RECENT BLOG NEWS

So, what’s new at wolfSSL? Take a look below to check out the most recent news, or sign up to receive weekly email notifications containing the latest news from wolfSSL. wolfSSL also has a support-specific blog page dedicated to answering some of the more commonly received support questions.

How to use the wolfSSL staticmemory feature

wolfSSL is an embedded cryptographic library that includes a TLS/DTLS implementation. For resource-constrained devices or safety-critical applications, dynamic memory allocation via malloc and free system calls may be unavailable. To address these scenarios, wolfSSL offers the –enable-staticmemory feature. This feature provides a robust and straightforward allocation mechanism as an alternative. It utilizes a pre-allocated buffer, segmenting it into sections that applications can acquire by calling XMALLOC and release back to the memory pool using XFREE.

To activate this feature, compile wolfSSL using ./configure –enable-staticmemory or, if utilizing a user_settings.h file, define WOLFSSL_STATIC_MEMORY. Subsequently, execute make. Following compilation, the application must invoke wc_LoadStaticMemory to designate the buffer for partitioning and utilization, and then transmit the resulting “heap hint” to all XMALLOC and XFREE calls. By default, XMALLOC and XFREE calls will revert to the system’s malloc and free if no “heap hint” is provided. To circumvent all system malloc and free calls, the macro WOLFSSL_NO_MALLOC can be defined. For instance, this can be achieved via ./configure –enable-staticmemory CPPFLAGS=-DWOLFSSL_NO_MALLOC.

An additional option available, introduced in wolfSSL version 5.7.0 and subsequent releases, is the utilization of a globally defined “heap hint.” This global heap hint is established by invoking the setter function void* wolfSSL_SetGlobalHeapHint(void* heap). Consequently, any invocation of XMALLOC or XFREE that receives a NULL pointer as the “heap hint” will default to employing the globally configured “heap hint” pointer.

Setting up the memory sizes to use for each of the sections can be a difficult problem. To help some with a base configuration of the memory sizes there is a relatively new memory “bucket” optimizer tool located in the wolfssl-examples repository. It takes in the logging output of memory allocation calls from an application and provides a suggested static memory configuration based on the results. It’s possible in some cases to get even more optimized with the configuration but this example application gives a very good starting point.

The following is an example output when providing the memory logs of testwolfcrypt to the optimizer:

Building wolfSSL and collecting memory usage logs

$ ./configure --enable-staticmemory CPPFLAGS="-DWOLFSSL_DEBUG_MEMORY -DWOLFSSL_DEBUG_MEMORY_PRINT" -q && make > /dev/null && ./wolfcrypt/test/testwolfcrypt &> testwolfcrypt.log

