Category: wolfSSL/ wolfCrypt

wolfSSL libspdm Support

wolfSSL has added support for libspdm 3.3.0. libspdm is the reference implementation of the DMTF’s Security Protocols and Data Models (SPDM specifications). The goal of the SPDM specifications is to provide device attestation and authentication as well as secure communication over any transport. Both wolfSSL and SPDM are designed to operate on any transport.

Our wolfCrypt library is the underlying cryptographic library used by wolfSSL. wolfCrypt is a lightweight, embeddable, and easy-to-configure crypto library. It supports all the algorithms used by SPDM such as AES, CHACHA, POLY-1305, SHA-3, RSA, ECC. wolfCrypt is FIPS 140-3 validated and is available under both open source and commercial licenses. wolfCrypt also supports the Chinese SM ciphers SM2, SM3, and SM4.

If you have questions about the libspdm port or any other port, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

AI-automated fuzz testing uncovered a vulnerability in wolfSSL

Code Intelligence is happy to announce the discovery of a heap-based use-after-free vulnerability in wolfSSL, identified through a fuzz test automatically generated by an AI Test Agent. This marks another milestone in advancing automated security testing and demonstrates the power of AI-driven tools to improve software reliability and safety.

Discovery and Resolution

The vulnerability was identified during the final week of October 2024.

Remarkably, the discovery required no manual intervention—beyond setting up the project and typing “cifuzz spark” into the command line. This fuzz test, automatically generated and executed by Spark, the AI Test Agent, uncovered the critical data that exposed the flaw.

Spark, the AI Test Agent, is an enhancement to ?ode Intelligence’s fuzz testing product CI Fuzz. Leveraging LLMs and advanced static analysis, it autonomously identifies the most critical functions in the codebase to fuzz, generates and runs fuzz tests, and thus, finds bugs and vulnerabilities.

Spark will be publicly demonstrated to the security and software development community on January 28, 2025. Secure your free spot here.

Spark uncovered the vulnerability in wolfSSL during its final beta testing. Code Intelligence reported the issue to the wolfSSL team immediately, and they responded with exceptional efficiency, resolving the vulnerability within 3 days.

The fix was officially included in release wolfSSL 5.7.6 on 31 December 2024.

In the only manual step, Peter Samarin from Code Intelligence has assessed and confirmed that the vulnerability exists and is exploitable under specific conditions.

We encourage developers to update to the latest version of wolfSSL to mitigate any potential risks.

What Is a Heap-Based Use-After-Free?

A heap-based use-after-free vulnerability occurs when a program continues to access memory on the heap after it has been freed.

In a typical scenario, a program allocates memory, uses it, and then frees it. However, if there is a mistake in memory management, such as a dangling pointer, a subsequent access attempt may interact with memory that has already been reallocated for another use.

This can lead to unexpected behavior, crashes, or—more worryingly—security exploits that allow attackers to execute arbitrary code or manipulate program behavior maliciously.

We are grateful to the Code Intelligence team for uncovering and reporting the vulnerability to us. You can explore the technical details of the issue in Code Intelligence’s blog post.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

wolfSSL SSSD Support

We have ported the System Security Services Daemon (SSSD) to use wolfSSL for its SSL/TLS support. SSSD provides a set of daemons that allow access to identity and authentication providers. SSSD is used to connect to remote directories and authentication mechanisms such as LDAP, Kerberos, or FreeIPA. The wolfSSL SSSD port allows organizations to leverage the performance and size advantages of wolfSSL for their SSSD deployments.

wolfSSL is a lightweight and portable SSL/TLS library written in C. It supports industry standards up to the current TLS 1.3 and DTLS 1.3 levels, is far smaller than OpenSSL, offers a simple API, an OpenSSL compatibility layer, and includes FIPS 140-3 validated cryptography. By integrating wolfSSL with SSSD, organizations can benefit from enhanced performance, reduced memory footprint, and robust security features, making it an ideal choice for secure identity and authentication services.

The patch and installation instructions for SSSD are available here. If you have any questions regarding this or any other port, please contact us at facts@wolfssl.com or +1 425 245 8247.

Download wolfSSL Now

wolfSSL Support for STM32G4

wolfSSL now has support for STM32G4 microcontrollers. With new features that enable better performance and flexibility for cryptographic operations on STM32G4 hardware. Below is a summary of the key changes and updates that were made in PR #7997:

Key Changes and Features

  1. User Settings Synchronization:
    The `user_settings_stm32.h` configuration file has been synchronized with the STM32Cube IDE’s `default_conf.ftl`. This ensures that the configurations are up to date and consistent with the STM32G4 environment.
  2. New Configuration Options:
    WOLF_CONF_IO: This option allows the user to select the network stack to use.
    Options include:

    • 1 = User IO (custom)
    • 2 = LWIP (POSIX)
    • 3 = LWIP (native )

    WOLF_CONF_RESUMPTION: This option controls session caching and session ticket functionality.

