CVS commit: pkgsrc/security/wolfssl

["Santhosh Raju" <fox%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   fox
Date:           Sat Feb  4 15:19:51 UTC 2023

Modified Files:
        pkgsrc/security/wolfssl: Makefile distinfo

Log Message:
security/wolfssl: Update to v5.5.4

Changes since v5.5.3:

wolfSSL Release 5.5.4 (Dec 21, 2022)

Release 5.5.4 of wolfSSL embedded TLS has bug fixes and new features including:

New Feature Additions

* QUIC related changes for HAProxy integration and config option
* Support for Analog Devices MAXQ1080 and MAXQ1065
* Testing and build of wolfSSL with NuttX
* New software based entropy gatherer with configure option
  --enable-entropy-memuseOP
* NXP SE050 feature expansion and fixes, adding in RSA support and conditional
  compile of AES and CMAC
* Support for multi-threaded sniffer

Improvements / Optimizations

Benchmark and Tests
* Add alternate test case for unsupported static memory API when testing mutex
  allocations
* Additional unit test cases added for AES CCM 256-bit
* Initialize and free AES object with benchmarking AES-OFB
* Kyber with DTLS 1.3 tests added
* Tidy up Espressif ESP32 test and benchmark examples
* Rework to be able to run API tests individually and add display of time taken
  per test

Build and Port Improvements
* Add check for 64-bit ABI on MIPS64 before declaring a 64-bit CPU
* Add support to detect SIZEOF_LONG in armclang and diab
* Added in a simple example working on Rx72n
* Update azsphere support to prevent compilation of file included inline
* --enable-brainpool configure option added and default to on when custom curves
    are also on
* Add RSA PSS salt defines to engine builds if not FIPS v2

Post Quantum
* Remove kyber-90s and route all Kyber through wolfcrypt
* Purge older version of NTRU and SABER from wolfSSL

SP Math
* Support static memory build with sp-math
* SP C, SP int: improve performance
* SP int: support mingw64 again
* SP int: enhancements to guess 64-bit type and check on NO_64BIT macro set
  before using long long
* SP int: check size required when using sp_int on stack
* SP: --enable-sp-asm now enables SP by default if not set
* SP: support aarch64 big endian

DTLS
* Allow DTLS 1.3 to compile when FIPS is enabled
* Allow for stateless DTLS client hello parsing

Misc.
* Easier detection of DRBG health when using Intel’s RDRAND by updating the
  structures status value
* Detection of duplicate known extensions with TLS
* PKCS#11 handle a user PIN that is a NULL_PTR, compile time check in finding
  keys, add initialization API
* Update max Cert Policy size based on RFC 5280
* Add Android CA certs path for wolfSSL_CTX_load_system_CA_certs()
* Improve logic for enabling system CA certs on Apple devices
* Stub functions to allow for cpuid public functions with non-intel builds
* Increase RNG_SECURITY_STRENGTH for FIPS
* Improvements in OpenSSL Compat ERR Queue handling
* Support ASN1/DER CRLs in LoadCertByIssuer
* Expose more ECC math functions and improve async shared secret
* Improvement for sniffer error messages
* Warning added that renegotiation in TLS 1.3 requires session ticket
* Adjustment for TLS 1.3 post auth support
* Rework DH API and improve PEM read/write

## Fixes

Build Fixes
* Fix --enable-devcrypto build error for sys without u_int8_t type
* Fix casts in evp.c and build issue in ParseCRL
* Fixes for compatibility layer building with heap hint and OSSL callbacks
* fix compile error due to Werro=undef on gcc-4.8
* Fix mingw-w64 build issues on windows
* Xcode project fixes for different build settings
* Initialize variable causing failures with gcc-11 and gcc-12 with a unique
  wolfSSL build configuration
* Prevent WOLFSSL_NO_MALLOC from breaking RSA certificate verification
* Fixes for various tests that do not properly handle `WC_PENDING_E` with
  async. builds
* Fix for misc `HashObject` to be excluded for `WOLFCRYPT_ONLY`

OCSP Fixes
* Correctly save next status with OCSP response verify
* When the OCSP responder returns an unknown exception, continue through to
  checking the CRL

Math Fixes
* Fix for implicit conversion with 32-bit in SP math
* Fix for error checks when modulus is even with SP int build
* Fix for checking of err in _sp_exptmod_nct with SP int build
* ECC cofactor fix when checking scalar bits
* ARM32 ASM: don't use ldrd on user data
* SP int, fix when ECC specific size code included

