Category: Uncategorized

*Jointly posted with GrammaTech 

wolfSSL is a lightweight embedded SSL/TLS library and we pride ourselves for being the best-tested crypto and SSL/TLS stack available on the market. From API unit testing to fuzz testing to continuous integration, we do it all to ensure we’re secure for our customers. Now we’re adding an additional static analysis tool to the arsenal, GrammaTech’s CodeSonar, for even more security assurance. 

Static analysis also known as static application security testing (SAST) is the process of using a tool to scan for bugs and defects in source code without actually running a program. CodeSonar’s analysis of our codebase helped reveal even more ways to ensure that all of our bases are covered and security is maximized. By displaying the defects through thorough descriptions and visualizations, CodeSonar allowed us to come up with quick and efficient fixes. Setting up the program was straight-forward and it took about 2 hours to scan through the wolfSSL code base. The figure below offers a brief summary of the warnings generated by the analysis.

We reviewed all the warnings and marked them appropriately. CodeSonar also now allows us to list the new warnings that are introduced by code changes and allows us to maintain our security posture easily.

These were the defects detected throughout the hundreds of thousands of lines of code in the wolfSSL code base. Most of the Buffer Overruns generated have safeguards around them to make certain that they don’t happen during execution. A majority of the Uninitialized Variable warnings are generated because of the way wolfSSL initializes keys and other structs (initialized by constructor methods instead of direct initialization). And, the Null pointer Dereferences are to guarantee that nothing in the code makes it past where it needs to be. 

CodeSonar did help us uncover possible leaks that we were able to fix within a day. With CodeSonar, our development team can take swift and methodical action whenever a problem is uncovered. We know that’s what customers like to hear! So if you’d like peace of mind knowing that your product incorporates a cutting-edge lightweight and secure TLS/Cryptography library, download wolfSSL.

Need more? Subscribe to our YouTube page for access to webinars.

Love it? Star us on GitHub!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

As you may know, wolfSSL has integrated our FIPS-certified crypto module (wolfCrypt) with OpenSSL as an OpenSSL engine, a product we call wolfEngine. You may also know that OpenSSL 3.0 has done away with the engines paradigm in favor of a new concept, called providers. wolfSSL has begun work on an OpenSSL 3.0 provider, allowing you to use latest version of OpenSSL backed by our FIPS-certified wolfCrypt library. Like wolfEngine, the wolfSSL provider for OpenSSL is an excellent pathway for users looking to get FIPS compliance fast while still using OpenSSL.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL is excited to announce support for using Silicon Labs Hardware acceleration. The EFR32 family of devices support multiple wireless interfaces with hardware cryptographic operations. wolfSSL can now offload cryptographic operations for dramatically increased performance on the Silicon Labs EFR32 family!

Our new support includes hardware acceleration of the following algorithms:

• RNG
• AES-CBC
• AES-GCM
• AES-CCM
• SHA-1
• SHA-2
• ECDHE
• ECDSA

The new functionality can be enabled by defining WOLFSSL_SILABS_SE_ACCEL. In user_settings.h More details are available in the README.md in wolfcrypt/src/port/silabs of the wolfSSL tree.

Benchmarks

Benchmark was performed on an EFR32 Gecko 2 (Series 1) using the xGM210P022.

The tests use Simplicity Studio v5 with Gecko SDK 3.0 using Micrium OS 5 and Secure Element Manager.

