RECENT BLOG NEWS

We at wolfSSL are pleased to announce that now you can use wolfSSL directly from Docker!

In a few words, Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers are like virtual machines, but way more lighter as the container shares some resources with the hosting machine.

We created a collection of wolfSSL containers targeting the following OSs: Debian, Ubuntu, Alpine Linux, CentOS

There are 3 different flavors of containers we have created based on each OS, they are: lib, test and examples

wolfssl/wolfssl ubuntu-examples 9198e6d82596 127MB
wolfssl/wolfssl ubuntu-test     ba5ca8ca4359 351MB
wolfssl/wolfssl ubuntu-lib      125125eea7ab 126MB
ubuntu          latest          2d696327ab2e 122MB
wolfssl/wolfssl debian-examples cd066ee3b5db 106MB
wolfssl/wolfssl debian-test     5a3edb3a2a20 356MB
wolfssl/wolfssl debian-lib      3086ef0f07b6 105MB
debian          latest          72ef1cf971d1 100MB
wolfssl/wolfssl centos-examples 37687e96d5b9 222MB
wolfssl/wolfssl centos-test     359d4195ca53 392MB
wolfssl/wolfssl centos-lib      a8c6cafd6205 221MB
centos          latest          196e0ce0c9fb 197MB
wolfssl/wolfssl alpine-examples 490120f86d61 8.74MB
wolfssl/wolfssl alpine-test     52b698631bec 228MB
wolfssl/wolfssl alpine-lib      692a0c26cda6 7.97MB
alpine          latest          76da55c8019d 3.97MB

The -lib images contains only the wolfSSL binaries, while -examples also contains the test examples and -test also contains wolfSSL’s source code.

You can find further information on how to run wolfSSL examples on a docker container in our docker hub page: https://hub.docker.com/u/wolfssl/

And here is a quick example, server in the left tab and the client in the right tab:

wolfSSL recently presented at the XSWIG (Xilinx Security Working Group) in Longmont Colorado. Covering the topics of building wolfSSL for an Ultrazed EG starter kit and collecting benchmark values with hardware acceleration. If you would like more details of what we talked about, or are looking to add security to an FPGA embedded board contact us at facts@wolfssl.com!

A recent paper used wolfSSL as a test bed for proving out their attack on Ed25519 signatures.  You can read the paper here: https://eprint.iacr.org/2017/985.pdf .  This was not an attack on wolfSSL itself or its implementation, but rather a differential power attack that involves SHA-512 and Ed25519.  The recommended countermeasure is to change Ed25519 and remove its deterministic signature properties.  If you are interested in this countermeasure please let us know as we can make this available as a build option.

According to a recent article,  researchers have announced that Wi-Fi security has a protocol level exploit that can render all Wi-Fi traffic vulnerable to sniffing or manipulation. The good news is that if you are already using an independent form of end-to-end encryption such as SSL/TLS then the stolen packets are of little use as they are encrypted independent of the WEP/WPA1/WPA2 protocols.

These vulnerabilities are scheduled to be presented on November 1st at the 24th annual “ACM Conference on Computer and Communications Security” to be held in Dallas, TX.

Paper Title:

     “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”

Authors:

     Mathy Vanhoef (KU Leuven, imec-DistriNet)

     Frank Piessens (KU Leuven, imec-DistriNet)

Securing your Wi-Fi traffic with SSL/TLS, offered by @wolfSSL, can keep your data secure in a wireless world by providing independent end-to-end security for your Wi-Fi traffic rendering any stolen Wi-Fi traffic useless to attackers. Users MUST BE AWARE and look for the green lock to ensure the SSL/TLS was not stripped while using Wi-Fi (See video below for explanation!)

PLEASE WATCH THIS VIDEO so you know how to detect if SSL/TLS has been STRIPPED and your traffic is vulnerable to sniffing and/or modification!

