RECENT BLOG NEWS
wolfSSL Support for DO-178 DAL A
wolfSSL is adding support for complete RTCA DO-178C level A certification! wolfSSL will offer DO-178 wolfCrypt as a commercial off -the-shelf (COTS) solution for connected avionics applications. Adherence to DO-178C level A will be supported through the first wolfCrypt COTS DO-178C certification kit release that includes traceable artifacts for the following encryption algorithms:
- SHA-256 for message digest.
- AES for encryption and decryption.
- RSA to sign and verify a message.
- chacha20_poly1305 for authenticated encryption and decryption.
- ECC to sign, verify and share secrets.
- HMAC for keyed-hashing for message authentication.
The primary goal of this initial release is to provide the proper cryptographic underpinnings for secure boot and secure firmware update in commercial and military avionics. wolfSSL brings trusted, military-grade security to connected commercial and military aircraft. Avionics developers now have a flexible, compact, economical, high-performance COTS solution for quickly delivering enhanced, secure communications that can be readily certified to DO-178. In addition, any of the FIPS 140-2 validated crypto algorithms can be used in DO-178 mode for combined FIPS 140-2/DO-178 consumption. The wolfCrypt cryptography library has been FIPS 140-2 validated (Certificate’s #2425 and #3389). For additional information, contact us at fips@wolfssl.com!
Optimization Support
We understand that securely rebooting avionic systems has rigorous performance requirements. As such, we’re here to help with cryptographic performance optimizations through our services organization.
Release Plan
- Basic crypto for secure boot and secure firmware updates – Available Now!
- wolfBoot Secure Boot – Q1, 2022
- wolfSSL – Q2, 2022
- wolfDTLS – Q2, 2022
To download and view the most recent version of wolfSSL, the wolfSSL GitHub repository can be cloned from here: https://github.com/wolfssl/wolfssl.git, and the most recent stable release can be downloaded from the wolfSSL download page here: https://www.wolfssl.com/download/.
For more information, please visit the wolfSSL DO-178 product page: https://www.wolfssl.com/wolfssl-support-178-dal/.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Post-Quantum Goodies in wolfSSL 5.1.1: FALCON
This is a quote from a message posted by Dustin Moody of NIST on the NIST PQC Forum at https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/fvnhyQ25jUg :
“Yes - the 3rd round will shortly be ending. NIST is actively writing the 3rd Round report which will
explain our rationale for which algorithms we will standardize. We hope to be able to announce the
results and report not later than the end of March.”
Dustin Moody, Feb. 9, 2022
So, we can expect some news from NIST in a month or so. With this in mind, we thought this might also be a good time to talk about the FALCON Signature Scheme integration in the wolfSSL v5.1.1 release and some of the other work we have done around post-quantum cryptography.
The FALCON Signature Scheme is a post-quantum algorithm that is a finalist of round 3 of the NIST PQC competition. It shows much promise in that while its artifacts are large and key generation and signing are a bit slower than currently standardized algorithms, signature verification times are much faster which bodes well for IoT and constrained devices. You can compare the speed in our benchmarking data that can be found in Appendix G of our wolfSSL Manual: https://www.wolfssl.com/documentation/wolfSSL-Manual.pdf
The good news for our customers that want to experiment with FALCON is that it couldn’t be easier! All you need to do is build liboqs, rebuild wolfSSL and add the –with-liboqs flag. If you built your application to statically link with wolfSSL, you will need to rebuild your application. If you dynamically link, you do not need to rebuild. All you have to do now is swap out your certificates with FALCON certificates! No code changes are required for your application. You can find instructions and a script for generating a FALCON certificate chain here: https://github.com/wolfSSL/wolfssl-examples/tree/master/pq
For customers who want to see post-quantum algorithms working in a real world use-case, we have instructions for you to build a quantum-safe apache web server and curl web client. All you need to do is follow the instructions here: https://github.com/wolfSSL/osp/blob/master/apache-httpd/README_post_quantum.md
Finally, just a few words regarding motivation. Most people understand the harvest and decrypt threat model and thus see the urgency for moving to post-quantum key establishment. However, seeing the motivation for signature schemes might be harder. Suppose you are deploying authentication algorithms on devices that have long lifetimes and are hard to update. A good example of this might be firmware for industrial machinery or cars. If the lifetime of your deployment exceeds the time to a cryptographically relevant quantum computer, then you should probably consider experimenting to understand the impact of post-quantum algorithms sooner rather than later.
