pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/security/mbedtls



Module Name:    pkgsrc
Committed By:   fhajny
Date:           Thu Jun 16 14:17:03 UTC 2016

Modified Files:
        pkgsrc/security/mbedtls: Makefile PLIST distinfo
        pkgsrc/security/mbedtls/patches: patch-Makefile patch-library_Makefile
Removed Files:
        pkgsrc/security/mbedtls/patches: patch-programs_test_CMakeLists.txt

Log Message:
Update security/mbedtls to 2.2.1.

This breaks removes the legacy PolarSSL compatibility layer. For
software that needs it, please use security/mbedtls1 instead.
Change license to apache-2.0.

Upstream changelog since 1.3.11 follows.

= mbed TLS 2.2.1 released 2016-01-05

Security
- Fix potential double free when mbedtls_asn1_store_named_data() fails
  to allocate memory. Only used for certificate generation, not
  triggerable remotely in SSL/TLS.
- Disable MD5 handshake signatures in TLS 1.2 by default

Bugfix
- Fix over-restrictive length limit in GCM.
- Fix bug in certificate validation that caused valid chains to be
  rejected when the first intermediate certificate has
  pathLenConstraint=0.
- Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign()
- Fix suboptimal handling of unexpected records that caused interop
  issues with some peers over unreliable links. Avoid dropping an
  entire DTLS datagram if a single record in a datagram is unexpected,
  instead only drop the record and look at subsequent records (if any
  are present) in the same datagram.

= mbed TLS 2.2.0 released 2015-11-04

Security
- Fix potential double free if mbedtls_ssl_conf_psk() is called more
  than once and some allocation fails. Cannot be forced remotely.
- Fix potential heap corruption on Windows when
  mbedtls_x509_crt_parse_path() is passed a path longer than 2GB.
  Cannot be triggered remotely.
- Fix potential buffer overflow in some asn1_write_xxx() functions.
  Cannot be triggered remotely unless you create X.509 certificates
  based on untrusted input or write keys of untrusted origin.
- The X509 max_pathlen constraint was not enforced on intermediate
  certificates.

Features
- Experimental support for EC J-PAKE as defined in Thread 1.0.0.
  Disabled by default as the specification might still change.
- Added a key extraction callback to accees the master secret and key
  block. (Potential uses include EAP-TLS and Thread.)

Bugfix
- Self-signed certificates were not excluded from pathlen counting,
  resulting in some valid X.509 being incorrectly rejected.
- Fix build error with configurations where ECDHE-PSK is the only key
  exchange.
- Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
  ECHD-ECDSA if the only key exchange. Multiple reports.
- Fixed a bug causing some handshakes to fail due to some non-fatal
  alerts not being properly ignored.
- mbedtls_x509_crt_verify(_with_profile)() now also checks the key
  type and size/curve against the profile. Before that, there was no
  way to set a minimum key size for end-entity certificates with
  RSA keys.
- Fix failures in MPI on Sparc(64) due to use of bad assembly code.
- Fix typo in name of the extKeyUsage OID.
- Fix bug in ASN.1 encoding of booleans that caused generated CA
  certificates to be rejected by some applications, including OS X
  Keychain.

Changes
- Improved performance of mbedtls_ecp_muladd() when one of the scalars
  is or -1.

= mbed TLS 2.1.2 released 2015-10-06

Security
- Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
  overflow of the hostname or session ticket.
- Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more
  than once in the same handhake and mbedtls_ssl_conf_psk() was used.
- Fix stack buffer overflow in pkcs12 decryption (used by
  mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
- Fix potential buffer overflow in mbedtls_mpi_read_string().
- Fix potential random memory allocation in mbedtls_pem_read_buffer()
  on crafted PEM input data.
- Fix possible heap buffer overflow in base64_encoded() when the input
  buffer is 512MB or larger on 32-bit platforms.
- Fix potential double-free if mbedtls_conf_psk() is called repeatedly
  on the same mbedtls_ssl_config object and memory allocation fails.
- Fix potential heap buffer overflow in servers that perform client
  authentication against a crafted CA cert. Cannot be triggered
  remotely unless you allow third parties to pick trust CAs for
  client auth.

Bugfix
- Fix compile error in net.c with musl libc.
- Fix macroization of 'inline' keyword when building as C++.

Changes
- Added checking of hostname length in mbedtls_ssl_set_hostname() to
  ensure domain names are compliant with RFC 1035.
- Fixed paths for check_config.h in example config files.

= mbed TLS 2.1.1 released 2015-09-17

Security
- Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
  signatures.
- Fix possible client-side NULL pointer dereference (read) when the
  client tries to continue the handshake after it failed (a misuse
  of the API).

