wolfSSL 2021 Annual Report

Last year was an excellent year for wolfSSL! We progressed on all of our critical performance vectors, including technical leadership, top notch support, sales growth and new design wins. The sheer volume of new code that we produced, in conjunction with our new products and design wins, is impressive to say the least. Additionally, we made the migration from a strictly on-prem based testing rig to a hybrid rig. Our new rig harnesses the power of cloud computing, and allows us to even further improve on our testing in order to bring you the best tested TLS. Thank you for reading, and please contact us if there is something that you would like on the wolfSSL roadmap for 2022!

wolfSSL Technical Progress

A total of 5 releases of the wolfSSL embedded TLS library were delivered in 2021, each with bug fixes, enhancements, and new feature additions. Highlights of these releases included:

1. New Hardware and OS Ports

Linux Kernel Crypto API (KCAPI) – Allows for offloading of crypto operations to kernel hardware or software. Support includes AES-CBC, AES-GCM, SHA-2, and HMAC. Also possible to use RSA, DH and ECC with custom kernel modules.
Linux Kernel Module build option (–enable-linuxkm), which is also supported with FIPS modes of operation using FIPS compliant integrity checks and conditional algorithm self tests (CASTs). Compliance up to the latest FIPS 140-3.
NXP i.MX CAAM – QNX
NXP SE050
IOT-Safe (SIM card PK)
Cypress/Infineon PSoc6
Renesas RA6M4, RX65N, RX72N, TSIP, SCE Protected Mode (see our new GitHub repository)
Fusion RTOS
Dolphin Emulator

2. New Software Ports!

3. Updates to Existing Ports

STM32: Supported platforms now include G0 and U5
Fixes for NXP mmCAU/LTC, Microchip ATECC608, Espressif ESP32, ST STM32 PKA AES-GCM, Renesas RA6M3
Updated project ports:
1. Stunnel 5.57
2. Qt 5.15
3. Apache 2.4.51
4. Socat 1.7.4.1
5. lighttpd 1.4.51
6. OpenSSH 8.8

4. Operating System Updates

WIN32 WinCE wolfCrypt port
TI-RTOS port maintenance

5. Compiler and IDE Updates

Android
STM32
GCC Makefile
Espressif ESP-IDF
INTIME
QNX

6. Post Quantum Algorithm Support

Removed legacy QSH and NTRU support.
Added support for FALCON signature schemes in TLS 1.3 (Levels 1, 5)
Added support for KEMs in TLS 1.3 as groups and hybridized groups with NIST ECC Curves:
1. SABER (Levels 1, 3, 5)
2. KYBER (Levels 1, 3, 5) and KYBER 90S (Levels 1, 3, 5)
3. NTRU HRSS (Level 3) and HPS (Levels 1, 3, 5)
Full interoperability of algorithms we implemented against the OQS team’s OpenSSL fork.
Integrations with Open Source projects allowing use of post-quantum algorithms with the following popular projects:
1. Apache
2. Nginx
3. Lighttpd
4. cURL
5. MariaDB
6. Stunnel
Joint integration with the OQS team to patch Wireshark, making it aware of and display the new algorithms and their variants.

7. New Hardware Crypto Support

IotSAFE support
Renesas RA6M4 SCE Protected Mode support
Renesas RX65N / RX72N TSIP 1.14 support

8. Improvements to Existing Hardware Crypto Support

Fixed DCP port
Fixed Psoc6 SHA512 regressions
Fixed broken ECC public key computation in PR in NXP LTC
Fix for STM32 PKA ECC point mapping

9. New and Updated Algorithms

New Post-Quantum Algorithm support, as mentioned above.
Added ECCSI and SAKKE for Identity-based Encryption.
Added support for streaming AES-GCM.
Added streaming API for Ed25519 and Ed448.
Added ISO 18033 and SEC 1 implementations of ECIES.

10. Algorithm Performance Optimization

Improved TFM and SP math implementation of addmod_ct and submod_ct for a 30% improvement in performance of ECC operations.

11. New and Updated Build Options

S/MIME support (–enable-smime)
–enable-wolfsentry and –with-wolfsentry=
–enable-wolftpm
–enable-caam
–enable-kcapi
–enable-eccsi
–enable-sakke
–enable-wolfclu
–enable-curl
–enable-reproducible-build
–enable-aesgcm-stream
–enable-ed25519-stream
–enable-ed448-stream
–enable-linuxkm-pie
–enable-keying-material
–enable-iotsafe
–enable-iotsafe-hwrng
–enable-sp=
1. smallfast
2. smallec1024
3. smallp1024
4. small1024
5. ec1024
6. p1024
7. 1024
8. asm
–enable-context-extra-user-data
–enable-aescbc-length-checks
–enable-altcertchains
–enable-sblim-sfcb
–enable-crypttests-libs
–enable-benchmark
–enable-aligndata
–enable-error-queue-per-thread
–with-max-rsa-bits=
–with-max-ecc-bits=
–with-liboqs=
–with-se050=
–enable-bind
–enable-libssh2
–enable-net-snmp
–enable-ntp
–enable-openresty
–enable-rsyslog
–enable-smime
–enable-tcpdump
–enable-krb

12. TLS Additions and Updates

Session Ticket (Added AES GCM support)
TLS export/import
Keying Material Exporters for TLS (RFC 5705)
S/MIME (Secure/Multipurpose Internet Mail Extensions)
Asynchronous TLS v1.3 TLSX ECC/DH keygen/agree
TLS 1.3 Updates
1. Better Interop
2. Better Portability
3. Better Testing
4. More Cipher Suites
Crypto Callbacks extended: Ed/X25519, SHA2-384/512, AES CCM, CMAC
TLS v1.3 sniffer / DH Extra / Static Ephemeral
LWIP Native Support (IP stack)
DTLS
1. Resend the previous DTLS handshake flight only on a network read timeout (WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT)
2. Change default DTLS future packet behavior. Messages from “too far into the future” are now accepted.

13. Single Precision Math Updates

Significant SP math performance improvements
Windows now has assembly code implementation for Intel x86 64-bit that increases performance by 5 to 10 times!
C only implementation has had significant improvements that have major impacts on performance. 32-bit code most significantly 25% for 2048-bit operations and 50% and more for larger sizes.
Improved performance of ARM Thumb code by 30-40%.
On Aarch64, improved performance of P-384 operations by 65-100%.

14. FIPS 140-2 and 140-3 Validation News!

FIPS 140-3 support merged, including Linux Kernel Module support
28 140-2 (Cert 3389) OE additions!

15. Testing

More continuous integration testing added, including cppcheck static analysis
Added support for Google Compute Engine to supplement testing slave farm in CI ecosystem, testing capabilities are now dynamically scalable based on test load and internal developer activity
Expanded API testing coverage with OpenSSL compatibility layer additions

16. Examples

New Post-Quantum cryptography example.
New wolfSSL CAN Bus example.
New RIOT-OS example using lwIP POSIX sockets.

17. Additional Product Enhancements

Revamped Documentation
- wolfCLU
- wolfMQTT
- wolfSentry
- wolfSSL
- wolfTPM

wolfMQTT (4 releases)
- SN feature enhancements
  1. Will Topic update and Will Message update
  2. Publish with QoS-1
  3. Receiving Disconnect Packet while going to sleep
  4. New callback for REGISTER topic ID from gateway when client subscribes to wildcard topics
  5. Handling PINGREQ message from the gateway to client
  6. New example added for QoS level -1 feature
- HiveMQ Cloud compatibility with SNI feature
- Huge improvements to multithread and non-blocking features
- Examples
  1. TLS mutual auth in client examples
  2. Add ability to publish files from example client

