------------------------------------------------------------------- Fri Mar 27 16:59:55 UTC 2015 - mpluskal@suse.com - Update package categories ------------------------------------------------------------------- Wed Mar 18 18:56:26 UTC 2015 - mpluskal@suse.com - Create symlink to ensure compatibility with polarssl ------------------------------------------------------------------- Mon Mar 16 12:54:22 UTC 2015 - mpluskal@suse.com - Update provides/obsoletes ------------------------------------------------------------------- Sun Mar 15 21:23:17 UTC 2015 - mpluskal@suse.com - Fix sed for includes ------------------------------------------------------------------- Sun Mar 15 11:44:53 UTC 2015 - mpluskal@suse.com - Rename to mbedtls - Use cmake macro for building - Update to 1.3.10 * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default). * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics). * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel). * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv). * Add support for Extended Master Secret (draft-ietf-tls-session-hash). * Add support for Encrypt-then-MAC (RFC 7366). * Add function pk_check_pair() to test if public and private keys match. * Add x509_crl_parse_der(). * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain. * Support for renegotiation can now be disabled at compile-time * Support for 1/n-1 record splitting, a countermeasure against BEAST. * Certificate selection based on signature hash, prefering SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available. * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc). * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list. * Added new error codes and debug messages about selection of ciphersuite/certificate. ------------------------------------------------------------------- Tue Jan 20 19:33:12 UTC 2015 - fisiu@opensuse.org - Add polarssl-CVE-2015-1182.patch: Remote attack using crafted certificates: fix boo#913903, CVE-2015-1182. ------------------------------------------------------------------- Mon Nov 3 12:25:24 UTC 2014 - fisiu@opensuse.org - Update to 1.3.9, detailed changes available in ChangeLog file: * Lowest common hash was selected from signature_algorithms extension in TLS 1.2: fix boo#903672, CVE-2014-8627. * Remotely-triggerable memory leak when parsing some X.509 certificates, CVE-2014-8628. * Remotely-triggerable memory leak when parsing crafted ClientHello, CVE-2014-8628. * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x. * Ciphersuites using RSA-PSK key exchange now require TLS 1.x. * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits RSA keys. * X.509 certificates with more than one AttributeTypeAndValue per RelativeDistinguishedName are not accepted any more. - Build with POLARSSL_THREADING_PTHREAD: fix boo#903671. ------------------------------------------------------------------- Fri Aug 15 17:17:05 UTC 2014 - fisiu@opensuse.org - Update to 1.3.8, detailed changes available in ChangeLog file: * Fix length checking for AEAD ciphersuites (found by Codenomicon). It was possible to crash the server (and client) using crafted messages when a GCM suite was chosen. * Add CCM module and cipher mode to Cipher Layer * Support for CCM and CCM_8 ciphersuites * Support for parsing and verifying RSASSA-PSS signatures in the X.509 modules (certificates, CRLs and CSRs). * Blowfish in the cipher layer now supports variable length keys. * Add example config.h for PSK with CCM, optimized for low RAM usage. * Optimize for RAM usage in example config.h for NSA Suite B profile. * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites from the default list (inactive by default). * Add server-side enforcement of sent renegotiation requests (ssl_set_renegotiation_enforced()) * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of ciphersuites to use and save some memory if the list is small. ------------------------------------------------------------------- Sat Mar 29 14:01:16 UTC 2014 - fisiu@opensuse.org - Update to 1.3.5, detailed changes available in ChangeLog file: * Elliptic Curve Cryptography module added * Elliptic Curve Diffie Hellman module added * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS (ECDHE-based ciphersuites) * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS (ECDSA-based ciphersuites) * Ability to specify allowed ciphersuites based on the protocol version. * PSK and DHE-PSK based ciphersuites added * Memory allocation abstraction layer added * Buffer-based memory allocator added (no malloc() / free() / HEAP usage) * Threading abstraction layer added (dummy / pthread / alternate) * Public Key abstraction layer added * Parsing Elliptic Curve keys * Parsing Elliptic Curve certificates * Support for max_fragment_length extension (RFC 6066) * Support for truncated_hmac extension (RFC 6066) * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros (ISO/IEC 7816-4) padding and zero padding in the cipher layer * Support for session tickets (RFC 5077) * Certificate Request (CSR) generation with extensions (key_usage, ns_cert_type) * X509 Certificate writing with extensions (basic_constraints, issuer_key_identifier, etc) * Optional blinding for RSA, DHM and EC * Support for multiple active certificate / key pairs in SSL servers for the same host (Not to be confused with SNI!) ------------------------------------------------------------------- Wed May 15 12:21:45 UTC 2013 - fisiu@opensuse.org - Update to 1.2.7: * Ability to specify allowed ciphersuites based on the protocol version. * Default Blowfish keysize is now 128-bits * Test suites made smaller to accommodate Raspberry Pi * Fix for MPI assembly for ARM * GCM adapted to support sizes > 2^29 ------------------------------------------------------------------- Sat Mar 16 16:03:03 UTC 2013 - fisiu@opensuse.org - Update to 1.2.6: * Fixed memory leak in ssl_free() and ssl_reset() * Corrected GCM counter incrementation to use only 32-bits instead of 128-bits * Fixed net_bind() for specified IP addresses on little endian systems * Fixed assembly code for ARM (Thumb and regular) * Detailed information available in ChangeLog file. ------------------------------------------------------------------- Fri Mar 8 13:38:43 UTC 2013 - fisiu@opensuse.org - Update to 1.2.5 ------------------------------------------------------------------- Sun Jan 29 14:29:51 UTC 2012 - jengelh@medozas.de - Remove redundant tags/sections per specfile guideline suggestions ------------------------------------------------------------------- Sat Jun 11 04:46:46 UTC 2011 - crrodriguez@opensuse.org - Update to version 0.99.5 ------------------------------------------------------------------- Sun Apr 10 19:21:16 UTC 2011 - crrodriguez@opensuse.org - Initial version