|
|
@@ -70,163 +70,72 @@ should be used for the enum name.
|
|
|
|
|
|
*** end Notes ***
|
|
|
|
|
|
-# wolfSSL Release 5.4.0 (July 11, 2022)
|
|
|
+# wolfSSL Release 5.5.0 (Aug 30, 2022)
|
|
|
|
|
|
Note:
|
|
|
-** Future releases of wolfSSL will turn off TLS 1.1 by default
|
|
|
-** Release 5.4.0 made SP math the default math implementation. To make an equivalent build as –disable-fastmath from previous versions of wolfSSL, now requires using the configure option –enable-heapmath instead.
|
|
|
+** If not free’ing FP_ECC caches per thread by calling wc_ecc_fp_free there is a possible memory leak during TLS 1.3 handshakes which use ECC. Users are urged to confirm they are free’ing FP_ECC caches per thread if enabled to avoid this issue.
|
|
|
|
|
|
-Release 5.4.0 of wolfSSL embedded TLS has bug fixes and new features including:
|
|
|
+Release 5.5.0 of wolfSSL embedded TLS has bug fixes and new features including:
|
|
|
|
|
|
## Vulnerabilities
|
|
|
-* [High] Potential for DTLS DoS attack. In wolfSSL versions before 5.4.0 the return-routability check is wrongly skipped in a specific edge case. The check on the return-routability is there for stopping attacks that either consume excessive resources on the server, or try to use the server as an amplifier sending an excessive amount of messages to a victim IP. If using DTLS 1.0/1.2 on the server side users should update to avoid the potential DoS attack. CVE-2022-34293
|
|
|
-* [Medium] Ciphertext side channel attack on ECC and DH operations. Users on systems where rogue agents can monitor memory use should update the version of wolfSSL and change private ECC keys. Thanks to Sen Deng from Southern University of Science and Technology (SUSTech) for the report.
|
|
|
-* [Medium] Public disclosure of a side channel vulnerability that has been fixed since wolfSSL version 5.1.0. When running on AMD there is the potential to leak private key information with ECDSA operations due to a ciphertext side channel attack. Users on AMD doing ECDSA operations with wolfSSL versions less than 5.1.0 should update their wolfSSL version used. Thanks to professor Yinqian Zhang from Southern University of Science and Technology (SUSTech), his Ph.D. student Mengyuan Li from The Ohio State University, and his M.S students Sen Deng and Yining Tang from SUStech along with other collaborators; Luca Wilke, Jan Wichelmann and Professor Thomas Eisenbarth from the University of Lubeck, Professor Shuai Wang from Hong Kong University of Science and Technology, Professor Radu Teodorescu from The Ohio State University, Huibo Wang, Kang Li and Yueqiang Cheng from Baidu Security and Shoumeng Yang from Ant Financial Services Group.
|
|
|
-CVE-2020-12966 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1013 CVE-2021-46744 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1033
|
|
|
-
|
|
|
+* [Low] Fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users doing operations with private ECC keys such as server side TLS connections and creating ECC signatures, who also have hardware that could be targeted with a sophisticated Rowhammer attack should update the version of wolfSSL and compile using the macro WOLFSSL_CHECK_SIG_FAULTS. Thanks to Yarkin Doroz, Berk Sunar, Koksal Must, Caner Tol, and Kristi Rahman all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute for the report.
|
|
|
+* [Low] In wolfSSL version 5.3.0 if compiled with --enable-session-ticket and the client has non-empty session cache, with TLS 1.2 there is the possibility of a man in the middle passing a large session ticket to the client and causing a crash due to an invalid free. There is also the potential for a malicious TLS 1.3 server to crash a client in a similar manner except in TLS 1.3 it is not susceptible to a man in the middle attack. Users on the client side with –enable-session-ticket compiled in and using wolfSSL version 5.3.0 should update their version of wolfSSL. Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France" for research on tlspuffin.
