Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_166741545776650"
MIME-Version: 1.0
Date: Wed, 2 Nov 2022 18:57:37 +0000
From: "Amitai Schleier"
Subject: CVS commit: pkgsrc/security/libretls
To: pkgsrc-changes@NetBSD.org
Reply-To: schmonz@netbsd.org
X-Mailer: log_accum
Message-Id: <20221102185737.B613AFA90@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id:
Precedence: bulk
List-Unsubscribe:

This is a multi-part message in MIME format.

--_----------=_166741545776650
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name: pkgsrc
Committed By: schmonz
Date: Wed Nov 2 18:57:37 UTC 2022

Modified Files:
    pkgsrc/security/libretls: Makefile distinfo

Log Message:
Update to 3.5.2. From the changelog:

- tls_signer: Replace ECDSA_METHOD with EC_KEY_METHOD
- doc: Note OpenSSL 3.0.0 compatibility in README

From the upstream LibreSSL changelog for 3.5.0:

* New Features
  - The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
    regression tests were added and the code was cleaned up.
  - Certificate Transparency was ported from OpenSSL. Many internal
    improvements were made, resulting in cleaner and safer code.
    Regress coverage was added. libssl does not yet make use of it.
* Portable Improvements
  - Fixed various POSIX compliance and other portability issues
    found by the port to the Sortix operating system.
  - Add libmd as platform specific libraries for Solaris.
    Issue reported from (ihsan opencsw org) on libressl ML.
  - Set IA-64 compiler flag only if it is HP-UX with IA-64.
    Suggested from Larkin Nickle (me larbob org) by libressl ML.
  - Enabled and scheduled Coverity scan.
    Contributed by Ilya Shipitsin (chipitsine gmail com) on github.
* Compatibility Changes
  - Most structs that were previously defined in the following
    headers are now opaque as they are in OpenSSL 1.1:
    bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
    x509.h, x509v3.h, x509_vfy.h
  - Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_
    OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
    of using something consistent with the previous naming. Various
    test suites expect these names (instead of checking for the much
    more sensible cipher numbers). The old names are still accepted
    as aliases.
  - Subject alternative names and name constraints are now validated
    when they are added to certificates. Various interoperability
    problems with stacks that validate certificates more strictly
    than OpenSSL can be avoided this way.
  - Attempt to opportunistically use the host name for SNI in s_client
* Bug fixes
  - In some situations, the verifier would discard the error on an
    unvalidated certificate chain. This would happen when the
    verification callback was in use, instructing the verifier to
    continue unconditionally. This could lead to incorrect decisions
    being made in software.
  - Avoid an infinite loop in SSL_shutdown()
  - Fix another return 0 bug in SSL_shutdown()
  - Handle zero byte reads/writes that trigger handshakes in the
    TLSv1.3 stack
  - A long standing memleak in libtls CRL handling was fixed
* Internal Improvements
  - Cache the SHA-512 hash instead of the SHA-1 hash and cache
    notBefore and notAfter times when X.509 certificates are parsed.
  - The X.509 lookup code has been simplified and cleaned up.
  - Fixed numerous issues flagged by coverity and the cryptofuzz
    project
  - Increased the number of Miller-Rabin checks in DH and DSA
    key/parameter generation
  - Started using the bytestring API in libcrypto for cleaner and
    safer code
  - Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
    ASN1
  - Convert ASN1_OBJECT_new() to calloc()
  - Convert ASN1_STRING_type_new() to calloc()
  - Rewrite ASN1_STRING_cmp()
  - Use calloc() for X509_CRL_METHOD_new() instead of malloc()
  - Convert ASN1_PCTX_new() to calloc()
  - Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a
    function
  - Consolidate {d2i,i2d}_{pr,pu}.c
  - Remove handling of a NULL BUF_MEM from asn1_collect()
  - Pull the recursion depth check up to the top of asn1_collect()
  - Inline collect_data() in asn1_collect()
  - Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
  - Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
  - Consolidate ASN.1 universal tag type data
  - Rewrite ASN.1 identifier/length parsing in CBS
  - Make OBJ_obj2nid() work correctly with NID_undef
  - tlsext_tick_lifetime_hint is now an uint32_t
  - Untangle ssl3_get_message() return values
  - Rename tls13_buffer to tls_buffer
  - Fold DTLS_STATE_INTERNAL into DTLS1_STATE
  - Provide a way to determine our maximum legacy version
  - Mop up enc_read_ctx and read_hash
  - Fold SSL_SESSION_INTERNAL into SSL_SESSION
  - Use ssl_force_want_read in the DTLS code
  - Add record processing limit to DTLS code
  - Add explicit CBS_contains_zero_byte() check in CBS_strdup()
  - Improve SNI hostname validation
  - Ensure SSL_set_tlsext_host_name() is given a valid hostname
  - Fix a strange check in the auto DH codepath
  - Factor out/rewrite DHE key exchange
  - Convert server serialisation of DHE parameters/public key to new
    functions
  - Check DH public key in ssl_kex_peer_public_dhe()
  - Move the minimum DHE key size check into
    ssl_kex_peer_params_dhe()
  - Clean up and refactor server side DHE key exchange
  - Provide CBS_get_last_u8()
  - Provide CBS_get_u64()
  - Provide CBS_add_u64()
  - Provide various CBS_peek_* functions
  - Use CBS_get_last_u8() to find the content type in TLSv1.3 records
  - unifdef TLS13_USE_LEGACY_CLIENT_AUTH
  - Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
  - Only allow zero length key shares when we know we're doing HRR
  - Pull key share group/length CBB code up from
    tls13_key_share_public()
  - Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
    validation
  - Return 0 on failure from send/get kex functions in the legacy
    stack
  - Rename tls13_key_share to tls_key_share
  - Allocate and free the EVP_AEAD_CTX struct in
    tls13_record_protection
  - Convert legacy TLS client to tls_key_share
  - Convert legacy TLS server to tls_key_share
  - Stop attempting to duplicate the public and private key of dh_tmp
  - Rename dh_tmp to dhe_params
  - Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY
  - Clean up pkey handling in ssl3_get_server_key_exchange()
  - Fix GOST skip certificate verify handling
  - Simplify tlsext_keyshare_server_parse()
  - Plumb decode errors through key share parsing code
  - Simplify SSL_get_peer_certificate()
  - Cleanup/simplify ssl_cert_type()
  - The S3I macro was removed
  - The openssl(1) cms and smime subcommands option handling was
    converted and the C source was cleaned up.
* Documentation improvements
  - 45 new manual pages, most of which were written from scratch.
    Documentation coverage of ASN.1 and X.509 code has been
    significantly improved.

Upstream 3.5.1 changelog:

* A malicious certificate can cause an infinite loop.
  Reported by and fix from Tavis Ormandy and David Benjamin, Google.

Upstream 3.5.2 changelog:

This is the first stable release for the 3.5.x branch, as shipped with
OpenBSD 7.1.

To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 pkgsrc/security/libretls/Makefile
cvs rdiff -u -r1.8 -r1.9 pkgsrc/security/libretls/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
--_----------=_166741545776650 Content-Disposition: inline Content-Length: 1548 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/security/libretls/Makefile diff -u pkgsrc/security/libretls/Makefile:1.6 pkgsrc/security/libretls/Makefile:1.7 --- pkgsrc/security/libretls/Makefile:1.6 Sat Dec 18 13:55:18 2021 +++ pkgsrc/security/libretls/Makefile Wed Nov 2 18:57:37 2022 @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.6 2021/12/18 13:55:18 schmonz Exp $ +# $NetBSD: Makefile,v 1.7 2022/11/02 18:57:37 schmonz Exp $ -DISTNAME= libretls-3.4.2 +DISTNAME= libretls-3.5.2 CATEGORIES= security MASTER_SITES= https://causal.agency/libretls/ Index: pkgsrc/security/libretls/distinfo diff -u pkgsrc/security/libretls/distinfo:1.8 pkgsrc/security/libretls/distinfo:1.9 --- pkgsrc/security/libretls/distinfo:1.8 Sat Dec 18 13:55:18 2021 +++ pkgsrc/security/libretls/distinfo Wed Nov 2 18:57:37 2022 @@ -1,5 +1,5 @@ -$NetBSD: distinfo,v 1.8 2021/12/18 13:55:18 schmonz Exp $ +$NetBSD: distinfo,v 1.9 2022/11/02 18:57:37 schmonz Exp $ -BLAKE2s (libretls-3.4.2.tar.gz) = 4db43b5e22127dda7838787d2bb96df6bd9632efbcc8623d76f5e64335281a1e -SHA512 (libretls-3.4.2.tar.gz) = 0ded26558b74a00e5e05629d577c07ad9b8a8955aacbd7f97d6d1c81d4e7ccfe7c2fe0cc5bcb03fffb282cd51b8404236371d0074e39508099d1990fc3e065ba -Size (libretls-3.4.2.tar.gz) = 435457 bytes +BLAKE2s (libretls-3.5.2.tar.gz) = cdf125019914045d7fac0c07d627aba99cd7da4f008ff0f6372d5f56908506ca +SHA512 (libretls-3.5.2.tar.gz) = 62eed971cbacb4a50e5ebdad1ea1d57dd3b4f7520634393faf1fc141ef63b6e7d50acbe49747c956fca6b9f2dec8a79ab724df6e08a77858a1624b5a6e3cbe57 +Size (libretls-3.5.2.tar.gz) = 425404 bytes --_----------=_166741545776650--
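Review bot: In the distinfo hunk, the new BLAKE2s and SHA512 values for libretls-3.5.2.tar.gz are the only integrity anchor for a tarball fetched from the single MASTER_SITES host shown in the Makefile context (https://causal.agency/libretls/), and the log message does not say what they were compared against. Suggest recording in the commit message whether the digests were checked against an upstream-published checksum or signature, rather than only regenerated from the downloaded file. The Size line also drops from 435457 to 425404 bytes across the version bump; a short remark confirming the smaller tarball is expected would help anyone auditing this update later.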