A full list of what was changed can be found in the wolfSSL ChangeLog (https://www.wolfssl.com/docs/wolfssl-changelog/).
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfCrypt and FIPS 140-3
wolfCrypt has been listed on the CMVP IUT List for FIPS 140-3! We are currently working with our testing lab to get validated as quickly as possible with the new FIPS standard from the NIST. wolfSSL is the first software library on the FIPS 140-3 IUT list for embedded development.
FIPS 140-3 involves a few significant changes, and wolfSSL is prepared to deliver the first and best implementation of FIPS 140-3.
FIPS 140-3 is the replacement for FIPS 140-2, so it is always a good idea to switch over to it as soon as possible. You will also want wolfSSL’s FIPS 140-3 Certificate for reasons including:
– Conditional Algorithm Self-Testing (CAST): Testing Streamlined – only test algorithms when they will be first used, or at will
– Addition of TLS v1.2 KDF (RFC7627) and v1.3 KDF (RFC8446)
– Addition of SSH KDF
– Addition of explicit testing of 3072-bit and 4096-bit RSA
– Addition of RSA-PSS
– Addition of HMAC with SHA-3
– Addition of AES-OFB mode
– Addition of external seeding source callback function for Hash_DRBG
– Removal of insecure algorithms: 3DES and MD5
For more information, please visit our FIPS page here.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Love it? Star wolfSSL on GitHub!
wolfSSL 2021 Annual Report
Last year was an excellent year for wolfSSL! We progressed on all of our critical performance vectors, including technical leadership, top notch support, sales growth and new design wins. The sheer volume of new code that we produced, in conjunction with our new products and design wins, is impressive to say the least. Additionally, we made the migration from a strictly on-prem based testing rig to a hybrid rig. Our new rig harnesses the power of cloud computing, and allows us to even further improve on our testing in order to bring you the best tested TLS. Thank you for reading, and please contact us if there is something that you would like on the wolfSSL roadmap for 2022!
wolfSSL Technical Progress
A total of 5 releases of the wolfSSL embedded TLS library were delivered in 2021, each with bug fixes, enhancements, and new feature additions. Highlights of these releases included:
1. New Hardware and OS Ports
- Linux Kernel Crypto API (KCAPI) – Allows for offloading of crypto operations to kernel hardware or software. Support includes AES-CBC, AES-GCM, SHA-2, and HMAC. Also possible to use RSA, DH and ECC with custom kernel modules.
- Linux Kernel Module build option (–enable-linuxkm), which is also supported with FIPS modes of operation using FIPS compliant integrity checks and conditional algorithm self tests (CASTs). Compliance up to the latest FIPS 140-3.
- NXP i.MX CAAM – QNX
- NXP SE050
- IOT-Safe (SIM card PK)
- Cypress/Infineon PSoc6
- Renesas RA6M4, RX65N, RX72N, TSIP, SCE Protected Mode (see our new GitHub repository)
- Fusion RTOS
- Dolphin Emulator
2. New Software Ports!
- Bind DNS
- Cjose
- HaProxy
- Kerberos
- Libest
- libmobiledevice
- Net-SNMP
- NTP
- OpenVPN
- OpenLDAP
- OpenPegasus
- OpenResty
- PyOpenSSL
- Python
- Rsyslog
- sblim-sfcb
- Socat
- Tcpdump
- libSSH2
- Zephyr
3. Updates to Existing Ports
- STM32: Supported platforms now include G0 and U5
- Fixes for NXP mmCAU/LTC, Microchip ATECC608, Espressif ESP32, ST STM32 PKA AES-GCM, Renesas RA6M3
- Updated project ports:
- Stunnel 5.57
- Qt 5.15
- Apache 2.4.51
- Socat 1.7.4.1
- lighttpd 1.4.51
- OpenSSH 8.8
4. Operating System Updates
- WIN32 WinCE wolfCrypt port
- TI-RTOS port maintenance
5. Compiler and IDE Updates
- Android
- STM32
- GCC Makefile
- Espressif ESP-IDF
- INTIME
- QNX
6. Post Quantum Algorithm Support
- Removed legacy QSH and NTRU support.
