From patchwork Sat Aug 15 17:48:53 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hauke Mehrtens X-Patchwork-Id: 1345312 X-Patchwork-Delegate: hauke@hauke-m.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=hauke-m.de Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=vghq05Gl; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BTSWq6cbYz9sTF for ; Sun, 16 Aug 2020 03:50:31 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=0HSXy5nQbQZL0SbnLh3L8x8DYgoIaNeR9SH4VLXtDP4=; b=vghq05GlI/KZ0c/H0///o+jWZa TQOts+/+QrUwQ7yBvFeGRIANOvlB12ZxFILi6GeHFxCoiaXNyAoc+PB/sva83czoBm7iJU9k5ZSKk 4fIU3NwCVqn359hweO4YipaYY3uqQmD5jOna+/NvgwUt2KbzhJhFTtoA/Bd15AwHPlEBYdGbzqnw8 ha5SdAn8A6TD93B5YE+L0QKOWkOoJ6ihNGyID6TO2ZlCfTzGYy/wOTvFCIwdlTPNw22imLpF4Nfdd Z7j++fEz+zUDp3PdsPo71nCLRconFjo94zOOeWHhecDXbcMEdFzxTnUbDVveiNcATEdOCVR4mJgYf oP2hkNaA==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1k70Ik-0002tN-Pu; Sat, 15 Aug 2020 17:49:06 +0000 Received: from mout-p-201.mailbox.org ([2001:67c:2050::465:201]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1k70Ii-0002t1-4t for openwrt-devel@lists.openwrt.org; Sat, 15 Aug 2020 17:49:05 +0000 Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mout-p-201.mailbox.org (Postfix) with ESMTPS id 4BTSV46X26zQkm6; Sat, 15 Aug 2020 19:49:00 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp1.mailbox.org ([80.241.60.240]) by spamfilter04.heinlein-hosting.de (spamfilter04.heinlein-hosting.de [80.241.56.122]) (amavisd-new, port 10030) with ESMTP id fct4UkmqoyHA; Sat, 15 Aug 2020 19:48:56 +0200 (CEST) From: Hauke Mehrtens To: openwrt-devel@lists.openwrt.org Subject: [PATCH] mbedtls: Update to version 2.16.7 Date: Sat, 15 Aug 2020 19:48:53 +0200 Message-Id: <20200815174853.24473-1-hauke@hauke-m.de> MIME-Version: 1.0 X-MBO-SPAM-Probability: X-Rspamd-Score: -6.73 / 15.00 / 15.00 X-Rspamd-Queue-Id: 9BDDC17F1 X-Rspamd-UID: ee8bad X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200815_134904_331064_F05EC077 X-CRM114-Status: GOOD ( 16.83 ) X-Spam-Score: 0.0 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2001:67c:2050:0:0:0:465:201 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hauke Mehrtens Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This fixes multiple minor security problems. Signed-off-by: Hauke Mehrtens --- package/libs/mbedtls/Makefile | 8 ++-- package/libs/mbedtls/patches/200-config.patch | 46 +++++++++---------- 2 files changed, 27 insertions(+), 27 deletions(-) diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile index 04f80f471553..8ba0d5002f50 100644 --- a/package/libs/mbedtls/Makefile +++ b/package/libs/mbedtls/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mbedtls -PKG_VERSION:=2.16.6 +PKG_VERSION:=2.16.7 PKG_RELEASE:=1 PKG_USE_MIPS16:=0 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz -PKG_SOURCE_URL:=https://tls.mbed.org/download/ -PKG_HASH:=80a484df42f32dbe95665cd4b18ce0dd14b6c67dfd561d36d1475802e41eb3ed +PKG_SOURCE:=v$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://github.com/ARMmbed/mbedtls/archive/ +PKG_HASH:=c95b11557ee97d2bdfd48cd57cf9b648a6cddd2ca879e3c35c4e7525f2871992 PKG_BUILD_PARALLEL:=1 PKG_LICENSE:=GPL-2.0-or-later diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch index 298fa4aa7964..70d178feb8ea 100644 --- a/package/libs/mbedtls/patches/200-config.patch +++ b/package/libs/mbedtls/patches/200-config.patch @@ -1,6 +1,6 @@ --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h -@@ -633,14 +633,14 @@ +@@ -658,14 +658,14 @@ * * Enable Output Feedback mode (OFB) for symmetric ciphers. */ @@ -17,7 +17,7 @@ /** * \def MBEDTLS_CIPHER_NULL_CIPHER -@@ -757,19 +757,19 @@ +@@ -782,19 +782,19 @@ * * Comment