RECENT BLOG NEWS

Did you know that the wolfSSL lightweight SSL library builds and runs out of the box on the Raspberry Pi? We recently ran tests on a Raspberry Pi model B with wolfSSL 3.0.0. You can check out the results below:

1. Downloading

For the test, we downloaded cyassl-3.0.0.zip file from our download page.

2. Building

Instead of cross compiling wolfSSL to armv6, we compiled wolfSSL directly on our Raspberry Pi to get an average time of the building process. Following the process described in the README file to configure and build wolfSSL, the results were as follows:

$ time ./configure
…
real 1m33.504s
user 0m50.270s
sys 0m16.550s

$ time make
…
real 3m20.676s
user 2m50.290s
sys 0m6.940s

3. Benchmarking

To decide which math library to use we compared the results of the default build (./configure) with a modified one (./configure –enable-fastmath):

wolfSSL Benchmark, Normal Big Integer Math Library

pi@raspberrypi ~/cyassl-3.0.0 $ ./ctaocrypt/benchmark/benchmark
AES 5 megs took 0.880 seconds, 5.681 MB/s
ARC4 5 megs took 0.230 seconds, 21.734 MB/s
3DES 5 megs took 3.064 seconds, 1.632 MB/s

MD5 5 megs took 0.104 seconds, 48.112 MB/s
SHA 5 megs took 0.217 seconds, 23.072 MB/s
SHA-256 5 megs took 0.498 seconds, 10.032 MB/s

RSA 2048 encryption took 17.453 milliseconds, avg over 100 iterations
RSA 2048 decryption took 147.625 milliseconds, avg over 100 iterations
DH 2048 key generation 48.942 milliseconds, avg over 100 iterations
DH 2048 key agreement 61.991 milliseconds, avg over 100 iterations

wolfSSL Benchmark, Fast Big Integer Math Library

pi@raspberrypi ~/cyassl-3.0.0 $ ./ctaocrypt/benchmark/benchmark
AES 5 megs took 0.889 seconds, 5.624 MB/s
ARC4 5 megs took 0.200 seconds, 24.943 MB/s
3DES 5 megs took 2.479 seconds, 2.017 MB/s

MD5 5 megs took 0.101 seconds, 49.303 MB/s
SHA 5 megs took 0.217 seconds, 23.004 MB/s
SHA-256 5 megs took 0.561 seconds, 8.914 MB/s

RSA 2048 encryption took 4.622 milliseconds, avg over 100 iterations
RSA 2048 decryption took 131.030 milliseconds, avg over 100 iterations
DH 2048 key generation 57.496 milliseconds, avg over 100 iterations
DH 2048 key agreement 57.325 milliseconds, avg over 100 iterations

As expected, the fastmath provided more performant RSA operations – thus we used this build for the example test.

4. Running

After testing the crypto layer, it was time to test the protocol layer running our client example against our server example running or a remote Ubuntu server:

$ time ./examples/client/client -h external_server
SSL version is TLSv1.2
SSL cipher suite is TLS_RSA_WITH_AES_256_CBC_SHA256
Server response: I hear you fa shizzle!

real 0m0.885s
user 0m0.520s
sys 0m0.080s

5. Conclusion

wolfSSL 3.0.0 works out of the box on Raspberry Pi. While building wolfSSL on Raspberry Pi is OK, it does take some time to do so. Users should consider using cross compilation during the development cycle if building wolfSSL for the Pi on a regular basis needed.

6. Extra

If you like to stay synchronized with the latest commits of our github repository, don`t like to wait for stable releases, love git repositories, or just want to checkout a specific version, you can do so by following these steps before compiling wolfSSL:

* Check if you have libtool, autoconf and automake installed on your Pi:
$ sudo apt-get install libtool autoconf automake
* Clone wolfSSL repository from GitHub:
$ git clone https://github.com/cyassl/cyassl.git
* Run the autogen script:
$ cd cyassl
$ ./autogen.sh

Hi everyone, we’re curious if anyone is interested in using wolfSSL with the Oculus Rift? If you don’t know what an Oculus Rift is, it is a Next Generation Virtual Reality Technology for video games or any Virtual Reality Applications. You can learn more at the following URL:

http://www.oculusvr.com/

If you have any questions, or would like to see wolfSSL working with the Oculus Rift, please email us at facts@wolfssl.com. 

OpenSSL released several security advisories yesterday: http://www.openssl.org/news/secadv_20140605.txt. None of these are attacks on the SSL/TLS protocols themselves.  They are all implementation bugs.  Most are critical bug fixes to DTLS (TLS over UDP).  As a clean room implementation of SSL, wolfSSL does not use any OpenSSL code and is free from these defects.  The most critical report seems to be the Man in the Middle vulnerability where an attacker can inject a Change Cipher Spec message to force a weak key stream (CVE-2014-0224).  wolfSSL does not create the keying material upon receipt of the Change Cipher Spec message as OpenSSL did/does and is free from this problem.

