git: 9819baefd0e5 - main - security/wolfssl: Update to v5.3.0

From: Santhosh Raju <fox_at_FreeBSD.org>
Date: Sat, 07 May 2022 11:43:55 UTC
The branch main has been updated by fox:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9819baefd0e561dd26087196faf9e477115f57b5

commit 9819baefd0e561dd26087196faf9e477115f57b5
Author:     Santhosh Raju <fox@FreeBSD.org>
AuthorDate: 2022-05-07 11:37:34 +0000
Commit:     Santhosh Raju <fox@FreeBSD.org>
CommitDate: 2022-05-07 11:43:03 +0000

    security/wolfssl: Update to v5.3.0
    
    Changes since v5.2.0:
    
    Release 5.3.0 of wolfSSL embedded TLS has bug fixes and new features including:
    
    New Feature Additions
    Ports
    
      * Updated support for Stunnel to version 5.61
      * Add i.MX8 NXP SECO use for secure private ECC keys and expand
        cryptodev-linux for use with the RSA/Curve25519 with the Linux CAAM driver
      * Allow encrypt then mac with Apache port
      * Update Renesas TSIP version to 1.15 on GR-ROSE and certificate signature
        data for TSIP / SCE example
      * Add IAR MSP430 example, located in IDE/IAR-MSP430 directory
      * Add support for FFMPEG with the enable option --enable-ffmpeg, FFMPEG is
        used for recording and converting video and audio (https://ffmpeg.org/)
      * Update the bind port to version 9.18.0
    
    Post Quantum
    
      * Add Post-quantum KEM benchmark for STM32
      * Enable support for using post quantum algorithms with embedded STM32 boards
        and port to STM32U585
    
    Compatibility Layer Additions
    
      * Add port to support libspdm
        (https://github.com/DMTF/libspdm/blob/main/README.md), compatibility
        functions added for the port were:
          - ASN1_TIME_compare
          - DH_new_by_nid
          - OBJ_length, OBJ_get0_data,
          - EVP layer ChaCha20-Poly1305, HKDF
          - EC_POINT_get_affine_coordinates
          - EC_POINT_set_affine_coordinates
      * Additional functions added were:
          - EC_KEY_print_fp
          - EVP_PKEY_paramgen
          - EVP_PKEY_sign/verify functionality
          - PEM_write_RSAPublicKey
          - PEM_write_EC_PUBKEY
          - PKCS7_sign
          - PKCS7_final
          - SMIME_write_PKCS7
          - EC_KEY/DH_up_ref
          - EVP_DecodeBlock
          - EVP_EncodeBlock
          - EC_KEY_get_conv_form
          - BIO_eof
          - Add support for BIO_CTRL_SET and BIO_CTRL_GET
      * Add compile time support for the type SSL_R_NULL_SSL_METHOD_PASSED
      * Enhanced X509_NAME_print_ex() to support RFC5523 basic escape
      * More checks on OPENSSL_VERSION_NUMBER for API prototype differences
      * Add extended key usage support to wolfSSL_X509_set_ext
      * SSL_VERIFY_FAIL_IF_NO_PEER_CERT now can also connect with compatibility
        layer enabled and a TLS 1.3 PSK connection is used
      * Improve wolfSSL_BN_rand to handle non byte boundaries and top/bottom
        parameters
      * Changed X509_V_ERR codes to better match OpenSSL values used
      * Improve wolfSSL_i2d_X509_name to allow for a NULL input in order to get the
        expected resulting size
      * Enhance the smallstack build to reduce stack size further when built with
        compatibility layer enabled
    
    Misc.
    
      * Sniffer asynchronous support addition, handling of DH shared secret and
        tested with Intel QuickAssist
      * Added in support for OCSP with IPv6
      * Enhance SP (single precision) optimizations for use with the ECC P521
      * Add new public API wc_CheckCertSigPubKey() for use to easily check the
        signature of a certificate given a public key buffer
      * Add CSR (Certificate Signing Request) userId support in subject name
      * Injection and parsing of custom extensions in X.509 certificates
      * Add WOLF_CRYPTO_CB_ONLY_RSA and WOLF_CRYPTO_CB_ONLY_ECC to reduce code size
        if using only crypto callback functions with RSA and ECC
      * Created new --enable-engine configure flag used to build wolfSSL for use with
        wolfEngine
      * With TLS 1.3 PSK, when WOLFSSL_PSK_MULTI_ID_PER_CS is defined multiple IDs
        for a cipher suite can be handled
      * Added private key id/label support with improving the PK (Public Key)
        callbacks
      * Support for Intel QuickAssist ECC KeyGen acceleration
      * Add the function wolfSSL_CTX_SetCertCbCtx to set user context for certificate
        call back
      * Add the functions wolfSSL_CTX_SetEccSignCtx(WOLFSSL_CTX* ctx, void userCtx)
        and wolfSSL_CTX_GetEccSignCtx(WOLFSSL_CTX ctx) for setting and getting a user
        context
      * wolfRand for AMD --enable-amdrand
    
    Fixes
    PORT Fixes
    
      * KCAPI memory optimizations and page alignment fixes for ECC, AES mode fixes
        and reduction to memory usage
      * Add the new kdf.c file to the TI-RTOS build
      * Fix wait-until-done in RSA hardware primitive acceleration of ESP-IDF port
      * IOTSafe workarounds when reading files with ending 0’s and for ECC
        signatures
    
    Math Library Fixes
    
      * Sanity check with SP math that ECC points ordinates are not greater than
        modulus length
      * Additional sanity checks that _sp_add_d does not error due to overflow
      * Wycheproof fixes, testing integration, and fixes for AVX / AArch64 ASM edge
        case tests
      * TFM fp_div_2_ct rework to avoid potential overflow
    
    Misc.
    
      * Fix for PKCS#7 with Crypto Callbacks
      * Fix for larger curve sizes with deterministic ECC sign
      * Fixes for building wolfSSL alongside openssl using --enable-opensslcoexist
      * Fix for compatibility layer handling of certificates with SHA256 SKID (Subject Key ID)
      * Fix for wolfSSL_ASN1_TIME_diff erroring out on a return value of 0 from mktime
      * Remove extra padding when AES-CBC encrypted with PemToDer
      * Fixes for TLS v1.3 early data with async.
      * Fixes for async disables around the DevCopy calls
      * Fixes for Windows AES-NI with clang compiler
      * Fix for handling the detection of processing a plaintext TLS alert packet
      * Fix for potential memory leak in an error case with TLSX supported groups
      * Sanity check on input size in DecodeNsCertType
      * AES-GCM stack alignment fixes with assembly code written for AVX/AVX2
      * Fix for PK callbacks with server side and setting a public key
    
    Improvements/Optimizations
    Build Options and Warnings
    
      * Added example user settings template for FIPS v5 ready
      * Automake file touch cleanup for use with Yocto devtool
      * Allow disabling forced 'make clean' at the end of ./configure by using
        --disable-makeclean
      * Enable TLS 1.3 early data when specifying --enable-all option
      * Disable PK Callbacks with JNI FIPS builds
      * Add a FIPS cert 3389 ready option, this is the fips-ready build
      * Support (no)inline with Wind River Diab compiler
      * ECDH_compute_key allow setting of globalRNG with FIPS 140-3
      * Add logic equivalent to configure.ac in settings.h for Poly1305
      * Fixes to support building opensslextra with SP math
      * CPP protection for extern references to x86_64 asm code
      * Updates and enhancements for Espressif ESP-IDF wolfSSL setup_win.bat
      * Documentation improvements with auto generation
      * Fix reproducible-build for working an updated version of libtool, version
        2.4.7
      * Fixes for Diab C89 and armclang
      * Fix mcapi_test.c to include the settings.h before crypto.h
      * Update and handle builds with NO_WOLFSSL_SERVER and NO_WOLFSSL_CLIENT
      * Fix for some macro defines with FIPS 140-3 build so that
        RSA_PKCS1_PSS_PADDING can be used with RSA sign/verify functions
    
    Math Libraries
    
      * Add RSA/DH check for even modulus
      * Enhance TFM math to handle more alloc failure cases gracefully
      * SP ASM performance improvements mostly around AArch64
      * SP ASM improvements for additional cache attack resistance
      * Add RSA check for small difference between p and q
      * 6-8% performance increase with ECC operations using SP int by improving the
        Montgomery Reduction
    
    Testing and Validation
    
      * All shell scripts in source tree now tested for correctness using shellcheck
        and bash -n
      * Added build testing under gcc-12 and -std=c++17 and fixed warnings
      * TLS 1.3 script test improvement to wait for server to write file
      * Unit tests for ECC r/s zeroness handling
      * CI server was expanded with a very “quiet” machine that can support multiple
        ConstantTime tests ensuring ongoing mitigation against side-channel timing
        based attacks. Algorithms being assessed on this machine are: AES-CBC,
        AES-GCM, CHACHA20, ECC, POLY1305, RSA, SHA256, SHA512, CURVE25519.
      * Added new multi configuration windows builds to CI testing for greater
        testing coverage of windows use-cases
    
    Misc.
    
      * Support for ECC import to check validity of key on import even if one of the
        coordinates (x or y) is 0
      * Modify example app to work with FreeRTOS+IoT
      * Ease of access for cert used for verifying a PKCS#7 bundle
      * Clean up Visual Studio output and intermediate directories
      * With TLS 1.3 fail immediately if a server sends empty certificate message
      * Enhance the benchmark application to support multi-threaded testing
      * Improvement for wc_EccPublicKeyToDer to not overestimate the buffer size
        required
      * Fix to check if wc_EccPublicKeyToDer has enough output buffer space
      * Fix year 2038 problem in wolfSSL_ASN1_TIME_diff
      * Various portability improvements (Time, DTLS epoch size, IV alloc)
      * Prefer status_request_v2 over status_request when both are present
      * Add separate "struct stat" definition XSTATSTRUCT to make overriding XSTAT
        easier for portability
      * With SipHash replace gcc specific ASM instruction with generic
      * Don't force a ECC CA when a custom CA is passed with -A
      * Add peer authentication failsafe for TLS 1.2 and below
      * Improve parsing of UID from subject and issuer name with the compatibility
        layer by
      * Fallback to full TLS handshake if session ticket fails
      * Internal refactoring of code to reduce ssl.c file size
---
 security/wolfssl/Makefile  | 2 +-
 security/wolfssl/distinfo  | 6 +++---
 security/wolfssl/pkg-plist | 5 +++--
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/security/wolfssl/Makefile b/security/wolfssl/Makefile
index b1bb04d718d7..2a1817c6e4ce 100644
--- a/security/wolfssl/Makefile
+++ b/security/wolfssl/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	wolfssl
-PORTVERSION=	5.2.0
+PORTVERSION=	5.3.0
 CATEGORIES=	security devel
 MASTER_SITES=	https://www.wolfssl.com/ \
 		LOCAL/fox
diff --git a/security/wolfssl/distinfo b/security/wolfssl/distinfo
index 34ea038e9009..73df68f56362 100644
--- a/security/wolfssl/distinfo
+++ b/security/wolfssl/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1645857440
-SHA256 (wolfssl-5.2.0.zip) = 1042c798f53294d46f0df43ee673191da94fc71d2f94e05e7e4daad5e108edd5
-SIZE (wolfssl-5.2.0.zip) = 15470250
+TIMESTAMP = 1651916876
+SHA256 (wolfssl-5.3.0.zip) = 60d9d47b255f05da0c90538b30cd6b43bcbc8a29f057ed41d4dd14aee4dde8bd
+SIZE (wolfssl-5.3.0.zip) = 22125813
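Review bot: The distfile grows from 15470250 to 22125813 bytes (roughly 43%) between 5.2.0 and 5.3.0; since MASTER_SITES lists both the upstream site and LOCAL/fox, please confirm the new SHA256 was computed on a zip fetched from https://www.wolfssl.com/ and that the same file was uploaded to the LOCAL mirror, so the two sources cannot drift apart.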
diff --git a/security/wolfssl/pkg-plist b/security/wolfssl/pkg-plist
index 7de4d0428dce..459b2ee20643 100644
--- a/security/wolfssl/pkg-plist
+++ b/security/wolfssl/pkg-plist
@@ -122,6 +122,7 @@ include/wolfssl/openssl/err.h
 include/wolfssl/openssl/evp.h
 include/wolfssl/openssl/fips_rand.h
 include/wolfssl/openssl/hmac.h
+include/wolfssl/openssl/kdf.h
 include/wolfssl/openssl/lhash.h
 include/wolfssl/openssl/md4.h
 include/wolfssl/openssl/md5.h
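Review bot: The new include/wolfssl/openssl/kdf.h lives in the OpenSSL compatibility header directory (it matches the HKDF compatibility functions listed in the release notes), so it is worth checking that it is installed under the port's default option set and not only when the compatibility layer is enabled; otherwise the unconditional pkg-plist entry will fail the plist check for other option combinations.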
@@ -228,8 +229,8 @@ include/wolfssl/wolfcrypt/wolfmath.h
 include/wolfssl/wolfio.h
 lib/libwolfssl.a
 lib/libwolfssl.so
-lib/libwolfssl.so.32
-lib/libwolfssl.so.32.0.0
+lib/libwolfssl.so.33
+lib/libwolfssl.so.33.0.0
 libdata/pkgconfig/wolfssl.pc
 %%PORTDOCS%%%%DOCSDIR%%/README.txt
 %%PORTDOCS%%%%DOCSDIR%%/example/client.c
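Review bot: The shared library version moves from libwolfssl.so.32 to libwolfssl.so.33, which is an ABI change for every consumer linked against the old soname; dependent ports should get a PORTREVISION bump in the same or a follow-up commit so they are rebuilt, and the commit message should mention the soname bump rather than only the upstream release notes.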