pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/security/mbedtls
Module Name: pkgsrc
Committed By: fhajny
Date: Thu Jun 16 14:17:03 UTC 2016
Modified Files:
pkgsrc/security/mbedtls: Makefile PLIST distinfo
pkgsrc/security/mbedtls/patches: patch-Makefile patch-library_Makefile
Removed Files:
pkgsrc/security/mbedtls/patches: patch-programs_test_CMakeLists.txt
Log Message:
Update security/mbedtls to 2.2.1.
This breaks removes the legacy PolarSSL compatibility layer. For
software that needs it, please use security/mbedtls1 instead.
Change license to apache-2.0.
Upstream changelog since 1.3.11 follows.
= mbed TLS 2.2.1 released 2016-01-05
Security
- Fix potential double free when mbedtls_asn1_store_named_data() fails
to allocate memory. Only used for certificate generation, not
triggerable remotely in SSL/TLS.
- Disable MD5 handshake signatures in TLS 1.2 by default
Bugfix
- Fix over-restrictive length limit in GCM.
- Fix bug in certificate validation that caused valid chains to be
rejected when the first intermediate certificate has
pathLenConstraint=0.
- Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign()
- Fix suboptimal handling of unexpected records that caused interop
issues with some peers over unreliable links. Avoid dropping an
entire DTLS datagram if a single record in a datagram is unexpected,
instead only drop the record and look at subsequent records (if any
are present) in the same datagram.
= mbed TLS 2.2.0 released 2015-11-04
Security
- Fix potential double free if mbedtls_ssl_conf_psk() is called more
than once and some allocation fails. Cannot be forced remotely.
- Fix potential heap corruption on Windows when
mbedtls_x509_crt_parse_path() is passed a path longer than 2GB.
Cannot be triggered remotely.
- Fix potential buffer overflow in some asn1_write_xxx() functions.
Cannot be triggered remotely unless you create X.509 certificates
based on untrusted input or write keys of untrusted origin.
- The X509 max_pathlen constraint was not enforced on intermediate
certificates.
Features
- Experimental support for EC J-PAKE as defined in Thread 1.0.0.
Disabled by default as the specification might still change.
- Added a key extraction callback to accees the master secret and key
block. (Potential uses include EAP-TLS and Thread.)
Bugfix
- Self-signed certificates were not excluded from pathlen counting,
resulting in some valid X.509 being incorrectly rejected.
- Fix build error with configurations where ECDHE-PSK is the only key
exchange.
- Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
ECHD-ECDSA if the only key exchange. Multiple reports.
- Fixed a bug causing some handshakes to fail due to some non-fatal
alerts not being properly ignored.
- mbedtls_x509_crt_verify(_with_profile)() now also checks the key
type and size/curve against the profile. Before that, there was no
way to set a minimum key size for end-entity certificates with
RSA keys.
- Fix failures in MPI on Sparc(64) due to use of bad assembly code.
- Fix typo in name of the extKeyUsage OID.
- Fix bug in ASN.1 encoding of booleans that caused generated CA
certificates to be rejected by some applications, including OS X
Keychain.
Changes
- Improved performance of mbedtls_ecp_muladd() when one of the scalars
is or -1.
= mbed TLS 2.1.2 released 2015-10-06
Security
- Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
overflow of the hostname or session ticket.
- Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more
than once in the same handhake and mbedtls_ssl_conf_psk() was used.
- Fix stack buffer overflow in pkcs12 decryption (used by
mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
- Fix potential buffer overflow in mbedtls_mpi_read_string().
- Fix potential random memory allocation in mbedtls_pem_read_buffer()
on crafted PEM input data.
- Fix possible heap buffer overflow in base64_encoded() when the input
buffer is 512MB or larger on 32-bit platforms.
- Fix potential double-free if mbedtls_conf_psk() is called repeatedly
on the same mbedtls_ssl_config object and memory allocation fails.
- Fix potential heap buffer overflow in servers that perform client
authentication against a crafted CA cert. Cannot be triggered
remotely unless you allow third parties to pick trust CAs for
client auth.
Bugfix
- Fix compile error in net.c with musl libc.
- Fix macroization of 'inline' keyword when building as C++.
Changes
- Added checking of hostname length in mbedtls_ssl_set_hostname() to
ensure domain names are compliant with RFC 1035.
- Fixed paths for check_config.h in example config files.
= mbed TLS 2.1.1 released 2015-09-17
Security
- Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
signatures.
- Fix possible client-side NULL pointer dereference (read) when the
client tries to continue the handshake after it failed (a misuse
of the API).
