diff --git a/mbedtls-2.3.0-apache.tgz b/mbedtls-2.3.0-apache.tgz
deleted file mode 100644
index df976b9..0000000
--- a/mbedtls-2.3.0-apache.tgz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:590734c8bc8b3ac48e9123d44bf03562e91f8dce0d1ac2615c318c077f3215b2
-size 1896335
diff --git a/mbedtls-2.4.0-apache.tgz b/mbedtls-2.4.0-apache.tgz
new file mode 100644
index 0000000..21f7009
--- /dev/null
+++ b/mbedtls-2.4.0-apache.tgz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c1c3559ed39f7a1b1550c4cf4ccb918bf239301a3311d98dda92bed8a25b7f0d
+size 1917968
diff --git a/mbedtls.changes b/mbedtls.changes
index 17723b3..8eedffd 100644
--- a/mbedtls.changes
+++ b/mbedtls.changes
@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Sun Nov 13 18:18:58 UTC 2016 - mpluskal@suse.com
+
+- Update to version 2.4.0:
+ * Removes the MBEDTLS_SSL_AEAD_RANDOM_IV configuration option,
+ because it was not compliant with RFC-5116 and could lead to
+ session key recovery in very long TLS sessions.
+ * Fixes potential stack corruption in mbedtls_x509write_crt_der()
+ and mbedtls_x509write_csr_der() when the signature is copied to
+ the buffer without checking whether there is enough space in
+ the destination. The issue cannot be triggered remotely.
+ * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128,
+ as defined by NIST SP 800-38B, RFC-4493 and RFC-4615.
+ * Added hardware entropy self-test to verify that the hardware
+ entropy source is functioning correctly.
+ * Added a script to print build environment information for
+ diagnostic use in test scripts, which is also now called by
+ all.sh verification script.
+ * Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the
+ user to configure the maximum length of a file path that can be
+ buffered when calling mbedtls_x509_crt_parse_path().
+ * Added a configuration file config-no-entropy.h that configures
+ the subset of library features that do not require an entropy
+ source.
+ * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This
+ allows users to configure the minimum number of bytes for
+ entropy sources using the mbedtls_hardware_poll() function.
+ * Miscelanous bugfixes
+- Drop no longer needed mbedtls_fix522.patch
+
 -------------------------------------------------------------------
 Sat Aug 27 11:11:20 UTC 2016 - mpluskal@suse.com
diff --git a/mbedtls.spec b/mbedtls.spec
index 031faee..bf8cf50 100644
--- a/mbedtls.spec
+++ b/mbedtls.spec
@@ -20,7 +20,7 @@
 %define lib_crypto libmbedcrypto0
 %define lib_x509 libmbedx509-0
 Name: mbedtls
-Version: 2.3.0
+Version: 2.4.0
 Release: 0
 Summary: Libraries for crypto and SSL/TLS protocols
 License: Apache-2.0
@@ -28,7 +28,6 @@ Group: Development/Libraries/C and C++
 Url: https://tls.mbed.org
 Source: https://tls.mbed.org/download/%{name}-%{version}-apache.tgz
 Source99: baselibs.conf
-Patch0: mbedtls_fix522.patch
 BuildRequires: cmake
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(libpkcs11-helper-1)
@@ -89,7 +88,6 @@ SSL/TLS protocol suite.