    • 0 = No session cache
    • 1 = Session cache / Session tickets

    WOLF_CONF_TPM: Enables TPM support, which adds Crypto Callbacks, Public MP, and AES CFB support.
    WOLF_CONF_PK: TLS Key Callbacks fir better key management in cryptographic operations.
    WOLF_CONF_AESGCM: Support for AES GCM encryption modes with:

    • 1 = GCM_SMALL
    • 2 = GCM_TABLE_4BIT

Testing

The code was compiled in STM32CubeIDE for STM32G491x, but no hardware was available for testing at the time. Tests have been run with essential hardware features, including:

  • – RTC
  • – RNG
  • – LPUART1
  • – ARM ASM

Conclusion

wolfSSL now supports STM32G4 microcontrollers, which has custom IO, session caching, TPM support, and AES GCM support. If you have any further questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

wolfSSL Supports TSIP v1.21

wolfSSL 5.7.4 adds support for Renesas TSIP v1.21 on RX72N and RX65N platform. The RX72N and RX65N are the flagship models of RX series, using a 32-bit, 240 MHz on RX72N, and 120 MHz on RX65N. Using the TSIP driver, wolfSSL can offload supported cryptographic and TLS operations on the underlying Renesas hardware for increased performance. TSIP v1.21 is the latest version released in 2024. By updating the driver, it offers better performance and stability than previous versions.

Check out wolfSSL Renesas TSIP support here.

Example applications for Renesas RX series MCUs with Renesas IDE e2studio project files are provided in the wolfSSL package, included in the /IDE/Renesas/e2studio/RXxx folders. Detailed instruction manuals written both in English and Japanese will help you get started with wolfSSL on these platforms quickly.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

New Year New Release: Introducing wolfSSL 5.7.6

Welcome 2025 with boundless possibilities and stronger security! We are excited to introduce wolfSSL 5.7.6, the latest update in open-source cybersecurity! Designed with the cleanest code, this release is packed with exciting enhancements:

  • Expanded Hardware Support: wolfSSL hardware support now includes RP2350 and STM32MP135F, with enhanced capabilities for RP2040 and Renesas TSIP.
  • Enhanced APIs: APIs introduced for simplified Curve25519 key decoding, stateless DTLS CID on the server side, and CRL callbacks.
  • Post-Quantum Cryptography Advances: Updated Post-Quantum ML-DSA features include parsing security levels from the DER encoding and expanded build options.

Dive into the ChangeLog for complete details on what wolfSSL 5.7.6 has to offer and start your year with a solution that works seamlessly right out of the box!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Improved OCSP Support in wolfSSL

wolfSSL has recently made important improvements to its Online Certificate Status Protocol (OCSP) support. A recent fix in pull request #7779 addresses an issue where the OCSP request was incorrectly freed when saved in ssl->ctx->certOcspRequest. This update ensures that the OCSP request is properly retained, enhancing the stability and reliability of certificate status checking.

In addition to OCSP, we also fully support Certificate Revocation Lists (CRL). However, OCSP is the preferred method for real-time certificate status validation. OCSP provides a more efficient and timely approach to checking certificate revocation status and remains a key feature of our SSL/TLS library.

These updates reflect wolfSSL’s ongoing commitment to providing secure, efficient SSL/TLS solutions with robust certificate validation features. To learn more about wolfSSL’s OCSP support, visit our OCSP page.

If you have questions or need assistance, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Boost DES and 3DES ECB Performance with NXP’s MMCAU in wolfSSL

Starting in wolfSSL 5.7.4, it is now supported to use NXP’s MMCAU hardware accelerator to handle DES and 3DES ECB Crypto Operations. This addition to the MMCAU hardware port can be seen in PR #7960.

The MMCAU can be used to speed up other cryptography algorithms in wolfSSL like:

  • AES – 128/192/256
  • MD5
  • SHA – 1
  • SHA – 256

To see more about our support with NXP hardware check out our NXP hardware page or if you want to evaluate wolfSSL 5.7.4 you can download that here!

Have questions about using NXP’s hardware with wolfSSL? If so, send us an email at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

Enhancing Realm Database Security with wolfSSL

Are you looking to add FIPS 140-3 certified cryptography to your Realm database? wolfSSL has you covered!

We’ve successfully integrated wolfSSL into Realm, providing you with robust TLS and cryptographic functionality. A version tested on Linux is available, and we can also help you enable support for platforms like Android and iOS upon request.

Getting Started with Realm and wolfSSL

To start using wolfSSL with Realm, follow these steps:

Configure wolfSSL:

./configure --enable-static --enable-opensslall --enable-enckeys --enable-certgen --enable-context-extra-user-data
sudo make install

Optionally, specify the installation directory with --prefix=/path/to/install.

