1

(0 replies, posted in Announcements)

wolfCLU release 0.1.6 is available! wolfSSL’s command line utility (wolfCLU) is a drop-in replacement for the OpenSSL command line utility. It’s a handy Swiss Army knife of commonly used operations, often great for system admins or test developers: creating and signing certificates, generating new keys, parsing X509 certificates into human-readable form, and much more. This release has seen some fixes to wolfCLU along with exciting new features. One of the new features is the addition of support for post-quantum Dilithium signature generation and verification. For a full list of changes, check out the ChangeLog.md.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.

Download wolfSSL Now

wolfCrypt JNI/JCE 1.7.0 is now available for download! This release contains a number of bug fixes, changes and new features to help better support usage from applications and 3rd party frameworks that consume wolfJCE internally.
wolfCrypt JNI/JCE allows for easy use of the native wolfCrypt cryptography library from Java. The thin JNI wrapper can be used for direct JNI calls into native wolfCrypt, or the JCE provider (wolfJCE) can be registered as a Java Security provider for seamless integration underneath the Java Cryptography API. wolfCrypt JNI/JCE can also support running on top of wolfCrypt FIPS 140-2 and 140-3 validated modules.
Changes in this release are summarized below, but please see ChangeLog.md for a full list. Watch for individual future blogs on some of these topics as well for a more in depth description.

New JCE Functionality:

  • Addition of a new WolfSSLKeyStore (WKS) KeyStore implementation to help conform to FIPS 140-2 / 140-3 compliant KeyStore use

JNI and JCE Changes:

  • Build compatibility has been fixed with older Java versions that do not support BigInteger.longValueExact()

  • Detection of native RSA minimum key size (RSA_MIN_SIZE), and exposure of this minimum to Java via Rsa.RSA_MIN_SIZE

  • Fixes to pointer use when calling the native X509CheckPrivateKey() API

Example Changes:

  • Addition of a new Android Studio example IDE project, located under the “IDE/Android” directory. This can be useful as an example to see how CMakeLists.txt should be structured to build native wolfSSL and wolfCrypt JNI/JCE.

Testing Changes:

  • Facebook Infer is now run on all GitHub pull requests using GitHub Actions

  • Android Gradle builds are now tested on all GitHub pull requests using GitHub Actions

wolfCrypt JNI/JCE 1.7.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfCrypt JNI/JCE User Manual can be found here. For any questions, or to get help using wolfSSL products in your projects, contact us at support@wolfssl.com.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.


wolfSSL JNI/JSSE 1.14.0 is now available for download! This release contains a number of bug fixes, changes and new features to help better support usage from applications and 3rd party frameworks that consume wolfJSSE internally.
wolfSSL JNI/JSSE allows for easy use of the native wolfSSL SSL/TLS library from Java. The thin JNI wrapper can be used for direct JNI calls into native wolfSSL, or the JSSE provider (wolfJSSE) can be registered as a Java Security provider for seamless integration underneath the Java Security API. wolfSSL JNI/JSSE provides TLS 1.3 support and can also support running on top of wolfCrypt FIPS 140-2 and 140-3 validated modules.
Changes in this release are summarized below, but please see ChangeLog.md for a full list. Watch for individual future blogs on some of these topics as well for a more in depth description.

New JNI and JSSE Functionality:

  • Addition of a new WKS KeyStore type to better facilitate FIPS compliance where needed

  • Performance and scalability improvement with the use of native poll() set as default over select()

  • Support for using RSA-PSS based certificates in TLS connections

  • Addition of LDAPS endpoint identification verification to X509ExtendedTrustManager

  • Two new JNI wrapped methods for native “wolfSSL_SessionIsSetup()” and “wolfSSL_SESSION_dup()”

JSSE System/Security Property Support:

  • wolfjsse.debugFormat=JSON – a new System property to support outputting debug logs in JSON format, which can be more friendly for some log collection mechanisms

  • wolfjsse.clientSessionCache.disabled – a new Security property to disable the Java client-side session cache, which will prevent session resumption from occurring

JSSE Changes:

  • Native memory leak fixes, related to calls to wolfSSL_get_peer_certificate()

