[pkgsrc/trunk]: pkgsrc/security/wolfssl security/wolfssl: Update to v5.5.1

[fox <fox%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/8c3479c9bdf6
branches:  trunk
changeset: 386123:8c3479c9bdf6
user:      fox <fox%pkgsrc.org@localhost>
date:      Sat Oct 01 11:47:09 2022 +0000

description:
security/wolfssl: Update to v5.5.1

Changes since v5.5.0:

wolfSSL Release 5.5.1 (Sep 28, 2022) Latest

Vulnerabilities
* [Med] Denial of service attack and buffer overflow against TLS 1.3 servers
  using session ticket resumption. When built with --enable-session-ticket and
  making use of TLS 1.3 server code in wolfSSL, there is the possibility of a
  malicious client to craft a malformed second ClientHello packet that causes
  the server to crash. This issue is limited to when using both
  --enable-session-ticket and TLS 1.3 on the server side. Users with TLS 1.3
  servers, and having --enable-session-ticket, should update to the latest
  version of wolfSSL. Thanks to Max at Trail of Bits for the report and
  "LORIA, INRIA, France" for research on tlspuffin.

New Feature Additions
* Add support for non-blocking ECC key gen and shared secret gen for
  P-256/384/521
* Add support for non-blocking ECDHE/ECDSA in TLS/DTLS layer.
* Port to NXP RT685 with FreeRTOS
* Add option to build post quantum Kyber API (--enable-kyber)
* Add post quantum algorithm sphincs to wolfCrypt
* Config. option to force no asm with SP build (--enable-sp=noasm)
* Allow post quantum keyshare for DTLS 1.3

Enhancements
* DTLSv1.3: Do HRR Cookie exchange by default
* Add wolfSSL_EVP_PKEY_new_CMAC_key to OpenSSL compatible API
* Update ide win10 build files to add missing sp source files
* Improve Workbench docs
* Improve EVP support for CHACHA20_POLY1305
* Improve wc_SetCustomExtension documentation
* RSA-PSS with OCSP and add simple OCSP response DER verify test case
* Clean up some FIPS versioning logic in configure.ac and WIN10 user_settings.h
* Don't over-allocate memory for DTLS fragments
* Add WOLFSSL_ATECC_TFLXTLS for Atmel port
* SHA-3 performance improvements with x86_64 assembly
* Add code to fallback to S/W if TSIP cannot handle
* Improves entropy with VxWorks
* Make time in milliseconds 64-bits for longer session ticket lives
* Support for setting cipher list with bytes
* wolfSSL_set1_curves_list(), wolfSSL_CTX_set1_curves_list() improvements
* Add to RSAES-OAEP key parsing for pkcs7
* Add missing DN nid to work with PrintName()
* SP int: default to 16 bit word size when NO_64BIT defined
* Limit the amount of fragments we store per a DTLS connection and error out
  when max limit is reached
* Detect when certificate's RSA public key size is too big and fail on loading
  of certificate

Fixes
* Fix for async with OCSP non-blocking in ProcessPeerCerts
* Fixes for building with 32-bit and socket size sign/unsigned mismatch
* Fix Windows CMakeList compiler options
* TLS 1.3 Middle-Box compat: fix missing brace
* Configuration consistency fixes for RSA keys and way to force disable of
  private keys
* Fix for Aarch64 Mac M1 SP use
* Fix build errors and warnings for MSVC with DTLS 1.3
* Fix HMAC compat layer function for SHA-1
* Fix DTLS 1.3 do not negotiate ConnectionID in HelloRetryRequest
* Check return from call to wc_Time
* SP math: fix build configuration with opensslall
* Fix for async session tickets
* SP int mp_init_size fixes when SP_WORD_SIZE == 8
* Ed. function to make public key now checks for if the private key flag is set
* Fix HashRaw WC_SHA256_DIGEST_SIZE for wc_Sha256GetHash
* Fix for building with PSK only
* Set correct types in wolfSSL_sk_*_new functions
* Sanity check that size passed to mp_init_size() is no more than SP_INT_DIGITS

diffstat:

 security/wolfssl/Makefile                |   4 ++--
 security/wolfssl/PLIST                   |   6 +++++-
 security/wolfssl/distinfo                |   9 +++++----
 security/wolfssl/patches/patch-configure |  15 +++++++++++++++
 4 files changed, 27 insertions(+), 7 deletions(-)

diffs (84 lines):

diff -r 8ac2b7a75a44 -r 8c3479c9bdf6 security/wolfssl/Makefile
--- a/security/wolfssl/Makefile Sat Oct 01 11:26:24 2022 +0000
+++ b/security/wolfssl/Makefile Sat Oct 01 11:47:09 2022 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.15 2022/09/04 08:41:57 fox Exp $
+# $NetBSD: Makefile,v 1.16 2022/10/01 11:47:09 fox Exp $
 
