Merge pull request #1994 from JacobBarthelmeh/Release

prepare for release 3.15.7

ChangeLog.md

@@ -1,3 +1,41 @@
+# wolfSSL Release 3.15.7 (12/26/2018)
+
+Release 3.15.7 of wolfSSL embedded TLS has bug fixes and new features including:
+
+* Support for Espressif ESP-IDF development framework
+* Fix for XCode build with iPhone simulator on i386
+* PKCS7 support for generating and verify bundles using a detached signature
+* Fix for build disabling AES-CBC and enabling opensslextra compatibility layer
+* Updates to sniffer for showing session information and handling split messages across records
+* Port update for Micrium uC/OS-III
+* Feature to adjust max fragment size post handshake when compiled with the macro WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST
+* Adding the macro NO_MULTIBYTE_PRINT for compiling out special characters that embedded devices may have problems with
+* Updates for Doxygen documentation, including PKCS #11 API and more
+* Adding Intel QuickAssist v1.7 driver support for asynchronous crypto
+* Adding Intel QuickAssist RSA key generation and SHA-3 support
+* RSA verify only (--enable-rsavfy) and RSA public only (--enable-rsapub) builds added
+* Enhancements to test cases for increased code coverage
+* Updates to VxWorks port for use with Mongoose, including updates to the OpenSSL compatibility layer
+* Yocto Project ease of use improvements along with many updates and build instructions added to the INSTALL file
+* Maximum ticket nonce size was increased to 8
+* Updating --enable-armasm build for ease of use with autotools
+* Updates to internal code checking TLS 1.3 version with a connection
+* Removing unnecessary extended master secret from ServerHello if using TLS 1.3
+* Fix for TLS v1.3 HelloRetryRequest to be sent immediately and not grouped
+
+
+
+This release of wolfSSL includes a fix for 1 security vulnerability.
+
+Medium level fix for potential cache attack with a variant of Bleichenbacher’s attack. Earlier versions of wolfSSL leaked PKCS #1 v1.5 padding information during private key decryption that could lead to a potential padding oracle attack. It is recommended that users update to the latest version of wolfSSL if they have RSA cipher suites enabled and have the potential for malicious software to be ran on the same system that is performing RSA operations. Users that have only ECC cipher suites enabled and are not performing RSA PKCS #1 v1.5 Decryption operations are not vulnerable. Also users with TLS 1.3 only connections are not vulnerable to this attack. Thanks to Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom (University of Adelaide and Data61) for the report.
+
+The paper for further reading on the attack details can be found at http://cat.eyalro.net/cat.pdf.
+
+
+See INSTALL file for build instructions.
+More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html
+
+
 # wolfSSL Release 3.15.5 (11/07/2018)
 
 Release 3.15.5 of wolfSSL embedded TLS has bug fixes and new features including:

README

@@ -73,79 +73,38 @@ should be used for the enum name.
 *** end Notes ***
 
 
-********* wolfSSL Release 3.15.5 (11/07/2018)
-
-Release 3.15.5 of wolfSSL embedded TLS has bug fixes and new features including:
-
-- Fixes for GCC-8 warnings with strings
-- Additional compatibility API’s added, including functions like wolfSSL_X509_CA_num and wolfSSL_PEM_read_X509_CRL
-- Fixes for OCSP use with NGINX port
-- Renamed the macro INLINE to WC_INLINE for inline functions
-- Doxygen updates and formatting for documentation generation
-- Added support for the STM32L4 with AES/SHA hardware acceleration
-- Adds checking for critical extension with certificate Auth ID and the macro WOLFSSL_ALLOW_CRIT_SKID to override the check
-- Added public key callbacks to ConfirmSignature function to expand public key callback support
-- Added ECC and Curve25519 key generation callback support
-- Fix for memory management with wolfSSL_BN_hex2bn function
-- Added support for dynamic allocation of PKCS7 structure using wc_PKCS7_New and wc_PKCS7_Free
-- Port to apache mynewt added in the directory wolfssl-3.15.5/IDE/mynewt/*
-- OCSP stapling in TLS 1.3 additions
-- Port for ASIO added with --enable-asio configure flag
-- Contiki port added with macro WOLFSSL_CONTIKI
-- Memory free optimizations with adding in earlier free’s where possible
-- Made modifications to the primality testing so that the Miller-Rabin tests check against up to 40 random numbers rather than a fixed list of small primes
-- Certificate validation time generation updated
-- Fixes for MQX classic 4.0 with IAR-EWARM
-- Fix for assembly optimized version of Curve25519
-- Make SOCKET_PEER_CLOSED_E consistent between read and write cases
-- Relocate compatibility layer functions for OpenSSH port update
-- Update to Intel® SGX port, files included by Windows version and macros defined when using WOLFSSL_SGX
-- Updates to Nucleus version supported
-- Stack size reduction with smallstack build
-- Updates to Rowley-Crossworks settings for CMSIS 4
-- Added reference STSAFE-A100 public key callbacks for TLS support
-- Added reference ATECC508A/ATECC608A public key callbacks for TLS support
-- Updated support for latest CryptoAuthLib (10/25/2018)
-- Added a wolfSSL static library project for Atollic TrueSTUDIO
-- Flag to disable AES-CBC and have only AEAD cipher suites with TLS
-- AF_ALG and cryptodev-linux crypto support added
-- Update to IO callbacks with use of WOLFSSL_BIO
-- Additional support for parsing certificate subject OIDs (businessCategory, jurisdiction of incorporation country, and jurisdiction of incorporation state)
-- Added  wc_ecc_ecport_ex and wc_export_inti API's for ECC hex string exporting
-- Updates to XCODE build with wolfSSL
-- Fix for guard on when to include sys/time.h header
-- Updates and enhancements to the GCC-ARM example
-- Fix for PKCS8 padding with encryption
-- Updates for wolfcrypt JNI wrapper
-- ALT_ECC_SIZE use with SP math
-- PIC32MZ hardware acceleration buffer alignment fixes
-- Renesas e2studio project files added
-- Renesas RX example project added
-- Fix for DH algorithm when using SP math with ARM assembly
-- Fixes and enhancements for NXP K82 support
-- Benchmark enhancements to print in CSV format and in Japanese
-- Support for PKCS#11 added with --enable-pkcs11
-- Fixes for asynchronous crypto use with TLS 1.3
-- TLS 1.3 only build, allows for disabling TLS 1.2 and earlier protocols
-- Fix for GCC warnings in function wolfSSL_ASN1_TIME_adj
-- Added --enable-asn=nocrypt for certificate only parsing support
-- Added support for parsing PIV format certificates with the function wc_ParseCertPIV and macro WOLFSSL_CERT_PIV
-- Added APIs to support GZIP
-- Updates to support Lighttpd
-- Version resource added for Windows DLL builds
-- Increased code coverage with additional testing
-- Added support for constructed OCTET_STRING with PKCS#7 signed data
-- Added DTLS either (server/client) side initialization setting
-- Minor fixes for building with MINGW32 compiler
-- Added support for generic ECC PEM header/footer with PKCS8 parsing
-- Added Japanese output to example server and client with “-1 1” flag
-- Added USE_ECDSA_KEYSZ_HASH_ALGO macro for building to use digest sizes that match ephemeral key size
-- Expand PKCS#7 CMS support with KEKRI, PWRI and ORI
-- Streaming capability for PKCS#7 decoding and sign verify added
-
-
-See INSTALL file for build instructions.
-More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html
+********* wolfSSL Release 3.15.7 (12/26/2018)
+
+Release 3.15.7 of wolfSSL embedded TLS has bug fixes and new features including:
+
+- Support for Espressif ESP-IDF development framework
+- Fix for XCode build with iPhone simulator on i386
+- PKCS7 support for generating and verify bundles using a detached signature
+- Fix for build disabling AES-CBC and enabling opensslextra compatibility layer
+- Updates to sniffer for showing session information and handling split messages across records
+- Port update for Micrium uC/OS-III
+- Feature to adjust max fragment size post handshake when compiled with the macro WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST
+- Adding the macro NO_MULTIBYTE_PRINT for compiling out special characters that embedded devices may have problems with
+- Updates for Doxygen documentation, including PKCS #11 API and more
+- Adding Intel QuickAssist v1.7 driver support for asynchronous crypto
+- Adding Intel QuickAssist RSA key generation and SHA-3 support
+- RSA verify only (--enable-rsavfy) and RSA public only (--enable-rsapub) builds added
+- Enhancements to test cases for increased code coverage
+- Updates to VxWorks port for use with Mongoose, including updates to the OpenSSL compatibility layer
+- Yocto Project ease of use improvements along with many updates and build instructions added to the INSTALL file
+- Maximum ticket nonce size was increased to 8
+- Updating --enable-armasm build for ease of use with autotools
+- Updates to internal code checking TLS 1.3 version with a connection
+- Removing unnecessary extended master secret from ServerHello if using TLS 1.3
+- Fix for TLS v1.3 HelloRetryRequest to be sent immediately and not grouped
+
+
+
+This release of wolfSSL includes a fix for 1 security vulnerability.
+
+Medium level fix for potential cache attack with a variant of Bleichenbacher’s attack. Earlier versions of wolfSSL leaked PKCS #1 v1.5 padding information during private key decryption that could lead to a potential padding oracle attack. It is recommended that users update to the latest version of wolfSSL if they have RSA cipher suites enabled and have the potential for malicious software to be ran on the same system that is performing RSA operations. Users that have only ECC cipher suites enabled and are not performing RSA PKCS #1 v1.5 Decryption operations are not vulnerable. Also users with TLS 1.3 only connections are not vulnerable to this attack. Thanks to Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom (University of Adelaide and Data61) for the report.
+
+The paper for further reading on the attack details can be found at http://cat.eyalro.net/cat.pdf.
 
