Accepting request 293450 from devel:libraries:c_c++

Polarssl replacement OBS-URL: https://build.opensuse.org/request/show/293450 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=1
2015-03-30 17:33:01 +00:00 · 2015-03-30 17:33:01 +00:00 · a811e8daf5
commit a811e8daf5
5 changed files with 299 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/mbedtls-1.3.10-gpl.tgz
+++ b/mbedtls-1.3.10-gpl.tgz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:746fd88e0c6623691fc56c4eed52e40a57b2da0ac80f6dd8995094aa6adb407e
+size 1709888
--- a/mbedtls.changes
+++ b/mbedtls.changes
@ -0,0 +1,178 @@
+-------------------------------------------------------------------
+Fri Mar 27 16:59:55 UTC 2015 - mpluskal@suse.com
+
+- Update package categories
+
+-------------------------------------------------------------------
+Wed Mar 18 18:56:26 UTC 2015 - mpluskal@suse.com
+
+- Create symlink to ensure compatibility with polarssl
+
+-------------------------------------------------------------------
+Mon Mar 16 12:54:22 UTC 2015 - mpluskal@suse.com
+
+- Update provides/obsoletes
+
+-------------------------------------------------------------------
+Sun Mar 15 21:23:17 UTC 2015 - mpluskal@suse.com
+
+- Fix sed for includes
+
+-------------------------------------------------------------------
+Sun Mar 15 11:44:53 UTC 2015 - mpluskal@suse.com
+
+- Rename to mbedtls
+- Use cmake macro for building
+- Update to 1.3.10
+   * NULL pointer dereference in the buffer-based allocator when the buffer is
+     full and polarssl_free() is called (found by Mark Hasemeyer)
+     (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
+     not by default).
+   * Fix remotely-triggerable uninitialised pointer dereference caused by
+     crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
+     client certificate) (found using Codenomicon Defensics).
+   * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
+     (TLS server is not affected if it doesn't ask for a client certificate)
+     (found using Codenomicon Defensics).
+   * Fix potential stack overflow while parsing crafted X.509 certificates
+     (TLS server is not affected if it doesn't ask for a client certificate)
+     (found using Codenomicon Defensics).
+   * Fix timing difference that could theoretically lead to a
+     Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
+     (reported by Sebastian Schinzel).
+   * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
+   * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
+   * Add support for Encrypt-then-MAC (RFC 7366).
+   * Add function pk_check_pair() to test if public and private keys match.
+   * Add x509_crl_parse_der().
+   * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
+     length of an X.509 verification chain.
+   * Support for renegotiation can now be disabled at compile-time
+   * Support for 1/n-1 record splitting, a countermeasure against BEAST.
+   * Certificate selection based on signature hash, prefering SHA-1 over SHA-2
+     for pre-1.2 clients when multiple certificates are available.
+   * Add support for getrandom() syscall on recent Linux kernels with Glibc or
+     a compatible enough libc (eg uClibc).
+   * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
+     while using the default ciphersuite list.
+   * Added new error codes and debug messages about selection of
+     ciphersuite/certificate.
+
+-------------------------------------------------------------------
+Tue Jan 20 19:33:12 UTC 2015 - fisiu@opensuse.org
+
+- Add polarssl-CVE-2015-1182.patch: Remote attack using crafted certificates:
+  fix boo#913903, CVE-2015-1182.
+
+-------------------------------------------------------------------
+Mon Nov  3 12:25:24 UTC 2014 - fisiu@opensuse.org
+
+- Update to 1.3.9, detailed changes available in ChangeLog file:
+  * Lowest common hash was selected from signature_algorithms extension in
+    TLS 1.2: fix boo#903672, CVE-2014-8627.
+  * Remotely-triggerable memory leak when parsing some X.509 certificates,
+    CVE-2014-8628.
+  * Remotely-triggerable memory leak when parsing crafted ClientHello,
+    CVE-2014-8628.
+  * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x.
+  * Ciphersuites using RSA-PSK key exchange now require TLS 1.x.
+  * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits RSA 
+    keys.
+  * X.509 certificates with more than one AttributeTypeAndValue per 
+    RelativeDistinguishedName are not accepted any more.
+- Build with POLARSSL_THREADING_PTHREAD: fix boo#903671.
+
+-------------------------------------------------------------------
+Fri Aug 15 17:17:05 UTC 2014 - fisiu@opensuse.org
+
+- Update to 1.3.8, detailed changes available in ChangeLog file:
+  * Fix length checking for AEAD ciphersuites (found by Codenomicon).
+    It was possible to crash the server (and client) using crafted messages
+    when a GCM suite was chosen.
+  * Add CCM module and cipher mode to Cipher Layer
+  * Support for CCM and CCM_8 ciphersuites
+  * Support for parsing and verifying RSASSA-PSS signatures in the X.509
+    modules (certificates, CRLs and CSRs).
+  * Blowfish in the cipher layer now supports variable length keys.
+  * Add example config.h for PSK with CCM, optimized for low RAM usage.
+  * Optimize for RAM usage in example config.h for NSA Suite B profile.
+  * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
+    from the default list (inactive by default).
+  * Add server-side enforcement of sent renegotiation requests
+    (ssl_set_renegotiation_enforced())
+  * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
+    ciphersuites to use and save some memory if the list is small.
+
+-------------------------------------------------------------------
+Sat Mar 29 14:01:16 UTC 2014 - fisiu@opensuse.org
+
+- Update to 1.3.5, detailed changes available in ChangeLog file:
+  * Elliptic Curve Cryptography module added
+  * Elliptic Curve Diffie Hellman module added
+  * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
+    (ECDHE-based ciphersuites)
+  * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
+    (ECDSA-based ciphersuites)
+  * Ability to specify allowed ciphersuites based on the protocol version.
