Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

libmbedtls14-2.28.2-1.1 RPM for ppc64le

From OpenSuSE Ports Tumbleweed for ppc64le

Name: libmbedtls14 Distribution: openSUSE Tumbleweed
Version: 2.28.2 Vendor: openSUSE
Release: 1.1 Build date: Fri Dec 23 02:44:52 2022
Group: System/Libraries Build host: obs-power8-02
Size: 275554 Source RPM: mbedtls-2.28.2-1.1.src.rpm
Summary: Transport Layer Security protocol suite
mbedtls implements the SSL 3.0, TLS 1.0, 1.1 and 1.2 protocols. It
supports a number of extensions such as SSL Session Tickets (RFC
5077), Server Name Indication (SNI) (RFC 6066), Truncated HMAC (RFC
6066), Max Fragment Length (RFC 6066), Secure Renegotiation (RFC
5746) and Application Layer Protocol Negotiation (ALPN). It
understands the RSA, (EC)DH(E)-RSA, (EC)DH(E)-PSK and RSA-PSK key






* Wed Dec 21 2022 Alexander Bergmann <>
  - Update to 2.28.2: (bsc#1206576, CVE-2022-46393)
    * Fix potential heap buffer overread and overwrite in DTLS if
    * An adversary with access to precise enough information about memory
      accesses (typically, an untrusted operating system attacking a secure
      enclave) could recover an RSA private key after observing the victim
      performing a single private-key operation if the window size used for the
      exponentiation was 3 or smaller. Found and reported by Zili KOU,
      Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks
      and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation
      and Test in Europe 2023.
    * Fix a long-standing build failure when building x86 PIC code with old
      gcc (4.x). The code will be slower, but will compile. We do however
      recommend upgrading to a more recent compiler instead. Fixes #1910.
    * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined.
      Contributed by Kazuyuki Kimura to fix #2020.
    * Use double quotes to include private header file psa_crypto_cipher.h.
      Fixes 'file not found with include' error when building with Xcode.
    * Fix handling of broken symlinks when loading certificates using
      mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a
      broken link is encountered, skip the broken link and continue parsing
      other certificate files. Contributed by Eduardo Silva in #2602.
    * Fix a compilation error when using CMake with an IAR toolchain.
      Fixes #5964.
    * Fix bugs and missing dependencies when building and testing
      configurations with only one encryption type enabled in TLS 1.2.
    * Provide the missing definition of mbedtls_setbuf() in some configurations
      with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196.
    * Fix compilation errors when trying to build with
      PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
    * Fix memory leak in ssl_parse_certificate_request() caused by
      mbedtls_x509_get_name() not freeing allocated objects in case of error.
      Change mbedtls_x509_get_name() to clean up allocated objects on error.
    * Fix checks on PK in check_config.h for builds with PSA and RSA. This does
      not change which builds actually work, only moving a link-time error to
      an early check.
    * Fix ECDSA verification, where it was not always validating the
      public key. This bug meant that it was possible to verify a
      signature with an invalid public key, in some cases. Reported by
      Guido Vranken using Cryptofuzz in #4420.
    * Fix a possible null pointer dereference if a memory allocation fails
      in TLS PRF code. Reported by Michael Madsen in #6516.
    * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable
      bytes when parsing certificates containing a binary RFC 4108
      HardwareModuleName as a Subject Alternative Name extension. Hardware
      serial numbers are now rendered in hex format. Fixes #6262.
    * Fix bug in error reporting in dh_genprime.c where upon failure,
      the error code returned by mbedtls_mpi_write_file() is overwritten
      and therefore not printed.
    * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)
      with A > 0 created an unintended representation of the value 0 which was
      not processed correctly by some bignum operations. Fix this. This had no
      consequence on cryptography code, but might affect applications that call
      bignum directly and use negative numbers.
    * Fix undefined behavior (typically harmless in practice) of
      mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int()
      when both operands are 0 and the left operand is represented with 0 limbs.
    * Fix undefined behavior (typically harmless in practice) when some bignum
      functions receive the most negative value of mbedtls_mpi_sint. Credit
      to OSS-Fuzz. Fixes #6597.
    * Fix undefined behavior (typically harmless in practice) in PSA ECB
      encryption and decryption.
