Commit Graph

41528 Commits

Author SHA1 Message Date
Santhosh Raju aee3a0f6c7 security/wolfssl: Fix arm64 build.
- Pull in upstream patch https://github.com/wolfSSL/wolfssl/pull/8348
- Bump PORTREVISION
2025-01-12 10:03:23 +01:00
Matthias Andree d4797e8e29 security/sudo: Fix typo in OPTIONS_DEFAULT,
removing an excess "s".

Approved by:	portmgr@ (implicit, with kiwi@'s consent)
Reported by:	ler@
2025-01-11 22:38:52 +01:00
Gabriel M. Dutra 7fb47a7969 security/nuclei: Update to 3.3.8
ChangeLog:
https://github.com/projectdiscovery/nuclei/releases/tag/v3.3.8
2025-01-11 17:26:55 +01:00
Muhammad Moinur Rahman 11f946d26e security/vault: Mark NOT_FOR_ARCHS
- Fails to build on most 32 bit systems
- Pet portclippy
2025-01-11 15:55:30 +01:00
Charlie Li 188897842d security/py-certbot: remove stray backslash after 9cfee31cca 2025-01-11 09:17:29 -05:00
Ruslan Makhmatkhanov c46f669958 zope: Remove leaf zope ports that make no sense in the absence of zope itself 2025-01-11 16:21:48 +03:00
Ruslan Makhmatkhanov 9cfee31cca security/py-certbot: drop unused dependency
Drop dependency on repoze.sphinx.autointerface. This extension isn't
used since sphinx update and this upstream change:

https://github.com/certbot/certbot/commit/06c81138630c6155fb37009c075320fca30c361c

With hat:   python
2025-01-11 15:56:07 +03:00
Nuno Teixeira b945089934 security/R-cran-openssl: Update to 2.3.1
ChangeLog: https://cran.r-project.org/web/packages/openssl/NEWS
2025-01-10 21:23:47 +00:00
Xavier Beaudouin 68af7b3d31 security/sudo: Add sssd flavor
Sudo with sssd support is a good candidate
for a flavor because it is a fairly common requirement
in some deployments.

Sponsored by:	Klara, Inc.
Approved by:	0mp (mentor)
Approved by:	garga (maintainer)
Differential Revision:	https://reviews.freebsd.org/D48147
2025-01-10 15:59:43 +01:00
Xavier Beaudouin 6971a62a23 security/sudo: Remove dependency on security/sssd
security/sssd was removed from ports recently, which broke
the SSSD option. Let's remove the SSSD option and let users
use SSSD2 instead.

PORTREVISION has been bumped so it is easier to tell which
version of the sudo package supports only sssd2.

PR:     283952
Sponsored by:   Klara, Inc.
Approved by:    0mp (mentor)
Approved by:    garga (maintainer)
Differential Revision: https://reviews.freebsd.org/D48389
2025-01-10 13:49:44 +01:00
Yuri Victorovich e081750ecf security/gosec: update 2.21.4 → 2.22.0
Reported by:	portscout
2025-01-10 02:22:57 -08:00
Yasuhiro Kimura aefdc1ec77 security/vuxml: Document two vulnerabilities in redis and valkey
While here, update copyright year
2025-01-10 14:23:35 +09:00
Po-Chuan Hsieh b5f07ccdd2 security/libfido2: Fix build after base 74ecdf86d8d2a94a4bfcf094a2e21b4747e4907f
PR:		283697
Reported by:	Dan Kotowski <dan.kotowski@a9development.com>
Obtained from:	Dimitry Andric <dim@FreeBSD.org>
2025-01-09 23:45:22 +08:00
Santhosh Raju ef5c2fd766 security/wolfssl: Fix arm64 build. 2025-01-09 16:14:30 +01:00
Matthias Fechner 6b9aff1437 security/vuxml: document gitlab vulnerabilities 2025-01-08 21:07:47 +02:00
Markus Wipp 7bf02d3f9f security/step-certificates: Update 0.27.5 → 0.28.1, fix issues with rc-script
- Rename rc-script from step-ca to step_ca.
- Fix permission issue in step_ca rc-script.

