Category: Uncategorized

Do you need a FIPS 140-2 validated cryptography library for your ARM-based platform? wolfCrypt has been FIPS 140-2 validated on several different operating environments to date, some of which have been on resource-constrained ARM-based devices.

FIPS validating a crypto library on a resource-constrained device can be more involved than doing a validation on a standard desktop-like platform. Variances in OS, Flash/RAM, filesystem (or lack of), entropy, communication, and more can make things interesting. Going through our past ARM-based validations, we have figured out how to make this process easier with wolfCrypt!

If you are interested in exploring FIPS 140-2 cryptography validations on ARM platforms, reach out to us at facts@wolfssl.com!

Greetings! In this post we are covering Operational Environment’s (OE’s) we worked with this past year. These OE’s were validated under an OEM relationship where the company validating is licensed to resell the wolfCrypt FIPS product under their own brand name.

wolfSSL was particularly excited about both of these projects as they display the great range of capabilities for wolfSSL and the wolfCrypt FIPS module.

The first OE was an embedded system with Cortex M4 processor and the second was a backend server where the wolfSSL product scales nicely due to reduced run-time resource use!

wolfSSL is happy to assist with OEM FIPS validation and rebranding if the situation fits! We would love to hear from you, contact us anytime: fips@wolfssl.com

If you missed the first part in our series, you can read it here!

wolfSSL 3.12.0 is now available for download! This release contains bug fixes, new features, and includes fixes for one security vulnerability (low level).

The one low level vulnerability fix included in this release is in relation to a potential DoS attack on a wolfSSL client. Previously a client would accept many warning alert messages without a limit. This fix puts a limit to the number of warning alert messages received and if this limit is reached a fatal error ALERT_COUNT_E is returned. The max number of warning alerts by default is set to 5 and can be adjusted with the macro WOLFSSL_ALERT_COUNT_MAX. Thanks for the report from Tarun Yadav and Koustav Sadhukhan from Defence Research and Development Organization, INDIA.

Continue reading below for a summary of the features and fixes included in this release.

TLS 1.3 Support!

If you follow wolfSSL’s blog, you may have heard discussion about our TLS 1.3 BETA support. wolfSSL 3.12.0 is the first stable release that contains our TLS 1.3 support (client and server side)! This means that you can pair TLS 1.3 with your favorite other features and project ports too! TLS 1.3 with Nginx! TLS 1.3 with ARMv8! and TLS 1.3 with Async Crypto!

Enable TLS 1.3 draft 20 support using the “–enable-tls13” configure option, or the older draft 18 support with the “–enable-tls13-draft18” option. wolfSSL also supports 0RTT with TLS 1.3, which can be enabled with “–enable-earlydata”.

For more information about using wolfSSL with TLS 1.3, visit our TLS 1.3 webpage, or contact us at support@wolfssl.com.

Build and Configure Option Changes

– Added enable all feature (–enable-all)
– Added trackmemory feature (–enable-trackmemory)
– Fixes for compiling wolfSSL with GCC version 7, most dealing with switch statement fall through warnings.
– Added warning when compiling without hardened math operations

Intel Assembly Improvements, Intel SGX Linux Support, and Intel QuickAssist Support

For users of wolfSSL on Intel platforms, we have made improvements including:

– A port of wolfSSL for Intel SGX with Linux. We previously only supported Intel SGX with Windows.
– AVX and AVX2 assembly instructions for improved ChaCha20 performance
– Intel QAT fixes for when using –disable-fastmath
– Improvements and enhancements to Intel QuickAssist support

Note: There is a known issue with using ChaCha20 AVX assembly on versions of GCC earlier than 5.2. This is encountered with using the wolfSSL enable options “–enable-intelasm” and “–enable-chacha”. To avoid this issue ChaCha20 can be enabled with “–enable-chacha=noasm”.

If using “–enable-intelasm” and also using “–enable-sha224” or “–enable-sha256” there is a known issue with trying to use “-fsanitize=address”.

Official SHA-3 Support (Keccak)

Previously wolfSSL only supported the SHA-3 runner-up Blake2b. wolfSSL now additionally supports the final SHA-3 winner, Keccak. This can be enabled with the “–enable-sha3” configure option. It is enabled by default on x86_64 platforms.

DTLS Multicast and Updates

For our DTLS users, wolfSSL now supports DTLS Multicast with “–enable-mcast”! In addition, this release also contains:

– An update to how DTLS handles decryption and MAC failures
– An update to the DTLS session export version number for use with the “–enable-sessionexport” option

For more details about DTLS Multicast, get in touch with us at facts@wolfssl.com!