 %prep
 %setup -q
-%patch0 -p1
 sed -i 's|//\(#define MBEDTLS_ZLIB_SUPPORT\)|\1|' include/mbedtls/config.h
 sed -i 's|//\(#define MBEDTLS_HAVEGE_C\)|\1|' include/mbedtls/config.h
 sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h
diff --git a/mbedtls_fix522.patch b/mbedtls_fix522.patch
deleted file mode 100644
index 10f7ef7..0000000
--- a/mbedtls_fix522.patch
+++ /dev/null
@@ -1,392 +0,0 @@ -From b5b6af2663fdb7f57c30494607bade90810f6844 Mon Sep 17 00:00:00 2001 -From: Simon Butcher -Date: Wed, 13 Jul 2016 14:46:18 +0100 -Subject: [PATCH 1/3] Puts platform time abstraction into its own header - -Separates platform time abstraction into it's own header from the -general platform abstraction as both depend on different build options. -(MBEDTLS_PLATFORM_C vs MBEDTLS_HAVE_TIME) ---- - include/mbedtls/platform.h | 37 ++----------------- - include/mbedtls/platform_time.h | 81 +++++++++++++++++++++++++++++++++++++++++ - include/mbedtls/ssl.h | 2 +- - library/net.c | 1 - - library/ssl_cache.c | 2 - - library/ssl_ciphersuites.c | 1 - - library/ssl_cli.c | 4 +- - library/ssl_cookie.c | 2 - - library/ssl_srv.c | 4 +- - library/ssl_ticket.c | 2 - - library/ssl_tls.c | 1 - - library/x509.c | 7 +++- - programs/ssl/dtls_client.c | 1 - - 13 files changed, 93 insertions(+), 52 deletions(-) - create mode 100644 include/mbedtls/platform_time.h - -diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h -index caf8f25..b1b019e 100644 ---- a/include/mbedtls/platform.h -+++ b/include/mbedtls/platform.h -@@ -29,6 +29,10 @@ - #include MBEDTLS_CONFIG_FILE - #endif - -+#if defined(MBEDTLS_HAVE_TIME) -+#include "mbedtls/platform_time.h" -+#endif -+ - #ifdef __cplusplus - extern "C" { - #endif -@@ -244,39 +248,6 @@ int mbedtls_platform_set_exit( void (*exit_func)( int status ) ); - #endif - - /* -- * The time_t datatype -- */ --#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO) --typedef MBEDTLS_PLATFORM_TIME_TYPE_MACRO mbedtls_time_t; --#else --/* For time_t */ --#include --typedef time_t mbedtls_time_t; --#endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */ -- --/* -- * The function pointers for time -- */ --#if defined(MBEDTLS_PLATFORM_TIME_ALT) --extern mbedtls_time_t (*mbedtls_time)( mbedtls_time_t* time ); -- --/** -- * \brief Set your own time function pointer -- * -- * \param time_func the time function implementation -- * -- * \return 0 -- */ --int 
mbedtls_platform_set_time( mbedtls_time_t (*time_func)( mbedtls_time_t* time ) ); --#else --#if defined(MBEDTLS_PLATFORM_TIME_MACRO) --#define mbedtls_time MBEDTLS_PLATFORM_TIME_MACRO --#else --#define mbedtls_time time --#endif /* MBEDTLS_PLATFORM_TIME_MACRO */ --#endif /* MBEDTLS_PLATFORM_TIME_ALT */ -- --/* - * The function pointers for reading from and writing a seed file to - * Non-Volatile storage (NV) in a platform-independent way - * -diff --git a/include/mbedtls/platform_time.h b/include/mbedtls/platform_time.h -new file mode 100644 -index 0000000..abb3431 ---- /dev/null -+++ b/include/mbedtls/platform_time.h -@@ -0,0 +1,81 @@ -+/** -+ * \file platform_time.h -+ * -+ * \brief mbed TLS Platform time abstraction -+ * -+ * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved -+ * SPDX-License-Identifier: Apache-2.0 -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); you may -+ * not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ * -+ * This file is part of mbed TLS (https://tls.mbed.org) -+ */ -+#ifndef MBEDTLS_PLATFORM_TIME_H -+#define MBEDTLS_PLATFORM_TIME_H -+ -+#if !defined(MBEDTLS_CONFIG_FILE) -+#include "config.h" -+#else -+#include MBEDTLS_CONFIG_FILE -+#endif -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/** -+ * \name SECTION: Module settings -+ * -+ * The configuration options you can set for this module are in this section. -+ * Either change them in config.h or define them on the compiler command line. 
