crypto: mbedtls: Update mbedTLS to 2.7.0

[galak]

Due to a security advisory released on February 1st 2018[1], it's
advisable to update mbedTLS to 2.7.0.

The vulnerability, identified as CVE-2018-0488 and CVE-2018-0487, risk
remote code execution when truncated HMAC is enabled or when verifying
RSASSA-PSS signatures.

[1] https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

Fixes: #6025

Signed-off-by: Kumar Gala [email protected]

[codecov-io]

Codecov Report

Merging #6033 into master will decrease coverage by 0.16%.
The diff coverage is 17.47%.

@@            Coverage Diff             @@
##           master    #6033      +/-   ##
==========================================
- Coverage   52.51%   52.34%   -0.17%     
==========================================
  Files         406      406              
  Lines       39683    39795     +112     
  Branches     7715     7776      +61     
==========================================
- Hits        20839    20832       -7     
- Misses      15663    15759      +96     
- Partials     3181     3204      +23

Impacted Files	Coverage Δ
ext/lib/crypto/mbedtls/library/ssl_srv.c	0% <ø> (ø)	⬆️
ext/lib/crypto/mbedtls/library/ccm.c	63.56% <ø> (ø)	⬆️
ext/lib/crypto/mbedtls/library/cipher.c	24.47% <ø> (ø)	⬆️
ext/lib/crypto/mbedtls/library/ecjpake.c	51.12% <ø> (ø)	⬆️
ext/lib/crypto/mbedtls/library/platform.c	31.81% <ø> (ø)	⬆️
.../crypto/mbedtls/include/mbedtls/ssl_ciphersuites.h	0% <ø> (ø)	⬆️
ext/lib/crypto/mbedtls/library/pk_wrap.c	0% <ø> (ø)	⬆️
ext/lib/crypto/mbedtls/library/hmac_drbg.c	1.92% <ø> (ø)	⬆️
ext/lib/crypto/mbedtls/include/mbedtls/pk.h	0% <ø> (ø)	⬆️
ext/lib/crypto/mbedtls/library/cmac.c	50.86% <ø> (ø)	⬆️
... and 15 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 30824c9...7888ad5. Read the comment docs.

you need to update the README ext/lib/crypto/mbedtls/README

[nashif]

update README

[lpereira]

In addition to updating the README file, please also shorten the link in the commit message: it's apparently too long for the bots to like it.

[nashif]

In addition to updating the README file, please also shorten the link in the commit message: it's apparently too long for the bots to like it.

hmm, i thought i had an exception for long URLs... need to look

[nashif]

hmm, i thought i had an exception for long URLs... need to look

fixed in #6034

[galak]

README updated, leaving URL alone - pending fix from Anas getting in.

Fixed README

[pfalcon]

Regarding URL shorteners, here's a recent (and pretty usual) case. I found an alleged data loss issue in mbedTLS, and researching it, saw it was "fixed" and, the the fix reverted then: Mbed-TLS/mbedtls@1fd00bf , Mbed-TLS/mbedtls@887bd50 . Maybe if the PolarSSL guys had that CI hook for requiring the full description in the commit message, there would be more information than reference to "ticket #18" in long-gone tracker. Likewise, if we don't try to workaround false positives with URL shorteners, maybe future developers will be able to understand our commit messages better.

(Yes, the original URL may be gone too, but a URL like https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 certainly conveys more info than https://shrt.me/fOobAR).

So, thanks for going to fix that check!

[nashif]

recheck