Pedro Monreal Gonzalez
d767eaf9d9
- Update to 2.28.1: (CVE-2022-35409)
Default behavior changes
* mbedtls_cipher_set_iv will now fail with ChaCha20 and
ChaCha20+Poly1305 for IV lengths other than 12. The library was
silently overwriting this length with 12, but did not inform
the caller about it.
gh#Mbed-TLS/mbedtls#4301
Features
* When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA
crypto feature requirements in the file named by the new macro
MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default
psa/crypto_config.h. Furthermore you may name an additional
file to include after the main file with the macro
MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
Security
* Zeroize dynamically-allocated buffers used by the PSA Crypto
key storage module before freeing them. These buffers contain
secret key material, and could thus potentially leak the key
through freed heap.
* Fix a potential heap buffer overread in TLS 1.2 server-side
when MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created
with mbedtls_pk_setup_opaque()) is provisioned, and a static
ECDH ciphersuite is selected. This may result in an application
crash or potentially an information leak.
* Fix a buffer overread in DTLS ClientHello parsing in servers
with MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled.
An unauthenticated client or a man-in-the-middle could cause a
DTLS server to read up to 255 bytes after the end of the SSL
input buffer. The buffer overread only happens when
MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that
depends on the exact configuration: 258 bytes if using
mbedtls_ssl_cookie_check(), and possibly up to 571 bytes with
a custom cookie check function.
Reported by the Cybeats PSI Team.
Bugfix
* Fix a memory leak if mbedtls_ssl_config_defaults() is called
twice.
* Fix several bugs (warnings, compiler and linker errors, test
failures) in reduced configurations when MBEDTLS_USE_PSA_CRYPTO
is enabled.
* Fix a bug in (D)TLS curve negotiation: when
MBEDTLS_USE_PSA_CRYPTO was enabled and an ECDHE-ECDSA or
ECDHE-RSA key exchange was used, the client would fail to check
that the curve selected by the server for ECDHE was indeed one
that was offered. As a result, the client would accept any
curve that it supported, even if that curve was not allowed
according to its configuration.
gh#Mbed-TLS/mbedtls#5291
* Fix unit tests that used 0 as the file UID. This failed on some
implementations of PSA ITS.
gh#Mbed-TLS/mbedtls#3838
* Fix API violation in mbedtls_md_process() test by adding a call
to mbedtls_md_starts().
gh#Mbed-TLS/mbedtls#2227
* Fix compile errors when MBEDTLS_HAVE_TIME is not defined.
Add tests to catch bad uses of time.h.
* Fix bug in the alert sending function
mbedtls_ssl_send_alert_message() potentially leading to
corrupted alert messages being sent in case the function needs
to be re-called after initially returning
MBEDTLS_SSL_WANT_WRITE.
gh#Mbed-TLS/mbedtls#1916
* In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled
but none of MBEDTLS_SSL_HW_RECORD_ACCEL,
MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C, DTLS handshakes
using CID would crash due to a null pointer dereference.
Fix this.
gh#Mbed-TLS/mbedtls#3998
* Fix incorrect documentation of mbedtls_x509_crt_profile. The
previous documentation stated that the allowed_pks field
applies to signatures only, but in fact it does apply to the
public key type of the end entity certificate, too.
gh#Mbed-TLS/mbedtls#1992
* Fix PSA cipher multipart operations using ARC4. Previously, an
IV was required but discarded. Now, an IV is rejected, as it
should be.
* Fix undefined behavior in mbedtls_asn1_find_named_data(), where
val is not NULL and val_len is zero. psa_raw_key_agreement()
now returns PSA_ERROR_BUFFER_TOO_SMALL when applicable.
gh#Mbed-TLS/mbedtls#5735
* Fix a bug in the x25519 example program where the removal of
MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run.
gh#Mbed-TLS/mbedtls#4901
gh#Mbed-TLS/mbedtls#3191
* Encode X.509 dates before 1/1/2000 as UTCTime rather than
GeneralizedTime.
gh#Mbed-TLS/mbedtls#5465
* Fix order value of curve x448.
* Fix string representation of DNs when outputting values
containing commas and other special characters, conforming to
RFC 1779.
gh#Mbed-TLS/mbedtls#769
* Silence a warning from GCC 12 in the selftest program.
gh#Mbed-TLS/mbedtls#5974
* Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of
0.
* Fix resource leaks in mbedtls_pk_parse_public_key() in low
memory conditions.
* Fix server connection identifier setting for outgoing encrypted
records on DTLS 1.2 session resumption. After DTLS 1.2 session
resumption with connection identifier, the Mbed TLS client now
properly sends the server connection identifier in encrypted
record headers.
gh#Mbed-TLS/mbedtls#5872
* Fix a null pointer dereference when performing some operations
on zero represented with 0 limbs (specifically
mbedtls_mpi_mod_int() dividing by 2, and
mbedtls_mpi_write_string() in base 2).
* Fix record sizes larger than 16384 being sometimes accepted
despite being non-compliant. This could not lead to a buffer
overflow. In particular, application data size was already
checked correctly.
