RECENT BLOG NEWS
Or sign up to receive weekly email notifications containing the latest news from wolfSSL.
In addition, wolfSSL now has a support-specific blog page dedicated to answering some of the more commonly received support questions.
wolfSSL version 4.8.1 is available for download!!
This version of wolfSSL includes many new features, ports, and some great fixes. Some of the new features added includes:
- A tie in for use with wolfSentry.
- wolfSentry is a universal, dynamic, embedded IDPS (intrusion detection and prevention system)
- The build option added to enable the code for use with wolfSentry can be compiled using the autotools flag –enable-wolfsentry. wolfSentry is our new product that can be used in a similar fashion as a firewall but unlike many firewall applications available today wolfSentry is designed for deeply embedded IoT devices with resource constraints.
- Learn more from our webinar: Introducing wolfSentry, an Embeddable IDPS
- A number of API for the compatibility layer
- Helps support replacing OpenSSL using wolfSSL along with updating your crypto for FIPS requirements,
- A QNX CAAM driver for use with NXP’ i.MX devices,
- CAAM stands for Cryptographic Accelerator and Assurance Module. When used, it speeds up the cryptographic algorithms such as ECC and AES, as well as increases security by using encrypted keys and secure memory partitions.
- Support for STM32G0,
- Zephyr project example,
- The Zephyr Project is a scalable real-time operating system (RTOS) supporting multiple hardware architectures, optimized for resource constrained devices, and built with safety and security in mind.
- An easy-to-use Dolphin emulator test for DEVKITPRO
- devkitPro is a set of tool chains for compiling to gaming platforms.
- Fixes for PKCS#7
- PKCS#7 is used to sign, encrypt, or decrypt messages under Public Key Infrastructure (PKI). It is also used for certificate dissemination, but is most commonly used for single sign-on.
- Better parsing and handling of edge cases along with fixes for existing ports.
- Fixes that came from testing with Coverity and fsanitizer tools.
- Coverity is very efficient in finding issues, and is often used as a metric for good code (based on how many issues are found and fixed)
- fsanitizer is a static analysis tool
- Two vulnerabilities announced,
- one dealing with OCSP
- OCSP or “Online Certificate Status Protocol” is an Internet protocol that is used to obtain the revocation status of an X.509 digital certificate.
- the other with a previously fixed base64 PEM decoding side channel vulnerability.
- PEM, or “Privacy Enhanced Mail” is the most common format that certificates are issued in by certificate authorities.
- one dealing with OCSP
For a full list of changes, check out the updated ChangeLog.md bundled with wolfSSL or view our page on GitHub here (https://github.com/wolfSSL/wolfssl). Any questions can be sent directly to firstname.lastname@example.org.
This post has been cross posted from Daniel Stenberg’s blog – originally posted here.
The curl factory has once again cranked out a new curl release.
- the 202nd release
- 3 changes
- 56 days (total: 8,580)
- 128 bug-fixes (total: 7,270)
- 186 commits (total: 27,651)
- 0 new public libcurl function (total: 85)
- 0 new curl_easy_setopt() option (total: 290)
- 0 new curl command line option (total: 242)
- 62 contributors, 25 new (total: 2,484)
- 41 authors, 16 new (total: 948)
- 3 security fixes (total: 111)
- 3,500 USD paid in Bug Bounties (total: 16,900 USD)
This time we once again announce security advisories in association with the release.
CVE-2021-22945 is a double-free flaw in the MQTT code. Patch your old curl or upgrade to this version if you use it to send MQTT. The reporter of this flaw was awarded 1,000 USD from the curl bug-bounty program.
CVE-2021-22946 is a bug in response handling for several protocols (IMAP, POP3 and FTP) that bypasses the enforced TLS check so that even transfers that are explicitly told to require TLS can accidentally silently be performed in clear text! Rewarded 1,000 USD.
