Accepting request 1289615 from security:tls

- Enable SRTP protocol needed by some software.
  * Add patch mbedtls-enable-srtp.patch (forwarded request 1289614 from lmulling)

OBS-URL: https://build.opensuse.org/request/show/1289615
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=48

_service

@@ -1,11 +1,11 @@
 <services>
   <service name="obs_scm" mode="manual">
-    <param name="versionformat">3.6.1</param>
     <param name="url">https://github.com/Mbed-TLS/mbedtls.git</param>
     <param name="scm">git</param>
+    <param name="versionformat">@PARENT_TAG@</param>
+    <param name="revision">refs/tags/v3.6.4</param>
+    <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>
-    <param name="exclude">.*</param>
-    <param name="revision">refs/tags/v3.6.1</param>
   </service>
   <service name="tar" mode="buildtime"/>
   <service name="recompress" mode="buildtime">

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/Mbed-TLS/mbedtls.git</param>
-              <param name="changesrevision">71c569d44bf3a8bd53d874c81ee8ac644dd6e9e3</param></service></servicedata>
+              <param name="changesrevision">c765c831e5c2a0971410692f92f7a81d6ec65ec2</param></service></servicedata>

mbedtls-3.6.1.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7a8c0377c4550810ca5dd168844533899606965ca614c5a63b484eac3557d0c4
-size 45245453

mbedtls-3.6.4.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c3a49794f7649f6e32c58e0fb7c4c3993367c7d10ec4ec7974970dafb07d515d
+size 46485517

mbedtls-enable-srtp.patch

@@ -0,0 +1,11 @@
+--- mbedtls-3.6.2.orig/include/mbedtls/mbedtls_config.h	2025-05-06 19:21:15.440302375 +0300
++++ mbedtls-3.6.2/include/mbedtls/mbedtls_config.h	2025-05-06 19:22:15.156469574 +0300
+@@ -2024,7 +2024,7 @@
+  *
+  * Uncomment this to enable support for use_srtp extension.
+  */
+-//#define MBEDTLS_SSL_DTLS_SRTP
++#define MBEDTLS_SSL_DTLS_SRTP
+ 
+ /**
+  * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE

mbedtls.changes

@@ -1,3 +1,850 @@
+-------------------------------------------------------------------
+Tue Jul 01 14:39:38 UTC 2025 - Jaime Marquínez Ferrándiz <jaime.marquinez.ferrandiz@fastmail.net>
+
+- Update to version 3.6.4:
+  * Added generated files
+  * Version bump 3.6.4
+  * Assemble ChangeLog
+  * Properly initialize SSL endpoint objects
+  * Fix accidentally skipped test assertion
+  * Update framework pointer (release-sync)
+  * fix: additional MSVC v142 build issue with tls1.3 configuration enabled.
+  * Remove blank line
+  * Simplify changelog
+  * Add a note about processor memory reordering
+  * Add changelog
+  * Replace __attribute__((nonstring)) with macro MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
+  * Improve some explanations
+  * Don't mutate dst_size
+  * Add __attribute__ ((nonstring)) to remove unterminated-string-initialization warning
+  * Note that GCM is also impacted
+  * Adjust test case with invalid base64
+  * Fix race condition in mbedtls_aesni_has_support
+  * mbedtls_base64_decode: test dst=NULL with dlen>0
+  * Explain some aspects of the tests
+  * mbedtls_base64_decode: insist on correct padding
+  * Added CVE's to ChangeLogs
+  * lms.c: Updated documentation
+  * test_suite_lms.data: Updated comments
+  * Fix mbedtls_base64_decode() accepting invalid inputs with 4n+1 digits
+  * mbedtls_base64_decode: assert sloppy behavior with bad number of =
+  * mbedtls_base64_decode: test the reported output length
+  * test_suite_lms: Added negative test for corrupted Merkle path
+  * test_suite_lms: Added a test for importing invalid sized key
+  * Added changelog for check return of merkle leaf
+  * Added changelog for lms enum casting
+  * Added changelog for lms overread
+  * Fix change log entry
+  * Fix build test programs in MSVC (due to a warning treated as error in winbase.h)
+  * Built-in lms driver: always zeroize output-buffer in create_merkle_leaf_value
+  * Built-in lms driver:Check return values of Merkle node creation
+  * Built-in lms/lmots driver: Harden public key import against enum truncation
+  * Built-in lms driver: Added input guard
+  * Add changelog
+  * Add fix for PEM underflow
+  * Add test using underflow-causing PEM keyfile
+  * Update framework with additional operation initialization checks
+  * Fix possible UB in mbedtls_asn1_write_raw_buffer()
+  * Fix psa_pake_operation_s member types
+  * Move PAKE size calculation macros, cipher suite and operation structs
+  * Add change log
+  * Move the inclusion of crypto_sizes.h and crypto_struct.h in crypto.h
+  * Add ChangeLog entry
+  * Improve unit tests for mbedtls_asn1_store_named_data
+  * Fix bug in mbedtls_asn1_store_named_data()
+  * Add tests for bug in mbedtls_x509_string_to_names()
+  * Restore standard initializers in _init tests
+  * Use short initializers for multipart operation structures
+  * Avoid a useless copy in cert_{req,write}
+  * Mark ssl_tls12_preset_suiteb_sig_algs const
+  * Mark ssl_tls12_preset_default_sig_algs const
+  * Fix type in ChangeLog
+  * Add comment on apparent type mismatch
+  * Remove redundant free loop
+  * Fix ECDSA documentation: blinding is no longer optional
+  * ECDSA is a special flower
+  * Note functions that store the RNG callback in a context
+  * Reference mbedtls_f_rng_t in public documentation
+  * Name and document the type of random generator callbacks
+  * Add credit to the reporters of the PKCS7 issue
+  * Grammar in comments
+  * Remove .gitmodules
+  * Changelog entry for the union initialization fixes
+  * Test with GCC 15 with sloppy union initialization
+  * Initialize MAC context in internal functions for one-shot MAC
+  * Initialize MAC context in internal functions for KDF
+  * Initialize driver context in setup functions
+  * Add unit test for new behaviour of string_to_names()
+  * Fix memory leak in cert_write & cert_req
+  * Fix runtime error in cert_write & cert_req
+  * Restore behaviour of mbedtls_x509write_set_foo_name()
+  * Fix undocumented free() in x509_string_to_names()
+  * Improve comments
+  * Update framework
+  * Allow gcc-15 to be in $PATH
+  * Enable drivers when testing with GCC 15
+  * GCC 15: Silence -Wunterminated-string-initialization
+  * Test with GCC 15
+  * Disable warning from gcc -pedantic on dlsym/dlopen
+  * Move persistent key tests to a separate .data file
+  * Move concurrent tests to a separate .data file
+  * Update obsolete section title
+  * Complain about a missing comma in multiline lists of strings
+  * Prepare framework for pylint check-str-concat-over-line-jumps
+  * framework: update reference
+  * Constify cipher_wrap:mbedtls_cipher_base_lookup_table
+  * Fix some test helper functions returning 0 on some failures
+  * Check the status of mbedtls_ssl_set_hostname()
+  * Add missing ifdef for mbedtls_ssl_tls13_exporter
+  * Add label_len argument to non-PSA tls_prf_generic
+  * Fix dependencies for TLS-Exporter tests
+  * Fix doxygen for MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+  * Fix mistake in previous comment change
+  * Fix HkdfLabel comment
+  * Allow maximum label length in Hkdf-Expand-Label
+  * Exporter: Add min. and max. label tests
+  * Fix max. label length in key material exporter
+  * Document BAD_INPUT_DATA error in key material exporter
+  * Fix requirements for TLS 1.3 Exporter compat test
+  * Use mbedtls_calloc, not regular calloc
+  * Add fixed compatibility test for TLS 1.3 Exporter
+  * Remove exporter compatibility test for TLS 1.3
+  * Fix openssl s_client invocation
+  * Print names of new tests properly
+  * Fix memory leak in example programs
+  * ssl-opt.sh: Add tests for keying material export
+  * mbedtls_test_ssl_do_handshake_with_endpoints: Zeroize endpoints
+  * Exporter tests: Don't use unavailbable constant
+  * Exporter tests: Add missing depends-ons
+  * Use one maximum key_len for all exported keys
+  * Exporter tests: Reduce key size in long key tests
+  * Exporter tests: Free endpoints before PSA_DONE()
+  * Exporter tests: Fix possible uninitialized variable use
+  * Coding style cleanup
+  * Exporter tests: Initialize allocated memory
+  * Exportert tests: Free endpoints and options
+  * Fix output size check for key material exporter
+  * Increase allowed output size of HKDF-Expand-Label
+  * Add more tests for keying material export
+  * Mention MBEDTLS_SSL_KEYING_MATERIAL_EXPORT in change log
+  * Fix #endif comment
+  * Enable MBEDTLS_SSL_KEYING_MATERIAL_EXPORT by default
+  * Create MBEDTLS_SSL_KEYING_MATERIAL_EXPORT option
+  * Remove TLS 1.2 Exporter if we don't have randbytes
+  * Revert "Store randbytes for TLS 1.2 TLS-Exporter"
+  * Fix typos in comments
+  * Use fewer magic numbers in TLS-Exporter functions
+  * Add label length argument to tls_prf_generic()
+  * Store randbytes for TLS 1.2 TLS-Exporter
+  * Fix coding style
+  * Fix build when one of TLS 1.2 or 1.3 is disabled
+  * Fix coding style
+  * Fix TLS exporter changelog entry
+  * Fix doxygen comment parameter name
+  * Fix typos in comment
+  * Fix mismatches in function declarations
+  * Fix key_len check in TLS-Exporter
