Category: Uncategorized

The winter release of wolfMQTT, v1.8.0, is now available! This release has several bug fixes and optimizations including:

• Fixes for non-blocking in WIN32 and large payload (PR #202)
• Make TLS IO callback functions public (PR #201)
• Bug fixes (PR #186, 188, 189, 193, 196, 199, 200)
• Update default test broker (PR #194)
• MQTT-SN fixes for multithread and register topic name (PR #185, 190)
• Fix multi-thread to use pthread mutex with condition (PR #183)
• Fix for WIN thread create macro (PR #182)
• Use options.h with Arduino build (PR #181)
• Use MqttClient_Ping_ex instead of MqttClient_Ping in examples (PR #179)
• Fixes for building with MinGW (PR #178)
• MQTT-SN support for multithread (PR #176)
• TLS mutual auth in client examples (PR #175)
• MQTT-SN feature enhancements (PR #173)
• Add runtime message option to client (PR #171)

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

https://github.com/wolfSSL/wolfMQTT/blob/master/ChangeLog.md

While you’re there, show us some love and give the wolfMQTT project a Star!
You can download the latest release here: https://www.wolfssl.com/download/
Or clone directly from our GitHub repository: https://github.com/wolfSSL/wolfMQTT

Hi! We’ve been wondering how well the M1 will perform in our standard cryptographic benchmarks, just like you! We’ll also be bring FIPS 140-2 to the M1.

Watch this space, as we’ll be releasing them in the next few weeks.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Did you know that the wolfSSL embedded SSL/TLS library supports ARMv8 as well as the Cryptography Extensions that it provides?  wolfSSL is more than 10 times faster with AES and SHA256 operations the ARMv8 board we have been testing on (HiKey LeMaker) when using hardware acceleration versus software crypto!

ARMv8 Benchmark Data comparing Software and Hardware Cryptography

Algorithm	Software Cryptography	Hardware Cryptography
RNG	16.761 MB/s	82.599 MB/s
AES-128-CBC-enc	26.491 MB/s	649.179 MB/s
AES-128-CBC-dec	26.915 MB/s	607.407 MB/s
AES-192-CBC-enc	22.796 MB/s	566.717 MB/s
AES-192-CBC-dec	23.130 MB/s	553.092 MB/s
AES-256-CBC-enc	20.004 MB/s	504.143 MB/s
AES-256-CBC-dec	20.207 MB/s	491.374 MB/s
AES-128-GCM-enc	6.224 MB/s	393.407 MB/s
AES-128-GCM-dec	6.226 MB/s	182.279 MB/s
AES-192-GCM-enc	5.895 MB/s	361.801 MB/s
AES-192-GCM-dec	5.895 MB/s	175.676 MB/s
AES-256-GCM-enc	5.609 MB/s	333.911 MB/s
AES-256-GCM-dec	5.610 MB/s	169.085 MB/s
CHACHA	60.510 MB/s	60.017 MB/s
CHA-POLY	41.805 MB/s	41.410 MB/s
MD5	156.310 MB/s	154.421 MB/s
POLY1305	144.464 MB/s	143.058 MB/s
SHA	89.874 MB/s	89.154 MB/s
SHA-256	38.805 MB/s	533.139 MB/s
HMAC-MD5	156.301 MB/s	154.083 MB/s
HMAC-SHA	89.859 MB/s	89.045 MB/s
HMAC-SHA256	38.814 MB/s	532.316 MB/s
RSA, 2048, public	171.995 Ops/s	171.355 Ops/s
RSA, 2048, private	13.716 Ops/s	13.686 Ops/s
DH, 2048, key generation	50.831 Ops/s	50.575 Ops/s
DH, 2048, agree	41.826 Ops/s	41.596 Ops/s

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Version 4.7.0 of wolfSSL has general fixes and optimizations, a few excellent feature additions, and some vulnerability fixes. Some of the new features added are support for S/MIME bundles which are commonly used with email traffic, an --enable-reproducable-build flag to help out with inspecting the wolfSSL library created, expansion to the OpenSSL compatibility layer, and additional session ticket API’s that help modularly control which TLS protocol version can use session tickets.

