From 32885839d99ad4549528a63b4c11f5fc44eff226bc5ebd25b4aff3bea45965e6 Mon Sep 17 00:00:00 2001
From: Martin Pluskal <mpluskal@suse.com>
Date: Tue, 22 Dec 2020 10:24:25 +0000
Subject: [PATCH] Accepting request 858114 from
 home:dirkmueller:branches:security:tls

- update to 2.25.0:
  * This release of Mbed TLS provides bug fixes, minor enhancements and new
  features. This release includes fixes for security issues.
  * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0
  * The functions mbedtls_cipher_auth_encrypt() and
  mbedtls_cipher_auth_decrypt() would write past the minimum documented size
  of the output buffer when used with NIST_KW. As a result, code using those
  functions as documented with NIST_KW could have a buffer overwrite of up to
  15 bytes, with consequences ranging up to arbitrary code execution
  depending on the location of the output buffer.
  * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
  MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating
  Diffie-Hellman key pairs. Credit to OSS-Fuzz.

  * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
  which is how most uses of randomization in asymmetric cryptography (including
  key generation, intermediate value randomization and blinding) are implemented.
  This could cause failures or the silent use of non-random values. A random
  generator can fail if it needs reseeding and cannot not obtain entropy, or due
  to an internal failure (which, for Mbed TLS's own CTR_DRBG or HMAC_DRBG, can
  only happen due to a misconfiguration).

  * Fix a compliance issue whereby we were not checking the tag on the algorithm
  parameters (only the size) when comparing the signature in the description part
  of the cert to the real signature. This meant that a NULL algorithm parameters
  entry would look identical to an array of REAL (size zero) to the library and
  thus the certificate would be considered valid. However, if the parameters do
  not match in any way then the certificate should be considered invalid, and
  indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks
  to guidovranken who found this issue via differential fuzzing and reported it

OBS-URL: https://build.opensuse.org/request/show/858114
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=22
---
 baselibs.conf   |  2 +-
 mbedtls.changes | 43 +++++++++++++++++++++++++++++++++++++++++++
 mbedtls.spec    |  4 ++--
 v2.24.0.tar.gz  |  3 ---
 v2.25.0.tar.gz  |  3 +++
 5 files changed, 49 insertions(+), 6 deletions(-)
 delete mode 100644 v2.24.0.tar.gz
 create mode 100644 v2.25.0.tar.gz

diff --git a/baselibs.conf b/baselibs.conf
index a891abe..bbe6294 100644
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1,3 +1,3 @@
 libmbedtls13
 libmbedx509-1
-libmbedcrypto5
+libmbedcrypto6
diff --git a/mbedtls.changes b/mbedtls.changes
index 9fca37d..b4ca75c 100644
--- a/mbedtls.changes
+++ b/mbedtls.changes
@@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Tue Dec 22 10:11:45 UTC 2020 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.25.0:
+  * This release of Mbed TLS provides bug fixes, minor enhancements and new
+  features. This release includes fixes for security issues. 
+  * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0
+
+  * The functions mbedtls_cipher_auth_encrypt() and
+  mbedtls_cipher_auth_decrypt() would write past the minimum documented size
+  of the output buffer when used with NIST_KW. As a result, code using those
+  functions as documented with NIST_KW could have a buffer overwrite of up to
+  15 bytes, with consequences ranging up to arbitrary code execution
+  depending on the location of the output buffer.
+
+  * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
+  MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating
+  Diffie-Hellman key pairs. Credit to OSS-Fuzz.
+  
+  * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
+  which is how most uses of randomization in asymmetric cryptography (including
+  key generation, intermediate value randomization and blinding) are implemented.
+  This could cause failures or the silent use of non-random values. A random
+  generator can fail if it needs reseeding and cannot not obtain entropy, or due
+  to an internal failure (which, for Mbed TLS's own CTR_DRBG or HMAC_DRBG, can
+  only happen due to a misconfiguration).
+  
+  * Fix a compliance issue whereby we were not checking the tag on the algorithm
+  parameters (only the size) when comparing the signature in the description part
+  of the cert to the real signature. This meant that a NULL algorithm parameters
+  entry would look identical to an array of REAL (size zero) to the library and
+  thus the certificate would be considered valid. However, if the parameters do
+  not match in any way then the certificate should be considered invalid, and
+  indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks
+  to guidovranken who found this issue via differential fuzzing and reported it
+  in #3629.
+  
+  * Zeroising of local buffers and variables which are used for calculations in
+  mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
+  mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
+  functions to erase sensitive data from memory. Reported by Johan Malmgren and
+  Johan Uppman Bruce from Sectra.
+
 -------------------------------------------------------------------
 Wed Sep  9 11:24:12 UTC 2020 - Dirk Mueller <dmueller@suse.com>
 
diff --git a/mbedtls.spec b/mbedtls.spec
index 7c0fd37..5a97022 100644
--- a/mbedtls.spec
+++ b/mbedtls.spec
@@ -17,10 +17,10 @@
 
 
 %define lib_tls    libmbedtls13
-%define lib_crypto libmbedcrypto5
+%define lib_crypto libmbedcrypto6
 %define lib_x509   libmbedx509-1
 Name:           mbedtls
-Version:        2.24.0
+Version:        2.25.0
 Release:        0
 Summary:        Libraries for crypto and SSL/TLS protocols
 License:        Apache-2.0
diff --git a/v2.24.0.tar.gz b/v2.24.0.tar.gz
deleted file mode 100644
index 4b550eb..0000000
--- a/v2.24.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d436ae4892bd80329ca18a3960052fbb42d3f1f46c7519711d6763621ca6cfa0
-size 3911881
diff --git a/v2.25.0.tar.gz b/v2.25.0.tar.gz
new file mode 100644
index 0000000..e54056b
--- /dev/null
+++ b/v2.25.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f838f670f51070bc6b4ebf0c084affd9574652ded435b064969f36ce4e8b586d
+size 3994316