Job Posting: Embedded Systems Software Engineer

wolfSSL is a growing company looking to add a top notch embedded systems software engineer to our organization. wolfSSL develops, markets and sells the leading Open Source embedded SSL/TLS protocol implementation, wolfSSL. Our users are primarily building devices or applications that need security. Other products include wolfCrypt embedded cryptography engine, wolfMQTT client library, and wolfSSH.

Job Description:

Currently, we are seeking to add a senior level C software engineer with 5-10 years experience interested in a fun company with tremendous upside. Backgrounds that are useful to our team include networking, security, and hardware optimizations. Assembly experience is a plus. Experience with encryption software is a plus. RTOS experience is a plus.  Experience with hardware-based cryptography is a plus.

Operating environments of particular interest to us include Linux, Windows, Embedded Linux and RTOS varieties (VxWorks, QNX, ThreadX, uC/OS, MQX, FreeRTOS, etc). Experience with mobile environments such as Android and iOS is also a plus, but not required.

Location is flexible. For the right candidate, we’re open to this individual working from virtually any location.

How To Apply

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

AES-SIV Added to wolfCrypt

wolfSSL is happy to announce that we’ve recently added support for AES-SIV (synthetic initialization vector). Our implementation is based on the specification in RFC 5297. SIV mode is designed to be resistant to security degradation from accidental nonce reuse. Notably, AES-SIV is a mandatory AEAD algorithm for network time protocol (NTP) servers supporting network time security (NTS), per RFC 8915. We added AES-SIV to support our chrony 4.1 port, which is one of the only major NTP implementations that currently supports NTS.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Math Library Improvements in wolfSSL 5.1.1

Significant improvements to the C-only implementation of Single Precision math for P-256 and P-384 have been made in wolfSSL 5.1.1. Previously the Montgomery reduction implementation was performed generically. This function makes up a significant proportion of the time to perform ECC operations. By adding an optimised implementation the performance of the 32-bit C code improved by up to 80%! The 64-bit C code saw similar improvements.

Also the Aarch64 implementation of P-384 got an optimised version of the Montgomery reduction operation too. This improved its performance by up to 150%!

From fuzz testing, it was found that the implementation finding the square root modulo a prime (used in uncompressing a point) was not handling a value of zero correctly and resulted in the function not returning. This corner case will not occur with valid points. Compressed points are not recommended and disabled by default, but the fix was required to protect against potential attacks.

Bug fixes for the SP general math library were made for 5.1.1. These included fixes to sanity check values passed to sp_gcd (used in but not affecting RSA key generation) and better checking of maximum size of numbers when dividing. Also, when compiling for MIPS 32-bit, some compilers didn’t like the register names ‘$lo’ and ‘$hi’. These have been changed to ‘%lo’ and ‘%hi’ respectively.

The Single Precision code was also fixed around modular exponentiation. When the modulus is even or the exponent is 0 then we now error out. These are not use cases that are hit in normal operation.

A couple of bug fixes were made in the TFM implementation of our math library as well. An improved Montgomery reduction for Intel x86_64 was added in 5.0.0 and fixed to work reliably in this release. Also some out of memory error handling was improved around this same function.

A full list of what was changed can be found in the wolfSSL ChangeLog (https://www.wolfssl.com/docs/wolfssl-changelog/).
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL Support for DO-178 DAL A

wolfSSL is adding support for complete RTCA DO-178C level A certification! wolfSSL will offer DO-178 wolfCrypt as a commercial off -the-shelf (COTS) solution for connected avionics applications. Adherence to DO-178C level A will be supported through the first wolfCrypt COTS DO-178C certification kit release that includes traceable artifacts for the following encryption algorithms:

  • SHA-256 for message digest.
  • AES for encryption and decryption.
  • RSA to sign and verify a message.
  • chacha20_poly1305 for authenticated encryption and decryption.
  • ECC to sign, verify and share secrets.
  • HMAC  for keyed-hashing for message authentication.