  • Optimizations to allow for easier and more efficient garbage collection

  • SSLEngine fixes for session storage, unwrap() FINISHED state transitions, HandshakeStatus when receiving TLS 1.3 session tickets after the handshake, correctly closing inbound on ALPN protocol name errors, and closure when fatal alerts are received

  • SSLSocket fixes for end of stream handling in InputStream read() calls

  • Fixes to throw expected or correct exceptions for several cases

  • SSLSession getPeerCertificates() returns correct X509Certificate array

  • Fixes around SSLSocket closure in a few different use cases

  • Client-side session resumption is now keyed on the cipher suite and protocol in addition to host and port

  • Build compatibility has been fixed with the older Android API 24, removing method calls not available in that SDK version

  • A potential deadlock on close() between SSLSocket and the associated InputStream read() or OutputStream write() calls has been fixed

Example Changes:

  • The Host String has been added into the HTTP GET request in the example ClientJSSE when used with the “-g” command line option

  • JNI-only threaded client/server example applications have been added which can be helpful for seeing or debugging session resumption at the JNI-only level

  • A basic RMI example client and server have been added, which can be useful for reference and testing wolfJSSE over RMI

Testing Changes:

  • Facebook Infer is now run on all GitHub pull requests using GitHub Actions

  • TLS 1.0 and 1.1 JUnit tests are now run even if those protocols are disabled in the system “java.security” file, as long as native wolfSSL support has been compiled in

  • Android Gradle builds are now tested on all GitHub pull requests using GitHub Actions

wolfSSL JNI/JSSE 1.14.0 can be downloaded from the wolfSSL download page, and an updated version of the wolfSSL JNI/JSSE User Manual can be found here. For any questions, or to get help using wolfSSL products in your projects, contact us at support@wolfssl.com.

If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.


4

(0 replies, posted in Announcements)

wolfSSL is proud to announce the release of wolfMQTT v1.19.1!

This release fixes an issue in the Espressif example and corrects some documentation issues.

Release 1.19.1 has been developed according to wolfSSL’s development and QA process and successfully passed the quality criteria.

Check out the ChangeLog from the download for a full list of features and fixes, or contact us at facts@wolfSSL.com with any questions. While you’re there, show us some love and give the wolfMQTT project a Star!

Download the latest release or clone directly from our GitHub repository.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.


5

(0 replies, posted in Announcements)

We are proud to announce the next release of wolfTPM that includes minor bug fixes and some exciting new features. The v3.6.0 release is incremental and part of our quarterly release schedule. Each release goes through additional testing including tests on actual TPM 2.0 hardware.

This release includes minor bug fixes and new features such as:

  • Provisioning the initial device (IDevID) and initial attestation (IAK)

    • New key templates and examples

    • New build option --enable-provisioning or WOLFTPM_PROVISIONING

  • Improved support for parsing for all TPM2_GetCapability capabilities

  • Improved the TPM TLS examples for use with WOLFTPM_MFG_IDENTITY

  • New TPM2_Certify example

  • New wolfTPM2_CreatePrimaryKey_ex API for creation ticket

  • Tested support with Nations NS350 TPM

The minor issues fixed are:

  • Issue with TPM2_GetRCString and RC_WARN error codes (broken in v3.4.0)

  • Issue with TPM2_SetupPCRSel on some PCR selection edge cases

  • Improved building without ECC or RSA or file system

The new v3.6.0 release can be downloaded on our website or on GitHub.com/wolfssl/wolftpm

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.


6

(0 replies, posted in Announcements)

wolfBoot 2.3.0 has finally been released! The universal secure bootloader extends its support to new platforms, improves existing ports, and introduces new groundbreaking features that set the pace to defining secure-boot for the next generation of embedded systems.