Port Fixes
* Fixes for STM32 PKA ECC (not 256-bit) and improvements for AES-GCM
* Fix for cryptocell signature verification with ECC
* Benchmark devid changes, CCM with SECO fix, set IV on AES import into SECO

Compat. Layer Fixes
* Fix for handling DEFAULT:... cipher suite list
* Fix memory leak in wolfSSL_X509_NAME_ENTRY_get_object
* Set alt name type to V_ASN1_IA5STRING
* Update name hash functions wolfSSL_X509_subject_name_hash and
  wolfSSL_X509_issuer_name_hash to hash the canonical form of subject
* Fix wolfSSL_set_SSL_CTX() to be usable during handshake
* Fix X509_get1_ocsp to set num of elements in stack
* X509v3 EXT d2i: fix freeing of aia
* Fix to remove recreation of certificate with wolfSSL_PEM_write_bio_X509()
* Link newly created x509 store's certificate manager to self by default to
  assist with CRL verification
* Fix for compatibility `EC_KEY_new_by_curve_name` to not create a key if the
  curve is not found

Misc.
* Free potential signer malloc in a fail case
* fix other name san parsing and add RID cert to test parsing
* WOLFSSL_OP_NO_TICKET fix for TLSv1.2
* fix ASN template parsing of X509 subject directory attribute
* Fix the wrong IV size with the cipher suite
  TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
* Fix incorrect self signed error return when compiled with certreq and certgen.
* Fix wrong function name in debug comment with wolfSSL_X509_get_name_oneline()
* Fix for decryption after second handshake with async sniffer
* Allow session tickets to properly resume when using PQ KEMs
* Add sanity overflow check to DecodeAltNames input buffer access


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 pkgsrc/security/wolfssl/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/security/wolfssl/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/wolfssl/Makefile
diff -u pkgsrc/security/wolfssl/Makefile:1.17 pkgsrc/security/wolfssl/Makefile:1.18
--- pkgsrc/security/wolfssl/Makefile:1.17       Sat Nov 12 05:52:26 2022
+++ pkgsrc/security/wolfssl/Makefile    Sat Feb  4 15:19:51 2023
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.17 2022/11/12 05:52:26 fox Exp $
+# $NetBSD: Makefile,v 1.18 2023/02/04 15:19:51 fox Exp $
 
-DISTNAME=      wolfssl-5.5.3
+DISTNAME=      wolfssl-5.5.4
 CATEGORIES=    security
 MASTER_SITES=  https://www.wolfssl.com/
 EXTRACT_SUFX=  .zip

Index: pkgsrc/security/wolfssl/distinfo
diff -u pkgsrc/security/wolfssl/distinfo:1.18 pkgsrc/security/wolfssl/distinfo:1.19
--- pkgsrc/security/wolfssl/distinfo:1.18       Sat Nov 12 05:52:26 2022
+++ pkgsrc/security/wolfssl/distinfo    Sat Feb  4 15:19:51 2023
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.18 2022/11/12 05:52:26 fox Exp $
+$NetBSD: distinfo,v 1.19 2023/02/04 15:19:51 fox Exp $
 
-BLAKE2s (wolfssl-5.5.3.zip) = 4dfbd08ec59e786d5e833d5292ee6fb1b178d100e2330ba4d5c479302bc3cdec
-SHA512 (wolfssl-5.5.3.zip) = 9e2640581ea8dc15bb3d6bfa66679587f61f843824ed4bd20baf14fbadaab166539edf5c6147346f1552eb4f789f17abacd7a850bdb4ba35f801f60011da7634
-Size (wolfssl-5.5.3.zip) = 20551889 bytes
+BLAKE2s (wolfssl-5.5.4.zip) = 8d6e46e4d496324fd3d2788bd710782bc6e4f8a9f1ec46ae6c84e07fbcd4493e
+SHA512 (wolfssl-5.5.4.zip) = b1ee46b7b4f4d9dbce73993ee863362d74107425ddfe39a90ae20480ae1a40544724e92bd76733a9ecf4ceed58698f4a929f9f16e9289e82927fab8bad90328b
+Size (wolfssl-5.5.4.zip) = 20699104 bytes
 SHA1 (patch-configure) = 70270a0f102297d2b61f47bdc6420f393b6689fd