2023-05-02 16:10:32 +02:00
|
|
|
#
|
2023-05-08 13:40:53 +02:00
|
|
|
# spec file for package mbedtls-2
|
2023-05-02 16:10:32 +02:00
|
|
|
#
|
2023-05-08 13:40:53 +02:00
|
|
|
# Copyright (c) 2023 SUSE LLC
|
2023-05-02 16:10:32 +02:00
|
|
|
#
|
|
|
|
|
# All modifications and additions to the file contributed by third parties
|
|
|
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
|
|
|
# upon. The license for this file, and modifications and additions to the
|
|
|
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
|
|
|
# license for the pristine package is not an Open Source License, in which
|
|
|
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
|
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
|
|
|
# published by the Open Source Initiative.
|
|
|
|
|
|
|
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
%define lib_tls libmbedtls14
|
|
|
|
|
%define lib_crypto libmbedcrypto7
|
|
|
|
|
%define lib_x509 libmbedx509-1
|
|
|
|
|
%define _rname mbedtls
|
|
|
|
|
Name: mbedtls-2
|
Accepting request 1116219 from home:jaimeMF:branches:security:tls
- Update to 2.28.5:
Features
* The documentation of mbedtls_ecp_group now describes the optimized
representation of A for some curves. Fixes gh#Mbed-TLS/mbedtls#8045.
Security
* Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
review the size of the output buffer passed to this function, and note that
the output after decryption may include CBC padding. Consider moving to the
new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext() which
checks for overflow of the output buffer and reports the actual length of
the output.
* Improve padding calculations in CBC decryption, NIST key unwrapping and
RSA OAEP decryption. With the previous implementation, some compilers
(notably recent versions of Clang and IAR) could produce non-constant time
code, which could allow a padding oracle attack if the attacker has access
to precise timing measurements.
* Fix a buffer overread when parsing short TLS application data records in
ARC4 or null-cipher cipher suites. Credit to OSS-Fuzz.
Bugfix
* Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
using ECC key. The certificate was rejected by some crypto frameworks.
Fixes gh#Mbed-TLS/mbedtls#2924.
* Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
signature can silently return an incorrect result in low memory conditions.
* Fix IAR compiler warnings. Fixes gh#Mbed-TLS/mbedtls#7873,
gh#Mbed-TLS/mbedtls#4300.
* Fix an issue when parsing an otherName subject alternative name into a
mbedtls_x509_san_other_name struct. The type-id of the otherName was not
copied to the struct. This meant that the struct had incomplete information
about the otherName SAN and contained uninitialized memory.
* Fix the detection of HardwareModuleName otherName SANs. These were being
detected by comparing the wrong field and the check was erroneously
inverted.
* Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes
gh#Mbed-TLS/mbedtls#7498. Functions in the ssl_cache module now return a
negative MBEDTLS_ERR_xxx error code on failure. Before, they returned 1 to
indicate failure in some cases involving a missing entry or a full cache.
Changes
* In configurations with ARIA or Camellia but not AES, the value of
MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might suggest.
This did not affect any library code, because this macro was only used in
relation with CMAC which does not support these ciphers. Its value is now
16 if ARIA or Camellia are present. This may affect application code that
uses this macro.
