Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_1645858367277050"
MIME-Version: 1.0
Date: Sat, 26 Feb 2022 06:52:47 +0000
From: "Santhosh Raju" <fox@netbsd.org>
Subject: CVS commit: pkgsrc/security/wolfssl
To: pkgsrc-changes@NetBSD.org
Reply-To: fox@netbsd.org
Message-Id: <20220226065247.1222EFB24@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
Precedence: bulk

This is a multi-part message in MIME format.

--_----------=_1645858367277050
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Module Name:	pkgsrc
Committed By:	fox
Date:		Sat Feb 26 06:52:46 UTC 2022

Modified Files:
	pkgsrc/security/wolfssl: Makefile PLIST distinfo

Log Message:
security/wolfssl: Update to v5.2.0

Changes since v5.1.1:

wolfSSL Release 5.2.0 (Feb 21, 2022)

Release 5.2.0 of wolfSSL embedded TLS has bug fixes and new features including:
Vulnerabilities

  * [High] A TLS v1.3 server who requires mutual authentication can be
    bypassed. If a malicious client does not send the certificate_verify message
    a client can connect without presenting a certificate even if the server
    requires one. Thank you to Aina Toky Rasoamanana and Olivier Levillain of
    Télécom SudParis.
  * [High] A TLS v1.3 client attempting to authenticate a TLS v1.3 server can
    have its certificate check bypassed. If the sig_algo in the
    certificate_verify message is different than the certificate message checking
    may be bypassed. Thank you to Aina Toky Rasoamanana and Olivier Levillain of
    Télécom SudParis.

New Feature Additions

  *  Example applications for Renesas RX72N with FreeRTOS+IoT
  *  Renesas FSP 3.5.0 support for RA6M3
  *  For TLS 1.3, improved checks on order of received messages.
  *  Support for use of SHA-3 cryptography instructions available in ARMv8.2-A
     architecture extensions. (For Apple M1)
  *  Support for use of SHA-512 cryptography instructions available in ARMv8.2-A
     architecture extensions. (For Apple M1)
  *  Fixes for clang -Os on clang >= 12.0.0
  *  Expose Sequence Numbers so that Linux TLS (kTLS) can be configured
  *  Fix bug in TLSX_ALPN_ParseAndSet when using ALPN select callback.
  *  Allow DES3 with FIPS v5-dev.
  *  Include HMAC for deterministic ECC sign build
  *  Add --enable-chrony configure option. This sets build options needed to
     build the Chrony NTP (Network Time Protocol) service.
  *  Add support for STM32U575xx boards.
  *  Fixes for NXP’s SE050 Ed25519/Curve25519.
  *  TLS: Secure renegotiation info on by default for compatibility.
  *  Inline C code version of ARM32 assembly for cryptographic algorithms
     available and compiling for improved performance on ARM platforms
  *  Configure HMAC: define NO_HMAC to disable HMAC (default: enabled)
  *  ISO-TP transport layer support added to wolfio for TLS over CAN Bus
  *  Fix initialization bug in SiLabs AES support
  *  Domain and IP check is only performed on leaf certificates

ARM PSA Support (Platform Security Architecture) API

  * Initial support added for ARM’s Platform Security Architecture (PSA) API in
    wolfCrypt which allows support of ARM PSA enabled devices by wolfSSL,
    wolfSSH, and wolfBoot and wolfCrypt FIPS.
  * Included algorithms: ECDSA, ECDH, HKDF, AES, SHA1, SHA256, SHA224, RNG

ECICE Updates

  * Support for more encryption algorithms: AES-256-CBC, AES-128-CTR,
    AES-256-CTR
  * Support for compressed public keys in messages.