Bugfix
- Fix warning when using a 64bit platform.
- Fix off-by-one error in parsing Supported Point Format extension
that caused some handshakes to fail.
Changes
- Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile()
to allow use of mbedtls_x509_crt_profile_next.
- When a client initiates a reconnect from the same port as a live
connection, if cookie verification is available
(MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable
cookie callbacks set with mbedtls_ssl_conf_dtls_cookies()), this
will be detected and mbedtls_ssl_read() will return
MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a
new handshake with the same context. (See RFC 6347 section 4.2.8.)
= mbed TLS 2.1.0 released 2015-09-04
Features
- Added support for yotta as a build system.
- Primary open source license changed to Apache 2.0 license.
Bugfix
- Fix segfault in the benchmark program when benchmarking DHM.
- Fix build error with CMake and pre-4.5 versions of GCC
- Fix bug when parsing a ServerHello without extensions
- Fix bug in CMake lists that caused libmbedcrypto.a not to be
installed
- Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to
be installed
- Fix compile error with armcc 5 with --gnu option.
- Fix bug in Makefile that caused programs not to be installed
correctly
- Fix bug in Makefile that prevented from installing without building
the tests
- Fix missing -static-libgcc when building shared libraries for
Windows with make.
- Fix link error when building shared libraries for Windows with make.
- Fix error when loading libmbedtls.so.
- Fix bug in mbedtls_ssl_conf_default() that caused the default preset
to be always used
- Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
result trying to unlock an unlocked mutex on invalid input
- Fix -Wshadow warnings
- Fix memory corruption on client with overlong PSK identity, around
SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely
- Fix unused function warning when using MBEDTLS_MDx_ALT or
MBEDTLS_SHAxxx_ALT
- Fix memory corruption in pkey programs
Changes
- The PEM parser now accepts a trailing space at end of lines
- It is now possible to #include a user-provided configuration file at
the end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on
the compiler's command line.
- When verifying a certificate chain, if an intermediate certificate
is trusted, no later cert is checked.
- Prepend a "thread identifier" to debug messages
- Add mbedtls_ssl_get_max_frag_len() to query the current maximum
fragment length.
= mbed TLS 2.0.0 released 2015-07-13
Features
- Support for DTLS 1.0 and 1.2 (RFC 6347).
- Ability to override core functions from MDx, SHAx, AES and DES
modules with custom implementation (eg hardware accelerated),
complementing the ability to override the whole module.
- New server-side implementation of session tickets that rotate keys
to preserve forward secrecy, and allows sharing across multiple
contexts.
- Added a concept of X.509 cerificate verification profile that
controls which algorithms and key sizes (curves for ECDSA) are
acceptable.
- Expanded configurability of security parameters in the SSL module
with mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
- Introduced a concept of presets for SSL security-relevant
configuration parameters.
API Changes
- The library has been split into libmbedcrypto, libmbedx509,
libmbedtls. You now need to link to all of them if you use TLS
for example.
- All public identifiers moved to the mbedtls_* or MBEDTLS_*
namespace. Some names have been further changed to make them more
consistent. Migration helpers scripts/rename.pl and
include/mbedlts/compat-1.3.h are provided. Full list of renamings
in scripts/data_files/rename-1.3-2.0.txt
- Renamings of fields inside structures, not covered by the previous
list:
mbedtls_cipher_info_t.key_length -> key_bitlen
mbedtls_cipher_context_t.key_length -> key_bitlen
mbedtls_ecp_curve_info.size -> bit_size
- Headers are now found in the 'mbedtls' directory (previously
'polarssl').
- The following _init() functions that could return errors have
been split into an _init() that returns void and another function
that should generally be the first function called on this context after
init:
mbedtls_ssl_init() -> mbedtls_ssl_setup()
mbedtls_ccm_init() -> mbedtls_ccm_setkey()
mbedtls_gcm_init() -> mbedtls_gcm_setkey()
mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
Note that for mbedtls_ssl_setup(), you need to be done setting up
the ssl_config structure before calling it.
- Most ssl_set_xxx() functions (all except ssl_set_bio(),
ssl_set_hostname(),
ssl_set_session() and ssl_set_client_transport_id(), plus
ssl_legacy_renegotiation()) have been renamed to
mbedtls_ssl_conf_xxx() (see rename.pl and compat-1.3.h above) and
their first argument's type changed from ssl_context to ssl_config.
- ssl_set_bio() changed signature (contexts merged, order switched,
one additional callback for read-with-timeout).
