Category: Uncategorized

The security of wolfSSL products is always on our mind and holds high importance.  Conducting regular, diligent, and well-planned testing helps maintain wolfSSL’s robustness and security.  We strive to write and maintain clean, readable, and understandable code.

Like the halting problem, we know it is impossible to test every single possible path through the software, but we practice an approach that is focused on lowering risk of failure. In addition to extensive automated testing, we make sure that we specifically test well-known use cases. This post outlines some of our internal testing process.

1. API Unit Testing:  We have unit tests in place that test API functions for correct behavior. This helps maintain library consistency across releases and as the code evolves.  It helps us to deliver a high quality well tested API to our end users with each software release.  API unit tests are run with each “make check” of wolfSSL.

2. Cipher Suite Testing: wolfSSL supports an extensive list of cipher suites, which are all tested with every “make check” using the wolfSSL example client and example server.  Each cipher suite is tested not only in the default configuration, but also in non-blocking mode and with client authentication both turned on/off.

3. Algorithm Testing: The security of our SSL/TLS implementation depends on the correctness and robustness of our underlying cryptography library, wolfCrypt.  We test all algorithms using NIST test vectors in addition to running our CAVP test harness used for our FIPS 140-2 validations.  We also test on both big and little endian platforms for portability.

4. Benchmark Testing: We engage in another ever expanding universe of benchmark testing, where we look at sizing, transmission rates, connection speeds, and cryptography performance.  A version of our benchmark suite is included in every download for users to enjoy!

5. Static Analysis: We do static analysis on our entire codebase using not only one, but multiple different static analysis tools.  We currently use Coverity Scan, clang scan-build, and Facebook infer.  These tools help us to automatically find bugs including ones on low-traffic code paths.

6. Detecting Memory Errors:  We mitigate memory errors by using valgrind on a regular and automated basis.  This helps find memory errors including invalid access, use of undefined values, incorrect freeing of dynamic memory, and memory leaks.

7. Interop Testing: We test for interoperability with other Open Source TLS implementations, including OpenSSL, BoringSSL, and GnuTLS.  This helps us to catch any protocol implementation errors in either wolfSSL or the implementation being tested against.  We also test outside of a closed environment by connecting to servers in the real world running unknown SSL/TLS implementations.

8. Real World Builds: We build with a series of ‘real’ applications, like cURL, wget, pppd, OpenSSH, stunnel, lighttpd, etc.  For some of our customers with top level support, we build new releases with their application.

9. Compiler Testing: We have users who compile wolfSSL with a variety of different compilers.  As such, we test compiling wolfSSL with many different compilers and toolchains including gcc/g++, clang, icc, Visual Studio, CodeWarrior, KDS, LPCXpresso, MPLAB XC, TI CCS, Keil, IAR, Cygwin, MinGW, CrossWorks, Arduino, Wind River Workbench, and more.

10. Peer Review: More eyes on a codebase reduces bugs that end up in a final product.  Internally, we operate using a “Fork and Pull Request” model.  This means that every commit that makes it into our master branch has been reviewed and tested by at least two separate engineers.

11. Third Party Testing: Our code is regularly reviewed by university researchers, customer and user security teams, FIPS and certification labs, and our Open Source user base.  This helps put more eyes on our code and product architecture.

12. Fuzz Testing: We test using several different software fuzzers, including an in-memory fuzzer, a network fuzzer, OSS-fuzz, libfuzzer, tlsfuzzer, and AFL.  Fuzz testing bombards the program with invalid, unexpected, and random data that then allows for observing if there is potential memory leaks or logic errors.  This allows us to catch bugs that could turn into potential vulnerabilities if released in a final release.

13. Continuous Integration (CI): Leveraging Jenkins, we run tests on each commit submitted to the wolfSSL code repository.  Tests run on each commit include testing of our FIPS build, numerous build options (customer/user/common), running valgrind, and doing static analysis with scan-build.

14. Nightly Test Cycle: Each night we run extended tests that last longer than the typical ones during the work day.  These are more in-depth than our CI testing and puts results in our engineers’ inboxes each morning.  Some tests included in our nightly cycle include extended build option testing on multiple platforms with multiple compilers, and extended fuzz testing.

If you have specific questions about how we test, please contact us at facts@wolfssl.com.  If you would like us to include your SSL/TLS or crypto implementation in our interop testing, please let us know!  Likewise, if you would like to include wolfSSL in your own test framework, we would be happy to discuss.

