wolfKeyMgr v1.1 release

Author: dgarske

ChangeLog.md

@@ -1,3 +1,15 @@
+# wolfKeyMgr v1.1 (Nov 9, 2021)
+* Added support for x448 (curve448).
+* Added argument support to HTTP server.
+* Fixed `ets_test` help messages for fingerprint and context string.
+* Fix to use `memmove` for relocation of memory within same buffer. 
+* Fixed sanitizer and scan-build reports.
+* Fixed support for `HAVE_PUBLIC_FFDHE` not defined.
+* Fixed HTTPS example server to send shutdown.
+* Renamed "ETSI" API/structs to be "ETS" (Enterprise Transport Security) not ETSI org.
+* Improved error reporting when connection to key manager fails.
+* Improved help on middlebox/decrypt tool.
+
 # wolfKeyMgr v1.0 (Sep 1, 2021)
 * Support for Curve25519 and Curve448 in key manager.
 * Support for Curve25519 in middle-box decryption.

README.md

@@ -50,7 +50,7 @@ $ ./autogen.sh
 $ git clone https://github.com/wolfssl/wolfssl
 $ cd wolfssl
 $ ./autogen.sh
-$ ./configure --enable-sniffer --enable-curve25519 CFLAGS="-DWOLFSSL_DH_EXTRA"
+$ ./configure --enable-sniffer --enable-curve25519 --enable-curve448 CFLAGS="-DWOLFSSL_DH_EXTRA"
 $ make
 $ make check   # (optional, but highly recommended)
 $ sudo make install
@@ -60,9 +60,9 @@ Notes:
 
 * To enable all Intel (AESNI/AVX) speedups use `--enable-intelasm --enable-sp --enable-sp-asm`
 * To enable all ARMv8 (aarch64) speedups use `--enable-armasm --enable-sp --enable-sp-asm`
-* Requires at least wolfSSL v4.8.0 with PR:
-   - https://github.com/wolfSSL/wolfssl/pull/4181
-   - https://github.com/wolfSSL/wolfssl/pull/4335 (required for Curve25519)
+
+* Requires at least wolfSSL v5.0.0 with PR:
+   - https://github.com/wolfSSL/wolfssl/pull/4522 (required for Curve448)
 
 2. Install libevent version 2.0+
 
@@ -116,22 +116,25 @@ This application handles secure distribution and optional storage of the generat
 
 ```sh
 $ ./src/wolfkeymgr -?
-wolfKeyManager 1.0
+wolfKeyManager 1.1
 -?          Help, print this usage
 -i          Do not chdir / in daemon mode
 -b          Daemon mode, run in background
 -p <str>    Pid File name, default ./wolfkeymgr.pid
+-P <port>   Listener port, default 8119
 -l <num>    Log Level (1=Error to 4=Debug), default 4
 -f <str>    Log file name, default None
 -o <num>    Max open files, default  1024
 -s <num>    Seconds to timeout non-push connections, default 60
 -r <num>    Key renewal timeout, default 3600
+-u <num>    Key renewal max use count, default 100
 -t <num>    Thread pool size, default  16
--k <pem>    TLS Server TLS Key, default ./certs/server-key.pem
+-k <pem>    TLS Server TLS Key, default ./certs/server-rsa-key.pem
 -w <pass>   TLS Server Key Password, default wolfssl
--c <pem>    TLS Server Certificate, default ./certs/server-cert.pem
+-c <pem>    TLS Server Certificate, default ./certs/server-rsa-cert.pem
 -A <pem>    TLS CA Certificate, default ./certs/ca-cert.pem
 -K <keyt>   Key Type: SECP256R1, FFDHE_2048, X25519 or X448 (default SECP256R1)
+-v <file>   Vault file for key storage, default ./wolfkeymgr.vault
 ```
 
 To exit the key manager use ctrl+c.
@@ -142,7 +145,7 @@ This demonstrates secure interactions with the key manager service using the ETS
 
 ```sh
 $ ./examples/ets_test/ets_test -?
-ets_test 1.0
+ets_test 1.1
 -?          Help, print this usage
 -e          Error mode, force error response
 -h <str>    Host to connect to, default localhost
@@ -158,8 +161,8 @@ ets_test 1.0
 -c <pem>    TLS Client Certificate, default certs/client-cert.pem
 -A <pem>    TLS CA Certificate, default certs/ca-cert.pem
 -K <keyt>   Key Type: SECP256R1, FFDHE_2048, X25519 or X448 (default SECP256R1)
--F <fprint> Fingerprint of ephemeral public key (first 80-bit of pkey hash as hex string)
--C <ctxstr> Context string (used for multiple servers)
+-F <fprint> Fingerprint to find (first 80-bit of pkey hash as hex string)
+-C <name>   Unique key name (used for multiple servers)
 ```
 