+  * PSK and DHE-PSK based ciphersuites added
+  * Memory allocation abstraction layer added
+  * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
+  * Threading abstraction layer added (dummy / pthread / alternate)
+  * Public Key abstraction layer added
+  * Parsing Elliptic Curve keys
+  * Parsing Elliptic Curve certificates
+  * Support for max_fragment_length extension (RFC 6066)
+  * Support for truncated_hmac extension (RFC 6066)
+  * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
+    (ISO/IEC 7816-4) padding and zero padding in the cipher layer
+  * Support for session tickets (RFC 5077)
+  * Certificate Request (CSR) generation with extensions (key_usage,
+    ns_cert_type)
+  * X509 Certificate writing with extensions (basic_constraints,
+    issuer_key_identifier, etc)
+  * Optional blinding for RSA, DHM and EC
+  * Support for multiple active certificate / key pairs in SSL servers for
+    the same host (Not to be confused with SNI!)
+
+-------------------------------------------------------------------
+Wed May 15 12:21:45 UTC 2013 - fisiu@opensuse.org
+
+- Update to 1.2.7:
+  * Ability to specify allowed ciphersuites based on the protocol
+    version.
+  * Default Blowfish keysize is now 128-bits
+  * Test suites made smaller to accommodate Raspberry Pi
+  * Fix for MPI assembly for ARM
+  * GCM adapted to support sizes > 2^29
+
+-------------------------------------------------------------------
+Sat Mar 16 16:03:03 UTC 2013 - fisiu@opensuse.org
+
+- Update to 1.2.6:
+  * Fixed memory leak in ssl_free() and ssl_reset()
+  * Corrected GCM counter incrementation to use only 32-bits
+    instead of 128-bits
+  * Fixed net_bind() for specified IP addresses on little endian
+    systems
+  * Fixed assembly code for ARM (Thumb and regular)
+  * Detailed information available in ChangeLog file.
+
+-------------------------------------------------------------------
+Fri Mar  8 13:38:43 UTC 2013 - fisiu@opensuse.org
+
+- Update to 1.2.5
+
+-------------------------------------------------------------------
+Sun Jan 29 14:29:51 UTC 2012 - jengelh@medozas.de
+
+- Remove redundant tags/sections per specfile guideline suggestions
+
+-------------------------------------------------------------------
+Sat Jun 11 04:46:46 UTC 2011 - crrodriguez@opensuse.org
+
+- Update to version 0.99.5
+
+-------------------------------------------------------------------
+Sun Apr 10 19:21:16 UTC 2011 - crrodriguez@opensuse.org
+
+- Initial version
--- a/mbedtls.spec
+++ b/mbedtls.spec
@ -0,0 +1,94 @@
+#
+# spec file for package mbedtls
+#
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+
+%define lib_name lib%{name}8
+Name:           mbedtls
+Version:        1.3.10
+Release:        0
+Summary:        Open Source embedded SSL/TLS cryptographic library
+License:        GPL-2.0+
+Group:          Development/Libraries/C and C++
+Url:            https://tls.mbed.org
+Source:         https://tls.mbed.org/download/%{name}-%{version}-gpl.tgz
+BuildRequires:  cmake
+BuildRequires:  pkg-config
+BuildRequires:  zlib-devel
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+
+%description
+A portable, easy to use, readable and flexible SSL library.
+
+%package -n %{lib_name}
+Summary:        Open Source embedded SSL/TLS cryptographic library
+Group:          System/Libraries
+
+%description -n %{lib_name}
+A portable, easy to use, readable and flexible SSL library.
+
+%package devel
+Summary:        Open Source embedded SSL/TLS cryptographic library
+Group:          Development/Libraries/C and C++
+Requires:       %{lib_name} = %{version}
+Provides:       libpolarssl-devel = %{version}
+Obsoletes:      libpolarssl-devel < %{version}
+Provides:       polarssl-devel = %{version}
+Obsoletes:      polarssl-devel < %{version}
+
+%description devel
+A portable, easy to use, readable and flexible SSL library.
+
+%prep
+%setup -q
+sed -i 's|//\(#define POLARSSL_THREADING_C\)|\1|' include/polarssl/config.h
+sed -i 's|//\(#define POLARSSL_THREADING_PTHREAD\)|\1|' include/polarssl/config.h
+
+%build
+%cmake \
+    -DUSE_SHARED_MBEDTLS_LIBRARY=ON \
+    -DUSE_STATIC_MBEDTLS_LIBRARY=OFF \
+    -DENABLE_ZLIB_SUPPORT=ON \
+    -DENABLE_PROGRAMS=OFF
+
+make VERBOSE=1 %{?_smp_mflags}
+
+%install
+%cmake_install
+# create compatibility symlink
+ln -s %{_libdir}/libmbedtls.so %{buildroot}%{_libdir}/libpolarssl.so
+
+%check
+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{_builddir}/%{name}-%{version}/build/library
+make -C build test %{?_smp_mflags}
+
+%post -n %{lib_name} -p /sbin/ldconfig
+
+%postun -n %{lib_name}  -p /sbin/ldconfig
+
+%files devel
+%defattr(-,root,root)
+%dir %{_includedir}/polarssl
+%{_includedir}/polarssl/*.h
+%{_libdir}/libmbedtls.so
+%{_libdir}/libpolarssl.so
+
+%files -n %{lib_name}
+%defattr(-,root,root)
+%doc ChangeLog README.rst LICENSE
+%{_libdir}/libmbedtls.so.*
+
+%changelog