We would like to announce that the wolfSSL embedded SSL library now has support for hardware-based cryptography and random number generation offered by the STM32F7.  Supported cryptographic algorithms include AES (CBC, CTR), DES (ECB, CBC), 3DES, MD5, and SHA1.  For details regarding the STM32F7 crypto and hash processors, please see the STM32F7 Hardware Abstraction Layer (HAL) and Low-layer drivers document (linked below).

If you are using the STM32F7 with wolfSSL, you can see substantial speed improvements when using the hardware crypto versus using wolfSSL’s software crypto implementation.  The following benchmarks were gathered from the wolfCrypt benchmark application (wolfcrypt/benchmark/benchmark.c) running on the STM32F777NI board (STM32F7) using the STM32F7 HAL on bare metal (No OS).

wolfSSL Software Crypto, Normal Big Integer Math Library

RNG               3 MB took 1.000 seconds,    3.149 MB/s

AES-Enc           6 MB took 1.000 seconds,    6.494 MB/s

AES-Dec           7 MB took 1.000 seconds,    6.519 MB/s

AES-GCM-Enc       3 MB took 1.004 seconds,    2.553 MB/s

AES-GCM-Dec       3 MB took 1.004 seconds,    2.553 MB/s

AES-CTR           7 MB took 1.000 seconds,    6.543 MB/s

CHACHA           16 MB took 1.000 seconds,   15.723 MB/s

CHA-POLY         10 MB took 1.000 seconds,   10.474 MB/s

3DES              1 MB took 1.008 seconds,    1.405 MB/s

MD5              24 MB took 1.000 seconds,   24.243 MB/s

POLY1305         42 MB took 1.000 seconds,   41.821 MB/s

SHA              14 MB took 1.000 seconds,   14.380 MB/s

SHA-224           8 MB took 1.000 seconds,    8.423 MB/s

SHA-256           8 MB took 1.000 seconds,    8.423 MB/s

SHA-384           2 MB took 1.000 seconds,    2.319 MB/s

SHA-512           2 MB took 1.000 seconds,    2.319 MB/s

STM32F7 Hardware Crypto, Normal Big Integer Math Library

RNG              6 MB took 1.000 seconds,    6.030 MB/s

AES-Enc         30 MB took 1.000 seconds,   30.396 MB/s

AES-Dec         30 MB took 1.000 seconds,   30.371 MB/s

AES-GCM-Enc     42 MB took 1.000 seconds,   42.261 MB/s

AES-GCM-Dec     33 MB took 1.000 seconds,   32.861 MB/s

AES-CTR         48 MB took 1.000 seconds,   47.827 MB/s

CHACHA          16 MB took 1.000 seconds,   15.747 MB/s

CHA-POLY        11 MB took 1.000 seconds,   10.522 MB/s

3DES            13 MB took 1.000 seconds,   12.988 MB/s

MD5             41 MB took 1.000 seconds,   40.894 MB/s

POLY1305        42 MB took 1.000 seconds,   41.846 MB/s

SHA             38 MB took 1.004 seconds,   38.202 MB/s

SHA-224         41 MB took 1.000 seconds,   41.309 MB/s

SHA-256         39 MB took 1.000 seconds,   39.111 MB/s

SHA-384          2 MB took 1.004 seconds,    2.310 MB/s

SHA-512          2 MB took 1.004 seconds,    2.310 MB/s

 As the above benchmarks (and chart) show, the hardware-based algorithms on the STM32F7 demonstrate significantly faster speeds than that of their software counterparts.

To enable STM32F7 hardware crypto and RNG support, define WOLFSSL_STM32F7 when building wolfSSL.  For a more complete list of defines which may be required, please see the WOLFSSL_STM32F7 define in <wolfssl_root>/wolfssl/wolfcrypt/settings.h.  You can find the most recent version of wolfSSL on GitHub, here: https://github.com/wolfssl/wolfssl.

If you would like to use wolfSSL with STM32F7 hardware-based cryptography or RNG, or have any questions, please contact us at facts@wolfssl.com for more information.

wolfSSL embedded SSL library

STM32: http://www.st.com/internet/mcu/class/1734.jsp

STM32F7 HAL and Low-layer drivers documentation: http://www.st.com/content/ccc/resource/technical/document/user_manual/45/27/9c/32/76/57/48/b9/DM00189702.pdf/files/DM00189702.pdf/jcr:content/translations/en.DM00189702.pdf

Are you a user of PikeOS or ElinOS, and interested in a lightweight TLS 1.3 implementation?  The wolfSSL embedded SSL/TLS library now supports TLS 1.3 (drafts 18 and 20).  TLS 1.3 improves performance of establishing TLS connections by reducing the required number of round trips during the TLS handshake (including a new 0-RTT option where applications can send application data in the first flight!).  It also increases security by removing old legacy algorithms in favor of new, secure, and performant ones.