An addendum to the report notes that all WPA Supplicant users using v2.6 are vulnerable to this attack (All android 6.0+ users).

References:

https://www.theverge.com/2017/10/16/16481136/wpa2-wi-fi-krack-vulnerability

https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns

https://www.wired.com/story/krack-wi-fi-wpa2-vulnerability/

https://www.krackattacks.com/

https://acmccs.github.io/session-F3/

https://w1.fi/wpa_supplicant/

wolfSSL has supported the ThreadX/NetX RTOS with the TLS protocol. Recently we added the ability to use DTLS with NetX. Out of the box, wolfSSL has the I/O callback functions for handling UDP packets for DTLS. As an extension to DTLS, wolfSSL also supports Multicast DTLS. If you would like to know more please contact our sales team via email, sales@wolfssl.com

One of the major new features of TLS v1.3 is the 0-RTT handshake protocol. This variation of the handshake, using Pre-Shared Keys (PSKs), allows the client to send encrypted data to the server in the first flight. This is particularly useful for TLS on embedded devices. Take the example of IoT. There may be thousands or even millions of devices reporting back regularly to the central servers with small updates.

Using 0-RTT, the IoT device can send a ClientHello plus all the update data, known as “early data”, in one flight. Then, the server responds with the ServerHello, EncryptedExtensions, and Finished messages plus acknowledgement of the early data all in one flight. Finally the device responds with EndOfEarlyData and Finished messages in a final flight to close the loop on the security.

We can see that the data is offloaded, without having to wait for the server. The device stores a little state and goes back to its job ready for the interrupt on response. If the response times out then the server can resend with an updated ClientHello. On response, the device processes the handshake messages and responds closing the connection and the update can be discarded.

This is all very efficient in terms of processing and overall round-trip time. But, there are potential security issues including: replay attacks and no forward security.

An attacker can replay messages from a device. The server decrypts the early data using a key directly derived from the PSK and no other authentication is performed. Without the second flight from the client, the server would not recognize the copy is invalid. The recommended defense is single-use tickets. Each ticket contains a fresh PSK. This has the downside of requiring a shared database of tickets across servers. Alternatively, unique values from the ClientHello used with each PSK can be stored instead.

The attacker may also intercept the client’s first flight and spam the server with copies. If the early data contains “state modifying” data as in the example above, processing a copy would be disastrous. If the PSK is single-use, the client will get out of sync with the server and a full handshake will be required. The server may well interpret the attack as the client attempting to retry and therefore this must be handled at the application level.

When the PSK is reused for a number of messages, forward secrecy is lost. This means that if a device is compromised all messages encrypted using keys derived from the current PSK are exposed. The recommended defense is to use a short timeout with tickets to limit the period of vulnerability.

Using 0-RTT does require more careful architecture on the server side, the benefits at the client side are worth it.

The security of wolfSSL products is always on our mind and holds high importance.  Conducting regular, diligent, and well-planned testing helps maintain wolfSSL’s robustness and security.  We strive to write and maintain clean, readable, and understandable code.

Like the halting problem, we know it is impossible to test every single possible path through the software, but we practice an approach that is focused on lowering risk of failure. In addition to extensive automated testing, we make sure that we specifically test well-known use cases. This post outlines some of our internal testing process.

1. API Unit Testing:  We have unit tests in place that test API functions for correct behavior. This helps maintain library consistency across releases and as the code evolves.  It helps us to deliver a high quality well tested API to our end users with each software release.  API unit tests are run with each “make check” of wolfSSL.

2. Cipher Suite Testing: wolfSSL supports an extensive list of cipher suites, which are all tested with every “make check” using the wolfSSL example client and example server.  Each cipher suite is tested not only in the default configuration, but also in non-blocking mode and with client authentication both turned on/off.