- Added support for FALCON signature schemes in TLS 1.3 (Levels 1, 5)
- Added support for KEMs in TLS 1.3 as groups and hybridized groups with NIST ECC Curves:
- SABER (Levels 1, 3, 5)
- KYBER (Levels 1, 3, 5) and KYBER 90S (Levels 1, 3, 5)
- NTRU HRSS (Level 3) and HPS (Levels 1, 3, 5)
- Full interoperability of algorithms we implemented against the OQS team’s OpenSSL fork.
- Integrations with Open Source projects allowing use of post-quantum algorithms with the following popular projects:
- Apache
- Nginx
- Lighttpd
- cURL
- MariaDB
- Stunnel
- Joint integration with the OQS team to patch Wireshark, making it aware of and display the new algorithms and their variants.
7. New Hardware Crypto Support
- IotSAFE support
- Renesas RA6M4 SCE Protected Mode support
- Renesas RX65N / RX72N TSIP 1.14 support
8. Improvements to Existing Hardware Crypto Support
- Fixed DCP port
- Fixed Psoc6 SHA512 regressions
- Fixed broken ECC public key computation in PR in NXP LTC
- Fix for STM32 PKA ECC point mapping
9. New and Updated Algorithms
- New Post-Quantum Algorithm support, as mentioned above.
- Added ECCSI and SAKKE for Identity-based Encryption.
- Added support for streaming AES-GCM.
- Added streaming API for Ed25519 and Ed448.
- Added ISO 18033 and SEC 1 implementations of ECIES.
10. Algorithm Performance Optimization
- Improved TFM and SP math implementation of addmod_ct and submod_ct for a 30% improvement in performance of ECC operations.
11. New and Updated Build Options
- S/MIME support (–enable-smime)
- –enable-wolfsentry and –with-wolfsentry=
- –enable-wolftpm
- –enable-caam
- –enable-kcapi
- –enable-eccsi
- –enable-sakke
- –enable-wolfclu
- –enable-curl
- –enable-reproducible-build
- –enable-aesgcm-stream
- –enable-ed25519-stream
- –enable-ed448-stream
- –enable-linuxkm-pie
- –enable-keying-material
- –enable-iotsafe
- –enable-iotsafe-hwrng
- –enable-sp=
- smallfast
- smallec1024
- smallp1024
- small1024
- ec1024
- p1024
- 1024
- asm
- –enable-context-extra-user-data
- –enable-aescbc-length-checks
- –enable-altcertchains
- –enable-sblim-sfcb
- –enable-crypttests-libs
- –enable-benchmark
- –enable-aligndata
- –enable-error-queue-per-thread
- –with-max-rsa-bits=
- –with-max-ecc-bits=
- –with-liboqs=
- –with-se050=
- –enable-bind
- –enable-libssh2
- –enable-net-snmp
- –enable-ntp
- –enable-openresty
- –enable-rsyslog
- –enable-smime
- –enable-tcpdump
- –enable-krb
12. TLS Additions and Updates
- Session Ticket (Added AES GCM support)
- TLS export/import
- Keying Material Exporters for TLS (RFC 5705)
- S/MIME (Secure/Multipurpose Internet Mail Extensions)
- Asynchronous TLS v1.3 TLSX ECC/DH keygen/agree
- TLS 1.3 Updates
- Better Interop
- Better Portability
- Better Testing
- More Cipher Suites
- Crypto Callbacks extended: Ed/X25519, SHA2-384/512, AES CCM, CMAC
- TLS v1.3 sniffer / DH Extra / Static Ephemeral
- LWIP Native Support (IP stack)
- DTLS
- Resend the previous DTLS handshake flight only on a network read timeout (WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT)
- Change default DTLS future packet behavior. Messages from “too far into the future” are now accepted.