If you aren’t familiar with these operating systems, here’s a quick summary via Wikipedia:

PikeOS:

“PikeOS is a microkernel-based real-time operating system made by SYSGO AG. It is targeted at safety and security critical embedded systems. It provides a partitioned environment for multiple operating systems with different design goals, safety requirements, or security requirements to coexist in a single machine.”

ElinOS:

“ELinOS is a commercial development environment for embedded Linux. It consists of a Linux distribution for the target embedded system and development tools for a development host computer. ELinOS provides embedded Linux as a standalone operating system or it can be integrated into the PikeOS virtualization platform if safety and security demands cannot be met by Linux alone.”

To learn more about how to use wolfSSL with TLS 1.3, you can visit our TLS 1.3 webpage, or contact us at facts@wolfssl.com!

As you may know, wolfSSL includes support for offloading cryptography operations into NXP Coldfire and Kinetis devices that include the CAU, mmCAU, or LTC hardware crypto modules. Taking advantage of these modules improves performance of both the cryptography and the SSL/TLS layer running on top of it.

Here is a quick comparison of performance between software cryptography and the hardware-based cryptography offered by the Kinetis mmCAU on a K60 TWR running at 100MHz:

Software Crypto Hardware Crypto

AES 0.49 MB/s 2.71 MB/s
DES 0.31 MB/s 3.49 MB/s
3DES 0.12 MB/s 1.74 MB/s
MD5 4.07 MB/s 4.88 MB/s
SHA-1 1.74 MB/s 2.71 MB/s
SHA-256 1.16 MB/s 2.22 MB/s
HMAC-SHA 1.74 MB/s 3.05 MB/s
HMAC-SHA256 1.22 MB/s 2.03 MB/s

And, here are some benchmark comparisons between software and hardware cryptography offered by the LTC module on a NXP FRDM-K82F, Cortex M4 running at 150 MHz:

Software Crypto Hardware Crypto

RNG 0.136 MB/s 0.939 MB/s
AES enc 0.247 MB/s 12.207 MB/s
AES dec 0.239 MB/s 12.207 MB/s
AES-GCM 0.016 MB/s 12.207 MB/s
AES-CTR 0.247 MB/s 8.138 MB/s
AES-CCM 0.121 MB/s 6.104 MB/s
CHACHA 0.568 MB/s 3.052 MB/s
CHA-POLY 0.444 MB/s 1.878 MB/s
POLY1305 2.441 MB/s 8.138 MB/s
SHA 0.842 MB/s 4.069 MB/s
SHA-256 0.309 MB/s 2.713 MB/s
SHA-384 0.224 MB/s 0.763 MB/s
SHA-512 0.216 MB/s 0.698 MB/s
RSA 2048 public 147.000 ms 12.000 ms (over 1 iteration)
RSA 2048 private 2363.000 ms 135.000 ms (over 1 iteration
ECC 256 key generation 355.400 ms 17.400 ms (over 5 iterations)
EC-DHE key agreement 352.400 ms 15.200 ms (over 5 iterations)
EC-DSA sign time 362.400 ms 20.200 ms (over 5 iterations)
EC-DSA verify time 703.400 ms 33.000 ms (over 5 iterations)
CURVE25519 256 key generation 66.200 ms 14.400 ms (over 5 iterations)
CURVE25519 key agreement 65.400 ms 14.400 ms (over 5 iterations)
ED25519 key generation 25.000 ms 14.800 ms (over 5 iterations)
ED25519 sign time 30.400 ms 16.800 ms (over 5 iterations)
ED25519 verify time 74.400 ms 30.400 ms (over 5 iterations)

Did you know that wolfSSL also now supports TLS 1.3? With TLS 1.3, users also have the ability to use this new protocol version for even better performance for TLS connections!

TLS 1.3 includes several improvements over TLS 1.2, including reducing the number of round trips required to perform a full handshake, and repurposing the ticketing system to allow for servers to be stateless. These changes mean better performance on Freescale/NXP CAU, mmCAU, and LTC-based devices, and lower memory usage on those devices acting as a TLS server.

To learn more about using TLS 1.3 in wolfSSL, visit our TLS 1.3 webpage today!

As you may know, wolfSSL includes support for offloading cryptography operations into the PIC32MZ hardware crypto module.  This improves performance of both the cryptography and the SSL/TLS layer running on top of it.