Algorithm	Data Throughput (MB/s)
RNG	1.895
SHA	7.195
SHA-224	7.327
SHA-256	7.334
HMAC-SHA	6.304
HMAC-SHA224	6.329
HMAC-SHA256	6.323
AES-128-CBC-enc	4.897
AES-128-CBC-dec	4.907
AES-192-CBC-enc	4.795
AES-192-CBC-dec	4.805
AES-256-CBC-enc	4.703
AES-256-CBC-dec	4.712
AES-128-GCM-enc	4.463
AES-128-GCM-dec	4.317
AES-192-GCM-enc	4.377
AES-192-GCM-dec	4.235
AES-256-GCM-enc	4.297
AES-256-GCM-dec	4.162
AES-CCM-Enc	4.203
AES-CCM-Dec	4.045

ECC operation	Average time to complete (ms)	Operations per second
ECC 256 key gen	5.929	168.663
ECDHE 256 agree	5.440	183.816
ECDSA 256 sign	6.373	156.902
ECDSA 256 verify	6.727	148.662

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfSSL now supports NXP’s SE050 hardware security chip. This is an external I2C crypto co-processor chip that supports RSA key sizes up to 4096-bit, ECC curves up to 521 bit and ED25519 / Curve25519. You can see the full implementation details in GitHub pull request 4322.

We have also expanded our Kinetis LTC support to accelerate RSA key generation. This made it into our v4.8.1 release of wolfSSL.

NXP Semiconductor is a key member of wolfSSL’s partner network. wolfSSL ships with support for offloading cryptographic operations onto several NXP devices, such as the Coldfire, Kinetis, LPC, S32 and i.MX microprocessors. Additionally we support hardware cryptographic acceleration using NXP’s CAU, MMCAU, LTC, CAAM and SE050 hardware. If your target is missing, tell us!

wolfSSL develops a full suite of products supporting NXP designs. Learn about wolfBoot secure boot and TLS 1.3 firmware update with FreeRTOS and wolfSSL on NXP Freedom Board K64 here. After the release of wolfSSL version 4.2.0, we provide improved support for crypto hardware performance, now on NXP mmCAU. Download the latest wolfSSL version 4.8.1 here!

wolfSSL also provides surviving FIPS certificates that can be leveraged for your i.MX8, i.MX7 and i.MX8 CAAM projects. Stay tuned for upcoming FIPS 140-3 support. 

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Love it? Star us on GitHub!

wolfSSL is always adding new ports to our highly portable wolfCrypt library! We’re continuing our series on the latest open source project ports—this week, we’re featuring tcpdump.

We have integrated wolfSSL with tcpdump, a powerful command-line packet analyzer. This update allows for the use of tcpdump with our FIPS-validated crypto library, wolfCrypt. Tcpdump is a versatile tool with many options and filters, and is commonly used to capture or filter TCP/IP packets that are received or transferred over a network on a specific interface. Its long-running history ensures that there are many resources available for learning how to use this tool (See the tcpdump Wikipedia page for more info). 

Through the OpenSSL compatibility layer, tcpdump is able to call into wolfSSL. Visit the GitHub page here: https://github.com/wolfSSL/osp/tree/master/tcpdump/4.9.3

Need more? Subscribe to our YouTube channel for access to wolfSSL webinars!
Love it? Star us on GitHub!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

News to look forward to—wolfSSL plans to integrate wolfTPM, our portable TPM 2.0 library, into U-Boot! This would extend the TPM 2.0 capabilities in U-Boot to include signature verification and measured boot.

For many platforms, we can replace U-Boot such as on the Xilinx UltraScale+ MPSoC.

wolfBoot is a portable secure bootloader solution that offers firmware authentication and firmware update mechanisms. Thanks to its minimalistic design, wolfBoot is completely independent from any OS or bare-metal application. Some of its key features include:

• Partition signature verification using ED25519, RSA and ECC
• Encryption of partitions
• Updating of partitions in the boot loader
• Measured boot with TPM 2.0 PCR registers
• Offloading to crypto coprocessors like the TPM 2.0 modules
• Version checking for updates
• Rollback on failed updates

For information on our wolfBoot TPM integration, visit https://www.wolfssl.com/curious-learn-wolfboot-tpm/.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Connect with wolfSSL!
Twitter
LinkedIn
GitHub

Public key infrastructure or PKI is important term used to define everything that is used to “create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.” (https://en.wikipedia.org/wiki/Public_key_infrastructure) As RSA and ECC are one of the main algorithms used for PKI key generation, we are wondering if anyone is interested in RSA 3k or ECC 384 support in wolfBoot?

