RECENT BLOG NEWS
Renesas RX TSIP with ECDSA and Crypto Callbacks
wolfSSL now has support for Renesas RX TSIP with ECDSA and crypto callbacks. This update provides broader flexibility and security for embedded systems with Renesas RX TSIP. Below is a summary of the key changes and updates that were added in PR# 7685:
Key Changes and Features
- Renesas RX TSIP with ECDSA Support
WolfSSL now fully supports ECDSA on Renesas RX TSIP, which adds greater functionality when generating signatures. The update also adds support for raw R+S signatures. - ECC with NO_ASN
You can now use ECC support without ASN.1 encoding by using the configuration:
‘./configure –enable-cryptonly –disable-rsa –disable-asn –disable-examples’
This can decrease the overhead in environments where you don’t need ASN.1 support. - RX TSIP Crypt Configuration Fixes
These changes also fixes issues with WOLFSSL_RENESAS_TSIP_CRYPTONLY and NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH macros, allowing for builds to complete smoothly when there is only a requirement for cryptography operations. - Reverted wc_GenerateSeed Support
wc_GenerateSeed on the RX TSIP was reverted. This ensures compatibility with the updated RNG on RX TSIP. - Updated Client Authentication Key Data
Example key data with private key for client authentication has been updated.
Testing
These changes were tested using the e2Studio IDE, and tests were verified including client and server examples.
Conclusion
These updates extend wolfSSL’s support of the Renesas RX TSIP to include ECDSA and Raw R+S signature support, greatly improving flexibility and optimizing the build for embedded systems. If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
wolfSSL Enhances PowerPC Support on Darwin
At wolfSSL, we are committed to supporting a wide range of platforms and architectures, ensuring that our SSL/TLS library can be used across various environments. One of the platforms we continue to support is PowerPC, both in 32-bit and 64-bit configurations.
The latest updates to our PowerPC support primarily focus on resolving compatibility issues with Darwin (macOS) systems. The recent changes in the pull request https://github.com/wolfSSL/wolfssl/pull/7931 do not introduce any new features or modify existing functionality. These updates include:
- PowerPC Macros: Adjustments ensure compatibility with Darwin, allowing smooth builds on macOS.
- Assembler Compatibility: We’ve addressed issues with how registers are prefixed in the Darwin ABI ensuring compatibility with PowerPC systems.
Instead of adding register prefixes via a simple macro, we’ve opted for a more robust approach. This helps prevent potential issues in the future.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
Extended Key Update for Transport Layer Security (TLS) 1.3
The Extended Key Update extension for (D)TLS 1.3 is a draft proposal for a new key update mechanism. (D)TLS 1.3 lacks perfect forward secrecy (PFS) for long-lived sessions, leaving them vulnerable to key exfiltration attacks. The proposed Extended Key Update mechanism addresses this by incorporating minimal key exchanges during key updates. This safeguards connections by ensuring that even if session keys are compromised, past and future communications remain confidential.
This extension is ideal for environments where long uninterrupted secure connections are critical. By introducing PFS into key updates without requiring establishing new connections, it enhances security while maintaining availability. Its design also supports hybrid key exchanges, ensuring post-quantum readiness with a fallback to classical cryptography.
wolfSSL strives to provide the best security, and that is why we monitor new developments closely. If this extension is a feature you would be interested in, please write to us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now
wolfSSL DTLS 1.2 Connection ID
wolfSSL release 5.7.4 includes an exciting new feature. We have implemented Connection ID (CID) support for DTLS 1.2 (RFC 9146). CID is a new feature in DTLS 1.2 that allows for better handling of connection migration. Without it, DTLS connections are tied to the IP 5-tuple making it unable to recover the connection if one of the peers changes their address. This is where CID comes in. This feature is used to associate DTLS records from a new IP address to an existing connection. This is especially useful for mobile devices that may switch between Wi-Fi and cellular networks, or for any device that may change IP addresses during a connection.
Using CID’s in wolfSSL is easy. Just setup your connection as usual, but call wolfSSL_dtls_cid_use() to enable the CID feature on the connection. This will enable the CID on your side of the connection. To request the peer to use a CID, use wolfSSL_dtls_cid_set().