A few of the improvements and optimizations in the release are to linux kernel module support, DTLS resending of a flight after timeouts, the CMake build with a user settings file and out of directory builds of wolfSSL.

This release fixes 3 vulnerabilities, one of them being a TLS 1.3 client side issue that is rated as high. Thanks to Aina Toky Rasoamanana and Olivier Levillain from Télécom SudParis for the report on this TLS 1.3 issue.

A full list of items in the release can be seen in the ChangeLog.md bundled with wolfSSL or on our main webpage.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

FIPS 140-2 requires the use of validated cryptography in the security systems implemented by federal agencies to protect sensitive information. The wolfCrypt Module is a comprehensive suite of FIPS Approved algorithms. All key sizes and modes have been implemented to allow flexibility and efficiency.

The National Institute of Standards and Technology (NIST) is sending FIPS cert #2425 into sunset June 2021. For customers who will be impacted, the wolfCrypt Cryptographic Module maintains its #3389 certificate and can be used in conjunction with the wolfSSL embedded SSL/TLS library for full TLS 1.3 client and server support. Upgrade your FIPS cert with wolfSSL to stay afloat and benefit from: 

• Algorithm support for TLS 1.3!
• New algorithms such as AES (CBC, GCM, CTR, ECB), CVL, Hash DRBG, DSA, DHE, ECDSA (key generation, sign, verify), HMAC, RSA (key generation, sign, verify), SHA-3, SHA-2, SHA-1, and Triple-DES
• Hardware encryption support for NXP’s Cryptographic Assistance and Assurance Module (CAAM), NXP Memory-Mapped Cryptographic Acceleration Unit (mmCAU), Intel’s AES-NI, and more
• Support for secure elements and TPM’s
• Interoperability with wolfBoot, wolfSSH, and wolfTPM
• Integration support for third party libraries such as strongswan, nginx, python and more

Contact us to upgrade to FIPS cert #3389 at fips@wolfssl.com. 

Additional Resources 

Learn more about wolfSSL support for FIPS cert #3389: https://www.wolfssl.com/wolfcrypt-fips-certificate-3389-3/ 

For a list of supported Operating Environments for wolfCrypt FIPS, check our FIPS page: https://www.wolfssl.com/license/fips/ 

Our FIPS Story

wolfSSL is currently the leader in embedded FIPS certificates. We have a long history in FIPS starting with wolfCrypt FIPS 140-2 Level 1 Certificate #2425 as well as wolfCrypt v4 FIPS 140-2 Level 1 Certificate #3389. wolfSSL partners with FIPS experts KeyPair to bring you FIPS consulting services, and high assurance along each step of your FIPS certification process. Additionally, wolfSSL will be the first implementation of FIPS 140-3.

wolfSSL also provides support for a wolfCrypt FIPS Ready version of the library! wolfCrypt FIPS Ready is our FIPS enabled cryptography layer code included in the wolfSSL source tree that you can enable and build. You do not get a FIPS certificate, you are not FIPS approved, but you will be FIPS Ready. FIPS Ready means that you have included the FIPS code into your build and that you are operating according to the FIPS enforced best practices of default entry point, and power on self test.

wolfCrypt FIPS Ready can be downloaded from the wolfSSL download page located here: https://www.wolfssl.com/download/. More information on getting set up with wolfCrypt FIPS Ready can be found in our FIPS Ready User guide here: https://www.wolfssl.com/docs/fips-ready-user-guide/

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

As a proud partner with ARM, wolfSSL is available as a CMSIS pack! wolfSSL was one of the first libraries available as a MDK5 software pack, which has evolved into CMSIS.

The wolfSSL ARM MDK5 pack supports CMSIS-RTOS by default, providing both the library and example applications. The user can choose to use a different OS as well.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

A question we get asked frequently is what are the build size and memory usage of the wolfTPM portable library. Here we will compare wolfTPM with the other popular TPM2.0 stacks, “ibmtss2” created at IBM and “tpm2-tss” originally created by Intel.

This comparison is interesting, because wolfTPM was built from scratch to be optimized for embedded devices and resource-constrained environments. This gives our TPM2.0 library a small footprint while still providing the features our users want and need.

