Accepting request 837996 from home:dirkmueller:branches:security:tls
- update to 2.24.0: * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 * Fix a vulnerability in the verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify()) with the actual certificate name: when the subjecAltName extension is present, the expected name was compared to any name in that extension regardless of its type. This means that an attacker could for example impersonate a 4-bytes or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 (this would require the attacker to control that IP address, though). Similar attacks using other subjectAltName name types might be possible. * When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, certificates were never considered as revoked. On builds with MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for example, an untrusted OS attacking a secure enclave) could prevent revocation of certificates via CRLs. Fixed by no longer checking the revocationDate field, in accordance with RFC 5280. Reported by yuemonangong in #3340. Reported independently and fixed by Raoul Strackx and Jethro * In (D)TLS record decryption, when using a CBC ciphersuites without the Encrypt-then-Mac extension, use constant code flow memory access patterns to extract and check the MAC. This is an improvement to the existing countermeasure against Lucky 13 attacks. The previous countermeasure was effective against network-based attackers, but less so against local attackers. The new countermeasure defends against local attackers, even if they have access to fine-grained measurements. In particular, this fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University). OBS-URL: https://build.opensuse.org/request/show/837996 OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=20
This commit is contained in:
parent
6a77a4ff04
commit
874cecdf09
@ -1,3 +1,47 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 9 11:24:12 UTC 2020 - Dirk Mueller <dmueller@suse.com>
|
||||||
|
|
||||||
|
- update to 2.24.0:
|
||||||
|
* see https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
|
||||||
|
* Fix a vulnerability in the verification of X.509 certificates when matching
|
||||||
|
the expected common name (the cn argument of mbedtls_x509_crt_verify())
|
||||||
|
with the actual certificate name: when the subjecAltName extension is
|
||||||
|
present, the expected name was compared to any name in that extension
|
||||||
|
regardless of its type. This means that an attacker could for example
|
||||||
|
impersonate a 4-bytes or 16-byte domain by getting a certificate for the
|
||||||
|
corresponding IPv4 or IPv6 (this would require the attacker to control that
|
||||||
|
IP address, though). Similar attacks using other subjectAltName name types
|
||||||
|
might be possible.
|
||||||
|
* When checking X.509 CRLs, a certificate was only considered as revoked if
|
||||||
|
its revocationDate was in the past according to the local clock if
|
||||||
|
available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
|
||||||
|
certificates were never considered as revoked. On builds with
|
||||||
|
MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
|
||||||
|
example, an untrusted OS attacking a secure enclave) could prevent
|
||||||
|
revocation of certificates via CRLs. Fixed by no longer checking the
|
||||||
|
revocationDate field, in accordance with RFC 5280. Reported by yuemonangong
|
||||||
|
in #3340. Reported independently and fixed by Raoul Strackx and Jethro
|
||||||
|
* In (D)TLS record decryption, when using a CBC ciphersuites without the
|
||||||
|
Encrypt-then-Mac extension, use constant code flow memory access patterns
|
||||||
|
to extract and check the MAC. This is an improvement to the existing
|
||||||
|
countermeasure against Lucky 13 attacks. The previous countermeasure was
|
||||||
|
effective against network-based attackers, but less so against local
|
||||||
|
attackers. The new countermeasure defends against local attackers, even if
|
||||||
|
they have access to fine-grained measurements. In particular, this fixes a
|
||||||
|
local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan
|
||||||
|
Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of
|
||||||
|
Florida) and Dave Tian (Purdue University).
|
||||||
|
* Fix side channel in RSA private key operations and static (finite-field)
|
||||||
|
Diffie-Hellman. An adversary with precise enough timing and memory access
|
||||||
|
information (typically an untrusted operating system attacking a secure
|
||||||
|
enclave) could bypass an existing counter-measure (base blinding) and
|
||||||
|
potentially fully recover the private key.
|
||||||
|
* Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to
|
||||||
|
OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing
|
||||||
|
the problematic code.
|
||||||
|
* Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
|
||||||
|
application data from memory.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Sep 7 01:37:34 UTC 2020 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
|
Mon Sep 7 01:37:34 UTC 2020 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
|
||||||
|
|
||||||
|
@ -20,7 +20,7 @@
|
|||||||
%define lib_crypto libmbedcrypto5
|
%define lib_crypto libmbedcrypto5
|
||||||
%define lib_x509 libmbedx509-1
|
%define lib_x509 libmbedx509-1
|
||||||
Name: mbedtls
|
Name: mbedtls
|
||||||
Version: 2.23.0
|
Version: 2.24.0
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Libraries for crypto and SSL/TLS protocols
|
Summary: Libraries for crypto and SSL/TLS protocols
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:9933fe6b5991d5308e183a5a07454f76d7054721ba269d0c3811b227cb629e7a
|
|
||||||
size 3877270
|
|
3
v2.24.0.tar.gz
Normal file
3
v2.24.0.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:d436ae4892bd80329ca18a3960052fbb42d3f1f46c7519711d6763621ca6cfa0
|
||||||
|
size 3911881
|
Loading…
Reference in New Issue
Block a user