13. Single Precision Math Updates
- Significant SP math performance improvements
- Windows now has assembly code implementation for Intel x86 64-bit that increases performance by 5 to 10 times!
- C only implementation has had significant improvements that have major impacts on performance. 32-bit code most significantly 25% for 2048-bit operations and 50% and more for larger sizes.
- Improved performance of ARM Thumb code by 30-40%.
- On Aarch64, improved performance of P-384 operations by 65-100%.
14. FIPS 140-2 and 140-3 Validation News!
- FIPS 140-3 support merged, including Linux Kernel Module support
- 28 140-2 (Cert 3389) OE additions!
15. Testing
- More continuous integration testing added, including cppcheck static analysis
- Added support for Google Compute Engine to supplement testing slave farm in CI ecosystem, testing capabilities are now dynamically scalable based on test load and internal developer activity
- Expanded API testing coverage with OpenSSL compatibility layer additions
16. Examples
- New Post-Quantum cryptography example.
- New wolfSSL CAN Bus example.
- New RIOT-OS example using lwIP POSIX sockets.
17. Additional Product Enhancements
- Revamped Documentation
- wolfCLU
- wolfMQTT
- wolfSentry
- wolfSSL
- wolfTPM
- wolfMQTT (4 releases)
- SN feature enhancements
- Will Topic update and Will Message update
- Publish with QoS-1
- Receiving Disconnect Packet while going to sleep
- New callback for REGISTER topic ID from gateway when client subscribes to wildcard topics
- Handling PINGREQ message from the gateway to client
- New example added for QoS level -1 feature
- HiveMQ Cloud compatibility with SNI feature
- Huge improvements to multithread and non-blocking features
- Examples
- TLS mutual auth in client examples
- Add ability to publish files from example client
- SN feature enhancements
- wolfSSH (3 releases)
- Easier build with wolfSSL
- Added remote port forwarding
- Improved keep alive
- Small stack option for embedded builds
- SFTP Support for FATFS
- Added support of 192 and 256 bit AES keys
- Improved build options to leave out unwanted algorithms
- Improved interoperability with other tools
- Dropbear
- Firezilla
- winSCP
- Support for EWARM
- MQX IDE build added
- wolfTPM (4 releases)
- Added examples for symmetric key generation, NV, remote attestation, make credential, PCR read and GPIO.
- Support for QNX
- Example for QEMU with wolfTPM
- Improved documentation
- wolfBoot (3 releases)
- New architectures
- ARMv8-M
- PowerPC
- ARM Cortex-R
- Measured boot
- Support for Trustzone-M
- New memory model
- RSA4096 using SP
- WOLFBOOT_SMALL_STACK
- Delta updates
- New HAL:
- STM32L4
- STM32L0x3
- STMU575xx
- NXP i.MX-RT1060
- NXP T2080
- TI TMS570LC435
- New architectures
- wolfSentry (3 releases, all preview/beta)
- Dev phases 1, 2, 3, completed – static firewall, with action plugins, POC notifications via plugin, and configuration updates at any time.
- Full configuration loaded from JSON, with streaming load and all-or-none semantics
- Advanced lock facility complete, with ports for semaphore back ends under POSIX, MacOS-X, and FreeRTOS. Implements shareable, promotable, timeout-capable, deadlock-safe locks.
- POC integration with LWIP, under Linux and FreeRTOS, demonstrating filtering at the IP stack level, including filtering by MAC address, filtering of ICMP, and pre-accept filtering.
- Port to STM32 (FreeRTOS+LWIP)
- Turnkey integration with libwolfssl via the –enable-wolfsentry option, allowing post-accept filtering of incoming connections, and demonstrating pre-connect filtering of outbound connections, via integrations in the example client and server.
- wolfEngine (1 release)
- wolfEngine made public on GitHub and first official release with version 0.9.0.
- Allows users to achieve FIPS compliance with wolfCrypt FIPS + OpenSSL. Supports all algorithms in wolfSSL’s FIPS certificate (and others):
- SHA-1
- SHA2 (224, 256, 384, 512)
- SHA3 (224, 256, 384, 512)
- DES3-CBC
- AES w/ 128, 192, and 256 bit keys. ECB, CBC, CTR, GCM, and CCM modes.
