wolfSSL adds ShangMi ciphers and algorithms SM2, SM3, and SM4 to wolfCrypt

As many people know, Chinese government regulators are now mandating use of SM2, SM3 and SM4 in critical systems, including automobiles, avionics, power systems, and communication systems. Since many of our customers are multi-nationals that do business in China, they have been requesting the addition of these algorithms in wolfSSL products.

Today we are about to release our supported versions of SM2, SM3, and SM4, with the intention to release the ZUC stream cipher at some point this year to completely satisfy SM9. We are also in contact with labs regarding support of OSCCA certification at some point in the future.

This is really great news for our customers selling into Chinese markets!

For those readers considering using wolfSSL products, here’s some additional notes:

  • The SM Ciphers will be fully supported in wolfSSL’s TLS 1.3 implementation.
  • wolfSSH, wolfBoot and our other products will support ShangMi ciphers.
  • ARM, Intel, and RiscV assembly is in the works for our SM implementations for maximum performance.
  • We will continue to support bare metal for ZUC, SM2, SM3, and SM4.
  • True to form, we have maximized performance and minimized size, so the ShangMi algorithms will work well for embedded systems use cases on a wide variety of microcontrollers (MCU’s). They will be available for all of the MCU silicon that we currently support, including STM32, NXP i.MX, RISC-V, Renesas RA, RX, and Synergy, Nordic NRF32, Microchip PIC32, Infineon Aurix, TI MSP, and many others.
  • Our GPLv2 licensed versions of the SM ciphers will be made available on GitHub and for download.

Commercially licensed versions are available.

If you have questions about our support for the ShangMi ciphers and algorithms, please contact us at facts@wolfSSL.com, or call us at +1 425 245 8247.

Download wolfSSL Now

Improved Silicon Labs Simplicity Studio support

In WolfSSL release v5.6.4 we have added support for Silicon Labs’ Simplicity Studio. In addition we have tested with the ERF32xG21 series of chips and have created an example setup. More information can be found in the WolfSSL repo.

Using our benchmarking tool, we have the following results from a Cortex M33 at 80MHz:

wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)    
RNG 200 KiB took 1.057 seconds 189.215 KiB/s  
AES-128-CBC-enc 6 MiB took 1.000 seconds 5.542 MiB/s  
AES-128-CBC-dec 6 MiB took 1.000 seconds 5.518 MiB/s  
AES-192-CBC-enc 5 MiB took 1.001 seconds 5.415 MiB/s  
AES-192-CBC-dec 5 MiB took 1.001 seconds 5.390 MiB/s  
AES-256-CBC-enc 5 MiB took 1.004 seconds 5.301 MiB/s  
AES-256-CBC-dec 5 MiB took 1.001 seconds 5.268 MiB/s  
AES-128-GCM-enc 5 MiB took 1.003 seconds 4.844 MiB/s  
AES-128-GCM-dec 5 MiB took 1.003 seconds 4.625 MiB/s  
AES-192-GCM-enc 5 MiB took 1.002 seconds 4.751 MiB/s  
AES-192-GCM-dec 5 MiB took 1.002 seconds 4.532 MiB/s  
AES-256-GCM-enc 5 MiB took 1.002 seconds 4.654 MiB/s  
AES-256-GCM-dec 4 MiB took 1.000 seconds 4.443 MiB/s  
AES-128-GCM-enc-no_AAD 5 MiB took 1.004 seconds 4.888 MiB/s  
AES-128-GCM-dec-no_AAD 5 MiB took 1.001 seconds 4.658 MiB/s  
AES-192-GCM-enc-no_AAD 5 MiB took 1.000 seconds 4.785 MiB/s  
AES-192-GCM-dec-no_AAD 5 MiB took 1.000 seconds 4.565 MiB/s  
AES-256-GCM-enc-no_AAD 5 MiB took 1.004 seconds 4.693 MiB/s  
AES-256-GCM-dec-no_AAD 4 MiB took 1.003 seconds 4.479 MiB/s  
GMAC Small 5 MiB took 1.000 seconds 4.653 MiB/s  
CHACHA 2 MiB took 1.012 seconds 1.809 MiB/s  
CHA-POLY 1 MiB took 1.006 seconds 1.189 MiB/s  
POLY1305 5 MiB took 1.004 seconds 5.082 MiB/s  
SHA 8 MiB took 1.000 seconds 7.812 MiB/s  
SHA-256 8 MiB took 1.000 seconds 8.032 MiB/s  
HMAC-SHA 7 MiB took 1.000 seconds 7.056 MiB/s  
HMAC-SHA256 7 MiB took 1.002 seconds 7.237 MiB/s  
RSA 2048 public 30 ops took 1.022 sec avg 34.067 ms 29.354 ops/sec
RSA 2048 private 2 ops took 2.398 sec avg 1199.000 ms 0.834 ops/sec
ECC [SECP256R1] 256 key gen 172 ops took 1.004 sec avg 5.837 ms 171.315 ops/sec
ECDHE [SECP256R1] 256 agree 186 ops took 1.005 sec avg 5.403 ms 185.075 ops/sec
ECDSA [SECP256R1] 256 sign 174 ops took 1.007 sec avg 5.787 ms 172.790 ops/sec
ECDSA [SECP256R1] 256 verify 160 ops took 1.003 sec avg 6.269 ms 159.521 ops/sec