wolfSSH (3 releases)
- Easier build with wolfSSL
- Added remote port forwarding
- Improved keep alive
- Small stack option for embedded builds
- SFTP Support for FATFS
- Added support of 192 and 256 bit AES keys
- Improved build options to leave out unwanted algorithms
- Improved interoperability with other tools
  1. Dropbear
  2. Firezilla
  3. winSCP
- Support for EWARM
- MQX IDE build added

wolfTPM (4 releases)
- Added examples for symmetric key generation, NV, remote attestation, make credential, PCR read and GPIO.
- Support for QNX
- Example for QEMU with wolfTPM
- Improved documentation

wolfBoot (3 releases)
- New architectures
  1. ARMv8-M
  2. PowerPC
  3. ARM Cortex-R
- Measured boot
- Support for Trustzone-M
- New memory model
- RSA4096 using SP
- WOLFBOOT_SMALL_STACK
- Delta updates
- New HAL:
  1. STM32L4
  2. STM32L0x3
  3. STMU575xx
  4. NXP i.MX-RT1060
  5. NXP T2080
  6. TI TMS570LC435

wolfSentry (3 releases, all preview/beta)
- Dev phases 1, 2, 3, completed – static firewall, with action plugins, POC notifications via plugin, and configuration updates at any time.
- Full configuration loaded from JSON, with streaming load and all-or-none semantics
- Advanced lock facility complete, with ports for semaphore back ends under POSIX, MacOS-X, and FreeRTOS. Implements shareable, promotable, timeout-capable, deadlock-safe locks.
- POC integration with LWIP, under Linux and FreeRTOS, demonstrating filtering at the IP stack level, including filtering by MAC address, filtering of ICMP, and pre-accept filtering.
- Port to STM32 (FreeRTOS+LWIP)
- Turnkey integration with libwolfssl via the –enable-wolfsentry option, allowing post-accept filtering of incoming connections, and demonstrating pre-connect filtering of outbound connections, via integrations in the example client and server.

wolfEngine (1 release)
- wolfEngine made public on GitHub and first official release with version 0.9.0.
- Allows users to achieve FIPS compliance with wolfCrypt FIPS + OpenSSL. Supports all algorithms in wolfSSL’s FIPS certificate (and others):
  1. SHA-1
  2. SHA2 (224, 256, 384, 512)
  3. SHA3 (224, 256, 384, 512)
  4. DES3-CBC
  5. AES w/ 128, 192, and 256 bit keys. ECB, CBC, CTR, GCM, and CCM modes.
  6. DRBG
  7. RSA
  8. DH
  9. ECC. ECDSA, ECDH, EC key generation. Curves P-192, P-224, P-256, P-384, P-521.
  10. HMAC
  11. CMAC
  12. HKDF
  13. PBKDF2
  14. TLS PRF
- Support for OpenSSL 1.0.2 and 1.1.1.
- Runs on macOS, Windows, Linux.
- Integrates seamlessly with anything that uses OpenSSL, including:
  1. OpenSSH
  2. nginx
  3. stunnel
  4. OpenVPN
  5. curl
  6. libssh2
  7. libssh
  8. ntpd
  9. mongoDB
  10. Node.js
  11. radius
  12. radsec
  13. syslog-ng
  14. grpc
  15. dhcpd
  16. dhclient
- See wolfProvider for OpenSSL 3.0.0 support.

wolfProvider (code available on GitHub)
- wolfProvider made public on GitHub.
- Allows users of OpenSSL 3.0.0 to achieve FIPS 140-3 Compliance
- Supports:
  1. AES-GCM/CCM/CTR/CBC/ECB
  2. MD5/SHA-1/SHA2/SHA3/SHAKE256
  3. DRBG
  4. RSA/RSA-PSS
  5. DH
  6. ECDH/ECDSA/EC KeyGen with P-192/P-224/P-256/P-384/P-521
  7. HMAC/CMAC/GMAC
  8. HKDF/PBKDF2/PKCS12 PBKDF2/TLS 1.3 KDF/TLS1 PRF
- Runs on Linux