- DRBG
- RSA
- DH
- ECC. ECDSA, ECDH, EC key generation. Curves P-192, P-224, P-256, P-384, P-521.
- HMAC
- CMAC
- HKDF
- PBKDF2
- TLS PRF
- Support for OpenSSL 1.0.2 and 1.1.1.
- Runs on macOS, Windows, Linux.
- Integrates seamlessly with anything that uses OpenSSL, including:
- OpenSSH
- nginx
- stunnel
- OpenVPN
- curl
- libssh2
- libssh
- ntpd
- mongoDB
- Node.js
- radius
- radsec
- syslog-ng
- grpc
- dhcpd
- dhclient
- See wolfProvider for OpenSSL 3.0.0 support.
- wolfProvider (code available on GitHub)
- wolfProvider made public on GitHub.
- Allows users of OpenSSL 3.0.0 to achieve FIPS 140-3 Compliance
- Supports:
- AES-GCM/CCM/CTR/CBC/ECB
- MD5/SHA-1/SHA2/SHA3/SHAKE256
- DRBG
- RSA/RSA-PSS
- DH
- ECDH/ECDSA/EC KeyGen with P-192/P-224/P-256/P-384/P-521
- HMAC/CMAC/GMAC
- HKDF/PBKDF2/PKCS12 PBKDF2/TLS 1.3 KDF/TLS1 PRF
- Runs on Linux
- wolfCLU (1 release)
- Additional support added for multiple commands:
- ecparam
- pkey
- req
- crl
- pkcs12 (parsing)
- rsa
- rand
- s_client
- dgst
- verify
- rsa
- md5
- Added in a logging layer and mapping of errors to stderr
- Increased unit tests with ‘make check’ and include running tests as a pre-commit hook
- Support for parsing and using basic config files when doing ‘req’ or ‘ca’ operations
- Enhancements to existing commands:
- x509 , -noout and print out of specific parts of certificate
- x509 , -days for setting number of days valid
- x509 , -pubout to display the public key
- More descriptive version print out
- PEM output for RSA/ECC key generation
- Initial integration of FIPS 140-3 use
- Refactoring of directories and test certificate locations
- Resolve warnings and issues from using -Wall and static analysis tools
- Additional support added for multiple commands:
- cURL (8 releases)
- wolfSSL JNI/JSSE (2 releases)
- wolfCrypt FIPS 140-3 and FIPS Ready compatibility
- JSSE level memory leak fixes, along with earlier internal memory cleanup.
- Addition of Socket method wrappers for use of wrapped inner Socket objects in WolfSSLSocket
- Updated Android AOSP support
- JSSE level fixes for SSLContext, SSLSocket
- Fixes for static analysis warnings (Infer), exception cases, connection closures, and more.
- wolfCrypt JNI/JCE (1 release)
- wolfCrypt FIPS 140-3 and FIPS Ready compatibility
- Compatibility with wolfSSL “–enable-all” and additional build fixes
- wolfSSL Python
- Added OpenSSL compatibility layer.
- Updated example certifications.
- wolfCrypt Python
- Added signature generation and verification.
- Now works with FIPS ready.
- Support for ed448, PEM RSA keys, and more.
- wolfCrypt DO-178C
- wolfCrypt 2
- AES GCM
- Environment:
- Ultrazed-EG(on A53), little endian
- GCC compiler that comes with Xilinx SDK 2017.4
- Run Azure RTOS ThreadX SMP version 5.8 on the A53 cores
- wolfCrypt 3
- SHA-256
- SHA-384
- HMAC (SHA-256)
- HMAC (SHA-384)
- HASH-DRBG SHA-256
- AES GCM
- AES CMAC
- ECC – P384 (sign/verify/shared secrets)
- ECC key export
- X509 cert verify
- Environment:
- NXP S32V234 (on A53)
- Arm Developer Studio version 2019.0-1, with armclang
- 1120 compiler version 6.12.1
- wolfCrypt 2
wolfSSL Top 10 Blog Posts/Technical Announcements
- wolfSSL Software Development Process
- Riding the CAN bus
- wolfSSL Quality Assurance
- wolfEngine and OpenSSL Provider Solution Now Public!
