NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/mbedtls: security bump to version 2.7.12

Browse Source 
Fixes the following security vulnerabilities:

2.7.12:

- Fix a missing error detection in ECJPAKE.  This could have caused a
  predictable shared secret if a hardware accelerator failed and the other
  side of the key exchange had a similar bug.

- When writing a private EC key, use a constant size for the private value,
  as specified in RFC 5915.  Previously, the value was written as an ASN.1
  INTEGER, which caused the size of the key to leak about 1 bit of
  information on average and could cause the value to be 1 byte too large
  for the output buffer.

- The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
  implement blinding.  Because of this for the same key and message the same
  blinding value was generated.  This reduced the effectiveness of the
  countermeasure and leaked information about the private key through side
  channels.  Reported by Jack Lloyd.

2.7.11:

- Make mbedtls_ecdh_get_params return an error if the second key belongs to
  a different group from the first.  Before, if an application passed keys
  that belonged to different group, the first key's data was interpreted
  according to the second group, which could lead to either an error or a
  meaningless output from mbedtls_ecdh_get_params.  In the latter case, this
  could expose at most 5 bits of the private key.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Peter Korsgaard 2019-09-26 12:31:45 +02:00
parent 9c5d229dee
commit 85596ae5f0
2 changed files with 4 additions and 4 deletions
package/mbedtls
mbedtls.hashmbedtls.mk

6
package/mbedtls/mbedtls.hash
View File

@ -1,5 +1,5 @@
# From https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.0-2.7.9-and-2.1.18-released
sha1 70dc65f3f6f6b2392b821163be7f1f634f0012c8 mbedtls-2.7.9-apache.tgz
sha256 18e57260b46579245744adb79c2924194dad36aac38c2d0be9e749b9181c706f mbedtls-2.7.9-apache.tgz
# From https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.3-and-2.7.12-released
sha1 ce1af75d497cc03fe5c8e8e15fbf583d9dfbacd1 mbedtls-2.7.12-apache.tgz
sha256 d3a36dbc9f607747daa6875c1ab2e41f49eff5fc99d3436b4f3ac90c89f3c143 mbedtls-2.7.12-apache.tgz
# Locally calculated
sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 apache-2.0.txt

2
package/mbedtls/mbedtls.mk
View File

@ -5,7 +5,7 @@
################################################################################
MBEDTLS_SITE = https://tls.mbed.org/code/releases
MBEDTLS_VERSION = 2.7.9
MBEDTLS_VERSION = 2.7.12
MBEDTLS_SOURCE = mbedtls-$(MBEDTLS_VERSION)-apache.tgz
MBEDTLS_CONF_OPTS = \
-DENABLE_PROGRAMS=$(if $(BR2_PACKAGE_MBEDTLS_PROGRAMS),ON,OFF) \