- Update to 2.28.2: (bsc#1206576, CVE-2022-46393)
Security:
* Fix potential heap buffer overread and overwrite in DTLS if
MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
old: security:tls/mbedtls
new: home:abergmann:branches:security:tls/mbedtls rev None
Index: mbedtls.changes
===================================================================
--- mbedtls.changes (revision 36)
+++ mbedtls.changes (revision 2)
@@ -1,4 +1,75 @@
-------------------------------------------------------------------
+Wed Dec 21 11:10:10 UTC 2022 - Alexander Bergmann <abergmann@suse.com>
+
+- Update to 2.28.2: (bsc#1206576, CVE-2022-46393)
+
+ Security:
+ * Fix potential heap buffer overread and overwrite in DTLS if
+ MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
+ MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
+ * An adversary with access to precise enough information about memory
+ accesses (typically, an untrusted operating system attacking a secure
+ enclave) could recover an RSA private key after observing the victim
+ performing a single private-key operation if the window size used for the
+ exponentiation was 3 or smaller. Found and reported by Zili KOU,
+ Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
+ and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
+ and Test in Europe 2023.
+
+ Bugfix:
+ * Fix a long-standing build failure when building x86 PIC code with old
+ gcc (4.x). The code will be slower, but will compile. We do however
+ recommend upgrading to a more recent compiler instead. Fixes#1910.
+ * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
+ Contributed by Kazuyuki Kimura to fix#2020.
+ * Use double quotes to include private header file psa_crypto_cipher.h.
+ Fixes 'file not found with include' error when building with Xcode.
+ * Fix handling of broken symlinks when loading certificates using
+ mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
+ broken link is encountered, skip the broken link and continue parsing
+ other certificate files. Contributed by Eduardo Silva in #2602.
+ * Fix a compilation error when using CMake with an IAR toolchain.
+ Fixes#5964.
+ * Fix bugs and missing dependencies when building and testing
+ configurations with only one encryption type enabled in TLS 1.2.
+ * Provide the missing definition of mbedtls_setbuf() in some configurations
+ with MBEDTLS_PLATFORM_C disabled. Fixes#6118, #6196.
+ * Fix compilation errors when trying to build with
+ PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
+ * Fix memory leak in ssl_parse_certificate_request() caused by
+ mbedtls_x509_get_name() not freeing allocated objects in case of error.
+ Change mbedtls_x509_get_name() to clean up allocated objects on error.
+ * Fix checks on PK in check_config.h for builds with PSA and RSA. This does
+ not change which builds actually work, only moving a link-time error to
+ an early check.
+ * Fix ECDSA verification, where it was not always validating the
+ public key. This bug meant that it was possible to verify a
+ signature with an invalid public key, in some cases. Reported by
+ Guido Vranken using Cryptofuzz in #4420.
+ * Fix a possible null pointer dereference if a memory allocation fails
+ in TLS PRF code. Reported by Michael Madsen in #6516.
+ * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
+ bytes when parsing certificates containing a binary RFC 4108
+ HardwareModuleName as a Subject Alternative Name extension. Hardware
+ serial numbers are now rendered in hex format. Fixes#6262.
+ * Fix bug in error reporting in dh_genprime.c where upon failure,
+ the error code returned by mbedtls_mpi_write_file() is overwritten
+ and therefore not printed.
+ * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
+ with A > 0 created an unintended representation of the value 0 which was
+ not processed correctly by some bignum operations. Fix this. This had no
+ consequence on cryptography code, but might affect applications that call
+ bignum directly and use negative numbers.
+ * Fix undefined behavior (typically harmless in practice) of
+ mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
+ when both operands are 0 and the left operand is represented with 0 limbs.
+ * Fix undefined behavior (typically harmless in practice) when some bignum
+ functions receive the most negative value of mbedtls_mpi_sint. Credit
+ to OSS-Fuzz. Fixes#6597.
+ * Fix undefined behavior (typically harmless in practice) in PSA ECB
+ encryption and decryption.
