- Update to version 2.28.9:

Security
  * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
    not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
    MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
    CVE-2024-45157
  Bugfix
  * Fix the build in some configurations when check_config.h is not included.
    Fix gh#Mbed-TLS/mbedtls#9152.
  * Fix issue of redefinition warning messages for _GNU_SOURCE in
    entropy_poll.c and sha_256.c. There was a build warning during building for
    linux platform.  Resolves gh#Mbed-TLS/mbedtls#9026
  * Fix error handling when creating a key in a dynamic secure element
    (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
    the creation could return PSA_SUCCESS but using or destroying the key would
    not work. Fixes gh#Mbed-TLS/mbedtls#8537.
  * Fix a memory leak that could occur when failing to process an RSA
    key through some PSA functions due to low memory conditions.  Document and
    enforce the limitation of mbedtls_psa_register_se_key()
    to persistent keys. Resolves gh#Mbed-TLS/mbedtls#9253.
- Add fix_calloc-transposed-args.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls-2?expand=0&rev=16

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

baselibs.conf

@@ -0,0 +1,3 @@
+libmbedtls14
+libmbedx509-1
+libmbedcrypto7

fix_calloc-transposed-args.patch

@@ -0,0 +1,59 @@
+From 990a88cd53d40ff42481a2c200b05f656507f326 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyich@gmail.com>
+Date: Thu, 25 Jan 2024 20:48:56 +0000
+Subject: [PATCH] tests: fix `calloc()` argument list (`gcc-14` fix)
+
+`gcc-14` added a new `-Wcalloc-transposed-args` warning recently. It
+detected minor infelicity in `calloc()` API usage in `mbedtls`:
+
+    In file included from /build/mbedtls/tests/include/test/ssl_helpers.h:19,
+                     from /build/mbedtls/tests/src/test_helpers/ssl_helpers.c:11:
+    /build/mbedtls/tests/src/test_helpers/ssl_helpers.c: In function 'mbedtls_test_init_handshake_options':
+    /build/mbedtls/tests/include/test/macros.h:128:46:
+      error: 'calloc' sizes specified with 'sizeof' in the earlier argument
+        and not in the later argument [-Werror=calloc-transposed-args]
+      128 |             (pointer) = mbedtls_calloc(sizeof(*(pointer)),  \
+          |                                              ^
+
+Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
+---
+ tests/include/test/macros.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h
+index 894fc6727cc8..3c347e17e901 100644
+--- a/tests/include/test/macros.h
++++ b/tests/include/test/macros.h
+@@ -135,8 +135,8 @@
+     do {                                                    \
+         TEST_ASSERT((pointer) == NULL);                     \
+         if ((item_count) != 0) {                            \
+-            (pointer) = mbedtls_calloc(sizeof(*(pointer)),  \
+-                                       (item_count));       \
++            (pointer) = mbedtls_calloc((item_count),        \
++                                       sizeof(*(pointer))); \
+             TEST_ASSERT((pointer) != NULL);                 \
+         }                                                   \
+     } while (0)
+@@ -165,8 +165,8 @@
+ #define TEST_CALLOC_NONNULL(pointer, item_count)            \
+     do {                                                    \
+         TEST_ASSERT((pointer) == NULL);                     \
+-        (pointer) = mbedtls_calloc(sizeof(*(pointer)),      \
+-                                   (item_count));           \
++        (pointer) = mbedtls_calloc((item_count),            \
++                                   sizeof(*(pointer)));     \
+         if (((pointer) == NULL) && ((item_count) == 0)) {   \
+             (pointer) = mbedtls_calloc(1, 1);               \
+         }                                                   \
+@@ -185,8 +185,8 @@
+     do {                                                    \
+         TEST_ASSERT((pointer) == NULL);                     \
+         if ((item_count) != 0) {                            \
+-            (pointer) = mbedtls_calloc(sizeof(*(pointer)),  \
+-                                       (item_count));       \
++            (pointer) = mbedtls_calloc((item_count),        \
++                                       sizeof(*(pointer))); \
+             TEST_ASSUME((pointer) != NULL);                 \
+         }                                                   \
+     } while (0)

mbedtls-2.28.8.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4fef7de0d8d542510d726d643350acb3cdb9dc76ad45611b59c9aa08372b4213
+size 4039097

mbedtls-2.28.9.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e4dbcf86a4fb31506482888560f02b161e0ecfb82fee0643abcfc86abee5817e
+size 4075616

