wolfSSL 2.0 New Features – Part 1

Here's a more detailed report on some of the new features in the recent wolfSSL 2.0 release. wolfSSL 2.0 RC1 is available for download from our Downloads page.

* SHA-256 cipher suites are now supported. The new suites include:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

No action is needed to include these suites; they're in by default.

* Root certificate verification has been added. wolfSSL used to require all certificates in the chain to be trusted in order to do a verification. Now, only the top or root certificate of the chain is required to be loaded as a trusted certificate in order to properly verify the chain.

* PKCS #8 private key encryption. wolfSSL now supports encrypted PKCS #8 private keys. Supported formats include PKCS #5 version 1 – version 2 and PKCS #12. Types of encryption available include DES, 3DES, RC4, and AES.

* Serial number retrieval for x509. A serial number of any length can now be extracted with wolfSSL using the extension function:

int wolfSSL_X509_get_serial_number(X509* x509, byte* buffer, int* inOutSz)

On input, *inOutSz gives the size of buffer, and at most that many bytes will be written to it. After a successful call (return of 0), *inOutSz will hold the actual number of bytes written to buffer. A full example is included in cyassl_test.h.

* PBKDF2 and PKCS #12 PBKDF. wolfSSL used to support only password-based key derivation function 1. Now it additionally supports version 2 and the PBKDF version from PKCS #12. Use is the same as the original, and the function prototypes look like:

int PBKDF2(byte* output, const byte* passwd, int pLen, const byte* salt, int sLen, int iterations, int kLen, int hashType);

int PKCS12_PBKDF(byte* output, const byte* passwd, int pLen, const byte* salt, int sLen, int iterations, int kLen, int hashType, int purpose);

output contains the derived key, passwd holds the user password of length pLen, salt holds the salt input of length sLen, iterations is the number of iterations to perform, kLen is the desired derived key length, and hashType is the hash to use, which can be MD5, SHA1, or SHA2.
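How PBKDF2 combines the inputs listed above, as an added Python illustration built on the standard library's hmac module (it is not wolfSSL code and not the project's own example). The function name, the snake_case argument names and the hashlib-style hash names such as "sha1" and "sha256" are assumptions of this sketch that only mirror the prototype; the sample password and salt are constructed.

```python
import hashlib
import hmac
import struct


def pbkdf2(passwd: bytes, salt: bytes, iterations: int, k_len: int,
           hash_type: str = "sha256") -> bytes:
    """PBKDF2 (RFC 8018) built directly from HMAC.

    Arguments follow the order of the prototype above: password, salt,
    iteration count, derived key length, hash selection.
    """
    if iterations < 1 or k_len < 1:
        raise ValueError("iterations and k_len must be positive")
    h_len = hashlib.new(hash_type).digest_size
    blocks = -(-k_len // h_len)  # ceil(k_len / h_len)
    output = b""
    for i in range(1, blocks + 1):
        # U_1 = HMAC(passwd, salt || 32-bit big-endian block index)
        u = hmac.new(passwd, salt + struct.pack(">I", i), hash_type).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_j = HMAC(passwd, U_{j-1}); block T_i is the XOR of every U_j
            u = hmac.new(passwd, u, hash_type).digest()
            t ^= int.from_bytes(u, "big")
        output += t.to_bytes(h_len, "big")
    # The last block is truncated so exactly k_len bytes are returned.
    return output[:k_len]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the wolfSSL test suite.
    key = pbkdf2(b"example-password", b"constructed-salt", 2048, 32, "sha256")
    print(key.hex())
```

The salt and iteration count are not secret, but both must be stored alongside the protected data so the same key can be derived again.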

A full example is included in ctaocrypt/src/test.c. Please email us at info@yassl.com or support@yassl.com with any questions regarding the above feature additions, or wolfSSL in general.