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

You can download the latest release here: https://www.wolfssl.com/download/
Or clone directly from our GitHub repository: https://github.com/wolfSSL/wolfBoot
While you’re there, show us some love and give the wolfBoot project a Star!

wolfSSL has long been aware of the quantum threat to modern cryptography. Though quantum computing currently exists on small scales, research has determined enough to know that once full-scale quantum computing is available, all modern cryptography (RSA, ECC, etc.) will no longer be secure. Furthermore, the proven usage model of Quantum Computing as a Service (QCaaS) via the Cloud means that quantum capabilities will be more widely available, posing a greater security threat. This risk is why wolfSSL provides support for integration with the NTRU cryptosystem and an implementation of the QSH TLS extension. 

With NIST already having announced the Round 3 finalists of the Post-Quantum Cryptography Competition, we thought it was time to update our quantum-safe offerings. WolfSSL will soon support integration with the Open Quantum-Safe project’s libOQS. Initial support will be for Key Exchange only using all parameter sets of Crystals-Kyber, NTRU, and SABER for TLS 1.3. With perfect forward secrecy, these algorithms can protect you from the “Harvest and Decrypt” threat model.

“Harvest and Decrypt”

If encrypted sensitive data is stolen (harvested) today, it will be accessible (decrypted) once a sufficiently-powered quantum computer is available. If the sensitive information has a secrecy requirement that extends beyond the time it will take to develop large-scale quantum computing, then that data should be considered at risk today. The quantum threat to current confidential data demonstrates the importance of migrating to quantum-safe solutions as soon as possible. For more details, you can look up “Mosca’s Inequality”.

Next Steps

To continue future-proofing encrypted data streams, wolfSSL plans to hybridize key construction algorithms with NIST-standardized ECDSA components. These hybridized algorithms will continue to be FIPS compliant under the current NIST standards. In addition, wolfSSL is developing a test for post-quantum cURL, coming in the next 4 to 6 weeks.

wolfSSL is attending ICMC (International Cryptographic Module Conference) this week, where we will be talking more about post-quantum computing—come visit us there! 

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

One of the highlights of our wolfCrypt library is its exceptional portability, which allows wolfSSL’s team of engineers to frequently add new ports! Stay tuned for the rest of our blog series on the latest open source project ports over the next few weeks.

This week, we’re showcasing libssh2! We have integrated wolfSSL with the libssh2 project, which allows for the use of libssh2 with our FIPS-validated crypto library, wolfCrypt. Libssh2 is a client-side C library designed to implement the SSH2 protocol for embedding specific SSH (Secure Shell) capabilities into other tools. The project includes hundreds of functions that allow specific activities and components to be selected and added to an application, while still remaining small in size.

We’ve enabled libssh2 to be able to call into wolfSSL through the OpenSSL compatibility layer. You can access the GitHub page here: https://github.com/wolfSSL/osp/tree/master/libssh2/1.9.0

Need more? Subscribe to our YouTube channel for access to wolfSSL webinars!
Love it? Star us on GitHub!

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

lighttpd has added support for wolfSSL in version 1.4.51! lighttpd is a fast and lightweight web server designed with a very low memory footprint. These design goals make wolfSSL an excellent choice as the SSL/TLS implementation, as it’s built to be lightweight, portable, and very fast. wolfSSL targets embedded and IoT devices but works just as well on desktop, enterprise, and cloud environments. Configuring wolfSSL as the SSL/TLS backend for lighttpd is simple and can provide you with the immediate benefit of a lower memory footprint and faster cryptography!

Compile wolfSSL with:

./configure --enable-lighty
make
make install

Compile lighttpd with:

./configure --with-wolfssl
make 
make install

To learn about how to setup your lighttpd instance to use wolfSSL, please visit https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Love it? Star us on GitHub!