pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/security/mbedtls



Module Name:    pkgsrc
Committed By:   nia
Date:           Thu Feb 20 15:27:31 UTC 2020

Modified Files:
        pkgsrc/security/mbedtls: Makefile PLIST distinfo

Log Message:
mbedtls: Update to 2.16.4

Security
   * Fix side channel vulnerability in ECDSA. Our bignum implementation is not
     constant time/constant trace, so side channel attacks can retrieve the
     blinded value, factor it (as it is smaller than RSA keys and not guaranteed
     to have only large prime factors), and then, by brute force, recover the
     key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
   * Zeroize local variables in mbedtls_internal_aes_encrypt() and
     mbedtls_internal_aes_decrypt() before exiting the function. The value of
     these variables can be used to recover the last round key. To follow best
     practice and to limit the impact of buffer overread vulnerabilities (like
     Heartbleed) we need to zeroize them before exiting the function.
     Issue reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
     Grant Hernandez, and Kevin Butler (University of Florida) and
     Dave Tian (Purdue University).
   * Fix side channel vulnerability in ECDSA key generation. Obtaining precise
     timings on the comparison in the key generation enabled the attacker to
     learn leading bits of the ephemeral key used during ECDSA signatures and to
     recover the private key. Reported by Jeremy Dubeuf.
   * Catch failure of AES functions in mbedtls_ctr_drbg_random(). Uncaught
     failures could happen with alternative implementations of AES. Bug
     reported and fix proposed by Johan Uppman Bruce and Christoffer Lauri,
     Sectra.

Bugfix
   * Remove redundant line for getting the bitlen of a bignum, since the variable
     holding the returned value is overwritten a line after.
     Found by irwir in #2377.
   * Support mbedtls_hmac_drbg_set_entropy_len() and
     mbedtls_ctr_drbg_set_entropy_len() before the DRBG is seeded. Before,
     the initial seeding always reset the entropy length to the compile-time
     default.

Changes
   * Add unit tests for AES-GCM when called through mbedtls_cipher_auth_xxx()
     from the cipher abstraction layer. Fixes #2198.
   * Clarify how the interface of the CTR_DRBG and HMAC modules relates to
     NIST SP 800-90A. In particular CTR_DRBG requires an explicit nonce
     to achieve a 256-bit strength if MBEDTLS_ENTROPY_FORCE_SHA256 is set.


To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 pkgsrc/security/mbedtls/Makefile
cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/mbedtls/PLIST
cvs rdiff -u -r1.6 -r1.7 pkgsrc/security/mbedtls/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/mbedtls/Makefile
diff -u pkgsrc/security/mbedtls/Makefile:1.10 pkgsrc/security/mbedtls/Makefile:1.11
--- pkgsrc/security/mbedtls/Makefile:1.10       Sat Jan 18 21:50:40 2020
+++ pkgsrc/security/mbedtls/Makefile    Thu Feb 20 15:27:31 2020
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.10 2020/01/18 21:50:40 jperkin Exp $
+# $NetBSD: Makefile,v 1.11 2020/02/20 15:27:31 nia Exp $
 
-DISTNAME=      mbedtls-2.16.3-apache
+DISTNAME=      mbedtls-2.16.4-apache
 PKGNAME=       ${DISTNAME:-apache=}
-PKGREVISION=   1
 CATEGORIES=    security devel
 MASTER_SITES=  https://tls.mbed.org/download/
 EXTRACT_SUFX=  .tgz

Index: pkgsrc/security/mbedtls/PLIST
diff -u pkgsrc/security/mbedtls/PLIST:1.4 pkgsrc/security/mbedtls/PLIST:1.5
--- pkgsrc/security/mbedtls/PLIST:1.4   Tue Oct  1 17:44:11 2019
+++ pkgsrc/security/mbedtls/PLIST       Thu Feb 20 15:27:31 2020
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2019/10/01 17:44:11 nia Exp $
+@comment $NetBSD: PLIST,v 1.5 2020/02/20 15:27:31 nia Exp $
 ${PLIST.tools}bin/aescrypt2
 ${PLIST.tools}bin/benchmark
 ${PLIST.tools}bin/cert_app
@@ -121,13 +121,13 @@ include/mbedtls/x509_csr.h
 include/mbedtls/xtea.h
 lib/libmbedcrypto.a
 lib/libmbedcrypto.so
-lib/libmbedcrypto.so.${PKGVERSION}
+lib/libmbedcrypto.so.2.16.3
 lib/libmbedcrypto.so.3
 lib/libmbedtls.a
 lib/libmbedtls.so
 lib/libmbedtls.so.12
-lib/libmbedtls.so.${PKGVERSION}
+lib/libmbedtls.so.2.16.3
 lib/libmbedx509.a
 lib/libmbedx509.so
 lib/libmbedx509.so.0
-lib/libmbedx509.so.${PKGVERSION}
+lib/libmbedx509.so.2.16.3

Index: pkgsrc/security/mbedtls/distinfo
diff -u pkgsrc/security/mbedtls/distinfo:1.6 pkgsrc/security/mbedtls/distinfo:1.7
--- pkgsrc/security/mbedtls/distinfo:1.6        Tue Oct  1 17:44:11 2019
+++ pkgsrc/security/mbedtls/distinfo    Thu Feb 20 15:27:31 2020
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.6 2019/10/01 17:44:11 nia Exp $
+$NetBSD: distinfo,v 1.7 2020/02/20 15:27:31 nia Exp $
 
-SHA1 (mbedtls-2.16.3-apache.tgz) = dce8550f8f9465f3aea44cb7d0f9d0ba8140034a
-RMD160 (mbedtls-2.16.3-apache.tgz) = 611635dce5ac99372272dd5c6edcb64d886f6e3b
-SHA512 (mbedtls-2.16.3-apache.tgz) = 62b984d04570334e740ff8b857b4dad73804a4d0aec22b224cb813eb8a6a4b2ec9bff3126c198552e030da94201fd98ed764e8b9f53056e2f94a51dfdbb47cdd
-Size (mbedtls-2.16.3-apache.tgz) = 2553709 bytes
+SHA1 (mbedtls-2.16.4-apache.tgz) = e446cbac7d24fc3ff1b1c4ee7c021694ede86db6
+RMD160 (mbedtls-2.16.4-apache.tgz) = 1b3f927dc2ff886bca1877beb4808a35a7414e8a
+SHA512 (mbedtls-2.16.4-apache.tgz) = 7b72a83c941bcb2b6b7710e00e68e390ee3c856eff957ff1608fe9d59c4d40b36f536283a83d3a1c4fe53dc268e877a56360f3654d226f967a881287df3dcbe7
+Size (mbedtls-2.16.4-apache.tgz) = 2692484 bytes
 SHA1 (patch-library_net__sockets.c) = cd8f9cf84947800eb73d004847789626511ceb35



Home | Main Index | Thread Index | Old Index