If you have questions about any of the above, please contact us at facts@wolfSSL.com, call us at +1 425 245 8247 or visit out FAQ page.

Download wolfSSL Now

Targets supported by wolfBoot

Designed by Freepik: www.freepik.com

Here at wolfSSL, we pride ourselves on the portability of our products. An essential part of the real-world applicability of our projects is that they can run in various environments in support of various use cases. We recently published an incomplete list of parts that our SSL/TLS library wolfSSL has been run on. Since our secure bootloader wolfBoot shares the same flexibility, we wanted to share a similar list of supported targets and architectures.

Here’s a list of supported CPU architectures:

CPU Architectures
ARMv6-M Cortex-M0
ARMv7-A Cortex-A9
ARMv7-M Cortex-M3
ARMv7-M Cortex-M4
ARMv7-M Cortex-M7
ARMv7-R Cortex-R5
ARMv8-A Cortex-A53
ARMv8-A Cortex-A57
ARMv8-M Cortex-M33
PowerPC 32-Bit
PowerPC 64-Bit
RV32 32-Bit RISC-V
Intel x86 32-Bit
Intel x86 64-Bit
RXv3 core

Here’s a list of supported hardware parts and their manufacturers:

Part Manufacturer
Xilinx UltraScale+ ZCU102 AMD
PSoC 62S2 Infineon/Cypress
i.MX-RT1050 NXP/Freescale
i.MX-RT1060 NXP/Freescale
i.MX-RT1064 NXP/Freescale
Kinetis K64 NXP/Freescale
Kinetis K82 NXP/Freescale
QorIQ P1021 NXP/Freescale
QorIQ T1024 NXP/Freescale
QorIQ T2080 NXP/Freescale
QorIQ LS1028A NXP/Freescale
LPC54xxxx NXP/Freescale
nRF5280 Nordic
11th Gen Core i7 (Tiger Lake) Intel
PI3 RaspberryPi
RX72N Renesas
RA6M4 Renesas
STM32C0xx ST Microelectronics
STM32F4xx ST Microelectronics
STM32F7xx ST Microelectronics
STM32G0xx ST Microelectronics
STM32H7xx ST Microelectronics
STM32L0xx ST Microelectronics
STM32L4xx ST Microelectronics
STM32L5xx ST Microelectronics
STM32U5xx ST Microelectronics
STM32WBxx ST Microelectronics
HiFive1 SiFive (RISC-V)
ATSAMR21 Microchip (Atmel)
TM4C1294xx Texas Instruments
TMS570lc4xx Texas Instruments
CC26x2 Texas Instruments

For info on the wolfBoot configuration details of the targets listed above, visit https://github.com/wolfSSL/wolfBoot/blob/master/docs/Targets.md. For wolfBoot usage examples, visit https://github.com/wolfSSL/wolfBoot-examples.

