wolfSSL 2022 Annual Report

wolfSSL’s progress continued at a fantastic pace in 2022! New people, new products, new customers, new code, and new testing marked another excellent year for the project and the company. We are particularly pleased with the amount of integration work that we completed in conjunction with our open source and commercial partners. Additionally, our FIPS 140-3 certificate moved closer to completion. Finally, as our readers know, we are laser focused on producing the best tested TLS 1.3 and cryptography. Our latest advancements in testing are covered later in this report.

We also want to give our thanks to all of our wonderful customers, open source users, and partners. You’ve been tremendous and we look forward to serving you in 2023.

wolfSSL Technical Progress

A total of 9 releases of the wolfSSL embedded TLS library were delivered in 2022, each with bug fixes, enhancements, and new feature additions. Highlights of these releases included:

  1. New Hardware and OS Ports
    1. Hardware
    2. OS Ports
      • wolfBoot support for NXP T2080 on DEOS (an avionics RTOS w/ DO-178C cert)
  1. New Open Source Software Ports!
    1. chrony – Versatile implementation of the Network Time Protocol (NTP)
    2. FFmpeg – Video manipulation utility. wolfSSL used to access remote files over HTTPS.
    3. git – Version control system. Requires other dependencies to also be built with wolfSSL (curl + ssh).
    4. Kerberos 5 (krb5) – Network authentication service.
    5. libspdm – DMTF’s Security Protocols and Data Models. Enables authentication, attestation, and key exchange to assist in providing infrastructure security enablement.
    6. NXP SE05X Middleware – Adds a HostCrypto option for using wolfSSL. Establish an authenticated SCP03 channel to SE050.
    7. Liboqs – Patched to use different SPHINCS+ variants and liboqs version.
  1. Updates to Existing Ports
    1. StrongSwan VPN (libstrongswan) – Updates to build errors with latest release. Tested with wolfCrypt FIPS.
    2. lighttpd – Enable post-quantum algorithms with liboqs
    3. stunnel – Enable post-quantum algorithms with stunnel
    4. Version Updates
      • stunnel 5.61
      • net-snmp 5.9.1
      • bind 9.18.0
      • OpenSSH 8.2p1
      • OpenSSH 8.5p1
      • OpenSSH 9.0 – First post-quantum OpenSSH release. Streamlined NTRU Prime key encapsulation mechanism with X25519 ECDH KEM fallback
      • Qt 5.15.8
      • OpenResty 1.19.9.1
      • OpenResty fixes with wolfCrypt FIPS
      • Python 3.8.14
  1. Compiler and IDE Updates
    1. Added IAR example for the MSP430, located in IDE/IAR-MSP430.
    2. Update VxWorks Workbench example to support the latest VxWorks.
    3. Added example Visual Studio project for FIPS v5 ready
    4. Added support for SEGGER embOS and emNET with an IAR Workbench example in IDE/IAR-EWARM/embOS.
    5. Added support for Infineon AURIX IDE.
    6. Added support for the nRF5340 with CryptoCell-312 to Zephyr.
    7. Added support for NuttX.
    8. Added example MCUXpresso IDE project.
  1. Post Quantum Algorithm Support
    1. wolfSSL KEMs: Kyber – liboqs, pqm4, and wolfSSL proprietary.
    2. wolfSSL Authentication: Dilithium/Falcon/Sphincs+ – liboqs.
    3. wolfSSH: hybrid ECDHE-Kyber (P256 with Level1).
    4. wolfMQTT KEMs: Kyber Level1 and hybrid ECDHE-Kyber (P256 with Level1).
    5. wolfMQTT Authentication: Falcon Level1.
  1. New Hardware Crypto Support
    1. Apple M1 (ARMv8.2-A)
    2. NXP SE050 – Expanded support
    3. NXP CAAM SECO HSM (secure controller)
    4. NXP CAAM QNX – Expanded support
    5. Renesas TSIP RX65N and RX72N
    6. Analog Devices MAXQ1080 and MAXQ1065
    7. Platform Security Architecture (PSA) Interface
    8. Xilinx Versal Hardened Crypto
    9. ARM32 and x86 assembly support expanded
    10. CryptoCell-312
  1. Improvements to Existing Hardware Crypto Support
    1. SHA-3 performance with x86_64 assembly
    2. AES CBC/GCM x86 ASM performance
    3. AES ARM32 without crypto hardware instructions
    4. AES GCM assembler optimization for ARMv7
