Security
* Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
CVE-2024-45157
Bugfix
* Fix the build in some configurations when check_config.h is not included.
Fix gh#Mbed-TLS/mbedtls#9152.
* Fix issue of redefinition warning messages for _GNU_SOURCE in
entropy_poll.c and sha_256.c. There was a build warning during building for
linux platform. Resolves gh#Mbed-TLS/mbedtls#9026
* Fix error handling when creating a key in a dynamic secure element
(feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
the creation could return PSA_SUCCESS but using or destroying the key would
not work. Fixes gh#Mbed-TLS/mbedtls#8537.
* Fix a memory leak that could occur when failing to process an RSA
key through some PSA functions due to low memory conditions. Document and
enforce the limitation of mbedtls_psa_register_se_key()
to persistent keys. Resolves gh#Mbed-TLS/mbedtls#9253.
- Add fix_calloc-transposed-args.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls-2?expand=0&rev=16
- Update to version 2.28.8:
Features
* AES-NI is now supported in Windows builds with clang and clang-cl.
Resolves gh#Mbed-TLS/mbedtls#8372.
* Add pc files for pkg-config, e.g.:
pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)
Security
* Passing buffers that are stored in untrusted memory as arguments
to PSA functions is now secure by default.
The PSA core now protects against modification of inputs or exposure
of intermediate outputs during operations. This is currently implemented
by copying buffers.
This feature increases code size and memory usage. If buffers passed to
PSA functions are owned exclusively by the PSA core for the duration of
the function call (i.e. no buffer parameters are in shared memory),
copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS.
Note that setting this option will cause input-output buffer overlap to
be only partially supported (gh#Mbed-TLS/mbedtls#3266).
Fixes CVE-2024-28960 boo#1222157 .
Bugfix
* Fix the build with CMake when Everest is enabled through
a user configuration file or the compiler command line. Fixes gh#Mbed-TLS/mbedtls#8165.
* Fix an inconsistency between implementations and usages of __cpuid,
which mainly causes failures when building Windows target using
mingw or clang. Fixes gh#Mbed-TLS/mbedtls#8334 & gh#Mbed-TLS/mbedtls#8332.
* Correct initial capacities for key derivation algorithms: TLS12_PRF,
TLS12_PSK_TO_MS.
* Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
multiple of 8. Fixes gh#Mbed-TLS/mbedtls#868.
* Avoid segmentation fault caused by releasing not initialized
entropy resource in gen_key example. Fixes gh#Mbed-TLS/mbedtls#8809.
* Fix missing bitflags in SSL session serialization headers. Their absence
allowed SSL sessions saved in one configuration to be loaded in a
different, incompatible configuration.
* Fix the restoration of the ALPN when loading serialized connection with
the mbedtls_ssl_context_load() API.
* Fully support arbitrary overlap between inputs and outputs of PSA
functions. Note that overlap is still only partially supported when
MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (gh#Mbed-TLS/mbedtls#3266).
Changes
* Use heap memory to allocate DER encoded public/private key.
This reduces stack usage significantly for writing a public/private
key to a PEM string.
* cmake: Use GnuInstallDirs to customize install directories
Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR
variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
LIB_INSTALL_DIR is set.
OBS-URL: https://build.opensuse.org/request/show/1163794
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls-2?expand=0&rev=14
- Update to 2.28.5:
Features
* The documentation of mbedtls_ecp_group now describes the optimized
representation of A for some curves. Fixes gh#Mbed-TLS/mbedtls#8045.
Security
* Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
review the size of the output buffer passed to this function, and note that
the output after decryption may include CBC padding. Consider moving to the
new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext() which
checks for overflow of the output buffer and reports the actual length of
the output.
* Improve padding calculations in CBC decryption, NIST key unwrapping and
RSA OAEP decryption. With the previous implementation, some compilers
(notably recent versions of Clang and IAR) could produce non-constant time
code, which could allow a padding oracle attack if the attacker has access
to precise timing measurements.
* Fix a buffer overread when parsing short TLS application data records in
ARC4 or null-cipher cipher suites. Credit to OSS-Fuzz.
Bugfix
* Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
using ECC key. The certificate was rejected by some crypto frameworks.
Fixes gh#Mbed-TLS/mbedtls#2924.
* Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
signature can silently return an incorrect result in low memory conditions.
