security/wolfssl: Fix arm64 build.

- Pull in upstream patch https://github.com/wolfSSL/wolfssl/pull/8348
- Bump PORTREVISION

security/wolfssl: Fix arm64 build.

security/wolfssl: Update to 5.7.6

Changes since 5.7.4:

wolfSSL Release 5.7.6 (Dec 31, 2024)

To download the release bundle of wolfSSL visit the download page at
www.wolfssl.com/download/

NOTE:

  * --enable-heapmath is deprecated.
  * In this release, the default cipher suite preference is updated to
    prioritize TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 when
    enabled.

security/wolfssl: Enable additional build options.

Enable option for storing user-defined data in TLS API

PR:             282430
Reported by:    Matthias Andree <mandree@FreeBSD.org>

security/wolfssl: Update to 5.7.4

Changes since 5.7.2:

wolfSSL Release 5.7.4 (Oct 24, 2024)

Release 5.7.4 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024

PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request
number where the code change was added.

security/wolfssl: Update to 5.7.2

Changes since 5.7.0:

wolfSSL Release 5.7.2 (July 8, 2024)

NOTE: * --enable-heapmath is being deprecated and will be removed by end of
2024

Vulnerabilities

  * [Medium] CVE-2024-1544
    Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.
    6.6 with wc_ecc_sign_hash calls. Generating the ECDSA nonce k samples a
    random number r and then truncates this randomness with a modular

security/wolfssl: Update to 5.7.0

Changes since 5.6.6:

wolfSSL Release 5.7.0 (Mar 20, 2024)

NOTE: * --enable-heapmath is being deprecated and will be removed by end of
2024

NOTE: In future releases, --enable-des3 (which is disabled by default) will
be insufficient in itself to enable DES3 in TLS cipher suites. A new option,
--enable-des3-tls-suites, will need to be supplied in addition. This option
should only be used in backward compatibility scenarios, as it is inherently
insecure.

security/wolfssl: Update to 5.6.6

Changes since 5.6.4:

wolfSSL Release 5.6.6 (Dec 19, 2023)

NOTE: * --enable-heapmath is being deprecated and will be removed by 2024

REMINDER: When working with AES Block Cipher algorithms, wc_AesInit() should
always be called first to initialize the Aes structure, before calling other Aes
API functions. Recently we found several places in our documentation, comments,
and codebase where this pattern was not observed. We have since fixed this
omission in several PRs for this release.

Vulnerabilities

security/wolfssl: Update to v5.6.4

Changes since v5.6.3:

wolfSSL Release 5.6.4 (October 30, 2023)

NOTE: * --enable-heapmath is being deprecated and will be removed by 2024
* Old CyaSSL/CtaoCrypt shim layer was removed in this release (5.6.4)

Vulnerabilities

  * [Medium] A fix was added, but still under review for completeness, for a
    Bleichenbacher style attack, leading to being able to decrypt a saved TLS
    connection and potentially forge a signature after probing with a large
    number of trial connections. This issue is around RSA decryption and

security/wolfssl: fix packageing (+)

Unbreak packaging after 5638b5ef1ff5d825cda9432d97540fd1fe4caa8c

===> Checking for items in STAGEDIR missing from pkg-plist
Error: Orphaned: lib/libwolfssl.so.35.5.1
===> Checking for items in pkg-plist which are not in STAGEDIR
Error: Missing: lib/libwolfssl.so.35.4.0
===> Error: Plist issues found.

