mbedtls: update to 2.16.8

This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues and the most notable of them
are described in more detail in the security advisories.

* Local side channel attack on RSA and static Diffie-Hellman
* Local side channel attack on classical CBC decryption in (D)TLS
* When checking X.509 CRLs, a certificate was only considered as revoked
if its revocationDate was in the past according to the local clock if
available.

Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 66893063ab)

package/libs/mbedtls/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.7
+PKG_VERSION:=2.16.8
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=c95b11557ee97d2bdfd48cd57cf9b648a6cddd2ca879e3c35c4e7525f2871992
+PKG_HASH:=fe9e3b15c3375943bdfebbbb20dd6b4f1147b3b5d926248bd835d73247407430
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+

package/libs/mbedtls/patches/200-config.patch

@@ -1,6 +1,6 @@
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -658,14 +658,14 @@
+@@ -692,14 +692,14 @@
   *
   * Enable Output Feedback mode (OFB) for symmetric ciphers.
   */
@@ -17,7 +17,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -782,19 +782,19 @@
+@@ -816,19 +816,19 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -46,7 +46,7 @@
  
  /**
   * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -865,7 +865,7 @@
+@@ -899,7 +899,7 @@
   *
   * Comment this macro to disable deterministic ECDSA.
   */
@@ -55,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-@@ -918,7 +918,7 @@
+@@ -952,7 +952,7 @@
   *             See dhm.h for more details.
   *
   */
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -938,7 +938,7 @@
+@@ -972,7 +972,7 @@
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -963,7 +963,7 @@
+@@ -997,7 +997,7 @@
   *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -1097,7 +1097,7 @@
+@@ -1131,7 +1131,7 @@
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -1121,7 +1121,7 @@
+@@ -1155,7 +1155,7 @@
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1225,7 +1225,7 @@
+@@ -1259,7 +1259,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -109,7 +109,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1320,14 +1320,14 @@
+@@ -1354,14 +1354,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1343,7 +1343,7 @@
+@@ -1377,7 +1377,7 @@
   *
   * Uncomment to enable the smaller implementation of SHA256.
   */
@@ -135,7 +135,7 @@
  
  /**
   * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
-@@ -1481,7 +1481,7 @@
+@@ -1515,7 +1515,7 @@
   *          configuration of this extension).
   *
   */
@@ -144,7 +144,7 @@
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1656,7 +1656,7 @@
+@@ -1690,7 +1690,7 @@
   *
   * Comment this macro to disable support for SSL session tickets
   */
@@ -153,7 +153,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1686,7 +1686,7 @@
+@@ -1720,7 +1720,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -162,7 +162,7 @@
  
  /**
   * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -1745,7 +1745,7 @@
+@@ -1779,7 +1779,7 @@
   *
   * Comment this to disable run-time checking and save ROM space
   */
@@ -171,7 +171,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -2075,7 +2075,7 @@
+@@ -2109,7 +2109,7 @@
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -180,7 +180,7 @@
  
  /**
   * \def MBEDTLS_ARIA_C
-@@ -2141,7 +2141,7 @@
+@@ -2175,7 +2175,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -189,7 +189,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -2153,7 +2153,7 @@
+@@ -2187,7 +2187,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -198,7 +198,7 @@
  
  /**
   * \def MBEDTLS_CHACHA20_C
-@@ -2162,7 +2162,7 @@
+@@ -2196,7 +2196,7 @@
   *
   * Module:  library/chacha20.c
   */
@@ -207,7 +207,7 @@
  
  /**
   * \def MBEDTLS_CHACHAPOLY_C
-@@ -2173,7 +2173,7 @@
+@@ -2207,7 +2207,7 @@
   *
   * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
   */
@@ -216,7 +216,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_C
-@@ -2232,7 +2232,7 @@
+@@ -2266,7 +2266,7 @@
   *
   * This module provides debugging functions.
   */
@@ -225,7 +225,7 @@
  
  /**
   * \def MBEDTLS_DES_C
-@@ -2261,7 +2261,7 @@
+@@ -2295,7 +2295,7 @@
   * \warning   DES is considered a weak cipher and its use constitutes a
   *            security risk. We recommend considering stronger ciphers instead.
   */
@@ -234,7 +234,7 @@
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -2424,7 +2424,7 @@
+@@ -2458,7 +2458,7 @@
   * This module adds support for the Hashed Message Authentication Code
   * (HMAC)-based key derivation function (HKDF).
   */
@@ -243,7 +243,7 @@
  
  /**
   * \def MBEDTLS_HMAC_DRBG_C
-@@ -2438,7 +2438,7 @@
+@@ -2472,7 +2472,7 @@
   *
   * Uncomment to enable the HMAC_DRBG random number geerator.
   */
@@ -252,7 +252,7 @@
  
  /**
   * \def MBEDTLS_NIST_KW_C
-@@ -2734,7 +2734,7 @@
+@@ -2768,7 +2768,7 @@
   *
   * This module enables abstraction of common (libc) functions.
   */
@@ -261,7 +261,7 @@
  
  /**
   * \def MBEDTLS_POLY1305_C
-@@ -2744,7 +2744,7 @@
+@@ -2778,7 +2778,7 @@
   * Module:  library/poly1305.c
   * Caller:  library/chachapoly.c
   */
@@ -270,7 +270,7 @@
  
  /**
   * \def MBEDTLS_RIPEMD160_C
-@@ -2755,7 +2755,7 @@
+@@ -2789,7 +2789,7 @@
   * Caller:  library/md.c
   *
   */
@@ -279,7 +279,7 @@
  
  /**
   * \def MBEDTLS_RSA_C
-@@ -2862,7 +2862,7 @@
+@@ -2896,7 +2896,7 @@
   *
   * Requires: MBEDTLS_CIPHER_C
   */
@@ -288,7 +288,7 @@
  
  /**
   * \def MBEDTLS_SSL_CLI_C
-@@ -2962,7 +2962,7 @@
+@@ -2996,7 +2996,7 @@
   *
   * This module provides run-time version information.
   */
@@ -297,7 +297,7 @@
  
  /**
   * \def MBEDTLS_X509_USE_C
-@@ -3072,7 +3072,7 @@
+@@ -3106,7 +3106,7 @@
   * Module:  library/xtea.c
   * Caller:
   */

package/libs/mbedtls/patches/300-soversion-compatibility.patch

@@ -4,8 +4,8 @@
  
  if(USE_SHARED_MBEDTLS_LIBRARY)
      add_library(mbedcrypto SHARED ${src_crypto})
--    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.7 SOVERSION 3)
-+    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.7 SOVERSION 1)
+-    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.8 SOVERSION 3)
++    set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.8 SOVERSION 1)
      target_link_libraries(mbedcrypto ${libs})
  
      add_library(mbedx509 SHARED ${src_x509})
@@ -13,8 +13,8 @@
      target_link_libraries(mbedx509 ${libs} mbedcrypto)
  
      add_library(mbedtls SHARED ${src_tls})
--    set_target_properties(mbedtls PROPERTIES VERSION 2.16.7 SOVERSION 12)
-+    set_target_properties(mbedtls PROPERTIES VERSION 2.16.7 SOVERSION 10)
+-    set_target_properties(mbedtls PROPERTIES VERSION 2.16.8 SOVERSION 12)
++    set_target_properties(mbedtls PROPERTIES VERSION 2.16.8 SOVERSION 10)
      target_link_libraries(mbedtls ${libs} mbedx509)
  
      install(TARGETS mbedtls mbedx509 mbedcrypto