Date: Sat, 21 Mar 2026 12:49:15 +0000
From: Santhosh Raju <fox@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 3c9c41c9b472 - main - security/wolfssl: Update to 5.9.0
Message-ID: <69be93cb.3df66.200df585@gitrepo.freebsd.org>
The branch main has been updated by fox:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3c9c41c9b4729c022614dbdd8632d15cdf3dbe7b

commit 3c9c41c9b4729c022614dbdd8632d15cdf3dbe7b
Author:     Santhosh Raju <fox@FreeBSD.org>
AuthorDate: 2026-03-21 12:39:29 +0000
Commit:     Santhosh Raju <fox@FreeBSD.org>
CommitDate: 2026-03-21 12:40:06 +0000

    security/wolfssl: Update to 5.9.0

    Changes since 5.8.4:

    To download the release bundle of wolfSSL visit the download page at www.wolfssl.com/download/

    PR stands for Pull Request, and PR references a GitHub pull request number where the code change was added.

    Vulnerabilities

    * [High CVE-2026-3548] Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers - both heap-based and stack-based. Only affects builds with CRL support enabled when loading untrusted CRLs. Fixed in PR 9628 and PR 9873.
    * [High CVE-2026-3549] Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic causing out-of-bounds writes. ECH is disabled by default; still evolving as a standard. Fixed in PR 9817.
    * [High CVE-2026-3547] Out-of-bounds read in ALPN parsing due to incomplete validation. Affects builds with ALPN enabled (disabled by default but enabled for Apache httpd, BIND, curl, HAProxy, Hitch, Lighttpd, JNI, nginx, QUIC compatibility). Fixed in PR 9860.
    * [Med. CVE-2026-2646] A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. Occurs when deserializing session data with SESSION_CERTS enabled; requires loading maliciously crafted external sessions. Fixed in PR 9748 and PR 9949.
    * [Med. CVE-2026-3849] Stack Buffer Overflow in wc_HpkeLabeledExtract via oversized ECH config. Malicious TLS servers supporting ECH could trigger crashes with potential remote execution. Fixed in PR 9737.
    * [Low CVE-2026-0819] wolfSSL PKCS7 SignedData encoding OOB write (signed attributes). Occurs when creating signed PKCS7 with more than 7 signed attributes. Fixed in PR 9630.
    * [Low CVE-2026-1005] Integer underflow in wolfSSL packet sniffer. Affects builds with --enable-sniffer and AEAD support; allows buffer overflow via malformed TLS records. Fixed in PR 9571.
    * [Low CVE-2026-2645] Logic flaw existed in the TLS 1.2 server state machine. Server could incorrectly accept CertificateVerify before ClientKeyExchange. Fixed in PR 9694.
    * [Low CVE-2026-3230] Client does not catch if the required key_share extension is missing from ServerHello. Client authenticates server correctly but derives predictable key. Fixed in PR 9754.
    * [Low CVE-2026-3229] Integer Overflow in Certificate Chain Allocation. Affects APIs: wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CTX_add1_chain_cert, wolfSSL_add0_chain_cert. Fixed in PR 9827.
    * [Low CVE-2026-3579] wolfSSL 5.8.4 and earlier on RISC-V RV32I architectures lacks constant-time software implementation for 64-bit multiplication, exposing cryptographic data via timing side-channel. Fixed in PR 9855.
    * [Low CVE-2026-3580] Compiler-induced timing leak in sp_256_get_entry_256_9 on RISC-V. GCC optimization breaks side-channel resistance of ECC scalar multiplication. Fixed in PR 9855.
    * [Low CVE-2026-3503] Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) on ARM Cortex-M allows physical attackers to compromise key material via transient faults. Fixed in PR 9734.
    * [Low CVE-2026-4159] 1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. Requires crafted CMS EnvelopedData message. Fixed in PR 9945.
    * [Low CVE-2026-4395] Heap buffer out of bounds write case existed in wolfSSL version 5.8.4 and earlier when importing an ECC key while built with KCAPI support. Fixed in PR 9988.

    New Features

    * FIPS 205, SLH-DSA implementation. (PR 9838)
    * Added OCSP responder API and support. (PR 9761)
    * Add AES CryptoCB key import support. (PR 9658)
    * Add the RNG bank facility to wolfCrypt, wc_rng_new_bankref(). (PR 9616)

    Ports, Hardware Integration, and ASM Enhancements

    * Add Renesas SK-S7G2 support. (PR 9561)
    * Support for STM32 HMAC hardware. (PR 9745)
    * Add STM32G0 hardware crypto support. (PR 9707)
    * Misc STM32 fixes and testing improvements. (PR 9446, 9563)
    * Various Thumb2 AES/SP ASM enhancements and fixes. (PR 9464, 9491, 9547, 9615, 9767)
    * Add Zephyr 4.1+ build compatibility for wolfssl_tls_sock sample. (PR 9765)

    Rust Wrapper

    * Added FIPS support. (PR 9739)
    * Added modules for dilithium (PR 9819), chacha20-poly1305 (PR 9599), curve25519 (PR 9594), blake2 (PR 9586), LMS (PR 9910), and ml-kem (PR 9833).
    * Miscellaneous fixes and enhancements for RSA, ECC, HASHDRBG, HMAC-BLAKE2, and XChaCha20-Poly1305. (PR 9453, 9499, 9500, 9624, 9687)

    Post-Quantum Cryptography (PQC)

    * General improvements for WOLFSSL_NO_MALLOC PQC support. (PR 9674)
    * Various ML-DSA bug fixes. (PR 9575, 9696)
    * Fixed a bug with ML-DSA verification with WOLFSSL_DILITHIUM_SMALL. (PR 9760)
    * ML-KEM bug fixes and improvements. (PR 9470, 9621, 9822)
    * Collection of ML-KEM fixes including DTLS 1.3 cookie and ClientHello fragment handling, static memory handling, memory leak in TLS server PQC handling with ECH, and expanded hybrid/individual ML-KEM level test coverage. (PR 9968)

    TLS/DTLS

    * Add support for TLS 1.3 Brainpool curves. (PR 9701)
    * DTLS retransmission enhancement. (PR 9623)
    * Fix DTLS header size calculation. (PR 9513)
    * Fix (D)TLS fragmentation size checks. (PR 9592)
    * Extend AIA interface. (PR 9728)
    * Various TLS 1.3 and extension fixes. (PR 9528, 9538, 9466, 9662, 9824, 9934)
    * Improve TLS message order checks. (PR 9694, 9718)
    * TLS ECH improvements. (PR 9737)
    * Harden compare of mac with TLS 1.3 finished. (PR 9864)

    PKCS

    * Add PKCS7 ECC raw sign callback support. (PR 9656)
    * Add RSA-PSS support for SignedData. (PR 9742)
    * Support for ML-DSA via PKCS#11. (PR 9726, 9836)
    * Fix PKCS11 object leak in Pkcs11ECDH. (PR 9780)
    * Fix PKCS#7 SignedData parsing for non-OCTET_STRING content types. (PR 9559)
    * Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI. (PR 9854)

    Kernel

    * Various linuxkm fixes and enhancements for Tegra kernels. (PR 9478, 9540, 9512)
    * freebsdkm: FIPS support (PR 9590), and x86 crypto acceleration support. (PR 9714)
    * Support offline FIPS hash calculation in linuxkm. (PR 9800)

    Testing Improvements

    * Increase test coverage for PQC and CMake. (PR 9637)
    * API testing: split out and better organized test cases. (PR 9641)
    * Added test for session deserialization input validation. (PR 9759)
    * Added TLS Anvil workflow. (PR 9804)
    * Added rng-tools 6.17 testing. (PR 9810)
    * Added openldap 2.6.9 testing. (PR 9805)
    * Add bind 9.20.11 to the test matrix. (PR 9806)
    * Misc testing fixes. (PR 9584, 9670, 9688, 9710, 9716, 9755)
    * Implement a stateful port tracking mechanism for test port assignment. (PR 9850)

    Bug Fixes

    * Fix for buffer overflow write in the wolfSSL CAAM driver for Integrity OS on i.MX6.
    * API Documentation: various fixes and improvements. (PR 9458, 9552, 9570, 9585)
    * Fix potential memory under-read in TLS ticket processing function.
    * Fix IP address check in wolfSSL_X509_check_host(). (PR 9502)
    * Check if ctx and ssl are null when checking public key in certificate. (PR 9506)
    * Fix test when ECH and harden are enabled. (PR 9510)
    * Fix wc_CmacFree() to use correct heap pointer from internal Aes structure. (PR 9527)
    * Various Coverity analyzer fixes. (PR 9437, 9534, 9619, 9646, 9812, 9842, 9887, 9933)
    * Fix dereference before Null check. (PR 9591)
    * Fix memory leak in case of handshake error. (PR 9609)
    * Fix MatchBaseName. (PR 9626)
    * ChaCha20 Aarch64 ASM fix. (PR 9627)
    * Fix TLSX_Parse to correctly handle client and server cert type ext with TLS1.3. (PR 9657)
    * Fix cert SW issues in Aes and rng. (PR 9681)
    * Various fixes for NO_RNG builds. (PR 9689, 9698)
    * Fixes for STSAFE-A120 ECDHE. (PR 9703)
    * Fix Crash when using Sha224 Callback with MAX32666. (PR 9712)
    * Fix for RSA private key parsing (allowing public) and RSA keygen no malloc support. (PR 9715)
    * Fix null check in ECDSA encode. (PR 9771)
    * Various static analyzer fixes. (PR 9786, 9788, 9795, 9801, 9817)
    * Fix switch case handling in TLSX_IsGroupSupported function. (PR 9777)
    * Fixes to big-endian bugs found in Curve448 and Blake2S. (PR 9778)
    * Fix cert chain size issue. (PR 9827)
    * Fix potential memory leak when copying into existing SHA contexts. (PR 9829)
    * Add sanity checks in key export. (PR 9823)
    * CRL enhancements for revoked entries. (PR 9839)
    * Fix DRBG_internal alloc in wc_RNG_HealthTestLocal. (PR 9847)
    * Various CMake fixes and improvements. (PR 9605, 9725)
    * RISC-V 32 no mul SP C: implement multiplication. (PR 9855)
    * ASN: improve handling of ASN.1 parsing/encoding. (PR 9872)
    * Various fixes to CRL parsing. (PR 9628, 9873)
    * Harden hash comparison in TLS1.2 finished. (PR 9874)
    * Various fixes to TLS sniffer. (PR 9571, 9643, 9867, 9901, 9924)
    * Check ivLen in wolfSSL_EVP_CIPHER_CTX_set_iv_length. (PR 9943)
    * Validate that the ticket length is at least ID_LEN before use in SetTicket. (PR 9782)
    * Enforce null compression in compression_methods list. (PR 9913)
    * Additional sanity check on number of groups in set groups function. (PR 9861)
    * Resolves issues with asynchronous and crypto callback handling. (PR 9784)
    * Fix checkPad to reject zero PKCS#7 padding value. (PR 9878)
    * Add sanity check on keysize found with ECC point import. (PR 9989)
    * Adds a range check to ensure session ticket lifetimes are within bounds. (PR 9881)
    * Fix potential overflows in hash used-size calculation for TI and SE050. (PR 9954)
    * Correct a constant mismatch for draft QUIC transport params. (PR 9868)
    * Correct the key type detection logic in Falcon and SPHINCS+. (PR 9979, 9980)
    * XMSS: Fix index copy for signing. (PR 9978)
    * Fix pathlen not copied in ASN1_OBJECT_dup and not marked set in X509_add_ext.
(PR 9940) * Ensure CheckHeaders length does not exceed packet size in sniffer. (PR 9947) * SP fixes: 32-bit ARM assembly fixes modular exponentiation bug. (PR 9964) * Fix buffer-overflow in LMS leaf cache indexing. (PR 9919) --- security/wolfssl/Makefile | 3 +-- security/wolfssl/distinfo | 6 +++--- security/wolfssl/pkg-plist | 11 ++++++++--- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/security/wolfssl/Makefile b/security/wolfssl/Makefile index 61ff158e3d59..c113d0a7e993 100644 --- a/security/wolfssl/Makefile +++ b/security/wolfssl/Makefile @@ -1,6 +1,5 @@ PORTNAME= wolfssl -PORTVERSION= 5.8.4 -PORTREVISION= 1 +PORTVERSION= 5.9.0 CATEGORIES= security devel MASTER_SITES= https://www.wolfssl.com/ \ LOCAL/fox diff --git a/security/wolfssl/distinfo b/security/wolfssl/distinfo index be025ee8c338..262b7caa3ee8 100644 --- a/security/wolfssl/distinfo +++ b/security/wolfssl/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1764510481 -SHA256 (wolfssl-5.8.4.zip) = 6531a01075594d412ceb6afd435f85fc8054551b6f1ae8cc0fba920974927f47 -SIZE (wolfssl-5.8.4.zip) = 27409830 +TIMESTAMP = 1774028803 +SHA256 (wolfssl-5.9.0.zip) = e2bc897fcfef7dc7f38f8c805a273020150c41311a61a2fb4677c83834d3d6cb +SIZE (wolfssl-5.9.0.zip) = 28246542 diff --git a/security/wolfssl/pkg-plist b/security/wolfssl/pkg-plist index 382d68a43309..81a75b461bb5 100644 --- a/security/wolfssl/pkg-plist +++ b/security/wolfssl/pkg-plist @@ -130,6 +130,7 @@ include/wolfssl/wolfcrypt/pwdbased.h include/wolfssl/wolfcrypt/random.h include/wolfssl/wolfcrypt/rc2.h include/wolfssl/wolfcrypt/ripemd.h +include/wolfssl/wolfcrypt/rng_bank.h include/wolfssl/wolfcrypt/rsa.h include/wolfssl/wolfcrypt/sakke.h include/wolfssl/wolfcrypt/settings.h 
@@ -152,23 +153,27 @@ include/wolfssl/wolfcrypt/wc_encrypt.h include/wolfssl/wolfcrypt/wc_lms.h include/wolfssl/wolfcrypt/wc_mlkem.h include/wolfssl/wolfcrypt/wc_port.h +include/wolfssl/wolfcrypt/wc_slhdsa.h include/wolfssl/wolfcrypt/wc_xmss.h +include/wolfssl/wolfcrypt/wolfentropy.h include/wolfssl/wolfcrypt/wolfevent.h include/wolfssl/wolfcrypt/wolfmath.h include/wolfssl/wolfcrypt/xmss.h include/wolfssl/wolfio.h +lib/cmake/wolfssl/wolfssl-config-version.cmake +lib/cmake/wolfssl/wolfssl-config.cmake +lib/cmake/wolfssl/wolfssl-targets.cmake lib/libwolfssl.a lib/libwolfssl.so lib/libwolfssl.so.44 -lib/libwolfssl.so.44.0.1 +lib/libwolfssl.so.44.1.0 libdata/pkgconfig/wolfssl.pc %%PORTDOCS%%%%DOCSDIR%%/QUIC.md %%PORTDOCS%%%%DOCSDIR%%/README.txt -%%PORTDOCS%%%%DOCSDIR%%/example/async_client.c -%%PORTDOCS%%%%DOCSDIR%%/example/async_server.c %%PORTDOCS%%%%DOCSDIR%%/example/client.c %%PORTDOCS%%%%DOCSDIR%%/example/echoclient.c %%PORTDOCS%%%%DOCSDIR%%/example/echoserver.c +%%PORTDOCS%%%%DOCSDIR%%/example/ocsp_responder.c %%PORTDOCS%%%%DOCSDIR%%/example/sctp-client-dtls.c %%PORTDOCS%%%%DOCSDIR%%/example/sctp-client.c %%PORTDOCS%%%%DOCSDIR%%/example/sctp-server-dtls.chome | help
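Review bot: the PORTVERSION bump to 5.9.0 in security/wolfssl/Makefile carries fixes for fifteen CVEs, three of them rated High (CVE-2026-3548, CVE-2026-3549, CVE-2026-3547), yet the diffstat lists only Makefile, distinfo and pkg-plist, so nothing in this commit lets pkg audit flag installed 5.8.4 packages. Add a security/vuxml entry covering wolfssl versions below 5.9.0 with the CVE names from the commit message, and reference it from this commit with a Security: line so the update is traceable as a security fix.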
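Review bot: the new SHA256 and SIZE for wolfssl-5.9.0.zip in security/wolfssl/distinfo are the only integrity anchor for the distfile, and the Makefile context shows two MASTER_SITES (https://www.wolfssl.com/ and LOCAL/fox). Confirm that the LOCAL/fox copy is byte-identical to the upstream archive, so both sources satisfy the recorded checksum and SIZE 28246542, and say in the commit message how the upstream archive was verified before running makesum.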
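Review bot: lib/libwolfssl.a stays in security/wolfssl/pkg-plist next to the bumped lib/libwolfssl.so.44.1.0, so ports that link the static archive keep the 5.8.4 code until they are rebuilt, while lib/libwolfssl.so.44 is unchanged and dynamic consumers pick up the fixes on upgrade. Check for static consumers and bump their PORTREVISION alongside this update. The same hunk drops example/async_client.c and example/async_server.c and adds three lib/cmake/wolfssl/*.cmake files, none of which the changelog mentions; a line in the commit message would help anyone relying on those paths.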