    5. X448 and Ed448 performance
  1. New and Updated Algorithms
    1. SP Math ECC 521-bit support
    2. Support for RSA-PSS signed certificates
    3. Added CSR custom OID generation support
    4. TLS support for ISO-TP transport over CAN Bus
    5. Non-blocking ECC key generation and shared secret for P-256/384/521 including with TLS/DTLS
    6. ECIES geniv=Generate IV, more AES options, comp pub keys
  1. Algorithm Performance Optimization
    1. SP Math is now default and provides better performance!
    2. SHA-3 on ARMv8.2-A and later using SHA-3 instructions
    3. SHA-3 assembly for Intel x64
    4. Intel x86 AES using AES-NI
    5. ARMv7 SHA2-256 in assembly
    6. SP implementation of P384 improved performance
    7. X448 and Ed448 improved performance for 64-bit platforms
  1. New and Updated Build Options (as if you didn’t have enough already!)
    1. --enable-entropy-memuse
    2. --enable-sys-ca-certs
    3. --enable-quic
    4. --enable-srtp
    5. --enable-kyber
    6. --enable-psa
    7. --enable-psa-lib-static
    8. --enable-dtls13
    9. --enable-dtlscid
    10. --enable-eccencrypt=geniv
    11. --enable-secure-renegotiation-info
    12. --enable-ticket-nonce-malloc
    13. --enable-chrony
    14. --enable-openldap
    15. --enable-ffmpeg
    16. --enable-strongswan
    17. --enable-heapmath
    18. --enable-aessiv
    19. --enable-amdrand
    20. --with-seco=PATH
  1. TLS Additions and Updates
    1. Added DTLS v1.3 support
    2. Added DTLS-SRTP support
    3. Added QUIC support
    4. Added system CA Certificate Store support (Linux, Mac, Win, Android)
    5. Implemented a software-based entropy gatherer
    6. Added sniffer asynchronous support (with Intel QuickAssist)
    7. Expanded wolfSSL’s OpenSSL compatibility layer: added 72 new API’s (now over 1,600 API’s)
    8. Expanded wolfSSL’s safe ABI support by 50 API’s (to 113 in total)
    9. Constant time improvements
    10. ForceZero improvements
    11. Glitching protection by hardening the TLS encrypt operations
    12. Added additional TLS state checking
    13. Session cache refactoring
    14. (Dear reader, if you are curious about any of the above items, feel free to ask us about the details at facts@wolfssl.com)
  1. The first ever DTLS 1.3 Release in the wild
    1. DTLS 1.3 support added in June 2022!
    2. Added version negotiation support
    3. Added Connection ID support
    4. (Narrator: Please try this out and test it, we need feedback)
  1. Single Precision Math Updates
    1. SP Math ECC 384-bit speed improvements
    2. SP support for ARMv3, ARMv6, and ARMv7a
    3. SP Math ECC 521-bit support
  1. FIPS 140-2 and 140-3 Validation News!
    1. FIPS 140-2 News
      • SP 800-56A Revision 3 compliance requirements were received from the lab in fall of 2021. All testing was updated to account for the revision 3 requirements in late 2021 and early 2022.
      • February 14th, 2022 – 10 new Operational environments added to wolfCrypt FIPS cert #3389 (All had been tested prior to SP 800-56A Revision 3 requirements)
      • March 14th, 2022 – 12 new Operational environments added to wolfCrypt FIPS cert #3389 (Some but not all tested with the new SP800-56A Revision 3 compliance in place)
      • March 15th, 2022 – 20 of the past Operational Environments were retested bringing them up to the latest SP800-56A Revision 3 compliance so that they would not be dropped from cert #3389 on July 1st of 2022, the stated transition date handed down by the CMVP
      • wolfSSL has completed testing for 14 additional Operating Environments while waiting for SP800-56A Revision 3 submissions to be reviewed, with 12 new Operational Environments in the testing process that will soon be ready for submission
      • wolfSSL completed CAVP-only algorithm certificates for select OE’s that had no plans to go through CMVP validation
      • wolfSSL takes a hard stance on “Vendor Affirmation” abuse by software module vendors (not hardware vendors) making affirmation claims on hardware and software Operational Environments that are wholly different from tested configurations on the associated certificate