A New Era of Secure Boot with ML-DSA and Hybrid Authentication
The introduction of quantum resistant algorithms in the latest releases of wolfSSL has accelerated the integration of asymmetric cryptography in our secure boot solution. In 2023, wolfBoot v2.0.0 expanded its signature verification algorithms to include the hash-based stateful signatures LMS (+HSS) and XMSS (^MT). wolfBoot v2.3.0 further extends these options by introducing ML-DSA, as specified in FIPS-204, for verifying the authenticity of firmware and other critical components. Support for ML-DSA in wolfBoot is currently available in three variants: ML-DSA-44, ML-DSA-65 and ML-DSA-87, corresponding to NIST security category 2, 3 and 5, respectively.

Hybrid Authentication: Post-Quantum Meets Classic Cryptography
One of the most anticipated features in wolfBoot 2.3.0 is its support for hybrid authentication, a method that combines Post-Quantum Cryptography (PQC) algorithms with traditional cryptographic techniques like ECC and RSA. This hybrid approach strengthens security by combining the resilience of PQC, which resists quantum attacks, with the well-established reliability of classic algorithms. Pairing PQC algorithms with ECC521 offers a path toward CNSA 2.0 compliance, a set of guidelines for systems demanding the highest levels of security.

Hybrid authentication in wolfBoot secures the boot process by signing and validating boot images with a combination of PQC and traditional cryptography. This dual-layer protection approach ensures that even if one algorithm becomes vulnerable, the other remains resilient, offering a future-proof strategy for embedded systems as quantum computing capabilities grow.

Boot time optimization and performance monitoring
Thanks to the newly introduced assembly optimization for ARM in wolfCrypt, image verification times have been dramatically reduced. These ARM optimizations are now enabled by default on all Cortex-M devices.
New benchmark tools have been added to our continuous integration environment, to ensure that we can constantly monitor boot time, footprint size, runtime memory usage and other performance indicators.

Improved keystore and keyvault management
Starting with wolfBoot 2.3.0, it is now possible to store public keys of different sizes in the same trust anchor. This is a crucial feature to allow double signature verification in hybrid mode, or when integrating heterogeneous components in the boot chain, involving more than one cipher at a time.

PKCS11 key vault storage drivers have also been improved, and can now reliably store keys in non-volatile memories, ensuring compatibility with wolfPKCS11.

Hardware support

In this version, the following new targets have been added to the list of hardware platforms we support:

  • Infineon AURIX TriCore TC3xx

  • Microchip AT-SAMA5D3

  • Nordic nRF5340

Moreover, the support for some of the existing ports has been improved and stabilized. During the development of wolfBoot v. 2.3.0 we mostly worked on the following targets:

  • NXP i.MX-RT family: the capabilities have been extended, including the support for built-in High-Assurance Boot (HAB) mechanism, provided by the manufacturer. Flash interaction has improved, and DCACHE invalidation has been fine-tuned to increase performance

  • Renesas RX: improvements introduced for this family of microcontrollers include the introduction of a full-flash erase operation, a more efficient flash management and support for boot-time IRQ.

  • Raspberry Pi: added UART driver

Find out more about wolfBoot

Join our webinar “What’s new in wolfBoot” on November 21, 2024 to discover more details about wolfBoot 2.3.0 and our real-life scenarios for post-quantum cryptography adoption.

If you want to share your secure-boot experience with us or ask us anything on this topic, reach out via email at facts@wolfSSL.com or call us at +1 425 245 8247.


7

(0 replies, posted in Announcements)

The latest version of wolfSSH, 1.4.19, brings improvements, stability fixes and an additional feature! DH Group 14 with SHA-256 Key Exchange (KEX) support was added in this release.

Along with this new feature, some of the improvements that were added are: CI testing, macro guards around TTY modes, use of wolfSSL Kyber implementation, and an update to the Espressif example. Among the fixes there were additions for gracefully handling non-existent directories with SFTP and handling of re-key/window full cases with wolfSSHd. For a full list of changes see the bundled ChangeLog.md.

Contact facts@wolfssl.com for more information regarding wolfSSL and wolfSSH.

If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.


8

(0 replies, posted in Announcements)

wolfSSL release 5.7.4 is now available, with exciting optimizations for ARM devices and enhancements to post-quantum cryptography algorithms. If you’re using wolfSSL on RISC-V, we’ve also included new performance enhancements specifically for RISC-V devices. Alongside these optimizations and new features, several important fixes were made. One notable fix involves the behavior of X509_STORE_add_cert() and X509_STORE_load_locations() functions to better align with OpenSSL when the compatibility layer is enabled.
Below are some of the key changes in this release. For a more comprehensive list, refer to the ChangeLog.