If you have any questions regarding CID’s in DTLS 1.2 or 1.3, please contact us at facts@wolfssl.com or +1 425 245 8247.
Download wolfSSL Now
wolfSSL libspdm Support
wolfSSL has added support for libspdm 3.3.0. libspdm is the reference implementation of the DMTF’s Security Protocols and Data Models (SPDM specifications). The goal of the SPDM specifications is to provide device attestation and authentication as well as secure communication over any transport. Both wolfSSL and SPDM are designed to operate on any transport.
Our wolfCrypt library is the underlying cryptographic library used by wolfSSL. wolfCrypt is a lightweight, embeddable, and easy-to-configure crypto library. It supports all the algorithms used by SPDM such as AES, CHACHA, POLY-1305, SHA-3, RSA, ECC. wolfCrypt is FIPS 140-3 validated and is available under both open source and commercial licenses. wolfCrypt also supports the Chinese SM ciphers SM2, SM3, and SM4.
If you have questions about the libspdm port or any other port, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
AI-automated fuzz testing uncovered a vulnerability in wolfSSL
Code Intelligence is happy to announce the discovery of a heap-based use-after-free vulnerability in wolfSSL, identified through a fuzz test automatically generated by an AI Test Agent. This marks another milestone in advancing automated security testing and demonstrates the power of AI-driven tools to improve software reliability and safety.
Discovery and Resolution
The vulnerability was identified during the final week of October 2024.
Remarkably, the discovery required no manual intervention—beyond setting up the project and typing “cifuzz spark” into the command line. This fuzz test, automatically generated and executed by Spark, the AI Test Agent, uncovered the critical data that exposed the flaw.
Spark, the AI Test Agent, is an enhancement to ?ode Intelligence’s fuzz testing product CI Fuzz. Leveraging LLMs and advanced static analysis, it autonomously identifies the most critical functions in the codebase to fuzz, generates and runs fuzz tests, and thus, finds bugs and vulnerabilities.
Spark will be publicly demonstrated to the security and software development community on January 28, 2025. Secure your free spot here.
Spark uncovered the vulnerability in wolfSSL during its final beta testing. Code Intelligence reported the issue to the wolfSSL team immediately, and they responded with exceptional efficiency, resolving the vulnerability within 3 days.
The fix was officially included in release wolfSSL 5.7.6 on 31 December 2024.
In the only manual step, Peter Samarin from Code Intelligence has assessed and confirmed that the vulnerability exists and is exploitable under specific conditions.
We encourage developers to update to the latest version of wolfSSL to mitigate any potential risks.
What Is a Heap-Based Use-After-Free?
A heap-based use-after-free vulnerability occurs when a program continues to access memory on the heap after it has been freed.
In a typical scenario, a program allocates memory, uses it, and then frees it. However, if there is a mistake in memory management, such as a dangling pointer, a subsequent access attempt may interact with memory that has already been reallocated for another use.
This can lead to unexpected behavior, crashes, or—more worryingly—security exploits that allow attackers to execute arbitrary code or manipulate program behavior maliciously.
We are grateful to the Code Intelligence team for uncovering and reporting the vulnerability to us. You can explore the technical details of the issue in Code Intelligence’s blog post.
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
wolfSSL SSSD Support
We have ported the System Security Services Daemon (SSSD) to use wolfSSL for its SSL/TLS support. SSSD provides a set of daemons that allow access to identity and authentication providers. SSSD is used to connect to remote directories and authentication mechanisms such as LDAP, Kerberos, or FreeIPA. The wolfSSL SSSD port allows organizations to leverage the performance and size advantages of wolfSSL for their SSSD deployments.
wolfSSL is a lightweight and portable SSL/TLS library written in C. It supports industry standards up to the current TLS 1.3 and DTLS 1.3 levels, is far smaller than OpenSSL, offers a simple API, an OpenSSL compatibility layer, and includes FIPS 140-3 validated cryptography. By integrating wolfSSL with SSSD, organizations can benefit from enhanced performance, reduced memory footprint, and robust security features, making it an ideal choice for secure identity and authentication services.