-DISTNAME=      wolfssl-5.5.0
+DISTNAME=      wolfssl-5.5.1
 CATEGORIES=    security
 MASTER_SITES=  https://www.wolfssl.com/
 EXTRACT_SUFX=  .zip
diff -r 8ac2b7a75a44 -r 8c3479c9bdf6 security/wolfssl/PLIST
--- a/security/wolfssl/PLIST    Sat Oct 01 11:26:24 2022 +0000
+++ b/security/wolfssl/PLIST    Sat Oct 01 11:47:09 2022 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.10 2022/09/04 08:41:57 fox Exp $
+@comment $NetBSD: PLIST,v 1.11 2022/10/01 11:47:09 fox Exp $
 bin/wolfssl-config
 include/cyassl/callbacks.h
 include/cyassl/certs_test.h
@@ -186,6 +186,7 @@
 include/wolfssl/wolfcrypt/ed25519.h
 include/wolfssl/wolfcrypt/ed448.h
 include/wolfssl/wolfcrypt/error-crypt.h
+include/wolfssl/wolfcrypt/ext_kyber.h
 include/wolfssl/wolfcrypt/falcon.h
 include/wolfssl/wolfcrypt/fe_448.h
 include/wolfssl/wolfcrypt/fe_operations.h
@@ -196,6 +197,7 @@
 include/wolfssl/wolfcrypt/hmac.h
 include/wolfssl/wolfcrypt/integer.h
 include/wolfssl/wolfcrypt/kdf.h
+include/wolfssl/wolfcrypt/kyber.h
 include/wolfssl/wolfcrypt/logging.h
 include/wolfssl/wolfcrypt/md2.h
 include/wolfssl/wolfcrypt/md4.h
@@ -222,11 +224,13 @@
 include/wolfssl/wolfcrypt/signature.h
 include/wolfssl/wolfcrypt/siphash.h
 include/wolfssl/wolfcrypt/sp_int.h
+include/wolfssl/wolfcrypt/sphincs.h
 include/wolfssl/wolfcrypt/srp.h
 include/wolfssl/wolfcrypt/tfm.h
 include/wolfssl/wolfcrypt/types.h
 include/wolfssl/wolfcrypt/visibility.h
 include/wolfssl/wolfcrypt/wc_encrypt.h
+include/wolfssl/wolfcrypt/wc_kyber.h
 include/wolfssl/wolfcrypt/wc_port.h
 include/wolfssl/wolfcrypt/wolfevent.h
 include/wolfssl/wolfcrypt/wolfmath.h
diff -r 8ac2b7a75a44 -r 8c3479c9bdf6 security/wolfssl/distinfo
--- a/security/wolfssl/distinfo Sat Oct 01 11:26:24 2022 +0000
+++ b/security/wolfssl/distinfo Sat Oct 01 11:47:09 2022 +0000
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.16 2022/09/04 08:41:57 fox Exp $
+$NetBSD: distinfo,v 1.17 2022/10/01 11:47:09 fox Exp $
 
-BLAKE2s (wolfssl-5.5.0.zip) = 082c16346b4f774a1ceb0669acbcf700de9749991fd15f6bbaea8002e4e1c67a
-SHA512 (wolfssl-5.5.0.zip) = ec2b1c21b59f92c5c29cf5616227b31ec463f2ac4a2793e41d4ab271bc7540334dcae6a69cbaf706d05a371c33527ccbe7f07620aab09046ab8e2f48ad618d3e
-Size (wolfssl-5.5.0.zip) = 20168520 bytes
+BLAKE2s (wolfssl-5.5.1.zip) = c63d84698177add2f008f607b1560ceefc5574ccc4628b9f3d70450b84df315d
+SHA512 (wolfssl-5.5.1.zip) = fb61f1f4208e33260e8ff7804bf0518807f1b89db1c1619ec04ca1400b6779cc2309c399244b4b35bdf57f892bf7dfbce138321981d9c9a89e59c53cc210028f
+Size (wolfssl-5.5.1.zip) = 20389385 bytes
+SHA1 (patch-configure) = 70270a0f102297d2b61f47bdc6420f393b6689fd
diff -r 8ac2b7a75a44 -r 8c3479c9bdf6 security/wolfssl/patches/patch-configure
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/wolfssl/patches/patch-configure  Sat Oct 01 11:47:09 2022 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-configure,v 1.5 2022/10/01 11:47:10 fox Exp $
+
+Make the script portable.
+
+--- configure.orig     2022-10-01 11:35:36.891958063 +0000
++++ configure
+@@ -21777,7 +21777,7 @@ then
+         then
+                 as_fn_error $? "You need to enable both DTLS and TLSv1.3 to use DTLSv1.3" "$LINENO" 5
+         fi
+-        if test "x$ENABLED_SEND_HRR_COOKIE" == "xundefined"
++        if test "x$ENABLED_SEND_HRR_COOKIE" = "xundefined"
+         then
+                 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: DTLSv1.3 is enabled, enabling HRR cookie" >&5
+ printf "%s\n" "$as_me: DTLSv1.3 is enabled, enabling HRR cookie" >&6;}