diff options
| author | fox <fox@pkgsrc.org> | 2022-10-01 11:47:09 +0000 |
|---|---|---|
| committer | fox <fox@pkgsrc.org> | 2022-10-01 11:47:09 +0000 |
| commit | ffa1d5457f9e3179f6bd0f8e82c9cfcba468d4e2 (patch) | |
| tree | 562dea700b493d326fc8059c5cb7d4bacb3a7a8d | |
| parent | 25e1f8157fc31db50b2aaa91dcec96e94ad50356 (diff) | |
| download | pkgsrc-ffa1d5457f9e3179f6bd0f8e82c9cfcba468d4e2.tar.gz | |
security/wolfssl: Update to v5.5.1
Changes since v5.5.0:
wolfSSL Release 5.5.1 (Sep 28, 2022) Latest
Vulnerabilities
* [Med] Denial of service attack and buffer overflow against TLS 1.3 servers
using session ticket resumption. When built with --enable-session-ticket and
making use of TLS 1.3 server code in wolfSSL, there is the possibility of a
malicious client to craft a malformed second ClientHello packet that causes
the server to crash. This issue is limited to when using both
--enable-session-ticket and TLS 1.3 on the server side. Users with TLS 1.3
servers, and having --enable-session-ticket, should update to the latest
version of wolfSSL. Thanks to Max at Trail of Bits for the report and
"LORIA, INRIA, France" for research on tlspuffin.
New Feature Additions
* Add support for non-blocking ECC key gen and shared secret gen for
P-256/384/521
* Add support for non-blocking ECDHE/ECDSA in TLS/DTLS layer.
* Port to NXP RT685 with FreeRTOS
* Add option to build post quantum Kyber API (--enable-kyber)
* Add post quantum algorithm sphincs to wolfCrypt
* Config. option to force no asm with SP build (--enable-sp=noasm)
* Allow post quantum keyshare for DTLS 1.3
Enhancements
* DTLSv1.3: Do HRR Cookie exchange by default
* Add wolfSSL_EVP_PKEY_new_CMAC_key to OpenSSL compatible API
* Update ide win10 build files to add missing sp source files
* Improve Workbench docs
* Improve EVP support for CHACHA20_POLY1305
* Improve wc_SetCustomExtension documentation
* RSA-PSS with OCSP and add simple OCSP response DER verify test case
* Clean up some FIPS versioning logic in configure.ac and WIN10 user_settings.h
* Don't over-allocate memory for DTLS fragments
* Add WOLFSSL_ATECC_TFLXTLS for Atmel port
* SHA-3 performance improvements with x86_64 assembly
* Add code to fallback to S/W if TSIP cannot handle
* Improves entropy with VxWorks
* Make time in milliseconds 64-bits for longer session ticket lives
* Support for setting cipher list with bytes
* wolfSSL_set1_curves_list(), wolfSSL_CTX_set1_curves_list() improvements
* Add to RSAES-OAEP key parsing for pkcs7
* Add missing DN nid to work with PrintName()
* SP int: default to 16 bit word size when NO_64BIT defined
* Limit the amount of fragments we store per a DTLS connection and error out
when max limit is reached
* Detect when certificate's RSA public key size is too big and fail on loading
of certificate
Fixes
* Fix for async with OCSP non-blocking in ProcessPeerCerts
* Fixes for building with 32-bit and socket size sign/unsigned mismatch
* Fix Windows CMakeList compiler options
* TLS 1.3 Middle-Box compat: fix missing brace
* Configuration consistency fixes for RSA keys and way to force disable of
private keys
* Fix for Aarch64 Mac M1 SP use
* Fix build errors and warnings for MSVC with DTLS 1.3
* Fix HMAC compat layer function for SHA-1
* Fix DTLS 1.3 do not negotiate ConnectionID in HelloRetryRequest
* Check return from call to wc_Time
* SP math: fix build configuration with opensslall
* Fix for async session tickets
* SP int mp_init_size fixes when SP_WORD_SIZE == 8
* Ed. function to make public key now checks for if the private key flag is set
* Fix HashRaw WC_SHA256_DIGEST_SIZE for wc_Sha256GetHash
* Fix for building with PSK only
* Set correct types in wolfSSL_sk_*_new functions
* Sanity check that size passed to mp_init_size() is no more than SP_INT_DIGITS
| -rw-r--r-- | security/wolfssl/Makefile | 4 | ||||
| -rw-r--r-- | security/wolfssl/PLIST | 6 | ||||