|
|
|
+* [Low] If using wolfSSL_clear to reset a WOLFSSL object (vs the normal wolfSSL_free/wolfSSL_new) it can result in runtime issues. This exists with builds using the wolfSSL compatibility layer (--enable-opnesslextra) and only when the application is making use of wolfSSL_clear instead of SSL_free/SSL_new. In the case of a TLS 1.3 resumption, after continuing to use the WOLFSSH object after having called wolfSSL_clear, an application could crash. It is suggested that users calling wolfSSL_clear update the version of wolfSSL used. Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France" for research on tlspuffin.
|
|
|
+* Potential DoS attack on DTLS 1.2. In the case of receiving a malicious plaintext handshake message at epoch 0 the connection will enter an error state reporting a duplicate message. This affects both server and client side. Users that have DTLS enabled and in use should update their version of wolfSSL to mitigate the potential for a DoS attack.
|
|
|
|
|
|
## New Feature Additions
|
|
|
+* QUIC support added, for using wolfSSL with QUIC implementations like ngtcp2
|
|
|
+* SE050 port additions and fixes
|
|
|
+* Added support for Dilithium post quantum algorithm use with TLS
|
|
|
+* Support for RSA-PSS signed certificates
|
|
|
+* Support for Infineon AURIX IDE
|
|
|
+* Add Zephyr support for nRF5340 with CryptoCell-312
|
|
|
+
|
|
|
+## Enhancements
|
|
|
+* Expanded ABI support by 50 APIs to include wolfCrypt and Certificates making a total of 113 ABIs controlled and maintained
|
|
|
+* DTLS 1.3 partial support for ConnectionID as described by RFC9146 and RFC9147
|
|
|
+* Added support for X509_CRL_print function
|
|
|
+* Remove deprecated algorithms in Renesas cs+ project
|
|
|
+* Support more build options disable/enable with i.MX CAAM build
|
|
|
+* wolfSSL_CTX_set_options and wolfSSL_CTX_get_options functions added to non compatibility layer builds
|
|
|
+* TFM: change inline x86 asm code to compile with clang
|
|
|
+* Improvements to error queue and fix for behavior of wolfSSL_ERR_get_error
|
|
|
+* scripts/makedistsmall.sh script added for creating a small source/header only package
|
|
|
+* TLS 1.3: restrict extension validity by message, Extensions ServerName, SupportedGroups and ALPN must not appear in server_hello
|
|
|
+* Add liboqs integration to CMake build system
|
|
|
+* Adds wolfSSL_PEM_read_RSAPrivateKey() to the OpenSSL compatible API
|
|
|
+* Added support for P384 pre-share in bundled example server
|
|
|
+* Replace clz assembly instruction in ARM 32 builds when not supported
|
|
|
+* Integrate chacha20-poly1305 into the EVP interface
|
|
|
+* Additional validation that extensions appear in correct messages
|
|
|
+* Allow SAN to be critical with ASN template build
|
|
|
+* Support wolfSSL_CTX_set1_curves_list being available when X25519 and/or X448 only defined
|
|
|
+* Adds wolfSSL_PEM_read_RSA_PUBKEY() to the OpenSSL compatible API
|
|
|
+* Match OpenSSL self signed error return with compatibility layer build
|
|
|
+* Added wolfSSL_dtls_create_peer and wolfSSL_dtls_free_peer to help with Python and Go wrappers for DTLS
|
|
|
+
|
|
|
+## Fixes
|
|
|
+* DTLS 1.3 asynchronous use case fixes
|
|
|