Bugfix
- Fix warning when using a 64bit platform.
- Fix off-by-one error in parsing Supported Point Format extension
  that caused some handshakes to fail.

Changes
- Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile()
  to allow use of mbedtls_x509_crt_profile_next.
- When a client initiates a reconnect from the same port as a live
  connection, if cookie verification is available
  (MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable
  cookie callbacks set with mbedtls_ssl_conf_dtls_cookies()), this
  will be detected and mbedtls_ssl_read() will return
  MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a
  new handshake with the same context. (See RFC 6347 section 4.2.8.)

= mbed TLS 2.1.0 released 2015-09-04

Features
- Added support for yotta as a build system.
- Primary open source license changed to Apache 2.0 license.

Bugfix
- Fix segfault in the benchmark program when benchmarking DHM.
- Fix build error with CMake and pre-4.5 versions of GCC
- Fix bug when parsing a ServerHello without extensions
- Fix bug in CMake lists that caused libmbedcrypto.a not to be
  installed
- Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to
  be installed
- Fix compile error with armcc 5 with --gnu option.
- Fix bug in Makefile that caused programs not to be installed
  correctly
- Fix bug in Makefile that prevented from installing without building
  the tests
- Fix missing -static-libgcc when building shared libraries for
  Windows with make.
- Fix link error when building shared libraries for Windows with make.
- Fix error when loading libmbedtls.so.
- Fix bug in mbedtls_ssl_conf_default() that caused the default preset
  to be always used
- Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
  result trying to unlock an unlocked mutex on invalid input
- Fix -Wshadow warnings
- Fix memory corruption on client with overlong PSK identity, around
  SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely
- Fix unused function warning when using MBEDTLS_MDx_ALT or
  MBEDTLS_SHAxxx_ALT
- Fix memory corruption in pkey programs

Changes
- The PEM parser now accepts a trailing space at end of lines
- It is now possible to #include a user-provided configuration file at
  the end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on
  the compiler's command line.
- When verifying a certificate chain, if an intermediate certificate
  is trusted, no later cert is checked.
- Prepend a "thread identifier" to debug messages
- Add mbedtls_ssl_get_max_frag_len() to query the current maximum
  fragment length.

= mbed TLS 2.0.0 released 2015-07-13

Features
- Support for DTLS 1.0 and 1.2 (RFC 6347).
- Ability to override core functions from MDx, SHAx, AES and DES
  modules with custom implementation (eg hardware accelerated),
  complementing the ability to override the whole module.
- New server-side implementation of session tickets that rotate keys
  to preserve forward secrecy, and allows sharing across multiple
  contexts.
- Added a concept of X.509 cerificate verification profile that
  controls which algorithms and key sizes (curves for ECDSA) are
  acceptable.
- Expanded configurability of security parameters in the SSL module
  with mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
- Introduced a concept of presets for SSL security-relevant
  configuration parameters.