+  * Actually set exporter defaults in ssl_client2
+  * Simplify mbedtls_ssl_tls13_exporter
+  * Add test for TLS-Exporter in TLS 1.3
+  * Fix commented out function declaration
+  * Add changelog entry for TLS-Exporter feature
+  * Add TLS-Exporter options to ssl_client2
+  * Add TLS-Exporter options to ssl_server2
+  * Implement TLS-Exporter feature
+  * programs: demo: do not source project_detection.sh directly
+  * Fix record insertion
+  * programs: demo: source project_detection.sh
+  * framework: update reference
+  * Update feature macro for 3.6
+  * Use HANDSHAKE_OVER in nominal test cases
+  * Improve comments
+  * Adapt dependencies to the 3.6 branch
+  * Use same dependencies for helper functions
+  * Tighten dependencies again
+  * Improve dependency declarations
+  * Tighten dependency declarations
+  * Improve documentation
+  * Remove redundant setup
+  * Fix copypasta
+  * Simulate closing the connection mid-message
+  * Also test inserting non-empty, non-handshake records
+  * Fix the build without MBEDTLS_DEBUG_C
+  * Fix the build in PSK-only configurations
+  * Fix printf of enum
+  * Pacify ancient clang -Wmissing-initializer
+  * Test split, coalesced-split and empty handshake records
+  * Create handshake record coalescing tests
+  * Document gotcha of move_handshake_to_state
+  * Add a log message on every SSL state transition
+  * Always call mbedtls_ssl_handshake_set_state
+  * Document assumption of mbedtls_get_pkcs_padding
+  * Modify ChangeLog entry to full plaintext recovery
+  * Add testcase for maximum padding length
+  * Remove unnecessary TEST_CF_PUBLIC macro call
+  * Update to the new name in usages as well
+  * Add missing credit for set_hostname issue
+  * cmake: Generate test_keys.h and test_certs.h in the build tree
+  * Update framework pointer
+  * Revert "Add auto-generated files"
+  * Restored framework as a submodule
+  * Deleted flattened framework dir.
+  * Appease check-names with prefix
+  * Disable check-names for static padding function
+  * Add ChangeLog entry for PKCS#7 side channel fix
+  * Fix timing side-channel in PKCS7 padding
+  * Add constant-flow testing for PKCS7 padding
+
+-------------------------------------------------------------------
+Wed May 07 22:09:39 UTC 2025 - Yoshio Sato <vasua.ukraine@gmail.com>
+
+- Update _service file to easier obtain new sources.
+- Update to version 3.6.3:
+  * Add auto-generated files
+  * Added framework as a flattened directory
+  * Unlinked framework as a submodule.
+  * Updated BRANCHES.md
+  * Finalise ChangeLog
+  * Version Bump for 3.6.3
+  * Assemble Changelog
+  * Changelog: Added CVE.
+  * ssl-opt: Added 4 and 128 bytes tests to HS defragmentation for server initiated reneg
+  * ssl-opt: Fixed a minor typo.
+  * Reword slightly to be more tentative
+  * Re-introduce log asserts on positive cases
+  * Improve a test assertion
+  * Fix a typo
+  * Add test cases for EOF in the middle of fragments
+  * Adjust logic around log pattern
+  * Add test for length larger than 2^16
+  * Adapt "large ClientHello" tests to incremental
+  * Cleanly reject non-HS in-between HS fragments
+  * Reduce the level of logging used in tests
+  * Move new tests to their own data file
+  * Fix dependency issues
+  * New test function for large ClientHello
+  * Fix hash dependencies for TLS 1.2 tests
+  * Fix curve dependencies
+  * Add missing dependency declaration
+  * Fix dependency issues
+  * Add test with non-HS record in-between HS fragments
+  * Add test to TLS 1.3 ClientHello fragmentation
+  * Add reference tests with 1.3 ClientHello
+  * Add supported_curves/groups extension
+  * New test function inject_client_content_on_the_wire()
+  * ssl-opt: Disabled the renegotiation delay for fragmented HS renegotiation.
+  * ssl-opt: Updated documentation.
+  * ssl-opt: Added client-initiated server-rejected renegotation test.
+  * ssl-opt: Updated O_NEXT_CLI_RENEGOTIATE used by fragmented HS renegotiation with certificates.
+  * ssl-opt: Fragmented HS renegotiation, removed -legacy_renegotiation argument.
+  * ssl-opt: Fragmented HS renegotiation, removed requires_certificate_authentication dependency.
+  * ssl-opt: Fragmented HS renegotiation, removed requires_openssl_3_x dependency.
+  * ssl-opt: Fragmented HS renegotiation, adjusted test names for consistency.
+  * ssl-opt: Fragmented HS renegotiation, updated matching regex
+  * ssl-opt: Added coverage for client-initiated fragmented HS renegotiation tests.
+  * ssl-opt: Refactored fragmented HS renegotiation tests.
+  * ssl-opt: Fragmented HS renegotiation, updated documentation.
+  * ssl-opt: Removed mock-tests from HS renegotiation.
+  * sll-opt: Added refence fix for the Mock HS Defrag test using renegotitiation delay
+  * programs -> ssl_client2.c: Added option renego_delay to set record buffer depth.
+  * Added Mock Renegotiation negative test for testing.
+  * ssl-opt: Added fragmented HS tests for server-initiated renegotiation.
+  * ssl-opt: Added fragmented HS tests for client-initiated renegotiation.
+  * ssl-opt: Added fragmented HS tests for SSL_VARIABLE_BUFFER_LENGTH.
+  * Add note about MBEDTLS_PRIVATE() in 3.6
+  * Fix typos in the 3.0 migration guide
+  * mbedtls_net_send API description typo fix
+  * Use an array of strings instead of pointer smuggling
+  * Use dummy typedef instead of macro
+  * Clarify changelog
+  * Updated framework pointer.
+  * Update the location of defragmentation limitations
+  * State globally that the limitations don't apply to DTLS
+  * Clarify DTLS
+  * ClientHello may be fragmented in renegotiation
+  * Move the defragmentation documentation to mbedtls_ssl_handshake
+  * Refer to the API documentation for details
+  * Document the limitations of TLS handshake message defragmentation
+  * Add changelog entry for TLS 1.2 Finished fix
+  * More generally, what needs psa_crypto_init also needs threading
+  * PSA core: Allow enabling one volatile/builtin key
+  * Cleanly reject non-HS in-between HS fragments
+  * Replace zero by PSA_ALG_NONE in key derivation input functions
+  * Fix comments
+  * Update changelog to call out MinGW
+  * TLS1.2: Check for failures in Finished calculation
+  * Never use %zu on MinGW
+  * Remove Everest VS2010 compatibility headers
+  * Fix MSVC version guard for C99 format size specifiers
+  * Disable fatal assertions in Windows printf tests
+  * Add testcase for MBEDTLS_PRINTF_MS_TIME
+  * Test handling of format macros defined in debug.h
+  * Run test_suite_debug without MBEDTLS_SSL_TLS_C
+  * Fix a log message
+  * Note unused variables when debugging is disabled
+  * Pacify uncrustify
+  * Fix uninitialized variable
+  * Unify handshake fragment log messages
+  * Fix handshake defragmentation when the record has multiple messages
+  * Fix end check before memmove
+  * Zeroize temporary heap buffers used when deriving an ECC key
+  * Zeroize temporary heap buffers used in PSA operations
+  * Update framework
+  * Make conversion explicit to silence MSVC warning
+  * Fix dodgy printf calls
+  * Handshake defragmentation: reassemble incrementally
