RECENT BLOG NEWS
Or sign up to receive weekly email notifications containing the latest news from wolfSSL.
In addition, wolfSSL now has a support-specific blog page dedicated to answering some of the more commonly received support questions.
One of our favorite tools at yaSSL is valgrind: http://valgrind.org . Originally a memory error detector, it`s now an instrumentation framework for dynamic analysis that also does thread error detection, cache and branch-prediction profiling, and heap profiling. If you`ve never used it, you should. If you are using it, you should probably be using it more.
We recently added an –enable-valgrind option to the wolfSSL lightweight SSL library to encourage us to use it more ourselves. If valgrind is installed on your system all of the wolfSSL tests will be run under it. This allows early detection of difficult to track down errors. The detailed output makes tracking down and fixing errors a relatively simple process.
One of our community members recently ported CTaoCrypt’s RSA and ECC code to the TinOS operating system in a project called TinyPKC (http://www-db.in.tum.de/~kothmayr/tinypkc/). TinyPKC was tested on 16-bit and 32-bit microcontroller platforms and should run on 8-bit platforms as well. It supports ECC key lengths from 112 bits to 521 bits and arbitrary RSA key lengths.
TinyPKC uses a subset of the CTaoCrypt functionality and provides support for the following operations:
– RSA public key encryption / private key decryption
– RSA private key signature generation / public key signature verification
– ECDSA signature generation and verification
– ECDH operations
For more information, please see the TinyPKC website and the included README in the download. Are you interested in running the wolfSSL embedded SSL library on TinyOS? If so, contact us at email@example.com.
yaSSL believes that business and technology partnerships are one of the keys to fostering success. Such partnerships can come in many forms – be that business, technical, or community based, and work for both open source or commercial solutions. To date, we have partnered with several companies, and are always looking for new partnerships. To see a list of our current partners, please visit our Partner Page (http://yassl.com/yaSSL/Partners.html).
Are you interested in becoming a partner with yaSSL? If so, contact us at firstname.lastname@example.org for more information.
Hi! This top ten list crossed our desk today and we thought it was worthwhile to share with our users. Combating MITM attacks and properly implementing SSL/TLS are on the list again this year.
wolfSSL provides a mechanism to plug in your own application specific I/O routines. By default, the library uses functions that call the system’s recv() and send() functions with a file descriptor cached with the function wolfSSL_set_fd().
The prototypes for the I/O routines are:
int CBIORecv(CYASSL* ssl, char* buf, int sz, void* ctx);
int CBIOSend(CYASSL* ssl, char* buf, int sz, void* ctx);
In the default case, the network socket’s file descriptor is passed to the I/O routine in the ctx parameter. The ssl parameter is a pointer to the current session. In the receive case, buf points to the buffer where incoming cipher text should be copied for wolfSSL to decrypt and sz is the size of the buffer. In the send case, buf points to the buffer where wolfSSL has written cipher text to be sent and sz is the size of that buffer.
First you need to register your I/O callbacks with the CYASSL_CTX for your application using the functions wolfSSL_SetIORecv() and wolfSSL_SetIOSend().
As an example, for your application you want to control the socket for your own purposes. An example would be to have a server with a datagram socket which receives data from multiple clients or processes TLS through STDIN and STDOUT. In this case you would have four buffers:
cipher-receive encrypted data received from peer
cipher-send encrypted data to send to peer
clear-receive clear data received from wolfSSL
clear-send clear data passed to wolfSSL
Pointers to these buffers, values for their sizes, and read and write positions should be placed into a structure. This structure should be saved to the wolfSSL session with the functions wolfSSL_SetIOReadCtx() and wolfSSL_SetIOWriteCtx().
The application receives a block of cipher text into the buffer cipher-receive. Next the application would call wolfSSL_read(ssl, buffer_data->clear_receive), causing wolfSSL to call myCBIORecv(). myCBIORecv() will be given a buffer, the size of the buffer, and the ctx, which has the cipher-receive buffer. The callback may be called many times for one call to wolfSSL_read(). If the cipher-receive buffer is empty, the callback should return -2, otherwise it should return the number of bytes copied into buf.
When the library wants to send data, like during handshaking or when wolfSSL_send() is called with some clear text, the library will call myCBIOSend(). The callback is given a buffer full of encrypted data, and the length of the encrypted data. In this example, the callback would copy this cipher text into cipher-send and return the number of bytes copied. If the cipher-send buffer isn’t big enough, the callback should return -2.
