RECENT BLOG NEWS
Upcoming Webinar: Why everyone is using cURL and you should too
Join Daniel Stenberg, founder and maintainer of cURL and libcurl, as he goes through some basic curl fundamentals about what cURL is, who uses cURL, why use cURL etc. As well as giving information on how to customize your configuration, and other features that may be useful.
As always bring your questions for the Q&A following the presentation.
Watch the webinar here: Why Everyone is Using curl and you should too
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfTPM 2.4.0 Released!
We are excited to announce our wolfTPM v2.4 release. This includes improvements for Windows including support for cmake, C# wrappers, and c++ compiler fixes. This expands the wolfTPM cross platform API that is easy to use and supports Linux, Windows and embedded platforms. C# wrappers have been tested on Linux and Windows. These changes enable support for vcpkg for wolfSSL, wolfTPM, and wolfMQTT (see PR).
Release Details:
- Fixes for c++ compiler (PR #206)
- Adding a C# wrappers (PR #203)
- CMake support (PR #202, #204, #205)
- Add support for ST33 vendor specific command TPM_CC_GetRandom2 (PR #200)
- Fix writing PEM in wolfTPM2_RsaKey_TpmToPemPub (PR #201)
- Improve TPM2_SetupPCRSel (multiple calls) (PR #198)
- Fix for a few spelling errors and whitespace cleanup (PR #199)
- v2.3.1 updates (PR #197)
- Fix make install by renaming pcr example read.c (PR #196)
For a full list of changes, check out the updated ChangeLog.md bundled with wolfSSL or view our page on GitHub here.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfBoot 1.11 Released!
wolfBoot 1.11 has been released. This release introduces new algorithms for signature verification (Ed448, Ecc384), for integrity check (Sha2-384) and for external storage encryption (Aes128 and 256). Encryption support for external storage has been improved.
Our team introduced mitigation against glitching attacks. Find out more in this post.
Support for new targets has been included: NXP i.MX-RT1050 and STM32U5.
For the full list of changes, please see our Github page.
You can download the latest release here: https://www.wolfssl.com/download/
Or clone directly from our GitHub repository: https://github.com/wolfSSL/wolfBoot
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfSSL 5.3.0 Release!
wolfSSL has released a new version! 5.3.0.
This contains some exciting new additions and fixes. A full list can be found in the ChangeLog.md (https://www.wolfssl.com/docs/wolfssl-changelog/) but some of the highlights are:
- SP performance enhancements and fixes
- wolfSSL’s Single Precision (SP) Math Library bring the best implementations to insure the best performance of Public Key Algorithms
- Compatibility layer enhancements and function additions
- The wolfSSL OpenSSL compatibility layer is a means to switch applications designed for OpenSSL over to use wolfSSL.
- Embedded post quantum port on an STM32 device and benchmarks
- CAAM support for i.MX8 on Linux
- CAAM (Cryptographic Accelerator and Assurance Module) is hardware that can be found on many i.MX NXP devices. When used it speeds up the cryptographic algorithms such as ECC and AES.
- Updates to Renesas TSIP support, Stunnel, Bind and other ports…
- Additions and improvements to testing including use of Wycheproof
- Project Wycheproof is a test suite developed and maintained by the Google Security Team. Their unit tests use Java security packages (java.security and javax.crypto) to allow for multiple JCA/JCE provider implementations to be tested, including wolfJCE.
A full list of what was changed can be found in the wolfSSL ChangeLog (https://www.wolfssl.com/docs/wolfssl-changelog/).
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Upcoming Webinar : Everything you need to know about Securing Medical Devices!
Story time with wolfSSL! Join us for a comprehensive presentation on how to leverage wolfSSL for all of your Medical Device needs as we go through a variety of different use cases and example with the specific engineering details for each story.
As always bring your questions for the Q&A following the presentation.
Topic: Everything you need to know about Securing Medical Devices!
Watch the webinar here: Everything you need to know about Securing Medical Devices
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Constant Time Testing
It is no secret that wolfSSL makes every effort to provide the best tested cryptographic and SSL/TLS solution available on the market.
To that end, wolfSSL is proud to announce that as of today there is a suite of Constant Time Tests evaluating two of the three big integer math libraries wolfCrypt offers that have support for constant time execution.