Running the optimizer application on the resulting memory usage log

$ make
gcc  -o memory_bucket_optimizer memory_bucket_optimizer.c -lwolfssl

$./memory_bucket_optimizer testwolfcrypt.log 
Found 24 unique allocation sizes
Peak heap usage: 60074 bytes (maximum concurrent memory usage)
Allocation Sizes, Frequencies, and Concurrent Usage:
Size    Count   Max Concurrent
----    -----   --------------
4208    1       1
3128    914     19
2112    85      1
1600    13      1
1120    13      1
1040    1       1
1024    4       2
800     37      1
257     65      2
256     9       1
235     7       1
227     5       1
223     5       1
207     5       1
191     5       1
136     5       1
128     8       1
104     5       1
72      5       1
64      6       1
48      5       1
32      2       1
28      1       1
0       0       0
Optimization Summary:
Padding size per bucket: 32 bytes
Maximum unique buckets allowed: 9
Total buckets created: 9
Note: Reached maximum bucket limit (9). Some allocations may use larger buckets.
Note: Allocations with waste < padding size use existing buckets to reduce overhead
Note: Bucket limit helps balance memory efficiency vs. management overhead
Optimized Bucket Sizes and Distribution:
Data Size + Padding = Bucket Size    Dist
----------------------------------------
272     + 32      = 304            2
800     + 32      = 832            1
1024    + 32      = 1056           2
1040    + 32      = 1072           1
1120    + 32      = 1152           1
1600    + 32      = 1632           1
2112    + 32      = 2144           1
3136    + 32      = 3168           19
4208    + 32      = 4240           1
WOLFMEM_BUCKETS and WOLFMEM_DIST Macros:
#define WOLFMEM_BUCKETS 304,832,1056,1072,1152,1632,2144,3168,4240
#define WOLFMEM_DIST 2,1,2,1,1,1,1,19,1
Memory Efficiency Analysis:
Note: Allocations with waste < 32 bytes (padding size) use existing buckets
Size    Count   Concurrent Bucket   Waste   Coverage
----    -----   ---------- ------   -----   --------
4208    1       1          4240    0       ?
3128    914     19         3168    8       ?
2112    85      1          2144    0       ?
1600    13      1          1632    0       ?
1120    13      1          1152    0       ?
1040    1       1          1072    0       ?
1024    4       2          1056    0       ?
800     37      1          832     0       ?
257     65      2          304     15      ?
256     9       1          304     16      ?
235     7       1          304     37      ?
227     5       1          304     45      ?
223     5       1          304     49      ?
207     5       1          304     65      ?
191     5       1          304     81      ?
136     5       1          304     136     ?
128     8       1          304     144     ?
104     5       1          304     168     ?
72      5       1          304     200     ?
64      6       1          304     208     ?
48      5       1          304     224     ?
32      2       1          304     240     ?
28      1       1          304     244     ?
0       0       0          304     272     ?
Efficiency Summary:
Total allocations: 1206
Allocations handled: 1206 (100.0%)
Total memory waste: 16654.00 bytes
Average waste per allocation: 13.81 bytes
Total bucket memory: 73984 bytes
Memory overhead: 1239 bytes
  - Padding per bucket: 32 bytes (included in bucket sizes)
  - Heap structures: 296 bytes
  - Alignment: 15 bytes
Total memory needed: 75223 bytes
Data memory: 3141010 bytes
Buffer Size Recommendations:
============================
Minimum buffer size needed: 75224 bytes
Usage in wolfSSL application:
============================
// Allocate buffer
byte staticBuffer[75224];
// Load static memory
WOLFSSL_HEAP_HINT* heapHint = NULL;
if (wc_LoadStaticMemory_ex(&heapHint, 9, bucket_sizes, bucket_dist,
    staticBuffer, 75224, 0, 0) != 0) {
    // Handle error
}
// Use in wolfSSL context
wolfSSL_CTX_load_static_memory(&method, NULL, staticBuffer,
    75224, 0, 1);

Additional documentation about the staticmemory feature can be found in the wolfSSL manual.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfPKCS11 v2.0.0 is Here!

We are thrilled to announce the release of wolfPKCS11 v2.0.0, a landmark update that solidifies its position as a top-tier, high-performance PKCS#11 provider. This release is the culmination of the work detailed in our previous blog posts, “Firefox Gets FIPS 140-3 Power” and “wolfPKCS11 Supercharged,” and it brings a new era of security, performance, and flexibility to the PKCS#11 ecosystem.

What’s New in v2.0.0?

This release is brimming with features that establish wolfPKCS11 as a comprehensive and robust backend for Mozilla’s Network Security Services (NSS). This enables any application that relies on NSS to be powered by our FIPS 140-3 validated wolfCrypt engine.
Here are some of the key highlights:

  • Full NSS Backend Support: With the addition of 50 new cryptographic mechanisms and a dozen new API functions, wolfPKCS11 now provides extensive support for NSS. This allows for a seamless “drop-in” replacement for the default NSS cryptographic module, offering a straightforward path to FIPS compliance for applications like Firefox, Thunderbird, and various Linux server products.
  • Modern and Secure Cryptography: We’ve integrated support for modern and provably secure signature schemes like RSA-PSS, which provide enhanced resilience against cryptographic attacks.
  • Advanced Cryptographic Operations: This release introduces a suite of powerful new functions for advanced cryptographic operations. These include comprehensive C_Digest functions for hashing, as well as multi-part signing and encryption with C_SignEncryptUpdate and decryption and verification with C_DecryptVerifyUpdate. We have also added C_SignRecoverInit and C_VerifyRecover for signature schemes with message recovery, providing more options for secure and efficient data handling.
  • Comprehensive Algorithm Support: This release includes a full suite of SHA-2 and SHA-3 hashing algorithms, alongside advanced AES capabilities like CKM_AES_KEY_WRAP_PAD for secure key management.

Enhanced Debugging for a Smoother Development Experience

We understand that a smooth development process is crucial. That’s why we’ve introduced new debugging features in this release. You can now enable debug logging for the API, giving you more visibility into the inner workings of the token and helping you troubleshoot issues more effectively.

Our Commitment to Quality and Reliability

This release is not just about adding new features; it’s also a testament to our unwavering commitment to quality and reliability.

