Commit Graph

83 Commits

Author SHA256 Message Date
Martin Pluskal
6a77a4ff04 Accepting request 832637 from home:StefanBruens:branches:security:tls
- Add workaround for failing builds (Python not found) due to
  https://gitlab.kitware.com/cmake/cmake/-/issues/21168

OBS-URL: https://build.opensuse.org/request/show/832637
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=18
2020-09-07 06:46:16 +00:00
Dominique Leuenberger
51b1b25a44 Accepting request 830740 from security:tls
- Do not run testsuite in parallel - it's not reliable

- update to 2.23.0:
  a lot of changes see https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0
  * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
  * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
  * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.

OBS-URL: https://build.opensuse.org/request/show/830740
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=24
2020-09-04 08:51:34 +00:00
Martin Pluskal
85984f4eca - Do not run testsuite in parallel - it's not reliable
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=16
2020-08-31 10:41:37 +00:00
Martin Pluskal
ddd7fc109e Accepting request 827276 from home:dirkmueller:branches:security:tls
- update to 2.23.0:
  a lot of changes see https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0
  * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
  * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
  * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.

OBS-URL: https://build.opensuse.org/request/show/827276
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=15
2020-08-17 10:36:14 +00:00
Dominique Leuenberger
5aeac1e8bc Accepting request 790837 from security:tls
- Update to version 2.16.5:
  * Security improvements and bugfixes

OBS-URL: https://build.opensuse.org/request/show/790837
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=23
2020-04-07 08:23:11 +00:00
Martin Pluskal
4f3728d555 - Update to version 2.16.5:
* Security improvements and bugfixes

OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=13
2020-04-02 10:17:32 +00:00
Dominique Leuenberger
1677a8dfc9 Accepting request 748322 from security:tls
- Update to version 2.16.3:
  * Security improvements and bugfixes

OBS-URL: https://build.opensuse.org/request/show/748322
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=22
2019-11-18 19:00:44 +00:00
Martin Pluskal
d2badd0cc7 OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=11
2019-11-13 14:17:05 +00:00
Martin Pluskal
8027af5a7c - Update to version 2.16.3:
* Security improvements and bugfixes

OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=10
2019-11-13 13:56:17 +00:00
Dominique Leuenberger
9b8edb4baf Accepting request 728035 from security:tls
- Update to version 2.16.2:
  * Security improvements and bugfixes
- Use ninja for build

OBS-URL: https://build.opensuse.org/request/show/728035
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=21
2019-09-07 10:35:09 +00:00
Martin Pluskal
ad3ba32890 - Update to version 2.16.2:
* Security improvements and bugfixes
- Use ninja for build

OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=8
2019-09-03 15:04:20 +00:00
Dominique Leuenberger
31fb0ed8a1 Accepting request 663383 from security:tls
- Update to version 2.16.0:

OBS-URL: https://build.opensuse.org/request/show/663383
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=20
2019-01-15 12:13:45 +00:00
Martin Pluskal
9769394294 - Update to version 2.16.0:
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=6
2019-01-07 15:23:33 +00:00
Dominique Leuenberger
2f4ce5bdae Accepting request 657256 from security:tls
OBS-URL: https://build.opensuse.org/request/show/657256
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=19
2018-12-19 12:27:41 +00:00
Tomáš Chvátal
1791b616af Accepting request 657220 from home:pmonrealgonzalez:branches:security:tls
- Library package version bumped to libmbedtls12

- Update to version 2.14.1: [bsc#1118727, CVE-2018-19608]
  Security
   * Fix timing variations and memory access variations in RSA PKCS#1 v1.5
     decryption that could lead to a Bleichenbacher-style padding oracle
     attack. In TLS, this affects servers that accept ciphersuites based on
     RSA decryption (i.e. ciphersuites whose name contains RSA but not
     (EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
     (University of Adelaide), Daniel Genkin (University of Michigan),
     Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
     (University of Adelaide, Data61). The attack is described in more detail
     in the paper available here: http://cat.eyalro.net/cat.pdf  CVE-2018-19608
   * In mbedtls_mpi_write_binary(), don't leak the exact size of the number
     via branching and memory access patterns. An attacker who could submit
     a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
     of the decryption and not its result could nonetheless decrypt RSA
     plaintexts and forge RSA signatures. Other asymmetric algorithms may
     have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
     Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
   * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
     modules.
  API Changes
   * The new functions mbedtls_ctr_drbg_update_ret() and
     mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
     and mbedtls_hmac_drbg_update() respectively, but the new functions
     report errors whereas the old functions return void. We recommend that
     applications use the new functions.
- Version 2.14.0:
  Security