* Fix IAR compiler warnings. Fixes gh#Mbed-TLS/mbedtls#7873,
gh#Mbed-TLS/mbedtls#4300.
* Fix an issue when parsing an otherName subject alternative name into a
mbedtls_x509_san_other_name struct. The type-id of the otherName was not
copied to the struct. This meant that the struct had incomplete information
about the otherName SAN and contained uninitialized memory.
* Fix the detection of HardwareModuleName otherName SANs. These were being
detected by comparing the wrong field and the check was erroneously
inverted.
* Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes
gh#Mbed-TLS/mbedtls#7498. Functions in the ssl_cache module now return a
negative MBEDTLS_ERR_xxx error code on failure. Before, they returned 1 to
indicate failure in some cases involving a missing entry or a full cache.
Changes
* In configurations with ARIA or Camellia but not AES, the value of
MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might suggest.
This did not affect any library code, because this macro was only used in
relation with CMAC which does not support these ciphers. Its value is now
16 if ARIA or Camellia are present. This may affect application code that
uses this macro.
OBS-URL: https://build.opensuse.org/request/show/1116219
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls-2?expand=0&rev=8
- Update to 2.28.3:
Features
* Use HOSTCC (if it is set) when compiling C code during generation of the
configuration-independent files. This allows them to be generated when CC
is set for cross compilation.
* AES-NI is now supported with Visual Studio.
* AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM is
disabled, when compiling with GCC or Clang or a compatible compiler for a
target CPU that supports the requisite instructions (for example gcc -m32
-msse2 -maes -mpclmul). (Generic x86 builds with GCC-like compilers still
require MBEDTLS_HAVE_ASM and a 64-bit target.)
Security
* MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
builds that couldn't compile the GCC-style assembly implementation (most
notably builds with Visual Studio), leaving them vulnerable to timing
side-channel attacks. There is now an intrinsics-based AES-NI
implementation as a fallback for when the assembly one cannot be used.
Bugfix
* Fix a build issue on Windows where the source and build directory could
not be on different drives (#5751).
* Fix possible integer overflow in mbedtls_timing_hardclock(), which
could cause a crash for certain platforms & compiler options.
* Fix IAR compiler warnings. Fixes#6924.
* Fix a bug in the build where directory names containing spaces were
causing generate_errors.pl to error out resulting in a build failure.
Fixes issue #6879.
* Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes#3174.
* Fix a build issue when defining MBEDTLS_TIMING_ALT and MBEDTLS_SELF_TEST.
The library would not link if the user didn't provide an external self-test
function. The self-test is now provided regardless of the choice of
internal/alternative timing implementation. Fixes#6923.
* mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
whose binary representation is longer than 20 bytes. This was already
forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
enforced also at code level.
* Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
Aaron Ucko under Valgrind.
* Fix behavior of certain sample programs which could, when run with no
arguments, access uninitialized memory in some cases. Fixes#6700 (which
was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
* Fix build errors in test programs when MBEDTLS_CERTS_C is disabled.
Fixes#6243.
* Fix parsing of X.509 SubjectAlternativeName extension. Previously,
malformed alternative name components were not caught during initial
certificate parsing, but only on subsequent calls to
mbedtls_x509_parse_subject_alt_name(). Fixes#2838.
* Fix bug in conversion from OID to string in
mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
correctly.
* Reject OIDs with overlong-encoded subidentifiers when converting them to a
string.
* Reject OIDs with subidentifier values exceeding UINT_MAX. Such
subidentifiers can be valid, but Mbed TLS cannot currently handle them.
* Reject OIDs that have unterminated subidentifiers, or (equivalently) have
the most-significant bit set in their last byte.
* Silence a warning about an unused local variable in bignum.c on some
architectures. Fixes#7166.
* Silence warnings from clang -Wdocumentation about empty \retval
descriptions, which started appearing with Clang 15. Fixes#6960.
* Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
len argument is 0 and buffer is NULL.
Changes
* The C code follows a new coding style. This is transparent for users but
affects contributors and maintainers of local patches. For more
information, see
https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
* Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2. As tested in
issue 6790, the correlation between this define and RSA decryption
performance has changed lately due to security fixes. To fix the
performance degradation when using default values the window was reduced
from 6 to 2, a value that gives the best or close to best results when
tested on Cortex-M4 and Intel i7.
OBS-URL: https://build.opensuse.org/request/show/1084072
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls-2?expand=0&rev=2
