Accepting request 827276 from home:dirkmueller:branches:security:tls

- update to 2.23.0: a lot of changes see https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0 * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246. OBS-URL: https://build.opensuse.org/request/show/827276 OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=15
2020-08-17 10:36:14 +00:00 · 2020-08-17 10:36:14 +00:00 · ddd7fc109e
commit ddd7fc109e
parent 4f3728d555
5 changed files with 22 additions and 11 deletions
--- a/baselibs.conf
+++ b/baselibs.conf
@ -1,3 +1,3 @@
-libmbedtls12
-libmbedx509-0
-libmbedcrypto3
+libmbedtls13
+libmbedx509-1
+libmbedcrypto5
--- a/mbedtls-2.16.5-apache.tgz
+++ b/mbedtls-2.16.5-apache.tgz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:65b4c6cec83e048fd1c675e9a29a394ea30ad0371d37b5742453f74084e7b04d
-size 2695416
--- a/mbedtls.changes
+++ b/mbedtls.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Aug 17 07:53:22 UTC 2020 - Dirk Mueller <dmueller@suse.com>
+
+- update to 2.23.0:
+  a lot of changes see https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0
+  * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
+  * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
+  * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.
+
 -------------------------------------------------------------------
 Thu Apr  2 10:16:05 UTC 2020 - Martin Pluskal <mpluskal@suse.com>

--- a/mbedtls.spec
+++ b/mbedtls.spec
@ -16,17 +16,17 @@
 #


-%define lib_tls    libmbedtls12
-%define lib_crypto libmbedcrypto3
-%define lib_x509   libmbedx509-0
+%define lib_tls    libmbedtls13
+%define lib_crypto libmbedcrypto5
+%define lib_x509   libmbedx509-1
 Name:           mbedtls
-Version:        2.16.5
+Version:        2.23.0
 Release:        0
 Summary:        Libraries for crypto and SSL/TLS protocols
 License:        Apache-2.0
 Group:          Development/Libraries/C and C++
 URL:            https://tls.mbed.org
-Source:         https://tls.mbed.org/download/%{name}-%{version}-apache.tgz
+Source:         https://github.com/ARMmbed/mbedtls/archive/v%{version}.tar.gz
 Source99:       baselibs.conf
 BuildRequires:  cmake
 BuildRequires:  ninja
@ -123,7 +123,9 @@ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{_builddir}/%{name}-%{version}/build/li
 %license LICENSE
 %doc ChangeLog README.md
 %dir %{_includedir}/mbedtls
+%dir %{_includedir}/psa
 %{_includedir}/mbedtls/*.h
+%{_includedir}/psa/*.h
 %{_libdir}/libmbedtls.so
 %{_libdir}/libmbedcrypto.so
 %{_libdir}/libmbedx509.so
--- a/v2.23.0.tar.gz
+++ b/v2.23.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9933fe6b5991d5308e183a5a07454f76d7054721ba269d0c3811b227cb629e7a
+size 3877270