Here is a quick comparison of performance between software cryptography and the hardware-based cryptography offered by the PIC32MZ:

           Software Crypto     Hardware Crypto

AES-CBC    0.26 Mb/s           5.78 Mb/s

AES-CTR    0.69 Mb/s           5.67 Mb/s

3DES       6.19 Mb/s           6.19 Mb/s

MD5        6.22 Mb/s           16.84 Mb/s

SHA-1      3.46 Mb/s           16.65 Mb/s

SHA-256    1.678 Mb/s          15.84 Mb/s

Did you know that wolfSSL also now supports TLS 1.3?  With TLS 1.3, users also have the ability to use this new protocol version for even better performance for TLS connections!

TLS 1.3 includes several improvements over TLS 1.2, including reducing the number of round trips required to perform a full handshake, and repurposing the ticketing system to allow for servers to be stateless.  These changes mean better performance on PIC32-based devices, and lower memory usage on those PIC32 devices acting as a TLS server.

To learn more about using TLS 1.3 in wolfSSL, visit our TLS 1.3 webpage today!

Hi!  Are you a user of Arch Linux?  wolfSSL 3.12.0 is now available as a package in the Arch User Repository!

https://aur.archlinux.org/packages/wolfssl

wolfSSL, written in C, supports industry protocol standards up to TLS 1.3 and DTLS 1.2 and progressive ciphers including ChaCha20, Poly1305, Curve25519, Ed25519, and SHA-3.  We encourage you to give our package a try and let us know what you think!

For help getting started with wolfSSL and wolfCrypt, see:

wolfSSL Manual

wolfSSL API Reference

wolfCrypt API Reference

wolfSSL Quickstart Guide

SSL/TLS Tutorial

wolfSSL supports use with Intel® SGX on both Windows and Linux. In addition to being available on both operating systems the Linux example includes running a full TLS connection in a secure Enclave. Examples can be found on GitHub under wolfssl/wolfssl-examples located here (https://github.com/wolfSSL/wolfssl-examples). One of the exciting upcoming features this year, is that wolfSSL is planning to be FIPS certified while running inside a secure Enclave.

If there are questions about current support or the future roadmap feel free to let us know at facts@wolfssl.com.

Do you need a FIPS 140-2 validated cryptography library for your ARM-based platform? wolfCrypt has been FIPS 140-2 validated on several different operating environments to date, some of which have been on resource-constrained ARM-based devices.

FIPS validating a crypto library on a resource-constrained device can be more involved than doing a validation on a standard desktop-like platform. Variances in OS, Flash/RAM, filesystem (or lack of), entropy, communication, and more can make things interesting. Going through our past ARM-based validations, we have figured out how to make this process easier with wolfCrypt!

If you are interested in exploring FIPS 140-2 cryptography validations on ARM platforms, reach out to us at facts@wolfssl.com!

Greetings! In this post we are covering Operational Environment’s (OE’s) we worked with this past year. These OE’s were validated under an OEM relationship where the company validating is licensed to resell the wolfCrypt FIPS product under their own brand name.

wolfSSL was particularly excited about both of these projects as they display the great range of capabilities for wolfSSL and the wolfCrypt FIPS module.

The first OE was an embedded system with Cortex M4 processor and the second was a backend server where the wolfSSL product scales nicely due to reduced run-time resource use!

wolfSSL is happy to assist with OEM FIPS validation and rebranding if the situation fits! We would love to hear from you, contact us anytime: fips@wolfssl.com

If you missed the first part in our series, you can read it here!

wolfSSL 3.12.0 is now available for download! This release contains bug fixes, new features, and includes fixes for one security vulnerability (low level).

The one low level vulnerability fix included in this release is in relation to a potential DoS attack on a wolfSSL client. Previously a client would accept many warning alert messages without a limit. This fix puts a limit to the number of warning alert messages received and if this limit is reached a fatal error ALERT_COUNT_E is returned. The max number of warning alerts by default is set to 5 and can be adjusted with the macro WOLFSSL_ALERT_COUNT_MAX. Thanks for the report from Tarun Yadav and Koustav Sadhukhan from Defence Research and Development Organization, INDIA.

Continue reading below for a summary of the features and fixes included in this release.

TLS 1.3 Support!

If you follow wolfSSL’s blog, you may have heard discussion about our TLS 1.3 BETA support. wolfSSL 3.12.0 is the first stable release that contains our TLS 1.3 support (client and server side)! This means that you can pair TLS 1.3 with your favorite other features and project ports too! TLS 1.3 with Nginx! TLS 1.3 with ARMv8! and TLS 1.3 with Async Crypto!