Math Improvements

  * Improved performance of X448 and Ed448 through inlining Karatsuba in square
    and multiplication operations for 128-bit implementation (64-bit platforms
    with 128-bit type support).
  * SP Math C implementation: fix for corner case in curve specific
    implementations of Montgomery Reduction (P-256, P-384).
  * SP math all: assembly snippets added for ARM Thumb. Performance improvement
    on platform.
  * SP math all: ARM64/32 sp_div_word assembly snippets added to remove
    dependency on __udiv3.
  * SP C implementation: multiplication of two signed types with overflow is
    undefined in C. Now cast to unsigned type before multiplication is
    performed.
  * SP C implementation correctly builds when using CFLAG: -m32

OpenSSL Compatibility Layer

  * Added DH_get_2048_256 to compatibility layer.
  * wolfSSLeay_version now returns the version of wolfSSL
  * Added C++ exports for API’s in wolfssl/openssl/crypto.h. This allows better
    compatibility when building with a C++ compiler.
  * Fix for OpenSSL x509_NAME_hash mismatch
  * Implement FIPS_mode and FIPS_mode_set in the compat layer.
  * Fix for certreq and certgen options with openssl compatibility
  * wolfSSL_BIO_dump() and wolfSSL_OBJ_obj2txt() rework
  * Fix IV length bug in EVP AES-GCM code.
  * Add new ASN1_INTEGER compatibility functions.
  * Fix wolfSSL_PEM_X509_INFO_read with NO_FILESYSTEM

CMake Updates

  * Check for valid override values.
  * Add KEYGEN option.
  * Cleanup help messages.
  * Add options to support wolfTPM.

VisualStudio Updates

  * Remove deprecated VS solution
  * Fix VS unreachable code warning

New Algorithms and Protocols

  * AES-SIV (RFC 5297)
  * DTLS SRTP (RFC 5764), used with WebRTC to agree on profile for new real-time
    session keys
  * SipHash MAC/PRF for hash tables. Includes inline assembly for x86_64 and
    Aarch64.

Remove Obsolete Algorithms

  * IDEA
  * Rabbit
  * HC-128


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 pkgsrc/security/wolfssl/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/security/wolfssl/PLIST
cvs rdiff -u -r1.12 -r1.13 pkgsrc/security/wolfssl/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_1645858367277050
Content-Disposition: inline
Content-Length: 3932
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/security/wolfssl/Makefile
diff -u pkgsrc/security/wolfssl/Makefile:1.11 pkgsrc/security/wolfssl/Makefile:1.12
--- pkgsrc/security/wolfssl/Makefile:1.11	Sat Jan  8 09:48:16 2022
+++ pkgsrc/security/wolfssl/Makefile	Sat Feb 26 06:52:46 2022
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.11 2022/01/08 09:48:16 fox Exp $
+# $NetBSD: Makefile,v 1.12 2022/02/26 06:52:46 fox Exp $
 
-DISTNAME=	wolfssl-5.1.1
+DISTNAME=	wolfssl-5.2.0
 CATEGORIES=	security
 MASTER_SITES=	https://www.wolfssl.com/
 EXTRACT_SUFX=	.zip