      • wolfSSL proposed an update to “tested configurations” and how they get listed on a FIPS certificate(s)
    2. FIPS 140-3 News
      • wolfSSL’s 140-3 submission changed to “In Review” status on October 28th of 2022 and we are hopeful to see a certificate sometime in Q1 or Q2 of 2023!
  1. Testing
    1. Our primary focus for 2022 was migrating all existing tests capable of running in the cloud to Google Compute Engine for scalability and capability
    2. Greatly expanded coverage of DTLS testing to include the latest DTLS 1.3
      • Added fuzzing targets for the DTLS 1.2 and DTLS 1.3 protocols using wolfSSL’s in-house fuzzing solution
      • Added 100’s of DTLS configurations that are tested on every GitHub pull request and again against the master code repository every night
    3. Greatly expanded coverage of Single Precision math testing
      • Added fuzzing targets for the Single Precision math library using wolfSSL’s in-house fuzzer
      • Added 100’s of SP configurations to both GitHub Pull Request testing and nightly testing
    4. Added automated testing of the FIPS 140-3 submission candidate code with wolfCLU (command line utility) (narrator: wolfCLU is really coming along)
    5. Added automated testing of the wolfSSL’s in-house proprietary ACVP harness, including testing of:
      • wolfCrypt FIPS 140-2 validated module
      • wolfCrypt FIPS 140-3 submission candidate
      • wolfSSL FIPS Ready
      • wolfSSL non-FIPS master
    6. Added TLS regression tests to guard against:
      • Performance degradation in TLS handshake times
      • Throughput degradation in TLS record layer transactions
      • Cryptographic algorithm performance degradation
      • Footprint size bloat (Narrator: Nobody enjoys their TLS bloated)
    7. Added new supplementary coverage through the “wolfssl-multi-test” framework:
      • Added cppcheck static analysis
      • Added clang-tidy static analysis
      • Added fully automated nightly runs of all scenarios, with rich text result emails targeted using git blame
      • Added wolfCrypt benchmark coverage, checked nightly against per-config per-algorithm baselines
      • Added cross target building+testing (qemu-based) for all asm-supported targets (ARM, MIPS, PPC, RISC-V, S390, 68k), including all 32/64 bit and endian variants, and sanitizer scenarios on all ARM variants
      • Added shellcheck static analysis for shell scripts
      • Added integrated test runtime isolation using bubblewrap and unshare
      • Expanded Linux kernel module testing to mainline (prerelease) kernels
      • Added per-line git blame for test output
      • Added FIPS 140-3 “–disable-sha” test scenarios
      • Added wolfSentry, WireGuard, QUIC, DTLS13, and PQ coverage
      • Added “super-quick-check” 15 minute meta-scenario
      • Numerous consistency/usability improvements – 10 new command line options, including –dry-run, –enable-bwrap, and –verbose-analyzers
  1. Examples
    1. New wolfSSL examples and wolfssl-examples repository additions included:
      • Renesas RX72N examples with FreeRTOS+IoT
      • Example C# PSK client
      • Example of adding the wolfSSL library as a subdirectory to a project and using CMake to build
      • Analog Devices MAXQ10xx example client
      • NXP SE050 EdgeLock example
      • OCSP non-blocking async example
      • wolfCrypt API example use of SPHINCS+ key for sign/verify
      • Expanded Android examples to include native wolfCrypt test and benchmark plus SP Math configurations
      • Script to generate example Dlithium Cert-chains
      • DTLS 1.3 examples
      • wolfSSL + CAAM using SECO HSM and NVM examples
      • ESP32 with VisualGDB examples
      • AES key update examples
      • Example of certificate generation and parsing with custom extensions
      • NXP SECO cryptodev examples
      • CSR example using crypto callbacks (HSM)
      • Trusted Firmware-M TLS1.3 example
    2. Updated examples included:
      • Updated certificate generation examples to create CA key and cert
