Month: March 2023

wolfSSL makes a great effort to support many different projects. We provide patches for projects to leverage our OpenSSL Compatibility Layer and work with maintainers to upstream support whenever possible. This blog is a list of currently supported open source projects. The support type denotes how wolfSSL is supported. “Patch” means that we provide a patch file that needs to be applied. “Upstream” means that wolfSSL is supported in the project’s mainline. “Fork” means that we provide a forked version of the library with changes made to support wolfSSL.

List of Supported Projects

Project Name	Description	Support Type	Link
apache-httpd	Apache HTTP Server	Patch	https://github.com/wolfSSL/osp/tree/master/apache-httpd
asio	Asio C++ Library	Patch	https://github.com/wolfSSL/osp/tree/master/asio
bind9	DNS software system	Patch	https://github.com/wolfSSL/osp/tree/master/bind9
chrony	Network Time Protocol Implementation	Patch	https://github.com/wolfSSL/osp/tree/master/chrony/4.1
cjose	JOSE for C/C++	Patch	https://github.com/wolfSSL/osp/tree/master/cjose
ffmpeg	Video Manipulation Utility	Patch	https://github.com/wolfSSL/osp/tree/master/ffmpeg
freeradius-server-2.1.12	FreeRADIUS Server Project	Patch	https://github.com/wolfSSL/osp/tree/master/freeradius-server-2.1.12
git	Version Control	Patch	https://github.com/wolfSSL/osp/tree/master/git
haproxy	Load Balancer	Patch	https://github.com/wolfSSL/osp/tree/master/haproxy
hostapd	Access Point and Authentication Server	Upstream	https://w1.fi/hostapd/
Kerberos 5	Network Authentication	Patch	https://github.com/wolfSSL/osp/tree/master/krb5
libest	Cisco EST stack written in C	Patch	https://github.com/wolfSSL/osp/tree/master/libest
libimobiledevice	Library to communicate with services on iOS devices	Patch	https://github.com/wolfSSL/osp/tree/master/libimobiledevice
libsignal-protocol-c	Signal Protocol C Library	Patch	https://github.com/wolfSSL/osp/tree/master/libsignal-protocol-c
libspdm	Security Protocol and Data Model Implementation	Patch	https://github.com/wolfSSL/osp/tree/master/libspdm/1.0.0
libssh2	client-side C library for SSH2	Patch	https://github.com/wolfSSL/osp/tree/master/libssh2/1.9.0
lighttpd	lighttpd web server	Upstream	https://github.com/lighttpd/lighttpd1.4
mariadb	MariaDB relational database	Patch	https://github.com/wolfSSL/osp/tree/master/mariadb/10.5.11
msmtp	SMTP client	Patch	https://github.com/wolfSSL/osp/tree/master/msmtp/1.8.7
net-snmp	Simple Network Management Protocol	Patch	https://github.com/wolfSSL/osp/tree/master/net-snmp
nginx	Web Server	Patch	https://github.com/wolfSSL/wolfssl-nginx
ntp	Network Time Protocol	Patch	https://github.com/wolfSSL/osp/tree/master/ntp/4.2.8p15
NXP SE05X Middleware	wolfSSL HostCrypto support patch	Patch	https://github.com/wolfSSL/osp/tree/master/nxp-se05x-middleware
openldap	Open source lightweight directory access protocol	Patch	https://github.com/wolfSSL/osp/tree/master/openldap
openpegasus	Open source DMTF CIM and WBEM	Patch	https://github.com/wolfSSL/osp/tree/master/openpegasus/2.14.1
openresty	Ningx and LuaJIT-based web platform	Patch	https://github.com/wolfSSL/osp/tree/master/openresty
OpenSSH	SSH	Patch	https://github.com/wolfSSL/osp/tree/master/openssh
OpenVPN	Virtual Private Network	Upstream	https://github.com/OpenVPN/openvpn
ppp	Paul’s PPP Package	Fork	https://github.com/wolfSSL/osp/tree/master/ppp
Python	Python language and interpreter	Patch	https://github.com/wolfSSL/osp/tree/master/Python
qt	Qt GUI Library	Patch	https://github.com/wolfSSL/osp/tree/master/qt
rsyslog	rocket-fast Syslog Server	Patch	https://github.com/wolfSSL/osp/tree/master/rsyslog/8.2106.0
sblim-sfcb	SBLIM Small-footprint CIM Broker	Patch	https://github.com/wolfSSL/osp/tree/master/sblim-sfcb/1.4.9
socat	socat Multipurpose relay	Patch	https://github.com/wolfSSL/osp/tree/master/socat
strongSwan	IPsec-based VPN	Upstream	https://github.com/strongswan/strongswan
stunnel	stunnel Proxy	Patch	https://github.com/wolfSSL/osp/tree/master/stunnel
sudo	Command-line Utility	Patch	https://github.com/wolfSSL/osp/tree/master/sudo/1.9.5p2
tcpdump	Command-line packet analyzer	Patch	https://github.com/wolfSSL/osp/tree/master/tcpdump/4.9.3
urllib3	urllib3 HTTP client for Python	Patch	https://github.com/wolfSSL/osp/tree/master/urllib3
websocket-client	WebSocket client for Python	Fork	https://github.com/wolfSSL/osp/tree/master/websocket-client
websocketpp	WebSocket++	Fork	https://github.com/wolfSSL/osp/tree/master/websocketpp
wpa-supplicant	WiFi Authentication with WPA, WPA2, and WPA3	Upstream	https://w1.fi/wpa_supplicant/