The primary goal of this initial release is to provide the proper cryptographic underpinnings for secure boot and secure firmware update in commercial and military avionics. wolfSSL brings trusted, military-grade security to connected commercial and military aircraft. Avionics developers now have a flexible, compact, economical, high-performance COTS solution for quickly delivering enhanced, secure communications that can be readily certified to DO-178. In addition, any of the FIPS 140-2 validated crypto algorithms can be used in DO-178 mode for combined FIPS 140-2/DO-178 consumption. The wolfCrypt cryptography library has been FIPS 140-2 validated (Certificate’s #2425 and #3389). For additional information, contact us at fips@wolfssl.com

Optimization Support

We understand that securely rebooting avionic systems has rigorous performance requirements. As such, we’re here to help with cryptographic performance optimizations through our services organization. 

Release Plan

  • Basic crypto for secure boot and secure firmware updates – Available Now!
  • wolfBoot Secure Boot – Q1, 2022
  • wolfSSL – Q2, 2022
  • wolfDTLS – Q2, 2022

To download and view the most recent version of wolfSSL, the wolfSSL GitHub repository can be cloned from here: https://github.com/wolfssl/wolfssl.git, and the most recent stable release can be downloaded from the wolfSSL download page here: https://www.wolfssl.com/download/.

For more information, please visit the wolfSSL DO-178 product page: https://www.wolfssl.com/wolfssl-support-178-dal/.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Post-Quantum Goodies in wolfSSL 5.1.1: FALCON

This is a quote from a message posted by Dustin Moody of NIST on the NIST PQC Forum at https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/fvnhyQ25jUg :

“Yes - the 3rd round will shortly be ending.  NIST is actively writing the 3rd Round report which will 
explain our rationale for which algorithms we will standardize.   We hope to be able to announce the 
results and report not later than the end of March.”

Dustin Moody, Feb. 9, 2022

So, we can expect some news from NIST in a month or so. With this in mind, we thought this might also be a good time to talk about the FALCON Signature Scheme integration in the wolfSSL v5.1.1 release and some of the other work we have done around post-quantum cryptography.

The FALCON Signature Scheme is a post-quantum algorithm that is a finalist of round 3 of the NIST PQC competition. It shows much promise in that while its artifacts are large and key generation and signing are a bit slower than currently standardized algorithms, signature verification times are much faster which bodes well for IoT and constrained devices.  You can compare the speed in our benchmarking data that can be found in Appendix G of our wolfSSL Manual: https://www.wolfssl.com/documentation/wolfSSL-Manual.pdf

The good news for our customers that want to experiment with FALCON is that it couldn’t be easier! All you need to do is build liboqs, rebuild wolfSSL and add the –with-liboqs flag.  If you built your application to statically link with wolfSSL, you will need to rebuild your application.  If you dynamically link, you do not need to rebuild.  All you have to do now is  swap out your certificates with FALCON certificates!  No code changes are required for your application. You can find instructions and a script for generating a  FALCON certificate chain here: https://github.com/wolfSSL/wolfssl-examples/tree/master/pq

For customers who want to see post-quantum algorithms working in a real world use-case, we have instructions for you to build a quantum-safe apache web server and curl web client. All you need to do is follow the instructions here: https://github.com/wolfSSL/osp/blob/master/apache-httpd/README_post_quantum.md

Finally, just a few words regarding motivation.  Most people understand the harvest and decrypt threat model and thus see the urgency for moving to post-quantum key establishment. However, seeing the motivation for signature schemes might be harder. Suppose you are deploying authentication algorithms on devices that have long lifetimes and are hard to update.  A good example of this might be firmware for industrial machinery or cars.  If the lifetime of your deployment exceeds the time to a cryptographically relevant quantum computer, then you should probably consider experimenting to understand the impact of post-quantum algorithms sooner rather than later.

