The release of wolfSSL version 4.2.0 is now available!
Many exciting new features were added in this release along with optimizations and some fixes. wolfSSL has spent 10,000 hours worth of engineering on creating the code for this release. We’ve added new features, ports, and made it more robust. For a full list of fixes, optimizations, and recommendations check out our README on GitHub (https://github.com/wolfSSL/wolfssl) or the ChangeLog.md in the main download from www.wolfssl.com. We suggest that all users keep up to date with wolfSSL versions to get access to new features, optimizations, and minor fixes. We also have a list of higher severity fixes in the bottom of the README/ChangeLog to help answer any questions on security related fixes and changes. Feel free to reach out to us at facts (at) wolfssl.com with any questions regarding the release.
This is a list of the notable exciting new features in wolfSSL version 4.2.0:
- Over 198 OpenSSL compatibility API’s added
- This includes the support for many open source projects such as NGINX (https://www.nginx.com/)
- The additions make it easier to migrate projects from OpenSSL to wolfSSL and keep support for FIPS active
- Apache (https://www.apache.org/) port added for compiling with wolfSSL using –enable-apachehttpd
- Port for using wolfSSL with OpenVSwitch (https://openvpn.net/community-resources/ethernet-bridging/)
- Port for Renesas TSIP (https://www.renesas.com/br/en/products/software-tools/software-os-middleware-driver/security-crypto/trusted-secure-ip-driver.html)
- Visual Studio Solution for Azure Sphere Devices (MT3620 and MT3620-mini) added to the directory IDE/VS-AZURE-SPHERE
- Addition of Coldfire MCF5441X NetBurner example to the directory IDE/M68K/
- Added support for prime checking to SP math build
- Addition of DYNAMIC_TYPE_BIGINT type for tracking mp_int allocations
- Addition of wc_ecc_get_curve_params API for getting ecc_set_type params for a curve
- Adding in TLS_SHA256_SHA256 and TLS_SHA384_SHA384 TLS1.3 cipher suites (null ciphers)
- Added in PKCS7 decryption callbacks for CMS operations
- Added handling for optional ECC parameters with PKCS7 KARI
- Addition to configure.ac for FIPS wolfRand builds
- Adding the flag WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY for ignoring certificate date checks with the functions wolfSSL_CTX_load_verify_buffer_ex and wolfSSL_CTX_load_verify_locations_ex
- Support for PKCS8 keys added to the function wolfSSL_CTX_use_PrivateKey_buffer
- Support for KECCAK hashing. Build with macro WOLFSSL_HASH_FLAGS and call wc_Sha3_SetFlags(&sha, WC_HASH_SHA3_KECCAK256) before the first SHA3 update
- Addition of setting secure renegotiation at CTX level
- Addition of KDS (NXP Kinetis Design Studio) example project to directory IDE/KDS/ (https://www.nxp.com/design/designs/design-studio-integrated-development-environment-ide:KDS_IDE)
- Support for Encrypt-Then-MAC to TLS 1.2 and below
- Added a new build option for a TITAN session cache that can hold just over 2 million session entries (–enable-titancache)
- Synchronous Quick Assist Support for Sniffer
- Added Support for SiFive HiFive Unleashed board
- Support for Google WebRTC added in to compatibility layer build (https://webrtc.org/)
- Additional Sniffer features; IPv6 sniffer support, Fragment chain input, Data store callback, Various statistics tweaks and other Sniffer fixes
We have the best tested crypto and a goal to release code without any bugs or issues, but being human, some do slip through. In our effort to be as transparent as possible this is a list of fixes that we feel users should be aware of when considering whether to update to the latest wolfSSL version:
- Fix for sanity check on reading TLS 1.3 pre-shared key extension. This fixes a potential for an invalid read when TLS 1.3 and pre-shared keys is enabled. Users without TLS 1.3 enabled are unaffected. Users with TLS 1.3 enabled and HAVE_SESSION_TICKET defined or NO_PSK not defined should update wolfSSL versions. Thanks to Robert Hoerr for the report.
- Fix for potential program hang when ocspstapling2 is enabled. This is a moderate level fix that affects users who have ocspstapling2 enabled(off by default) and are on the server side. In parsing a CSR2 (Certificate Status Request v2 ) on the server side, there was the potential for a malformed extension to cause a program hang. Thanks to Robert Hoerr for the report.
- Two moderate level fixes involving an ASN.1 over read by one byte. CVE-2019-15651 is for a fix that is due to a potential one byte over read when decoding certificate extensions. CVE-2019-16748 is for a fix on a potential one byte overread with checking certificate signatures. This affects builds that do certificate parsing and do not have the macro NO_SKID defined.Thanks to Yan Jia and the researcher team from Institute of Software, Chinese Academy of Sciences for the report.
- High level fix for DSA operations involving an attack on recovering DSA private keys. This fix affects users that have DSA enabled and are performing DSA operations (off by default). All users that have DSA enabled and are using DSA keys are advised to regenerate DSA keys and update wolfSSL version. ECDSA is NOT affected by this and TLS code is NOT affected by this issue. This affects a very small percentage of users (~ less than 1%). Thanks to Ján Jan?ár for the report.
For additional vulnerability information visit the vulnerability page at https://www.wolfssl.com/docs/security-vulnerabilities/
Love from wolfSSL <3