The purpose of this note is not to critique OpenSSL, but rather to inform our user base about how they may be affected.  For additional information or questions about CyaSSL please contact us at facts@wolfssl.com

Hi!  We`ve been supporting AES-NI for a few years now.  We`ve decided to extend that support to Visual Studio users.  If you would like to use AES-NI with Visual Studio, then let us know.  Beta code will be available shortly.  Contact us at facts@wolfssl.com if you have questions.

For those of you interested in how CyaSSL fits into IoT, here is an example you should take a look at!

We have prepared a demo with CyaSSL, Xively, and mbed. It runs on various mbed platforms with Ethernet connections, including NXP LPC1768 whose RAM size is as small as 32k for applications + 32k for drivers.

In the demo configuration, mbed sends sensor data every 10 seconds through SSL to the Xively server, and you can see it through the browser on your pc.

 “mbed with Sensors” –[https]–> “Xively Server” <–[https]– “Browser on PC”

Xively is a cloud IoT service. It provides both HTTP and HTTPS APIs for IoT clients, in which they highly recommend HTTPS for obvious reasons, especially for commercial applications.

The demo includes the CyaSSL-based https client class. It is forked from the standard mbed http client class. So you can find out how it can be embedded into a socket-based program as well.

To use the project, please go to our mbed site and import the demo.

http://mbed.org/users/wolfSSL/

http://mbed.org/users/wolfSSL/code/CyaSSL-Xively/

For more information:

Xively: http://xively.com

mbed: http://mbed.org

mbed HTTPClient class:

    http://mbed.org/users/donatien/code/HTTPClient/

    http://mbed.org/handbook/TCP-IP-protocols-and-APIs

Understanding the stack and the heap are fundamental steps for all software developers. The importance of such understanding is inversely proportional to the amount of memory available on the platform, as both compete for a piece of the total memory space available on a system.

In some cases the developer has the choice of when to use one (either the stack or heap) more than the other. In other cases, a scenario may force the developer to work with minimal use of the stack, the heap, or both.

With this in mind, wolfSSL is introducing a new build option in CyaSSL. Developers can now choose a CyaSSL build that best matches their needs of using more stack and less heap OR more heap and less stack. This process is being accomplished by the refactoring of the CyaSSL code. Currently 90% of the encryption layer has been refactored to use the new option.

Small stack usage is not enabled by default. To enable it users must use the option “–enable-small-stack” when configuring the CyaSSL build as in the following example:

./configure –enable-small-stack [other options]

For users who don`t use CyaSSL`s configure script for compilation, smaller stack usage is not enabled by default. In this case, users will need to add the compiler directive CYASSL_SMALL_STACK in config.h file or settings.h to enjoy its benefits as in the following example:

#define CYASSL_SMALL_STACK

or

#define CYASSL_SMALL_STACK 1

If you have any questions about stack usage with CyaSSL please let us know at facts@wolfssl.com.

Hi!  Some of you know that the IETF working group on TLS is creating the specification for TLS 1.3.  We plan to upgrade wolfSSL to the TLS 1.3 specification as soon as the spec is finalized, or even close to finalized.  We are always aggressive with implementing the new TLS specifications, because we like to supply the community with a good test bed.  We did a great job getting TLS 1.2 out right away, as well as DTLS 1.2, and the community appreciated the effort.  We plan to continue our tradition of being quick with new protocol level changes.  

If you`re interested in what TLS 1.3 thinking is so far, then look here:  https://www.ietf.org/proceedings/87/slides/slides-87-tls-5.pdf.  If you have TLS 1.3 questions or comments, you are welcome to email us at facts@wolfssl.com or call us at +1 425 245 8247.

The new release of wolfSSL, v3.0.0, is now ready to download from our website.  New features include:

– FIPS release candidate
– X.509 improvements that address items reported by Suman Jana with security researchers at UT Austin and UC Davis
– Small stack size improvements, –enable-smallstack. Offloads large local variables to the heap. (Note this is not complete.)
– Updated AES-CCM-8 cipher suites to use approved suite numbers.

Please see the README and our on-line documentation for more information or feel free to contact us.

Hi!  We`ve scheduled ourselves to implement ChaCha20 and Poly1305 into wolfSSL this summer.  If you`re learning about what these are, see these links:

http://cr.yp.to/mac.html

https://www.imperialviolet.org/2013/10/07/chacha20.html

We`re excited about this addition to our code.  If you have comments, questions, or need it in our code sooner than this summer, then let us know!  We can be reached at facts@wolfssl.com or by phone at +1 425 245 8247.

As a follow up to the recent Heartbleed bug in OpenSSL, Embedded Computing Design interviewed wolfSSL’s CTO, Todd Ouska for an article titled “Heartbleed: (Not) one in a million”. You can read the article at the following URL:

http://embedded-computing.com/20937-heartbleed-not-one-in-a-million