Reported by:	poudriere fallout
Approved by:	portmgr blanket

security/wolfssl: Update to v5.6.3

Changes since v5.6.0:

wolfSSL Release 5.6.3 (Jun 16, 2023)

Release 5.6.3 of wolfSSL embedded TLS has 4 bug fixes:

* Fix for setting the atomic macro options introduced in release 5.6.2. This
  issue affects GNU gcc autoconf builds. The fix resolves a potential mismatch
of
  the generated macros defined in options.h file and the macros used when the
  wolfSSL library is compiled. In version 5.6.2 this mismatch could result in
  unstable runtime behavior.
* Fix for invalid suffix error with Windows build using the macro
  GCM_TABLE_4BIT.

security/wolfssl: Update to v5.6.0

Changes since v5.5.4:

wolfSSL Release 5.6.0 (Mar 24, 2023)

Release 5.6.0 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality
criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

NOTE: * --enable-heapmath is being deprecated and will be removed by 2024 * This
release makes ASN Template the default with ./configure, the previous ASN
parsing can be built with --enable-asn=original

Release 5.6.0 of wolfSSL embedded TLS has bug fixes and new features including:

security/wolfssl: Update to v5.5.4

Changes since v5.5.3:

wolfSSL Release 5.5.4 (Dec 21, 2022)

Release 5.5.4 of wolfSSL embedded TLS has bug fixes and new features including:

New Feature Additions

* QUIC related changes for HAProxy integration and config option
* Support for Analog Devices MAXQ1080 and MAXQ1065
* Testing and build of wolfSSL with NuttX
* New software based entropy gatherer with configure option
  --enable-entropy-memuseOP

security/wolfssl: Update the description.

Update the supported TLS version in description.

PR: 267737
Reported by: Yonas Yanfa <yonas.yanfa@gmail.com>

security/wolfssl: Update to v5.5.3

Changes since v5.5.1:

wolfSSL Release 5.5.3 (Nov 2, 2022)

Release 5.5.3 of wolfSSL embedded TLS has the following bug fix:

Fixes

* Fix for possible buffer zeroization overrun introduced at the end of v5.5.2
  release cycle in GitHub pull request 5743
  (https://github.com/wolfSSL/wolfssl/pull/5743) and fixed in pull request 5757
  (https://github.com/wolfSSL/wolfssl/pull/5757). In the case where a specific
  memory allocation failed or a hardware fault happened there was the potential

security/wolfssl: Update to v5.5.1

Changes since v5.5.0:

wolfSSL Release 5.5.1 (Sep 28, 2022) Latest

Vulnerabilities
* [Med] Denial of service attack and buffer overflow against TLS 1.3 servers
  using session ticket resumption. When built with --enable-session-ticket and
  making use of TLS 1.3 server code in wolfSSL, there is the possibility of a
  malicious client to craft a malformed second ClientHello packet that causes
  the server to crash. This issue is limited to when using both
  --enable-session-ticket and TLS 1.3 on the server side. Users with TLS 1.3
  servers, and having --enable-session-ticket, should update to the latest
  version of wolfSSL. Thanks to Max at Trail of Bits for the report and

Remove WWW entries moved into port Makefiles

Commit b7f05445c00f has added WWW entries to port Makefiles based on
WWW: lines in pkg-descr files.

This commit removes the WWW: lines of moved-over URLs from these
pkg-descr files.

Approved by:		portmgr (tcberner)

Add WWW entries to port Makefiles

It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.

Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was tarnsfered into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.

There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.

security/wolfssl: Update to v5.5.0

Changes since v5.4.0:

wolfSSL Release 5.5.0 (Aug 30, 2022)

Note:
** If not free’ing FP_ECC caches per thread by calling wc_ecc_fp_free there is
a
   possible memory leak during TLS 1.3 handshakes which use ECC. Users are urged
   to confirm they are free’ing FP_ECC caches per thread if enabled to avoid
   this issue.

Release 5.5.0 of wolfSSL embedded TLS has bug fixes and new features including:

Vulnerabilities

security/wolfssl: Update to v5.4.0

Changes since v5.3.0:

wolfSSL Release 5.4.0 (July 11, 2022)

Note:
** Future releases of wolfSSL will turn off TLS 1.1 by default
** Release 5.4.0 made SP math the default math implementation. To make an
   equivalent build as –disable-fastmath from previous versions of wolfSSL,
now
   requires using the configure option –enable-heapmath instead.

