rpm/mbedtls-2
SHA256
1
0
Fork 0
forked from pool/mbedtls-2
Code Pull Requests Activity
77cd7e0775
mbedtls-2/mbedtls-2.spec
Jaime Marquínez Ferrándiz 77cd7e0775 Accepting request 1116219 from home:jaimeMF:branches:security:tls 
- Update to 2.28.5:
  Features
  * The documentation of mbedtls_ecp_group now describes the optimized
    representation of A for some curves. Fixes gh#Mbed-TLS/mbedtls#8045.
  Security
  * Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
    review the size of the output buffer passed to this function, and note that
    the output after decryption may include CBC padding. Consider moving to the
    new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext() which
    checks for overflow of the output buffer and reports the actual length of
    the output.
  * Improve padding calculations in CBC decryption, NIST key unwrapping and
    RSA OAEP decryption. With the previous implementation, some compilers
    (notably recent versions of Clang and IAR) could produce non-constant time
    code, which could allow a padding oracle attack if the attacker has access
    to precise timing measurements.
  * Fix a buffer overread when parsing short TLS application data records in
    ARC4 or null-cipher cipher suites. Credit to OSS-Fuzz.
  Bugfix
  * Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
    using ECC key. The certificate was rejected by some crypto frameworks.
    Fixes gh#Mbed-TLS/mbedtls#2924.
  * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
    signature can silently return an incorrect result in low memory conditions.
  * Fix IAR compiler warnings. Fixes gh#Mbed-TLS/mbedtls#7873,
    gh#Mbed-TLS/mbedtls#4300.
  * Fix an issue when parsing an otherName subject alternative name into a
    mbedtls_x509_san_other_name struct. The type-id of the otherName was not
    copied to the struct. This meant that the struct had incomplete information
    about the otherName SAN and contained uninitialized memory.
  * Fix the detection of HardwareModuleName otherName SANs. These were being
    detected by comparing the wrong field and the check was erroneously
    inverted.
  * Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
    MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes
    gh#Mbed-TLS/mbedtls#7498.  Functions in the ssl_cache module now return a
    negative MBEDTLS_ERR_xxx error code on failure. Before, they returned 1 to
    indicate failure in some cases involving a missing entry or a full cache.
  Changes
  * In configurations with ARIA or Camellia but not AES, the value of
    MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might suggest.
    This did not affect any library code, because this macro was only used in
    relation with CMAC which does not support these ciphers.  Its value is now
    16 if ARIA or Camellia are present. This may affect application code that
    uses this macro.

OBS-URL: https://build.opensuse.org/request/show/1116219
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls-2?expand=0&rev=8
2023-10-07 14:56:25 +00:00