+
+-------------------------------------------------------------------
Fri Nov 4 16:53:36 UTC 2022 - Mia Herkt <mia@0x0.st>
- Update to 2.28.1: (CVE-2022-35409)
Index: mbedtls.spec
===================================================================
--- mbedtls.spec (revision 36)
+++ mbedtls.spec (revision 2)
@@ -20,7 +20,7 @@
%define lib_crypto libmbedcrypto7
%define lib_x509 libmbedx509-1
Name: mbedtls
-Version: 2.28.1
+Version: 2.28.2
Release: 0
Summary: Libraries for crypto and SSL/TLS protocols
License: Apache-2.0
Index: mbedtls-2.28.2.tar.gz
===================================================================
Binary file mbedtls-2.28.2.tar.gz (revision 2) added
Index: mbedtls-2.28.1.tar.gz
===================================================================
Binary file mbedtls-2.28.1.tar.gz (revision 36) deleted
OBS-URL: https://build.opensuse.org/request/show/1044072
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=37
- Update to 2.28.1: (CVE-2022-35409)
Default behavior changes
* mbedtls_cipher_set_iv will now fail with ChaCha20 and
ChaCha20+Poly1305 for IV lengths other than 12. The library was
silently overwriting this length with 12, but did not inform
the caller about it.
gh#Mbed-TLS/mbedtls#4301
Features
* When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA
crypto feature requirements in the file named by the new macro
MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default
psa/crypto_config.h. Furthermore you may name an additional
file to include after the main file with the macro
MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
Security
* Zeroize dynamically-allocated buffers used by the PSA Crypto
key storage module before freeing them. These buffers contain
secret key material, and could thus potentially leak the key
through freed heap.
* Fix a potential heap buffer overread in TLS 1.2 server-side
when MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created
with mbedtls_pk_setup_opaque()) is provisioned, and a static
ECDH ciphersuite is selected. This may result in an application
crash or potentially an information leak.
* Fix a buffer overread in DTLS ClientHello parsing in servers
with MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled.
An unauthenticated client or a man-in-the-middle could cause a
DTLS server to read up to 255 bytes after the end of the SSL
input buffer. The buffer overread only happens when
MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that
depends on the exact configuration: 258 bytes if using
mbedtls_ssl_cookie_check(), and possibly up to 571 bytes with
a custom cookie check function.
Reported by the Cybeats PSI Team.
Bugfix
* Fix a memory leak if mbedtls_ssl_config_defaults() is called
twice.
* Fix several bugs (warnings, compiler and linker errors, test
failures) in reduced configurations when MBEDTLS_USE_PSA_CRYPTO
is enabled.
* Fix a bug in (D)TLS curve negotiation: when
MBEDTLS_USE_PSA_CRYPTO was enabled and an ECDHE-ECDSA or
ECDHE-RSA key exchange was used, the client would fail to check
that the curve selected by the server for ECDHE was indeed one
that was offered. As a result, the client would accept any
curve that it supported, even if that curve was not allowed
according to its configuration.
gh#Mbed-TLS/mbedtls#5291
* Fix unit tests that used 0 as the file UID. This failed on some
implementations of PSA ITS.
gh#Mbed-TLS/mbedtls#3838
* Fix API violation in mbedtls_md_process() test by adding a call
to mbedtls_md_starts().
gh#Mbed-TLS/mbedtls#2227
* Fix compile errors when MBEDTLS_HAVE_TIME is not defined.
Add tests to catch bad uses of time.h.
* Fix bug in the alert sending function
mbedtls_ssl_send_alert_message() potentially leading to
corrupted alert messages being sent in case the function needs
to be re-called after initially returning
MBEDTLS_SSL_WANT_WRITE.
gh#Mbed-TLS/mbedtls#1916
* In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled
but none of MBEDTLS_SSL_HW_RECORD_ACCEL,
MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C, DTLS handshakes
using CID would crash due to a null pointer dereference.
Fix this.
gh#Mbed-TLS/mbedtls#3998
* Fix incorrect documentation of mbedtls_x509_crt_profile. The
previous documentation stated that the allowed_pks field
applies to signatures only, but in fact it does apply to the
public key type of the end entity certificate, too.
gh#Mbed-TLS/mbedtls#1992
* Fix PSA cipher multipart operations using ARC4. Previously, an
IV was required but discarded. Now, an IV is rejected, as it
should be.