API Changes
- The library has been split into libmbedcrypto, libmbedx509,
  libmbedtls. You now need to link to all of them if you use TLS
  for example.
- All public identifiers moved to the mbedtls_* or MBEDTLS_*
  namespace. Some names have been further changed to make them more
  consistent. Migration helpers scripts/rename.pl and
  include/mbedlts/compat-1.3.h are provided. Full list of renamings
  in scripts/data_files/rename-1.3-2.0.txt
- Renamings of fields inside structures, not covered by the previous
  list:
    mbedtls_cipher_info_t.key_length -> key_bitlen
    mbedtls_cipher_context_t.key_length -> key_bitlen
    mbedtls_ecp_curve_info.size -> bit_size
- Headers are now found in the 'mbedtls' directory (previously
  'polarssl').
- The following _init() functions that could return errors have
  been split into an _init() that returns void and another function
  that should generally be the first function called on this context after
  init:
    mbedtls_ssl_init() -> mbedtls_ssl_setup()
    mbedtls_ccm_init() -> mbedtls_ccm_setkey()
    mbedtls_gcm_init() -> mbedtls_gcm_setkey()
    mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
    mbedtls_ctr_drbg_init()  -> mbedtls_ctr_drbg_seed()
  Note that for mbedtls_ssl_setup(), you need to be done setting up
  the ssl_config structure before calling it.
- Most ssl_set_xxx() functions (all except ssl_set_bio(),
  ssl_set_hostname(),
  ssl_set_session() and ssl_set_client_transport_id(), plus
  ssl_legacy_renegotiation()) have been renamed to
  mbedtls_ssl_conf_xxx() (see rename.pl and compat-1.3.h above) and
  their first argument's type changed from ssl_context to ssl_config.
- ssl_set_bio() changed signature (contexts merged, order switched,
  one additional callback for read-with-timeout).
- The following functions have been introduced and must be used in
  callback implementations (SNI, PSK) instead of their *conf
  counterparts:
    mbedtls_ssl_set_hs_own_cert()
    mbedtls_ssl_set_hs_ca_chain()
    mbedtls_ssl_set_hs_psk()
- mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now
  set using mbedtls_ssl_set_hostname().
- mbedtls_ssl_conf_session_cache() changed prototype (only one context
  pointer, parameters reordered).
- On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
  place of mbedtls_ssl_conf_session_tickets() to enable session
  tickets.
- The SSL debug callback gained two new arguments (file name, line
  number).
- Debug modes were removed.
- mbedtls_ssl_conf_truncated_hmac() now returns void.
- mbedtls_memory_buffer_alloc_init() now returns void.
- X.509 verification flags are now an uint32_t. Affect the signature
  of:
    mbedtls_ssl_get_verify_result()
    mbedtls_x509_ctr_verify_info()
    mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
    mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
- The following functions changed prototype to avoid an in-out length
  parameter:
    mbedtls_base64_encode()
    mbedtls_base64_decode()
    mbedtls_mpi_write_string()
    mbedtls_dhm_calc_secret()
- In the NET module, all "int" and "int *" arguments for file
  descriptors changed type to "mbedtls_net_context *".
- net_accept() gained new arguments for the size of the client_ip
  buffer.
- In the threading layer, mbedtls_mutex_init() and
  mbedtls_mutex_free() now return void.
- ecdsa_write_signature() gained an addtional md_alg argument and
  ecdsa_write_signature_det() was deprecated.
- pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
- Last argument of x509_crt_check_key_usage() and
  mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
- test_ca_list (from certs.h) is renamed to test_cas_pem and is only
  available if POLARSSL_PEM_PARSE_C is defined (it never worked
  without).
- Test certificates in certs.c are no longer guaranteed to be
  nul-terminated strings; use the new *_len variables instead of strlen().
- Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(),
  mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect
  the length parameter to include the terminating null byte for PEM input.
- Signature of mpi_mul_mpi() changed to make the last argument
  unsigned
- calloc() is now used instead of malloc() everywhere. API of platform
  layer and the memory_buffer_alloc module changed accordingly.
- Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
  (support for renegotiation now needs explicit enabling in config.h).
- Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and
  MBEDTLS_HAVE_TIME_DATE in config.h
- net_connect() and net_bind() have a new 'proto' argument to choose
  between TCP and UDP, using the macros NET_PROTO_TCP or
  NET_PROTO_UDP. Their 'port' argument type is changed to a string.
- Some constness fixes

Removals
- Removed mbedtls_ecp_group_read_string(). Only named groups are
  supported.
- Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use
  mbedtls_ecp_muladd().
- Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file
  functions (use generic functions from md.h)
- Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a
  custom waiting function.
- Removed test DHM parameters from the test certs module.
- Removed the PBKDF2 module (use PKCS5).
- Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
- Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
- Removed openssl.h (very partial OpenSSL compatibility layer).
- Configuration options POLARSSL_HAVE_LONGLONG was removed (now always
  on).
- Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16
  have been removed (compiler is required to support 32-bit operations).
- Configuration option POLARSSL_HAVE_IPV6 was removed (always
  enabled).
- Removed test program o_p_test, the script compat.sh does more.
- Removed test program ssl_test, superseded by ssl-opt.sh.
- Removed helper script active-config.pl

New deprecations
- md_init_ctx() is deprecated in favour of md_setup(), that adds a
  third argument (allowing memory savings if HMAC is not used)

Semi-API changes (technically public, morally private)
- Renamed a few headers to include _internal in the name. Those
  headers are not supposed to be included by users.
- Changed md_info_t into an opaque structure (use md_get_xxx()
  accessors).
- Changed pk_info_t into an opaque structure.
- Changed cipher_base_t into an opaque structure.
- Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and
  x509_crl.
- x509_crt.key_usage changed from unsigned char to unsigned int.
- Removed r and s from ecdsa_context
- Removed mode from des_context and des3_context

Default behavior changes
- The default minimum TLS version is now TLS 1.0.
- RC4 is now blacklisted by default in the SSL/TLS layer, and excluded
  from the default ciphersuite list returned by ssl_list_ciphersuites()
- Support for receiving SSLv2 ClientHello is now disabled by default
  at compile time.
- The default authmode for SSL/TLS clients is now REQUIRED.
- Support for RSA_ALT contexts in the PK layer is now optional. Since
  is is enabled in the default configuration, this is only noticeable
  if using a custom config.h
- Default DHM parameters server-side upgraded from 1024 to 2048 bits.
- A minimum RSA key size of 2048 bits is now enforced during
  ceritificate chain verification.
- Negotiation of truncated HMAC is now disabled by default on server
  too.
- The following functions are now case-sensitive:
    mbedtls_cipher_info_from_string()
    mbedtls_ecp_curve_info_from_name()
    mbedtls_md_info_from_string()
    mbedtls_ssl_ciphersuite_from_string()
    mbedtls_version_check_feature()

Requirement changes
- The minimum MSVC version required is now 2010 (better C99 support).
- The NET layer now unconditionnaly relies on getaddrinfo() and
  select().
- Compiler is required to support C99 types such as long long and
  uint32_t.

