Everything you wanted to know about how wolfSSL support handles vulnerability reports, but were afraid to ask

Sometimes the consumers of the wolfSSL Embedded TLS library are curious about our internal process for handling vulnerability reports.  The first thing our users need to know is that wolfSSL takes every vulnerability report seriously!  We currently maintain a mean time to verification of about 1.5 hours.  Our mean time to achieve a fix is about 12 hours.  As most of our readers know, not all CVE’s are created equally, so our fixes can take anywhere from 24 minutes to 24 hours.

The final statistic we can share is one that we are particularly proud of:  Our mean time between a report and a release over the last 3 years is 38 hours!  We believe this is an industry leading number, and one that we will strive to maintain and even improve!

Break-down of wolfSSL vulnerability response procedures:

#1 – (45 – 120 minutes)

– Support staff de-prioritizes all support to confirm vulnerability exists

– Support staff makes any necessary modifications to provided test code to make it build out-of-the-box for engineering team

– Support staff creates README for engineering team to be able to re-produce in 10 minutes or less

– As soon as validated and tests streamlined alert is sent to engineering team along with report and test case

#2 – (20 minutes – 1 day)

– Engineering team fixes the issue and opens a pull request

– Multiple engineers review fix

#3 – (1 hour)

– Jenkins automated integration server tests fix

#4 – (1 hour)

– Senior Engineer reviews Jenkins results and suggested fix

#5 – (N/A)

– repeat steps #2 – #4 as necessary

#6 – (N/A)

– Fix is merged

#7 (1 day)

– Release process started

– New GPL licensed release posted to website

– Commercial Releases sent to customers

wolfSSL Microchip MLA Support

In addition to ongoing support for MPLAB Harmony,  wolfSSL has updated its support for Microchip Libraries for Applications (MLA). Using wolfSSL`s embedded SSL/TLS libraries we created an MLA TCP/IP demo using the PIC32 Ethernet Starter Kit, which enables SMTP and HTTPS over SSL/TLS. For access to this demo contact us today at facts@wolfssl.com.

If you are using Microchip’s MLA on any of the supported platforms (PIC16, PIC18, PIC24, dsPIC33, or PIC32) and looking for an embedded TLS solution, or have questions, please contact our support team at support@wolfssl.com, we would be more than happy to support your efforts!

References:

MLA Support: https://www.wolfssl.com/wolfSSL/wolfssl-pic32.html
Supported Platforms: http://www.microchip.com/mplab/microchip-libraries-for-applications

wolfSSL Hardware Crypto Support for TIVA-C

@wolfSSL has been collaborating with @TXInstruments for some time to provide ongoing hardware encryption support for your #IoT projects! Hardware support for the following algorithms is available in the #wolfSSL #embedded #TLS #SSL library when building with #TIRTOS for the #TivaC(PDF) micro controller.

AES
CCM
DES3
MD5
SHA
SHA-224
SHA-256

For instructions on building wolfSSL on TIRTOS, the following guide is very useful! Also included in the guide are details on setting up a TLS example server!
https://github.com/wolfSSL/wolfssl-examples/blob/master/tirtos_ccs_examples/README.md

For any other questions or info please contact support@wolfssl.com or facts@wolfssl.com

wolfSSL Hardware Crypto Support for TIVA-C

@wolfSSL has been collaborating with @TXInstruments for some time to provide ongoing hardware encryption support for your #IoT projects! Hardware support for the following algorithms is available in the #wolfSSL #embedded #TLS #SSL library when building with #TIRTOS for the #TivaC micro controller.

AES

CCM

DES3

MD5

SHA

SHA-224

SHA-256

For instructions on building wolfSSL on TIRTOS, the following guide is very useful!  Also included in the guide are details on setting up a TLS example server!

https://github.com/wolfSSL/wolfssl-examples/blob/master/tirtos_ccs_examples/README.md

For any other questions or info please contact support@wolfssl.com or facts@wolfssl.com

Using wolfSSL on the Atmel ATECC508A

The wolfSSL embedded SSL/TLS library and wolfCrypt embedded crypto engine have been integrated into the Atmel ATECC508A crypto element, adding support for ECC hardware acceleration and protected private key storage on the ATECC508A.
Using wolfSSL, ATECC508A users can benefit from both increased ECC performance and secure key storage, thus hardening their TLS connections.  The wolfCrypt ATECC508A port adds:

+ wolfCrypt support for ECC hardware acceleration using the ATECC508A.  The new defines for this port are WOLFSSL_ATMEL and WOLFSSL_ATECC508A
+ New public key callback for Pre Master Secret

For more complete details please visit the wolfSSL Atmel webpage. The code can be downloaded directly from wolfSSL’s “More Downloads” page, with the title “Atmel_ATECC508_Demos.zip”.

wolfSSL is dual licensed under both the GPLv2 as well as a standard commercial license.  For licensing information, please see the wolfSSL License Page, or contact us facts@wolfssl.com or call us at (425) 245-8247

wolfSSL 2016 Annual Report

Each year we like to document, review, and reflect on our progress, the details of which are below.  As most of our consumers know, we’ve been diligent in the squashing of bugs, our testing, and the addition of features.

