lib/mbedtls: Update to mbedtls v3.6.2. #15547
Conversation
Converting to draft. Probably need to update defines to build mbedtls with the needed functions.
Code size report:
Force-pushed from 5fdd5dd to 1dbca84.
The fix for this failure is most likely here: #14385
Should probably change this PR to upgrade to 3.6.2 to fix another security issue -- https://nvd.nist.gov/vuln/detail/CVE-2024-49195
Agree we should update, although this particular issue is in the (To reiterate, we should still update all the same.)
Force-pushed from 1dbca84 to 4647093.
Codecov Report: all modified and coverable lines are covered by tests ✅
Additional details and impacted files:
@@ Coverage Diff @@
##           master   #15547   +/-   ##
=======================================
  Coverage   98.58%   98.58%
=======================================
  Files         167      167
  Lines       21596    21596
=======================================
  Hits        21291    21291
  Misses        305      305
☔ View full report in Codecov by Sentry.
#14385 was merged in Aug. I rebased to tip of master and modified the mbedtls submodule to point to mbedtls 3.6.2 (changed from 3.6.0 originally set in this PR). Two GitHub CI tests fail:
In CI coverage_32bit test ("unix port / coverage_32bit (pull_request)"):
In CI annotations test ("Check commit message formatting / build (pull request)"):
FYI: the coverage_32bit and thread_lock4 tests pass in CI on my branch. (On my branch, the CI "coverage" test failed due to me not having a token with appropriate permissions. That test passed in the most recent CI run here.)
Thanks for the update, @gstrauss!
Yes, the thread tests are a tiny bit flaky on unix CI. I've retried and it passed.
Yeah, thanks for pointing this out. It's not the force push exactly, I think the bug is caused when the PR branch is behind the tip of master (your branch is one commit behind, from about the time you rebased so no fault of yours). Will submit a fix for the CI bug, but please don't stress about it for this PR. The main thing with updating mbedTLS is on-device testing. I'll try to make time to do some soon.
@@ -79,6 +79,7 @@ | |||
#define MBEDTLS_OID_C | |||
#define MBEDTLS_PKCS5_C | |||
#define MBEDTLS_PK_C | |||
#define MBEDTLS_PK_HAVE_ECC_KEYS |
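Review bot: the new `#define MBEDTLS_PK_HAVE_ECC_KEYS` line has no comment saying why it is now required, which is exactly the question raised in this thread; the answer given below (it enables no new feature, it only keeps the ECC PK functionality that was already in use after the new mbedTLS version moved that code into a separate file behind this compile-time macro) belongs next to the define in the config file rather than only in the PR conversation, so a reviewer of the next mbedTLS bump does not have to ask again.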
Is this enabling a feature that wasn't enabled before? Or is this needed to retain the same set of features with the new mbedTLS version?
> needed to retain the same set of features with the new mbedTLS version
The latter. Some code moved to a new (separate) file with previously available features now exposed by a compile-time macro, as I noted in my second comment above (#15547 (comment))
Fixes the problem noted here micropython#15547 (comment) which is that because default CI HEAD for a PR is a (generated) merge commit into master branch HEAD, then if the PR branch isn't fully rebased then the commit check runs against commits from master as well! This PR also simplifies having to do a second fetch in order to find the merge base, by passing it in from GitHub's metadata instead. This work was funded through GitHub Sponsors. Signed-off-by: Angus Gratton <[email protected]>
Fixes the problem noted here micropython#15547 (comment) which is that because default CI HEAD for a PR is a (generated) merge commit into the master branch's current HEAD, then if the PR branch isn't fully rebased then the commit check runs against commits from master as well! Also drops running this check on push, the pull_request event is triggered by default on open and update ("synchronized" event), which probably covers the cases where this check should run. This work was funded through GitHub Sponsors. Signed-off-by: Angus Gratton <[email protected]>
Fixes the problem noted at micropython#15547 (comment) which is that, because default CI HEAD for a PR is a (generated) merge commit into the master branch's current HEAD, then if the PR branch isn't fully rebased then the commit check runs against commits from master as well! Also drops running this check on push, the pull_request event is triggered by default on open and update ("synchronized" event), which probably covers the cases where this check should run. This work was funded through GitHub Sponsors. Signed-off-by: Angus Gratton <[email protected]>
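The CI problem the commit message above describes can be seen on a small commit graph. The following is an added illustration, not micropython's ci.sh or tools/verifygitlog.py: commits are short strings in a constructed parent map, `git rev-list A..B` is modelled as "reachable from B but not from A", and the merge commit is the one GitHub generates for a pull request. One assumption is labelled in the code: the page does not show which base the old check started from, so the model starts it at the PR's branch point and walks up to the CI checkout (the merge commit); the fixed shape takes the base and head SHAs from the PR metadata instead.

```python
# Added illustration of the CI commit-check problem described in the thread.
# Constructed model, not micropython's ci.sh or tools/verifygitlog.py.

# Constructed history (assumption, not a real repository):
#
#   m1 -- m2 -- m3            master (moved on after the PR branched)
#     \            \
#      p1 -- p2 --- M         PR branch p1..p2, and GitHub's generated merge commit M
PARENTS = {
    "m1": [],
    "m2": ["m1"],
    "m3": ["m2"],
    "p1": ["m1"],
    "p2": ["p1"],
    "M": ["m3", "p2"],  # the CI checkout for a PR: master HEAD merged with the PR tip
}


def ancestors(commit):
    """Every commit reachable from `commit`, itself included (like `git rev-list commit`)."""
    seen, stack = set(), [commit]
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(PARENTS[c])
    return seen


def rev_range(base, head, no_merges=True):
    """Model of `git rev-list base..head [--no-merges]`."""
    commits = ancestors(head) - ancestors(base)
    if no_merges:
        commits = {c for c in commits if len(PARENTS[c]) < 2}
    return commits


def merge_base(a, b):
    """Nearest common ancestor (assumes the history has exactly one, as the sample does)."""
    common = ancestors(a) & ancestors(b)
    return next(c for c in common if not any(c in ancestors(o) for o in common - {c}))


def commits_checked_from_merge_commit(pr_tip, master_tip, ci_head):
    """Shape of the check before the fix: walk from the PR's branch point up to the CI
    checkout, which is the generated merge commit.  Assumption: the exact base the old
    script used is not shown on the page; the branch point is modelled here.  Because the
    merge commit also reaches master HEAD, commits that landed on master after the branch
    point are swept into the check when the PR branch is behind master."""
    return rev_range(merge_base(pr_tip, master_tip), ci_head)


def commits_checked_from_pr_metadata(base_sha, head_sha):
    """Shape of the check after the fix: range from the base SHA to the head SHA reported
    in the PR metadata, so neither the merge commit nor master's own commits are visited."""
    return rev_range(base_sha, head_sha)


if __name__ == "__main__":
    print("before fix:", sorted(commits_checked_from_merge_commit("p2", "m3", "M")))
    print("after fix: ", sorted(commits_checked_from_pr_metadata("m3", "p2")))
```

Run stand-alone, the first line lists m2 and m3 alongside the PR's own p1 and p2, which is why a well-formed PR could fail the commit message check on someone else's commits; the second line lists only p1 and p2.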
Thanks @gstrauss for submitting and updating this!
I rebased this branch and flashed to an RPI_PICO_W board. net_inet and multi_net tests all pass.
Oh, I also had a quick look at the code size increase. It looks like a significant part is the new bignum API. MicroPython doesn't call any bignum interfaces from what I can tell, but IIUC mbedTLS currently uses a mixture of the old and new bignum APIs internally - https://mbed-tls.readthedocs.io/en/latest/project/long-term-plans/#bignum-redesign - so this may drop down again in the future.
@projectgus should we put this in 1.25.0, or wait to 1.26.0? I'm happy either way, seems like a low risk change.
If you're happy to have it in 1.25.0 then it seems like a reasonable choice to me. I think there is some chance of an issue just due to all the APIs that are moving around, but agree it's pretty low risk - and good to be up to date with security fixes.
I tested this thoroughly on unix, PYBD_SF6, RPI_PICO2_W, running all possible combinations of WLAN tests against those three. Everything passes. Let's merge this!
Signed-off-by: Glenn Strauss <[email protected]>
Force-pushed from 4647093 to f2cd1a3.
Summary
lib/mbedtls: Update to mbedtls v3.6.2 for security fixes