API changes from the 1.4 preview branch
- ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio()
  with new prototype, and mbedtls_ssl_set_read_timeout().
- The following functions now return void:
    mbedtls_ssl_conf_transport()
    mbedtls_ssl_conf_max_version()
    mbedtls_ssl_conf_min_version()
- DTLS no longer hard-depends on TIMING_C, but uses a callback
  interface instead, see mbedtls_ssl_set_timer_cb(), with the Timing
  module providing an example implementation, see
  mbedtls_timing_delay_context and mbedtls_timing_set/get_delay().
- With UDP sockets, it is no longer necessary to call net_bind() again
  after a successful net_accept().

Changes
- mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
  thread-safe if MBEDTLS_THREADING_C is enabled.
- Reduced ROM fooprint of SHA-256 and added an option to reduce it
  even more (at the expense of performance) MBEDTLS_SHA256_SMALLER.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 pkgsrc/security/mbedtls/Makefile \
    pkgsrc/security/mbedtls/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/mbedtls/PLIST
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/mbedtls/patches/patch-Makefile \
    pkgsrc/security/mbedtls/patches/patch-library_Makefile
cvs rdiff -u -r1.1 -r0 \
    pkgsrc/security/mbedtls/patches/patch-programs_test_CMakeLists.txt

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/mbedtls/Makefile
diff -u pkgsrc/security/mbedtls/Makefile:1.2 pkgsrc/security/mbedtls/Makefile:1.3
--- pkgsrc/security/mbedtls/Makefile:1.2        Sat Mar  5 11:29:22 2016
+++ pkgsrc/security/mbedtls/Makefile    Thu Jun 16 14:17:03 2016
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.2 2016/03/05 11:29:22 jperkin Exp $
+# $NetBSD: Makefile,v 1.3 2016/06/16 14:17:03 fhajny Exp $
 #
 
-DISTNAME=              mbedtls-1.3.11-gpl
-PKGNAME=               ${DISTNAME:-gpl=}
-PKGREVISION=           1
+DISTNAME=              mbedtls-2.2.1-apache
+PKGNAME=               ${DISTNAME:-apache=}
 CATEGORIES=            security devel
 MASTER_SITES=          https://tls.mbed.org/download/
 EXTRACT_SUFX=          .tgz
@@ -11,7 +10,7 @@ EXTRACT_SUFX=         .tgz
 MAINTAINER=            pkgsrc-users%NetBSD.org@localhost
 HOMEPAGE=              https://tls.mbed.org/
 COMMENT=               Lightweight, modular cryptographic and SSL/TLS library
-LICENSE=               gnu-gpl-v2
+LICENSE=               apache-2.0
 
 CONFLICTS+=            polarssl-[0-9]*
 SUPERSEDES+=           polarssl-[0-9]*
@@ -28,13 +27,8 @@ REPLACE_PERL=                tests/scripts/*.pl
 
 CMAKE_ARGS+=           -DUSE_SHARED_MBEDTLS_LIBRARY=ON
 MAKE_ENV+=             RANLIB=${RANLIB:Q}
-TEST_TARGET=           check
 
 LDFLAGS.SunOS+=                -lsocket
 
-post-install:
-       ${CHMOD} -x ${DESTDIR}${PREFIX}/lib/libmbedtls.a
-       ${SETENV} ${SH} ${WRKSRC}/scripts/polarssl_symlinks.sh ${DESTDIR}${PREFIX}/lib
-
 .include "../../mk/pthread.buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
Index: pkgsrc/security/mbedtls/distinfo
diff -u pkgsrc/security/mbedtls/distinfo:1.2 pkgsrc/security/mbedtls/distinfo:1.3
--- pkgsrc/security/mbedtls/distinfo:1.2        Wed Nov  4 01:17:50 2015
+++ pkgsrc/security/mbedtls/distinfo    Thu Jun 16 14:17:03 2016
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.2 2015/11/04 01:17:50 agc Exp $
+$NetBSD: distinfo,v 1.3 2016/06/16 14:17:03 fhajny Exp $
 