CVE-2021-22947 allows a mitm attacker to inject data into the protocol stream for FTP, IMAP, POP3 or SMTP in a way before the TLS upgrade so that curl accepts that data and uses it after after having upgraded to TLS. The untrusted data slips in and gets treated as trusted! Rewarded 1,500 USD.
These two latter ones came as an indirect result/inspiration from the NO STARTTLS research.
This release comes with three changes to take note of…
Users of the bearssl TLS backend will appreciate that it too now supports the CURLOPT_CAINFO_BLOB option so that the CA certificate easily can be provided in-memory by applications.
The cookie engine in curl now considers
http://localhost to be secure and thus cookies that are marked “secure” will be sent over it – even when not using HTTPS. This is done because curl now since a while back makes sure that localhost is always truly local.
Users of the Secure Transport TLS backend can now use CURLINFO_CERTINFO to extract information about the server’s certificate chain.
Some of the most interesting bug-fixes we did this round.
When you build curl to use the c-ares name resolver backend, curl will now use this function to get improved handling for IPv4+ IPv6. This also ups our requirement on c-ares to 1.16.0.
hyper works better
1xx responses, Transfer-Encoding and more have been fixed. The number of tests that are disabled for hyper builds are even fewer than before, but there’s still plenty of work to do before it can be considered not experimental.
cmake builds: avoid poll() on macOS
We have deliberately not used poll() in macOS builds for a long time when building with configure, and now we realized that cmake builds inadvertently had poll() use enabled, which caused curl to misbehave when for example connecting to a host while that connection got closed by the peer. poll() is now disabled on macOS even when cmake is used.
configure: also check lib64 for the OpenSSL pkg-config file
OpenSSL did a very late change just before they shipped version 3.0.0: they modified the default installation path for the library for 64 bit systems from
$prefix/lib64, and subsequently we had to update our configure script detection logic accordingly. This helps configure to find OpenSSL v3 installs.
curl.1: provide examples for each option
The documentation now must provide at least one example command line for each command line option curl provides. This is verified in the build and will cause build errors if a file doesn’t comply! Feel free to suggest new, more or better examples when you start to see them in the man page.
HTTP 1.1: disallow >3-digit response codes
The HTTP protocol is defined to only allow three-digit numbers and now curl enforces that check stricter. This was in part made to align behavior when curl is built to use hyper.
HTTP 1.1: ignore content-length if any transfer-encoding is used
Non-chunked transfer-encoded content that also sends
Content-Length headers is rare but was incorrectly handled by curl. Found when aligning behavior with hyper builds.
http_proxy: only wait for writable socket while sending request
Due to a mistake in the handling of what socket activity to wait for, curl could accidentally be made to busy-loop from the CONNECT request was sent to the proxy until the first data arrived.
Support mbedTLS 3.0.0
When mbedTLS released a new version with support for TLS 1.3 etc, they also modified the API a bit.
We’ve had our own internal strerror replacement function for a long time (primarily due to it not being thread-safe), but a recent code review revealed that a lot of uses of this function had still crept in. Starting now, our code check tool (checksrc) will error if strerror is used in libcurl code.
The mailing lists move from cool.haxx.se to lists.haxx.se
Our old decommissioned server hosted 29 mailing lists. We moved most of them and killed off a few. All our mailing lists are now hosted on lists.haxx.se, including all the curl related ones of course! The old server name will simply redirect to the new one if you go there with a browser.
- wolfSSL offers Curl support is available, and part of that support revenue goes into finding and fixing these kinds of vulnerabilities.
- Customers under curl support can get advice on whether or not the advisories apply to them.
- 24×7 support on curl is available, and can include pre-notification of upcoming vulnerability announcements.
Contact us at email@example.com to learn more.
*Jointly posted with GrammaTech
wolfSSL is a lightweight embedded SSL/TLS library and we pride ourselves for being the best-tested crypto and SSL/TLS stack available on the market. From API unit testing to fuzz testing to continuous integration, we do it all to ensure we’re secure for our customers. Now we’re adding an additional static analysis tool to the arsenal, GrammaTech’s CodeSonar, for even more security assurance.