* Fri Nov 04 2022 Mia Herkt <>
  - Update to 2.28.1: (CVE-2022-35409)
    Default behavior changes
    * mbedtls_cipher_set_iv will now fail with ChaCha20 and
      ChaCha20+Poly1305 for IV lengths other than 12. The library was
      silently overwriting this length with 12, but did not inform
      the caller about it.
    * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA
      crypto feature requirements in the file named by the new macro
      MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default
      psa/crypto_config.h. Furthermore you may name an additional
      file to include after the main file with the macro
    * Zeroize dynamically-allocated buffers used by the PSA Crypto
      key storage module before freeing them. These buffers contain
      secret key material, and could thus potentially leak the key
      through freed heap.
    * Fix a potential heap buffer overread in TLS 1.2 server-side
      when MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created
      with mbedtls_pk_setup_opaque()) is provisioned, and a static
      ECDH ciphersuite is selected. This may result in an application
      crash or potentially an information leak.
    * Fix a buffer overread in DTLS ClientHello parsing in servers
      An unauthenticated client or a man-in-the-middle could cause a
      DTLS server to read up to 255 bytes after the end of the SSL
      input buffer. The buffer overread only happens when
      MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that
      depends on the exact configuration: 258 bytes if using
      mbedtls_ssl_cookie_check(), and possibly up to 571 bytes with
      a custom cookie check function.
      Reported by the Cybeats PSI Team.
    * Fix a memory leak if mbedtls_ssl_config_defaults() is called
    * Fix several bugs (warnings, compiler and linker errors, test
      failures) in reduced configurations when MBEDTLS_USE_PSA_CRYPTO
      is enabled.
    * Fix a bug in (D)TLS curve negotiation: when
      MBEDTLS_USE_PSA_CRYPTO was enabled and an ECDHE-ECDSA or
      ECDHE-RSA key exchange was used, the client would fail to check
      that the curve selected by the server for ECDHE was indeed one
      that was offered. As a result, the client would accept any
      curve that it supported, even if that curve was not allowed
      according to its configuration.
    * Fix unit tests that used 0 as the file UID. This failed on some
      implementations of PSA ITS.
    * Fix API violation in mbedtls_md_process() test by adding a call
      to mbedtls_md_starts().
    * Fix compile errors when MBEDTLS_HAVE_TIME is not defined.
      Add tests to catch bad uses of time.h.
    * Fix bug in the alert sending function
      mbedtls_ssl_send_alert_message() potentially leading to
      corrupted alert messages being sent in case the function needs
      to be re-called after initially returning
    * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled
      but none of MBEDTLS_SSL_HW_RECORD_ACCEL,
      using CID would crash due to a null pointer dereference.
      Fix this.
    * Fix incorrect documentation of mbedtls_x509_crt_profile. The
      previous documentation stated that the allowed_pks field
      applies to signatures only, but in fact it does apply to the
      public key type of the end entity certificate, too.
    * Fix PSA cipher multipart operations using ARC4. Previously, an
      IV was required but discarded. Now, an IV is rejected, as it
      should be.
    * Fix undefined behavior in mbedtls_asn1_find_named_data(), where
      val is not NULL and val_len is zero. psa_raw_key_agreement()
      now returns PSA_ERROR_BUFFER_TOO_SMALL when applicable.
    * Fix a bug in the x25519 example program where the removal of
      MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run.
    * Encode X.509 dates before 1/1/2000 as UTCTime rather than
    * Fix order value of curve x448.
    * Fix string representation of DNs when outputting values
      containing commas and other special characters, conforming to
      RFC 1779.
    * Silence a warning from GCC 12 in the selftest program.
    * Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of
    * Fix resource leaks in mbedtls_pk_parse_public_key() in low
      memory conditions.
    * Fix server connection identifier setting for outgoing encrypted
      records on DTLS 1.2 session resumption. After DTLS 1.2 session
      resumption with connection identifier, the Mbed TLS client now
      properly sends the server connection identifier in encrypted
      record headers.
    * Fix a null pointer dereference when performing some operations
      on zero represented with 0 limbs (specifically
      mbedtls_mpi_mod_int() dividing by 2, and
      mbedtls_mpi_write_string() in base 2).
    * Fix record sizes larger than 16384 being sometimes accepted
      despite being non-compliant. This could not lead to a buffer
      overflow. In particular, application data size was already
      checked correctly.
