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
>     *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
> @@ -64,7 +64,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
> -@@ -631,7 +631,7 @@
> +@@ -666,7 +666,7 @@
>     *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
>     *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
>     */
> @@ -73,7 +73,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
> -@@ -758,7 +758,7 @@
> +@@ -793,7 +793,7 @@
>     *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
>     *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
>     */
> @@ -82,7 +82,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
> -@@ -782,7 +782,7 @@
> +@@ -817,7 +817,7 @@
>     *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
>     *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
>     */
> @@ -91,7 +91,7 @@
>    
>    /**
>     * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
> -@@ -886,7 +886,7 @@
> +@@ -921,7 +921,7 @@
>     * This option is only useful if both MBEDTLS_SHA256_C and
>     * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
>     */
> @@ -100,7 +100,7 @@
>    
>    /**
>     * \def MBEDTLS_ENTROPY_NV_SEED
> -@@ -980,14 +980,14 @@
> +@@ -1015,14 +1015,14 @@
>     * Uncomment this macro to disable the use of CRT in RSA.
>     *
>     */
> @@ -117,7 +117,7 @@
>    
>    /**
>     * \def MBEDTLS_SHA256_SMALLER
> -@@ -1003,7 +1003,7 @@
> +@@ -1038,7 +1038,7 @@
>     *
>     * Uncomment to enable the smaller implementation of SHA256.
>     */
> @@ -126,7 +126,7 @@
>    
>    /**
>     * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
> -@@ -1122,8 +1122,8 @@
> +@@ -1157,8 +1157,8 @@
>     * misuse/misunderstand.
>     *
>     * Comment this to disable support for renegotiation.
> @@ -136,7 +136,7 @@
>    
>    /**
>     * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
> -@@ -1297,8 +1297,8 @@
> +@@ -1332,8 +1332,8 @@
>     * callbacks are provided by MBEDTLS_SSL_TICKET_C.
>     *
>     * Comment this macro to disable support for SSL session tickets
> @@ -146,7 +146,7 @@
>    
>    /**
>     * \def MBEDTLS_SSL_EXPORT_KEYS
> -@@ -1328,7 +1328,7 @@
> +@@ -1363,7 +1363,7 @@
>     *
>     * Comment this macro to disable support for truncated HMAC in SSL
>     */
> @@ -155,7 +155,7 @@
>    
>    /**
>     * \def MBEDTLS_THREADING_ALT
> -@@ -1362,8 +1362,8 @@
> +@@ -1397,8 +1397,8 @@
>     * Requires: MBEDTLS_VERSION_C
>     *
>     * Comment this to disable run-time checking and save ROM space
> @@ -165,7 +165,7 @@
>    
>    /**
>     * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
> -@@ -1684,7 +1684,7 @@
> +@@ -1719,7 +1719,7 @@
>     *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
>     *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
>     */
> @@ -174,7 +174,7 @@
>    
>    /**
>     * \def MBEDTLS_CCM_C
> -@@ -1698,7 +1698,7 @@
> +@@ -1733,7 +1733,7 @@
>     * This module enables the AES-CCM ciphersuites, if other requisites are
>     * enabled as well.
>     */
> @@ -183,7 +183,7 @@
>    
>    /**
>     * \def MBEDTLS_CERTS_C
> -@@ -1710,7 +1710,7 @@
> +@@ -1745,7 +1745,7 @@
>     *
>     * This module is used for testing (ssl_client/server).
>     */
> @@ -192,7 +192,7 @@
>    
>    /**
>     * \def MBEDTLS_CIPHER_C
> -@@ -1763,7 +1763,7 @@
> +@@ -1798,7 +1798,7 @@
>     *
>     * This module provides debugging functions.
>     */
> @@ -201,7 +201,7 @@
>    
>    /**
>     * \def MBEDTLS_DES_C
> -@@ -1788,8 +1788,8 @@
> +@@ -1823,8 +1823,8 @@
>     *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
>     *
>     * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
> @@ -211,7 +211,7 @@
>    
>    /**
>     * \def MBEDTLS_DHM_C
> -@@ -1943,8 +1943,8 @@
> +@@ -1978,8 +1978,8 @@
>     * Requires: MBEDTLS_MD_C
>     *
>     * Uncomment to enable the HMAC_DRBG random number geerator.
> @@ -221,7 +221,7 @@
>    
>    /**
>     * \def MBEDTLS_MD_C
> -@@ -2221,7 +2221,7 @@
> +@@ -2256,7 +2256,7 @@
>     * Caller:  library/md.c
>     *
>     */
> @@ -230,7 +230,7 @@
>    
>    /**
>     * \def MBEDTLS_RSA_C
> -@@ -2299,8 +2299,8 @@
> +@@ -2334,8 +2334,8 @@
>     * Caller:
>     *
>     * Requires: MBEDTLS_SSL_CACHE_C
> @@ -240,7 +240,7 @@
>    
>    /**
>     * \def MBEDTLS_SSL_COOKIE_C
> -@@ -2321,8 +2321,8 @@
> +@@ -2356,8 +2356,8 @@
>     * Caller:
>     *
>     * Requires: MBEDTLS_CIPHER_C
> @@ -250,7 +250,7 @@
>    
>    /**
>     * \def MBEDTLS_SSL_CLI_C
> -@@ -2421,8 +2421,8 @@
> +@@ -2456,8 +2456,8 @@
>     * Module:  library/version.c
>     *
>     * This module provides run-time version information.
> @@ -260,7 +260,7 @@
>    
>    /**
>     * \def MBEDTLS_X509_USE_C
> -@@ -2532,7 +2532,7 @@
> +@@ -2567,7 +2567,7 @@
>     * Module:  library/xtea.c
>     * Caller:
>     */
>