New and Updated Hardware Ports

With this release, we have update several of our hardware ports and added a few new ones as well, including:

– Update and fix for our Microchip PIC32MZ port
– Fix for STM32F4 AES-GCM
– Addition of a Xilinx port, based on the UltraZed-EG Starter Kit based on the Xilinx Zynq® UltraScale+™ MPSoC
– Addition of SHA-224 and AES key wrap to ARMv8 port
– Additional input argument sanity checks to ARMv8 assembly port

Enhanced Testing

– Additional unit testing for MD5, SHA, SHA224, SHA256, SHA384, SHA512, RipeMd, HMAC, 3DES, IDEA, ChaCha20, ChaCha20Poly1305 AEAD, Camellia, Rabbit, ARC4, AES, RSA, HC-128

Updated Operating System Ports

– Update TI-RTOS port for dependency on new wolfSSL source files
– Update MQX Classic and mmCAU ports
– Fix ThreadX/NetX warning

wolfSSL Python Wrapper

– Expand wolfSSL Python wrapper to now include a client side implementation

wolfSSL Python Wrapper Documentation
wolfCrypt Python Wrapper Documentation

Other Additions and Modifications

Other changes that this release contains includes:

– Fix for making PKCS12 dynamic types match
– Fixes for potential memory leaks when using –enable-fast-rsa
– Fix for when using custom ECC curves and add BRAINPOOLP256R1 test
– Fix for Async crypto with GCC 7.1 and HMAC when not using Intel QuickAssist
– Added more sanity checks to fp_read_unsigned_bin function
– Fix for potential buffer over read with wolfSSL_CertPemToDer
– Add PKCS7/CMS decode support for KARI with IssuerAndSerialNumber
– Added RSA PSS sign and verify
– Fixes for AES key wrap and PKCS7 on Windows VS
– Support use of staticmemory with PKCS7
– Fix for Blake2b build with GCC 5.4
– Fixes for OCSP and CRL non blocking sockets and for incomplete cert chain with OCSP

Updated Examples

– Adjust example servers to not treat a peer closed error as a hard error
– Added benchmark block size argument

If you have any questions about the new release, or using wolfSSL in your project, please contact us at facts@wolfssl.com

libFuzzer, a fuzzing engine created by LLVM, is now being used to test the wolfSSL library. Below is a short description of libFuzzer, taken from LLVM’s website here.

LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entrypoint (aka “target function”); the fuzzer then tracks which areas of the code are reached, and generates mutations on the corpus of input data in order to maximize the code coverage. The code coverage information for libFuzzer is provided by LLVM’s SanitizerCoverage instrumentation.

With this tool, wolfSSL API are being tested on how well they can handle random gibberish, poorly formatted certificates, and other forms of data that are created and input by the user. These tests are being used to detect buffer-overflow bugs, segmentation faults, memory leaks, undefined behaviors, and many other bugs that could potentially be used to exploit the wolfSSL library.

If you are interested in further details of how wolfSSL is using libFuzzer, email us at facts@wolfssl.com.

wolfSSL is pleased to bring our community a report of the past years FIPS activities. In part one of this three-part series we will cover the new Operating Environments (OEs) added to the wolfSSL certificate in the past year + CAVP algorithm testing done by wolfSSL.

Part two of this series will cover OEs tested by wolfSSL for OEM partners.

Part Three of this series will cover on-site consulting services offered by wolfSSL and some of the commentary from our on-site consulting engineers.

This past year wolfSSL added the following OEs to the wolfCrypt certificate on 06/23/2016

wolfSSL also performed algorithm testing or CAVP only validation for AES in these OEs:

The following AES modes of operation were tested: ECB, CBC, CMAC, GMAC, and GCM. The algo certificates can be visited via the following links.
http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#4452 (3/31/2017)
http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#4027 (7/31/2016)

wolfSSL also performed algorithm testing or CAVP only validation for SHA-256 on the Same OEs.
Those certificates can be found via the following links.
http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.html#3665 (3/31/2017)
http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.html#3320 (7/31/2016)

wolfSSL offers several FIPS services including but not limited to: OEM revalidations, on-site consulting for receiving your own FIPS validation, or just a traditional FIPS validation for your operating environment. For more info please contact fips@wolfssl.com and we will be happy to discuss details with you!