Don’t see your part/architecture on this list? Not to worry! The minimalistic design and tiny HAL API of wolfBoot make it portable to the highest degree. Reach out to us letting us know the details of your system and we can get you in touch with our porting experts.

If you have questions, comments, and suggestions about any of the above, contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

XMSS and LMS in wolfBoot and wolfCrypt for CNSA 2.0

Designed by Freepik: www.freepik.com

Have you seen the recently released wolfBoot v2.0.0? It is full of a lot of interesting new features and optimizations. You can see full detail in the changelog.

What about the CNSA 2.0 Guidance? We’ve mentioned it many times in our blog posts. You can find it here.

You might be wondering, what do these have to do with each other? The NSA’s CNSA 2.0 guidance specifically states that LMS/HSS and XMSS/XMSS^MT are appropriate for firmware signing. These algorithms are now supported in the 2.0.0 release of wolfBoot. They depend on our LMS and XMSS integrations in wolfCrypt which are part of the recently released 5.6.4 version of wolfSSL! So, you can start working with these algorithms and signing and verifying your firmware images TODAY.

Being able to do that today is really important because the CNSA 2.0 says that LMS/HSS and XMSS/XMSS^MT are to be added as an option and tested in your systems and products today. By 2025, only a year from now, these algorithms are to be the default and preferred algorithms. By 2030, all other algorithms are to be phased out.

Are you ready to meet these expectations? You are if you use wolfBoot!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Keystores and Secure Elements supported by wolfSSL/wolfCrypt

When looking to store your cryptographic secrets, it is important to have a good platform to store them on. Even more important is the ease of accessing and using those secrets. With wolfTPM, we have already added support for the following platforms:

  • Raspberry Pi (Linux)
  • MMIO (Memory mapped IO)
  • STM32 with CubeMX
  • Atmel ASF
  • Xilinx (Ultrascale+ / Microblaze)
  • QNX
  • Infineon TriCore (TC2xx/TC3xx)
  • Barebox

These TPM (Trusted Platform Module) 2.0 modules are tested and running in the field:

  • STM ST33TP* SPI/I2C
  • Infineon OPTIGA SLB9670/SLB9672
  • Microchip ATTPM20
  • Nations Tech Z32H330TC
  • Nuvoton NPCT650/NPCT750

For direct Secure Element access, we have ports in wolfSSL for:

Wolfcrypt has support for the following:

For more detailed information on our supported hardware take a look at our Hardware Support list.

We also offer support for PKCS11 to interface to various HSMs like:

  • Infineon TriCore Aurix
  • Renesas RH850
  • ST SPC58

Wolfcrypt also gives support for PSA (Platform Security Architecture). This includes the following algorithms:

  • hashes: SHA-1, SHA-224, SHA-256
  • AES: AES-ECB, AES-CBC, AES-CTR, AES-GCM, AES-CCM
  • ECDH PK callbacks (P-256)
  • ECDSA PK callbacks (P-256)
  • RNG

Another product of interest could be wolfBoot, which – as the name suggests – is a bootloader that can use an HSM (Hardware Security Module) for validation and verification. It supports use of the ARM TrustZone technology. WolfBoot also supports all of the TPMs and secure elements listed above, as it inherits all of wolfCrypt’s capabilities. WolfBoot can also be used in an fTPM (Firmware TPM) environment where the bootloader code is running on the same device as the one providing TPM functionality.

Check out the latest updates on the keystores and secure elements supported by wolfSSL.