- The following functions have been introduced and must be used in
callback implementations (SNI, PSK) instead of their *conf
counterparts:
mbedtls_ssl_set_hs_own_cert()
mbedtls_ssl_set_hs_ca_chain()
mbedtls_ssl_set_hs_psk()
- mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now
set using mbedtls_ssl_set_hostname().
- mbedtls_ssl_conf_session_cache() changed prototype (only one context
pointer, parameters reordered).
- On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
place of mbedtls_ssl_conf_session_tickets() to enable session
tickets.
- The SSL debug callback gained two new arguments (file name, line
number).
- Debug modes were removed.
- mbedtls_ssl_conf_truncated_hmac() now returns void.
- mbedtls_memory_buffer_alloc_init() now returns void.
- X.509 verification flags are now an uint32_t. Affect the signature
of:
mbedtls_ssl_get_verify_result()
mbedtls_x509_ctr_verify_info()
mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
- The following functions changed prototype to avoid an in-out length
parameter:
mbedtls_base64_encode()
mbedtls_base64_decode()
mbedtls_mpi_write_string()
mbedtls_dhm_calc_secret()
- In the NET module, all "int" and "int *" arguments for file
descriptors changed type to "mbedtls_net_context *".
- net_accept() gained new arguments for the size of the client_ip
buffer.
- In the threading layer, mbedtls_mutex_init() and
mbedtls_mutex_free() now return void.
- ecdsa_write_signature() gained an addtional md_alg argument and
ecdsa_write_signature_det() was deprecated.
- pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
- Last argument of x509_crt_check_key_usage() and
mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
- test_ca_list (from certs.h) is renamed to test_cas_pem and is only
available if POLARSSL_PEM_PARSE_C is defined (it never worked
without).
- Test certificates in certs.c are no longer guaranteed to be
nul-terminated strings; use the new *_len variables instead of strlen().
- Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(),
mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect
the length parameter to include the terminating null byte for PEM input.
- Signature of mpi_mul_mpi() changed to make the last argument
unsigned
- calloc() is now used instead of malloc() everywhere. API of platform
layer and the memory_buffer_alloc module changed accordingly.
- Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
(support for renegotiation now needs explicit enabling in config.h).
- Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and
MBEDTLS_HAVE_TIME_DATE in config.h
- net_connect() and net_bind() have a new 'proto' argument to choose
between TCP and UDP, using the macros NET_PROTO_TCP or
NET_PROTO_UDP. Their 'port' argument type is changed to a string.
- Some constness fixes
Removals
- Removed mbedtls_ecp_group_read_string(). Only named groups are
supported.
- Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use
mbedtls_ecp_muladd().
- Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file
functions (use generic functions from md.h)
- Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a
custom waiting function.
- Removed test DHM parameters from the test certs module.
- Removed the PBKDF2 module (use PKCS5).
- Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
- Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
- Removed openssl.h (very partial OpenSSL compatibility layer).
- Configuration options POLARSSL_HAVE_LONGLONG was removed (now always
on).
- Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16
have been removed (compiler is required to support 32-bit operations).
- Configuration option POLARSSL_HAVE_IPV6 was removed (always
enabled).
- Removed test program o_p_test, the script compat.sh does more.
- Removed test program ssl_test, superseded by ssl-opt.sh.
- Removed helper script active-config.pl
New deprecations
- md_init_ctx() is deprecated in favour of md_setup(), that adds a
third argument (allowing memory savings if HMAC is not used)
Semi-API changes (technically public, morally private)
- Renamed a few headers to include _internal in the name. Those
headers are not supposed to be included by users.
- Changed md_info_t into an opaque structure (use md_get_xxx()
accessors).
- Changed pk_info_t into an opaque structure.
- Changed cipher_base_t into an opaque structure.
- Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and
x509_crl.
- x509_crt.key_usage changed from unsigned char to unsigned int.
- Removed r and s from ecdsa_context
- Removed mode from des_context and des3_context
Default behavior changes
- The default minimum TLS version is now TLS 1.0.
- RC4 is now blacklisted by default in the SSL/TLS layer, and excluded
from the default ciphersuite list returned by ssl_list_ciphersuites()
- Support for receiving SSLv2 ClientHello is now disabled by default
at compile time.
- The default authmode for SSL/TLS clients is now REQUIRED.
- Support for RSA_ALT contexts in the PK layer is now optional. Since
is is enabled in the default configuration, this is only noticeable
if using a custom config.h
- Default DHM parameters server-side upgraded from 1024 to 2048 bits.
