From nobody Sun Aug 04 14:42:05 2024 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WcMj94pgYz5SS4h; Sun, 04 Aug 2024 14:42:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WcMj94LBxz4kMn; Sun, 4 Aug 2024 14:42:05 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1722782525; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=k8wgPFmmJhoNpfEKAntfAKlL5CltRTAfNK6rW5HY3sI=; b=QU0u2bQhV9uwStO8o3gkyzaZ8NdZYO9XA3avI00uu0wJRm9YfOo+ebgV1WPfkEBUi04uJA 2WmPsu1b3N41G4qPY4o5ePOvhUUggTgt2G6w1+JU8g941V68sk8ehqa7LtRAMYOuC6SpgV jtigqVSyh8v+6r1k2PQf4/MSfTYBvph2glszYiASWemBKQ4L34RAXTXblG6vkqqOVM2UPI lsFwtgBqE3pEVkao1RdOgCsugxFoZok4y9l9+ZTSezDOZbfAHrQLVPd5F4kEAxmhqAU2Nu UYjSQVpZKrL241X7pQ94ho4hn5IJ/pIP91o5ogfh1IG1U2hA3gmmBz78GV/akg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1722782525; a=rsa-sha256; cv=none; b=TpFmoXN4K3viuv2zxDBwG51y+yNlr9FTXfdSNjQHLuN6qfqgvrprMPcAhcl7iSf9bNUJwj 8m8NOAcqHmSr6a0xVZKzxJ6wxAx3CUKnEye0RY1QqJRUisHx1af0uqW1hA726DkWa1dVpj GvweAK8l1j6UfpSYqL7YKwP0TuBh5jbHOPG2l676iEn1cv1sha6jdIHsskuxgUUr9OyK97 +B5TPXiouXk0isrI7mFlqc/2RTOCp0B4oXQq/ZHPVewihMFRnA/W6pEMd+bTn/d3AdA53X cDiHXiKi7I58QqsLINo9+Im9yComf//dD+ItJc3Pvm43FwrymZ+TgA5JCIpjZw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1722782525; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=k8wgPFmmJhoNpfEKAntfAKlL5CltRTAfNK6rW5HY3sI=; b=MzuANx9u0JfBN8zikOfx+/O6ntzGrcouChhpikkyCXbJ7KbsX+UYPaT/q6b1/sa1Zd98oF WClyopTEplHuQ9ldV9l5G0dgjrS80pomA025++zGi5Vpr2zLtiWIPph/FtUUv2ORimIJXd tP6iwm6qAubdTNAZjKFG9ZOyv/wL8HzmaIERu0F/0G8C6ZZPrHU5sSnH+sw+vJdPbKIDnQ 9JUic5dNHNpagWZcAVroaFeFmpYb672uynqXMJLRzWFcoNuj7jGAJf+WFgu6UGY71NJBeK y8zmGcJVfP0pw/I5On5AXWJR7ewE/JA426uBeHStbIaf1hTleZ0iHeACTGFqBg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4WcMj93xZlz108W; Sun, 4 Aug 2024 14:42:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 474Eg5kP090376; Sun, 4 Aug 2024 14:42:05 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 474Eg5J1090373; Sun, 4 Aug 2024 14:42:05 GMT (envelope-from git) Date: Sun, 4 Aug 2024 14:42:05 GMT Message-Id: <202408041442.474Eg5J1090373@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Santhosh Raju Subject: git: 496fc69ac505 - main - security/wolfssl: Update to 5.7.2 List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-main@freebsd.org Sender: owner-dev-commits-ports-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: fox X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 496fc69ac5059a4c24d6bf0b9fa5e87f7ef94a50 Auto-Submitted: auto-generated The branch main has been updated by fox: URL: https://cgit.FreeBSD.org/ports/commit/?id=496fc69ac5059a4c24d6bf0b9fa5e87f7ef94a50 commit 496fc69ac5059a4c24d6bf0b9fa5e87f7ef94a50 Author: Santhosh Raju AuthorDate: 2024-08-04 14:40:15 +0000 Commit: Santhosh Raju CommitDate: 2024-08-04 14:40:15 +0000 security/wolfssl: Update to 5.7.2 Changes since 5.7.0: wolfSSL Release 5.7.2 (July 8, 2024) NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024 Vulnerabilities * [Medium] CVE-2024-1544 Potential ECDSA nonce side channel attack in versions of wolfSSL before 5. 6.6 with wc_ecc_sign_hash calls. Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Analyzing the division through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. Thanks to Luca Wilke, Florian Sieck and Thomas Eisenbarth (University of Lübeck) for reporting the vulnerability. Details will appear in the proceedings of CCS 24. Fixed #7020 * [Medium] CVE-2024-5288 A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations. If performing ECC private key operations in an environment where a malicious user could gain fine control over the device and perform row hammer style attacks it is recommended to update the version of wolfSSL used and to build with WOLFSSL_BLIND_PRIVATE_KEY defined. Thanks to Kemal Derya, M. Caner Tol, Berk Sunar for the report (Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute) Fixed in github pull request #7416 * [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS. There are existing sanity checks