wolfSSH STM32Cube Expansion Package for STM32 is now available!

wolfSSH offers all the functionality of a SSH server and client in a compact and microcontroller friendly library and is now available for use as an STM32Cube Package. wolfCrypt, the crypto engine for wolfSSH, heavily supports STM32 hardware and now you can leverage wolfSSH as an SSH solution in the same environment. wolfSSH supports SSH protocol v.2 with both password and public key based authentication and is the easiest way to implement SFTP and SCP on embedded targets, giving the possibility to customize the actions associated with remote filesystem access operations.

Download the new STM32Cube Pack from https://www.wolfssl.com/files/ide/I-CUBE-wolfSSH.pack and follow the documentation here to get started.

You can also reference this webinar for more insight on running wolfSSL on STM32 hardware. How to use wolfSSL software expansion for STM32Cube

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL pthread_rwlock Support

wolfSSL uses mutexes for most locking synchronization. In release 5.6.0 we have added support for pthread_rwlock_t (https://github.com/wolfSSL/wolfssl/pull/5952 and https://github.com/wolfSSL/wolfssl/pull/6086). It is currently implemented in the session caching logic. This will speed up multi-threaded servers by allowing multiple threads to read from the cache simultaneously. We also recommend multi-threaded servers to define ENABLE_SESSION_CACHE_ROW_LOCK when building wolfSSL. This will initialize and use a separate lock for each row in the cache.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL Supported Open Source Projects

wolfSSL makes a great effort to support many different projects. We provide patches for projects to leverage our OpenSSL Compatibility Layer and work with maintainers to upstream support whenever possible. This blog is a list of currently supported open source projects. The support type denotes how wolfSSL is supported. “Patch” means that we provide a patch file that needs to be applied. “Upstream” means that wolfSSL is supported in the project’s mainline. “Fork” means that we provide a forked version of the library with changes made to support wolfSSL.