If you have questions about any of the above, please contact us at facts@wolfSSL.com, call us at +1 425 245 8247 or view our FAQ page.

Download wolfSSL Now

Partnership News: wolfSSL and Weston Embedded Solutions

wolfSSL is proud to partner with Weston Embedded Solutions, developers of the Cesium RTOS line of real time kernels and protocol stacks for embedded systems. Weston Embedded Solutions and their products trace their roots back to Micrium and the popular uC/OS software that pioneered the use of real time kernels more than 30 years ago. Cesium RTOS is popular among customers demanding real time performance and proven reliability in the most critical embedded applications. This partnership allows wolfSSL to broaden its portfolio of supported real time operating systems giving customers integrated access to the most reliable and trusted embedded kernels and middleware components.

The combination of wolfSSL’s state-of-the-art SSL/TLS library and Weston Embedded Solutions’ highly reliable Cesium RTOS provide a level of protection that is simply unmatched in the industry. Customers can now enjoy enhanced security and performance, reduced development time, and increased flexibility in their embedded systems.

The ultra configurability of wolfSSL will let you make the optimizations and trade offs that make the most sense for you. Whether your application requires a small code size, no stack usage, no heap usage, minimal memory usage or blazing performance, wolfSSL and Weston Embedded Solutions will get you where you need to be.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfBoot: support for post-quantum secure-boot with XMSS/XMSS^MT signatures

Designed by Freepik: www.freepik.com

wolfBoot v2.0 is here, and with it a number of new features and enhancements. Rounding out our post-quantum support, in addition to LMS/HSS, wolfBoot now supports the XMSS/XMSS^MT post-quantum stateful hash-based signature (HBS) scheme. XMSS is the eXtended Merkle Signature Scheme, while XMSS^MT is its multi-tree generalization that allows it to scale efficiently into a large number of signatures by constructing a hypertree from layers of XMSS subtrees.

Like our previous LMS support, XMSS wolfBoot support includes keygen, signing, verifying, and importing externally generated public keys. Furthermore, XMSS wolfBoot support builds on our previous XMSS wolfCrypt integration, and thus supports all SHA256 parameter sets from tables 10 and 11 of NIST SP 800-208, while also allowing for hardware acceleration of hash operations when computing the hash-chains needed for XMSS signatures.

Thus wolfBoot now supports both post-quantum stateful HBS schemes recommended by NIST SP 800-208 and the NSA’s CNSA 2.0 suite. Do you have a post-quantum secure-boot requirement from the CNSA 2.0 timeline? Are you curious about integrating post-quantum support into your secure-boot process? If so, please contact us at facts@wolfSSL.com.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfBoot support for Renesas RX72N

Designed by @Noxifer81

We are excited to announce wolfBoot’s support for the Renesas RX72N. The RX72N MCU is the flagship model of RX series, using a 32-bit RX72N 240 MHz microcontroller.

wolfBoot is a portable secure bootloader solution that offers firmware authentication and firmware update mechanisms. Due to its minimalistic design and tiny HAL API, wolfBoot is completely independent from any OS or bare-metal application.

By adding wolfBoot support for the board, it demonstrates simple secure firmware update by wolfBoot. A sample application v1 is securely updated to v2. Both versions behave the same except displaying its version of v1 or v2. They are compiled by e2Studio and run on the target board. Detailed steps to run the application can be found at GitHub README.

Additionally, you are able to run wolfBoot with Renesas TSIP (Trusted Secure IP) driver, which supports high-speed hardware encryption. You can find the Readme at wolfBoot GitHub.

Current support for Renesas TSIP driver acceleration includes:

  • SHA256/RSA

If interested in trying wolfBoot on the RX72N or have questions about any of the above, please contact facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Live Webinar: Mastering libcurl with Daniel Stenberg

We are excited to invite you to our upcoming two-part webinar series on Mastering libcurl, presented by the founder and lead developer of cURL and libcurl, Daniel Stenberg. The first part will take place on November 16th at 9 AM PT, and the second part is scheduled for November 20th at 9 AM PT.

