Merge pull request #2 from dgarske/changelog

Added ChangeLog in prep for v1.0 tag

Author: anhu

ChangeLog.md

@@ -0,0 +1,116 @@
+# wolfKeyMgr v1.0 (Sep 1, 2021)
+* Support for Curve25519 and Curve448 in key manager.
+* Support for Curve25519 in middle-box decryption.
+* Support for loading all supported ephemeral keys.
+* Refactor common ETSI client test code.
+* Improved middle-box decryption to better handle concurrent keys of different formats.
+* Improved handling for not compiled in cases.
+* Fix for ./configure config summary.
+
+# wolfKeyMgr v0.11 (Aug 4, 2021)
+* Fix to use fingerprint to find keys.
+* Improved the fingerprint calculation code and added hash.
+* Added multiple server support using `contextStr`.
+* Add unit test to `make check`.
+* Improve `src/wolfkeymgr` exit documentation.
+* Added example output for demo to `README.md`.
+
+# wolfKeyMgr v0.10 (Jul 30, 2021)
+* Added secure vault for key storage using RSA and AES GCM.
+* Added support for multiple active key types.
+* Added key find support.
+* Added middlebox decrypt PCAP replay support.
+* Added key max use count to limit uses of an ephemeral key.
+* Added computed "name" based on public key for ETSI key.
+* Added API unit test framework.
+* Added `--enable-vault=clear` option to optionally disable vault encryption.
+* Fix to not start listeners until key/cert/vault setup.
+* Fixed issue with worker threads generating new keys and not using existing ones.
+* Fix for https example server listen error handling.
+* Fixed gets with newline.
+* Fix for middlebox/decrypt default loopback interface selection. Default to first interface (1).
+* Fix for request / response collision. Centralize the max buffer sizes.
+* Moved key gen into ETSI module.
+* Rename `wolfEtsiKeyGet` to `wolfEtsiKeyGetPtr`.
+* Refactor to support multiple active key types.
+* Improved printing of public key name in logs.
+* Improved error for key generation failure.
+* Improve libevent and browser issue documentation.
+* Improve middle-box decryption error handling for permissions issue.
+* Cleanups to remove `WOLFKM_ETSI_SERVICE` and `disableMutalAuth`.
+* Move the ETSI documentation into `docs/README.md`. Remove copies of specs and use links.
+* Cleanup ETSI service configuration and defaults.
+
+# wolfKeyMgr v0.9 (Jun 15, 2021)
+* Added HTTPS server / client for local testing.
+* Added middle-box decryption example (uses the wolfSSL sniffer module).
+* Fixes for HTTP engine parsing.
+* Improve socket select error reporting for timeout vs. error.
+* Added ETSI client push support.
+* Added ability to specify default key type for Key Manager.
+* Added better debug printing for key used.
+
+# wolfKeyMgr v0.8 (May 24, 2021)
+* Added DH key support.
+* Added HTTP support for fingerprints, groups and contextstr.
+* Added ETSI client key argument (`-K`).
+* Fixes for URI encoding.
+* Refactor of service to support more key types.
+* Refactor of internal structure names to leading upper case.
+* Removed the "noTLS" build option.
+
+# wolfKeyMgr v0.7 (May 17, 2021)
+* Fix for HTTP header encode/decode conflict with variable `i`.
+* Fix for HTTP server response parsing with no null termination issue.
+* Added expires data to HTTP response.
+* Added ETSI client GET caching.
+* Added etsi_client `-r` support for GET (test caching).
+
+# wolfKeyMgr v0.6 (May 12, 2021)
+* Fix for ETSI client to properly detect socket error with non-blocking connect.
+* Added EtsiKey struct and modified the wolfEtsiClientGet() API.
+* Implemented some ETSI key helpers.
+* Added stub API's for future push/find with callbacks.
+* Progress with handling key expiration data and other key types.
+
+# wolfKeyMgr v0.5 (May 10, 2021)
+* Fix for missing "make dist" files.
+* Fix possible seg fault if pid creation failed.
+* Fixed issue with forcful close of listen socket causing loop.
+* Added missing files for cert generation.
+* Added fingerprint to push syntax.
+* Added TODO item for key expires.
+* Remove certservice requirement.
+* Cleanup unused `KeyManager_t`.
+* Do not track and ignore options.h.
+* Spelling fixes.
+
+# wolfKeyMgr v0.4 (Mar 1, 2021)
+* Fix for stray `wolfSSL_CTX_free`.
+* Added mutex protection on ETSI client.
+* Added URL decoding to HTTP module.
+* Added SIGPIPE ignore to ETSI client.
+* Added test key/certificate for Apache HTTPD.
+* Added "-r" argument for key manager for the key update interval.
+
+# wolfKeyMgr v0.3 (Feb 24, 2021)
+* Added TLS mutual authentication.
+* Improved logging and flushing of logging on SIGINT/SIGTERM.
+* Added SIGTERM support.
+* Improved README.md example steps.
+* Fixes for libwolfkeymgr headers for shared use.
+* Fix for missing shared library header files. Stop tracking options.h.
+
+# wolfKeyMgr v0.2 (Feb 19, 2021)
+* Fixes for threading.
+* Added libwolfkeymgr for general use API's.
+* Added ETSI client API's.
+* Added full HTTP server/client support.
+* Abstraction of all modules to library for generic socket, TLS, HTTP and ETSI functions.
+* Added non-blocking support for client.
+* Added version header.
+* Improvement to performance.
+
+# wolfKeyMgr v0.1 - Initial version (Feb 15, 2021)
+* Supports ETSI (Enterprise Transport Security) key manager for Get and Push of TLS static ephemeral keys.
+* Supports Certificate Signing (enabled with `--enable-certsvc`) disabled by default.

