*** Description ***

The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS
library written in ANSI C and targeted for embedded, RTOS, and
resource-constrained environments - primarily because of its small size, speed,
and feature set. It is commonly used in standard operating environments as well
because of its royalty-free pricing and excellent cross-platform support.
wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.2
levels, is up to 20 times smaller than OpenSSL, and offers progressive ciphers
such as ChaCha20, Curve25519, and Blake2b. User benchmarking and feedback
reports dramatically better performance when using wolfSSL over OpenSSL.

wolfSSL is powered by the wolfCrypt library. Two versions of the wolfCrypt
cryptography library have been FIPS 140-2 validated (Certificate #2425 and
certificate #3389). For additional information, visit the wolfCrypt FIPS FAQ
(https://www.wolfssl.com/license/fips/) or contact fips@wolfssl.com.

*** Why choose wolfSSL? ***

There are many reasons to choose wolfSSL as your embedded SSL solution. Some of
the top reasons include size (typical footprint sizes range from 20-100 kB),
support for the newest standards (SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3,
DTLS 1.0, and DTLS 1.2), current and progressive cipher support (including
stream ciphers), multi-platform, royalty free, and an OpenSSL compatibility API
to ease porting into existing applications which have previously used the
OpenSSL package. For a complete feature list, see chapter 4 of the wolfSSL
manual (https://www.wolfssl.com/docs/wolfssl-manual/ch4/).
*** Notes, Please read ***

Note 1)
wolfSSL as of 3.6.6 no longer enables SSLv3 by default. wolfSSL also no longer
supports static key cipher suites with PSK, RSA, or ECDH. This means if you
plan to use TLS cipher suites you must enable DH (DH is on by default), or
enable ECC (ECC is on by default), or you must enable static key cipher suites
with one of

    WOLFSSL_STATIC_DH
    WOLFSSL_STATIC_RSA
    WOLFSSL_STATIC_PSK

though static key cipher suites are deprecated and will be removed from future
versions of TLS. They also lower your security by removing PFS.

When compiling ssl.c, wolfSSL will now issue a compiler error if no cipher
suites are available. You can remove this error by defining
WOLFSSL_ALLOW_NO_SUITES in the event that you desire that, i.e., you're not
using TLS cipher suites.

Note 2)
wolfSSL takes a different approach to certificate verification than OpenSSL
does. The default policy for the client is to verify the server. This means
that if you don't load CAs to verify the server you'll get a connect error,
with a "no signer" error (-188) to confirm the failure.

If you want to mimic OpenSSL behavior of having SSL_connect succeed even if
verifying the server fails, reducing security, you can do this by calling:

    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

before calling wolfSSL_new(). Though it's not recommended.

Note 3)
The enum values SHA, SHA256, SHA384, SHA512 are no longer available when
wolfSSL is built with --enable-opensslextra (OPENSSL_EXTRA) or with the macro
NO_OLD_SHA_NAMES. These names get mapped to the OpenSSL API for a single call
hash function. Instead, the names WC_SHA, WC_SHA256, WC_SHA384 and WC_SHA512
should be used for the enum values.

*** end Notes ***
# wolfSSL Release 5.4.0 (July 11, 2022)

Note:
** Future releases of wolfSSL will turn off TLS 1.1 by default
** Release 5.4.0 made SP math the default math implementation. Making a build equivalent to --disable-fastmath from previous versions of wolfSSL now requires the configure option --enable-heapmath instead.

Release 5.4.0 of wolfSSL embedded TLS has bug fixes and new features including:

## Vulnerabilities
* [High] Potential for DTLS DoS attack. In wolfSSL versions before 5.4.0 the return-routability check is wrongly skipped in a specific edge case. The return-routability check is there to stop attacks that either consume excessive resources on the server or try to use the server as an amplifier sending an excessive amount of messages to a victim IP. Users running DTLS 1.0/1.2 on the server side should update to avoid the potential DoS attack. CVE-2022-34293
* [Medium] Ciphertext side channel attack on ECC and DH operations. Users on systems where rogue agents can monitor memory use should update the version of wolfSSL and change private ECC keys. Thanks to Sen Deng from Southern University of Science and Technology (SUSTech) for the report.
* [Medium] Public disclosure of a side channel vulnerability that has been fixed since wolfSSL version 5.1.0. When running on AMD there is the potential to leak private key information with ECDSA operations due to a ciphertext side channel attack. Users on AMD doing ECDSA operations with wolfSSL versions less than 5.1.0 should update. Thanks to professor Yinqian Zhang from Southern University of Science and Technology (SUSTech), his Ph.D. student Mengyuan Li from The Ohio State University, and his M.S. students Sen Deng and Yining Tang from SUSTech along with other collaborators: Luca Wilke, Jan Wichelmann and Professor Thomas Eisenbarth from the University of Lübeck, Professor Shuai Wang from Hong Kong University of Science and Technology, Professor Radu Teodorescu from The Ohio State University, Huibo Wang, Kang Li and Yueqiang Cheng from Baidu Security and Shoumeng Yang from Ant Financial Services Group.
  CVE-2020-12966 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1013
  CVE-2021-46744 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1033
## New Feature Additions

### DTLS 1.3
* Support for using the new DTLSv1.3 protocol was added
* Enhancements to bundled examples for an event driven server with DTLS 1.3 were added

### Ports
* Update for the version of VxWorks supported, adding in support for version 6.x
* Support for new DPP and EAP-TEAP/EAP-FAST in wpa_supplicant
* Update for TSIP version support, adding support for version 1.15 for RX65N and RX72N
* Improved TSIP build to handle having the options WOLFSSL_AEAD_ONLY defined or NO_AES_CBC defined
* Added support for offloading TLS1.3 operations to Renesas RX boards with TSIP

### Misc.
* Constant time improvements due to development of new constant time tests
* Initial translation of API headers to Japanese and expansion of Japanese help message support in example applications
* Add support for some FPKI (Federal PKI) certificate cases, UUID, FASC-N, PIV extension for use with smart cards
* Add support for parsing additional CSR attributes such as unstructured name and content type
* Add support for Linux getrandom() when defining the macro WOLFSSL_GETRANDOM
* Add TLS 1.2 ciphersuite ECDHE_PSK_WITH_AES_128_GCM_SHA256 from RFC 8442
* Expand CAAM support with QNX to include i.MX8 boards and add AES-CTR support
* Enhanced glitching protection by hardening the TLS encrypt operations

## Math and Performance

### SP Math Additions
* Support for ARMv3, ARMv6 and ARMv7a
  - Changes and improvements to get SP building for armv7-a
  - Updated assembly for moving large immediate values on ARMv6
  - Support for architectures with no ldrd/strd and clz
* Reworked generation using common asm ruby code for 32bit ARM
* Enable wolfSSL SP math all by default (sp_int.c)
* Update SP math all to not use sp_int_word when SQR_MUL_ASM is available

### SP Math Fixes
* Fixes for constant time with div function
* Fix casting warnings for Windows builds and assembly changes to support XMM6-15 being non-volatile
* Fix for div_word when not using div function
* Fixes for user settings with SP ASM and ED/Curve25519 small
* Additional Wycheproof tests ran and fixes
* Fix for SP math ECC non-blocking to always check `hashLen`
* Fix for SP math handling edge case with submod
## Improvements and Optimizations

### Compatibility Layer
* Provide access to "Finished" messages outside of compatibility layer builds
* Remove unneeded FIPS guard on wolfSSL_EVP_PKEY_derive
* Fix control command issues with AES-GCM, control command EVP_CTRL_GCM_IV_GEN
* Add support for importing private only EC key to a WOLFSSL_EVP_PKEY struct
* Add support for more extensions to wolfSSL_X509_print_ex
* Update for internal to DER (i2d) APIs to move the buffer pointer when passed in and the operation is successful
* Return subject and issuer X509_NAME object even when not set

### Ports
* Renesas RA6M4 example update and fixes
* Support multi-threaded use cases with Renesas SCE protected mode and TSIP
* Add a global variable for heap-hint for use with TSIP
* Changes to support v5.3.0 cube pack for STM32
* Use the correct mutex type for embOS
* ESP-IDF build cleanup and enhancements, adding in note regarding ESP-IDF Version
* Support for SEGGER embOS and emNET
* Fix to handle WOLFSSL_DTLS macro in Micrium build

### Build Options
* Support for verify only and no-PSS builds updated
* Add the enable option wolfssh (mapped to the existing --enable-ssh)
* Remove WOLFSSL_ALT_NAMES restriction on notBefore/notAfter use in Cert struct
* Move several more definitions outside the BUILDING_WOLFSSL gate with linux kernel module build
* Modify --enable-openssh to not enable non-FIPS algos for FIPS builds
* Remove the Python wrappers from wolfSSL source (use pip install instead of using wolfSSL with Python and our separate Python repository)
* Add --enable-openldap option to configure.ac for building the OpenLDAP port
* Resolve DTLS build to handle not having --enable-hrrcookie when not needed
* Add an --enable-strongswan option to configure.ac for building the Strongswan port
* Improve defaults for 64-bit BSDs in configure
* Crypto only build can now be used with openssl extra
* Update ASN template build to properly handle WOLFSSL_CERT_EXT and HAVE_OID_ENCODING
* Allow using 3DES and MD5 with FIPS 140-3, as they fall outside of the FIPS boundary
* Add the build option --enable-dh=const which replaces setting the macro WOLFSSL_DH_CONST and now conditionally links to -lm as needed
* Add the macro WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY which is used to verify hostname/ip address using alternate name (SAN) only and does not use the common name
* WOLFSSL_DTLS_NO_HVR_ON_RESUME macro added (off by default to favor more security). If defined, a DTLS server will not do a cookie exchange on successful client resumption: the resumption will be faster (one RTT less) and will consume less bandwidth (one ClientHello and one HelloVerifyRequest less). On the other hand, if a valid SessionID is collected, forged ClientHello messages will consume resources on the server.
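The build-time choices from Note 1, Note 3 and the options above, gathered into one `user_settings.h` with the weaker alternatives shown beside the hardened ones. This is an added example, not a file shipped in the wolfSSL repository; the macros not named on this page (HAVE_SUPPORTED_CURVES, HAVE_TLS_EXTENSIONS, HAVE_HKDF, WC_RSA_PSS, HAVE_AEAD, NO_OLD_TLS, USE_FAST_MATH, HAVE_ECC) are standard wolfSSL settings assumed here.

```c
/* user_settings.h: added example, not a file from the wolfSSL repository.
 * Compile wolfSSL with -DWOLFSSL_USER_SETTINGS so it reads this file.
 * Macros not named in the README (HAVE_*, WC_RSA_PSS, NO_OLD_TLS,
 * USE_FAST_MATH) are standard wolfSSL settings assumed here. */
#ifndef USER_SETTINGS_H
#define USER_SETTINGS_H

/* Key exchange (Note 1): keep ECC/DH-based PFS suites available so the
 * "no cipher suites" compile error never fires and no static-key suite
 * is needed. */
#define HAVE_ECC
#define HAVE_SUPPORTED_CURVES
#define HAVE_TLS_EXTENSIONS
#define WOLFSSL_TLS13
#define HAVE_HKDF
#define WC_RSA_PSS
#define HAVE_AEAD
/* Drop SSL 3.0 / TLS 1.0 / TLS 1.1 now rather than waiting for the
 * default to flip in a future release. */
#define NO_OLD_TLS

/* Weaker alternatives, kept here only so nobody re-adds them by habit:
 * #define WOLFSSL_STATIC_RSA       static RSA key exchange, no PFS
 * #define WOLFSSL_ALLOW_NO_SUITES  silences the compile error instead
 *                                  of fixing the suite selection       */

/* Math (5.4.0): SP math all is the new default; USE_FAST_MATH would be
 * the old --enable-fastmath behaviour. */
#define WOLFSSL_SP_MATH_ALL

/* Hash enums (Note 3): use WC_SHA256 etc., never the old bare names. */
#define NO_OLD_SHA_NAMES

/* Entropy: Linux getrandom() instead of reading /dev/urandom. */
#define WOLFSSL_GETRANDOM

/* Hostname check against SAN only; the CN is never consulted. */
#define WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY

/* DTLS: WOLFSSL_DTLS_NO_HVR_ON_RESUME is deliberately left undefined so a
 * resumed session still goes through the cookie exchange; with it defined,
 * a forged ClientHello carrying a captured SessionID consumes server
 * resources, as the option's description above notes. */
#define WOLFSSL_DTLS

#endif /* USER_SETTINGS_H */
```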
### Misc.
* Refactoring of some internal TLS functions to reduce the memory usage
* Make old less secure TimingPadVerify implementation available
* Add support for aligned data with clang LLVM
* Remove subject/issuer email from the list of alt. Email names in the DecodedCerts struct
* Zeroizing of pre-master secret buffer in TLS 1.3
* Update to allow TLS 1.3 application server to send session ticket
* Improve the sniffer asynchronous test case to support multiple concurrent streams
* Clean up wolfSSL_clear() and add more logging
* Update to not error out on bad CRL next date if using NO_VERIFY when parsing
* Add an example C# PSK client
* Add ESP-IDF WOLFSSL_ESP8266 setting for ESP8266 devices
* Support longer sigalg list for post quantum use cases and inter-op with OQS's OpenSSL fork
* Improve AES-GCM word implementation of GMULT to be constant time
* Additional sanity check with Ed25519/Ed448, now defaults to assume public key is not trusted
* Support PSK ciphersuites in benchmark apps
* FIPS in core hash using SHA2-256 and SHA2-384
* Add ability to store issuer name components when parsing a certificate
* Make the critical extension flags in DecodedCert always available
* Updates to the default values for basic constraint with X509's
* Support using RSA OAEP with no malloc and add additional sanity checks
* Leverage async code paths to support WANT_WRITE while sending packet fragments
* New azsphere example for continuous integration testing
* Update RSA key generation function to handle pairwise consistency tests with static memory pools used
* Resolve build time warning by passing in and checking output length with internal SetCurve function
* Support DTLS bidirectional shutdown in the examples
* Improve DTLS version negotiation and downgrade capability
### General Fixes
* Fixes for STM32 Hash/PKA, add some missing mutex frees, and add an additional benchmark
* Fix missing return checks in KSDK ED25519 code
* Fix compilation warnings from IAR
* Fixes for STM32U5/H7 hash/crypto support
* Fix for using track memory feature with FreeRTOS
* Fixup XSTR processing for MICRIUM
* Update Zephyr fs.h path
* DTLS fixes with WANT_WRITE simulations
* Fixes for BER use with PKCS7 to have additional sanity checks and guards on edge cases
* Fix to handle exceptional edge case with TFM mp_exptmod_ex
* Fix for stack and heap measurements of a 32-bit build
* Fix to allow enabling AES key wrap (direct) with KCAPI
* Fix --enable-openssh FIPS detection syntax in configure.ac
* Fix to move wolfSSL_ERR_clear_error outside gate for OPENSSL_EXTRA
* Remove MCAPI project's dependency on zlib version
* Only use __builtin_offset on supported GCC versions (4+)
* Fix for c89 builds with using WOLF_C89
* Fix 64bit postfix for constants building with powerpc
* Fixed async Sniffer with TLS v1.3, async removal of `WC_HW_WAIT_E` and sanitize leak
* Fix for QAT ECC to gate use of HW based on marker
* Fix the supported version extension to always check minDowngrade
* Fix for TLS v1.1 length sanity check for large messages
* Fixes for loading a long DER/ASN.1 certificate chain
* Fix to expose the RSA public DER export functions with certgen
* Fixes for building with small version of SHA3
* Fix configure with WOLFSSL_WPAS_SMALL
* Fix to free PKCS7 recipient list in error cases
* Sanity check to confirm ssl->hsHashes is not NULL before attempting to dereference it
* Clear the leftover byte count in Aes struct when setting IV

For additional vulnerability information visit the vulnerability page at:
https://www.wolfssl.com/docs/security-vulnerabilities/

See INSTALL file for build instructions.
More info can be found on-line at: https://wolfssl.com/wolfSSL/Docs.html
# wolfSSL Release 5.3.0 (May 3rd, 2022)

*** Resources ***

[wolfSSL Website](https://www.wolfssl.com/)
[wolfSSL Wiki](https://github.com/wolfSSL/wolfssl/wiki)
[FIPS FAQ](https://wolfssl.com/license/fips)
[wolfSSL Documents](https://wolfssl.com/wolfSSL/Docs.html)
[wolfSSL Manual](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-toc.html)
[wolfSSL API Reference](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-17-wolfssl-api-reference.html)
[wolfCrypt API Reference](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-18-wolfcrypt-api-reference.html)
[TLS 1.3](https://www.wolfssl.com/docs/tls13/)
[wolfSSL Vulnerabilities](https://www.wolfssl.com/docs/security-vulnerabilities/)
[Additional wolfSSL Examples](https://github.com/wolfssl/wolfssl-examples)