authorSanthosh Raju <fox@FreeBSD.org>2021-01-30 06:11:11 +0800
committerSanthosh Raju <fox@FreeBSD.org>2021-01-30 06:11:11 +0800
commitcedb20777a0d03f8da4ddac6faf1784dfe582391 (patch)
treec1fffd1879b9de10be0118e0a8a7febd89f27429 /security/wolfssl
parent79bc46dd7e65913e1cffa710e1d973ad63a2b865 (diff)
security/wolfssl: Add DEBUG option and enable more features.
- Set --enable-opensslall which is needed for wolfSSL_X509_NAME_print_ex() and friends. - Set --enable-certgen to allow certificate generation. - Define WOLFSSL_ALT_NAMES so one can generate certificates with the Subject Alternative Name extension. - Set --enable-sessioncerts to allow inspecting certificates with wolfSSL_get_peer_cert_chain(). - Set --enable-des3 so one can load PBES2-3DES-CBC-encoded keys. Additionally a patch to prevent memory leaks is included. PR: 252829 Submitted by: Fabian Keil <fk@fabiankeil.de> Reported by: Fabian Keil <fk@fabiankeil.de> Approved by: fox (maintainer)
Diffstat (limited to 'security/wolfssl')
-rw-r--r--security/wolfssl/Makefile13
-rw-r--r--security/wolfssl/files/patch-src-ssl.c31
2 files changed, 42 insertions, 2 deletions
diff --git a/security/wolfssl/Makefile b/security/wolfssl/Makefile
index dad5f8b2a600..44f2dcec8b11 100644
--- a/security/wolfssl/Makefile
+++ b/security/wolfssl/Makefile
@@ -2,9 +2,11 @@
PORTNAME= wolfssl
PORTVERSION= 4.6.0
+PORTREVISION= 1
CATEGORIES= security devel
MASTER_SITES= https://www.wolfssl.com/ \
LOCAL/fox
+
MAINTAINER= fox@FreeBSD.org
COMMENT= Embedded SSL C-Library
@@ -16,14 +18,18 @@ USE_LDCONFIG= yes
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --disable-dependency-tracking \
+ --enable-certgen \
+ --enable-des3 \
--enable-dh \
--enable-dsa \
--enable-dtls \
--enable-ecc \
--enable-ipv6 \
--enable-keygen \
+ --enable-opensslall \
--enable-opensslextra \
--enable-ripemd \
+ --enable-sessioncerts \
--enable-sha512 \
--enable-shared \
--enable-sni \
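Review bot: `--enable-des3` and `--enable-opensslall` are added to CONFIGURE_ARGS unconditionally, so every consumer of the port gets the larger compiled-in surface even though the commit message motivates them by specific needs (loading PBES2-3DES-CBC keys, wolfSSL_X509_NAME_print_ex()). It is worth confirming that enabling 3DES for key decoding does not also make 3DES suites part of the default TLS cipher list, since applications that never set their own cipher list would inherit that. Either expose the four additions as port OPTIONS, or record the reason above the assignment, for example `# certgen, des3, opensslall, sessioncerts: requested in PR 252829`. The CONFIGURE_ARGS list continues past the end of this hunk.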
@@ -32,8 +38,11 @@ CONFIGURE_ARGS= --disable-dependency-tracking \
--enable-tls13 \
--enable-tls13-draft18
TEST_TARGET= check
+CFLAGS+= -DWOLFSSL_ALT_NAMES
PORTDOCS= *
-OPTIONS_DEFINE= DOCS
+OPTIONS_DEFINE= DEBUG DOCS
+
+DEBUG_CONFIGURE_ON= --enable-debug
post-configure:
@${REINPLACE_CMD} \
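Review bot: `CFLAGS+= -DWOLFSSL_ALT_NAMES` sets a feature macro from outside configure, and nothing in the hunk shows that the installed headers will advertise it to applications. If this macro changes the layout of the certificate-generation structure, as I believe it does, an application compiled without the same define would disagree with the library about that structure's size, so please verify that the generated `wolfssl/options.h` contains it after the configure step. A comment such as `# must also appear in the installed options.h; consumers need the same define` above the line would record that requirement. The new `DEBUG_CONFIGURE_ON= --enable-debug` is off by default, which is the right default for a TLS library.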
@@ -42,7 +51,7 @@ post-configure:
-e '/^pkgconfigdir/s|(libdir)|&data|' \
${WRKSRC}/Makefile
-post-install:
+post-install-DEBUG-off:
@${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libwolfssl.so
.include <bsd.port.mk>
diff --git a/security/wolfssl/files/patch-src-ssl.c b/security/wolfssl/files/patch-src-ssl.c
new file mode 100644
index 000000000000..15dbf7856c62
--- /dev/null
+++ b/security/wolfssl/files/patch-src-ssl.c
@@ -0,0 +1,31 @@
+From 0aead8cb868003a5dff2e81d6a7ffd7579652610 Mon Sep 17 00:00:00 2001
+From: Fabian Keil <fk@fabiankeil.de>
+Date: Sun, 17 Jan 2021 11:21:59 +0100
+Subject: [PATCH] wolfSSL_CertManagerFree(): free refMutex
+
+Fixes memory leaks like:
+ ==323== 96 bytes in 1 blocks are definitely lost in loss record 3 of 4
+ ==323== at 0x4C291E1: calloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
+ ==323== by 0x585495F: pthread_mutex_init (in /lib/libthr.so.3)
+ ==323== by 0x4E7B5E8: wc_InitMutex (wc_port.c:1071)
+ ==323== by 0x4F09540: wolfSSL_CertManagerNew_ex (ssl.c:3596)
+ ==323== by 0x4EC6A81: InitSSL_Ctx (internal.c:1752)
+ ==323== by 0x4F0441E: wolfSSL_CTX_new_ex (ssl.c:394)
+ ==323== by 0x4F04658: wolfSSL_CTX_new (ssl.c:436)
+ ==323== by 0x400AA2: main (wolfssl-ctx-leak.c:9)
+
+This is a partial cherry-pick of upstream commit
+9598c037168b73ce2f by Tesfa Mael.
+--- src/ssl.c.orig 2020-12-23 02:15:20 UTC
++++ src/ssl.c
+@@ -3663,7 +3663,9 @@ void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm)
+ FreeTrustedPeerTable(cm->tpTable, TP_TABLE_SIZE, cm->heap);
+ wc_FreeMutex(&cm->tpLock);
+ #endif
+-
++ if (wc_FreeMutex(&cm->refMutex) != 0) {
++ WOLFSSL_MSG("Couldn't free refMutex mutex");
++ }
+ XFREE(cm, cm->heap, DYNAMIC_TYPE_CERT_MANAGER);
+ }
+ }
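Review bot: The added `wc_FreeMutex(&cm->refMutex)` destroys the mutex immediately before `XFREE(cm, ...)`, and that is only safe if no other thread can still hold or wait on refMutex at that point. The reference-count handling that would guarantee this is in the part of wolfSSL_CertManagerFree() above the hunk, so the ordering should be checked against the full function. A failure is reported only through `WOLFSSL_MSG` and cm is freed regardless, which is reasonable for a destructor but deserves a comment, for example `/* last reference dropped and refMutex unlocked above; cm is freed even if the destroy fails */`. Because this is a partial cherry-pick, the patch header could also state which upstream release contains the fix, so the file is dropped on the next port update.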