Join Our Live Webinar: Enhanced Security: SM Ciphers Integrated with wolfSSL

Please join us for our informative webinar titled “Enhanced Security: SM Ciphers Integration with wolfSSL,” scheduled for May 23rd at 2 pm PT. This session, led by wolfSSL Senior Software Engineer Sean Parkinson, will cover how the SM ciphers are integrated into wolfSSL and how to use them effectively. Sean will provide in-depth insights into the ShangMi algorithms, highlighting their benefits and applications in various critical systems.

Watch the webinar here: Enhanced Security: SM Ciphers Integration with wolfSSL

As mandated by Chinese government regulations, the use of SM2, SM3, and SM4 is now required in critical systems such as automobiles, avionics, power systems, and communication networks. In response to these requirements and the needs of our multinational clients operating in China, we have integrated these algorithms into our wolfSSL products. Our latest release supports SM2, SM3, and SM4, and we plan to introduce the ZUC stream cipher later this year to fully comply with SM9 standards. We are also working towards achieving OSCCA certification, enhancing our appeal in the Chinese market.

For those considering wolfSSL for your security needs, here are 6 benefits of our ShangMi ciphers implementation:

  1. The SM Ciphers are fully supported in wolfSSL’s TLS 1.3 and DTLS 1.3 implementations.
  2. wolfSSH, wolfBoot and our other products will support ShangMi ciphers.
  3. ARM, Intel, and RISC-V assembly is in the works for our SM implementations for maximum performance.
  4. We support bare metal for SM2, SM3, and SM4.
  5. We have maximized performance and minimized size, so the ShangMi algorithms will work well for embedded systems use cases on a wide variety of microcontrollers (MCUs). They will be available for all of the MCU silicon that we currently support, including STM32, NXP i.MX, RISC-V, Renesas RA, RX, and Synergy, Nordic NRF32, Microchip PIC32, Infineon Aurix, TI MSP, and many others.
  6. Our GPLv2 versions of the SM ciphers are available on GitHub and for download. Commercial licenses are also available.

Don’t miss this opportunity to discover comprehensive security solutions and compliance strategies during our webinar on SM cipher implementations from wolfSSL. Watch now!

As always, the webinar will feature interactive Q&A sessions. If you have any questions about the ShangMi ciphers and algorithms, please contact us at facts@wolfSSL.com, or call us at +1 425 245 8247.

Download wolfSSL Now

Participate Now | curl User Survey 2024

We are excited to announce the opening of the 11th annual curl user survey 2024. As part of our ongoing commitment to enhance your experience and adapt to community needs, we invite all curl and libcurl users to share their invaluable feedback.

Take the Survey

This survey is our primary channel for hearing from curl and libcurl users and understanding their views and preferences, without any tracking, cookies, or advertisements on our website. Your participation helps us keep our user feedback tools privacy-focused, respecting your digital space while gathering essential insights.

Why Your Feedback Matters

Your feedback is crucial. By dedicating a few minutes of your time to our survey, you not only contribute to our knowledge but directly influence the future development of curl and libcurl. The insights from the curl user survey help us identify trends and understand the broader impact of curl on developers.

Community Insights and Trends

By asking similar questions to those of previous years, such as those featured in the curl user survey 2023 analysis, we aim to track changes and emerging trends within our community. This consistency allows us to compare data year over year and better understand how our tools are being used.

This survey will be available from May 14th until the end of May 27th, 2024. We aspire to surpass last year’s participation, where 606 people shared their thoughts. If you know friends or colleagues who use curl or libcurl, encourage them to participate as well. Every response adds value and enhances our community-driven project.

Participate in curl User Survey 2024

We appreciate your continued support and honest opinions. Your feedback not only guides us but is integral to the ongoing success and improvement of curl.

See also:

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

MQTT v5.0 versus v3.1.1

wolfMQTT was updated to support the draft MQTT v5.0 version of the specification in 2018. The specification was finalized in 2019, and wolfSSL has been a proponent of the new version ever since!

  1. Enhanced Session Management:
    • MQTT v3.1.1 only had the Clean Session flag. v5.0 replaces it with Clean Start plus a Session Expiry Interval property, so a client can tell the broker how long to keep its session state after a disconnect and resume seamlessly when the link comes back. This matters where connections are unstable or intermittent.
  2. Extended Message Properties:
    • Version 5.0 adds a properties block to most packets, including User Properties (arbitrary name/value string pairs). These offer richer metadata for messages, enabling more sophisticated routing, filtering, and processing.
  3. Payload Format Indicators:
    • With MQTT v5.0, publishers can flag the payload as unspecified bytes or UTF-8 text (Payload Format Indicator) and name its media type (Content Type), giving subscribers the information they need to handle messages correctly in heterogeneous IoT environments.
  4. Message Expiry Interval:
    • MQTT v5.0 lets publishers attach a Message Expiry Interval in seconds. The broker discards a message that has not been delivered within that time instead of queueing it indefinitely, which improves resource efficiency in constrained IoT networks.
  5. Request/Response Model:
    • Version 5.0 standardizes a request/response pattern through the Response Topic and Correlation Data properties: the requester says where the reply should go and attaches an identifier that is copied into the response. This simplifies device-to-server interactions that previously needed ad hoc conventions.
  6. Flow Control Enhancements:
    • MQTT v5.0 adds Receive Maximum (the number of unacknowledged QoS 1 and QoS 2 messages a side will accept in flight) and Maximum Packet Size, both negotiated in CONNECT and CONNACK. Each side can bound its buffering, which helps prevent congestion and improves stability on small devices.
  7. Topic Alias:
    • In MQTT v5.0, a client can map a long topic name to a small integer alias (up to the Topic Alias Maximum its peer advertised) and send only the alias in later PUBLISH packets, reducing bandwidth usage, especially with long or complex topic names.
  8. Shared Subscriptions:
    • Shared subscriptions ($share/<group>/<filter>) let multiple clients split the messages of a single subscription, with the broker delivering each message to only one member of the group. This distributes the workload across subscribers and improves scalability compared to v3.1.1.
  9. Support for Binary Data:
    • Payloads were already opaque bytes in v3.1.1, but v5.0 adds binary-typed properties (Correlation Data, Authentication Data) alongside the Content Type property, so applications no longer have to encode binary metadata into the payload or topic themselves.
  10. Authentication Enhancements:
    • Version 5.0 adds an AUTH packet with Authentication Method and Authentication Data properties, enabling multi-step challenge/response mechanisms (the specification gives SCRAM and Kerberos as examples) and re-authentication on a live connection. CONNACK and DISCONNECT also carry reason codes and reason strings, so an authentication failure is reported precisely rather than with a generic refusal.

wolfMQTT has excellent examples that demonstrate the capabilities of MQTT v5.0:

  • Property handling callback for incoming messages
  • During connect:
    • LWT delay
    • Request problem info
    • Max packet size
  • During subscribe:
    • Subscription identifier
  • During publish:
    • Payload format indicator
    • Topic alias
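Every feature in the lists above is carried in the v5.0 properties block, which did not exist in v3.1.1. The following codec is an added example, not wolfMQTT’s own code (wolfMQTT is written in C): it encodes and parses that block and a complete PUBLISH packet, so you can see exactly what Payload Format Indicator, Topic Alias, Correlation Data and the rest look like on the wire. Property identifiers and wire types follow the OASIS MQTT 5.0 specification; the topic, payload and property values are constructed sample data.

```python
"""MQTT v5.0 property block and PUBLISH packet codec. Added example, not wolfMQTT
code; property ids/types follow the OASIS MQTT 5.0 spec, sample values are constructed."""
import struct

PROPERTY_TYPES = {  # property id -> wire type (subset used by the wolfMQTT examples above)
    0x01: "byte",    # Payload Format Indicator (0 = unspecified bytes, 1 = UTF-8)
    0x02: "u32",     # Message Expiry Interval (seconds)
    0x08: "utf8",    # Response Topic
    0x09: "binary",  # Correlation Data
    0x0B: "vbi",     # Subscription Identifier
    0x17: "byte",    # Request Problem Information
    0x18: "u32",     # Will Delay Interval
    0x23: "u16",     # Topic Alias
    0x26: "pair",    # User Property (name, value)
    0x27: "u32",     # Maximum Packet Size
}

def encode_vbi(n):
    """Variable Byte Integer: 7 data bits per byte, high bit set = more bytes follow."""
    out = bytearray()
    while True:
        n, byte = divmod(n, 128)
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_vbi(buf, off):
    value, mult = 0, 1
    for i in range(4):                        # spec allows at most four bytes
        b = buf[off + i]                      # IndexError on a truncated buffer
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, off + i + 1
        mult *= 128
    raise ValueError("malformed VBI")

_lp = lambda data: struct.pack("!H", len(data)) + data   # 2-byte length prefix
def _read_lp(buf, off):
    (n,) = struct.unpack_from("!H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated length-prefixed field")
    return buf[off + 2:off + 2 + n], off + 2 + n
def _utf8(buf, off):
    raw, off = _read_lp(buf, off)
    return raw.decode("utf-8"), off
def _pair(buf, off):
    name, off = _utf8(buf, off)
    value, off = _utf8(buf, off)
    return (name, value), off

ENCODERS = {"byte": lambda v: struct.pack("!B", v), "u16": lambda v: struct.pack("!H", v),
            "u32": lambda v: struct.pack("!I", v), "vbi": encode_vbi, "binary": _lp,
            "utf8": lambda v: _lp(v.encode("utf-8")),
            "pair": lambda v: _lp(v[0].encode("utf-8")) + _lp(v[1].encode("utf-8"))}
DECODERS = {"byte": lambda b, o: (b[o], o + 1),
            "u16": lambda b, o: (struct.unpack_from("!H", b, o)[0], o + 2),
            "u32": lambda b, o: (struct.unpack_from("!I", b, o)[0], o + 4),
            "vbi": decode_vbi, "utf8": _utf8, "binary": _read_lp, "pair": _pair}

def encode_properties(props):
    body = b"".join(bytes([pid]) + ENCODERS[PROPERTY_TYPES[pid]](val) for pid, val in props)
    return encode_vbi(len(body)) + body       # the block starts with its own VBI length

def decode_properties(buf, off):
    length, off = decode_vbi(buf, off)
    end = off + length
    if end > len(buf):
        raise ValueError("property length exceeds packet")
    props = []
    while off < end:
        pid, off = buf[off], off + 1
        if pid not in PROPERTY_TYPES:         # unknown id is a protocol error in v5
            raise ValueError(f"unknown property id 0x{pid:02x}")
        val, off = DECODERS[PROPERTY_TYPES[pid]](buf, off)
        props.append((pid, val))
    if off != end:
        raise ValueError("property block overrun")
    return props, off

def build_publish(topic, payload, props=(), qos=0, packet_id=0, retain=False):
    """PUBLISH = fixed header | topic | [packet id if QoS > 0] | properties | payload."""
    var = _lp(topic.encode("utf-8"))          # empty topic is legal with a Topic Alias
    if qos:
        var += struct.pack("!H", packet_id)
    var += encode_properties(props) + payload
    first = 0x30 | (qos << 1) | int(retain)   # packet type 3 in the high nibble, DUP = 0
    return bytes([first]) + encode_vbi(len(var)) + var

def parse_publish(pkt):
    if pkt[0] >> 4 != 3:
        raise ValueError("not a PUBLISH")
    qos = (pkt[0] >> 1) & 0x03
    remaining, off = decode_vbi(pkt, 1)
    if off + remaining != len(pkt):
        raise ValueError("remaining length mismatch")
    topic, off = _utf8(pkt, off)
    packet_id = None
    if qos:
        packet_id, off = DECODERS["u16"](pkt, off)
    props, off = decode_properties(pkt, off)
    return {"topic": topic, "qos": qos, "packet_id": packet_id,
            "properties": props, "payload": pkt[off:]}
```

`build_publish("sensors/t1", b'{"c":21}', [(0x01, 1), (0x23, 7)], qos=1, packet_id=10)` yields 0x32 as the first byte and a property block that begins 0x05 0x01 0x01 0x23 0x00 0x07 (length, then Payload Format Indicator = 1, then Topic Alias = 7). `parse_publish` reverses it and refuses packets whose Remaining Length or property length does not match the bytes actually received, the kind of check a broker or client must make before trusting any field.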

As the MQTT specification continues to evolve, wolfSSL will stay on top of the latest improvements. Want to try out MQTT v5.0? You’ll need a broker that supports MQTT v5.0. You can find a list of brokers that we tested.

You can run the wolfMQTT client examples after building the code from here.

While you’re there, show us some love and give the wolfMQTT project a Star!


wolfSSL now supported on PlatformIO

The best encryption libraries are now available on the PlatformIO environment!

At wolfSSL, we continue to embrace rapid prototyping environments, including Arduino, Visual Studio, and now PlatformIO for VS Code, among other IDE applications.

There are hundreds of boards supported by PlatformIO on numerous frameworks and platforms.

We are providing two different Official wolfSSL libraries: standard and another specifically for Arduino:

There are also two different versions: the stable release versions (above) and these staging updates, with the latest post-release changes.

The stable release versions will generally follow our standard release cycle. The initial 5.7.0 versions include post-stable-release updates needed for the initial PlatformIO support.

See the PlatformIO documentation for Getting Started with PlatformIO.

For Windows users using pio from command line:


set PATH=%PATH%;C:\Users\%USERNAME%\.platformio\penv\Scripts\
pio --help
pio account show

Our initial release has full support for Espressif ESP32 boards, but other boards should work with just a few modifications to the wolfSSL user_settings.h file. See the example configs:

https://github.com/wolfSSL/wolfssl/tree/master/examples/configs

Here’s an example platformio.ini file for the ESP32:


[env:esp32dev]
platform = espressif32
board = esp32dev
framework = espidf
upload_port = COM82
monitor_port = COM82
monitor_speed = 115200
; build_flags are space-separated; a comma would be passed to the compiler as part of the macro name
build_flags = -DWOLFSSL_USER_SETTINGS -DWOLFSSL_ESP32
monitor_filters = direct
lib_deps = wolfssl/wolfSSL@^5.7.0-rev.3b

See also: Espressif Systems Leverages PlatformIO Labs Next-Gen Technology for its Software Products.

Is your device working on the PlatformIO environment with wolfSSL? Send us a message and let us help you get started: support@wolfSSL.com or open an issue on GitHub.

Get Started with wolfSSL

Additional information on getting Started with wolfSSL on the Espressif environment is available on the wolfSSL GitHub repository as well as this YouTube recording:

There’s also a must-see 2024 Roadmap to review all the exciting new features:

Find out more


What is the difference between AES and ECC?

AES (Advanced Encryption Standard) and ECC (Elliptic Curve Cryptography) are both cryptographic algorithms used for securing data, but they operate in different ways and serve different purposes:

AES (Advanced Encryption Standard)

  • AES is a symmetric block cipher, meaning the same key is used for both encryption and decryption.
  • It operates on 128-bit blocks of data and is commonly used for encrypting large amounts of data, such as files, network traffic, or entire hard drives.
  • AES is widely adopted and considered secure at all three standard key lengths (128, 192, or 256 bits); the key length, not the block size, sets the security level.
  • Code Size: The code size for implementing AES depends on factors such as the programming language, optimization techniques used, and the desired features (e.g., support for different key lengths or modes).
    • In optimized implementations, the core AES algorithm (encryption and decryption) can be relatively compact. Implementations in low-level languages like C or assembly language are often more efficient in terms of code size.
    • Additional features such as key expansion, modes of operation (e.g., CBC or GCM; ECB should be avoided because identical plaintext blocks produce identical ciphertext blocks), and padding schemes increase the overall code size.
  • Memory Footprint: The memory footprint of AES implementations varies with the key length, the mode of operation, and the specific operations being performed.
    • Memory requirements typically include space for the expanded round keys, the input plaintext/ciphertext blocks, and intermediate values during computation.
    • For embedded systems or devices with limited resources, memory optimization techniques such as minimizing the number of lookup tables, or computing S-box values on the fly instead of storing large tables, can be employed to reduce memory usage.

ECC (Elliptic Curve Cryptography)

  • ECC is a family of asymmetric (public-key) algorithms, meaning each party holds a key pair: a public key that can be shared and a private key that must stay secret. In signing, for example, the signature is produced with the private key and verified with the public key.
  • It is based on the mathematics of elliptic curves over finite fields.
  • ECC is particularly well-suited for scenarios where computational resources are limited, such as mobile devices or IoT devices, as it offers security equivalent to RSA with much shorter keys (a 256-bit curve gives roughly the 128-bit security level of RSA-3072), resulting in faster computations and less memory usage. That being said, ECC keys are still larger than AES keys of equivalent strength: 256-bit ECC pairs with 128-bit AES.
  • ECC is used for key agreement (ECDH, including the ephemeral ECDHE used in TLS) and for digital signatures (ECDSA, EdDSA); it is rarely used to encrypt bulk data directly.
  • Code Size: Implementing ECC requires additional mathematical operations compared to AES, particularly multi-precision field arithmetic and elliptic curve point operations. However, optimized libraries are available that provide efficient ECC implementations.
    • Code size can vary depending on factors such as the choice of elliptic curve parameters, the underlying arithmetic field, and the desired level of optimization.
    • Libraries such as wolfSSL or OpenSSL provide ECC functionality and can be integrated into applications with relatively modest code size overhead.
  • Memory Footprint: ECC implementations typically require memory for storing various parameters, including public/private keys, intermediate values during computation, and precomputed tables for performance optimization.
    • Memory usage depends on factors such as the key size, the chosen elliptic curve, and the specific operations being performed (e.g., key generation, point multiplication).
    • ECC implementations optimized for memory-constrained environments often use techniques such as point compression (storing only the x-coordinate plus one sign bit) to shrink stored and transmitted public keys, and simple non-windowed point multiplication to avoid precomputed tables.

In summary, AES is used for symmetric encryption of large amounts of data, while ECC is used for signing/verification and key exchange, particularly in resource constrained environments. In practice the two are combined: a TLS handshake uses ECDHE and ECDSA to agree on and authenticate a session key, and AES then protects the application data with that key.


wolfCrypt JCE Provider and JNI Wrapper 1.6.0 Now Available

wolfCrypt JNI/JCE 1.6.0 is now available for download!

wolfCrypt JNI/JCE provides Java-based applications with an easy way to use the native wolfCrypt cryptography library. The thin JNI wrapper can be used for direct JNI calls into native wolfCrypt, or the JCE provider (wolfJCE) can be registered as a Java Security provider for seamless integration underneath the Java Security API. wolfCrypt JNI/JCE also supports running on top of wolfCrypt FIPS 140-2 and the upcoming wolfCrypt 140-3 modules for easy conformance to FIPS cryptography requirements in your Java-based application or service.

Release 1.6.0 contains a significant number of bug fixes, changes, and new features to help better support application usage of the Java Security APIs as well as 3rd party Java frameworks that consume JCE providers internally. This release adds new JCE class implementations, new algorithm modes, Windows support, and improves automated testing with GitHub Actions across several Java JDK implementations and versions.

New functionality added in this release is summarized below, but please see ChangeLog.md for a full list that includes all changes and fixes.

New Functionality

New JCE Functionality:

  • Add RSA support to KeyPairGenerator class (PR 49)
  • Add AES/CBC/PKCS5Padding support to Cipher class (PR 51)
  • Add RSA support to Cipher class (PR 51)
  • Add PKIX implementation of CertPathValidator class (PR 60, 66)
  • Add SHA1 alias for MessageDigest SHA-1 for interop compatibility (PR 61)
  • Add AES/GCM/NoPadding support to Cipher class (PR 62)
  • Add SecretKeyFactory implementation supporting PBKDF2 (PR 70)
  • Add DEFAULT support to SecureRandom class (PR 72)

New JNI Wrapped APIs and Functionality:

  • Add AES-GCM support to com.wolfssl.wolfcrypt.AesGcm class (PR 62)

New Platform Support:

Build System Changes:

  • Support custom wolfSSL library prefix and name in makefile.linux (PR 45)
  • Standardize JNI library name on OSX to .dylib (PR 54)
  • Update Maven build support (PR 55)

Testing Changes:

  • Add extended threading test for WolfCryptRandom class (PR 44)
  • Add Facebook Infer test script, make fixes (PR 48, 63)
  • Add GitHub Actions tests for Oracle/Zulu/Corretto/Temurin/Microsoft JDKs on Linux and OS X (PR 65)

wolfCrypt JNI/JCE 1.6.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfSSL JNI/JSSE User Manual can be found here. For any questions, or to get help using wolfSSL in your product or projects, contact us at support@wolfSSL.com.


Elevate Your Cybersecurity Skills: Master wolfSSL, DTLS 1.3, and FIPS with Comprehensive Training Videos

In today’s fast-paced world, staying ahead of the curve isn’t just advantageous—it’s essential. Continuous learning is key to personal and professional growth. At wolfSSL, we recognize this need, which is why we host webinars featuring tailored training courses for various skill levels. Our software engineers guide you through the fundamentals to advanced features, empowering you to master wolfSSL, DTLS 1.3, and wolfCrypt FIPS.

wolfSSL 2 Parts Training

Elevate your cybersecurity expertise with wolfSSL. Join wolfSSL Engineering Manager Chris Conlon for comprehensive sessions tailored to both novices and seasoned professionals. Gain invaluable insights into cybersecurity, covering topics such as network security protocols, SSL/TLS protocol and basic library usage, debugging wolfSSL, DTLS usage, wolfSSL PSK usage, and much more. Buckle up and master cybersecurity with wolfSSL training.

DTLS 1.3 Training

This session is your gateway to mastering DTLS 1.3, a groundbreaking protocol adopted by wolfSSL. As pioneers in TLS technology, wolfSSL takes pride in being the first library to implement DTLS 1.3. Join us for the DTLS 1.3 training session led by wolfSSL Software Developer, Marco, to delve into fundamental concepts of DTLS and engage in hands-on exploration of DTLS in UDP applications using wolfSSL DTLS 1.3. Take advantage of this opportunity to deepen your understanding and expertise in DTLS technology.

FIPS Training

Our FIPS Training offers an exciting opportunity to deepen your understanding of FIPS and gain valuable insights into its implementation. As leaders in embedded FIPS certificates, wolfSSL provides unparalleled expertise. Senior Software Engineer Kaleb Himes will guide you through public resources for the FIPS module, the security policy, locating and using the user guide or cryptographic officer manual, and best security practices at the application level. Expand your knowledge and familiarity with FIPS through this exclusive opportunity.

Getting Started Series

In addition to our training videos, we also offer the ‘Getting Started’ series. Each video serves as a manual, providing step-by-step guidance to make your experience seamless and efficient. Explore our comprehensive instructional video series:

Embark on your learning journey with wolfSSL webinar recordings. Watch our training videos to enhance your skills. If you encounter technical questions along the way, wolfSSL is here to assist you. Reach out to us at support@wolfSSL.com.


Join Our Live Webinar: Benchmarks with wolfSSL

Get excited for the upcoming webinar on ‘Benchmarks with wolfSSL,’ scheduled for May 16th at 10am PT. Led by wolfSSL Senior Software Engineer Jacob Barthelmeh, this session is set to be a deep dive into SSL/TLS performance optimization techniques.

During the webinar, Jacob will demonstrate how the wolfSSL embedded SSL/TLS library excels in various hardware devices and environments, providing detailed insights into cryptographic performance analysis.

Watch the webinar here: Benchmarks with wolfSSL

Sneak peek into the webinar agenda:

  • Analyzing Performance History in Cryptography
  • Evaluating Cryptographic Performance with the Crypto Benchmark Application
  • Leveraging Hardware Acceleration for Enhanced SSL/TLS Performance
  • Exploring Asynchronous/Code Wrapper Benchmarks for Optimization
  • …and much more

*Agenda is subject to change

Don’t miss this exclusive opportunity to learn directly from Jacob about leveraging wolfSSL benchmarks to deepen your understanding of cryptographic performance. Watch now and embark on this enlightening journey with us!

As always, our webinar includes Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


wolfSSL JSSE Provider and JNI Wrapper 1.13.0 Now Available

wolfSSL JNI/JSSE 1.13.0 is now available for download!

wolfSSL JNI/JSSE provides Java-based applications with an easy way to use the native wolfSSL SSL/TLS library. The thin JNI wrapper can be used for direct JNI calls into native wolfSSL, or the JSSE provider (wolfJSSE) can be registered as a Java Security provider for seamless integration underneath the Java Security API. wolfSSL JNI/JSSE provides TLS 1.3 support and can also support running on top of wolfCrypt FIPS 140-2 and the upcoming wolfCrypt 140-3 modules.

Release 1.13.0 contains a significant number of bug fixes, changes, and new features to help better support application usage of the Java Security APIs as well as 3rd party Java frameworks that consume JSSE providers internally. This release also improves behavior when used in multi threaded applications and use cases, and improves automated testing with GitHub actions across several Java JDK implementations and versions.

New functionality

New functionality added in this release is summarized below, but please see ChangeLog.md for a full list that includes all changes and fixes.

New JSSE Functionality:

  • Add SSLSocket.getApplicationProtocol(), which returns the negotiated ALPN protocol of a TLS connection (PR 150)
  • Add native WOLFSSL_TRUST_PEER_CERT support in WolfSSLTrustX509 (PR 154)
  • Add implementation of javax.net.ssl.X509ExtendedTrustManager, which adds hostname checking inside the TrustManager (PR 159)
  • Add getSSLParameters() to SSLEngine and SSLSocket, allowing applications to retrieve the SSLParameters objects set (PR 159)
  • Add getHandshakeSession() to SSLSocket, returning the SSLSession being constructed during the TLS handshake (PR 159)
  • Convert SSLSession to ExtendedSSLSession, adding getRequestedServerNames() to return a list of all SNIServerNames of the requested SNI extension (PR 159)
  • Add ALPN API support to SSLSocket and SSLEngine with tests (PR 163)
  • Add implementation of X509ExtendedKeyManager (PR 167)
  • New JSSE System/Security Property Support:
    • Add partial support for jdk.tls.disabledAlgorithms Security property, allowing algorithms and key sizes to be limited (PR 136)
    • Add support for wolfjsse.enabledCipherSuites Security property, enabling locking down of TLS cipher suites allowed (PR 136)
    • Add support for wolfjsse.enabledSignatureAlgorithms Security property, enabling locking down of the TLS signature algorithms allowed (PR 136)
    • Add support for wolfjsse.enabledSupportedCurves Security property, enabling locking down of the TLS supported ECC curves allowed (PR 143)

New JNI Wrapped APIs and Functionality:

  • wolfSSL_CTX_SetTmpDH() and wolfSSL_CTX_SetTmpDH_file() (PR 136)
  • wolfSSL_CTX_SetMinDh/Rsa/EccKey_Sz() (PR 136)
  • wolfSSL_set1_sigalgs_list() (PR 136)
  • wolfSSL_CTX_UseSupportedCurve() (PR 158)
  • wolfSSL_X509_check_host() and wolfSSL_SNI_GetRequest() (PR 159)
  • wolfSSL_CTX_set_groups() and wolfTLSv1_3_client/server_method() (PR 164)
  • SSL_CTX_set1_sigalgs_list() (PR 169)
  • wolfSSL_set_tls13_secret_cb(), add ability to set Java callback (PR 181)
  • Add X.509v3 certificate generation support in WolfSSLCertificate and examples (PR 141)
  • Add Certificate Signing Request (CSR) support and examples (PR 146)

New Platform Support:

Build System Changes:

  • Add JAVA_HOME support in java.sh for use with custom Java install (PR 121)
  • New argument to java.sh for custom wolfSSL library name to be used (PR 126)
  • Add lib64 directory to library search path in java.sh (PR 130)
  • Standardize JNI library name on OSX to .dylib (PR 152)
  • Add Maven build support (PR 153)
  • Update Android Studio example project (PR 185)

Debugging Changes:

  • Add WolfSSLDebug.logHex() for printing byte arrays as hex (PR 129)
  • Add synchronization and Thread ID to debug log messages (PR 129)
  • Add new debug System property wolfsslengine.io.debug for I/O debug logs (PR 137)
  • Add timestamp to debug logs (PR 148)
  • Fix for enabling JSSE debug logs after WolfSSLProvider has been registered (PR 166)
  • Make native wolfSSL debug log format consistent with wolfJSSE logs (PR 166)

Testing Changes:

  • Add Facebook Infer test script, make fixes (PR 127, 182)
  • Add extended threading test of SSLEngine (PR 124)
  • Testing with and fixes from SonarQube static analyzer (PR 131)
  • Add extended threading test of SSLSocket (PR 149)
  • Testing with and fixes for running SunJSSE tests on wolfJSSE (PR 170, 174)
  • Add GitHub Actions tests for Oracle/Zulu/Corretto/Temurin/Microsoft JDKs on Linux and OS X (PR 176)

wolfSSL JNI/JSSE 1.13.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfSSL JNI/JSSE User Manual can be found here. For any questions, or to get help using wolfSSL in your product or projects, contact us at support@wolfSSL.com.


Vulnerability Disclosure: wolfSSH (CVE-2024-2873)

Affected Users:

Anyone using wolfSSH server versions prior to release v1.4.17.

Summary:

It is possible for a malicious client to bypass user authentication when logging into a wolfSSH server. The wolfSSH server was not rigorous about checking the current state of the connection (whether key exchange and user authentication had completed) when handling channel open messages, so a client could send a channel open request before it had authenticated.

wolfSSH’s example echoserver and the wolfSSHd server will not allow one to obtain a shell as root or any other user. By skipping the user authentication, the user’s login name won’t be set, and the server will error out because it cannot find the user’s home directory. At this point, the server has allocated some memory resources for a channel, but then releases them immediately.

Due to the way wolfSSH server handles incoming connections, forwarding requires an active shell connection to work. If user authentication is skipped, the server will terminate the connection with an error before allowing any forwarding.

This message-processing issue is in the library. The application using the library is responsible for checking that the username is set and that the credentials were verified before granting access; an application that does not make those checks could give access to the system without user authentication.

Recommendation:

Prompt update to wolfSSH v1.4.17. This version rejects out-of-sequence channel messages before user authentication has completed and rejects user authentication messages after user authentication is complete.
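To make the fix concrete, here is a toy Python model of the bug class, added as an example and not taken from wolfSSH’s source: one dispatcher processes whatever message type arrives, the other checks the connection state before touching the message. The message numbers are the real ones from RFC 4250; the state names, handlers, the `check_credentials` callback and the message sequences are hypothetical, constructed simplifications.

```python
"""Toy SSH server message gate, vulnerable vs hardened. Added example, not wolfSSH
code: message numbers are from RFC 4250; the states, handlers and credential
check are hypothetical simplifications that model the bug class in CVE-2024-2873."""
from enum import Enum, auto

SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90

class State(Enum):
    KEX = auto()        # key exchange in progress
    SERVICE = auto()    # keys installed, waiting for SERVICE_REQUEST "ssh-userauth"
    AUTH = auto()       # user authentication in progress
    CONNECTED = auto()  # authenticated; channel messages are now legitimate
    CLOSED = auto()     # disconnected after a protocol violation

class Connection:
    def __init__(self, check_credentials):
        self.state, self.username, self.channels = State.KEX, None, []
        self.check_credentials = check_credentials   # hypothetical application callback

    def on_kexinit(self, msg):
        return "kex-started"

    def on_newkeys(self, msg):
        self.state = State.SERVICE
        return "keys-installed"

    def on_service_request(self, msg):
        self.state = State.AUTH
        return "service-accepted"

    def on_userauth(self, msg):
        if not self.check_credentials(msg["user"], msg["secret"]):
            return "auth-failure"
        self.username, self.state = msg["user"], State.CONNECTED
        return "auth-success"

    def on_channel_open(self, msg):
        # The library allocates the channel here; username may still be None.
        self.channels.append({"user": self.username, "type": msg["type"]})
        return "channel-opened"

HANDLERS = {
    SSH_MSG_KEXINIT: Connection.on_kexinit,
    SSH_MSG_NEWKEYS: Connection.on_newkeys,
    SSH_MSG_SERVICE_REQUEST: Connection.on_service_request,
    SSH_MSG_USERAUTH_REQUEST: Connection.on_userauth,
    SSH_MSG_CHANNEL_OPEN: Connection.on_channel_open,
}

def vulnerable_dispatch(conn, num, msg):
    """Dispatches on message number alone: a CHANNEL_OPEN sent before (or instead of)
    USERAUTH_REQUEST is processed, so a channel exists for an unauthenticated peer."""
    handler = HANDLERS.get(num)
    return handler(conn, msg) if handler else "unimplemented"

# Which message numbers each state may receive. USERAUTH_REQUEST is deliberately
# absent from CONNECTED, matching the second check described for v1.4.17.
ALLOWED = {
    State.KEX: {SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS},
    State.SERVICE: {SSH_MSG_SERVICE_REQUEST},
    State.AUTH: {SSH_MSG_USERAUTH_REQUEST},
    State.CONNECTED: {SSH_MSG_CHANNEL_OPEN},
    State.CLOSED: set(),
}

def hardened_dispatch(conn, num, msg):
    """Checks the connection state before touching the message; anything
    out of sequence ends the session instead of being processed."""
    if num not in ALLOWED[conn.state]:
        reason = f"disconnect: message {num} not allowed in {conn.state.name}"
        conn.state = State.CLOSED
        return reason
    return HANDLERS[num](conn, msg)

def run(dispatch, messages, check_credentials=lambda user, secret: secret == "correct-horse"):
    """Feeds a constructed message sequence through a dispatcher; returns (conn, log)."""
    conn = Connection(check_credentials)
    return conn, [dispatch(conn, num, msg) for num, msg in messages]

# Constructed sequences: a client that skips authentication, and a legitimate login.
BYPASS = [(SSH_MSG_KEXINIT, {}), (SSH_MSG_NEWKEYS, {}),
          (SSH_MSG_CHANNEL_OPEN, {"type": "session"})]
LEGIT = [(SSH_MSG_KEXINIT, {}), (SSH_MSG_NEWKEYS, {}),
         (SSH_MSG_SERVICE_REQUEST, {"service": "ssh-userauth"}),
         (SSH_MSG_USERAUTH_REQUEST, {"user": "alice", "secret": "correct-horse"}),
         (SSH_MSG_CHANNEL_OPEN, {"type": "session"})]

if __name__ == "__main__":
    for name, dispatch in (("vulnerable", vulnerable_dispatch), ("hardened", hardened_dispatch)):
        conn, log = run(dispatch, BYPASS)
        print(f"{name}: {log[-1]}; channels={conn.channels}")
```

Fed the constructed BYPASS sequence (key exchange, then CHANNEL_OPEN with no USERAUTH_REQUEST), `vulnerable_dispatch` returns "channel-opened" with the username still None, which is the situation described above where only the application’s own check of the login name stands between the client and a shell. `hardened_dispatch` disconnects before any channel is allocated, and it also disconnects a second USERAUTH_REQUEST arriving after authentication, mirroring the two checks added in v1.4.17.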

Additional Details:

The patch fixing this issue can be viewed at the links:
