diff --git a/mbedtls-2.28.2.tar.gz b/mbedtls-2.28.2.tar.gz deleted file mode 100644 index 9be5a61..0000000 --- a/mbedtls-2.28.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bc55232bf71fd66045122ba9050a29ea7cb2e8f99b064a9e6334a82f715881a0 -size 3934658 diff --git a/mbedtls-2.28.3.tar.gz b/mbedtls-2.28.3.tar.gz new file mode 100644 index 0000000..efd0556 --- /dev/null +++ b/mbedtls-2.28.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bdf7c5bbdc338da3edad89b2885d4f8668f9a6fffeba6ec17a60333e36dade6f +size 3952497 diff --git a/mbedtls-2.changes b/mbedtls-2.changes index fa83adf..f1b36af 100644 --- a/mbedtls-2.changes +++ b/mbedtls-2.changes 
@@ -1,3 +1,81 @@ +------------------------------------------------------------------- +Tue May 2 14:26:41 UTC 2023 - Jaime Marquínez Ferrándiz + +- Update to 2.28.3: + Features + * Use HOSTCC (if it is set) when compiling C code during generation of the + configuration-independent files. This allows them to be generated when CC + is set for cross compilation. + * AES-NI is now supported with Visual Studio. + * AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM is + disabled, when compiling with GCC or Clang or a compatible compiler for a + target CPU that supports the requisite instructions (for example gcc -m32 + -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like compilers still + require MBEDTLS_HAVE_ASM and a 64-bit target.) + Security + * MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on + builds that couldn't compile the GCC-style assembly implementation (most + notably builds with Visual Studio), leaving them vulnerable to timing + side-channel attacks. There is now an intrinsics-based AES-NI + implementation as a fallback for when the assembly one cannot be used. + Bugfix + * Fix a build issue on Windows where the source and build directory could + not be on different drives (#5751). + * Fix possible integer overflow in mbedtls_timing_hardclock(), which + could cause a crash for certain platforms & compiler options. + * Fix IAR compiler warnings. Fixes #6924. + * Fix a bug in the build where directory names containing spaces were + causing generate_errors.pl to error out resulting in a build failure. + Fixes issue #6879. + * Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are + defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174. + * Fix a build issue when defining MBEDTLS_TIMING_ALT and MBEDTLS_SELF_TEST. + The library would not link if the user didn't provide an external self-test + function. 
The self-test is now provided regardless of the choice of + internal/alternative timing implementation. Fixes #6923. + * mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers + whose binary representation is longer than 20 bytes. This was already + forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being + enforced also at code level. + * Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by + Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by + Aaron Ucko under Valgrind. + * Fix behavior of certain sample programs which could, when run with no + arguments, access uninitialized memory in some cases. Fixes #6700 (which + was found by TrustInSoft Analyzer during REDOCS'22) and #1120. + * Fix build errors in test programs when MBEDTLS_CERTS_C is disabled. + Fixes #6243. + * Fix parsing of X.509 SubjectAlternativeName extension. Previously, + malformed alternative name components were not caught during initial + certificate parsing, but only on subsequent calls to + mbedtls_x509_parse_subject_alt_name(). Fixes #2838. + * Fix bug in conversion from OID to string in + mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed + correctly. + * Reject OIDs with overlong-encoded subidentifiers when converting them to a + string. + * Reject OIDs with subidentifier values exceeding UINT_MAX. Such + subidentifiers can be valid, but Mbed TLS cannot currently handle them. + * Reject OIDs that have unterminated subidentifiers, or (equivalently) have + the most-significant bit set in their last byte. + * Silence a warning about an unused local variable in bignum.c on some + architectures. Fixes #7166. + * Silence warnings from clang -Wdocumentation about empty \retval + descriptions, which started appearing with Clang 15. Fixes #6960. + * Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if + len argument is 0 and buffer is NULL. 
+ Changes + * The C code follows a new coding style. This is transparent for users but + affects contributors and maintainers of local patches. For more + information, see + https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/ + * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2. As tested in + issue 6790, the correlation between this define and RSA decryption + performance has changed lately due to security fixes. To fix the + performance degradation when using default values the window was reduced + from 6 to 2, a value that gives the best or close to best results when + tested on Cortex-M4 and Intel i7. + ------------------------------------------------------------------- Mon May 1 20:48:28 UTC 2023 - Jaime Marquínez Ferrándiz diff --git a/mbedtls-2.spec b/mbedtls-2.spec index 4deb3f3..d890019 100644 --- a/mbedtls-2.spec +++ b/mbedtls-2.spec @@ -21,7 +21,7 @@ %define lib_x509 libmbedx509-1 %define _rname mbedtls Name: mbedtls-2 -Version: 2.28.2 +Version: 2.28.3 Release: 0 Summary: Libraries for crypto and SSL/TLS protocols License: Apache-2.0
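Review bot: In the mbedtls-2.28.3.tar.gz hunk the new archive is identified only by its LFS pointer (`+oid sha256:bdf7c5bbdc338da3edad89b2885d4f8668f9a6fffeba6ec17a60333e36dade6f`, `+size 3952497`), and none of the visible hunks adds or updates a detached signature or checksum file alongside it. Please say in the submission how the tarball was checked against the upstream release (published checksum or signature), so the oid recorded here can be tied to the upstream artifact and not just to the file that was uploaded.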
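Review bot: The Security bullet in the mbedtls-2.changes hunk (MBEDTLS_AESNI_C silently ignored, leaving builds open to timing side-channel attacks) carries no CVE or bug-tracker reference; if one is assigned for this fix, add it to that bullet so the update can be tracked as a security update. The same entry also lists behaviour changes that dependent packages may notice: mbedtls_x509write_crt_set_serial() now rejects serial numbers longer than 20 bytes, SubjectAlternativeName and OID parsing reject more malformed input, and the default MBEDTLS_ECP_WINDOW_SIZE drops from 6 to 2. A rebuild and test run of the packages that depend on mbedtls-2 would be worth doing before this is accepted.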
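Review bot: In the mbedtls-2.spec hunk only the `Version:` line changes, while the context keeps `%define lib_x509 libmbedx509-1`. Please confirm that 2.28.3 still ships the same library sonames, since the subpackage names defined above depend on them, and mention in the submission that this was checked.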