+* Fix handling of counter to support incrementing across all bytes in ARM crypto asm
|
|
|
+* Fixes for ED25519/ED448 private key with public key export (RFC8410)
|
|
|
+* Fix for build with NO_TLS macro
|
|
|
+* Fix for write dup function to copy over TLS version
|
|
|
+* Fix to handle path lengths of 0 when checking certificate CA path lengths
|
|
|
+* Fix for CMake not installing sp_int.h for SP math all
|
|
|
+* When WOLFSSL_VALIDATE_ECC_IMPORT is defined ECC import validates private key value is less than order
|
|
|
+* PSA crypto fixes
|
|
|
+* Fix for not having default pkcs7 signed attributes
|
|
|
+* DTLS socket and timeout fixes
|
|
|
+* SP int: exptmod ensure base is less than modulus
|
|
|
+* Fix for AddPacketInfo with WOLFSSL_CALLBACKS to not pass encrypted TLS 1.3 handshake messages to callbacks
|
|
|
+* Fix for sniffer to ensure the session was polled before trying to reprocess it
|
|
|
|
|
|
-### DTLS 1.3
|
|
|
-* Support for using the new DTLSv1.3 protocol was added
|
|
|
-* Enhancements to bundled examples for an event driven server with DTLS 1.3 was added
|
|
|
-### Ports
|
|
|
-* Update for the version of VxWorks supported, adding in support for version 6.x
|
|
|
-* Support for new DPP and EAP-TEAP/EAP-FAST in wpa_supplicant
|
|
|
-* Update for TSIP version support, adding support for version 1.15 for RX65N and RX72N
|
|
|
-* Improved TSIP build to handle having the options WOLFSSL_AEAD_ONLY defined or NO_AES_CBC defined
|
|
|
-* Added support for offloading TLS1.3 operations to Renesas RX boards with TSIP
|
|
|
-### Misc.
|
|
|
-* Constant time improvements due to development of new constant time tests
|
|
|
-* Initial translation of API headers to Japanese and expansion of Japanese help message support in example applications
|
|
|
-* Add support for some FPKI (Federal PKI) certificate cases, UUID, FASC-N, PIV extension for use with smart cards
|
|
|
-* Add support for parsing additional CSR attributes such as unstructured name and content type
|
|
|
-* Add support for Linux getrandom() when defining the macro WOLFSSL_GETRANDOM
|
|
|
-* Add TLS 1.2 ciphersuite ECDHE_PSK_WITH_AES_128_GCM_SHA256 from RFC 8442
|
|
|
-* Expand CAAM support with QNX to include i.MX8 boards and add AES-CTR support
|
|
|
-* Enhanced glitching protection by hardening the TLS encrypt operations
|
|
|
-
|
|
|
-## Math and Performance
|
|
|
-
|
|
|
-### SP Math Additions
|
|
|
-* Support for ARMv3, ARMv6 and ARMv7a
|
|
|
- - Changes and improvements to get SP building for armv7-a
|
|
|
- - Updated assembly for moving large immediate values on ARMv6
|
|
|
- - Support for architectures with no ldrd/strd and clz
|
|
|
-* Reworked generation using common asm ruby code for 32bit ARM
|
|
|
-* Enable wolfSSL SP math all by default (sp_int.c)
|
|
|
-* Update SP math all to not use sp_int_word when SQR_MUL_ASM is available
|
|
|
-### SP Math Fixes
|
|
|
-* Fixes for constant time with div function
|
|
|
-* Fix casting warnings for Windows builds and assembly changes to support XMM6-15 being non-volatile
|
|
|
-* Fix for div_word when not using div function
|
|
|
-* Fixes for user settings with SP ASM and ED/Curve25519 small
|
|
|
-* Additional Wycheproof tests ran and fixes