- A minimum RSA key size of 2048 bits is now enforced during
ceritificate chain verification.
- Negotiation of truncated HMAC is now disabled by default on server
too.
- The following functions are now case-sensitive:
mbedtls_cipher_info_from_string()
mbedtls_ecp_curve_info_from_name()
mbedtls_md_info_from_string()
mbedtls_ssl_ciphersuite_from_string()
mbedtls_version_check_feature()
Requirement changes
- The minimum MSVC version required is now 2010 (better C99 support).
- The NET layer now unconditionnaly relies on getaddrinfo() and
select().
- Compiler is required to support C99 types such as long long and
uint32_t.
API changes from the 1.4 preview branch
- ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio()
with new prototype, and mbedtls_ssl_set_read_timeout().
- The following functions now return void:
mbedtls_ssl_conf_transport()
mbedtls_ssl_conf_max_version()
mbedtls_ssl_conf_min_version()
- DTLS no longer hard-depends on TIMING_C, but uses a callback
interface instead, see mbedtls_ssl_set_timer_cb(), with the Timing
module providing an example implementation, see
mbedtls_timing_delay_context and mbedtls_timing_set/get_delay().
- With UDP sockets, it is no longer necessary to call net_bind() again
after a successful net_accept().
Changes
- mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
thread-safe if MBEDTLS_THREADING_C is enabled.
- Reduced ROM fooprint of SHA-256 and added an option to reduce it
even more (at the expense of performance) MBEDTLS_SHA256_SMALLER.
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 pkgsrc/security/mbedtls/Makefile \
pkgsrc/security/mbedtls/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/mbedtls/PLIST
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/mbedtls/patches/patch-Makefile \
pkgsrc/security/mbedtls/patches/patch-library_Makefile
cvs rdiff -u -r1.1 -r0 \
pkgsrc/security/mbedtls/patches/patch-programs_test_CMakeLists.txt
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/mbedtls/Makefile
diff -u pkgsrc/security/mbedtls/Makefile:1.2 pkgsrc/security/mbedtls/Makefile:1.3
--- pkgsrc/security/mbedtls/Makefile:1.2 Sat Mar 5 11:29:22 2016
+++ pkgsrc/security/mbedtls/Makefile Thu Jun 16 14:17:03 2016
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.2 2016/03/05 11:29:22 jperkin Exp $
+# $NetBSD: Makefile,v 1.3 2016/06/16 14:17:03 fhajny Exp $
#
-DISTNAME= mbedtls-1.3.11-gpl
-PKGNAME= ${DISTNAME:-gpl=}
-PKGREVISION= 1
+DISTNAME= mbedtls-2.2.1-apache
+PKGNAME= ${DISTNAME:-apache=}
CATEGORIES= security devel
MASTER_SITES= https://tls.mbed.org/download/
EXTRACT_SUFX= .tgz
@@ -11,7 +10,7 @@ EXTRACT_SUFX= .tgz
MAINTAINER= pkgsrc-users%NetBSD.org@localhost
HOMEPAGE= https://tls.mbed.org/
COMMENT= Lightweight, modular cryptographic and SSL/TLS library
-LICENSE= gnu-gpl-v2
+LICENSE= apache-2.0
CONFLICTS+= polarssl-[0-9]*
SUPERSEDES+= polarssl-[0-9]*
@@ -28,13 +27,8 @@ REPLACE_PERL= tests/scripts/*.pl
CMAKE_ARGS+= -DUSE_SHARED_MBEDTLS_LIBRARY=ON
MAKE_ENV+= RANLIB=${RANLIB:Q}
-TEST_TARGET= check
LDFLAGS.SunOS+= -lsocket
-post-install:
- ${CHMOD} -x ${DESTDIR}${PREFIX}/lib/libmbedtls.a
- ${SETENV} ${SH} ${WRKSRC}/scripts/polarssl_symlinks.sh ${DESTDIR}${PREFIX}/lib
-
.include "../../mk/pthread.buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
Index: pkgsrc/security/mbedtls/distinfo
diff -u pkgsrc/security/mbedtls/distinfo:1.2 pkgsrc/security/mbedtls/distinfo:1.3
--- pkgsrc/security/mbedtls/distinfo:1.2 Wed Nov 4 01:17:50 2015
+++ pkgsrc/security/mbedtls/distinfo Thu Jun 16 14:17:03 2016
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.2 2015/11/04 01:17:50 agc Exp $
+$NetBSD: distinfo,v 1.3 2016/06/16 14:17:03 fhajny Exp $
-SHA1 (mbedtls-1.3.11-gpl.tgz) = 3948084c9d3312b381d458b06d9a2066c3cc0184
-RMD160 (mbedtls-1.3.11-gpl.tgz) = 66448e7d5ca41e7c64f55bdb3e4b9ec9d1ec3205
-SHA512 (mbedtls-1.3.11-gpl.tgz) = 242c486becc34d3b7ebba7624686aea6ed7713033aeabbfae7227284df322f191ddd5b9ded1228f100cd50bcfafb12396d93c30420afd3feb979b52a1860551e
-Size (mbedtls-1.3.11-gpl.tgz) = 1731809 bytes
-SHA1 (patch-Makefile) = 80698e16a397133de134ab582016b9e91ad652f0
-SHA1 (patch-library_Makefile) = 551854fbdd91ae180f1d5408869a556ff0c39d1a
-SHA1 (patch-programs_test_CMakeLists.txt) = 94ce731d81f1584c406e3b295c84fd6a5c327a50
+SHA1 (mbedtls-2.2.1-apache.tgz) = d2ff60fad7191dbb5b81ff6c22769964e5a7d53d
+RMD160 (mbedtls-2.2.1-apache.tgz) = a87671954663085100e288f4395f385435471825
+SHA512 (mbedtls-2.2.1-apache.tgz) = 6a74abc4ea225eb6bcf20894bb1a6faa82dbaff11129c41849151e2654570609efeee70d0644ce63c4d2c11e6142b2db262b88f3a22fdceff0a215a64a5d6eb0
+Size (mbedtls-2.2.1-apache.tgz) = 1863674 bytes
+SHA1 (patch-Makefile) = c69fceae637bd025fccf0ac3de926dfc37c22fa6
+SHA1 (patch-library_Makefile) = 7565162f06d2abd91cc974321fd873409f11a181
Index: pkgsrc/security/mbedtls/PLIST
diff -u pkgsrc/security/mbedtls/PLIST:1.1 pkgsrc/security/mbedtls/PLIST:1.2
--- pkgsrc/security/mbedtls/PLIST:1.1 Fri Jun 12 09:05:05 2015
+++ pkgsrc/security/mbedtls/PLIST Thu Jun 16 14:17:03 2016
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.1 2015/06/12 09:05:05 fhajny Exp $
+@comment $NetBSD: PLIST,v 1.2 2016/06/16 14:17:03 fhajny Exp $
${PLIST.tools}bin/aescrypt2
${PLIST.tools}bin/benchmark
${PLIST.tools}bin/cert_app
@@ -9,6 +9,8 @@ ${PLIST.tools}bin/crypt_and_hash
${PLIST.tools}bin/dh_client
${PLIST.tools}bin/dh_genprime
${PLIST.tools}bin/dh_server
+${PLIST.tools}bin/dtls_client
+${PLIST.tools}bin/dtls_server
${PLIST.tools}bin/gen_entropy
${PLIST.tools}bin/gen_key
${PLIST.tools}bin/gen_random_ctr_drbg
@@ -16,10 +18,8 @@ ${PLIST.tools}bin/gen_random_havege
${PLIST.tools}bin/generic_sum
${PLIST.tools}bin/hello
${PLIST.tools}bin/key_app
-${PLIST.tools}bin/md5sum
${PLIST.tools}bin/mini_client
${PLIST.tools}bin/mpi_demo
-${PLIST.tools}${PLIST.tests}bin/o_p_test
${PLIST.tools}bin/pem2der
${PLIST.tools}bin/pk_decrypt
${PLIST.tools}bin/pk_encrypt
@@ -32,8 +32,6 @@ ${PLIST.tools}bin/rsa_genkey
${PLIST.tools}bin/rsa_sign
${PLIST.tools}bin/rsa_verify
${PLIST.tools}bin/selftest
-${PLIST.tools}bin/sha1sum
-${PLIST.tools}bin/sha2sum
${PLIST.tools}bin/ssl_cert_test