Index: pkgsrc/security/wolfssl/PLIST
diff -u pkgsrc/security/wolfssl/PLIST:1.6 pkgsrc/security/wolfssl/PLIST:1.7
--- pkgsrc/security/wolfssl/PLIST:1.6	Thu Dec 30 01:19:03 2021
+++ pkgsrc/security/wolfssl/PLIST	Sat Feb 26 06:52:46 2022
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.6 2021/12/30 01:19:03 fox Exp $
+@comment $NetBSD: PLIST,v 1.7 2022/02/26 06:52:46 fox Exp $
 bin/wolfssl-config
 include/cyassl/callbacks.h
 include/cyassl/certs_test.h
@@ -20,7 +20,6 @@ include/cyassl/ctaocrypt/dsa.h
 include/cyassl/ctaocrypt/ecc.h
 include/cyassl/ctaocrypt/error-crypt.h
 include/cyassl/ctaocrypt/fips_test.h
-include/cyassl/ctaocrypt/hc128.h
 include/cyassl/ctaocrypt/hmac.h
 include/cyassl/ctaocrypt/integer.h
 include/cyassl/ctaocrypt/logging.h
@@ -34,7 +33,6 @@ include/cyassl/ctaocrypt/mpi_superclass.
 include/cyassl/ctaocrypt/pkcs7.h
 include/cyassl/ctaocrypt/poly1305.h
 include/cyassl/ctaocrypt/pwdbased.h
-include/cyassl/ctaocrypt/rabbit.h
 include/cyassl/ctaocrypt/random.h
 include/cyassl/ctaocrypt/ripemd.h
 include/cyassl/ctaocrypt/rsa.h
@@ -123,6 +121,7 @@ include/wolfssl/openssl/ed448.h
 include/wolfssl/openssl/engine.h
 include/wolfssl/openssl/err.h
 include/wolfssl/openssl/evp.h
+include/wolfssl/openssl/fips_rand.h
 include/wolfssl/openssl/hmac.h
 include/wolfssl/openssl/lhash.h
 include/wolfssl/openssl/md4.h
@@ -191,9 +190,7 @@ include/wolfssl/wolfcrypt/fips_test.h
 include/wolfssl/wolfcrypt/ge_448.h
 include/wolfssl/wolfcrypt/ge_operations.h
 include/wolfssl/wolfcrypt/hash.h
-include/wolfssl/wolfcrypt/hc128.h
 include/wolfssl/wolfcrypt/hmac.h
-include/wolfssl/wolfcrypt/idea.h
 include/wolfssl/wolfcrypt/integer.h
 include/wolfssl/wolfcrypt/kdf.h
 include/wolfssl/wolfcrypt/logging.h
@@ -209,7 +206,6 @@ include/wolfssl/wolfcrypt/pkcs12.h
 include/wolfssl/wolfcrypt/pkcs7.h
 include/wolfssl/wolfcrypt/poly1305.h
 include/wolfssl/wolfcrypt/pwdbased.h
-include/wolfssl/wolfcrypt/rabbit.h
 include/wolfssl/wolfcrypt/random.h
 include/wolfssl/wolfcrypt/rc2.h
 include/wolfssl/wolfcrypt/ripemd.h
@@ -221,6 +217,7 @@ include/wolfssl/wolfcrypt/sha256.h
 include/wolfssl/wolfcrypt/sha3.h
 include/wolfssl/wolfcrypt/sha512.h
 include/wolfssl/wolfcrypt/signature.h
+include/wolfssl/wolfcrypt/siphash.h
 include/wolfssl/wolfcrypt/srp.h
 include/wolfssl/wolfcrypt/tfm.h
 include/wolfssl/wolfcrypt/types.h

Index: pkgsrc/security/wolfssl/distinfo
diff -u pkgsrc/security/wolfssl/distinfo:1.12 pkgsrc/security/wolfssl/distinfo:1.13
--- pkgsrc/security/wolfssl/distinfo:1.12	Sat Jan  8 09:48:16 2022
+++ pkgsrc/security/wolfssl/distinfo	Sat Feb 26 06:52:46 2022
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.12 2022/01/08 09:48:16 fox Exp $
+$NetBSD: distinfo,v 1.13 2022/02/26 06:52:46 fox Exp $
 
-BLAKE2s (wolfssl-5.1.1.zip) = 6cd4f2acc34cbdd57409f3a81b2107fb5fb23a816b3268c532141fb9d892033c
-SHA512 (wolfssl-5.1.1.zip) = f9a024d0895263e3962c9155cdfbb875d30be9cbb846642cd950eaae74eb768681a9ad08a3b970f5611ca9ee7894498002ffc8a3690afbcfb15a4106dee27f81
-Size (wolfssl-5.1.1.zip) = 12558116 bytes
+BLAKE2s (wolfssl-5.2.0.zip) = 2f9c0cf5eef5781abe8f863d39db22959253561d97676bc61c608d257e94092f
+SHA512 (wolfssl-5.2.0.zip) = eb3565cffd261c13b69d7049b0bc6ea030419a29aeb3f0937ea2f1de2c6b22aeabee354abe5c0d88fcd7249eb9b3f63ff4ca2dd61942c4fda6c067d0cc2d9def
+Size (wolfssl-5.2.0.zip) = 15470250 bytes
 SHA1 (patch-certs_intermediate_genintcerts.sh) = bdcf9a1fd14170aaf780ab9677fd8bc6e4ddc75c


--_----------=_1645858367277050--