The patch and installation instructions for SSSD are available here. If you have any questions regarding this or any other port, please contact us at facts@wolfssl.com or +1 425 245 8247.
Download wolfSSL Now
wolfSSL Support for STM32G4
wolfSSL now has support for STM32G4 microcontrollers. With new features that enable better performance and flexibility for cryptographic operations on STM32G4 hardware. Below is a summary of the key changes and updates that were made in PR #7997:
Key Changes and Features
- User Settings Synchronization:
The `user_settings_stm32.h` configuration file has been synchronized with the STM32Cube IDE’s `default_conf.ftl`. This ensures that the configurations are up to date and consistent with the STM32G4 environment. - New Configuration Options:
WOLF_CONF_IO: This option allows the user to select the network stack to use.
Options include:- 1 = User IO (custom)
- 2 = LWIP (POSIX)
- 3 = LWIP (native )
WOLF_CONF_RESUMPTION: This option controls session caching and session ticket functionality.
- 0 = No session cache
- 1 = Session cache / Session tickets
WOLF_CONF_TPM: Enables TPM support, which adds Crypto Callbacks, Public MP, and AES CFB support.
WOLF_CONF_PK: TLS Key Callbacks fir better key management in cryptographic operations.
WOLF_CONF_AESGCM: Support for AES GCM encryption modes with:- 1 = GCM_SMALL
- 2 = GCM_TABLE_4BIT
Testing
The code was compiled in STM32CubeIDE for STM32G491x, but no hardware was available for testing at the time. Tests have been run with essential hardware features, including:
- – RTC
- – RNG
- – LPUART1
- – ARM ASM
Conclusion
wolfSSL now supports STM32G4 microcontrollers, which has custom IO, session caching, TPM support, and AES GCM support. If you have any further questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
wolfSSL Supports TSIP v1.21
wolfSSL 5.7.4 adds support for Renesas TSIP v1.21 on RX72N and RX65N platform. The RX72N and RX65N are the flagship models of RX series, using a 32-bit, 240 MHz on RX72N, and 120 MHz on RX65N. Using the TSIP driver, wolfSSL can offload supported cryptographic and TLS operations on the underlying Renesas hardware for increased performance. TSIP v1.21 is the latest version released in 2024. By updating the driver, it offers better performance and stability than previous versions.
Check out wolfSSL Renesas TSIP support here.
Example applications for Renesas RX series MCUs with Renesas IDE e2studio project files are provided in the wolfSSL package, included in the /IDE/Renesas/e2studio/RXxx folders. Detailed instruction manuals written both in English and Japanese will help you get started with wolfSSL on these platforms quickly.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now
New Year New Release: Introducing wolfSSL 5.7.6
Welcome 2025 with boundless possibilities and stronger security! We are excited to introduce wolfSSL 5.7.6, the latest update in open-source cybersecurity! Designed with the cleanest code, this release is packed with exciting enhancements:
- Expanded Hardware Support: wolfSSL hardware support now includes RP2350 and STM32MP135F, with enhanced capabilities for RP2040 and Renesas TSIP.
- Enhanced APIs: APIs introduced for simplified Curve25519 key decoding, stateless DTLS CID on the server side, and CRL callbacks.
- Post-Quantum Cryptography Advances: Updated Post-Quantum ML-DSA features include parsing security levels from the DER encoding and expanded build options.
Dive into the ChangeLog for complete details on what wolfSSL 5.7.6 has to offer and start your year with a solution that works seamlessly right out of the box!