Watch the webinars here:

Part 1: Mastering libcurl part 1

Part 2: Mastering libcurl part 2

Sneak peek of the webinar

  • Getting started with cURL
  • API and Architecture
  • Functional Features
  • Advanced Functionality
  • HTTP, URLs and more

libcurl is a powerful tool that has revolutionized the way developers interact with the internet. Whether you’re a seasoned programmer or a curious novice, this webinar is the perfect opportunity to unlock your potential and discover the endless possibilities of libcurl.

Don’t miss out on this exclusive webinar to learn from the founder of cURL and take your development skills to the next level. Click the links above to watch now!

Check out Daniel’s blog for more details.

As always, our webinars will include Q&A sessions throughout. If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfSSL Release 5.6.4

wolfSSL version 5.6.4 is now available! This update introduces a number of exciting new features. We’ve added post-quantum support to DTLS 1.3, expanded sniffer support with keylog use, integrated post-quantum stateful hash-based signature schemes like LMS/HSS and XMSS/XMSS^MT, introduced Ada bindings, expanded our range with additional SM2 cipher suites, and incorporated AES EAX mode, and much more! Alongside these enhancements, the release brings quality improvements and addresses one identified vulnerability. You can review the full rundown of updates in the included ChangeLog.md. Here’s a breakdown of the latest features and enhancements:

New Feature Additions

  • DTLS 1.3 PQC: support fragmenting the second ClientHello message. This allows arbitrarily long keys to be used, opening up support for all PQC ciphersuites in DTLS 1.3.
  • SM2/SM3/SM4: Chinese cipher support including TLS 1.3 and 1.2 cipher suites. SM2 SP math implementation available for improved performance and minimum size. Bare metal support available.
  • Ability to parse ASN1 only with SMIME_read_PKCS7
  • Added support for MemUse Entropy on Windows
  • Added Ada Bindings for wolfSSL, benefiting Ada language users who need to add security and FIPS to their designs.
  • Added a PEM example that converts to and from DER/PEM.
  • Added LMS/HSS and XMSS/XMSS^MT stateful hash-based signature scheme wolfcrypt hooks, both normal and verify-only options. wolfBoot, wolfSSH, and wolfSSL will inherit this functionality from wolfCrypt for users moving to CNSA 2.0
  • Added support for the AES EAX mode of operation
  • Port for use with Hitch (https://github.com/varnish/hitch) added
  • Add XTS API’s to handle multiple sectors in the new port to VeraCrypt. VeraCrypt users now have access to FIPS based encryption of wolfCrypt.
  • Sniffer tool now supports decrypting TLS sessions using secrets obtained from a SSLKEYLOGFILE

Enhancements and Optimizations

  • Turned on SNI by default on hosts with resources
  • Improved support for Silicon Labs Simplicity Studio and the ERF32 Gecko SDK
  • Thumb-2 and ARM32 Curve25519 and Ed25519 assembly have significantly improved performance.
  • Thumb-2 AES assembly code added.
  • Thumb-2 and ARM32 SP implementations of RSA, DH and ECC have significantly improved performance.
  • Minor performance improvements to SP ECC for Intel x64.
  • AES-XTS assembly code added for Intel x64, Aarch64 and ARM32 to dramatically improve performance
  • Added support for X963 KDFs to ECIES.
  • Added 32-bit type only implementation of AES GMULT using tables.
  • Add support for nginx version 1.25.0 for those using nginx with wolfSSL
  • Add support for Kerberos version 5 1.21.1
  • Check all CRL entries in case a single issuer has multiple CRL’s loaded
  • CRL verify of the entire chain including loaded CA’s
  • Added example for building wolfSSL as an Apple universal binary framework using configure

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Posts navigation

1 2 3 27 28 29 30 31 32 33 189 190 191