OBS-URL: https://build.opensuse.org/request/show/657220
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=4
2018-12-11 15:42:05 +00:00
Yuchen Lin
c11c7d3c29 Accepting request 631028 from security:tls
- Update to version 2.12.0:
  * Security
    + Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certain conditions by exploiting timing side-channels.
    + Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions by using a cache attack targeting an internal MD/SHA buffer.
    + Added a counter-measure against a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker with the ability to execute code on the local machine as well as manipulate network packets, to partially recover the plaintext of messages under certain conditions (see previous entry) by using a cache attack targeting the SSL input record buffer.
  * Features
    + Added new cryptographic primitives, the stream cipher Chacha20, one-time authenticator Poly1305 and AEAD construct Chacha20-Poly1305, as defined in RFC 7539. Contributed by Daniel King.
    + Added support for the CHACHA20-POLY1305 ciphersuites from RFC 7905.
    + Made the receive and transmit buffers independently configurable in size, for situations where the outgoing buffer can be fixed at a smaller size than the incoming buffer.
    + Added support for the AES based key wrapping modes defined by NIST SP 800-38F algorithms KW and KWP and by RFCs 3394 and 5649.
    + Added platform support for the Haiku OS.
  * Bugfix
    + Fixed the key_app_writer example which was creating an invalid ASN.1 tag by writing an additional leading zero byte. Found by Aryeh R. #1257.
    + Fixed a C++ compilation error, caused by a variable named new. Found and fixed by Hirotaka Niisato. #1783.
    + Fixed the "no symbols" warning issued by ranlib when building on Mac OS X. Fix contributed by tabascoeye.
    + Clarified documentation for mbedtls_ssl_write() to include 0 as a valid return value. Found by @davidwu2000. #839.
    + Fixed a memory leak in mbedtls_x509_csr_parse(). Found and fixed by catenacyber, Philippe Antoine. #1623.
    + Added length checks to some TLS parsing functions. Found and fixed by Philippe Antoine from Catena cyber. #1663.
    + Remove unused headers included in x509.c. Found by Chris Hanson and fixed by Brendan Shanks. #992.
    + Fixed compilation error when MBEDTLS_ARC4_C is disabled and MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
    + Fixed the inline assembly for the MPI multiply helper function for i386 and i386 with SSE2. Found by László Langó. #1550.
    + Fixed the namespacing in header files. Remove the mbedtls namespacing in the #include in the header files. #857.
    + Fixed a compiler warning of 'use before initialisation' in mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid Drozd. #1098.
    + Fixed decryption of zero length messages (which contain all padding) when a CBC based ciphersuite was used together with Encrypt-then-MAC.
    + Fixed the ssl_client2 example to send application data with 0-length content when the request_size argument is set to 0 as stated in the documentation. #1833.
    + Corrected the documentation for mbedtls_ssl_get_session(). This API has deep copy of the session, and the peer certificate is not lost. #926.
    + Fixed issues when building to the C99 standard, using -std=c99. Fixed by Nick Wilson.
  * Changes
    + Fails when receiving a TLS alert message with an invalid length, or invalid zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
    + Changed the default behaviour of mbedtls_hkdf_extract() to return an error when calling with a NULL salt and non-zero salt length. Contributed by Brian J Murray.

OBS-URL: https://build.opensuse.org/request/show/631028
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=18
2018-09-11 15:08:20 +00:00
Dominique Leuenberger
79546094fd Accepting request 621852 from devel:libraries:c_c++
OBS-URL: https://build.opensuse.org/request/show/621852
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=17
2018-07-13 08:19:30 +00:00
Dominique Leuenberger
806db72ddc Accepting request 593915 from devel:libraries:c_c++
- Update to version 2.8.0:
  * Security:
    + Defend against Bellcore glitch attacks by verifying the results of RSA private key operations.
    + Fix implementation of the truncated HMAC extension. The previous implementation allowed an offline 2^80 brute force attack on the HMAC key of a single, uninterrupted connection (with no resumption of the session).
    + Reject CRLs containing unsupported critical extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
    + Fix a buffer overread in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
    + Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a crash on invalid input.
  * Features:
    + Enable reading encrypted PEM files produced by software that uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli, OpenVPN Inc. Fixes #1339
    + Support public keys encoded in PKCS#1 format. #1122
  * New deprecations:
    + Compression and crypto don't mix. We don't recommend using compression and cryptography, and have deprecated support for record compression (configuration option MBEDTLS_ZLIB_SUPPORT).
  * Bugfix:
    + Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct. In the context of SSL, this resulted in handshake failure. Reported by daniel in the Mbed TLS forum. #1351
    + Fix setting version TLSv1 as minimal version, even if TLS 1 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION and MBEDTLS_SSL_MIN_MINOR_VERSION instead of MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
    + Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE only if __MINGW32__ is not defined. Fix suggested by Thomas Glanzmann and Nick Wilson on issue #355
    + Fix memory allocation corner cases in memory_buffer_alloc.c module. Found by Guido Vranken. #639
    + Don't accept an invalid tag when parsing X.509 subject alternative names in some circumstances.
    + Fix a possible arithmetic overflow in ssl_parse_server_key_exchange() that could cause a key exchange to fail on valid data.
    + Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that could cause a key exchange to fail on valid data.
    + Fix a 1-byte heap buffer overflow (read-only) during private key parsing. Found through fuzz testing.
  * Changes
    + Fix tag lengths and value ranges in the documentation of CCM encryption. Contributed by Mathieu Briand.
    + Fix a typo in a comment in ctr_drbg.c. Contributed by Paul Sokolovsky.
    + Remove support for the library reference configuration for picocoin.
    + MD functions deprecated in 2.7.0 are no longer inline, to provide a migration path for those depending on the library's ABI.
    + Use (void) when defining functions with no parameters. Contributed by Joris Aerts. #678

