pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/security/wolfssl
Module Name: pkgsrc
Committed By: fox
Date: Sat May 7 07:47:36 UTC 2022
Modified Files:
pkgsrc/security/wolfssl: Makefile PLIST distinfo
Log Message:
security/wolfssl: Update to v5.3.0
Changes since v5.2.0:
Release 5.3.0 of wolfSSL embedded TLS has bug fixes and new features including:
New Feature Additions
Ports
* Updated support for Stunnel to version 5.61
* Add i.MX8 NXP SECO use for secure private ECC keys and expand
cryptodev-linux for use with the RSA/Curve25519 with the Linux CAAM driver
* Allow encrypt then mac with Apache port
* Update Renesas TSIP version to 1.15 on GR-ROSE and certificate signature
data for TSIP / SCE example
* Add IAR MSP430 example, located in IDE/IAR-MSP430 directory
* Add support for FFMPEG with the enable option --enable-ffmpeg, FFMPEG is
used for recording and converting video and audio (https://ffmpeg.org/)
* Update the bind port to version 9.18.0
Post Quantum
* Add Post-quantum KEM benchmark for STM32
* Enable support for using post quantum algorithms with embedded STM32 boards
and port to STM32U585
Compatibility Layer Additions
* Add port to support libspdm
(https://github.com/DMTF/libspdm/blob/main/README.md), compatibility
functions added for the port were:
- ASN1_TIME_compare
- DH_new_by_nid
- OBJ_length, OBJ_get0_data,
- EVP layer ChaCha20-Poly1305, HKDF
- EC_POINT_get_affine_coordinates
- EC_POINT_set_affine_coordinates
* Additional functions added were:
- EC_KEY_print_fp
- EVP_PKEY_paramgen
- EVP_PKEY_sign/verify functionality
- PEM_write_RSAPublicKey
- PEM_write_EC_PUBKEY
- PKCS7_sign
- PKCS7_final
- SMIME_write_PKCS7
- EC_KEY/DH_up_ref
- EVP_DecodeBlock
- EVP_EncodeBlock
- EC_KEY_get_conv_form
- BIO_eof
- Add support for BIO_CTRL_SET and BIO_CTRL_GET
* Add compile time support for the type SSL_R_NULL_SSL_METHOD_PASSED
* Enhanced X509_NAME_print_ex() to support RFC5523 basic escape
* More checks on OPENSSL_VERSION_NUMBER for API prototype differences
* Add extended key usage support to wolfSSL_X509_set_ext
* SSL_VERIFY_FAIL_IF_NO_PEER_CERT now can also connect with compatibility
layer enabled and a TLS 1.3 PSK connection is used
* Improve wolfSSL_BN_rand to handle non byte boundaries and top/bottom
parameters
* Changed X509_V_ERR codes to better match OpenSSL values used
* Improve wolfSSL_i2d_X509_name to allow for a NULL input in order to get the
expected resulting size
* Enhance the smallstack build to reduce stack size farther when built with
compatibility layer enabled
Misc.
* Sniffer asynchronous support addition, handling of DH shared secret and
tested with Intel QuickAssist
* Added in support for OCSP with IPv6
* Enhance SP (single precision) optimizations for use with the ECC P521
* Add new public API wc_CheckCertSigPubKey() for use to easily check the
signature of a certificate given a public key buffer
* Add CSR (Certificate Signing Request) userId support in subject name
* Injection and parsing of custom extensions in X.509 certificates
* Add WOLF_CRYPTO_CB_ONLY_RSA and WOLF_CRYPTO_CB_ONLY_ECC to reduce code size
if using only crypto callback functions with RSA and ECC
* Created new --enable-engine configure flag used to build wolfSSL for use with
wolfEngine
* With TLS 1.3 PSK, when WOLFSSL_PSK_MULTI_ID_PER_CS is defined multiple IDs
for a cipher suite can be handled
* Added private key id/label support with improving the PK (Public Key)
callbacks
* Support for Intel QuickAssist ECC KeyGen acceleration
* Add the function wolfSSL_CTX_SetCertCbCtx to set user context for certificate
call back
* Add the functions wolfSSL_CTX_SetEccSignCtx(WOLFSSL_CTX* ctx, void userCtx)
and wolfSSL_CTX_GetEccSignCtx(WOLFSSL_CTX ctx) for setting and getting a user
context
* wolfRand for AMD --enable-amdrand
Fixes
PORT Fixes
* KCAPI memory optimizations and page alignment fixes for ECC, AES mode fixes
and reduction to memory usage
* Add the new kdf.c file to the TI-RTOS build
* Fix wait-until-done in RSA hardware primitive acceleration of ESP-IDF port
* IOTSafe workarounds when reading files with ending 0’s and for ECC
signatures
Math Library Fixes
* Sanity check with SP math that ECC points ordinates are not greater than
modulus length
* Additional sanity checks that _sp_add_d does not error due to overflow
* Wycheproof fixes, testing integration, and fixes for AVX / AArch64 ASM edge
case tests
* TFM fp_div_2_ct rework to avoid potential overflow
Misc.