At the time of writing, the current versions of TPM2.0 libraries is as follows:
wolfTPM is at major version 2.0.0
ibmtss2 is at version 1.5.0
tss2-tpm is at version 3.0.3

The test environment is x86_64 machine, running Ubuntu 20.04.1 LTS, with gcc compiler at version 9.3.0 (from the official Ubuntu 9.3.0-17ubuntu1~20.04 package).

Here are the memory footprint results reported by the GNU Size tool:

Code (text)	Memory (data)	bss	Total (Dec)	filename
2658649	186120	186120	2879905	ibmtss keygen
2730620	176736	33888	2941244	Tpm2-tss keygen
119980	1040	24	121044	wolfTPM keygen

Observations

1. wolfTPM needs the least amount of RAM, in orders of magnitude.
2. wolfTPM also has the smallest build size
3. wolfTPM does not use heap
4. wolfTPM has no external dependencies

For completeness, below are the configurations used for each TPM2.0 stack:

– tpm2-tss stack (originally created by Intel) was built using

./configure –enable-shared=no –enable-nodl –disable-fapi -disable-tcti-mssim -disable-tcti-swtpm

In details:

• Disable shared library build (enables static library build)
• Disable dynamic library loading
• Disable support of feature api
• Disable support for Microsoft TPM Simulator
• Disable support for IBM TPM Simulator

tpm2-tss test application: https://github.com/tomoveu/tpm2-tss/tree/size-9

– Ibmtss stack was built using

./configure –disable-tpm-1.2 –disable-rmtpm –disable-shared

In details:

• Disable support for obsolete TPM 1.2
• Disable support for resource manager
• Disable shared libraries (enables static library build)

ibmtss test application: https://github.com/tomoveu/ibmtss/tree/ibm-size-3

– wolfTPM was built using

./configure –enable-devtpm –enable-wolfcrypt –disable-shared

In details:

• Enable /dev/tpmX interface for Linux
• Enable wolfCrypt support for parameter encryption
• Disable shared libraries (enables static library build)

wolfTPM test application: https://github.com/tomoveu/wolfTPM/tree/size-6

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

For a full list of wolfTPM features, please visit the wolfTPM Product Page.

Hi friends! wolfSSL is looking at participating in the GSMA mobile standard ecosystem for IoT SAFE. We bring robust security; what would this mean for your IoT projects?

IoT SAFE is an IoT SIM applet for secure end-to-end communication, developed by the mobile industry with the goal of standardizing and streamlining IoT device security. Learn more about IoT SAFE.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

wolfBoot v1.7.1 is now available for download from the wolfSSL download page. This version includes some important fixes, improved support for hardware platforms and a few new features.

Our IoT-friendly bootloader is now capable of running in secure mode on Cortex-M33 microcontrollers, using TrustZone-M. Measured boot is now available through the integration with wolfTPM.

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Don’t forget to check our GitHub Repository for documentation and to stay up to date with our latest developments. And while you are there, please give us a star!

Hi! As our readers know, wolfSSL produces the first embedded TLS library that has begun testing for the new FIPS 140-3 standard, as listed here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/iut-list

There are a few significant changes coming with FIPS 140-3. Over the years with many specification updates, a few things got a little inconsistent, so these inconsistencies have been brought back in line. wolfSSL is prepared to deliver the first and best implementation of FIPS 140-3, so get ready.

As FIPS 140-3 is the replacement for FIPS 140-2 it is always a good idea to switch over to it as soon as possible. You will also want wolfSSL’s FIPS 140-3 Certificate for many additional reasons that include:
– Merging the FIPS + ISO Standard (see this https://www.corsec.com/fips-140-3/)
– CAST Testing Streamlined – just testing the algos they are actually using.
– Addition of TLS KDF in FIPS Boundary
– Addition of SSH KDF in FIPS Boundary
– Addition of RSA 4096
– Addition of ECDSA + SHA-3
– Removal of insecure algorithms: example Triple DES

Additional Resources

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.

Check out the wolfSSL embedded SSL/TLS library, star us on Github, and learn more about the latest TLS 1.3 is available in wolfSSL.