From d767eaf9d96de808225c37549412afcea55647b5d7b2a88411c8e234fb913bef Mon Sep 17 00:00:00 2001
From: Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
Date: Fri, 4 Nov 2022 20:48:59 +0000
Subject: [PATCH] Accepting request 1033587 from home:mia:branches:security:tls

- Update to 2.28.1: (CVE-2022-35409)
  Default behavior changes
  * mbedtls_cipher_set_iv will now fail with ChaCha20 and
    ChaCha20+Poly1305 for IV lengths other than 12. The library was
    silently overwriting this length with 12, but did not inform
    the caller about it.
    gh#Mbed-TLS/mbedtls#4301
  Features
  * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA
    crypto feature requirements in the file named by the new macro
    MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default
    psa/crypto_config.h. Furthermore you may name an additional
    file to include after the main file with the macro
    MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
  Security
  * Zeroize dynamically-allocated buffers used by the PSA Crypto
    key storage module before freeing them. These buffers contain
    secret key material, and could thus potentially leak the key
    through freed heap.
  * Fix a potential heap buffer overread in TLS 1.2 server-side
    when MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created
    with mbedtls_pk_setup_opaque()) is provisioned, and a static
    ECDH ciphersuite is selected. This may result in an application
    crash or potentially an information leak.
  * Fix a buffer overread in DTLS ClientHello parsing in servers
    with MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled.
    An unauthenticated client or a man-in-the-middle could cause a
    DTLS server to read up to 255 bytes after the end of the SSL
    input buffer. The buffer overread only happens when
    MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that
    depends on the exact configuration: 258 bytes if using
    mbedtls_ssl_cookie_check(), and possibly up to 571 bytes with
    a custom cookie check function.
    Reported by the Cybeats PSI Team.
  Bugfix
  * Fix a memory leak if mbedtls_ssl_config_defaults() is called
    twice.
  * Fix several bugs (warnings, compiler and linker errors, test
    failures) in reduced configurations when MBEDTLS_USE_PSA_CRYPTO
    is enabled.
  * Fix a bug in (D)TLS curve negotiation: when
    MBEDTLS_USE_PSA_CRYPTO was enabled and an ECDHE-ECDSA or
    ECDHE-RSA key exchange was used, the client would fail to check
    that the curve selected by the server for ECDHE was indeed one
    that was offered. As a result, the client would accept any
    curve that it supported, even if that curve was not allowed
    according to its configuration.
    gh#Mbed-TLS/mbedtls#5291
  * Fix unit tests that used 0 as the file UID. This failed on some
    implementations of PSA ITS.
    gh#Mbed-TLS/mbedtls#3838
  * Fix API violation in mbedtls_md_process() test by adding a call
    to mbedtls_md_starts().
    gh#Mbed-TLS/mbedtls#2227
  * Fix compile errors when MBEDTLS_HAVE_TIME is not defined.
    Add tests to catch bad uses of time.h.
  * Fix bug in the alert sending function
    mbedtls_ssl_send_alert_message() potentially leading to
    corrupted alert messages being sent in case the function needs
    to be re-called after initially returning
    MBEDTLS_SSL_WANT_WRITE.
    gh#Mbed-TLS/mbedtls#1916
  * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled
    but none of MBEDTLS_SSL_HW_RECORD_ACCEL,
    MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C, DTLS handshakes
    using CID would crash due to a null pointer dereference.
    Fix this.
    gh#Mbed-TLS/mbedtls#3998
  * Fix incorrect documentation of mbedtls_x509_crt_profile. The
    previous documentation stated that the allowed_pks field
    applies to signatures only, but in fact it does apply to the
    public key type of the end entity certificate, too.
    gh#Mbed-TLS/mbedtls#1992
  * Fix PSA cipher multipart operations using ARC4. Previously, an
    IV was required but discarded. Now, an IV is rejected, as it
    should be.
  * Fix undefined behavior in mbedtls_asn1_find_named_data(), where
    val is not NULL and val_len is zero. psa_raw_key_agreement()
    now returns PSA_ERROR_BUFFER_TOO_SMALL when applicable.
    gh#Mbed-TLS/mbedtls#5735
  * Fix a bug in the x25519 example program where the removal of
    MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run.
    gh#Mbed-TLS/mbedtls#4901
    gh#Mbed-TLS/mbedtls#3191
  * Encode X.509 dates before 1/1/2000 as UTCTime rather than
    GeneralizedTime.
    gh#Mbed-TLS/mbedtls#5465
  * Fix order value of curve x448.