${PLIST.tools}bin/ssl_client1
${PLIST.tools}bin/ssl_client2
@@ -41,78 +39,83 @@ ${PLIST.tools}bin/ssl_fork_server
${PLIST.tools}bin/ssl_mail_client
${PLIST.tools}bin/ssl_pthread_server
${PLIST.tools}bin/ssl_server
-${PLIST.tools}bin/ssl_test
${PLIST.tools}bin/strerror
-include/polarssl/aes.h
-include/polarssl/aesni.h
-include/polarssl/arc4.h
-include/polarssl/asn1.h
-include/polarssl/asn1write.h
-include/polarssl/base64.h
-include/polarssl/bignum.h
-include/polarssl/blowfish.h
-include/polarssl/bn_mul.h
-include/polarssl/camellia.h
-include/polarssl/ccm.h
-include/polarssl/certs.h
-include/polarssl/check_config.h
-include/polarssl/cipher.h
-include/polarssl/cipher_wrap.h
-include/polarssl/compat-1.2.h
-include/polarssl/config.h
-include/polarssl/ctr_drbg.h
-include/polarssl/debug.h
-include/polarssl/des.h
-include/polarssl/dhm.h
-include/polarssl/ecdh.h
-include/polarssl/ecdsa.h
-include/polarssl/ecp.h
-include/polarssl/entropy.h
-include/polarssl/entropy_poll.h
-include/polarssl/error.h
-include/polarssl/gcm.h
-include/polarssl/havege.h
-include/polarssl/hmac_drbg.h
-include/polarssl/md.h
-include/polarssl/md2.h
-include/polarssl/md4.h
-include/polarssl/md5.h
-include/polarssl/md_wrap.h
-include/polarssl/memory.h
-include/polarssl/memory_buffer_alloc.h
-include/polarssl/net.h
-include/polarssl/oid.h
-include/polarssl/openssl.h
-include/polarssl/padlock.h
-include/polarssl/pbkdf2.h
-include/polarssl/pem.h
-include/polarssl/pk.h
-include/polarssl/pk_wrap.h
-include/polarssl/pkcs11.h
-include/polarssl/pkcs12.h
-include/polarssl/pkcs5.h
-include/polarssl/platform.h
-include/polarssl/ripemd160.h
-include/polarssl/rsa.h
-include/polarssl/sha1.h
-include/polarssl/sha256.h
-include/polarssl/sha512.h
-include/polarssl/ssl.h
-include/polarssl/ssl_cache.h
-include/polarssl/ssl_ciphersuites.h
-include/polarssl/threading.h
-include/polarssl/timing.h
-include/polarssl/version.h
-include/polarssl/x509.h
-include/polarssl/x509_crl.h
-include/polarssl/x509_crt.h
-include/polarssl/x509_csr.h
-include/polarssl/xtea.h
+${PLIST.tools}bin/udp_proxy
+include/mbedtls/aes.h
+include/mbedtls/aesni.h
+include/mbedtls/arc4.h
+include/mbedtls/asn1.h
+include/mbedtls/asn1write.h
+include/mbedtls/base64.h
+include/mbedtls/bignum.h
+include/mbedtls/blowfish.h
+include/mbedtls/bn_mul.h
+include/mbedtls/camellia.h
+include/mbedtls/ccm.h
+include/mbedtls/certs.h
+include/mbedtls/check_config.h
+include/mbedtls/cipher.h
+include/mbedtls/cipher_internal.h
+include/mbedtls/compat-1.3.h
+include/mbedtls/config.h
+include/mbedtls/ctr_drbg.h
+include/mbedtls/debug.h
+include/mbedtls/des.h
+include/mbedtls/dhm.h
+include/mbedtls/ecdh.h
+include/mbedtls/ecdsa.h
+include/mbedtls/ecjpake.h
+include/mbedtls/ecp.h
+include/mbedtls/entropy.h
+include/mbedtls/entropy_poll.h
+include/mbedtls/error.h
+include/mbedtls/gcm.h
+include/mbedtls/havege.h
+include/mbedtls/hmac_drbg.h
+include/mbedtls/md.h
+include/mbedtls/md2.h
+include/mbedtls/md4.h
+include/mbedtls/md5.h
+include/mbedtls/md_internal.h
+include/mbedtls/memory_buffer_alloc.h
+include/mbedtls/net.h