+  * mbedtls_ssl_prepare_handshake_record(): log offsets after decryption
+  * mbedtls_ssl_prepare_handshake_record(): refactor first fragment prep
+  * Tweak handshake fragment log message
+  * Tweak "waiting for more handshake fragments" log message
+  * Fix Doxygen markup
+  * Update framework
+  * Generate handshake defragmentation test cases: update analyze_outcomes
+  * Switch to generated handshake tests
+  * Normalize requirements in defragmentation test cases
+  * Normalize messages in defragmentation test cases
+  * Normalize whitespace in defragmentation test cases
+  * Move most TLS handshake defragmentation tests to a separate file
+  * New generated file: tests/opt-testcases/handshake-generated.sh
+  * Fix code style for key derivation input function
+  * Replace zero by PSA_ALG_NONE in key derivation test function
+  * Replace zero by PSA_ALG_NONE in key derivation testing
+  * Simplify testing psa_key_derivation_input_*() bad state
+  * Fix psa_key_derivation_input_integer() not detecting bad state
+  * framework: update reference
+  * ssl-opt: Re-introduce certificate dependency for HS negative tests.
+  * ssl-opt: Removed dependencies for HS defrag negative tests.
+  * ssl-opt: Adjusted reference hs defragmentation tests.
+  * ssl-opt: Minor typos and documentation fixes.
+  * analyze_outcomes: Temporary disabled 3 HS Degragmentation tests.
+  * ssl-opt: Updated documentation of HS-Defrag tests.
+  * ssl-opt: Removed redundant dependencies: requires_openssl_3_x
+  * ssl-opt.sh: Disabled HS Defrag Tests for TLS1.2 where len < 16
+  * ssl-opt: Replaced max_send_frag with split_send_frag
+  * ssl-opt: Added coverage for hs defragmentation TLS 1.2 tests.
+  * ChangeLog: Updated the entry for tls-hs-defragmentation
+  * ssl-opt: Updated documentation.
+  * ssl-opt: Added negative tests for handshake fragmentation.
+  * ssl-opt: Added handshake fragmentation tests for 4 byte fragments.
+  * ssl-opt: Added negative-assertion testing, (HS Fragmentation disabled)
+  * ssl-opt: Added tls 1.2 tests for HS defragmentation.
+  * ssl-opt: Dependency resolving set to use to requires_protocol_version HS deframentation tests.
+  * ssl-opt: Adjusted the wording on handshake fragmentation tests.
+  * ssl-opt: Added requires_openssl_3_x to defragmentation tests.
+  * ssl-opt: Updated the keywords to look up during handshake fragmentation tests.
+  * Add missing client certificate check in handshake defragmentation tests
+  * Test Handshake defragmentation only for TLS 1.3 only for small values
+  * Add guard to handshake defragmentation tests for client certificate
+  * Add a comment to elaborate using split_send_frag in handshake defragmentation tests
+  * Enforce client authentication in handshake fragmentation tests
+  * Remove unneeded mtu option from handshake fragmentation tests
+  * Add client authentication to handshake defragmentation tests
+  * Require openssl to support TLS 1.3 in handshake defragmentation tests
+  * Remove unnecessary string check in handshake defragmentation tests
+  * Fix typo in TLS Handshake defrafmentation tests
+  * Improve TLS handshake defragmentation tests
+  * Add TLS Hanshake defragmentation tests
+  * Document the need to call mbedtls_ssl_set_hostname
+  * Improve documentation of mbedtls_ssl_set_hostname
+  * Expand and rectify the documentation of mbedtls_ssl_context::hostname
+  * Changelog entries for requiring mbedls_ssl_set_hostname() in TLS clients
+  * Add a note about calling mbedtls_ssl_set_hostname to mbedtls_ssl_setup
+  * Run part of ssl-opt.sh in full_no_deprecated
+  * changelog: add note for MD changes
+  * crypto_extra: improve description of psa_can_do_hash()
+  * psa: move definition of psa_can_do_hash() to crypto_extra.h
+  * docs: update md-cipher-dispatch
+  * adjust_legacy_crypto: improve enablement of MBEDTLS_MD_xxx_VIA_PSA
+  * md: allow dispatch to PSA whenever CRYPTO_CLIENT is enabled
+  * adjust_legacy_crypto: move auto-enabling of CRYPTO_CLIENT when CRYPTO_C
+  * Document PSA's need for threading
+  * Update framework pointer
+  * Update documentation regarding metatest
+  * Update documentation regarding test_zeroize
+  * Update path to demo_common.sh
+  * Update path for moved test_zeroize.gdb script
+  * Update paths for moved programs in generate_visualc_files.pl
+  * Update paths for moved dlopen_demo.sh
+  * Update paths for moved program files in CMakeLists
+  * Update include paths in C files
+  * Update paths for moved program files in makefiles
+  * Remove unused variable in ssl_server.c
+  * Update the changelog message
+  * Remove obselete checks due to the introduction of handhsake defragmen...
+  * Add a note about badmac_seen's new name in ssl_context_info
+  * Fix Doxygen misuse
+  * Add MBEDTLS_FRAMEWORK_DIR variable to CMake
+  * Don't reset badmac_seen on a DTLS client reconnect
+  * Merge in_hsfraglen with badmac_seen_or_in_hsfraglen
+  * Change the type of in_hsfraglen to unsigned
+  * Rename badmac_seen to badmac_seen_or_in_hsfraglen
+  * Minor readability improvement
+  * Remove in_hshdr
+  * Add a safety check for in_hsfraglen
+  * Allow fragments less HS msg header size (4 bytes)
+  * Remove mbedtls_ssl_reset_in_out_pointers
+  * Review comments
+  * Update ChangeLog.d/tls-hs-defrag-in.txt
+  * Defragment incoming TLS handshake messages
+  * Move programs out of Mbed TLS
+  * mbedtls_ssl_set_hostname tests: add tests with CA callback
+  * Call mbedtls_ssl_set_hostname in the generic endpoint setup in unit tests
+  * Require calling mbedtls_ssl_set_hostname() for security
+  * Create configuration option to bypass the mbedtls_ssl_set_hostname check
+  * Create error code for mbedtls_ssl_set_hostname not called
+  * Keep track of whether mbedtls_ssl_set_hostname() has been called
+  * Update the documentation of ssl->hostname
+  * Access ssl->hostname through abstractions
+  * mbedtls_ssl_set_hostname tests: baseline
+  * Automate MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK dependency
+  * Make guards more consistent between X.509-has-certs and SSL-has-certs
+  * Fix Doxygen markup
+  * framework: update reference
+  * components-compliance.sh: update references to test_psa_compliance.py
+  * components-configuration.sh: update references to test_psa_constant_names.py
+  * Move files out of Mbed TLS
+  * test_suite_ssl: update description for conf_curve and conf_gruop tests
+  * test_suite_ssl: add ECDHE-RSA case for handshake_fragmentation()
+  * test_suite_ssl: add new ECDHE-RSA tests
+  * Update tf-psa-crypto/drivers/builtin/src/ecp.c
+  * Fix missing-word typo
+  * Add paragraph on undefined behaviour
+  * Add X.509 formatting validation to SECURITY.md
+  * Fix incorrect test function
+  * Remove useless dependency from test function
+  * Add ignore list entries for ECDH/FFDH algorithm without key type
+  * Remove test coverage exceptions that are no longer needed
+  * Update framework
+  * Update framework pointer
+  * Stop recommended deprecated function in migration guide
+  * config.py: Simplify crypto config default path setting
+  * framework: update reference