If you have questions about our support for open source projects or wolfSSL please contact us at facts@wolfssl.com. 

wolfSSL release version 5.6.0 is available now! A couple things to note with this release is that the new and improved ASN parsing, and generation, code is enabled by default now. Additionally we have the upcoming deprecation of –enable-heapmath which is scheduled to be removed by 2024.

This release also saw the addition of DTLS 1.3 stateless ClientHello parsing support. Not only are we leading the pack with adaptation of DTLS 1.3 but we are also adding in features such as the stateless ClientHello support. Some other additions of note were; the port to RT1170 and use of CAAM, update to Stunnel version 5.67, RX64/RX71 hardware acceleration support, and expansion of the compatibility layer.

Improvements to continuous integration testing and some refactoring of our testing framework was done during the last release cycle. To stay the best tested crypto on the market we are constantly trying to improve the testing that we do. This release also had some nice fixes that were made.

A full list of the changes can be found in the ChangeLog.md file bundled with wolfSSL. For questions about wolfSSL contact us at facts@wolfssl.com.

What is the difference in modes with wpa_supplicant using wolfSSL FIPS vs non FIPS? Some of the algorithms are restricted when using CONFIG_FIPS=y while building wpa_supplicant. This is not a limitation in wpa_supplicant or in wolfSSL, but is due to restrictions and guidelines put in place for FIPS. To help avoid using algorithms that have not been sanctioned for use with FIPS, the build removes MD5/MD4 along with DES. Removal of these algorithms limits the modes supported.

Another restriction that is seen with FIPS use is that the key passed into HMAC must be 14 bytes or longer, this can cause issues with hunting-and-peck mode unless password sizes can be known to always be large enough. To avoid the limitation on HMAC key size, hash-to-element (sae_pwe=1) can be used instead.

	Supported By wolfSSL
wpa_supplicant modes	Not FIPS	FIPS	Test Ran
EAP-TLS	Yes	Yes	eap_proto_tls
EAP-PEAP/MSCHAPv2	Yes	No	ap_wpa_eap_peap_eap_mschapv2 ap_wpa2_eap_peap_eap_mschapv2
EAP-PEAP/TLS	Yes	Yes	ap_wpa2_eap_peap_eap_tls
EAP-PEAP/GTC	Yes	Yes	ap_wpa2_eap_peap_eap_gtc
EAP-PEAP/OTP	Yes	Yes	eap_proto_otp
EAP-TTLS/EAP-MD5-Challenge	Yes	No	ap_wpa2_eap_ttls_eap_md5
EAP-TTLS/EAP-GTC	Yes	Yes	ap_wpa2_eap_ttls_eap_gtc
EAP-TTLS/EAP-MSCHAPv2	Yes	No	ap_wpa2_eap_ttls_mschapv2
EAP-TTLS/MSCHAP	Yes	No	ap_wpa2_eap_ttls_mschap
EAP-TTLS/PAP	Yes	Yes	ap_wpa2_eap_ttls_pap
EAP-TTLS/CHAP	Yes	No	ap_wpa2_eap_ttls_chap
EAP-SIM	Yes	Yes	eap_proto_sim
EAP-AKA	Yes	Yes	eap_proto_aka
EAP-PSK	Yes	Yes	eap_proto_psk
EAP-PAX	Yes	Yes	eap_proto_pax
LEAP	Yes	No	eap_proto_leap

Please do not hesitate to contact us at facts@wolfssl.com with any questions, comments, or suggestions.

wolfSSL and Intel have jointly published a white paper on the advantages of using the wolfBoot secure bootloader together with 11th Gen Intel Core processors.  The white paper has been published on wolfSSL’s White Paper page and can be downloaded today!