- wolfSSL Support for DO-178 DAL A
- Sniffing traffic with TLS v1.3
- First wolfCrypt DO-178 SOI Audits
- wolfSSL NXP SE050 Support
- Integration of the Falcon Signature Scheme into wolfSSL
- wolfCrypt FIPS 140-2 on ARM
2021 Webinars
The wolfSSL team hosted and/or participated in a total of 58 webinars this year. Check out our top 5 webinars of the year.
- Everything you need to know about FIPS 140-3
- wolfEngine : wolfCrypt as an Engine for OpenSSL
- Secure Element or TPM : how to include hardware security in your project using wolfSSL and wolfBoot
- Secure and Reliable Firmware Updates with wolfBoot
- Beyond DO-178: Building Secure Solutions for Future Aviation Systems
We host at least one webinar per week, make sure you are checking out our blog page to find out about our webinars! Check out our youtube page for all of our previous webinars!
wolfSSL Organizational Growth
- wolfSSL added 9 new team members in 2021. Additions included salespeople, engineers, administrators, and interns.
- We expanded our customer base considerably, are now securing connections for over 2,000 products, have partner relationships with over 40 vendors, and are securing well over 2 Billion connections on any given day, worldwide.
- wolfSSL represents one of the largest teams focused on a single implementation of TLS/Crypto worldwide. If you know of anyone who fits the following description, please let us know.
wolfSSL Events and Tradeshows
The wolfSSL team participated in a total of 16 events in 2021! As part of these events we were in 11 cities, 5 US states, and 4 countries! We participated in a total of 6 virtual events and were fortunate to attend 10 in-person events. The events we participated this last year included:
- Black Hat Asia
- cURL Up
- Mobile World Congress
- Black Hat 2021
- Sea Air Space
- ICMC
- SIdO Lyon
- IoT Tech Expo North America
- CyberSatGov
- it-sa
- Internet of Things World
- Aerospace Tech Week (FACE)
- NXP Connects (EMEA)
- NXP Connects (AMEC)
- TU Automotive Detroit (now Automotive Tech Week)
- NXP Connects (APAC)
In summary, we had a great year! 2021 was successful on multiple fronts, and we look forward to serving our customers and community with ever more secure and functional software in 2022.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Deprecation of FIPS v1
Here at wolfSSL, we have been supporting your FIPS needs for several years now with our FIPS Ready, certificate #2425 and certificate #3389 source bundles. This support is going to continue with the soon to be granted FIPS 140-3 certificate. With the new certificate coming soon, we thought this might be a good time to do a bit of house cleaning.
As certificate #2425 has been added to the NIST sunset list as of June 2021, we will be removing the FIPS v1 feature from wolfSSL.
Customers who still need this feature are encouraged to move to the upcoming FIPS 140-3 certificate if timelines permit. However, if customers need a solution in the near term, they can move to certificate #3389 which sunsets in 2024.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Top 10 wolfSSL Library Configurations
Here at wolfSSL, we strive to support our customers’ needs for customization and finding the right trade-offs. The following table is a list of the top 10 things you can do with wolfSSL’s configuration flags.
