Open Source embedded SSL/TLS cryptographic library
Open Source embedded SSL/TLS cryptographic library
- Developed at security:tls
- Sources inherited from project openSUSE:Factory
-
3
derived packages
- Download package
-
Checkout Package
osc -A https://api.opensuse.org checkout openSUSE:42:Factory-Candidates-Check/mbedtls && cd $_ - Create Badge
Refresh
Refresh
Source Files
| Filename | Size | Changed |
|---|---|---|
| baselibs.conf | 0000000042 42 Bytes | |
| mbedtls-2.8.0-apache.tgz | 0002136782 2.04 MB | |
| mbedtls.changes | 0000037450 36.6 KB | |
| mbedtls.spec | 0000004672 4.56 KB |
Revision 16 (latest revision is 45)
Dominique Leuenberger (dimstar_suse)
accepted
request 593915
from
Martin Pluskal (pluskalm)
(revision 16)
- Update to version 2.8.0:
* Security:
+ Defend against Bellcore glitch attacks by verifying the results of RSA private key operations.
+ Fix implementation of the truncated HMAC extension. The previous implementation allowed an offline 2^80 brute force attack on the HMAC key of a single, uninterrupted connection (with no resumption of the session).
+ Reject CRLs containing unsupported critical extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
+ Fix a buffer overread in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
+ Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a crash on invalid input.
* Features:
+ Enable reading encrypted PEM files produced by software that uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli, OpenVPN Inc. Fixes #1339
+ Support public keys encoded in PKCS#1 format. #1122
* New deprecations:
+ Compression and crypto don't mix. We don't recommend using compression and cryptography, and have deprecated support for record compression (configuration option MBEDTLS_ZLIB_SUPPORT).
* Bugfix:
+ Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct. In the context of SSL, this resulted in handshake failure. Reported by daniel in the Mbed TLS forum. #1351
+ Fix setting version TLSv1 as minimal version, even if TLS 1 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION and MBEDTLS_SSL_MIN_MINOR_VERSION instead of MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
+ Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE only if __MINGW32__ is not defined. Fix suggested by Thomas Glanzmann and Nick Wilson on issue #355
+ Fix memory allocation corner cases in memory_buffer_alloc.c module. Found by Guido Vranken. #639
+ Don't accept an invalid tag when parsing X.509 subject alternative names in some circumstances.
+ Fix a possible arithmetic overflow in ssl_parse_server_key_exchange() that could cause a key exchange to fail on valid data.
+ Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that could cause a key exchange to fail on valid data.
+ Fix a 1-byte heap buffer overflow (read-only) during private key parsing. Found through fuzz testing.
* Changes
+ Fix tag lengths and value ranges in the documentation of CCM encryption. Contributed by Mathieu Briand.
+ Fix a typo in a comment in ctr_drbg.c. Contributed by Paul Sokolovsky.
+ Remove support for the library reference configuration for picocoin.
+ MD functions deprecated in 2.7.0 are no longer inline, to provide a migration path for those depending on the library's ABI.
+ Use (void) when defining functions with no parameters. Contributed by Joris Aerts. #678
Comments 0