Enable TLS 1.3 draft 20 support using the “–enable-tls13” configure option, or the older draft 18 support with the “–enable-tls13-draft18” option. wolfSSL also supports 0RTT with TLS 1.3, which can be enabled with “–enable-earlydata”.

For more information about using wolfSSL with TLS 1.3, visit our TLS 1.3 webpage, or contact us at support@wolfssl.com.

Build and Configure Option Changes

– Added enable all feature (–enable-all)
– Added trackmemory feature (–enable-trackmemory)
– Fixes for compiling wolfSSL with GCC version 7, most dealing with switch statement fall through warnings.
– Added warning when compiling without hardened math operations

Intel Assembly Improvements, Intel SGX Linux Support, and Intel QuickAssist Support

For users of wolfSSL on Intel platforms, we have made improvements including:

– A port of wolfSSL for Intel SGX with Linux. We previously only supported Intel SGX with Windows.
– AVX and AVX2 assembly instructions for improved ChaCha20 performance
– Intel QAT fixes for when using –disable-fastmath
– Improvements and enhancements to Intel QuickAssist support

Note: There is a known issue with using ChaCha20 AVX assembly on versions of GCC earlier than 5.2. This is encountered with using the wolfSSL enable options “–enable-intelasm” and “–enable-chacha”. To avoid this issue ChaCha20 can be enabled with “–enable-chacha=noasm”.

If using “–enable-intelasm” and also using “–enable-sha224” or “–enable-sha256” there is a known issue with trying to use “-fsanitize=address”.

Official SHA-3 Support (Keccak)

Previously wolfSSL only supported the SHA-3 runner-up Blake2b. wolfSSL now additionally supports the final SHA-3 winner, Keccak. This can be enabled with the “–enable-sha3” configure option. It is enabled by default on x86_64 platforms.

DTLS Multicast and Updates

For our DTLS users, wolfSSL now supports DTLS Multicast with “–enable-mcast”! In addition, this release also contains:

– An update to how DTLS handles decryption and MAC failures
– An update to the DTLS session export version number for use with the “–enable-sessionexport” option

For more details about DTLS Multicast, get in touch with us at facts@wolfssl.com!

New and Updated Hardware Ports

With this release, we have update several of our hardware ports and added a few new ones as well, including:

– Update and fix for our Microchip PIC32MZ port
– Fix for STM32F4 AES-GCM
– Addition of a Xilinx port, based on the UltraZed-EG Starter Kit based on the Xilinx Zynq® UltraScale+™ MPSoC
– Addition of SHA-224 and AES key wrap to ARMv8 port
– Additional input argument sanity checks to ARMv8 assembly port

Enhanced Testing

– Additional unit testing for MD5, SHA, SHA224, SHA256, SHA384, SHA512, RipeMd, HMAC, 3DES, IDEA, ChaCha20, ChaCha20Poly1305 AEAD, Camellia, Rabbit, ARC4, AES, RSA, HC-128

Updated Operating System Ports

– Update TI-RTOS port for dependency on new wolfSSL source files
– Update MQX Classic and mmCAU ports
– Fix ThreadX/NetX warning

wolfSSL Python Wrapper

– Expand wolfSSL Python wrapper to now include a client side implementation

wolfSSL Python Wrapper Documentation
wolfCrypt Python Wrapper Documentation

Other Additions and Modifications

Other changes that this release contains includes:

– Fix for making PKCS12 dynamic types match
– Fixes for potential memory leaks when using –enable-fast-rsa
– Fix for when using custom ECC curves and add BRAINPOOLP256R1 test
– Fix for Async crypto with GCC 7.1 and HMAC when not using Intel QuickAssist
– Added more sanity checks to fp_read_unsigned_bin function
– Fix for potential buffer over read with wolfSSL_CertPemToDer
– Add PKCS7/CMS decode support for KARI with IssuerAndSerialNumber
– Added RSA PSS sign and verify
– Fixes for AES key wrap and PKCS7 on Windows VS
– Support use of staticmemory with PKCS7
– Fix for Blake2b build with GCC 5.4
– Fixes for OCSP and CRL non blocking sockets and for incomplete cert chain with OCSP

Updated Examples

– Adjust example servers to not treat a peer closed error as a hard error
– Added benchmark block size argument

If you have any questions about the new release, or using wolfSSL in your project, please contact us at facts@wolfssl.com