rpm/mbedtls
SHA256
1
0
Fork 0
forked from pool/mbedtls
Code Pull Requests Activity

Accepting request 657220 from home:pmonrealgonzalez:branches:security:tls

Browse Source 
- Library package version bumped to libmbedtls12

- Update to version 2.14.1: [bsc#1118727, CVE-2018-19608]
  Security
   * Fix timing variations and memory access variations in RSA PKCS#1 v1.5
     decryption that could lead to a Bleichenbacher-style padding oracle
     attack. In TLS, this affects servers that accept ciphersuites based on
     RSA decryption (i.e. ciphersuites whose name contains RSA but not
     (EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute),  Robert Gillham
     (University of Adelaide), Daniel Genkin (University of Michigan),
     Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
     (University of Adelaide, Data61). The attack is described in more detail
     in the paper available here: http://cat.eyalro.net/cat.pdf  CVE-2018-19608
   * In mbedtls_mpi_write_binary(), don't leak the exact size of the number
     via branching and memory access patterns. An attacker who could submit
     a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
     of the decryption and not its result could nonetheless decrypt RSA
     plaintexts and forge RSA signatures. Other asymmetric algorithms may
     have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
     Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
   * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
     modules.
  API Changes
   * The new functions mbedtls_ctr_drbg_update_ret() and
     mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
     and mbedtls_hmac_drbg_update() respectively, but the new functions
     report errors whereas the old functions return void. We recommend that
     applications use the new functions.
- Version 2.14.0:
  Security

OBS-URL: https://build.opensuse.org/request/show/657220
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=4
This commit is contained in:
Tomáš Chvátal 2018-12-11 15:42:05 +00:00 committed by Git OBS Bridge
parent c11c7d3c29
commit 1791b616af
5 changed files with 232 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
baselibs.conf
View File

@ -1,3 +1,3 @@
libmbedtls11
libmbedtls12
libmbedx509-0
libmbedcrypto3

3
mbedtls-2.12.0-apache.tgz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a2bed048f41a19ec7b4dd2e96649145bbd68a6955c3b51aeb7ccbf8908c3ce97
size 2390563

3
mbedtls-2.14.1-apache.tgz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f189cbd58c9b1933e4e4460b592664447f3694ad2de882a1332d177e8eedc61d
size 2468132

