Category: Uncategorized

Are you a user of Micrium?  If so, you will be happy to know that wolfSSL recently updated support and added TLS client and server examples to the wolfSSL embedded SSL/TLS library for Micrium!

We have also run a benchmark of our wolfCrypt/wolfSSL libraries on an NXP Kinetis K70 (Freescale TWR-K70F120M MCU) tower system board with a project built using the IAR Embedded Workbench IDE - ARM 8.32.1 (IAR ELF Linker V8.32.1.169/W32 for ARM). The details can be viewed on the wolfSSL benchmarks page.

For instructions on how to build and integrate the examples on your projects or to see the benchmark results, please see the README located in “IDE/ECLIPSE/MICRIUM”.  This support is currently located in our GitHub master branch, and will roll into the next stable release of wolfSSL as well. For any questions or help getting wolfSSL up and running on your environment, please contact us at support@wolfssl.com.  wolfSSL also now supports the most current version of TLS, TLS 1.3!  Learn more here: https://www.wolfssl.com/docs/tls13/ !

wolfSSL v3.15.5 was released last week which features many new additions to the library. One of those new additions is the reduction of the stack usage while using the “smallstack” build option.

The goal of wolfSSL’s “smallstack” build is to use at most 1kB of stack.  All other memory used is placed on the heap.

Currently, wolfSSL passes the option "--enable-smallstack" to the configure script. The small stack option can also be enabled by defining the following option: WOLFSSL_SMALL_STACK

Please contact support@wolfssl.com with any questions about building the wolfSSL embedded SSL/TLS library for your platform, or customizing the memory usage of wolfSSL.

The wolfSSL FAQ page can be useful for information or general questions that need need answers immediately. It covers some of the most common questions that the support team receives, along with the support team's responses. It's a great resource for questions about wolfSSL, embedded TLS, and for solutions to problems getting started with wolfSSL.

To view this page for yourself, please follow this link here.

Here is a sample list of 5 questions that the FAQ page covers:

1. How do I build wolfSSL on ... (*NIX, Windows, Embedded device) ?
2. How do I manage the build configuration of wolfSSL?
3. How much Flash/RAM does wolfSSL use?
4. How do I extract a public key from a X.509 certificate?
5. Is it possible to use no dynamic memory with wolfSSL and/or wolfCrypt?

Have a  question that isn't on the FAQ? Feel free to email us at support@wolfssl.com.

wolfSSL v3.15.5 was recently released and features many new additions to the library. One of those options is support for Lighttpd. Lighttpd is an open-source web server that is optimized for speed-critical environments while remaining standards-compliant, portable, and flexible.

The addition of support for Lighttpd is the perfect match for web servers looking to remain lightweight, fast, and portable while providing top-rate security. The wolfSSL embedded SSL/TLS library provides support for TLS 1.3, is available in a FIPS-validated version, and its size ranges from 20-100kB.

To build wolfSSL for use with Lighttpd, simply run the configure script with the option "--enable-lighty".

The most recent version of the wolfSSL library can be downloaded from our download page here: https://www.wolfssl.com/download/
More information about the new release of wolfSSL and its added features can be found here: https://www.wolfssl.com/wolfssl-3-15-5-now-available/

Please contact us at support@wolfssl.com for assistance or questions in compiling wolfSSL for use with Lighttpd!

wolfSSL v3.15.5 was released last week, which features many new additions to the library. One of those options is support for PCKS#11. The PKCS#11 standard defines an API to cryptographic tokens. The API defines most commonly used cryptographic object types (RSA keys, X.509 Certificates, DES/Triple DES keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects.

Using wolfSSL on your application or your device will now allow you to utilize PKCS#11 for access to hardware security modules, smart cards, and other cryptographic tokens.

To build wolfSSL with PKCS#11 support, the library needs to be downloaded and then built with a specific option. The library can be downloaded from the wolfSSL download page, here: https://www.wolfssl.com/download/. The steps to build wolfSSL with PKCS#11 are detailed below:

# From within wolfSSL's root directory
./autogen.sh
./configure --enable-pkcs11
make
sudo make install

wolfSSL also has its PKCS#11 documentation located within its doxygen pages, here: https://www.wolfssl.com/doxygen/group__PKCS11.html. This PKCS#11 documentation provides information on the recently added PKCS#11 API.

