A new release of the compact cryptographic library is wolfSSL 5.0.0 now available IoT , optimized for use on embedded devices with limited processor and memory resources, such as devices, smart home systems, automotive information systems, routers and mobile phones. The code is written in C and is distributed under the GPLv2 license.
The library provides high-performance implementations of modern cryptoalgorithms, including ChaCha20, Curve25519, NTRU, RSA, Blake2b, TLS 1.0-1.3 and DTLS 1.2, which, according to the developers, are 20 times smaller than the OpenSSL implementations. Both its simplified API and a layer for compatibility with the OpenSSL API are provided. There is support for OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) for checking certificate revocation.
The main innovations in wolfSSL 5.0.0:
- Added platform support: IoT-Safe (with TLS support), SE050 (with RNG, SHA, AES, ECC and ED25519 support) and Renesas TSIP 1.13 (for RX72N microcontrollers).
- Added support for post-quantum cryptography algorithms resistant to on a quantum computer: groups NIST Round 3 KEM for TLS 1.3 and NIST ECC hybrid groups based on the brute force OQS (Open Quantum Safe, liboqs project ) . Groups that are resistant to selection on a quantum computer have also been added to the interlayer to ensure compatibility. Dropped support for NTRU and QSH algorithms.
- The module Linux kernel provides support for cryptographic algorithms that comply with the security standard FIPS 140-3 . A separate presented product with FIPS 140-3 implementation is , the code of which is still under testing, peer review, and validation.
- The module for the Linux kernel added variants of the algorithms RSA, ECC, DH, DSA, AES / AES-GCM, accelerated using vector instructions CPU x86. Interrupt handlers are also sped up with vector instructions. Added support for a subsystem for checking modules by digital signatures. The ability to build the embedded crypto engine wolfCrypt in “–enable-linuxkm-pie” (position-independent) mode is provided. The module provides support for Linux kernels 3.16, 4.4, 4.9, 5.4 and 5.10.
- Support for libssh2, pyOpenSSL, libimobiledevice, rsyslog, OpenSSH 8.5p1 and Python 3.8.5 has been added to the interlayer to ensure compatibility with other libraries and applications.
- Added a large chunk of new APIs including EVP_blake2, wolfSSL_set_client_CA_list, wolfSSL_EVP_sha512_256, wc_Sha512 *, EVP_shake256, SSL_CIPHER_ *, SSL_SESSION_ *, etc.
- Fixed two vulnerabilities that were deemed harmless: freeze when creating digital signatures for DSA with certain parameters and incorrect verification of certificates with multiple object aliases when using name-related restrictions.