From nobody Sat May 07 11:43:55 2022 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id F25591ABD5CE; Sat, 7 May 2022 11:43:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KwQZ35gyKz3CcP; Sat, 7 May 2022 11:43:55 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1651923835; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZOWoNBUjG6zzDqWjToO/Iuu3TASQufq/uaei71Fud7w=; b=K+2mjNbh/7Ey8fJMuZFl1rHbYSXrxlQVhXi3WLWYebIKztcGLYMtNSM44YHIvRAMIMiJav p4FBOk89SBnWbF7ZoY7szjZAfFU2Khu8xDbYcqK3w9FZBIr3dSnDuqqcSt3lnEgtbovvpG bunYD23OJ3HcofAsPV1Tn1h1lT/r4v5pJ3jfQSVYzruwjsb9Wm0ztNk/4k3/o9zW3SKiFu jlxH2DjnYDUT4dK5MQ25ZbtdqaMIEOyczpqyIYC8gZaO53I5YNwBtcUivlwrAb3sy8H+dl d9YfTrAjmzyM3fthwdmi+1JTz7XLZwIyk+tubOso5Jbe7uvTVboQr6UQPEOvrA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A14827F51; Sat, 7 May 2022 11:43:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 247BhtDq078121; Sat, 7 May 2022 11:43:55 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 247BhtV2078120; Sat, 7 May 2022 11:43:55 GMT (envelope-from git) Date: Sat, 7 May 2022 11:43:55 GMT Message-Id: <202205071143.247BhtV2078120@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Santhosh Raju Subject: git: 9819baefd0e5 - main - security/wolfssl: Update to v5.3.0 List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: fox X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 9819baefd0e561dd26087196faf9e477115f57b5 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1651923835; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=ZOWoNBUjG6zzDqWjToO/Iuu3TASQufq/uaei71Fud7w=; b=ph0xTZTGOHmz0pbfHdmOHp5s13hghffHIqq6cYSNebJnjTr95DXPl7OfJ61CNaQo+d+jNg PjKCTNQ2m9pR5xHC9XlsrbKJm71i4zZLlnxJKk0qqTa9fDuZpK/kBalWlIT4EzL2B7G4HO DlR8C1qYWmP/1PUel7+BLaq/Z8DaDdzbXTmO8PSOkMtokP0Y86fLpsCsinHP5nJWVV1oe2 Y6osVLmiHTRk9orWOcXIEsH0ltVdzMHO+FVvNxcXuVgAQhx23e7JRCdd5MSrq+uB114dXH lmsQCL9feIeHw4TTP56rlPNAfvdRBx05JN+us2tt6SvQDvNueP7rWUDBjVUjLA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1651923835; a=rsa-sha256; cv=none; b=dgADAaJOzg2bG18fn1YmiSHNK5uOXDI4zYIREuKJpCGr8D8J0mJSMwXp5Hw+uL0HNk9oJu w+Uh2myzzrardarrRr3fDT1wyCo8jJn/fochVFMKtoDw1IRflMn5+nEqXDNGt2Igsufh21 zs5ruk2rp7RohikdN1brun4KRVgvpHOCu/MkL/JYcJqaBbpu2vxMr5LMpg9WvIv4KRD/yb b0+785XIDkzLXwHdqIbt5BLja9luYSlG3muWmqLHdM80qGDnemjuCmN+QDudcef0THiS1/ r7zAdo3GKnRB/D1OOlDK/xmGcDabmOxe0aUXiSwPiDM2PrvOFyWZXte+vOD6IQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by fox: URL: https://cgit.FreeBSD.org/ports/commit/?id=9819baefd0e561dd26087196faf9e477115f57b5 commit 9819baefd0e561dd26087196faf9e477115f57b5 Author: Santhosh Raju AuthorDate: 2022-05-07 11:37:34 +0000 Commit: Santhosh Raju CommitDate: 2022-05-07 11:43:03 +0000 security/wolfssl: Update to v5.3.0 Changes since v5.2.0: Release 5.3.0 of wolfSSL embedded TLS has bug fixes and new features including: New Feature Additions Ports * Updated support for Stunnel to version 5.61 * Add i.MX8 NXP SECO use for secure private ECC keys and expand cryptodev-linux for use with the RSA/Curve25519 with the Linux CAAM driver * Allow encrypt then mac with Apache port * Update Renesas TSIP version to 1.15 on GR-ROSE and certificate signature data for TSIP / SCE example * Add IAR MSP430 example, located in IDE/IAR-MSP430 directory * Add support for FFMPEG with the enable option --enable-ffmpeg, FFMPEG is used for recording and converting video and audio (https://ffmpeg.org/) * Update the bind port to version 9.18.0 Post Quantum * Add Post-quantum KEM benchmark for STM32 * Enable support for using post quantum algorithms with embedded STM32 boards and port to STM32U585 Compatibility Layer Additions * Add port to support libspdm (https://github.com/DMTF/libspdm/blob/main/README.md), compatibility functions added for the port were: - ASN1_TIME_compare - DH_new_by_nid - OBJ_length, OBJ_get0_data, - EVP layer ChaCha20-Poly1305, HKDF - EC_POINT_get_affine_coordinates - EC_POINT_set_affine_coordinates * Additional functions added were: - EC_KEY_print_fp - EVP_PKEY_paramgen - EVP_PKEY_sign/verify functionality - PEM_write_RSAPublicKey - PEM_write_EC_PUBKEY - PKCS7_sign - PKCS7_final - SMIME_write_PKCS7 - EC_KEY/DH_up_ref - EVP_DecodeBlock - EVP_EncodeBlock - EC_KEY_get_conv_form - BIO_eof - Add support for BIO_CTRL_SET and BIO_CTRL_GET * Add compile time support for the type SSL_R_NULL_SSL_METHOD_PASSED * Enhanced X509_NAME_print_ex() to support