Release 5.4.0 of wolfSSL embedded TLS has bug fixes and new features including:

Vulnerabilities

security/wolfssl: Update to v5.3.0

Changes since v5.2.0:

Release 5.3.0 of wolfSSL embedded TLS has bug fixes and new features including:

New Feature Additions
Ports

  * Updated support for Stunnel to version 5.61
  * Add i.MX8 NXP SECO use for secure private ECC keys and expand
    cryptodev-linux for use with the RSA/Curve25519 with the Linux CAAM driver
  * Allow encrypt then mac with Apache port
  * Update Renesas TSIP version to 1.15 on GR-ROSE and certificate signature
    data for TSIP / SCE example

security/wolfssl: Update to v5.2.0

Changes since v5.1.1:

wolfSSL Release 5.2.0 (Feb 21, 2022)

Release 5.2.0 of wolfSSL embedded TLS has bug fixes and new features including:
Vulnerabilities

  * [High] A TLS v1.3 server who requires mutual authentication can be
    bypassed. If a malicious client does not send the certificate_verify message
    a client can connect without presenting a certificate even if the server
    requires one. Thank you to Aina Toky Rasoamanana and Olivier Levillain of
    Télécom SudParis.
  * [High] A TLS v1.3 client attempting to authenticate a TLS v1.3 server can

security/wolfssl: Update to v5.1.1

Changes since v5.1.0:

wolfSSL Release 5.1.1 (Jan 3rd, 2022)

Release 5.1.1 of wolfSSL embedded TLS has a high vulnerability fix:
Vulnerabilities

  * [High] In connections using AES-CBC or DES3 with TLS/DTLS 1.2 or 1.1 the IV
    being used is not random. Users using wolfSSL version 5.0.0 or 5.1.0 doing
    TLS/DTLS 1.2 or 1.1 connections, without AEAD only, should update the
    version of wolfSSL used.

security/wolfssl: Update to v5.1.0

Changes since v5.0.0:

wolfSSL Release 5.1.0 (Dec 27, 2021)

Release 5.1.0 of wolfSSL embedded TLS has bug fixes and new features including:
Vulnerabilities

  * [Low] Potential for DoS attack on a wolfSSL client due to processing hello
    packets of the incorrect side. This affects only connections using TLS v1.2
    or less that have also been compromised by a man in the middle
    attack. Thanks to James Henderson, Mathy Vanhoef, Chris M. Stone, Sam
    L. Thomas, Nicolas Bailleut, and Tom Chothia (University of Birmingham, KU
    Leuven, ENS Rennes for the report.

security/wolfssl: Update to v5.0.0

Changes since v4.8.1:

wolfSSL Release 5.0.0 (Nov 01, 2021)

Release 5.0.0 of wolfSSL embedded TLS has bug fixes and new features including:
Vulnerabilities

  * [\Low] Hang with DSA signature creation when a specific q value is used in a
    maliciously crafted key. If a DSA key with an invalid q value of either 1 or
    0 was decoded and used for creating a signature, it would result in a hang
    in wolfSSL. Users that are creating signatures with DSA and are using keys
    supplied from an outside source are affected.
  * [\Low] Issue with incorrectly validating a certificate that has multiple

security/wolfssl: Add CPE information

Approved by:	portmgr (blanket)

security/wolfssl: Updates to v4.8.1

Changes since v4.8.0:

wolfSSL Release 4.8.1 (July 16, 2021)

Release 4.8.1 of wolfSSL embedded TLS has an OCSP vulnerability fix:
Vulnerabilities

  * [High] OCSP verification issue when response is for a certificate with no
    relation to the chain in question BUT that response contains the NoCheck
    extension which effectively disables ALL verification of that one cert.
    Users who should upgrade to 4.8.1 are TLS client users doing OCSP, TLS
    server users doing mutual auth with OCSP, and CertManager users doing OCSP
    independent of TLS. Thanks to Jan Nauber, Marco Smeets, Werner Rueschenbaum
    and Alissa Kim of Volkswagen Infotainment for the report.

security/wolfssl: Updates to v4.8.0

Changes since v4.7.0:

wolfSSL Release 4.8.0 (July 09, 2021)

Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features including:
Vulnerabilities

  * [Low] OCSP request/response verification issue. In the case that the serial
    number in the OCSP request differs from the serial number in the OCSP
    response the error from the comparison was not resulting in a failed
    verification. We recommend users that have wolfSSL version 4.6.0 and 4.7.0
    with OCSP enabled update their version of wolfSSL. Version 4.5.0 and earlier
    are not affected by this report. Thanks to Rainer, Roee, Barak, Hila and

One more small cleanup, forgotten yesterday.
Reported by:	lwhsu

Remove # $FreeBSD$ from Makefiles.

security/wolfssl: Updates to v4.7.0

- Remove the memory leak patch since now it is upstreamed.

Changes since v4.6.0:

wolfSSL Release 4.7.0 (February 16, 2021)

Release 4.7.0 of wolfSSL embedded TLS has bug fixes and new features including:
New Feature Additions

  * Compatibility Layer expansion SSL_get_verify_mode, X509_VERIFY_PARAM API,
    X509_STORE_CTX API added
  * WOLFSSL_PSK_IDENTITY_ALERT macro added for enabling a subset of TLS alerts
  * Function wolfSSL_CTX_NoTicketTLSv12 added to enable turning off session

security/wolfssl: Fix QA issues

====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
===> Checking for items in pkg-plist which are not in STAGEDIR
Error: Missing: %%DOCSDIR%%/README.txt
Error: Missing: %%DOCSDIR%%/example/client.c
Error: Missing: %%DOCSDIR%%/example/echoclient.c
Error: Missing: %%DOCSDIR%%/example/echoserver.c
Error: Missing: %%DOCSDIR%%/example/sctp-client-dtls.c
Error: Missing: %%DOCSDIR%%/example/sctp-client.c
Error: Missing: %%DOCSDIR%%/example/sctp-server-dtls.c
Error: Missing: %%DOCSDIR%%/example/sctp-server.c
Error: Missing: %%DOCSDIR%%/example/server.c

security/wolfssl: Add DEBUG option and enable more features.

- Set --enable-opensslall which is needed for
  wolfSSL_X509_NAME_print_ex() and friends.
- Set --enable-certgen to allow certificate generation.
- Define WOLFSSL_ALT_NAMES so one can generate certificates
  with the Subject Alternative Name extension.
- Set --enable-sessioncerts to allow to inspect certificates
  with wolfSSL_get_peer_cert_chain().
- Set --enable-des3 so one can load PBES2-3DES-CBC-encoded keys.

Additionally a patch to prevent memory leaks is included.

PR:		252829
Submitted by:	Fabian Keil <fk@fabiankeil.de>
Reported by:	Fabian Keil <fk@fabiankeil.de>
Approved by:	fox (maintainer)

security/wolfssl: Updates to v4.6.0

Changes since v4.5.0:

wolfSSL Release 4.6.0 (December 22, 2020)

Release 4.6.0 of wolfSSL embedded TLS has bug fixes and new features including:

New Feature Additions

New Build Options

  * wolfSSL now enables linux kernel module support. Big news for Linux kernel
    module developers with crypto requirements! wolfCrypt and wolfSSL are now
    loadable as modules in the Linux kernel, providing the entire libwolfssl

security/wolfssl: fix build on big-endian

Merge upstream patch to fix build on big-endian architectures.

Also unmark mips and mips64 as broken, now builds fine.

MFH:		2020Q4 (fix build blanket)

QAT fixes.

Reported by:
http://package21.nyi.freebsd.org/data/113amd64-default-qat/546304/logs/wolfssl-4.5.0.log

security/wolfssl: Updates to v4.5.0

Changes since v4.4.0:

wolfSSL Release 4.5.0 (August 19, 2020)

If you have questions about this release, feel free to contact us on our
info@ address.

Release 4.5.0 of wolfSSL embedded TLS has bug fixes and new features including:

New Feature Additions

* Added Xilinx Vitis 2019.2 example and README updates
* TLS v1.3 is now enabled by default

security/wolfssl: Fixes build failure.