-+ * \{ -+ */ -+ -+/* -+ * The time_t datatype -+ */ -+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO) -+typedef MBEDTLS_PLATFORM_TIME_TYPE_MACRO mbedtls_time_t; -+#else -+/* For time_t */ -+#include -+typedef time_t mbedtls_time_t; -+#endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */ -+ -+/* -+ * The function pointers for time -+ */ -+#if defined(MBEDTLS_PLATFORM_TIME_ALT) -+extern mbedtls_time_t (*mbedtls_time)( mbedtls_time_t* time ); -+ -+/** -+ * \brief Set your own time function pointer -+ * -+ * \param time_func the time function implementation -+ * -+ * \return 0 -+ */ -+int mbedtls_platform_set_time( mbedtls_time_t (*time_func)( mbedtls_time_t* time ) ); -+#else -+#if defined(MBEDTLS_PLATFORM_TIME_MACRO) -+#define mbedtls_time MBEDTLS_PLATFORM_TIME_MACRO -+#else -+#define mbedtls_time time -+#endif /* MBEDTLS_PLATFORM_TIME_MACRO */ -+#endif /* MBEDTLS_PLATFORM_TIME_ALT */ -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif /* platform_time.h */ -diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h -index 82c0760..c0bfd3e 100644 ---- a/include/mbedtls/ssl.h -+++ b/include/mbedtls/ssl.h -@@ -52,7 +52,7 @@ - #endif - - #if defined(MBEDTLS_HAVE_TIME) --#include -+#include "mbedtls/platform_time.h" - #endif - - /* -diff --git a/library/net.c b/library/net.c -index 4142bc0..8b96321 100644 ---- a/library/net.c -+++ b/library/net.c -@@ -36,7 +36,6 @@ - #include "mbedtls/platform.h" - #else - #include --#define mbedtls_time_t time_t - #endif - - #include "mbedtls/net.h" -diff --git a/library/ssl_cache.c b/library/ssl_cache.c -index 01c66ae..9b62de2 100644 ---- a/library/ssl_cache.c -+++ b/library/ssl_cache.c -@@ -37,8 +37,6 @@ - #include - #define mbedtls_calloc calloc - #define mbedtls_free free --#define mbedtls_time time --#define mbedtls_time_t time_t - #endif - - #include "mbedtls/ssl_cache.h" -diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c -index 3546331..a762bf7 100644 ---- a/library/ssl_ciphersuites.c -+++ b/library/ssl_ciphersuites.c -@@ 
-33,7 +33,6 @@ - #include "mbedtls/platform.h" - #else - #include --#define mbedtls_time_t time_t - #endif - - #include "mbedtls/ssl_ciphersuites.h" -diff --git a/library/ssl_cli.c b/library/ssl_cli.c -index cd39db0..358dc46 100644 ---- a/library/ssl_cli.c -+++ b/library/ssl_cli.c -@@ -33,8 +33,6 @@ - #include - #define mbedtls_calloc calloc - #define mbedtls_free free --#define mbedtls_time time --#define mbedtls_time_t time_t - #endif - - #include "mbedtls/debug.h" -@@ -46,7 +44,7 @@ - #include - - #if defined(MBEDTLS_HAVE_TIME) --#include -+#include "mbedtls/platform_time.h" - #endif - - #if defined(MBEDTLS_SSL_SESSION_TICKETS) -diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c -index f241c86..9fb32de 100644 ---- a/library/ssl_cookie.c -+++ b/library/ssl_cookie.c -@@ -36,8 +36,6 @@ - #else - #define mbedtls_calloc calloc - #define mbedtls_free free --#define mbedtls_time time --#define mbedtls_time_t time_t - #endif - - #include "mbedtls/ssl_cookie.h" -diff --git a/library/ssl_srv.c b/library/ssl_srv.c -index 7271045..ec59cc1 100644 ---- a/library/ssl_srv.c -+++ b/library/ssl_srv.c -@@ -33,8 +33,6 @@ - #include - #define mbedtls_calloc calloc - #define mbedtls_free free --#define mbedtls_time time --#define mbedtls_time_t time_t - #endif - - #include "mbedtls/debug.h" -@@ -48,7 +46,7 @@ - #endif - - #if defined(MBEDTLS_HAVE_TIME) --#include -+#include "mbedtls/platform_time.h" - #endif - - #if defined(MBEDTLS_SSL_SESSION_TICKETS) -diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c -index 5d77403..4d9116d 100644 ---- a/library/ssl_ticket.c -+++ b/library/ssl_ticket.c -@@ -33,8 +33,6 @@ - #include - #define mbedtls_calloc calloc - #define mbedtls_free free --#define mbedtls_time time --#define mbedtls_time_t time_t - #endif - - #include "mbedtls/ssl_ticket.h" -diff --git a/library/ssl_tls.c b/library/ssl_tls.c -index 80a908d..505bb6c 100644 ---- a/library/ssl_tls.c -+++ b/library/ssl_tls.c -@@ -41,7 +41,6 @@ - #include - #define mbedtls_calloc calloc 