|
|
|
-* Fix for SP math ECC non-blocking to always check `hashLen`
|
|
|
-* Fix for SP math handling edge case with submod
|
|
|
-
|
|
|
-## Improvements and Optimizations
|
|
|
-
|
|
|
-### Compatibility Layer
|
|
|
-* Provide access to "Finished" messages outside of compatibility layer builds
|
|
|
-* Remove unneeded FIPS guard on wolfSSL_EVP_PKEY_derive
|
|
|
-* Fix control command issues with AES-GCM, control command EVP_CTRL_GCM_IV_GEN
|
|
|
-* Add support for importing private only EC key to a WOLFSSL_EVP_PKEY struct
|
|
|
-* Add support for more extensions to wolfSSL_X509_print_ex
|
|
|
-* Update for internal to DER (i2d) AIPs to move the buffer pointer when passed in and the operation is successful
|
|
|
-* Return subject and issuer X509_NAME object even when not set
|
|
|
-### Ports
|
|
|
-* Renesas RA6M4 example update and fixes
|
|
|
-* Support multi-threaded use cases with Renesas SCE protected mode and TSIP
|
|
|
-* Add a global variable for heap-hint for use with TSIP
|
|
|
-* Changes to support v5.3.0 cube pack for STM32
|
|
|
-* Use the correct mutex type for embOS
|
|
|
-* ESP-IDF build cleanup and enhancements, adding in note regarding ESP-IDF Version
|
|
|
-* Support for SEGGER embOS and emNET
|
|
|
-* Fix to handle WOLFSSL_DTLS macro in Micrium build
|
|
|
-### Build Options
|
|
|
-* Support for verify only and no-PSS builds updated
|
|
|
-* Add the enable options wolfssh (mapped to the existing –enable-ssh)
|
|
|
-* Remove WOLFSSL_ALT_NAMES restriction on notBefore/notAfter use in Cert struct
|
|
|
-* Move several more definitions outside the BUILDING_WOLFSSL gate with linux kernel module build
|
|
|
-* Modify --enable-openssh to not enable non-FIPS algos for FIPS builds
|
|
|
-* Remove the Python wrappers from wolfSSL source (use pip install instead of using wolfSSL with Python and our separate Python repository)
|
|
|
-* Add --enable-openldap option to configure.ac for building the OpenLDAP port
|
|
|
-* Resolve DTLS build to handle not having –enable-hrrcookie when not needed
|
|
|
-* Add an --enable-strongswan option to configure.ac for building the Strongswan port
|
|
|
-* Improve defaults for 64-bit BSDs in configure
|
|
|
-* Crypto only build can now be used openssl extra
|
|
|
-* Update ASN template build to properly handle WOLFSSL_CERT_EXT and HAVE_OID_ENCODING
|
|
|
-* Allow using 3DES and MD5 with FIPS 140-3, as they fall outside of the FIPS boundary
|
|
|
-* Add the build option --enable-dh=const which replaces setting the macro WOLFSSL_DH_CONST and now conditionally link to -lm as needed
|
|
|
-* Add the macro WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY which is used to verify hostname/ip address using alternate name (SAN) only and does not use the common name
|
|
|
-* WOLFSSL_DTLS_NO_HVR_ON_RESUME macro added (off by default to favor more security). If defined, a DTLS server will not do a cookie exchange on successful client resumption: the resumption will be faster (one RTT less) and will consume less bandwidth (one ClientHello and one HelloVerifyRequest less). On the other hand, if a valid SessionID is collected, forged clientHello messages will consume resources on the server.
|
|
|
-* Misc.