during a TLS handshake with wolfSSL which mitigate this issue. Thanks to Bing Shi for the report. Fixed in github pull request #7597 * [Low] CVE-2024-5991 In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the Openssl compatibility function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. While calling without a NULL terminated string is very uncommon, it is still technically allowed. If a caller was attempting to do a name check on a non*NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator. Fixed in github pull request #7604 * [Medium] CVE-2024-5814 A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello when downgrading from TLS 1.3. Fixed in github pull request #7619 * [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received. Found with internal testing. Fixed in github pull request #7702 * [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt. A revoked CA certificate could incorrectly be loaded into the trusted signers list and used in a repeat connection attempt. Found with internal testing. Fixed in github pull request #7702 New Feature Additions * Added Dilithium/ML-DSA: Implementation of ML-DSA-44/65/87 (PR 7622) * AES RISC-V 64-bit ASM: ECB/CBC/CTR/GCM/CCM (PR 7569) * Added CUDA support for AES encryption (PR 7436) * Added support for gRPC (PR 7445) * Added function wc_RsaPrivateKeyDecodeRaw to import raw RSA private keys (PR 7608) * Added crypto callback for SHA-3 (PR 7670) * Support for Infineon Modus Toolbox with wolfSSL (PR 7369) * Allow user to send a user_canceled alert by calling wolfSSL_SendUserCanceled (PR 7590) * C# wrapper SNI support added (PR 7610) * Quantum-safe algorithm support added to the Linux kernel module (PR 7574) * Support for NIST 800-56C Option 1 KDF, using the macro WC_KDF_NIST_SP_800_56C added (PR 7589) * AES-XTS streaming mode added, along with hardware acceleration and kernel module use (PR 7522, 7560, 7424) * PlatformIO FreeRTOS with ESP build and addition of benchmark and test example applications (PR 7528, 7413, 7559, 7542) Enhancements and Optimizations * Expanded STM32 AES hardware acceleration support for use with STM32H5 (PR 7578) * Adjusted wc_xmss and wc_lms settings to support use with wolfBoot (PR 7393) * Added the --enable-rpk option to autotools build for using raw public key support (PR 7379) * SHA-3 Thumb2, ARM32 assembly implementation added (PR 7667) * Improvements to RSA padding to expose Pad/Unpad APIs (PR 7612) * Updates and API additions for supporting socat version 1.8.0.0 (PR 7594) * cmake build improvements, expanding build options with SINGLE_THREADED and post-quantum algorithms, adjusting the generation of options.h file and using “yes;no” boolean instead of strings (PR 7611, 7546, 7479, 7480, 7380) * Improvements for Renesas RZ support (PR 7474) * Improvements to dual algorithm certificates for post-quantum keys (PR 7286) * Added wolfSSL_SessionIsSetup so the user can check if a session ticket has been sent by the server (PR 7430) * hostap updates: Implement PACs for EAP-FAST and filter cipher list on TLS version change (PR 7446) * Changed subject name comparison to match different upper and lower cases (PR 7420) * Support for DTLS 1.3 downgrade when using PSK (PR 7367) * Update to static memory build for more generic memory pools used (PR 7418) * Improved performance of Kyber C implementation (PR 7654) * Support for ECC_CACHE_CURVE with no malloc (PR 7490) * Added the configure option --enable-debug-trace-errcodes (macro WOLFSSL_DEBUG_TRACE_ERROR_CODES) which enables more debug tracking of error code values (PR 7634) * Enhanced wc_MakeRsaKey and wc_RsaKeyToDer to work with WOLFSSL_NO_MALLOC (PR 7362) * Improvements to assembly implementations of ChaCha20 and Poly1305 ASM for use with MSVC (PR 7319) * Cortex-M inline assembly labels with unique number appended (PR 7649) * Added secret logging callback to TLS <= 1.2, enabled with the macro HAVE_SECRET_CALLBACK (PR 7372) * Made wc_RNG_DRBG_Reseed() a public wolfCrypt API (PR 7386) * Enabled DES3 support