Accepting request 593915 from devel:libraries:c_c++

- Update to version 2.8.0:
  * Security:
    + Defend against Bellcore glitch attacks by verifying the results of RSA private key operations.
    + Fix implementation of the truncated HMAC extension. The previous implementation allowed an offline 2^80 brute force attack on the HMAC key of a single, uninterrupted connection (with no resumption of the session).
    + Reject CRLs containing unsupported critical extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
    + Fix a buffer overread in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
    + Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a crash on invalid input.
  * Features:
    + Enable reading encrypted PEM files produced by software that uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli, OpenVPN Inc. Fixes #1339
    + Support public keys encoded in PKCS#1 format. #1122
  * New deprecations:
    + Compression and crypto don't mix. We don't recommend using compression and cryptography, and have deprecated support for record compression (configuration option MBEDTLS_ZLIB_SUPPORT).
  * Bugfix:
    + Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct. In the context of SSL, this resulted in handshake failure. Reported by daniel in the Mbed TLS forum. #1351
    + Fix setting version TLSv1 as minimal version, even if TLS 1 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION and MBEDTLS_SSL_MIN_MINOR_VERSION instead of MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
    + Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE only if __MINGW32__ is not defined. Fix suggested by Thomas Glanzmann and Nick Wilson on issue #355
    + Fix memory allocation corner cases in memory_buffer_alloc.c module. Found by Guido Vranken. #639
    + Don't accept an invalid tag when parsing X.509 subject alternative names in some circumstances.
    + Fix a possible arithmetic overflow in ssl_parse_server_key_exchange() that could cause a key exchange to fail on valid data.
    + Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that could cause a key exchange to fail on valid data.
    + Fix a 1-byte heap buffer overflow (read-only) during private key parsing. Found through fuzz testing.
  * Changes
    + Fix tag lengths and value ranges in the documentation of CCM encryption. Contributed by Mathieu Briand.
    + Fix a typo in a comment in ctr_drbg.c. Contributed by Paul Sokolovsky.
    + Remove support for the library reference configuration for picocoin.
    + MD functions deprecated in 2.7.0 are no longer inline, to provide a migration path for those depending on the library's ABI.
    + Use (void) when defining functions with no parameters. Contributed by Joris Aerts. #678

OBS-URL: https://build.opensuse.org/request/show/593915
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=16

mbedtls-2.7.0-apache.tgz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:aeb66d6cd43aa1c79c145d15845c655627a7fc30d624148aaafbb6c36d7f55ef
-size 2108442

mbedtls-2.8.0-apache.tgz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ab8b62b995781bcf22e87a265ed06267f87c3041198e996b44441223d19fa9c3
+size 2136782

mbedtls.changes

@@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Fri Apr  6 08:17:46 UTC 2018 - mpluskal@suse.com
+
+- Update to version 2.8.0:
+  * Security:
+    + Defend against Bellcore glitch attacks by verifying the results of RSA private key operations.
+    + Fix implementation of the truncated HMAC extension. The previous implementation allowed an offline 2^80 brute force attack on the HMAC key of a single, uninterrupted connection (with no resumption of the session).
+    + Reject CRLs containing unsupported critical extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
+    + Fix a buffer overread in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
+    + Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a crash on invalid input.
+  * Features:
+    + Enable reading encrypted PEM files produced by software that uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli, OpenVPN Inc. Fixes #1339
+    + Support public keys encoded in PKCS#1 format. #1122
+  * New deprecations:
+    + Compression and crypto don't mix. We don't recommend using compression and cryptography, and have deprecated support for record compression (configuration option MBEDTLS_ZLIB_SUPPORT).
+  * Bugfix:
+    + Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct. In the context of SSL, this resulted in handshake failure. Reported by daniel in the Mbed TLS forum. #1351
+    + Fix setting version TLSv1 as minimal version, even if TLS 1 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION and MBEDTLS_SSL_MIN_MINOR_VERSION instead of MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
+    + Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE only if __MINGW32__ is not defined. Fix suggested by Thomas Glanzmann and Nick Wilson on issue #355
+    + Fix memory allocation corner cases in memory_buffer_alloc.c module. Found by Guido Vranken. #639
+    + Don't accept an invalid tag when parsing X.509 subject alternative names in some circumstances.
+    + Fix a possible arithmetic overflow in ssl_parse_server_key_exchange() that could cause a key exchange to fail on valid data.
+    + Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that could cause a key exchange to fail on valid data.
+    + Fix a 1-byte heap buffer overflow (read-only) during private key parsing. Found through fuzz testing.
+  * Changes
+    + Fix tag lengths and value ranges in the documentation of CCM encryption. Contributed by Mathieu Briand.
+    + Fix a typo in a comment in ctr_drbg.c. Contributed by Paul Sokolovsky.
+    + Remove support for the library reference configuration for picocoin.
+    + MD functions deprecated in 2.7.0 are no longer inline, to provide a migration path for those depending on the library's ABI.
+    + Use (void) when defining functions with no parameters. Contributed by Joris Aerts. #678
+
 -------------------------------------------------------------------
 Thu Mar  8 09:32:12 UTC 2018 - mpluskal@suse.com
 

mbedtls.spec

@@ -20,7 +20,7 @@
 %define lib_crypto libmbedcrypto1
 %define lib_x509   libmbedx509-0
 Name:           mbedtls
-Version:        2.7.0
+Version:        2.8.0
 Release:        0
 Summary:        Libraries for crypto and SSL/TLS protocols
 License:        Apache-2.0
@@ -86,7 +86,7 @@ a suite of libraries for cryptographic functions and the
 SSL/TLS protocol suite.
 
 %prep
-%setup -q
+%autosetup
 sed -i 's|//\(#define MBEDTLS_ZLIB_SUPPORT\)|\1|' include/mbedtls/config.h
 sed -i 's|//\(#define MBEDTLS_HAVEGE_C\)|\1|' include/mbedtls/config.h
 sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h