More information about the new release of wolfSSL v3.15.5 can be found here: https://www.wolfssl.com/wolfssl-3-15-5-now-available/
wolfSSL v3.15.5 download: https://www.wolfssl.com/download/
Wikipedia article on PKCS#11: https://en.wikipedia.org/wiki/PKCS_11

wolfSSL v3.15.5 was released last week which features many new additions to the library. One of those options is the availability of a TLS 1.3 only build, which enables the wolfSSL embedded SSL/TLS library to built such that use of TLS 1.2 and prior protocols is effectively disabled.

The TLS 1.3 only build is useful when forward secrecy and extra security are desired in embedded systems or applications. This option will cause attempted connections with other clients or servers to fail during the handshake unless they support the use of TLS 1.3, which prevents insecure connections from even being formed in the first place. Additionally, this TLS 1.3 option also streamlines the library. By enabling just TLS 1.3, the portions of the library that provide functionality for prior TLS protocol versions are not included when building the library, reducing the build size.

The newest version of wolfSSL can be downloaded from the download page. To build the wolfSSL library in TLS 1.3 only mode once downloaded, it requires the following options be used when running the configure script:

--enable-tls13
--disable-tlsv12
--disable-oldtls

References

wolfSSL v3.15.5 release notes: https://www.wolfssl.com/wolfssl-3-15-5-now-available/
Differences between SSL/TLS protocol versions: https://www.wolfssl.com/differences-between-ssl-and-tls-protocol-versions-3/

Please contact us at facts@wolfssl.com with questions about using TLS 1.3 with wolfSSL, or compiling the library for your platform.

The wolfMQTT client now supports connecting to v5.0 enabled brokers. Handling properties received from the server is accomplished via a customizable callback. The following v5.0 specification features are supported by the wolfMQTT client:

• AUTH packet
• User properties
• Server connect ACK properties
• Format and content type for publish
• Server disconnect
• Reason codes and strings
• Maximum packet size
• Server assigned client identifier
• Subscription ID
• Topic Alias

As a side note, wolfMQTT uses the wolfSSL embedded SSL/TLS library for SSL/TLS support.  Since wolfSSL supports TLS 1.3, your wolfMQTT-based projects can now use MQTT with TLS 1.3 with a supported broker!

You can download the latest release from our website or clone on GitHub. For more information please email us at facts@wolfssl.com.

wolfSSL is a lightweight TLS/SSL library that is targeted for embedded devices and systems. It has support for the TLS 1.3 protocol, which is a secure protocol for transporting data between devices and across the Internet. In addition, wolfSSL uses the wolfCrypt encryption library to handle its data encryption.

Because there is a FIPS 140-2 validated version of wolfCrypt, this means that wolfSSL not only has support for the most current version of TLS, but it also has the encryption backbone to support your FIPS 140-2 needs if required.

Some key benefits of combining TLS 1.3 with FIPS validated software include:

1. Software becomes marketable to federal agencies - without FIPS, a federal agency is not able to use cryptographic-based software
2. Single round trip
3. 0-RTT (a mode that enable zero round trip time)
4. After Server Hello, all handshake messages are encrypted.

And much more! For more information regarding the benefits of using TLS 1.3 or using the FIPS validated version of wolfCrypt, check out wolfSSL's TLS 1.3 Protocol Support and our wolfCrypt FIPS page.

FIPS 140-2 is a government validation that certifies that an encryption module has successfully passed rigorous testing and meets high encryption standards as specified by NIST. For more information or details on FIPS 140-2, it may be helpful to view this Wikipedia article: https://en.wikipedia.org/wiki/FIPS_140-2

For more details about wolfSSL, TLS 1.3, or if you have any other general inquiries please contact facts@wolfssl.com

To find out more about FIPS, check out the NIST FIPS publications or contact fips@wolfssl.com

The MQTT Sensor Network standard provides a lightweight networking protocol perfectly suited to low cost, low power hardware. The protocol allows using small topic identifiers in place of the full topic name when sending and receiving publish data.

The wolfMQTT SN Client implementation is based on the OASIS MQTT-SN v1.2 specification. The SN API is configured with the --enable-sn option. There is a separate API for the sensor network API, which all begin with the "SN_" prefix. The wolfMQTT SN Client operates over UDP, which is distinct from the wolfMQTT clients that use TCP. The following features are supported by the wolfMQTT SN Client:

• Register
• Will topic and message set up
• Will topic and message update
• All QoS levels
• Variable-sized packet length field

You can download the latest release of wolfMQTT from our website or clone on GitHub. For more information please email us at facts@wolfssl.com.

