wolfSSL 2021 Annual Report

Last year was an excellent year for wolfSSL! We progressed on all of our critical performance vectors, including technical leadership, top notch support, sales growth and new design wins. The sheer volume of new code that we produced, in conjunction with our new products and design wins, is impressive to say the least. Additionally, we made the migration from a strictly on-prem based testing rig to a hybrid rig. Our new rig harnesses the power of cloud computing, and allows us to even further improve on our testing in order to bring you the best tested TLS. Thank you for reading, and please contact us if there is something that you would like on the wolfSSL roadmap for 2022!

wolfSSL Technical Progress

A total of 5 releases of the wolfSSL embedded TLS library were delivered in 2021, each with bug fixes, enhancements, and new feature additions. Highlights of these releases included:

1. New Hardware and OS Ports

  • Linux Kernel Crypto API (KCAPI) – Allows for offloading of crypto operations to kernel hardware or software.  Support includes AES-CBC, AES-GCM, SHA-2, and HMAC. Also possible to use RSA, DH and ECC with custom kernel modules.
  • Linux Kernel Module build option (–enable-linuxkm), which is also supported with FIPS modes of operation using FIPS compliant integrity checks and conditional algorithm self tests (CASTs). Compliance up to the latest FIPS 140-3.
  • NXP i.MX CAAM – QNX 
  • NXP SE050 
  • IOT-Safe (SIM card PK)
  • Cypress/Infineon PSoc6
  • Renesas RA6M4, RX65N, RX72N, TSIP, SCE Protected Mode (see our new GitHub repository)
  • Fusion RTOS
  • Dolphin Emulator

2. New Software Ports!

  1. Bind DNS 
  2. Cjose 
  3. HaProxy
  4. Kerberos
  5. Libest 
  6. libmobiledevice
  7. Net-SNMP 
  8. NTP 
  9. OpenVPN 
  10. OpenLDAP 
  11. OpenPegasus 
  12. OpenResty 
  13. PyOpenSSL 
  14. Python 
  15. Rsyslog 
  16. sblim-sfcb 
  17. Socat 
  18. Tcpdump 
  19. libSSH2 
  20. Zephyr

3. Updates to Existing Ports

  • STM32: Supported platforms now include G0 and U5
  • Fixes for NXP mmCAU/LTC, Microchip ATECC608, Espressif ESP32, ST STM32 PKA AES-GCM, Renesas RA6M3
  • Updated project ports:
    1. Stunnel 5.57 
    2. Qt 5.15
    3. Apache 2.4.51
    4. Socat 1.7.4.1
    5. lighttpd 1.4.51 
    6. OpenSSH 8.8

4. Operating System Updates

  • WIN32 WinCE wolfCrypt port
  • TI-RTOS port maintenance

5. Compiler and IDE Updates

  • Android
  • STM32
  • GCC Makefile
  • Espressif ESP-IDF
  • INTIME
  • QNX

6. Post Quantum Algorithm Support

  1. Removed legacy QSH and NTRU support.
  2. Added support for FALCON signature schemes in TLS 1.3 (Levels 1, 5)
  3. Added support for KEMs in TLS 1.3 as groups and hybridized groups with NIST ECC Curves: 
    1. SABER (Levels 1, 3, 5)
    2. KYBER (Levels 1, 3, 5) and KYBER 90S  (Levels 1, 3, 5)
    3. NTRU HRSS (Level 3) and HPS  (Levels 1, 3, 5)
  4. Full interoperability of algorithms we implemented against the OQS team’s OpenSSL fork. 
  5. Integrations with Open Source projects allowing use of post-quantum algorithms with the following popular projects: 
    1. Apache
    2. Nginx
    3. Lighttpd
    4. cURL
    5. MariaDB
    6. Stunnel
  6. Joint integration with the OQS team to patch Wireshark, making it aware of and display the new algorithms and their variants.

7. New Hardware Crypto Support

  • IotSAFE support
  • Renesas RA6M4 SCE Protected Mode support
  • Renesas RX65N / RX72N TSIP 1.14 support

8. Improvements to Existing Hardware Crypto Support

  • Fixed DCP port 
  • Fixed Psoc6 SHA512 regressions
  • Fixed broken ECC public key computation in PR in NXP LTC
  • Fix for STM32 PKA ECC point mapping

9. New and Updated Algorithms

  • New Post-Quantum Algorithm support, as mentioned above. 
  • Added ECCSI and SAKKE for Identity-based Encryption.
  • Added support for streaming AES-GCM.
  • Added streaming API for Ed25519 and Ed448.
  • Added ISO 18033 and SEC 1 implementations of ECIES.