225
mbedtls.changes
View File

@ -1,3 +1,228 @@
-------------------------------------------------------------------
Tue Dec 11 14:07:44 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Library package version bumped to libmbedtls12
-------------------------------------------------------------------
Tue Dec 11 13:48:05 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Update to version 2.14.1: [bsc#1118727, CVE-2018-19608]
Security
* Fix timing variations and memory access variations in RSA PKCS#1 v1.5
decryption that could lead to a Bleichenbacher-style padding oracle
attack. In TLS, this affects servers that accept ciphersuites based on
RSA decryption (i.e. ciphersuites whose name contains RSA but not
(EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham
(University of Adelaide), Daniel Genkin (University of Michigan),
Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom
(University of Adelaide, Data61). The attack is described in more detail
in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
* In mbedtls_mpi_write_binary(), don't leak the exact size of the number
via branching and memory access patterns. An attacker who could submit
a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing
of the decryption and not its result could nonetheless decrypt RSA
plaintexts and forge RSA signatures. Other asymmetric algorithms may
have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham,
Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
* Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG
modules.
API Changes
* The new functions mbedtls_ctr_drbg_update_ret() and
mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update()
and mbedtls_hmac_drbg_update() respectively, but the new functions
report errors whereas the old functions return void. We recommend that
applications use the new functions.
- Version 2.14.0:
Security
* Fix overly strict DN comparison when looking for CRLs belonging to a
particular CA. This previously led to ignoring CRLs when the CRL's issuer
name and the CA's subject name differed in their string encoding (e.g.,
one using PrintableString and the other UTF8String) or in the choice of
upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue
#1784.
* Fix a flawed bounds check in server PSK hint parsing. In case the
incoming message buffer was placed within the first 64KiB of address
space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker
to trigger a memory access up to 64KiB beyond the incoming message buffer,
potentially leading to an application crash or information disclosure.
* Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The
previous settings for the number of rounds made it practical for an
adversary to construct non-primes that would be erroneously accepted as
primes with high probability. This does not have an impact on the
security of TLS, but can matter in other contexts with numbers chosen
potentially by an adversary that should be prime and can be validated.
For example, the number of rounds was enough to securely generate RSA key
pairs or Diffie-Hellman parameters, but was insufficient to validate
Diffie-Hellman parameters properly.
See "Prime and Prejudice" by by Martin R. Albrecht and Jake Massimo and
Kenneth G. Paterson and Juraj Somorovsky.
Features
* Add support for temporarily suspending expensive ECC computations after
some configurable amount of operations. This is intended to be used in
constrained, single-threaded systems where ECC is time consuming and can
block other operations until they complete. This is disabled by default,
but can be enabled by MBEDTLS_ECP_RESTARTABLE at compile time and
configured by mbedtls_ecp_set_max_ops() at runtime. It applies to the new
xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported
yet), and to existing functions in ECDH and SSL (currently only
implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2,
including client authentication).
* Add support for Arm CPU DSP extensions to accelerate asymmetric key
operations. On CPUs where the extensions are available, they can accelerate
MPI multiplications used in ECC and RSA cryptography. Contributed by
Aurelien Jarno.
* Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS
signature always used a salt with the same length as the hash, and returned
an error if this was not possible. Now the salt size may be up to two bytes
shorter. This allows the library to support all hash and signature sizes
that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
* Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter
than 256 bits limits the security of generated material to 128 bits.
API Changes
* Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for
a feature that is not supported by underlying alternative
implementations implementing cryptographic primitives. This is useful for
hardware accelerators that don't implement all options or features.
New deprecations
* All module specific errors following the form
MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not
supported are deprecated and are now replaced by the new equivalent
platform error.
* All module specific generic hardware acceleration errors following the
form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED that are deprecated and are replaced
by the equivalent plaform error.
* Deprecate the function mbedtls_mpi_is_prime() in favor of
mbedtls_mpi_is_prime_ext() which allows specifying the number of
Miller-Rabin rounds.
Bugfix
* Fix wrong order of freeing in programs/ssl/ssl_server2 example
application leading to a memory leak in case both
MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set.
Fixes #2069.
* Fix a bug in the update function for SSL ticket keys which previously
invalidated keys of a lifetime of less than a 1s. Fixes #1968.
* Fix failure in hmac_drbg in the benchmark sample application, when
MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
* Fix a bug in the record decryption routine ssl_decrypt_buf()
which lead to accepting properly authenticated but improperly
padded records in case of CBC ciphersuites using Encrypt-then-MAC.
* Fix memory leak and freeing without initialization in the example
program programs/x509/cert_write. Fixes #1422.
* Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is
MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091.
* Zeroize memory used for buffering or reassembling handshake messages