+  * components-build-system.sh: align component_test_cmake_as_package
+  * Move files out of Mbed TLS
+  * framework: update reference
+  * scripts: add new min_requirements.py script
+  * Move files out of Mbed TLS
+  * PSA interruptible sign/verify: detect invalid curve family in start
+  * framework: update reference
+  * component-basic-checks: fix paths of files moved to framework
+  * Move files out of Mbed TLS
+  * framework: updated reference
+  * scripts: fix paths for files moved to framework
+  * Move files out of Mbed TLS
+  * Update framework submodule
+  * Remove test coverage exceptions that are no longer needed
+  * crypto_config.h: Don't list mechanisms that are not implemented
+  * Update submodule
+  * Update submodule with the merge
+  * Update submodule
+  * Adujst paths
+  * Move files out of Mbed TLS
+  * Update submodule with the merge
+  * Update submodule
+  * Adjust paths
+  * Move files out of Mbed TLS
+  * Add change log entry on AES-NI asm block fixes
+  * Specify previously missed XMM register clobbers in AES-NI asm blocks
+  * Specify register clobbers in mbedtls_aesni_crypt_ecb()
+  * Update framework to the merge of #99
+  * Update framework
+  * Create a new Python module used by generate_psa_tests.py
+  * Fix `make dir/file` not rebuilding existing files
+  * Remove Invalid import/export key test
+  * Fix export public-key opaque key test paramters
+  * make: Add missing dependency
+  * Move test_keys.h to include/test
+  *  Fix incorrect submodule error message in CMake
+  * Fix incorrect submodule error message in Makefile
+  * Update submodule with the merge
+  * Added debug print in tls13 ssl_tls13_write_key_share_ext
+  * Update submodule
+  * Adapt paths for scripts/quiet
+  * Adapt paths for output_env.sh
+  * Move files out of Mbed TLS
+  * Refactor scripts to use config.py instead of config.pl
+  * Remove obsolete tcp_client.pl
+  * Remove obsolete Travis CI scripts
+  * Remove obsolete Docker CI scripts
+  * Distinguish between MBEDTLS_PSA_CRYPTO_C and MBEDTLS_PSA_CRYPTO_CLIENT
+  * FFDH in TLS: it's only a limitation for TLS 1.2, not TLS 1.3
+  * Fix copypasta
+  * reworked changelog according to suggestion
+  * Added changelog
+  * Make mbedTLS compile with MS-DOS DJGPP
+  * Update submodule to point to main
+  * Define FRAMEWORK
+  * Fix paths
+  * Use new functions
+  * Add project and branch detection in shell
+  * p256-m: allow deterministic ECDSA verification
+  * PSA interruptible sign/verify: detect unsupported mechanism in start
+  * Add missing resource cleanup on test failure
+  * Fix edge case with half-supported ECDSA (manual test cases)
+  * Move back *config_test_driver* headers from the framework
+  * Add some missing test case dependencies
+  * Update framework submodule
+  * import_not_supported: edge case of unsupported curves
+  * PSA sign/verify: more uniform error on an unsupported hash
+  * Update framework to add ported test helper changes
+  * Update framework submodule
+  * Update framework submodule
+  * Update framework submodule
+  * Properly clean instrument_record_status.h
+  * Reverse accidental docs PSA test wrappers path
+  * Add missing dependency to hash testsuite
+  * Disable test hooks when checking missing symbols
+  * Move mbedtls_test_hook_error_add from error.c to helpers.c
+  * Add missing include path to visual C script
+  * Update test_keys.h path on Windows
+  * Update paths to generated PSA test wrappers
+  * Update generate path to instrument_record_status.h
+  * Update path to PSA crypto alt headers
+  * Add extra paths to generate_visualc_files.pl
+  * Update make clean target with moved test helpers
+  * Update test_keys.h generation in Makefile
+  * Update libtestdriver paths in tests/Makefile
+  * Add tests/Makefile targets for moved test helpers
+  * Update common.mk with test helper object paths
+  * Add framework test include path to common.mk
+  * Add SSL-related test includes to ssl programs
+  * Add the framework/tests/include path to testsuites
+  * Re-add tests/include and tests/src paths to tests
+  * Add missing extra include path to fuzzer programs
+  * Re-add tests/include path for test helpers
+  * Update references to test helpers
+  * Move some test helpers out of Mbed TLS
+  * Update framework pointer
+  * Fix documentation for GCM decryption functions
+  * Fix issue where input data could be length 0
+  * Fix check_names errorr for MBEDTLS_GCM_ALT comment
+  * Update path to all-core.sh
+  * Update framework pointer
+  * Move all-{core,helpers}.sh out of Mbed TLS
+  *  Fix TEST_CALLOC issues with GCM buffer overlap tests
+  * Add test cases for AES GCM input and output buffer overlap
+  * Update GCM buffer overlap documentation
+  * Fix MD_PSA_INIT called before initializing some data structures
+  * Update submodule with the merge
+  * all.sh: improve check for clean config files
+  * all.sh: rationalize relative path usage
+  * Fix undefined variable in CMakeLists.txt
+  * Fix undefined variable in makefile
+  * Improve makefile error message
+  * Improve submodule error messages for Github archives
+  * Add a Python utility function to get the 3.6 feature macro
+  * Skip slowest FFDH tests against GnuTLS with MSan or Valgrind
+  * Don't use Unicode in .function file
+  * More explanation of what we do and do not test
+  * Add changelog entry
+  * mbedtls_psa_ecp_generate_key: don't calculate the public key
+  * Basic statistical tests for mbedtls_psa_ecp_generate_key()
+  * Unit tests for mbedtls_psa_ecp_generate_key()
+  * Rm forgotten armc5
+  * Drop building with armcc5 in all.sh
+  * Add override arguments for new gcc targets
+  * Clarify GCC version requirement
+  * Split up the Thumb-1 test component
+  * Remove superfluous invocations of make clean
+  * Update component speed estimates
+  * Initialize result caching variables
+  * Use true/false in place of integers
+  * Ignore missing temporary files during cleanup
+  * Fix copypasta in gcc_version
+  * Add AArch64 default config test
+  * Add Arm eabi default config tests
+  * Changelog entry for ECDSA conversion functions called with bits=0
+  * Remove unreachable assignments
+  * Assert non-empty data when needed
+  * Initialize CCM context before doing anything fallible
+  * mbedtls_ecdsa_raw_to_der and mbedtls_ecdsa_der_to_raw: reject bits==0
+  * Document errors for mbedtls_ecdsa_raw_to_der and mbedtls_ecdsa_der_to_raw
+  * mbedtls_mpi_write_binary{,_le}: test 0-size output
+  * Modernize mpi_write_binary and mpi_write_binary_le
+  * Disentangle 3.6/4.0 *_PSA_INIT/DONE variants
+  * Pair inits with declarations
+  * Move AES_PSA_INIT to after drbg init
+  * CMakeLists: use -O2 as ASAN_FLAG only in GCC versions before 7.0
+  * Revert "Temporarily comment out tests that are clogging the CI"
+  * Fix double free in case of test failure
+  * Add missing check of return
+  * Add const specifiers to pacify armclang
+  * Fix tests where tests were done prior to init
+  * Harmonise names of MBEDTLS_TEST_HAVE_ macros
+  * Tidy up header guards
+  * net/mbedtls_net_connect: Preventing double close problem