A full list of what was changed can be found in the wolfSSL ChangeLog (https://www.wolfssl.com/docs/wolfssl-changelog/).
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfCrypt and FIPS 140-3

wolfCrypt has been listed on the CMVP IUT List for FIPS 140-3! We are currently working with our testing lab to get validated as quickly as possible with the new FIPS standard from the NIST. wolfSSL is the first software library on the FIPS 140-3 IUT list for embedded development.

FIPS 140-3 involves a few significant changes, and wolfSSL is prepared to deliver the first and best implementation of FIPS 140-3.

FIPS 140-3 is the replacement for FIPS 140-2, so it is always a good idea to switch over to it as soon as possible. You will also want wolfSSL’s FIPS 140-3 Certificate for reasons including:

– Conditional Algorithm Self-Testing (CAST): Testing Streamlined – only test algorithms when they will be first used, or at will
– Addition of TLS v1.2 KDF (RFC7627) and v1.3 KDF (RFC8446)
– Addition of SSH KDF
– Addition of explicit testing of 3072-bit and 4096-bit RSA
– Addition of RSA-PSS
– Addition of HMAC with SHA-3
– Addition of AES-OFB mode
– Addition of external seeding source callback function for Hash_DRBG
– Removal of insecure algorithms: 3DES and MD5

For more information, please visit our FIPS page here.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Love it? Star wolfSSL on GitHub!

wolfSSL 2021 Annual Report

Last year was an excellent year for wolfSSL! We progressed on all of our critical performance vectors, including technical leadership, top notch support, sales growth and new design wins. The sheer volume of new code that we produced, in conjunction with our new products and design wins, is impressive to say the least. Additionally, we made the migration from a strictly on-prem based testing rig to a hybrid rig. Our new rig harnesses the power of cloud computing, and allows us to even further improve on our testing in order to bring you the best tested TLS. Thank you for reading, and please contact us if there is something that you would like on the wolfSSL roadmap for 2022!

wolfSSL Technical Progress

A total of 5 releases of the wolfSSL embedded TLS library were delivered in 2021, each with bug fixes, enhancements, and new feature additions. Highlights of these releases included:

1. New Hardware and OS Ports

  • Linux Kernel Crypto API (KCAPI) – Allows for offloading of crypto operations to kernel hardware or software.  Support includes AES-CBC, AES-GCM, SHA-2, and HMAC. Also possible to use RSA, DH and ECC with custom kernel modules.
  • Linux Kernel Module build option (–enable-linuxkm), which is also supported with FIPS modes of operation using FIPS compliant integrity checks and conditional algorithm self tests (CASTs). Compliance up to the latest FIPS 140-3.
  • NXP i.MX CAAM – QNX 
  • NXP SE050 
  • IOT-Safe (SIM card PK)
  • Cypress/Infineon PSoc6
  • Renesas RA6M4, RX65N, RX72N, TSIP, SCE Protected Mode (see our new GitHub repository)
  • Fusion RTOS
  • Dolphin Emulator

2. New Software Ports!

  1. Bind DNS 
  2. Cjose 
  3. HaProxy
  4. Kerberos
  5. Libest 
  6. libmobiledevice
  7. Net-SNMP 
  8. NTP 
  9. OpenVPN 
  10. OpenLDAP 
  11. OpenPegasus 
  12. OpenResty 
  13. PyOpenSSL 
  14. Python 
  15. Rsyslog 
  16. sblim-sfcb 
  17. Socat 
  18. Tcpdump 
  19. libSSH2 
  20. Zephyr

3. Updates to Existing Ports

  • STM32: Supported platforms now include G0 and U5
  • Fixes for NXP mmCAU/LTC, Microchip ATECC608, Espressif ESP32, ST STM32 PKA AES-GCM, Renesas RA6M3
  • Updated project ports:
    1. Stunnel 5.57 
    2. Qt 5.15
    3. Apache 2.4.51
    4. Socat 1.7.4.1
    5. lighttpd 1.4.51 
    6. OpenSSH 8.8