- #define mbedtls_free free --#define mbedtls_time_t time_t - #endif - - #include "mbedtls/debug.h" -diff --git a/library/x509.c b/library/x509.c -index a0df817..bc3bfe0 100644 ---- a/library/x509.c -+++ b/library/x509.c -@@ -55,12 +55,15 @@ - #include - #define mbedtls_free free - #define mbedtls_calloc calloc --#define mbedtls_time time --#define mbedtls_time_t time_t - #define mbedtls_printf printf - #define mbedtls_snprintf snprintf - #endif - -+ -+#if defined(MBEDTLS_HAVE_TIME) -+#include "mbedtls/platform_time.h" -+#endif -+ - #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) - #include - #else -diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c -index 14fb612..b37eb83 100644 ---- a/programs/ssl/dtls_client.c -+++ b/programs/ssl/dtls_client.c -@@ -31,7 +31,6 @@ - #include - #define mbedtls_printf printf - #define mbedtls_fprintf fprintf --#define mbedtls_time_t time_t - #endif - - #if !defined(MBEDTLS_SSL_CLI_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \ - -From b92834324f29768a5bf39c58c674c5f3c09b6763 Mon Sep 17 00:00:00 2001 -From: Simon Butcher -Date: Wed, 13 Jul 2016 11:02:41 +0100 -Subject: [PATCH 2/3] Fixes all.sh for full config - -MBEDTLS_PLATFORM_TIME_ALT was accidentally left in the full config test -leading to linker problems. 
---- - tests/scripts/all.sh | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh -index 5262397..a2b0995 100755 ---- a/tests/scripts/all.sh -+++ b/tests/scripts/all.sh -@@ -231,6 +231,7 @@ scripts/config.pl unset MBEDTLS_PLATFORM_MEMORY - scripts/config.pl unset MBEDTLS_PLATFORM_PRINTF_ALT - scripts/config.pl unset MBEDTLS_PLATFORM_FPRINTF_ALT - scripts/config.pl unset MBEDTLS_PLATFORM_SNPRINTF_ALT -+scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT - scripts/config.pl unset MBEDTLS_PLATFORM_EXIT_ALT - scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED - scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C - -From 23e9778684ba734dbfba1445e145b04dd6b59e76 Mon Sep 17 00:00:00 2001 -From: Simon Butcher -Date: Wed, 13 Jul 2016 13:31:08 +0100 -Subject: [PATCH 3/3] Adds missing conditions for platform time - -In platform.c, made the time functions dependent on the configuration -MBEDTLS_HAVE_TIME to fix a build break where the functions could be -built but the mbedtls_time_t was not defined. ---- - library/platform.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/library/platform.c b/library/platform.c -index 68ca45d..2591c45 100644 ---- a/library/platform.c -+++ b/library/platform.c -@@ -190,6 +190,8 @@ int mbedtls_platform_set_exit( void (*exit_func)( int status ) ) - } - #endif /* MBEDTLS_PLATFORM_EXIT_ALT */ - -+#if defined(MBEDTLS_HAVE_TIME) -+ - #if defined(MBEDTLS_PLATFORM_TIME_ALT) - #if !defined(MBEDTLS_PLATFORM_STD_TIME) - /* -@@ -213,6 +215,8 @@ int mbedtls_platform_set_time( mbedtls_time_t (*time_func)( mbedtls_time_t* time - } - #endif /* MBEDTLS_PLATFORM_TIME_ALT */ - -+#endif /* MBEDTLS_HAVE_TIME */ -+ - #if defined(MBEDTLS_ENTROPY_NV_SEED) - #if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO) - /* Default implementations for the platform independent seed functions use