* Mon Jan 17 2022 Guillaume GARDET <>
  - Fix baselib.conf
* Thu Jan 13 2022 Guillaume GARDET <>
  - Update to 2.28.0: (bsc#1193979, CVE-2021-45450)
    API changes
    * Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a
    different order. This only affects applications that define such
    structures directly or serialize them.
    Requirement changes
    * Sign-magnitude and one's complement representations for signed integers are
    not supported. Two's complement is the only supported representation.
    which allowed SHA-1 in the default TLS configuration for certificate
    signing. It was intended to facilitate the transition in environments
    with SHA-1 certificates. SHA-1 is considered a weak message digest and
    its use constitutes a security risk.
    * Remove the partial support for running unit tests via Greentea on Mbed OS,
    which had been unmaintained since 2018.
    * The identifier of the CID TLS extension can be configured by defining
    MBEDTLS_TLS_EXT_CID at compile time.
    * Warn if errors from certain functions are ignored. This is currently
    supported on GCC-like compilers and on MSVC and can be configured through
    the macro MBEDTLS_CHECK_RETURN. The warnings are always enabled
    (where supported) for critical functions where ignoring the return
    value is almost always a bug. Enable the new configuration option
    MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This
    is currently implemented in the AES, DES and md modules, and will be
    extended to other modules in the future.
    * Add missing PSA macros declared by PSA Crypto API 1.0.0:
    * Add new API mbedtls_ct_memcmp for constant time buffer comparison.
    * Add PSA API definition for ARIA.
    * Zeroize several intermediate variables used to calculate the expected
    value when verifying a MAC or AEAD tag. This hardens the library in
    case the value leaks through a memory disclosure vulnerability. For
    example, a memory disclosure vulnerability could have allowed a
    man-in-the-middle to inject fake ciphertext into a DTLS connection.
    * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back
    from the output buffer. This fixes a potential policy bypass or decryption
    oracle vulnerability if the output buffer is in memory that is shared with
    an untrusted application.
    * Fix a double-free that happened after mbedtls_ssl_set_session() or
    mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
    (out of memory). After that, calling mbedtls_ssl_session_free()
    and mbedtls_ssl_free() would cause an internal session buffer to
    be free()'d twice.
    * Stop using reserved identifiers as local variables. Fixes #4630.
    * The GNU makefiles invoke python3 in preference to python except on Windows.
    * The check was accidentally not performed when cross-compiling for Windows
    on Linux. Fix this. Fixes #4774.
    * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or
    PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
    * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
    * Don't use the obsolete header path sys/fcntl.h in unit tests.
    These header files cause compilation errors in musl.
    Fixes #4969.
    * Fix missing constraints on x86_64 and aarch64 assembly code
    for bignum multiplication that broke some bignum operations with
    (at least) Clang 12.
    Fixes #4116, #4786, #4917, #4962.
    * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
    * Failures of alternative implementations of AES or DES single-block
    This does not concern the implementation provided with Mbed TLS,
    where this function cannot fail, or full-module replacements with
    MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
    * Some failures of HMAC operations were ignored. These failures could only
    happen with an alternative implementation of the underlying hash module.
    * Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
    * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor
    * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length.
    This algorithm now accepts only the same salt length for verification
    that it produces when signing, as documented. Use the new algorithm
    PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
    * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved
    for algorithm values that fully encode the hashing step, as per the PSA
    Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and
    PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers
    all algorithms that can be used with psa_{sign,verify}_hash(), including
    these two.
    * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries
    not to list other shared libraries they need.
    * Fix a bug in mbedtls_gcm_starts() when the bit length of the iv
    exceeds 2^32. Fixes #4884.
    * Fix an uninitialized variable warning in test_suite_ssl.function with GCC
    version 11.
    * Fix the build when no SHA2 module is included. Fixes #4930.
    * Fix the build when only the bignum module is included. Fixes #4929.
    * Fix a potential invalid pointer dereference and infinite loop bugs in
    pkcs12 functions when the password is empty. Fix the documentation to
    better describe the inputs to these functions and their possible values.
    Fixes #5136.
    * The key usage flags PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC
    operations psa_mac_compute() and psa_mac_sign_setup().
    * The key usage flags PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC
    operations psa_mac_verify() and psa_mac_verify_setup().
    disabled by default.