4. Operating System Updates

  • WIN32 WinCE wolfCrypt port
  • TI-RTOS port maintenance

5. Compiler and IDE Updates

  • Android
  • STM32
  • GCC Makefile
  • Espressif ESP-IDF
  • INTIME
  • QNX

6. Post Quantum Algorithm Support

  1. Removed legacy QSH and NTRU support.
  2. Added support for FALCON signature schemes in TLS 1.3 (Levels 1, 5)
  3. Added support for KEMs in TLS 1.3 as groups and hybridized groups with NIST ECC Curves: 
    1. SABER (Levels 1, 3, 5)
    2. KYBER (Levels 1, 3, 5) and KYBER 90S  (Levels 1, 3, 5)
    3. NTRU HRSS (Level 3) and HPS  (Levels 1, 3, 5)
  4. Full interoperability of algorithms we implemented against the OQS team’s OpenSSL fork. 
  5. Integrations with Open Source projects allowing use of post-quantum algorithms with the following popular projects: 
    1. Apache
    2. Nginx
    3. Lighttpd
    4. cURL
    5. MariaDB
    6. Stunnel
  6. Joint integration with the OQS team to patch Wireshark, making it aware of and display the new algorithms and their variants.

7. New Hardware Crypto Support

  • IotSAFE support
  • Renesas RA6M4 SCE Protected Mode support
  • Renesas RX65N / RX72N TSIP 1.14 support

8. Improvements to Existing Hardware Crypto Support

  • Fixed DCP port 
  • Fixed Psoc6 SHA512 regressions
  • Fixed broken ECC public key computation in PR in NXP LTC
  • Fix for STM32 PKA ECC point mapping

9. New and Updated Algorithms

  • New Post-Quantum Algorithm support, as mentioned above. 
  • Added ECCSI and SAKKE for Identity-based Encryption.
  • Added support for streaming AES-GCM.
  • Added streaming API for Ed25519 and Ed448.
  • Added ISO 18033 and SEC 1 implementations of ECIES.

10. Algorithm Performance Optimization

  • Improved TFM and SP math implementation of addmod_ct and submod_ct for a 30% improvement in performance of ECC operations.

11. New and Updated Build Options

  • S/MIME support (–enable-smime)
  • –enable-wolfsentry and –with-wolfsentry=
  • –enable-wolftpm
  • –enable-caam
  • –enable-kcapi
  • –enable-eccsi
  • –enable-sakke
  • –enable-wolfclu
  • –enable-curl
  • –enable-reproducible-build
  • –enable-aesgcm-stream
  • –enable-ed25519-stream
  • –enable-ed448-stream
  • –enable-linuxkm-pie
  • –enable-keying-material
  • –enable-iotsafe
  • –enable-iotsafe-hwrng
  • –enable-sp=
    1. smallfast
    2. smallec1024
    3. smallp1024
    4. small1024
    5. ec1024
    6. p1024
    7. 1024
    8. asm
  • –enable-context-extra-user-data
  • –enable-aescbc-length-checks
  • –enable-altcertchains
  • –enable-sblim-sfcb
  • –enable-crypttests-libs
  • –enable-benchmark
  • –enable-aligndata
  • –enable-error-queue-per-thread
  • –with-max-rsa-bits=
  • –with-max-ecc-bits=
  • –with-liboqs=
  • –with-se050=
  • –enable-bind
  • –enable-libssh2
  • –enable-net-snmp
  • –enable-ntp
  • –enable-openresty
  • –enable-rsyslog
  • –enable-smime
  • –enable-tcpdump
  • –enable-krb

12. TLS Additions and Updates

  • Session Ticket (Added AES GCM support)
  • TLS export/import
  • Keying Material Exporters for TLS (RFC 5705)
  • S/MIME (Secure/Multipurpose Internet Mail Extensions)
  • Asynchronous TLS v1.3 TLSX ECC/DH keygen/agree
  • TLS 1.3 Updates
    1. Better Interop
    2. Better Portability
    3. Better Testing
    4. More Cipher Suites
  • Crypto Callbacks extended: Ed/X25519, SHA2-384/512, AES CCM, CMAC
  • TLS v1.3 sniffer / DH Extra / Static Ephemeral
  • LWIP Native Support (IP stack)
  • DTLS
    1. Resend the previous DTLS handshake flight only on a network read timeout (WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT)
    2. Change default DTLS future packet behavior. Messages from “too far into the future” are now accepted.