without the DES3 ciphers. To re-enable DES3 cipher suites, use the configure flag --enable-des3-tls-suites (PR 7315) * Added stubs required for latest nginx (1.25.5) (PR 7449) * Added option for using a custom salt with the function wc_ecc_ctx_set_own_salt (PR 7552) * Added PQ files for Windows (PR 7419) * Enhancements to static memory feature, adding the option for a global heap hint (PR 7478) and build options for a lean or debug setting, enabled with --enable-staticmemory=small or --enable-staticmemory=debug (PR 7597) * Updated --enable-jni to define SESSION_CERTS for wolfJSSE (PR 7557) * Exposed DTLS in Ada wrapper and updated examples (PR 7397) * Added additional minimum TLS extension size sanity checks (PR 7602) * ESP improvements: updating the examples and libraries, updates for Apple HomeKit SHA/SRP, and fix for endianness with SHA512 software fallback (PR 7607, 7392, 7505, 7535) * Made the wc_CheckCertSigPubKey API publicly available with the define of the macro WOLFSSL_SMALL_CERT_VERIFY (PR 7599) * Added an alpha/preview of additional FIPS 140-3 full submission, bringing additional algorithms such as SRTP-KDF, AES-XTS, GCM streaming, AES-CFB, ED25519, and ED448 into the FIPS module boundary (PR 7295) * XCODE support for v5.2.3 of the FIPS module (PR 7140) * Expanded OpenSSL compatibility layer and added EC_POINT_hex2point (PR 7191) Fixes * Fixed Kyber control-flow timing leak. Thanks to Antoon Purnal from PQShield for the report. * Fixed the NXP MMCAU HW acceleration for SHA-256 (PR 7389) * Fixed AES-CFB1 encrypt/decrypt on size (8*x-1) bits (PR 7431) * Fixed use of %rip with SHA-256 x64 assembly (PR 7409) * Fixed OCSP response message build for DTLS (PR 7671) * Handled edge case in wc_ecc_mulmod() with zero (PR 7532) * Fixed RPK (Raw Public Key) to follow certificate use correctly (PR 7375) * Added sanity check on record header with QUIC use (PR 7638) * Added sanity check for empty directory strings in X.509 when parsing (PR 7669) * Added sanity check on non-conforming serial number of 0 in certificates being parsed (PR 7625) * Fixed wolfSSL_CTX_set1_sigalgs_list() to make the TLS connection conform to the selected sig hash algorithm (PR 7693) * Various fixes for dual algorithm certificates including small stack use and support for Certificate Signing Requests (PR 7577) * Added sanity check for critical policy extension when wolfSSL is built without policy extension support enabled (PR 7388) * Added sanity check that the ed25519 signature is smaller than the order ( PR 7513) * Fixed Segger emNet to handle non-blocking want read/want write (PR 7581) --- security/wolfssl/Makefile | 2 +- security/wolfssl/distinfo | 6 +++--- security/wolfssl/pkg-plist | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/security/wolfssl/Makefile b/security/wolfssl/Makefile index 6e6e186af983..680b17cc66b9 100644 --- a/security/wolfssl/Makefile +++ b/security/wolfssl/Makefile @@ -1,5 +1,5 @@ PORTNAME= wolfssl -PORTVERSION= 5.7.0 +PORTVERSION= 5.7.2 CATEGORIES= security devel MASTER_SITES= https://www.wolfssl.com/ \ LOCAL/fox diff --git a/security/wolfssl/distinfo b/security/wolfssl/distinfo index 8b7849a11921..e0245e56af62 100644 --- a/security/wolfssl/distinfo +++ b/security/wolfssl/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1711187466 -SHA256 (wolfssl-5.7.0.zip) = 30bea4b6537157c4720435343b380c5eca9185218738265ca6e090828e7c9c06 -SIZE (wolfssl-5.7.0.zip) = 24483650 +TIMESTAMP = 1722780792 +SHA256 (wolfssl-5.7.2.zip) = 07d580eb452aed737f1ce71aecc4f076276508f9454d70c8083772f6143ca160 +SIZE (wolfssl-5.7.2.zip) = 25112699 diff --git a/security/wolfssl/pkg-plist b/security/wolfssl/pkg-plist index 8a7625c274bf..3bc0cefa9ad8 100644 --- a/security/wolfssl/pkg-plist +++ b/security/wolfssl/pkg-plist @@ -156,7 +156,7 @@ include/wolfssl/wolfio.h lib/libwolfssl.a lib/libwolfssl.so lib/libwolfssl.so.42 -lib/libwolfssl.so.42.1.0 +lib/libwolfssl.so.42.2.0 libdata/pkgconfig/wolfssl.pc %%PORTDOCS%%%%DOCSDIR%%/QUIC.md %%PORTDOCS%%%%DOCSDIR%%/README.txt