2
0

README 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341
  1. *** Description ***
  2. The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS
  3. library written in ANSI C and targeted for embedded, RTOS, and
  4. resource-constrained environments - primarily because of its small size, speed,
  5. and feature set. It is commonly used in standard operating environments as well
  6. because of its royalty-free pricing and excellent cross platform support.
  7. wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.2
  8. levels, is up to 20 times smaller than OpenSSL, and offers progressive ciphers
  9. such as ChaCha20, Curve25519, and Blake2b. User benchmarking and feedback
  10. reports dramatically better performance when using wolfSSL over OpenSSL.
  11. wolfSSL is powered by the wolfCrypt library. Two versions of the wolfCrypt
  12. cryptography library have been FIPS 140-2 validated (Certificate #2425 and
  13. certificate #3389). For additional information, visit the wolfCrypt FIPS FAQ
  14. (https://www.wolfssl.com/license/fips/) or contact fips@wolfssl.com
  15. *** Why choose wolfSSL? ***
  16. There are many reasons to choose wolfSSL as your embedded SSL solution. Some of
  17. the top reasons include size (typical footprint sizes range from 20-100 kB),
  18. support for the newest standards (SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3,
  19. DTLS 1.0, and DTLS 1.2), current and progressive cipher support (including
  20. stream ciphers), multi-platform, royalty free, and an OpenSSL compatibility API
  21. to ease porting into existing applications which have previously used the
  22. OpenSSL package. For a complete feature list, see chapter 4 of the wolfSSL
  23. manual. (https://www.wolfssl.com/docs/wolfssl-manual/ch4/)
  24. *** Notes, Please read ***
  25. Note 1)
  26. wolfSSL as of 3.6.6 no longer enables SSLv3 by default. wolfSSL also no longer
  27. supports static key cipher suites with PSK, RSA, or ECDH. This means if you
  28. plan to use TLS cipher suites you must enable DH (DH is on by default), or
  29. enable ECC (ECC is on by default), or you must enable static key cipher suites
  30. with
  31. WOLFSSL_STATIC_DH
  32. WOLFSSL_STATIC_RSA
  33. or
  34. WOLFSSL_STATIC_PSK
  35. though static key cipher suites are deprecated and will be removed from future
  36. versions of TLS. They also lower your security by removing PFS.
  37. When compiling ssl.c, wolfSSL will now issue a compiler error if no cipher
  38. suites are available. You can remove this error by defining
  39. WOLFSSL_ALLOW_NO_SUITES in the event that you desire that, i.e., you're not
  40. using TLS cipher suites.
  41. Note 2)
  42. wolfSSL takes a different approach to certificate verification than OpenSSL
  43. does. The default policy for the client is to verify the server, this means
  44. that if you don't load CAs to verify the server you'll get a connect error,
  45. no signer error to confirm failure (-188).
  46. If you want to mimic OpenSSL behavior of having SSL_connect succeed even if
  47. verifying the server fails and reducing security you can do this by calling:
  48. wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
  49. before calling wolfSSL_new();. Though it's not recommended.
  50. Note 3)
  51. The enum values SHA, SHA256, SHA384, SHA512 are no longer available when
  52. wolfSSL is built with --enable-opensslextra (OPENSSL_EXTRA) or with the macro
  53. NO_OLD_SHA_NAMES. These names get mapped to the OpenSSL API for a single call
  54. hash function. Instead the name WC_SHA, WC_SHA256, WC_SHA384 and WC_SHA512
  55. should be used for the enum name.
