RECENT BLOG NEWS

So, what’s new at wolfSSL? Take a look below to check out the most recent news.
Or sign up to receive weekly email notifications containing the latest news from wolfSSL.
In addition, wolfSSL now has a support-specific blog page dedicated to answering some of the more commonly received support questions.

wolfSSL v4.8.1 Release

wolfSSL version 4.8.1 is available for download!!

This version of wolfSSL includes many new features, ports, and some great fixes. Some of the new features added includes:

  • A tie in for use with wolfSentry
    • wolfSentry is a universal, dynamic, embedded IDPS (intrusion detection and prevention system)
    • The build option added to enable the code for use with wolfSentry can be compiled using the autotools flag –enable-wolfsentry. wolfSentry is our new product that can be used in a similar fashion as a firewall but unlike many firewall applications available today wolfSentry is designed for deeply embedded IoT devices with resource constraints.
    • Learn more from our webinar: Introducing wolfSentry, an Embeddable IDPS
  • A number of API for the compatibility layer 
    • Helps support replacing OpenSSL using wolfSSL along with updating your crypto for FIPS requirements, 
  • A QNX CAAM driver for use with NXP’  i.MX devices, 
    • CAAM stands for Cryptographic Accelerator and Assurance Module. When used, it speeds up the cryptographic algorithms such as ECC and AES, as well as increases security by using encrypted keys and secure memory partitions.
  • Support for STM32G0
  • Zephyr project example,
    • The Zephyr Project is a scalable real-time operating system (RTOS) supporting multiple hardware architectures, optimized for resource constrained devices, and built with safety and security in mind.
  • An easy-to-use Dolphin emulator test for DEVKITPRO
    • devkitPro is a set of tool chains for compiling to gaming platforms.
  • Fixes for PKCS#7 
    • PKCS#7 is used to sign, encrypt, or decrypt messages under Public Key Infrastructure (PKI). It is also used for certificate dissemination, but is most commonly used for single sign-on.
  • Better parsing and handling of edge cases along with fixes for existing ports. 
  • Fixes that came from testing with Coverity and fsanitizer tools. 
    • Coverity is very efficient in finding issues, and is often used as a metric for good code (based on how many issues are found and fixed)
    •  fsanitizer is a static analysis tool
  • Two vulnerabilities announced, 
    • one dealing with OCSP 
      • OCSP or “Online Certificate Status Protocol” is an Internet protocol that is used to obtain the revocation status of an X.509 digital certificate.
    • the other with a previously fixed base64 PEM decoding side channel vulnerability.
      • PEM, or “Privacy Enhanced Mail” is the most common format that certificates are issued in by certificate authorities.

For a full list of changes, check out the updated ChangeLog.md bundled with wolfSSL or view our page on GitHub here (https://github.com/wolfSSL/wolfssl). Any questions can be sent directly to facts@wolfssl.com.

wolfSSL support for the ATECC608 Crypto Coprocessor

wolfSSL embedded SSL/TLS support the latest Microchip ATECC508 and ATECC608 I2C cryptographic coprocessors.

Prerequisites:

Examples:

Preprocessor Macros:

  • WOLFSSL_ATECC508A
  • WOLFSSL_ATECC608A
  • WOLFSSL_ATECC_PKCB
  • WOLFSSL_ATMEL
  • WOLFSSL_ATECC_DEBUG
  • WOLFSSL_ATECC_TNGTLS

PK Callbacks:

wolfSSL’s TLS layer PK callbacks expose API’s to set ECC callbacks. These are enabled with:

#define HAVE_PK_CALLBACKS or ./configure --enable-pkcallbacks.

Reference API’s:

  • atcatls_create_key_cb
  • atcatls_verify_signature_cb
  • atcatls_sign_certificate_cb
  • Atcatls_create_pms_cb

 

We plan on adding support for the new 608A PRF and HKDF for TLS 1.2 and TLS 1.3 speed improvements.