Task | Configure Flag(s) | Details |
Get Ready for Your First FIPS Customer | –enable-fips=ready | You will need to have a fips-ready bundle which is available as both an open source code bundle or under a proprietary license. |
Become DO-178 Compliant | –enable-sp-math | We have taken ECC in sp_c32.c in the SP-Math Library through DO-178C certification. |
Make Your Application Secure from Side-Channel Attacks | –enable-sp-math –enable-sp-math-all
CFLAGS=”WOLFSSL_SP_CACHE_RESISTANT” or –enable-fastmath –enable-harden |
Our SP-Math Library is always timing resistant and runs private key operations in constant time. Our Fast Math Library can be made timing resistant by enabling the hardened build. |
Reduce Your Stack Usage | –enable-smallstack and –enable-smallstackcache | Allocating memory on the heap will be favored over the stack. |
Reduce Your Heap Usage | –enable-static-memory | All memory that wolfSSL LIbrary allocates will be on the stack as local variables. |
Reduce Your Code Size | –enable-sha3=small –enable-aesgcm=small –enable-lowresource
CFLAGS=”-DNO_ERROR_STRINGS -DNO_INLINE -DCURVED25519_SMALL -DUSE_SLOW_SHA” -DUSE_SLOW_SHA256 -DUSE_SLOW_SHA612” |
This will come at a cost of algorithm speed and memory usage. |
Make a Really Small PSK-Only wolfSSL Library | –enable-leanpsk | PSK stands for pre-shared key. Approximate build size for wolfSSL on an embedded system with this enabled is 21kB. |
Make a Really Small Client-Only wolfSSL Library | –enable-leantls | This produces a small footprint TLS client that supports TLS 1.2 client only, ECC256, AES128 and SHA256. |
Use Only wolfCrypt | –enable-cryptonly | This enables a wolfCrypt-only build, greatly reducing the size. No TLS, no SSL. |
Figure Out What is Going on Under the Hood | –enable-debug | This will build the wolfSSL Library with debug symbols so you can use your debugger to step through the code as it executes. Also, if you call wolfSSL_Debugging_ON() lots of debugging messages will be printed to stderr. |
Note that some of these flags can be combined while others are mutually exclusive. Please feel free to experiment with different combinations.
Want more? You can see a full list of our configuration flags by downloading our latest release and executing the following command: ./configure –help
Still hungry? You can get detailed documentation about our configuration flags from “Chapter 2: Building wolfSSL” in the wolfSSL Manual which can be found here: https://www.wolfssl.com/documentation/wolfSSL-Manual.pdf. Need some expert advice?
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfSSL provider support for PKCS11
We now support wolfCrypt as a PKCS11 provider for applications to consume. The new wolfPKCS11 library adds a PKCS11 layer on top of the wolfCrypt API’s to enable customers who wish to standardize on an API interface or may already have developed code against PKCS #11.
PKCS #11 is an OASIS standard for “Cryptographic Token Interface Base Specification” (A.K.A Cryptoki). It defines an API interface for communicating with Hardware Security Modules (HSM) to provide cryptography support such as RSA and ECC. It allows enumeration of devices and features using a shared or static library.
A good introduction to PKCS #11 can be found here:
http://wiki.ncryptoki.com/introduction-to-pkcs-11-specifications.ashx
The source code is in a new GitHub repository here:
https://github.com/wolfSSL/wolfPKCS11
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfCLU ‘ca’ Command Added
wolfCLU (wolfSSL command line utility) has seen many feature additions! One of the features added was support for the command ‘ca’. This command now can handle basic conf. files for use with signing certificates. It is useful in projects to make a quick certificate with a given CA while avoiding having to write the code and create an application. This feature was one of many that has recently been added. Check out the repository here for the current bleeding edge of wolfCLU (https://github.com/wolfSSL/wolfclu).
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
wolfBoot 1.10 – Secure Bootloader with Unique Features
A new version of wolfBoot (1.10) has been recently released and can be downloaded from our website, or cloned from our github repository. A full list of features can be found in our Changelog.
As we recently announced, we have ported wolfBoot to run as an EFI application to verify the subsequent stages in the boot chain of a x86_64 PC. We have improved the configuration for some of the supported platforms and targets. Finally, because of improved support for delta updates and one new signature verification algorithm (Ed448), this new version adds even more unique characteristics that you won’t find in any other existing secure boot solutions.
Here is a summary of our users’ favorite unique features, now fully supported in wolfBoot 1.10:
Secure, compact, fast, FIPS-compliant cryptographic library
wolfBoot’s main task is to ensure that only a trusted firmware image can run on the target device, as indicated by RFC9019. It uses signature verification on the firmware image every time the device starts or when a firmware update is received, OTA or through any custom transport.
wolfBoot relies on wolfCrypt cryptographic engine to support the widest range of options for signature verification algorithms, including: ECC-256, RSA up to 4096 bit, Ed25519 and Ed448.