  56. *** end Notes ***
  57. For additional vulnerability information visit the vulnerability page at
  58. https://www.wolfssl.com/docs/security-vulnerabilities/
  59. See INSTALL file for build instructions.
  60. More info can be found on-line at https://wolfssl.com/wolfSSL/Docs.html
  61. # wolfSSL Release 5.0.0 (Nov 01, 2021)
  62. [Release 5.0.0](https://github.com/wolfSSL/wolfssl/releases/tag/v5.0.0-stable) of wolfSSL embedded TLS has bug fixes and new features including:
  63. ### Vulnerabilities
  64. * \[Low\] Hang with DSA signature creation when a specific q value is used in a maliciously crafted key. If a DSA key with an invalid q value of either 1 or 0 was decoded and used for creating a signature, it would result in a hang in wolfSSL. Users that are creating signatures with DSA and are using keys supplied from an outside source are affected.
  65. * \[Low\] Issue with incorrectly validating a certificate that has multiple subject alternative names when given a name constraint. In the case where more than one subject alternative name is used in the certificate, previous versions of wolfSSL could incorrectly validate the certificate. Users verifying certificates with multiple alternative names and name constraints, are recommended to either use the certificate verify callback to check for this case or update the version of wolfSSL used. Thanks to Luiz Angelo Daros de Luca for the report.
  66. ### New Feature Additions
  67. ###### New Product
  68. * FIPS 140-3 -- currently undergoing laboratory testing, code review and ultimately CMVP validation. Targeting the latest FIPS standard.
  69. ###### Ports
  70. * IoT-Safe with TLS demo
  71. * SE050 port with support for RNG, SHA, AES, ECC (sign/verify/shared secret) and ED25519
  72. * Support for Renesas TSIP v1.13 on RX72N
  73. ###### Post Quantum
  74. * Support for OQS's (liboqs version 0.7.0) implementation of NIST Round 3 KEMs as TLS 1.3 groups --with-liboqs
  75. * Hybridizing NIST ECC groups with the OQS groups
  76. * Remove legacy NTRU and QSH
  77. * Make quantum-safe groups available to the compatibility layer
  78. ###### Linux Kernel Module
  79. * Full support for FIPS 140-3, with in-kernel power on self test (POST) and conditional algorithm self test(s) (CAST)
  80. * --enable-linuxkm-pie -- position-independent in-kernel wolfCrypt container, for FIPS
  81. * Vectorized x86 acceleration in PK algs (RSA, ECC, DH, DSA) and AES/AES-GCM
  82. * Vectorized x86 acceleration in interrupt handlers
  83. * Support for Linux-native module signatures
  84. * Complete SSL/TLS and Crypto API callable from other kernel module(s)
  85. * Support for LTS kernel lines: 3.16, 4.4, 4.9, 5.4, 5.10
  86. ###### Compatibility Layer Additions
  87. * Ports
  88. - Add support for libssh2
  89. - Add support for pyOpenSSL
  90. - Add support for libimobiledevice
  91. - Add support for rsyslog
  92. - Add support for OpenSSH 8.5p1
  93. - Add support for Python 3.8.5
  94. * API/Structs Added
  95. - ERR_lib_error_string
  96. - EVP_blake2
  97. - wolfSSL_set_client_CA_list
  98. - wolfSSL_EVP_sha512_224
  99. - wolfSSL_EVP_sha512_256
  100. - wc_Sha512_224/2256Hash
  101. - wc_Sha512_224/256Hash
  102. - wc_InitSha512_224/256
  103. - wc_InitSha512_224/256_ex
  104. - wc_Sha512_224/256Update
  105. - wc_Sha512_224/256FinalRaw
  106. - wc_Sha512_224/256Final
