From a811e8daf52ae08c56a7816a576f22f5de36e4b66b7965f8ed37b23c6ebb4dee Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Mon, 30 Mar 2015 17:33:01 +0000 Subject: [PATCH] Accepting request 293450 from devel:libraries:c_c++ Polarssl replacement OBS-URL: https://build.opensuse.org/request/show/293450 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=1 --- .gitattributes | 23 ++++++ .gitignore | 1 + mbedtls-1.3.10-gpl.tgz | 3 + mbedtls.changes | 178 +++++++++++++++++++++++++++++++++++++++++ mbedtls.spec | 94 ++++++++++++++++++++++ 5 files changed, 299 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 mbedtls-1.3.10-gpl.tgz create mode 100644 mbedtls.changes create mode 100644 mbedtls.spec diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/mbedtls-1.3.10-gpl.tgz b/mbedtls-1.3.10-gpl.tgz new file mode 100644 index 0000000..1ea4d14 --- /dev/null +++ b/mbedtls-1.3.10-gpl.tgz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:746fd88e0c6623691fc56c4eed52e40a57b2da0ac80f6dd8995094aa6adb407e +size 1709888 diff --git a/mbedtls.changes b/mbedtls.changes new file mode 100644 index 0000000..a3b4ca3 --- /dev/null +++ b/mbedtls.changes @@ -0,0 +1,178 @@ +------------------------------------------------------------------- +Fri Mar 27 16:59:55 UTC 2015 - mpluskal@suse.com + +- Update package categories + +------------------------------------------------------------------- +Wed Mar 18 18:56:26 UTC 2015 - mpluskal@suse.com + +- Create symlink to ensure compatibility with polarssl + +------------------------------------------------------------------- +Mon Mar 16 12:54:22 UTC 2015 - mpluskal@suse.com + +- Update provides/obsoletes + +------------------------------------------------------------------- +Sun Mar 15 21:23:17 UTC 2015 - mpluskal@suse.com + +- Fix sed for includes + +------------------------------------------------------------------- +Sun Mar 15 11:44:53 UTC 2015 - mpluskal@suse.com + +- Rename to mbedtls +- Use cmake macro for building +- Update to 1.3.10 + * NULL pointer dereference in the buffer-based allocator when the buffer is + full and polarssl_free() is called (found by Mark Hasemeyer) + (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is + not by default). + * Fix remotely-triggerable uninitialised pointer dereference caused by + crafted X.509 certificate (TLS server is not affected if it doesn't ask for a + client certificate) (found using Codenomicon Defensics). + * Fix remotely-triggerable memory leak caused by crafted X.509 certificates + (TLS server is not affected if it doesn't ask for a client certificate) + (found using Codenomicon Defensics). + * Fix potential stack overflow while parsing crafted X.509 certificates + (TLS server is not affected if it doesn't ask for a client certificate) + (found using Codenomicon Defensics). + * Fix timing difference that could theoretically lead to a + Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges + (reported by Sebastian Schinzel). + * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). + * Add support for Extended Master Secret (draft-ietf-tls-session-hash). + * Add support for Encrypt-then-MAC (RFC 7366). + * Add function pk_check_pair() to test if public and private keys match. + * Add x509_crl_parse_der(). + * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the + length of an X.509 verification chain. + * Support for renegotiation can now be disabled at compile-time + * Support for 1/n-1 record splitting, a countermeasure against BEAST. + * Certificate selection based on signature hash, prefering SHA-1 over SHA-2 + for pre-1.2 clients when multiple certificates are available. + * Add support for getrandom() syscall on recent Linux kernels with Glibc or + a compatible enough libc (eg uClibc). + * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime + while using the default ciphersuite list. + * Added new error codes and debug messages about selection of + ciphersuite/certificate. + +------------------------------------------------------------------- +Tue Jan 20 19:33:12 UTC 2015 - fisiu@opensuse.org + +- Add polarssl-CVE-2015-1182.patch: Remote attack using crafted certificates: + fix boo#913903, CVE-2015-1182. + +------------------------------------------------------------------- +Mon Nov 3 12:25:24 UTC 2014 - fisiu@opensuse.org + +- Update to 1.3.9, detailed changes available in ChangeLog file: + * Lowest common hash was selected from signature_algorithms extension in + TLS 1.2: fix boo#903672, CVE-2014-8627. + * Remotely-triggerable memory leak when parsing some X.509 certificates, + CVE-2014-8628. + * Remotely-triggerable memory leak when parsing crafted ClientHello, + CVE-2014-8628. + * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x. + * Ciphersuites using RSA-PSK key exchange now require TLS 1.x. + * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits RSA + keys. + * X.509 certificates with more than one AttributeTypeAndValue per + RelativeDistinguishedName are not accepted any more. +- Build with POLARSSL_THREADING_PTHREAD: fix boo#903671. + +------------------------------------------------------------------- +Fri Aug 15 17:17:05 UTC 2014 - fisiu@opensuse.org + +- Update to 1.3.8, detailed changes available in ChangeLog file: + * Fix length checking for AEAD ciphersuites (found by Codenomicon). + It was possible to crash the server (and client) using crafted messages + when a GCM suite was chosen. + * Add CCM module and cipher mode to Cipher Layer + * Support for CCM and CCM_8 ciphersuites + * Support for parsing and verifying RSASSA-PSS signatures in the X.509 + modules (certificates, CRLs and CSRs). + * Blowfish in the cipher layer now supports variable length keys. + * Add example config.h for PSK with CCM, optimized for low