git: 496fc69ac505 - main - security/wolfssl: Update to 5.7.2

From: Santhosh Raju <fox_at_FreeBSD.org>
Date: Sun, 04 Aug 2024 14:42:05 UTC
The branch main has been updated by fox:

URL: https://cgit.FreeBSD.org/ports/commit/?id=496fc69ac5059a4c24d6bf0b9fa5e87f7ef94a50

commit 496fc69ac5059a4c24d6bf0b9fa5e87f7ef94a50
Author:     Santhosh Raju <fox@FreeBSD.org>
AuthorDate: 2024-08-04 14:40:15 +0000
Commit:     Santhosh Raju <fox@FreeBSD.org>
CommitDate: 2024-08-04 14:40:15 +0000

    security/wolfssl: Update to 5.7.2
    
    Changes since 5.7.0:
    
    wolfSSL Release 5.7.2 (July 8, 2024)
    
    NOTE: * --enable-heapmath is being deprecated and will be removed by end of
    2024
    
    Vulnerabilities
    
      * [Medium] CVE-2024-1544
        Potential ECDSA nonce side channel attack in versions of wolfSSL before
        5.6.6 with wc_ecc_sign_hash calls. Generating the ECDSA nonce k samples a
        random number r and then truncates this randomness with a modular
        reduction mod n where n is the order of the elliptic curve. Analyzing the
        division through a control-flow revealing side-channel reveals a bias in
        the most significant bits of k. Depending on the curve this is either a
        negligible bias or a significant bias large enough to reconstruct k with
        lattice reduction methods. Thanks to Luca Wilke, Florian Sieck and Thomas
        Eisenbarth (University of Lübeck) for reporting the vulnerability.
        Details will appear in the proceedings of CCS 24.
        Fixed #7020
    
      * [Medium] CVE-2024-5288
        A private key blinding operation, enabled by defining the macro
        WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer
        attack on ECC operations. If performing ECC private key operations in an
        environment where a malicious user could gain fine control over the
        device and perform row hammer style attacks it is recommended to update
        the version of wolfSSL used and to build with WOLFSSL_BLIND_PRIVATE_KEY
        defined. Thanks to Kemal Derya, M. Caner Tol, Berk Sunar for the report
        (Vernam Applied Cryptography and Cybersecurity Lab at Worcester
        Polytechnic Institute)
        Fixed in github pull request #7416
    
      * [Low] When parsing a provided maliciously crafted certificate directly
        using wolfSSL API, outside of a TLS connection, a certificate with an
        excessively large number of extensions could lead to a potential DoS.
        There are existing sanity checks during a TLS handshake with wolfSSL which
        mitigate this issue. Thanks to Bing Shi for the report.
        Fixed in github pull request #7597
    
      * [Low] CVE-2024-5991
        In the function MatchDomainName(), input param str is treated as a NULL
        terminated string despite being user provided and unchecked.
        Specifically, the OpenSSL compatibility function X509_check_host() takes
        in a pointer and length to check against, with no requirements that it be
        NULL terminated. While calling without a NULL terminated string is very
        uncommon, it is still technically allowed. If a caller was attempting to
        do a name check on a non-NULL terminated buffer, the code would read
        beyond the bounds of the input array until it found a NULL terminator.
        Fixed in github pull request #7604
    
      * [Medium] CVE-2024-5814
        A malicious TLS1.2 server can force a TLS1.3 client with downgrade
        capability to use a ciphersuite that it did not agree to and achieve a
        successful connection. This is because, aside from the extensions, the
        client was skipping fully parsing the server hello when downgrading from
        TLS 1.3.
        Fixed in github pull request #7619
    
      * [Medium] OCSP stapling version 2 response verification bypass issue when
        a crafted response of length 0 is received. Found with internal testing.
        Fixed in github pull request #7702
    
      * [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS
        connection attempt. A revoked CA certificate could incorrectly be loaded
        into the trusted signers list and used in a repeat connection attempt.
        Found with internal testing.
        Fixed in github pull request #7702
    
    New Feature Additions
    
      * Added Dilithium/ML-DSA: Implementation of ML-DSA-44/65/87 (PR 7622)
      * AES RISC-V 64-bit ASM: ECB/CBC/CTR/GCM/CCM (PR 7569)
      * Added CUDA support for AES encryption (PR 7436)
      * Added support for gRPC (PR 7445)
      * Added function wc_RsaPrivateKeyDecodeRaw to import raw RSA private keys
        (PR 7608)
      * Added crypto callback for SHA-3 (PR 7670)
      * Support for Infineon Modus Toolbox with wolfSSL (PR 7369)
      * Allow user to send a user_canceled alert by calling
        wolfSSL_SendUserCanceled (PR 7590)
      * C# wrapper SNI support added (PR 7610)
      * Quantum-safe algorithm support added to the Linux kernel module (PR 7574)
      * Support for NIST 800-56C Option 1 KDF, using the macro
        WC_KDF_NIST_SP_800_56C added (PR 7589)
      * AES-XTS streaming mode added, along with hardware acceleration and kernel
        module use (PR 7522, 7560, 7424)
      * PlatformIO FreeRTOS with ESP build and addition of benchmark and test
        example applications (PR 7528, 7413, 7559, 7542)
    
    Enhancements and Optimizations
    
      * Expanded STM32 AES hardware acceleration support for use with STM32H5 (PR
        7578)
      * Adjusted wc_xmss and wc_lms settings to support use with wolfBoot (PR
        7393)
      * Added the --enable-rpk option to autotools build for using raw public key
        support (PR 7379)
      * SHA-3 Thumb2, ARM32 assembly implementation added (PR 7667)
      * Improvements to RSA padding to expose Pad/Unpad APIs (PR 7612)
      * Updates and API additions for supporting socat version 1.8.0.0 (PR 7594)
      * cmake build improvements, expanding build options with SINGLE_THREADED
        and post-quantum algorithms, adjusting the generation of options.h file
        and using “yes;no” boolean instead of strings (PR 7611, 7546, 7479, 7480,
        7380)
      * Improvements for Renesas RZ support (PR 7474)
      * Improvements to dual algorithm certificates for post-quantum keys (PR
        7286)
      * Added wolfSSL_SessionIsSetup so the user can check if a session ticket
        has been sent by the server (PR 7430)
      * hostap updates: Implement PACs for EAP-FAST and filter cipher list on TLS
        version change (PR 7446)
      * Changed subject name comparison to match different upper and lower cases
        (PR 7420)
      * Support for DTLS 1.3 downgrade when using PSK (PR 7367)
      * Update to static memory build for more generic memory pools used (PR 7418)
      * Improved performance of Kyber C implementation (PR 7654)
      * Support for ECC_CACHE_CURVE with no malloc (PR 7490)
      * Added the configure option --enable-debug-trace-errcodes (macro
        WOLFSSL_DEBUG_TRACE_ERROR_CODES) which enables more debug tracking of
        error code values (PR 7634)
      * Enhanced wc_MakeRsaKey and wc_RsaKeyToDer to work with WOLFSSL_NO_MALLOC
        (PR 7362)
      * Improvements to assembly implementations of ChaCha20 and Poly1305 ASM for
        use with MSVC (PR 7319)
      * Cortex-M inline assembly labels with unique number appended (PR 7649)
      * Added secret logging callback to TLS <= 1.2, enabled with the macro
        HAVE_SECRET_CALLBACK (PR 7372)
      * Made wc_RNG_DRBG_Reseed() a public wolfCrypt API (PR 7386)
      * Enabled DES3 support without the DES3 ciphers. To re-enable DES3 cipher
        suites, use the configure flag --enable-des3-tls-suites (PR 7315)
      * Added stubs required for latest nginx (1.25.5) (PR 7449)
      * Added option for using a custom salt with the function
        wc_ecc_ctx_set_own_salt (PR 7552)
      * Added PQ files for Windows (PR 7419)
      * Enhancements to static memory feature, adding the option for a global
        heap hint (PR 7478) and build options for a lean or debug setting,
        enabled with --enable-staticmemory=small or --enable-staticmemory=debug
        (PR 7597)
      * Updated --enable-jni to define SESSION_CERTS for wolfJSSE (PR 7557)
      * Exposed DTLS in Ada wrapper and updated examples (PR 7397)
      * Added additional minimum TLS extension size sanity checks (PR 7602)
      * ESP improvements: updating the examples and libraries, updates for Apple
        HomeKit SHA/SRP, and fix for endianness with SHA512 software fallback (PR
        7607, 7392, 7505, 7535)
      * Made the wc_CheckCertSigPubKey API publicly available with the define of
        the macro WOLFSSL_SMALL_CERT_VERIFY (PR 7599)
      * Added an alpha/preview of additional FIPS 140-3 full submission, bringing
        additional algorithms such as SRTP-KDF, AES-XTS, GCM streaming, AES-CFB,
        ED25519, and ED448 into the FIPS module boundary (PR 7295)
      * XCODE support for v5.2.3 of the FIPS module (PR 7140)
      * Expanded OpenSSL compatibility layer and added EC_POINT_hex2point (PR
        7191)
    
    Fixes
    
      * Fixed Kyber control-flow timing leak. Thanks to Antoon Purnal from
        PQShield for the report.
      * Fixed the NXP MMCAU HW acceleration for SHA-256 (PR 7389)
      * Fixed AES-CFB1 encrypt/decrypt on size (8*x-1) bits (PR 7431)
      * Fixed use of %rip with SHA-256 x64 assembly (PR 7409)
      * Fixed OCSP response message build for DTLS (PR 7671)
      * Handled edge case in wc_ecc_mulmod() with zero (PR 7532)
      * Fixed RPK (Raw Public Key) to follow certificate use correctly (PR 7375)
      * Added sanity check on record header with QUIC use (PR 7638)
      * Added sanity check for empty directory strings in X.509 when parsing (PR
        7669)
      * Added sanity check on non-conforming serial number of 0 in certificates
        being parsed (PR 7625)
      * Fixed wolfSSL_CTX_set1_sigalgs_list() to make the TLS connection conform
        to the selected sig hash algorithm (PR 7693)
      * Various fixes for dual algorithm certificates including small stack use
        and support for Certificate Signing Requests (PR 7577)
      * Added sanity check for critical policy extension when wolfSSL is built
        without policy extension support enabled (PR 7388)
      * Added sanity check that the ed25519 signature is smaller than the order
        (PR 7513)
      * Fixed Segger emNet to handle non-blocking want read/want write (PR 7581)
---
 security/wolfssl/Makefile  | 2 +-
 security/wolfssl/distinfo  | 6 +++---
 security/wolfssl/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/wolfssl/Makefile b/security/wolfssl/Makefile
index 6e6e186af983..680b17cc66b9 100644
--- a/security/wolfssl/Makefile
+++ b/security/wolfssl/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	wolfssl
-PORTVERSION=	5.7.0
+PORTVERSION=	5.7.2
 CATEGORIES=	security devel
 MASTER_SITES=	https://www.wolfssl.com/ \
 		LOCAL/fox
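Review bot: only PORTVERSION changes in the visible context of this hunk; if the Makefile carries a PORTREVISION line outside it, that line should be removed or reset to 0 together with the 5.7.0 to 5.7.2 bump, per the usual ports convention for a version update.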
diff --git a/security/wolfssl/distinfo b/security/wolfssl/distinfo
index 8b7849a11921..e0245e56af62 100644
--- a/security/wolfssl/distinfo
+++ b/security/wolfssl/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1711187466
-SHA256 (wolfssl-5.7.0.zip) = 30bea4b6537157c4720435343b380c5eca9185218738265ca6e090828e7c9c06
-SIZE (wolfssl-5.7.0.zip) = 24483650
+TIMESTAMP = 1722780792
+SHA256 (wolfssl-5.7.2.zip) = 07d580eb452aed737f1ce71aecc4f076276508f9454d70c8083772f6143ca160
+SIZE (wolfssl-5.7.2.zip) = 25112699
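Review bot: TIMESTAMP, SHA256 and SIZE are all replaced consistently for the new wolfssl-5.7.2.zip distfile, which is correct; however, the commit message lists CVE-2024-1544, CVE-2024-5288, CVE-2024-5991 and CVE-2024-5814 as fixed in this release, and the diffstat shows only three files, none under security/vuxml, so a VuXML entry marking wolfssl 5.7.0 as affected should accompany or follow this update.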
diff --git a/security/wolfssl/pkg-plist b/security/wolfssl/pkg-plist
index 8a7625c274bf..3bc0cefa9ad8 100644
--- a/security/wolfssl/pkg-plist
+++ b/security/wolfssl/pkg-plist
@@ -156,7 +156,7 @@ include/wolfssl/wolfio.h
 lib/libwolfssl.a
 lib/libwolfssl.so
 lib/libwolfssl.so.42
-lib/libwolfssl.so.42.1.0
+lib/libwolfssl.so.42.2.0
 libdata/pkgconfig/wolfssl.pc
 %%PORTDOCS%%%%DOCSDIR%%/QUIC.md
 %%PORTDOCS%%%%DOCSDIR%%/README.txt
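Review bot: the versioned library moves from lib/libwolfssl.so.42.1.0 to lib/libwolfssl.so.42.2.0 while the SONAME symlink lib/libwolfssl.so.42 is unchanged, so dependent ports linked against libwolfssl.so.42 need no PORTREVISION bump; it is still worth confirming that no consumer records the full libwolfssl.so.42.1.0 name in a plist or LIB_DEPENDS line, since only the symlink-level name stays stable across this update.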