* Fix undefined behavior in mbedtls_asn1_find_named_data(), where
val is not NULL and val_len is zero. psa_raw_key_agreement()
now returns PSA_ERROR_BUFFER_TOO_SMALL when applicable.
gh#Mbed-TLS/mbedtls#5735
* Fix a bug in the x25519 example program where the removal of
MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run.
gh#Mbed-TLS/mbedtls#4901
gh#Mbed-TLS/mbedtls#3191
* Encode X.509 dates before 1/1/2000 as UTCTime rather than
GeneralizedTime.
gh#Mbed-TLS/mbedtls#5465
* Fix order value of curve x448.
* Fix string representation of DNs when outputting values
containing commas and other special characters, conforming to
RFC 1779.
gh#Mbed-TLS/mbedtls#769
* Silence a warning from GCC 12 in the selftest program.
gh#Mbed-TLS/mbedtls#5974
* Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of
0.
* Fix resource leaks in mbedtls_pk_parse_public_key() in low
memory conditions.
* Fix server connection identifier setting for outgoing encrypted
records on DTLS 1.2 session resumption. After DTLS 1.2 session
resumption with connection identifier, the Mbed TLS client now
properly sends the server connection identifier in encrypted
record headers.
gh#Mbed-TLS/mbedtls#5872
* Fix a null pointer dereference when performing some operations
on zero represented with 0 limbs (specifically
mbedtls_mpi_mod_int() dividing by 2, and
mbedtls_mpi_write_string() in base 2).
* Fix record sizes larger than 16384 being sometimes accepted
despite being non-compliant. This could not lead to a buffer
overflow. In particular, application data size was already
checked correctly.
OBS-URL: https://build.opensuse.org/request/show/1033587
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=36
- Update to 2.27.0:
API changes:
* Update AEAD output size macros to bring them in line with the PSA Crypto
API version 1.0 spec. This version of the spec parameterizes them on the
key type used, as well as the key bit-size in the case of
PSA_AEAD_TAG_LENGTH.
The old versions of these macros were renamed and deprecated as follows:
- PSA_AEAD_TAG_LENGTH -> PSA_AEAD_TAG_LENGTH_1_ARG
- PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG
- PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG
- PSA_AEAD_UPDATE_OUTPUT_SIZE -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG
- PSA_AEAD_FINISH_OUTPUT_SIZE -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG
- PSA_AEAD_VERIFY_OUTPUT_SIZE -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG
* Implement one-shot cipher functions, psa_cipher_encrypt and
psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
specification.
Features:
* Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
signature with a specific salt length. This function allows to validate
test cases provided in the NIST's CAVP test suite.
* Added support for built-in driver keys through the PSA opaque crypto
driver interface. Refer to the documentation of
MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
* Implement psa_sign_message() and psa_verify_message().
* The new function mbedtls_mpi_random() generates a random value in a
given range uniformly.
* Implement psa_mac_compute() and psa_mac_verify() as defined in the
PSA Cryptograpy API 1.0.0 specification.
* MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
curves and no longer needs to be configured explicitly to save RAM.
OBS-URL: https://build.opensuse.org/request/show/907287
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=31
- update to 2.25.0:
* This release of Mbed TLS provides bug fixes, minor enhancements and new
features. This release includes fixes for security issues.
* see https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0
* The functions mbedtls_cipher_auth_encrypt() and
mbedtls_cipher_auth_decrypt() would write past the minimum documented size
of the output buffer when used with NIST_KW. As a result, code using those
functions as documented with NIST_KW could have a buffer overwrite of up to
15 bytes, with consequences ranging up to arbitrary code execution
depending on the location of the output buffer.
* Limit the size of calculations performed by mbedtls_mpi_exp_mod to
MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating
Diffie-Hellman key pairs. Credit to OSS-Fuzz.
* A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
which is how most uses of randomization in asymmetric cryptography (including
key generation, intermediate value randomization and blinding) are implemented.
This could cause failures or the silent use of non-random values. A random
generator can fail if it needs reseeding and cannot not obtain entropy, or due
to an internal failure (which, for Mbed TLS's own CTR_DRBG or HMAC_DRBG, can
only happen due to a misconfiguration).