For more questions please email us at facts@wolfssl.com.

wolfCrypt FIPS 140-2 on ARM

Do you need a FIPS 140-2 validated cryptography library for your ARM-based platform? wolfCrypt has been FIPS 140-2 validated (certificate #3389) on several different operating environments to date, some of which have been on resource-constrained ARM-based devices.

FIPS validating a crypto library on a resource-constrained device can be more involved than doing a validation on a standard desktop-like platform. Variances in OS, Flash/RAM, filesystem (or lack of), entropy, communication, and more can make things interesting. Going through our past ARM-based validations, we have figured out how to make this process easier with wolfCrypt!

If you are interested in exploring FIPS 140-2 cryptography validations on ARM platforms, reach out to us at facts@wolfssl.com!

To learn more about our FIPS 140-3 certification, please register for our webinar on October 14th!

Upcoming Live Webinars : FIPS 140-3 Certification and Migrating to wolfSSL from OpenSSL

On October 13th & 14th wolfSSL will be hosting two live webinars, one will cover FIPS 140-3 Certification and the other will be on Migrating from OpenSSL to wolfSSL. Read below for more information as well as a links to register.

Oct 13, 9:00 AM PST: FIPS 140-3
Register Here: https://us02web.zoom.us/webinar/register/WN_WCO3LQ5dRiKifbbg5OCnYA

wolfSSL is thrilled to be the first in FIPS 140-3 certification and we want to share it with you! Join the wolfSSL team, Kaleb Himes, Senior Engineer & FIPS authority, as we cover all things FIPS 140-3. There will be a live Q&A so bring all your FIPS-related questions. We will cover the current transition to FIPS 140-3, its importance for cybersecurity, as well as how wolfSSL is implementing it in our products.

Oct 14, 9:00 AM PST: Migrating from OpenSSL to wolfSSL
Register Here: https://us02web.zoom.us/webinar/register/WN_7oyLVSq6Tba5828QvfFzcQ

There are many reasons why a user might want to switch from OpenSSL to wolfSSL. In order to facilitate this transition, wolfSSL has an accessible compatibility layer. Join us as wolfSSL Engineer, Jacob, talks about the top reasons why people migrate from OpenSSL to wolfSSL as well as how to get started. He will cover how to build with the compatibility layer as well as some examples of applications.

Both webinars will include a Q&A section, so please bring any questions you may have.

If you have any other questions or concerns please reach out to facts@wolfssl.com or support@wolfssl.com anytime.

Visit Us at it-sa!

We’re actually going somewhere! Come see wolfSSL at it-sa ’21 in Nuremberg, Germany this week.

it-sa ‘21: October 12th – 14th, 2021
Get a pass: https://www.mwcbarcelona.com/attend/registration#tab-physical-passes
Exhibition hours: 09:00 – 18:00 (Tuesday and Wednesday) 09:00 – 17:00 (Thursday)

wolfSSL will be at booth 7-611, with Business Directors Wolfram Kusterer and wolfSSL Engineer Juliusz Sosinowicz on the ground to answer all your embedded security questions. Plus, our full sales team will be on standby in the virtual booth to talk to you! Email facts@wolfSSL.com if you’d like to book a meeting ahead of the event. 

If you’re new to wolfSSL, here’s how we can help you win big in mobile industry and beyond:
– wolfSSL is up to 20x smaller than OpenSSL
– First commercial implementation of TLS 1.3, with TLS 1.3 Sniffer
– First in FIPS 140-3
– Best tested, most secure, fastest crypto on the market with incomparable certifications and highly customizable modularity
– Access to 24×7 support from a real team of Engineers
– Support for the newest standards (including TLS 1.2, TLS 1.3, DTLS 1.2, and DTLS 1.3 forthcoming)
– Multi-platform, dual-licensed, royalty free, with an OpenSSL compatibility API to ease porting into existing applications which have previously used the OpenSSL package
– Full product suite including MQTT with support up to v5.0, Secure Boot, wolfSentry IDPS, SSHv2 server, TPM 2.0 portable project, Java wrappers and JSSE support, plus commercial curl support at the enterprise level. 