Big integer math libraries natively available in wolfSSL are:
-
- sp_int.c
- Use setting –enable-sp=yes to use this library
- For non-Autoconf builds use setting(s)
- WOLFSSL_SP
- WOLFSSL_HAVE_SP_RSA
- WOLFSSL_HAVE_SP_ECC
- WOLFSSL_HAVE_SP_DH
- (optional) WOLFSSL_SP_SMALL (reduced footprint)
- Stack based math library with optimized math, faster than tfm.c
- sp_int.c
- Constant time support for all algorithms: RSA, DH, and ECC
-
- tfm.c
- Default on Linux (no setting needed to use)
- For non-Autoconf builds use setting USE_FAST_MATH to enable this library
- Stack based (large static buffer), enjoys better performance
- tfm.c
- Constant time for only two algorithms (RSA and ECC)
-
- integer.c
- Use setting –disable-fastmath on Linux to use this library
- Avoid the setting USE_FAST_MATH to use this library when building with non-Autoconf solutions (IDEs’, Makefiles, whenever user_settings.h is used etc.)
- Heap based, suffers overhead of alloc/free at the benefit of only the needed resources.
- integer.c
- Not-constant time, avoid if concerned about timing attacks
Note: None of the above applies to externally implemented hardware and/or software solution(s). IE when using the crypto callbacks to offload operations to an external cryptographic module or using external quantum safe solutions such as liboqs etc.
wolfSSL is also evaluating constant time execution for the following algorithms that do NOT depend on any of the three big integer math options: AES-CBC, AES-GCM, ChaCha20, Poly1305, SHA2-256, SHA2-512 and X25519 (AKA “Curve25519”)
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Doing Crypto Without Malloc’s
wolfSSL has easy options for building and running without any malloc’s! Avoiding the use of all dynamic memory can be important in many environments, including safety critical ones and the use with satellites, being one of NASA’s 10 rules to not use any dynamic memory after initialization. The easy build options for no system malloc’s helps wolfSSL be used under these stringent requirements. Along with being able to do crypto operations with the no malloc build, wolfSSL can also support full TLS handshakes with no malloc’s!
To build wolfSSL with no dynamic memory –enable-staticmemory could be used. Examples and tests with setting aside the memory pools for the staticmemory build can be seen in the wolfcrypt/test/test.c file bundled with wolfSSL. By default this falls back to malloc when no static memory is available, to avoid this fallback mechanism to system malloc’s the macro WOLFSSL_NO_MALLOC must also be defined. In addition to the staticmemory enable option there is a nomalloc version with our SP (single precision) asymmetric performance speed ups too! This could be enabled with –enable-sp=nomalloc when using autoconf.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Secure Boot and Glitching Attacks
In general, a “glitch” is a momentary fault that may happen on a system, preventing it from working properly, for a brief amount of time. The effects of a single glitch on proper software execution may be multiple, including catastrophic consequences that may prevent the system from continuing the execution.
Glitching attacks are complex and expensive to execute, but can be a real issue for secure boot mechanisms, and often very hard to prevent or mitigate. They aim at exploiting predictable consequences of single glitches in order to take control of the execution or the data contained in the system. The glitch can be injected using different techniques, which often rely on well known weaknesses of the specific microcontroller or CPU. The most common glitch injection consists in varying the voltage supplied to the chip at a specific time, or modifying the profile of the clock signal to mangle the timing of the execution of the instructions. More advanced attacks can rely on irradiating the device with strong electromagnetic interference.
In the specific context of secure boot, the goal for an attacker is to circumvent the security checks in those critical sections of the code, e.g. the code that performs verifications on the firmware authenticity, integrity or versioning. These attacks could eventually defeat the security checks, and take control of the system by uploading an unauthorized firmware image. While they require an accurate synchronization and several attempts, these attacks will eventually succeed in injecting a fault in the hardware at the required time in order to skip the verification.
