Introducing rustls-wolfcrypt-provider: wolfCrypt for Rustls

rustls-wolfcrypt-provider integrates the wolfCrypt cryptographic library as a backend for Rustls, allowing developers to use wolfCrypt’s secure cryptographic functions with Rustls’ modern TLS stack. Currently in alpha, this library offers flexibility for those needing an alternative crypto provider, especially for projects requiring FIPS 140-3 readiness.

Other reasons to consider wolfCrypt as your Rustls provider include the following:

  1. Hardware encryption support: wolfCrypt supports hardware encryption and assembly optimizations for systems big and small. See our list of supported hardware encryption schemes.
  2. Support: we will support Rustls when used in conjunction with wolfCrypt.
  3. Consulting: If you need help making all of this work in your environment, we’ll help!

Supported Cipher Suites

TLS 1.3:

  • TLS13_CHACHA20_POLY1305_SHA256
  • TLS13_AES_128_GCM_SHA256
  • TLS13_AES_256_GCM_SHA384

TLS 1.2:

  • TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS12_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

With rustls-wolfcrypt-provider, which supports Rustls version 0.23.9, developers can combine the cryptographic strengths of wolfCrypt with the modern TLS capabilities of Rustls. This integration is ideal for projects that require both strong security and the flexibility of wolfCrypt’s cryptography.

Are you interested in Rust solutions with wolfSSL integration?

If you have questions about any of the above or need assistance, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

Strengthening RSA default minimum to 2048 bits

wolfSSL helps make the internet secure. Part of this task is continually updating our default settings to keep up with adversarial advancements. A recent article detailed the use of default RSA key sizes by an IoT manufacturer, which resulted in a 512 bit key being used for authentication. “The factoring required $70 in cloud computing costs and less than 24 hours.”

Since wolfSSL also had the default minimum set to 512 bits, we decided to update the default minimum to 2048 bits. The decision to use 2048 bit for the minimum was based on NIST recommendations and security industry best practices. This affects key generation using wc_MakeRsaKey. Testing infrastructure was also updated to be sure the smaller key sizes are still being covered by CI tests. The default RSA key size minimum can be overridden in the configuration using the RSA_MIN_SIZE macro.

For more information about using RSA in wolfSSL, or if you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.


Azure Removing TLS 1.0 & TLS 1.1

Are you prepared for the upcoming security enhancements in Azure, which will remove support for TLS 1.0 and TLS 1.1? By the end of October, Azure will no longer accept connections using TLS 1.0 and TLS 1.1 (Azure announcement). This is great news! The older TLS protocols are less secure compared to the newer TLS 1.2 and TLS 1.3 standards. wolfSSL supports both TLS 1.2 and TLS 1.3, and can assist in upgrading your product’s security to prepare for the deprecation of TLS 1.0 and TLS 1.1 in Azure.

For more information and upgrade assistance contact facts@wolfSSL.com or +1 425 245 8247.


FIPS 140-3 and CNSA 2.0 with a Single TLS Connection

Can you believe it? With wolfSSL you can now have a TLS 1.3 connection that is compliant with both FIPS 140-3 and the CNSA 2.0! Want to know how?

For key establishment, we can use the new ML-KEM-1024 (also known as Kyber-1024 which is at security level 5 as defined by NIST) hybridized with ECDH on curve P-521.

In terms of authentication, we can use our dual algorithm certificates where the conventional algorithm is ECDSA on curve P-521 and the alternative algorithm is ML-DSA-87 (also known as Dilithium 5 which is at security level 5 as defined by NIST). The server would then also have conventional and alternative private keys so they would both be used to sign the transcript.

For the cipher suite, we can use AES-256-GCM-SHA384; this is approved by both FIPS 140-3 and CNSA 2.0.

And just like that, we have dual compliance! Want more details and a demo with steps to do it yourself? Not to worry, we’ll have a webinar soon to explain how you can achieve this yourself as well! Please stay tuned.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.


Rapid prototyping with Arduino and wolfSSL


Do you have an idea for a project but want a quick prototype without the hassle of a custom board? We’re happy to announce that our latest wolfSSL v5.7.2 library is now available in the Arduino Registry for rapid prototypes.

Just type “wolfSSL” in the Library Manager of the Arduino IDE. If nothing happens right away, check to see if the IDE is downloading updates as indicated in the lower-right corner of the app and wait for the process to complete.

There are TLS Client and Server apps, as well as a bare-bones Hello World that just prints the wolfSSL version. See the bottom of the list in Files – Examples – “Examples from Custom Libraries” in the IDE.

Just edit the SSID and Password:

All of the source code is available at: https://github.com/wolfSSL/Arduino-wolfSSL. We also have a more detailed Getting Started with wolfSSL on Arduino guide.

Want to check performance? Check out our recent blog: How do you benchmark cryptography?

When you are ready to move on to the next step, wolfSSL will be there for you! Need to have your project NIST Certified? Recently we announced that wolfSSL is the First in the World to offer FIPS 140–3 Automated Submission with our NIST Certificate #471.

See our prior blogs on:

The What is FIPS (Quick Overview) blog also applies to RISC-V with regards to how your RISC-V Operating Environment (“OE”) can be certified:

  1. You send us your hardware and toolchain.
  2. We run the initial tests which ensure the cryptography module behaves according to specification given your specific hardware and operating system.
  3. The CMVP certified lab runs and verifies the tests and their documentation.
  4. The test results are submitted to CMVP for review.
  5. Your specific operating environment is added to our certificate.
  6. You are FIPS 140 compliant in 60-90 days.

For more details, see our blog What is FIPS (In-Depth Overview).

Have specific requests or technical questions? We’d love to hear from you! Please reach out to us at support@wolfSSL.com or open an issue on GitHub. For general inquiries, please contact us at facts@wolfSSL.com or +1 425 245 8247.


Part 5: 5 Real-World Use Cases and Troubleshooting

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

Here are some places where wolfSSL can be found:

  1. Hex Five And wolfSSL Announce The First Secure IoT Stack For RISC-V

    Hex Five Security, Inc., in collaboration with wolfSSL, has developed the first secure IoT stack for RISC-V, which is a significant advancement for secure embedded systems. This stack integrates Hex Five’s MultiZone™ Security, a trusted execution environment (TEE) that allows for hardware-enforced separation of software components into multiple isolated zones, with wolfSSL’s TLS 1.3 cryptographic library. This combination ensures that any security vulnerabilities in one part of the system are contained, preventing them from compromising the entire IoT device.

    “wolfSSL, a leading provider of TLS cryptography and Hex Five Security, provider of MultiZone™ Security, the first Trusted Execution Environment for RISC-V announce general availability of the industry-first secure IoT stack for RISC-V – a TLS 1.3 reference implementation of freeRTOS with hardware-enforced separation between OS, TCP/IP stack and root of trust”

    This secure IoT stack is particularly valuable for RISC-V developers as it addresses the security challenges inherent in monolithic system designs by enabling fine-grained separation and protection of system functions. The stack is open source and available for developers on GitHub, promoting wider adoption and innovation within the RISC-V community.

  2. wolfSSL and Synopsys are working together to bring the wolfSSL portfolio of products to the Synopsys ARC® architecture.

    The Synopsys ARC Access Program is a collaborative initiative that supports a diverse ecosystem of hardware and software vendors in developing optimized solutions for Synopsys DesignWare® ARC® processors. The program provides members with access to essential development tools, such as ARC MetaWare, as well as opportunities for joint marketing and technical collaboration. This ecosystem is designed to accelerate the development and deployment of ARC-based embedded systems across various industries.

    As part of this program, wolfSSL offers its lightweight and embedded security solutions, which are highly optimized for speed, size, and portability, to enhance the security of ARC-based systems. This collaboration helps developers integrate advanced cryptographic features into their designs, ensuring secure communication and data protection in embedded applications.

  3. Microchip Microsemi PolarFire SoC

    The Microchip Microsemi Accelerate Ecosystem Partner Program is a collaborative initiative that connects Microsemi with industry leaders in silicon, IP, systems, software, and design services to deliver integrated and pre-validated solutions. This program helps partners accelerate time to market and revenue generation through technology collaboration, joint marketing efforts, and sales acceleration. Notably, wolfSSL, a leading provider of SSL/TLS libraries, is part of this ecosystem, offering secure communication solutions that integrate with Microsemi’s products, enhancing security and performance for end customers.

  4. Lightway, ExpressVPN’s new protocol for a superior VPN experience

    We at wolfSSL are proud to be partners with the awesome team over at ExpressVPN.

    Also read what you need to know about the OpenSSL bug:

    “Our Lightway VPN protocol uses wolfSSL for all of its cryptographic needs and does not use OpenSSL at all. That means that all Lightway clients and servers are totally unaffected by the OpenSSL bug. If you connect to ExpressVPN using Lightway (which is the default in our apps), you’ll be protected by wolfSSL”

  5. Espressif Managed Components

    Another company leveraging wolfSSL for RISC-V is Espressif, specifically in their ESP32-C3 and ESP32-C6 devices. wolfSSL has integrated RISC-V hardware acceleration into these devices, enhancing cryptographic performance. This integration allows Espressif’s RISC-V-based chips to benefit from the high-performance, lightweight SSL/TLS libraries that wolfSSL is known for, providing secure communication capabilities optimized for embedded systems.

    There are more details on Getting Started with Managed Components in our prior blog.

    See also:

Having any questions or problems with wolfSSL? We want to help!

  1. Check out the documentation
  2. Reach out to us on our product forums
  3. Open a GitHub issue
  4. View the wiki
  5. Send us an email at support@wolfSSL.com

Are you interested in RISC-V or FIPS Certification? We want to hear about your project!

If you have questions about any of the above, please contact us at facts@wolfSSL.com, +1 425 245 8247, or open an issue on GitHub.


Part 4: Customization and Advanced wolfSSL Features on RISC-V

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

The RISC-V architecture, known for its open-source and customizable nature, has seen a growing adoption in various embedded systems and IoT applications. As developers continue to push the boundaries of what RISC-V can achieve, the need for robust, secure, and highly optimized cryptographic solutions has become increasingly important. Enter wolfSSL, a lightweight SSL/TLS library that has been tailored for the unique demands of RISC-V environments.

Customization and advanced features of wolfSSL on RISC-V include hardware acceleration optimizations, particularly on platforms like Espressif’s ESP32-C3 and ESP32-C6 (see examples), where wolfSSL enhances performance with RISC-V assembly-level optimizations. These optimizations not only improve the speed of cryptographic operations but also ensure a smaller footprint, making them ideal for resource-constrained environments. Additionally, wolfSSL supports the integration of secure bootloaders, secure communication protocols, and FIPS 140-3 certifications, offering developers the tools needed to build secure, reliable, and high-performance systems on RISC-V.

This customization capability allows developers to tailor security features to their specific needs, leveraging the flexibility of RISC-V to create advanced, secure applications that meet the rigorous demands of modern embedded systems.

How can you make your application [Better | Faster | Smaller | More Secure] ?

The first place to look for customization is our Tuning Guide to get an overview. There are also some sample user setting files as described in a prior blog: Using user_settings.h with wolfSSL.

Wondering where to get started? We have examples that should work on nearly every Windows/Mac/*nix platform (let us know if you find one that doesn’t!). There are also numerous examples for different environments and IDE platforms.

Check out our recent blog: Top 5 Build Options To Improve wolfCrypt/wolfSSL Performance.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.


Part 3: Sample Application: Integrating wolfSSL with a RISC-V

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

The important thing to know: there are no special requirements for wolfSSL to run on your RISC-V device. There are no external dependencies. We can run a TLS stack in the smallest memory footprint. Although not a RISC-V device, [gojimmypi] was able to get a TLS stack working in less than 24KB on the Arduino Nano 33 IoT device with total 32KB RAM + 256KB Flash. Most targets will of course have considerably more memory resources.

There are examples to help you get started. There are also examples for different specific environments and IDE platforms.

One of the important things to remember, particularly on embedded devices, is that a reasonably accurate clock is needed. Otherwise certificate validation will fail if the device time is not within the begin and end dates for the certificates.

This particular example is extracted from the Espressif wolfssl_client example, but applies to all platforms:

For embedded systems, copy or install wolfSSL as needed for your particular environment.

For command-line systems:

  ./configure LDFLAGS="-L/path/to/wolfssl" CPPFLAGS="-I/path/to/includes"

For using a custom user_settings.h file, for instance with CMake, define WOLFSSL_USER_SETTINGS:

    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS")

Include a couple of wolfSSL files.

    /* wolfSSL */
    #include <wolfssl/wolfcrypt/settings.h>
    #include <wolfssl/ssl.h>

Note that the settings.h file must be included before any other wolfSSL file, in every source file that uses wolfSSL. Never explicitly include the user_settings.h file, as it is preprocessed and included by the settings.h file.

Create and initialize wolfSSL ctx (context object)

    ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); /* SSL 3.0 - TLS 1.3. */
    /*   options:   */
    /* ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());      only TLS 1.2 */
    /* ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());      only TLS 1.3 */

Open a socket:

    sockfd = socket(AF_INET, SOCK_STREAM, 0);

Optionally set a cipher suite:

    ret = wolfSSL_CTX_set_cipher_list(ctx, WOLFSSL_ESP32_CIPHER_SUITE);

Set client certificate:

    ret = wolfSSL_CTX_use_certificate_chain_buffer_format(ctx,
                                     CTX_CLIENT_CERT,
                                     CTX_CLIENT_CERT_SIZE,
                                     CTX_CLIENT_CERT_TYPE);

Load CA certificate:

    ret = wolfSSL_CTX_load_verify_buffer(ctx,
                                     CTX_CA_CERT,
                                     CTX_CA_CERT_SIZE,
                                     CTX_CA_CERT_TYPE);

Load private key:

    ret_i = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
                                     CTX_CLIENT_KEY,
                                     CTX_CLIENT_KEY_SIZE,
                                     CTX_CLIENT_KEY_TYPE);

Create a wolfSSL secure socket layer connection:

    ssl = wolfSSL_new(ctx);

Tell wolfSSL to verify the peer, and no callback:

    wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, 0);

Connect:

    ret = connect(sockfd,
                 (struct sockaddr *)&servAddr,
                 sizeof(servAddr));

Once your application is connected, send a message with wolfSSL_write()

        /* Send the message to the server */
        do {
            err = 0; /* reset error */
            ret_i = wolfSSL_write(ssl, buff, len);
            if (ret_i <= 0) {
                err = wolfSSL_get_error(ssl, 0);
            }
        } while (err == WOLFSSL_ERROR_WANT_WRITE ||
                 err == WOLFSSL_ERROR_WANT_READ);

And receive a message with wolfSSL_read()

        do {
            err = 0; /* reset error */
            ret_i = wolfSSL_read(ssl, buff, sizeof(buff));
            if (ret_i <= 0) {
                err = wolfSSL_get_error(ssl, 0);
            }
        } while ((err == WOLFSSL_ERROR_WANT_READ) ||
                 (err == WOLFSSL_ERROR_WANT_WRITE) );

A build command would look something like this:

    gcc -o simple_tls_client simple_tls_client.c \
        -I/usr/local/include -L/usr/local/lib -lwolfssl
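
The clock requirement noted earlier in this post can be checked before the handshake is attempted. The following is an added example, not code from wolfSSL or the Espressif client: it is plain C with no wolfSSL calls, and the function names and sample validity dates are constructed for illustration. It parses the two time formats X.509 uses for notBefore/notAfter and reports whether the device clock falls inside that window.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { CLOCK_OK, CLOCK_BEFORE_CERT, CLOCK_AFTER_CERT, CLOCK_BAD_INPUT } clock_status;

/* Days since 1970-01-01 for a Gregorian calendar date. */
static long long days_from_civil(int y, int m, int d)
{
    long long era;
    int yoe, doy, doe;
    y -= (m <= 2);
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = (int)(y - era * 400);
    doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static int two(const char *p) { return (p[0] - '0') * 10 + (p[1] - '0'); }

/* Parse an X.509 validity time into Unix seconds (UTC). Accepts UTCTime
 * "YYMMDDHHMMSSZ" and GeneralizedTime "YYYYMMDDHHMMSSZ". Returns 0 on success. */
int parse_x509_time(const char *s, long long *epoch)
{
    size_t n = strlen(s), i;
    int year, mon, day, hh, mm, ss;
    if ((n != 13 && n != 15) || s[n - 1] != 'Z') return -1;
    for (i = 0; i + 1 < n; i++)
        if (!isdigit((unsigned char)s[i])) return -1;
    if (n == 13) {   /* RFC 5280: YY >= 50 is 19YY, otherwise 20YY */
        year = two(s);
        year += (year >= 50) ? 1900 : 2000;
        s += 2;
    } else {
        year = two(s) * 100 + two(s + 2);
        s += 4;
    }
    mon = two(s); day = two(s + 2);
    hh = two(s + 4); mm = two(s + 6); ss = two(s + 8);
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hh > 23 || mm > 59 || ss > 59)
        return -1;
    *epoch = days_from_civil(year, mon, day) * 86400LL + hh * 3600 + mm * 60 + ss;
    return 0;
}

/* Classify the device clock against a certificate's notBefore/notAfter. */
clock_status check_device_clock(long long now, const char *nb_s, const char *na_s)
{
    long long nb, na;
    if (parse_x509_time(nb_s, &nb) || parse_x509_time(na_s, &na) || nb > na)
        return CLOCK_BAD_INPUT;
    if (now < nb) return CLOCK_BEFORE_CERT;   /* typical of an RTC that was never set */
    if (now > na) return CLOCK_AFTER_CERT;
    return CLOCK_OK;
}

int main(void)
{
    /* Constructed sample validity window and device clock readings. */
    const char *nb = "240101000000Z", *na = "20260101000000Z";
    printf("unset RTC (epoch 0): %d\n", check_device_clock(0, nb, na));
    printf("2025-01-01 UTC:      %d\n", check_device_clock(1735689600LL, nb, na));
    return 0;
}
```

On a device, pass the current system time as `now`; a CLOCK_BEFORE_CERT result at boot usually means the RTC or network time sync has not completed, and the handshake should wait rather than disable verification.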

Have any questions on using wolfSSL in your project? We’d love to help!

Common questions are answered over on our forums.

If you have a project that you don’t want to share publicly, please email us at support@wolfSSL.com.

We want to hear how you want to use wolfSSL. Please contact us at facts@wolfSSL.com, +1 425 245 8247, or open an issue on GitHub.

Catch up on ‘Part 1: Ready for Integration: wolfSSL and RISC-V‘ and ‘Part 2: Installing and Configuring wolfSSL on RISC-V.’


Part 2: Installing and Configuring wolfSSL on RISC-V

There are no special requirements or prerequisites for using wolfSSL in a RISC-V project. As noted in our prior blog, wolfSSL has been developed in a Clean Room environment and has no external dependencies. Unlike other options, wolfSSL is still maintained with oversight from the original developers. If your current project compiles, you can add wolfSSL.

See the wolfSSL Quick Start Guide.

Are you interested in FIPS 140-3 RISC-V Certification? Check out our RISC-V Announcement:

wolfSSL Embraces RISC-V; FIPS 140-3 Certifications Now Available

Prerequisites: Hardware and Software Requirements

  • Hardware: nearly any RISC-V board.
  • Software: Ubuntu or another Linux distribution, GNU toolchain for RISC-V, and necessary development tools (e.g., make, gcc).

Downloading wolfSSL

Building wolfSSL for RISC-V

Clone the Repository:

    git clone https://github.com/wolfSSL/wolfssl.git
    cd wolfssl

Set Up the Build Environment: Ensure the RISC-V GNU toolchain is installed and configured.

Compile wolfSSL:

There’s not much difference between compiling for RISC-V or any other platform, unless perhaps you need to cross-compile. See additional information in the INSTALL file.

    ./autogen.sh # optional, depending on source. (see docs)
    ./configure --host=riscv64-unknown-elf
    make
    make install

Configuring wolfSSL

Custom Build Options: Modify the configure command with options specific to your use case. For example, enabling TLS 1.3:

    ./configure --host=riscv64-unknown-elf --enable-tls13
    make install

By following these steps, you’ll have wolfSSL downloaded, built, and configured on your RISC-V platform, ready for development.

Beyond the basic compilation of wolfSSL, there are a variety of enhancements and optimization options available for the RISC-V CPU. See our upcoming blog: “Customization and Advanced wolfSSL Features on RISC-V”

Want to optimize performance? See Top 5 Build Options To Improve wolfCrypt/wolfSSL Performance.

Want to check performance? Check out our recent blog: How do you benchmark cryptography?

The wolfSSL cryptographic libraries will run anywhere on nearly any RISC-V CPU! Check out our prior blog using the Radiona ULX3S Softcore Hazard3 RISC-V. Hazard3 by Luke Wren is the same one used in the Raspberry Pi Pico 2.

Are you using RISC-V in your project? We want to hear about it!

If you have questions about any of the above, please contact us at facts@wolfSSL.com, +1 425 245 8247, or open an issue on GitHub.

Catch up on ‘Part 1: Ready for Integration: wolfSSL and RISC-V‘ then dive into ‘Part 3: Sample Application: Integrating wolfSSL with a RISC-V‘.