-SHA1 (mbedtls-1.3.11-gpl.tgz) = 3948084c9d3312b381d458b06d9a2066c3cc0184
-RMD160 (mbedtls-1.3.11-gpl.tgz) = 66448e7d5ca41e7c64f55bdb3e4b9ec9d1ec3205
-SHA512 (mbedtls-1.3.11-gpl.tgz) = 242c486becc34d3b7ebba7624686aea6ed7713033aeabbfae7227284df322f191ddd5b9ded1228f100cd50bcfafb12396d93c30420afd3feb979b52a1860551e
-Size (mbedtls-1.3.11-gpl.tgz) = 1731809 bytes
-SHA1 (patch-Makefile) = 80698e16a397133de134ab582016b9e91ad652f0
-SHA1 (patch-library_Makefile) = 551854fbdd91ae180f1d5408869a556ff0c39d1a
-SHA1 (patch-programs_test_CMakeLists.txt) = 94ce731d81f1584c406e3b295c84fd6a5c327a50
+SHA1 (mbedtls-2.2.1-apache.tgz) = d2ff60fad7191dbb5b81ff6c22769964e5a7d53d
+RMD160 (mbedtls-2.2.1-apache.tgz) = a87671954663085100e288f4395f385435471825
+SHA512 (mbedtls-2.2.1-apache.tgz) = 6a74abc4ea225eb6bcf20894bb1a6faa82dbaff11129c41849151e2654570609efeee70d0644ce63c4d2c11e6142b2db262b88f3a22fdceff0a215a64a5d6eb0
+Size (mbedtls-2.2.1-apache.tgz) = 1863674 bytes
+SHA1 (patch-Makefile) = c69fceae637bd025fccf0ac3de926dfc37c22fa6
+SHA1 (patch-library_Makefile) = 7565162f06d2abd91cc974321fd873409f11a181