Changelogs:
https://github.com/smallstep/certificates/releases/tag/v0.28.0
https://github.com/smallstep/certificates/releases/tag/v0.28.1

PR:	283894 282633
2025-01-07 13:12:21 +03:00
Markus Wipp ab5c7827ce security/step-cli: Update 0.27.5 → 0.28.2
Changelog:
https://github.com/smallstep/cli/blob/v0.28.2/CHANGELOG.md

PR:	283893
2025-01-07 13:12:21 +03:00
Emanuel Haupt 8ff8015996 security/git-credential-oauth: Update to 0.14.0 2025-01-07 10:58:34 +01:00
Yuri Victorovich a757a6553a security/fizz: update 2024.12.30.00 → 2025.01.06.00 2025-01-07 01:29:02 -08:00
Fernando Apesteguía dac8aadbd7 security/vuxml: Fix sqlite range
PR:		283830
Reported by:	John Hein <jcfyecrayz@liamekaens.com>
2025-01-06 17:54:50 +01:00
Mikhail Pchelin 68886887a4 security/py-pyscard: update to 2.2.0 2025-01-06 16:11:25 +03:00
Matthias Andree e7afbce747 security/putty: update to pre-0.83 as of 2025-01-05
changes by Simon Tatham unless otherwise stated, newest first:

* 1e451997 2024-12-26 | Treat SOS and PM terminal escape sequences like APC (HEAD -> pre-0.83, origin/pre-0.83)
* 98200d1b 2024-12-19 | Arm: turn on PSTATE.DIT if available and needed.
* c2077f88 2024-12-19 | Fix compile warnings in tree234 tests.
* 27550b02 2024-12-16 | Windows: inhibit all default application manifests.
* 363debc7 2024-12-15 | lineedit: make both ^M and ^J terminate a line.
* 1fc5f4af 2024-12-15 | wm_size_resize_term: update conf unconditionally.
* 11c7c760 2024-12-15 | Remove bit-rotted RDB_DEBUG_PATCH.
* c91437ba 2024-12-15 | Update cmake_minimum_required to avoid warnings on sid.
* 7802932e 2024-12-15 | Document how to set GIT_SSH_COMMAND to plink -batch.
* 09095a7d 2023-07-15 | Avoid treating non-X GDK display names as X ones [Ben Harris]
* 1ce8ec9c 2024-12-08 | lineedit_send_line: batch up output characters.
* edd5e13f 2024-12-14 | Fix assertion failure on Restart Session.
* f8e1a2b3 2024-12-13 | Windows: rewrite request_file() to support Unicode.
* 22dfc46f 2024-12-13 | Windows: add filename_to_wstr().
* 1ef0fbaa 2024-12-13 | Add helper function dupwcscat().
* 897ecf46 2024-12-11 | SUPDUP: make the TDCRL command clear to end of line.
* 3c6a5139 2024-12-08 | Minimally document ML-KEM key exchange methods. [Jacob Nevins]
* a3f22a2c 2024-12-08 | Use the new 'HYBRID' names for the hybrid KEX packets.
* e98615f0 2024-12-07 | New post-quantum kex: ML-KEM, and three hybrids of it.
* b36d490b 2024-12-07 | Give the kex selection list box a fixed height.
* 16629d3b 2024-12-07 | Add more variants of SHAKE.
* f08da2b6 2024-12-07 | Separate NTRU Prime from the hybridisation layer.
* fcdc804b 2024-12-01 | Move some NTRU helper routines into a header file.
* c2d7ea8e 2024-12-04 | Fix use of aligned_alloc() to be ASan-clean.
* 7da34495 2024-12-07 | Fix error message when KEXINIT negotiation fails.
* 296b6291 2024-12-07 | GTK: fix a crash when clicking Cancel on Change Settings.
* 6a88b294 2024-12-04 | Unix PuTTY/pterm: fix UB with small keypad. [Jacob Nevins]
* b97f20d0 2024-11-30 | release.pl: Adjust pscp/plink transcript updater. [Jacob Nevins]
* 54f6fefe 2024-11-30 | Docs: pscp/plink now need -h/--help to print usage. [Jacob Nevins]
* ebe24534 2024-11-28 | psftp: use cmdline_arg_to_filename for batch files.
* d4e848a9 2024-11-28 | CHECKLST: update for some extra test builds.
* 948a4c8e 2024-11-28 | Fix a compile warning when building with GTK 1.
* 8805cf3d 2024-11-28 | Fix a build failure with NO_GSSAPI defined.
* c72a8627 2024-11-28 | Fix build failures with NO_IPV6 defined.
2025-01-06 01:43:34 +01:00
Sergey A. Osokin 4479112849 security/boringssl: update to the recent snapshot 2025-01-05 19:05:33 -05:00
Dimitry Andric 4d5d01f42f security/heimdal: fix with stock clang >= 16
Upstream clang >= 16 made -Wimplicit-function-declaration into an error
by default. In the base system, this change was reverted to reduce the
fallout in ports, because there are many problematic configure scripts.

