Revisions of mbedtls
Martin Pluskal (pluskalm)
accepted
request 907287
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 31)
- Update to 2.27.0: API changes: * Update AEAD output size macros to bring them in line with the PSA Crypto API version 1.0 spec. This version of the spec parameterizes them on the key type used, as well as the key bit-size in the case of PSA_AEAD_TAG_LENGTH. The old versions of these macros were renamed and deprecated as follows: - PSA_AEAD_TAG_LENGTH -> PSA_AEAD_TAG_LENGTH_1_ARG - PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG - PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG - PSA_AEAD_UPDATE_OUTPUT_SIZE -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG - PSA_AEAD_FINISH_OUTPUT_SIZE -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG - PSA_AEAD_VERIFY_OUTPUT_SIZE -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG * Implement one-shot cipher functions, psa_cipher_encrypt and psa_cipher_decrypt, according to the PSA Crypto API 1.0.0 specification. Features: * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a signature with a specific salt length. This function allows to validate test cases provided in the NIST's CAVP test suite. * Added support for built-in driver keys through the PSA opaque crypto driver interface. Refer to the documentation of MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information. * Implement psa_sign_message() and psa_verify_message(). * The new function mbedtls_mpi_random() generates a random value in a given range uniformly. * Implement psa_mac_compute() and psa_mac_verify() as defined in the PSA Cryptograpy API 1.0.0 specification. * MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured curves and no longer needs to be configured explicitly to save RAM.
buildservice-autocommit
accepted
request 885737
from
Martin Pluskal (pluskalm)
(revision 30)
auto commit by copy to link target
Martin Pluskal (pluskalm)
committed
(revision 29)
- Workaround for building with gcc-11 boo#1181876
buildservice-autocommit
accepted
request 880715
from
Martin Pluskal (pluskalm)
(revision 28)
auto commit by copy to link target
Martin Pluskal (pluskalm)
committed
(revision 27)
mbedtls-4237.patch
Martin Pluskal (pluskalm)
accepted
request 880551
from
Guillaume GARDET (Guillaume_G)
(revision 26)
- Update to 2.26.0: * * This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues. * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0 - Fix build with patch from https://github.com/ARMmbed/mbedtls/pull/4237
buildservice-autocommit
accepted
request 864545
from
Martin Pluskal (pluskalm)
(revision 25)
auto commit by copy to link target
Martin Pluskal (pluskalm)
accepted
request 864424
from
Luigi Baldoni (alois)
(revision 24)
- Fix build for Leap targets - Use upstream tarball name
buildservice-autocommit
accepted
request 858120
from
Martin Pluskal (pluskalm)
(revision 23)
auto commit by copy to link target
Martin Pluskal (pluskalm)
accepted
request 858114
from
Dirk Mueller (dirkmueller)
(revision 22)
- update to 2.25.0: * This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues. * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0 * The functions mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_decrypt() would write past the minimum documented size of the output buffer when used with NIST_KW. As a result, code using those functions as documented with NIST_KW could have a buffer overwrite of up to 15 bytes, with consequences ranging up to arbitrary code execution depending on the location of the output buffer. * Limit the size of calculations performed by mbedtls_mpi_exp_mod to MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs. Credit to OSS-Fuzz. * A failure of the random generator was ignored in mbedtls_mpi_fill_random(), which is how most uses of randomization in asymmetric cryptography (including key generation, intermediate value randomization and blinding) are implemented. This could cause failures or the silent use of non-random values. A random generator can fail if it needs reseeding and cannot not obtain entropy, or due to an internal failure (which, for Mbed TLS's own CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration). * Fix a compliance issue whereby we were not checking the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature. This meant that a NULL algorithm parameters entry would look identical to an array of REAL (size zero) to the library and thus the certificate would be considered valid. However, if the parameters do not match in any way then the certificate should be considered invalid, and indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks to guidovranken who found this issue via differential fuzzing and reported it
buildservice-autocommit
accepted
request 838417
from
Martin Pluskal (pluskalm)
(revision 21)
auto commit by copy to link target
Martin Pluskal (pluskalm)
accepted
request 837996
from
Dirk Mueller (dirkmueller)
(revision 20)
- update to 2.24.0: * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 * Fix a vulnerability in the verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify()) with the actual certificate name: when the subjecAltName extension is present, the expected name was compared to any name in that extension regardless of its type. This means that an attacker could for example impersonate a 4-bytes or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 (this would require the attacker to control that IP address, though). Similar attacks using other subjectAltName name types might be possible. * When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, certificates were never considered as revoked. On builds with MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for example, an untrusted OS attacking a secure enclave) could prevent revocation of certificates via CRLs. Fixed by no longer checking the revocationDate field, in accordance with RFC 5280. Reported by yuemonangong in #3340. Reported independently and fixed by Raoul Strackx and Jethro * In (D)TLS record decryption, when using a CBC ciphersuites without the Encrypt-then-Mac extension, use constant code flow memory access patterns to extract and check the MAC. This is an improvement to the existing countermeasure against Lucky 13 attacks. The previous countermeasure was effective against network-based attackers, but less so against local attackers. The new countermeasure defends against local attackers, even if they have access to fine-grained measurements. In particular, this fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
buildservice-autocommit
accepted
request 832675
from
Martin Pluskal (pluskalm)
(revision 19)
auto commit by copy to link target
Martin Pluskal (pluskalm)
accepted
request 832637
from
Stefan Brüns (StefanBruens)
(revision 18)
- Add workaround for failing builds (Python not found) due to https://gitlab.kitware.com/cmake/cmake/-/issues/21168
buildservice-autocommit
accepted
request 830740
from
Martin Pluskal (pluskalm)
(revision 17)
auto commit by copy to link target
Martin Pluskal (pluskalm)
committed
(revision 16)
- Do not run testsuite in parallel - its not reliable
Martin Pluskal (pluskalm)
accepted
request 827276
from
Dirk Mueller (dirkmueller)
(revision 15)
- update to 2.23.0: a lot of changes see https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0 * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.
buildservice-autocommit
accepted
request 790837
from
Martin Pluskal (pluskalm)
(revision 14)
auto commit by copy to link target
Martin Pluskal (pluskalm)
committed
(revision 13)
- Update to version 2.16.5: * Security improvements and bugfixes
buildservice-autocommit
accepted
request 748322
from
Martin Pluskal (pluskalm)
(revision 12)
auto commit by copy to link target
Displaying revisions 21 - 40 of 51