New Features and Additions

  • RISC-V 64: Added new assembly optimizations for SHA-256, SHA-512, ChaCha20, Poly1305, and SHA-3 (PRs 7758, 7833, 7818, 7873, 7916).

  • DTLS 1.2 Connection ID: Implemented support for Connection ID (CID) (PR 7995).

  • DevkitPro Support: Added support for (DevkitPro)libnds (PR 7990).

  • Mosquitto: Added a port for Mosquitto OSP (Open Source Project) (PR 6460).

  • sssd: Added a port for init sssd (PR 7781).

  • eXosip2: Added support for eXosip2 (PR 7648).

  • STM32G4: Added support for STM32G4 (PR 7997).

  • MAX32665 and MAX32666: Added support for TPU hardware and ARM ASM crypto callback (PR 7777).

  • libspdm: Added support for building wolfSSL to be used in libspdm (PR 7869).

  • Nucleus Plus: Added support for use with Nucleus Plus 2.3 (PR 7732).

  • RFC5755 Attribute Certificates: Initial support for x509 attribute certificates (acerts) with --enable-acert (PR 7926).

  • PKCS#11 RSA Padding Offload: Allows tokens to perform CKM_RSA_PKCS (sign/encrypt), CKM_RSA_PKCS_PSS (sign), and CKM_RSA_PKCS_OAEP (encrypt) (PR 7750).

  • Heap/Pool Allocation: Added “new” and “delete” style functions for heap/pool allocation and freeing of low-level crypto structures (PRs 3166, 8089).

Espressif / Arduino Updates

  • Updated wolfcrypt settings.h

  • Updated Espressif SHA, utility, memory, and time helpers (PR 7955).

  • Fixed _thread_local_start and _thread_local_end for Espressif (PR 8030).

  • Enhanced benchmarking for Espressif devices (PR 8037).

  • Introduced Espressif common CONFIG_WOLFSSL_EXAMPLE_NAME in Kconfig (PR 7866).

  • Added wolfSSL esp-tls

  • Updated wolfSSL release for Arduino (PR 7775).

Post-Quantum Crypto Updates

  • Dilithium: Support for fixed-size arrays in dilithium_key (PR 7727).

  • Dilithium Precalc: Added option to use precalc with small sign (PR 7744).

  • Kyber FIPS: Allowed Kyber to be built with FIPS (PR 7788).

  • Kyber in Linux Kernel: Enabled Kyber ASM usage in Linux kernel module (PR 7872).

  • Dilithium, Kyber: Updated to final specifications (PR 7877).

  • Dilithium FIPS: Supported FIPS 204 Draft and Final Draft (PRs 7909, 8016).

ARM Assembly Optimizations

  • ARM32: Added assembly optimizations for ChaCha20 and Poly1305 (PR 8020).

  • Poly1305 Aarch64: Improved Poly1305 assembly optimizations for Aarch64 (PR 7859).

  • Poly1305 Thumb-2: Poly1305 Thumb-2

  • STM32CubePack: Added ARM ASM build option to STM32CubePack (PR 7747).

  • Visual Studio: Added ARM64 support to the Visual Studio project (PR 8010).

  • Kyber ARM Optimizations: Added assembly optimizations for ARM32, Aarch64, ARMv7E-M, and ARMv7-M (PRs 8040, 7998, 7706).

If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.
wolfSSL is the best tested TLS

9

(0 replies, posted in Announcements)

wolfSSL is proud to announce the release of wolfProvider 1.0.1. This release contains several fixes and improvements. Most notably, we have added AES CFB support. Better logging of code execution has been added to make debugging easier. Scripted compilation of dependencies (such as wolfSSL and OpenSSL) has been added to make getting started easier.

wolfProvider is intended for use by customers who want to have a FIPS validated module, but are already invested in using OpenSSL. The provider gives drop-in replacements for the cryptographic algorithms used by OpenSSL. The wolfProvider uses the wolfCrypt engine underneath, which is FIPS 140-3 certified.