If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
Download wolfSSL Now
Weekly updates
Archives
- May 2025 (1)
- April 2025 (24)
- March 2025 (22)
- February 2025 (21)
- January 2025 (23)
- December 2024 (22)
- November 2024 (29)
- October 2024 (18)
- September 2024 (21)
- August 2024 (24)
- July 2024 (27)
- June 2024 (22)
- May 2024 (28)
- April 2024 (29)
- March 2024 (21)
- February 2024 (18)
- January 2024 (21)
- December 2023 (20)
- November 2023 (20)
- October 2023 (23)
- September 2023 (17)
- August 2023 (25)
- July 2023 (39)
- June 2023 (13)
- May 2023 (11)
- April 2023 (6)
- March 2023 (23)
- February 2023 (7)
- January 2023 (7)
- December 2022 (15)
- November 2022 (11)
- October 2022 (8)
- September 2022 (7)
- August 2022 (12)
- July 2022 (7)
- June 2022 (14)
- May 2022 (10)
- April 2022 (11)
- March 2022 (12)
- February 2022 (22)
- January 2022 (12)
- December 2021 (13)
- November 2021 (27)
- October 2021 (11)
- September 2021 (14)
- August 2021 (10)
- July 2021 (16)
- June 2021 (13)
- May 2021 (9)
- April 2021 (13)
- March 2021 (24)
- February 2021 (22)
- January 2021 (18)
- December 2020 (19)
- November 2020 (11)
- October 2020 (3)
- September 2020 (20)
- August 2020 (11)
- July 2020 (7)
- June 2020 (14)
- May 2020 (13)
- April 2020 (14)
- March 2020 (4)
- February 2020 (21)
- January 2020 (18)
- December 2019 (7)
- November 2019 (16)
- October 2019 (14)
- September 2019 (18)
- August 2019 (16)
- July 2019 (8)
- June 2019 (9)
- May 2019 (28)
- April 2019 (27)
- March 2019 (15)
- February 2019 (10)
- January 2019 (16)
- December 2018 (24)
- November 2018 (9)
- October 2018 (15)
- September 2018 (15)
- August 2018 (5)
- July 2018 (15)
- June 2018 (29)
- May 2018 (12)
- April 2018 (6)
- March 2018 (18)
- February 2018 (6)
- January 2018 (11)
- December 2017 (5)
- November 2017 (12)
- October 2017 (5)
- September 2017 (7)
- August 2017 (6)
- July 2017 (11)
- June 2017 (7)
- May 2017 (9)
- April 2017 (5)
- March 2017 (6)
- January 2017 (8)
- December 2016 (2)
- November 2016 (1)
- October 2016 (15)
- September 2016 (6)
- August 2016 (5)
- July 2016 (4)
- June 2016 (9)
- May 2016 (4)
- April 2016 (4)
- March 2016 (4)
- February 2016 (9)
- January 2016 (6)
- December 2015 (4)
- November 2015 (6)
- October 2015 (5)
- September 2015 (5)
- August 2015 (8)
- July 2015 (7)
- June 2015 (9)
- May 2015 (1)
- April 2015 (4)
- March 2015 (12)
- January 2015 (4)
- December 2014 (6)
- November 2014 (3)
- October 2014 (1)
- September 2014 (11)
- August 2014 (5)
- July 2014 (9)
- June 2014 (10)
- May 2014 (5)
- April 2014 (9)
- February 2014 (3)
- January 2014 (5)
- December 2013 (7)
- November 2013 (4)
- October 2013 (7)
- September 2013 (3)
- August 2013 (9)
- July 2013 (7)
- June 2013 (4)
- May 2013 (7)
- April 2013 (4)
- March 2013 (2)
- February 2013 (3)
- January 2013 (8)
- December 2012 (12)
- November 2012 (5)
- October 2012 (7)
- September 2012 (3)
- August 2012 (6)
- July 2012 (4)
- June 2012 (3)
- May 2012 (4)
- April 2012 (6)
- March 2012 (2)
- February 2012 (5)
- January 2012 (7)
- December 2011 (5)
- November 2011 (7)
- October 2011 (5)
- September 2011 (6)
- August 2011 (5)
- July 2011 (2)
- June 2011 (7)
- May 2011 (11)
- April 2011 (4)
- March 2011 (12)
- February 2011 (7)
- January 2011 (11)
- December 2010 (17)
- November 2010 (12)
- October 2010 (11)
- September 2010 (9)
- August 2010 (20)
- July 2010 (12)
- June 2010 (7)
- May 2010 (1)
- January 2010 (2)
- November 2009 (2)
- October 2009 (1)
- September 2009 (1)
- May 2009 (1)
- February 2009 (1)
- January 2009 (1)
- December 2008 (1)