Category: wolfSSL/ wolfCrypt

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

The RISC-V architecture, known for its open-source and customizable nature, has seen a growing adoption in various embedded systems and IoT applications. As developers continue to push the boundaries of what RISC-V can achieve, the need for robust, secure, and highly optimized cryptographic solutions has become increasingly important. Enter wolfSSL, a lightweight SSL/TLS library that has been tailored for the unique demands of RISC-V environments.

Customization and advanced features of wolfSSL on RISC-V include hardware acceleration optimizations, particularly on platforms like Espressif’s ESP32-C3 and ESP32-C6 (see examples), where wolfSSL enhances performance with RISC-V assembly-level optimizations. These optimizations not only improve the speed of cryptographic operations but also ensure a smaller footprint, making them ideal for resource-constrained environments. Additionally, wolfSSL supports the integration of secure bootloaders, secure communication protocols, and FIPS 140-3 certifications, offering developers the tools needed to build secure, reliable, and high-performance systems on RISC-V.

This customization capability allows developers to tailor security features to their specific needs, leveraging the flexibility of RISC-V to create advanced, secure applications that meet the rigorous demands of modern embedded systems.

How can you make your application [Better | Faster | Smaller | More Secure] ?

The first place to look for customization is our Tuning Guide to get an overview. There are also some sample user setting files as described in a prior blog: Using user_settings.h with wolfSSL.

Wondering where to get started? We have examples that should work on nearly every Windows/Mac/*nix platform (let us know if you find one that doesn’t!). There are also numerous examples for different environments and IDE platforms.

Check out our recent blog: Top 5 Build Options To Improve wolfCrypt/wolfSSL Performance.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

The important thing to know: there are no special requirements for wolfSSL to run on your RISC-V device. There are no external dependencies. We can run a TLS stack in the smallest memory footprint. Although not a RISC-V device, [gojimmypi] was able to get a TLS stack working in less than 24KB on the Arduino Nano 33 IoT device with total 32KB RAM + 256KB Flash. Most targets will of course have considerably more memory resources.

There are examples to help you get started. There are also examples for different specific environments and IDE platforms.

One of the important things to remember, particularly on embedded devices, is that a reasonably accurate clock is needed. Otherwise certificate validation will fail if the device time is not within the begin and end dates for the certificates.

This particular example is extracted from the Espressif wolfssl_client example, but applies to all platforms:

For embedded systems, copy or install wolfSSL as needed for your particular environment.

For command-line systems:

  ./configure LDFLAGS="-L/path/to/wolfssl" CPPFLAGS="-I/path/to/includes"

For using a custom user_settings.h file, for instance with CMake, define WOLFSSL_USER_SETTINGS:

    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS")

Include a couple of wolfSSL files.

    /* wolfSSL */
    #include 
    #include 

Note that the settings.h file must be included before any other wolfSSL file, in every source file that uses wolfSSL. Never explicitly include the user_settings.h file, as it is preprocessed and included by the settings.h file.

Create and initialize wolfSSL ctx (context object)

    ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); /* SSL 3.0 - TLS 1.3. */
    /*   options:   */
    /* ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());      only TLS 1.2 */
    /* ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());      only TLS 1.3 */

Open a socket:

    sockfd = socket(AF_INET, SOCK_STREAM, 0)

Optionally set a cipher suite:

    ret = wolfSSL_CTX_set_cipher_list(ctx, WOLFSSL_ESP32_CIPHER_SUITE);

Set client certificate:

    ret = wolfSSL_CTX_use_certificate_chain_buffer_format(ctx,
                                     CTX_CLIENT_CERT,
                                     CTX_CLIENT_CERT_SIZE,
                                     CTX_CLIENT_CERT_TYPE);

Load CA Certificate

        ret = wolfSSL_CTX_load_verify_buffer(ctx,
                                     CTX_CA_CERT,
                                     CTX_CA_CERT_SIZE,
                                     CTX_CA_CERT_TYPE);

Load private key:

    ret_i = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
                                     CTX_CLIENT_KEY,
                                     CTX_CLIENT_KEY_SIZE,
                                     CTX_CLIENT_KEY_TYPE);

Create a wolfSSL secure socket layer connection:

    ssl = wolfSSL_new(ctx)

Tell wolfSSL to verify the peer, and no callback:

    wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, 0);