Refer to the README.md found in the release for usage instructions. We also maintain a ChangeLog.md for a list of changes in each release.

If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.

10

(0 replies, posted in Announcements)

wolfSSL is proud to announce the release of wolfProvider 1.0.0 (https://github.com/wolfSSL/wolfProvider … tag/v1.0.0). This release is the first official support for being a Provider for OpenSSL 3.x. It is intended for use by customers who want to have a FIPS validated module, but are already invested in using OpenSSL. The provider gives drop-in replacements for the cryptographic algorithms used by OpenSSL. The wolfProvider uses the wolfCrypt engine underneath, which is FIPS 140-3 certified.

Refer to the README.md (https://github.com/wolfSSL/wolfProvider … /README.md) found in the release for usage instructions. We also maintain a ChangeLog.md (https://github.com/wolfSSL/wolfProvider … angeLog.md) for a list of changes in each release.

If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.

11

(0 replies, posted in Announcements)

It is Christmas in July! The summer release of wolfSSH is here, version 1.4.18!

Version 1.4.18 brings with it bug fixes, new features, and some enhancements as well! New features in this release include new algorithms and a memory configuration option.

We also have a nice round of enhancements which range from channel setup callbacks, better testing, improved portability, and more!

New Features

  • wolfSSL style static memory pool allocation support.

  • Ed25519 public key support.

  • Banner option for wolfSSHd configuration.

  • Non-blocking socket support to the example SCP client.

Improvements

  • Documentation updates.

  • Update the Zephyr test action.

  • Add a no-filesystem build to the Zephyr port.

  • Update the macOS test action.

  • Refactor certificate processing. Only verify certificates when a signature is present.

  • Update the Kyber test action.

  • Refactor the Curve25519 Key Agreement support.

  • Update the STM32Cube Pack.

  • Increase the memory that Zephyr uses for a heap for testing.

  • Add a macro wrapper to replace the ReadDir function.

  • Add callback hook for keying completion.

  • Add function to return strings for the names of algorithms.

  • Add asynchronous server side user authentication.

  • Add ssh-rsa (SHA-1) to the default user auth algorithm list when sha1-soft-disable is disabled.

  • Update Espressif examples using Managed Components.

  • Add SCP test case.

  • Refactor RSA sign and verify.

  • Refresh the example echoserver with updates from wolfSSHd.

  • Add callback hooks for most channel messages including open, close, success, fail, and requests.

  • Reduce the number of memory allocations SCP makes.

  • Improve wolfSSHd’s behavior on closing a connection. It closes channels and waits for the peer to close the channels.

Fixes

  • Refactor wolfSSHd service support for Windows to fix PowerShell Write-Progress.

  • Fix partial success case with public key user authentication.

  • Fix the build guards with respect to cannedKeyAlgoNames.

  • Error if unable to open the local file when doing a SCP send.

  • Fix some IPv6 related build issues.

  • Add better checks for SCP error returns for closed channels.

  • In the example SCP client, move the public key check context after the WOLFSSH object is created.

  • Fix error reporting for wolfSSH_SFTP_STAT.

  • In the example SCP client, fix error code checking on shutdown.

  • Change return from wolfSSH_shutdown() to WS_CHANNEL_CLOSED.

  • Fix SFTP symlink handling.

  • Fix variable initialization warnings for Zephyr builds.

  • Fix wolfSSHd case of non-console output handles.

  • Fix testsuite for single threaded builds. Add single threaded test action.

  • Fix wolfSSHd shutting down on fcntl() failure.

  • Fix wolfSSHd on Windows handling virtual terminal sequences using exec commands.

  • Fix possible null dereference when matching MAC algos during key exchange.

Visit our download page (https://www.wolfssl.com/download/) or wolfSSH GitHub repository (https://github.com/wolfSSL/wolfssh) to download the release bundle, and feel free to email us at facts@wolfssl.com or support@wolfssl.com or call us at +1 425 245 8247 with any questions about the wolfSSH embedded SSH library or other products.