update README for release v5.1.1

CMakeLists.txt

@@ -28,13 +28,13 @@ if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
      You must delete them, or cmake will refuse to work.")
 endif()
 
-project(wolfssl VERSION 5.1.0 LANGUAGES C)
+project(wolfssl VERSION 5.1.1 LANGUAGES C)
 
 # shared library versioning
 # increment if interfaces have been added, removed or changed
 set(LIBTOOL_CURRENT 31)
 # increment if source code has changed  set to zero if current is incremented
-set(LIBTOOL_REVISION 0)
+set(LIBTOOL_REVISION 1)
 # increment if interfaces have been added set to zero if interfaces have been
 # removed or changed
 set(LIBTOOL_AGE 1)

ChangeLog.md

@@ -1,3 +1,9 @@
+# wolfSSL Release 5.1.1 (Jan 3rd, 2021)
+Release 5.1.1 of wolfSSL embedded TLS has a high vulnerability fix:
+
+### Vulnerabilities
+* \[High\]  In connections using AES-CBC or DES3 with TLS/DTLS 1.2 or 1.1 the IV being used is not random. Users using wolfSSL version 5.0.0 or 5.1.0 doing TLS/DTLS 1.2 or 1.1 connections, without AEAD only, should update the version of wolfSSL used.
+
 # wolfSSL Release 5.1.0 (Dec 27, 2021)
 Release 5.1.0 of wolfSSL embedded TLS has bug fixes and new features including:
 

README

@@ -77,6 +77,12 @@ https://www.wolfssl.com/docs/security-vulnerabilities/
 See INSTALL file for build instructions.
 More info can be found on-line at https://wolfssl.com/wolfSSL/Docs.html
 
+# wolfSSL Release 5.1.1 (Jan 3rd, 2021)
+Release 5.1.1 of wolfSSL embedded TLS has a high vulnerability fix:
+
+### Vulnerabilities
+* \[High\]  In connections using AES-CBC or DES3 with TLS/DTLS 1.2 or 1.1 the IV being used is not random. Users using wolfSSL version 5.0.0 or 5.1.0 doing TLS/DTLS 1.2 or 1.1 connections, without AEAD only, should update the version of wolfSSL used.
+
 # wolfSSL Release 5.1.0 (Dec 27, 2021)
 Release 5.1.0 of wolfSSL embedded TLS has bug fixes and new features including:
 

README.md

@@ -78,6 +78,12 @@ macro `NO_OLD_SHA_NAMES`. These names get mapped to the OpenSSL API for a
 single call hash function. Instead the name `WC_SHA`, `WC_SHA256`, `WC_SHA384` and
 `WC_SHA512` should be used for the enum name.
 
+# wolfSSL Release 5.1.1 (Jan 3rd, 2021)
+Release 5.1.1 of wolfSSL embedded TLS has a high vulnerability fix:
+
+### Vulnerabilities
+* \[High\]  In connections using AES-CBC or DES3 with TLS/DTLS 1.2 or 1.1 the IV being used is not random. Users using wolfSSL version 5.0.0 or 5.1.0 doing TLS/DTLS 1.2 or 1.1 connections, without AEAD only, should update the version of wolfSSL used.
+
 # wolfSSL Release 5.1.0 (Dec 27, 2021)
 Release 5.1.0 of wolfSSL embedded TLS has bug fixes and new features including:
 

configure.ac

@@ -7,7 +7,7 @@
 #
 AC_COPYRIGHT([Copyright (C) 2006-2020 wolfSSL Inc.])
 AC_PREREQ([2.69])
-AC_INIT([wolfssl],[5.1.0],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[https://www.wolfssl.com])
+AC_INIT([wolfssl],[5.1.1],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[https://www.wolfssl.com])
 AC_CONFIG_AUX_DIR([build-aux])
 
 # The following sets CFLAGS to empty if unset on command line.  We do not
@@ -38,7 +38,7 @@ LT_INIT([disable-static win32-dll])
 AC_ARG_VAR(EXTRA_CFLAGS, [Extra CFLAGS to add to autoconf-computed arg list.  Can also supply directly to make.])
 
 #shared library versioning
-WOLFSSL_LIBRARY_VERSION=31:0:1
+WOLFSSL_LIBRARY_VERSION=31:1:1
 #                        | | |
 #                 +------+ | +---+
 #                 |        |     |
@@ -216,8 +216,9 @@ AC_ARG_ENABLE([fips],
 #   v5-RC8 - historical FIPS 140-3 (wolfCrypt WCv5.0-RC8)
 #   v5-RC9 - historical FIPS 140-3 (wolfCrypt WCv5.0-RC9)
 #   v5-RC10 - historical FIPS 140-3, wolfCrypt/fips WCv5.0-RC10
-#   v5-RC11 - FIPS 140-3, wolfCrypt/fips WCv5.0-RC11
-#   v5 - currently, alias for v5-RC11
+#   v5-RC11 - historical FIPS 140-3, wolfCrypt/fips WCv5.0-RC11
+#   v5-RC12 - FIPS 140-3, wolfCrypt/fips WCv5.0-RC12
+#   v5 - currently, alias for v5-RC12
 #   v5-ready - FIPS 140-3 settings with in-tree wolfcrypt sources, feature locked
 #   v5-dev - FIPS 140-3 settings with in-tree wolfcrypt sources, features freely adjustable
 #   ready - currently, same as v5-ready
@@ -264,12 +265,18 @@ AS_CASE([$ENABLED_FIPS],
         HAVE_FIPS_VERSION_MINOR=2
         ENABLED_FIPS="yes"
     ],
-    [v5|v5-RC11],[
+    [v5-RC11],[
         FIPS_VERSION="v5-RC11"
         HAVE_FIPS_VERSION=5
         HAVE_FIPS_VERSION_MINOR=2
         ENABLED_FIPS="yes"
     ],
+    [v5|v5-RC12],[
+        FIPS_VERSION="v5-RC12"
+        HAVE_FIPS_VERSION=5
+        HAVE_FIPS_VERSION_MINOR=2
+        ENABLED_FIPS="yes"
+    ],
     [ready|v5-ready],[
         FIPS_VERSION="v5-ready"
         HAVE_FIPS_VERSION=5

