*** Description ***

The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS
library written in ANSI C and targeted for embedded, RTOS, and
resource-constrained environments - primarily because of its small size, speed,
and feature set. It is commonly used in standard operating environments as well
because of its royalty-free pricing and excellent cross platform support.
wolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.2
levels, is up to 20 times smaller than OpenSSL, and offers progressive ciphers
such as ChaCha20, Curve25519, and Blake2b. User benchmarking and feedback
reports dramatically better performance when using wolfSSL over OpenSSL.

wolfSSL is powered by the wolfCrypt library. Two versions of the wolfCrypt
cryptography library have been FIPS 140-2 validated (Certificate #2425 and
certificate #3389). For additional information, visit the wolfCrypt FIPS FAQ
(https://www.wolfssl.com/license/fips/) or contact fips@wolfssl.com.
*** Why choose wolfSSL? ***

There are many reasons to choose wolfSSL as your embedded SSL solution. Some of
the top reasons include size (typical footprint sizes range from 20-100 kB),
support for the newest standards (SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3,
DTLS 1.0, and DTLS 1.2), current and progressive cipher support (including
stream ciphers), multi-platform, royalty free, and an OpenSSL compatibility API
to ease porting into existing applications which have previously used the
OpenSSL package. For a complete feature list, see chapter 4 of the wolfSSL
manual (https://www.wolfssl.com/docs/wolfssl-manual/ch4/).
*** Notes, Please read ***

Note 1)
wolfSSL as of 3.6.6 no longer enables SSLv3 by default. wolfSSL also no longer
enables static key cipher suites (PSK, RSA, or ECDH) by default. This means if
you plan to use TLS cipher suites you must enable DH (DH is on by default), or
enable ECC (ECC is on by default), or you must enable static key cipher suites
with one of:

    WOLFSSL_STATIC_DH
    WOLFSSL_STATIC_RSA
    WOLFSSL_STATIC_PSK

though static key cipher suites are deprecated and will be removed from future
versions of TLS. They also lower your security by removing PFS (perfect forward
secrecy).

When compiling ssl.c, wolfSSL will now issue a compiler error if no cipher
suites are available. You can remove this error by defining
WOLFSSL_ALLOW_NO_SUITES if that is what you intend, i.e., you are not using TLS
cipher suites at all.
Note 2)
wolfSSL takes a different approach to certificate verification than OpenSSL
does. The default policy for the client is to verify the server. This means
that if you don't load CAs to verify the server, you'll get a connect error
and wolfSSL reports a "no signer to confirm failure" error (-188).

If you want to mimic OpenSSL behavior of having SSL_connect succeed even if
verifying the server fails, reducing security, you can do this by calling:

    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

before calling wolfSSL_new(). Though it's not recommended.
Note 3)
The enum values SHA, SHA256, SHA384, SHA512 are no longer available when
wolfSSL is built with --enable-opensslextra (OPENSSL_EXTRA) or with the macro
NO_OLD_SHA_NAMES. These names get mapped to the OpenSSL API for a single call
hash function. Instead the enum names WC_SHA, WC_SHA256, WC_SHA384 and
WC_SHA512 should be used.

*** end Notes ***
# wolfSSL Release 5.6.3 (Jun 20, 2023)

Release 5.6.3 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.

Release 5.6.3 of wolfSSL embedded TLS has 4 bug fixes:

* Fix for setting the atomic macro options introduced in release 5.6.2. This issue affects GNU gcc autoconf builds. The fix resolves a potential mismatch of the generated macros defined in options.h file and the macros used when the wolfSSL library is compiled. In version 5.6.2 this mismatch could result in unstable runtime behavior.
* Fix for invalid suffix error with Windows build using the macro GCM_TABLE_4BIT.
* Improvements to Encrypted Memory support (WC_PROTECT_ENCRYPTED_MEM) implementations for modular exponentiation in SP math-all (sp_int.c) and TFM (tfm.c).
* Improvements to SendAlert for getting output buffer.
# wolfSSL Release 5.6.2 (Jun 09, 2023)

Release 5.6.2 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

NOTE: --enable-heapmath is being deprecated and will be removed by 2024

Release 5.6.2 of wolfSSL embedded TLS has bug fixes and new features including:

## Vulnerabilities

* [Low] In cases where a malicious agent could analyze cache timing at a very detailed level, information about the AES key used could be leaked during T/S Box lookups. One such case was shown on RISC-V hardware using the MicroWalk tool (https://github.com/microwalk-project/Microwalk). A hardened version of T/S Box lookups was added in wolfSSL to help mitigate this potential attack and is now on by default with RISC-V builds and can be enabled on other builds if desired by compiling wolfSSL with the macro WOLFSSL_AES_TOUCH_LINES. Thanks to Jan Wichelmann, Christopher Peredy, Florian Sieck, Anna Pätschke, Thomas Eisenbarth (University of Lübeck): MAMBO-V: Dynamic Side-Channel Leakage Analysis on RISC-V. Fixed in the following GitHub pull request https://github.com/wolfSSL/wolfssl/pull/6309
* [High] In previous versions of wolfSSL if a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM value when generating the session master secret. Using a potentially known IKM value when generating the session master secret key compromises the key generated, allowing an eavesdropper to reconstruct it and potentially allowing surreptitious access to or meddling with message contents in the session. This issue does not affect client validation of connected servers, nor expose private key information, but could result in an insecure TLS 1.3 session when not controlling both sides of the connection. We recommend that TLS 1.3 client side users update the version of wolfSSL used. Thanks to Johannes from Sectra Communications and Linköping University for the report. Fixed in the following GitHub pull request https://github.com/wolfSSL/wolfssl/pull/6412
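The [High] item above describes a TLS 1.3 client that accepted a ServerHello carrying neither a key_share nor a pre_shared_key extension and then fell back to a fixed IKM. The following is an added example, not code from wolfSSL or from pull request #6412, showing the check a client must perform on the ServerHello extension block before entering the key schedule: refuse to continue unless one of those two extensions is present, since without them there is no secret input from which a session key can be derived. The parser, the `kse_result` codes and the sample extension blocks are constructed for this example; the extension type numbers 41 (pre_shared_key) and 51 (key_share) are from RFC 8446.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Extension type numbers from RFC 8446, section 4.2. */
#define EXT_PRE_SHARED_KEY 0x0029u   /* pre_shared_key (41) */
#define EXT_KEY_SHARE      0x0033u   /* key_share (51) */

/* Result codes for this example (constructed names, not wolfSSL's). */
enum kse_result {
    KSE_OK        =  0,  /* key_share or pre_shared_key present: real IKM exists */
    KSE_MISSING   = -1,  /* neither present: abort with a fatal alert, never derive keys */
    KSE_MALFORMED = -2   /* length fields inconsistent: abort with decode_error */
};

/* Walk a ServerHello extensions block: the bytes after the two-byte
 * extensions length, each entry encoded as type(2) || length(2) || data.
 * Returns KSE_OK only if at least one of key_share / pre_shared_key is
 * present, so the caller never reaches the key schedule with a default IKM. */
int check_server_hello_extensions(const uint8_t *ext, size_t ext_len)
{
    size_t off = 0;
    int have_secret_input = 0;

    while (off < ext_len) {
        unsigned type, len;
        if (ext_len - off < 4)
            return KSE_MALFORMED;          /* truncated extension header */
        type = ((unsigned)ext[off] << 8) | ext[off + 1];
        len  = ((unsigned)ext[off + 2] << 8) | ext[off + 3];
        off += 4;
        if (len > ext_len - off)
            return KSE_MALFORMED;          /* data would run past the block */
        if (type == EXT_KEY_SHARE || type == EXT_PRE_SHARED_KEY)
            have_secret_input = 1;
        off += len;
    }
    return have_secret_input ? KSE_OK : KSE_MISSING;
}

/* Constructed sample extension blocks (not captured traffic). */
/* supported_versions(43) = TLS 1.3, then key_share(51): group x25519, 2 dummy key bytes */
static const uint8_t sh_with_key_share[] = {
    0x00,0x2b, 0x00,0x02, 0x03,0x04,
    0x00,0x33, 0x00,0x06, 0x00,0x1d, 0x00,0x02, 0xaa,0xbb
};
/* supported_versions, then pre_shared_key(41) selecting identity 0: PSK-only mode */
static const uint8_t sh_psk_only[] = {
    0x00,0x2b, 0x00,0x02, 0x03,0x04,
    0x00,0x29, 0x00,0x02, 0x00,0x00
};
/* supported_versions only: the ServerHello a vulnerable client silently accepted */
static const uint8_t sh_no_secret_input[] = {
    0x00,0x2b, 0x00,0x02, 0x03,0x04
};
/* key_share header claiming 16 bytes of data but carrying only one */
static const uint8_t sh_truncated[] = {
    0x00,0x33, 0x00,0x10, 0x00
};

int main(void)
{
    printf("key_share   -> %d\n", check_server_hello_extensions(sh_with_key_share, sizeof sh_with_key_share));
    printf("psk only    -> %d\n", check_server_hello_extensions(sh_psk_only, sizeof sh_psk_only));
    printf("no secret   -> %d\n", check_server_hello_extensions(sh_no_secret_input, sizeof sh_no_secret_input));
    printf("truncated   -> %d\n", check_server_hello_extensions(sh_truncated, sizeof sh_truncated));
    return 0;
}
```

A PSK-only ServerHello (pre_shared_key without key_share) is accepted because the PSK itself is the secret input in that mode; a ServerHello with only supported_versions is the case that must end the handshake rather than proceed with a predictable IKM.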

## New Feature Additions

### New Ports and Expansions

* Add support for STM32H5
* Add support for Renesas TSIP v1.17
* Add Renesas SCE RSA crypto-only support
* STARCORE DSP port and example builds added
* Add the function wc_PKCS7_SetDefaultSignedAttribs for setting PKCS7 signed attributes to use with PKCS7 bundle creation
* NXP IMX6Q CAAM port with QNX and performance optimizations for AES-CTR

### New Build Options

* ASN.1 print utility to decode ASN.1 syntax and print out human readable text, --enable-asn-print. The utility app is located in the directory ./examples/asn1/
* Add introspection for math build, wc_GetMathInfo(), to get information about the math library compiled into the linked wolfSSL library
* Implement TLS recommendations from RFC 9325 for hardening TLS/DTLS security. Enabled with the autoconf flag --enable-harden-tls.
* Add option to support disabling thread local storage, --disable-threadlocal
* Added wc_DsaSign_ex() and wc_DsaVerify_ex() for handling alternative digest algorithms with DSA Sign/Verify
* Implement atomic operations interface. Macros auto-detect if atomic operations are expected to be available; can be turned off with the macro WOLFSSL_NO_ATOMICS
* Added support for DTLS 1.3 Authentication and Integrity-Only Cipher Suites
* Expand crypto callback to have a device ID find callback function with wc_CryptoCb_SetDeviceFindCb. Enabled with the macro WOLF_CRYPTO_CB_FIND

## Enhancements and Optimizations

### Optimizations

* Increased performance with ChaCha20 C implementation and general XOR operations
* Added integer type to the ASN.1 sequencing with ASN.1 Integer sequence
* With wolfSSL_get_x509_next_altname, reset the alt name list to head once cycled through if compiling with the macro WOLFSSL_MULTICIRCULATE_ALTNAMELIST
* Additional key validity sanity checks on input to wolfSSL_EC_KEY_set_private_key
* Adds support for TLSv1.3 stateful session tickets when using SSL_OP_NO_TICKET

### Memory Optimizations

* Improvements to stack usage and management with SP int math library
* Optimization to TLS 1.3 server to remove caching messages for Ed25519/Ed448
* Added a HAVE_CURL macro build for building a subset of the wolfSSL library when linking with cURL
* Memory usage improvement with reducing the size of alignment needed with AES
* Reduce run time memory used with ECC operations and ALT_ECC_SIZE
* Fixes and improvements for building edge cases such as crypto callback without hash-drbg with low footprint options
* Support HAVE_SESSION_TICKET build option without depending on realloc

### Documentation

* Instructions for GPDMA on STM32 configuration added
* Add in instructions for compiling with zephyr on STM32
* Documentation fixup for wolfSSL_get_chain_cert()
* Fix the file pointed to in the TI RTOS documentation that we maintain
* Documentation for wolfSSL_CertManagerFreeCRL
* Updates made to AES and Chacha documentation
* Update Japanese comments for Ed25519, AES, and other miscellaneous items

### Tests

* Add in an option for easily testing malloc failures when building with WOLFSSL_MEM_FAIL_COUNT macro
* Updated in process for using Expect vs Assert to facilitate more malloc failure tests
* Enhance wolfCrypt test for builds that do not have ECC SECP curves enabled
* ESP32 platform-specific VisualGDB test & benchmark projects
* Update to dependencies in docker container file used for tests
* Fix up for base 10 output with bundled benchmark application

### Port Updates

* Zephyr port update, compile time warning fixes, misc. fixes when used with TLS and update of includes
* Update RIOT-OS to not compile out use of writev by default
* Update Micrium port to enable use of STM32_RNG
* Micrium updates for XMEMOVE and XSTRTOK use
* Various Espressif HW crypto, SHA2, AES, MP updates
* Added in ASIO build option with CMake builds

### General Enhancements

* Global codebase cleanup for C89 compliance and wolfCrypt -Wconversion hygiene
* PKCS#11 enhancement adding a callback for RSA key size when using a hardware key; by default a 2048 bit key is used
* Allow for unknown OIDs in extensions in wolfSSL_X509_set_ext()
* Allow user to override XSTAT by defining the macro XSTAT when compiling
* Support UPN and SID with x509 certificate extensions and custom OID build
* Write next IV in wolfSSL_DES_ede3_cbc_encrypt for better handling of inline encryption
* Adding NO_ASN_TIME_CHECK build option for compiling out certificate before/after checks
* Improve different peer recvfrom handling and error reporting with ipv4 vs ipv6

## Fixes

* Fix for STM32 ECC sign and verify out of bounds buffer write when the hash length passed in is larger than the key size. Thanks to Maximilian for the report.
* Fix to skip Async_DevCtxInit when using init rsa/ecc label/id APIs
* Revert WOLFSSL_NO_ASN_STRICT macro guard around alternate names directory list
* In async mode, don't retry decrypting if a valid error is encountered on a packet parse attempt
* Add additional sanity check on PKCS7 index value in wc_PKCS7_DecryptKekri
* Fix for padding when using an AuthEnvelope PKCS7 type with GCM/CCM stream ciphers
* Fix siphash assembly so that no register is left behind
* Fix to not send a TLS 1.3 session ID resume response when resuming and downgrading to a protocol less than TLS 1.3
* Fix overwriting serialNumber by favouriteDrink when generating a certificate using Cert struct
* Fix for the default realloc used with EspressIf builds
* Track SetDigest usage to avoid invalid free under error conditions
* DTLS v1.3 fix for epoch 0 check on plaintext message
* Fix for session ticket memory leak in wolfSSL_Cleanup
* Fixes for propagating SendAlert errors when the peer disconnects
* Replace XMEMCPY with XMEMMOVE to fix valgrind-3.15.0 reports "Source and destination overlap in memcpy" when using --enable-aesgcm-stream
* Fix for potential out-of-bounds write edge case in fp_mod_2d with --enable-fastmath math library
* Fix getting ECC key size in stm32_ecc_sign_hash_ex
* Fix for case where wc_PeekErrorNodeLineData was not unlocking error queue on error
* Fix for async ECC shared secret state
* Fix for better error checking with sp_gcd with SP int math library
* Fix memory leak in TLSX_KeyShare_Setup when handling an error case
* Fix for double free edge case in InitOCSPRequest when handling a memory allocation failure
* X509 NAME Entry fix for leaking memory on error case
* Fix wolfssl_asn1_time_to_tm setting unexpected fields in tm struct
* Fix for FIPS ECC integrity check with crypto callback set
* BN_to_ASN1_INTEGER fix for handling leading zero byte padding when needed
* Fix a typo in PP macro and add a ceiling to guard against implementation bugs
* DTLS 1.3 fix for using the correct label when deriving the resumption key
* OCSP fix for GetDateInfo edge case with non ASN template builds
* Allow a user set certificate callback function to override the skipAddCA flag when parsing a certificate
* SP int: sp_radix_size when radix 10 fix temp size for handling edge case
* Fixes and improvements for handling failures with memory allocations
* Fix for DecodeECC_DSA_Sig to handle r and s being initialized
* Fix for wc_ecc_is_point to ensure that x and y are in range [0, p-1] and z is one (affine coordinates)

### Build Fixes

* Fix for building on Windows with CMake and using USER_SETTINGS, and fix for options.h creation with CMake when using USER_SETTINGS
* CMake fixes and improvements for use with mingw32
* Fix for building with wpas and x509 small options
* Check if colrm is available for options.h creation when using autoconf
* Clean up NO_BIG_INT build, removing WOLFSSL_SP_MATH macro and heapmath compile
* Fix PKCS#7 build with NO_PKCS7_STREAM
* Fix compilation error in CC-RX and remove unnecessary public key import
* SP build fixes for ARM assembly with ARMv6 clz and ARM thumb debug build
* Fix to not advertise support for RSA in TLS extensions when compiled with NO_RSA

For additional vulnerability information visit the vulnerability page at:
https://www.wolfssl.com/docs/security-vulnerabilities/

See INSTALL file for build instructions.
More info can be found on-line at: https://wolfssl.com/wolfSSL/Docs.html

*** Resources ***

[wolfSSL Website](https://www.wolfssl.com/)
[wolfSSL Wiki](https://github.com/wolfSSL/wolfssl/wiki)
[FIPS FAQ](https://wolfssl.com/license/fips)
[wolfSSL Documents](https://wolfssl.com/wolfSSL/Docs.html)
[wolfSSL Manual](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-toc.html)
[wolfSSL API Reference](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-17-wolfssl-api-reference.html)
[wolfCrypt API Reference](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-18-wolfcrypt-api-reference.html)
[TLS 1.3](https://www.wolfssl.com/docs/tls13/)
[wolfSSL Vulnerabilities](https://www.wolfssl.com/docs/security-vulnerabilities/)
[Additional wolfSSL Examples](https://github.com/wolfssl/wolfssl-examples)