13. Single Precision Math Updates

  • Significant SP math performance improvements
  • Windows now has assembly code implementation for Intel x86 64-bit that increases performance by 5 to 10 times!
  • C only implementation has had significant improvements that have major impacts on performance. 32-bit code most significantly 25% for 2048-bit operations and 50% and more for larger sizes.
  • Improved performance of ARM Thumb code by 30-40%.
  • On Aarch64, improved performance of P-384 operations by 65-100%.

14. FIPS 140-2 and 140-3 Validation News!

  • FIPS 140-3 support merged, including Linux Kernel Module support
  • 28 140-2 (Cert 3389) OE additions!

15. Testing

  • More continuous integration testing added, including cppcheck static analysis
  • Added support for Google Compute Engine to supplement testing slave farm in CI ecosystem, testing capabilities are now dynamically scalable based on test load and internal developer activity
  • Expanded API testing coverage with OpenSSL compatibility layer additions

16. Examples

  • New Post-Quantum cryptography example.
  • New wolfSSL CAN Bus example.
  • New RIOT-OS example using lwIP POSIX sockets.

17. Additional Product Enhancements

  • Revamped Documentation
    • wolfCLU
    • wolfMQTT
    • wolfSentry
    • wolfSSL
    • wolfTPM
  • wolfMQTT (4 releases)
    • SN feature enhancements
      1. Will Topic update and Will Message update
      2. Publish with QoS-1
      3. Receiving Disconnect Packet while going to sleep
      4. New callback for REGISTER topic ID from gateway when client subscribes to wildcard topics
      5. Handling PINGREQ message from the gateway to client
      6. New example added for QoS level -1 feature
    • HiveMQ Cloud compatibility with SNI feature
    • Huge improvements to multithread and non-blocking features
    • Examples
      1. TLS mutual auth in client examples
      2. Add ability to publish files from example client
  • wolfSSH (3 releases)
    • Easier build with wolfSSL
    • Added remote port forwarding
    • Improved keep alive
    • Small stack option for embedded builds
    • SFTP Support for FATFS
    • Added support of 192 and 256 bit AES keys
    • Improved build options to leave out unwanted algorithms
    • Improved interoperability with other tools
      1. Dropbear
      2. Firezilla
      3. winSCP
    • Support for EWARM
    • MQX IDE build added
  • wolfTPM (4 releases)
    • Added examples for symmetric key generation, NV, remote attestation, make credential, PCR read and GPIO.
    • Support for QNX
    • Example for QEMU with wolfTPM
    • Improved documentation
  • wolfBoot (3 releases)
    • New architectures
      1. ARMv8-M
      2. PowerPC
      3. ARM Cortex-R
    • Measured boot
    • Support for Trustzone-M
    • New memory model
    • RSA4096 using SP
    • WOLFBOOT_SMALL_STACK
    • Delta updates
    • New HAL:
      1. STM32L4
      2. STM32L0x3
      3. STMU575xx
      4. NXP i.MX-RT1060
      5. NXP T2080
      6. TI TMS570LC435
  • wolfSentry (3 releases, all preview/beta)
    • Dev phases 1, 2, 3, completed – static firewall, with action plugins, POC notifications via plugin, and configuration updates at any time.
    • Full configuration loaded from JSON, with streaming load and all-or-none semantics
    • Advanced lock facility complete, with ports for semaphore back ends under POSIX, MacOS-X, and FreeRTOS.  Implements shareable, promotable, timeout-capable, deadlock-safe locks.
    • POC integration with LWIP, under Linux and FreeRTOS, demonstrating filtering at the IP stack level, including filtering by MAC address, filtering of ICMP, and pre-accept filtering.
    • Port to STM32 (FreeRTOS+LWIP)
    • Turnkey integration with libwolfssl via the –enable-wolfsentry option, allowing post-accept filtering of incoming connections, and demonstrating pre-connect filtering of outbound connections, via integrations in the example client and server.
  • wolfEngine (1 release)