  107. - wc_Sha512_224/256Free
  108. - wc_Sha512_224/256GetHash
  109. - wc_Sha512_224/256Copy
  110. - wc_Sha512_224/256SetFlags
  111. - wc_Sha512_224/256GetFlags
  112. - wc_Sha512_224/256Transform
  113. - EVP_MD_do_all and OBJ_NAME_do_all
  114. - EVP_shake128
  115. - EVP_shake256
  116. - SSL_CTX_set_num_tickets
  117. - SSL_CTX_get_num_tickets
  118. - SSL_CIPHER_get_auth_nid
  119. - SSL_CIPHER_get_cipher_nid
  120. - SSL_CIPHER_get_digest_nid
  121. - SSL_CIPHER_get_kx_nid
  122. - SSL_CIPHER_is_aead
  123. - SSL_CTX_set_msg_callback
  124. - a2i_IPADDRESS
  125. - GENERAL_NAME_print
  126. - X509_VERIFY_PARAM_set1_ip
  127. - EVP_CIPHER_CTX_set_iv_length
  128. - PEM_read_bio_RSA_PUBKEY
  129. - i2t_ASN1_OBJECT
  130. - DH_set_length
  131. - Set_tlsext_max_fragment_length
  132. - AUTHORITY_iNFO_ACCESS_free
  133. - EVP_PBE_scrypt
  134. - ASN1_R_HEADER_TOO_LONG
  135. - ERR_LIB
  136. - X509_get_default_cert_file/file_env/dir/dir_env() stubs
  137. - SSL_get_read_ahead/SSL_set_read_ahead()
  138. - SSL_SESSION_has_ticket()
  139. - SSL_SESSION_get_ticket_lifetime_hint()
  140. - DIST_POINT_new
  141. - DIST_POINT_free
  142. - DIST_POINTS_free
  143. - CRL_DIST_POINTS_free
  144. - sk_DIST_POINT_push
  145. - sk_DIST_POINT_value
  146. - sk_DIST_POINT_num
  147. - sk_DIST_POINT_pop_free
  148. - sk_DIST_POINT_free
  149. - X509_get_extension_flags
  150. - X509_get_key_usage
  151. - X509_get_extended_key_usage
  152. - ASN1_TIME_to_tm
  153. - ASN1_TIME_diff
  154. - PEM_read_X509_REQ
  155. - ERR_load_ERR_strings
  156. - BIO_ssl_shutdown
  157. - BIO_get_ssl
  158. - BIO_new_ssl_connect
  159. - BIO_set_conn_hostname
  160. - NID_pkcs9_contentType
  161. ###### Misc.
  162. * KCAPI: add support for using libkcapi for crypto (Linux Kernel)
  163. * Configure option for --with-max-rsa-bits= and --with-max-ecc-bits=
  164. * SP ARM Thumb support for Keil and performance improvements
  165. * Add support for WOLFSSL_VERIFY_POST_HANDSHAKE verify mode
  166. * PKCS #11: support static linking with PKCS #11 library --enable-pkcs11=static LIBS=-l
  167. * Add build option --enable-wolfclu for use with wolfCLU product
  168. * Add support for X9.42 header i.e “BEGIN X9.42 DH PARAMETERS”
  169. * Add --enable-altcertchains for configuring wolfSSL with alternate certificate chains feature enabled
  170. * Add public API wc_RsaKeyToPublicDer_ex to allow getting RSA public key without ASN.1 header (can return only seq + n + e)
  171. * Add SNI and TLSx options to CMake build
  172. ### Fixes
  173. ###### PORT Fixes
  174. * Add return value checking for FREESCALE_RNGA
  175. * Fix MMCAU_SHA256 type warnings
  176. * Fixes for building with Microchip XC32 and ATECC
  177. ###### Math Library Fixes
  178. * TFM check that the modulus length is valid for fixed data array size
  179. * TFM fp_submod_ct fix check for greater
  180. * Check return value of mp_grow in mp_mod_2d
  181. * Fix for ECC point multiply to error out on large multipliers
  182. * SP ECC error on multiplier larger than curve order
  183. ###### TLS 1.3
  184. * TLS1.3 sanity check for cases where a private key is larger than the configured maximum
  185. * Fix early data max size handling in TLS v1.3
  186. * Fixes for PK callbacks with TLS v1.3
  187. * Check min downgrade when no extensions are sent with the ServerHello
  188. ###### Misc.