  * Fix string representation of DNs when outputting values
    containing commas and other special characters, conforming to
    RFC 1779.
    gh#Mbed-TLS/mbedtls#769
  * Silence a warning from GCC 12 in the selftest program.
    gh#Mbed-TLS/mbedtls#5974
  * Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of
    0.
  * Fix resource leaks in mbedtls_pk_parse_public_key() in low
    memory conditions.
  * Fix server connection identifier setting for outgoing encrypted
    records on DTLS 1.2 session resumption. After DTLS 1.2 session
    resumption with connection identifier, the Mbed TLS client now
    properly sends the server connection identifier in encrypted
    record headers.
    gh#Mbed-TLS/mbedtls#5872
  * Fix a null pointer dereference when performing some operations
    on zero represented with 0 limbs (specifically
    mbedtls_mpi_mod_int() dividing by 2, and
    mbedtls_mpi_write_string() in base 2).
  * Fix record sizes larger than 16384 being sometimes accepted
    despite being non-compliant. This could not lead to a buffer
    overflow. In particular, application data size was already
    checked correctly.

OBS-URL: https://build.opensuse.org/request/show/1033587
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=36
---
 mbedtls-2.28.0.tar.gz |   3 --
 mbedtls-2.28.1.tar.gz |   3 ++
 mbedtls.changes       | 121 ++++++++++++++++++++++++++++++++++++++++++
 mbedtls.spec          |   4 +-
 4 files changed, 126 insertions(+), 5 deletions(-)
 delete mode 100644 mbedtls-2.28.0.tar.gz
 create mode 100644 mbedtls-2.28.1.tar.gz

diff --git a/mbedtls-2.28.0.tar.gz b/mbedtls-2.28.0.tar.gz
deleted file mode 100644
index e1348b7..0000000
--- a/mbedtls-2.28.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6519579b836ed78cc549375c7c18b111df5717e86ca0eeff4cb64b2674f424cc
-size 3711231
diff --git a/mbedtls-2.28.1.tar.gz b/mbedtls-2.28.1.tar.gz
new file mode 100644
index 0000000..6e7b75e
--- /dev/null
+++ b/mbedtls-2.28.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6797a7b6483ef589deeab8d33d401ed235d7be25eeecda1be8ddfed406d40ff4
+size 3914247
diff --git a/mbedtls.changes b/mbedtls.changes
index c2e491b..c3d8694 100644
--- a/mbedtls.changes
+++ b/mbedtls.changes
@@ -1,3 +1,124 @@
+-------------------------------------------------------------------
+Fri Nov  4 16:53:36 UTC 2022 - Mia Herkt <mia@0x0.st>
+
+- Update to 2.28.1: (CVE-2022-35409)
+  Default behavior changes
+
+  * mbedtls_cipher_set_iv will now fail with ChaCha20 and
+    ChaCha20+Poly1305 for IV lengths other than 12. The library was
+    silently overwriting this length with 12, but did not inform
+    the caller about it.
+    gh#Mbed-TLS/mbedtls#4301
+
+  Features
+  * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA
+    crypto feature requirements in the file named by the new macro
+    MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default
+    psa/crypto_config.h. Furthermore you may name an additional
+    file to include after the main file with the macro
+    MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
+
+  Security
+  * Zeroize dynamically-allocated buffers used by the PSA Crypto
+    key storage module before freeing them. These buffers contain
+    secret key material, and could thus potentially leak the key
+    through freed heap.
+  * Fix a potential heap buffer overread in TLS 1.2 server-side
+    when MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created
+    with mbedtls_pk_setup_opaque()) is provisioned, and a static
+    ECDH ciphersuite is selected. This may result in an application
+    crash or potentially an information leak.
+  * Fix a buffer overread in DTLS ClientHello parsing in servers
+    with MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled.
+    An unauthenticated client or a man-in-the-middle could cause a
+    DTLS server to read up to 255 bytes after the end of the SSL
+    input buffer. The buffer overread only happens when
+    MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that
+    depends on the exact configuration: 258 bytes if using
+    mbedtls_ssl_cookie_check(), and possibly up to 571 bytes with
+    a custom cookie check function.
+    Reported by the Cybeats PSI Team.
+
+  Bugfix
+  * Fix a memory leak if mbedtls_ssl_config_defaults() is called
+    twice.