Connect

    ret = connect(sockfd,
                 (struct sockaddr *)&servAddr,
                 sizeof(servAddr))

Once your application is connected, send a message with wolfSSL_write()

        /* Send the message to the server */
        do {
            err = 0; /* reset error */
            ret_i = wolfSSL_write(ssl, buff, len);
            if (ret_i <= 0) {
                err = wolfSSL_get_error(ssl, 0);
            }
        } while (err == WOLFSSL_ERROR_WANT_WRITE ||
                 err == WOLFSSL_ERROR_WANT_READ);

And receive a message with wolfSSL_read()

        do {
            err = 0; /* reset error */
            ret_i = wolfSSL_read(ssl, buff, sizeof(buff));
            if (ret_i <= 0) {
                err = wolfSSL_get_error(ssl, 0);
            }
        } while ((err == WOLFSSL_ERROR_WANT_READ) ||
                 (err == WOLFSSL_ERROR_WANT_WRITE) );

A build command would look something like this:

gcc -o simple_tls_client simple_tls_client.c \
    -I/usr/local/include -L/usr/local/lib -lwolfssl

Have any questions on using wolfSSL in your project? We’d love to help!

Common questions are answered over on our forums.

If you have a project that you don’t want to share publicly, please email us at support@wolfSSL.com.

We want to hear how you want to use wolfSSL. Please contact us at facts@wolfSSL.com, +1 425 245 8247, or open an issue on GitHUb.

Catch up on ‘Part 1: Ready for Integration: wolfSSL and RISC-V‘ and ‘Part 2: Installing and Configuring wolfSSL on RISC-V.’

Download wolfSSL Now

There are no special requirements or prerequisites for using wolfSSL in a RISC-V project. As noted in our prior blog, wolfSSL has been developed in a Clean Room environment and has no external dependencies. Unlike other options, wolfSSL is still maintained with oversight from the original developers. If your current project compiles, you can add wolfSSL.

See the wolfSSL Quick Start Guide.

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

Prerequisites: Hardware and Software Requirements

• Hardware: nearly any RISC-V board.
• Software: Ubuntu or another Linux distribution, GNU toolchain for RISC-V, and necessary development tools (e.g., make, gcc).

Downloading wolfSSL

• Source Code: Obtain the latest wolfSSL source code from the official wolfSSL Download Page.

Building wolfSSL for RISC-V

Clone the Repository:

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl

Set Up the Build Environment: Ensure the RISC-V GNU toolchain is installed and configured.

Compile wolfSSL:

There’s not much difference between compiling for RISC-V or any other platform, unless perhaps you need to cross-compile. See additional information in the INSTALL file.

./autogen # optional, depending on source. (see docs)
./configure --host=riscv64-unknown-elf
make
make install

Configuring wolfSSL

Custom Build Options: Modify the configure command with options specific to your use case. For example, enabling TLS 1.3:

make install
./configure --host=riscv64-unknown-elf --enable-tls13

By following these steps, you’ll have wolfSSL downloaded, built, and configured on your RISC-V platform, ready for development.

Beyond the basic compilation of wolfSSL, there are a variety of enhancements and optimization options available for the RISC-V CPU. See our upcoming blog: “Customization and Advanced wolfSSL Features on RISC-V”

Want to optimize performance? See Top 5 Build Options To Improve wolfCrypt/wolfSSL Performance.

Want to check performance? Check out our recent blog: How do you benchmark cryptography?

The wolfSSL cryptographic libraries will run anywhere on nearly any RISC-V CPU! Check out our prior blog using the Radiona ULX3S Softcore Hazard3 RISC-VHazard3 by Luke Wren is the same one used in the Raspberry Pi Pico 2.

Are you using RISC-V in your project? We want to hear about it!

If you have questions about any of the above, please contact us at facts@wolfSSL.com, +1 425 245 8247, or open an issue on GitHub.

Catch up on ‘Part 1: Ready for Integration: wolfSSL and RISC-V‘ then dive into ‘Part 3: Sample Application: Integrating wolfSSL with a RISC-V‘.

Download wolfSSL Now

Advantages of Using wolfSSL on RISC-V Platforms

One of the key benefits of using wolfSSL in a RISC-V project is that the library has been developed in a “clean room” environment. In part, this means there’s no inherited code baggage and more importantly: no external dependencies. If there’s an existing RISC-V project, wolfSSL can be easily added. Just plug in the library and it is ready to go.

