pool/mbedtls
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
874cecdf09
mbedtls/mbedtls.spec
Martin Pluskal 874cecdf09 Accepting request 837996 from home:dirkmueller:branches:security:tls 
- update to 2.24.0:
  * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
  * Fix a vulnerability in the verification of X.509 certificates when matching
  the expected common name (the cn argument of mbedtls_x509_crt_verify())
  with the actual certificate name: when the subjecAltName extension is
  present, the expected name was compared to any name in that extension
  regardless of its type. This means that an attacker could for example
  impersonate a 4-bytes or 16-byte domain by getting a certificate for the
  corresponding IPv4 or IPv6 (this would require the attacker to control that
  IP address, though). Similar attacks using other subjectAltName name types
  might be possible.
  * When checking X.509 CRLs, a certificate was only considered as revoked if
  its revocationDate was in the past according to the local clock if
  available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
  certificates were never considered as revoked. On builds with
  MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
  example, an untrusted OS attacking a secure enclave) could prevent
  revocation of certificates via CRLs. Fixed by no longer checking the
  revocationDate field, in accordance with RFC 5280. Reported by yuemonangong
  in #3340. Reported independently and fixed by Raoul Strackx and Jethro
  * In (D)TLS record decryption, when using a CBC ciphersuites without the
  Encrypt-then-Mac extension, use constant code flow memory access patterns
  to extract and check the MAC. This is an improvement to the existing
  countermeasure against Lucky 13 attacks. The previous countermeasure was
  effective against network-based attackers, but less so against local
  attackers. The new countermeasure defends against local attackers, even if
  they have access to fine-grained measurements. In particular, this fixes a
  local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan
  Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of
  Florida) and Dave Tian (Purdue University).

OBS-URL: https://build.opensuse.org/request/show/837996
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=20
2020-09-29 05:57:17 +00:00

149 lines
4.7 KiB
RPMSpec
Raw Blame History

#
# spec file for package mbedtls
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define lib_tls libmbedtls13
%define lib_crypto libmbedcrypto5
%define lib_x509 libmbedx509-1
Name: mbedtls
Version: 2.24.0
Release: 0
Summary: Libraries for crypto and SSL/TLS protocols
License: Apache-2.0
Group: Development/Libraries/C and C++
URL: https://tls.mbed.org
Source: https://github.com/ARMmbed/mbedtls/archive/v%{version}.tar.gz
Source99: baselibs.conf
BuildRequires: cmake
BuildRequires: ninja
BuildRequires: pkgconfig
BuildRequires: pkgconfig(libpkcs11-helper-1)
BuildRequires: pkgconfig(zlib)
%description
mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It
supports a number of extensions such as SSL Session Tickets (RFC
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
5746) and Application Layer Protocol Negotiation (ALPN). It
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
exchanges.
%package -n %{lib_tls}
Summary: Transport Layer Security protocol suite
Group: System/Libraries
%description -n %{lib_tls}
mbedtls implements the SSL 3.0, TLS 1.0, 1.1 and 1.2 protocols. It
supports a number of extensions such as SSL Session Tickets (RFC
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
5746) and Application Layer Protocol Negotiation (ALPN). It
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
exchanges.
%package -n %{lib_crypto}
Summary: Cryptographic base library for mbedtls
Group: System/Libraries
%description -n %{lib_crypto}
This subpackage of mbedtls contains a library that exposes
cryptographic ciphers, hashes, algorithms and format support such as
AES, MD5, SHA, Elliptic Curves, BigNum, PKCS, ASN.1, BASE64.
%package -n %{lib_x509}
Summary: Library to work with X.509 certificates
Group: System/Libraries
%description -n %{lib_x509}
This subpackage of mbedtls contains a library that can read, verify
and write X.509 certificates, read/write Certificate Signing Requests
and read Certificate Revocation Lists.
%package devel
Summary: Development files for mbedtls, a SSL/TLS library
Group: Development/Libraries/C and C++
Requires: %{lib_crypto} = %{version}
Requires: %{lib_tls} = %{version}
Requires: %{lib_x509} = %{version}
%description devel
This subpackage contains the development files for mbedtls,
a suite of libraries for cryptographic functions and the
SSL/TLS protocol suite.
%prep
%autosetup
sed -i 's|//\(#define MBEDTLS_ZLIB_SUPPORT\)|\1|' include/mbedtls/config.h
sed -i 's|//\(#define MBEDTLS_HAVEGE_C\)|\1|' include/mbedtls/config.h
sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h
sed -i 's|//\(#define MBEDTLS_THREADING_PTHREAD\)|\1|' include/mbedtls/config.h
%build
%define __builder ninja
%cmake \
-DLINK_WITH_PTHREAD=ON \
-DUSE_PKCS11_HELPER_LIBRARY=ON \
-DENABLE_ZLIB_SUPPORT=ON \
-DINSTALL_MBEDTLS_HEADERS=ON \
-DUSE_SHARED_MBEDTLS_LIBRARY=ON \
-DUSE_STATIC_MBEDTLS_LIBRARY=OFF \
-DENABLE_PROGRAMS=OFF \
-DCMAKE_POLICY_DEFAULT_CMP0012=NEW
%cmake_build
%install
%cmake_install
%check
# parallel execution fails
# %%ctest
pushd build
%{_bindir}/ctest --output-on-failure --force-new-ctest-process -j1
%post -n %{lib_tls} -p /sbin/ldconfig
%post -n %{lib_crypto} -p /sbin/ldconfig
%post -n %{lib_x509} -p /sbin/ldconfig
%postun -n %{lib_tls} -p /sbin/ldconfig
%postun -n %{lib_crypto} -p /sbin/ldconfig
%postun -n %{lib_x509} -p /sbin/ldconfig
%files devel
%license LICENSE
%doc ChangeLog README.md
%dir %{_includedir}/mbedtls
%dir %{_includedir}/psa
%{_includedir}/mbedtls/*.h
%{_includedir}/psa/*.h
%{_libdir}/libmbedtls.so
%{_libdir}/libmbedcrypto.so
%{_libdir}/libmbedx509.so
%files -n %{lib_tls}
%license LICENSE
%{_libdir}/libmbedtls.so.*
%files -n %{lib_crypto}
%license LICENSE
%{_libdir}/libmbedcrypto.so.*
%files -n %{lib_x509}
%license LICENSE
%{_libdir}/libmbedx509.so.*
%changelog
Reference in New Issue View Git Blame Copy Permalink