OBS-URL: https://build.opensuse.org/request/show/593915
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=16
2018-04-07 18:53:14 +00:00
Dominique Leuenberger
57b6639daf Accepting request 584224 from devel:libraries:c_c++
- Use more cmake macros
- Update spec file using spec-cleaner

OBS-URL: https://build.opensuse.org/request/show/584224
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=15
2018-03-12 11:07:47 +00:00
Dominique Leuenberger
b19ab02e4a Accepting request 576327 from devel:libraries:c_c++
OBS-URL: https://build.opensuse.org/request/show/576327
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=14
2018-02-15 12:21:52 +00:00
Dominique Leuenberger
8e9dc53b27 Accepting request 523556 from devel:libraries:c_c++
1

OBS-URL: https://build.opensuse.org/request/show/523556
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=13
2017-09-13 19:34:45 +00:00
Dominique Leuenberger
a258e86dc4 Accepting request 509216 from devel:libraries:c_c++
- Update to version 2.5.1:

OBS-URL: https://build.opensuse.org/request/show/509216
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=12
2017-07-21 20:37:14 +00:00
Dominique Leuenberger
a9fd66514d Accepting request 478689 from devel:libraries:c_c++
- Update to version 2.4.2:

OBS-URL: https://build.opensuse.org/request/show/478689
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=11
2017-03-15 00:04:37 +00:00
Dominique Leuenberger
e3558034c2 Accepting request 440145 from devel:libraries:c_c++
- Update to version 2.4.0:

OBS-URL: https://build.opensuse.org/request/show/440145
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=10
2016-11-15 16:53:02 +00:00
Dominique Leuenberger
6e59b5513a Accepting request 423405 from devel:libraries:c_c++
- Merge changes from home:X0F:HSF
- Add mbedtls_fix522.patch which fixes building of dependent
  libraries

- Update description

- Split shared libraries to subpackages

- update to 2.3.0:
  * adding libmbedcrypto, libmbedx509
  * headers moved to /usr/include/mbedtls
  * remove compatibility symlink
  * source compatibility header /usr/include/mbedtls/compat-1.3.h
  * Use primary upstream license (Apache-2.0)

OBS-URL: https://build.opensuse.org/request/show/423405
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=9
2016-09-30 13:22:53 +00:00
Dominique Leuenberger
547a91b29f Accepting request 408503 from devel:libraries:c_c++
- Update to version 1.3.17 (boo#988956):

OBS-URL: https://build.opensuse.org/request/show/408503
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=8
2016-07-21 05:52:59 +00:00
Dominique Leuenberger
dc276d9720 Accepting request 352824 from devel:libraries:c_c++
- Update to 1.3.16

OBS-URL: https://build.opensuse.org/request/show/352824
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=7
2016-01-15 09:38:38 +00:00
Stephan Kulow
217a612d5a Accepting request 345044 from devel:libraries:c_c++
- Update to 1.3.15

OBS-URL: https://build.opensuse.org/request/show/345044
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=6
2015-11-24 21:31:51 +00:00
Stephan Kulow
22197980c8 Accepting request 337106 from devel:libraries:c_c++
- Update to 1.3.14
  * Added fix for CVE-2015-5291 (boo#949380) to prevent heap corruption due to buffer
    overflow of the hostname or session ticket. Found by Guido Vranken,
    Intelworks.

OBS-URL: https://build.opensuse.org/request/show/337106
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=5
2015-10-17 14:38:09 +00:00
Dominique Leuenberger
5679e57a39 Accepting request 319258 from devel:libraries:c_c++
1

OBS-URL: https://build.opensuse.org/request/show/319258
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=4
2015-08-10 07:11:21 +00:00
Dominique Leuenberger
79ddc99b19 Accepting request 312209 from devel:libraries:c_c++
1

OBS-URL: https://build.opensuse.org/request/show/312209
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=3
2015-06-24 18:24:54 +00:00
Dominique Leuenberger
658f3b29c4 Accepting request 293983 from devel:libraries:c_c++
1

OBS-URL: https://build.opensuse.org/request/show/293983
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=2
2015-04-02 14:04:15 +00:00
Dominique Leuenberger
a811e8daf5 Accepting request 293450 from devel:libraries:c_c++
Polarssl replacement

OBS-URL: https://build.opensuse.org/request/show/293450
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=1
2015-03-30 17:33:01 +00:00