To learn more, come meet us at it-sa ’21 or email facts@wolfSSL.com.  


Love it?
Star wolfSSL on GitHub.
Discover MWC ‘21 here.
Follow @wolfSSL on Twitter for daily updates!

Open Source Project Ports: Socat

Thanks to the portability of our wolfCrypt library, plus our team of expert engineers, wolfSSL is frequently adding new ports. Keep an eye out as we continue showcasing a few of the latest open source project ports over the next few weeks!

We have recently integrated wolfSSL with the socat tool for Linux. This port allows for the use of socat with our FIPS-validated crypto library, wolfCrypt. Socat is a command line based utility that allows for bidirectional data transfers between two independent channels. For more information on socat, please visit the project’s website at www.dest-unreach.org/socat

As of wolfSSL version 4.8.0, we have enabled socat to be able to call into wolfSSL through the OpenSSL compatibility layer. You can access the GitHub page here: https://github.com/wolfSSL/osp/tree/master/socat

Need more? Subscribe to our YouTube channel for access to wolfSSL webinars!
Love it? Star us on GitHub!

Post-Quantum wolfSSH

The wolfSSL library is now safe against the “Harvest Now, Decrypt Later” post-quantum threat model with the addition of our new TLS 1.3 post-quantum groups. But where does that leave wolfSSH? It is still only using RSA and elliptic curve key exchange algorithms which are vulnerable to the threat model mentioned above. If you are interested in knowing about our plans to protect wolfSSH using post-quantum key exchanges, please get in contact with us at facts@wolfssl.com.

Upcoming Live Webinar : wolfEngine – wolfCrypt as an Engine for OpenSSL

Join our live wolfEngine  webinar, where we introduce one of our newest products wolfEngine, a separate standalone library which links against wolfSSL (libwolfssl) and OpenSSL. wolfEngine implements and exposes an OpenSSL engine implementation which wraps the wolfCrypt native API internally. Algorithm support matches that as listed on the wolfCrypt FIPS 140-2 certificate #3389.

Learn about about what wolfEngine is, why you should care, and why wolfEngine could be the solution to all of your problems. As always bring your questions for the Q&A following the presentation.

wolfEngine : wolfCrypt as an Engine for OpenSSL
Time: Oct 7, 2021 09:00 AM in Pacific Time
Register here: https://us02web.zoom.us/webinar/register/WN_1gPXMVUgReClAodxe7sTPg

If you have any other questions or concerns please reach out to facts@wolfssl.com or support@wolfssl.com anytime.

Loading wolfSSL into the Linux Kernel – Update

wolfSSL Linux kernel module support has grown by leaps and bounds, with new support for public key (PK) cryptographic acceleration, FIPS 140-3, accelerated crypto in IRQ handlers, portability improvements, and overall feature completeness.

The module provides the entire libwolfssl API natively to other kernel modules, allowing fully kernel-resident TLS/DTLS endpoints with in-kernel handshaking.  Configuration and building is turnkey via the --enable-linuxkm option, and can optionally be configured for cryptographic self-test at load time (POST), including full FIPS 140-3 core hash integrity verification and self-test.

As with library builds, the kernel module can be configured in detail to meet application requirements, while staying within target capabilities and limitations.  In particular, developers can opt to link in only the wolfCrypt suite of low level cryptographic algorithms, or can include the full TLS protocol stack with TLS 1.3 support.

For PK operations, the kernel module leverages our new function-complete SP bignum implementation, featuring state of the art performance and side channel attack immunity.  AVX2 and AES-NI accelerations are available on x86, and are usable from both normal kernel threads and from interrupt handler contexts. When configured for AES-NI acceleration, the module delivers AES256-GCM encrypt/decrypt at better than 1 byte per cycle.

Kernel module builds of libwolfssl are supported in wolfSSL release 4.6 and newer, and are available in our mainline github repository, supporting the 3.x, 4.x, and 5.x Linux version lines on x86-64, with limited support for ARM and MIPS. Full FIPS 140-3 support on x86-64 will be available in the forthcoming wolfSSL Version 5.0 release.

