RECENT BLOG NEWS

We’re happy to announce that we’ve added wolfSSL support to libimobiledevice using our OpenSSL compatibility layer! libimobiledevice is “a cross-platform FOSS library written in C to communicate with iOS devices natively.” The wolfSSL port allows you to use libimobiledevice with our FIPS-certified wolfCrypt library. To build libimobiledevice with wolfSSL, follow the instructions in our open source projects repository here.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

We’re happy to announce that we’ve added wolfSSL support to OpenPegasus 2.14.1 using our OpenSSL compatibility layer! OpenPegasus is an open source CIM server. The wolfSSL port allows you to use OpenPegasus with our FIPS-certified wolfCrypt library. To build OpenPegasus with wolfSSL, follow the instructions in our open source projects repository.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

We’re happy to announce that we’ve added wolfSSL support to rsyslog 8.2106.0 using our OpenSSL compatibility layer! rsyslog is “the rocket-fast system for log processing”. The wolfSSL port allows you to use rsyslog with our FIPS-certified wolfCrypt library.

To build rsyslog with wolfSSL, follow the instructions in our open source projects repository here.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Ever wonder exactly how much power your crypto is consuming? How long the battery of your device will last after adding in security? wolfSSL has worked with EEMBC to plug wolfSSL into SecureMark TLS for benchmarking a hardware’s performance and power consumption (https://github.com/eembc/securemark-tls). One of the algorithms benchmarked with SecureMark is ECDSA which makes up the bulk of the power and time taken for TLS 1.3 and TLS 1.2 handshakes using ECDSA cipher suites. 

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Version 1.2.0 of wolfCrypt JCE and JNI is now available for download! The wolfCrypt JCE provider and JNI wrapper provide Java applications with a convenient Java API to the widely-used wolfCrypt cryptography library, including support for FIPS 140-2/140-3!  This package provides both a Java JCE Provider as well as a thin JNI wrapper around native wolfCrypt.

Release 1.2.0 includes FIPS 140-3 compatibility, bug fixes and changes including:

• Add FIPS 140-3 compatibility when using wolfCrypt FIPS or FIPS Ready
• Increase junit version from 4.12 to 4.13 in pom.xml
• Add local “./lib” directory to “java.library.path” in pom.xml
• Fix debug builds using the “WOLFCRYPT_JNI_DEBUG_ON” define
• Fix compatibility with wolfCrypt “NO_OLD_*” defines
• Fix compatibility with wolfSSL “./configure –enable-all” and ECC tests

wolfCrypt JCE and JNI 1.2.0 can be downloaded from the wolfSSL download page and the wolfCrypt JNI Manual can be found here.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL often recognizes the work of our amazing community through GitHub. Today, we’re giving visibility to the excellent work of Kasper Kyllönen and Dr. Ian Oliver, on their fork of the wolfBoot GitHub repository. Visit their fork and check out their changes here: https://github.com/nokia/wolfBoot

Their wolfBoot fork has some Raspberry Pi related improvements for testing, measured boot and debugging.

wolfBoot is a portable secure bootloader solution that offers firmware authentication and firmware update mechanisms. It can be easily ported and integrated in existing embedded software projects to provide a secure firmware update mechanism. Check out our GitHub page for our wolfBoot repository, as well as repositories of our other products!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Version 1.8.0 of wolfSSL JSSE and JNI is now available for download! The wolfSSL JSSE provider and JNI wrapper provide Java applications with a convenient Java API to the widely-used wolfSSL embedded SSL/TLS library, including support for TLS 1.3 and FIPS 140-2/140-3!  This package provides both a Java JSSE Provider as well as a thin JNI wrapper around native wolfSSL.

Release 1.8.0 includes FIPS 140-3 compatibility, bug fixes and new features including:

• wolfCrypt FIPS 140-3 and FIPS Ready compatibility
• Add Socket method wrappers, fixes behavior when inner Socket used with JSSE
• Add wrappers to get FIPS verifyCore hash (FIPS error cb or directly)
• Fix potential NullPointerException with several clone() methods
• Refactor of SSLSessionContext implementation
• Fix behavior of WolfSSLSocket.getSoTimeout() when external Socket is wrapped
• Fix timeout used in socketSelect to correctly handle fractional sec timeouts
• Fix memory leak when custom X509TrustManager is used with wolfJSSE
• Add support for multiple X509TrustManager objects across multiple sessions
• Call WolfSSL.cleanup() in finalizer to release library resources earlier
• Release native WOLFSSL memory sooner, when WolfSSLSocket is closed
• Better management and freeing of native WolfSSLCertificate memory
• Release native logging callback when library is freed
• Release native wolfCrypt FIPS callback when library is freed
• Release CTX-level Java verify callback when CTX is freed
• Release CTX-level Java CRL callback when CTX is freed
• Better global reference cleanup in error conditions
• Fix unused variable warnings in non-FIPS builds
• Use one static WolfSSL object across all WolfSSLProvider objects
• Release local JNI array inside WolfSSLSession.read() on function exit
• Add multi-threaded JSSE provider client and server examples
• Update Android AOSP install script to create missing blank files if needed
• Update Android AOSP build fixes to define `SIZEOF_LONG` and `SIZEOF_LONG_LONG`
• Update IDE/Android example Android Studio project
• Fix default cipher suite list order used in JSSE WolfSSLContext objects
• Fix FIPS Ready compatibility with `WC_RNG_SEED_CB`
• Update Android AOSP Android.mk to compile wolfCrypt kdf.c

wolfSSL JSSE and JNI 1.8.0 can be downloaded from the wolfSSL download page and the wolfSSL JNI Manual can be found here.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

We have added wolfCrypt support to SQLCipher, which enables encryption of a SQLite database. The port also supports using our wolfCrypt FIPS module.