If there’s an existing RISC-V project that uses OpenSSL, there’s a compatibility layer to help transition the application and ease the migration effort. See Chapter 13 of the documentation and our prior blog on migrating from OpenSSL.

Want to check performance? Check out our recent blog: How do you benchmark cryptography?

Some environments such as the Espressif ESP32 “C” Series, use the RISC-V environment completely transparently to the developer.

If there’s not an existing project yet, check out some of our many examples on GitHub, or contact us for help getting started.

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

Some of the aspects to consider:

1. Resource Efficiency:
   • Reduced Footprint: wolfSSL’s small memory footprint and minimal code size are ideal for resource-constrained RISC-V environments.
   • Low Power Consumption: Efficient design leads to lower power consumption, perfect for embedded systems and IoT devices.
2. Performance Optimization:
   • Hardware Acceleration: Leverage RISC-V’s custom instructions for accelerated cryptographic operations with wolfSSL.
   • Scalability: Tailor wolfSSL’s modular design for optimized performance in various RISC-V applications.
3. Security:
   • Robust Features: Comprehensive support for modern cryptographic algorithms and TLS 1.3 ensures secure communication.
   • Compliance: FIPS 140-3 validation meets stringent security standards for various industries.
4. Flexibility and Customization:
   • Open Source: Modify and tailor wolfSSL to specific needs with its open-source nature.
   • Rich Feature Set: Access a wide range of cryptographic algorithms and protocols without additional libraries.
5. Community and Support:
   • Active Community: Benefit from a wealth of resources and community support for both wolfSSL and RISC-V. Visit our forums or browse our repositories on GitHub.
   • Professional Support: Commercial support from wolfSSL ensures quick resolution of critical issues.
6. Future-Proofing:
   • Evolving Standards: Stay compatible with the latest RISC-V advancements and features.
   • Longevity: Invest in sustainable and forward-compatible technologies with wolfSSL and RISC-V.

Combining wolfSSL with RISC-V allows for the creation of secure, efficient, and scalable applications across various computing environments.

Are you interested in RISC-V or FIPS Certification? We want to hear about your project!

If you have questions about any of the above, please contact us at facts@wolfSSL.com, +1 425 245 8247, or open an issue on GitHub.

Continue to ‘Part 2: Installing and Configuring wolfSSL on RISC-V.’

Download wolfSSL Now

The wolfSSL team has expanded our Open Source Projects repository with a port for Mosquitto, an open source MQTT broker. Mosquitto users can benefit from wolfSSL’s lightweight SSL/TLS library.

Why should you use wolfSSL with Mosquitto?

• Portability across platforms and OS/RTOS environments
• Low/optimized memory use (runtime and footprint)
• Best-tested SSL/TLS/crypto implementation available, reducing vulnerabilities
• Current protocol support, up to TLS 1.3
• Progressive algorithm support (ChaCha20, Poly1305, Curve/Ed25519, etc)
• Commercial support available direct from wolfSSL engineers
• Commercial licenses available (in addition to standard GPLv2)

To use the Mosquitto port, follow the instructions in the patch file.

Set up wolfSSL

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-mosquitto
make
make install

Set up Eclipse Mosquitto

git clone https://github.com/eclipse/mosquitto.git
cd mosquitto
git checkout v2.0.18
patch -p1 < 
make WITH_TLS=wolfssl
make WITH_TLS=wolfssl test

Let us know what you think! We plan to add support for CMake builds. If you are interested or have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.

Download wolfSSL Now

In the 5.7.2 release, a new macro WOLFSSL_MAX_ALT_NAMES was introduced to limit the maximum number of allowed subject alternative names to a default value of 128 to prevent a possible denial of service attack. Unfortunately, after the release, some commonly used certificates were brought to our attention that have more than 128 subject alternative names. If you started using 5.7.2 and hit error -161 on certificate handling this may be your problem. This issue can be immediately mitigated by building with WOLFSSL_MAX_ALT_NAMES at a number larger, say 512 or 1024. The wolfSSL master branch already has an increased default of 1024 which should be sufficient for all real world certificates and will be included in the 5.7.3 release.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