mbedtls-2.spec

@@ -0,0 +1,169 @@
+#
+# spec file for package mbedtls-2
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define lib_tls    libmbedtls14
+%define lib_crypto libmbedcrypto7
+%define lib_x509   libmbedx509-1
+%define _rname     mbedtls
+Name:           mbedtls-2
+Version:        2.28.9
+Release:        0
+Summary:        Libraries for crypto and SSL/TLS protocols
+License:        Apache-2.0 OR GPL-2.0-or-later
+Group:          Development/Libraries/C and C++
+URL:            https://tls.mbed.org
+Source:         https://github.com/ARMmbed/mbedtls/archive/v%{version}.tar.gz#/%{_rname}-%{version}.tar.gz
+Source99:       baselibs.conf
+# PATCH-FIX-UPSTREAM: https://github.com/Mbed-TLS/mbedtls/pull/9529
+Patch0:         fix_calloc-transposed-args.patch
+BuildRequires:  cmake
+BuildRequires:  ninja
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(libpkcs11-helper-1)
+BuildRequires:  pkgconfig(zlib)
+%{?suse_build_hwcaps_libs}
+
+%description
+mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It
+supports a number of extensions such as SSL Session Tickets (RFC
+5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
+6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
+5746) and Application Layer Protocol Negotiation (ALPN). It
+understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
+exchanges.
+
+%package -n %{lib_tls}
+Summary:        Transport Layer Security protocol suite
+Group:          System/Libraries
+
+%description -n %{lib_tls}
+mbedtls implements the SSL 3.0, TLS 1.0, 1.1 and 1.2 protocols. It
+supports a number of extensions such as SSL Session Tickets (RFC
+5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
+6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
+5746) and Application Layer Protocol Negotiation (ALPN). It
+understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
+exchanges.
+
+%package -n %{lib_crypto}
+Summary:        Cryptographic base library for mbedtls
+Group:          System/Libraries
+
+%description -n %{lib_crypto}
+This subpackage of mbedtls contains a library that exposes
+cryptographic ciphers, hashes, algorithms and format support such as
+AES, MD5, SHA, Elliptic Curves, BigNum, PKCS, ASN.1, BASE64.
+
+%package -n %{lib_x509}
+Summary:        Library to work with X.509 certificates
+Group:          System/Libraries
+
+%description -n %{lib_x509}
+This subpackage of mbedtls contains a library that can read, verify
+and write X.509 certificates, read/write Certificate Signing Requests
+and read Certificate Revocation Lists.
+
+%package devel
+Summary:        Development files for mbedtls, a SSL/TLS library
+Group:          Development/Libraries/C and C++
+Requires:       %{lib_crypto} = %{version}
+Requires:       %{lib_tls} = %{version}
+Requires:       %{lib_x509} = %{version}
+Provides:       mbedtls-devel = %{version}-%{release}
+Conflicts:      mbedtls-devel >= 3
+
+%description devel
+This subpackage contains the development files for mbedtls,
+a suite of libraries for cryptographic functions and the
+SSL/TLS protocol suite.
+
+%prep
+%autosetup -p1 -n %{_rname}-%{version}
+sed -i 's|//\(#define MBEDTLS_ZLIB_SUPPORT\)|\1|' include/mbedtls/config.h
+sed -i 's|//\(#define MBEDTLS_HAVEGE_C\)|\1|' include/mbedtls/config.h
+sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h
+sed -i 's|//\(#define MBEDTLS_THREADING_PTHREAD\)|\1|' include/mbedtls/config.h
+
+%build
+%define __builder ninja
+export CFLAGS="%{optflags} -Wno-stringop-overflow -Wno-maybe-uninitialized"
+export CXXLAGS="%{optflags} -Wno-stringop-overflow -Wno-maybe-uninitialized"
+%cmake \
+  -DUNSAFE_BUILD=ON \
+  -DLINK_WITH_PTHREAD=ON \
+  -DUSE_PKCS11_HELPER_LIBRARY=ON \
+  -DENABLE_ZLIB_SUPPORT=ON \
+  -DINSTALL_MBEDTLS_HEADERS=ON \
+  -DUSE_SHARED_MBEDTLS_LIBRARY=ON \
+  -DUSE_STATIC_MBEDTLS_LIBRARY=OFF \
+  -DENABLE_PROGRAMS=OFF \
+  -DCMAKE_POLICY_DEFAULT_CMP0012=NEW
+%cmake_build
+
+%install
+%cmake_install
+
+%check
+# parallel execution fails
+# %%ctest
+pushd build
+LD_LIBRARY_PATH=%{buildroot}%{_libdir} \
+ %{_bindir}/ctest --output-on-failure --force-new-ctest-process -j1
+
+%post -n %{lib_tls}      -p /sbin/ldconfig
+%post -n %{lib_crypto}   -p /sbin/ldconfig
+%post -n %{lib_x509}     -p /sbin/ldconfig
+%postun -n %{lib_tls}    -p /sbin/ldconfig
+%postun -n %{lib_crypto} -p /sbin/ldconfig
+%postun -n %{lib_x509}   -p /sbin/ldconfig
+
+%files devel
+%license LICENSE
+%doc ChangeLog README.md
+%dir %{_includedir}/mbedtls
+%dir %{_includedir}/psa
+%dir %{_includedir}/everest
+%dir %{_includedir}/everest/kremlib
+%dir %{_includedir}/everest/kremlin
+%dir %{_includedir}/everest/kremlin/internal
+%dir %{_includedir}/everest/vs2010
+%{_libdir}/pkgconfig/*.pc
+%{_includedir}/mbedtls/*.h
+%{_includedir}/psa/*.h
+%{_includedir}/everest/*.h
+%{_includedir}/everest/kremlib/*.h
+%{_includedir}/everest/kremlin/*.h
+%{_includedir}/everest/kremlin/internal/*.h
+%{_includedir}/everest/vs2010/*.h
+%{_libdir}/libmbedtls.so
+%{_libdir}/libmbedcrypto.so
+%{_libdir}/libmbedx509.so
+
+%files -n %{lib_tls}
+%license LICENSE
+%{_libdir}/libmbedtls.so.*
+
+%files -n %{lib_crypto}
+%license LICENSE
+%{_libdir}/libmbedcrypto.so.*
+
+%files -n %{lib_x509}
+%license LICENSE
+%{_libdir}/libmbedx509.so.*
+
+%changelog