* Fix a compliance issue whereby we were not checking the tag on the algorithm
parameters (only the size) when comparing the signature in the description part
of the cert to the real signature. This meant that a NULL algorithm parameters
entry would look identical to an array of REAL (size zero) to the library and
thus the certificate would be considered valid. However, if the parameters do
not match in any way then the certificate should be considered invalid, and
indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks
to guidovranken who found this issue via differential fuzzing and reported it
OBS-URL: https://build.opensuse.org/request/show/858114
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=22
- update to 2.24.0:
* see https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
* Fix a vulnerability in the verification of X.509 certificates when matching
the expected common name (the cn argument of mbedtls_x509_crt_verify())
with the actual certificate name: when the subjecAltName extension is
present, the expected name was compared to any name in that extension
regardless of its type. This means that an attacker could for example
impersonate a 4-bytes or 16-byte domain by getting a certificate for the
corresponding IPv4 or IPv6 (this would require the attacker to control that
IP address, though). Similar attacks using other subjectAltName name types
might be possible.
* When checking X.509 CRLs, a certificate was only considered as revoked if
its revocationDate was in the past according to the local clock if
available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
certificates were never considered as revoked. On builds with
MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
example, an untrusted OS attacking a secure enclave) could prevent
revocation of certificates via CRLs. Fixed by no longer checking the
revocationDate field, in accordance with RFC 5280. Reported by yuemonangong
in #3340. Reported independently and fixed by Raoul Strackx and Jethro
* In (D)TLS record decryption, when using a CBC ciphersuites without the
Encrypt-then-Mac extension, use constant code flow memory access patterns
to extract and check the MAC. This is an improvement to the existing
countermeasure against Lucky 13 attacks. The previous countermeasure was
effective against network-based attackers, but less so against local
attackers. The new countermeasure defends against local attackers, even if
they have access to fine-grained measurements. In particular, this fixes a
local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan
Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of
Florida) and Dave Tian (Purdue University).
OBS-URL: https://build.opensuse.org/request/show/837996
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=20
- update to 2.23.0:
a lot of changes see https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0
* Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
* Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.
OBS-URL: https://build.opensuse.org/request/show/827276
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=15
- Library package version bumped to libmbedtls12
- Update to version 2.14.1: [bsc#1118727, CVE-2018-19608]
Security
* Fix timing variations and memory access variations in RSA PKCS#1 v1.5
decryption that could lead to a Bleichenbacher-style padding oracle
attack. In TLS, this affects servers that accept ciphersuites based on
RSA decryption (i.e. ciphersuites whose name contains RSA but not
(EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
(University of Adelaide), Daniel Genkin (University of Michigan),
Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
(University of Adelaide, Data61). The attack is described in more detail
in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
* In mbedtls_mpi_write_binary(), don't leak the exact size of the number
via branching and memory access patterns. An attacker who could submit
a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
of the decryption and not its result could nonetheless decrypt RSA
plaintexts and forge RSA signatures. Other asymmetric algorithms may
have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
* Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
modules.
API Changes
* The new functions mbedtls_ctr_drbg_update_ret() and
mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
and mbedtls_hmac_drbg_update() respectively, but the new functions
report errors whereas the old functions return void. We recommend that
applications use the new functions.
- Version 2.14.0:
Security
OBS-URL: https://build.opensuse.org/request/show/657220
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=4
- Update to version 2.12.0:
* Security
+ Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certains conditions by exploiting timing side-channels.
+ Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions by using a cache attack targetting an internal MD/SHA buffer.
+ Added a counter-measure against a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker with the ability to execute code on the local machine as well as manipulate network packets, to partially recover the plaintext of messages certain conditions (see previous entry) by using a cache attack targeting the SSL input record buffer.
* Features
+ Added new cryptographic primitives, the stream cipher Chacha20, one-time authenticator Poly1305 and AEAD construct Chacha20-Poly1305, as defined in RFC 7539. Contributed by Daniel King.
+ Added support for the CHACHA20-POLY1305 ciphersuites from RFC 7905.
+ Made the receive and transmit buffers independently configurable in size, for situations where the outgoing buffer can be fixed at a smaller size than the incoming buffer
+ Added support for the AES based key wrapping modes defined by NIST SP 800-38F algorithms KW and KWP and by RFC's 3394 and 5649.
+ Added platform support for the Haiku OS.
* Bugfix
+ Fixed the key_app_writer example which was creating an invalid ASN.1 tag by writing an additional leading zero byte. Found by Aryeh R. #1257.