This white paper introduces the wolfBoot secure bootloader and 11th Gen Intel Core i7 Processors, talks about potential advantages of replacing the Intel Slim Bootloader with wolfBoot, and shows performance benchmarks of how the wolfCrypt cryptography library benefits from leveraging Intel AES-NI, AVX2, and AVX-512.

11th Gen Intel Core i7 processors include security features out of the box that make them an ideal processor choice for a number of project designs. Some of these include Intel Advanced Encryption Standard New Instructions (Intel AES-NI) , Intel Advanced Vector Extensions (Intel AVX2, Intel AVX-512), and UEFI Secure Boot. Given an excellent set of features offered by Intel processors, some users and Intel-based projects will benefit from extending the boot process using a second stage bootloader subsequent to Intel’s UEFI. This paper will introduce the wolfBoot secure bootloader, 11th Gen Intel® CoreTM i7 processors, and how wolfBoot can replace Intel® Slim Bootloader to provide certified and customized solutions such as securely unlocking a SATA drive using the trusted platform module version 2.0 (TPM 2.0) during boot.

wolfBoot is flexible and customizable in its use of hardware-based cryptography and secure key storage solutions.  It can leverage the wolfCrypt FIPS 140-2 (and upcoming 140-3) module for applications needing validated cryptography, or wolfCrypt DO-178C for secure boot requirements in avionics applications.  For more details, download our white paper today, or email wolfSSL at facts@wolfssl.com with any questions.

One of the primary distinctions between wolfSSL and other security libraries is the availability of commercial support packages (https://www.wolfssl.com/products/support-and-maintenance/).

The Premium Support package includes these benefits:

• Optimization Assistance
• Unlimited Support Incidents
• Contact via email, phone, and shared screen debug session
• Dedicated Support Engineer
• 4 Business Hour Response Time
• Build Config Added to Nightly CI Tests

Having your build configuration tested by our Nightly CI ensures that any changes made to the library will not cause regressions to your project! Having a highly configurable library means having a high level of complexity. We make every effort to test against the most common configurations, and having your project’s wolfSSL configuration added to that matrix removes any uncertainty that you’ll be able to painlessly update to future releases of the library.

Customers with our 24×7 Support package gain the additional advantage of having their target hardware added to our Nightly CI Tests.

wolfSSL wants to help you achieve your project’s security goals! Please contact us (facts@wolfssl.com) with any questions.

A little while ago, we wrote a blog post (https://www.wolfssl.com/nsa-announces-cnsa-suite-2-0/) and did a webinar (https://www.youtube.com/watch?v=IiykMe-pjqo) about the CNSA 2.0 announcement(https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF).  It discusses the need for preparing to use post-quantum algorithms.  For signature schemes, it specifies Dilithium Level 5 as a good general purpose algorithm and LMS and XMSS as being good for signing software and firmware updates.

Here at wolfSSL, plans are underway to make our wolfBoot product use post-quantum algorithms to sign the image updates.  Whether we start with Dilithium Level 5, LMS or XMSS  is up in the air. On the one hand, the time lines as prescribed in CNSA 2.0 for LMS and XMSS are accelerated. On the other hand, Dilithium is already supported through our integration with liboqs.

Want us to accelerate our plans and get them a higher priority? Have a preference for one of Dilithium, LMS or XMSS? Make yourself heard and reach out to facts@wolfssl.com with your thoughts!!

This past December, NIST announced that the venerable SHA-1 algorithm, introduced in 1995, is at end-of-life.  While wolfSSL does not use or recommend SHA-1 for new designs, we do implement and support it in our products.  With the NIST announcement, that will soon change for new FIPS 140 submissions, as we too will retire SHA-1.

The wolfSSL FIPS 140-3 cryptographic module currently in process at NIST includes SHA-1.  Thus, customers with an existing requirement for SHA-1 will be able to satisfy that requirement under that certificate once it has been issued.