after use.
* Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization
of sensitive data in the example programs aescrypt2 and crypt_and_hash.
* Change the default string format used for various X.509 DN attributes to
UTF8String. Previously, the use of the PrintableString format led to
wildcards and non-ASCII characters being unusable in some DN attributes.
Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by
Thomas-Dee.
* Fix compilation failure for configurations which use compile time
replacements of standard calloc/free functions through the macros
MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO.
Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
Changes
* Removed support for Yotta as a build tool.
* Add tests for session resumption in DTLS.
* Close a test gap in (D)TLS between the client side and the server side:
test the handling of large packets and small packets on the client side
in the same way as on the server side.
* Change the dtls_client and dtls_server samples to work by default over
IPv6 and optionally by a build option over IPv4.
* Change the use of Windows threading to use Microsoft Visual C++ runtime
calls, rather than Win32 API calls directly. This is necessary to avoid
conflict with C runtime usage. Found and fixed by irwir.
* Remember the string format of X.509 DN attributes when replicating
X.509 DNs. Previously, DN attributes were always written in their default
string format (mostly PrintableString), which could lead to CRTs being
created which used PrintableStrings in the issuer field even though the
signing CA used UTF8Strings in its subject field; while X.509 compliant,
such CRTs were rejected in some applications, e.g. some versions of
Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by
Thomas-Dee.
* Improve documentation of mbedtls_ssl_get_verify_result().
Fixes #517 reported by github-monoculture.
* Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and
use it to reduce error probability in RSA key generation to levels mandated
by FIPS-186-4.
- Version 2.13.1
API Changes
* Extend the platform module with an abstraction mbedtls_platform_gmtime_r()
whose implementation should behave as a thread-safe version of gmtime().
This allows users to configure such an implementation at compile time when
the target system cannot be deduced automatically, by setting the option
MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to
automatically select implementations for Windows and POSIX C libraries.
Bugfix
* Fix build failures on platforms where only gmtime() is available but
neither gmtime_r() nor gmtime_s() are present. Fixes #1907.
- Version 2.13.0
Security
* Fix an issue in the X.509 module which could lead to a buffer overread
during certificate extensions parsing. In case of receiving malformed
input (extensions length field equal to 0), an illegal read of one byte
beyond the input buffer is made. Found and analyzed by Nathan Crandall.
Features
* Add support for fragmentation of outgoing DTLS handshake messages. This
is controlled by the maximum fragment length as set locally or negotiated
with the peer, as well as by a new per-connection MTU option, set using
mbedtls_ssl_set_mtu().
* Add support for auto-adjustment of MTU to a safe value during the
handshake when flights do not get through (RFC 6347, section 4.1.1.1,
last paragraph).
* Add support for packing multiple records within a single datagram,
enabled by default.
* Add support for buffering out-of-order handshake messages in DTLS.
The maximum amount of RAM used for this can be controlled by the
compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined
in mbedtls/config.h.
API Changes
* Add function mbedtls_ssl_set_datagram_packing() to configure
the use of datagram packing (enabled by default).
Bugfix
* Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation
failure in the function could lead to other buffers being leaked.
* Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if
MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined. #1890
* Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails.
Fix contributed by Espressif Systems.
* Add ecc extensions only if an ecc based ciphersuite is used.
This improves compliance to RFC 4492, and as a result, solves
interoperability issues with BouncyCastle. Raised by milenamil in #1157.
* Replace printf with mbedtls_printf in the ARIA module. Found by
TrinityTonic in #1908.
* Fix potential use-after-free in mbedtls_ssl_get_max_frag_len()
and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.
* Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake
with TLS versions 1.1 and earlier when the server requested authentication
without providing a list of CAs. This was due to an overly strict bounds
check in parsing the CertificateRequest message,
introduced in Mbed TLS 2.12.0. Fixes #1954.
* Fix a miscalculation of the maximum record expansion in
mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites,
or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913, #1914.
* Fix undefined shifts with negative values in certificates parsing
(found by Catena cyber using oss-fuzz)
* Fix memory leak and free without initialization in pk_encrypt
and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.
* Remove redundant else statement. Raised by irwir. Fixes #1776.
Changes
* Copy headers preserving timestamps when doing a "make install".
Contributed by xueruini.
* Allow the forward declaration of public structs. Contributed by Dawid
Drozd. Fixes #1215 raised by randombit.
* Improve compatibility with some alternative CCM implementations by using
CCM test vectors from RAM.
* Add support for buffering of out-of-order handshake messages.
* Add warnings to the documentation of the HKDF module to reduce the risk
of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand()
functions. Fixes #1775. Reported by Brian J. Murray.
-------------------------------------------------------------------
Thu Aug 23 07:22:18 UTC 2018 - mpluskal@suse.com

6
mbedtls.spec
View File

@ -12,15 +12,15 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define lib_tls libmbedtls11
%define lib_tls libmbedtls12
%define lib_crypto libmbedcrypto3
%define lib_x509 libmbedx509-0
Name: mbedtls
Version: 2.12.0
Version: 2.14.1
Release: 0
Summary: Libraries for crypto and SSL/TLS protocols
License: Apache-2.0