macros to disable the curve and functions for it */ @@ -46,7 +46,7 @@ /** * \def MBEDTLS_ECP_NIST_OPTIM -@@ -871,7 +871,7 @@ +@@ -918,7 +918,7 @@ * See dhm.h for more details. * */ @@ -55,7 +55,7 @@ /** * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -@@ -891,7 +891,7 @@ +@@ -938,7 +938,7 @@ * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA */ @@ -64,7 +64,7 @@ /** * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED -@@ -916,7 +916,7 @@ +@@ -963,7 +963,7 @@ * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA */ @@ -73,7 +73,7 @@ /** * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED -@@ -1050,7 +1050,7 @@ +@@ -1097,7 +1097,7 @@ * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */ @@ -82,7 +82,7 @@ /** * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED -@@ -1074,7 +1074,7 @@ +@@ -1121,7 +1121,7 @@ * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */ @@ -91,7 +91,7 @@ /** * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -@@ -1178,7 +1178,7 @@ +@@ -1225,7 +1225,7 @@ * This option is only useful if both MBEDTLS_SHA256_C and * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. */ @@ -100,7 +100,7 @@ /** * \def MBEDTLS_ENTROPY_NV_SEED -@@ -1273,14 +1273,14 @@ +@@ -1320,14 +1320,14 @@ * Uncomment this macro to disable the use of CRT in RSA. * */ @@ -117,7 +117,7 @@ /** * \def MBEDTLS_SHA256_SMALLER -@@ -1434,7 +1434,7 @@ +@@ -1481,7 +1481,7 @@ * configuration of this extension). * */ @@ -126,7 +126,7 @@ /** * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO -@@ -1609,7 +1609,7 @@ +@@ -1656,7 +1656,7 @@ * * Comment this macro to disable support for SSL session tickets */ @@ -135,7 +135,7 @@ /** * \def MBEDTLS_SSL_EXPORT_KEYS -@@ -1639,7 +1639,7 @@ +@@ -1686,7 +1686,7 @@ * * Comment this macro to disable support for truncated HMAC in SSL */ @@ -144,7 +144,7 @@ /** * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT -@@ -1698,7 +1698,7 @@ +@@ -1745,7 +1745,7 @@ * * Comment this to disable run-time checking and save ROM space */ @@ -153,7 +153,7 @@ /** * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 -@@ -2028,7 +2028,7 @@ +@@ -2075,7 +2075,7 @@ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */ @@ -162,7 +162,7 @@ /** * \def MBEDTLS_ARIA_C -@@ -2094,7 +2094,7 @@ +@@ -2141,7 +2141,7 @@ * This module enables the AES-CCM ciphersuites, if other requisites are * enabled as well. */ @@ -171,7 +171,7 @@ /** * \def MBEDTLS_CERTS_C -@@ -2106,7 +2106,7 @@ +@@ -2153,7 +2153,7 @@ * * This module is used for testing (ssl_client/server). */ @@ -180,7 +180,7 @@ /** * \def MBEDTLS_CHACHA20_C -@@ -2214,7 +2214,7 @@ +@@ -2261,7 +2261,7 @@ * \warning DES is considered a weak cipher and its use constitutes a * security risk. We recommend considering stronger ciphers instead. */ @@ -189,7 +189,7 @@ /** * \def MBEDTLS_DHM_C -@@ -2377,7 +2377,7 @@ +@@ -2424,7 +2424,7 @@ * This module adds support for the Hashed Message Authentication Code * (HMAC)-based key derivation function (HKDF). */ @@ -198,7 +198,7 @@ /** * \def MBEDTLS_HMAC_DRBG_C -@@ -2687,7 +2687,7 @@ +@@ -2734,7 +2734,7 @@ * * This module enables abstraction of common (libc) functions. */ @@ -207,7 +207,7 @@ /** * \def MBEDTLS_POLY1305_C -@@ -2708,7 +2708,7 @@ +@@ -2755,7 +2755,7 @@ * Caller: library/md.c * */ @@ -216,7 +216,7 @@ /** * \def MBEDTLS_RSA_C -@@ -2815,7 +2815,7 @@ +@@ -2862,7 +2862,7 @@ * * Requires: MBEDTLS_CIPHER_C */ @@ -225,7 +225,7 @@ /** * \def MBEDTLS_SSL_CLI_C -@@ -2915,7 +2915,7 @@ +@@ -2962,7 +2962,7 @@ * * This module provides run-time version information. */ @@ -234,7 +234,7 @@ /** * \def MBEDTLS_X509_USE_C -@@ -3025,7 +3025,7 @@ +@@ -3072,7 +3072,7 @@ * Module: library/xtea.c * Caller: */