For security/heimdal this also applies, so for building the port with
devel/llvm16 or higher we need to add -Wno-implicit-function-declaration
to CFLAGS.

While here, use LDFLAGS+= for -Wl,--undefined-version, to avoid
overwriting any user-specified LDFLAGS.

PR:		283131
Approved by:	maintainer timeout (2 weeks)
MFH:		2025Q1
2025-01-05 14:52:58 +01:00
Yuri Victorovich fc95b037c0 security/libxcrypt: update 4.4.36 → 4.4.37
Reported by:	portscout
2025-01-02 12:12:00 -08:00
Po-Chuan Hsieh 66a27177ed security/py-fido2: Update to 1.2.0
- Update COMMENT
- Update WWW

Changes:	https://github.com/Yubico/python-fido2/releases
2025-01-03 00:43:37 +08:00
Po-Chuan Hsieh 2a87339bd0 security/rubygem-brakeman: Update to 7.0.0
Changes:	https://github.com/presidentbeef/brakeman/releases
2025-01-03 00:43:22 +08:00
Po-Chuan Hsieh 04eb4eaede security/p5-CPANSA-DB: Update to 20241231.001
Changes:	https://metacpan.org/dist/CPANSA-DB/changes
2025-01-03 00:43:09 +08:00
Tijl Coosemans 5e762dcd49 security/mbedtls: Move to security/mbedtls2
The port has expired but isn't removed yet because there are still too
many consumers.  Rename it because the name "security/mbedtls" makes it
look like it's the default version.

PR:		283792
2025-01-02 17:31:07 +01:00
Tijl Coosemans c17097fa3f security/mbedtls3: Remove more traces of libeverest and libp256m
These 3rdparty libraries aren't used in the default configuration.

PR:		283782
2025-01-02 15:17:23 +01:00
Santhosh Raju 7e91948bf2 security/wolfssl: Update to 5.7.6
Changes since 5.7.4:

wolfSSL Release 5.7.6 (Dec 31, 2024)

To download the release bundle of wolfSSL visit the download page at
www.wolfssl.com/download/

NOTE:

  * --enable-heapmath is deprecated.
  * In this release, the default cipher suite preference is updated to
    prioritize TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 when
    enabled.
  * This release adds a sanity check for including wolfssl/options.h or
    user_settings.h.

PR stands for Pull Request, and PR references a GitHub pull request
number where the code change was added.

Vulnerabilities

  * [Med] An OCSP (non stapling) issue was introduced in wolfSSL version 5.7.4
    when performing OCSP requests for intermediate certificates in a certificate
    chain. This affects only TLS 1.3 connections on the server side. It would not
    impact other TLS protocol versions or connections that are not using the
    traditional OCSP implementation. (Fix in pull request 8115)

New Feature Additions

  * Add support for RP2350 and improve RP2040 support, both with RNG
    optimizations (PR 8153)
  * Add support for STM32MP135F, including STM32CubeIDE support and HAL support
    for SHA2/SHA3/AES/RNG/ECC optimizations. (PR 8223, 8231, 8241)
  * Implement Renesas TSIP RSA Public Enc/Private support (PR 8122)
  * Add support for Fedora/RedHat system-wide crypto-policies (PR 8205)
  * Curve25519 generic keyparsing API added with wc_Curve25519KeyToDer and
    wc_Curve25519KeyDecode (PR 8129)
  * CRL improvements and update callback, added the functions
    wolfSSL_CertManagerGetCRLInfo and wolfSSL_CertManagerSetCRLUpdate_Cb
    (PR 8006)
  * For DTLS, add server-side stateless and CID quality-of-life API.
    (PR 8224)