+include/mbedtls/oid.h
+include/mbedtls/padlock.h
+include/mbedtls/pem.h
+include/mbedtls/pk.h
+include/mbedtls/pk_internal.h
+include/mbedtls/pkcs11.h
+include/mbedtls/pkcs12.h
+include/mbedtls/pkcs5.h
+include/mbedtls/platform.h
+include/mbedtls/ripemd160.h
+include/mbedtls/rsa.h
+include/mbedtls/sha1.h
+include/mbedtls/sha256.h
+include/mbedtls/sha512.h
+include/mbedtls/ssl.h
+include/mbedtls/ssl_cache.h
+include/mbedtls/ssl_ciphersuites.h
+include/mbedtls/ssl_cookie.h
+include/mbedtls/ssl_internal.h
+include/mbedtls/ssl_ticket.h
+include/mbedtls/threading.h
+include/mbedtls/timing.h
+include/mbedtls/version.h
+include/mbedtls/x509.h
+include/mbedtls/x509_crl.h
+include/mbedtls/x509_crt.h
+include/mbedtls/x509_csr.h
+include/mbedtls/xtea.h
+lib/libmbedcrypto.a
+lib/libmbedcrypto.so
+lib/libmbedcrypto.so.0
+lib/libmbedcrypto.so.${PKGVERSION}
lib/libmbedtls.a
lib/libmbedtls.so
+lib/libmbedtls.so.10
lib/libmbedtls.so.${PKGVERSION}
-lib/libmbedtls.so.9
-lib/libpolarssl.a
-lib/libpolarssl.so
-lib/libpolarssl.so.${PKGVERSION}
-lib/libpolarssl.so.9
+lib/libmbedx509.a
+lib/libmbedx509.so
+lib/libmbedx509.so.0
+lib/libmbedx509.so.${PKGVERSION}
Index: pkgsrc/security/mbedtls/patches/patch-Makefile
diff -u pkgsrc/security/mbedtls/patches/patch-Makefile:1.1 pkgsrc/security/mbedtls/patches/patch-Makefile:1.2
--- pkgsrc/security/mbedtls/patches/patch-Makefile:1.1 Fri Jun 12 09:05:05 2015
+++ pkgsrc/security/mbedtls/patches/patch-Makefile Thu Jun 16 14:17:03 2016
@@ -1,30 +1,35 @@
-$NetBSD: patch-Makefile,v 1.1 2015/06/12 09:05:05 fhajny Exp $
+$NetBSD: patch-Makefile,v 1.2 2016/06/16 14:17:03 fhajny Exp $
Fix DESTDIR for pkgsrc.
---- Makefile.orig 2015-06-04 12:49:19.000000000 +0000
+--- Makefile.orig 2016-01-04 22:26:36.000000000 +0000
+++ Makefile
-@@ -1,6 +1,5 @@
+@@ -1,6 +1,6 @@
-DESTDIR=/usr/local
-PREFIX=mbedtls_
++PREFIX=/usr/local
+APPPREFIX=mbedtls_
- OLDPREFIX=polarssl_
.SILENT:
-@@ -19,35 +18,35 @@ tests: lib
- $(MAKE) -C tests
- install:
-- mkdir -p $(DESTDIR)/include/polarssl
-- cp -r include/polarssl $(DESTDIR)/include
-+ mkdir -p $(DESTDIR)$(PREFIX)/include/polarssl
-+ cp -r include/polarssl $(DESTDIR)$(PREFIX)/include
+@@ -21,34 +21,34 @@ tests: lib
+
+ ifndef WINDOWS
+ install: no_test
+- mkdir -p $(DESTDIR)/include/mbedtls
+- cp -r include/mbedtls $(DESTDIR)/include
++ mkdir -p $(DESTDIR)$(PREFIX)/include/mbedtls
++ cp -r include/mbedtls $(DESTDIR)$(PREFIX)/include
- mkdir -p $(DESTDIR)/lib
-- cp -RP library/libpolarssl.* library/libmbedtls.* $(DESTDIR)/lib
+- cp -RP library/libmbedtls.* $(DESTDIR)/lib
+- cp -RP library/libmbedx509.* $(DESTDIR)/lib
+- cp -RP library/libmbedcrypto.* $(DESTDIR)/lib
+ mkdir -p $(DESTDIR)$(PREFIX)/lib
-+ cp -RP library/libpolarssl.* library/libmbedtls.* $(DESTDIR)$(PREFIX)/lib
++ cp -RP library/libmbedtls.* $(DESTDIR)$(PREFIX)/lib
++ cp -RP library/libmbedx509.* $(DESTDIR)$(PREFIX)/lib
++ cp -RP library/libmbedcrypto.* $(DESTDIR)$(PREFIX)/lib
- mkdir -p $(DESTDIR)/bin
+ mkdir -p $(DESTDIR)$(PREFIX)/bin
@@ -32,33 +37,29 @@ Fix DESTDIR for pkgsrc.
