rpm/mbedtls
SHA256
1
0
Fork 0
forked from pool/mbedtls
Code Pull Requests Activity
32885839d9
mbedtls/mbedtls.spec
Martin Pluskal 32885839d9 Accepting request 858114 from home:dirkmueller:branches:security:tls 
- update to 2.25.0:
  * This release of Mbed TLS provides bug fixes, minor enhancements and new
  features. This release includes fixes for security issues. 
  * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0
  * The functions mbedtls_cipher_auth_encrypt() and
  mbedtls_cipher_auth_decrypt() would write past the minimum documented size
  of the output buffer when used with NIST_KW. As a result, code using those
  functions as documented with NIST_KW could have a buffer overwrite of up to
  15 bytes, with consequences ranging up to arbitrary code execution
  depending on the location of the output buffer.
  * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
  MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating
  Diffie-Hellman key pairs. Credit to OSS-Fuzz.
  
  * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
  which is how most uses of randomization in asymmetric cryptography (including
  key generation, intermediate value randomization and blinding) are implemented.
  This could cause failures or the silent use of non-random values. A random
  generator can fail if it needs reseeding and cannot not obtain entropy, or due
  to an internal failure (which, for Mbed TLS's own CTR_DRBG or HMAC_DRBG, can
  only happen due to a misconfiguration).
  
  * Fix a compliance issue whereby we were not checking the tag on the algorithm
  parameters (only the size) when comparing the signature in the description part
  of the cert to the real signature. This meant that a NULL algorithm parameters
  entry would look identical to an array of REAL (size zero) to the library and
  thus the certificate would be considered valid. However, if the parameters do
  not match in any way then the certificate should be considered invalid, and
  indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks
  to guidovranken who found this issue via differential fuzzing and reported it

OBS-URL: https://build.opensuse.org/request/show/858114
OBS-URL: https://build.opensuse.org/package/show/security:tls/mbedtls?expand=0&rev=22
2020-12-22 10:24:25 +00:00

149 lines
4.7 KiB
RPMSpec
Raw Blame History

#
# spec file for package mbedtls
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define lib_tls libmbedtls13
%define lib_crypto libmbedcrypto6
%define lib_x509 libmbedx509-1
Name: mbedtls
Version: 2.25.0
Release: 0
Summary: Libraries for crypto and SSL/TLS protocols
License: Apache-2.0
Group: Development/Libraries/C and C++
URL: https://tls.mbed.org
Source: https://github.com/ARMmbed/mbedtls/archive/v%{version}.tar.gz
Source99: baselibs.conf
BuildRequires: cmake
BuildRequires: ninja
BuildRequires: pkgconfig
BuildRequires: pkgconfig(libpkcs11-helper-1)
BuildRequires: pkgconfig(zlib)
%description
mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It
supports a number of extensions such as SSL Session Tickets (RFC
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
5746) and Application Layer Protocol Negotiation (ALPN). It
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
exchanges.
%package -n %{lib_tls}
Summary: Transport Layer Security protocol suite
Group: System/Libraries
%description -n %{lib_tls}
mbedtls implements the SSL 3.0, TLS 1.0, 1.1 and 1.2 protocols. It
supports a number of extensions such as SSL Session Tickets (RFC
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
5746) and Application Layer Protocol Negotiation (ALPN). It
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
exchanges.
%package -n %{lib_crypto}
Summary: Cryptographic base library for mbedtls
Group: System/Libraries
%description -n %{lib_crypto}
This subpackage of mbedtls contains a library that exposes
cryptographic ciphers, hashes, algorithms and format support such as
AES, MD5, SHA, Elliptic Curves, BigNum, PKCS, ASN.1, BASE64.
%package -n %{lib_x509}
Summary: Library to work with X.509 certificates
Group: System/Libraries
%description -n %{lib_x509}
This subpackage of mbedtls contains a library that can read, verify
and write X.509 certificates, read/write Certificate Signing Requests
and read Certificate Revocation Lists.
%package devel
Summary: Development files for mbedtls, a SSL/TLS library
Group: Development/Libraries/C and C++
Requires: %{lib_crypto} = %{version}
Requires: %{lib_tls} = %{version}
Requires: %{lib_x509} = %{version}
%description devel
This subpackage contains the development files for mbedtls,
a suite of libraries for cryptographic functions and the
SSL/TLS protocol suite.
%prep
%autosetup
sed -i 's|//\(#define MBEDTLS_ZLIB_SUPPORT\)|\1|' include/mbedtls/config.h
sed -i 's|//\(#define MBEDTLS_HAVEGE_C\)|\1|' include/mbedtls/config.h
sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h
sed -i 's|//\(#define MBEDTLS_THREADING_PTHREAD\)|\1|' include/mbedtls/config.h
%build
%define __builder ninja
%cmake \
-DLINK_WITH_PTHREAD=ON \
-DUSE_PKCS11_HELPER_LIBRARY=ON \
-DENABLE_ZLIB_SUPPORT=ON \
-DINSTALL_MBEDTLS_HEADERS=ON \
-DUSE_SHARED_MBEDTLS_LIBRARY=ON \
-DUSE_STATIC_MBEDTLS_LIBRARY=OFF \
-DENABLE_PROGRAMS=OFF \
-DCMAKE_POLICY_DEFAULT_CMP0012=NEW
%cmake_build
%install
%cmake_install
%check
# parallel execution fails
# %%ctest
pushd build
%{_bindir}/ctest --output-on-failure --force-new-ctest-process -j1
%post -n %{lib_tls} -p /sbin/ldconfig
%post -n %{lib_crypto} -p /sbin/ldconfig
%post -n %{lib_x509} -p /sbin/ldconfig
%postun -n %{lib_tls} -p /sbin/ldconfig
%postun -n %{lib_crypto} -p /sbin/ldconfig
%postun -n %{lib_x509} -p /sbin/ldconfig
%files devel
%license LICENSE
%doc ChangeLog README.md
%dir %{_includedir}/mbedtls
%dir %{_includedir}/psa
%{_includedir}/mbedtls/*.h
%{_includedir}/psa/*.h
%{_libdir}/libmbedtls.so
%{_libdir}/libmbedcrypto.so
%{_libdir}/libmbedx509.so
%files -n %{lib_tls}
%license LICENSE
%{_libdir}/libmbedtls.so.*
%files -n %{lib_crypto}
%license LICENSE
%{_libdir}/libmbedcrypto.so.*
%files -n %{lib_x509}
%license LICENSE
%{_libdir}/libmbedx509.so.*
%changelog
View Git Blame Copy Permalink