 This client also support stress testing options:
@@ -225,8 +228,15 @@ This is a passive way to decrypt TLS traffic including Perfect Forward Secrecy (
 This can be run in a real-time mode capturing ethernet traffic on a port for one or more server interfaces. It can also be run passing a previously captured pcap file.
 
 ```sh
-./examples/middlebox/decrypt -?
-usage: ./decrypt or ./decrypt dumpFile keyServerURL [server] [port] [password]
+$ ./examples/middlebox/decrypt -?
+decrypt 1.1
+usage: ./decrypt or ./decrypt pcapFile keyServerURL [server] [port] [password]
+-?           Help, print this usage
+pcapFile     A previously saved pcap file
+keyServerURL Key Manager URL or private key as PEM (default https://localhost:8119)
+server       The server’s IP address (v4 or v6) (default 127.0.0.1)
+port         The server port to sniff (default 443)
+password     Private Key Password if required
 ```
 
 

configure.ac

@@ -5,7 +5,7 @@
 
 AC_PREREQ(2.59)
 
-AC_INIT([wolfKeyManager],[1.0],[http://www.wolfssl.com])
+AC_INIT([wolfKeyManager],[1.1],[http://www.wolfssl.com])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADERS([wolfkeymgr/config.h])
 AC_CONFIG_MACRO_DIR(m4)
@@ -71,7 +71,7 @@ LT_PREREQ([2.2])
 LT_INIT([disable-static win32-dll])
 
 # Shared library versioning
-WOLFKM_LIBRARY_VERSION=8:0:0
+WOLFKM_LIBRARY_VERSION=9:0:0
 #                      | | |
 #               +------+ | +---+
 #               |        |     |

src/mod_http.c

@@ -165,7 +165,6 @@ static void HttpParseHeader(HttpHeader* headers, word32* headerCount, char* hdrS
 int wolfHttpServer_ParseRequest(HttpReq* req, byte* buf, word32 sz)
 {
     char* sec = (char*)buf, *endline, *last;
-    word32 len = sz;
     word32 itemSz;
 
     if (req == NULL)  {
@@ -185,7 +184,7 @@ int wolfHttpServer_ParseRequest(HttpReq* req, byte* buf, word32 sz)
     }
     req->method = sec;
     itemSz = strlen(sec) + 1; /* include space */
-    sec += itemSz; len -= itemSz;
+    sec += itemSz;
 
     /* Find end of line */
     endline = strstr(sec, kCrlf);
@@ -291,7 +290,6 @@ int wolfHttpServer_EncodeResponse(int rspCode, const char* message,
             bodySz = remain;
         memcpy(out, body, bodySz);
         out += bodySz;
-        remain -= bodySz;
     }
 
     /* calculate total length */
@@ -306,7 +304,6 @@ int wolfHttpServer_EncodeResponse(int rspCode, const char* message,
 int wolfHttpClient_ParseResponse(HttpRsp* rsp, char* buf, word32 sz)
 {
     char* sec = buf, *endline;
-    word32 len = sz;
     word32 itemSz;
 
     if (rsp == NULL)  {
@@ -322,7 +319,7 @@ int wolfHttpClient_ParseResponse(HttpRsp* rsp, char* buf, word32 sz)
     }
     rsp->version = sec;
     itemSz = strlen(sec) + 1; /* include space */
-    sec += itemSz; len -= itemSz;
+    sec += itemSz;
 
     /* HTTP Response Code */
     /* find next space */
@@ -332,7 +329,7 @@ int wolfHttpClient_ParseResponse(HttpRsp* rsp, char* buf, word32 sz)
     }
     rsp->code = atoi(sec);
     itemSz = strlen(sec) + 1; /* include space */
-    sec += itemSz; len -= itemSz;
+    sec += itemSz;
 
     /* HTTP Response Message */
     /* find end of line */

src/mod_vault.c

@@ -184,14 +184,16 @@ int wolfVaultOpen(wolfVaultCtx** ctx, const char* file)
             ret = WOLFKM_BAD_FILE;
         }
 