List of Supported Projects

Project NameDescriptionSupport TypeLink
apache-httpdApache HTTP ServerPatchhttps://github.com/wolfSSL/osp/tree/master/apache-httpd
asioAsio C++ LibraryPatchhttps://github.com/wolfSSL/osp/tree/master/asio
bind9DNS software systemPatchhttps://github.com/wolfSSL/osp/tree/master/bind9
chronyNetwork Time Protocol ImplementationPatchhttps://github.com/wolfSSL/osp/tree/master/chrony/4.1
cjoseJOSE for C/C++Patchhttps://github.com/wolfSSL/osp/tree/master/cjose
curlcommand-line tool for transferring dataUpstreamhttps://github.com/curl/curl
ffmpegVideo Manipulation UtilityPatchhttps://github.com/wolfSSL/osp/tree/master/ffmpeg
freeradius-server-2.1.12FreeRADIUS Server ProjectPatchhttps://github.com/wolfSSL/osp/tree/master/freeradius-server-2.1.12
gitVersion ControlPatchhttps://github.com/wolfSSL/osp/tree/master/git
haproxyLoad BalancerPatchhttps://github.com/wolfSSL/osp/tree/master/haproxy
hostapdAccess Point and Authentication ServerUpstreamhttps://w1.fi/hostapd/
Kerberos 5Network AuthenticationPatchhttps://github.com/wolfSSL/osp/tree/master/krb5
libestCisco EST stack written in CPatchhttps://github.com/wolfSSL/osp/tree/master/libest
libimobiledeviceLibrary to communicate with services on iOS devicesPatchhttps://github.com/wolfSSL/osp/tree/master/libimobiledevice
libsignal-protocol-cSignal Protocol C LibraryPatchhttps://github.com/wolfSSL/osp/tree/master/libsignal-protocol-c
libspdmSecurity Protocol and Data Model ImplementationPatchhttps://github.com/wolfSSL/osp/tree/master/libspdm/1.0.0
libssh2client-side C library for SSH2Patchhttps://github.com/wolfSSL/osp/tree/master/libssh2/1.9.0
lighttpdlighttpd web serverUpstreamhttps://github.com/lighttpd/lighttpd1.4
mariadbMariaDB relational databasePatchhttps://github.com/wolfSSL/osp/tree/master/mariadb/10.5.11
msmtpSMTP clientPatchhttps://github.com/wolfSSL/osp/tree/master/msmtp/1.8.7
net-snmpSimple Network Management ProtocolPatchhttps://github.com/wolfSSL/osp/tree/master/net-snmp
nginxWeb ServerPatchhttps://github.com/wolfSSL/wolfssl-nginx
ntpNetwork Time ProtocolPatchhttps://github.com/wolfSSL/osp/tree/master/ntp/4.2.8p15
NXP SE05X MiddlewarewolfSSL HostCrypto support patchPatchhttps://github.com/wolfSSL/osp/tree/master/nxp-se05x-middleware
openldapOpen source lightweight directory access protocolPatchhttps://github.com/wolfSSL/osp/tree/master/openldap
openpegasusOpen source DMTF CIM and WBEMPatchhttps://github.com/wolfSSL/osp/tree/master/openpegasus/2.14.1
openrestyNingx and LuaJIT-based web platformPatchhttps://github.com/wolfSSL/osp/tree/master/openresty
OpenSSHSSHPatchhttps://github.com/wolfSSL/osp/tree/master/openssh
OpenVPNVirtual Private NetworkUpstreamhttps://github.com/OpenVPN/openvpn
pppPaul’s PPP PackageForkhttps://github.com/wolfSSL/osp/tree/master/ppp
PythonPython language and interpreterPatchhttps://github.com/wolfSSL/osp/tree/master/Python
qtQt GUI LibraryPatchhttps://github.com/wolfSSL/osp/tree/master/qt
rsyslogrocket-fast Syslog ServerPatchhttps://github.com/wolfSSL/osp/tree/master/rsyslog/8.2106.0
sblim-sfcbSBLIM Small-footprint CIM BrokerPatchhttps://github.com/wolfSSL/osp/tree/master/sblim-sfcb/1.4.9
socatsocat Multipurpose relayPatchhttps://github.com/wolfSSL/osp/tree/master/socat
strongSwanIPsec-based VPNUpstreamhttps://github.com/strongswan/strongswan
stunnelstunnel ProxyPatchhttps://github.com/wolfSSL/osp/tree/master/stunnel
sudoCommand-line UtilityPatchhttps://github.com/wolfSSL/osp/tree/master/sudo/1.9.5p2
tcpdumpCommand-line packet analyzerPatchhttps://github.com/wolfSSL/osp/tree/master/tcpdump/4.9.3
urllib3urllib3 HTTP client for PythonPatchhttps://github.com/wolfSSL/osp/tree/master/urllib3
websocket-clientWebSocket client for PythonForkhttps://github.com/wolfSSL/osp/tree/master/websocket-client
websocketppWebSocket++Forkhttps://github.com/wolfSSL/osp/tree/master/websocketpp
wpa-supplicantWiFi Authentication with WPA, WPA2, and WPA3Upstreamhttps://w1.fi/wpa_supplicant/

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL Release Version 5.6.0

wolfSSL release version 5.6.0 is available now! A couple things to note with this release is that the new and improved ASN parsing, and generation, code is enabled by default now. Additionally we have the upcoming deprecation of –enable-heapmath which is scheduled to be removed by 2024.

This release also saw the addition of DTLS 1.3 stateless ClientHello parsing support. Not only are we leading the pack with adaptation of DTLS 1.3 but we are also adding in features such as the stateless ClientHello support. Some other additions of note were; the port to RT1170 and use of CAAM, update to Stunnel version 5.67, RX64/RX71 hardware acceleration support, and expansion of the compatibility layer.

Improvements to continuous integration testing and some refactoring of our testing framework was done during the last release cycle. To stay the best tested crypto on the market we are constantly trying to improve the testing that we do. This release also had some nice fixes that were made.