Makefile.am

@@ -24,6 +24,7 @@ DISTCLEANFILES+= aminclude.am
 
 ACLOCAL_AMFLAGS = -I m4
 EXTRA_DIST += README.md
+EXTRA_DIST += ChangeLog.md
 EXTRA_DIST += LICENSE
 
 include src/include.am

examples/https/client.c

@@ -40,7 +40,7 @@ int https_client_test(int argc, char** argv)
     wolfSSL_Init();
 
     /* log setup */
-    //wolfSSL_Debugging_ON();
+    /* wolfSSL_Debugging_ON(); */
     wolfKeyMgr_SetLogFile(NULL, 0, WOLFKM_LOG_DEBUG);
 
     ctx = wolfTlsClientNew();

examples/https/server.c

@@ -71,7 +71,7 @@ int https_server_test(int argc, char** argv)
     wolfSSL_Init();
 
     /* log setup */
-    //wolfSSL_Debugging_ON();
+    /* wolfSSL_Debugging_ON(); */
     wolfKeyMgr_SetLogFile(NULL, 0, WOLFKM_LOG_DEBUG);
 
     ctx = wolfTlsServerNew();

examples/test_config.c

@@ -42,7 +42,7 @@ int etsi_client_connect(const char* urlStr)
                 ETSI_TEST_CLIENT_CERT, WOLFSSL_FILETYPE_PEM);
 
             if (urlStr) {
-                strncpy(urlStrCopy, urlStr, HTTP_MAX_URI);
+                strncpy(urlStrCopy, urlStr, (HTTP_MAX_URI - 1));
                 memset(&url, 0, sizeof(url));
                 wolfHttpUrlDecode(&url, urlStrCopy);
             }

examples/test_config.h

@@ -35,8 +35,8 @@ extern "C" {
 #define ETSI_TEST_TIMEOUT_MS      2
 #define ETSI_TEST_KEY_TYPE        ETSI_KEY_TYPE_SECP256R1
 
-/* example certificate and key for mutual authentication to key manager */
-/* see ./certs/test-cert.sh for generation and signing */
+/* Example certificate and key for mutual authentication to key manager.
+ * See ./certs/test-cert.sh for generation and signing. */
 #define ETSI_TEST_CLIENT_CA       "certs/ca-cert.pem"
 #define ETSI_TEST_CLIENT_KEY      "certs/client-key.pem"
 #define ETSI_TEST_CLIENT_PASS     "wolfssl"
@@ -48,8 +48,8 @@ extern "C" {
 #define HTTPS_TEST_TIMEOUT_SEC    30
 #define HTTPS_TEST_MAX_DATA       512
 