You might be wondering about upgrading. Don’t worry! These new features maintain full backward compatibility. The PKCS#11 standard provides a stable API, and this release focuses on “filling in the gaps” by implementing more of the standard’s functions. To ensure a seamless transition for existing users, we also perform rigorous upgrade testing on the token storage, so you can update with confidence.

We’ve introduced a new –enable-nss compile-time option to streamline integration and have significantly improved our CI pipeline with extensive regression testing against the NSS suite, static analysis, and dynamic sanitizers to guarantee stability.
We have also included numerous fixes for TPM users and improved the handling of object attributes for greater security and reliability. These updates transform wolfPKCS11 into a fully-featured, highly reliable, and FIPS-capable PKCS#11 implementation.

Get Started Today!
The latest version of wolfPKCS11 is available now on the wolfSSL download page. We invite you to explore these powerful new features and discover how they can bring the industry-leading performance and certified security of wolfCrypt to the entire ecosystem of applications built on NSS.
For any technical questions, please reach out to us at support@wolfssl.com. For inquiries related to FIPS 140-3 validation, commercial licensing, or any other questions, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

Live Webinar: Securing the Edge AI with wolfSSL on the STM32N6

Unlock advanced security with the STM32N6 and wolfBoot for trusted Edge AI applications.

This webinar explores the security and performance advantages of the STM32N6 for Edge AI, with wolfBoot extending protection through a secure, authenticated boot process. You’ll gain practical insights into how the STM32N6’s unique architecture accelerates AI workloads while maintaining strong security—plus see how wolfBoot establishes a hardware root of trust to ensure that only verified code runs on the device.

Register Now: Securing the Edge AI with wolfSSL on the STM32N6
Date: October 1st | 9 AM PT

Built on the Arm® Cortex®-M55 with Helium™ vector processing, the STM32N6 is engineered for high-performance Edge AI. Its built-in Memory Cipher Engine (MCE) safeguards external flash access, giving developers a robust foundation for secure, efficient, and scalable AI-enabled applications.

wolfBoot, wolfSSL’s secure bootloader, strengthens this platform by ensuring firmware integrity and preventing tampered code from executing. It leverages hardware-assisted root of trust features such as measured boot and secure partitions to protect against attacks even when using external flash storage.

This webinar will cover:

  • Key features of the STM32N6 for Edge AI
  • Security standards update: FIPS 140-3, CNSA 2.0, and PQC
  • Best practices and secure boot with wolfBoot
  • Cryptographic acceleration and MCE flash protection
  • TLS 1.3 demo on STM32N6

Register Now!
As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

Secure Data Transfers on BSD Systems

Many developers working on FreeBSD, OpenBSD, and NetBSD may not realize that cURL can be integrated with wolfSSL for secure communications. This combination allows applications to use modern TLS protocols and FIPS 140-3 validated cryptography on BSD platforms.

Secure communication is critical in servers and embedded devices. Using wolfSSL with cURL ensures standards-compliant TLS connections while maintaining portability across BSD-based operating systems.

For projects with constrained environments, wolfSSL also provides tiny-curl, a lightweight cURL variant suitable for low-memory devices.

This setup demonstrates a practical, verified approach to secure networking on BSD systems, using tools that are widely adopted in the industry.

Learn more about wolfSSL solutions! If you have questions about any of the above, please contact us at facts@wolfssl.com or call +1 425 245 8247.

Download wolfSSL Now

The Radio Equipment Directive (RED) and Evolving Cybersecurity Requirements

The Radio Equipment Directive (RED) 2014/53/EU establishes the regulatory framework for placing radio equipment on the European market. Its goal is to create a unified market while ensuring essential requirements for safety, electromagnetic compatibility, efficient use of the radio spectrum, and more recently cybersecurity and data protection.

To strengthen protections, the European Commission activated Articles 3(3)(d), (e), and (f), which address cybersecurity, privacy, and fraud prevention for certain categories of connected devices. In addition, Articles 3(3)(i) and 4 focus on ensuring that radio equipment remains compliant and interoperable when software updates or modifications are introduced.

These developments overlap with the Cyber Resilience Act (CRA), which will shift some cybersecurity requirements away from RED. Still, RED remains critical, particularly for compliance related to software updates and radio equipment security.

wolfSSL and RED Compliance

  • Lightweight TLS/crypto for constrained devices
  • FIPS 140-3 validated wolfCrypt for compliance-focused markets
  • Support for modern protocols and algorithms, including Post-Quantum Cryptography
  • Open source allows third party audits

wolfSSL delivers the security foundation that helps manufacturers align with RED today, and adapt to future changes tomorrow.