3. Algorithm Testing: The security of our SSL/TLS implementation depends on the correctness and robustness of our underlying cryptography library, wolfCrypt.  We test all algorithms using NIST test vectors in addition to running our CAVP test harness used for our FIPS 140-2 validations.  We also test on both big and little endian platforms for portability.

4. Benchmark Testing: We engage in another ever expanding universe of benchmark testing, where we look at sizing, transmission rates, connection speeds, and cryptography performance.  A version of our benchmark suite is included in every download for users to enjoy!

5. Static Analysis: We do static analysis on our entire codebase using not only one, but multiple different static analysis tools.  We currently use Coverity Scan, clang scan-build, and Facebook infer.  These tools help us to automatically find bugs including ones on low-traffic code paths.

6. Detecting Memory Errors:  We mitigate memory errors by using valgrind on a regular and automated basis.  This helps find memory errors including invalid access, use of undefined values, incorrect freeing of dynamic memory, and memory leaks.

7. Interop Testing: We test for interoperability with other Open Source TLS implementations, including OpenSSL, BoringSSL, and GnuTLS.  This helps us to catch any protocol implementation errors in either wolfSSL or the implementation being tested against.  We also test outside of a closed environment by connecting to servers in the real world running unknown SSL/TLS implementations.

8. Real World Builds: We build with a series of ‘real’ applications, like cURL, wget, pppd, OpenSSH, stunnel, lighttpd, etc.  For some of our customers with top level support, we build new releases with their application.

9. Compiler Testing: We have users who compile wolfSSL with a variety of different compilers.  As such, we test compiling wolfSSL with many different compilers and toolchains including gcc/g++, clang, icc, Visual Studio, CodeWarrior, KDS, LPCXpresso, MPLAB XC, TI CCS, Keil, IAR, Cygwin, MinGW, CrossWorks, Arduino, Wind River Workbench, and more.

10. Peer Review: More eyes on a codebase reduces bugs that end up in a final product.  Internally, we operate using a “Fork and Pull Request” model.  This means that every commit that makes it into our master branch has been reviewed and tested by at least two separate engineers.

11. Third Party Testing: Our code is regularly reviewed by university researchers, customer and user security teams, FIPS and certification labs, and our Open Source user base.  This helps put more eyes on our code and product architecture.

12. Fuzz Testing: We test using several different software fuzzers, including an in-memory fuzzer, a network fuzzer, OSS-fuzz, libfuzzer, tlsfuzzer, and AFL.  Fuzz testing bombards the program with invalid, unexpected, and random data that then allows for observing if there is potential memory leaks or logic errors.  This allows us to catch bugs that could turn into potential vulnerabilities if released in a final release.

13. Continuous Integration (CI): Leveraging Jenkins, we run tests on each commit submitted to the wolfSSL code repository.  Tests run on each commit include testing of our FIPS build, numerous build options (customer/user/common), running valgrind, and doing static analysis with scan-build.

14. Nightly Test Cycle: Each night we run extended tests that last longer than the typical ones during the work day.  These are more in-depth than our CI testing and puts results in our engineers’ inboxes each morning.  Some tests included in our nightly cycle include extended build option testing on multiple platforms with multiple compilers, and extended fuzz testing.

If you have specific questions about how we test, please contact us at facts@wolfssl.com.  If you would like us to include your SSL/TLS or crypto implementation in our interop testing, please let us know!  Likewise, if you would like to include wolfSSL in your own test framework, we would be happy to discuss.

We would like to announce that the wolfSSL embedded SSL library now has support for hardware-based cryptography and random number generation offered by the STM32F7.  Supported cryptographic algorithms include AES (CBC, CTR), DES (ECB, CBC), 3DES, MD5, and SHA1.  For details regarding the STM32F7 crypto and hash processors, please see the STM32F7 Hardware Abstraction Layer (HAL) and Low-layer drivers document (linked below).