* Fix for PKCS#7 with Crypto Callbacks
* Fix for larger curve sizes with deterministic ECC sign
* Fixes for building wolfSSL alongside openssl using --enable-opensslcoexist
* Fix for compatibility layer handling of certificates with SHA256 SKID (Subject Key ID)
* Fix for wolfSSL_ASN1_TIME_diff erroring out on a return value of 0 from mktime
* Remove extra padding when AES-CBC encrypted with PemToDer
* Fixes for TLS v1.3 early data with async.
* Fixes for async disables around the DevCopy calls
* Fixes for Windows AES-NI with clang compiler
* Fix for handling the detection of processing a plaintext TLS alert packet
* Fix for potential memory leak in an error case with TLSX supported groups
* Sanity check on input size in DecodeNsCertType
* AES-GCM stack alignment fixes with assembly code written for AVX/AVX2
* Fix for PK callbacks with server side and setting a public key
Improvements/Optimizations
Build Options and Warnings
* Added example user settings template for FIPS v5 ready
* Automake file touch cleanup for use with Yocto devtool
* Allow disabling forced 'make clean' at the end of ./configure by using
--disable-makeclean
* Enable TLS 1.3 early data when specifying --enable-all option
* Disable PK Callbacks with JNI FIPS builds
* Add a FIPS cert 3389 ready option, this is the fips-ready build
* Support (no)inline with Wind River Diab compiler
* ECDH_compute_key allow setting of globalRNG with FIPS 140-3
* Add logic equivalent to configure.ac in settings.h for Poly1305
* Fixes to support building opensslextra with SP math
* CPP protection for extern references to x86_64 asm code
* Updates and enhancements for Espressif ESP-IDF wolfSSL setup_win.bat
* Documentation improvements with auto generation
* Fix reproducible-build for working an updated version of libtool, version
2.4.7
* Fixes for Diab C89 and armclang
* Fix mcapi_test.c to include the settings.h before crypto.h
* Update and handle builds with NO_WOLFSSL_SERVER and NO_WOLFSSL_CLIENT
* Fix for some macro defines with FIPS 140-3 build so that
RSA_PKCS1_PSS_PADDING can be used with RSA sign/verify functions
Math Libraries
* Add RSA/DH check for even modulus
* Enhance TFM math to handle more alloc failure cases gracefully
* SP ASM performance improvements mostly around AArch64
* SP ASM improvements for additional cache attack resistance
* Add RSA check for small difference between p and q
* 6-8% performance increase with ECC operations using SP int by improving the
Montgomery Reduction
Testing and Validation
* All shell scripts in source tree now tested for correctness using shellcheck
and bash -n
* Added build testing under gcc-12 and -std=c++17 and fixed warnings
* TLS 1.3 script test improvement to wait for server to write file
* Unit tests for ECC r/s zeroness handling
* CI server was expanded with a very “quiet” machine that can support multiple
ContantTime tests ensuring ongoing mitigation against side-channel timing
based attacks. Algorithms being assessed on this machine are: AES-CBC,
AES-GCM, CHACHA20, ECC, POLY1305, RSA, SHA256, SHA512, CURVE25519.
* Added new multi configuration windows builds to CI testing for greater
testing coverage of windows use-cases
Misc.
