Hello community,

here is the log from the commit of package mbedtls for openSUSE:Factory checked 
in at 2018-07-13 10:19:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mbedtls (Old)
 and      /work/SRC/openSUSE:Factory/.mbedtls.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mbedtls"

Fri Jul 13 10:19:30 2018 rev:17 rq:621852 version:2.11.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/mbedtls/mbedtls.changes  2018-04-07 
20:53:20.246468241 +0200
+++ /work/SRC/openSUSE:Factory/.mbedtls.new/mbedtls.changes     2018-07-13 
10:20:52.130420833 +0200
@@ -1,0 +2,47 @@
+Mon Jul  9 13:21:03 UTC 2018 - [email protected]
+
+- Update to version 2.11.0:
+  * Features
+    + Added support for the XTS block cipher mode with AES (AES-XTS). 
Contributed by Aorimn in pull request #414.
+    + Implemented the HMAC-based extract-and-expand key derivation function 
(HKDF) per RFC 5869. Contributed by Thomas Fossati.
+    + For TLS servers, added support for offloading private key operations to 
an external cryptoprocessor. Private key operations can be asynchronous to 
allow non-blocking operation of the TLS server stack.
+    + Added support for ARIA cipher (RFC 5794) and associated TLS ciphersuites 
(RFC 6209). ARIA is disabled by default. To enable, see MBEDTLS_ARIA_C in 
config.h.
+    + Added support for the CCM* block cipher mode as defined in IEEE Std 
802.15.4.
+    + Added an additional block mode, OFB (Output Feedback) per NIST SP 
800-38a, to the AES module and cipher abstraction module.
+  * API Changes
+    + Mbed TLS 2.11.0 maintains source code compatibility with the last minor 
version, Mbed TLS 2.9.0, but extends the interface with additional 
capabilities. Mbed TLS 2.11.0 modifies the ABI and increases the SOVERSION.
+  * Bugfix
+    + Fixed the cert_write example to handle certificates signed with elliptic 
curves as well as RSA. Fixes #777 found by dbedev.
+    + Fixed the redefinition of _WIN32_WINNT, to avoid overriding a definition 
used by user applications. Found and fixed by Fabio Alessandrelli.
+    + Fixed compilation warnings with the IAR toolchain on 32-bit platforms. 
Reported by rahmanih in #683.
+    + Fixed an issue with MicroBlaze support in bn_mul.h which was causing the 
build to fail. Found by zv-io. Fixes #1651.
+    + Fixed braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden 
in #552.
+    + Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to 
configure the maximum length of a file path that can be buffered when calling 
mbedtls_x509_crt_parse_path(). Fixes #492.
+    + Fixed redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by 
TrinityTonic in #1359.
+- Changes for version 2.9.0:
+  + Security
+    + Fixed an issue in the X.509 module which could lead to a buffer overread 
during certificate validation. Additionally, the issue could also lead to 
unnecessary callback checks being made or to some validation checks to be 
omitted. The overread could be triggered remotely, while the other issues would 
require a non DER-compliant certificate to be correctly signed by a trusted CA, 
or a trusted CA with a non DER-compliant certificate. Found by luocm. Fixes 
#825.
+    + Fixed the buffer length assertion in the ssl_parse_certificate_request() 
function which could lead to an arbitrary overread of the message buffer. The 
overreads could be caused by receiving a malformed algorithms section which was 
too short. In builds with debug output, this overread data was output with the 
debug data.
+    + Fixed a client-side bug in the validation of the server's ciphersuite 
choice which could potentially lead to the client accepting a ciphersuite it 
didn't offer or a ciphersuite that could not be used with the TLS or DTLS 
version chosen by the server. This could lead to corruption of internal data 
structures for some configurations.
+  * Features
+    + Added an option of MBEDTLS_AES_FEWER_TABLES, to dynamically compute 
smaller AES tables during runtime, thereby reducing the RAM/ROM footprint by 
~6KiB. Suggested and contributed by jkivilin.
+    + Added initial support for Curve448 (RFC 7748). So far only 
mbedtls_ecp_mul() and ECDH primitive functions (mbedtls_ecdh_gen_public(), 
mbedtls_ecdh_compute_shared()) are supported for now. Contributed by Nicholas 
Wilson.
+  * API Changes
+    + Mbed TLS 2.9.0 maintains source code and binary compatibility with the 
last minor version, Mbed TLS 2.8.0, but extends the interface with additional 
capabilities.
+    + Extended the API with the function of mbedtls_net_poll() to allow user 
applications to wait for a network context to become ready before reading or 
writing.
+    + Added the function mbedtls_ssl_check_pending() to the public API to 
allow a check for whether more more data is pending to be processed in the 
internal message buffers. This function is necessary to determine the 
underlying transport when event-driven IO is used.
+  * Bugfix
+    + Fixed a spurious uninitialized variable warning in cmac.c. Fix 
independently contributed by Brian J Murray and David Brown.
+    + Added missing dependencies in test suites that led to build failures in 
configurations that omit certain hashes or public-key algorithms. Fixes #1040.
+    + Fixed a C89 incompatibility issue in benchmark.c. Contributed by Brendan 
Shanks. Fixes #1353.
+    + Added missing dependencies for MBEDTLS_HAVE_TIME_DATE and 
MBEDTLS_VERSION_FEATURES in some test suites. Contributed by Deomid Ryabkov. 
Fixes #1299, #1475.
+    + Fixed the Makefile build process for building shared libraries on Mac OS 
X. Fixed by mnacamura.
+    + Fixed parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS 
was unable to parse keys which had only the optional parameters field of the 
ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
+    + Added an optimisation to return the plaintext data more quickly on 
unpadded CBC decryption, as stated in the mbedtls_cipher_update() 
documentation. Contributed by Andy Leiserson.
+    + Fixed the overriding and ignoring of return values when parsing and 
writing to a file in the pk_sign program. Found by kevlut in #1142.
+    + Added restrictions to the usage of the error code 
MBEDTLS_ERR_SSL_WANT_READ to situations where data needs to be fetched from the 
underlying transport in order to make progress. Previously, this error code was 
also occasionally returned when unexpected messages were being discarded, 
ignoring that further messages could potentially already be pending to be 
processed in the internal buffers; these cases led to deadlocks when 
event-driven I/O was used. Found and reported by Hubert Mis in #772.
+    + Fixed buffer length assertions in the ssl_parse_certificate_request() 
function which led to a potential one byte overread of the message buffer.
+    + Fixed invalid buffer sizes being passed to zlib during record 
compression and decompression.
+    + Raised the soversion of libmbedcrypto to match the soversion of the 
maintained 2.7 branch. The soversion was increased in Mbed TLS version 2.7.1 to 
reflect breaking changes in that release, but the increment was missed in 2.8.0 
and later releases outside of the 2.7 branch.
+
+-------------------------------------------------------------------
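
Review bot: The three items under "Security" in the 2.9.0 block (the remotely triggerable X.509 overread, the ssl_parse_certificate_request() overread, and the client-side ciphersuite validation bug) carry no CVE or distribution bug reference apart from upstream #825, and they sit below the 2.11.0 feature list where they are easy to miss. If identifiers exist for these fixes, add them to the entry so the update can be tracked as a security update. Also, "+ Security" uses a "+" bullet where the sibling headings "* Features", "* API Changes" and "* Bugfix" use "*".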

Old:
----
  mbedtls-2.8.0-apache.tgz

New:
----
  mbedtls-2.11.0-apache.tgz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mbedtls.spec ++++++
--- /var/tmp/diff_new_pack.RFycfY/_old  2018-07-13 10:20:53.030421909 +0200
+++ /var/tmp/diff_new_pack.RFycfY/_new  2018-07-13 10:20:53.030421909 +0200
@@ -16,11 +16,11 @@
 #
 
 
-%define lib_tls    libmbedtls10
-%define lib_crypto libmbedcrypto1
+%define lib_tls    libmbedtls11
+%define lib_crypto libmbedcrypto3
 %define lib_x509   libmbedx509-0
 Name:           mbedtls
-Version:        2.8.0
+Version:        2.11.0
 Release:        0
 Summary:        Libraries for crypto and SSL/TLS protocols
 License:        Apache-2.0
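
Review bot: lib_x509 stays at libmbedx509-0 while lib_tls goes from libmbedtls10 to libmbedtls11 and lib_crypto from libmbedcrypto1 to libmbedcrypto3. The changelog says 2.11.0 modifies the ABI and increases the SOVERSION, so please confirm that the X.509 library's soname in the 2.11.0 tarball is unchanged; if it moved, the %define and the subpackage name need the same bump.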

++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.RFycfY/_old  2018-07-13 10:20:53.046421928 +0200
+++ /var/tmp/diff_new_pack.RFycfY/_new  2018-07-13 10:20:53.046421928 +0200
@@ -1,3 +1,3 @@
-libmbedtls10
+libmbedtls11
 libmbedx509-0
-libmbedcrypto1
+libmbedcrypto3
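
Review bot: libmbedcrypto1 becomes libmbedcrypto3 with no libmbedcrypto2 in between, and nothing in this file says why. The .changes entry does explain it (the soversion was raised to match the 2.7 branch after the increment was missed in 2.8.0), so the jump looks intentional. These names duplicate the lib_tls and lib_crypto macros in mbedtls.spec by hand; they agree in this revision, and both files have to be updated together on the next soname change.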

++++++ mbedtls-2.8.0-apache.tgz -> mbedtls-2.11.0-apache.tgz ++++++
++++ 31442 lines of diff (skipped)

