wolfSSL v5.1.1 Release

Happy Holidays!

The wolfSSL holiday release is available for download!

This release includes more compatibility layer expansions, updates to the version of open source projects supported, post quantum additions, and new hardware port additions to name some of what was included. As well as 2 vulnerabilities fixed in the release bundle. 

A major performance upgrade was added to wolfSSL SP C implementation for ECC. In some cases increasing the performance with the C implementation by over 20%. SP (single precision) performance is turned on by using the enable option –enable-sp.

New Feature Additions

Ports

  • Curve25519 support with NXP SE050 added
  • Renesas RA6M4 support with SCE Protected Mode and FSP 3.5.0
  • Renesas TSIP 1.14 support for RX65N/RX72N

Post Quantum

  • Post quantum resistant algorithms used with Apache port
  • NIST round 3 FALCON Signature Scheme support added to TLS 1.3 connections
  • FALCON added to the benchmarking application
  • Testing of cURL with wolfSSL post quantum resistant build

Compatibility Layer Additions

  • Updated NGINX port to NGINX version 1.21.4
  • Updated Apache port to Apache version 2.4.51
  • Add support for SSL_OP_NO_TLSv1_2 flag with wolfSSL_CTX_set_options function
  • Support added for the functions
    • SSL_CTX_get_max_early_data
    • SSL_CTX_set_max_early_data
    • SSL_set_max_early_data
    • SSL_get_max_early_data
    • SSL_CTX_clear_mode
    • SSL_CONF_cmd_value_type
    • SSL_read_early_data
    • SSL_write_early_data

Fixes

PORT Fixes

  • Building with Android wpa_supplicant and KeyStore
  • Setting initial value of CA certificate with TSIP enabled
  • Cryptocell ECC build fix and fix with RSA disabled 
  • IoT-SAFE improvement for Key/File slot ID size, fix for C++ compile, and fixes for retrieving the public key after key generation

Math Library Fixes

  • Check return values on TFM library montgomery function in case the system runs out of memory. This resolves an edge case of invalid ECC signatures being created.
  • SP math library sanity check on size of values passed to sp_gcd.
  • SP math library sanity check on exponentiation by 0 with mod_exp
  • Update base ECC mp_sqrtmod_prime function to handle an edge case of zero
  • TFM math library with Intel MULX multiply fix for carry in assembly code

Improvements/Optimizations

Build Options and Warnings

  • Bugfix: could not build with liboqs and without DH enabled
  • Build with macro NO_ECC_KEY_EXPORT fixed
  • Fix for building with the macro HAVE_ENCRYPT_THEN_MAC when session export is enabled
  • Building with wolfSentry and HAVE_EX_DATA macro set

Math Libraries

  • Improvement for performance with SP C implementation of montgomery reduction for ECC (P256 and P384) and SP ARM64 implementation for ECC (P384)
  • With SP math handle case of dividing by length of dividend
  • SP math improvement for lo/hi register names to be used with older GCC compilers

Vulnerabilities

  • [Low]  Potential for DoS attack on a wolfSSL client due to processing hello packets of the incorrect side. This affects only connections using TLS v1.2 or less that have also been compromised by a man in the middle attack. Thanks to James Henderson, Mathy Vanhoef, Chris M. Stone, Sam L. Thomas, Nicolas Bailleut, and Tom Chothia (University of Birmingham, KU Leuven, ENS Rennes for the report.
  • [Low] Client side session resumption issue once the session resumption cache has been filled up. The hijacking of a session resumption has been demonstrated so far with only non verified peer connections. That is where the client is not verifying the server’s CA that it is connecting to. There is the potential though for other cases involving proxies that are verifying the server to be at risk, if using wolfSSL in a case involving proxies use wolfSSL_get1_session and then wolfSSL_SESSION_free when done where possible. If not adding in the session get/free function calls we recommend that users of wolfSSL that are resuming sessions update to the latest version (wolfSSL version 5.1.0 or later). Thanks to the UK’s National Cyber Security Centre (NCSC) for the report.

A full list of what was changed can be found in the wolfSSL ChangeLog (https://www.wolfssl.com/docs/wolfssl-changelog/).

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.