Enhancements and Optimizations

  * Add a CMake dependency check for pthreads when required. (PR 8162)
  * Update OS_Seed declarations for legacy compilers and FIPS modules (boundary
    not affected). (PR 8170)
  * Enable WOLFSSL_ALWAYS_KEEP_SNI by default when using --enable-jni. (PR 8283)
  * Change the default cipher suite preference, prioritizing
    TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256. (PR 7771)
  * Add SRTP-KDF (FIPS module v6.0.0) to checkout script for release bundling
    (PR 8215)
  * Make library build when no hardware crypto available for Aarch64 (PR 8293)
  * Update assembly code to avoid uint*_t types for better compatibility with
    older C standards. (PR 8133)
  * Add initial documentation for writing ASN template code to decode BER/DER.
    (PR 8120)
  * Perform full reduction in sc_muladd for EdDSA with Curve448 (PR 8276)
  * Allow SHA-3 hardware cryptography instructions to be explicitly not used in
    MacOS builds (PR 8282)
  * Make Kyber and ML-KEM available individually and together. (PR 8143)
  * Update configuration options to include Kyber/ML-KEM and fix defines used in
    wolfSSL_get_curve_name. (PR 8183)
  * Make GetShortInt available with WOLFSSL_ASN_EXTRA (PR 8149)
  * Improved test coverage and minor improvements of X509 (PR 8176)
  * Add sanity checks for configuration methods, ensuring the inclusion of
    wolfssl/options.h or user_settings.h. (PR 8262)
  * Enable support for building without TLS (NO_TLS). Provides reduced code size
    option for non-TLS users who want features like the certificate manager or
    compatibility layer. (PR 8273)
  * Exposed get_verify functions with OPENSSL_EXTRA. (PR 8258)
  * ML-DSA/Dilithium: obtain security level from DER when decoding (PR 8177)
  * Implementation for using PKCS11 to retrieve certificate for SSL CTX (PR 8267)
  * Add support for the RFC822 Mailbox attribute (PR 8280)
  * Initialize variables and adjust types to resolve warnings with Visual Studio in
    Windows builds. (PR 8181)
  * Refactors and expansion of opensslcoexist build (PR 8132, 8216, 8230)
  * Add DTLS 1.3 interoperability, libspdm and DTLS CID interoperability tests
    (PR 8261, 8255, 8245)
  * Remove trailing error exit code in wolfSSL install setup script (PR 8189)
  * Update Arduino files for wolfssl 5.7.4 (PR 8219)
  * Improve Espressif SHA HW/SW mutex messages (PR 8225)
  * Apply post-5.7.4 release updates for Espressif Managed Component examples
    (PR 8251)
  * Expansion of c89 conformance (PR 8164)
  * Added configure option for additional sanity checks with
    --enable-faultharden (PR 8289)
  * Aarch64 ASM additions to check CPU features before hardware crypto
    instruction use (PR 8314)

Fixes

  * Fix a memory issue when using the compatibility layer with
    WOLFSSL_GENERAL_NAME and handling registered ID types. (PR 8155)
  * Fix a build issue with signature fault hardening when using public key
    callbacks (HAVE_PK_CALLBACKS). (PR 8287)
  * Fix for handling heap hint pointer properly when managing multiple WOLFSSL_CTX
    objects and free’ing one of them (PR 8180)
  * Fix potential memory leak in error case with Aria. (PR 8268)
  * Fix Set_Verify flag behaviour on Ada wrapper. (PR 8256)
  * Fix a compilation error with the NO_WOLFSSL_DIR flag. (PR 8294)
  * Resolve a corner case for Poly1305 assembly code on Aarch64. (PR 8275)
  * Fix incorrect version setting in CSRs. (PR 8136)
  * Correct debugging output for cryptodev. (PR 8202)
  * Fix for benchmark application use with /dev/crypto GMAC auth error due to size
    of AAD (PR 8210)
  * Add missing checks for the initialization of sp_int/mp_int with DSA to free
    memory properly in error cases. (PR 8209)
  * Fix return value of wolfSSL_CTX_set_tlsext_use_srtp (8252)
  * Check Root CA by Renesas TSIP before adding it to ca-table (PR 8101)
  * Prevent adding a certificate to the CA cache for Renesas builds if it does not
    set CA:TRUE in basic constraints. (PR 8060)
  * Fix attribute certificate holder entityName parsing. (PR 8166)
  * Resolve build issues for configurations without any wolfSSL/openssl
    compatibility layer headers. (PR 8182)
  * Fix for building SP RSA small and RSA public only (PR 8235)
  * Fix for Renesas RX TSIP RSA Sign/Verify with wolfCrypt only (PR 8206)
  * Fix to ensure all files have settings.h included (like wc_lms.c) and guards
    for building all *.c files (PR 8257 and PR 8140)
  * Fix x86 target build issues in Visual Studio for non-Windows operating
    systems. (PR 8098)
  * Fix wolfSSL_X509_STORE_get0_objects to handle no CA (PR 8226)
    Properly handle reference counting when adding to the X509 store.
    (PR 8233)
  * Fix for various typos and improper size used with FreeRTOS_bind in the Renesas
    example. Thanks to Hongbo for the report on example issues. (PR 7537)
  * Fix for potential heap use after free with wolfSSL_PEM_read_bio_PrivateKey.
    Thanks to Peter for the issue reported. (PR 8139)
2025-01-02 13:35:32 +01:00
Yuri Victorovich 87b04fbcc9 security/mbedtls: Update EXPIRATION_DATE
... due to the problem in users because of the removed file.
2025-01-01 20:51:06 -08:00
Po-Chuan Hsieh d47edc5bb4 security/p5-GSSAPI: Cosmetic change 2025-01-02 10:46:12 +08:00
Po-Chuan Hsieh 47be4498ca security/rubygem-rasn1: Update to 0.14.0
Changes:	https://github.com/lemontree55/rasn1/blob/master/Changelog.md
2025-01-02 10:45:58 +08:00
Po-Chuan Hsieh 7d702bc039 security/rubygem-googleauth: Update to 1.12.2
Changes:	https://github.com/googleapis/google-auth-library-ruby/releases
2025-01-02 10:45:55 +08:00
Po-Chuan Hsieh c4c9ca8e81 security/py-tlslite-ng: Update to 0.8.0
- Update LICENSE