Static analysis also known as static application security testing (SAST) is the process of using a tool to scan for bugs and defects in source code without actually running a program. CodeSonar’s analysis of our codebase helped reveal even more ways to ensure that all of our bases are covered and security is maximized. By displaying the defects through thorough descriptions and visualizations, CodeSonar allowed us to come up with quick and efficient fixes. Setting up the program was straight-forward and it took about 2 hours to scan through the wolfSSL code base. The figure below offers a brief summary of the warnings generated by the analysis.
We reviewed all the warnings and marked them appropriately. CodeSonar also now allows us to list the new warnings that are introduced by code changes and allows us to maintain our security posture easily.
These were the defects detected throughout the hundreds of thousands of lines of code in the wolfSSL code base. Most of the Buffer Overruns generated have safeguards around them to make certain that they don’t happen during execution. A majority of the Uninitialized Variable warnings are generated because of the way wolfSSL initializes keys and other structs (initialized by constructor methods instead of direct initialization). And, the Null pointer Dereferences are to guarantee that nothing in the code makes it past where it needs to be.
CodeSonar did help us uncover possible leaks that we were able to fix within a day. With CodeSonar, our development team can take swift and methodical action whenever a problem is uncovered. We know that’s what customers like to hear! So if you’d like peace of mind knowing that your product incorporates a cutting-edge lightweight and secure TLS/Cryptography library, download wolfSSL.
Need more? Subscribe to our YouTube page for access to webinars.
Love it? Star us on GitHub!
As you may know, wolfSSL has integrated our FIPS-certified crypto module (wolfCrypt) with OpenSSL as an OpenSSL engine, a product we call wolfEngine. You may also know that OpenSSL 3.0 has done away with the engines paradigm in favor of a new concept, called providers. wolfSSL has begun work on an OpenSSL 3.0 provider, allowing you to use latest version of OpenSSL backed by our FIPS-certified wolfCrypt library. Like wolfEngine, the wolfSSL provider for OpenSSL is an excellent pathway for users looking to get FIPS compliance fast while still using OpenSSL.
Reach out to firstname.lastname@example.org for more information!
wolfSSL is excited to announce support for using Silicon Labs Hardware acceleration. The EFR32 family of devices support multiple wireless interfaces with hardware cryptographic operations. wolfSSL can now offload cryptographic operations for dramatically increased performance on the Silicon Labs EFR32 family!
Our new support includes hardware acceleration of the following algorithms:
The new functionality can be enabled by defining WOLFSSL_SILABS_SE_ACCEL. In user_settings.h More details are available in the README.md in wolfcrypt/src/port/silabs of the wolfSSL tree.
Benchmark was performed on an EFR32 Gecko 2 (Series 1) using the xGM210P022.
|Algorithm||Data Throughput (MB/s)|
|ECC operation||Average time to complete (ms)||Operations per second|
|ECC 256 key gen||5.929||168.663|
|ECDHE 256 agree||5.440||183.816|
|ECDSA 256 sign||6.373||156.902|
|ECDSA 256 verify||6.727||148.662|
Please contact us at email@example.com with any questions you have on wolfSSL, or just give us a call!
wolfSSL now supports NXP’s SE050 hardware security chip. This is an external I2C crypto co-processor chip that supports RSA key sizes up to 4096-bit, ECC curves up to 521 bit and ED25519 / Curve25519. You can see the full implementation details in GitHub pull request 4322.
We have also expanded our Kinetis LTC support to accelerate RSA key generation. This made it into our v4.8.1 release of wolfSSL.
NXP Semiconductor is a key member of wolfSSL’s partner network. wolfSSL ships with support for offloading cryptographic operations onto several NXP devices, such as the Coldfire, Kinetis, LPC, S32 and i.MX microprocessors. Additionally we support hardware cryptographic acceleration using NXP’s CAU, MMCAU, LTC, CAAM and SE050 hardware. If your target is missing, tell us!
wolfSSL develops a full suite of products supporting NXP designs. Learn about wolfBoot secure boot and TLS 1.3 firmware update with FreeRTOS and wolfSSL on NXP Freedom Board K64 here. After the release of wolfSSL version 4.2.0, we provide improved support for crypto hardware performance, now on NXP mmCAU. Download the latest wolfSSL version 4.8.1 here!