fips-check.sh

@@ -223,22 +223,22 @@ netos-7.6)
 
 linuxv5)
   FIPS_REPO="git@github.com:wolfSSL/fips.git"
-  FIPS_VERSION="WCv5.0-RC11"
+  FIPS_VERSION="WCv5.0-RC12"
   CRYPT_REPO="git@github.com:wolfSSL/wolfssl.git"
-  CRYPT_VERSION="WCv5.0-RC11"
+  CRYPT_VERSION="WCv5.0-RC12"
   CRYPT_INC_PATH="wolfssl/wolfcrypt"
   CRYPT_SRC_PATH="wolfcrypt/src"
   WC_MODS=( aes sha sha256 sha512 rsa hmac random cmac dh ecc sha3 kdf )
-  RNG_VERSION="WCv5.0-RC11"
+  RNG_VERSION="WCv5.0-RC12"
   FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c )
   FIPS_INCS=( fips.h )
-  FIPS_OPTION="v5-RC11"
+  FIPS_OPTION="v5-RC12"
   COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm
                 wolfcrypt/src/sha256_asm.S wolfcrypt/src/sha512_asm.S )
   ;;
 linuxv5-ready|fips-ready|fips-v5-ready)
   FIPS_REPO="git@github.com:wolfSSL/fips.git"
-  FIPS_VERSION="WCv5.0-RC11"
+  FIPS_VERSION="WCv5.0-RC12"
   CRYPT_INC_PATH=wolfssl/wolfcrypt
   CRYPT_SRC_PATH=wolfcrypt/src
   FIPS_SRCS=( fips.c fips_test.c wolfcrypt_first.c wolfcrypt_last.c )

rpm/spec.in

@@ -74,7 +74,7 @@ mkdir -p $RPM_BUILD_ROOT/
 %{_libdir}/libwolfssl.la
 %{_libdir}/libwolfssl.so
 %{_libdir}/libwolfssl.so.30
-%{_libdir}/libwolfssl.so.30.1.0
+%{_libdir}/libwolfssl.so.30.1.1
 
 %files devel
 %defattr(-,root,root,-)

src/internal.c

@@ -18366,8 +18366,6 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
                 ret = wc_RNG_GenerateBlock(ssl->rng, args->iv, args->ivSz);
                 if (ret != 0)
                     goto exit_buildmsg;
-
-                XMEMSET(args->iv, 0, args->ivSz);
             }
 #if !defined(NO_PUBLIC_GCM_SET_IV) && \
     ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \

tests/api.c

@@ -20621,6 +20621,7 @@ static int test_wc_DsaKeyToPublicDer(void)
     }
     if (ret == 0) {
         word32 idx = 0;
+        wc_FreeDsaKey(&genKey);
         ret = wc_DsaPublicKeyDecode(der, &idx, &genKey, sz);
     }
     /* Test without the SubjectPublicKeyInfo header */
@@ -20635,6 +20636,7 @@ static int test_wc_DsaKeyToPublicDer(void)
     }
     if (ret == 0) {
         word32 idx = 0;
+        wc_FreeDsaKey(&genKey);
         ret = wc_DsaPublicKeyDecode(der, &idx, &genKey, sz);
     }
 

wolfssl/version.h

@@ -28,8 +28,8 @@
 extern "C" {
 #endif
 
-#define LIBWOLFSSL_VERSION_STRING "5.1.0"
-#define LIBWOLFSSL_VERSION_HEX 0x05001000
+#define LIBWOLFSSL_VERSION_STRING "5.1.1"
+#define LIBWOLFSSL_VERSION_HEX 0x05001001
 
 #ifdef __cplusplus
 }

wolfssl/wolfcrypt/types.h

@@ -316,7 +316,7 @@ decouple library dependencies with standard string, memory and so on.
             #elif ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
                 #define FALL_THROUGH ; __attribute__ ((fallthrough))
             #elif defined(__clang__) && defined(__clang_major__) && \
-                    (__clang_major__ >= 11)
+                    (__clang_major__ >= 12)
                 #define FALL_THROUGH ; __attribute__ ((fallthrough))
             #endif
         #endif