    * Improve the performance of base64 constant-flow code. The result is still
    slower than the original non-constant-flow implementation, but much faster
    than the previous constant-flow implementation. Fixes #4814.
    * Indicate in the error returned if the nonce length used with
    ChaCha20-Poly1305 is invalid, and not just unsupported.
    * The mbedcrypto library includes a new source code module constant_time.c,
    containing various functions meant to resist timing side channel attacks.
    * This module does not have a separate configuration option, and functions
    from this module will be included in the build as required. Currently
    most of the interface of this module is private and may change at any
* Tue Jul 20 2021 Pedro Monreal <>
  - Update to 2.27.0:
    API changes:
    * Update AEAD output size macros to bring them in line with the PSA Crypto
      API version 1.0 spec. This version of the spec parameterizes them on the
      key type used, as well as the key bit-size in the case of
      The old versions of these macros were renamed and deprecated as follows:
    * Implement one-shot cipher functions, psa_cipher_encrypt and
      psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
    * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
      signature with a specific salt length. This function allows to validate
      test cases provided in the NIST's CAVP test suite.
    * Added support for built-in driver keys through the PSA opaque crypto
      driver interface. Refer to the documentation of
      MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
    * Implement psa_sign_message() and psa_verify_message().
    * The new function mbedtls_mpi_random() generates a random value in a
      given range uniformly.
    * Implement psa_mac_compute() and psa_mac_verify() as defined in the
      PSA Cryptograpy API 1.0.0 specification.
    * MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
      curves and no longer needs to be configured explicitly to save RAM.
    * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
      private keys and of blinding values for DHM and elliptic curves (ECP)
    * Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
      An adversary who is capable of very precise timing measurements could
      learn partial information about the leading bits of the nonce used for the
      signature, allowing the recovery of the private key after observing a
      large number of signature operations. This completes a partial fix in
      Mbed TLS 2.20.0.
    * It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
      too small, leading to buffer overflows in ECC operations. Fail the build
      in such a case.
    * An adversary with access to precise enough information about memory
      accesses (typically, an untrusted operating system attacking a secure
      enclave) could recover an RSA private key after observing the victim
      performing a single private-key operation.
    * An adversary with access to precise enough timing information (typically, a
      co-located process) could recover a Curve25519 or Curve448 static ECDH key
      after inputting a chosen public key and observing the victim performing the
      corresponding private-key operation.
    * Add printf function attributes to mbedtls_debug_print_msg to ensure we
      get printf format specifier warnings.
    * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
      lead to seed file corruption in the case where the path to the seed file is
    * PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
      rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
      in line with version 1.0.0 of the specification.
    * PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
      than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
      to create is not valid, bringing them in line with version 1.0.0 of the
    * Fix some cases in the bignum module where the library constructed an
      unintended representation of the value 0 which was not processed
      correctly by some bignum operations. This could happen when
      mbedtls_mpi_read_string() was called on "-0", or when
      mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
      the arguments being negative and the other being 0.
    * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
    * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
    * Fix an incorrect error code when parsing a PKCS#8 private key.
    * In a TLS client, enforce the Diffie-Hellman minimum parameter size
      set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
      minimum size was rounded down to the nearest multiple of 8.
    * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
      defined to specific values.  If the code is used in a context
      where these are already defined, this can result in a compilation
      error.  Instead, assume that if they are defined, the values will
      be adequate to build Mbed TLS.
    * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
      when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
      was disabled. Fix the dependency.
    * Do not offer SHA384 cipher suites when SHA-384 is disabled.
    * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
      nonetheless, resulting in undefined reference errors when building a
      shared library.
    * Fix test suite code on platforms where int32_t is not int, such as
      Arm Cortex-M.
    * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
      directive in a header and a missing initialization in the self-test.
    * Fix a missing initialization in the Camellia self-test, affecting
      MBEDTLS_CAMELLIA_ALT implementations.
    * Restore the ability to configure PSA via Mbed TLS options to support RSA
      key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
      is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
    * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
      (when the encrypt-then-MAC extension is not in use) with some ALT
      implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
      the affected side to wrongly reject valid messages.
    * Remove outdated check-config.h check that prevented implementing the
      timing module on Mbed OS.
    * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
      about missing inputs.