      • ESP32 test and benchmark example clean-up
      • ESP32 TLS1.3 WiFi station client/server example
      • PQM4 library example to enable optimizations
      • (Narrator: Ask us for more examples if you need them at facts@wolfssl.com)
  1. Additional Product Enhancements
    1. Documentation
      • wolfSSL product documentation received a facelift, with improved Markdown sources, a new nightly build system, and public GitHub repository
      • All product manuals are now re-built nightly and available on wolfSSL’s Documentation web page in both HTML and PDF formats!
    2. wolfMQTT (6 releases)
      • Fixes for multithreading use with non-blocking
      • Documentation expansion
      • GitHub Action testing
      • MQTTv5 property handling fixes
      • CMake support and fixes to vcpkg build
      • ST NUCLEO F767ZI with TOPPERS OS support
      • Post-Quantum algorithm support
      • Addition of a GitHub CIFuzz action
      • MQTTv5 and MQTT-SN disconnect fixes
    3. wolfSSH (3 releases)
      • wolfSSHd
        • Server daemon targeting embedded Linux
        • Allows users to log into a shell on their device
        • Allows users to SFTP files to and from the filesystem
      • X.509 Certificates
        • Uses X.509 certificates for public key authentication
        • Allows for CRL and OSCP checking
        • Support for certificate chains
      • PQA Support with Hybrid ECDH-P256 Kyber-Level1
      • Better Interoperability
        • winSCP
        • Filezilla
      • More RTOS Support
        • Green Hills INTEGRITY
        • FreeRTOS with LwIP
        • Espressif ESP-IDF configuration
        • Linux on PowerPC
      • wolfCrypt FIPS 140-3 integration
    4. wolfTPM (4 releases)
      • Added C# wrappers for key handling, CSR/Cert generation, RSA encrypt/decrypt and sign/verify
      • Added Infineon SLB9672 support
      • Added Infineon TriCore HAL support
      • Added examples for Keyed Hash / NV counter increment
      • Added keygen example for creating a primary key
      • Added ST33 GetRandom2 support
      • Add CMake support
      • Fixes for C++ compilers
      • (Narrator: This is the tool to add a TPM to your embedded systems project)
    5. wolfBoot (4 releases)
      • New signature algorithm: ED448
      • New encryption algorithm: AES (128 and 256 in CTR mode)
      • Mitigations against fault injections (collaboration with newAE)
      • Support for multiple partitions/multiple keys
      • Encryption extended to delta updates and self updates
      • New target: STM32G0
      • New target: STM32U5
      • New target: i.MX-RT1050
      • New target: NXP T2080
      • New target: NXP QoriQ p1021
      • New target: x86 (via UEFI)
      • SPI refactoring and support for QSPI on STM32
      • Improved tests (new cloud CI + GitHub actions using renode)
      • DO-178C code cropping (dry run) in preparation for certification
    6. wolfSentry (5 releases)
      • User-defined key-value pairs, allowing user plugins to store configuration data in the unified wolfSentry config (JSON). Supports binary objects in base64, custom K-V validators, and freeform user-defined JSON tree values.
      • User-defined address families, for plugin support of any address family, with idiomatic addresses in the unified JSON config.
      • JSON DOM helper routines, for easy app-level use of JSON.
      • New automatic penalty-boxing logic in the core, driven by the “derogatory” and “commendable” counts in each route state.
      • An example app with dynamic rules and realtime notifications.
      • Completed readwrite lock “kernel” layered on counting semaphores, developed on POSIX, ported to Mac OSX and FreeRTOS – supports complex semantics including cheap recursion and lock promotion/demotion with promotion reservations. Implements error checking and acquisition deadlines.
      • Added autolocking to all public APIs that need it – on multicore targets with multithreaded accept handlers, most filtration/processing of traffic by wolfSentry is concurrent using shared locks. With high-complexity plugins this can be important.