RFC5523 basic escape * More checks on OPENSSL_VERSION_NUMBER for API prototype differences * Add extended key usage support to wolfSSL_X509_set_ext * SSL_VERIFY_FAIL_IF_NO_PEER_CERT now can also connect with compatibility layer enabled and a TLS 1.3 PSK connection is used * Improve wolfSSL_BN_rand to handle non byte boundaries and top/bottom parameters * Changed X509_V_ERR codes to better match OpenSSL values used * Improve wolfSSL_i2d_X509_name to allow for a NULL input in order to get the expected resulting size * Enhance the smallstack build to reduce stack size farther when built with compatibility layer enabled Misc. * Sniffer asynchronous support addition, handling of DH shared secret and tested with Intel QuickAssist * Added in support for OCSP with IPv6 * Enhance SP (single precision) optimizations for use with the ECC P521 * Add new public API wc_CheckCertSigPubKey() for use to easily check the signature of a certificate given a public key buffer * Add CSR (Certificate Signing Request) userId support in subject name * Injection and parsing of custom extensions in X.509 certificates * Add WOLF_CRYPTO_CB_ONLY_RSA and WOLF_CRYPTO_CB_ONLY_ECC to reduce code size if using only crypto callback functions with RSA and ECC * Created new --enable-engine configure flag used to build wolfSSL for use with wolfEngine * With TLS 1.3 PSK, when WOLFSSL_PSK_MULTI_ID_PER_CS is defined multiple IDs for a cipher suite can be handled * Added private key id/label support with improving the PK (Public Key) callbacks * Support for Intel QuickAssist ECC KeyGen acceleration * Add the function wolfSSL_CTX_SetCertCbCtx to set user context for certificate call back * Add the functions wolfSSL_CTX_SetEccSignCtx(WOLFSSL_CTX* ctx, void userCtx) and wolfSSL_CTX_GetEccSignCtx(WOLFSSL_CTX ctx) for setting and getting a user context * wolfRand for AMD --enable-amdrand Fixes PORT Fixes * KCAPI memory optimizations and page alignment fixes for ECC, AES mode fixes and reduction to memory usage * Add the new kdf.c file to the TI-RTOS build * Fix wait-until-done in RSA hardware primitive acceleration of ESP-IDF port * IOTSafe workarounds when reading files with ending 0’s and for ECC signatures Math Library Fixes * Sanity check with SP math that ECC points ordinates are not greater than modulus length * Additional sanity checks that _sp_add_d does not error due to overflow * Wycheproof fixes, testing integration, and fixes for AVX / AArch64 ASM edge case tests * TFM fp_div_2_ct rework to avoid potential overflow Misc. * Fix for PKCS#7 with Crypto Callbacks * Fix for larger curve sizes with deterministic ECC sign * Fixes for building wolfSSL alongside openssl using --enable-opensslcoexist * Fix for compatibility layer handling of certificates with SHA256 SKID (Subject Key ID) * Fix for wolfSSL_ASN1_TIME_diff erroring out on a return value of 0 from mktime * Remove extra padding when AES-CBC encrypted with PemToDer * Fixes for TLS v1.3 early data with async. * Fixes for async disables around the DevCopy calls * Fixes for Windows AES-NI with clang compiler * Fix for handling the detection of processing a plaintext TLS alert packet * Fix for potential memory leak in an error case with TLSX supported groups * Sanity check on input size in DecodeNsCertType * AES-GCM stack alignment fixes with assembly code written for AVX/AVX2 * Fix for PK callbacks with server side and setting a public key Improvements/Optimizations Build Options and Warnings * Added example user settings template for FIPS v5 ready * Automake file touch cleanup for use with Yocto devtool * Allow disabling forced 'make clean' at the end of ./configure by using --disable-makeclean * Enable TLS 1.3 early data when specifying --enable-all option * Disable PK Callbacks with JNI FIPS builds * Add a FIPS cert 3389 ready option, this is the fips-ready build * Support (no)inline with Wind River Diab compiler * ECDH_compute_key allow setting of globalRNG with FIPS 140-3 * Add logic equivalent to configure.ac in settings.h for Poly1305 * Fixes to support building opensslextra with SP math * CPP protection for extern references to x86_64 asm code * Updates and enhancements for Espressif ESP-IDF wolfSSL setup_win.bat * Documentation improvements with auto generation * Fix reproducible-build for working an updated version of libtool, version 2.4.7 * Fixes for