10. Algorithm Performance Optimization

  • Improved TFM and SP math implementation of addmod_ct and submod_ct for a 30% improvement in performance of ECC operations.

11. New and Updated Build Options

  • S/MIME support (–enable-smime)
  • –enable-wolfsentry and –with-wolfsentry=
  • –enable-wolftpm
  • –enable-caam
  • –enable-kcapi
  • –enable-eccsi
  • –enable-sakke
  • –enable-wolfclu
  • –enable-curl
  • –enable-reproducible-build
  • –enable-aesgcm-stream
  • –enable-ed25519-stream
  • –enable-ed448-stream
  • –enable-linuxkm-pie
  • –enable-keying-material
  • –enable-iotsafe
  • –enable-iotsafe-hwrng
  • –enable-sp=
    1. smallfast
    2. smallec1024
    3. smallp1024
    4. small1024
    5. ec1024
    6. p1024
    7. 1024
    8. asm
  • –enable-context-extra-user-data
  • –enable-aescbc-length-checks
  • –enable-altcertchains
  • –enable-sblim-sfcb
  • –enable-crypttests-libs
  • –enable-benchmark
  • –enable-aligndata
  • –enable-error-queue-per-thread
  • –with-max-rsa-bits=
  • –with-max-ecc-bits=
  • –with-liboqs=
  • –with-se050=
  • –enable-bind
  • –enable-libssh2
  • –enable-net-snmp
  • –enable-ntp
  • –enable-openresty
  • –enable-rsyslog
  • –enable-smime
  • –enable-tcpdump
  • –enable-krb

12. TLS Additions and Updates

  • Session Ticket (Added AES GCM support)
  • TLS export/import
  • Keying Material Exporters for TLS (RFC 5705)
  • S/MIME (Secure/Multipurpose Internet Mail Extensions)
  • Asynchronous TLS v1.3 TLSX ECC/DH keygen/agree
  • TLS 1.3 Updates
    1. Better Interop
    2. Better Portability
    3. Better Testing
    4. More Cipher Suites
  • Crypto Callbacks extended: Ed/X25519, SHA2-384/512, AES CCM, CMAC
  • TLS v1.3 sniffer / DH Extra / Static Ephemeral
  • LWIP Native Support (IP stack)
  • DTLS
    1. Resend the previous DTLS handshake flight only on a network read timeout (WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT)
    2. Change default DTLS future packet behavior. Messages from “too far into the future” are now accepted.

13. Single Precision Math Updates

  • Significant SP math performance improvements
  • Windows now has assembly code implementation for Intel x86 64-bit that increases performance by 5 to 10 times!
  • C only implementation has had significant improvements that have major impacts on performance. 32-bit code most significantly 25% for 2048-bit operations and 50% and more for larger sizes.
  • Improved performance of ARM Thumb code by 30-40%.
  • On Aarch64, improved performance of P-384 operations by 65-100%.

14. FIPS 140-2 and 140-3 Validation News!

  • FIPS 140-3 support merged, including Linux Kernel Module support
  • 28 140-2 (Cert 3389) OE additions!

15. Testing

  • More continuous integration testing added, including cppcheck static analysis
  • Added support for Google Compute Engine to supplement testing slave farm in CI ecosystem, testing capabilities are now dynamically scalable based on test load and internal developer activity
  • Expanded API testing coverage with OpenSSL compatibility layer additions

16. Examples

  • New Post-Quantum cryptography example.
  • New wolfSSL CAN Bus example.
  • New RIOT-OS example using lwIP POSIX sockets.