SQLCipher extends the SQLite database library to add security enhancements that make it more suitable for encrypted local data storage like [1]:

• on-the-fly encryption
• tamper detection
• memory sanitization
• strong key derivation

This feature is enabled with `./configure –with-crypto-lib=wolfssl`.

See pull request https://github.com/sqlcipher/sqlcipher/pull/411 for details.

[1] From the SQLCipher README.md. https://github.com/sqlcipher/sqlcipher#sqlcipher

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

We are excited to announce our wolfTPM v2.3 release. This includes some minor fixes and features for PCR and GPIO.

If using a big endian platform consider updating to resolve a byte swapping issue with the TIS layer.

We have refactored the GPIO configuration example for use with either STM ST33 or Nuvoton NPCT750 TPM 2.0 modules.

The PCR example now includes a standalone read example.

Release Details:

• Refactor GPIO support (single gpio_config) (PR #194)
• Fix for Linux HAL IO try again timeout logic (PR #194)
• Fix for big endian in TIS layer (PR #191)
• Fix for RSAES padding (RSA_Encrypt) (PR #187)
• Fix in tests to allow command code error for CreateLoaded (not supported on hardware) (PR #184)
• Fix for compiler warning for file read in make_credential.c (PR #182)
• Fixes for Windows builds (PR #181)
• Fixes for RSA RNG in edge case builds (fixes wolfBoot build error) (PR #180)
• Added PCR Read example (PR #185)

For a full list of changes, check out the updated ChangeLog.md bundled with wolfSSL or view our page on GitHub here (https://github.com/wolfSSL/wolfTPM).

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Happy Fall! wolfSSL has a great treat for all, we released version 5.0.0 and it is now ready for download! This includes a new major feature, having our FIPS 140-3 code added in. Stay tuned for more information in upcoming blog posts regarding the FIPS 140-3 code additions! It also includes notable feature additions such as the post quantum resistant code supporting use of liboqs, expansion to the compatibility layer for ease of replacing OpenSSL and many more features and fixes.

Key New Feature Additions

New Product

• FIPS 140-3 — currently undergoing laboratory testing, code review and ultimately CMVP validation. Targeting the latest FIPS standard.
  • Federal Information Processing Standards (FIPS) 140-3 is a mandatory standard for the protection of sensitive or valuable data within Federal systems. FIPS 140-3 is an incremental advancement of FIPS 140-2, which now standardizes on the ISO 19790:2012 and ISO 24759:2017 specifications.

Post Quantum

• Support for OQS‘s (liboqs version 0.7.0) implementation of NIST Round 3 KEMs as TLS 1.3 groups –with-liboqs
• Hybridizing NIST ECC groups with the OQS groups
• Remove legacy NTRU and QSH
• Make quantum-safe groups available to the compatibility layer

Linux Kernel Module

• Full support for FIPS 140-3, with in-kernel power on self test (POST) and conditional algorithm self test(s) (CAST)
• –enable-linuxkm-pie — position-independent in-kernel wolfCrypt container, for FIPS
• Vectorized x86 acceleration in PK algs (RSA, ECC, DH, DSA) and AES/AES-GCM
• Vectorized x86 acceleration in interrupt handlers
• Support for Linux-native module signatures
• Complete SSL/TLS and Crypto API callable from other kernel module(s)
• Support for LTS kernel lines: 3.16, 4.4, 4.9, 5.4, 5.10
• KCAPI: add support for using libkcapi for crypto

Compatibility Layer Expansion

• Ports
  • Add support for libssh2
  • Add support for pyOpenSSL
  • Add support for libimobiledevice
  • Add support for rsyslog
  • Add support for OpenSSH 8.5p1
  • Add support for Python 3.8.5  
• Numerous API/Structs Added

The release contained two vulnerabilities – one regarding a hang with DSA sign creation and the other regarding the handling of certificate name constraints. 
Vulnerabilities

• [Low] Hang with DSA signature creation when a specific q value is used in a maliciously crafted key. If a DSA key with an invalid q value of either 1 or 0 was decoded and used for creating a signature, it would result in a hang in wolfSSL. Users that are creating signatures with DSA and are using keys supplied from an outside source are affected.
• [Low] Issue with incorrectly validating a certificate that has multiple subject alternative names when given a name constraint. In the case where more than one subject alternative name is used in the certificate, previous versions of wolfSSL could incorrectly validate the certificate. Users verifying certificates with multiple alternative names and name constraints, are recommended to either use the certificate verify callback to check for this case or update the version of wolfSSL used. Thanks to Luiz Angelo Daros de Luca for the report.

For a full list of changes, check out the updated ChangeLog.md bundled with wolfSSL or view our page on GitHub here (https://github.com/wolfSSL/wolfssl).

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.