From 0cbc640aad7ff38fe186826ea0118efd8509c186 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 9 Feb 2017 15:39:55 -0700 Subject: [PATCH 1/4] memory managment in crl.c with crl monitor --- src/crl.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/crl.c b/src/crl.c index 2fbcde08c..8d3729ec1 100644 --- a/src/crl.c +++ b/src/crl.c @@ -873,9 +873,19 @@ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) pathBuf[pathLen] = '\0'; /* Null Terminate */ if (type == SSL_FILETYPE_PEM) { + /* free old path before setting a new one */ + if (crl->monitors[0].path) { + XFREE(crl->monitors[0].path, crl->heap, + DYNAMIC_TYPE_CRL_MONITOR); + } crl->monitors[0].path = pathBuf; crl->monitors[0].type = SSL_FILETYPE_PEM; } else { + /* free old path before setting a new one */ + if (crl->monitors[1].path) { + XFREE(crl->monitors[1].path, crl->heap, + DYNAMIC_TYPE_CRL_MONITOR); + } crl->monitors[1].path = pathBuf; crl->monitors[1].type = SSL_FILETYPE_ASN1; } From e307f3e89d722d142d75c079e7c84b510baac8ad Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 9 Feb 2017 16:06:34 -0700 Subject: [PATCH 2/4] free decoded cert with small stack build --- wolfcrypt/src/asn.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index f2d124b0a..509364825 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
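Review bot: The old `crl->monitors[n].path` buffer is freed in both branches with no synchronization visible, so if a CRL monitor thread started by an earlier LoadCRL call can still read that path, this is a use-after-free. Whether such a thread can be running at this point is not visible in the hunk and should be confirmed. If it can, do the free-and-replace under the lock that guards the monitor state, or refuse a second monitored load while the thread is active. The two branches differ only in slot index and type, so selecting the slot once (`mon = &crl->monitors[type == SSL_FILETYPE_PEM ? 0 : 1];`) would keep the free and the assignment in one place. LoadCRL's body starts and ends outside the hunk.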
@@ -8501,18 +8501,27 @@ int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz) ret = ParseCert(decoded, CERT_TYPE, NO_VERIFY, 0); if (ret != 0) { FreeDecodedCert(decoded); + #ifdef WOLFSSL_SMALL_STACK + XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif return ret; } /* Subject Key Id not found !! */ if (decoded->extSubjKeyIdSet == 0) { FreeDecodedCert(decoded); + #ifdef WOLFSSL_SMALL_STACK + XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif return ASN_NO_SKID; } /* SKID invalid size */ if (sizeof(cert->akid) < sizeof(decoded->extSubjKeyId)) { FreeDecodedCert(decoded); + #ifdef WOLFSSL_SMALL_STACK + XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif return MEMORY_E; } @@ -8521,6 +8530,10 @@ int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz) cert->akidSz = KEYID_SIZE; FreeDecodedCert(decoded); + #ifdef WOLFSSL_SMALL_STACK + XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return 0; } From 6c55701725f66c964ca7372e16c22c4634bf9051 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 10 Feb 2017 10:09:45 -0700 Subject: [PATCH 3/4] c89 build with ECC compresed key --- wolfcrypt/src/ecc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index f5a9b2d42..0aabb65c2 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -3891,10 +3891,10 @@ int wc_ecc_import_point_der(byte* in, word32 inLen, const int curve_idx, #ifdef HAVE_COMP_KEY if (err == MP_OKAY && compressed == 1) { /* build y */ mp_int t1, t2; - DECLARE_CURVE_SPECS(3) - int did_init = 0; + DECLARE_CURVE_SPECS(3) + if (mp_init_multi(&t1, &t2, NULL, NULL, NULL, NULL) != MP_OKAY) err = MEMORY_E; else 
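Review bot: The `FreeDecodedCert(decoded)` plus `#ifdef WOLFSSL_SMALL_STACK` / `XFREE` pair is now repeated on all four exits of wc_SetAuthKeyIdFromCert (three in this hunk, the success path in the @@ -8521 hunk), so any future early return must remember both calls or it will leak the DecodedCert again in small-stack builds. Routing the error cases through `ret` and a single cleanup at the end removes that hazard without changing the returned codes. The allocation of `decoded` is above the hunk, so the NULL heap hint passed to XFREE should be checked against the hint used there. The function starts outside the hunk.

```c
    ret = ParseCert(decoded, CERT_TYPE, NO_VERIFY, 0);

    /* Subject Key Id not found !! */
    if (ret == 0 && decoded->extSubjKeyIdSet == 0)
        ret = ASN_NO_SKID;

    /* SKID invalid size */
    if (ret == 0 && sizeof(cert->akid) < sizeof(decoded->extSubjKeyId))
        ret = MEMORY_E;

    if (ret == 0) {
        /* … unchanged: lines between the two hunks, then cert->akidSz = KEYID_SIZE; … */
    }

    /* single cleanup point for every exit */
    FreeDecodedCert(decoded);
    #ifdef WOLFSSL_SMALL_STACK
        XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER);
    #endif

    return ret;
```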
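Review bot: Nothing at the declaration site records that `DECLARE_CURVE_SPECS(3)` has to follow the last local declaration, so the next edit that adds a variable below it will break the C89 build again. A one-line comment above the macro, e.g. `/* keep last among the declarations: may expand to statements */`, would document the constraint. That the macro expands to statements in some configurations is inferred from the commit subject and should be confirmed against its definition. The same applies to the @@ -4495 hunk in wc_ecc_import_x963_ex, and both enclosing blocks continue outside their hunks.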
@@ -4495,10 +4495,11 @@ int wc_ecc_import_x963_ex(const byte* in, word32 inLen, ecc_key* key, #ifdef HAVE_COMP_KEY if (err == MP_OKAY && compressed == 1) { /* build y */ - DECLARE_CURVE_SPECS(3) mp_int t1, t2; int did_init = 0; + DECLARE_CURVE_SPECS(3) + if (mp_init_multi(&t1, &t2, NULL, NULL, NULL, NULL) != MP_OKAY) err = MEMORY_E; else From 337c52b4cfb4cbb47232c207d666be4f78292228 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 10 Feb 2017 10:19:34 -0700 Subject: [PATCH 4/4] prepare for release 3.10.2 --- README | 33 +++++++++++++++++++++++++++++++++ README.md | 35 +++++++++++++++++++++++++++++++++++ configure.ac | 4 ++-- rpm/spec.in | 7 +++++-- support/wolfssl.pc | 2 +- wolfssl/version.h | 4 ++-- 6 files changed, 78 insertions(+), 7 deletions(-) diff --git a/README b/README index 63f245259..b2292bbe0 100644 --- a/README +++ b/README 
@@ -34,6 +34,39 @@ before calling wolfSSL_new(); Though it's not recommended. *** end Notes *** +********* wolfSSL (Formerly CyaSSL) Release 3.10.2 (2/10/2017) + +Release 3.10.2 of wolfSSL has bug fixes and new features including: + +- Poly1305 Windows macros fix. Thanks to GitHub user Jay Satiro +- Compatibility layer expanded with multiple functions added +- Improve fp_copy performance with ALT_ECC_SIZE +- OCSP updates and improvements +- Fixes for IAR EWARM 8 compiler warnings +- Reduce stack usage with ECC_CACHE_CURVE disabled +- Added ECC export raw for public and private key +- Fix for NO_ASN_TIME build +- Supported curves extensions now populated by default +- Add DTLS build without big integer math +- Fix for static memory feature with wc_ecc_verify_hash_ex and not SHAMIR +- Added PSK interoperability testing to script bundled with wolfSSL +- Fix for Python wrapper random number generation. Compiler optimizations with Python could place the random number in same buffer location each time. Thanks to GitHub user Erik Bray (embray) +- Fix for tests on unaligned memory with static memory feature +- Add macro WOLFSSL_NO_OCSP_OPTIONAL_CERTS to skip optional OCSP certificates +- Sanity checks on NULL arguments added to wolfSSL_set_fd and wolfSSL_DTLS_SetCookieSecret +- mp_jacobi stack use reduced, thanks to Szabi Tolnai for providing a solution to reduce stack usage + + +This release of wolfSSL fixes 2 low and 1 medium level security vulnerability. + +Low level fix of buffer overflow for when loading in a malformed temporary DH file. Thanks to Yueh-Hsun Lin and Peng Li from KNOX Security, Samsung Research America for the report. + +Medium level fix for processing of OCSP response. If using OCSP without hard faults enforced and no alternate revocation checks like OCSP stapling then it is recommended to update. + +Low level fix for potential cache attack on RSA operations. 
If using wolfSSL RSA on a server that other users can have access to monitor the cache, then it is recommended to update wolfSSL. Thanks to Andreas Zankl, Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the initial report. + +See INSTALL file for build instructions. +More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html ********* wolfSSL (Formerly CyaSSL) Release 3.10.0 (12/21/2016) diff --git a/README.md b/README.md index ae166c18e..a5e1e542b 100644 --- a/README.md +++ b/README.md 
@@ -38,6 +38,41 @@ wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); before calling wolfSSL_new(); Though it's not recommended. ``` +# wolfSSL (Formerly CyaSSL) Release 3.10.2 (2/10/2017) + +## Release 3.10.2 of wolfSSL has bug fixes and new features including: + +- Poly1305 Windows macros fix. Thanks to GitHub user Jay Satiro +- Compatibility layer expanded with multiple functions added +- Improve fp_copy performance with ALT_ECC_SIZE +- OCSP updates and improvements +- Fixes for IAR EWARM 8 compiler warnings +- Reduce stack usage with ECC_CACHE_CURVE disabled +- Added ECC export raw for public and private key +- Fix for NO_ASN_TIME build +- Supported curves extensions now populated by default +- Add DTLS build without big integer math +- Fix for static memory feature with wc_ecc_verify_hash_ex and not SHAMIR +- Added PSK interoperability testing to script bundled with wolfSSL +- Fix for Python wrapper random number generation. Compiler optimizations with Python could place the random number in same buffer location each time. Thanks to GitHub user Erik Bray (embray) +- Fix for tests on unaligned memory with static memory feature +- Add macro WOLFSSL_NO_OCSP_OPTIONAL_CERTS to skip optional OCSP certificates +- Sanity checks on NULL arguments added to wolfSSL_set_fd and wolfSSL_DTLS_SetCookieSecret +- mp_jacobi stack use reduced, thanks to Szabi Tolnai for providing a solution to reduce stack usage + + +This release of wolfSSL fixes 2 low and 1 medium level security vulnerability. + +Low level fix of buffer overflow for when loading in a malformed temporary DH file. Thanks to Yueh-Hsun Lin and Peng Li from KNOX Security, Samsung Research America for the report. + +Medium level fix for processing of OCSP response. If using OCSP without hard faults enforced and no alternate revocation checks like OCSP stapling then it is recommended to update. + +Low level fix for potential cache attack on RSA operations. 
If using wolfSSL RSA on a server that other users can have access to monitor the cache, then it is recommended to update wolfSSL. Thanks to Andreas Zankl, Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the initial report. + +See INSTALL file for build instructions. +More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html + + # wolfSSL (Formerly CyaSSL) Release 3.10.0 (12/21/2016) ## Release 3.10.0 of wolfSSL has bug fixes and new features including: diff --git a/configure.ac b/configure.ac index 8afb2db4d..e3510bd5d 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([wolfssl],[3.10.0],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) +AC_INIT([wolfssl],[3.10.2],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) @@ -35,7 +35,7 @@ AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_HEADERS([config.h:config.in])dnl Keep filename to 8.3 for MS-DOS. #shared library versioning -WOLFSSL_LIBRARY_VERSION=9:0:6 +WOLFSSL_LIBRARY_VERSION=10:0:0 # | | | # +------+ | +---+ # | | | diff --git a/rpm/spec.in b/rpm/spec.in index ae8fc8ad8..ffb217e2e 100644 --- a/rpm/spec.in +++ b/rpm/spec.in @@ -72,8 +72,8 @@ mkdir -p $RPM_BUILD_ROOT/ %{_docdir}/wolfssl/README.txt %{_libdir}/libwolfssl.la %{_libdir}/libwolfssl.so -%{_libdir}/libwolfssl.so.3 -%{_libdir}/libwolfssl.so.3.6.0 +%{_libdir}/libwolfssl.so.10 +%{_libdir}/libwolfssl.so.10.0.0 %files devel %defattr(-,root,root,-) @@ -229,6 +229,7 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/wolfssl/wolfcrypt/visibility.h %{_includedir}/wolfssl/wolfcrypt/wc_encrypt.h %{_includedir}/wolfssl/wolfcrypt/wolfevent.h +%{_includedir}/wolfssl/wolfcrypt/wolfmath.h %{_includedir}/wolfssl/error-ssl.h %{_includedir}/wolfssl/ocsp.h %{_includedir}/wolfssl/openssl/aes.h 
@@ -276,6 +277,8 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/pkgconfig/wolfssl.pc %changelog +* Thu Feb 09 2017 Jacob Barthelmeh +- Added header for wolfssl/wolfcrypt/wolfmath.h * Fri Nov 11 2016 Jacob Barthelmeh - Added header for wolfssl/openssl/aes.h * Fri Oct 28 2016 Jacob Barthelmeh diff --git a/support/wolfssl.pc b/support/wolfssl.pc index 41636af6d..12b8be27a 100644 --- a/support/wolfssl.pc +++ b/support/wolfssl.pc @@ -5,6 +5,6 @@ includedir=${prefix}/include Name: wolfssl Description: wolfssl C library. -Version: 3.10.0 +Version: 3.10.2 Libs: -L${libdir} -lwolfssl Cflags: -I${includedir} diff --git a/wolfssl/version.h b/wolfssl/version.h index bd92deb26..e94ec3fcb 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -28,8 +28,8 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "3.10.0" -#define LIBWOLFSSL_VERSION_HEX 0x03010000 +#define LIBWOLFSSL_VERSION_STRING "3.10.2" +#define LIBWOLFSSL_VERSION_HEX 0x03010002 #ifdef __cplusplus }