wolfCLU (1 release)
- Additional support added for multiple commands:
  1. ecparam
  2. pkey
  3. req
  4. crl
  5. pkcs12 (parsing)
  6. rsa
  7. rand
  8. s_client
  9. dgst
  10. verify
  11. rsa
  12. md5
- Added in a logging layer and mapping of errors to stderr
- Increased unit tests with ‘make check’ and include running tests as a pre-commit hook
- Support for parsing and using basic config files when doing ‘req’ or ‘ca’ operations
- Enhancements to existing commands:
  1. x509 , -noout and print out of specific parts of certificate
  2. x509 , -days for setting number of days valid
  3. x509 , -pubout to display the public key
  4. More descriptive version print out
  5. PEM output for RSA/ECC key generation
- Initial integration of FIPS 140-3 use
- Refactoring of directories and test certificate locations
- Resolve warnings and issues from using -Wall and static analysis tools

cURL (8 releases)
- https://curl.se/changes.html

wolfSSL JNI/JSSE (2 releases)
- wolfCrypt FIPS 140-3 and FIPS Ready compatibility
- JSSE level memory leak fixes, along with earlier internal memory cleanup.
- Addition of Socket method wrappers for use of wrapped inner Socket objects in WolfSSLSocket
- Updated Android AOSP support
- JSSE level fixes for SSLContext, SSLSocket
- Fixes for static analysis warnings (Infer), exception cases, connection closures, and more.

wolfCrypt JNI/JCE (1 release)
- wolfCrypt FIPS 140-3 and FIPS Ready compatibility
- Compatibility with wolfSSL “–enable-all” and additional build fixes

wolfSSL Python
- Added OpenSSL compatibility layer.
- Updated example certifications.

wolfCrypt Python
- Added signature generation and verification.
- Now works with FIPS ready.
- Support for ed448, PEM RSA keys, and more.

wolfCrypt DO-178C
- wolfCrypt 2
  - AES GCM
  - Environment:
    - Ultrazed-EG(on A53), little endian
    - GCC compiler that comes with Xilinx SDK 2017.4
    - Run Azure RTOS ThreadX SMP version 5.8 on the A53 cores
- wolfCrypt 3
  - SHA-256
  - SHA-384
  - HMAC (SHA-256)
  - HMAC (SHA-384)
  - HASH-DRBG SHA-256
  - AES GCM
  - AES CMAC
  - ECC – P384 (sign/verify/shared secrets)
  - ECC key export
  - X509 cert verify
  - Environment:
    - NXP S32V234 (on A53)
    - Arm Developer Studio version 2019.0-1, with armclang
    - 1120 compiler version 6.12.1

wolfSSL Top 10 Blog Posts/Technical Announcements

2021 Webinars

The wolfSSL team hosted and/or participated in a total of 58 webinars this year. Check out our top 5 webinars of the year.

We host at least one webinar per week, make sure you are checking out our blog page to find out about our webinars! Check out our youtube page for all of our previous webinars!

wolfSSL Organizational Growth

wolfSSL added 9 new team members in 2021. Additions included salespeople, engineers, administrators, and interns.
We expanded our customer base considerably, are now securing connections for over 2,000 products, have partner relationships with over 40 vendors, and are securing well over 2 Billion connections on any given day, worldwide.
wolfSSL represents one of the largest teams focused on a single implementation of TLS/Crypto worldwide. If you know of anyone who fits the following description, please let us know.

wolfSSL Events and Tradeshows

The wolfSSL team participated in a total of 16 events in 2021! As part of these events we were in 11 cities, 5 US states, and 4 countries! We participated in a total of 6 virtual events and were fortunate to attend 10 in-person events. The events we participated this last year included:

In summary, we had a great year! 2021 was successful on multiple fronts, and we look forward to serving our customers and community with ever more secure and functional software in 2022. As always, your feedback is welcome at facts@wolfssl.com.