As we’ve mentioned in a previous blog post one of the key advantages of TLS 1.3 is the reduction in round-trips.  Older versions of the TLS protocol require two complete round-trips before the client sends the application data.  With TLS v1.3 only 1 round-trip is required!  This means network latency has less impact on the time required to establish a secure connection.  We recently completed a handshake benchmark with various latencies to make sure wolfSSL is taking advantage of the reduced latency in TLS 1.3.

For more details on using TLS v1.3 with wolfSSL, please contact us at facts@wolfssl.com

The wolfCrypt cryptography library is now available to Java developers! wolfSSL recently released a JNI wrapper and JCE provider that wraps the native C wolfCrypt library.

The JCE (Java Cryptographic Extension) framework supports the installation of custom Cryptographic Service Providers which can in turn implement a subset of the underlying cryptographic functionality used by the Java Security API. The “wolfcrypt-jni” package contains both a thin wolfCrypt JNI wrapper as well as a wolfCrypt JCE provider.

This package has been tested with several different JDK variants, including OpenJDK, Oracle JDK, and Android. It also ships with pre-signed JAR files for use with Oracle JDK versions that verify JCE provider classes.

Classes and algorithms currently supported by the wolfCrypt JCE Provider:

java.security.MessageDigest
MD5, SHA-1, SHA-256, SHA-384, SHA-512

java.security.SecureRandom
HashDRBG

javax.crypto.Cipher
AES/CBC/NoPadding
DESede/CBC/NoPadding
RSA/ECB/PKCS1Padding

javax.crypto.Mac
HmacMD5, HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512

java.security.Signature
MD5withRSA, SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA
SHA1withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA

javax.crypto.KeyAgreement
DiffieHellman, DH, ECDH

java.security.KeyPairGenerator
EC, DH

You can download the wolfCrypt JNI wrapper and JCE provider from the wolfSSL download page, or look over the wolfJCE User Manual. Please send any feedback or questions to us at facts@wolfssl.com.

As our readers have seen us post about in the past, NXP has a new LP Trusted Crypto (LTC) core which accelerates RSA/ECC PKI in their Kinetis K8x line.

The LTC hardware accelerator improves:
* RSA performance by 12-17X
* ECC performance by 18-23X
* Ed/Curve25519 performance by 2-3X.

wolfSSL now provides support for TLS 1.3 (#TLS13), which was introduced in an internet draft in October of 2016.

If desired, the LTC hardware accelerator can be combined with TLS 1.3, providing:

* Reduced number of round trips while performing a full handshake
* A repurposed ticketing system allows for servers to be stateless
* More attack resistance from improvements to renegotiation, compression, CBC, padding, etc.

Support for the NXP LTC adds to wolfSSL’s existing mmCAU support, now accelerating RNG, AES (CBC, CCM, GCM, CTR), DES/3DES, MD5, SHA, SHA256, SHA384/512 and ChaCha20/Poly1305.

The combined LTC/MMCAU hardware acceleration improves performance, reduces power consumption and reduces code size by 40%.

Here are the benchmarks on a FRDM-K82F Cortex M4 @ 150MHz:

Hardware Accelerated (LTC / MMCAU):
RNG      25 kB took 0.026 seconds,    0.939 MB/s
AES enc  25 kB took 0.002 seconds,   12.207 MB/s
AES dec  25 kB took 0.002 seconds,   12.207 MB/s
AES-GCM  25 kB took 0.002 seconds,   12.207 MB/s
AES-CTR  25 kB took 0.003 seconds,    8.138 MB/s
AES-CCM  25 kB took 0.004 seconds,    6.104 MB/s
CHACHA   25 kB took 0.008 seconds,    3.052 MB/s
CHA-POLY 25 kB took 0.013 seconds,    1.878 MB/s
POLY1305 25 kB took 0.003 seconds,    8.138 MB/s
SHA      25 kB took 0.006 seconds,    4.069 MB/s
SHA-256  25 kB took 0.009 seconds,    2.713 MB/s
SHA-384  25 kB took 0.032 seconds,    0.763 MB/s
SHA-512  25 kB took 0.035 seconds,    0.698 MB/s
RSA 2048 public          12.000 milliseconds, avg over 1 iterations
RSA 2048 private         135.000 milliseconds, avg over 1 iterations
ECC  256 key generation  17.400 milliseconds, avg over 5 iterations
EC-DHE   key agreement   15.200 milliseconds, avg over 5 iterations
EC-DSA   sign   time     20.200 milliseconds, avg over 5 iterations
EC-DSA   verify time     33.000 milliseconds, avg over 5 iterations
CURVE25519 256 key generation 14.400 milliseconds, avg over 5 iterations
CURVE25519 key agreement      14.400 milliseconds, avg over 5 iterations
ED25519  key generation  14.800 milliseconds, avg over 5 iterations
ED25519  sign   time     16.800 milliseconds, avg over 5 iterations
ED25519  verify time     30.400 milliseconds, avg over 5 iterations