 
 *** Resources ***

README.md

@@ -58,75 +58,38 @@ hash function. Instead the name WC_SHA, WC_SHA256, WC_SHA384 and WC_SHA512
 should be used for the enum name.
 ```
 
-# wolfSSL Release 3.15.5 (11/07/2018)
-
-Release 3.15.5 of wolfSSL embedded TLS has bug fixes and new features including:
-
-* Fixes for GCC-8 warnings with strings
-* Additional compatibility API’s added, including functions like wolfSSL_X509_CA_num and wolfSSL_PEM_read_X509_CRL
-* Fixes for OCSP use with NGINX port
-* Renamed the macro INLINE to WC_INLINE for inline functions
-* Doxygen updates and formatting for documentation generation
-* Added support for the STM32L4 with AES/SHA hardware acceleration
-* Adds checking for critical extension with certificate Auth ID and the macro WOLFSSL_ALLOW_CRIT_SKID to override the check
-* Added public key callbacks to ConfirmSignature function to expand public key callback support
-* Added ECC and Curve25519 key generation callback support
-* Fix for memory management with wolfSSL_BN_hex2bn function
-* Added support for dynamic allocation of PKCS7 structure using wc_PKCS7_New and wc_PKCS7_Free
-* Port to apache mynewt added in the directory wolfssl-3.15.5/IDE/mynewt/*
-* OCSP stapling in TLS 1.3 additions
-* Port for ASIO added with --enable-asio configure flag
-* Contiki port added with macro WOLFSSL_CONTIKI
-* Memory free optimizations with adding in earlier free’s where possible
-* Made modifications to the primality testing so that the Miller-Rabin tests check against up to 40 random numbers rather than a fixed list of small primes
-* Certificate validation time generation updated
-* Fixes for MQX classic 4.0 with IAR-EWARM
-* Fix for assembly optimized version of Curve25519
-* Make SOCKET_PEER_CLOSED_E consistent between read and write cases
-* Relocate compatibility layer functions for OpenSSH port update
-* Update to Intel® SGX port, files included by Windows version and macros defined when using WOLFSSL_SGX
-* Updates to Nucleus version supported
-* Stack size reduction with smallstack build
-* Updates to Rowley-Crossworks settings for CMSIS 4
-* Added reference STSAFE-A100 public key callbacks for TLS support
-* Added reference ATECC508A/ATECC608A public key callbacks for TLS support
-* Updated support for latest CryptoAuthLib (10/25/2018)
-* Added a wolfSSL static library project for Atollic TrueSTUDIO
-* Flag to disable AES-CBC and have only AEAD cipher suites with TLS
-* AF_ALG and cryptodev-linux crypto support added
-* Update to IO callbacks with use of WOLFSSL_BIO
-* Additional support for parsing certificate subject OIDs (businessCategory, jurisdiction of incorporation country, and jurisdiction of incorporation state)
-* Added  wc_ecc_ecport_ex and wc_export_inti API's for ECC hex string exporting
-* Updates to XCODE build with wolfSSL
-* Fix for guard on when to include sys/time.h header
-* Updates and enhancements to the GCC-ARM example
-* Fix for PKCS8 padding with encryption
-* Updates for wolfcrypt JNI wrapper
-* ALT_ECC_SIZE use with SP math
-* PIC32MZ hardware acceleration buffer alignment fixes
-* Renesas e2studio project files added
-* Renesas RX example project added
-* Fix for DH algorithm when using SP math with ARM assembly
-* Fixes and enhancements for NXP K82 support
-* Benchmark enhancements to print in CSV format and in Japanese
-* Support for PKCS#11 added with --enable-pkcs11