    * Fix a resource leak in a test suite with an alternative AES
    * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
      could notably be triggered by setting the TLS debug level to 3 or above
      and using a Montgomery curve for the key exchange.
    * psa_verify_hash() was relying on implementation-specific behavior of
      mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
      implementations. This reliance is now removed.
    * Disallow inputs of length different from the corresponding hash when
      signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
      that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
    * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
      A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
      could not be triggered by code that constructed A with one of the
      mbedtls_mpi_read_xxx functions (including in particular TLS code) since
      those always built an mpi object with at least one limb.
    * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
      effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
      applications that call mbedtls_mpi_gcd() directly.
    * The PSA API no longer allows the creation or destruction of keys with a
      read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
      can now only be used as intended, for keys that cannot be modified through
      normal use of the API.
    * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
      in all the right places. Include it from crypto_platform.h, which is
      the natural place.
    * mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
      restartable variants now always honor the specified hash length if
      nonzero. Before, for RSA, hash_len was ignored in favor of the length of
      the specified hash algorithm.
    * Fix which alert is sent in some cases to conform to the
      applicable RFC: on an invalid Finished message value, an
      invalid max_fragment_length extension, or an
      unsupported extension used by the server.
    * Correct (change from 12 to 13 bytes) the value of the macro describing the
      maximum nonce length returned by psa_aead_generate_nonce().
    * Add extra printf compiler warning flags to builds.
    * Fix memsan build false positive in x509_crt.c with Clang 11
    * Fix the setting of the read timeout in the DTLS sample programs.
    * Remove the AES sample application programs/aes/aescrypt2 which shows
      bad cryptographic practice.
    * Alternative implementations of CMAC may now opt to not support 3DES as a
      CMAC block cipher, and still pass the CMAC self test.
    * Remove configs/config-psa-crypto.h, which was identical to the default
      configuration except for having some extra cryptographic mechanisms
      enabled and for unintended differences. This configuration was primarily
      intended to demonstrate the PSA API, and lost most of its usefulness when
      MBEDTLS_PSA_CRYPTO_C became enabled by default.
    * When building the test suites with GNU make, invoke python3 or python, not
      python2, which is no longer supported upstream.
    * When using session cache based session resumption on the server,
      double-check that custom session cache implementations return
      sessions which are consistent with the negotiated ciphersuite
      and compression method.
    * Fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
      When that flag is on, standard GNU C printf format specifiers
      should be used.
    * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
      during ECC operations at a negligible performance cost.
    * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
      mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
      when their input has length 0. Note that this is an implementation detail
      and can change at any time, so this change should be transparent, but it
      may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
      now writing an empty string where it previously wrote one or more
      zero digits when operating from values constructed with an mpi_read
      function and some mpi operations.
    * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
      when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
      is also applied when loading a key from storage.
    * Remove mbedtls-4237.patch upstream
    * Library soname bump to libmbedcrypto7
* Thu Apr 15 2021 Martin Pluskal <>
  -  Workaround for building with gcc-11 boo#1181876
* Mon Mar 22 2021 Guillaume GARDET <>
  - Update to 2.26.0: [bsc#1189589, CVE-2021-24119]
    * * This release of Mbed TLS provides bug fixes, minor enhancements and new
    features. This release includes fixes for security issues.
    * see
  - Fix build with patch from
* Tue Jan 19 2021 Luigi Baldoni <>
  - Fix build for Leap targets
  - Use upstream tarball name
* Tue Dec 22 2020 Dirk Müller <>
  - update to 2.25.0:
    * This release of Mbed TLS provides bug fixes, minor enhancements and new
    features. This release includes fixes for security issues.
    * see
    * The functions mbedtls_cipher_auth_encrypt() and
    mbedtls_cipher_auth_decrypt() would write past the minimum documented size
    of the output buffer when used with NIST_KW. As a result, code using those
    functions as documented with NIST_KW could have a buffer overwrite of up to
    15 bytes, with consequences ranging up to arbitrary code execution
    depending on the location of the output buffer.
    * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
    MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating
    Diffie-Hellman key pairs. Credit to OSS-Fuzz.
    * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
    which is how most uses of randomization in asymmetric cryptography (including
    key generation, intermediate value randomization and blinding) are implemented.
    This could cause failures or the silent use of non-random values. A random
    generator can fail if it needs reseeding and cannot not obtain entropy, or due
    to an internal failure (which, for Mbed TLS's own CTR_DRBG or HMAC_DRBG, can
    only happen due to a misconfiguration).
