CVS commit: pkgsrc/security/polarssl

["OBATA Akio" <obache%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   obache
Date:           Wed Sep 11 13:17:26 UTC 2013

Modified Files:
        pkgsrc/security/polarssl: Makefile PLIST distinfo
        pkgsrc/security/polarssl/patches: patch-Makefile

Log Message:
Update PolarSSL to 1.2.8

= Version 1.2.8 released 2013-06-19
Features
   * Parsing of PKCS#8 encrypted private key files
   * PKCS#12 PBE and derivation functions
   * Centralized module option values in config.h to allow user-defined
     settings without editing header files by using POLARSSL_CONFIG_OPTIONS

Changes
   * HAVEGE random generator disabled by default
   * Internally split up x509parse_key() into a (PEM) handler function
     and specific DER parser functions for the PKCS#1 and unencrypted
     PKCS#8 private key formats
   * Added mechanism to provide alternative implementations for all
     symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
         config.h)
   * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
     old PBKDF2 module

Bugfix
   * Secure renegotiation extension should only be sent in case client
     supports secure renegotiation
   * Fixed offset for cert_type list in ssl_parse_certificate_request()
   * Fixed const correctness issues that have no impact on the ABI
   * x509parse_crt() now better handles PEM error situations
   * ssl_parse_certificate() now calls x509parse_crt_der() directly
     instead of the x509parse_crt() wrapper that can also parse PEM
         certificates
   * x509parse_crtpath() is now reentrant and uses more portable stat()
   * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
   * Fixed values for 2-key Triple DES in cipher layer
   * ssl_write_certificate_request() can handle empty ca_chain

Security
   * A possible DoS during the SSL Handshake, due to faulty parsing of
     PEM-encoded certificates has been fixed (found by Jack Lloyd)

= Version 1.2.7 released 2013-04-13
Features
   * Ability to specify allowed ciphersuites based on the protocol version.

Changes
   * Default Blowfish keysize is now 128-bits
   * Test suites made smaller to accommodate Raspberry Pi

Bugfix
   * Fix for MPI assembly for ARM
   * GCM adapted to support sizes > 2^29

= Version 1.2.6 released 2013-03-11
Bugfix
   * Fixed memory leak in ssl_free() and ssl_reset() for active session
   * Corrected GCM counter incrementation to use only 32-bits instead of
     128-bits (found by Yawning Angel)
   * Fixes for 64-bit compilation with MS Visual Studio
   * Fixed net_bind() for specified IP addresses on little endian systems
   * Fixed assembly code for ARM (Thumb and regular) for some compilers

Changes
   * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
     rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
     PKCS#1 v2.1 functions
   * Added support for custom labels when using rsa_rsaes_oaep_encrypt()
     or rsa_rsaes_oaep_decrypt()
   * Re-added handling for SSLv2 Client Hello when the define
     POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
   * The SSL session cache module (ssl_cache) now also retains peer_cert
     information (not the entire chain)

Security
   * Removed further timing differences during SSL message decryption in
     ssl_decrypt_buf()
   * Removed timing differences due to bad padding from
     rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
     operations

= Version 1.2.5 released 2013-02-02
Changes
   * Allow enabling of dummy error_strerror() to support some use-cases
   * Debug messages about padding errors during SSL message decryption are
     disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
   * Sending of security-relevant alert messages that do not break
     interoperability can be switched on/off with the flag
     POLARSSL_SSL_ALL_ALERT_MESSAGES

Security
   * Removed timing differences during SSL message decryption in
     ssl_decrypt_buf() due to badly formatted padding

= Version 1.2.4 released 2013-01-25
Changes
   * Added ssl_handshake_step() to allow single stepping the handshake process

Bugfix
   * Memory leak when using RSA_PKCS_V21 operations fixed
   * Handle future version properly in ssl_write_certificate_request()
   * Correctly handle CertificateRequest message in client for <= TLS 1.1
     without DN list

= Version 1.2.3 released 2012-11-26
Bugfix
   * Server not always sending correct CertificateRequest message

= Version 1.2.2 released 2012-11-24
Changes
   * Added p_hw_data to ssl_context for context specific hardware acceleration
     data
   * During verify trust-CA is only checked for expiration and CRL presence

Bugfixes
   * Fixed client authentication compatibility
   * Fixed dependency on POLARSSL_SHA4_C in SSL modules

= Version 1.2.1 released 2012-11-20
Changes
   * Depth that the certificate verify callback receives is now numbered
     bottom-up (Peer cert depth is 0)

Bugfixes
   * Fixes for MSVC6
   * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
   * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
     Pégourié-Gonnard)
   * Fixed possible segfault in mpi_shift_r() (found by Manuel
     Pégourié-Gonnard)
   * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 pkgsrc/security/polarssl/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/polarssl/PLIST \
    pkgsrc/security/polarssl/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/polarssl/patches/patch-Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.