17. Additional Product Enhancements

  • Revamped Documentation
    • wolfCLU
    • wolfMQTT
    • wolfSentry
    • wolfSSL
    • wolfTPM
  • wolfMQTT (4 releases)
    • SN feature enhancements
      1. Will Topic update and Will Message update
      2. Publish with QoS-1
      3. Receiving Disconnect Packet while going to sleep
      4. New callback for REGISTER topic ID from gateway when client subscribes to wildcard topics
      5. Handling PINGREQ message from the gateway to client
      6. New example added for QoS level -1 feature
    • HiveMQ Cloud compatibility with SNI feature
    • Huge improvements to multithread and non-blocking features
    • Examples
      1. TLS mutual auth in client examples
      2. Add ability to publish files from example client
  • wolfSSH (3 releases)
    • Easier build with wolfSSL
    • Added remote port forwarding
    • Improved keep alive
    • Small stack option for embedded builds
    • SFTP Support for FATFS
    • Added support of 192 and 256 bit AES keys
    • Improved build options to leave out unwanted algorithms
    • Improved interoperability with other tools
      1. Dropbear
      2. Firezilla
      3. winSCP
    • Support for EWARM
    • MQX IDE build added
  • wolfTPM (4 releases)
    • Added examples for symmetric key generation, NV, remote attestation, make credential, PCR read and GPIO.
    • Support for QNX
    • Example for QEMU with wolfTPM
    • Improved documentation
  • wolfBoot (3 releases)
    • New architectures
      1. ARMv8-M
      2. PowerPC
      3. ARM Cortex-R
    • Measured boot
    • Support for Trustzone-M
    • New memory model
    • RSA4096 using SP
    • WOLFBOOT_SMALL_STACK
    • Delta updates
    • New HAL:
      1. STM32L4
      2. STM32L0x3
      3. STMU575xx
      4. NXP i.MX-RT1060
      5. NXP T2080
      6. TI TMS570LC435
  • wolfSentry (3 releases, all preview/beta)
    • Dev phases 1, 2, 3, completed – static firewall, with action plugins, POC notifications via plugin, and configuration updates at any time.
    • Full configuration loaded from JSON, with streaming load and all-or-none semantics
    • Advanced lock facility complete, with ports for semaphore back ends under POSIX, MacOS-X, and FreeRTOS.  Implements shareable, promotable, timeout-capable, deadlock-safe locks.
    • POC integration with LWIP, under Linux and FreeRTOS, demonstrating filtering at the IP stack level, including filtering by MAC address, filtering of ICMP, and pre-accept filtering.
    • Port to STM32 (FreeRTOS+LWIP)
    • Turnkey integration with libwolfssl via the –enable-wolfsentry option, allowing post-accept filtering of incoming connections, and demonstrating pre-connect filtering of outbound connections, via integrations in the example client and server.
  • wolfEngine (1 release)
    • wolfEngine made public on GitHub and first official release with version 0.9.0.
    • Allows users to achieve FIPS compliance with wolfCrypt FIPS + OpenSSL. Supports all algorithms in wolfSSL’s FIPS certificate (and others):
      1. SHA-1
      2. SHA2 (224, 256, 384, 512)
      3. SHA3 (224, 256, 384, 512)
      4. DES3-CBC
      5. AES w/ 128, 192, and 256 bit keys. ECB, CBC, CTR, GCM, and CCM modes.
      6. DRBG
      7. RSA
      8. DH
      9. ECC. ECDSA, ECDH, EC key generation. Curves P-192, P-224, P-256, P-384, P-521.
      10. HMAC
      11. CMAC
      12. HKDF
      13. PBKDF2
      14. TLS PRF
    • Support for OpenSSL 1.0.2 and 1.1.1.
    • Runs on macOS, Windows, Linux.
    • Integrates seamlessly with anything that uses OpenSSL, including:
      1. OpenSSH
      2. nginx
      3. stunnel
      4. OpenVPN
      5. curl
      6. libssh2
      7. libssh
      8. ntpd
      9. mongoDB
      10. Node.js
      11. radius
      12. radsec
      13. syslog-ng
      14. grpc
      15. dhcpd
      16. dhclient
    • See wolfProvider for OpenSSL 3.0.0 support.
  • wolfProvider (code available on GitHub)
    • wolfProvider made public on GitHub.
    • Allows users of OpenSSL 3.0.0 to achieve FIPS 140-3 Compliance
    • Supports:
      1. AES-GCM/CCM/CTR/CBC/ECB
      2. MD5/SHA-1/SHA2/SHA3/SHAKE256
      3. DRBG
      4. RSA/RSA-PSS
      5. DH
      6. ECDH/ECDSA/EC KeyGen with P-192/P-224/P-256/P-384/P-521
      7. HMAC/CMAC/GMAC
      8. HKDF/PBKDF2/PKCS12 PBKDF2/TLS 1.3 KDF/TLS1 PRF
    • Runs on Linux
  • wolfCLU (1 release)
    • Additional support added for multiple commands:
      1. ecparam
      2. pkey
      3. req
      4. crl
      5. pkcs12 (parsing)
      6. rsa
      7. rand
      8. s_client
      9. dgst
      10. verify
      11. rsa
      12. md5
    • Added in a logging layer and mapping of errors to stderr
    • Increased unit tests with ‘make check’ and include running tests as a pre-commit hook
    • Support for parsing and using basic config files when doing ‘req’ or ‘ca’ operations
    • Enhancements to existing commands:
      1. x509 , -noout and print out of specific parts of certificate
      2. x509 , -days for setting number of days valid
      3. x509 , -pubout to display the public key
      4. More descriptive version print out
      5. PEM output for RSA/ECC key generation
    • Initial integration of FIPS 140-3 use
    • Refactoring of directories and test certificate locations
    • Resolve warnings and issues from using -Wall and static analysis tools
  • wolfSSL JNI/JSSE (2 releases)
    • wolfCrypt FIPS 140-3 and FIPS Ready compatibility
    • JSSE level memory leak fixes, along with earlier internal memory cleanup.
    • Addition of Socket method wrappers for use of wrapped inner Socket objects in WolfSSLSocket
    • Updated Android AOSP support
    • JSSE level fixes for SSLContext, SSLSocket
    • Fixes for static analysis warnings (Infer), exception cases, connection closures, and more.
  • wolfCrypt JNI/JCE (1 release)
    • wolfCrypt FIPS 140-3 and FIPS Ready compatibility
    • Compatibility with wolfSSL “–enable-all” and additional build fixes
  • wolfSSL Python
    • Added OpenSSL compatibility layer. 
    • Updated example certifications.
  • wolfCrypt Python
    • Added signature generation and verification.
    • Now works with FIPS ready.
    • Support for ed448, PEM RSA keys, and more.
  • wolfCrypt DO-178C
    • wolfCrypt 2
      • AES GCM
      • Environment:
        • Ultrazed-EG(on A53), little endian
        • GCC compiler that comes with Xilinx SDK 2017.4
        • Run Azure RTOS ThreadX SMP version 5.8 on the A53 cores
    • wolfCrypt 3
      • SHA-256
      • SHA-384
      • HMAC (SHA-256)
      • HMAC (SHA-384)
      • HASH-DRBG SHA-256
      • AES GCM
      • AES CMAC
      • ECC – P384 (sign/verify/shared secrets)
      • ECC key export
      • X509 cert verify
      • Environment:
        • NXP S32V234 (on A53)
        • Arm Developer Studio version 2019.0-1, with armclang
        • 1120 compiler version 6.12.1

