forked from pool/mbedtls
806db72ddc
- Update to version 2.8.0:
* Security:
+ Defend against Bellcore glitch attacks by verifying the results of RSA private key operations.
+ Fix implementation of the truncated HMAC extension. The previous implementation allowed an offline 2^80 brute force attack on the HMAC key of a single, uninterrupted connection (with no resumption of the session).
+ Reject CRLs containing unsupported critical extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
+ Fix a buffer overread in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
+ Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a crash on invalid input.
* Features:
+ Enable reading encrypted PEM files produced by software that uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli, OpenVPN Inc. Fixes #1339
+ Support public keys encoded in PKCS#1 format. #1122
* New deprecations:
+ Compression and crypto don't mix. We don't recommend using compression and cryptography, and have deprecated support for record compression (configuration option MBEDTLS_ZLIB_SUPPORT).
* Bugfix:
+ Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct. In the context of SSL, this resulted in handshake failure. Reported by daniel in the Mbed TLS forum. #1351
+ Fix setting version TLSv1 as minimal version, even if TLS 1 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION and MBEDTLS_SSL_MIN_MINOR_VERSION instead of MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
+ Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE only if __MINGW32__ is not defined. Fix suggested by Thomas Glanzmann and Nick Wilson on issue #355
+ Fix memory allocation corner cases in memory_buffer_alloc.c module. Found by Guido Vranken. #639
+ Don't accept an invalid tag when parsing X.509 subject alternative names in some circumstances.
+ Fix a possible arithmetic overflow in ssl_parse_server_key_exchange() that could cause a key exchange to fail on valid data.
+ Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that could cause a key exchange to fail on valid data.
+ Fix a 1-byte heap buffer overflow (read-only) during private key parsing. Found through fuzz testing.
* Changes
+ Fix tag lengths and value ranges in the documentation of CCM encryption. Contributed by Mathieu Briand.
+ Fix a typo in a comment in ctr_drbg.c. Contributed by Paul Sokolovsky.
+ Remove support for the library reference configuration for picocoin.
+ MD functions deprecated in 2.7.0 are no longer inline, to provide a migration path for those depending on the library's ABI.
+ Use (void) when defining functions with no parameters. Contributed by Joris Aerts. #678
OBS-URL: https://build.opensuse.org/request/show/593915
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=16
142 lines
4.6 KiB
RPMSpec
142 lines
4.6 KiB
RPMSpec
#
|
|
# spec file for package mbedtls
|
|
#
|
|
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define lib_tls libmbedtls10
|
|
%define lib_crypto libmbedcrypto1
|
|
%define lib_x509 libmbedx509-0
|
|
Name: mbedtls
|
|
Version: 2.8.0
|
|
Release: 0
|
|
Summary: Libraries for crypto and SSL/TLS protocols
|
|
License: Apache-2.0
|
|
Group: Development/Libraries/C and C++
|
|
URL: https://tls.mbed.org
|
|
Source: https://tls.mbed.org/download/%{name}-%{version}-apache.tgz
|
|
Source99: baselibs.conf
|
|
BuildRequires: cmake
|
|
BuildRequires: pkgconfig
|
|
BuildRequires: pkgconfig(libpkcs11-helper-1)
|
|
BuildRequires: pkgconfig(zlib)
|
|
|
|
%description
|
|
mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It
|
|
supports a number of extensions such as SSL Session Tickets (RFC
|
|
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
|
|
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
|
|
5746) and Application Layer Protocol Negotiation (ALPN). It
|
|
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
|
|
exchanges.
|
|
|
|
%package -n %{lib_tls}
|
|
Summary: Transport Layer Security protocol suite
|
|
Group: System/Libraries
|
|
|
|
%description -n %{lib_tls}
|
|
mbedtls implements the SSL 3.0, TLS 1.0, 1.1 and 1.2 protocols. It
|
|
supports a number of extensions such as SSL Session Tickets (RFC
|
|
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
|
|
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
|
|
5746) and Application Layer Protocol Negotiation (ALPN). It
|
|
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
|
|
exchanges.
