Accepting request 880551 from home:Guillaume_G:branches:security:tls

- Update to 2.26.0:
  * * This release of Mbed TLS provides bug fixes, minor enhancements and new
  features. This release includes fixes for security issues.
  * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0
- Fix build with patch from https://github.com/ARMmbed/mbedtls/pull/4237

OBS-URL: https://build.opensuse.org/request/show/880551
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=26

mbedtls-2.25.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f838f670f51070bc6b4ebf0c084affd9574652ded435b064969f36ce4e8b586d
-size 3994316

mbedtls-2.26.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:37949e823c7e1f6695fc56858578df355da0770c284b1c1304cfc8b396d539cd
+size 4081036

mbedtls-4237.patch

@@ -0,0 +1,150 @@
+From 29b641688d038143a193c69eac4d6e8eacc934d8 Mon Sep 17 00:00:00 2001
+From: Paul Elliott <paul.elliott@arm.com>
+Date: Wed, 17 Mar 2021 13:02:02 +0000
+Subject: [PATCH 1/2] Fix printf format issue in programs
+
+Fix issues that were missed as part of previous printf attribute
+cleanup
+
+Signed-off-by: Paul Elliott <paul.elliott@arm.com>
+---
+ programs/random/gen_random_havege.c |  2 +-
+ programs/ssl/ssl_pthread_server.c   | 22 ++++++++++++----------
+ 2 files changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/programs/random/gen_random_havege.c b/programs/random/gen_random_havege.c
+index ccca7f3d470..e82e62769e8 100644
+--- a/programs/random/gen_random_havege.c
++++ b/programs/random/gen_random_havege.c
+@@ -81,7 +81,7 @@ int main( int argc, char *argv[] )
+         if( ( ret = mbedtls_havege_random( &hs, buf, sizeof( buf ) ) ) != 0 )
+         {
+             mbedtls_printf( " failed\n  !  mbedtls_havege_random returned -0x%04X",
+-                            -ret );
++                            ( unsigned int ) -ret );
+             goto exit;
+         }
+ 
+diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c
+index c8ab21522ed..c4c6ef1037b 100644
+--- a/programs/ssl/ssl_pthread_server.c
++++ b/programs/ssl/ssl_pthread_server.c
+@@ -142,7 +142,7 @@ static void *handle_ssl_connection( void *data )
+     if( ( ret = mbedtls_ssl_setup( &ssl, thread_info->config ) ) != 0 )
+     {
+         mbedtls_printf( "  [ #%ld ]  failed: mbedtls_ssl_setup returned -0x%04x\n",
+-                thread_id, -ret );
++                thread_id, ( unsigned int ) -ret );
+         goto thread_exit;
+     }
+ 
+@@ -158,7 +158,7 @@ static void *handle_ssl_connection( void *data )
+         if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+         {
+             mbedtls_printf( "  [ #%ld ]  failed: mbedtls_ssl_handshake returned -0x%04x\n",
+-                    thread_id, -ret );
++                    thread_id, ( unsigned int ) -ret );
+             goto thread_exit;
+         }
+     }
+@@ -195,7 +195,7 @@ static void *handle_ssl_connection( void *data )
+ 
+                 default:
+                     mbedtls_printf( "  [ #%ld ]  mbedtls_ssl_read returned -0x%04x\n",
+-                            thread_id, -ret );
++                            thread_id, ( unsigned int ) -ret );
+                     goto thread_exit;
+             }
+         }
+@@ -229,7 +229,7 @@ static void *handle_ssl_connection( void *data )
+         if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+         {
+             mbedtls_printf( "  [ #%ld ]  failed: mbedtls_ssl_write returned -0x%04x\n",
+-                    thread_id, ret );
++                    thread_id, ( unsigned int ) ret );
+             goto thread_exit;
+         }
+     }
+@@ -246,7 +246,7 @@ static void *handle_ssl_connection( void *data )
+             ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+         {
+             mbedtls_printf( "  [ #%ld ]  failed: mbedtls_ssl_close_notify returned -0x%04x\n",
+-                    thread_id, ret );
++                    thread_id, ( unsigned int ) ret );
+             goto thread_exit;
+         }
+     }
+@@ -263,7 +263,7 @@ static void *handle_ssl_connection( void *data )
+         char error_buf[100];
+         mbedtls_strerror( ret, error_buf, 100 );
+         mbedtls_printf("  [ #%ld ]  Last error was: -0x%04x - %s\n\n",
+-               thread_id, -ret, error_buf );
++               thread_id, ( unsigned int ) -ret, error_buf );
+     }
+ #endif
+ 
+@@ -408,7 +408,7 @@ int main( void )
+                                strlen( pers ) ) ) != 0 )
+     {
+         mbedtls_printf( " failed: mbedtls_ctr_drbg_seed returned -0x%04x\n",
+-                -ret );
++                ( unsigned int ) -ret );
+         goto exit;
+     }
+ 
+@@ -425,7 +425,7 @@ int main( void )
+                     MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
+     {
+         mbedtls_printf( " failed: mbedtls_ssl_config_defaults returned -0x%04x\n",
+-                -ret );
++                ( unsigned int ) -ret );
+         goto exit;
+     }
+ 
+@@ -470,7 +470,8 @@ int main( void )
+     {
+         char error_buf[100];
+         mbedtls_strerror( ret, error_buf, 100 );
+-        mbedtls_printf( "  [ main ]  Last error was: -0x%04x - %s\n", -ret, error_buf );
++        mbedtls_printf( "  [ main ]  Last error was: -0x%04x - %s\n", ( unsigned int ) -ret,
++                        error_buf );
+     }
+ #endif
+ 
+@@ -482,7 +483,8 @@ int main( void )
+     if( ( ret = mbedtls_net_accept( &listen_fd, &client_fd,
+                                     NULL, 0, NULL ) ) != 0 )
+     {
+-        mbedtls_printf( "  [ main ] failed: mbedtls_net_accept returned -0x%04x\n", ret );
++        mbedtls_printf( "  [ main ] failed: mbedtls_net_accept returned -0x%04x\n",
++                        ( unsigned int ) ret );
+         goto exit;
+     }
+ 
+
+From 2065a8d8af27c6cb1e40c9462b5933336dca7434 Mon Sep 17 00:00:00 2001
+From: Paul Elliott <paul.elliott@arm.com>
+Date: Wed, 17 Mar 2021 13:12:22 +0000
+Subject: [PATCH 2/2] Reduce level of -Wformat-truncation
+
+Reduce level of format truncation warnings due to issues with false
+positives (an unknown size buffer is always treated as size 1)
+
+Signed-off-by: Paul Elliott <paul.elliott@arm.com>
+---
+ CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 2ab2e01ebf0..14ca7b69625 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -198,7 +198,7 @@ if(CMAKE_COMPILER_IS_GNU)
+         endif()
+     endif()
+     if (GCC_VERSION VERSION_GREATER 7.0 OR GCC_VERSION VERSION_EQUAL 7.0)
+-      set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-overflow=2 -Wformat-truncation=2")
++      set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-overflow=2 -Wformat-truncation")
+     endif()
+     set(CMAKE_C_FLAGS_RELEASE     "-O2")
+     set(CMAKE_C_FLAGS_DEBUG       "-O0 -g3")