Our secure bootloader, wolfBoot, follows the indication of RFC9019 to provide a secure, public key based verification of the integrity and authenticity of the firmware and its updates. It runs on several different architectures, from small microcontrollers up to x86_64 systems. wolfBoot is OS-agnostic and provides best-in-class security thanks to the FIPS 140-2 certified algorithms implemented in the wolfCrypt security engine.
wolfBoot already comes with plenty of unique features. Now it is also the first open source secure bootloader to implement mitigations against glitching attacks. Our development team has recently added an optional feature that can be activated at compile time, to reinforce the security of the critical variables and decision points in the code. This has required an evaluation of the code flow of wolfBoot from a point of view that includes the possibility for an attacker to skip single specific instructions. Introducing these mitigations has been tricky, because redundant code written in C is usually discarded by the compiler. For this reason the countermeasures must be programmed in assembly, which makes this code architecture specific.
The upcoming release of wolfBoot will contain a first version of these countermeasures, but glitching support mitigation already made it to our main branch on github, and it can be freely compiled and used in GPL projects for evaluation and auditing purposes.
To compile wolfBoot with glitching and side-channel attack mitigations turned on, it is sufficient to add ARMORED=1 to the configuration options (i.e. via command line when invoking make, or through the .config file). The ARMORED option is currently supported on ARM Cortex-M architecture. Support for other architectures will be added in the future.
You can download wolfBoot today from our download page or from our github repository
What is the next feature that you want to see implemented in wolfBoot? Is there any architecture or platform that we don’t yet support that could benefit from our glitch-resistant secure boot mechanism? Let us know!
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Webinar Alert: Kernel Mode
Watch our webinar about Kernel Mode presented by wolfSSL engineer Daniel Pouzzner tomorrow at 10AM Pacific.
In December 2020, wolfSSL 4.6.0 featured initial support for building as a Linux kernel module, supplying the entire native wolfCrypt and wolfSSL APIs directly to other kernel modules.
We have support with in-kernel FIPS 140-3, additional accelerated cryptography options on x86, and substantial improvements in stack usage.
Porting a library as large and complex as wolfSSL to the Linux kernel has been a multi-phase undertaking, guided by three key objectives:
A build process that is completely turnkey on supported kernel lines, via configure –enable-linuxkm and –with-linux-source=/source/tree/top.
A source tree that remains unified: the library and the kernel module are built from the same codebase, and differ only in various settings, and in kernel-specific glue logic.
Module builds that use the Linux in-tree Kbuild toolchain, rather than a bespoke out-of-tree build system, to facilitate simultaneous and continuing support for a wide variety of old and new kernel releases.
The Linux kernel is not a POSIX target, and many facilities commonly available to libraries and applications are unavailable (e.g. stack red zones, the C library, thread-local storage) or severely restricted (e.g. stack depth and vectorized instructions). Additionally, each minor kernel version and hardware target has peculiarities that cannot be ignored.
In this presentation, we will chronicle some of the challenges we encountered porting wolfSSL to this unusual target, and the solutions we developed.
As always we will have a Q&A Session following the webinar.
Watch the webinar here: Linux Kernel Mode
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
New wolfSSL Documentation Launched
Over the past few months the engineering team at wolfSSL have been working on a new reference documentation system for all of the wolfSSL products. The first fruits of this can be found in the form of the wolfSSL library documentation which is also available in PDF form.
This project had several goals:
- Update the documentation as much as possible
- Unify documentation locations and standards
- Reduce the barrier of entry to getting new edits into the documentation
- Reduce the barrier of entry to consuming the documentation
- Create methods of automatically building and deploying the documentation
The documentation source itself is in two parts, the first is the long form documentation pages which were previously shared documents to be edited. These are now Markdown documents in a GitHub repository. The second part is the Doxygen reference you can find in the repository with the code. Our new build system dynamically converts the Doxygen to Markdown, merges it with the long form pages, does some other minor cleanups and manipulations and then generates HTML and PDF outputs.
There are now fully working cross-links in the documentation to learn more about specific options and the formatting has been standardized across the entire documentation.
Over the coming weeks we will be automating the build and deployment of the documentation so it is always up-to-date every day. We will also be releasing documentation using the same system for the full suite of wolfSSL products. We will also be making edits over time to refine and improve the documentation that is there. We welcome any feedback to support@wolfssl.com!
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Weekly updates
Archives
- December 2024 (19)
- November 2024 (29)
- October 2024 (18)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)