We made a world of progress in 2016, but these accomplishments stand out:

1. We’ve continued to make significant enhancements to our unrivaled cryptography test rig,
2. We’ve added support for a number of secure enclaves, and
3. We added to our already long list of hardware assisted cryptography methods, and finally,
4. We’ve added a number of new environments and algo’s to our FIPS-140 certificate.
5. We also crossed over to securing over 2 Billion connections

All in all, we’re pretty happy with what we’ve done!

Now let’s look forward into 2017!  You can expect us to release a string of TLS 1.3 based enhancements.  Our TLS 1.3 client is currently in alpha, and will make progress quickly.  Shout out and many thanks to the IETF TLS WG for making systematic progress on the new protocol.

You can also expect us to make a lot of progress on supporting additional secure enclaves.  They are now a fundamental requirement for professional IoT designs.  The same is true for the server side of the connection, where clunky HSM’s will be replaced by Intel’s SGX.

See below for all of the engaging details!

wolfSSL Technical Progress

A total of five wolfSSL releases were delivered in 2016, each with bug fixes, enhancements, and new feature additions.  Highlights of these releases included:

1. New Algorithm Support:
a. AES-CMAC (RFC 4493)
b. SHA-224 (RFC 3874)
c. Scrypt (RFC 7914)
d. AES Key Wrap (RFC 3394)
e. ANSI-X9.63 KDF (Key Derivation Function)
2. New Hardware Crypto Support:
a. ARMv8
b. Intel SGX
c. Intel RDSEED and AES-NI enhancements
d. NXP LTC
e. Updated STMicroelectronics STM32 support
3. ECC Improvements:
a. ECC performance enhancements
b. ECC Custom Curve support
c. SECP, Koblitz, and Brainpool curve support
4. Additional PKCS Support:
a. PKCS#12 certificate processing
b. Updated PKCS#7 and CMS support
5. Language Bindings:
a. Python Wrapper
b. C# Wrapper
1. Asynchronous wolfCrypt and TLS Client Support
7. Enhanced DTLS Support:
a. DTLS over SCTP
b. DTLS session export
8. wolfSSL SSL/TLS Layer Improvements
a. TLS Extended Master Secret
b. New static memory only build option
c. Dynamic session tickets
d. LeanTLS build option
e. CTX level RNG for single-threaded builds
f. OCSP improvements
g. New Cipher Suites
i. ECDHE-ECDSA-AES128-CCM
ii. ECDHE-PSK suites
iii. PSK-CHACHA20-POLY1305 suites
h. Expanded unit and algorithm testing
9. wolfCrypt Improvements
a. Support for Whitewood netRandom library
b. Expanded benchmark support
c. RSA OAEP Padding Support
d. ChaCha20-Poly1305 Update

wolfSSL Porting Progress

1. New Operating System Support
a. RIOT
b. Frosted
c. uTasker
d. embOS
2. Compiler and Framework Support:
a. Updated Visual Studio support
b. Updated MDK5 projects
c. MinGW Compatibility Updates
d. Updated NXP KSDK support
e. Updated LPCXpresso example project
3. Board Support:
a. STMicroelectronics STM32CubeMX support
b. Microchip/Atmel ATECC508A support
c. NXP K82 support
d. Nordic nRF51 support
e. Arduino support update and example client
4. Distro and Community Support:
a. Better OS distro support (–enable-distro)
b. Updated wolfSSL MySQL Support
c. Inclusion in Ubuntu!

wolfSSL Events and Tradeshows

The wolfSSL team participated in a total of 20 events in 2016, including:

1. FOSDEM (Brussels, Belgium)
2. Embedded World (Nuremberg, Germany)
3. RSA USA (San Francisco, CA)
4. ESC Boston (Boston, MA)
5. NXP FTF (Austin, TX)
6. Microchip MASTERS (Phoenix, AZ)
7. IoT Devcon (Santa Clara, CA)
8. Sensors Expo (San Jose, CA)
9. Black Hat (Las Vegas, NV)
10. Intel Developer Forum (San Francisco, CA)
11. ENOVA (Paris, France)
12. ESC Minneapolis (Minneapolis, MN)
13. Sensors Midwest (Rosemont, IL)
14. ST Developers Conference (Santa Clara, CA)
15. IoT Korea (Seoul, South Korea)
16. IoT Japan (Tokyo, Japan)
17. ARM TechCon (Santa Clara, CA)
18. Hackaday Superconference (Pasadena, CA)
19. Embedded Technology Conference (Yokohama, Japan)
20. ICMC (Ottawa, Ontario, Canada)

In summary, we had a great year!  2016 was successful for us on multiple fronts, and we look forward to serving our customers and community with ever more secure and functional software in 2017!  As always, your feedback is welcome at facts@wolfssl.com!