  189. * Previously wolfSSL enum values were used as NID’s. Now only the compatibility layer NID enums are the NID values:
  190. - CTC_SHAwDSA -> NID_dsaWithSHA1
  191. - CTC_SHA256wDSA -> NID_dsa_with_SHA256
  192. - CTC_MD2wRSA -> NID_md2WithRSAEncryption
  193. - CTC_MD5wRSA -> NID_md5WithRSAEncryption
  194. - CTC_SHAwRSA -> NID_sha1WithRSAEncryption
  195. - CTC_SHA224wRSA -> NID_sha224WithRSAEncryption
  196. - CTC_SHA256wRSA -> NID_sha256WithRSAEncryption
  197. - CTC_SHA384wRSA -> NID_sha384WithRSAEncryption
  198. - CTC_SHA512wRSA -> NID_sha512WithRSAEncryption
  199. - CTC_SHA3_224wRSA -> NID_RSA_SHA3_224
  200. - CTC_SHA3_256wRSA -> NID_RSA_SHA3_256
  201. - CTC_SHA3_384wRSA -> NID_RSA_SHA3_384
  202. - CTC_SHA3_512wRSA -> NID_RSA_SHA3_512
  203. - CTC_SHAwECDSA -> NID_ecdsa_with_SHA1
  204. - CTC_SHA224wECDSA -> NID_ecdsa_with_SHA224
  205. - CTC_SHA256wECDSA -> NID_ecdsa_with_SHA256
  206. - CTC_SHA384wECDSA -> NID_ecdsa_with_SHA384
  207. - CTC_SHA512wECDSA -> NID_ecdsa_with_SHA512
  208. - CTC_SHA3_224wECDSA -> NID_ecdsa_with_SHA3_224
  209. - CTC_SHA3_256wECDSA -> NID_ecdsa_with_SHA3_256
  210. - CTC_SHA3_384wECDSA -> NID_ecdsa_with_SHA3_384
  211. - CTC_SHA3_512wECDSA -> NID_ecdsa_with_SHA3_512
  212. - DSAk -> NID_dsa
  213. - RSAk -> NID_rsaEncryption
  214. - ECDSAk -> NID_X9_62_id_ecPublicKey
  215. - BASIC_CA_OID -> NID_basic_constraints
  216. - ALT_NAMES_OID -> NID_subject_alt_name
  217. - CRL_DIST_OID -> NID_crl_distribution_points
  218. - AUTH_INFO_OID -> NID_info_access
  219. - AUTH_KEY_OID -> NID_authority_key_identifier
  220. - SUBJ_KEY_OID -> NID_subject_key_identifier
  221. - INHIBIT_ANY_OID -> NID_inhibit_any_policy
  222. * Fix for DES IV size used with FIPSv2
  223. * Fix signed comparison issue with serialSz
  224. * Fix missing CBIOSend and properly guard hmac in DupSSL()
  225. * Fix calculation of length of encoding in ssl.c
  226. * Fix encoding to check proper length in asn.c
  227. * Fix for wc_ecc_ctx_free and heap hint
  228. * Fix for debug messages with AF_ALG build
  229. * Fix for static memory with bucket size matching.
  230. * Fixes for SRP with heap hint.