-* Fixes for asynchronous crypto use with TLS 1.3
-* TLS 1.3 only build, allows for disabling TLS 1.2 and earlier protocols
-* Fix for GCC warnings in function wolfSSL_ASN1_TIME_adj
-* Added --enable-asn=nocrypt for certificate only parsing support
-* Added support for parsing PIV format certificates with the function wc_ParseCertPIV and macro WOLFSSL_CERT_PIV
-* Added APIs to support GZIP
-* Updates to support Lighttpd
-* Version resource added for Windows DLL builds
-* Increased code coverage with additional testing
-* Added support for constructed OCTET_STRING with PKCS#7 signed data
-* Added DTLS either (server/client) side initialization setting
-* Minor fixes for building with MINGW32 compiler
-* Added support for generic ECC PEM header/footer with PKCS8 parsing
-* Added Japanese output to example server and client with “-1 1” flag
-* Added USE_ECDSA_KEYSZ_HASH_ALGO macro for building to use digest sizes that match ephemeral key size
-* Expand PKCS#7 CMS support with KEKRI, PWRI and ORI
-* Streaming capability for PKCS#7 decoding and sign verify added
+# wolfSSL Release 3.15.7 (12/26/2018)
+
+Release 3.15.7 of wolfSSL embedded TLS has bug fixes and new features including:
+
+* Support for Espressif ESP-IDF development framework
+* Fix for XCode build with iPhone simulator on i386
+* PKCS7 support for generating and verify bundles using a detached signature
+* Fix for build disabling AES-CBC and enabling opensslextra compatibility layer
+* Updates to sniffer for showing session information and handling split messages across records
+* Port update for Micrium uC/OS-III
+* Feature to adjust max fragment size post handshake when compiled with the macro WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST
+* Adding the macro NO_MULTIBYTE_PRINT for compiling out special characters that embedded devices may have problems with
+* Updates for Doxygen documentation, including PKCS #11 API and more
+* Adding Intel QuickAssist v1.7 driver support for asynchronous crypto
+* Adding Intel QuickAssist RSA key generation and SHA-3 support
+* RSA verify only (--enable-rsavfy) and RSA public only (--enable-rsapub) builds added
+* Enhancements to test cases for increased code coverage
+* Updates to VxWorks port for use with Mongoose, including updates to the OpenSSL compatibility layer
+* Yocto Project ease of use improvements along with many updates and build instructions added to the INSTALL file
+* Maximum ticket nonce size was increased to 8
+* Updating --enable-armasm build for ease of use with autotools
+* Updates to internal code checking TLS 1.3 version with a connection
+* Removing unnecessary extended master secret from ServerHello if using TLS 1.3
+* Fix for TLS v1.3 HelloRetryRequest to be sent immediately and not grouped
+
+
+
+This release of wolfSSL includes a fix for 1 security vulnerability.
+
+Medium level fix for potential cache attack with a variant of Bleichenbacher’s attack. Earlier versions of wolfSSL leaked PKCS #1 v1.5 padding information during private key decryption that could lead to a potential padding oracle attack. It is recommended that users update to the latest version of wolfSSL if they have RSA cipher suites enabled and have the potential for malicious software to be ran on the same system that is performing RSA operations. Users that have only ECC cipher suites enabled and are not performing RSA PKCS #1 v1.5 Decryption operations are not vulnerable. Also users with TLS 1.3 only connections are not vulnerable to this attack. Thanks to Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom (University of Adelaide and Data61) for the report.