157 lines
5.1 KiB
RPMSpec
Raw Blame History

#
# spec file for package mbedtls-2
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define lib_tls libmbedtls14
%define lib_crypto libmbedcrypto7
%define lib_x509 libmbedx509-1
%define _rname mbedtls
Name: mbedtls-2
Version: 2.28.5
Release: 0
Summary: Libraries for crypto and SSL/TLS protocols
License: Apache-2.0
Group: Development/Libraries/C and C++
URL: https://tls.mbed.org
Source: https://github.com/ARMmbed/mbedtls/archive/v%{version}.tar.gz#/%{_rname}-%{version}.tar.gz
Source99: baselibs.conf
BuildRequires: cmake
BuildRequires: ninja
BuildRequires: pkgconfig
BuildRequires: pkgconfig(libpkcs11-helper-1)
BuildRequires: pkgconfig(zlib)
%{?suse_build_hwcaps_libs}
%description
mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It
supports a number of extensions such as SSL Session Tickets (RFC
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
5746) and Application Layer Protocol Negotiation (ALPN). It
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
exchanges.
%package -n %{lib_tls}
Summary: Transport Layer Security protocol suite
Group: System/Libraries
%description -n %{lib_tls}
mbedtls implements the SSL 3.0, TLS 1.0, 1.1 and 1.2 protocols. It
supports a number of extensions such as SSL Session Tickets (RFC
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
5746) and Application Layer Protocol Negotiation (ALPN). It
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
exchanges.
%package -n %{lib_crypto}
Summary: Cryptographic base library for mbedtls
Group: System/Libraries
%description -n %{lib_crypto}
This subpackage of mbedtls contains a library that exposes
cryptographic ciphers, hashes, algorithms and format support such as
AES, MD5, SHA, Elliptic Curves, BigNum, PKCS, ASN.1, BASE64.
%package -n %{lib_x509}
Summary: Library to work with X.509 certificates
Group: System/Libraries
%description -n %{lib_x509}
This subpackage of mbedtls contains a library that can read, verify
and write X.509 certificates, read/write Certificate Signing Requests
and read Certificate Revocation Lists.
%package devel
Summary: Development files for mbedtls, a SSL/TLS library
Group: Development/Libraries/C and C++
Requires: %{lib_crypto} = %{version}
Requires: %{lib_tls} = %{version}
Requires: %{lib_x509} = %{version}
Provides: mbedtls-devel = %{version}-%{release}
Conflicts: mbedtls-devel >= 3
%description devel
This subpackage contains the development files for mbedtls,
a suite of libraries for cryptographic functions and the
SSL/TLS protocol suite.
%prep
%autosetup -p1 -n %{_rname}-%{version}
sed -i 's|//\(#define MBEDTLS_ZLIB_SUPPORT\)|\1|' include/mbedtls/config.h
sed -i 's|//\(#define MBEDTLS_HAVEGE_C\)|\1|' include/mbedtls/config.h
sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h
sed -i 's|//\(#define MBEDTLS_THREADING_PTHREAD\)|\1|' include/mbedtls/config.h
%build
%define __builder ninja
export CFLAGS="%{optflags} -Wno-stringop-overflow -Wno-maybe-uninitialized"
export CXXLAGS="%{optflags} -Wno-stringop-overflow -Wno-maybe-uninitialized"
%cmake \
-DUNSAFE_BUILD=ON \
-DLINK_WITH_PTHREAD=ON \
-DUSE_PKCS11_HELPER_LIBRARY=ON \
-DENABLE_ZLIB_SUPPORT=ON \
-DINSTALL_MBEDTLS_HEADERS=ON \
-DUSE_SHARED_MBEDTLS_LIBRARY=ON \
-DUSE_STATIC_MBEDTLS_LIBRARY=OFF \
-DENABLE_PROGRAMS=OFF \
-DCMAKE_POLICY_DEFAULT_CMP0012=NEW
%cmake_build
%install
%cmake_install
%check
# parallel execution fails
# %%ctest
pushd build
LD_LIBRARY_PATH=%{buildroot}%{_libdir} \
%{_bindir}/ctest --output-on-failure --force-new-ctest-process -j1
%post -n %{lib_tls} -p /sbin/ldconfig
%post -n %{lib_crypto} -p /sbin/ldconfig
%post -n %{lib_x509} -p /sbin/ldconfig
%postun -n %{lib_tls} -p /sbin/ldconfig
%postun -n %{lib_crypto} -p /sbin/ldconfig
%postun -n %{lib_x509} -p /sbin/ldconfig
%files devel
%license LICENSE
%doc ChangeLog README.md
%dir %{_includedir}/mbedtls
%dir %{_includedir}/psa
%{_includedir}/mbedtls/*.h
%{_includedir}/psa/*.h
%{_libdir}/libmbedtls.so
%{_libdir}/libmbedcrypto.so
%{_libdir}/libmbedx509.so
%files -n %{lib_tls}
%license LICENSE
%{_libdir}/libmbedtls.so.*
%files -n %{lib_crypto}
%license LICENSE
%{_libdir}/libmbedcrypto.so.*
%files -n %{lib_x509}
%license LICENSE
%{_libdir}/libmbedx509.so.*
%changelog
View Git Blame Copy Permalink