+  * fix PR9302 backporting issues
+  * changelog: fix typo
+  * changelog: updated description
+  * changelog: updated description
+  * changelog: describe support for static key slot buffers
+  * Documentation: fix some nits
+  * psa: move definition of MBEDTLS_PSA_KEY_BUFFER_MAX_SIZE
+  * test_suite_psa_crypto.data: fix some depends_on
+  * psa_crypto_helpers: add guard for MBEDTLS_TEST_STATIC_KEY_SLOTS_SUPPORT_RSA_xxx
+  * components-basic-checks: add new exception for MBEDTLS_CTR_DRBG_MAX_REQUEST
+  * test_suite_psa_crypto: use finer grained checks on the key slot buffer size
+  * psa_crypto_helpers: enhance definitions for static key slot related test symbols
+  * psa_crypto_helpers: add MBEDTLS_TEST_ prefix to newly created symbols
+  * psa: move default definition of MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE
+  * test: disable dynamic key store in test_crypto_with_static_key_slots
+  * check_config: prevent fully dynamic and static key stores to be enabled simultaneously
+  * psa: zeroize static key buffer content when key slot is freed
+  * test_suite_psa_crypto_storage_format: improve input bit length specification for static key buffer
+  * test: properly select MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE value
+  * mbedtls_config: fix/improve descriptions of PSA_STATIC_KEY_SLOT symbols
+  * psa: fix some macro definition
+  * test: add test with persitent key whose length is larger than MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE
+  * test: extend component_test_crypto_with_static_key_slots
+  * psa-core: remove unnecessary element in psa_key_slot_t
+  * psa_crypto_core: take also cipher's key length into account when sizing static key buffer
+  * test: revert fixes for PSA entropy
+  * test_suite_psa_crypto_driver_wrappers: revert changes and fix validate_key()
+  * psa-core: properly set PSA_CRYPTO_MAX_STORAGE_SIZE
+  * test: disable all legacy symbols in test_psa_crypto_without_heap
+  * test: minor fixes to test_psa_crypto_without_heap and test_crypto_with_static_key_slots
+  * mbedtls_config: fix descriptions for PSA static key slots
+  * mbedtls_config: move MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE to the correct place
+  * test: add new component to test core library without calloc/free
+  * test: add new component to test MBEDTLS_PSA_STATIC_KEY_SLOTS
+  * psa: allow to use static key buffers instead of dynamic ones
+  * Re-add special case for 3.6
+  * Only guard with CRYPTO_CLIENT when version >= 4
+  * Regenerate PSA test wrappers
+  * Align 3.6 tests/{src,include} with development PR
+  * Update framework
+  * Fix a typo in a comment
+  * all.sh: fix missing quotes
+  * Update framework to main
+  * Update submodule after the merge
+  * all.sh: adjust for when tf-psa-crypto is absent
+  * all.sh: re-instate 3.6-specific code
+  * all.sh: update documentation
+  * all.sh: move top-level code to a function
+  * all.sh: document new file structure
+  * all.sh: move definitions to all-core.sh
+  * all.sh: wrap main code into main() function
+  * all.sh: move clang_version() to helpers file
+  * all.sh: move component helpers to separate file
+  * all.sh: Move some functions to the right section
+  * all.sh: rename a helper function
+  * all.sh: extract repeated code to a function
+  * all.sh: group psasim helpers
+  * all.sh: rm obsolete functions
+  * all.sh: first define functions, then call them.
+  * all.sh: temporary alignment with development
+  * all.sh: align-dev: PSAsim functions
+  * all.sh: align-dev: tf-psa-crypto stuff
+  * all.sh: align-dev: move functions to the right place
+  * all.sh: align with development: whitespace
+  * Add "common.h"
+  * Update submodule
+  * Adjust file path for translate_ciphers.py
+  * Adjust file path for generate_tls13_compat_tests.py
+  * Adjust file path for generate_ssl_debug_helpers.py
+  * Move some files to framework repository
+  * Declare a generated file that was added after 3.6.1
+  * Revert "Add generated files"
+  * Temporarily comment out tests that are clogging the CI
+  * Work around GCC 5 performance problem with Asan+UBSan and -O3
+  * Improve support for submodules in code_style.py
+  * Minor readability improvements
+  * Remove ignore list entries that don't apply in 3.6
+  * framework: Fix overly lenient config tests for PSA_WANT_xxx
+  * Switch outcome analysis to enforcing that all tests are executed
+  * Add ALT-adjacent config option to the test coverage ignore list
+  * Add missing algorithm in the test driver configuration
+  * Add ignore list entries for configurations that are not tested
+  * Add ignore list entries for crypto tests that are not executed
+  * Add ignore list entries for TLS tests that are not executed
+  * Remove test case involving SECP224K1 in PSA
+  * In PSA generated tests, ignore patterns for which an issue has been raised
+  * In PSA generated tests, don't ignore not-implemented in some negative tests
+  * In PSA generated tests, ignore mechanisms that are not implemented
+  * Fix driver schema json default type requirements
+  * Update framework to the branch with collect_test_cases.py and outcome_analysis.py
+  * Default to allowing partial test coverage
+  * Downgrade mypy to a version that works with our code base
+  * Upgrade mypy to the last version supporting Python 3.6
+  * Move test case analysis modules to framework repository
+  * Adjust paths for impending moves to the framework
+  * Separate code and data of outcome analysis
+  * Pass KNOWN_TASKS as an argument to main
+  * Typecheck main
+  * Don't reuse a variable name inside a function
+  * Missing NotImplementedError in abstract method
+  * Remove sample ignore list elements for coverage
+  * Create a module to split branch-independent code out of analyze_outcomes.py
+  * Split test case collection from checks
+  * Create a module to split test case collection from checks
+  * check_test_cases.py: make 3.6 identical with development
+  * Don't use the "allow list" terminology any longer
+  * Switch coverage analysis to IGNORE_TESTS for its allowlist
+  * Simplify sub-test-suite handling in is_test_case_ignored
+  * Move test case ignore list to the master Task class
+  * Remove now-useless level of method call indirection
+  * Move analysis functions into their respective classes
+  * Remove dead code that was handling stringly typed data
+  * Replace stringly typed data by class: driver vs reference (data)
+  * Replace stringly typed data by class: driver vs reference (code)
+  * Replace stringly typed data by class: coverage
+  * Replace stringly typed data by class: prepare
+  * Allow running pylint and mypy on a single file
+  * Remove "error" allowance in dtls_server
+  * dtls_server: allow unexpected messages during handshake
+  * Update submodule
+  * Update submodule to the head of framework PR
+  * Expand on block cipher modes/derivatives
+  * Update framework to the main branch
+  * Expand on key derivations
+  * Clarify the superset rule
+  * Update and refine notes on restartable ECC and 4.0
+  * Skip ssl_server in config-suite-b
