RECENT BLOG NEWS
What are the Advantages of wolfTPM?
At wolfSSL, we have been developing a TPM stack with customers for many years called wolfTPM, a portable, open-source TPM stack with backward API compatibility, designed for embedded use. It is highly portable, and has native support for Linux and Windows. RTOS and bare metal environments can take advantage of a single IO callback for SPI hardware interface, no external dependencies, and compact code size with low resource usage.
wolfTPM offers API wrappers to help with complex TPM operations like attestation and examples to help with complex cryptographic processes like the generation of Certificate Signing Request (CSR) using a TPM.
Due to wolfTPM’s portability, it is generally very easy to compile on new platforms.
Here are a few reasons to use wolfTPM over other secure elements:
1) It is based on a widely accepted standard, TCG TPM 2.0.
2) There are many chip vendor options, and they are pin compatible.
3) Support for RSA. All TPMs support at least RSA 2048 (the STSAFE and ATECC do not).
4) More NV storage
5) Measured Boot (PCRs)
6) Advanced Policy management
7) Seal/unseal data based on private key or PCR state.
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.
Love it? Star wolfSSL on GitHub.
FIPS 140-3 and the TLS KDF
There has been a little turmoil between the CAVP and the FIPS community regarding the TLS KDF. The CAVP deprecated testing of the kdf-component-tls-1.0 at the beginning of the year. The community wasn’t ready and it was temporarily un-deprecated. wolfSSL and our wolfCrypt cryptography library are ready for the transition to the RFC7627 TLS KDF.
The kdf-component-tls-1.0 KDF is the standard TLSv1.2 KDF described in RFC5246. The preferred algorithm is the KDF described in RFC7627, also known as Extended Master Secret. This uses the TLSv1.2 KDF and replaces the client and master random values with hashes of the handshake messages up to the key exchange. This cryptographically ties the TLS master secret to the handshake. wolfSSL has enabled Extended Master Secret as a default since 2016.
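The difference between the two derivations, as an added example (not wolfSSL code): the TLS 1.2 PRF with SHA-256 from RFC 5246, used once with the classic seed and once with the RFC 7627 session hash. The pre-master secret, random values and handshake message bytes are constructed placeholders, not real TLS encodings.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246, section 5."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256 over label || seed."""
    return p_sha256(secret, label + seed, length)


def master_secret_rfc5246(pre_master, client_random, server_random):
    """Classic TLS 1.2 derivation: the seed is only the two hello randoms."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def master_secret_rfc7627(pre_master, handshake_messages):
    """Extended Master Secret: the seed is a hash of the handshake messages
    up to and including the ClientKeyExchange."""
    session_hash = hashlib.sha256(b"".join(handshake_messages)).digest()
    return prf(pre_master, b"extended master secret", session_hash, 48)


# Constructed sample values (not captured from a real handshake).
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def transcript(certificate: bytes):
    """Placeholder handshake log; only the Certificate message varies."""
    return [
        b"ClientHello|" + CLIENT_RANDOM,
        b"ServerHello|" + SERVER_RANDOM,
        b"Certificate|" + certificate,
        b"ServerHelloDone",
        b"ClientKeyExchange",
    ]


def compare_kdfs():
    """Two sessions with the same pre-master secret and randoms, but
    different server certificates in the handshake."""
    t_a = transcript(b"certificate of server A")
    t_b = transcript(b"certificate of server B")
    classic_a = master_secret_rfc5246(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    classic_b = master_secret_rfc5246(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    ems_a = master_secret_rfc7627(PRE_MASTER, t_a)
    ems_b = master_secret_rfc7627(PRE_MASTER, t_b)
    return {
        "classic_equal": classic_a == classic_b,   # transcript is ignored
        "ems_equal": ems_a == ems_b,               # transcript is bound in
    }


if __name__ == "__main__":
    print(compare_kdfs())
```

With the classic KDF both sessions end up with the same master secret even though the handshakes differ; with Extended Master Secret any change in the transcript changes the key.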
wolfCrypt as an Engine for OpenSSL
As many people know, the OpenSSL project is struggling with FIPS. As of October 2020, OpenSSL has no active FIPS 140 validation. OpenSSL had plans to restore its FIPS validation with OpenSSL 3.0; however, they ran into significant delays, and since FIPS 140-2 testing ends September 2021, OpenSSL ultimately decided to focus their efforts on FIPS 140-3.
This means that OpenSSL users will not have a supported FIPS package for the indefinite future. This is a big issue for companies that rely on security.
To fill this breach, wolfSSL has integrated our FIPS-certified crypto module (wolfCrypt) with OpenSSL as an OpenSSL engine. This means that:
- OpenSSL users can get a supported FIPS solution, with packages available up to the 24×7 level,
- The new wolfCrypt FIPS solution supports algorithms used in TLS 1.3, meaning your OpenSSL-based project can support TLS 1.3,
- You can support hardware encryption with your project, as the new wolfCrypt solution has full hardware encryption support, as provided by native wolfCrypt!
Additionally, should you be using one of the OpenSSL derivatives like BoringSSL, we can also support you.
wolfEngine is structured as a separate standalone library which links against wolfSSL (libwolfssl) and OpenSSL. wolfEngine implements and exposes an OpenSSL engine implementation which wraps the wolfCrypt native API internally. Algorithm support matches that as listed on the wolfCrypt FIPS 140-2 certificate #3389.
wolfEngine is compiled by default as a shared library called libwolfengine which can be dynamically registered at runtime by an application or by OpenSSL itself through a config file. wolfEngine also provides an entry point for applications to load the engine when compiled in a static build.
wolfEngine has been tested on Linux with OpenSSL 1.0.2h and 1.1.1b inside OpenSSL apps (s_client, s_server, etc) and several popular Open Source packages – including cURL, stunnel, nginx, OpenLDAP, and OpenSSH!
Top Ten Things you should know about Secure Boot
At wolfSSL, we have been developing secure boot solutions with customers for many years, and more recently we have released wolfBoot, a secure bootloader designed for embedded systems.
wolfBoot provides reliable support for remote firmware updates on a wide range of devices, supporting the most common architectures (ARM Cortex-M, ARM Cortex-A, ARM Cortex-R, RISC-V RV32, PowerPC, and x86_64 via UEFI).
wolfBoot supports all types of RTOS and embedded operating systems, so it can be used to boot FreeRTOS, Contiki, RIOT-OS, ChibiOS, ThreadX, VxWorks, QNX, TRON/ITRON/uITRON, Micrium’s uC/OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, TI-RTOS, uTasker, embOS, INtime, MbedOS, Linux, and many more…
Here is our list of the top ten interesting facts about secure boot.
- Trusted firmware updates have become a requirement for IoT projects
IoT devices are not immune to cyber attacks, and many real-life cases have proven that misconfigured systems may even be an easier challenge for an attacker, and sometimes even compromise the entire distributed system from a single vulnerability in one software component.
Vulnerabilities happen. No matter whether the software is completely written from scratch or depends on third party components, defects in the implementation may surface at the worst time possible for the project timeline, and critical systems cannot afford to keep vulnerable versions running. At wolfSSL we know that security software development never sleeps. As soon as new vulnerabilities are discovered, the entire team immediately switches its focus to delivering a fix, launches all the tests and releases a new version of the software.
IT services may already benefit from continuous deployment mechanisms to ensure that new versions of the software components are available to run just after they have been updated and delivered. This is a good way to reduce risks related to running outdated software in production.
Why should similar mechanisms not be widely available on embedded systems? Well, the question is complicated, due to a few aspects. The diversity of microcontrollers available on the market poses quite a few challenges for embedded systems developers to provide a unified mechanism that fits all the scenarios, use cases, platform specific hardware and sometimes unique communication interfaces and protocols. Moreover, embedded software is generally installed from a monolithic binary file, containing a 1:1 match to the physical content of the non-volatile memory onboard. Updating a single component may be tricky unless there has been some specific partitioning mechanism in place.
The effort for defining the guidelines for a secure and safe firmware update mechanism has been led by the SUIT group within IETF, which has studied the problem and has produced a standard, RFC9019. “The document […] lists the requirements and describes an architecture for a firmware update mechanisms suitable for IoT devices.”
- Updates are verified using public-key signature authentication
The key feature offered by a secure bootloader following the SUIT definition is the use of state-of-the-art cryptography to guarantee the authenticity of the current firmware and the updates that are coming from a remote source. By using public-key based authentication it is possible to verify all the software on board before running it.
The mechanism is quite simple: the owner of the device creates a key pair. The private key is secret; it is never revealed or stored on the device itself. The private key is used by a script or a program to sign the manifest header, which is transmitted alongside the binary image of the new software. The manifest header contains all the meta-data associated with the firmware image.
The bootloader can access a copy of the public key, as it is stored on the non-volatile memory on board, or on a specific hardware secure vault. The public key is not a secret, and even if revealed, it does not pose any risk for the secure boot process.
When the bootloader receives the update package, it uses the public key to initiate the verification. Only software that contains valid metadata, including a verifiable signature, will be allowed to run on the target.
- Operating with small bootloaders
The secure bootloader is, in many cases, the only immutable part of an embedded system. SUIT specifications assume that in general the bootloader itself will not be updated because this may pose a risk in reliability. For this reason, one of the requirements for the implementation of a secure bootloader is to keep the bootloader small, and dedicate other components in the system to the task of transferring the firmware images and initiating the update.
This also means that code safety is critical in bootloader context, to guarantee the required level of reliability and minimize the attack surface. SUIT in particular mandates the use of small parsers in the code, since parsers are described as a “known source of bugs”.
One step further in this direction is to completely avoid dynamic memory allocations in the bootloader code. Measuring the memory usage at compile time and allocating static buffers for all the data structures significantly reduces the chance of memory management bugs such as overlapping of sections or heap-stack collisions when inappropriate memory mappings are configured.
A secure bootloader implementation cannot ignore resources and safety related requirements, or the risk is to create bigger issues than what it is expected to fix!
- Rollback attacks
In the perspective of continuous vulnerability management, new updates are released and made available often. Unless the firmware images are transferred using a secure channel, such as TLS, there is always a risk that an old update is intercepted by an attacker, or anyone who is sniffing the traffic towards the firmware consuming device. This is particularly true in those broadcast-friendly environments, e.g. if the firmware images are distributed through a local mesh network that does not support secure socket communication.
An attacker may know about a vulnerability in a previous version, and attempt to downgrade the firmware on the target device to that specific version, by repeating the transmission of the firmware image previously recorded by wiretapping on the network.
A secure boot mechanism must retain the information about the firmware version alongside all the other information in the manifest header. The version number, like the rest of the meta-data, is enclosed in the envelope together with the firmware image during the signing process, which means that the version cannot be altered by an attacker without compromising the validity of the signature for the update package. The bootloader will not allow the installation of packages with a version number that is older than the one that is currently running on the system.
Rollback attacks are very easy to perform and preventing them is a key task for the secure bootloader.
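The signature check and the version check described in the two sections above, combined in one added example (not wolfBoot code and not the wolfBoot image format). The manifest layout, the `FWUP` magic and the function names are hypothetical, and the RSA key is a constructed demo key built from two publicly known Mersenne primes, so it offers no security.

```python
import hashlib
import hmac
import struct

# Constructed demo key. Both primes are public knowledge (Mersenne primes),
# so this key protects nothing; it only keeps the example self-contained.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                  # public key: the trust anchor on the device
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: stays on the signing host
K = (N.bit_length() + 7) // 8        # modulus size in bytes

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
# Hypothetical manifest header: magic, version, image size, SHA-256 of image.
HEADER = struct.Struct(">4sII32s")
MAGIC = b"FWUP"


def _pkcs1_v15_encode(message: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), K bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_package(version: int, image: bytes) -> bytes:
    """Back-end side: build the manifest header and sign it."""
    header = HEADER.pack(MAGIC, version, len(image),
                         hashlib.sha256(image).digest())
    em = int.from_bytes(_pkcs1_v15_encode(header), "big")
    signature = pow(em, D, N).to_bytes(K, "big")
    return header + signature + image


def verify_update(package: bytes, running_version: int) -> str:
    """Bootloader side: uses only the public key (N, E)."""
    if len(package) < HEADER.size + K:
        return "reject: truncated"
    header = package[:HEADER.size]
    signature = package[HEADER.size:HEADER.size + K]
    image = package[HEADER.size + K:]

    # 1. Authenticate the header before trusting any field inside it.
    s = int.from_bytes(signature, "big")
    if s >= N:
        return "reject: bad signature"
    recovered = pow(s, E, N).to_bytes(K, "big")
    if not hmac.compare_digest(recovered, _pkcs1_v15_encode(header)):
        return "reject: bad signature"

    # 2. The signed header pins the exact image that may be installed.
    magic, version, size, digest = HEADER.unpack(header)
    image_ok = hmac.compare_digest(digest, hashlib.sha256(image).digest())
    if magic != MAGIC or size != len(image) or not image_ok:
        return "reject: image does not match manifest"

    # 3. Anti-rollback: the version is covered by the signature, so a
    #    replayed older package is authentic but still refused.
    if version < running_version:
        return "reject: rollback"
    return "accept"


if __name__ == "__main__":
    old_pkg = sign_package(1, b"firmware v1")
    new_pkg = sign_package(2, b"firmware v2")
    print(verify_update(new_pkg, running_version=1))
    print(verify_update(old_pkg, running_version=2))
```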
- Power failures and high reliability
According to Murphy’s law “anything that can go wrong will go wrong”. In the case of remote updates installation, the worst point to lose power, or to have any kind of hardware glitch that results in a system reset, is when the content of the non-volatile memory is being altered during the installation of firmware updates. If a power cut occurs in the middle of a FLASH sector copy operation, the state of the destination sector is unpredictable upon the next boot.
A mechanism that can prevent this situation, like the one implemented in wolfBoot, consists of always keeping two copies of the same sector, and using a mechanism based on flags to confirm that each step has been completed. Upon reboot, the operation can be resumed from the last successful operation, so there is no risk of leaving the system in an unrecoverable state.
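A simulation of such a flag-based swap, as an added example (a model written for this page, not wolfBoot's implementation). It assumes a three-step swap through a spare sector, a flag write that is atomic, and that an interrupted sector copy leaves garbage in the destination; sector sizes and image contents are constructed.

```python
SECTOR_SIZE = 16                    # bytes per sector, kept tiny for the demo
NUM_SECTORS = 4
GARBAGE = b"\xa5" * SECTOR_SIZE     # stands in for a half-written sector


class PowerLoss(Exception):
    """Raised by the simulated flash when power is cut."""


class Flash:
    def __init__(self, boot_image, update_image):
        self.boot = [bytearray(s) for s in boot_image]
        self.update = [bytearray(s) for s in update_image]
        self.swap = bytearray(SECTOR_SIZE)      # spare sector
        self.flags = [0] * NUM_SECTORS          # persisted progress, 0..3
        self.ops_until_cut = None               # None means stable power

    def _power_fails_now(self):
        if self.ops_until_cut is None:
            return False
        if self.ops_until_cut == 0:
            return True
        self.ops_until_cut -= 1
        return False

    def copy_sector(self, dst, src):
        if self._power_fails_now():
            dst[:] = GARBAGE        # destination content is unpredictable
            raise PowerLoss
        dst[:] = src

    def set_flag(self, sector, step):
        if self._power_fails_now():
            raise PowerLoss         # flag was not written
        self.flags[sector] = step


def swap_partitions(flash):
    """Swap BOOT and UPDATE sector by sector. Each step is confirmed by a
    flag, so calling this again after a reset resumes where it stopped."""
    for i in range(NUM_SECTORS):
        if flash.flags[i] < 1:      # step 1: new sector -> spare
            flash.copy_sector(flash.swap, flash.update[i])
            flash.set_flag(i, 1)
        if flash.flags[i] < 2:      # step 2: old sector -> UPDATE (backup)
            flash.copy_sector(flash.update[i], flash.boot[i])
            flash.set_flag(i, 2)
        if flash.flags[i] < 3:      # step 3: spare -> BOOT
            flash.copy_sector(flash.boot[i], flash.swap)
            flash.set_flag(i, 3)


def survives_power_cut(cut_after_ops, keep_flags=True):
    """Cut power after the given number of flash operations, reboot, and
    report whether BOOT holds the new image and UPDATE the old one."""
    old = [bytes([0x10 + i]) * SECTOR_SIZE for i in range(NUM_SECTORS)]
    new = [bytes([0x20 + i]) * SECTOR_SIZE for i in range(NUM_SECTORS)]
    flash = Flash(old, new)
    flash.ops_until_cut = cut_after_ops
    try:
        swap_partitions(flash)
    except PowerLoss:
        flash.ops_until_cut = None              # power is back
        if not keep_flags:                      # model a design without flags
            flash.flags = [0] * NUM_SECTORS
        swap_partitions(flash)
    return flash.boot == new and flash.update == old


def failing_cut_points(keep_flags):
    """Every cut point at which the device ends up with a broken image."""
    total_ops = 6 * NUM_SECTORS                 # 3 copies + 3 flags per sector
    return [n for n in range(total_ops + 1)
            if not survives_power_cut(n, keep_flags)]


if __name__ == "__main__":
    print("with flags:   ", failing_cut_points(True))
    print("without flags:", failing_cut_points(False))
```

With the flags kept across the reset, every cut point recovers; when the swap is restarted from scratch instead, a cut during a backup or restore copy propagates the garbage sector into the boot partition.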
- Secure boot and secure update transfers
Downloading the new version is a task for the embedded application, or a thread running on top of a real-time operating system. As indicated by SUIT, including the responsibility of transferring the firmware image in the bootloader code would result in a bigger, more complex secure bootloader with external dependencies on protocol stack implementations and platform-specific device drivers. Embedded systems may in fact access the network picking from a variety of different connectivity technologies available. Not all of these technologies share the same protocol families or transport mechanisms. Some low power communication protocols such as LPWAN may even have stricter requirements on bandwidth or network availability.
wolfSSL is the embedded SSL/TLS library targeted for embedded systems. Being transport-layer agnostic, it can provide secure socket communication on top of all kinds of data transfer technologies, in operating system or bare metal applications.
Using the latest standard (TLS 1.3) to secure your connections means that devices can communicate to each other and to the back-end on end-to-end secured channels, using the best cryptography available as standard to date.
Some of the benefits of securing all the data in motion using TLS include of course encryption of all the data transferred between two endpoints, and optionally server-side identification for clients that access data, services or remote firmware updates.
On systems where the entire stack is deployed, including TLS socket communication, transferring the firmware images can be done over the same channel so that the update package can travel the network to the firmware consumer securely.
As TLS may not be an option for a subset of devices with a very limited amount of resources available, at least encryption should be considered on such devices. wolfCrypt is a crypto engine targeted for embedded, RTOS and resource-constrained environments, which is the core component of wolfSSL, but can also be used as a standalone library to access the implementation of the most popular algorithms and ciphers.
- Key management and trust anchors
In a distributed system architecture designed for remote firmware updates, key management is a critical task. The back-end system is in charge of keeping the private key (or keys) safe, and generating signed packages to distribute to firmware consumers when a new version is available.
wolfBoot is distributed with a toolbox of key management scripts and utilities that can be easily integrated on server side to facilitate these tasks. In the simplest case, the signature that is included in update packages is obtained using a private key which is accessible by the owner of the device. In some cases, a more elaborate key provisioning system is in place. When a separate software or hardware component is performing the signature step, the package creation process can be split to redirect and delegate the DSA step to another component.
The public key that is stored inside the embedded system is considered a ‘trust anchor’, because the trust in the validity of the remote firmware updates depends on the integrity of the public key used for digital authentication.
Trust anchor management is in general outside the generic scope of a bootloader itself because it depends on the hardware platform. However, it is of primary importance to include adequate protections against the risk of compromising the public key stored on the device and used by the bootloader to validate the authenticity of the firmware. A trust anchor store should be protected against write access using the countermeasures available in hardware.
- Secure elements and trust anchor stores
The best way of protecting trust anchors and other cryptographic material is using a hardware component that is designed for this purpose. Hardware security modules (HSM, CAAM, etc.) usually offer both key storage and cryptographic operation acceleration in the same module. wolfCrypt, our crypto engine that powers wolfBoot, supports all possible schemes from a wide range of manufacturer-specific APIs to access this functionality, such as Microchip ATECC608A, ARM CryptoCell, NXP CAU/mmCAU/LTC, STMicroelectronic PKA, Infineon-Cypress PSoC6 and many others. Find the exhaustive list of hardware crypto we support here.
More recently, in an effort to agree on the protocols used to access secure cryptoprocessors, ISO/IEC standardized the TPM (Trusted Platform Module) format, which is in use nowadays in nearly all personal computers and notebooks. The same technology is now available for embedded systems thanks to wolfTPM, a library providing APIs to access TPM 2.0 compatible secure elements. Popular TPM devices supported by wolfTPM include the ST33 and the Infineon 9670.
wolfBoot can also be optionally compiled together with wolfTPM to make use of secure key storage and cryptography acceleration provided by these devices. It also supports measured boot, storing the firmware hash into a TPM Platform Configuration Register (PCR).
- Updating the bootloader
The SUIT proposed standard recommends that the small bootloader is immutable, due to the intrinsic complexity for the bootloader to implement a reliable way to update itself. However in some cases it is useful to have the possibility to update the bootloader code itself.
Consider for example a situation where the public key is built into the bootloader code, key provisioning relies on a single private key and this key gets compromised on the back-end.
Another case is a long life product, where the algorithms or the key length in use by the bootloader code today may become obsolete, or compromised, by many years of research. In a few years it may become a requirement to update the bootloader code to match new requirements.
For these reasons we think that giving the possibility to update the bootloader code is important. wolfBoot can be optionally compiled to support this option. A special update package that is marked as wolfboot self-update will cause the bootloader to overwrite its own code after a successful validation of the package itself.
The bootloader update process is not completely fail-safe due to intrinsic hardware constraints, but it is sufficiently reliable to be used for those emergency cases described above.
- Estimating the development effort
When approaching secure boot and remote updates, it is often too easy to underestimate the impact of this single task on the development cycle of the entire project. A large amount of effort is spent on guaranteeing the reliability of the system in all the possible cases that could occur when the device is deployed.
The bootloader is perhaps the most critical part of the system. Everything else in your application can break, as long as there is still a way to update it from a remote location. Implementing a secure bootloader from scratch for a specific project is a tough task which in some cases may require as much development and testing as all the rest of the software components in the system.
At wolfSSL we have several years of experience in supporting our customers to build secure boot and remote updates solutions, and we have designed wolfBoot to provide a solid platform that can be used as the fundamental building block that can fit any secure boot architectural requirements.
We are available to talk with you about your design and we are happy to provide design and development services to complete the integration with any custom embedded system.
We understand how important security is in your IoT project, and we are the only company to offer 24×7 support on secure boot solutions for remote firmware updates.
wolfMQTT Releases v1.11.0
The New Year release of wolfMQTT, v1.11.0, is now available! This release has several bug fixes and optimizations including:
- Return correct error code in SN_Client_Connect (PR #268)
- Removing unsupported TLS and SNI options in sn-client (PR #266)
- Fixes for multithreading with non-blocking (PR #252)
- Doxygen work removing depreciated command and fixing other warnings (PR #264)
- Fix overwriting TLS error in connect (PR #259)
- Add GitHub Actions (PR #256 #260 #263)
- Fix wm_Sem on Windows (PR #255 #261)
- Fix scripts for host without mosquitto (PR #257 #265)
- Trim whitespace and convert tab to spaces (PR #251)
- Refactor of write length (PR #250)
- Fixes for publish edge cases (PR #248)
- Remove unused sub_id element, add support for local test broker (PR #249)
- Fix to make sure MqttClient_DecodePacket called in all cases (PR #246)
- Known bug with multithread and without nonblocking enabled in this release.
https://github.com/wolfSSL/wolfMQTT/blob/master/ChangeLog.md
While you’re there, show us some love and give the wolfMQTT project a Star!
You can download the latest release here: https://www.wolfssl.com/download/
Or clone directly from our GitHub repository: https://github.com/wolfSSL/wolfMQTT
wolfSSL Adds Support for the Arm® TrustZone® CryptoCell-310
Are you a user of the ARM CryptoCell acceleration hardware? If so, you will be happy to know that wolfSSL has added support for CryptoCell, with wolfCrypt and benchmark examples, to the wolfSSL embedded SSL/TLS library!
The wolfSSL port supports the following features:
- SHA-256
- AES CBC
- Elliptic Curve Digital Signature Algorithm (ECDSA) – sign and verify
- Elliptic Curve Diffie Hellman (ECDH) – shared secret
- ECC key generation support
- RSA sign and verify
- RSA key generation support
- RSA encrypt and decrypt
These features are tested on nRF52840 hardware platform with Nordic nRF5_SDK_15.2.0.
You can use the WOLFSSL_CRYPTOCELL macro to activate the CryptoCell support in wolfSSL. For instructions on how to build and run the examples on your projects, please see the “<wolfssl-root>/IDE/CRYPTOCELL/README” file. This support is currently located in our GitHub master branch, and will roll into the next stable release of wolfSSL.
wolfSSL provides support for the latest and greatest version of the TLS protocol, TLS 1.3! Using the wolfSSL port will allow your device to connect to the internet in one of the most secure ways possible.
Resources
The most recent version of wolfSSL can be downloaded from our download page, here: https://www.wolfssl.com/download/
wolfSSL GitHub repository: https://github.com/wolfssl/wolfssl.git
wolfSSL support for TLS 1.3: https://www.wolfssl.com/docs/tls13/
Upcoming Webinar: Getting Started with wolfMQTT
Join wolfSSL engineer Eric Blankenhorn to learn more about our wolfMQTT library, built to be multi-platform, space conscious and extensible. The wolfMQTT library is a client implementation of the MQTT written in C for embedded use, and supports SSL/TLS via the wolfSSL library. Bring your questions for the Q&A session to follow!
Watch the webinar here: Getting Started with wolfMQTT
Deprecation of Rabbit, HC128, IDEA, Camellia
Here at wolfSSL, we like to be on the cutting edge of things. Sometimes that means supporting algorithms before they are widely adopted which can lead to supporting algorithms that do not get wide adoption. This has been the case for the following algorithms:
– Rabbit
– HC128
– IDEA
– Camellia
To reduce code complexity, we have decided to deprecate support for these algorithms. Sometime in a future release, these algorithms will no longer be present in wolfSSL.
cTLS: Compact TLS
Here at wolfSSL we are at the cutting edge of cryptography and protocols. For example, even before TLS 1.3 was fully standardized, we were implementing it in line with the draft RFCs. Also, with the progress that is being made in the quantum computing space, we are keeping abreast of post-quantum cryptography and the standardization process for post-quantum algorithms. If you want, you can even experiment with the new algorithms by configuring wolfSSL using `--with-liboqs`.
We would like all our customers to know that we are also aware of and actively watching the standardization process of cTLS. It has the following features:
– Omitting unnecessary values that are a holdover from previous versions of TLS.
– Omitting handshake messages and fields required for backwards-compatibility with earlier TLS versions.
– More compact encodings.
– A template-based specialization mechanism that allows pre-populating information at both endpoints without the need for negotiation.
– Alternative cryptographic techniques, such as semi-static Diffie-Hellman.
The protocol specification claims to ensure security by mapping the data from the wire protocol back to a full TLS 1.3 transcript with the same features used.
wolfSSL v5.1.1 Release
Happy Holidays!
The wolfSSL holiday release is available for download!
This release includes more compatibility layer expansions, updates to the version of open source projects supported, post quantum additions, and new hardware port additions to name some of what was included, as well as 2 vulnerabilities fixed in the release bundle.
A major performance upgrade was added to the wolfSSL SP C implementation for ECC, in some cases increasing the performance with the C implementation by over 20%. SP (single precision) performance is turned on by using the enable option --enable-sp.
New Feature Additions
Ports
- Curve25519 support with NXP SE050 added
- Renesas RA6M4 support with SCE Protected Mode and FSP 3.5.0
- Renesas TSIP 1.14 support for RX65N/RX72N
Post Quantum
- Post quantum resistant algorithms used with Apache port
- NIST round 3 FALCON Signature Scheme support added to TLS 1.3 connections
- FALCON added to the benchmarking application
- Testing of cURL with wolfSSL post quantum resistant build
Compatibility Layer Additions
- Updated NGINX port to NGINX version 1.21.4
- Updated Apache port to Apache version 2.4.51
- Add support for SSL_OP_NO_TLSv1_2 flag with wolfSSL_CTX_set_options function
- Support added for the functions:
  - SSL_CTX_get_max_early_data
  - SSL_CTX_set_max_early_data
  - SSL_set_max_early_data
  - SSL_get_max_early_data
  - SSL_CTX_clear_mode
  - SSL_CONF_cmd_value_type
  - SSL_read_early_data
  - SSL_write_early_data
Fixes
PORT Fixes
- Building with Android wpa_supplicant and KeyStore
- Setting initial value of CA certificate with TSIP enabled
- Cryptocell ECC build fix and fix with RSA disabled
- IoT-SAFE improvement for Key/File slot ID size, fix for C++ compile, and fixes for retrieving the public key after key generation
Math Library Fixes
- Check return values on TFM library montgomery function in case the system runs out of memory. This resolves an edge case of invalid ECC signatures being created.
- SP math library sanity check on size of values passed to sp_gcd.
- SP math library sanity check on exponentiation by 0 with mod_exp
- Update base ECC mp_sqrtmod_prime function to handle an edge case of zero
- TFM math library with Intel MULX multiply fix for carry in assembly code
Improvements/Optimizations
Build Options and Warnings
- Bugfix: could not build with liboqs and without DH enabled
- Build with macro NO_ECC_KEY_EXPORT fixed
- Fix for building with the macro HAVE_ENCRYPT_THEN_MAC when session export is enabled
- Building with wolfSentry and HAVE_EX_DATA macro set
Math Libraries
- Improvement for performance with SP C implementation of montgomery reduction for ECC (P256 and P384) and SP ARM64 implementation for ECC (P384)
- With SP math handle case of dividing by length of dividend
- SP math improvement for lo/hi register names to be used with older GCC compilers
Vulnerabilities
- [Low] Potential for DoS attack on a wolfSSL client due to processing hello packets of the incorrect side. This affects only connections using TLS v1.2 or less that have also been compromised by a man in the middle attack. Thanks to James Henderson, Mathy Vanhoef, Chris M. Stone, Sam L. Thomas, Nicolas Bailleut, and Tom Chothia (University of Birmingham, KU Leuven, ENS Rennes) for the report.
- [Low] Client side session resumption issue once the session resumption cache has been filled up. The hijacking of a session resumption has been demonstrated so far only with non-verified peer connections, that is, where the client is not verifying the server’s CA that it is connecting to. There is the potential, though, for other cases involving proxies that are verifying the server to be at risk. If using wolfSSL in a case involving proxies, use wolfSSL_get1_session and then wolfSSL_SESSION_free when done where possible. If not adding in the session get/free function calls, we recommend that users of wolfSSL that are resuming sessions update to the latest version (wolfSSL version 5.1.0 or later). Thanks to the UK’s National Cyber Security Centre (NCSC) for the report.
A full list of what was changed can be found in the wolfSSL ChangeLog (https://www.wolfssl.com/docs/wolfssl-changelog/).