+  * Fix several bugs (warnings, compiler and linker errors, test
+    failures) in reduced configurations when MBEDTLS_USE_PSA_CRYPTO
+    is enabled.
+  * Fix a bug in (D)TLS curve negotiation: when
+    MBEDTLS_USE_PSA_CRYPTO was enabled and an ECDHE-ECDSA or
+    ECDHE-RSA key exchange was used, the client would fail to check
+    that the curve selected by the server for ECDHE was indeed one
+    that was offered. As a result, the client would accept any
+    curve that it supported, even if that curve was not allowed
+    according to its configuration.
+    gh#Mbed-TLS/mbedtls#5291
+  * Fix unit tests that used 0 as the file UID. This failed on some
+    implementations of PSA ITS.
+    gh#Mbed-TLS/mbedtls#3838
+  * Fix API violation in mbedtls_md_process() test by adding a call
+    to mbedtls_md_starts().
+    gh#Mbed-TLS/mbedtls#2227
+  * Fix compile errors when MBEDTLS_HAVE_TIME is not defined.
+    Add tests to catch bad uses of time.h.
+  * Fix bug in the alert sending function
+    mbedtls_ssl_send_alert_message() potentially leading to
+    corrupted alert messages being sent in case the function needs
+    to be re-called after initially returning
+    MBEDTLS_SSL_WANT_WRITE.
+    gh#Mbed-TLS/mbedtls#1916
+  * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled
+    but none of MBEDTLS_SSL_HW_RECORD_ACCEL,
+    MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C, DTLS handshakes
+    using CID would crash due to a null pointer dereference.
+    Fix this.
+    gh#Mbed-TLS/mbedtls#3998
+  * Fix incorrect documentation of mbedtls_x509_crt_profile. The
+    previous documentation stated that the allowed_pks field
+    applies to signatures only, but in fact it does apply to the
+    public key type of the end entity certificate, too.
+    gh#Mbed-TLS/mbedtls#1992
+  * Fix PSA cipher multipart operations using ARC4. Previously, an
+    IV was required but discarded. Now, an IV is rejected, as it
+    should be.
+  * Fix undefined behavior in mbedtls_asn1_find_named_data(), where
+    val is not NULL and val_len is zero. psa_raw_key_agreement()
+    now returns PSA_ERROR_BUFFER_TOO_SMALL when applicable.
+    gh#Mbed-TLS/mbedtls#5735
+  * Fix a bug in the x25519 example program where the removal of
+    MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run.
+    gh#Mbed-TLS/mbedtls#4901
+    gh#Mbed-TLS/mbedtls#3191
+  * Encode X.509 dates before 1/1/2000 as UTCTime rather than
+    GeneralizedTime.
+    gh#Mbed-TLS/mbedtls#5465
+  * Fix order value of curve x448.
+  * Fix string representation of DNs when outputting values
+    containing commas and other special characters, conforming to
+    RFC 1779.
+    gh#Mbed-TLS/mbedtls#769
+  * Silence a warning from GCC 12 in the selftest program.
+    gh#Mbed-TLS/mbedtls#5974
+  * Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of
+    0.
+  * Fix resource leaks in mbedtls_pk_parse_public_key() in low
+    memory conditions.
+  * Fix server connection identifier setting for outgoing encrypted
+    records on DTLS 1.2 session resumption. After DTLS 1.2 session
+    resumption with connection identifier, the Mbed TLS client now
+    properly sends the server connection identifier in encrypted
+    record headers.
+    gh#Mbed-TLS/mbedtls#5872
+  * Fix a null pointer dereference when performing some operations
+    on zero represented with 0 limbs (specifically
+    mbedtls_mpi_mod_int() dividing by 2, and
+    mbedtls_mpi_write_string() in base 2).
+  * Fix record sizes larger than 16384 being sometimes accepted
+    despite being non-compliant. This could not lead to a buffer
+    overflow. In particular, application data size was already
+    checked correctly.
+
+
 -------------------------------------------------------------------
 Mon Jan 17 13:11:33 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org>
 
diff --git a/mbedtls.spec b/mbedtls.spec
index a4a53cf..d2a8ac2 100644
--- a/mbedtls.spec
+++ b/mbedtls.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package mbedtls
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %define lib_crypto libmbedcrypto7
 %define lib_x509   libmbedx509-1
 Name:           mbedtls
-Version:        2.28.0
+Version:        2.28.1
 Release:        0
 Summary:        Libraries for crypto and SSL/TLS protocols
 License:        Apache-2.0