+  * Use OPENSSL_NEXT for a test case that uses IPv6 when available
+  * Note known issue about test cases skipped in TLS 1.3-only builds
+  * Test SSL sample programs against each other and ssl_client2, ssl_server2
+  * dtls_client: don't force the use of IPv6
+  * ssl_server: Allow the client to close the connection first
+  * Compatibiliy with older OpenSSL and GnuTLS
+  * Declare GnuTLS version dependency for TLS 1.3 test cases
+  * Declare OpenSSL version dependency for TLS 1.3 test cases
+  * Test dtls_server
+  * Test ssl_fork_server
+  * Test ssl_pthread_server
+  * Test ssl_server
+  * Test dtls_client
+  * Test ssl_client1
+  * Allow test cases to use a specific port
+  * Prepare to test SSL sample programs
+  * ssl_client1: Exit with an error status if the TLS connection failed
+  * Don't pass the section name to adapters
+  * Change "realfull" to activate everything
+  * Change "full" to affect boolean settings rather than use sections
+  * Pass the setting's value to adapters
+  * Have `make ssl-opt` generate `tls13-compat.sh` (make edition)
+  * Have `make ssl-opt` generate `tls13-compat.sh`
+  * Fix copypasta
+  * armv8 AES, SHA: simplify structure and fix copypasta
+  * Use .s extension for assembly
+  * Ignore and clean generated assembly
+  * Add target to compile to assembly
+  * Use -O2 for build+test with earliest compilers
+  * Fix spurious * in regex
+  * Don't set LD to a path with a typo for mingw
+  * Remove PSA macros usage from adapters
+  * CMake: generate tls13-compat.sh in the default build target
+  * Move generation of tls13-compat.sh to tests/CMakeLists.txt
+  * Print a "Gen" line when generating a file
+  * Remove obsolete requirement for GnuTLS %DISABLE_TLS13_COMPAT_MODE
+  * Reduce level of non-error debug message
+  * Remove transitional always-on internal option
+  * Changelog entry: fix #9551
+  * Fix sensitivity of tls13-compat.sh to the exact generation method
+  * Automatically generate tests/opt-testcases/tls13-compat.sh
+  * generate_tls13_compat_tests: change default mode to all
+  * Remove obsolete requirements on middlebox compatibility mode: generated
+  * Remove obsolete requirements on middlebox compatibility mode: manual
+  * Remove mid-stanza blank lines
+  * Adapt middlebox compatibility tests for always-on acceptance
+  * Separate accepting TLS 1.3 middlebox compatibility from sending it
+  * Avoid multiline requires_all_configs_xxx
+  * Remove test-ref-configs.pl, which no longer does anything
+  * Move config-tfm.h testing to separate all.sh component
+  * Move config-symmetric-only.h testing to separate all.sh components
+  * Move config-thread.h testing to separate all.sh components
+  * Move config-suite-b.h testing to separate all.sh components
+  * Move config-ccm-psk-dtls1_2.h testing to separate all.sh components
+  * Move config-ccm-psk-tls1_2.h testing to separate all.sh components
+  * Move config-no-entropy.h testing to separate all.sh component
+  * make: support "make ssl-opt" to just build what ssl-opt.sh needs
+  * CMake: support "make ssl-opt" to just build what ssl-opt.sh needs
+  * CMake: support "make programs"
+  * Fix obsolete comment about MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+  * Update framework
+  * Remove unused `CombinedConfig` class
+  * Update old class names
+  * Use MbedTLSConfig for config handling to keep campatibility
+  * Apply the parameter change
+  * Fix documentation
+  * Update member variable names
+  * Fix documentation
+  * Update `config.py` to use `config_common.py` from the framework
+  * Document the C compiler requirement
+  * Make the file a bit more readable
+  * Remove some dependencies
+  * Add PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+  * Replace MBEDTLS_PK_CAN_ECDSA_SOME with MBEDTLS_PK_CAN_ECDSA_SIGN
+  * Add missing ALG_SHA_1
+  * opt-testcases/*.sh are not executable
+  * requires_certificate_authentication: prioritize TLS 1.3
+  * Documentation improvements
+  * Fix detection of TLS 1.2 PSK-ephemeral key exchange modes
+  * Improve some comments
+  * Remove unused auth_mode parameter on a PSK test case
+  * Fix weirdly quoted invocations of requires_any_configs_enabled
+  * Also activate PSK-only mode when PSK-ephemeral key exchanges are available
+  * Unify the two requires-key-exchange-with-certificate function
+  * Detect PSK-only mode in TLS 1.3 as well
+  * Fix PSK-only mode doing less than it should
+  * Detect more cases where certificates are required
+  * ssl-opt: Fix GnuTLS PSK injection
+  * Use CONFIGS_ENABLED instead of repeatedly calling query_compile_time_config
+  * Fix "Renegotiation: openssl server, client-initiated" with OpenSSL 3
+  * tests: add a test for pkg-config files
+  * Update framework to the merge of #45
+  * Update framework
+  * Clarify summary of PSA limitations
+  * Misc minor clarifications in transition-guards.md
+  * Clarify a comment in all.sh
+  * Fix some typos & markdown
+  * Add links and missing )
+  * Minor updates in doc/comments/debug
+  * Add transition-guards.md
+  * Update psa-migration/strategy.md
+  * Update psa-limitations.md and add summary
+  * Use libary default in ssl_client2 for new_session_tickets
+  * Add guard on internal 1.2-only function
+  * Misc improvements to comments
+  * Make error line consistent with the header
+  * Fix code style (for real this time, hopefully)
+  * Fix guards on #include
+  * Fix code style
+  * Prepare codepath tests for early termination
+  * Fix incorrect test result
+  * Move bignum code path testing out of the library
+  * Explain the choice of the value of  MBEDTLS_MPI_IS_PUBLIC
+  * Initial local variables to secure default
+  * Introduce MBEDTLS_MPI_IS_TEST
+  * Add tests for optionally safe code paths in RSA
+  * Add tests for optionally safe code paths in bignum
+  * Revert "Add generated files"
+  * Leave the spaces in psa-transition.md
+  * Fix typo in psa-transition.md
+  * ccm.c: Return early when ccm* is used without tag.
+  * Remove test_valgrind_constant_flow_psa_no_asm
+  * Tiny fix in library/constant_time_impl.h
+  * Remove the hack in library/constant_time_impl.h
+  * Edit component_release_test_valgrind_constant_flow_no_asm
+  * Change valgrind constant flow testing to test without asm
+  * Disable asm in component_test_memsan
+  * Alter constant-flow memsan testing
+  * Corrected header line of analyze_driver_vs_reference
+  * ssl_client2: Add Host to HTTP GET request
+
+-------------------------------------------------------------------
+Tue May  6 16:37:59 UTC 2025 - Yoshio Sato <vasua.ukraine@gmail.com>
+
+- Enable SRTP protocol needed by some software.
+  * Add patch mbedtls-enable-srtp.patch
+
+-------------------------------------------------------------------
+Thu Oct 17 09:38:18 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to version 3.6.2: [bsc#1231708, CVE-2024-49195]
+  * test_suite_pkwrite: extend coverage of wrong output buffer
+    sizes in pk_write_check_common()
+  * pkwrite: fix buffer overrun
+
 -------------------------------------------------------------------
 Sat Sep 07 12:00:00 UTC 2024 - cunix@mail.de
 