      • Final beta release (0.8.0) staged our first production release in January 2023.
    7. wolfEngine (Narrator: or how to plug wolfCrypt into OpenSSL) (Release of stable 1.0.0 version)
      • Added compatibility with wolfCrypt FIPS 140-3
      • Added examples of loading wolfEngine via config file or programmatically
      • Improved RNG, AES-GCM, AES-CTR, RSA, ECC, and DH support
      • Added engine control commands
      • Improved Windows and Visual Studio build support
    8. wolfCLU (2 releases)
      • Expanded x509 command to handle
        • -subject
        • -issuer
        • -serial
        • -dates
        • -email
        • -fingerprint
        • -purpose
        • -hash
        • -modulus
      • Expanded enc command with -pass
      • Expanded verify command to include -partial_chain
      • Expanded req command to handle
        • -text
        • -noout
        • -extensions
        • -verify
        • Print out of additional req attributes
      • Added -text support to ecparam command
      • Add -passout flag to req command
      • Additional commands added
        • Add ca command
        • Add dsaparam command
        • Add dhparam command
        • Add a basic s_client command for simple TLS client connections
        • Add rand command
        • Add PKCS#12 parsing support and command
        • Add CRL verify command
      • Add print out of private key to PKEY command
      • ??Support for parsing multiple organization names with conf file
      • Add disable filesystem configure
      • Support for building on FreeRTOS
      • Support for building on Windows
      • Testing additions
        • Tied in GitHub Actions for continuous integration testing
        • Testing with FIPS 140-3 wolfCrypt
        • Increased unit tests ran with ‘make check’
        • Improve error logging
      • Support for creating a CSR with attributes
      • (Narrator: Thar be dragons attacking that aircraft when you’re sleeping, and we’re fighting them for you. Some of them are big.)
    9. cURL (8 releases)
    10. wolfSSL JNI/JSSE (3 releases)
      • Improved SSLEngine for better compatibility with Undertow, Jetty, and Tomcat
      • Added support for Java 17 and 18, and testing with Amazon Coretto
      • Improved threading and synchronization support
      • Improved SSLSocket timeout and shutdown support
      • Added support for loading system CA certificates, ALPN, keyStore system properties, and RPM packaging
      • Improved example code and documentation
    11. wolfCrypt JNI/JCE (2 releases)
      • Added security provider test example
      • Added test cases and fixes for ChaCha20 support
      • Improvements for compatibility with wolfCrypt FIPS 140-3
      • Added build compatibility with Java 7
      • Added support for “SHA” algorithm string, RPM packaging support, and improvements to MessageDigest implementation
    12. wolfSSL Python (4 releases)
      • Initialization fixes (calling wolfSSL_init())
      • Improvements in the build system
      • Support for TLS 1.3
      • Added support for DTLS up to DTLS 1.3
    13. wolfCrypt Python (4 releases)
      • Improved support for building in Windows
      • Fixed build/package generation process
      • Support for AES-GCM streaming
      • Support for AES-CTR
      • Support for RSA_OAEP and PSS padding
    14. wolfCrypt DO-178C
      • Completed two certification data packages.
        1. NXP S32V234 (on A53)
          • ARM Developer Studio version 2019.0-1, with armclangcompiler version 6.12.1 using an optimization level of -0s
          • Algorithms: SHA-256, SHA-384, HMAC (SHA-256), HMAC (SHA-384), HASH-DRBG (SHA-256), AES-GCM, AES-CMAC, ECC P384 (sign/verify/shared secret), X.509 certificate verify
        2. Xilinx Ultrazed-EG(on A53), little endian
          • GCC compiler that comes with Xilinx SDK 2017.4
            Run Azure RTOS ThreadX SMP version 5.8 on the A53 cores
          • Algorithms: AES-256-GCM assembly with NEON instructions

