author: fhajny <fhajny@pkgsrc.org> 2016-06-16 14:17:03 +0000
committer: fhajny <fhajny@pkgsrc.org> 2016-06-16 14:17:03 +0000
commit: 65b403b3f2ef79574e2bf47696f7a493d30c57c8
tree: f0ac39ee2b911d9305e2fc1241bd7a380ae27b25 /security/mbedtls
parent: cd9013857e730fb6c54fc44b5afb784a43c93200
Update security/mbedtls to 2.2.1.

This removes the legacy PolarSSL compatibility layer. For software that needs it, please use security/mbedtls1 instead.

Change license to apache-2.0.

Upstream changelog since 1.3.11 follows.

= mbed TLS 2.2.1 released 2016-01-05

Security
- Fix potential double free when mbedtls_asn1_store_named_data() fails to allocate memory. Only used for certificate generation, not triggerable remotely in SSL/TLS.
- Disable MD5 handshake signatures in TLS 1.2 by default

Bugfix
- Fix over-restrictive length limit in GCM.
- Fix bug in certificate validation that caused valid chains to be rejected when the first intermediate certificate has pathLenConstraint=0.
- Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign()
- Fix suboptimal handling of unexpected records that caused interop issues with some peers over unreliable links. Avoid dropping an entire DTLS datagram if a single record in a datagram is unexpected, instead only drop the record and look at subsequent records (if any are present) in the same datagram.

= mbed TLS 2.2.0 released 2015-11-04

Security
- Fix potential double free if mbedtls_ssl_conf_psk() is called more than once and some allocation fails. Cannot be forced remotely.
- Fix potential heap corruption on Windows when mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be triggered remotely.
- Fix potential buffer overflow in some asn1_write_xxx() functions. Cannot be triggered remotely unless you create X.509 certificates based on untrusted input or write keys of untrusted origin.
- The X509 max_pathlen constraint was not enforced on intermediate certificates.

Features
- Experimental support for EC J-PAKE as defined in Thread 1.0.0. Disabled by default as the specification might still change.
- Added a key extraction callback to access the master secret and key block. (Potential uses include EAP-TLS and Thread.)

Bugfix
- Self-signed certificates were not excluded from pathlen counting, resulting in some valid X.509 being incorrectly rejected.
- Fix build error with configurations where ECDHE-PSK is the only key exchange.
- Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or ECDH-ECDSA is the only key exchange. Multiple reports.
- Fixed a bug causing some handshakes to fail due to some non-fatal alerts not being properly ignored.
- mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and size/curve against the profile. Before that, there was no way to set a minimum key size for end-entity certificates with RSA keys.
- Fix failures in MPI on Sparc(64) due to use of bad assembly code.
- Fix typo in name of the extKeyUsage OID.
- Fix bug in ASN.1 encoding of booleans that caused generated CA certificates to be rejected by some applications, including OS X Keychain.

Changes
- Improved performance of mbedtls_ecp_muladd() when one of the scalars is or -1.

= mbed TLS 2.1.2 released 2015-10-06

Security
- Added fix for CVE-2015-5291 to prevent heap corruption due to buffer overflow of the hostname or session ticket.
- Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than once in the same handshake and mbedtls_ssl_conf_psk() was used.
- Fix stack buffer overflow in pkcs12 decryption (used by mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
- Fix potential buffer overflow in mbedtls_mpi_read_string().
- Fix potential random memory allocation in mbedtls_pem_read_buffer() on crafted PEM input data.
- Fix possible heap buffer overflow in base64_encoded() when the input buffer is 512MB or larger on 32-bit platforms.
- Fix potential double-free if mbedtls_conf_psk() is called repeatedly on the same mbedtls_ssl_config object and memory allocation fails.
- Fix potential heap buffer overflow in servers that perform client authentication against a crafted CA cert. Cannot be triggered remotely unless you allow third parties to pick trust CAs for client auth.

Bugfix
- Fix compile error in net.c with musl libc.
- Fix macroization of 'inline' keyword when building as C++.

Changes
- Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure domain names are compliant with RFC 1035.
- Fixed paths for check_config.h in example config files.

= mbed TLS 2.1.1 released 2015-09-17

Security
- Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5 signatures.
- Fix possible client-side NULL pointer dereference (read) when the client tries to continue the handshake after it failed (a misuse of the API).

Bugfix
- Fix warning when using a 64bit platform.
- Fix off-by-one error in parsing Supported Point Format extension that caused some handshakes to fail.

Changes
- Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow use of mbedtls_x509_crt_profile_next.
- When a client initiates a reconnect from the same port as a live connection, if cookie verification is available (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie callbacks set with mbedtls_ssl_conf_dtls_cookies()), this will be detected and mbedtls_ssl_read() will return MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new handshake with the same context. (See RFC 6347 section 4.2.8.)

= mbed TLS 2.1.0 released 2015-09-04

Features
- Added support for yotta as a build system.
- Primary open source license changed to Apache 2.0 license.

Bugfix
- Fix segfault in the benchmark program when benchmarking DHM.
- Fix build error with CMake and pre-4.5 versions of GCC
- Fix bug when parsing a ServerHello without extensions
- Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
- Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be installed
- Fix compile error with armcc 5 with --gnu option.
- Fix bug in Makefile that caused programs not to be installed correctly
- Fix bug in Makefile that prevented from installing without building the tests
- Fix missing -static-libgcc when building shared libraries for Windows with make.
- Fix link error when building shared libraries for Windows with make.
- Fix error when loading libmbedtls.so.
- Fix bug in mbedtls_ssl_conf_default() that caused the default preset to be always used
- Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could result trying to unlock an unlocked mutex on invalid input
- Fix -Wshadow warnings
- Fix memory corruption on client with overlong PSK identity, around SSL_MAX_CONTENT_LEN or higher - not triggerable remotely
- Fix unused function warning when using MBEDTLS_MDx_ALT or MBEDTLS_SHAxxx_ALT
- Fix memory corruption in pkey programs

Changes
- The PEM parser now accepts a trailing space at end of lines
- It is now possible to #include a user-provided configuration file at the end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the compiler's command line.
- When verifying a certificate chain, if an intermediate certificate is trusted, no later cert is checked.
- Prepend a "thread identifier" to debug messages
- Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment length.

= mbed TLS 2.0.0 released 2015-07-13

Features
- Support for DTLS 1.0 and 1.2 (RFC 6347).
- Ability to override core functions from MDx, SHAx, AES and DES modules with custom implementation (eg hardware accelerated), complementing the ability to override the whole module.
- New server-side implementation of session tickets that rotate keys to preserve forward secrecy, and allows sharing across multiple contexts.
- Added a concept of X.509 certificate verification profile that controls which algorithms and key sizes (curves for ECDSA) are acceptable.
- Expanded configurability of security parameters in the SSL module with mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
- Introduced a concept of presets for SSL security-relevant configuration parameters.

API Changes
- The library has been split into libmbedcrypto, libmbedx509, libmbedtls. You now need to link to all of them if you use TLS for example.
- All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace. Some names have been further changed to make them more consistent. Migration helpers scripts/rename.pl and include/mbedtls/compat-1.3.h are provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
- Renamings of fields inside structures, not covered by the previous list:
    mbedtls_cipher_info_t.key_length -> key_bitlen
    mbedtls_cipher_context_t.key_length -> key_bitlen
    mbedtls_ecp_curve_info.size -> bit_size
- Headers are now found in the 'mbedtls' directory (previously 'polarssl').
- The following _init() functions that could return errors have been split into an _init() that returns void and another function that should generally be the first function called on this context after init:
    mbedtls_ssl_init() -> mbedtls_ssl_setup()
    mbedtls_ccm_init() -> mbedtls_ccm_setkey()
    mbedtls_gcm_init() -> mbedtls_gcm_setkey()
    mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
    mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
  Note that for mbedtls_ssl_setup(), you need to be done setting up the ssl_config structure before calling it.
- Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(), ssl_set_session() and ssl_set_client_transport_id(), plus ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx() (see rename.pl and compat-1.3.h above) and their first argument's type changed from ssl_context to ssl_config.
- ssl_set_bio() changed signature (contexts merged, order switched, one additional callback for read-with-timeout).
- The following functions have been introduced and must be used in callback implementations (SNI, PSK) instead of their *conf counterparts:
    mbedtls_ssl_set_hs_own_cert()
    mbedtls_ssl_set_hs_ca_chain()
    mbedtls_ssl_set_hs_psk()
- mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set using mbedtls_ssl_set_hostname().
- mbedtls_ssl_conf_session_cache() changed prototype (only one context pointer, parameters reordered).
- On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
- The SSL debug callback gained two new arguments (file name, line number).
- Debug modes were removed.
- mbedtls_ssl_conf_truncated_hmac() now returns void.
- mbedtls_memory_buffer_alloc_init() now returns void.
- X.509 verification flags are now an uint32_t. Affect the signature of:
    mbedtls_ssl_get_verify_result()
    mbedtls_x509_ctr_verify_info()
    mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
    mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
- The following functions changed prototype to avoid an in-out length parameter:
    mbedtls_base64_encode()
    mbedtls_base64_decode()
    mbedtls_mpi_write_string()
    mbedtls_dhm_calc_secret()
- In the NET module, all "int" and "int *" arguments for file descriptors changed type to "mbedtls_net_context *".
- net_accept() gained new arguments for the size of the client_ip buffer.
- In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now return void.
- ecdsa_write_signature() gained an additional md_alg argument and ecdsa_write_signature_det() was deprecated.
- pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
- Last argument of x509_crt_check_key_usage() and mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
- test_ca_list (from certs.h) is renamed to test_cas_pem and is only available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
- Test certificates in certs.c are no longer guaranteed to be nul-terminated strings; use the new *_len variables instead of strlen().
- Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(), mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the length parameter to include the terminating null byte for PEM input.
- Signature of mpi_mul_mpi() changed to make the last argument unsigned
- calloc() is now used instead of malloc() everywhere. API of platform layer and the memory_buffer_alloc module changed accordingly.
- Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION (support for renegotiation now needs explicit enabling in config.h).
- Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE in config.h
- net_connect() and net_bind() have a new 'proto' argument to choose between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP. Their 'port' argument type is changed to a string.
- Some constness fixes

Removals
- Removed mbedtls_ecp_group_read_string(). Only named groups are supported.
- Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use mbedtls_ecp_muladd().
- Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions (use generic functions from md.h)
- Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom waiting function.
- Removed test DHM parameters from the test certs module.
- Removed the PBKDF2 module (use PKCS5).
- Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
- Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
- Removed openssl.h (very partial OpenSSL compatibility layer).
- Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
- Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have been removed (compiler is required to support 32-bit operations).
- Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled).
- Removed test program o_p_test, the script compat.sh does more.
- Removed test program ssl_test, superseded by ssl-opt.sh.
- Removed helper script active-config.pl

New deprecations
- md_init_ctx() is deprecated in favour of md_setup(), that adds a third argument (allowing memory savings if HMAC is not used)

Semi-API changes (technically public, morally private)
- Renamed a few headers to include _internal in the name. Those headers are not supposed to be included by users.
- Changed md_info_t into an opaque structure (use md_get_xxx() accessors).
- Changed pk_info_t into an opaque structure.
- Changed cipher_base_t into an opaque structure.
- Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
- x509_crt.key_usage changed from unsigned char to unsigned int.
- Removed r and s from ecdsa_context
- Removed mode from des_context and des3_context

Default behavior changes
- The default minimum TLS version is now TLS 1.0.
- RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the default ciphersuite list returned by ssl_list_ciphersuites()
- Support for receiving SSLv2 ClientHello is now disabled by default at compile time.
- The default authmode for SSL/TLS clients is now REQUIRED.
- Support for RSA_ALT contexts in the PK layer is now optional. Since it is enabled in the default configuration, this is only noticeable if using a custom config.h
- Default DHM parameters server-side upgraded from 1024 to 2048 bits.
- A minimum RSA key size of 2048 bits is now enforced during certificate chain verification.
- Negotiation of truncated HMAC is now disabled by default on server too.
- The following functions are now case-sensitive:
    mbedtls_cipher_info_from_string()
    mbedtls_ecp_curve_info_from_name()
    mbedtls_md_info_from_string()
    mbedtls_ssl_ciphersuite_from_string()
    mbedtls_version_check_feature()

Requirement changes
- The minimum MSVC version required is now 2010 (better C99 support).
- The NET layer now unconditionally relies on getaddrinfo() and select().
- Compiler is required to support C99 types such as long long and uint32_t.

API changes from the 1.4 preview branch
- ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with new prototype, and mbedtls_ssl_set_read_timeout().
- The following functions now return void:
    mbedtls_ssl_conf_transport()
    mbedtls_ssl_conf_max_version()
    mbedtls_ssl_conf_min_version()
- DTLS no longer hard-depends on TIMING_C, but uses a callback interface instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing an example implementation, see mbedtls_timing_delay_context and mbedtls_timing_set/get_delay().
- With UDP sockets, it is no longer necessary to call net_bind() again after a successful net_accept().

Changes
- mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now thread-safe if MBEDTLS_THREADING_C is enabled.
- Reduced ROM footprint of SHA-256 and added an option to reduce it even more (at the expense of performance) MBEDTLS_SHA256_SMALLER.

Diffstat (limited to 'security/mbedtls')
-rw-r--r-- security/mbedtls/Makefile 14
-rw-r--r-- security/mbedtls/PLIST 155
-rw-r--r-- security/mbedtls/distinfo 15
-rw-r--r-- security/mbedtls/patches/patch-Makefile 53
-rw-r--r-- security/mbedtls/patches/patch-library_Makefile 30
-rw-r--r-- security/mbedtls/patches/patch-programs_test_CMakeLists.txt 14
6 files changed, 141 insertions, 140 deletions
diff --git a/security/mbedtls/Makefile b/security/mbedtls/Makefile
index c34693d4629..0e34ebef5dd 100644
--- a/security/mbedtls/Makefile
+++ b/security/mbedtls/Makefile
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.2 2016/03/05 11:29:22 jperkin Exp $
+# $NetBSD: Makefile,v 1.3 2016/06/16 14:17:03 fhajny Exp $
#
-DISTNAME= mbedtls-1.3.11-gpl
-PKGNAME= ${DISTNAME:-gpl=}
-PKGREVISION= 1
+DISTNAME= mbedtls-2.2.1-apache
+PKGNAME= ${DISTNAME:-apache=}
CATEGORIES= security devel
MASTER_SITES= https://tls.mbed.org/download/
EXTRACT_SUFX= .tgz
@@ -11,7 +10,7 @@ EXTRACT_SUFX= .tgz
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= https://tls.mbed.org/
COMMENT= Lightweight, modular cryptographic and SSL/TLS library
-LICENSE= gnu-gpl-v2
+LICENSE= apache-2.0
CONFLICTS+= polarssl-[0-9]*
SUPERSEDES+= polarssl-[0-9]*
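Review bot: The unchanged `SUPERSEDES+= polarssl-[0-9]*` line below the new `LICENSE= apache-2.0` no longer matches what the package delivers. The commit message says the PolarSSL compatibility layer is gone and points users to security/mbedtls1, and the PLIST in this commit drops include/polarssl/* and lib/libpolarssl.*, so upgrading a polarssl install to this package would leave its consumers without the headers and library they link against. Consider dropping SUPERSEDES here (leaving it to mbedtls1), and check whether a CONFLICTS entry against mbedtls1 is needed, since this package still installs lib/libmbedtls.a and lib/libmbedtls.so.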
@@ -28,13 +27,8 @@ REPLACE_PERL= tests/scripts/*.pl
CMAKE_ARGS+= -DUSE_SHARED_MBEDTLS_LIBRARY=ON
MAKE_ENV+= RANLIB=${RANLIB:Q}
-TEST_TARGET= check
LDFLAGS.SunOS+= -lsocket
-post-install:
- ${CHMOD} -x ${DESTDIR}${PREFIX}/lib/libmbedtls.a
- ${SETENV} ${SH} ${WRKSRC}/scripts/polarssl_symlinks.sh ${DESTDIR}${PREFIX}/lib
-
.include "../../mk/pthread.buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
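Review bot: Two removals in this hunk are not explained by the commit message. `TEST_TARGET= check` is dropped with no replacement, so the upstream test suite can no longer be run through the package's test target, which is a real loss for a TLS library update that spans several security fixes. The removed post-install also cleared the execute bit on libmbedtls.a; the new PLIST installs three static archives (libmbedcrypto.a, libmbedtls.a, libmbedx509.a) and nothing here checks their modes. Either keep a test target that works with 2.2.1 or say why it was removed, and confirm the archives are installed non-executable before dropping the `${CHMOD} -x` step entirely.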
diff --git a/security/mbedtls/PLIST b/security/mbedtls/PLIST
index 672327523c3..696b306117d 100644
--- a/security/mbedtls/PLIST
+++ b/security/mbedtls/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.1 2015/06/12 09:05:05 fhajny Exp $
+@comment $NetBSD: PLIST,v 1.2 2016/06/16 14:17:03 fhajny Exp $
${PLIST.tools}bin/aescrypt2
${PLIST.tools}bin/benchmark
${PLIST.tools}bin/cert_app
@@ -9,6 +9,8 @@ ${PLIST.tools}bin/crypt_and_hash
${PLIST.tools}bin/dh_client
${PLIST.tools}bin/dh_genprime
${PLIST.tools}bin/dh_server
+${PLIST.tools}bin/dtls_client
+${PLIST.tools}bin/dtls_server
${PLIST.tools}bin/gen_entropy
${PLIST.tools}bin/gen_key
${PLIST.tools}bin/gen_random_ctr_drbg
@@ -16,10 +18,8 @@ ${PLIST.tools}bin/gen_random_havege
${PLIST.tools}bin/generic_sum
${PLIST.tools}bin/hello
${PLIST.tools}bin/key_app
-${PLIST.tools}bin/md5sum
${PLIST.tools}bin/mini_client
${PLIST.tools}bin/mpi_demo
-${PLIST.tools}${PLIST.tests}bin/o_p_test
${PLIST.tools}bin/pem2der
${PLIST.tools}bin/pk_decrypt
${PLIST.tools}bin/pk_encrypt
@@ -32,8 +32,6 @@ ${PLIST.tools}bin/rsa_genkey
${PLIST.tools}bin/rsa_sign
${PLIST.tools}bin/rsa_verify
${PLIST.tools}bin/selftest
-${PLIST.tools}bin/sha1sum
-${PLIST.tools}bin/sha2sum
${PLIST.tools}bin/ssl_cert_test
${PLIST.tools}bin/ssl_client1
${PLIST.tools}bin/ssl_client2
@@ -41,78 +39,83 @@ ${PLIST.tools}bin/ssl_fork_server
${PLIST.tools}bin/ssl_mail_client
${PLIST.tools}bin/ssl_pthread_server
${PLIST.tools}bin/ssl_server
-${PLIST.tools}bin/ssl_test
${PLIST.tools}bin/strerror
-include/polarssl/aes.h
-include/polarssl/aesni.h
-include/polarssl/arc4.h
-include/polarssl/asn1.h
-include/polarssl/asn1write.h
-include/polarssl/base64.h
-include/polarssl/bignum.h
-include/polarssl/blowfish.h
-include/polarssl/bn_mul.h
-include/polarssl/camellia.h
-include/polarssl/ccm.h
-include/polarssl/certs.h
-include/polarssl/check_config.h
-include/polarssl/cipher.h
-include/polarssl/cipher_wrap.h
-include/polarssl/compat-1.2.h
-include/polarssl/config.h
-include/polarssl/ctr_drbg.h
-include/polarssl/debug.h
-include/polarssl/des.h
-include/polarssl/dhm.h
-include/polarssl/ecdh.h
-include/polarssl/ecdsa.h
-include/polarssl/ecp.h
-include/polarssl/entropy.h
-include/polarssl/entropy_poll.h
-include/polarssl/error.h
-include/polarssl/gcm.h
-include/polarssl/havege.h
-include/polarssl/hmac_drbg.h
-include/polarssl/md.h
-include/polarssl/md2.h
-include/polarssl/md4.h
-include/polarssl/md5.h
-include/polarssl/md_wrap.h
-include/polarssl/memory.h
-include/polarssl/memory_buffer_alloc.h
-include/polarssl/net.h
-include/polarssl/oid.h
-include/polarssl/openssl.h
-include/polarssl/padlock.h
-include/polarssl/pbkdf2.h
-include/polarssl/pem.h
-include/polarssl/pk.h
-include/polarssl/pk_wrap.h
-include/polarssl/pkcs11.h
-include/polarssl/pkcs12.h
-include/polarssl/pkcs5.h
-include/polarssl/platform.h
-include/polarssl/ripemd160.h
-include/polarssl/rsa.h
-include/polarssl/sha1.h
-include/polarssl/sha256.h
-include/polarssl/sha512.h
-include/polarssl/ssl.h
-include/polarssl/ssl_cache.h
-include/polarssl/ssl_ciphersuites.h
-include/polarssl/threading.h
-include/polarssl/timing.h
-include/polarssl/version.h
-include/polarssl/x509.h
-include/polarssl/x509_crl.h
-include/polarssl/x509_crt.h
-include/polarssl/x509_csr.h
-include/polarssl/xtea.h
+${PLIST.tools}bin/udp_proxy
+include/mbedtls/aes.h
+include/mbedtls/aesni.h
+include/mbedtls/arc4.h
+include/mbedtls/asn1.h
+include/mbedtls/asn1write.h
+include/mbedtls/base64.h
+include/mbedtls/bignum.h
+include/mbedtls/blowfish.h
+include/mbedtls/bn_mul.h
+include/mbedtls/camellia.h
+include/mbedtls/ccm.h
+include/mbedtls/certs.h
+include/mbedtls/check_config.h
+include/mbedtls/cipher.h
+include/mbedtls/cipher_internal.h
+include/mbedtls/compat-1.3.h
+include/mbedtls/config.h
+include/mbedtls/ctr_drbg.h
+include/mbedtls/debug.h
+include/mbedtls/des.h
+include/mbedtls/dhm.h
+include/mbedtls/ecdh.h
+include/mbedtls/ecdsa.h
+include/mbedtls/ecjpake.h
+include/mbedtls/ecp.h
+include/mbedtls/entropy.h
+include/mbedtls/entropy_poll.h
+include/mbedtls/error.h
+include/mbedtls/gcm.h
+include/mbedtls/havege.h
+include/mbedtls/hmac_drbg.h
+include/mbedtls/md.h
+include/mbedtls/md2.h
+include/mbedtls/md4.h
+include/mbedtls/md5.h
+include/mbedtls/md_internal.h
+include/mbedtls/memory_buffer_alloc.h
+include/mbedtls/net.h
+include/mbedtls/oid.h
+include/mbedtls/padlock.h
+include/mbedtls/pem.h
+include/mbedtls/pk.h
+include/mbedtls/pk_internal.h
+include/mbedtls/pkcs11.h
+include/mbedtls/pkcs12.h
+include/mbedtls/pkcs5.h
+include/mbedtls/platform.h
+include/mbedtls/ripemd160.h
+include/mbedtls/rsa.h
+include/mbedtls/sha1.h
+include/mbedtls/sha256.h
+include/mbedtls/sha512.h
+include/mbedtls/ssl.h
+include/mbedtls/ssl_cache.h
+include/mbedtls/ssl_ciphersuites.h
+include/mbedtls/ssl_cookie.h
+include/mbedtls/ssl_internal.h
+include/mbedtls/ssl_ticket.h
+include/mbedtls/threading.h
+include/mbedtls/timing.h
+include/mbedtls/version.h
+include/mbedtls/x509.h
+include/mbedtls/x509_crl.h
+include/mbedtls/x509_crt.h
+include/mbedtls/x509_csr.h
+include/mbedtls/xtea.h
+lib/libmbedcrypto.a
+lib/libmbedcrypto.so
+lib/libmbedcrypto.so.0
+lib/libmbedcrypto.so.${PKGVERSION}
lib/libmbedtls.a
lib/libmbedtls.so
+lib/libmbedtls.so.10
lib/libmbedtls.so.${PKGVERSION}
-lib/libmbedtls.so.9
-lib/libpolarssl.a
-lib/libpolarssl.so
-lib/libpolarssl.so.${PKGVERSION}
-lib/libpolarssl.so.9
+lib/libmbedx509.a
+lib/libmbedx509.so
+lib/libmbedx509.so.0
+lib/libmbedx509.so.${PKGVERSION}
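Review bot: This hunk is an ABI and API break for every consumer and the commit shows no handling of dependents. The shared library moves from `lib/libmbedtls.so.9` to `lib/libmbedtls.so.10`, all of lib/libpolarssl.* disappears, the headers move from include/polarssl/ to include/mbedtls/, and TLS users now also need libmbedx509 and libmbedcrypto. The diffstat is limited to security/mbedtls, so it is not visible whether packages depending on this one were switched to security/mbedtls1 or revision-bumped; that should happen in the same change set, otherwise installed dependents keep pointing at a library name that no longer exists.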
diff --git a/security/mbedtls/distinfo b/security/mbedtls/distinfo
index cae6982fb54..b6240af3cd2 100644
--- a/security/mbedtls/distinfo
+++ b/security/mbedtls/distinfo
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.2 2015/11/04 01:17:50 agc Exp $
+$NetBSD: distinfo,v 1.3 2016/06/16 14:17:03 fhajny Exp $
-SHA1 (mbedtls-1.3.11-gpl.tgz) = 3948084c9d3312b381d458b06d9a2066c3cc0184
-RMD160 (mbedtls-1.3.11-gpl.tgz) = 66448e7d5ca41e7c64f55bdb3e4b9ec9d1ec3205
-SHA512 (mbedtls-1.3.11-gpl.tgz) = 242c486becc34d3b7ebba7624686aea6ed7713033aeabbfae7227284df322f191ddd5b9ded1228f100cd50bcfafb12396d93c30420afd3feb979b52a1860551e
-Size (mbedtls-1.3.11-gpl.tgz) = 1731809 bytes
-SHA1 (patch-Makefile) = 80698e16a397133de134ab582016b9e91ad652f0
-SHA1 (patch-library_Makefile) = 551854fbdd91ae180f1d5408869a556ff0c39d1a
-SHA1 (patch-programs_test_CMakeLists.txt) = 94ce731d81f1584c406e3b295c84fd6a5c327a50
+SHA1 (mbedtls-2.2.1-apache.tgz) = d2ff60fad7191dbb5b81ff6c22769964e5a7d53d
+RMD160 (mbedtls-2.2.1-apache.tgz) = a87671954663085100e288f4395f385435471825
+SHA512 (mbedtls-2.2.1-apache.tgz) = 6a74abc4ea225eb6bcf20894bb1a6faa82dbaff11129c41849151e2654570609efeee70d0644ce63c4d2c11e6142b2db262b88f3a22fdceff0a215a64a5d6eb0
+Size (mbedtls-2.2.1-apache.tgz) = 1863674 bytes
+SHA1 (patch-Makefile) = c69fceae637bd025fccf0ac3de926dfc37c22fa6
+SHA1 (patch-library_Makefile) = 7565162f06d2abd91cc974321fd873409f11a181
diff --git a/security/mbedtls/patches/patch-Makefile b/security/mbedtls/patches/patch-Makefile
index 4abb99a33ec..7f3621faa1f 100644
--- a/security/mbedtls/patches/patch-Makefile
+++ b/security/mbedtls/patches/patch-Makefile
@@ -1,30 +1,35 @@
-$NetBSD: patch-Makefile,v 1.1 2015/06/12 09:05:05 fhajny Exp $
+$NetBSD: patch-Makefile,v 1.2 2016/06/16 14:17:03 fhajny Exp $
Fix DESTDIR for pkgsrc.
---- Makefile.orig 2015-06-04 12:49:19.000000000 +0000
+--- Makefile.orig 2016-01-04 22:26:36.000000000 +0000
+++ Makefile
-@@ -1,6 +1,5 @@
+@@ -1,6 +1,6 @@
-DESTDIR=/usr/local
-PREFIX=mbedtls_
++PREFIX=/usr/local
+APPPREFIX=mbedtls_
- OLDPREFIX=polarssl_
.SILENT:
-@@ -19,35 +18,35 @@ tests: lib
- $(MAKE) -C tests
- install:
-- mkdir -p $(DESTDIR)/include/polarssl
-- cp -r include/polarssl $(DESTDIR)/include
-+ mkdir -p $(DESTDIR)$(PREFIX)/include/polarssl
-+ cp -r include/polarssl $(DESTDIR)$(PREFIX)/include
+@@ -21,34 +21,34 @@ tests: lib
+
+ ifndef WINDOWS
+ install: no_test
+- mkdir -p $(DESTDIR)/include/mbedtls
+- cp -r include/mbedtls $(DESTDIR)/include
++ mkdir -p $(DESTDIR)$(PREFIX)/include/mbedtls
++ cp -r include/mbedtls $(DESTDIR)$(PREFIX)/include
- mkdir -p $(DESTDIR)/lib
-- cp -RP library/libpolarssl.* library/libmbedtls.* $(DESTDIR)/lib
+- cp -RP library/libmbedtls.* $(DESTDIR)/lib
+- cp -RP library/libmbedx509.* $(DESTDIR)/lib
+- cp -RP library/libmbedcrypto.* $(DESTDIR)/lib
+ mkdir -p $(DESTDIR)$(PREFIX)/lib
-+ cp -RP library/libpolarssl.* library/libmbedtls.* $(DESTDIR)$(PREFIX)/lib
++ cp -RP library/libmbedtls.* $(DESTDIR)$(PREFIX)/lib
++ cp -RP library/libmbedx509.* $(DESTDIR)$(PREFIX)/lib
++ cp -RP library/libmbedcrypto.* $(DESTDIR)$(PREFIX)/lib
- mkdir -p $(DESTDIR)/bin
+ mkdir -p $(DESTDIR)$(PREFIX)/bin
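Review bot: The added `+PREFIX=/usr/local` line at the top of the patched Makefile is an unconditional assignment, so a PREFIX passed in through the environment is overridden and files land in $(DESTDIR)/usr/local instead of the package prefix; only a command-line `PREFIX=...` would win. Use `PREFIX?=/usr/local` so the caller's value takes precedence. The patch description still reads "Fix DESTDIR for pkgsrc." although the patch now also renames upstream's PREFIX to APPPREFIX and introduces a new PREFIX with different meaning; the comment should say so, since the rename changes what `$(PREFIX)` means in every install and uninstall line that follows.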
@@ -32,33 +37,29 @@ Fix DESTDIR for pkgsrc.
if [ -x $$p ] && [ ! -d $$p ] ; \
then \
- f=$(PREFIX)`basename $$p` ; \
-+ f=$(APPPREFIX)`basename $$p` ; \
- o=$(OLDPREFIX)`basename $$p` ; \
- cp $$p $(DESTDIR)/bin/$$f ; \
-- ln -sf $$f $(DESTDIR)/bin/$$o ; \
++ f=$(APPPREFIX)`basename $$p` ; \
+ cp $$p $(DESTDIR)$(PREFIX)/bin/$$f ; \
-+ ln -sf $$f $(DESTDIR)$(PREFIX)/bin/$$o ; \
fi \
done
uninstall:
-- rm -rf $(DESTDIR)/include/polarssl
-- rm -f $(DESTDIR)/lib/libpolarssl.*
+- rm -rf $(DESTDIR)/include/mbedtls
- rm -f $(DESTDIR)/lib/libmbedtls.*
-+ rm -rf $(DESTDIR)$(PREFIX)/include/polarssl
-+ rm -f $(DESTDIR)$(PREFIX)/lib/libpolarssl.*
+- rm -f $(DESTDIR)/lib/libmbedx509.*
+- rm -f $(DESTDIR)/lib/libmbedcrypto.*
++ rm -rf $(DESTDIR)$(PREFIX)/include/mbedtls
+ rm -f $(DESTDIR)$(PREFIX)/lib/libmbedtls.*
++ rm -f $(DESTDIR)$(PREFIX)/lib/libmbedx509.*
++ rm -f $(DESTDIR)$(PREFIX)/lib/libmbedcrypto.*
for p in programs/*/* ; do \
if [ -x $$p ] && [ ! -d $$p ] ; \
then \
- f=$(PREFIX)`basename $$p` ; \
-+ f=$(APPPREFIX)`basename $$p` ; \
- o=$(OLDPREFIX)`basename $$p` ; \
- rm -f $(DESTDIR)/bin/$$f ; \
-- rm -f $(DESTDIR)/bin/$$o ; \
++ f=$(APPPREFIX)`basename $$p` ; \
+ rm -f $(DESTDIR)$(PREFIX)/bin/$$f ; \
-+ rm -f $(DESTDIR)$(PREFIX)/bin/$$o ; \
fi \
done
-
+ endif
diff --git a/security/mbedtls/patches/patch-library_Makefile b/security/mbedtls/patches/patch-library_Makefile
index 27e435d0f37..35330fb86ab 100644
--- a/security/mbedtls/patches/patch-library_Makefile
+++ b/security/mbedtls/patches/patch-library_Makefile
@@ -1,15 +1,33 @@
-$NetBSD: patch-library_Makefile,v 1.1 2015/06/12 09:05:05 fhajny Exp $
+$NetBSD: patch-library_Makefile,v 1.2 2016/06/16 14:17:03 fhajny Exp $
Call ranlib instead of non-portable 'ar s'.
---- library/Makefile.orig 2015-06-04 12:49:19.000000000 +0000
+--- library/Makefile.orig 2016-01-04 22:26:36.000000000 +0000
+++ library/Makefile
-@@ -95,7 +95,7 @@ libmbedtls.a: $(OBJS)
+@@ -92,7 +92,7 @@ libmbedtls.a: $(OBJS_TLS)
echo " AR $@"
- $(AR) rc $@ $(OBJS)
+ $(AR) rc $@ $(OBJS_TLS)
echo " RL $@"
- $(AR) s $@
+ $(RANLIB) $@
- libpolarssl.$(DLEXT): libmbedtls.$(DLEXT)
- echo " LN $@ -> $?"
+ libmbedtls.$(SOEXT_TLS): $(OBJS_TLS) libmbedx509.so
+ echo " LD $@"
+@@ -115,7 +115,7 @@ libmbedx509.a: $(OBJS_X509)
+ echo " AR $@"
+ $(AR) rc $@ $(OBJS_X509)
+ echo " RL $@"
+- $(AR) s $@
++ $(RANLIB) $@
+
+ libmbedx509.$(SOEXT_X509): $(OBJS_X509) libmbedcrypto.so
+ echo " LD $@"
+@@ -138,7 +138,7 @@ libmbedcrypto.a: $(OBJS_CRYPTO)
+ echo " AR $@"
+ $(AR) rc $@ $(OBJS_CRYPTO)
+ echo " RL $@"
+- $(AR) s $@
++ $(RANLIB) $@
+
+ libmbedcrypto.$(SOEXT_CRYPTO): $(OBJS_CRYPTO)
+ echo " LD $@"
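Review bot: All three archive rules (libmbedtls.a, libmbedx509.a, libmbedcrypto.a) now run `$(RANLIB) $@`, but nothing in the patched library/Makefile shown here gives RANLIB a default. The build only works because the package Makefile exports `RANLIB=${RANLIB:Q}` through MAKE_ENV; if that variable is ever empty or unset, the recipe line expands to just the archive name and the build fails at the first static library. Adding a `RANLIB ?= ranlib` line to the patch makes it self-contained and suitable for sending upstream.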
diff --git a/security/mbedtls/patches/patch-programs_test_CMakeLists.txt b/security/mbedtls/patches/patch-programs_test_CMakeLists.txt
deleted file mode 100644
index 5eb32f9e6a1..00000000000
--- a/security/mbedtls/patches/patch-programs_test_CMakeLists.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-$NetBSD: patch-programs_test_CMakeLists.txt,v 1.1 2015/06/12 09:05:05 fhajny Exp $
-
-Make OpenSSL optional.
-
---- programs/test/CMakeLists.txt.orig 2015-06-04 12:49:19.000000000 +0000
-+++ programs/test/CMakeLists.txt
-@@ -1,4 +1,6 @@
--FIND_PACKAGE(OpenSSL)
-+if(ENABLE_TESTING)
-+ FIND_PACKAGE(OpenSSL)
-+endif(ENABLE_TESTING)
-
- set(libs
- mbedtls
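Review bot: The patch that guarded `FIND_PACKAGE(OpenSSL)` behind `if(ENABLE_TESTING)` is deleted without a stated reason. If programs/test/CMakeLists.txt in 2.2.1 still probes for OpenSSL unconditionally, the build result depends on whether OpenSSL happens to be present on the build host, which is a hidden dependency. The changelog in the commit message notes that o_p_test and openssl.h were removed upstream, which may be why the patch is obsolete; please confirm that against the 2.2.1 source and record it in the commit message.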