-/* see ./certs/test-cert.sh for generation and signing */
-/* this is a self signed test cert server presents */
+/* See ./certs/test-cert.sh for generation and signing.
+ * This is a self signed test cert the server can present. */
 #define HTTPS_TEST_CA             "certs/test-cert.pem"
 #define HTTPS_TEST_CERT           "certs/test-cert.pem"
 #define HTTPS_TEST_KEY            "certs/test-key.pem"

src/sock_mgr.c

@@ -164,8 +164,8 @@ static void OurListenerError(struct evconnlistener* listener, void* ptr)
     }
     /* for invalid argument disable listener */
     if (err == EINVAL) {
-        /* this can happen if ss -kill socket is run */
-        /* otherwise causes libevent error callback loop */
+        /* this can happen if ss -kill socket is run,
+         * otherwise causes libevent error callback loop */
         evconnlistener_disable(listener);
     }
 }
@@ -390,7 +390,7 @@ static void WorkerExit(void* arg)
 
     /* put per thread stats into global stats */
     /* do this before closing active connections,
-        so we can see how many were connected */
+     * so we can see how many were connected */
     pthread_mutex_lock(&svc->globalStats.lock);
     svc->globalStats.totalConnections   += threadStats.totalConnections;
     svc->globalStats.completedRequests  += threadStats.completedRequests;

src/svc_etsi.c

@@ -51,10 +51,12 @@ typedef struct EtsiSvcCtx {
 #ifdef WOLFKM_VAULT
     wolfVaultCtx*   vault; /* key vault */
 #endif
+
+    byte shutdown:1; /* signal to shutdown workers */
 } EtsiSvcCtx;
 static EtsiSvcCtx gSvcCtx;
 
-/* the top level service */
+/* The top level service */
 static SvcInfo gEtsiService = {
     .desc = "ETSI",
 
@@ -130,6 +132,14 @@ static int EtsiSvcGenNewKey(EtsiSvcCtx* svcCtx, EtsiKeyType keyType, EtsiKey* ke
     return ret;
 }
 
+static void WakeKeyGenWorker(EtsiSvcCtx* svcCtx)
+{
+    /* signal key generation thread to wake */
+    pthread_mutex_lock(&svcCtx->kgMutex);
+    pthread_cond_signal(&svcCtx->kgCond);
+    pthread_mutex_unlock(&svcCtx->kgMutex);
+}
+
 static int SetupKeyPackage(SvcConn* conn, EtsiSvcCtx* svcCtx)
 {
     int ret = 0, i;
@@ -222,9 +232,7 @@ static int SetupKeyPackage(SvcConn* conn, EtsiSvcCtx* svcCtx)
 
     if (wakeKg) {
         /* signal key generation thread to wake */
-        pthread_mutex_lock(&svcCtx->kgMutex);
-        pthread_cond_signal(&svcCtx->kgCond);
-        pthread_mutex_unlock(&svcCtx->kgMutex);
+        WakeKeyGenWorker(svcCtx);
     }
 
     return ret;
@@ -318,7 +326,7 @@ static void* KeyPushWorker(void* arg)
         pthread_mutex_unlock(&svcCtx->kgMutex);
 
         XLOG(WOLFKM_LOG_DEBUG, "Key Generation Worker Wake %d sec\n", ret);
-    } while (1);
+    } while (!svcCtx->shutdown);
 
     return NULL;
 }
@@ -347,7 +355,7 @@ static int wolfEtsiSvc_DoResponse(SvcConn* conn)
     return ret;
 }
 
-/* the key request handler */
+/* The key request handler */
 int wolfEtsiSvc_DoRequest(SvcConn* conn)
 {
     int ret = 0;
@@ -581,6 +589,10 @@ void wolfEtsiSvc_Cleanup(SvcInfo* svc)
 
         wc_FreeRng(&svcCtx->rng);
 