A full list of the changes can be found in the ChangeLog.md file bundled with wolfSSL. If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL and wpa_supplicant FIPS

What is the difference in modes with wpa_supplicant using wolfSSL FIPS vs non FIPS? Some of the algorithms are restricted when using CONFIG_FIPS=y while building wpa_supplicant. This is not a limitation in wpa_supplicant or in wolfSSL, but is due to restrictions and guidelines put in place for FIPS. To help avoid using algorithms that have not been sanctioned for use with FIPS, the build removes MD5/MD4 along with DES. Removal of these algorithms limits the modes supported.

Another restriction that is seen with FIPS use is that the key passed into HMAC must be 14 bytes or longer, this can cause issues with hunting-and-peck mode unless password sizes can be known to always be large enough. To avoid the limitation on HMAC key size, hash-to-element (sae_pwe=1) can be used instead.

Supported By wolfSSL
wpa_supplicant modes Not FIPS FIPS Test Ran
EAP-TLS Yes Yes eap_proto_tls
EAP-PEAP/MSCHAPv2 Yes No ap_wpa_eap_peap_eap_mschapv2

ap_wpa2_eap_peap_eap_mschapv2

EAP-PEAP/TLS Yes Yes ap_wpa2_eap_peap_eap_tls
EAP-PEAP/GTC Yes Yes ap_wpa2_eap_peap_eap_gtc
EAP-PEAP/OTP Yes Yes eap_proto_otp
EAP-TTLS/EAP-MD5-Challenge Yes No ap_wpa2_eap_ttls_eap_md5
EAP-TTLS/EAP-GTC Yes Yes ap_wpa2_eap_ttls_eap_gtc
EAP-TTLS/EAP-MSCHAPv2 Yes No ap_wpa2_eap_ttls_mschapv2
EAP-TTLS/MSCHAP Yes No ap_wpa2_eap_ttls_mschap
EAP-TTLS/PAP Yes Yes ap_wpa2_eap_ttls_pap
EAP-TTLS/CHAP Yes No ap_wpa2_eap_ttls_chap
EAP-SIM Yes Yes eap_proto_sim
EAP-AKA Yes Yes eap_proto_aka
EAP-PSK Yes Yes eap_proto_psk
EAP-PAX Yes Yes eap_proto_pax
LEAP Yes No eap_proto_leap

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

White Paper: Applying wolfBoot to 11th Gen Intel Core Processors for Secure Boot

wolfSSL and Intel have jointly published a white paper on the advantages of using the wolfBoot secure bootloader together with 11th Gen Intel Core processors.  The white paper has been published on wolfSSL’s White Paper page and can be downloaded today!

This white paper introduces the wolfBoot secure bootloader and 11th Gen Intel Core i7 Processors, talks about potential advantages of replacing the Intel Slim Bootloader with wolfBoot, and shows performance benchmarks of how the wolfCrypt cryptography library benefits from leveraging Intel AES-NI, AVX2, and AVX-512.

11th Gen Intel Core i7 processors include security features out of the box that make them an ideal processor choice for a number of project designs. Some of these include Intel Advanced Encryption Standard New Instructions (Intel AES-NI) , Intel Advanced Vector Extensions (Intel AVX2, Intel AVX-512), and UEFI Secure Boot. Given an excellent set of features offered by Intel processors, some users and Intel-based projects will benefit from extending the boot process using a second stage bootloader subsequent to Intel’s UEFI. This paper will introduce the wolfBoot secure bootloader, 11th Gen Intel® CoreTM i7 processors, and how wolfBoot can replace Intel® Slim Bootloader to provide certified and customized solutions such as securely unlocking a SATA drive using the trusted platform module version 2.0 (TPM 2.0) during boot.

wolfBoot is flexible and customizable in its use of hardware-based cryptography and secure key storage solutions.  It can leverage the wolfCrypt FIPS 140-2 (and upcoming 140-3) module for applications needing validated cryptography, or wolfCrypt DO-178C for secure boot requirements in avionics applications.  For more details, download our white paper today, If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL Premium Support

One of the primary distinctions between wolfSSL and other security libraries is the availability of commercial support packages (https://www.wolfssl.com/products/support-and-maintenance/).