OBS-URL: https://build.opensuse.org/request/show/1033587
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=36
153 lines
4.9 KiB
RPMSpec
153 lines
4.9 KiB
RPMSpec
#
|
|
# spec file for package mbedtls
|
|
#
|
|
# Copyright (c) 2022 SUSE LLC
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define lib_tls libmbedtls14
|
|
%define lib_crypto libmbedcrypto7
|
|
%define lib_x509 libmbedx509-1
|
|
Name: mbedtls
|
|
Version: 2.28.1
|
|
Release: 0
|
|
Summary: Libraries for crypto and SSL/TLS protocols
|
|
License: Apache-2.0
|
|
Group: Development/Libraries/C and C++
|
|
URL: https://tls.mbed.org
|
|
Source: https://github.com/ARMmbed/mbedtls/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
|
Source99: baselibs.conf
|
|
BuildRequires: cmake
|
|
BuildRequires: ninja
|
|
BuildRequires: pkgconfig
|
|
BuildRequires: pkgconfig(libpkcs11-helper-1)
|
|
BuildRequires: pkgconfig(zlib)
|
|
|
|
%description
|
|
mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It
|
|
supports a number of extensions such as SSL Session Tickets (RFC
|
|
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
|
|
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
|
|
5746) and Application Layer Protocol Negotiation (ALPN). It
|
|
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
|
|
exchanges.
|
|
|
|
%package -n %{lib_tls}
|
|
Summary: Transport Layer Security protocol suite
|
|
Group: System/Libraries
|
|
|
|
%description -n %{lib_tls}
|
|
mbedtls implements the SSL 3.0, TLS 1.0, 1.1 and 1.2 protocols. It
|
|
supports a number of extensions such as SSL Session Tickets (RFC
|
|
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
|
|
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
|
|
5746) and Application Layer Protocol Negotiation (ALPN). It
|
|
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
|
|
exchanges.
|
|
|
|
%package -n %{lib_crypto}
|
|
Summary: Cryptographic base library for mbedtls
|
|
Group: System/Libraries
|
|
|
|
%description -n %{lib_crypto}
|
|
This subpackage of mbedtls contains a library that exposes
|
|
cryptographic ciphers, hashes, algorithms and format support such as
|
|
AES, MD5, SHA, Elliptic Curves, BigNum, PKCS, ASN.1, BASE64.
|
|
|
|
%package -n %{lib_x509}
|
|
Summary: Library to work with X.509 certificates
|
|
Group: System/Libraries
|
|
|
|
%description -n %{lib_x509}
|
|
This subpackage of mbedtls contains a library that can read, verify
|
|
and write X.509 certificates, read/write Certificate Signing Requests
|
|
and read Certificate Revocation Lists.
|
|
|
|
%package devel
|
|
Summary: Development files for mbedtls, a SSL/TLS library
|
|
Group: Development/Libraries/C and C++
|
|
Requires: %{lib_crypto} = %{version}
|
|
Requires: %{lib_tls} = %{version}
|
|
Requires: %{lib_x509} = %{version}
|
|
|
|
%description devel
|
|
This subpackage contains the development files for mbedtls,
|
|
a suite of libraries for cryptographic functions and the
|
|
SSL/TLS protocol suite.
|
|
|
|
%prep
|
|
%autosetup -p1
|
|
sed -i 's|//\(#define MBEDTLS_ZLIB_SUPPORT\)|\1|' include/mbedtls/config.h
|
|
sed -i 's|//\(#define MBEDTLS_HAVEGE_C\)|\1|' include/mbedtls/config.h
|
|
sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h
|
|
sed -i 's|//\(#define MBEDTLS_THREADING_PTHREAD\)|\1|' include/mbedtls/config.h
|
|
|
|
%build
|
|
%define __builder ninja
|
|
export CFLAGS="%{optflags} -Wno-stringop-overflow -Wno-maybe-uninitialized"
|
|
export CXXLAGS="%{optflags} -Wno-stringop-overflow -Wno-maybe-uninitialized"
|
|
%cmake \
|
|
-DUNSAFE_BUILD=ON \
|
|
-DLINK_WITH_PTHREAD=ON \
|
|
-DUSE_PKCS11_HELPER_LIBRARY=ON \
|
|
-DENABLE_ZLIB_SUPPORT=ON \
|
|
-DINSTALL_MBEDTLS_HEADERS=ON \
|
|
-DUSE_SHARED_MBEDTLS_LIBRARY=ON \
|
|
-DUSE_STATIC_MBEDTLS_LIBRARY=OFF \
|
|
-DENABLE_PROGRAMS=OFF \
|
|
-DCMAKE_POLICY_DEFAULT_CMP0012=NEW
|
|
%cmake_build
|
|
|
|
%install
|
|
%cmake_install
|
|
|
|
%check
|
|
# parallel execution fails
|
|
# %%ctest
|
|
pushd build
|
|
LD_LIBRARY_PATH=%{buildroot}%{_libdir} \
|
|
%{_bindir}/ctest --output-on-failure --force-new-ctest-process -j1
|
|
|
|
%post -n %{lib_tls} -p /sbin/ldconfig
|
|
%post -n %{lib_crypto} -p /sbin/ldconfig
|
|
%post -n %{lib_x509} -p /sbin/ldconfig
|
|
%postun -n %{lib_tls} -p /sbin/ldconfig
|
|
%postun -n %{lib_crypto} -p /sbin/ldconfig
|
|
%postun -n %{lib_x509} -p /sbin/ldconfig
|
|
|
|
%files devel
|
|
%license LICENSE
|
|
%doc ChangeLog README.md
|
|
%dir %{_includedir}/mbedtls
|
|
%dir %{_includedir}/psa
|
|
%{_includedir}/mbedtls/*.h
|
|
%{_includedir}/psa/*.h
|
|
%{_libdir}/libmbedtls.so
|
|
%{_libdir}/libmbedcrypto.so
|
|
%{_libdir}/libmbedx509.so
|
|
|
|
%files -n %{lib_tls}
|
|
%license LICENSE
|
|
%{_libdir}/libmbedtls.so.*
|
|
|
|
%files -n %{lib_crypto}
|
|
%license LICENSE
|
|
%{_libdir}/libmbedcrypto.so.*
|
|
|
|
%files -n %{lib_x509}
|
|
%license LICENSE
|
|
%{_libdir}/libmbedx509.so.*
|
|
|
|
%changelog
|