Love it? Star us on GitHub!
wolfSSL is always adding new ports to our highly portable wolfCrypt library! We’re continuing our series on the latest open source project ports—this week, we’re featuring tcpdump.
We have integrated wolfSSL with tcpdump, a powerful command-line packet analyzer. This update allows for the use of tcpdump with our FIPS-validated crypto library, wolfCrypt. Tcpdump is a versatile tool with many options and filters, and is commonly used to capture or filter TCP/IP packets that are received or transferred over a network on a specific interface. Its long-running history ensures that there are many resources available for learning how to use this tool (See the tcpdump Wikipedia page for more info).
Through the OpenSSL compatibility layer, tcpdump is able to call into wolfSSL. Visit the GitHub page here: https://github.com/wolfSSL/osp/tree/master/tcpdump/4.9.3
News to look forward to—wolfSSL plans to integrate wolfTPM, our portable TPM 2.0 library, into U-Boot! This would extend the TPM 2.0 capabilities in U-Boot to include signature verification and measured boot.
For many platforms, we can replace U-Boot such as on the Xilinx UltraScale+ MPSoC.
wolfBoot is a portable secure bootloader solution that offers firmware authentication and firmware update mechanisms. Thanks to its minimalistic design, wolfBoot is completely independent from any OS or bare-metal application. Some of its key features include:
- Partition signature verification using ED25519, RSA and ECC
- Encryption of partitions
- Updating of partitions in the boot loader
- Measured boot with TPM 2.0 PCR registers
- Offloading to crypto coprocessors like the TPM 2.0 modules
- Version checking for updates
- Rollback on failed updates
For information on our wolfBoot TPM integration, visit https://www.wolfssl.com/curious-learn-wolfboot-tpm/.
If you are interested in our U-Boot wolfTPM integration, please email firstname.lastname@example.org.
Public key infrastructure or PKI is important term used to define everything that is used to “create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.” (https://en.wikipedia.org/wiki/Public_key_infrastructure) As RSA and ECC are one of the main algorithms used for PKI key generation, we are wondering if anyone is interested in RSA 3k or ECC 384 support in wolfBoot?
Please let us know by sending a note to email@example.com
You can download the latest release here: https://www.wolfssl.com/download/
Or clone directly from our GitHub repository: https://github.com/wolfSSL/wolfBoot
While you’re there, show us some love and give the wolfBoot project a Star!
wolfSSL has long been aware of the quantum threat to modern cryptography. Though quantum computing currently exists on small scales, research has determined enough to know that once full-scale quantum computing is available, all modern cryptography (RSA, ECC, etc.) will no longer be secure. Furthermore, the proven usage model of Quantum Computing as a Service (QCaaS) via the Cloud means that quantum capabilities will be more widely available, posing a greater security threat. This risk is why wolfSSL provides support for integration with the NTRU cryptosystem and an implementation of the QSH TLS extension.
With NIST already having announced the Round 3 finalists of the Post-Quantum Cryptography Competition, we thought it was time to update our quantum-safe offerings. WolfSSL will soon support integration with the Open Quantum-Safe project’s libOQS. Initial support will be for Key Exchange only using all parameter sets of Crystals-Kyber, NTRU, and SABER for TLS 1.3. With perfect forward secrecy, these algorithms can protect you from the “Harvest and Decrypt” threat model.
“Harvest and Decrypt”
If encrypted sensitive data is stolen (harvested) today, it will be accessible (decrypted) once a sufficiently-powered quantum computer is available. If the sensitive information has a secrecy requirement that extends beyond the time it will take to develop large-scale quantum computing, then that data should be considered at risk today. The quantum threat to current confidential data demonstrates the importance of migrating to quantum-safe solutions as soon as possible. For more details, you can look up “Mosca’s Inequality”.
