revert changes to match 4.8.1 bundle

update docs for 4.8.1

CMakeLists.txt

@@ -28,7 +28,7 @@ if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
      You must delete them, or cmake will refuse to work.")
 endif()
 
-project(wolfssl VERSION 4.8.0 LANGUAGES C)
+project(wolfssl VERSION 4.8.1 LANGUAGES C)
 
 # shared library versioning
 # increment if interfaces have been added, removed or changed

ChangeLog.md

@@ -1,3 +1,10 @@
+# wolfSSL Release 4.8.1 (July 16, 2021)
+Release 4.8.1 of wolfSSL embedded TLS has an OCSP vulnerability fix:
+
+### Vulnerabilities
+* [High] OCSP verification issue when response is for a certificate with no relation to the chain in question BUT that response contains the NoCheck extension which effectively disables ALL verification of that one cert. Users who should upgrade to 4.8.1 are TLS client users doing OCSP, TLS server users doing mutual auth with OCSP, and CertManager users doing OCSP independent of TLS. Thanks to Jan Nauber, Marco Smeets, Werner Rueschenbaum and Alissa Kim for the report.
+
+
 # wolfSSL Release 4.8.0 (July 09, 2021)
 Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features including:
 

README

@@ -72,6 +72,12 @@ should be used for the enum name.
 
 *** end Notes ***
 
+# wolfSSL Release 4.8.1 (July 16, 2021)
+Release 4.8.1 of wolfSSL embedded TLS has an OCSP vulnerability fix:
+
+### Vulnerabilities
+* [High] OCSP verification issue when response is for a certificate with no relation to the chain in question BUT that response contains the NoCheck extension which effectively disables ALL verification of that one cert. Users who should upgrade to 4.8.1 are TLS client users doing OCSP, TLS server users doing mutual auth with OCSP, and CertManager users doing OCSP independent of TLS. Thanks to Jan Nauber, Marco Smeets, Werner Rueschenbaum and Alissa Kim for the report.
+
 
 # wolfSSL Release 4.8.0 (July 09, 2021)
 Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features including:

README.md

@@ -76,6 +76,12 @@ macro ```NO_OLD_SHA_NAMES```. These names get mapped to the OpenSSL API for a
 single call hash function. Instead the name WC_SHA, WC_SHA256, WC_SHA384 and
 WC_SHA512 should be used for the enum name.
 
+# wolfSSL Release 4.8.1 (July 16, 2021)
+Release 4.8.1 of wolfSSL embedded TLS has an OCSP vulnerability fix:
+
+### Vulnerabilities
+* [High] OCSP verification issue when response is for a certificate with no relation to the chain in question BUT that response contains the NoCheck extension which effectively disables ALL verification of that one cert. Users who should upgrade to 4.8.1 are TLS client users doing OCSP, TLS server users doing mutual auth with OCSP, and CertManager users doing OCSP independent of TLS. Thanks to Jan Nauber, Marco Smeets, Werner Rueschenbaum and Alissa Kim for the report.
+
 # wolfSSL Release 4.8.0 (July 09, 2021)
 Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features including:
 

configure.ac

@@ -7,7 +7,7 @@
 #
 AC_COPYRIGHT([Copyright (C) 2006-2020 wolfSSL Inc.])
 AC_PREREQ([2.69])
-AC_INIT([wolfssl],[4.8.0],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[https://www.wolfssl.com])
+AC_INIT([wolfssl],[4.8.1],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[https://www.wolfssl.com])
 AC_CONFIG_AUX_DIR([build-aux])
 
 # The following sets CFLAGS to empty if unset on command line.  We do not
@@ -36,7 +36,7 @@ LT_PREREQ([2.4.2])
 LT_INIT([disable-static win32-dll])
 
 #shared library versioning
-WOLFSSL_LIBRARY_VERSION=29:0:5
+WOLFSSL_LIBRARY_VERSION=29:1:5
 #                        | | |
 #                 +------+ | +---+
 #                 |        |     |

rpm/spec.in

@@ -74,7 +74,7 @@ mkdir -p $RPM_BUILD_ROOT/
 %{_libdir}/libwolfssl.la
 %{_libdir}/libwolfssl.so
 %{_libdir}/libwolfssl.so.24
-%{_libdir}/libwolfssl.so.24.5.0
+%{_libdir}/libwolfssl.so.24.5.1
 
 %files devel
 %defattr(-,root,root,-)

wolfcrypt/src/asn.c

@@ -10212,9 +10212,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
             }
 
         #ifdef HAVE_OCSP
-            /* trust for the lifetime of the responder's cert*/
-            if (cert->ocspNoCheckSet && verify == VERIFY_OCSP)
-                verify = NO_VERIFY;
+            if (verify == VERIFY_OCSP_CERT) {
+                /* trust for the lifetime of the responder's cert*/
+                if (cert->ocspNoCheckSet)
+                    verify = VERIFY;
+                else
+                    verify = VERIFY_OCSP;
+            }
         #endif
             /* advance past extensions */
             cert->srcIdx = cert->sigIndex;
@@ -17957,7 +17961,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 
         /* Don't verify if we don't have access to Cert Manager. */
         ret = ParseCertRelative(&cert, CERT_TYPE,
-                                noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
+                                noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm);
         if (ret < 0) {
             WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
             FreeDecodedCert(&cert);

wolfcrypt/src/port/caam/caam_qnx.c

@@ -1190,7 +1190,7 @@ static int getSupported(char* in)
 #endif
 
 char cannedResponse[] = {
-        "wolfCrypt QNX CAAM driver version 4.8.0\n"
+        "wolfCrypt QNX CAAM driver version 4.8.1\n"
         "Supports:\n"
         "\tAES-CMAC\n"
         "\tECC (sign, verify, ecdh, keygen)\n"

wolfssl/version.h

@@ -28,8 +28,8 @@
 extern "C" {
 #endif
 
-#define LIBWOLFSSL_VERSION_STRING "4.8.0"
-#define LIBWOLFSSL_VERSION_HEX 0x04008000
+#define LIBWOLFSSL_VERSION_STRING "4.8.1"
+#define LIBWOLFSSL_VERSION_HEX 0x04008001
 
 #ifdef __cplusplus
 }

wolfssl/wolfcrypt/asn.h

@@ -595,6 +595,7 @@ enum VerifyType {
     VERIFY_OCSP = 3,
     VERIFY_NAME = 4,
     VERIFY_SKIP_DATE = 5,
+    VERIFY_OCSP_CERT = 6,
 };
 
 #ifdef WOLFSSL_CERT_EXT