wolfSSL Top 10 Blog Posts / Technical Announcements

  1. wolfCrypt FIPS 140-3 IUT Update
  2. Top 10 wolfSSL Library Configurations
  3. wolfSSL adds QUIC Support
  4. wolfSSL Support for NXP SE050 with SCP03
  5. Top Ten Things you should know about Secure Boot
  6. wolfSSL running on Xilinx Versal Hardware Encryption
  7. Building wolfSSL with Yocto explained in only 2 minutes!
  8. DTLS 1.3 Beta, What’s New, Benchmarks, and Examples
  9. wolfSSL adds Rust Bindings and Wrappers
  10. Avoid building a “Billion Dollar Brick” with wolfSSL Satellite Cybersecurity Solutions

2022 Webinars

The wolfSSL team hosted and/or participated in a total of 58 webinars this year. Check out our top 5 webinars of the year:

  1. Everything you need to know about FIPS 140-3
  2. Getting Started with wolfSSL in 2022
  3. Secure Element or TPM with wolfSSL
  4. Looking Under the Hood – wolfSSL Automotive Stories and Examples!
  5. Securing BTLE with wolfSSL and TLS v1.3

We host at least one webinar per week, make sure you are checking out our blog page to find out about our webinars! Check out our YouTube channel for all of our previous webinars!

wolfSSL Organizational Growth

  • wolfSSL added 7 new team members in 2022. Additions included salespeople, engineers, and administrators.
  • We expanded our customer base considerably, are now securing connections for over 2,000 products, have partner relationships with over 40 vendors, and are securing well over 2 Billion connections on any given day, worldwide.
  • wolfSSL represents one of the largest teams focused on a single implementation of TLS/Crypto worldwide. If you know of anyone who fits the following description, please let us know.

wolfSSL Events and Tradeshows

The wolfSSL team participated in a total of 49 events in 2022! As part of these events we were in 39 cities, 15 US states, and 7 countries! We participated in one virtual event and were fortunate to attend 48 in-person events. The events we participated this last year included:

CESCyberLEOBlack Hat USAIoT TechExpo North AmericaST Tech Tour - Burlington
West 2022Global Connected Aircraft (Connected Aviation Intelligence Summit)ST Tech Tour - Southern CaliforniaST Tech Tour - MontrealAMD-Xilinx XSWG - Washington DC
Satellite 2022NXP Tech Days - MinneapolisNXP Tech Days - Silicon ValleyHIS 2022Aerospace Tech Week AMERICAS
DoD Information Warfare SymposiumcURL UpICMCST Developers ConferenceAutomotive Computing Conference
Quad-A 2022 SummitEmbedded Tech ConventionAIR, SPACE & CYBER CONFERENCEAUSA 2022AAAA Cribbins Army Aviation Conference
ST Tech Tour - SchaumburgAutomotive Tech Detroit 2022Air Force FACE and SOSA TIM and ExpoMilSat SymposiumESCAR Europe
RWC/HACSESCAR USA 2022International Cyber ExpoNXP Tech Days - DetroitMilitary & Aviation Exhibition 2022
Cyber Physical Systems Security SummitEmbedded World 2022MWC Las VegasNBAA-BACEEmbedded Software Engineering Kongress
IoT Solutions World CongressAutomobile Elektronik KongressNXP Tech Days - Bostonit-saXSWG (Xilinx) - Germany
Forum 78NXP Tech Days - IrvineXSWG (Xilinx) - ColoradoCyberSatGov

(Narrator: We are talkative)

In summary, we had a great year! 2022 was successful on multiple fronts, and we look forward to serving our customers and community with ever more secure and functional software in 2023. As always, your feedback is welcome at facts@wolfssl.com.