If you are using the STM32F7 with wolfSSL, you can see substantial speed improvements when using the hardware crypto versus using wolfSSL’s software crypto implementation.  The following benchmarks were gathered from the wolfCrypt benchmark application (wolfcrypt/benchmark/benchmark.c) running on the STM32F777NI board (STM32F7) using the STM32F7 HAL on bare metal (No OS).

wolfSSL Software Crypto, Normal Big Integer Math Library

RNG               3 MB took 1.000 seconds,    3.149 MB/s

AES-Enc           6 MB took 1.000 seconds,    6.494 MB/s

AES-Dec           7 MB took 1.000 seconds,    6.519 MB/s

AES-GCM-Enc       3 MB took 1.004 seconds,    2.553 MB/s

AES-GCM-Dec       3 MB took 1.004 seconds,    2.553 MB/s

AES-CTR           7 MB took 1.000 seconds,    6.543 MB/s

CHACHA           16 MB took 1.000 seconds,   15.723 MB/s

CHA-POLY         10 MB took 1.000 seconds,   10.474 MB/s

3DES              1 MB took 1.008 seconds,    1.405 MB/s

MD5              24 MB took 1.000 seconds,   24.243 MB/s

POLY1305         42 MB took 1.000 seconds,   41.821 MB/s

SHA              14 MB took 1.000 seconds,   14.380 MB/s

SHA-224           8 MB took 1.000 seconds,    8.423 MB/s

SHA-256           8 MB took 1.000 seconds,    8.423 MB/s

SHA-384           2 MB took 1.000 seconds,    2.319 MB/s

SHA-512           2 MB took 1.000 seconds,    2.319 MB/s

STM32F7 Hardware Crypto, Normal Big Integer Math Library

RNG              6 MB took 1.000 seconds,    6.030 MB/s

AES-Enc         30 MB took 1.000 seconds,   30.396 MB/s

AES-Dec         30 MB took 1.000 seconds,   30.371 MB/s

AES-GCM-Enc     42 MB took 1.000 seconds,   42.261 MB/s

AES-GCM-Dec     33 MB took 1.000 seconds,   32.861 MB/s

AES-CTR         48 MB took 1.000 seconds,   47.827 MB/s

CHACHA          16 MB took 1.000 seconds,   15.747 MB/s

CHA-POLY        11 MB took 1.000 seconds,   10.522 MB/s

3DES            13 MB took 1.000 seconds,   12.988 MB/s

MD5             41 MB took 1.000 seconds,   40.894 MB/s

POLY1305        42 MB took 1.000 seconds,   41.846 MB/s

SHA             38 MB took 1.004 seconds,   38.202 MB/s

SHA-224         41 MB took 1.000 seconds,   41.309 MB/s

SHA-256         39 MB took 1.000 seconds,   39.111 MB/s

SHA-384          2 MB took 1.004 seconds,    2.310 MB/s

SHA-512          2 MB took 1.004 seconds,    2.310 MB/s

 As the above benchmarks (and chart) show, the hardware-based algorithms on the STM32F7 demonstrate significantly faster speeds than that of their software counterparts.

To enable STM32F7 hardware crypto and RNG support, define WOLFSSL_STM32F7 when building wolfSSL.  For a more complete list of defines which may be required, please see the WOLFSSL_STM32F7 define in <wolfssl_root>/wolfssl/wolfcrypt/settings.h.  You can find the most recent version of wolfSSL on GitHub, here: https://github.com/wolfssl/wolfssl.

If you would like to use wolfSSL with STM32F7 hardware-based cryptography or RNG, or have any questions, please contact us at facts@wolfssl.com for more information.

wolfSSL embedded SSL library

STM32: http://www.st.com/internet/mcu/class/1734.jsp

STM32F7 HAL and Low-layer drivers documentation: http://www.st.com/content/ccc/resource/technical/document/user_manual/45/27/9c/32/76/57/48/b9/DM00189702.pdf/files/DM00189702.pdf/jcr:content/translations/en.DM00189702.pdf