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 4cceb74..0e33831 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,13 @@ 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.5.1
+PKG_VERSION:=2.6.0
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=312f020006f0d8e9ede3ed8e73d907a629baf6475229703941769372ab0adee2
+PKG_HASH:=a99959d7360def22f9108d2d487c9de384fe76c349697176b1f22370080d5810
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+
diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch
index 39de3cc..5fbd6b1 100644
--- a/package/libs/mbedtls/patches/200-config.patch
+++ b/package/libs/mbedtls/patches/200-config.patch
@@ -1,6 +1,6 @@ 
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -191,7 +191,7 @@
+@@ -220,7 +220,7 @@
   *
   * Uncomment to get errors on using deprecated functions.
   */
@@ -9,7 +9,7 @@ 
  
  /* \} name SECTION: System support */
  
-@@ -504,17 +504,17 @@
+@@ -539,17 +539,17 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -35,7 +35,7 @@ 
  #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
  
  /**
-@@ -539,8 +539,8 @@
+@@ -574,8 +574,8 @@
   * Requires: MBEDTLS_HMAC_DRBG_C
   *
   * Comment this macro to disable deterministic ECDSA.
@@ -45,7 +45,7 @@ 
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-@@ -586,7 +586,7 @@
+@@ -621,7 +621,7 @@
   *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
   */
@@ -54,7 +54,7 @@ 
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -605,8 +605,8 @@
+@@ -640,8 +640,8 @@
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
@@ -64,7 +64,7 @@ 
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -631,7 +631,7 @@
+@@ -666,7 +666,7 @@
   *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@ 
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -758,7 +758,7 @@
+@@ -793,7 +793,7 @@
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -82,7 +82,7 @@ 
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -782,7 +782,7 @@
+@@ -817,7 +817,7 @@
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@ 
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -886,7 +886,7 @@
+@@ -921,7 +921,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -100,7 +100,7 @@ 
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -980,14 +980,14 @@
+@@ -1015,14 +1015,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -117,7 +117,7 @@ 
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1003,7 +1003,7 @@
+@@ -1038,7 +1038,7 @@
   *
   * Uncomment to enable the smaller implementation of SHA256.
   */
@@ -126,7 +126,7 @@ 
  
  /**
   * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
-@@ -1122,8 +1122,8 @@
+@@ -1157,8 +1157,8 @@
   * misuse/misunderstand.
   *
   * Comment this to disable support for renegotiation.
@@ -136,7 +136,7 @@ 
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1297,8 +1297,8 @@
+@@ -1332,8 +1332,8 @@
   * callbacks are provided by MBEDTLS_SSL_TICKET_C.
   *
   * Comment this macro to disable support for SSL session tickets
@@ -146,7 +146,7 @@ 
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1328,7 +1328,7 @@
+@@ -1363,7 +1363,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -155,7 +155,7 @@ 
  
  /**
   * \def MBEDTLS_THREADING_ALT
-@@ -1362,8 +1362,8 @@
+@@ -1397,8 +1397,8 @@
   * Requires: MBEDTLS_VERSION_C
   *
   * Comment this to disable run-time checking and save ROM space
@@ -165,7 +165,7 @@ 
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -1684,7 +1684,7 @@
+@@ -1719,7 +1719,7 @@
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -174,7 +174,7 @@ 
  
  /**
   * \def MBEDTLS_CCM_C
-@@ -1698,7 +1698,7 @@
+@@ -1733,7 +1733,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -183,7 +183,7 @@ 
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -1710,7 +1710,7 @@
+@@ -1745,7 +1745,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -192,7 +192,7 @@ 
  
  /**
   * \def MBEDTLS_CIPHER_C
-@@ -1763,7 +1763,7 @@
+@@ -1798,7 +1798,7 @@
   *
   * This module provides debugging functions.
   */
@@ -201,7 +201,7 @@ 
  
  /**
   * \def MBEDTLS_DES_C
-@@ -1788,8 +1788,8 @@
+@@ -1823,8 +1823,8 @@
   *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
   *
   * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
@@ -211,7 +211,7 @@ 
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -1943,8 +1943,8 @@
+@@ -1978,8 +1978,8 @@
   * Requires: MBEDTLS_MD_C
   *
   * Uncomment to enable the HMAC_DRBG random number geerator.
@@ -221,7 +221,7 @@ 
  
  /**
   * \def MBEDTLS_MD_C
-@@ -2221,7 +2221,7 @@
+@@ -2256,7 +2256,7 @@
   * Caller:  library/md.c
   *
   */
@@ -230,7 +230,7 @@ 
  
  /**
   * \def MBEDTLS_RSA_C
-@@ -2299,8 +2299,8 @@
+@@ -2334,8 +2334,8 @@
   * Caller:
   *
   * Requires: MBEDTLS_SSL_CACHE_C
@@ -240,7 +240,7 @@ 
  
  /**
   * \def MBEDTLS_SSL_COOKIE_C
-@@ -2321,8 +2321,8 @@
+@@ -2356,8 +2356,8 @@
   * Caller:
   *
   * Requires: MBEDTLS_CIPHER_C
@@ -250,7 +250,7 @@ 
  
  /**
   * \def MBEDTLS_SSL_CLI_C
-@@ -2421,8 +2421,8 @@
+@@ -2456,8 +2456,8 @@
   * Module:  library/version.c
   *
   * This module provides run-time version information.
@@ -260,7 +260,7 @@ 
  
  /**
   * \def MBEDTLS_X509_USE_C
-@@ -2532,7 +2532,7 @@
+@@ -2567,7 +2567,7 @@
   * Module:  library/xtea.c
   * Caller:
   */

[LEDE-DEV] mbedtls: update to 2.6.0 CVE-2017-14032

Commit Message

Comments

Patch