If your team is navigating RED compliance or preparing for CRA, or have questions about any of the above, please contact us at facts@wolfssl.com or call +1 425 245 8247.

Download wolfSSL Now

Support for STM32U5 DHUK

In wolfCrypt and wolfPKCS11 we added support for using a Derived Hardware Unique Key (DHUK) for AES with the STM32U5.

This feature enables use of a device unique AES key (up to 256-bit) available for encryption/decryption. The key cannot be read from the hardware, which makes it great to wrap other symmetric keys for storage and greatly improves security.

In wolfPKCS11 a nice example was added showing how the DHUK can be used to wrap an AES key and then make use of that wrapped key for encryption and decryption. Both wrapping with AES-ECB and AES-CBC modes are supported.

Check out the wolfPKCS11 Example and wolfCrypt Feature PR.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

New CMS/PKCS#7 decode APIs for SymmetricKeyPackage, OneSymmetricKey, and EncryptedKeyPackage

Recent commits to wolfSSL have enabled support to decode new CMS/PKCS#7 message types.

The CMS message type EncryptedKeyPackage (defined in RFC 6032) can be decoded with the new API wc_PKCS7_DecodeEncryptedKeyPackage().

The CMS message types SymmetricKeyPackage and OneSymmetricKey (defined in RFC 6031) can be decoded with the new APIs

wc_PKCS7_DecodeSymmetricKeyPackageAttribute(),
wc_PKCS7_DecodeSymmetricKeyPackageKey(),
wc_PKCS7_DecodeOneSymmetricKeyAttribute(), and
wc_PKCS7_DecodeOneSymmetricKeyKey().

If you have questions about any of the above, please contact us at facts@wolfssl.com or call +1 425 245 8247.

Download wolfSSL Now

Live Webinar: Achieving Avionics Security with DO-178C-Certified Cryptography

Enhancing Avionics Security with DO-178C-Certified Solutions

Join us on September 24 at 9 AM PT to learn how wolfSSL strengthens avionics security in safety-critical systems while meeting DO-178C DAL A certification requirements. The webinar will highlight practical strategies for secure embedded systems and how certified products are applied in real-world avionics.

Register Now: Achieving Avionics Security with DO-178C-Certified Cryptography
Date: Septemer 24 | 9 AM PT

wolfSSL provides DO-178C-certified solutions, including wolfSSL and wolfBoot, designed for aerospace applications. These products combine flexibility and advanced cryptography, including crypto agility, post-quantum readiness, and software-based cryptography to provide a secure alternative to traditional hardware-only approaches.

This webinar will cover:

  • Introduction to wolfSSL: Overview of our secure embedded software solutions for aerospace
  • DO-178C Certification Basics: Key requirements and compliance strategies
  • Certified Products: wolfSSL and wolfBoot for safety-critical applications
  • Customer Use Case: Implementing secure boot in real-world avionics systems

Register now to gain actionable insights for building secure, compliant, and future-ready avionics systems.

As always, our webinar will include Q&A throughout. If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

Relaxing CMS/PKCS#7 decode support requirements

Previous wolfSSL versions required X.963 KDF support and AES keywrap functionality to be enabled in order to build CMS/PKCS#7 decode support.

Recent changes to wolfSSL have allowed CMS/PKCS#7 decode support to be built without either of these requirements.

Previously, if the user desired to have the HAVE_PKCS7 build option defined, then the HAVE_X963_KDF and HAVE_AES_KEYWRAP build options were also required. Now, the HAVE_X963_KDF and HAVE_AES_KEYWRAP build options are optional and wolfSSL can be built with HAVE_PKCS7 enabled and either or neither of these build options enabled.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfCrypt MISRA improvements

Some recent pull requests have been merged to the wolfssl repository to allow wolfcrypt to avoid MISRA warnings for certain MISRA 2023 rules.

For example, MISRA rule 3.1 disallows nested comment leaders (e.g. a “//” sequence within a “/* … */” comment block). These have been removed. Also, MISRA rule 8.2 requires function prototypes to include named parameters, so a few instances of prototypes without named parameters have been resolved.

These are initial steps in bringing wolfssl and wolfcrypt into better compliance with the MISRA coding standards.

If you have questions about any of the above, please contact us at facts@wolfssl.com or call +1 425 245 8247.

Download wolfSSL Now

Posts navigation

1 2 3 4 5 6 7 213 214 215

Weekly updates

Archives