The Premium Support package includes these benefits:

  • Optimization Assistance
  • Unlimited Support Incidents
  • Contact via email, phone, and shared screen debug session
  • Dedicated Support Engineer
  • 4 Business Hour Response Time
  • Build Config Added to Nightly CI Tests

Having your build configuration tested by our Nightly CI ensures that any changes made to the library will not cause regressions to your project! Having a highly configurable library means having a high level of complexity. We make every effort to test against the most common configurations, and having your project’s wolfSSL configuration added to that matrix removes any uncertainty that you’ll be able to painlessly update to future releases of the library.

Customers with our 24×7 Support package gain the additional advantage of having their target hardware added to our Nightly CI Tests.

wolfSSL wants to help you achieve your project’s security goals! If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Post-Quantum Verification in wolfBoot

A little while ago, we wrote a blog post (https://www.wolfssl.com/nsa-announces-cnsa-suite-2-0/) and did a webinar (https://www.youtube.com/watch?v=IiykMe-pjqo) about the CNSA 2.0 announcement(https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF).  It discusses the need for preparing to use post-quantum algorithms.  For signature schemes, it specifies Dilithium Level 5 as a good general purpose algorithm and LMS and XMSS as being good for signing software and firmware updates.

Here at wolfSSL, plans are underway to make our wolfBoot product use post-quantum algorithms to sign the image updates.  Whether we start with Dilithium Level 5, LMS or XMSS  is up in the air. On the one hand, the time lines as prescribed in CNSA 2.0 for LMS and XMSS are accelerated. On the other hand, Dilithium is already supported through our integration with liboqs.

Want us to accelerate our plans and get them a higher priority? Have a preference for one of Dilithium, LMS or XMSS? If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

FIPS 140-3 and SHA-1 Retirement

This past December, NIST announced that the venerable SHA-1 algorithm, introduced in 1995, is at end-of-life.  While wolfSSL does not use or recommend SHA-1 for new designs, we do implement and support it in our products.  With the NIST announcement, that will soon change for new FIPS 140 submissions, as we too will retire SHA-1.

The wolfSSL FIPS 140-3 cryptographic module currently in process at NIST includes SHA-1.  Thus, customers with an existing requirement for SHA-1 will be able to satisfy that requirement under that certificate once it has been issued.

However, and regardless of FIPS status, customers still using SHA-1 in security-critical roles — signatures, authentications, HMAC, KDFs, etc. — should refactor the implicated systems to use a modern hash algorithm such as SHA-2 or SHA-3.  wolfSSL stands ready to help our customers select and implement an appropriate migration path.

All FIPS 140 modules submitted on or after December 31 2025 will exclude SHA-1, to avoid early certificate sunset under the timeline announced by NIST.

In preparation for this transition, wolfSSL has already prepared its FIPS 140-3 codebase to build, run, and pass full ACVP testing, with SHA-1 gated out.  We are also routinely testing our mainline and FIPS codebases to assure correct function with SHA-1 disabled.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

CURL 25th Anniversary Online Celebration

Celebrate 25 Years of curl with a Zoom Birthday Party on March 20, 2023 at 17:00 UTC. Join fellow curl developers and enthusiasts online for a presentation on the major changes done over the years. Come and contribute to the discussion by asking questions or sharing your own insights. Let’s make this a memorable birthday party for curl!

Read the blog to learn about the history of curl!

Follow this link to Daniel Stenberg’s blog providing more detail on the event: https://daniel.haxx.se/blog/2023/03/10/curl-25-years-online-celebration/

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Posts navigation

1 2 3 42 43 44 45 46 47 48 189 190 191