Merge pull request #3001 from  from gilles-peskine-arm/coverity-20200115-2.16 into mbedtls-2.16
diff --git a/ChangeLog b/ChangeLog
index 6a1c637..f03b83d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,22 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
-= mbed TLS 2.16.5 branch released xxxx-xx-xx
+= mbed TLS 2.16.X branch released XXXX-XX-XX
 
 Bugfix
+   * Allow loading symlinked certificates. Fixes #3005. Reported and fixed
+     by Jonathan Bennett <JBennett@incomsystems.biz> via #3008.
    * Fix an unchecked call to mbedtls_md() in the x509write module.
 
+Security
+   * Fix potential memory overread when performing an ECDSA signature
+     operation. The overread only happens with cryptographically low
+     probability (of the order of 2^-n where n is the bitsize of the curve)
+     unless the RNG is broken, and could result in information disclosure or
+     denial of service (application crash or extra resource consumption).
+     Found by Auke Zeilstra and Peter Schwabe, using static analysis.
+
+Bugfix
+
 = mbed TLS 2.16.4 branch released 2020-01-15
 
 Security
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index a6126f3..de43cdf 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -24,7 +24,7 @@
  */
 
 /**
- * @mainpage mbed TLS v2.16.3 source code documentation
+ * @mainpage mbed TLS v2.16.4 source code documentation
  *
  * This documentation describes the internal structure of mbed TLS.  It was
  * automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 904c1e7..61b6415 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@
 # identify the project. Note that if you do not use Doxywizard you need
 # to put quotes around the project name if it contains spaces.
 
-PROJECT_NAME           = "mbed TLS v2.16.3"
+PROJECT_NAME           = "mbed TLS v2.16.4"
 
 # The PROJECT_NUMBER tag can be used to enter a project or revision number.
 # This could be handy for archiving the generated documentation or
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index b4eef71..aeffb16 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -40,16 +40,16 @@
  */
 #define MBEDTLS_VERSION_MAJOR  2
 #define MBEDTLS_VERSION_MINOR  16
-#define MBEDTLS_VERSION_PATCH  3
+#define MBEDTLS_VERSION_PATCH  4
 
 /**
  * The single version number has the following structure:
  *    MMNNPP00
  *    Major version | Minor version | Patch version
  */
-#define MBEDTLS_VERSION_NUMBER         0x02100300
-#define MBEDTLS_VERSION_STRING         "2.16.3"
-#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.16.3"
+#define MBEDTLS_VERSION_NUMBER         0x02100400
+#define MBEDTLS_VERSION_STRING         "2.16.4"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.16.4"
 
 #if defined(MBEDTLS_VERSION_C)
 
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 9330cff..c952918 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -165,15 +165,15 @@
 
 if(USE_SHARED_MBEDTLS_LIBRARY)
     add_library(mbedcrypto SHARED ${src_crypto})
-    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.3 SOVERSION 3)
+    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.4 SOVERSION 3)
     target_link_libraries(mbedcrypto ${libs})
 
     add_library(mbedx509 SHARED ${src_x509})
-    set_target_properties(mbedx509 PROPERTIES VERSION 2.16.3 SOVERSION 0)
+    set_target_properties(mbedx509 PROPERTIES VERSION 2.16.4 SOVERSION 0)
     target_link_libraries(mbedx509 ${libs} mbedcrypto)
 
     add_library(mbedtls SHARED ${src_tls})
-    set_target_properties(mbedtls PROPERTIES VERSION 2.16.3 SOVERSION 12)
+    set_target_properties(mbedtls PROPERTIES VERSION 2.16.4 SOVERSION 12)
     target_link_libraries(mbedtls ${libs} mbedx509)
 
     install(TARGETS mbedtls mbedx509 mbedcrypto
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 3cf3d7c..6b72e0d 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -297,7 +297,7 @@
     *p_sign_tries = 0;
     do
     {
-        if( *p_sign_tries++ > 10 )
+        if( (*p_sign_tries)++ > 10 )
         {
             ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
             goto cleanup;
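Review bot: The parenthesised `(*p_sign_tries)++` on the changed line is correct but carries no explanation of why the parentheses matter, and the same fix recurs at the second hunk for `(*p_key_tries)++`; a one-line comment at each site, e.g. `/* Parentheses required: *p_sign_tries++ would advance the pointer, not the counter. */`, would stop a future cleanup from reverting it. Before this change the pointer itself was incremented on every iteration while the dereferenced counter stayed at its initial value, so the bound of 10 was never reached and each further dereference read beyond the caller's int; that is the overread the ChangeLog entry describes. The limit 10 is written as a bare literal in both loops and could be a single named constant so the two bounds cannot drift apart. A regression test that drives the signing loop with a deterministic RNG forcing repeated retries would pin that the loop now terminates with MBEDTLS_ERR_ECP_RANDOM_FAILED after the bound. The enclosing function begins before and ends after both hunks.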
@@ -310,7 +310,7 @@
         *p_key_tries = 0;
         do
         {
-            if( *p_key_tries++ > 10 )
+            if( (*p_key_tries)++ > 10 )
             {
                 ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
                 goto cleanup;
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 9c2e365..a4202be 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1366,7 +1366,7 @@
             goto cleanup;
         }
 
-        if( !S_ISREG( sb.st_mode ) )
+        if( !( S_ISREG( sb.st_mode ) || S_ISLNK( sb.st_mode ) ) )
             continue;
 
         // Ignore parse errors
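Review bot: Accepting `S_ISLNK( sb.st_mode )` on the changed line admits a directory entry because it is a link without checking what the link points to, and the correctness of that depends on the call that fills `sb`, which is above the hunk. If `sb` comes from lstat(), a symlink to a directory or a FIFO now falls through to the parse call under `// Ignore parse errors`, where opening a FIFO can block the loader; if it comes from stat(), which follows links, `st_mode` already describes the target and the `S_ISLNK` branch is dead code. For the lstat() case the filter should test the resolved target, e.g. call `stat( entry_name, &sb )` when `S_ISLNK( sb.st_mode )` is true and keep the original `if( !S_ISREG( sb.st_mode ) ) continue;`, treating a failed resolve as a broken link to skip. Either way a short comment naming which stat variant fills `sb` and why links are accepted would make the intent of this test clear. The enclosing loop and function start and end outside the hunk.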
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index c3189c8..f7dd90c 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
 Check compiletime library version
-check_compiletime_version:"2.16.3"
+check_compiletime_version:"2.16.4"
 
 Check runtime library version
-check_runtime_version:"2.16.3"
+check_runtime_version:"2.16.4"
 
 Check for MBEDTLS_VERSION_C
 check_feature:"MBEDTLS_VERSION_C":0