Download and patch Realm Core:

git clone https://github.com/realm/realm-core.git
cd realm-core
git checkout a5e87a39
git submodule update --init --recursive

Applying the Patch to support wolfSSL:

git apply ../realm-v13.26.0.patch

You can obtain the patch from wolfSSL/osp/realm directory

Build Realm Core with wolfSSL:

mkdir build
cmake -B build -DREALM_ENABLE_ENCRYPTION=1 -DREALM_USE_WOLFSSL=1 -DREALM_WOLFSSL_ROOT_DIR=/usr/local/lib
cmake --build build
./build/test/realm-tests

If you’d like to secure your Realm app with wolfSSL or need support for other platforms, reach out to us at facts@wolfSSL.com or call us at +1 425 245 8247.

Stay secure with wolfSSL and Realm!

Download wolfSSL Now

Getting Started with wolfSSL using Visual Studio 2022

It’s never been easier to get started with wolfSSL on Microsoft Windows using Visual Studio 2022!

New VS2022-specific project and solutions files have been created for both the wolfssl/wolfcrypt core library, as well as the test and benchmark examples. These files are available immediately on GitHub and are included in the recent release.

For long term customers and backward-compatibility, we’ve had older versions of Visual Studio that generally would update to whatever latest version might be installed. See our blog post here.

Now with the new VS 2022 files, no more manual adjustments are needed. The project files work immediately out of the box. Just open the project file and click the run button.

Let’s say you’ve just cloned the latest version of wolfSSL from GitHub in your C:\workspace directory:

git clone https://github.com/wolfSSL/wolfssl

The test and benchmark examples also include a vcxproj.user file that aids in pointing the working directory of the project to the root-level wolfSSL to easily find the compiled binary.

To get started with the examples, simply navigate to the wolfCrypt benchmark directory:

C:\workspace\wolfssl\wolfcrypt\benchmark

and open either the benchmark-VS2022.vcxproj project or benchmark-VS2022.sln solution files in Visual Studio 2022.

If you happen to be one of the Windows developers that also uses WSL, you may occasionally see an oddity in Visual Studio’s equivalent of git status as compared to the result from the WSL prompt. The issue is the way Windows might handle file permissions that differ between Windows and Linux when the same file system is shared (e.g. C:\workspace vs /mnt/c/workspace), causing Visual Studio to detect modified files even though there’s no apparent text change. One way to fix this is with this git command:

git config core.fileMode false

Visual Studio may need to be re-launched if it was already already running when the command was entered in a WSL prompt.

When using wolfSSL on Windows, it is a common practice to use a user_settings.h file. There’s an example in the wolfssl/IDE/WIN directory:

https://github.com/wolfSSL/wolfssl/blob/master/IDE/WIN/user_settings.h

The wolfCrypt Benchmark and wolfCrypt Test applications can also be used as reference examples.

Note the beginning of the benchmark.c file. It uses a common pattern of including the wolfssl library:

#ifdef HAVE_CONFIG_H
    #include 
#endif

#ifndef WOLFSSL_USER_SETTINGS
    #include 
#endif
#include  /* also picks up user_settings.h */

It is important to define the c-compiler preprocessor definition: WOLFSSL_USER_SETTINGS

The #include <wolfssl/wolfcrypt/settings.h> should be listed before any other wolfSSL headers are included. The user_settings.h is included in the settings.h file. The user_settings.h should never be explicitly included in any other source code header.

Beyond the Benchmark and Test Examples

Do you have a project and you’d like to add the wolfssl library? Right-click on the solution file and select “Add – Existing Project…”:

Navigate to the root directory of your wolfSSL source code and add the wolfssl-VS2022.vcxproj file to your solution.

Be sure to also add a reference to each project that will use the wolfssl library. Right click on “references” and add check the “wolfssl” project:

Depending on the directory structure and relative location of the project, the path to the wolfssl source code headers will likely need to be added to the Additional Include Directories. The typical example will be at least for the root directory:

C:/workspace/wolfssl

And oftentimes the user_settings.h as well, shown here in the example IDE/Win directory:

C:/workspace/wolfssl/IDE/Win

The example property page would look like this:

That’s it! Simply build and run the project.

Reorganization Coming Soon

Visual Studio project and solution files will soon be moved to the .\IDE\VS2010.\IDE\VS2022 directories.

The FIPS-related builds currently interspersed in other directories will soon be consolidated and moved to a new .\IDE-FIPS directory. See PR #8126.

For more information:

Post Quantum

Do you have code that can be upgraded to Post Quantum? See our recent blog.

FIPS Certified!

When you are ready to move on to the next step, wolfSSL will be there for you! Need to have your project NIST Certified? Recently we announced that wolfSSL is the First in the World to offer FIPS 140–3 Automated Submission with our NIST Certificate #4718.

For more details, see our blog What is FIPS (long version).

Find out more:

If you have any feedback, questions, or require support, please don’t hesitate to reach out to us via facts@wolfSSL.com, call us at +1 425 245 8247, or open an issue on GitHub.

Download wolfSSL Now

Posts navigation

1 2 3 4 5 6 7