package/mbedtls: security bump to version 2.28.2
Fix the following security issues:
- Fix potential heap buffer overread and overwrite in DTLS if
MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
- An adversary with access to precise enough information about memory
accesses (typically, an untrusted operating system attacking a secure
enclave) could recover an RSA private key after observing the victim
performing a single private-key operation if the window size used for
the exponentiation was 3 or smaller.
Drop patch (already in version: 9d9d45c6b2)
https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
parent
9febd64bb0
commit
c2baa583c3
@ -1,74 +0,0 @@
|
|||||||
From a0ae2ba37ca479c6edddec8634b25686be965e0d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Korsgaard <peter@korsgaard.com>
|
|
||||||
Date: Mon, 27 Aug 2018 22:50:57 +0200
|
|
||||||
Subject: [PATCH] bn_mul.h: fix x86 PIC inline ASM compilation with GCC < 5
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Fixes #1910
|
|
||||||
|
|
||||||
With ebx added to the MULADDC_STOP clobber list to fix #1550, the inline
|
|
||||||
assembly fails to build with GCC < 5 in PIC mode with the following error:
|
|
||||||
|
|
||||||
include/mbedtls/bn_mul.h:46:13: error: PIC register clobbered by ‘ebx’ in ‘asm’
|
|
||||||
|
|
||||||
This is because older GCC versions treated the x86 ebx register (which is
|
|
||||||
used for the GOT) as a fixed reserved register when building as PIC.
|
|
||||||
|
|
||||||
This is fixed by an improved register allocator in GCC 5+. From the release
|
|
||||||
notes:
|
|
||||||
|
|
||||||
Register allocation improvements: Reuse of the PIC hard register, instead of
|
|
||||||
using a fixed register, was implemented on x86/x86-64 targets. This
|
|
||||||
improves generated PIC code performance as more hard registers can be used.
|
|
||||||
|
|
||||||
https://www.gnu.org/software/gcc/gcc-5/changes.html
|
|
||||||
|
|
||||||
As a workaround, detect this situation and disable the inline assembly,
|
|
||||||
similar to the MULADDC_CANNOT_USE_R7 logic.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
||||||
Upstream: https://github.com/ARMmbed/mbedtls/pull/1986
|
|
||||||
---
|
|
||||||
include/mbedtls/bn_mul.h | 18 +++++++++++++++++-
|
|
||||||
1 file changed, 17 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/include/mbedtls/bn_mul.h b/include/mbedtls/bn_mul.h
|
|
||||||
index b587317d9..74a2d29be 100644
|
|
||||||
--- a/include/mbedtls/bn_mul.h
|
|
||||||
+++ b/include/mbedtls/bn_mul.h
|
|
||||||
@@ -50,13 +50,29 @@
|
|
||||||
#if defined(__GNUC__) && \
|
|
||||||
( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * GCC < 5.0 treated the x86 ebx (which is used for the GOT) as a
|
|
||||||
+ * fixed reserved register when building as PIC, leading to errors
|
|
||||||
+ * like: bn_mul.h:46:13: error: PIC register clobbered by ‘ebx’ in ‘asm’
|
|
||||||
+ *
|
|
||||||
+ * This is fixed by an improved register allocator in GCC 5+. From the
|
|
||||||
+ * release notes:
|
|
||||||
+ * Register allocation improvements: Reuse of the PIC hard register,
|
|
||||||
+ * instead of using a fixed register, was implemented on x86/x86-64
|
|
||||||
+ * targets. This improves generated PIC code performance as more hard
|
|
||||||
+ * registers can be used.
|
|
||||||
+ */
|
|
||||||
+#if defined(__GNUC__) && __GNUC__ < 5 && defined(__PIC__)
|
|
||||||
+#define MULADDC_CANNOT_USE_EBX
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Disable use of the i386 assembly code below if option -O0, to disable all
|
|
||||||
* compiler optimisations, is passed, detected with __OPTIMIZE__
|
|
||||||
* This is done as the number of registers used in the assembly code doesn't
|
|
||||||
* work with the -O0 option.
|
|
||||||
*/
|
|
||||||
-#if defined(__i386__) && defined(__OPTIMIZE__)
|
|
||||||
+#if defined(__i386__) && defined(__OPTIMIZE__) && !defined(MULADDC_CANNOT_USE_EBX)
|
|
||||||
|
|
||||||
#define MULADDC_INIT \
|
|
||||||
asm( \
|
|
||||||
--
|
|
||||||
2.11.0
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
# From https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.1:
|
# From https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.2:
|
||||||
sha256 6797a7b6483ef589deeab8d33d401ed235d7be25eeecda1be8ddfed406d40ff4 mbedtls-2.28.1.tar.gz
|
sha256 bc55232bf71fd66045122ba9050a29ea7cb2e8f99b064a9e6334a82f715881a0 mbedtls-2.28.2.tar.gz
|
||||||
# Locally calculated
|
# Locally calculated
|
||||||
sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 LICENSE
|
sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 LICENSE
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
|
|
||||||
MBEDTLS_VERSION = 2.28.1
|
MBEDTLS_VERSION = 2.28.2
|
||||||
MBEDTLS_SITE = $(call github,ARMmbed,mbedtls,v$(MBEDTLS_VERSION))
|
MBEDTLS_SITE = $(call github,ARMmbed,mbedtls,v$(MBEDTLS_VERSION))
|
||||||
MBEDTLS_CONF_OPTS = \
|
MBEDTLS_CONF_OPTS = \
|
||||||
-DCMAKE_C_FLAGS="$(TARGET_CFLAGS) -std=c99" \
|
-DCMAKE_C_FLAGS="$(TARGET_CFLAGS) -std=c99" \
|
||||||
|