| -rw-r--r-- | security/wolfssl/distinfo | 9 | ||||
| -rw-r--r-- | security/wolfssl/patches/patch-configure | 15 |
4 files changed, 27 insertions, 7 deletions
diff --git a/security/wolfssl/Makefile b/security/wolfssl/Makefile index 8c8e6ab74bd..2a990eec7e4 100644 --- a/security/wolfssl/Makefile +++ b/security/wolfssl/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.15 2022/09/04 08:41:57 fox Exp $ +# $NetBSD: Makefile,v 1.16 2022/10/01 11:47:09 fox Exp $ -DISTNAME= wolfssl-5.5.0 +DISTNAME= wolfssl-5.5.1 CATEGORIES= security MASTER_SITES= https://www.wolfssl.com/ EXTRACT_SUFX= .zip diff --git a/security/wolfssl/PLIST b/security/wolfssl/PLIST index 62eb37d406b..92a78068499 100644 --- a/security/wolfssl/PLIST +++ b/security/wolfssl/PLIST @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST,v 1.10 2022/09/04 08:41:57 fox Exp $ +@comment $NetBSD: PLIST,v 1.11 2022/10/01 11:47:09 fox Exp $ bin/wolfssl-config include/cyassl/callbacks.h include/cyassl/certs_test.h @@ -186,6 +186,7 @@ include/wolfssl/wolfcrypt/eccsi.h include/wolfssl/wolfcrypt/ed25519.h include/wolfssl/wolfcrypt/ed448.h include/wolfssl/wolfcrypt/error-crypt.h +include/wolfssl/wolfcrypt/ext_kyber.h include/wolfssl/wolfcrypt/falcon.h include/wolfssl/wolfcrypt/fe_448.h include/wolfssl/wolfcrypt/fe_operations.h @@ -196,6 +197,7 @@ include/wolfssl/wolfcrypt/hash.h include/wolfssl/wolfcrypt/hmac.h include/wolfssl/wolfcrypt/integer.h include/wolfssl/wolfcrypt/kdf.h +include/wolfssl/wolfcrypt/kyber.h include/wolfssl/wolfcrypt/logging.h include/wolfssl/wolfcrypt/md2.h include/wolfssl/wolfcrypt/md4.h @@ -222,11 +224,13 @@ include/wolfssl/wolfcrypt/sha512.h include/wolfssl/wolfcrypt/signature.h include/wolfssl/wolfcrypt/siphash.h include/wolfssl/wolfcrypt/sp_int.h +include/wolfssl/wolfcrypt/sphincs.h include/wolfssl/wolfcrypt/srp.h include/wolfssl/wolfcrypt/tfm.h include/wolfssl/wolfcrypt/types.h include/wolfssl/wolfcrypt/visibility.h include/wolfssl/wolfcrypt/wc_encrypt.h +include/wolfssl/wolfcrypt/wc_kyber.h include/wolfssl/wolfcrypt/wc_port.h include/wolfssl/wolfcrypt/wolfevent.h include/wolfssl/wolfcrypt/wolfmath.h diff --git a/security/wolfssl/distinfo b/security/wolfssl/distinfo index e25c637e2dd..b9ba9793a00 100644 --- a/security/wolfssl/distinfo +++ b/security/wolfssl/distinfo @@ -1,5 +1,6 @@ -$NetBSD: distinfo,v 1.16 2022/09/04 08:41:57 fox Exp $ +$NetBSD: distinfo,v 1.17 2022/10/01 11:47:09 fox Exp $ -BLAKE2s (wolfssl-5.5.0.zip) = 082c16346b4f774a1ceb0669acbcf700de9749991fd15f6bbaea8002e4e1c67a -SHA512 (wolfssl-5.5.0.zip) = ec2b1c21b59f92c5c29cf5616227b31ec463f2ac4a2793e41d4ab271bc7540334dcae6a69cbaf706d05a371c33527ccbe7f07620aab09046ab8e2f48ad618d3e -Size (wolfssl-5.5.0.zip) = 20168520 bytes +BLAKE2s (wolfssl-5.5.1.zip) = c63d84698177add2f008f607b1560ceefc5574ccc4628b9f3d70450b84df315d +SHA512 (wolfssl-5.5.1.zip) = fb61f1f4208e33260e8ff7804bf0518807f1b89db1c1619ec04ca1400b6779cc2309c399244b4b35bdf57f892bf7dfbce138321981d9c9a89e59c53cc210028f +Size (wolfssl-5.5.1.zip) = 20389385 bytes +SHA1 (patch-configure) = 70270a0f102297d2b61f47bdc6420f393b6689fd diff --git a/security/wolfssl/patches/patch-configure b/security/wolfssl/patches/patch-configure new file mode 100644 index 00000000000..55a26721bc0 --- /dev/null +++ b/security/wolfssl/patches/patch-configure @@ -0,0 +1,15 @@ +$NetBSD: patch-configure,v 1.5 2022/10/01 11:47:10 fox Exp $ + +Make the script portable. + +--- configure.orig 2022-10-01 11:35:36.891958063 +0000 ++++ configure +@@ -21777,7 +21777,7 @@ then + then + as_fn_error $? "You need to enable both DTLS and TLSv1.3 to use DTLSv1.3" "$LINENO" 5 + fi +- if test "x$ENABLED_SEND_HRR_COOKIE" == "xundefined" ++ if test "x$ENABLED_SEND_HRR_COOKIE" = "xundefined" + then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: DTLSv1.3 is enabled, enabling HRR cookie" >&5 + printf "%s\n" "$as_me: DTLSv1.3 is enabled, enabling HRR cookie" >&6;} |