Spring is here, and with it comes the newest and shiniest release of the wolfSSL embedded SSL/TLS library!
As with every release, this release includes many feature additions, bug fixes, and improvements to the wolfSSL library. Additionally, this new version of the wolfSSL library includes support for the new FIPS 140-2 Certificate for wolfCrypt v4.0! More information on wolfSSL and FIPS can be found here: https://www.wolfssl.com/license/fips/.
The list below outlines the new feature additions that are included with the release of wolfSSL version 4.0.0:
- Support for wolfCrypt FIPS v4.0.0, certificate #3389
- FIPS Ready Initiative
- Added TLS server side secure renegotiation
- Added TLS Trusted CA extension
- Support for the Deos Safety Critical RTOS
- TLS handshake now supports using PKCS #11 for private keys
- PKCS #11 support of HMAC, AES-CBC and random seeding/generation
- Support for named FFDHE parameters in TLS 1.2 (RFC 7919)
- Added Espressif ESP32 WROOM support with hardware crypto acceleration. More data can be found here: https://www.wolfssl.com/docs/benchmarks/#espressif_esp32_wroom.
- Added Cypress WICED Studio support
- Added ARM CMSIS-RTOS v2 support
- Added port to the Zephyr Project
- Added Cortex-M support for Single Precision (SP) math
- Added wolfCrypt RSA non-blocking time support
- Added 16-bit compiler support using --enable-16bit option
Additionally, the wolfSSL blog will post more details in the future on the ports and support added with this release. Stay tuned for more information!
The following list outlines the various fixes, updates, and general improvements that have been included with wolfSSL 4.0.0:
- Added new wrapper for snprintf for use with certain Visual Studio builds
- Added ECC_PUBLICKEY_TYPE to the supported PEM header types
- Added strict checking of the ECDSA signature DER encoding length
- Added ECDSA option to limit sig/algos in client_hello to key size with USE_ECDSA_KEYSZ_HASH_ALGO
- Compatibility fixes for secure renegotiation with Chrome
- Better size check for TLS record fragment reassembly
- Improvements to non-blocking and handshake message retry support for DTLS
- Improvements to OCSP with ECDSA signers
- OCSP fixes for memory management and initializations
- Fixes for EVP Cipher decryption padding checks
- Removal of null terminators on wolfSSL_X509_print substrings
- wolfSSL_sk_ASN1_OBJCET_pop function renamed to wolfSSL_sk_ASN1_OBJECT_pop
- Adjustment to include path in compatibility layer for evp.h and objects.h
- Fixes for decoding BER encoded PKCS7 contents
- Moved the TLS PRF to wolfCrypt
- Update to CMS KARI support
- Fixes and additions to the OpenSSL compatibility layer
- Xcode project file update
- Fixes for ATECC508A/ATECC608A
- Fixes issue with CA path length for self-signed root CAs
- Fixes for Single Precision (SP) ASM when building sources directly
- Fixes for STM32 AES GCM
- Fixes for ECC sign with hardware to ensure the input is truncated
- Fixes for proper detection of PKCS7 buffer overflow case
- Fixes to handle degenerate PKCS7 with BER encoding
- Fixes for TLS v1.3 handling of 6144 and 8192 bit keys
- Fixes for possible build issues with SafeRTOS
- Improved Arduino sketch example
- Improved crypto callback features
- Improved TLS benchmark tool
A bug in the tls_bench.c example test application (unrelated to the crypto or TLS portions of the library), tracked as CVE-2019-6439, was also resolved in wolfSSL 4.0.0.
To download and view the most recent version of wolfSSL, the wolfSSL GitHub repository can be cloned from here: https://github.com/wolfssl/wolfssl.git, and the most recent stable release can be downloaded from the wolfSSL download page here: https://www.wolfssl.com/download/.
For more information, please contact facts@wolfssl.com.