wolfSSL 3.13.0 Now Available

wolfSSL 3.13.0 is now available for download! wolfSSL 3.13.0 includes bug fixes and new features, including support for TLS 1.3 Draft 21, performance and footprint optimizations, build fixes, updated examples and project files, and one vulnerability fix.

Continue reading below for a summary of the features and fixes included in this release!

Protocol Changes:

* Fixes for TLS 1.3, support for Draft 21
* TLS 1.0 disabled by default, addition of “--enable-tls10” configure option

Performance and Size Optimizations:

* New option to reduce SHA-256 code size at expense of performance (USE_SLOW_SHA256)
* New option for memory reduced build (--enable-lowresource)
* AES-GCM performance improvements on AVX1 (IvyBridge) and AVX2
* SHA-256 and SHA-512 performance improvements using AVX1/2 ASM
* SHA-3 size and performance optimizations
* Fixes for Intel AVX2 builds on Mac/OSX
* Intel assembly for Curve25519, and Ed25519 performance optimizations
* Allow adjusting static I/O buffer size with WOLFMEM_IO_SZ

Build Option Updates:

* New option to force 32-bit mode with “--enable-32bit”
* New option to disable all inline assembly with “--disable-asm”
* Ability to override maximum signature algorithms using WOLFSSL_MAX_SIGALGO
* Removes 3DES and SHA1 dependencies from PKCS#7
* Adds ability to disable PKCS#7 EncryptedData type (NO_PKCS7_ENCRYPTED_DATA)

Feature Additions:

* Add ability to get client-side SNI
* Expanded OpenSSL compatibility layer
* Adds static memory support to the wolfSSL example client
* Adds option to wolfCrypt benchmark to benchmark individual algorithms
* Adds option to wolfCrypt benchmark to display benchmarks in powers of 10 (-base10)

Updated Project Files:

* Updated Visual Studio for ARM builds (for ECC supported curves and SHA-384)
* Updated Texas Instruments TI-RTOS build
* Updated STM32 CubeMX build with fixes for SHA
* Updated IAR EWARM project files
* Updated Apple Xcode projects with the addition of a benchmark example project

Build and Feature Fixes:

* Fixes for handling of unsupported TLS extensions
* Fixes for compiling AES-GCM code with GCC 4.8.*
* Fixes for building without a filesystem
* Fix for logging file names with OpenSSL compatibility layer enabled, with WOLFSSL_MAX_ERROR_SZ user-overridable
* Fixes for sniffer to use TLS 1.2 client method

Vulnerability Fix:

This release of wolfSSL fixes 1 security vulnerability.

wolfSSL is cited in the recent ROBOT Attack by Böck, Somorovsky, and Young. The paper notes that wolfSSL only gives a weak oracle without a practical attack but this is still a flaw. This release contains a fix for this report. Please note that wolfSSL has static RSA cipher suites disabled by default as of version 3.6.6 because of the lack of perfect forward secrecy. Only users who have explicitly enabled static RSA cipher suites with WOLFSSL_STATIC_RSA and use those suites on a host are affected. More information will be available on our website at:

https://wolfssl.com/wolfSSL/security/vulnerabilities.php

For additional documentation, please visit our Docs page, or contact us at facts@wolfssl.com.


wolfSSL Xilinx Support

wolfSSL now supports Xilinx SoCs and FPGAs. The wolfSSL embedded SSL/TLS library can be used with FPGAs that use the MicroBlaze CPU and/or Zynq and Zynq UltraScale+ SoCs. Using the hardware crypto gives improved performance for AES-GCM, RSA, and SHA3 operations. In addition to the performance gained, a user also gets the additional security the hardware provides while executing the algorithms.

For more information contact

Job Posting: Embedded Systems Software Engineer

wolfSSL is a growing company looking to add a top notch embedded systems software engineer to our organization. wolfSSL develops, markets and sells the leading Open Source embedded SSL/TLS protocol implementation, wolfSSL. Our users are primarily building devices or applications that need security. Other products include wolfCrypt embedded cryptography engine, wolfMQTT client library, and wolfSSH.

Job Description:

Currently, we are seeking to add a senior-level C software engineer with 5-10 years' experience interested in a fun company with tremendous upside. Backgrounds that are useful to our team include networking, security, and hardware optimizations. Assembly experience is a plus. Experience with encryption software is a plus. RTOS experience is a plus. Experience with hardware-based cryptography is a plus.

Operating environments of particular interest to us include Linux, Windows, Embedded Linux and RTOS varieties (VxWorks, QNX, ThreadX, uC/OS, MQX, FreeRTOS, etc). Experience with mobile environments such as Android and iOS is also a plus, but not required.

Location is flexible. For the right candidate, we’re open to this individual working from virtually any location.

How To Apply

To apply or discuss, please send your resume and cover letter to facts@wolfssl.com.

wolfSSL and ROBOT

wolfSSL is cited in the recent ROBOT Attack by Böck, Somorovsky, and Young. The paper notes that wolfSSL only gives a weak oracle without a practical attack but this is still a flaw. We’ve posted a fix for this and a general release will be available next week. Please note that wolfSSL has disabled static RSA cipher suites by default as of version 3.6.6 because of the lack of perfect forward secrecy. Only users who have explicitly enabled static RSA cipher suites with WOLFSSL_STATIC_RSA and use those suites on a host are affected.
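The ROBOT note above, and the matching item in the 3.13.0 release notes, both reduce to one configuration question for an operator: does the host still negotiate cipher suites that use RSA key transport (the class that can only be enabled with WOLFSSL_STATIC_RSA)? The following C program is an added example, not wolfSSL's own code. It classifies suite names by the key-exchange prefix of the OpenSSL-style naming that wolfSSL_CTX_set_cipher_list() accepts, and filters a colon-separated suite list down to forward-secret suites. The prefix table, the helper names and the sample suite list are constructed assumptions for the example.

```c
/* Added example (not wolfSSL code): classify TLS cipher-suite names by key
 * exchange so that suites relying on RSA key transport can be spotted in a
 * configuration and filtered out before the list reaches
 * wolfSSL_CTX_set_cipher_list(). Assumed naming convention (OpenSSL style, as
 * wolfSSL uses it): "ECDHE-"/"DHE-" mark an ephemeral, forward-secret
 * exchange; "ECDH-", "PSK-", "ADH-", "AECDH-" mark other non-RSA exchanges;
 * "TLS13-" marks a TLS 1.3 suite (always ephemeral); "RSA-PSK-" and a name
 * with no key-exchange prefix at all mean the client RSA-encrypts the
 * premaster secret. */
#include <stdio.h>
#include <string.h>

static int has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* 1 if the suite uses ephemeral (EC)DH or TLS 1.3, i.e. offers forward secrecy. */
int suite_is_forward_secret(const char *suite)
{
    return has_prefix(suite, "ECDHE-") || has_prefix(suite, "DHE-")
        || has_prefix(suite, "TLS13-");
}

/* 1 if the premaster secret is RSA-encrypted by the client, the exchange a
 * Bleichenbacher-style oracle concerns; 0 for every other key exchange. */
int suite_uses_rsa_key_transport(const char *suite)
{
    static const char *non_rsa_prefixes[] = {
        "ECDHE-", "DHE-", "ECDH-", "PSK-", "ADH-", "AECDH-", "TLS13-"
    };
    size_t i;

    if (has_prefix(suite, "RSA-PSK-"))
        return 1;
    for (i = 0; i < sizeof(non_rsa_prefixes) / sizeof(non_rsa_prefixes[0]); i++)
        if (has_prefix(suite, non_rsa_prefixes[i]))
            return 0;
    return 1;
}

/* Copy only the forward-secret suites of a colon-separated list into out.
 * Returns the number of suites dropped, or -1 if out is too small or a
 * single suite name is unreasonably long. */
int filter_forward_secret(const char *list, char *out, size_t outsz)
{
    const char *p = list;
    size_t used = 0;
    int dropped = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (*p) {
        const char *end = strchr(p, ':');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        char name[64];

        if (n == 0) {            /* empty token such as "A::B" or trailing ':' */
            p = end + 1;
            continue;
        }
        if (n >= sizeof(name))
            return -1;
        memcpy(name, p, n);
        name[n] = '\0';
        if (suite_is_forward_secret(name)) {
            if (used + n + (used ? 1 : 0) + 1 > outsz)
                return -1;
            if (used)
                out[used++] = ':';
            memcpy(out + used, name, n + 1);
            used += n;
        } else {
            dropped++;
        }
        p = end ? end + 1 : p + n;
    }
    return dropped;
}

int main(void)
{
    /* Constructed sample list: the suites benchmarked elsewhere on this page
     * plus two RSA-key-transport suites of the kind WOLFSSL_STATIC_RSA enables. */
    const char *configured =
        "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA256:DHE-RSA-AES128-SHA256:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:RSA-PSK-AES128-CBC-SHA256";
    char pfs_only[256];
    int dropped = filter_forward_secret(configured, pfs_only, sizeof(pfs_only));

    printf("dropped %d non-forward-secret suite(s)\n", dropped);
    printf("forward-secret list: %s\n", pfs_only);
    return dropped < 0;
}
```

The filtered string is in the format wolfSSL_CTX_set_cipher_list() takes, so it can be applied directly to a context; suites the classifier flags as RSA key transport are the ones the post says are off by default and only become available when a build defines WOLFSSL_STATIC_RSA.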

Contact support@wolfssl.com if you have any questions or concerns.

wolfCrypt/wolfSSL Benchmarks with iPhone 8/8 Plus/X (A11)

We decided to benchmark our wolfCrypt/wolfSSL libraries on Apple’s new A11 processor in their latest iPhone 8 / 8 Plus and iPhone X. This processor features six ARMv8 CPU cores (2 high-performance 2.53GHz and 4 high-efficiency 1.42GHz). The benchmarks use wolfSSL’s latest speedups for ARMv8 crypto extensions and single precision math to demonstrate our exceptional performance.

For symmetric AES and SHA using our ARMv8 crypto assembly speedups we see:

AES-128 CBC Encrypt: 912.347 MB/s (36.58X)
AES-128 CBC Decrypt: 6,084.83 MB/s (256.15X)
AES-128 GCM Encrypt: 1,242.28 MB/s (193.65X)
AES-128 GCM Decrypt: 575.83 MB/s (90.26X)
SHA-256: 1,717.28 MB/s (56.11X)

This feature is enabled using `./configure --enable-armasm` or the `WOLFSSL_ARMASM` define.

For asymmetric RSA, DH and ECC using our single precision math speedups we see:

RSA 2048 public: 1,211.27 ops/sec (1.50X)
RSA 2048 private: 32.59 ops/sec (1.18X)
DH 2048 key gen: 77.44 ops/sec (1.24X)
DH 2048 key agree: 77.45 ops/sec (1.29X)
ECC 256 key gen: 1670.65 ops/sec (8.67X)
ECDHE 256 agree: 396.88 ops/sec (2.05X)
ECDSA 256 sign: 1,212.33 ops/sec (6.42X)
ECDSA 256 verify: 331.02 ops/sec (2.38X)

This feature is enabled using `./configure --enable-sp` or the `WOLFSSL_HAVE_SP_RSA`, `WOLFSSL_HAVE_SP_DH` and `WOLFSSL_HAVE_SP_ECC` defines.

For TLS v1.2 we see the following performance benchmarks by cipher suite:

DHE-RSA-AES128-SHA256: CPS 22.5, Read 388 MB/s, Write 106 MB/s
ECDHE-RSA-AES128-GCM-SHA256: CPS 26.2, Read 598 MB/s, Write 125 MB/s
ECDHE-ECDSA-AES128-GCM-SHA256: CPS 83.4, Read 504.8 MB/s, Write 92.2 MB/s

Benchmarks done on iPhone X using a single thread and our wolfCrypt and wolfSSL benchmark tools.
`X` = performance increase compared with our default software-based implementation.
`CPS` = Connections per second

You can download the raw benchmark numbers here:
https://www.wolfssl.com/files/benchmarks/iOSiPhoneXA11Benchmarks.pdf

You can find the Xcode iOS benchmark project used here:
https://github.com/wolfSSL/wolfssl/pull/1257
Or in the wolfSSL repository in `IDE/XCODE/Benchmarks`

For questions please email us at facts@wolfssl.com.