From patchwork Tue Sep 1 20:28:25 2020
X-Patchwork-Submitter: Magnus Kroken
X-Patchwork-Id: 1355347
X-Patchwork-Delegate: hauke@hauke-m.de
From: Magnus Kroken
To: openwrt-devel@lists.openwrt.org
Cc: Magnus Kroken
Subject: [PATCH] mbedtls: update to 2.16.8
Date: Tue, 1 Sep 2020 22:28:25 +0200
Message-Id: <20200901202825.31239-1-mkroken@gmail.com>

This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues and the most notable of them
are described in more detail in the security advisories.

* Local side channel attack on RSA and static Diffie-Hellman
* Local side channel attack on classical CBC decryption in (D)TLS
* When checking X.509 CRLs, a certificate was only considered as revoked
  if its revocationDate was in the past according to the local clock if
  available.

Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8

Signed-off-by: Magnus Kroken
---
 package/libs/mbedtls/Makefile | 4 +-
 package/libs/mbedtls/patches/200-config.patch | 46 +++++++++----------
 2 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile index 0fa95ee6b5..27f50f8dde 100644 --- a/package/libs/mbedtls/Makefile +++ b/package/libs/mbedtls/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mbedtls -PKG_VERSION:=2.16.7 +PKG_VERSION:=2.16.8 PKG_RELEASE:=1 PKG_USE_MIPS16:=0 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=c95b11557ee97d2bdfd48cd57cf9b648a6cddd2ca879e3c35c4e7525f2871992 +PKG_HASH:=fe9e3b15c3375943bdfebbbb20dd6b4f1147b3b5d926248bd835d73247407430 PKG_BUILD_PARALLEL:=1 PKG_LICENSE:=GPL-2.0-or-later diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch index 70d178feb8..4cdeed921d 100644 --- a/package/libs/mbedtls/patches/200-config.patch +++ b/package/libs/mbedtls/patches/200-config.patch @@ -1,6 +1,6 @@ --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h -@@ -658,14 +658,14 @@ +@@ -692,14 +692,14 @@ * * Enable Output Feedback mode (OFB) for symmetric ciphers. */ @@ -17,7 +17,7 @@ /** * \def MBEDTLS_CIPHER_NULL_CIPHER -@@ -782,19 +782,19 @@ +@@ -816,19 +816,19 @@ * * Comment macros to disable the curve and functions for it */ @@ -46,7 +46,7 @@ /** * \def MBEDTLS_ECP_NIST_OPTIM -@@ -918,7 +918,7 @@ +@@ -952,7 +952,7 @@ * See dhm.h for more details. * */ 
@@ -55,7 +55,7 @@ /** * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -@@ -938,7 +938,7 @@ +@@ -972,7 +972,7 @@ * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA */ @@ -64,7 +64,7 @@ /** * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED -@@ -963,7 +963,7 @@ +@@ -997,7 +997,7 @@ * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA */ @@ -73,7 +73,7 @@ /** * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED -@@ -1097,7 +1097,7 @@ +@@ -1131,7 +1131,7 @@ * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */ @@ -82,7 +82,7 @@ /** * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED -@@ -1121,7 +1121,7 @@ +@@ -1155,7 +1155,7 @@ * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */ @@ -91,7 +91,7 @@ /** * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -@@ -1225,7 +1225,7 @@ +@@ -1259,7 +1259,7 @@ * This option is only useful if both MBEDTLS_SHA256_C and * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. */ @@ -100,7 +100,7 @@ /** * \def MBEDTLS_ENTROPY_NV_SEED -@@ -1320,14 +1320,14 @@ +@@ -1354,14 +1354,14 @@ * Uncomment this macro to disable the use of CRT in RSA. * */ @@ -117,7 +117,7 @@ /** * \def MBEDTLS_SHA256_SMALLER -@@ -1481,7 +1481,7 @@ +@@ -1515,7 +1515,7 @@ * configuration of this extension). * */ @@ -126,7 +126,7 @@ /** * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO -@@ -1656,7 +1656,7 @@ +@@ -1690,7 +1690,7 @@ * * Comment this macro to disable support for SSL session tickets */ @@ -135,7 +135,7 @@ /** * \def MBEDTLS_SSL_EXPORT_KEYS -@@ -1686,7 +1686,7 @@ +@@ -1720,7 +1720,7 @@ * * Comment this macro to disable support for truncated HMAC in SSL */ @@ -144,7 +144,7 @@ /** * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT -@@ -1745,7 +1745,7 @@ +@@ -1779,7 +1779,7 @@ * * Comment this to disable run-time checking and save ROM space */ 
@@ -153,7 +153,7 @@ /** * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 -@@ -2075,7 +2075,7 @@ +@@ -2109,7 +2109,7 @@ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */ @@ -162,7 +162,7 @@ /** * \def MBEDTLS_ARIA_C -@@ -2141,7 +2141,7 @@ +@@ -2175,7 +2175,7 @@ * This module enables the AES-CCM ciphersuites, if other requisites are * enabled as well. */ @@ -171,7 +171,7 @@ /** * \def MBEDTLS_CERTS_C -@@ -2153,7 +2153,7 @@ +@@ -2187,7 +2187,7 @@ * * This module is used for testing (ssl_client/server). */ @@ -180,7 +180,7 @@ /** * \def MBEDTLS_CHACHA20_C -@@ -2261,7 +2261,7 @@ +@@ -2295,7 +2295,7 @@ * \warning DES is considered a weak cipher and its use constitutes a * security risk. We recommend considering stronger ciphers instead. */ @@ -189,7 +189,7 @@ /** * \def MBEDTLS_DHM_C -@@ -2424,7 +2424,7 @@ +@@ -2458,7 +2458,7 @@ * This module adds support for the Hashed Message Authentication Code * (HMAC)-based key derivation function (HKDF). */ @@ -198,7 +198,7 @@ /** * \def MBEDTLS_HMAC_DRBG_C -@@ -2734,7 +2734,7 @@ +@@ -2768,7 +2768,7 @@ * * This module enables abstraction of common (libc) functions. */ @@ -207,7 +207,7 @@ /** * \def MBEDTLS_POLY1305_C -@@ -2755,7 +2755,7 @@ +@@ -2789,7 +2789,7 @@ * Caller: library/md.c * */ @@ -216,7 +216,7 @@ /** * \def MBEDTLS_RSA_C -@@ -2862,7 +2862,7 @@ +@@ -2896,7 +2896,7 @@ * * Requires: MBEDTLS_CIPHER_C */ @@ -225,7 +225,7 @@ /** * \def MBEDTLS_SSL_CLI_C -@@ -2962,7 +2962,7 @@ +@@ -2996,7 +2996,7 @@ * * This module provides run-time version information. */ @@ -234,7 +234,7 @@ /** * \def MBEDTLS_X509_USE_C -@@ -3072,7 +3072,7 @@ +@@ -3106,7 +3106,7 @@ * Module: library/xtea.c * Caller: */
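
Review bot: In the package/libs/mbedtls/Makefile hunk, the new PKG_HASH is the only integrity check on an archive fetched from the codeload.github.com address in PKG_SOURCE_URL, and neither the hunk nor the commit message says how the fe9e3b15... value was obtained. Please record in the commit message how the hash was verified (for example against a second, independent download, or against the checksum in the release announcement if it lists one) so the bump can be reproduced by a reviewer. The message also names three security fixes but links only the release page; linking the advisories it refers to would help anyone deciding whether to backport this to stable branches.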
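
Review bot: In the package/libs/mbedtls/patches/200-config.patch diff, all 23 inner hunk headers move by the same +34 lines (658 to 692 for the first, 3072 to 3106 for the last) and no hunk body changes, so upstream added a net 34 lines to include/mbedtls/config.h above the first patched option and this refresh silently accepts whatever defaults those lines carry. Please say in the commit message what was added there in 2.16.8 and whether OpenWrt keeps it at the upstream default or should override it in this config patch.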