mbedtls.obsinfo

@@ -1,4 +1,4 @@
 name: mbedtls
-version: 3.6.1
+version: 3.6.4
-mtime: 1725009114
+mtime: 1750881360
-commit: 71c569d44bf3a8bd53d874c81ee8ac644dd6e9e3
+commit: c765c831e5c2a0971410692f92f7a81d6ec65ec2

mbedtls.spec

@@ -22,7 +22,7 @@
 %define lib_everest libeverest
 %define lib_p256m   libp256m
 Name:           mbedtls
-Version:        3.6.1
+Version:        3.6.4
 Release:        0
 Summary:        Libraries for crypto and SSL/TLS protocols
 License:        Apache-2.0 OR GPL-2.0-or-later
@@ -31,6 +31,8 @@ Source:         %{name}-%{version}.tar.gz
 Source99:       baselibs.conf
 # PATCH-FEATURE-OPENSUSE - enable MBEDTLS_THREADING_PTHREAD and MBEDTLS_THREADING_C
 Patch1:         mbedtls-enable-pthread.patch
+# PATCH-FEATURE-OPENSUSE - enable MBEDTLS_SSL_DTLS_SRTP
+Patch2:         mbedtls-enable-srtp.patch
 BuildRequires:  cmake
 BuildRequires:  ninja
 %{?suse_build_hwcaps_libs}