    • wolfEngine made public on GitHub and first official release with version 0.9.0.
    • Allows users to achieve FIPS compliance with wolfCrypt FIPS + OpenSSL. Supports all algorithms in wolfSSL’s FIPS certificate (and others):
      1. SHA-1
      2. SHA2 (224, 256, 384, 512)
      3. SHA3 (224, 256, 384, 512)
      4. DES3-CBC
      5. AES w/ 128, 192, and 256 bit keys. ECB, CBC, CTR, GCM, and CCM modes.
      6. DRBG
      7. RSA
      8. DH
      9. ECC. ECDSA, ECDH, EC key generation. Curves P-192, P-224, P-256, P-384, P-521.
      10. HMAC
      11. CMAC
      12. HKDF
      13. PBKDF2
      14. TLS PRF
    • Support for OpenSSL 1.0.2 and 1.1.1.
    • Runs on macOS, Windows, Linux.
    • Integrates seamlessly with anything that uses OpenSSL, including:
      1. OpenSSH
      2. nginx
      3. stunnel
      4. OpenVPN
      5. curl
      6. libssh2
      7. libssh
      8. ntpd
      9. mongoDB
      10. Node.js
      11. radius
      12. radsec
      13. syslog-ng
      14. grpc
      15. dhcpd
      16. dhclient
    • See wolfProvider for OpenSSL 3.0.0 support.
  • wolfProvider (code available on GitHub)
    • wolfProvider made public on GitHub.
    • Allows users of OpenSSL 3.0.0 to achieve FIPS 140-3 Compliance
    • Supports:
      1. AES-GCM/CCM/CTR/CBC/ECB
      2. MD5/SHA-1/SHA2/SHA3/SHAKE256
      3. DRBG
      4. RSA/RSA-PSS
      5. DH
      6. ECDH/ECDSA/EC KeyGen with P-192/P-224/P-256/P-384/P-521
      7. HMAC/CMAC/GMAC
      8. HKDF/PBKDF2/PKCS12 PBKDF2/TLS 1.3 KDF/TLS1 PRF
    • Runs on Linux
  • wolfCLU (1 release)
    • Additional support added for multiple commands:
      1. ecparam
      2. pkey
      3. req
      4. crl
      5. pkcs12 (parsing)
      6. rsa
      7. rand
      8. s_client
      9. dgst
      10. verify
      11. rsa
      12. md5
    • Added in a logging layer and mapping of errors to stderr
    • Increased unit tests with ‘make check’ and include running tests as a pre-commit hook
    • Support for parsing and using basic config files when doing ‘req’ or ‘ca’ operations
    • Enhancements to existing commands:
      1. x509 , -noout and print out of specific parts of certificate
      2. x509 , -days for setting number of days valid
      3. x509 , -pubout to display the public key
      4. More descriptive version print out
      5. PEM output for RSA/ECC key generation
    • Initial integration of FIPS 140-3 use
    • Refactoring of directories and test certificate locations
    • Resolve warnings and issues from using -Wall and static analysis tools
  • wolfSSL JNI/JSSE (2 releases)
    • wolfCrypt FIPS 140-3 and FIPS Ready compatibility
    • JSSE level memory leak fixes, along with earlier internal memory cleanup.
    • Addition of Socket method wrappers for use of wrapped inner Socket objects in WolfSSLSocket
    • Updated Android AOSP support
    • JSSE level fixes for SSLContext, SSLSocket
    • Fixes for static analysis warnings (Infer), exception cases, connection closures, and more.
  • wolfCrypt JNI/JCE (1 release)
    • wolfCrypt FIPS 140-3 and FIPS Ready compatibility
    • Compatibility with wolfSSL “–enable-all” and additional build fixes
  • wolfSSL Python
    • Added OpenSSL compatibility layer. 
    • Updated example certifications.
  • wolfCrypt Python
    • Added signature generation and verification.
    • Now works with FIPS ready.
    • Support for ed448, PEM RSA keys, and more.
  • wolfCrypt DO-178C
    • wolfCrypt 2
      • AES GCM
      • Environment:
        • Ultrazed-EG(on A53), little endian
        • GCC compiler that comes with Xilinx SDK 2017.4
        • Run Azure RTOS ThreadX SMP version 5.8 on the A53 cores
    • wolfCrypt 3
      • SHA-256
      • SHA-384
      • HMAC (SHA-256)
      • HMAC (SHA-384)
      • HASH-DRBG SHA-256
      • AES GCM
      • AES CMAC
      • ECC – P384 (sign/verify/shared secrets)
      • ECC key export
      • X509 cert verify
      • Environment:
        • NXP S32V234 (on A53)
        • Arm Developer Studio version 2019.0-1, with armclang
        • 1120 compiler version 6.12.1