  231. * Fixes for CAAM build macros and spelling for Keil build
  232. * Sniffer fix for possible math issue around 64-bit pointer and 32-bit unsigned int
  233. * Fix for sniffer TCP sequence rollover
  234. * wolfSSL_PEM_write_bio_PUBKEY to write only the public part
  235. * Fix for sending only supported groups in TLS extension
  236. * Fix for sniffer to better handle spurious retransmission edge case
  237. * SSL_set_alpn_protos and SSL_CTX_set_alpn_protos now returns 0 on successFixes issue with SSL_CTX_set1_curves_list and SSL_set1_curves_list not checking the last character of the names variable provided, non-0 on failure to better match expected return values
  238. * Fixes and improvements for crypto callbacks with TLS (mutual auth)
  239. * Fix for bad memory_mutex lock on static memory cleanup
  240. * Zero terminate name constraints strings when parsing certificates
  241. * Fix for verifying a certificate when multiple permitted name constraints are used
  242. * Fix typo in ifdef for HAVE_ED448
  243. * Fix typos in comments in SHA512
  244. * Add sanity check on buffer size with ED25519 key decode
  245. * Sanity check on PKCS7 stream amount read
  246. * PKCS7 fix for double free on error case and sanity check on set serial number
  247. * Sanity check on PKCS7 input size wc_PKCS7_ParseSignerInfo
  248. * Forgive a DTLS session trying to send too much at once
  249. ### Improvements/Optimizations
  250. ###### Build Options and Warnings
  251. * Rework of RC4 disable by default and depreciation
  252. * wolfSSL as a Zephyr module (without setup.sh)
  253. * Add include config.h to bio.c
  254. * Support for PKCS7 without AES CBC.
  255. * Fixes for building without AES CBC
  256. * Added WOLFSSL_DH_EXTRA to --enable-all and --enable-sniffer
  257. * Add a CMake option to build wolfcrypt test and bench code as libraries
  258. * GCC makefile: allow overriding and provide more flexibility
  259. ###### Math Libraries
  260. * Improve performance of fp_submod_ct() and fp_addmod_ct()
  261. * Improve performance of sp_submod_ct() and sp_addmod_ct()
  262. * SP int, handle even modulus with exponentiation
  263. ###### Misc.
  264. * Cleanups for Arduino examples and memory documentation
  265. * Refactor hex char to byte conversions
  266. * Added GCC-ARM TLS server example
  267. * Improvements to session locking to allow per-row
  268. * Improved sniffer statistics and documentation
  269. * EVP key support for heap hint and crypto callbacks
  270. * Reduced stack size for dh_generation_test and Curve ASN functions
  271. * Espressif README Syntax / keyword highlighting / clarifications
  272. * AARCH64 SHA512: implementation using crypto instructions added
  273. * wc_RsaPSS_CheckPadding_ex2 added for use with HEAP hint
  274. * wc_AesKeyWrap_ex and wc_AesKeyUnWrap_ex bound checks on input and output sizes
  275. * Add additional error handling to wolfSSL_BIO_get_len
  276. * Add code to use popen and the command 'host', useful with qemu
  277. * Adjustment to subject alt names order with compatibility layer to better match expected order
  278. * Reduce BIO compatibility layer verbosity
  279. * Set a default upper bound on error queue size with compatibility layer
  280. * WOLFSSL_CRL_ALLOW_MISSING_CDP macro for Skip CRL verification in case no CDP in peer cert
  281. * Fixes for scan-build LLVM-13 and expanded coverage
  282. * Increase the default DTLS_MTU_ADDITIONAL_READ_BUFFER and make it adjustable
  283. *** Resources ***
  284. [wolfSSL Website](https://www.wolfssl.com/)
  285. [wolfSSL Wiki](https://github.com/wolfSSL/wolfssl/wiki)
  286. [FIPS FAQ](https://wolfssl.com/license/fips)
  287. [wolfSSL Documents](https://wolfssl.com/wolfSSL/Docs.html)
  288. [wolfSSL Manual](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-toc.html)
  289. [wolfSSL API Reference]
  290. (https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-17-wolfssl-api-reference.html)
  291. [wolfCrypt API Reference]
  292. (https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-18-wolfcrypt-api-reference.html)
  293. [TLS 1.3](https://www.wolfssl.com/docs/tls13/)
  294. [wolfSSL Vulnerabilities]
  295. (https://www.wolfssl.com/docs/security-vulnerabilities/)
  296. Additional wolfSSL Examples](https://github.com/wolfssl/wolfssl-examples)