wolfSSH Release v1.4.13

wolfSSL Inc is proud to announce an important incremental update to wolfSSH: v1.4.13!

In this release, we fix a severe user authentication bug in wolfSSHd. It is highly recommended that anyone using wolfSSHd upgrade to this version immediately (see Vulnerabilities in the change log below).

We have added an STM32Cube Expansion Pack for building in that environment. The daemonization and test coverage of wolfSSHd have been improved. We also improved support for transferring large files with SFTP. We also have a testbed for checking wolfSSH with LwIP using both FreeRTOS and Linux.

The release information from the change log is reposted below:

wolfSSH v1.4.13 (Apr 3, 2023)

New Feature Additions and Improvements

  • Improvement to forking the wolfSSHd daemon.
  • Added an STM32Cube Expansion pack. See the file _ide/STM32CUBE/README.md_ for more information. (https://www.wolfssl.com/files/ide/I-CUBE-wolfSSH.pack)
  • Improved test coverage for wolfSSHd.
  • X.509 style private key support.

Fixes

  • Fixed shadow password checking in wolfSSHd.
  • Building cleanups: warnings, types, 32-bit.
  • SFTP fixes for large files.
  • Testing and fixes with SFTP and LwIP.

Vulnerabilities

  • wolfSSHd would allow users without passwords to log in with any password. This is fixed as of this version. The return value of crypt() was not correctly checked. This issue was introduced in v1.4.11 and only affects wolfSSHd when using the default authentication callback provided with wolfSSHd. Anyone using wolfSSHd should upgrade to v1.4.13.
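The class of defect described above, as an added example that is not wolfSSHd's code: a password check in which a failed crypt() call (NULL return) and an empty or locked shadow field all end in denial. `check_shadow_password`, `toy_crypt` and the deny-on-empty policy are assumptions made for illustration; pass the real `crypt` where the stand-in is used.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as POSIX crypt(); injected so this runs without libcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

/* Constructed stand-in for crypt(): returns NULL for a setting it cannot parse. */
char *toy_crypt(const char *key, const char *setting)
{
    static char out[32];
    unsigned long h = 2166136261UL;      /* FNV-1a: illustration only, not a password hash */
    if (strncmp(setting, "$toy$", 5) != 0) return NULL;
    for (; *key; key++)
        h = ((h ^ (unsigned char)*key) * 16777619UL) & 0xffffffffUL;
    snprintf(out, sizeof out, "$toy$%08lx", h);
    return out;
}

/* Compare without stopping at the first differing byte. */
static int hash_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 only on a positive match; every failure path denies. */
int check_shadow_password(const char *stored, const char *candidate, crypt_fn do_crypt)
{
    const char *computed;
    if (stored == NULL || candidate == NULL) return 0;
    /* Empty field: no password set. '!' or '*': locked. Example policy: deny both. */
    if (stored[0] == '\0' || stored[0] == '!' || stored[0] == '*')
        return 0;
    computed = do_crypt(candidate, stored);   /* stored hash doubles as the setting */
    if (computed == NULL) return 0;           /* a crypt() failure is never a match */
    return hash_equal(computed, stored);
}

int main(void)
{
    char stored[32];
    strcpy(stored, toy_crypt("correct horse", "$toy$"));
    printf("match=%d empty-field=%d\n", check_shadow_password(stored, "correct horse", toy_crypt),
           check_shadow_password("", "anything", toy_crypt));
    return 0;
}
```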

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL Release Version 5.6.0

wolfSSL release version 5.6.0 is available now! A couple of things to note with this release: the new and improved ASN parsing and generation code is now enabled by default. Additionally, we have the upcoming deprecation of --enable-heapmath, which is scheduled to be removed by 2024.

This release also saw the addition of DTLS 1.3 stateless ClientHello parsing support. Not only are we leading the pack with adoption of DTLS 1.3, but we are also adding features such as the stateless ClientHello support. Some other additions of note were: the port to RT1170 and use of CAAM, the update to Stunnel version 5.67, RX64/RX71 hardware acceleration support, and expansion of the compatibility layer.

Improvements to continuous integration testing and some refactoring of our testing framework were done during the last release cycle. To stay the best tested crypto on the market, we are constantly trying to improve the testing that we do. This release also had some nice fixes.

A full list of the changes can be found in the ChangeLog.md file bundled with wolfSSL. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL and wpa_supplicant FIPS

What is the difference in modes with wpa_supplicant using wolfSSL FIPS vs non FIPS? Some of the algorithms are restricted when using CONFIG_FIPS=y while building wpa_supplicant. This is not a limitation in wpa_supplicant or in wolfSSL, but is due to restrictions and guidelines put in place for FIPS. To help avoid using algorithms that have not been sanctioned for use with FIPS, the build removes MD5/MD4 along with DES. Removal of these algorithms limits the modes supported.

Another restriction seen with FIPS is that the key passed into HMAC must be 14 bytes or longer. This can cause issues with hunting-and-pecking mode unless passwords are known to always be long enough. To avoid the limitation on HMAC key size, hash-to-element (sae_pwe=1) can be used instead.

| wpa_supplicant mode | Supported by wolfSSL (not FIPS) | Supported by wolfSSL (FIPS) | Test ran |
|---|---|---|---|
| EAP-TLS | Yes | Yes | eap_proto_tls |
| EAP-PEAP/MSCHAPv2 | Yes | No | ap_wpa_eap_peap_eap_mschapv2, ap_wpa2_eap_peap_eap_mschapv2 |
| EAP-PEAP/TLS | Yes | Yes | ap_wpa2_eap_peap_eap_tls |
| EAP-PEAP/GTC | Yes | Yes | ap_wpa2_eap_peap_eap_gtc |
| EAP-PEAP/OTP | Yes | Yes | eap_proto_otp |
| EAP-TTLS/EAP-MD5-Challenge | Yes | No | ap_wpa2_eap_ttls_eap_md5 |
| EAP-TTLS/EAP-GTC | Yes | Yes | ap_wpa2_eap_ttls_eap_gtc |
| EAP-TTLS/EAP-MSCHAPv2 | Yes | No | ap_wpa2_eap_ttls_mschapv2 |
| EAP-TTLS/MSCHAP | Yes | No | ap_wpa2_eap_ttls_mschap |
| EAP-TTLS/PAP | Yes | Yes | ap_wpa2_eap_ttls_pap |
| EAP-TTLS/CHAP | Yes | No | ap_wpa2_eap_ttls_chap |
| EAP-SIM | Yes | Yes | eap_proto_sim |
| EAP-AKA | Yes | Yes | eap_proto_aka |
| EAP-PSK | Yes | Yes | eap_proto_psk |
| EAP-PAX | Yes | Yes | eap_proto_pax |
| LEAP | Yes | No | eap_proto_leap |


Cybersecurity in Person! Protect the sky with Daniele Lacamera and wolfSSL at Aerospace TechWeek Europe

Listen to us talk in person!

We will be at Aerospace TechWeek Europe in Munich on 29th-30th March 2023.

Senior Software Engineer Daniele Lacamera will be giving a fantastic presentation in the Tech Workshops, on the expo floor, titled “Cybersecurity attacks in avionics: countermeasures and mitigations”. Listen to Daniele introduce a range of potential risks related to digital and physical attacks targeting avionic systems, and illustrate the best strategies and technical countermeasures to mitigate and/or prevent these attacks.

Feel free to stop by our booth at Stand 815 to talk to our security experts including the man of the hour Daniele Lacamera, as well as our Business Directors Wolfram Kusterer and Martin Engstrom.

If you’re new to wolfSSL, here’s how we can help you secure all of your aerospace assets:

  • wolfSSL new features
  • wolfSSL with TLS 1.3, and DTLS 1.3
  • wolfCrypt with FIPS 140-3 support
  • wolfCrypt as an engine for OpenSSL
  • MISRA-C versions of wolfCrypt
  • DO-178 cert kits for wolfCrypt
  • wolfBoot Secure Bootloader
  • wolfSSL MQTT-SN and the latest version
  • wolfTPM
  • wolfSSH
  • cURL and tinycURL


Secure the Skies and Space with wolfSSL at Satellite 2023

Be our guest at Satellite 2023 with a FREE Exhibit Hall Pass!

Come talk to the wolfSSL team at booth #1440, March 13-16 in Washington D.C!

We would love to talk with you about:

  • wolfSSL new features
  • wolfSSL with TLS 1.3, and DTLS 1.3
  • wolfCrypt with FIPS 140-3 support
  • wolfCrypt as an engine for OpenSSL
  • MISRA-C versions of wolfCrypt
  • DO-178 cert kits for wolfCrypt
  • wolfBoot Secure Bootloader
  • wolfSSL MQTT-SN and the latest version
  • wolfTPM
  • wolfSSH
  • cURL and tinycURL

We are also FIPS compatible! Learn more here: https://www.wolfssl.com/wolfssl-fips-ready-8/

The wolfSSL discounted registration code is: WOL1440

This code entitles your guests to a FREE Exhibit Hall Pass or $350 off conference passes with the link: https://satellite23.nvytes.co/sat23lp/WOL1440.html

Satellite 2023 will be an amazing opportunity to be a part of the revolutionary introduction of technology and satellites to countless industries. The demand and functionalities of satellites are constantly expanding and this event is an amazing opportunity to explore these possibilities. This event is an amazing way to have personal face-to-face interactions with individuals you may never meet otherwise and provides countless ways to expand your network.

To learn more about the tradeshow, visit: https://www.satshow.com/


Espressif and wolfSSL at Embedded World

Embedded World Nuremberg is this month! We’ll be there talking about security, encryption and everything in between. Stop by and say hello! We’ll be giving away plenty of awesome wolfSSL swag and we’d love to hear about your project.

One of the platforms we fully support is of course the ubiquitous Espressif ESP32. We have dedicated staff focusing exclusively on the ESP32 to make our encryption libraries easy to get started and easy to implement in your project.  

Our recent updates to the Core Espressif Examples are now “no install”: simply clone wolfssl and run the projects in the IDE/Espressif/ESP-IDF examples directory. We also have more examples in the wolfssl-examples repository and some Espressif SSH Server examples, too.

The examples can be used on any platform: Windows, Mac, Linux. For Windows users, we also have VisualGDB project files. For Espressif chipsets without a built-in JTAG, the projects are pre-configured to use the open source Tigard JTAG adapter.

All of the Espressif chipsets are supported. Both Xtensa and RISC-V: including the ESP32 classic, as well as the ESP32-C3, ESP32-S3, and more.

We welcome everyone from the largest corporate environments to the student hobbyists. We’re FIPS certified and ready to provide a serious, commercial grade, open source encryption solution.

wolfSSL will be at booth 4-610, with Business Directors Wolfram Kusterer and Martin Engstrom as well as our Senior Software Engineers David Garske and Juliusz Sosinowicz on the ground to answer all your embedded security questions. Plus, our full sales team will be on standby in the virtual booth to talk to you! Email facts@wolfSSL.com if you’d like to book a meeting ahead of the event. 

If you’re new to wolfSSL, here’s how we can help you win big in the embedded industry and beyond:

  • wolfSSL is up to 20x smaller than OpenSSL 
  • First commercial implementation of TLS 1.3, with TLS 1.3 Sniffer
  • One of the first in FIPS 140-3 
  • Best tested, most secure, fastest crypto on the market with incomparable certifications and highly customizable modularity 
  • Access to 24×7 support from a real team of Engineers 
  • Support for the newest standards (including TLS 1.2, TLS 1.3, DTLS 1.2, and DTLS 1.3) 
  • Multi-platform, dual-licensed, royalty free, with an OpenSSL compatibility API to ease porting into existing applications which have previously used the OpenSSL package 
  • Full product suite including MQTT with support up to v5.0, Secure Boot, wolfSentry IDPS, SSHv2 server, TPM 2.0 portable project, Java wrappers and JSSE support, plus commercial curl support at the enterprise level. 


Love it? Star wolfSSL on GitHub.


wolfSSL ADA/Spark language bindings

Exciting news in wolfSSL language bindings: we are currently exploring the possibility of adding bindings for the Ada and Spark languages!

Ada is a programming language known for its explicitness, strong typing, and abundance of compile-time checks. It is widely used in safety-critical and high-integrity software. Spark, on the other hand, is a smaller subset of Ada that offers the invaluable ability to formally prove the correctness of your software.

We believe that wolfSSL bindings would be immensely valuable to the Ada and Spark communities. These bindings would provide a production-ready, robust, and well-tested TLS stack that supports the latest protocols (TLS 1.3/DTLS 1.3). Additionally, it would open the door to obtaining FIPS 140-3 and DO-178C certifications for Ada and Spark applications that use TLS for their encrypted communications, or that want to use our wolfCrypt implementation for their cryptographic operations, such as encrypting data at rest.

As wolfSSL already supports post-quantum TLS 1.3 and DTLS 1.3, these bindings would also naturally allow you to make your Ada and SPARK applications quantum-safe.

Are you interested in an Ada/Spark wrapper? If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSH Coming Attractions: Algorithm Updates

It’s been a while since wolfSSH had any new algorithms. I think it is time we had more. wolfCrypt supports a few algorithms wolfSSH doesn’t take advantage of.

For encryption and message authentication, wolfCrypt has Poly1305 and CHACHA20 available. There is not a published RFC for using “poly-chacha” with the SSH protocol, but OpenSSH has its own implementation of this algorithm. wolfSSH shall be able to interoperate with it.

To sign your user authentication or prove the identity of your server, you will be able to use SHA2-256 and SHA2-512 hashing with your RSA keys. We shall add the algorithms rsa-sha2-256 and rsa-sha2-512 described in RFC 8332.

RFC 8709 describes how to use Ed25519 and Ed448 public key signature algorithms with the SSH protocol. wolfCrypt supports these algorithms. wolfSSH should and will as well.

In the area of key exchange, we are bringing wolfSSH into the present by adding KEX algorithms using SHA2-256 and SHA2-512 per RFC 8268. Oakley group 14 is a set of 2048-bit DH group parameters, and can be used with SHA2-256 hashing. The RFC describes how to use larger groups using SHA2-512.

The key exchange algorithms x25519 and x448 will be available along with a taste of the future using a key exchange hybrid with Kyber, the post-quantum key exchange standard.

What is getting left behind?

Network security is an ever evolving landscape. Things change constantly. While we develop new, faster, better algorithms, some of the existing algorithms get broken or brittle and need to be let go.

The digest algorithm SHA1 has been sunset. Since the SSH protocol pairs SHA1 with other algorithms, they are going to be removed as well. Say good-bye to ssh-rsa signing of the server’s KEX public key message and allowing users to authenticate using SHA1 signatures.

SSH uses ECDHE and DHE for key exchange. While ECDHE uses SHA2-256 or better, DHE uses SHA1 with Oakley groups 1 and 14, and Oakley group 1 is only 1024-bit. In this day and age, 1024 bits isn’t good enough and SHA1 shouldn’t be used anymore. The algorithms diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 will be removed.
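To find peers that still offer the names listed for removal, the following added example (not wolfSSH code) walks the first two name-lists of an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1 and counts the SHA-1 based names. It goes beyond the post by parsing the wire format; `kexinit_legacy_count`, the sample payload and the name `curve25519-sha256` in it are assumptions or constructed data.

```c
#include <stdint.h>
#include <string.h>

/* SHA-1 based names the post says wolfSSH will drop. */
static const char *const LEGACY[] = {"ssh-rsa", "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"};

/* Constructed sample: message type 20, a 16-byte cookie, then only the first two
 * name-lists (kex_algorithms, server_host_key_algorithms); later fields omitted. */
static const uint8_t SAMPLE[] =
    "\x14" "0000000000000000"
    "\x00\x00\x00\x2d" "curve25519-sha256,diffie-hellman-group14-sha1"
    "\x00\x00\x00\x14" "rsa-sha2-256,ssh-rsa";

/* Count legacy names in one comma-separated name-list of len bytes. */
static int count_legacy(const uint8_t *s, uint32_t len)
{
    int hits = 0;
    uint32_t start = 0, i, k;
    for (i = 0; i <= len; i++) {
        if (i < len && s[i] != ',') continue;          /* still inside a name */
        for (k = 0; k < sizeof LEGACY / sizeof LEGACY[0]; k++)
            if (strlen(LEGACY[k]) == i - start && memcmp(s + start, LEGACY[k], i - start) == 0)
                hits++;
        start = i + 1;
    }
    return hits;
}

/* Scan the first two name-lists of an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1).
 * Returns the number of legacy names, or -1 if the payload is malformed. */
int kexinit_legacy_count(const uint8_t *p, size_t n)
{
    size_t off = 17;                         /* 1-byte message type + 16-byte cookie */
    int total = 0, list;
    if (n < off || p[0] != 20) return -1;    /* 20 = SSH_MSG_KEXINIT */
    for (list = 0; list < 2; list++) {
        uint32_t len;
        if (n - off < 4) return -1;
        len = ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) |
              ((uint32_t)p[off + 2] << 8) | p[off + 3];
        off += 4;
        if (len > n - off) return -1;        /* length must fit in what was received */
        total += count_legacy(p + off, len);
        off += len;
    }
    return total;
}

int main(void) { return kexinit_legacy_count(SAMPLE, sizeof SAMPLE - 1) == 2 ? 0 : 1; }
```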

wolfSSH is lovingly crafted by wolfSSL Inc in the Pacific Northwest. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSH Coming Attractions: Privilege Separation

Bet you didn’t know that wolfSSH has its own stand-alone server application for use on POSIX systems, wolfSSHd. It’ll load OpenSSH-style configuration files and will look up users on the local system. It also uses wolfSSH’s built-in SFTP service. It doesn’t have privilege separation.

In 2023 we are planning on adding privilege separation to wolfSSHd when built for POSIX systems. This will not be available in embedded builds as they don’t typically have the concept of multiple users; everything runs in privileged mode.

A method for privilege separation was published in the paper “Preventing Privilege Escalation” by Provos et al. The general idea is to separate your server application into two applications. One runs as a privileged user and handles things like signing blobs of data, providing pseudo random numbers, and authenticating users. The other runs as an unprivileged user and runs the shell and monitors the socket. The two applications communicate using IPC of some form, like shared memory and pipes.
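The split described above, as an added example that is not wolfSSHd code and not its planned design: a privileged monitor and an unprivileged worker joined by a socketpair, where only the monitor decides whether authentication succeeded. The function names, the fixed-size message, the constructed credential and uid/gid 65534 are assumptions.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

struct auth_req { char user[32]; char pass[64]; };     /* fixed-size IPC message */

/* Privileged monitor: reads one request and makes the authentication decision. */
static int monitor_answer(int fd)
{
    struct auth_req req; char ok;
    if (read(fd, &req, sizeof req) != (ssize_t)sizeof req) return 0;  /* worker died */
    req.user[sizeof req.user - 1] = req.pass[sizeof req.pass - 1] = '\0';
    /* Constructed credential; a real monitor would query the system user database. */
    ok = strcmp(req.user, "alice") == 0 && strcmp(req.pass, "correct horse") == 0;
    return write(fd, &ok, 1) == 1 ? ok : 0;
}

/* Unprivileged worker: handles untrusted input and can only ask the monitor. */
static int worker(int fd, const char *user, const char *pass)
{
    struct auth_req req = {{0}, {0}}; char ok = 0;
    strncpy(req.user, user, sizeof req.user - 1);
    strncpy(req.pass, pass, sizeof req.pass - 1);
    if (write(fd, &req, sizeof req) != (ssize_t)sizeof req || read(fd, &ok, 1) != 1) return 2;
    return ok ? 0 : 1;           /* a real worker would now start or refuse the session */
}

/* Returns the monitor's decision: 1 authenticated, 0 denied, -1 setup error. */
int privsep_authenticate(const char *user, const char *pass)
{
    int sv[2], decision;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if ((pid = fork()) < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);
        /* Drop root first; 65534 ("nobody") is an assumed id. A full drop also clears groups. */
        if (getuid() == 0 && (setgid(65534) != 0 || setuid(65534) != 0)) _exit(2);
        _exit(worker(sv[1], user, pass));
    }
    close(sv[1]);
    decision = monitor_answer(sv[0]);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return decision;
}

int main(void) { return privsep_authenticate("alice", "correct horse") == 1 ? 0 : 1; }
```

The worker's exit status is ignored on purpose: the monitor's own answer is the result, so a compromised worker cannot claim success.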

wolfSSH is lovingly crafted by wolfSSL Inc in the Pacific Northwest. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

What are the Advantages of wolfTPM?

At wolfSSL, we have been developing a TPM stack with customers for many years called wolfTPM, a portable, open-source TPM 2.0 stack with backward API compatibility, designed for embedded use. It is highly portable, and has native support for Linux and Windows. RTOS and bare metal environments can take advantage of a single IO callback for SPI hardware interface, no external dependencies, and compact code size with low resource usage.

wolfTPM offers API wrappers to help with complex TPM operations like attestation and examples to help with complex cryptographic processes like the generation of Certificate Signing Request (CSR) using a TPM.

Due to wolfTPM’s portability, it is generally very easy to compile on new platforms.

Here are a few reasons to use wolfTPM over other secure elements:

  1. It is based on a widely accepted standard TCG TPM 2.0.
  2. There are many chip vendor options and they are pin compatible.
  3. Support for RSA. All TPMs support at least RSA 2048 (the STSAFE and ATECC do not).
  4. More NV storage
  5. Measured Boot (PCRs)
  6. Advanced Policy management
  7. Seal/unseal data based on private key or PCR state.

Join our webinar on Getting Started with wolfTPM with wolfSSL Engineering, David Garske. This webinar describes the steps for getting started on your platform with a TPM 2.0 module including API interfaces, building, best practices and features!
Bring your questions for the Q&A session to follow!

When: Mar 2, 2023 10:00 AM Pacific Time (US and Canada)
Topic: Getting Started with wolfTPM

Watch the webinar today.

 

Contact us at facts@wolfssl.com with any TPM, crypto questions!