wolfSSL Top 10 Blog Posts/Technical Announcements

  1. wolfSSL Software Development Process
  2. Riding the CAN bus 
  3. wolfSSL Quality Assurance
  4. wolfEngine and OpenSSL Provider Solution Now Public! 
  5. wolfSSL Support for DO-178 DAL A
  6. Sniffing traffic with TLS v1.3
  7. First wolfCrypt DO-178 SOI Audits
  8. wolfSSL NXP SE050 Support 
  9. Integration of the Falcon Signature Scheme into wolfSSL
  10. wolfCrypt FIPS 140-2 on ARM

2021 Webinars

The wolfSSL team hosted and/or participated in a total of 58 webinars this year. Check out our top 5 webinars of the year.

  1. Everything you need to know about FIPS 140-3
  2. wolfEngine : wolfCrypt as an Engine for OpenSSL
  3. Secure Element or TPM : how to include hardware security in your project using wolfSSL and wolfBoot
  4. Secure and Reliable Firmware Updates with wolfBoot
  5. Beyond DO-178: Building Secure Solutions for Future Aviation Systems

We host at least one webinar per week, make sure you are checking out our blog page to find out about our webinars! Check out our youtube page for all of our previous webinars!

wolfSSL Organizational Growth

  • wolfSSL added 9 new team members in 2021. Additions included salespeople, engineers, administrators, and interns.
  • We expanded our customer base considerably, are now securing connections for over 2,000 products, have partner relationships with over 40 vendors, and are securing well over 2 Billion connections on any given day, worldwide.
  • wolfSSL represents one of the largest teams focused on a single implementation of TLS/Crypto worldwide. If you know of anyone who fits the following description, please let us know.

wolfSSL Events and Tradeshows

The wolfSSL team participated in a total of 16 events in 2021! As part of these events we were in 11 cities, 5 US states, and 4 countries! We participated in a total of 6 virtual events and were fortunate to attend 10 in-person events. The events we participated this last year included:

  1. Black Hat Asia
  2. cURL Up
  3. Mobile World Congress
  4. Black Hat 2021
  5. Sea Air Space
  6. ICMC
  7. SIdO Lyon
  8. IoT Tech Expo North America
  9. CyberSatGov
  10. it-sa
  11. Internet of Things World
  12. Aerospace Tech Week (FACE)
  13. NXP Connects (EMEA)
  14. NXP Connects (AMEC)
  15. TU Automotive Detroit (now Automotive Tech Week)
  16. NXP Connects (APAC)

In summary, we had a great year! 2021 was successful on multiple fronts, and we look forward to serving our customers and community with ever more secure and functional software in 2022. 

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.