[mbedtls] Upgrade mbedTLS to version 3.6.2 #2039
This upgrade includes fixes for four CVEs that affect Mbed TLS but not Gramine:

* CVE-2024-45158: we don't use affected functions: `mbedtls_ecdsa_der_to_raw()` or `mbedtls_ecdsa_raw_to_der()`.
* CVE-2024-45159: we don't enable TLS 1.3 for internal Gramine PAL crypto/TLS and control server certificates (that don't use `keyUsage` or `extKeyUsage` extensions) in the `ra-tls-mbedtls` CI-example.
* CVE-2024-45157: we don't enable the affected configuration: `MBEDTLS_PSA_HMAC_DRBG_MD_TYPE`.
* CVE-2024-49195: we use `mbedtls_pk_write_key_der()` with a buffer that is large enough for the content.

Signed-off-by: Kailun Qin <[email protected]>
Reviewable status: 0 of 7 files reviewed, 2 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel)
-- commits
line 14 at r1:
Pls see https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-10-1/#vulnerability and
gramine/tools/sgx/ra-tls/ra_tls_attest.c
Lines 651 to 670 in 5e2f18f
```c
uint8_t* output_buf = NULL;
size_t output_buf_size = 4096; /* enough for any public key in DER format */
output_buf = malloc(output_buf_size);
if (!output_buf) {
    ret = MBEDTLS_ERR_X509_ALLOC_FAILED;
    goto out;
}
ret = create_key_and_crt(&key, NULL, der_crt, der_crt_size);
if (ret < 0) {
    goto out;
}
/* populate der_key; note that der_crt was already populated */
int size = mbedtls_pk_write_key_der(&key, output_buf, output_buf_size);
if (size < 0) {
    ret = size;
    goto out;
}
```
Code quote:
* CVE-2024-49195: we use `mbedtls_pk_write_key_der()` with a buffer that
is large enough for the content.
subprojects/mbedtls-3.6.2.wrap
line 4 at r1 (raw file):
```
directory = mbedtls-3.6.2
source_url = https:/Mbed-TLS/mbedtls/releases/download/mbedtls-3.6.2/mbedtls-3.6.2.tar.bz2
source_fallback_url = https://packages.gramineproject.io/distfiles/mbedtls-3.6.2.tar.bz2
```
@woju: Sorry to bother again, but a newer mbedTLS (v3.6.2) was just released: https:/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.2. Would you pls help mirror this file? Thanks!
Code quote:
https://packages.gramineproject.io/distfiles/mbedtls-3.6.2.tar.bz2
Reviewed 7 of 7 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @woju)
subprojects/mbedtls-3.6.2.wrap
line 4 at r1 (raw file):
Previously, kailun-qin (Kailun Qin) wrote…
@woju: Sorry to bother again, but a newer mbedTLS (v3.6.2) was just released: https:/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.2. Would you pls help mirror this file? Thanks!
@woju And https://packages.gramineproject.io/distfiles/mbedtls-3.6.1.tar.bz2 can be removed (as we just skip this version in favor of the newer one).
Reviewed 7 of 7 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @woju)
Reviewed 7 of 7 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required) (waiting on @dimakuv, @kailun-qin, and @mkow)
subprojects/mbedtls-3.6.2.wrap
line 4 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
@woju And https://packages.gramineproject.io/distfiles/mbedtls-3.6.1.tar.bz2 can be removed (as we just skip this version in favor of the newer one).
Done. I'll keep 3.6.1, it's just 5 MB.
Description of the changes
This upgrade includes fixes for four CVEs that affect Mbed TLS but not Gramine:
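* CVE-2024-45158: we don't use affected functions: `mbedtls_ecdsa_der_to_raw()` or `mbedtls_ecdsa_raw_to_der()`.
* CVE-2024-45159: we don't enable TLS 1.3 for internal Gramine PAL crypto/TLS and control server certificates (that don't use `keyUsage` or `extKeyUsage` extensions) in the `ra-tls-mbedtls` CI-example.
* CVE-2024-45157: we don't enable the affected configuration: `MBEDTLS_PSA_HMAC_DRBG_MD_TYPE`.
* CVE-2024-49195: we use `mbedtls_pk_write_key_der()` with a buffer that is large enough for the content.

Closes #2024.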
How to test this PR?
CI.
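The per-CVE applicability check in the description above can be repeated mechanically on any code base that vendors Mbed TLS. The following is an added example, not part of this PR or of Gramine's tooling: it scans C sources for the trigger symbols named in the description while ignoring comments and string literals. `MBEDTLS_SSL_PROTO_TLS1_3` (the Mbed TLS build option for TLS 1.3) is not named on this page and is added here; the sample files are constructed. A hit is a site to review by hand (for `mbedtls_pk_write_key_der()`, the size of the output buffer), not proof of exposure.

```python
import re

# Triggers taken from the PR description above. MBEDTLS_SSL_PROTO_TLS1_3 is the
# Mbed TLS build option for TLS 1.3 (name added here, not on the page).
CALLS = {
    "mbedtls_ecdsa_der_to_raw": "CVE-2024-45158",
    "mbedtls_ecdsa_raw_to_der": "CVE-2024-45158",
    "mbedtls_pk_write_key_der": "CVE-2024-49195",
}
DEFINES = {
    "MBEDTLS_SSL_PROTO_TLS1_3": "CVE-2024-45159",
    "MBEDTLS_PSA_HMAC_DRBG_MD_TYPE": "CVE-2024-45157",
}

# Comments and string/char literals must not count as usage.
_NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)

def _strip(src):
    # Blank out each comment/literal but keep newlines so line numbers survive.
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def triage(files):
    """files: {path: C source text}. Returns sorted (cve, path, line, symbol)."""
    hits = []
    for path, src in files.items():
        for lineno, line in enumerate(_strip(src).splitlines(), 1):
            for sym, cve in CALLS.items():
                if re.search(r"\b%s\s*\(" % sym, line):
                    hits.append((cve, path, lineno, sym))
            m = re.match(r"\s*#\s*define\s+(\w+)", line)
            if m and m.group(1) in DEFINES:
                hits.append((DEFINES[m.group(1)], path, lineno, m.group(1)))
    return sorted(hits)

# Constructed sample input, not Gramine's real files.
SAMPLE = {
    "mbedtls_config.h": "#define MBEDTLS_SSL_PROTO_TLS1_2\n"
                        "//#define MBEDTLS_SSL_PROTO_TLS1_3\n"
                        "/* #define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256 */\n",
    "attest.c": "/* mbedtls_ecdsa_raw_to_der() is not used here */\n"
                "int size = mbedtls_pk_write_key_der(&key, output_buf, output_buf_size);\n",
}

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(*hit)
```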