From 28637b7a55d9affe62c27324d99ec84d8557ad23 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 9 Nov 2021 17:07:53 -0800 Subject: [PATCH] wolfKeyMgr v1.1 release --- ChangeLog.md | 12 ++++++++++++ README.md | 34 ++++++++++++++++++++++------------ configure.ac | 4 ++-- src/mod_http.c | 9 +++------ src/mod_vault.c | 18 ++++++++++-------- src/sock_mgr.c | 5 ++++- src/svc_ets.c | 29 ++++++++++++++++++----------- wolfkeymgr/version.h | 2 +- 8 files changed, 72 insertions(+), 41 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index ab70082..54e40db 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,3 +1,15 @@ +# wolfKeyMgr v1.1 (Nov 9, 2021) +* Added support for x448 (curve448). +* Added argument support to HTTP server. +* Fixed `ets_test` help messages for fingerprint and context string. +* Fix to use `memmove` for relocation of memory within same buffer. +* Fixed sanitizer and scan-build reports. +* Fixed support for `HAVE_PUBLIC_FFDHE` not defined. +* Fixed HTTPS example server to send shutdown. +* Renamed "ETSI" API/structs to be "ETS" (Enterprise Transport Security) not ETSI org. +* Improved error reporting when connection to key manager fails. +* Improved help on middlebox/decrypt tool. + # wolfKeyMgr v1.0 (Sep 1, 2021) * Support for Curve25519 and Curve448 in key manager. * Support for Curve25519 in middle-box decryption. diff --git a/README.md b/README.md index d6f044a..cca1751 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ $ ./autogen.sh $ git clone https://github.com/wolfssl/wolfssl $ cd wolfssl $ ./autogen.sh -$ ./configure --enable-sniffer --enable-curve25519 CFLAGS="-DWOLFSSL_DH_EXTRA" +$ ./configure --enable-sniffer --enable-curve25519 --enable-curve448 CFLAGS="-DWOLFSSL_DH_EXTRA" $ make $ make check # (optional, but highly recommended) $ sudo make install @@ -60,9 +60,9 @@ Notes: * To enable all Intel (AESNI/AVX) speedups use `--enable-intelasm --enable-sp --enable-sp-asm` * To enable all ARMv8 (aarch64) speedups use `--enable-armasm --enable-sp --enable-sp-asm` -* Requires at least wolfSSL v4.8.0 with PR: - - https://github.com/wolfSSL/wolfssl/pull/4181 - - https://github.com/wolfSSL/wolfssl/pull/4335 (required for Curve25519) + +* Requires at least wolfSSL v5.0.0 with PR: + - https://github.com/wolfSSL/wolfssl/pull/4522 (required for Curve448) 2. Install libevent version 2.0+ @@ -116,22 +116,25 @@ This application handles secure distribution and optional storage of the generat ```sh $ ./src/wolfkeymgr -? -wolfKeyManager 1.0 +wolfKeyManager 1.1 -? Help, print this usage -i Do not chdir / in daemon mode -b Daemon mode, run in background -p Pid File name, default ./wolfkeymgr.pid +-P Listener port, default 8119 -l Log Level (1=Error to 4=Debug), default 4 -f Log file name, default None -o Max open files, default 1024 -s Seconds to timeout non-push connections, default 60 -r Key renewal timeout, default 3600 +-u Key renewal max use count, default 100 -t Thread pool size, default 16 --k TLS Server TLS Key, default ./certs/server-key.pem +-k TLS Server TLS Key, default ./certs/server-rsa-key.pem -w TLS Server Key Password, default wolfssl --c TLS Server Certificate, default ./certs/server-cert.pem +-c TLS Server Certificate, default ./certs/server-rsa-cert.pem -A TLS CA Certificate, default ./certs/ca-cert.pem -K Key Type: SECP256R1, FFDHE_2048, X25519 or X448 (default SECP256R1) +-v Vault file for key storage, default ./wolfkeymgr.vault ``` To exit the key manager use ctrl+c. @@ -142,7 +145,7 @@ This demonstrates secure