Need more? Subscribe to our YouTube channel for access to wolfSSL webinars!
Love it? Star us on GitHub!

wolfSSL not affected by CVE-2021-3711, nor CVE-2021-3712

It came to our attention that OpenSSL just published two new vulnerabilities.

  • CVE-2021-3711 – “SM2 decryption buffer overflow” (nakedsecurity)
  • CVE-202103712 – “Read buffer overruns processing ASN.1 strings.” (nakedsecurity)

These were specific OpenSSL issues and do not affect wolfSSL. For a list of CVEs that apply to wolfSSL please watch the security page on our website here: https://www.wolfssl.com/docs/security-vulnerabilities/

We wanted to take this opportunity to remind our customers and users that wolfSSL is in no way related to OpenSSL. wolfSSL was written from the ground up and is a unique SSL/TLS implementation.

That being said, wolfSSL does support an OpenSSL compatibility layer allowing OpenSSL users to drop in wolfSSL but continue to use the most commonly found OpenSSL API’s after re-compiling their applications to link against wolfSSL.

One individual also pointed out the time delta between report and fix on the above CVEs and wolfSSL would like to remind our customers and users of how proud we are of our less than 48 hour delta between report and fix. For more on our response time and process regarding vulnerabilities check out https://www.wolfssl.com/everything-wanted-know-wolfssl-support-handles-vulnerability-reports-afraid-ask/

If you have any other questions or concerns please reach out to facts@wolfssl.com or support@wolfssl.com anytime.

 

wolfCrypt FIPS on EFM32-GG

A quick followup to the post “wolfSSLs’ Proprietary ACVP client”.

wolfSSL Inc. is proud to announce a recent addition to the wolfCrypt FIPS cert 3389!

  • CMSIS-RTOS2 v2.1.3 running on a Silicon Labs EFM32G (Giant Gecko) chipset with wolfCrypt v4.6.1

Testing and standup for the EFM32 Giant Gecko was done collaboratively between wolfSSL Inc. and one of wolfSSLs’ customers. wolfCrypt had not previously been ported to or run on an EFM32 device so this was an exciting opportunity to both test on an EFM32 for the first time and to take wolfCrypt, running on the EFM32, through FIPS certification!
If you have any questions about getting wolfCrypt or wolfSSL up and running on your EFM32 target, not only is it possible, it is possible with FIPS 140-2 (and soon FIPS 140-3) certification as well!

Other OE’s added since the original ACVP client post are:

  • Linux 4.14 running on ARMv8 Cortex A53 with and without PAA (module version 4.5.4)
  • Windows CE 6.0 running on ARM Cortex-A8 (module version 4.6.2)
  • Linux 4.19 running on ARMv8 Cortex A53 with and without PAA (module version 4.5.4)

At the time of this posting wolfSSL has:

  • 10 OE additions (1SUB) in coordination phase with the CMVP to be added to cert 3389
  • 4 OE additions (1SUB) that have completed all testing and are ready to be submitted to the CMVP
  • 5 OE additions (1SUB) actively in the testing process
  • 1 OE addition (1SUB) in the queue to start

While the CMVP is no longer accepting 3SUB and 5SUB submissions for FIPS 140-2 (Cutoff date was 22 Sep 2021) wolfSSL Inc. continues to work on 1SUB OE additions. wolfSSL Inc. will continue to work on 1SUB OE additions to cert 3389 until 7 months before the expiration date of cert 3389.

wolfSSL Inc. was one of the first to submit for FIPS 140-3 and we expect to be one of the first to receive a 140-3 certificate. If you are looking for a commercial FIPS 140-3 solution, then look no further!

If you need FIPS 140-2 or 140-3 please don’t hesitate to reach out to fips@wolfssl.com anytime.

Posts navigation

1 2 3 4 138 139 140

Weekly updates

Archives

Latest Tweets