RAM usage. + * Optimize for RAM usage in example config.h for NSA Suite B profile. + * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites + from the default list (inactive by default). + * Add server-side enforcement of sent renegotiation requests + (ssl_set_renegotiation_enforced()) + * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of + ciphersuites to use and save some memory if the list is small. + +------------------------------------------------------------------- +Sat Mar 29 14:01:16 UTC 2014 - fisiu@opensuse.org + +- Update to 1.3.5, detailed changes available in ChangeLog file: + * Elliptic Curve Cryptography module added + * Elliptic Curve Diffie Hellman module added + * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS + (ECDHE-based ciphersuites) + * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS + (ECDSA-based ciphersuites) + * Ability to specify allowed ciphersuites based on the protocol version. + * PSK and DHE-PSK based ciphersuites added + * Memory allocation abstraction layer added + * Buffer-based memory allocator added (no malloc() / free() / HEAP usage) + * Threading abstraction layer added (dummy / pthread / alternate) + * Public Key abstraction layer added + * Parsing Elliptic Curve keys + * Parsing Elliptic Curve certificates + * Support for max_fragment_length extension (RFC 6066) + * Support for truncated_hmac extension (RFC 6066) + * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros + (ISO/IEC 7816-4) padding and zero padding in the cipher layer + * Support for session tickets (RFC 5077) + * Certificate Request (CSR) generation with extensions (key_usage, + ns_cert_type) + * X509 Certificate writing with extensions (basic_constraints, + issuer_key_identifier, etc) + * Optional blinding for RSA, DHM and EC + * Support for multiple active certificate / key pairs in SSL servers for + the same host (Not to be confused with SNI!) + +------------------------------------------------------------------- +Wed May 15 12:21:45 UTC 2013 - fisiu@opensuse.org + +- Update to 1.2.7: + * Ability to specify allowed ciphersuites based on the protocol + version. + * Default Blowfish keysize is now 128-bits + * Test suites made smaller to accommodate Raspberry Pi + * Fix for MPI assembly for ARM + * GCM adapted to support sizes > 2^29 + +------------------------------------------------------------------- +Sat Mar 16 16:03:03 UTC 2013 - fisiu@opensuse.org + +- Update to 1.2.6: + * Fixed memory leak in ssl_free() and ssl_reset() + * Corrected GCM counter incrementation to use only 32-bits + instead of 128-bits + * Fixed net_bind() for specified IP addresses on little endian + systems + * Fixed assembly code for ARM (Thumb and regular) + * Detailed information available in ChangeLog file. + +------------------------------------------------------------------- +Fri Mar 8 13:38:43 UTC 2013 - fisiu@opensuse.org + +- Update to 1.2.5 + +------------------------------------------------------------------- +Sun Jan 29 14:29:51 UTC 2012 - jengelh@medozas.de + +- Remove redundant tags/sections per specfile guideline suggestions + +------------------------------------------------------------------- +Sat Jun 11 04:46:46 UTC 2011 - crrodriguez@opensuse.org + +- Update to version 0.99.5 + +------------------------------------------------------------------- +Sun Apr 10 19:21:16 UTC 2011 - crrodriguez@opensuse.org + +- Initial version diff --git a/mbedtls.spec b/mbedtls.spec new file mode 100644 index 0000000..eeaa2b8 --- /dev/null +++ b/mbedtls.spec @@ -0,0 +1,94 @@ +# +# spec file for package mbedtls +# +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + + +%define lib_name lib%{name}8 +Name: mbedtls +Version: 1.3.10 +Release: 0 +Summary: Open Source embedded SSL/TLS cryptographic library +License: GPL-2.0+ +Group: Development/Libraries/C and C++ +Url: https://tls.mbed.org +Source: https://tls.mbed.org/download/%{name}-%{version}-gpl.tgz +BuildRequires: cmake +BuildRequires: pkg-config +BuildRequires: zlib-devel +BuildRoot: %{_tmppath}/%{name}-%{version}-build + +%description +A portable, easy to use, readable and flexible SSL library. + +%package -n %{lib_name} +Summary: Open Source embedded SSL/TLS cryptographic library +Group: System/Libraries + +%description -n %{lib_name} +A portable, easy to use, readable and flexible SSL library. + +%package devel +Summary: Open Source embedded SSL/TLS cryptographic library +Group: Development/Libraries/C and C++ +Requires: %{lib_name} = %{version} +Provides: libpolarssl-devel = %{version} +Obsoletes: libpolarssl-devel < %{version} +Provides: polarssl-devel = %{version} +Obsoletes: polarssl-devel < %{version} + +%description devel +A portable, easy to use, readable and flexible SSL library. + +%prep +%setup -q +sed -i 's|//\(#define POLARSSL_THREADING_C\)|\1|' include/polarssl/config.h +sed -i 's|//\(#define POLARSSL_THREADING_PTHREAD\)|\1|' include/polarssl/config.h + +%build +%cmake \ + -DUSE_SHARED_MBEDTLS_LIBRARY=ON \ + -DUSE_STATIC_MBEDTLS_LIBRARY=OFF \ + -DENABLE_ZLIB_SUPPORT=ON \ + -DENABLE_PROGRAMS=OFF + +make VERBOSE=1 %{?_smp_mflags} + +%install +%cmake_install +# create compatibility symlink +ln -s %{_libdir}/libmbedtls.so %{buildroot}%{_libdir}/libpolarssl.so + +%check +export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{_builddir}/%{name}-%{version}/build/library +make -C build test %{?_smp_mflags} + +%post -n %{lib_name} -p /sbin/ldconfig + +%postun -n %{lib_name} -p /sbin/ldconfig + +%files devel +%defattr(-,root,root) +%dir %{_includedir}/polarssl +%{_includedir}/polarssl/*.h +%{_libdir}/libmbedtls.so +%{_libdir}/libpolarssl.so + +%files -n %{lib_name} +%defattr(-,root,root) +%doc ChangeLog README.rst LICENSE +%{_libdir}/libmbedtls.so.* + +%changelog