Changes:	https://github.com/tlsfuzzer/tlslite-ng/releases
2025-01-02 10:44:49 +08:00
Po-Chuan Hsieh 4ebb46d3e4 security/py-m2crypto: Update to 0.43.0
- Update WWW

Changes:	https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES
2025-01-02 10:44:46 +08:00
Po-Chuan Hsieh 80fc9e19af security/py-joserfc: Update to 1.0.1
Changes:	https://github.com/authlib/joserfc/releases
2025-01-02 10:44:42 +08:00
Po-Chuan Hsieh 57c8d387e0 security/py-authlib: Update to 1.4.0
Changes:	https://github.com/lepture/authlib/releases
		https://github.com/lepture/authlib/blob/master/docs/changelog.rst
2025-01-02 10:44:38 +08:00
Po-Chuan Hsieh b09e192e9e security/p5-CPANSA-DB: Update to 20241227.001
Changes:	https://metacpan.org/dist/CPANSA-DB/changes
2025-01-02 10:44:08 +08:00
Po-Chuan Hsieh bc0371d2ce security/nettle: Update to 3.10.1
Changes:	https://git.lysator.liu.se/nettle/nettle/-/blob/master/NEWS
2025-01-02 10:43:53 +08:00
Po-Chuan Hsieh 7f76d85cb2 security/libssh: Remove MBEDTLS option after mbedtls expiration
Reference:	https://cgit.freebsd.org/ports/commit/?id=499bbc6f29d2d85930b7fbf8964f22fc4d88db46
2025-01-02 10:43:49 +08:00
Po-Chuan Hsieh 328e8289a7 security/libfido2: Add make test 2025-01-02 10:43:46 +08:00
Po-Chuan Hsieh 5da00af002 security/aws-lc: Add PORTSCOUT 2025-01-02 10:43:42 +08:00
Yuri Victorovich a91f1c475d security/fizz: update 2024.12.23.00 → 2024.12.30.00 2025-01-01 16:39:06 -08:00
Rene Ladan 8777dde246 all: remove support for expired FreeBSD 13.3
Reviewed by:	bofh, brnrd, jbeich, nobutaka
Approved by:	portmgr (implicit)
Differential Revision: https://reviews.freebsd.org/D48247
2025-01-01 17:09:59 +01:00
Rene Ladan e2011a12a9 security/vanguards-tor: expire on 2025-03-31 for devel/py-pytest-runner 2025-01-01 15:42:16 +01:00
Rene Ladan 7675e11b31 security/py-python-jose: expire on 2025-03-31 for devel/py-pytest-runner 2025-01-01 15:41:34 +01:00
Rene Ladan 60756926e5 security/maia: Remove expired port
2024-12-31 security/maia: Depends on deprecated dependencies and doesn't work with PHP 8.
2025-01-01 13:19:51 +01:00
Rene Ladan 34dc2c1f04 security/py-first-server: Remove expired port
2024-12-31 security/py-first-server: Upstream project has been archived
2025-01-01 13:19:24 +01:00