Diab C89 and armclang * Fix mcapi_test.c to include the settings.h before crypto.h * Update and handle builds with NO_WOLFSSL_SERVER and NO_WOLFSSL_CLIENT * Fix for some macro defines with FIPS 140-3 build so that RSA_PKCS1_PSS_PADDING can be used with RSA sign/verify functions Math Libraries * Add RSA/DH check for even modulus * Enhance TFM math to handle more alloc failure cases gracefully * SP ASM performance improvements mostly around AArch64 * SP ASM improvements for additional cache attack resistance * Add RSA check for small difference between p and q * 6-8% performance increase with ECC operations using SP int by improving the Montgomery Reduction Testing and Validation * All shell scripts in source tree now tested for correctness using shellcheck and bash -n * Added build testing under gcc-12 and -std=c++17 and fixed warnings * TLS 1.3 script test improvement to wait for server to write file * Unit tests for ECC r/s zeroness handling * CI server was expanded with a very “quiet” machine that can support multiple ContantTime tests ensuring ongoing mitigation against side-channel timing based attacks. Algorithms being assessed on this machine are: AES-CBC, AES-GCM, CHACHA20, ECC, POLY1305, RSA, SHA256, SHA512, CURVE25519. * Added new multi configuration windows builds to CI testing for greater testing coverage of windows use-cases Misc. * Support for ECC import to check validity of key on import even if one of the coordinates (x or y) is 0 * Modify example app to work with FreeRTOS+IoT * Ease of access for cert used for verifying a PKCS#7 bundle * Clean up Visual Studio output and intermediate directories * With TLS 1.3 fail immediately if a server sends empty certificate message * Enhance the benchmark application to support multi-threaded testing * Improvement for wc_EccPublicKeyToDer to not overestimate the buffer size required * Fix to check if wc_EccPublicKeyToDer has enough output buffer space * Fix year 2038 problem in wolfSSL_ASN1_TIME_diff * Various portability improvements (Time, DTLS epoch size, IV alloc) * Prefer status_request_v2 over status_request when both are present * Add separate "struct stat" definition XSTATSTRUCT to make overriding XSTAT easier for portability * With SipHash replace gcc specific ASM instruction with generic * Don't force a ECC CA when a custom CA is passed with -A * Add peer authentication failsafe for TLS 1.2 and below * Improve parsing of UID from subject and issuer name with the compatibility layer by * Fallback to full TLS handshake if session ticket fails * Internal refactoring of code to reduce ssl.c file size --- security/wolfssl/Makefile | 2 +- security/wolfssl/distinfo | 6 +++--- security/wolfssl/pkg-plist | 5 +++-- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/security/wolfssl/Makefile b/security/wolfssl/Makefile index b1bb04d718d7..2a1817c6e4ce 100644 --- a/security/wolfssl/Makefile +++ b/security/wolfssl/Makefile @@ -1,5 +1,5 @@ PORTNAME= wolfssl -PORTVERSION= 5.2.0 +PORTVERSION= 5.3.0 CATEGORIES= security devel MASTER_SITES= https://www.wolfssl.com/ \ LOCAL/fox diff --git a/security/wolfssl/distinfo b/security/wolfssl/distinfo index 34ea038e9009..73df68f56362 100644 --- a/security/wolfssl/distinfo +++ b/security/wolfssl/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1645857440 -SHA256 (wolfssl-5.2.0.zip) = 1042c798f53294d46f0df43ee673191da94fc71d2f94e05e7e4daad5e108edd5 -SIZE (wolfssl-5.2.0.zip) = 15470250 +TIMESTAMP = 1651916876 +SHA256 (wolfssl-5.3.0.zip) = 60d9d47b255f05da0c90538b30cd6b43bcbc8a29f057ed41d4dd14aee4dde8bd +SIZE (wolfssl-5.3.0.zip) = 22125813 diff --git a/security/wolfssl/pkg-plist b/security/wolfssl/pkg-plist index 7de4d0428dce..459b2ee20643 100644 --- a/security/wolfssl/pkg-plist +++ b/security/wolfssl/pkg-plist @@ -122,6 +122,7 @@ include/wolfssl/openssl/err.h include/wolfssl/openssl/evp.h include/wolfssl/openssl/fips_rand.h include/wolfssl/openssl/hmac.h +include/wolfssl/openssl/kdf.h include/wolfssl/openssl/lhash.h include/wolfssl/openssl/md4.h include/wolfssl/openssl/md5.h @@ -228,8 +229,8 @@ include/wolfssl/wolfcrypt/wolfmath.h include/wolfssl/wolfio.h lib/libwolfssl.a lib/libwolfssl.so -lib/libwolfssl.so.32 -lib/libwolfssl.so.32.0.0 +lib/libwolfssl.so.33 +lib/libwolfssl.so.33.0.0 libdata/pkgconfig/wolfssl.pc %%PORTDOCS%%%%DOCSDIR%%/README.txt %%PORTDOCS%%%%DOCSDIR%%/example/client.c