Index: pkgsrc/security/mbedtls/PLIST
diff -u pkgsrc/security/mbedtls/PLIST:1.1 pkgsrc/security/mbedtls/PLIST:1.2
--- pkgsrc/security/mbedtls/PLIST:1.1   Fri Jun 12 09:05:05 2015
+++ pkgsrc/security/mbedtls/PLIST       Thu Jun 16 14:17:03 2016
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.1 2015/06/12 09:05:05 fhajny Exp $
+@comment $NetBSD: PLIST,v 1.2 2016/06/16 14:17:03 fhajny Exp $
 ${PLIST.tools}bin/aescrypt2
 ${PLIST.tools}bin/benchmark
 ${PLIST.tools}bin/cert_app
@@ -9,6 +9,8 @@ ${PLIST.tools}bin/crypt_and_hash
 ${PLIST.tools}bin/dh_client
 ${PLIST.tools}bin/dh_genprime
 ${PLIST.tools}bin/dh_server
+${PLIST.tools}bin/dtls_client
+${PLIST.tools}bin/dtls_server
 ${PLIST.tools}bin/gen_entropy
 ${PLIST.tools}bin/gen_key
 ${PLIST.tools}bin/gen_random_ctr_drbg
@@ -16,10 +18,8 @@ ${PLIST.tools}bin/gen_random_havege
 ${PLIST.tools}bin/generic_sum
 ${PLIST.tools}bin/hello
 ${PLIST.tools}bin/key_app
-${PLIST.tools}bin/md5sum
 ${PLIST.tools}bin/mini_client
 ${PLIST.tools}bin/mpi_demo
-${PLIST.tools}${PLIST.tests}bin/o_p_test
 ${PLIST.tools}bin/pem2der
 ${PLIST.tools}bin/pk_decrypt
 ${PLIST.tools}bin/pk_encrypt
@@ -32,8 +32,6 @@ ${PLIST.tools}bin/rsa_genkey
 ${PLIST.tools}bin/rsa_sign
 ${PLIST.tools}bin/rsa_verify
 ${PLIST.tools}bin/selftest
-${PLIST.tools}bin/sha1sum
-${PLIST.tools}bin/sha2sum
 ${PLIST.tools}bin/ssl_cert_test
 ${PLIST.tools}bin/ssl_client1
 ${PLIST.tools}bin/ssl_client2
@@ -41,78 +39,83 @@ ${PLIST.tools}bin/ssl_fork_server
 ${PLIST.tools}bin/ssl_mail_client
 ${PLIST.tools}bin/ssl_pthread_server
 ${PLIST.tools}bin/ssl_server
-${PLIST.tools}bin/ssl_test
 ${PLIST.tools}bin/strerror
-include/polarssl/aes.h
-include/polarssl/aesni.h
-include/polarssl/arc4.h
-include/polarssl/asn1.h
-include/polarssl/asn1write.h
-include/polarssl/base64.h
-include/polarssl/bignum.h
-include/polarssl/blowfish.h
-include/polarssl/bn_mul.h
-include/polarssl/camellia.h
-include/polarssl/ccm.h
-include/polarssl/certs.h
-include/polarssl/check_config.h
-include/polarssl/cipher.h
-include/polarssl/cipher_wrap.h
-include/polarssl/compat-1.2.h
-include/polarssl/config.h
-include/polarssl/ctr_drbg.h
-include/polarssl/debug.h
-include/polarssl/des.h
-include/polarssl/dhm.h
-include/polarssl/ecdh.h
-include/polarssl/ecdsa.h
-include/polarssl/ecp.h
-include/polarssl/entropy.h
-include/polarssl/entropy_poll.h
-include/polarssl/error.h
-include/polarssl/gcm.h
-include/polarssl/havege.h
-include/polarssl/hmac_drbg.h
-include/polarssl/md.h
-include/polarssl/md2.h
-include/polarssl/md4.h
-include/polarssl/md5.h
-include/polarssl/md_wrap.h
-include/polarssl/memory.h
-include/polarssl/memory_buffer_alloc.h
-include/polarssl/net.h
-include/polarssl/oid.h
-include/polarssl/openssl.h
-include/polarssl/padlock.h
-include/polarssl/pbkdf2.h
-include/polarssl/pem.h
-include/polarssl/pk.h
-include/polarssl/pk_wrap.h
-include/polarssl/pkcs11.h
-include/polarssl/pkcs12.h
-include/polarssl/pkcs5.h
-include/polarssl/platform.h
-include/polarssl/ripemd160.h
-include/polarssl/rsa.h
-include/polarssl/sha1.h
-include/polarssl/sha256.h
-include/polarssl/sha512.h
-include/polarssl/ssl.h
-include/polarssl/ssl_cache.h
-include/polarssl/ssl_ciphersuites.h
-include/polarssl/threading.h
-include/polarssl/timing.h
-include/polarssl/version.h
-include/polarssl/x509.h
-include/polarssl/x509_crl.h
-include/polarssl/x509_crt.h
-include/polarssl/x509_csr.h
-include/polarssl/xtea.h
+${PLIST.tools}bin/udp_proxy
+include/mbedtls/aes.h
+include/mbedtls/aesni.h
+include/mbedtls/arc4.h
+include/mbedtls/asn1.h
+include/mbedtls/asn1write.h
+include/mbedtls/base64.h
+include/mbedtls/bignum.h
+include/mbedtls/blowfish.h
+include/mbedtls/bn_mul.h
+include/mbedtls/camellia.h
+include/mbedtls/ccm.h
+include/mbedtls/certs.h
+include/mbedtls/check_config.h
+include/mbedtls/cipher.h
+include/mbedtls/cipher_internal.h
+include/mbedtls/compat-1.3.h
+include/mbedtls/config.h
+include/mbedtls/ctr_drbg.h
+include/mbedtls/debug.h
+include/mbedtls/des.h
+include/mbedtls/dhm.h
+include/mbedtls/ecdh.h
+include/mbedtls/ecdsa.h
+include/mbedtls/ecjpake.h
+include/mbedtls/ecp.h
+include/mbedtls/entropy.h
+include/mbedtls/entropy_poll.h
+include/mbedtls/error.h
+include/mbedtls/gcm.h
+include/mbedtls/havege.h
+include/mbedtls/hmac_drbg.h
+include/mbedtls/md.h
+include/mbedtls/md2.h
+include/mbedtls/md4.h
+include/mbedtls/md5.h
+include/mbedtls/md_internal.h
+include/mbedtls/memory_buffer_alloc.h
+include/mbedtls/net.h
+include/mbedtls/oid.h
+include/mbedtls/padlock.h
+include/mbedtls/pem.h
+include/mbedtls/pk.h
+include/mbedtls/pk_internal.h
+include/mbedtls/pkcs11.h
+include/mbedtls/pkcs12.h
+include/mbedtls/pkcs5.h
+include/mbedtls/platform.h
+include/mbedtls/ripemd160.h
+include/mbedtls/rsa.h
+include/mbedtls/sha1.h
+include/mbedtls/sha256.h
+include/mbedtls/sha512.h
+include/mbedtls/ssl.h
+include/mbedtls/ssl_cache.h
+include/mbedtls/ssl_ciphersuites.h
+include/mbedtls/ssl_cookie.h
+include/mbedtls/ssl_internal.h
+include/mbedtls/ssl_ticket.h
+include/mbedtls/threading.h
+include/mbedtls/timing.h
+include/mbedtls/version.h
+include/mbedtls/x509.h
+include/mbedtls/x509_crl.h
+include/mbedtls/x509_crt.h
+include/mbedtls/x509_csr.h
+include/mbedtls/xtea.h
+lib/libmbedcrypto.a
+lib/libmbedcrypto.so
+lib/libmbedcrypto.so.0
+lib/libmbedcrypto.so.${PKGVERSION}
 lib/libmbedtls.a
 lib/libmbedtls.so
+lib/libmbedtls.so.10
 lib/libmbedtls.so.${PKGVERSION}
-lib/libmbedtls.so.9
-lib/libpolarssl.a
-lib/libpolarssl.so
-lib/libpolarssl.so.${PKGVERSION}
-lib/libpolarssl.so.9
+lib/libmbedx509.a
+lib/libmbedx509.so
+lib/libmbedx509.so.0
+lib/libmbedx509.so.${PKGVERSION}