+
+The paper for further reading on the attack details can be found at http://cat.eyalro.net/cat.pdf.
 
 
 See INSTALL file for build instructions.

configure.ac

@@ -7,7 +7,7 @@
 #
 AC_COPYRIGHT([Copyright (C) 2006-2018 wolfSSL Inc.])
 AC_PREREQ([2.63])
-AC_INIT([wolfssl],[3.15.6],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[https://www.wolfssl.com])
+AC_INIT([wolfssl],[3.15.7],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[https://www.wolfssl.com])
 AC_CONFIG_AUX_DIR([build-aux])
 
 # The following sets CFLAGS and CXXFLAGS to empty if unset on command line.
@@ -34,7 +34,7 @@ LT_PREREQ([2.2])
 LT_INIT([disable-static win32-dll])
 
 #shared library versioning
-WOLFSSL_LIBRARY_VERSION=19:0:0
+WOLFSSL_LIBRARY_VERSION=20:0:1
 #                        | | |
 #                 +------+ | +---+
 #                 |        |     |

rpm/spec.in

@@ -74,7 +74,7 @@ mkdir -p $RPM_BUILD_ROOT/
 %{_libdir}/libwolfssl.la
 %{_libdir}/libwolfssl.so
 %{_libdir}/libwolfssl.so.19
-%{_libdir}/libwolfssl.so.19.0.0
+%{_libdir}/libwolfssl.so.19.1.0
 
 %files devel
 %defattr(-,root,root,-)
@@ -198,7 +198,6 @@ mkdir -p $RPM_BUILD_ROOT/
 %{_includedir}/wolfssl/wolfcrypt/ed25519.h
 %{_includedir}/wolfssl/wolfcrypt/error-crypt.h
 %{_includedir}/wolfssl/wolfcrypt/fe_operations.h
-%{_includedir}/wolfssl/wolfcrypt/fips.h
 %{_includedir}/wolfssl/wolfcrypt/fips_test.h
 %{_includedir}/wolfssl/wolfcrypt/ge_operations.h
 %{_includedir}/wolfssl/wolfcrypt/hash.h
@@ -267,6 +266,7 @@ mkdir -p $RPM_BUILD_ROOT/
 %{_includedir}/wolfssl/openssl/opensslv.h
 %{_includedir}/wolfssl/openssl/ossl_typ.h
 %{_includedir}/wolfssl/openssl/pem.h
+%{_includedir}/wolfssl/openssl/pkcs7.h
 %{_includedir}/wolfssl/openssl/pkcs12.h
 %{_includedir}/wolfssl/openssl/rand.h
 %{_includedir}/wolfssl/openssl/rc4.h
@@ -288,6 +288,8 @@ mkdir -p $RPM_BUILD_ROOT/
 %{_libdir}/pkgconfig/wolfssl.pc
 
 %changelog
+* Thu Dec 20 2018 Jacob Barthelmeh <[email protected]>
+- Remove wolfssl/wolfcrypt/fips.h, add wolfssl/openssl/pkcs7.h
 * Wed Jun 20 2018 Jacob Barthelmeh <[email protected]>
 - Remove NEWS, update ChangeLog to ChangeLog.md, remove wolfssl/wolfcrypt/fips.h, add wolfssl/wolfcrypt/cryptodev.h
 * Thu May 31 2018 John Safranek <[email protected]>

wolfssl/openssl/ssl.h

@@ -760,6 +760,8 @@ typedef STACK_OF(WOLFSSL_ASN1_OBJECT) GENERAL_NAMES;
 #define SSL_set_tlsext_status_ids       wolfSSL_set_tlsext_status_ids
 #define SSL_get_tlsext_status_ocsp_res  wolfSSL_get_tlsext_status_ocsp_resp
 #define SSL_set_tlsext_status_ocsp_res  wolfSSL_set_tlsext_status_ocsp_resp
+#define SSL_set_tlsext_status_ocsp_resp  wolfSSL_set_tlsext_status_ocsp_resp
+#define SSL_get_tlsext_status_ocsp_resp  wolfSSL_get_tlsext_status_ocsp_resp
 
 #define SSL_CTX_add_extra_chain_cert    wolfSSL_CTX_add_extra_chain_cert
 #define SSL_CTX_get_read_ahead          wolfSSL_CTX_get_read_ahead

wolfssl/version.h

@@ -28,8 +28,8 @@
 extern "C" {
 #endif
 
-#define LIBWOLFSSL_VERSION_STRING "3.15.6"
-#define LIBWOLFSSL_VERSION_HEX 0x03015006
+#define LIBWOLFSSL_VERSION_STRING "3.15.7"
+#define LIBWOLFSSL_VERSION_HEX 0x03015007
 
 #ifdef __cplusplus
 }