2 files changed, 71 insertions, 2 deletions
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch
new file mode 100644
index 0000000000..8a2d38c23f
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch
@@ -0,0 +1,67 @@
+From ad736991bb59211118a29fe115367c24495300c2 Mon Sep 17 00:00:00 2001
+From: Janos Follath <janos.follath@arm.com>
+Date: Fri, 9 Feb 2024 16:04:59 +0000
+Subject: [PATCH] Merge pull request #1177 from
+ ronald-cron-arm/tls-max-version-reset
+Reset properly the TLS maximum negotiable version
+CVE: CVE-2024-28755
+CVE: CVE-2024-28836
+Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/ad736991bb59211118a29fe115367c24495300c2]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ library/ssl_tls.c |  1 +
+ tests/ssl-opt.sh  | 24 ++++++++++++++++++++++++
+ 2 files changed, 25 insertions(+)
+diff --git a/library/ssl_tls.c b/library/ssl_tls.c
+index cfb2798182..f3c701818b 100644
+--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
+@@ -1539,6 +1539,7 @@ int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
+     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+     ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+    ssl->tls_version = ssl->conf->max_tls_version;
+     mbedtls_ssl_session_reset_msg_layer(ssl, partial);
+diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
+index 48b3c0cb26..448bd3825f 100755
+--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
+@@ -11307,6 +11307,30 @@ run_test    "TLS 1.3: Default" \
+             -s "ECDH/FFDH group: " \
+             -s "selected signature algorithm ecdsa_secp256r1_sha256"
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test    "Establish TLS 1.2 then TLS 1.3 session" \
+            "$P_SRV" \
+            "( $P_CLI force_version=tls12; \
+               $P_CLI force_version=tls13 )" \
+            0 \
+            -s "Protocol is TLSv1.2" \
+            -s "Protocol is TLSv1.3" \
+
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
+run_test    "Establish TLS 1.3 then TLS 1.2 session" \
+            "$P_SRV" \
+            "( $P_CLI force_version=tls13; \
+               $P_CLI force_version=tls12 )" \
+            0 \
+            -s "Protocol is TLSv1.3" \
+            -s "Protocol is TLSv1.2" \
+
+ requires_openssl_tls1_3_with_compatible_ephemeral
+ requires_config_enabled MBEDTLS_DEBUG_C
+ requires_config_enabled MBEDTLS_SSL_CLI_C
+--
+2.40.0
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb
index 2fedac48cf..829d54307a 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb
@@ -25,8 +25,10 @@ SECTION = "libs"
 S = "${WORKDIR}/git"
 SRCREV = "daca7a3979c22da155ec9dce49ab1abf3b65d3a9"
 SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \
-        file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \
+           file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \
-        file://run-ptest"
+           file://run-ptest \
+           file://CVE-2024-28755-and-CVE-2024-28836.patch \
+          "
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
 inherit cmake update-alternatives ptest

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch new file mode 100644 index 0000000000..8a2d38c23f --- /dev/null +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch
@@ -0,0 +1,67 @@
		1	From ad736991bb59211118a29fe115367c24495300c2 Mon Sep 17 00:00:00 2001
		2	From: Janos Follath <janos.follath@arm.com>
		3	Date: Fri, 9 Feb 2024 16:04:59 +0000
		4	Subject: [PATCH] Merge pull request #1177 from
		5	ronald-cron-arm/tls-max-version-reset
		6
		7	Reset properly the TLS maximum negotiable version
		8
		9	CVE: CVE-2024-28755
		10	CVE: CVE-2024-28836
		11	Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/ad736991bb59211118a29fe115367c24495300c2]
		12
		13	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		14	---
		15	library/ssl_tls.c \| 1 +
		16	tests/ssl-opt.sh \| 24 ++++++++++++++++++++++++
		17	2 files changed, 25 insertions(+)
		18
		19	diff --git a/library/ssl_tls.c b/library/ssl_tls.c
		20	index cfb2798182..f3c701818b 100644
		21	--- a/library/ssl_tls.c
		22	+++ b/library/ssl_tls.c
		23	@@ -1539,6 +1539,7 @@ int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
		24	int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
		25
		26	ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
		27	+ ssl->tls_version = ssl->conf->max_tls_version;
		28
		29	mbedtls_ssl_session_reset_msg_layer(ssl, partial);
		30
		31	diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
		32	index 48b3c0cb26..448bd3825f 100755
		33	--- a/tests/ssl-opt.sh
		34	+++ b/tests/ssl-opt.sh
		35	@@ -11307,6 +11307,30 @@ run_test "TLS 1.3: Default" \
		36	-s "ECDH/FFDH group: " \
		37	-s "selected signature algorithm ecdsa_secp256r1_sha256"
		38
		39	+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
		40	+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
		41	+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
		42	+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
		43	+run_test "Establish TLS 1.2 then TLS 1.3 session" \
		44	+ "$P_SRV" \
		45	+ "( $P_CLI force_version=tls12; \
		46	+ $P_CLI force_version=tls13 )" \
		47	+ 0 \
		48	+ -s "Protocol is TLSv1.2" \
		49	+ -s "Protocol is TLSv1.3" \
		50	+
		51	+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
		52	+requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
		53	+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
		54	+requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
		55	+run_test "Establish TLS 1.3 then TLS 1.2 session" \
		56	+ "$P_SRV" \
		57	+ "( $P_CLI force_version=tls13; \
		58	+ $P_CLI force_version=tls12 )" \
		59	+ 0 \
		60	+ -s "Protocol is TLSv1.3" \
		61	+ -s "Protocol is TLSv1.2" \
		62	+
		63	requires_openssl_tls1_3_with_compatible_ephemeral
		64	requires_config_enabled MBEDTLS_DEBUG_C
		65	requires_config_enabled MBEDTLS_SSL_CLI_C
		66	--
		67	2.40.0


diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb index 2fedac48cf..829d54307a 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb
@@ -25,8 +25,10 @@ SECTION = "libs"
25	S = "${WORKDIR}/git"	25	S = "${WORKDIR}/git"
26	SRCREV = "daca7a3979c22da155ec9dce49ab1abf3b65d3a9"	26	SRCREV = "daca7a3979c22da155ec9dce49ab1abf3b65d3a9"
27	SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \	27	SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \
28	file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \	28	file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \
29	file://run-ptest"	29	file://run-ptest \
		30	file://CVE-2024-28755-and-CVE-2024-28836.patch \
		31	"
30	UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"	32	UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
31		33
32	inherit cmake update-alternatives ptest	34	inherit cmake update-alternatives ptest