|
|
|
|
%package -n %{lib_crypto}
|
|
Summary: Cryptographic base library for mbedtls
|
|
Group: System/Libraries
|
|
|
|
%description -n %{lib_crypto}
|
|
This subpackage of mbedtls contains a library that exposes
|
|
cryptographic ciphers, hashes, algorithms and format support such as
|
|
AES, MD5, SHA, Elliptic Curves, BigNum, PKCS, ASN.1, BASE64.
|
|
|
|
%package -n %{lib_x509}
|
|
Summary: Library to work with X.509 certificates
|
|
Group: System/Libraries
|
|
|
|
%description -n %{lib_x509}
|
|
This subpackage of mbedtls contains a library that can read, verify
|
|
and write X.509 certificates, read/write Certificate Signing Requests
|
|
and read Certificate Revocation Lists.
|
|
|
|
%package devel
|
|
Summary: Development files for mbedtls, a SSL/TLS library
|
|
Group: Development/Libraries/C and C++
|
|
Requires: %{lib_crypto} = %{version}
|
|
Requires: %{lib_tls} = %{version}
|
|
Requires: %{lib_x509} = %{version}
|
|
|
|
%description devel
|
|
This subpackage contains the development files for mbedtls,
|
|
a suite of libraries for cryptographic functions and the
|
|
SSL/TLS protocol suite.
|
|
|
|
%prep
|
|
%autosetup
|
|
sed -i 's|//\(#define MBEDTLS_ZLIB_SUPPORT\)|\1|' include/mbedtls/config.h
|
|
sed -i 's|//\(#define MBEDTLS_HAVEGE_C\)|\1|' include/mbedtls/config.h
|
|
sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h
|
|
sed -i 's|//\(#define MBEDTLS_THREADING_PTHREAD\)|\1|' include/mbedtls/config.h
|
|
|
|
%build
|
|
%cmake \
|
|
-DLINK_WITH_PTHREAD=ON \
|
|
-DUSE_PKCS11_HELPER_LIBRARY=ON \
|
|
-DENABLE_ZLIB_SUPPORT=ON \
|
|
-DINSTALL_MBEDTLS_HEADERS=ON \
|
|
-DUSE_SHARED_MBEDTLS_LIBRARY=ON \
|
|
-DUSE_STATIC_MBEDTLS_LIBRARY=OFF \
|
|
-DENABLE_PROGRAMS=OFF
|
|
%make_jobs
|
|
|
|
%install
|
|
%cmake_install
|
|
|
|
%check
|
|
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{_builddir}/%{name}-%{version}/build/library
|
|
%ctest
|
|
|
|
%post -n %{lib_tls} -p /sbin/ldconfig
|
|
%post -n %{lib_crypto} -p /sbin/ldconfig
|
|
%post -n %{lib_x509} -p /sbin/ldconfig
|
|
%postun -n %{lib_tls} -p /sbin/ldconfig
|
|
%postun -n %{lib_crypto} -p /sbin/ldconfig
|
|
%postun -n %{lib_x509} -p /sbin/ldconfig
|
|
|
|
%files devel
|
|
%license LICENSE
|
|
%doc ChangeLog README.md
|
|
%dir %{_includedir}/mbedtls
|
|
%{_includedir}/mbedtls/*.h
|
|
%{_libdir}/libmbedtls.so
|
|
%{_libdir}/libmbedcrypto.so
|
|
%{_libdir}/libmbedx509.so
|
|
|
|
%files -n %{lib_tls}
|
|
%license LICENSE
|
|
%{_libdir}/libmbedtls.so.*
|
|
|
|
%files -n %{lib_crypto}
|
|
%license LICENSE
|
|
%{_libdir}/libmbedcrypto.so.*
|
|
|
|
%files -n %{lib_x509}
|
|
%license LICENSE
|
|
%{_libdir}/libmbedx509.so.*
|
|
|
|
%changelog
|