Software only:
RNG      25 kB took 0.179 seconds,    0.136 MB/s
AES enc  25 kB took 0.099 seconds,    0.247 MB/s
AES dec  25 kB took 0.102 seconds,    0.239 MB/s
AES-GCM  25 kB took 1.486 seconds,    0.016 MB/s
AES-CTR  25 kB took 0.099 seconds,    0.247 MB/s
AES-CCM  25 kB took 0.201 seconds,    0.121 MB/s
CHACHA   25 kB took 0.043 seconds,    0.568 MB/s
CHA-POLY 25 kB took 0.055 seconds,    0.444 MB/s
POLY1305 25 kB took 0.010 seconds,    2.441 MB/s
SHA      25 kB took 0.029 seconds,    0.842 MB/s
SHA-256  25 kB took 0.079 seconds,    0.309 MB/s
SHA-384  25 kB took 0.109 seconds,    0.224 MB/s
SHA-512  25 kB took 0.113 seconds,    0.216 MB/s
RSA 2048 public          147.000 milliseconds, avg over 1 iterations
RSA 2048 private         2363.000 milliseconds, avg over 1 iterations
ECC  256 key generation  355.400 milliseconds, avg over 5 iterations
EC-DHE   key agreement   352.400 milliseconds, avg over 5 iterations
EC-DSA   sign   time     362.400 milliseconds, avg over 5 iterations
EC-DSA   verify time     703.400 milliseconds, avg over 5 iterations
CURVE25519 256 key generation 66.200 milliseconds, avg over 5 iterations
CURVE25519 key agreement      65.400 milliseconds, avg over 5 iterations
ED25519  key generation  25.000 milliseconds, avg over 5 iterations
ED25519  sign   time     30.400 milliseconds, avg over 5 iterations
ED25519  verify time     74.400 milliseconds, avg over 5 iterations

For more information on how wolfSSL supports TLS 1.3, check out this page.

Download wolfSSL from our download page today!  These changes are also included in the KSDK 2.0.

TLS 1.3 is now available

wolfSSH v1.2.0 is currently a work in process. We have just added support for Elliptic Curve algorithms and AES-GCM. The following key exchange and public key algorithms are now available:

• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521
• ecdsa-sha2-nistp256
• ecdsa-sha2-nistp384
• ecdsa-sha2-nistp521

The new encryption algorithm that is available is “aes128-gcm@openssh.com”, which is an implementation of RFC 5647, using the MAC algorithm implied with using the AEAD algorithm AES-GCM.

We look forward to bigger and better additions to wolfSSH in the near future, allowing a richer SSH experience in the IoT. Please see our wolfSSH page for more information and check out a download of wolfSSL.

wolfSSL is glad to announce that it is incorporating American Fuzzy Lop (AFL) into its testing suite.

Improving security is the at the heart of what wolfSSL is about. That is why wolfSSL has decided to include the AFL fuzzer to its list of tools. Finding bugs first locally allows our teams to make improvements to our libraries helping to eliminate vulnerabilities before they are released in our stable product releases.

Why choose AFL?

AFL is fast and efficient and here at wolfSSL we preach the importance of speed and efficiency. There is also an impressive “trophy case” of bugs found on the AFL home page here. Among the programs listed in the trophy case are several SSL/TLS libraries proving that this fuzzer works for encrypted communications. Finally, AFL is open source like wolfSSL allowing the freedom to look under the hood.

Where we Stand now and our Plans for the Future.

Currently we have 26 individual API tests that cover some of the most common function calls in the wolfSSL library. These tests will be ran daily and if anything of interest is found our teams will be notified right away. We plan to increase the number of tests run as our team determines which API stands to benefit from fuzz testing the most. Our teams are excited to see what AFL can find in the upcoming months as they work alongside it to bring you one of the best TLS/SSL libraries available.

american fuzzy lop (AFL)
wolfSSL SSL/TLS library