This release contains many new exciting additions to the wolfSSL embedded IoT library and some fixes to existing features. One of the changes with TLS 1.3 was adding in the capability of doing a TLS 1.3 only build. In addition to having the TLS 1.3 only build, OCSP stapling support with TLS 1.3 was added along with some fixes for asynchronous crypto use with the TLS 1.3 implementation.

Enhancements and fixes were made for PKCS parsing:

• Added support for dynamic allocation of PKCS7 structure using wc_PKCS7_New and wc_PKCS7_Free functions
• Support for PKCS#11 added with “--enable-pkcs11”
• Expanded PKCS#7 CMS support with KEKRI, PWRI and ORI
• Streaming capability for PKCS#7 decoding and sign verify added
• Added support for constructed OCTET_STRING with PKCS#7 signed data
• Fix for PKCS8 padding with encryption
• Added support for generic ECC PEM header/footer with PKCS8 parsing

Additional ports were added and some of the existing ports were updated to make it easy to use wolfSSL in new environments:

• Port for ASIO added with “--enable-asio” configure flag
• Port to apache mynewt added in the directory wolfssl-3.15.5/IDE/mynewt/*
• Added a wolfSSL static library project for Atollic TrueSTUDIO
• Contiki port added with macro WOLFSSL_CONTIKI
• AF_ALG and cryptodev-linux crypto support added
• Added support for the STM32L4 with AES/SHA hardware acceleration
• Renesas e2studio project files added
• Renesas RX example project added
• Added reference STSAFE-A100 public key callbacks for TLS support
• Added reference ATECC508A/ATECC608A public key callbacks for TLS support

Existing ports that were updated:

• Update to Intel® SGX port, files included by Windows version and macros defined when using WOLFSSL_SGX
• Updated support for latest CryptoAuthLib (10/25/2018)
• Fixes for MQX classic 4.0 with IAR-EWARM
• Updates to Nucleus version supported
• Updates to Rowley-Crossworks settings for CMSIS 4
• Updates to support Lighttpd
• Fixes for OCSP use with NGINX port
• Updates to XCODE build with wolfSSL
• PIC32MZ hardware acceleration buffer alignment fixes
• Fixes and enhancements for NXP K82 support
• Relocate compatibility layer functions for OpenSSH port update
• Updates and enhancements to the GCC-ARM example
• Updates for wolfcrypt JNI wrapper

Additional Features:

• Added DTLS either (server/client) side initialization setting
• Flag to disable AES-CBC and have only AEAD cipher suites with TLS “--disable-aescbc”
• Added “--enable-asn=nocrypt” for certificate only parsing support
• Benchmark enhancements to print in CSV format and in Japanese
• Added Japanese output to example server and client with “-1 1” flag
• Added USE_ECDSA_KEYSZ_HASH_ALGO macro for building to use digest sizes that match ephemeral key size
• Additional compatibility API’s added, including functions like wolfSSL_X509_CA_num and wolfSSL_PEM_read_X509_CRL
• Adds checking for critical extension with certificate Auth ID and the macro WOLFSSL_ALLOW_CRIT_SKID to override the check
• Added public key callbacks to ConfirmSignature function to expand public key callback support
• Added ECC and Curve25519 key generation callback support
• Additional support for parsing certificate subject OIDs (businessCategory, jurisdiction of incorporation country, and jurisdiction of incorporation state)
• Added  wc_ecc_ecport_ex and wc_export_inti API's for ECC hex string exporting
• Added support for parsing PIV format certificates with the function wc_ParseCertPIV and macro WOLFSSL_CERT_PIV
• Added APIs to support GZIP
• Version resource added for Windows DLL builds

Optimizations:

• Memory free optimizations with adding in earlier free’s where possible
• ALT_ECC_SIZE use with SP math
• Stack size reduction with smallstack build
• Fix for assembly optimized version of Curve25519
• Fix for DH algorithm when using SP math with ARM assembly

Macro and Behavior Changes:

• Renamed the macro INLINE to WC_INLINE for inline functions
• Made modifications to the primality testing so that the Miller-Rabin tests check against up to 40 random numbers rather than a fixed list of small primes
• Make SOCKET_PEER_CLOSED_E consistent between read and write cases

For a full list of changes see the changelog located at https://www.wolfssl.com/docs/wolfssl-changelog/