Thanks to a wide choice of hardware security modules and crypto co-processors supported by wolfCrypt; wolfBoot can offload all cryptographic operations to dedicated hardware components when available, cutting down boot time and run-time resources.
Simplicity and portability
wolfBoot does not depend on any specific libraries, except for wolfCrypt. It does not rely on any operating system environment, driver, platform or toolchains.
wolfBoot can secure the boot process of any standalone applications as well as complex operating systems, from small class-I microcontrollers up to Rich Execution Environments, on a wide range of microcontrollers and processors architectures (ARM, x86, PowerPc, RISC-V, and more). It can manage the initialization of Trusted execution environments (TEE) (e.g. TrustZone-M in ARM Cortex-M33).
The build-time configuration is concentrated in a single configuration file, and a command-line wizard is made available to ensure a quick and painless integration.
The key command line tools, ‘sign’ and ‘keygen’ (for Windows, Linux, MacOS), distributed along with wolfBoot, follow the development of all the features supported by the bootloader to the latest version. They are easy to use, widely documented, and simple to integrate with any deploy mechanism and back-end update services.
Roll-back: the bootloader “rescue” mode
wolfBoot stores a copy of the old firmware that gets replaced during the update. Mistakes can happen when building or transmitting a firmware update; even if the firmware is trusted and authenticated through wolfBoot it might still introduce bugs and issues in the field that may prevent the device from being reachable again. For this reason, wolfBoot implements a mechanism that requires the firmware to confirm that the system is working as expected after the update. In absence of this confirmation, at the next reboot wolfBoot considers the update as failed, and restores the original image from the backup taken during the update.
Use any external storage, with confidentiality
Some microcontrollers may not have enough flash space to accommodate two versions of the firmware in the internal FLASH. The only requirement on these system is normally that only the current executing firmware image should be stored in FLASH, where it can be eXecuted in Place (XiP). Most systems don’t support XiP on external storage supports, but that space can still be allocated to store updates and host the swap space required by wolfBoot to perform the update.
Thanks to a transparent, generic external flash interface, wolfBoot can use any external non-volatile memory support to host update and swap partitions, maximizing the space available in the internal FLASH for the running software.
Neighbor systems can host a virtual partition for the wolfBoot target, using any communication bus to implement remote, emulated memory access.
Encryption and decryption is done at runtime by wolfBoot when accessing these external storage devices for writing and reading, respectively. This mechanism prevents wiretapping or intercepting the firmware images when they are transferred on the BUS (SPI, CAN, Uart,…) that connects to the storage device.
Examples distributed with wolfBoot showcase this feature, with common SPI FLASH targets, and emulated remote storage, on a neighbor system via UART.
Self-update: can a secure bootloader update itself?
wolfBoot offers the possibility to authenticate and install a newer version of itself. A special update package can be created with the key tools, containing an update for the bootloader itself. wolfBoot will parse, authenticate and install the update by temporarily executing a copy of itself in RAM.
Incremental updates: faster OTA transfers with “delta updates”
wolfBoot supports incremental updates, based on a specific older version. Thesign tool can create a small “patch” that only contains the binary difference between the version currently running on target and the update package, a ‘delta update’ package. This package is processed by wolfBoot to reconstruct a complete image of the resulting update. The authenticity of the update is verified twice: first when the package is received before applying the patch, and then after the patch is applied, every time the new firmware is staged for boot.
What feature would you like to see in the next release of wolfBoot? Contact us at facts@wolfssl.com with any comments or questions!
Check out our GitHub page for the full documentation, and to stay up to date with our latest developments. And while you are there, consider giving the wolfBoot project a star!
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Upcoming Webinar: Looking Under The Hood – wolfSSL Automotive Security
Join us for a comprehensive presentation on how to leverage wolfSSL for all of your automotive security needs. Out expert engineers will go through a variety of different use cases, stories, and examples, each with specific engineering details. Bring your questions for the Q&A session to follow!
Watch the webinar here: Looking Under the Hood – Everything you need to know about automotive security that you’re too afraid to ask: wolfSSL Automotive Stories and Examples!
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Weekly updates
Archives
- December 2024 (19)
- November 2024 (29)
- October 2024 (18)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)