Index: pkgsrc/security/mbedtls/patches/patch-Makefile
diff -u pkgsrc/security/mbedtls/patches/patch-Makefile:1.1 pkgsrc/security/mbedtls/patches/patch-Makefile:1.2
--- pkgsrc/security/mbedtls/patches/patch-Makefile:1.1  Fri Jun 12 09:05:05 2015
+++ pkgsrc/security/mbedtls/patches/patch-Makefile      Thu Jun 16 14:17:03 2016
@@ -1,30 +1,35 @@
-$NetBSD: patch-Makefile,v 1.1 2015/06/12 09:05:05 fhajny Exp $
+$NetBSD: patch-Makefile,v 1.2 2016/06/16 14:17:03 fhajny Exp $
 
 Fix DESTDIR for pkgsrc.
 
---- Makefile.orig      2015-06-04 12:49:19.000000000 +0000
+--- Makefile.orig      2016-01-04 22:26:36.000000000 +0000
 +++ Makefile
-@@ -1,6 +1,5 @@
+@@ -1,6 +1,6 @@
  
 -DESTDIR=/usr/local
 -PREFIX=mbedtls_
++PREFIX=/usr/local
 +APPPREFIX=mbedtls_
- OLDPREFIX=polarssl_
  
  .SILENT:
-@@ -19,35 +18,35 @@ tests:     lib
-       $(MAKE) -C tests
  
- install:
--      mkdir -p $(DESTDIR)/include/polarssl
--      cp -r include/polarssl $(DESTDIR)/include
-+      mkdir -p $(DESTDIR)$(PREFIX)/include/polarssl
-+      cp -r include/polarssl $(DESTDIR)$(PREFIX)/include
+@@ -21,34 +21,34 @@ tests: lib
+ 
+ ifndef WINDOWS
+ install: no_test
+-      mkdir -p $(DESTDIR)/include/mbedtls
+-      cp -r include/mbedtls $(DESTDIR)/include
++      mkdir -p $(DESTDIR)$(PREFIX)/include/mbedtls
++      cp -r include/mbedtls $(DESTDIR)$(PREFIX)/include
        
 -      mkdir -p $(DESTDIR)/lib
--      cp -RP library/libpolarssl.* library/libmbedtls.* $(DESTDIR)/lib
+-      cp -RP library/libmbedtls.*    $(DESTDIR)/lib
+-      cp -RP library/libmbedx509.*   $(DESTDIR)/lib
+-      cp -RP library/libmbedcrypto.* $(DESTDIR)/lib
 +      mkdir -p $(DESTDIR)$(PREFIX)/lib
-+      cp -RP library/libpolarssl.* library/libmbedtls.* $(DESTDIR)$(PREFIX)/lib
++      cp -RP library/libmbedtls.*    $(DESTDIR)$(PREFIX)/lib
++      cp -RP library/libmbedx509.*   $(DESTDIR)$(PREFIX)/lib
++      cp -RP library/libmbedcrypto.* $(DESTDIR)$(PREFIX)/lib
        