OBS-URL: https://build.opensuse.org/request/show/1116219
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls-2?expand=0&rev=8
2023-10-07 16:56:25 +02:00
|
|
|
Version: 2.28.5
|
2023-05-02 16:10:32 +02:00
|
|
|
Release: 0
|
|
|
|
|
Summary: Libraries for crypto and SSL/TLS protocols
|
|
|
|
|
License: Apache-2.0
|
|
|
|
|
Group: Development/Libraries/C and C++
|
|
|
|
|
URL: https://tls.mbed.org
|
|
|
|
|
Source: https://github.com/ARMmbed/mbedtls/archive/v%{version}.tar.gz#/%{_rname}-%{version}.tar.gz
|
|
|
|
|
Source99: baselibs.conf
|
|
|
|
|
BuildRequires: cmake
|
|
|
|
|
BuildRequires: ninja
|
|
|
|
|
BuildRequires: pkgconfig
|
|
|
|
|
BuildRequires: pkgconfig(libpkcs11-helper-1)
|
|
|
|
|
BuildRequires: pkgconfig(zlib)
|
|
|
|
|
%{?suse_build_hwcaps_libs}
|
|
|
|
|
|
|
|
|
|
%description
|
|
|
|
|
mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It
|
|
|
|
|
supports a number of extensions such as SSL Session Tickets (RFC
|
|
|
|
|
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
|
|
|
|
|
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
|
|
|
|
|
5746) and Application Layer Protocol Negotiation (ALPN). It
|
|
|
|
|
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
|
|
|
|
|
exchanges.
|
|
|
|
|
|
|
|
|
|
%package -n %{lib_tls}
|
|
|
|
|
Summary: Transport Layer Security protocol suite
|
|
|
|
|
Group: System/Libraries
|
|
|
|
|
|
|
|
|
|
%description -n %{lib_tls}
|
|
|
|
|
mbedtls implements the SSL 3.0, TLS 1.0, 1.1 and 1.2 protocols. It
|
|
|
|
|
supports a number of extensions such as SSL Session Tickets (RFC
|
|
|
|
|
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
|
|
|
|
|
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
|
|
|
|
|
5746) and Application Layer Protocol Negotiation (ALPN). It
|
|
|
|
|
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
|
|
|
|
|
exchanges.
|
|
|
|
|
|
|
|
|
|
%package -n %{lib_crypto}
|
|
|
|
|
Summary: Cryptographic base library for mbedtls
|
|
|
|
|
Group: System/Libraries
|
|
|
|
|
|
|
|
|
|
%description -n %{lib_crypto}
|
|
|
|
|
This subpackage of mbedtls contains a library that exposes
|
|
|
|
|
cryptographic ciphers, hashes, algorithms and format support such as
|
|
|
|
|
AES, MD5, SHA, Elliptic Curves, BigNum, PKCS, ASN.1, BASE64.
|
|
|
|
|
|
|
|
|
|
%package -n %{lib_x509}
|
|
|
|
|
Summary: Library to work with X.509 certificates
|
|
|
|
|
Group: System/Libraries
|
|
|
|
|
|
|
|
|
|
%description -n %{lib_x509}
|
|
|
|
|
This subpackage of mbedtls contains a library that can read, verify
|
|
|
|
|
and write X.509 certificates, read/write Certificate Signing Requests
|
|
|
|
|
and read Certificate Revocation Lists.
|
|
|
|
|
|
|
|
|
|
%package devel
|
|
|
|
|
Summary: Development files for mbedtls, a SSL/TLS library
|
|
|
|
|
Group: Development/Libraries/C and C++
|
|
|
|
|
Requires: %{lib_crypto} = %{version}
|
|
|
|
|
Requires: %{lib_tls} = %{version}
|
|
|
|
|
Requires: %{lib_x509} = %{version}
|
2023-05-08 13:40:53 +02:00
|
|
|
Provides: mbedtls-devel = %{version}-%{release}
|
2023-05-02 16:10:32 +02:00
|
|
|
Conflicts: mbedtls-devel >= 3
|
|
|
|
|
|
|
|
|
|
%description devel
|
|
|
|
|
This subpackage contains the development files for mbedtls,
|
|
|
|
|
a suite of libraries for cryptographic functions and the
|
|
|
|
|
SSL/TLS protocol suite.
