diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch new file mode 100644 index 0000000000..8a2d38c23f --- /dev/null +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch @@ -0,0 +1,67 @@ +From ad736991bb59211118a29fe115367c24495300c2 Mon Sep 17 00:00:00 2001 +From: Janos Follath +Date: Fri, 9 Feb 2024 16:04:59 +0000 +Subject: [PATCH] Merge pull request #1177 from + ronald-cron-arm/tls-max-version-reset + +Reset properly the TLS maximum negotiable version + +CVE: CVE-2024-28755 +CVE: CVE-2024-28836 +Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/ad736991bb59211118a29fe115367c24495300c2] + +Signed-off-by: Yogita Urade +--- + library/ssl_tls.c | 1 + + tests/ssl-opt.sh | 24 ++++++++++++++++++++++++ + 2 files changed, 25 insertions(+) + +diff --git a/library/ssl_tls.c b/library/ssl_tls.c +index cfb2798182..f3c701818b 100644 +--- a/library/ssl_tls.c ++++ b/library/ssl_tls.c +@@ -1539,6 +1539,7 @@ int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial) + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + ssl->state = MBEDTLS_SSL_HELLO_REQUEST; ++ ssl->tls_version = ssl->conf->max_tls_version; + + mbedtls_ssl_session_reset_msg_layer(ssl, partial); + +diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh +index 48b3c0cb26..448bd3825f 100755 +--- a/tests/ssl-opt.sh ++++ b/tests/ssl-opt.sh +@@ -11307,6 +11307,30 @@ run_test "TLS 1.3: Default" \ + -s "ECDH/FFDH group: " \ + -s "selected signature algorithm ecdsa_secp256r1_sha256" + ++requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 ++requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 ++requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED ++requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT ++run_test "Establish TLS 1.2 then TLS 1.3 session" \ ++ "$P_SRV" \ ++ "( $P_CLI force_version=tls12; \ ++ $P_CLI force_version=tls13 )" \ ++ 0 \ ++ -s "Protocol is TLSv1.2" \ ++ -s "Protocol is TLSv1.3" \ ++ ++requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 ++requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 ++requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED ++requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT ++run_test "Establish TLS 1.3 then TLS 1.2 session" \ ++ "$P_SRV" \ ++ "( $P_CLI force_version=tls13; \ ++ $P_CLI force_version=tls12 )" \ ++ 0 \ ++ -s "Protocol is TLSv1.3" \ ++ -s "Protocol is TLSv1.2" \ ++ + requires_openssl_tls1_3_with_compatible_ephemeral + requires_config_enabled MBEDTLS_DEBUG_C + requires_config_enabled MBEDTLS_SSL_CLI_C +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb index 2fedac48cf..829d54307a 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb @@ -25,8 +25,10 @@ SECTION = "libs" S = "${WORKDIR}/git" SRCREV = "daca7a3979c22da155ec9dce49ab1abf3b65d3a9" SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \ - file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \ - file://run-ptest" + file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \ + file://run-ptest \ + file://CVE-2024-28755-and-CVE-2024-28836.patch \ + " UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)" inherit cmake update-alternatives ptest