To continue future-proofing encrypted data streams, wolfSSL plans to hybridize key construction algorithms with NIST-standardized ECDSA components. These hybridized algorithms will continue to be FIPS compliant under the current NIST standards. In addition, wolfSSL is developing a test for post-quantum cURL, coming in the next 4 to 6 weeks.
wolfSSL is attending ICMC (International Cryptographic Module Conference) this week, where we will be talking more about post-quantum computing—come visit us there!
wolfSSL is an exhibiting sponsor at this year’s International Cryptographic Module Conference (ICMC) in Maryland. We’re all about doing cryptography right, and as the best-tested crypto on the market, we can’t wait to talk through securing your projects at ICMC.
Find us September 1-3 in Washington DC at the Hyatt Regency Bethesda or online to join this hybridized event! We’re talking about:
• Benchmarking wolfCrypt for your target
• FIPS 140-3 validated crypto
• The advantages of TLS 1.3
• wolfCrypt as an engine for OpenSSL
• TPM/HSM support
• OCSP support
• TLS 1.3 sniffing
• wolfRand, wolfSSL’s FIPS module with a hardware entropy source
• DO-178C DAL A
• Post-quantum algorithms in wolfSSH
• RISC-V support in wolfBoot
• Commercial-style developer support backed 24×7 by a team of real Engineers
• Why open source matters for best-tested security
Come meet us at ICMC and bring all your cryptography questions! In the meantime, download and star wolfSSL on GitHub. If you’d like to book a meeting online or in-person, email facts@wolfSSL.com. We can’t wait to see you!
- September 2021 (9)
- August 2021 (13)
- July 2021 (21)
- June 2021 (19)
- May 2021 (12)
- April 2021 (12)
- March 2021 (27)
- February 2021 (29)
- January 2021 (22)
- December 2020 (21)
- November 2020 (14)
- October 2020 (7)
- September 2020 (22)
- August 2020 (11)
- July 2020 (8)
- June 2020 (14)
- May 2020 (15)
- April 2020 (14)
- March 2020 (4)
- February 2020 (24)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (24)
- August 2019 (21)
- July 2019 (8)
- June 2019 (13)
- May 2019 (35)
- April 2019 (31)
- March 2019 (20)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (10)
- October 2018 (18)
- September 2018 (18)
- August 2018 (8)
- July 2018 (15)
- June 2018 (29)
- May 2018 (15)
- April 2018 (11)
- March 2018 (19)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (7)
- September 2017 (8)
- August 2017 (6)
- July 2017 (11)
- June 2017 (8)
- May 2017 (10)
- April 2017 (5)
- March 2017 (7)
- February 2017 (1)
- January 2017 (8)
- December 2016 (3)
- November 2016 (2)
- October 2016 (18)
- September 2016 (8)
- August 2016 (5)
- July 2016 (4)
- June 2016 (10)
- May 2016 (4)
- April 2016 (5)
- March 2016 (4)
- February 2016 (12)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (6)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (13)
- January 2015 (6)
- December 2014 (7)
- November 2014 (3)
- October 2014 (2)
- September 2014 (11)
- August 2014 (6)
- July 2014 (9)
- June 2014 (11)
- May 2014 (11)
- April 2014 (9)
- March 2014 (3)
- February 2014 (3)
- January 2014 (5)
- December 2013 (9)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (8)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (9)
- December 2012 (13)
- November 2012 (5)
- October 2012 (7)
- September 2012 (4)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (5)
- April 2012 (7)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (6)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (8)
- May 2011 (12)
- April 2011 (4)
- March 2011 (12)
- February 2011 (8)
- January 2011 (13)
- December 2010 (17)
- November 2010 (12)
- October 2010 (14)
- September 2010 (11)
- August 2010 (20)
- July 2010 (14)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)