forked from pool/mbedtls
c11c7d3c29
- Update to version 2.12.0:
* Security
+ Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certains conditions by exploiting timing side-channels.
+ Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions by using a cache attack targetting an internal MD/SHA buffer.
+ Added a counter-measure against a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker with the ability to execute code on the local machine as well as manipulate network packets, to partially recover the plaintext of messages certain conditions (see previous entry) by using a cache attack targeting the SSL input record buffer.
* Features
+ Added new cryptographic primitives, the stream cipher Chacha20, one-time authenticator Poly1305 and AEAD construct Chacha20-Poly1305, as defined in RFC 7539. Contributed by Daniel King.
+ Added support for the CHACHA20-POLY1305 ciphersuites from RFC 7905.
+ Made the receive and transmit buffers independently configurable in size, for situations where the outgoing buffer can be fixed at a smaller size than the incoming buffer
+ Added support for the AES based key wrapping modes defined by NIST SP 800-38F algorithms KW and KWP and by RFC's 3394 and 5649.
+ Added platform support for the Haiku OS.
* Bugfix
+ Fixed the key_app_writer example which was creating an invalid ASN.1 tag by writing an additional leading zero byte. Found by Aryeh R. #1257.
+ Fixed a C++ compilation error, caused by a variable named new. Found and fixed by Hirotaka Niisato. #1783.
+ Fixed the "no symbols" warning issued by ranlib when building on Mac OS X. Fix contributed by tabascoeye.
+ Clarified documentation for mbedtls_ssl_write() to include 0 as a valid return value. Found by @davidwu2000. #839.
+ Fixed a memory leak in mbedtls_x509_csr_parse(). Found and fixed by catenacyber, Philippe Antoine. #1623.
+ Added length checks to some TLS parsing functions. Found and fixed by Philippe Antoine from Catena cyber. #1663.
+ Remove unused headers included in x509.c. Found by Chris Hanson and fixed by Brendan Shanks. #992.
+ Fixed compilation error when MBEDTLS_ARC4_C is disabled and MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
+ Fixed the inline assembly for the MPI multiply helper function for i386 and i386 with SSE2. Found by László Langó. #1550.
+ Fixed the namespacing in header files. Remove the mbedtls namespacing in the #include in the header files. #857.
+ Fixed a compiler warning of 'use before initialisation' in mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid Drozd.#1098.
+ Fixed decryption of zero length messages (which contain all padding) when a CBC based ciphersuite was used together with Encrypt-then-MAC.
+ Fixed the ssl_client2 example to send application data with 0-length content when the request_size argument is set to 0 as stated in the documentation. #1833.
+ Corrected the documentation for mbedtls_ssl_get_session(). This API has deep copy of the session, and the peer certificate is not lost. #926.
+ Fixed issues when building to the C99 standard, using -std=c99. Fixed by Nick Wilson.
* Changes
+ Fails when receiving a TLS alert message with an invalid length, or invalid zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
+ Changed the default behaviour of mbedtls_hkdf_extract() to return an error when calling with a NULL salt and non-zero salt length. Contributed by Brian J Murray
OBS-URL: https://build.opensuse.org/request/show/631028
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls?expand=0&rev=18
142 lines
4.6 KiB
RPMSpec
142 lines
4.6 KiB
RPMSpec
#
|
|
# spec file for package mbedtls
|
|
#
|
|
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define lib_tls libmbedtls11
|
|
%define lib_crypto libmbedcrypto3
|
|
%define lib_x509 libmbedx509-0
|
|
Name: mbedtls
|
|
Version: 2.12.0
|
|
Release: 0
|
|
Summary: Libraries for crypto and SSL/TLS protocols
|
|
License: Apache-2.0
|
|
Group: Development/Libraries/C and C++
|
|
URL: https://tls.mbed.org
|
|
Source: https://tls.mbed.org/download/%{name}-%{version}-apache.tgz
|
|
Source99: baselibs.conf
|
|
BuildRequires: cmake
|
|
BuildRequires: pkgconfig
|
|
BuildRequires: pkgconfig(libpkcs11-helper-1)
|
|
BuildRequires: pkgconfig(zlib)
|
|
|
|
%description
|
|
mbedtls implements the SSL3, TLS 1.0, 1.1 and 1.2 protocols. It
|
|
supports a number of extensions such as SSL Session Tickets (RFC
|
|
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
|
|
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
|
|
5746) and Application Layer Protocol Negotiation (ALPN). It
|
|
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
|
|
exchanges.
