RECENT BLOG NEWS

So, what’s new at wolfSSL? Take a look below to check out the most recent news, or sign up to receive weekly email notifications containing the latest news from wolfSSL. wolfSSL also has a support-specific blog page dedicated to answering some of the more commonly received support questions.

Vulnerability Disclosure: wolfSSH (CVE-2024-2873)

Affected Users:

Anyone using wolfSSH server versions prior to release v1.4.17.

Summary:

A malicious client can bypass user authentication when connecting to a wolfSSH server. The server did not check the connection's state rigorously enough when handling channel open messages: a channel open request sent before user authentication had completed was processed instead of being rejected.

wolfSSH’s example echoserver and the wolfSSHd server will not give an attacker a shell as root or any other user. When user authentication is skipped, the user’s login name is never set, and the server errors out because it cannot find the user’s home directory. By that point the server has allocated some memory for a channel, but it releases it immediately.

Because of the way the wolfSSH server handles incoming connections, port forwarding requires an active shell session. If user authentication is skipped, the server terminates the connection with an error before any forwarding can be set up.

The message-processing flaw is in the library. The application built on the library is responsible for checking that a username has been set and that the credentials were verified; an application that grants access to the system without performing those checks would be exposed by this bug.

Recommendation:

Update promptly to wolfSSH v1.4.17. This version rejects channel messages that arrive before user authentication has completed and rejects user authentication messages that arrive after authentication is complete.
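The bug class behind this advisory is an SSH server dispatching on the message number alone, without asking whether that message is legitimate in the connection's current state. The following is an added example, not wolfSSH code: a toy server in Python that can run either way. The message numbers are the real ones from RFC 4253, RFC 4252 and RFC 4254; the server class, state names, handlers and credential table are constructed for the demonstration. It also shows the application-side check the post asks for, refusing to act when no username was ever set.

```python
"""Toy SSH server packet dispatcher modelling CVE-2024-2873.

Added example, not wolfSSH code. The message numbers are the real ones from
RFC 4253, RFC 4252 and RFC 4254; the server class, state names, handlers and
the credential table are constructed for this demonstration.
"""
from enum import Enum, auto

SSH_MSG_SERVICE_REQUEST = 5    # RFC 4253 transport layer
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252 authentication protocol
SSH_MSG_CHANNEL_OPEN = 90      # RFC 4254 connection protocol
SSH_MSG_CHANNEL_REQUEST = 98


class State(Enum):
    KEX = auto()        # initial key exchange not finished
    AUTH = auto()       # transport keys in place, no user authenticated yet
    CONNECTED = auto()  # userauth succeeded; connection-layer messages allowed


# Constructed sequencing policy: which message numbers a server may accept in
# each state. KEXINIT/NEWKEYS stay allowed everywhere because either side may
# start a re-key at any time (RFC 4253 section 9).
ALLOWED = {
    State.KEX: {SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS},
    State.AUTH: {SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS,
                 SSH_MSG_SERVICE_REQUEST, SSH_MSG_USERAUTH_REQUEST},
    State.CONNECTED: {SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS,
                      SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST},
}


class SshServer:
    """strict=False dispatches on the message number alone (the pre-1.4.17
    behaviour); strict=True checks the connection state first."""

    def __init__(self, strict, users):
        self.strict = strict
        self.users = users          # constructed {username: password} table
        self.state = State.KEX
        self.username = None
        self.channels = []

    def handle(self, msg_type, payload=None):
        if self.strict and msg_type not in ALLOWED[self.state]:
            return "rejected: message %d out of sequence in state %s" % (
                msg_type, self.state.name)
        handler = {
            SSH_MSG_KEXINIT: self._kexinit,
            SSH_MSG_NEWKEYS: self._newkeys,
            SSH_MSG_SERVICE_REQUEST: self._service_request,
            SSH_MSG_USERAUTH_REQUEST: self._userauth,
            SSH_MSG_CHANNEL_OPEN: self._channel_open,
        }.get(msg_type)
        if handler is None:
            return "rejected: unsupported message %d" % msg_type
        return handler(payload or {})

    def _kexinit(self, _):
        return "kex started"

    def _newkeys(self, _):
        # After the initial exchange the client still has to authenticate;
        # after a re-key an already authenticated user stays authenticated.
        self.state = State.CONNECTED if self.username else State.AUTH
        return "new keys in use"

    def _service_request(self, _):
        return "service accepted"

    def _userauth(self, payload):
        if self.users.get(payload.get("username")) == payload.get("password"):
            self.username = payload["username"]
            self.state = State.CONNECTED
            return "auth success"
        return "auth failure"

    def _channel_open(self, payload):
        # The lax server reaches this with self.username still None: the
        # channel is allocated for nobody.
        self.channels.append({"type": payload.get("type"), "user": self.username})
        return "channel %d opened" % (len(self.channels) - 1)

    def start_shell(self, channel_id):
        """Application-side check: never act for an unset user. Mirrors
        wolfSSHd failing to find a home directory and releasing the channel."""
        if self.username is None:
            self.channels.pop(channel_id)
            return "error: no authenticated user, closing connection"
        return "shell for %s on channel %d" % (self.username, channel_id)


def bypass_attempt(strict):
    """Malicious client: finish KEX, skip USERAUTH, go straight to CHANNEL_OPEN."""
    srv = SshServer(strict, users={"alice": "correct horse"})
    srv.handle(SSH_MSG_KEXINIT)
    srv.handle(SSH_MSG_NEWKEYS)
    return srv, srv.handle(SSH_MSG_CHANNEL_OPEN, {"type": "session"})


if __name__ == "__main__":
    for strict in (False, True):
        srv, outcome = bypass_attempt(strict)
        print("strict=%s: %s; channels=%d" % (strict, outcome, len(srv.channels)))
```

With `strict=False` the channel is opened for a `None` user and only the application-level `start_shell` check stops the attacker; with `strict=True` the CHANNEL_OPEN is refused in the AUTH state, and a second USERAUTH_REQUEST after a successful login is refused as well, which is the second half of the v1.4.17 fix. The sequencing table is the piece a library must own; the username check is defence in depth for the application.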

Additional Details:

The patch fixing this issue can be viewed at the links:

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfSSH, SHA-1, and Configuration

wolfSSH is following the common industry practice of removing SHA-1 from the default configuration. SHA-1 has been considered broken for some time and should not be used for security purposes. [RFC 8332](https://datatracker.ietf.org/doc/html/rfc8332) recognizes this for the SSH protocol and defines the rsa-sha2-256 and rsa-sha2-512 algorithms for signing authentication messages with RSA keys, replacing the SHA-1 based "ssh-rsa".

In the wolfSSH v1.4.15 release we were heavy-handed about disabling SHA-1: we removed it from the build entirely with a preprocessor flag. There was an option to add it back in, but how to use it wasn’t clear. This was a mistake.

For wolfSSH v1.4.17 we restored SHA-1 to the library, but it is “soft-disabled”: it is compiled in but not offered in the default list of algorithms during key exchange. At runtime one may add the “ssh-rsa” signature algorithm back as an available algorithm, along with the Diffie-Hellman key exchange methods that use SHA-1. Note that “ssh-rsa” here names the RSA-with-SHA-1 signature algorithm, not RSA keys in general; RSA host and user keys keep working through rsa-sha2-256 and rsa-sha2-512 with the default lists. To support this, there is now a set of functions to set the algorithm lists used during key exchange and to query which algorithms are enabled in the build. Please see section 13 of the wolfSSH manual, Key Exchange Algorithm Configuration, for more information.
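What "soft-disabled" means in practice is decided by the RFC 4253 negotiation rule: the server can only refuse an algorithm by not listing it, and among the algorithms it does list, the client's order of preference wins. The following is an added example, not wolfSSH code and not its API: a Python model of the default offer, the runtime opt-in, and the negotiation outcome for a legacy and a modern client. The algorithm names are real SSH identifiers; the compiled-in lists, the `KexConfig` class and its methods are constructed for this demonstration.

```python
"""SSH algorithm negotiation (RFC 4253 section 7.1) with SHA-1 methods
compiled in but "soft-disabled".

Added example, not wolfSSH code. The algorithm names are real SSH identifiers;
the compiled-in lists, the KexConfig class and its methods are constructed to
mirror the behaviour described in the post, not wolfSSH's actual API.
"""

# Constructed: what this example build compiles in. The SHA-1 based entries
# are available but will not be offered unless the application asks for them.
COMPILED_IN_KEX = ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256",
                   "diffie-hellman-group14-sha1"]
COMPILED_IN_KEY = ["rsa-sha2-256", "rsa-sha2-512", "ecdsa-sha2-nistp256",
                   "ssh-rsa"]
SHA1_BASED = {"ssh-rsa", "diffie-hellman-group14-sha1",
              "diffie-hellman-group1-sha1"}


def default_offer(compiled_in):
    """Soft-disable: the default offer is everything compiled in minus SHA-1."""
    return [name for name in compiled_in if name not in SHA1_BASED]


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the chosen algorithm is the first name on the
    client's list that the server also supports; None means the connection
    fails with no common algorithm."""
    supported = set(server_list)
    for name in client_list:
        if name in supported:
            return name
    return None


def parse_name_list(wire):
    """Decode a comma-separated SSH name-list (RFC 4251 section 5)."""
    text = wire.decode("ascii")
    names = text.split(",") if text else []
    if any(not n or " " in n for n in names):
        raise ValueError("malformed name-list: %r" % wire)
    return names


class KexConfig:
    """Holds the lists a server offers in its KEXINIT and lets the application
    change them at runtime, but only to algorithms present in the build."""

    def __init__(self, compiled_kex, compiled_key):
        self.compiled_kex = list(compiled_kex)
        self.compiled_key = list(compiled_key)
        self.kex = default_offer(compiled_kex)
        self.key = default_offer(compiled_key)

    def is_enabled(self, name):
        """Query whether an algorithm is compiled into this build at all."""
        return name in self.compiled_kex or name in self.compiled_key

    def set_key_list(self, names):
        self._check(names, self.compiled_key)
        self.key = list(names)

    def set_kex_list(self, names):
        self._check(names, self.compiled_kex)
        self.kex = list(names)

    @staticmethod
    def _check(names, compiled):
        unknown = [n for n in names if n not in compiled]
        if unknown:
            raise ValueError("not compiled into this build: %s" % ",".join(unknown))


if __name__ == "__main__":
    cfg = KexConfig(COMPILED_IN_KEX, COMPILED_IN_KEY)
    legacy = parse_name_list(b"ssh-rsa")                 # constructed legacy client
    modern = parse_name_list(b"rsa-sha2-256,ssh-rsa")    # constructed modern client
    print("default offer:", cfg.key)
    print("legacy client:", negotiate(legacy, cfg.key))  # None: no common algorithm
    cfg.set_key_list(cfg.key + ["ssh-rsa"])              # opt back in, listed last
    print("legacy client after opt-in:", negotiate(legacy, cfg.key))
    print("modern client after opt-in:", negotiate(modern, cfg.key))
```

Two things worth noticing: appending "ssh-rsa" at the end of the server's list does not downgrade a modern client, because that client lists rsa-sha2-256 first and the client's order governs; but a client that lists "ssh-rsa" first will get it, so the only way to guarantee SHA-1 is never used is to leave it out of the offer, which is exactly what the default does.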

wolfSSH v1.4.17 Improvements and Fixes

This most recent release introduces several useful improvements to wolfSSH.

We have made building wolfSSH for various systems better and easier, with changes to the configuration scripts and code adjustments for assorted compiler quirks. The Nucleus, QNX, Windows, and ESP32 builds have all improved, and we fixed an issue with the Zephyr file system involving redundant file mode bits.

We’ve improved testing of wolfSSH. There are new scripts that exercise details of the wolfSSHd server, and the Zephyr SFTP test now transfers a different file, one that is present in every test environment.

Terminal support with shells is improved. The terminal size bounds were not being set correctly in all builds; that is now fixed. The shell environment now sets up things like the `$SHELL` variable and the `$0` value as expected. We fixed a potential memory leak when receiving the terminal modes from the peer. Windows shells have their own quirks, and the Windows build now handles them better.

wolfSSH has been able to run commands and scripts over a connection for a while. wolfSSHd’s handling of this has been improved and makes better use of the I/O pipes, and the return code from the script or command is now captured and returned to the peer as expected.

A bug in RSA signature verification went unnoticed while SHA-1 was disabled: with SHA-1 off, the test suite switched to ECDSA authentication and stopped exercising the RSA path. That bug is now fixed.

Finally, we try to keep wolfSSH tunable for size: if you don’t want a feature, you can leave it out of a build, which matters for embedded targets with tight code and memory budgets. A few of the preprocessor guard checks were incorrect and have been fixed.

In all, we think this makes wolfSSH a better product. If you have any questions or are wondering about wolfSSH on other platforms, please email support@wolfSSL.com. Thank you!

Join wolfSSL for Cybersecurity Innovations at AMD AC Summits in North America

We are thrilled to announce that wolfSSL will be participating in all the upcoming AMD AC Summits across North America, kicking off in Boston, MA on May 7th and concluding in Dallas, TX on May 21st. As a leading provider of lightweight, portable, embedded SSL/TLS software, we’re excited to be part of the AMD AC Summits to explore the latest advancements and opportunities in the industry.

Event Details

  • Boston, MA | May 7th
  • Washington D.C., MD | May 9th
  • Los Angeles, CA | May 14th
  • San Jose, CA | May 16th
  • Dallas, TX | May 21st

Why wolfSSL?

wolfSSL brings cutting-edge solutions to the table, including support for UltraScale+, MicroBlaze, AMD Zen, and x86 processors, tested and benchmarked on boards such as Versal, the ZCU102, and the Zynq series.

  • wolfSSL: Our lightweight and portable SSL/TLS library, written in C, is powered by the wolfCrypt library, currently on the CMVP Modules in Process List for FIPS 140-3. wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.3 protocol levels.
  • wolfBoot: Our secure bootloader is portable, OS-agnostic, and built for 32-bit microcontrollers and IoT devices. It prevents malicious or unauthorized firmware from being loaded on the target. Our implementation leverages wolfSSL’s wolfCrypt module for signature verification of the firmware, with support for DO-178 and MISRA compliance.
  • Hardware Platform Support: Our solutions are tested and optimized for a wide range of hardware platforms, including UltraScale+ and Versal. Plus, our architecture is designed for easy portability to new hardware, ensuring seamless integration with your next-generation devices.
  • Post-Quantum Support: Our own implementation of ML-KEM, NIST’s standardization of Kyber, is integrated with wolfSSL. We are in the advanced stages of planning further integrations with wolfBoot and curl to extend our cryptographic capabilities. Our goal is to help you meet the CNSA 2.0 requirements, ensuring robust cryptographic protection for your systems.

Let’s Connect:

Register today to secure your spot at the AMD AC Summit and connect with wolfSSL. Join us to explore solutions to enhance your cybersecurity systems.

If you have questions about any of the above, or would like to schedule a meeting with us, please reach out to facts@wolfSSL.com or call us at +1 425 245 8247.

Join Our Webinar: Everything You Need to Know about FIPS 140-3 in 2024

Join us on May 9th at 10am PT for a webinar hosted by Kaleb Himes, Senior Software Engineer at wolfSSL, exploring the critical aspects of FIPS 140-3. This webinar will take a deep dive into the fundamentals, the benefits of wolfCrypt FIPS, and the essentials of FIPS certification.

Watch the webinar here: Everything You Need to Know about FIPS 140-3

During this detailed session, you will gain insights into:

  • The benefits of FIPS 140-3 for securing cryptographic modules
  • Detailed FIPS certification and compliance procedures
  • Understanding the significance of an Operational Environment (OE)
  • Exploring how wolfCrypt FIPS can be integrated as kernel modules
  • Utilizing wolfEngine and wolfProvider to meet OpenSSL FIPS 140-3 requirements
  • Latest updates on the status of wolfCrypt FIPS 140-3

Watch now to ensure you don’t miss out on this valuable opportunity to deepen your understanding of FIPS 140-3 and its certification process. Learn how wolfCrypt FIPS can streamline your FIPS compliance needs.

As always, our webinar will include a live Q&A session. If you have any questions about wolfCrypt FIPS, FIPS 140-3 certification, or any related topics, please feel free to contact us at facts@wolfssl.com or call us at +1 425 245 8247.

PQC support for the Zephyr port

Post-quantum cryptography (PQC) support for the Zephyr port was introduced in the last wolfSSL release, using liboqs. This involved adding the necessary files to the CMakeLists.txt for the Zephyr module. Zephyr is an open-source real-time operating system (RTOS) designed for resource-constrained devices and embedded systems; it is maintained by the Linux Foundation and supported by a vibrant community of developers and contributors.

PR #7026 (https://github.com/wolfSSL/wolfssl/pull/7026) also routes liboqs’s random number generation through wolfSSL’s RNG. Previously, liboqs obtained random data from various sources depending on its build configuration. With the change, a custom RNG method is registered through liboqs’s OQS_randombytes_custom_algorithm() interface, so all generic liboqs randomness requests are served by wolfSSL’s RNG and a single, vetted DRBG backs both the classical and the post-quantum code paths.

Join Us in Stockholm for curl-up 2024

Exciting news from cURL! We’re thrilled to announce that in just 2 days the much-anticipated curl-up 2024 event will kick off in Stockholm, Sweden, running from May 4th to the 5th. This event is a key gathering for software developers, open-source enthusiasts, and network professionals who use or contribute to cURL.

We’re inviting all cURL contributors, maintainers, and fans to join us. This is a perfect opportunity for you to engage directly with Daniel Stenberg, the founder and maintainer of cURL, as well as network with other speakers and industry experts in software development and open-source technology.

Date: May 4th to the 5th

Location: Best Western, Döbelnsgatan 17, 111 40 Stockholm, Sweden

Stay updated on event details, including the venue and agenda, on our dedicated web page, curl-up 2024.

We are excited to support our top-100 contributors with traveling and lodging expenses. Please consult the funding attendance section on our website to view the regulations and eligibility requirements.

Registration is mandatory. Register now to secure your space! Let’s make curl-up 2024 an unforgettable weekend. We can’t wait to see you there!

For any inquiries regarding the event, please don’t hesitate to contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

wolfSSL on Microblaze

MicroBlaze, developed by Xilinx, is a soft processor core optimized for Xilinx FPGAs. It offers flexibility and scalability, making it suitable for a wide range of applications, including embedded systems and IoT devices. wolfSSL’s AES-GCM has been integrated with and run on a MicroBlaze soft CPU, and the latest wolfSSL release adds further enhancements to that integration. On a MicroBlaze, wolfSSL’s AES-GCM strengthens the security capabilities of FPGA-based systems, letting developers implement secure communication protocols and data encryption. wolfSSL can also be configured to use Xilinx’s xilsecure library while running on the MicroBlaze, which increases AES-GCM performance significantly.

RSA-PSS with CRL’s

Did you know wolfSSL supports RSA-PSS signatures on Certificate Revocation Lists (CRLs)?

RSA-PSS: Enhancing Security Layers

RSA-PSS (RSA Probabilistic Signature Scheme, RFC 8017) is the modern RSA signature scheme. Unlike the older PKCS#1 v1.5 signature padding, RSA-PSS mixes a random salt into every signature and comes with a security proof, which is why current standards prefer it. By adopting RSA-PSS, wolfSSL users get stronger guarantees on the integrity of signed data.

Certificate Revocation List (CRL): Managing Certificate Integrity

In certificate management, the CRL is the mechanism by which a CA publishes the revocation status of the certificates it has issued. With CRL checking, a system can promptly identify and reject compromised or revoked certificates. wolfSSL’s CRL support gives users that capability; and since a CRL is itself a signed object, the signature algorithm used on it matters as much as the one on a certificate.

Empowering wolfSSL with RSA-PSS and CRL Integration

Supporting RSA-PSS signatures on CRLs is a logical step: a CA that signs its certificates with RSA-PSS will generally sign its CRLs the same way, and a verifier that only understood PKCS#1 v1.5 signed CRLs could not check them. With this integration, wolfSSL users can combine RSA-PSS signatures with CRL-based revocation checking. For RSA-PSS the CRL’s signature AlgorithmIdentifier carries the PSS parameters (hash, mask generation function, and salt length, as specified in RFC 4055), and a verifier must honour those parameters rather than assume defaults.

To delve deeper into the RSA-PSS with CRL integration in wolfSSL, visit our GitHub repository (https://github.com/wolfSSL/wolfssl/pull/7119) or reach out to facts@wolfSSL.com for assistance.
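The "probabilistic" in RSA-PSS comes from the EMSA-PSS message encoding of RFC 8017 section 9.1, which a CRL signer applies to the DER encoding of the CRL's tbsCertList before the RSA private-key operation, and which the verifier checks after the public-key operation. The following is an added example, not wolfSSL code: a Python implementation of EMSA-PSS encoding and verification with SHA-256 and MGF1. The modulus size, hash function and salt length are constructed parameters, and the RSA modular exponentiation step is left out so the example runs without a key.

```python
"""EMSA-PSS encoding and verification (RFC 8017 section 9.1), the message
encoding half of RSASSA-PSS.

Added example, not wolfSSL code. The modulus size, hash function and salt
length are constructed parameters; the RSA modular exponentiation step that
would wrap this encoding is left out so the example runs without a key.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
H_LEN = HASH().digest_size
S_LEN = H_LEN                      # salt length equal to the hash length, the usual choice
MOD_BITS = 2048                    # constructed RSA key size
EM_BITS = MOD_BITS - 1             # RFC 8017 section 8.1.1: emBits = modBits - 1
EM_LEN = (EM_BITS + 7) // 8
TOP_MASK = 0xFF >> (8 * EM_LEN - EM_BITS)   # zeroes the leftmost 8*emLen - emBits bits


def mgf1(seed, mask_len):
    """MGF1 (RFC 8017 appendix B.2.1) built on HASH."""
    blocks = (mask_len + H_LEN - 1) // H_LEN
    out = b"".join(HASH(seed + counter.to_bytes(4, "big")).digest()
                   for counter in range(blocks))
    return out[:mask_len]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def emsa_pss_encode(message, salt=None):
    """Return the encoded message EM. A fresh random salt on every call is what
    makes the scheme probabilistic: the same message never encodes the same
    way twice. A fixed salt may be passed for testing."""
    if EM_LEN < H_LEN + S_LEN + 2:
        raise ValueError("encoding error")
    m_hash = HASH(message).digest()
    if salt is None:
        salt = os.urandom(S_LEN)
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()          # H = Hash(M')
    ps = b"\x00" * (EM_LEN - S_LEN - H_LEN - 2)
    db = ps + b"\x01" + salt
    masked_db = xor_bytes(db, mgf1(h, EM_LEN - H_LEN - 1))
    masked_db = bytes([masked_db[0] & TOP_MASK]) + masked_db[1:]
    return masked_db + h + b"\xbc"


def emsa_pss_verify(message, em):
    """Return True if EM is a consistent PSS encoding of message."""
    if len(em) != EM_LEN or EM_LEN < H_LEN + S_LEN + 2 or em[-1] != 0xBC:
        return False
    m_hash = HASH(message).digest()
    masked_db = em[:EM_LEN - H_LEN - 1]
    h = em[EM_LEN - H_LEN - 1:EM_LEN - 1]
    if masked_db[0] & (~TOP_MASK & 0xFF):
        return False                                          # high bits must be zero
    db = xor_bytes(masked_db, mgf1(h, EM_LEN - H_LEN - 1))
    db = bytes([db[0] & TOP_MASK]) + db[1:]
    ps_len = EM_LEN - H_LEN - S_LEN - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    salt = db[len(db) - S_LEN:]                               # recover the signer's salt
    h_prime = HASH(b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_prime)


if __name__ == "__main__":
    tbs = b"constructed stand-in for the DER of a CRL's tbsCertList"
    em1, em2 = emsa_pss_encode(tbs), emsa_pss_encode(tbs)
    print("encodings differ:", em1 != em2)
    print("both verify:", emsa_pss_verify(tbs, em1) and emsa_pss_verify(tbs, em2))
    print("tampered message verifies:", emsa_pss_verify(tbs + b"!", em1))
```

The verifier never needs the salt in advance: it is recovered from the unmasked DB, which is why the salt length still has to be agreed through the AlgorithmIdentifier parameters. In a full RSASSA-PSS signature the signer computes `RSASP1(EM)` and the verifier applies `RSAVP1` and passes the result to `emsa_pss_verify`.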

Thank you for entrusting wolfSSL as your ally in cybersecurity.

Removal of user RSA

In the last release of wolfSSL there was some house cleaning of older RSA implementations. The user RSA layer was removed, along with the hooks used for tying in Intel IPP. When those were first introduced we had yet to implement the SP (single precision) math versions of RSA. Fast forward to today, and wolfSSL’s own RSA implementation is faster. With IPP v0.9 the library performed 990.09 RSA 2048-bit sign operations per second; wolfSSL 5.7.0 performs 1,015.23 per second. Verify operations now take about the same time with both libraries, at 35,714 operations per second on average. These measurements were collected on an older Intel(R) Core(TM) i7-4870HQ CPU.

Along with a performant RSA implementation, wolfSSL now offers crypto callbacks for anyone who wants to plug in custom RSA operations. With those in place, the --enable-fastrsa option, the user RSA layer, and the IPP hooks were dropped to lower maintenance and reduce bundle size.