Choosing a good hash function for a hash table is difficult to say the least. Even if you can achieve good distribution and performance for a given hash function it`s still most likely dependent on table size and the type of input. Resizing the table or getting unexpected input can quickly turn an otherwise good choice into a bad one. Using a cryptographic hash function reduces nearly all of the problems. Any and all table sizes are now equally supported. Strings, numbers, and even binary data are all valid input. And since a change in a single bit of input has an avalanche effect on the output, uniform distribution is achieved. Really, the only possible negative is performance. But it`s not nearly as bad as you probably think.
We tested 100 bytes of random data and did the test 1,000,000 times using the hash functions MD5, SHA1, and a typical MULTIPLIER type hash function. Of course the basic hash function was the fastest at 0.66 microseconds per hash. MD5 used 0.78 microseconds per hash while SHA1 consumed 1.02 microseconds per hash. All in all, the small hit in performance seems well worth the gains in being able to use variable table sizes and any type of input without concern. Testing was done using wolfSSL`s cryptography functionality in the CTaoCrypt module.
Would you like to learn more about how SSL/TLS work, or more about the wolfSSL lightweight SSL library? If so, yaSSL is now offering a training course on SSL/TLS and wolfSSL. The wolfSSL training course covers details of SSL/TLS as well as the wolfSSL embedded SSL library. Participants will have the opportunity to learn the inner workings of the SSL/TLS protocols as well as further their knowledge of the wolfSSL embedded SSL library. Topics covered will include library design, building and getting started with wolfSSL, features, portability/customizability, certificates and keys, debugging and troubleshooting SSL, wolfSSL best practices, and details about the CTaoCrypt cryptography library.
Upon completion of the wolfSSL training course, attendees will:
– Achieve a basic understanding of how SSL/TLS work
– Learn the package and design of wolfSSL
– Effectively build wolfSSL for target platforms
– Learn effective wolfSSL debugging strategies
– Add wolfSSL to ANSI-C based client and server applications
– Learn best practices for adding wolfSSL to embedded, desktop/enterprise, or cloud applications or devices
– Develop using wolfSSL’s underlying cryptography library, CTaoCrypt
For a more detailed outline and more information on duration, scheduling, and pricing, please contact yaSSL at email@example.com.
Are you interested in using the wolfSSL lightweight SSL library on the Green Hills INTEGRITY RTOS? Although wolfSSL doesn’t currently have INTEGRITY support, we would like to gauge user and community interest to help us plan our schedule for the upcoming year. If you would like to see INTEGRITY support added to wolfSSL, please let us know at firstname.lastname@example.org.
From Wikipedia, INTEGRITY “is royalty-free, POSIX-certified, and intended for use in embedded systems needing reliability, availability, and fault tolerance. It is built atop the velOSity microkernel and is intended mainly for modern 32- or 64-bit embedded system designs that support an MMU.” To learn more about INTEGRITY, please visit the Green Hills website, here: http://www.ghs.com/products/rtos/integrity.html.
Business and Company Progress
• We doubled our customer base again this year and dramatically increased revenues, confirming the usefulness of our technology, our open source strategy, and our relevance in the emerging device security and BYOD markets.
• We have further penetrated key vertical markets, including home appliances, smart metering, sensors, M2M, gaming, VoIP, banking, and defense/military.
• We expanded our partnerships with Synopsys, Freescale, Mentor Graphics, Intel, Microchip, ARM, Marvell, FreeRTOS, EBS Net, Cavium, and STMicroelectronicselectronics.
• We successfully participated in the following events: CES, FOSDEM, Design West, OSCON, RSA, Black Hat, Game Developer Conference, Design East, Infosec UK, Intel Developer Forum, Intel Alliance Summit, and ARM TechCon.
• We increased the size of our team, and continue to hire top notch engineering talent.
• We continue to value and support the open source community through our free support offering for open source users.
• We released two new case studies surrounding M2M communication (Cinterion, CCww) and a new white paper with Intel about AES-NI.
• We gave presentations at FOSDEM 2012 (Technical Update), the Kerberos Consortium during RSA (Kerberos/GSS-API Android), DESIGN West (Nucleus Support), Infosecurity UK (What to look for in a SSL/TLS library), and the MySQL Meetup in Seattle (yaSSL in MySQL).