However, and regardless of FIPS status, customers still using SHA-1 in security-critical roles — signatures, authentications, HMAC, KDFs, etc. — should refactor the implicated systems to use a modern hash algorithm such as SHA-2 or SHA-3.  wolfSSL stands ready to help our customers select and implement an appropriate migration path.

All FIPS 140 modules submitted on or after December 31 2025 will exclude SHA-1, to avoid early certificate sunset under the timeline announced by NIST.

In preparation for this transition, wolfSSL has already prepared its FIPS 140-3 codebase to build, run, and pass full ACVP testing, with SHA-1 gated out.  We are also routinely testing our mainline and FIPS codebases to assure correct function with SHA-1 disabled.

For more information on the announcement from NIST, see
https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm

Celebrate 25 Years of curl with a Zoom Birthday Party on March 20, 2023 at 17:00 UTC. Join fellow curl developers and enthusiasts online for a presentation on the major changes done over the years. Come and contribute to the discussion by asking questions or sharing your own insights. Let’s make this a memorable birthday party for curl!

Follow this link to register for the event: https://us02web.zoom.us/webinar/register/WN_J8VYX7IgRaaAZ1AB-hRKsQ

Follow this link to Daniel Stenberg’s blog providing more detail on the event: https://daniel.haxx.se/blog/2023/03/10/curl-25-years-online-celebration/

Earlier this month, we issued the final beta release of wolfSentry, the wolfSSL
embedded IDPS/firewall. This set the stage for our first production release of
wolfSentry, with increasingly mature and comprehensive facilities for securing
embedded endpoints.

Version 1.0.0 of wolfSentry delivers high-performance thread safety — in
multithreaded builds, all internal structures are protected, with shared locks
allowing for high concurrency on multithreaded/multicore targets. Realtime/TSN
use cases are supported with hard deadlines for return of control to the caller.

We have also improved support for dynamic/stateful rules, including constant
time garbage collection. These capabilites are demonstrated in the updated and
refined examples/notification-demo, our sample implementation of dynamic
defenses and event notifications integrated with an embedded web server.

Configuration of user plugins can now be driven with deep user-defined JSON
trees embedded within the unified JSON configuration package. These trees are
parsed at configuration time, and the pre-parsed contents are then available to
plugins through high performance btree lookups. This highly expressive, high
performance configuration mechanism streamlines configuration of complex
application-specific plugins. Moreover, the pre-parsed JSON trees can be
updated and expanded by plugin logic, using lock upgrades and DOM accessors, as
a supplementary stateful mechanism.

wolfSentry is available now, and is an ideal endpoint security solution for
deeply embedded use cases, with close and easy integration with user
applications, embedded IP stacks, and common libraries like wolfSSL.

Take advantage of the opportunity to enhance your embedded security knowledge with wolfSSL’s free two-day training taking place March 15th and 16th. Be sure to register for both days as day 2 will build off the content from day 1.

Day 1 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_OZ3yQPubRBqrtxhHsOm3ug

Day 2 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_8eIUIe_yRtCiaS1yKGKwJQ

The wolfSSL Python wrapper provides a Python interface to the wolfSSL library, a lightweight and portable SSL/TLS library optimized for performance in embedded and IoT devices.

The wolfSSL Python wrapper allows Python developers to use the wolfSSL library, simplifying the development process and reducing time-to-market. Furthermore, The wolfSSL port allows you to use Python with our FIPS 140-2/3 certified wolfCrypt library, ensuring that it meets strict security standards for developers working with sensitive data.

To use the wolfSSL Python wrapper, developers can follow the instructions provided in the wolfSSL open source projects repository on GitHub. Once installed, developers can easily integrate wolfSSL into their Python applications, from IoT devices to embedded systems.

wolfSSL also has a very simple Golang wrapper. While GO has its own tls/crypto library, wolfSSL is a proven and optimized solution that is a viable option for GO projects. For some insight on how it would work, follow the instructions in this README to view/build a simple server/client example secured by wolfSSL TLS.

Are you interested in extensions to our Golang wrapper?  Let us know at facts@wolfssl.com.

Take advantage of the opportunity to enhance your embedded security knowledge with wolfSSL’s free two-day training taking place March 15th and 16th. Be sure to register for both days as day 2 will build off the content from day 1.

Day 1 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_OZ3yQPubRBqrtxhHsOm3ug

Day 2 Registration: https://us02web.zoom.us/webinar/register/1616774545098/WN_8eIUIe_yRtCiaS1yKGKwJQ