|
|
|
-* Refactoring of some internal TLS functions to reduce the memory usage
|
|
|
-* Make old less secure TimingPadVerify implementation available
|
|
|
-* Add support for aligned data with clang LLVM
|
|
|
-* Remove subject/issuer email from the list of alt. Email names in the DecodedCerts struct
|
|
|
-* Zeroizing of pre-master secret buffer in TLS 1.3
|
|
|
-* Update to allow TLS 1.3 application server to send session ticket
|
|
|
-* Improve the sniffer asynchronous test case to support multiple concurrent streams
|
|
|
-* Clean up wolfSSL_clear() and add more logging
|
|
|
-* Update to not error out on bad CRL next date if using NO_VERIFY when parsing
|
|
|
-* Add an example C# PSK client
|
|
|
-* Add ESP-IDF WOLFSSL_ESP8266 setting for ESP8266 devices
|
|
|
-* Support longer sigalg list for post quantum use cases and inter-op with OQS's OpenSSL fork
|
|
|
-* Improve AES-GCM word implementation of GMULT to be constant time
|
|
|
-* Additional sanity check with Ed25519/Ed448, now defaults to assume public key is not trusted
|
|
|
-* Support PSK ciphersuites in benchmark apps
|
|
|
-* FIPS in core hash using SHA2-256 and SHA2-384
|
|
|
-* Add ability to store issuer name components when parsing a certificate
|
|
|
-* Make the critical extension flags in DecodedCert always available
|
|
|
-* Updates to the default values for basic constraint with X509’s
|
|
|
-* Support using RSA OAEP with no malloc and add additional sanity checks
|
|
|
-* Leverage async code paths to support WANT_WRITE while sending packet fragments
|
|
|
-* New azsphere example for continuous integration testing
|
|
|
-* Update RSA key generation function to handle pairwise consistency tests with static memory pools used
|
|
|
-* Resolve build time warning by passing in and checking output length with internal SetCurve function
|
|
|
-* Support DTLS bidirectional shutdown in the examples
|
|
|
-* Improve DTLS version negotiation and downgrade capability
|
|
|
-
|
|
|
-### General Fixes
|
|
|
-* Fixes for STM32 Hash/PKA, add some missing mutex frees, and add an additional benchmark
|
|
|
-* Fix missing return checks in KSDK ED25519 code
|
|
|
-* Fix compilation warnings from IAR
|
|
|
-* Fixes for STM32U5/H7 hash/crypto support
|
|
|
-* Fix for using track memory feature with FreeRTOS
|
|
|
-* Fixup XSTR processing for MICRIUM
|
|
|
-* Update Zephyr fs.h path
|
|
|
-* DTLS fixes with WANT_WRITE simulations
|
|
|
-* Fixes for BER use with PKCS7 to have additional sanity checks and guards on edge cases
|
|
|
-* Fix to handle exceptional edge case with TFM mp_exptmod_ex
|
|
|
-* Fix for stack and heap measurements of a 32-bit build
|
|
|
-* Fix to allow enabling AES key wrap (direct) with KCAPI
|
|
|
-* Fix --enable-openssh FIPS detection syntax in configure.ac
|
|
|
-* Fix to move wolfSSL_ERR_clear_error outside gate for OPENSSL_EXTRA
|
|
|
-* Remove MCAPI project's dependency on zlib version
|
|
|
-* Only use __builtin_offset on supported GCC versions (4+)
|
|
|
-* Fix for c89 builds with using WOLF_C89
|
|
|
-* Fix 64bit postfix for constants building with powerpc
|
|
|
-* Fixed async Sniffer with TLS v1.3, async removal of `WC_HW_WAIT_E` and sanitize leak
|
|
|
-* Fix for QAT ECC to gate use of HW based on marker
|
|
|
-* Fix the supported version extension to always check minDowngrade
|
|
|
-* Fix for TLS v1.1 length sanity check for large messages
|
|
|
-* Fixes for loading a long DER/ASN.1 certificate chain
|
|
|
-* Fix to expose the RSA public DER export functions with certgen
|
|
|
-* Fixes for building with small version of SHA3
|
|
|
-* Fix configure with WOLFSSL_WPAS_SMALL
|
|
|
-* Fix to free PKCS7 recipient list in error cases
|
|
|
-* Sanity check to confirm ssl->hsHashes is not NULL before attempting to dereference it
|
|
|
-* Clear the leftover byte count in Aes struct when setting IV
|
|
|
|
|
|
For additional vulnerability information visit the vulnerability page at:
|
|
|
https://www.wolfssl.com/docs/security-vulnerabilities/
|
|
|
|
|
|
See INSTALL file for build instructions.
|
|
|
More info can be found on-line at: https://wolfssl.com/wolfSSL/Docs.html
|
|
|
-# wolfSSL Release 5.3.0 (May 3rd, 2022)
|
|
|
-
|
|
|
|
|
|
*** Resources ***
|
|
|
|
Jacob Barthelmeh