|
|
|
|
%package -n %{lib_tls}
|
|
Summary: Transport Layer Security protocol suite
|
|
Group: System/Libraries
|
|
|
|
%description -n %{lib_tls}
|
|
mbedtls implements the SSL 3.0, TLS 1.0, 1.1 and 1.2 protocols. It
|
|
supports a number of extensions such as SSL Session Tickets (RFC
|
|
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
|
|
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
|
|
5746) and Application Layer Protocol Negotiation (ALPN). It
|
|
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key
|
|
exchanges.
|
|
|
|
%package -n %{lib_crypto}
|
|
Summary: Cryptographic base library for mbedtls
|
|
Group: System/Libraries
|
|
|
|
%description -n %{lib_crypto}
|
|
This subpackage of mbedtls contains a library that exposes
|
|
cryptographic ciphers, hashes, algorithms and format support such as
|
|
AES, MD5, SHA, Elliptic Curves, BigNum, PKCS, ASN.1, BASE64.
|
|
|
|
%package -n %{lib_x509}
|
|
Summary: Library to work with X.509 certificates
|
|
Group: System/Libraries
|
|
|
|
%description -n %{lib_x509}
|
|
This subpackage of mbedtls contains a library that can read, verify
|
|
and write X.509 certificates, read/write Certificate Signing Requests
|
|
and read Certificate Revocation Lists.
|
|
|
|
%package devel
|
|
Summary: Development files for mbedtls, a SSL/TLS library
|
|
Group: Development/Libraries/C and C++
|
|
Requires: %{lib_crypto} = %{version}
|
|
Requires: %{lib_tls} = %{version}
|
|
Requires: %{lib_x509} = %{version}
|
|
|
|
%description devel
|
|
This subpackage contains the development files for mbedtls,
|
|
a suite of libraries for cryptographic functions and the
|
|
SSL/TLS protocol suite.
|
|
|
|
%prep
|
|
%autosetup
|
|
sed -i 's|//\(#define MBEDTLS_ZLIB_SUPPORT\)|\1|' include/mbedtls/config.h
|
|
sed -i 's|//\(#define MBEDTLS_HAVEGE_C\)|\1|' include/mbedtls/config.h
|
|
sed -i 's|//\(#define MBEDTLS_THREADING_C\)|\1|' include/mbedtls/config.h
|
|
sed -i 's|//\(#define MBEDTLS_THREADING_PTHREAD\)|\1|' include/mbedtls/config.h
|
|
|
|
%build
|
|
%cmake \
|
|
-DLINK_WITH_PTHREAD=ON \
|
|
-DUSE_PKCS11_HELPER_LIBRARY=ON \
|
|
-DENABLE_ZLIB_SUPPORT=ON \
|
|
-DINSTALL_MBEDTLS_HEADERS=ON \
|
|
-DUSE_SHARED_MBEDTLS_LIBRARY=ON \
|
|
-DUSE_STATIC_MBEDTLS_LIBRARY=OFF \
|
|
-DENABLE_PROGRAMS=OFF
|
|
%make_jobs
|
|
|
|
%install
|
|
%cmake_install
|
|
|
|
%check
|
|
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{_builddir}/%{name}-%{version}/build/library
|
|
%ctest
|
|
|
|
%post -n %{lib_tls} -p /sbin/ldconfig
|
|
%post -n %{lib_crypto} -p /sbin/ldconfig
|
|
%post -n %{lib_x509} -p /sbin/ldconfig
|
|
%postun -n %{lib_tls} -p /sbin/ldconfig
|
|
%postun -n %{lib_crypto} -p /sbin/ldconfig
|
|
%postun -n %{lib_x509} -p /sbin/ldconfig
|
|
|
|
%files devel
|
|
%license LICENSE
|
|
%doc ChangeLog README.md
|
|
%dir %{_includedir}/mbedtls
|
|
%{_includedir}/mbedtls/*.h
|
|
%{_libdir}/libmbedtls.so
|
|
%{_libdir}/libmbedcrypto.so
|
|
%{_libdir}/libmbedx509.so
|
|
|
|
%files -n %{lib_tls}
|
|
%license LICENSE
|
|
%{_libdir}/libmbedtls.so.*
|
|
|
|
%files -n %{lib_crypto}
|
|
%license LICENSE
|
|
%{_libdir}/libmbedcrypto.so.*
|
|
|
|
%files -n %{lib_x509}
|
|
%license LICENSE
|
|
%{_libdir}/libmbedx509.so.*
|
|
|
|
%changelog
|