    * Fix a compliance issue whereby we were not checking the tag on the algorithm
    parameters (only the size) when comparing the signature in the description part
    of the cert to the real signature. This meant that a NULL algorithm parameters
    entry would look identical to an array of REAL (size zero) to the library and
    thus the certificate would be considered valid. However, if the parameters do
    not match in any way then the certificate should be considered invalid, and
    indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks
    to guidovranken who found this issue via differential fuzzing and reported it
    in #3629.
    * Zeroising of local buffers and variables which are used for calculations in
    mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
    mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
    functions to erase sensitive data from memory. Reported by Johan Malmgren and
    Johan Uppman Bruce from Sectra.
* Wed Sep 09 2020 Dirk Mueller <>
  - update to 2.24.0:
    * see
    * Fix a vulnerability in the verification of X.509 certificates when matching
    the expected common name (the cn argument of mbedtls_x509_crt_verify())
    with the actual certificate name: when the subjecAltName extension is
    present, the expected name was compared to any name in that extension
    regardless of its type. This means that an attacker could for example
    impersonate a 4-bytes or 16-byte domain by getting a certificate for the
    corresponding IPv4 or IPv6 (this would require the attacker to control that
    IP address, though). Similar attacks using other subjectAltName name types
    might be possible.
    * When checking X.509 CRLs, a certificate was only considered as revoked if
    its revocationDate was in the past according to the local clock if
    available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
    certificates were never considered as revoked. On builds with
    MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
    example, an untrusted OS attacking a secure enclave) could prevent
    revocation of certificates via CRLs. Fixed by no longer checking the
    revocationDate field, in accordance with RFC 5280. Reported by yuemonangong
    in #3340. Reported independently and fixed by Raoul Strackx and Jethro
    * In (D)TLS record decryption, when using a CBC ciphersuites without the
    Encrypt-then-Mac extension, use constant code flow memory access patterns
    to extract and check the MAC. This is an improvement to the existing
    countermeasure against Lucky 13 attacks. The previous countermeasure was
    effective against network-based attackers, but less so against local
    attackers. The new countermeasure defends against local attackers, even if
    they have access to fine-grained measurements. In particular, this fixes a
    local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan
    Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of
    Florida) and Dave Tian (Purdue University).
    * Fix side channel in RSA private key operations and static (finite-field)
    Diffie-Hellman. An adversary with precise enough timing and memory access
    information (typically an untrusted operating system attacking a secure
    enclave) could bypass an existing counter-measure (base blinding) and
    potentially fully recover the private key.
    * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to
    OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing
    the problematic code.
    * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
    application data from memory.
* Mon Sep 07 2020 Stefan Brüns <>
  - Add workaround for failing builds (Python not found) due to
* Mon Aug 31 2020 Martin Pluskal <>
  - Do not run testsuite in parallel - its not reliable
* Mon Aug 17 2020 Dirk Mueller <>
  - update to 2.23.0:
    a lot of changes see
    * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
    * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
    * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.
* Thu Apr 02 2020 Martin Pluskal <>
  - Update to version 2.16.5:
    * Security improvements and bugfixes
* Wed Nov 13 2019 Martin Pluskal <>
  - Update to version 2.16.3:
    * Security improvements and bugfixes
* Tue Sep 03 2019 Martin Pluskal <>
  - Update to version 2.16.2:
    * Security improvements and bugfixes
  - Use ninja to for build
* Mon Jan 07 2019 Martin Pluskal <>
  - Update to version 2.16.0:
    * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it.
    API Changes
    * The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798. mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret() mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
    * Extend ECDH interface to enable alternative implementations.
    * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish. These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
    * Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be.
    New deprecations
    * Deprecate mbedtls_ctr_drbg_update() and mbedtls_hmac_drbg_update() in favor of functions that can return an error code.
    * Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482.
    * Fix runtime error in mbedtls_platform_entropy_poll() when run through qemu user emulation. Reported and fix suggested by randombit. Fixes #1212.
    * Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659.
    * Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170.
    * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
    * Fix double initialization of ECC hardware that made some accelerators hang.



Generated by rpm2html 1.8.1

Fabrice Bellet, Thu Mar 9 11:09:55 2023