git: 2b488f7b2f97 - main - security/wolfssl: Update to v5.6.0

From: Santhosh Raju <fox_at_FreeBSD.org>
Date: Sun, 26 Mar 2023 09:14:48 UTC
The branch main has been updated by fox:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2b488f7b2f970f0dcf56c9054d86f11d06470004

commit 2b488f7b2f970f0dcf56c9054d86f11d06470004
Author:     Santhosh Raju <fox@FreeBSD.org>
AuthorDate: 2023-03-26 09:10:52 +0000
Commit:     Santhosh Raju <fox@FreeBSD.org>
CommitDate: 2023-03-26 09:14:13 +0000

    security/wolfssl: Update to v5.6.0
    
    Changes since v5.5.4:
    
    wolfSSL Release 5.6.0 (Mar 24, 2023)
    
    Release 5.6.0 has been developed according to wolfSSL's development and QA
    process (see link below) and successfully passed the quality
    criteria. https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
    
    NOTE:
    * --enable-heapmath is being deprecated and will be removed by 2024
    * This release makes ASN Template the default with ./configure, the previous
      ASN parsing can be built with --enable-asn=original
    
    Release 5.6.0 of wolfSSL embedded TLS has bug fixes and new features including:
    
    New Feature Additions
    * ASN template is now the default ASN parsing implementation when compiling with
      configure
    * Added in support for TLS v1.3 Encrypted Client Hello (ECH) and HPKE (Hybrid
      Public Key Encryption)
    * DTLS 1.3 stateless server ClientHello parsing support added
    
    Ports
    * Add RX64/RX71 SHA hardware support
    * Port to RT1170 and expand NXP CAAM driver support
    * Add NuttX integration files for ease of use
    * Updated Stunnel support for version 5.67
    
    Compatibility Layer
    * Add in support for AES-CCM with EVP
    * BN compatibility API refactoring and separate API created
    * Expanding public key type cipher suite list strings support
    
    Misc.
    * Support pthread_rwlock and add enable option
    * Add wolfSSL_CertManagerLoadCABuffer_ex() that takes a user certificate chain
      flag and additional verify flag options
    * Docker build additions for wolfSSL library and wolfCLU application
    * Add favorite drink pilot attribute type to get it from the encoding
    * Added in support for indefinite length BER parsing with PKCS12
    * Add dynamic session cache which allocates sessions from the heap with macro
      SESSION_CACHE_DYNAMIC_MEM
    
    Improvements / Optimizations
    
    Tests
    * Additional CI (continuous integration) testing and leveraging of GitHub
      workflows
    * Add CI testing for wpa_supplicant, OpenWrt and OpenVPN using GitHub workflows
    * Add compilation of Espressif to GitHub workflows tests
    * Refactoring and improving error results with wolfCrypt unit test application
    * Minor warning fixes from Coverity static analysis scan
    * Add new SHA-512/224 and SHA-512/256 tests
    * Used codespell and fixed some minor typos
    
    Ports
    * Improve TLS1.2 client authentication to use TSIP
    * Updated Kyber macro to be WOLFSSL_HAVE_KYBER and made changes that make Kyber
      work on STM32
    * AES-GCM Windows assembly additions
    * CRLF line endings, trailing spaces for C# Wrapper Projects
    
    Compatibility Layer
    * Update PubKey and Key PEM-to-DER APIs to support return of needed DER size
    * Allow reading ENC EC PRIVATE KEY as well via wolfSSL_PEM_read_bio_ECPrivateKey
    * Improve wolfSSL_EC_POINT_cmp to handle Jacobian ordinates
    * Fix issue with BIO_reset() and add BIO_FLAGS_MEM_RDONLY flag support for read
      only BIOs
    
    SP
    * In SP math library rework mod 3 and use count leading zero instruction
    * Fix with SP ECC sign to reject the random k generated when r is 0
    * With SP math add better detection of when add won't work and double is needed
      with point_add_qz1 internal function
    * With SP int fail when buffer writing to is too small for number rather than
      discarding the extra values
    
    Builds
    * Define WOLFSSL_SP_SMALL_STACK if wolfSSL is built with --enable-smallstack
    * Fix CMake to exclude libm when DH is not enabled
    * Allow building of SAKKE as external non-FIPS algorithm with wolfmikey product
    * Add option to add library suffix, --with-libsuffix
    * ASN template compile option WOLFSSL_ASN_INT_LEAD_0_ANY to allow leading zeros
    * Add user_settings.h template for wolfTPM to
      examples/configs/user_settings_wolftpm.h
    * Purge the AES variant of Dilithium
    * Expand WOLFSSL_NO_ASN_STRICT to allow parsing of explicit ECC public key
    * Remove relocatable text in ARMv7a AES assembly for use with FIPS builds
    * Expand checking for hardware that supports ARMv7a neon with autotools
      configure
    * Sanity check on allocation fails with DSA and FP_ECC build when zeroizing
      internal buffer
    * Additional TLS alerts sent when compiling with WOLFSSL_EXTRA_ALERTS macro
      defined
    
    Benchmarking
    * Update wolfCrypt benchmark Windows build files to support x64 Platform
    * Add SHA512/224 and SHA512/256 benchmarks, fixed CVS macro and display sizes
    * Separate AES-GCM streaming runs when benchmarked
    * No longer call external implementation of Kyber from benchmark
    * Fix for benchmarking shake with custom block size
    * Fixes for benchmark help -alg list and block format
    
    Documentation/Examples
    * Document use of wc_AesFree() and update documentation of Ed25519 with Doxygen
    * Move the wolfSSL Configuration section higher in QUIC.md
    * Add Japanese Doxygen documentation for cmac.h, quic.h and remove incomplete
      Japanese doxygen in asn_public.h
    * Espressif examples run with local wolfSSL now with no additional setup needed
    * Added a fix for StartTLS use in the example client
    * Add a base-line user_settings.h for use with FIPS 140-3 in XCode example app
    
    Optimizations
    * AES-NI usage added for AES modes ECB/CTR/XTS
    
    Misc
    * Update AES-GCM stream decryption to allow long IVs
    * Internal refactor to use wolfSSL_Ref functions when incrementing or
      decrementing the structures reference count and fixes for static analysis
      reports
    * Cleanup function logging making adjustments to the debug log print outs
    * Remove realloc dependency in DtlsMsgCombineFragBuckets function
    * Refactor to use WOLFSSL_CTX’s cipher suite list when possible
    * Update internal padding of 0’s with DSA sign and additional tests with
      mp_to_unsigned_bin_len function
    * With DTLS SRTP use wolfSSL_export_keying_material instead of wc_PRF_TLS
    * Updated macro naming from HAVE_KYBER to be WOLFSSL_HAVE_KYBER
    * Update AES XTS encrypt to handle in-place encryption properly
    * With TLS 1.3 add option to require only PSK with DHE
    
    Fixes
    
    Ports
    * Fix for AES use with CAAM on imx8qxp with SECO builds
    * Fix for PIC32 crypto HW and unused TLSX_SetResponse
    * Fix warning if ltime is unsigned seen with QNX build
    * Updates and fix for Zephyr project support
    * Include sys/time.h for WOLFSSL_RIOT_OS
    * Move X509_V errors from enums to defines for use with HAProxy CLI
    * Fix IAR compiler warnings resolved
    * Fix for STM32 Hash peripherals (like on F437) with FIFO depth = 1
    * ESP32 fix for SHA384 init with hardware acceleration
    
    Builds
    * Add WOLFSSL_IP_ALT_NAME macro define to --enable-curl
    * Fixes for building with C++17 and avoiding clashing with byte naming
    * Fixes SP math all build issue with small-stack and no hardening
    * Fix for building with ASN template with NO_ASN_TIME defined
    * Fix building FIPSv2 with WOLFSSL_ECDSA_SET_K defined
    * Don't allow aesgcm-stream option with kcapi
    * Fix DTLS test case for when able to read peers close notify alert on FreeBSD
      systems
    * Fix for "expression must have a constant value" in tls13.c with Green Hills
      compiler
    * Fixes for building KCAPI with opensslextra enabled
    * Fix warnings of shadows min and subscript with i486-netbsd-gcc compiler
    * Fix issue with async and WOLFSSL_CHECK_ALERT_ON_ERR
    * Fix for PKCS7 with asynchronous crypto enabled
    
    Math Library
    * SP Aarch64 fix for conditional changed in asm needing "cc" and fix for ECC
      P256 mont reduce
    * In SP builds add sanity check with DH exp. to check the output length for
      minimum size
    * In SP math fix scalar length check with EC scalar multiply
    * With SP int fix handling negative character properly with read radix
    * Add error checks before setting variable err in SP int with the function
      sp_invmod_mont_ct
    * Fix to add sanity check for malloc of zero size in fastmath builds
    * In fastmath fix a possible overflow in fp_to_unsigned_bin_len length check
    * Heapmath fast mod. reduce fix
    
    Compatibility Layer
    * Fixes for encoding/decoding ecc public keys and ensure i2d public key
      functions do not include any private key information
    * Fix for EVP_EncryptUpdate to update outl on empty input
    * Fix SE050 RSA public key loading and RSA/ECC SE050 TLS Compatibility
    * Rework EC API and validate point after setting it
    * Fix for X509 RSA PSS with compatibility layer functions
    * Fix size of structures used with SHA operations when built with opensslextra
      for Espressif hardware accelerated hashing
    * Added sanity check on key length with wolfSSL_CMAC_Init function
    * Fix for return value type conversion of bad mutex error in logging function
    * Fix NID conflict NID_givenName and NID_md5WithRSAEncryption
    * Fix unguarded XFPRINTF calls with opensslextra build
    * Fix wolfSSL_ASN1_INTEGER_to_BN for negative values
    * Fix for potential ASN1_STRING leak in wolfSSL_X509_NAME_ENTRY_create_by_txt
      and wolfSSL_X509_NAME_ENTRY_create_by_NID when memory allocation fails
    
    Misc.
    * Add sanity check to prevent an out of bounds read with OCSP response decoding
    * Sanity check to not allow 0 length with bit string and integer when parsing
      ASN1 syntax
    * Adjust RNG sanity checks and remove error prone first byte comparison
    * With PKCS7 add a fix for GetAsnTimeString() to correctly increment internal
      data pointer
    * PKCS7 addition of sequence around algo parameters with authenvelop
    * DSA fixes for clearing mp_int before re-reading data and avoid mp_clear
      without first calling mp_init
    * Fix for SRTP setting bitfield when it is encoded for the TLS extension
    * Fix for handling small http headers when doing CRL verification
    * Fix for ECCSI hash function to validate the output size and curve size
    * Fix for value of givenName and name being reversed with CSR generation
    * Fix for error type returned (OCSP_CERT_UNKNOWN) with OCSP verification
    * Fix for a potential memory leak with ProcessCSR when handling OCSP responses
    * Fix for VERIFY_SKIP_DATE flag not ignoring date errors when set
    * Fix for zlib decompression buffer issue with PKCS7
    * Fix for DTLS message pool send size used and DTLS server saving of the
      handshake sequence
    * Fix to propagate WOLFSSL_TICKET_RET_CREATE error return value from
      DoDecryptTicket()
    * Fix for handling long session IDs with TLS 1.3 session tickets
    * Fix for AES-GCM streaming when caching an IV
    * Fix for test case with older selftest that returns bad padding instead of salt
      len error
    * Add fix for siphash cache and added in additional tests
    * Fix potential out of bounds memset to 0 in error case with session export
      function used with --enable-sessionexport builds
    * Fix possible NULL dereference in TLSX_CSR_Parse with TLS 1.3
    * Fix for sanity check on RSA pad length with no padding using the build macro
      WC_RSA_NO_PADDING
---
 security/wolfssl/Makefile  | 2 +-
 security/wolfssl/distinfo  | 6 +++---
 security/wolfssl/pkg-plist | 3 ++-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/security/wolfssl/Makefile b/security/wolfssl/Makefile
index e39485c010e3..11adb39b486d 100644
--- a/security/wolfssl/Makefile
+++ b/security/wolfssl/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	wolfssl
-PORTVERSION=	5.5.4
+PORTVERSION=	5.6.0
 CATEGORIES=	security devel
 MASTER_SITES=	https://www.wolfssl.com/ \
 		LOCAL/fox
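Review bot: The PORTVERSION line is the only Makefile change, but the release notes in the commit message say 5.6.0 makes ASN Template the default parser under ./configure and deprecates --enable-heapmath. The port's configure arguments are not visible in this hunk; please confirm none of them pass --enable-heapmath, and say in the commit message whether the port accepts the new ASN default or pins --enable-asn=original, since that changes certificate parsing behaviour for every consumer of the package.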
diff --git a/security/wolfssl/distinfo b/security/wolfssl/distinfo
index 1fd49e27f7d3..f53631960558 100644
--- a/security/wolfssl/distinfo
+++ b/security/wolfssl/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1675516684
-SHA256 (wolfssl-5.5.4.zip) = 76da2d57183a5de2660f6214db7234d21df6d8c5ef12a79bdad5e68774dda380
-SIZE (wolfssl-5.5.4.zip) = 20699104
+TIMESTAMP = 1679815666
+SHA256 (wolfssl-5.6.0.zip) = ff8ca6bcdc01786727d7f11c05d04afa8e83b450014c92e9061df1a89eba15d9
+SIZE (wolfssl-5.6.0.zip) = 23437703
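Review bot: The new SHA256 and SIZE lines pin wolfssl-5.6.0.zip, but nothing in the commit records how that archive was checked against upstream, and the Makefile lists LOCAL/fox as a second MASTER_SITES entry alongside https://www.wolfssl.com/. Please state that the hash was computed from the upstream download (or compared with an upstream-published checksum or signature) and that the LOCAL/fox copy is byte-identical. The archive also grew from 20699104 to 23437703 bytes; a one-line explanation would help anyone auditing the bump.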
diff --git a/security/wolfssl/pkg-plist b/security/wolfssl/pkg-plist
index e701605ecaf0..8c3d547db664 100644
--- a/security/wolfssl/pkg-plist
+++ b/security/wolfssl/pkg-plist
@@ -194,6 +194,7 @@ include/wolfssl/wolfcrypt/ge_448.h
 include/wolfssl/wolfcrypt/ge_operations.h
 include/wolfssl/wolfcrypt/hash.h
 include/wolfssl/wolfcrypt/hmac.h
+include/wolfssl/wolfcrypt/hpke.h
 include/wolfssl/wolfcrypt/integer.h
 include/wolfssl/wolfcrypt/kdf.h
 include/wolfssl/wolfcrypt/kyber.h
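Review bot: On the added include/wolfssl/wolfcrypt/hpke.h line, the entry is unconditional like its neighbours, while the release notes present HPKE and ECH as a newly added feature. Please confirm the header is installed with every option combination the port offers, not only when the feature is enabled, otherwise packaging fails on a plist mismatch; a staged-install check (make check-plist) with the port's options toggled would settle it.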
@@ -237,7 +238,7 @@ include/wolfssl/wolfio.h
 lib/libwolfssl.a
 lib/libwolfssl.so
 lib/libwolfssl.so.35
-lib/libwolfssl.so.35.3.0
+lib/libwolfssl.so.35.4.0
 libdata/pkgconfig/wolfssl.pc
 %%PORTDOCS%%%%DOCSDIR%%/QUIC.md
 %%PORTDOCS%%%%DOCSDIR%%/README.txt
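Review bot: On the libwolfssl.so.35.3.0 to libwolfssl.so.35.4.0 change, lib/libwolfssl.so.35 is unchanged, so dependent ports will not be rebuilt or flagged. The release notes list a BN compatibility API refactoring and a reworked EC API; please confirm upstream kept the ABI compatible within .so.35, and if any consumer links statically against lib/libwolfssl.a, bump its PORTREVISION so it picks up the security-relevant fixes (OCSP out-of-bounds read, TLSX_CSR_Parse NULL dereference) listed in this release.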