wolfSSL Top 10 Blog Posts/Technical Announcements

  1. wolfSSL Software Development Process
  2. Riding the CAN bus 
  3. wolfSSL Quality Assurance
  4. wolfEngine and OpenSSL Provider Solution Now Public! 
  5. wolfSSL Support for DO-178 DAL A
  6. Sniffing traffic with TLS v1.3
  7. First wolfCrypt DO-178 SOI Audits
  8. wolfSSL NXP SE050 Support 
  9. Integration of the Falcon Signature Scheme into wolfSSL
  10. wolfCrypt FIPS 140-2 on ARM

2021 Webinars

The wolfSSL team hosted and/or participated in a total of 58 webinars this year. Check out our top 5 webinars of the year.

  1. Everything you need to know about FIPS 140-3
  2. wolfEngine : wolfCrypt as an Engine for OpenSSL
  3. Secure Element or TPM : how to include hardware security in your project using wolfSSL and wolfBoot
  4. Secure and Reliable Firmware Updates with wolfBoot
  5. Beyond DO-178: Building Secure Solutions for Future Aviation Systems

We host at least one webinar per week, make sure you are checking out our blog page to find out about our webinars! Check out our youtube page for all of our previous webinars!

wolfSSL Organizational Growth

  • wolfSSL added 9 new team members in 2021. Additions included salespeople, engineers, administrators, and interns.
  • We expanded our customer base considerably, are now securing connections for over 2,000 products, have partner relationships with over 40 vendors, and are securing well over 2 Billion connections on any given day, worldwide.
  • wolfSSL represents one of the largest teams focused on a single implementation of TLS/Crypto worldwide. If you know of anyone who fits the following description, please let us know.

wolfSSL Events and Tradeshows

The wolfSSL team participated in a total of 16 events in 2021! As part of these events we were in 11 cities, 5 US states, and 4 countries! We participated in a total of 6 virtual events and were fortunate to attend 10 in-person events. The events we participated this last year included:

  1. Black Hat Asia
  2. cURL Up
  3. Mobile World Congress
  4. Black Hat 2021
  5. Sea Air Space
  6. ICMC
  7. SIdO Lyon
  8. IoT Tech Expo North America
  9. CyberSatGov
  10. it-sa
  11. Internet of Things World
  12. Aerospace Tech Week (FACE)
  13. NXP Connects (EMEA)
  14. NXP Connects (AMEC)
  15. TU Automotive Detroit (now Automotive Tech Week)
  16. NXP Connects (APAC)

In summary, we had a great year! 2021 was successful on multiple fronts, and we look forward to serving our customers and community with ever more secure and functional software in 2022. 

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Deprecation of FIPS v1

Here at wolfSSL, we have been supporting your FIPS needs for several years now with our FIPS Ready, certificate #2425 and certificate #3389 source bundles.  This support is going to continue with the soon to be granted FIPS 140-3 certificate. With the new certificate coming soon, we thought this might be a good time to do a bit of house cleaning.