Uploaded the distfile manually into distcache to prevent failures during fetch.

Reviewed by:	philip

security/wolfssl: Updates to v4.4.0

Changes since v4.3.0:

wolfSSL Release 4.4.0 (04/22/2020)

If you have questions about this release, feel free to contact us on our
info@ address.

Release 4.4.0 of wolfSSL embedded TLS has bug fixes and new features including:
New Feature Additions

  * Hexagon support.
  * DSP builds to offload ECC verify operations.
  * Certificate Manager callback support.

Fix PLIST issue (r524152) with DOCS enabled

====> Checking for pkg-plist issues (check-plist)
===> Parsing plist
===> Checking for items in STAGEDIR missing from pkg-plist
===> Checking for items in pkg-plist which are not in STAGEDIR
Error: Missing: %%DOCSDIR%%/README.txt
Error: Missing: %%DOCSDIR%%/example/client.c
Error: Missing: %%DOCSDIR%%/example/echoclient.c
Error: Missing: %%DOCSDIR%%/example/echoserver.c
Error: Missing: %%DOCSDIR%%/example/sctp-client-dtls.c
Error: Missing: %%DOCSDIR%%/example/sctp-client.c
Error: Missing: %%DOCSDIR%%/example/sctp-server-dtls.c
Error: Missing: %%DOCSDIR%%/example/sctp-server.c
Error: Missing: %%DOCSDIR%%/example/server.c
Error: Missing: %%DOCSDIR%%/example/tls_bench.c
Error: Missing: %%DOCSDIR%%/taoCert.txt
===> Error: Plist issues found.
*** Error code 1

Stop.
make: stopped in /usr/ports/security/wolfssl
=>> Error: check-plist failures detected

Approved by:	portmgr (blanket)

security/wolfssl: Updates to 4.3.0

- Minor portlint / portfmt fixes.
- Take ownership of the port.

Changes:	https://www.wolfssl.com/docs/wolfssl-changelog/
PR:		242853
Submitted by:	takefu@airport.fm
Reviewed by:	philip

- Update to 4.2.0
- Fix LICENSE
- Add LICENSE_FILE
- Add testing support

PR:		233190
Submitted by:	takefu@airport.fm

Returns johans's ports to the pool after safekeeping his commit bit.

These ports now build on powerpc64.

While here, pet portlint.

Approved by:	portmgr (tier-2 blanket)

Update MASTER_SITES and WWW

Approved by:	portmgr (blanket)

Add DOCS options to ports that should have one.

Also various fixes related to said option.

PR:		230864
Submitted by:	mat
exp-runs by:	antoine

Update to WolfSSL 3.13.0
https://www.wolfssl.com/docs/wolfssl-changelog/

Update to WolfSSL 3.12
https://www.wolfssl.com/docs/wolfssl-changelog/

Mark some ports failing on powerpc64.  These ports are either new
ports, or had been recently unblocked.

While here, pet portlint.

Approved by:	portmgr (tier-2 blanket)

Correct plist

Reported by:	linimon

Update to latest release (4 May); bugfixes and new features
https://www.wolfssl.com/wolfSSL/Docs-wolfssl-changelog.html

Update to WolfSSL 3.10
Configure script now uses bash-isms

Update to WolfSSL 3.9.8

Update to WolfSSL 3.9.0
https://www.wolfssl.com/wolfSSL/Docs-wolfssl-changelog.html

- Update WolfSSL to 3.8.0 (new MASTER_SITES, WWW entry and description)
- Includes important security fixes for CVE-2015-7744 and CVE-2015-6925
  see
https://www.wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html
- Disables support for SSLv3

PR:		205936
Submitted by:	Christoph Moench-Tegeder <cmt@burggraben.net>
MFH:		2016Q1

- Update to WolfSSL 3.4.6
- Remove options to include ChaCha and Poly1305, these are now on by default

CyaSSL has been renamed WolfSSL upstream
Rename port and update to 3.4.0
http://www.yassl.com/yaSSL/Products-wolfssl.html