* Support for ECC import to check validity of key on import even if one of the
coordinates (x or y) is 0
* Modify example app to work with FreeRTOS+IoT
* Ease of access for cert used for verifying a PKCS#7 bundle
* Clean up Visual Studio output and intermediate directories
* With TLS 1.3 fail immediately if a server sends empty certificate message
* Enhance the benchmark application to support multi-threaded testing
* Improvement for wc_EccPublicKeyToDer to not overestimate the buffer size
required
* Fix to check if wc_EccPublicKeyToDer has enough output buffer space
* Fix year 2038 problem in wolfSSL_ASN1_TIME_diff
* Various portability improvements (Time, DTLS epoch size, IV alloc)
* Prefer status_request_v2 over status_request when both are present
* Add separate "struct stat" definition XSTATSTRUCT to make overriding XSTAT
easier for portability
* With SipHash replace gcc specific ASM instruction with generic
* Don't force a ECC CA when a custom CA is passed with -A
* Add peer authentication failsafe for TLS 1.2 and below
* Improve parsing of UID from subject and issuer name with the compatibility
layer by
* Fallback to full TLS handshake if session ticket fails
* Internal refactoring of code to reduce ssl.c file size
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 pkgsrc/security/wolfssl/Makefile
cvs rdiff -u -r1.7 -r1.8 pkgsrc/security/wolfssl/PLIST
cvs rdiff -u -r1.13 -r1.14 pkgsrc/security/wolfssl/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/wolfssl/Makefile
diff -u pkgsrc/security/wolfssl/Makefile:1.12 pkgsrc/security/wolfssl/Makefile:1.13
--- pkgsrc/security/wolfssl/Makefile:1.12 Sat Feb 26 06:52:46 2022
+++ pkgsrc/security/wolfssl/Makefile Sat May 7 07:47:36 2022
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.12 2022/02/26 06:52:46 fox Exp $
+# $NetBSD: Makefile,v 1.13 2022/05/07 07:47:36 fox Exp $
-DISTNAME= wolfssl-5.2.0
+DISTNAME= wolfssl-5.3.0
CATEGORIES= security
MASTER_SITES= https://www.wolfssl.com/
EXTRACT_SUFX= .zip
Index: pkgsrc/security/wolfssl/PLIST
diff -u pkgsrc/security/wolfssl/PLIST:1.7 pkgsrc/security/wolfssl/PLIST:1.8
--- pkgsrc/security/wolfssl/PLIST:1.7 Sat Feb 26 06:52:46 2022
+++ pkgsrc/security/wolfssl/PLIST Sat May 7 07:47:36 2022
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.7 2022/02/26 06:52:46 fox Exp $
+@comment $NetBSD: PLIST,v 1.8 2022/05/07 07:47:36 fox Exp $
bin/wolfssl-config
include/cyassl/callbacks.h
include/cyassl/certs_test.h
@@ -123,6 +123,7 @@ include/wolfssl/openssl/err.h
include/wolfssl/openssl/evp.h
include/wolfssl/openssl/fips_rand.h
include/wolfssl/openssl/hmac.h
+include/wolfssl/openssl/kdf.h
include/wolfssl/openssl/lhash.h
include/wolfssl/openssl/md4.h
include/wolfssl/openssl/md5.h
Index: pkgsrc/security/wolfssl/distinfo
diff -u pkgsrc/security/wolfssl/distinfo:1.13 pkgsrc/security/wolfssl/distinfo:1.14
--- pkgsrc/security/wolfssl/distinfo:1.13 Sat Feb 26 06:52:46 2022
+++ pkgsrc/security/wolfssl/distinfo Sat May 7 07:47:36 2022
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.13 2022/02/26 06:52:46 fox Exp $
+$NetBSD: distinfo,v 1.14 2022/05/07 07:47:36 fox Exp $
-BLAKE2s (wolfssl-5.2.0.zip) = 2f9c0cf5eef5781abe8f863d39db22959253561d97676bc61c608d257e94092f
-SHA512 (wolfssl-5.2.0.zip) = eb3565cffd261c13b69d7049b0bc6ea030419a29aeb3f0937ea2f1de2c6b22aeabee354abe5c0d88fcd7249eb9b3f63ff4ca2dd61942c4fda6c067d0cc2d9def
-Size (wolfssl-5.2.0.zip) = 15470250 bytes
+BLAKE2s (wolfssl-5.3.0.zip) = 1db0de62b934f6ce89ac135e999e357193a2a8422919da10113eed32bbc249fb
+SHA512 (wolfssl-5.3.0.zip) = 82e484e3c9fe031daf513eb01ad35beb886f38f461f1c94ad9d31c68709ca23b572a9cf9793e9df63d8101989a34877ada97a318fe1347cc60ccf6767d90456a
+Size (wolfssl-5.3.0.zip) = 22125813 bytes
SHA1 (patch-certs_intermediate_genintcerts.sh) = bdcf9a1fd14170aaf780ab9677fd8bc6e4ddc75c
Home |
Main Index |
Thread Index |
Old Index