+ Fixed a C++ compilation error, caused by a variable named new. Found and fixed by Hirotaka Niisato. #1783.
+ Fixed the "no symbols" warning issued by ranlib when building on Mac OS X. Fix contributed by tabascoeye.
+ Clarified documentation for mbedtls_ssl_write() to include 0 as a valid return value. Found by @davidwu2000. #839.
+ Fixed a memory leak in mbedtls_x509_csr_parse(). Found and fixed by catenacyber, Philippe Antoine. #1623.
+ Added length checks to some TLS parsing functions. Found and fixed by Philippe Antoine from Catena cyber. #1663.
+ Remove unused headers included in x509.c. Found by Chris Hanson and fixed by Brendan Shanks. #992.
+ Fixed compilation error when MBEDTLS_ARC4_C is disabled and MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
+ Fixed the inline assembly for the MPI multiply helper function for i386 and i386 with SSE2. Found by László Langó. #1550.
+ Fixed the namespacing in header files. Remove the mbedtls namespacing in the #include in the header files. #857.
+ Fixed a compiler warning of 'use before initialisation' in mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid Drozd.#1098.
+ Fixed decryption of zero length messages (which contain all padding) when a CBC based ciphersuite was used together with Encrypt-then-MAC.
+ Fixed the ssl_client2 example to send application data with 0-length content when the request_size argument is set to 0 as stated in the documentation. #1833.
+ Corrected the documentation for mbedtls_ssl_get_session(). This API has deep copy of the session, and the peer certificate is not lost. #926.
+ Fixed issues when building to the C99 standard, using -std=c99. Fixed by Nick Wilson.
* Changes
+ Fails when receiving a TLS alert message with an invalid length, or invalid zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
+ Changed the default behaviour of mbedtls_hkdf_extract() to return an error when calling with a NULL salt and non-zero salt length. Contributed by Brian J Murray
OBS-URL: https://build.opensuse.org/request/show/631028
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=18
- Update to version 2.8.0:
* Security:
+ Defend against Bellcore glitch attacks by verifying the results of RSA private key operations.
+ Fix implementation of the truncated HMAC extension. The previous implementation allowed an offline 2^80 brute force attack on the HMAC key of a single, uninterrupted connection (with no resumption of the session).
+ Reject CRLs containing unsupported critical extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
+ Fix a buffer overread in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
+ Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a crash on invalid input.
* Features:
+ Enable reading encrypted PEM files produced by software that uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli, OpenVPN Inc. Fixes#1339
+ Support public keys encoded in PKCS#1 format. #1122
* New deprecations:
+ Compression and crypto don't mix. We don't recommend using compression and cryptography, and have deprecated support for record compression (configuration option MBEDTLS_ZLIB_SUPPORT).
* Bugfix:
+ Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct. In the context of SSL, this resulted in handshake failure. Reported by daniel in the Mbed TLS forum. #1351
+ Fix setting version TLSv1 as minimal version, even if TLS 1 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION and MBEDTLS_SSL_MIN_MINOR_VERSION instead of MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
+ Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE only if __MINGW32__ is not defined. Fix suggested by Thomas Glanzmann and Nick Wilson on issue #355
+ Fix memory allocation corner cases in memory_buffer_alloc.c module. Found by Guido Vranken. #639
+ Don't accept an invalid tag when parsing X.509 subject alternative names in some circumstances.
+ Fix a possible arithmetic overflow in ssl_parse_server_key_exchange() that could cause a key exchange to fail on valid data.
+ Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that could cause a key exchange to fail on valid data.
+ Fix a 1-byte heap buffer overflow (read-only) during private key parsing. Found through fuzz testing.
* Changes
+ Fix tag lengths and value ranges in the documentation of CCM encryption. Contributed by Mathieu Briand.
+ Fix a typo in a comment in ctr_drbg.c. Contributed by Paul Sokolovsky.
+ Remove support for the library reference configuration for picocoin.
+ MD functions deprecated in 2.7.0 are no longer inline, to provide a migration path for those depending on the library's ABI.
+ Use (void) when defining functions with no parameters. Contributed by Joris Aerts. #678
OBS-URL: https://build.opensuse.org/request/show/593915
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=16