wolfSSL release 5.7.2 is now available! This release includes an implementation of Dilithium, optimizations for RISC-V use, AES-XTS streaming capabilities, and quantum safe algorithm support with the Linux kernel module, to name a few of the recent additions. There have also been other enhancements, such as STM32 AES hardware support for STM32H5 and SHA-3 ARM thumb assembly implementations. Along with these amazing features and enhancements, some great fixes and additional sanity checks were added. One of the additional sanity checks limits the maximum number of alternate names parsed with certificates. This defaults to 128 but can be changed by defining the macro WOLFSSL_MAX_ALT_NAMES to any desired value. A full list of vulnerability fixes, feature additions, and general changes can be found in the ChangeLog.md bundled with wolfSSL or in the main README.md.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

The lwIP project is a great, lightweight TCP/IP stack implementation, with widespread use in the embedded world. Users of lwIP and wolfSSL know that we have long supported an lwIP integration, which allows wolfSSL to handle the TLS layer while lwIP handles network input/output.

Similarly, we support a wolfSentry integration with lwIP, that allows wolfSentry to function as a dynamic firewall and IDPS for lwIP.

But what if you wanted to combine lwIP with IPSec? Furthermore, what if you wanted wolfCrypt to handle the IPSec cryptographic operations in such a combination?

If you’re curious about lwIP, wolfCrypt, and IPSec, or have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

The wolfSSL embedded TLS library and its crypto engine wolfCrypt are both highly configurable to give users the best cryptographic performance. Our users appreciate that they’re able to customize their builds to suit their specific needs. If your needs are a crypto or SSL/TLS solution optimized for performance, we’ve compiled a list of the top 5 wolfSSL build options that you should consider.

Intel Assembly
For use with Intel/AMD processors, enabling the intelasm option for wolfSSL will utilize enhanced assembly instructions of the processor that can dramatically enhance cryptographic performance for most algorithms. The instruction sets leveraged when the configure option is enabled include AVX1, AVX2, BMI2, RDRAND, RDSEED, AESNI, and ADX. This option also automatically enables our Intel AES-NI support, which on its own can lead to direct AES encryption that’s over 3.3 times faster than using software-based AES. Performance increases in total can be as large as 5,800% when intelasm is used.
Enabled with: ./configure –enable-intelasm
Macro: WOLFSSL_ARMASM


ARM Assembly
Whether you’re doing cryptography on an ARMv8, ARMv7 or even an ARM64, armasm is the quickest way to speedup your cryptographic operations, and by doing so speedup your TLS that makes use of these algorithms. By using the cryptographic instructions built into the chips, we get a significant boost in performance over straight C. We recently did another round of tuning on our ARM64 code and got the crypto running up to 9.5 times faster than it already was.
Enabled with: ./configure –enable-armasm
Macro: WOLFSSL_ARMASM

RISC-V Assembly
The newest addition on this list, wolfSSL now has support for RISC-V hardware acceleration. The RISC-V assembly implementation of AES includes standard/scalar cryptography/vector cryptographic instructions for ECB/CBC/CTR/GCM/CCM and can be up to 50 times faster than the software implementation.
Enabled with: ./configure –enable-riscv-asm
Macro: WOLFSSL_RISCV_ASM

Single Precision Math Assembly
Unlike some of the other build options on this list, SP ASM is hardware agnostic. SP is Single Precision Math and it is a wolfSSL developed math library that is extremely well optimized for cryptographic math calculations. SP ASM is the assembly component of the SP math library. Enabling this option leads to faster RSA, ECC and DH operations.
Enabled with: ./configure –enable-sp –enable-sp-asm
Macros: WOLFSSL_SP_ASM (along with WOLFSSL_SP_HAVE_RSA/ECC/DH)

AES GCM (4-bit Table)
A hardware agnostic feature for AES GCM (authenticated cipher) to improve the symmetric performance of the GHASH authentication calculation. The performance gain is about a 3x speedup.
Enabled with: ./configure –enable-asmgcm=4bit
Macros: WOLFSSL_SP_ASM (along with WOLFSSL_SP_HAVE_RSA/ECC/DH)

For more information on the wolfSSL library and its performance, please visit our benchmarks page or contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

We are excited to share the latest benchmark results of wolfSSL v5.7.0 running on the HiFive Unleashed at 1.4GHz. We implemented AES for ECB, CBC, CTR, GCM, and CCM using assembly for RISC-V. This benchmark demonstrates the performance capabilities of wolfSSL on RISC-V architecture, highlighting our commitment to providing high-performance, lightweight, and secure SSL/TLS solutions across diverse platforms.