-        /* read remainder */
-        headSz = ctx_new->header.headerSz-headSz;
-        ret = (int)fread(headPtr, 1, headSz, ctx_new->fd);
-        ret = (ret == headSz) ? 0 : WOLFKM_BAD_FILE;
-
-        vaultSz = wolfVaultGetSize(ctx_new);
-        if (vaultSz > ctx_new->header.headerSz)
-            vaultSz -= ctx_new->header.headerSz;
+        if (ret == 0) {
+            /* read remainder */
+            headSz = ctx_new->header.headerSz-headSz;
+            ret = (int)fread(headPtr, 1, headSz, ctx_new->fd);
+            ret = (ret == headSz) ? 0 : WOLFKM_BAD_FILE;
+
+            vaultSz = wolfVaultGetSize(ctx_new);
+            if (vaultSz > ctx_new->header.headerSz)
+                vaultSz -= ctx_new->header.headerSz;
+        }
         if (ret == 0 && ctx_new->header.vaultSz != vaultSz) {
             XLOG(WOLFKM_LOG_ERROR, "Vault size does not match actual %lu != %lu\n",
                 vaultSz, ctx_new->header.vaultSz);

src/sock_mgr.c

@@ -298,7 +298,10 @@ void ServiceConnFree(SvcConn* conn)
 
     me = conn->me;
 
-    XLOG(WOLFKM_LOG_DEBUG, "Freeing %s Service Connection\n", conn->svc->desc);
+    if (conn->svc) {
+        XLOG(WOLFKM_LOG_DEBUG, "Freeing %s Service Connection\n",
+            conn->svc->desc);
+    }
     DecrementCurrentConnections(conn);
 
     if (conn->svc && conn->svc->closeCb) {

src/svc_ets.c

@@ -625,7 +625,12 @@ static int wolfEtsSvcVaultAuthCb(wolfVaultCtx* ctx, byte* key, word32 keySz,
     if (memcmp(keyEnc, zeroBuffer, keyEncSz) == 0) {
         /* Generate key for encryption */
         ret = wc_RNG_GenerateBlock(&rng, key, keySz);
-
+        if (ret != 0) {
+            XLOG(WOLFKM_LOG_ERROR, "Error %s (%d) generating key\n",
+                wolfKeyMgr_GetError(ret), ret);
+            wc_FreeRng(&rng);
+            return ret;
+        }
         newKey = 1;
     }
 
@@ -677,22 +682,24 @@ static int wolfEtsSvcVaultAuthCb(wolfVaultCtx* ctx, byte* key, word32 keySz,
 
     if (newKey || ret != 0) {
         XLOG(WOLFKM_LOG_WARN, "Vault Auth: Setting up new encryption key\n");
+        ret = 0; /* reset error code */
         if (!newKey) {
             /* Generate key for encryption */
             ret = wc_RNG_GenerateBlock(&rng, key, keySz);
         }
-
-        /* use long term private RSA key to encrypt key */
-        ret = wc_RsaPublicEncrypt(key, keySz, keyEnc, privKeySz, &rsa,
-            &rng);
-        if (ret > 0) {
-            if (ret != (int)privKeySz) {
-                XLOG(WOLFKM_LOG_WARN, "Vault Auth: "
-                    "Encrypted key size %d not expected %d\n", ret, privKeySz);
+        if (ret == 0) {
+            /* use long term private RSA key to encrypt key */
+            ret = wc_RsaPublicEncrypt(key, keySz, keyEnc, privKeySz, &rsa,
+                &rng);
+            if (ret > 0) {
+                if (ret != (int)privKeySz) {
+                    XLOG(WOLFKM_LOG_WARN, "Vault Auth: "
+                        "Encrypted key size %d not expected %d\n", ret, privKeySz);
+                }
+                ret = 0; /* success */
             }
-            ret = 0; /* success */
         }
-        else {
+        if (ret != 0) {
             XLOG(WOLFKM_LOG_ERROR, "Vault Auth: encrypt key error %s (%d)\n",
                 wolfKeyMgr_GetError(ret), ret);
         }

wolfkeymgr/version.h

@@ -27,7 +27,7 @@
 extern "C" {
 #endif
 
-#define LIBWOLFSSL_VERSION_STRING "1.0"
+#define LIBWOLFSSL_VERSION_STRING "1.1"
 #define LIBWOLFSSL_VERSION_HEX @HEX_VERSION@
 
 #ifdef __cplusplus