if [ -x $$p ] && [ ! -d $$p ] ; \
then \
- f=$(PREFIX)`basename $$p` ; \
-+ f=$(APPPREFIX)`basename $$p` ; \
- o=$(OLDPREFIX)`basename $$p` ; \
- cp $$p $(DESTDIR)/bin/$$f ; \
-- ln -sf $$f $(DESTDIR)/bin/$$o ; \
++ f=$(APPPREFIX)`basename $$p` ; \
+ cp $$p $(DESTDIR)$(PREFIX)/bin/$$f ; \
-+ ln -sf $$f $(DESTDIR)$(PREFIX)/bin/$$o ; \
fi \
done
uninstall:
-- rm -rf $(DESTDIR)/include/polarssl
-- rm -f $(DESTDIR)/lib/libpolarssl.*
+- rm -rf $(DESTDIR)/include/mbedtls
- rm -f $(DESTDIR)/lib/libmbedtls.*
-+ rm -rf $(DESTDIR)$(PREFIX)/include/polarssl
-+ rm -f $(DESTDIR)$(PREFIX)/lib/libpolarssl.*
+- rm -f $(DESTDIR)/lib/libmbedx509.*
+- rm -f $(DESTDIR)/lib/libmbedcrypto.*
++ rm -rf $(DESTDIR)$(PREFIX)/include/mbedtls
+ rm -f $(DESTDIR)$(PREFIX)/lib/libmbedtls.*
++ rm -f $(DESTDIR)$(PREFIX)/lib/libmbedx509.*
++ rm -f $(DESTDIR)$(PREFIX)/lib/libmbedcrypto.*
for p in programs/*/* ; do \
if [ -x $$p ] && [ ! -d $$p ] ; \
then \
- f=$(PREFIX)`basename $$p` ; \
-+ f=$(APPPREFIX)`basename $$p` ; \
- o=$(OLDPREFIX)`basename $$p` ; \
- rm -f $(DESTDIR)/bin/$$f ; \
-- rm -f $(DESTDIR)/bin/$$o ; \
++ f=$(APPPREFIX)`basename $$p` ; \
+ rm -f $(DESTDIR)$(PREFIX)/bin/$$f ; \
-+ rm -f $(DESTDIR)$(PREFIX)/bin/$$o ; \
fi \
done
-
+ endif
Index: pkgsrc/security/mbedtls/patches/patch-library_Makefile
diff -u pkgsrc/security/mbedtls/patches/patch-library_Makefile:1.1 pkgsrc/security/mbedtls/patches/patch-library_Makefile:1.2
--- pkgsrc/security/mbedtls/patches/patch-library_Makefile:1.1 Fri Jun 12 09:05:05 2015
+++ pkgsrc/security/mbedtls/patches/patch-library_Makefile Thu Jun 16 14:17:03 2016
@@ -1,15 +1,33 @@
-$NetBSD: patch-library_Makefile,v 1.1 2015/06/12 09:05:05 fhajny Exp $
+$NetBSD: patch-library_Makefile,v 1.2 2016/06/16 14:17:03 fhajny Exp $
Call ranlib instead of non-portable 'ar s'.
---- library/Makefile.orig 2015-06-04 12:49:19.000000000 +0000
+--- library/Makefile.orig 2016-01-04 22:26:36.000000000 +0000
+++ library/Makefile
-@@ -95,7 +95,7 @@ libmbedtls.a: $(OBJS)
+@@ -92,7 +92,7 @@ libmbedtls.a: $(OBJS_TLS)
echo " AR $@"
- $(AR) rc $@ $(OBJS)
+ $(AR) rc $@ $(OBJS_TLS)
echo " RL $@"
- $(AR) s $@
+ $(RANLIB) $@
- libpolarssl.$(DLEXT): libmbedtls.$(DLEXT)
- echo " LN $@ -> $?"
+ libmbedtls.$(SOEXT_TLS): $(OBJS_TLS) libmbedx509.so
+ echo " LD $@"
+@@ -115,7 +115,7 @@ libmbedx509.a: $(OBJS_X509)
+ echo " AR $@"
+ $(AR) rc $@ $(OBJS_X509)
+ echo " RL $@"
+- $(AR) s $@
++ $(RANLIB) $@
+
+ libmbedx509.$(SOEXT_X509): $(OBJS_X509) libmbedcrypto.so
+ echo " LD $@"
+@@ -138,7 +138,7 @@ libmbedcrypto.a: $(OBJS_CRYPTO)
+ echo " AR $@"
+ $(AR) rc $@ $(OBJS_CRYPTO)
+ echo " RL $@"
+- $(AR) s $@
++ $(RANLIB) $@
+
+ libmbedcrypto.$(SOEXT_CRYPTO): $(OBJS_CRYPTO)
+ echo " LD $@"
Home |
Main Index |
Thread Index |
Old Index