The benchmark results prove that the new assembly optimizations are much faster.

With RISC-V assembly optimizations:

./configure --enable-riscv-asm && make

root@HiFiveU:~/wolfssl-riscv# ./wolfcrypt/benchmark/benchmark -aes-cbc -aes-gcm------------------------------------------------------------------------------
 wolfSSL version 5.7.0
------------------------------------------------------------------------------
Math:   Multi-Precision: Wolf(SP) word-size=64 bits=3072 sp_int.c
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
AES-128-CBC-enc             20 MiB took 1.076 seconds,   18.588 MiB/s
AES-128-CBC-dec             20 MiB took 1.083 seconds,   18.473 MiB/s
AES-192-CBC-enc             20 MiB took 1.245 seconds,   16.062 MiB/s
AES-192-CBC-dec             20 MiB took 1.246 seconds,   16.047 MiB/s
AES-256-CBC-enc             15 MiB took 1.057 seconds,   14.189 MiB/s
AES-256-CBC-dec             15 MiB took 1.055 seconds,   14.212 MiB/s
AES-128-GCM-enc             15 MiB took 1.300 seconds,   11.543 MiB/s
AES-128-GCM-dec             15 MiB took 1.300 seconds,   11.535 MiB/s
AES-192-GCM-enc             15 MiB took 1.425 seconds,   10.526 MiB/s
AES-192-GCM-dec             15 MiB took 1.425 seconds,   10.523 MiB/s
AES-256-GCM-enc             10 MiB took 1.032 seconds,    9.687 MiB/s
AES-256-GCM-dec             10 MiB took 1.032 seconds,    9.691 MiB/s
GMAC Table 4-bit            31 MiB took 1.025 seconds,   30.251 MiB/s
Benchmark complete

Without RISC-V assembly optimizations:

./configure —enable-all && make

root@HiFiveU:~/wolfssl# ./wolfcrypt/benchmark/benchmark -aes-cbc -aes-gcm
------------------------------------------------------------------------------
 wolfSSL version 5.7.0
------------------------------------------------------------------------------
Math:   Multi-Precision: Wolf(SP) word-size=64 bits=4096 sp_int.c
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
AES-128-CBC-enc              5 MiB took 12.798 seconds,    0.391 MiB/s
AES-128-CBC-dec              5 MiB took 12.672 seconds,    0.395 MiB/s
AES-192-CBC-enc              5 MiB took 15.301 seconds,    0.327 MiB/s
AES-192-CBC-dec              5 MiB took 15.181 seconds,    0.329 MiB/s
AES-256-CBC-enc              5 MiB took 17.820 seconds,    0.281 MiB/s
AES-256-CBC-dec              5 MiB took 17.669 seconds,    0.283 MiB/s
AES-128-GCM-enc              5 MiB took 12.870 seconds,    0.388 MiB/s
AES-128-GCM-dec              5 MiB took 12.870 seconds,    0.388 MiB/s
AES-192-GCM-enc              5 MiB took 15.375 seconds,    0.325 MiB/s
AES-192-GCM-dec              5 MiB took 15.376 seconds,    0.325 MiB/s
AES-256-GCM-enc              5 MiB took 17.878 seconds,    0.280 MiB/s
AES-256-GCM-dec              5 MiB took 17.896 seconds,    0.279 MiB/s
AES-128-GCM-STREAM-enc       5 MiB took 12.878 seconds,    0.388 MiB/s
AES-128-GCM-STREAM-dec       5 MiB took 12.878 seconds,    0.388 MiB/s
AES-192-GCM-STREAM-enc       5 MiB took 15.379 seconds,    0.325 MiB/s
AES-192-GCM-STREAM-dec       5 MiB took 15.385 seconds,    0.325 MiB/s
AES-256-GCM-STREAM-enc       5 MiB took 17.881 seconds,    0.280 MiB/s
AES-256-GCM-STREAM-dec       5 MiB took 17.888 seconds,    0.280 MiB/s
GMAC Table 4-bit            30 MiB took 1.006 seconds,   29.831 MiB/s
Benchmark complete

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now