mbedtls.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Mar 22 15:54:07 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Update to 2.26.0:
+  * * This release of Mbed TLS provides bug fixes, minor enhancements and new
+  features. This release includes fixes for security issues.
+  * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0
+- Fix build with patch from https://github.com/ARMmbed/mbedtls/pull/4237
+
 -------------------------------------------------------------------
 Tue Jan 19 20:25:34 UTC 2021 - Luigi Baldoni <aloisio@gmx.com>
 

mbedtls.spec

@@ -15,12 +15,11 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
-
 %define lib_tls    libmbedtls13
 %define lib_crypto libmbedcrypto6
 %define lib_x509   libmbedx509-1
 Name:           mbedtls
-Version:        2.25.0
+Version:        2.26.0
 Release:        0
 Summary:        Libraries for crypto and SSL/TLS protocols
 License:        Apache-2.0
@@ -28,6 +27,8 @@ Group:          Development/Libraries/C and C++
 URL:            https://tls.mbed.org
 Source:         https://github.com/ARMmbed/mbedtls/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source99:       baselibs.conf
+# PATCH-FIX-UPSTREAM - https://github.com/ARMmbed/mbedtls/issues/4233
+Patch1:         mbedtls-4237.patch
 BuildRequires:  cmake
 BuildRequires:  ninja
 BuildRequires:  pkgconfig
@@ -87,7 +88,7 @@ a suite of libraries for cryptographic functions and the
 SSL/TLS protocol suite.
 
 %prep
-%autosetup
+%autosetup -p1
 sed -i 's|//\(#define MBEDTLS_ZLIB_SUPPORT\)|\1|' include/mbedtls/config.h
 sed -i 's|//\(#define MBEDTLS_HAVEGE_C\)|\1|' include/mbedtls/config.h
 sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h