• yaSSL introduced a Japanese version of www.yassl.com to better cater to our Japanese users and customers.
• We introduced a new three-tiered support program.
wolfSSL Technical Progress
• AES-GCM – Direct AES Galois Counter Mode support and cipher suites
• CRL – Certificate Revocation List processing with directory monitoring
• OCSP – Online Certificate Status Protocol support built in
• Lean PSK – A low footprint, 24k, PSK TLSv1.2 build
• Reduced Memory use after handshake – Once the TLS handshake is complete, handshake resources are freed
• Lower stack memory use – Use of large static buffers eliminated
• Reliable DTLS, Cookies – DTLS cookies and full reliability now supported, no longer beta
• Unit/Suite Tests – Exposed unit API, hash, and cipher suite tests with valgrind support
• Static ECDH – Now supports several static ECDH cipher suites
• ECC client cert – Authentication with client ECC certificates now supported
• ECC released into open source – Now available on github and downloads
• SHA-384 – Direct use and cipher suites supported
• Subject AltName processing – AltNames easily retrieved from peer certificate for verification
• Sniffer SessionTicket support – Support for modern browsers using session tickets
• Command line example options – Example client and server now have several runtime options
wolfSSL Porting Progress
• FreeRTOS and FreeRTOS Windows Simulator
• Freescale MQX/RTCS/MFS. wolfSSL is now ported to MQX and has been tested on the Kinetis MCU. Example CodeWarrior projects are now available in the wolfSSL download.
• EBSnet RTIP
• Yocto/OpenEmbedded. A new Yocto/OpenEmbedded layer is available for easy integration of wolfSSL into existing Yocto projects.
• Nucleus RTOS
• TinyOS. Several CTaoCrypt algorithms have been ported to TinyOS
yaSSL Embedded Web Server Progress
• Release version 1.0 with bug fixes and feature enhancements
• SafeRTOS port
• MIT Java GSS-API for Android
• wolfSSL is now able to be used as a crypto provider for MIT Kerberos
• wolfSSL now supports ssmtp 2.64
• libscs now has support for wolfSSL
Are you interested in using the wolfSSL embedded SSL library in an extremely resource constrained environment? If so, you may be interested to hear that we have recently implemented a wolfSSL “Lean PSK” build which enables the wolfSSL library to be built with a footprint size of 20kB!
The “Lean PSK” build requires the use of pre-shared keys with wolfSSL, along with removing several additional features. If you are curious, or would like to learn more, please contact us at email@example.com.
- June 2020 (4)
- May 2020 (17)
- April 2020 (17)
- March 2020 (7)
- February 2020 (24)
- January 2020 (18)
- December 2019 (9)
- November 2019 (16)
- October 2019 (14)
- September 2019 (24)
- August 2019 (21)
- July 2019 (8)
- June 2019 (13)
- May 2019 (35)
- April 2019 (32)
- March 2019 (20)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (11)
- October 2018 (18)
- September 2018 (18)
- August 2018 (8)
- July 2018 (15)
- June 2018 (29)
- May 2018 (15)
- April 2018 (11)
- March 2018 (19)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (7)
- September 2017 (8)
- August 2017 (6)
- July 2017 (11)
- June 2017 (8)
- May 2017 (10)
- April 2017 (5)
- March 2017 (7)
- February 2017 (1)
- January 2017 (8)
- December 2016 (3)
- November 2016 (2)
- October 2016 (18)
- September 2016 (8)
- August 2016 (5)
- July 2016 (4)
- June 2016 (11)
- May 2016 (4)
- April 2016 (5)
- March 2016 (4)
- February 2016 (12)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (6)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (13)
- January 2015 (6)
- December 2014 (7)
- November 2014 (3)
- October 2014 (2)
- September 2014 (11)
- August 2014 (6)
- July 2014 (9)
- June 2014 (11)
- May 2014 (11)
- April 2014 (9)
- March 2014 (3)
- February 2014 (3)
- January 2014 (5)
- December 2013 (9)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (8)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (9)
- December 2012 (13)
- November 2012 (5)
- October 2012 (7)
- September 2012 (4)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (6)
- April 2012 (7)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (6)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (8)
- May 2011 (12)
- April 2011 (4)
- March 2011 (12)
- February 2011 (9)
- January 2011 (13)
- December 2010 (17)
- November 2010 (12)
- October 2010 (14)
- September 2010 (11)
- August 2010 (20)
- July 2010 (14)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)