interactions with the key manager service using the ETS ```sh $ ./examples/ets_test/ets_test -? -ets_test 1.0 +ets_test 1.1 -? Help, print this usage -e Error mode, force error response -h Host to connect to, default localhost @@ -158,8 +161,8 @@ ets_test 1.0 -c TLS Client Certificate, default certs/client-cert.pem -A TLS CA Certificate, default certs/ca-cert.pem -K Key Type: SECP256R1, FFDHE_2048, X25519 or X448 (default SECP256R1) --F Fingerprint of ephemeral public key (first 80-bit of pkey hash as hex string) --C Context string (used for multiple servers) +-F Fingerprint to find (first 80-bit of pkey hash as hex string) +-C Unique key name (used for multiple servers) ``` This client also support stress testing options: @@ -225,8 +228,15 @@ This is a passive way to decrypt TLS traffic including Perfect Forward Secrecy ( This can be run in a real-time mode capturing ethernet traffic on a port for one or more server interfaces. It can also be run passing a previously captured pcap file. ```sh -./examples/middlebox/decrypt -? -usage: ./decrypt or ./decrypt dumpFile keyServerURL [server] [port] [password] +$ ./examples/middlebox/decrypt -? +decrypt 1.1 +usage: ./decrypt or ./decrypt pcapFile keyServerURL [server] [port] [password] +-? Help, print this usage +pcapFile A previously saved pcap file +keyServerURL Key Manager URL or private key as PEM (default https://localhost:8119) +server The server’s IP address (v4 or v6) (default 127.0.0.1) +port The server port to sniff (default 443) +password Private Key Password if required ``` diff --git a/configure.ac b/configure.ac index 735b915..ed80cb1 100644 --- a/configure.ac +++ b/configure.ac @@ -5,7 +5,7 @@ AC_PREREQ(2.59) -AC_INIT([wolfKeyManager],[1.0],[http://www.wolfssl.com]) +AC_INIT([wolfKeyManager],[1.1],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR(config) AC_CONFIG_HEADERS([wolfkeymgr/config.h]) AC_CONFIG_MACRO_DIR(m4) @@ -71,7 +71,7 @@ LT_PREREQ([2.2]) LT_INIT([disable-static win32-dll]) # Shared library versioning -WOLFKM_LIBRARY_VERSION=8:0:0 +WOLFKM_LIBRARY_VERSION=9:0:0 # | | | # +------+ | +---+ # | | | diff --git a/src/mod_http.c b/src/mod_http.c index c15edd5..8c57afa 100644 --- a/src/mod_http.c +++ b/src/mod_http.c @@ -165,7 +165,6 @@ static void HttpParseHeader(HttpHeader* headers, word32* headerCount, char* hdrS int wolfHttpServer_ParseRequest(HttpReq* req, byte* buf, word32 sz) { char* sec = (char*)buf, *endline, *last; - word32 len = sz; word32 itemSz; if (req == NULL) { @@ -185,7 +184,7 @@ int wolfHttpServer_ParseRequest(HttpReq* req, byte* buf, word32 sz) } req->method = sec; itemSz = strlen(sec) + 1; /* include space */ - sec += itemSz; len -= itemSz; + sec += itemSz; /* Find end of line */ endline = strstr(sec, kCrlf); @@ -291,7 +290,6 @@ int wolfHttpServer_EncodeResponse(int rspCode, const char* message, bodySz = remain; memcpy(out, body, bodySz); out += bodySz; - remain -= bodySz; } /* calculate total length */ @@ -306,7 +304,6 @@ int wolfHttpServer_EncodeResponse(int rspCode, const char* message, int wolfHttpClient_ParseResponse(HttpRsp* rsp, char* buf, word32 sz) { char* sec = buf, *endline; - word32 len = sz; word32 itemSz; if (rsp == NULL) { @@ -322,7 +319,7 @@ int wolfHttpClient_ParseResponse(HttpRsp* rsp, char* buf, word32 sz) } rsp->version = sec; itemSz = strlen(sec) + 1; /* include space */ - sec += itemSz; len -= itemSz; + sec += itemSz; /* HTTP Response Code */ /* find next space */ @@ -332,7 +329,7 @@ int wolfHttpClient_ParseResponse(HttpRsp* rsp, char* buf, word32 