As certificate #2425 has been added to the NIST sunset list as of June 2021, we will be removing the FIPS v1 feature from wolfSSL.

Customers who still need this feature are encouraged to move to the upcoming FIPS 140-3 certificate if timelines permit.  However, if customers need a solution in the near term, they can move to certificate #3389 which sunsets in 2024.  

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Top 10 wolfSSL Library Configurations

Here at wolfSSL, we strive to support our customers’ needs for customization and finding the right trade-offs. The following table is a list of the top 10 things you can do with wolfSSL’s configuration flags.

Task Configure Flag(s) Details
Get Ready for Your First FIPS Customer –enable-fips=ready You will need to have a fips-ready bundle which is available as both an open source code bundle or under a proprietary license.
Become DO-178 Compliant –enable-sp-math We have taken ECC in sp_c32.c in the SP-Math Library through DO-178C certification.
Make Your Application Secure from Side-Channel Attacks –enable-sp-math –enable-sp-math-all

CFLAGS=”WOLFSSL_SP_CACHE_RESISTANT”

or

–enable-fastmath –enable-harden 

Our SP-Math Library is always timing resistant and runs private key operations in constant time.  Our Fast Math Library can be made timing resistant by enabling the hardened build.
Reduce Your Stack Usage –enable-smallstack and –enable-smallstackcache Allocating memory on the heap will be favored over the stack.
Reduce Your Heap Usage –enable-static-memory All memory that wolfSSL LIbrary allocates will be on the stack as local variables.
Reduce Your Code Size –enable-sha3=small –enable-aesgcm=small –enable-lowresource

CFLAGS=”-DNO_ERROR_STRINGS -DNO_INLINE -DCURVED25519_SMALL -DUSE_SLOW_SHA” -DUSE_SLOW_SHA256 -DUSE_SLOW_SHA612”

This will come at a cost of algorithm speed and memory usage.
Make a Really Small PSK-Only wolfSSL Library –enable-leanpsk PSK stands for pre-shared key. Approximate build size for wolfSSL on an embedded system with this enabled is 21kB.
Make a Really Small Client-Only wolfSSL Library –enable-leantls This produces a small footprint TLS client that supports TLS 1.2 client only, ECC256, AES128 and SHA256.
Use Only wolfCrypt –enable-cryptonly This enables a wolfCrypt-only build, greatly reducing the size. No TLS, no SSL.
Figure Out What is Going on Under the Hood –enable-debug This will build the wolfSSL Library with debug symbols so you can use your debugger to step through the code as it executes.  Also, if you call wolfSSL_Debugging_ON() lots of debugging messages will be printed to stderr.

 

Note that some of these flags can be combined while others are mutually exclusive. Please feel free to experiment with different combinations.

Want more? You can see a full list of our configuration flags by downloading our latest release and executing the following command:  ./configure –help

Still hungry? You can get detailed documentation about our configuration flags from “Chapter 2: Building wolfSSL” in the wolfSSL  Manual which can be found here: https://www.wolfssl.com/documentation/wolfSSL-Manual.pdf.  Need some expert advice? 

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL provider support for PKCS11

We now support wolfCrypt as a PKCS11 provider for applications to consume. The new wolfPKCS11 library adds a PKCS11 layer on top of the wolfCrypt API’s to enable customers who wish to standardize on an API interface or may already have developed code against PKCS #11.

PKCS #11 is an OASIS standard for “Cryptographic Token Interface Base Specification” (A.K.A Cryptoki). It defines an API interface for communicating with Hardware Security Modules (HSM) to provide cryptography support such as RSA and ECC. It allows enumeration of devices and features using a shared or static library.

A good introduction to PKCS #11 can be found here: 

http://wiki.ncryptoki.com/introduction-to-pkcs-11-specifications.ashx

The source code is in a new GitHub repository here:

https://github.com/wolfSSL/wolfPKCS11

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Posts navigation

1 2 3