|
|
|
|
|
|
|
|
|
|
%prep
|
|
|
|
|
%autosetup -p1 -n %{_rname}-%{version}
|
|
|
|
|
sed -i 's|//\(#define MBEDTLS_ZLIB_SUPPORT\)|\1|' include/mbedtls/config.h
|
|
|
|
|
sed -i 's|//\(#define MBEDTLS_HAVEGE_C\)|\1|' include/mbedtls/config.h
|
|
|
|
|
sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h
|
|
|
|
|
sed -i 's|//\(#define MBEDTLS_THREADING_PTHREAD\)|\1|' include/mbedtls/config.h
|
|
|
|
|
|
|
|
|
|
%build
|
|
|
|
|
%define __builder ninja
|
|
|
|
|
export CFLAGS="%{optflags} -Wno-stringop-overflow -Wno-maybe-uninitialized"
|
|
|
|
|
export CXXLAGS="%{optflags} -Wno-stringop-overflow -Wno-maybe-uninitialized"
|
|
|
|
|
%cmake \
|
|
|
|
|
-DUNSAFE_BUILD=ON \
|
|
|
|
|
-DLINK_WITH_PTHREAD=ON \
|
|
|
|
|
-DUSE_PKCS11_HELPER_LIBRARY=ON \
|
|
|
|
|
-DENABLE_ZLIB_SUPPORT=ON \
|
|
|
|
|
-DINSTALL_MBEDTLS_HEADERS=ON \
|
|
|
|
|
-DUSE_SHARED_MBEDTLS_LIBRARY=ON \
|
|
|
|
|
-DUSE_STATIC_MBEDTLS_LIBRARY=OFF \
|
|
|
|
|
-DENABLE_PROGRAMS=OFF \
|
|
|
|
|
-DCMAKE_POLICY_DEFAULT_CMP0012=NEW
|
|
|
|
|
%cmake_build
|
|
|
|
|
|
|
|
|
|
%install
|
|
|
|
|
%cmake_install
|
|
|
|
|
|
|
|
|
|
%check
|
|
|
|
|
# parallel execution fails
|
|
|
|
|
# %%ctest
|
|
|
|
|
pushd build
|
|
|
|
|
LD_LIBRARY_PATH=%{buildroot}%{_libdir} \
|
|
|
|
|
%{_bindir}/ctest --output-on-failure --force-new-ctest-process -j1
|
|
|
|
|
|
|
|
|
|
%post -n %{lib_tls} -p /sbin/ldconfig
|
|
|
|
|
%post -n %{lib_crypto} -p /sbin/ldconfig
|
|
|
|
|
%post -n %{lib_x509} -p /sbin/ldconfig
|
|
|
|
|
%postun -n %{lib_tls} -p /sbin/ldconfig
|
|
|
|
|
%postun -n %{lib_crypto} -p /sbin/ldconfig
|
|
|
|
|
%postun -n %{lib_x509} -p /sbin/ldconfig
|
|
|
|
|
|
|
|
|
|
%files devel
|
|
|
|
|
%license LICENSE
|
|
|
|
|
%doc ChangeLog README.md
|
|
|
|
|
%dir %{_includedir}/mbedtls
|
|
|
|
|
%dir %{_includedir}/psa
|
|
|
|
|
%{_includedir}/mbedtls/*.h
|
|
|
|
|
%{_includedir}/psa/*.h
|
|
|
|
|
%{_libdir}/libmbedtls.so
|
|
|
|
|
%{_libdir}/libmbedcrypto.so
|
|
|
|
|
%{_libdir}/libmbedx509.so
|
|
|
|
|
|
|
|
|
|
%files -n %{lib_tls}
|
|
|
|
|
%license LICENSE
|
|
|
|
|
%{_libdir}/libmbedtls.so.*
|
|
|
|
|
|
|
|
|
|
%files -n %{lib_crypto}
|
|
|
|
|
%license LICENSE
|
|
|
|
|
%{_libdir}/libmbedcrypto.so.*
|
|
|
|
|
|
|
|
|
|
%files -n %{lib_x509}
|
|
|
|
|
%license LICENSE
|
|
|
|
|
%{_libdir}/libmbedx509.so.*
|
|
|
|
|
|
|
|
|
|
%changelog
|