sz) } rsp->code = atoi(sec); itemSz = strlen(sec) + 1; /* include space */ - sec += itemSz; len -= itemSz; + sec += itemSz; /* HTTP Response Message */ /* find end of line */ diff --git a/src/mod_vault.c b/src/mod_vault.c index 39c1f68..8354198 100644 --- a/src/mod_vault.c +++ b/src/mod_vault.c @@ -184,14 +184,16 @@ int wolfVaultOpen(wolfVaultCtx** ctx, const char* file) ret = WOLFKM_BAD_FILE; } - /* read remainder */ - headSz = ctx_new->header.headerSz-headSz; - ret = (int)fread(headPtr, 1, headSz, ctx_new->fd); - ret = (ret == headSz) ? 0 : WOLFKM_BAD_FILE; - - vaultSz = wolfVaultGetSize(ctx_new); - if (vaultSz > ctx_new->header.headerSz) - vaultSz -= ctx_new->header.headerSz; + if (ret == 0) { + /* read remainder */ + headSz = ctx_new->header.headerSz-headSz; + ret = (int)fread(headPtr, 1, headSz, ctx_new->fd); + ret = (ret == headSz) ? 0 : WOLFKM_BAD_FILE; + + vaultSz = wolfVaultGetSize(ctx_new); + if (vaultSz > ctx_new->header.headerSz) + vaultSz -= ctx_new->header.headerSz; + } if (ret == 0 && ctx_new->header.vaultSz != vaultSz) { XLOG(WOLFKM_LOG_ERROR, "Vault size does not match actual %lu != %lu\n", vaultSz, ctx_new->header.vaultSz); diff --git a/src/sock_mgr.c b/src/sock_mgr.c index 342866a..52df8db 100644 --- a/src/sock_mgr.c +++ b/src/sock_mgr.c @@ -298,7 +298,10 @@ void ServiceConnFree(SvcConn* conn) me = conn->me; - XLOG(WOLFKM_LOG_DEBUG, "Freeing %s Service Connection\n", conn->svc->desc); + if (conn->svc) { + XLOG(WOLFKM_LOG_DEBUG, "Freeing %s Service Connection\n", + conn->svc->desc); + } DecrementCurrentConnections(conn); if (conn->svc && conn->svc->closeCb) { diff --git a/src/svc_ets.c b/src/svc_ets.c index 13e5040..a17f62e 100644 --- a/src/svc_ets.c +++ b/src/svc_ets.c @@ -625,7 +625,12 @@ static int wolfEtsSvcVaultAuthCb(wolfVaultCtx* ctx, byte* key, word32 keySz, if (memcmp(keyEnc, zeroBuffer, keyEncSz) == 0) { /* Generate key for encryption */ ret = wc_RNG_GenerateBlock(&rng, key, keySz); - + if (ret != 0) { + XLOG(WOLFKM_LOG_ERROR, "Error %s (%d) generating key\n", + wolfKeyMgr_GetError(ret), ret); + wc_FreeRng(&rng); + return ret; + } newKey = 1; } @@ -677,22 +682,24 @@ static int wolfEtsSvcVaultAuthCb(wolfVaultCtx* ctx, byte* key, word32 keySz, if (newKey || ret != 0) { XLOG(WOLFKM_LOG_WARN, "Vault Auth: Setting up new encryption key\n"); + ret = 0; /* reset error code */ if (!newKey) { /* Generate key for encryption */ ret = wc_RNG_GenerateBlock(&rng, key, keySz); } - - /* use long term private RSA key to encrypt key */ - ret = wc_RsaPublicEncrypt(key, keySz, keyEnc, privKeySz, &rsa, - &rng); - if (ret > 0) { - if (ret != (int)privKeySz) { - XLOG(WOLFKM_LOG_WARN, "Vault Auth: " - "Encrypted key size %d not expected %d\n", ret, privKeySz); + if (ret == 0) { + /* use long term private RSA key to encrypt key */ + ret = wc_RsaPublicEncrypt(key, keySz, keyEnc, privKeySz, &rsa, + &rng); + if (ret > 0) { + if (ret != (int)privKeySz) { + XLOG(WOLFKM_LOG_WARN, "Vault Auth: " + "Encrypted key size %d not expected %d\n", ret, privKeySz); + } + ret = 0; /* success */ } - ret = 0; /* success */ } - else { + if (ret != 0) { XLOG(WOLFKM_LOG_ERROR, "Vault Auth: encrypt key error %s (%d)\n", wolfKeyMgr_GetError(ret), ret); } diff --git a/wolfkeymgr/version.h b/wolfkeymgr/version.h index 83c3835..1d6bd50 100644 --- a/wolfkeymgr/version.h +++ b/wolfkeymgr/version.h @@ -27,7 +27,7 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "1.0" +#define LIBWOLFSSL_VERSION_STRING "1.1" #define LIBWOLFSSL_VERSION_HEX @HEX_VERSION@ #ifdef __cplusplus