+        /* signal shutdown and wake worker */
+        svcCtx->shutdown =  1;
+        WakeKeyGenWorker(svcCtx);
+
         pthread_mutex_destroy(&svcCtx->kgMutex);
         pthread_cond_destroy(&svcCtx->kgCond);
 

tests/unit_tests.c

@@ -1,4 +1,4 @@
-/* api.c
+/* unit_tests.c
  *
  * Copyright (C) 2006-2021 wolfSSL Inc.
  *
@@ -62,7 +62,6 @@ static int vault_test(void)
     wolfVaultCtx* ctx = NULL;
     wolfVaultItem item;
     const char* testFile = "vault.bin";
-    //const char* testPass = "password";
     struct vaultTestItems {
         word32 type;
         const char* name;

wolfkeymgr/mod_etsi.h

@@ -124,11 +124,11 @@ typedef struct EtsiKey {
 } EtsiKey;
 
 /* Key callback Function */
-/* if return code is not zero then socket will be closed */
+/* If return code is not zero then socket will be closed */
 typedef int (*EtsiKeyCallbackFunc)(EtsiClientCtx* client, EtsiKey* key, void* cbCtx);
 
 /* ETSI Client API's */
-/* allocate new ETSI client context */
+/* Allocate new ETSI client context */
 WOLFKM_API EtsiClientCtx* wolfEtsiClientNew(void);
 
 /* Setup the TLS mutual authentication key/certificate for accessing the ETSI Key Manager */
@@ -160,8 +160,8 @@ WOLFKM_API int wolfEtsiClientGet(EtsiClientCtx* client, EtsiKey* key,
     EtsiKeyType keyType, const char* fingerprint, const char* contextStr,
     int timeoutSec);
 
-/* this call will be blocking until socket failure or callback non-zero return */
-/* when server pushes new keys the callback will trigger with EtsiKey populated */
+/* This call will be blocking until socket failure or callback non-zero return
+ * when server pushes new keys the callback will trigger with EtsiKey populated */
 WOLFKM_API int wolfEtsiClientPush(EtsiClientCtx* client, EtsiKeyType keyType,
     const char* fingerprint, const char* contextStr,
     EtsiKeyCallbackFunc cb, void* cbCtx);
@@ -178,8 +178,8 @@ WOLFKM_API int wolfEtsiClientClose(EtsiClientCtx* client);
 WOLFKM_API void wolfEtsiClientFree(EtsiClientCtx* client);
 
 /* ETSI Key API's */
-/* allocate ETSI key dynamically from heap */
-/* The EtsiKey can come from stack, but must be memset to zero */
+/* Allocate ETSI key dynamically from heap.
+ * The EtsiKey can come from stack, but must be memset to zero. */
 WOLFKM_API EtsiKey* wolfEtsiKeyNew(void);
 /* Returns the wolf PK type (enum wc_PkType) */
 WOLFKM_API int wolfEtsiKeyGetPkType(EtsiKey* key);
@@ -193,9 +193,9 @@ WOLFKM_API int wolfEtsiKeyLoadSSL(EtsiKey* key, WOLFSSL* ssl);
 WOLFKM_API int wolfEtsiKeyGetPtr(EtsiKey* key, byte** response, word32* responseSz);
 /* Generate a new key */
 WOLFKM_API int wolfEtsiKeyGen(EtsiKey* key, EtsiKeyType keyType, WC_RNG* rng);
-/* print ETSI key data - for debugging / testing */
+/* Print ETSI key data - for debugging / testing */
 WOLFKM_API void wolfEtsiKeyPrint(EtsiKey* key);
-/* release ETSI key resources */
+/* Release ETSI key resources */
 WOLFKM_API void wolfEtsiKeyFree(EtsiKey* key);
 
 WOLFKM_API const char* wolfEtsiKeyNamedGroupStr(EtsiKey* key);
@@ -208,7 +208,8 @@ WOLFKM_API int wolfEtsiCalcTlsFingerprint(EtsiKeyType keyType,
 /* Build public name for key */
 WOLFKM_API int wolfEtsiKeyComputeName(EtsiKey* key);
 
-/* these are required if using multiple threads sharing the wolfSSL library for init mutex protection */
+/* These are required if using multiple threads sharing the wolfSSL library 
+ * for init mutex protection */
 WOLFKM_API int wolfEtsiClientInit(void);
 WOLFKM_API void wolfEtsiClientCleanup(void);