 -      mkdir -p $(DESTDIR)/bin
 +      mkdir -p $(DESTDIR)$(PREFIX)/bin
@@ -32,33 +37,29 @@ Fix DESTDIR for pkgsrc.
            if [ -x $$p ] && [ ! -d $$p ] ;     \
            then                                \
 -              f=$(PREFIX)`basename $$p` ;     \
-+              f=$(APPPREFIX)`basename $$p` ;     \
-               o=$(OLDPREFIX)`basename $$p` ;  \
 -              cp $$p $(DESTDIR)/bin/$$f ;     \
--              ln -sf $$f $(DESTDIR)/bin/$$o ; \
++              f=$(APPPREFIX)`basename $$p` ;     \
 +              cp $$p $(DESTDIR)$(PREFIX)/bin/$$f ;     \
-+              ln -sf $$f $(DESTDIR)$(PREFIX)/bin/$$o ; \
            fi                                  \
        done
  
  uninstall:
--      rm -rf $(DESTDIR)/include/polarssl
--      rm -f $(DESTDIR)/lib/libpolarssl.*
+-      rm -rf $(DESTDIR)/include/mbedtls
 -      rm -f $(DESTDIR)/lib/libmbedtls.*
-+      rm -rf $(DESTDIR)$(PREFIX)/include/polarssl
-+      rm -f $(DESTDIR)$(PREFIX)/lib/libpolarssl.*
+-      rm -f $(DESTDIR)/lib/libmbedx509.*
+-      rm -f $(DESTDIR)/lib/libmbedcrypto.*
++      rm -rf $(DESTDIR)$(PREFIX)/include/mbedtls
 +      rm -f $(DESTDIR)$(PREFIX)/lib/libmbedtls.*
++      rm -f $(DESTDIR)$(PREFIX)/lib/libmbedx509.*
++      rm -f $(DESTDIR)$(PREFIX)/lib/libmbedcrypto.*
        
        for p in programs/*/* ; do              \
            if [ -x $$p ] && [ ! -d $$p ] ;     \
            then                                \
 -              f=$(PREFIX)`basename $$p` ;     \
-+              f=$(APPPREFIX)`basename $$p` ;     \
-               o=$(OLDPREFIX)`basename $$p` ;  \
 -              rm -f $(DESTDIR)/bin/$$f ;      \
--              rm -f $(DESTDIR)/bin/$$o ;      \
++              f=$(APPPREFIX)`basename $$p` ;     \
 +              rm -f $(DESTDIR)$(PREFIX)/bin/$$f ;      \
-+              rm -f $(DESTDIR)$(PREFIX)/bin/$$o ;      \
            fi                                  \
        done
- 
+ endif
Index: pkgsrc/security/mbedtls/patches/patch-library_Makefile
diff -u pkgsrc/security/mbedtls/patches/patch-library_Makefile:1.1 pkgsrc/security/mbedtls/patches/patch-library_Makefile:1.2
--- pkgsrc/security/mbedtls/patches/patch-library_Makefile:1.1  Fri Jun 12 09:05:05 2015
+++ pkgsrc/security/mbedtls/patches/patch-library_Makefile      Thu Jun 16 14:17:03 2016
@@ -1,15 +1,33 @@
-$NetBSD: patch-library_Makefile,v 1.1 2015/06/12 09:05:05 fhajny Exp $
+$NetBSD: patch-library_Makefile,v 1.2 2016/06/16 14:17:03 fhajny Exp $
 
 Call ranlib instead of non-portable 'ar s'.
 
---- library/Makefile.orig      2015-06-04 12:49:19.000000000 +0000
+--- library/Makefile.orig      2016-01-04 22:26:36.000000000 +0000
 +++ library/Makefile
-@@ -95,7 +95,7 @@ libmbedtls.a: $(OBJS)
+@@ -92,7 +92,7 @@ libmbedtls.a: $(OBJS_TLS)
        echo "  AR    $@"
-       $(AR) rc $@ $(OBJS)
+       $(AR) rc $@ $(OBJS_TLS)
        echo "  RL    $@"
 -      $(AR) s $@
 +      $(RANLIB) $@
  
- libpolarssl.$(DLEXT): libmbedtls.$(DLEXT)
-       echo "  LN    $@ -> $?"
+ libmbedtls.$(SOEXT_TLS): $(OBJS_TLS) libmbedx509.so
+       echo "  LD    $@"
+@@ -115,7 +115,7 @@ libmbedx509.a: $(OBJS_X509)
+       echo "  AR    $@"
+       $(AR) rc $@ $(OBJS_X509)
+       echo "  RL    $@"
+-      $(AR) s $@
++      $(RANLIB) $@
+ 
+ libmbedx509.$(SOEXT_X509): $(OBJS_X509) libmbedcrypto.so
+       echo "  LD    $@"
+@@ -138,7 +138,7 @@ libmbedcrypto.a: $(OBJS_CRYPTO)
+       echo "  AR    $@"
+       $(AR) rc $@ $(OBJS_CRYPTO)
+       echo "  RL    $@"
+-      $(AR) s $@
++      $(RANLIB) $@
+ 
+ libmbedcrypto.$(SOEXT_CRYPTO): $(OBJS_CRYPTO)
+       echo "  LD    $@"



Home | Main Index | Thread Index | Old Index