wolfSSL is a small, portable, embedded SSL/TLS library targeted for use by embedded systems developers. It is an

open source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized sof ...

implementation of TLS (SSL 3.0, TLS 1.0, 1.1, 1.2, 1.3, and

DTLS Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol i ...

1.0, 1.2, and 1.3) written in the

C programming language ''The C Programming Language'' (sometimes termed ''K&R'', after its authors' initials) is a computer programming book written by Brian Kernighan and Dennis Ritchie, the latter of whom originally designed and implemented the language, as well as ...

. It includes SSL/TLS client libraries and an SSL/TLS server implementation as well as support for multiple APIs, including those defined by SSL and TLS. wolfSSL also includes an

OpenSSL OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTT ...

compatibility interface with the most commonly used OpenSSL functions.wolfSSL – Embedded Communications Products
/ref> A predecessor of wolfSSL, yaSSL is a

C++ C++ (pronounced "C plus plus") is a high-level general-purpose programming language created by Danish computer scientist Bjarne Stroustrup as an extension of the C programming language, or "C with Classes". The language has expanded significan ...

based SSL library for embedded environments and real time operating systems with constrained resources.

Platforms

wolfSSL is currently available for Win32/64,

Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, which ...

macOS macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac computers. Within the market of desktop and lapt ...

Solaris Solaris may refer to: Arts and entertainment Literature, television and film * ''Solaris'' (novel), a 1961 science fiction novel by Stanisław Lem ** ''Solaris'' (1968 film), directed by Boris Nirenburg ** ''Solaris'' (1972 film), directed by ...

, Threadx,

VxWorks VxWorks is a real-time operating system (or RTOS) developed as proprietary software by Wind River Systems, a wholly-owned subsidiary of Aptiv. First released in 1987, VxWorks is designed for use in embedded systems requiring real-time, determin ...

FreeBSD FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ...

NetBSD NetBSD is a free and open-source Unix operating system based on the Berkeley Software Distribution (BSD). It was the first open-source BSD descendant officially released after 386BSD was forked. It continues to be actively developed and is a ...

OpenBSD OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. According to the website, the OpenBSD project em ...

embedded Linux Operating systems based on the Linux kernel are used in embedded systems such as consumer electronics (eg. set-top boxes, smart TVs and personal video recorders (PVRs)), in-vehicle infotainment (IVI), networking equipment (such as routers, switch ...

Yocto Project The Yocto Project is a Linux Foundation collaborative open source project whose goal is to produce tools and processes that enable the creation of Linux distributions for embedded and IoT software that are independent of the underlying architectu ...

OpenEmbedded OpenEmbedded is a build automation framework and cross-compile environment used to create Linux distributions for embedded devices. The OpenEmbedded framework is developed by the OpenEmbedded community, which was formally established in 2003. ...

WinCE Windows Embedded Compact, formerly Windows Embedded CE, Windows Powered and Windows CE, is an operating system subfamily developed by Microsoft as part of its Windows Embedded family of products. Unlike Windows Embedded Standard, which is ba ...

Haiku is a type of short form poetry originally from Japan. Traditional Japanese haiku consist of three phrases that contain a ''kireji'', or "cutting word", 17 '' on'' (phonetic units similar to syllables) in a 5, 7, 5 pattern, and a ''kigo'', or se ...

OpenWrt OpenWrt (from ''open wireless router'') is an open-source project for embedded operating systems based on Linux, primarily used on embedded devices to route network traffic. The main components are Linux, util-linux, musl, and BusyBox. All com ...

, iPhone, Android,

Nintendo Wii The Wii ( ) is a home video game console developed and marketed by Nintendo. It was released on November 19, 2006, in North America and in December 2006 for most other regions of the world. It is Nintendo's fifth major home game console, f ...

and

Gamecube The is a home video game console developed and released by Nintendo in Japan on September 14, 2001, in North America on November 18, 2001, and in PAL territories in 2002. It is the successor to the Nintendo 64 (1996), and predecessor of the Wii ...

through DevKitPro support,

QNX QNX ( or ) is a commercial Unix-like real-time operating system, aimed primarily at the embedded systems market. QNX was one of the first commercially successful microkernel operating systems. The product was originally developed in the early ...

MontaVista MontaVista Software is a company that develops embedded Linux system software, development tools, and related software. Its products are made for other corporations developing embedded systems such as Automotive industry, automotive electronics ...

Tron ''Tron'' (stylized as ''TRON'') is a 1982 American science fiction action-adventure film written and directed by Steven Lisberger from a story by Lisberger and Bonnie MacBird. The film stars Jeff Bridges as Kevin Flynn, a computer programmer a ...

variants,

NonStop OS NonStop is a series of server computers introduced to market in 1976 by Tandem Computers Inc., beginning with the NonStop product line, which was followed by the Hewlett-Packard Integrity NonStop product line extension. It is currently offered ...

OpenCL OpenCL (Open Computing Language) is a framework for writing programs that execute across heterogeneous platforms consisting of central processing units (CPUs), graphics processing units (GPUs), digital signal processors (DSPs), field-progra ...

, Micrium's

MicroC/OS-II Micro-Controller Operating Systems (MicroC/OS, stylized as μC/OS) is a real-time operating system (RTOS) designed by Jean J. Labrosse in 1991. It is a priority-based preemptive real-time kernel for microprocessors, written mostly in the programm ...

FreeRTOS FreeRTOS is a real-time operating system kernel for embedded devices that has been ported to 35 microcontroller platforms. It is distributed under the MIT License. History The FreeRTOS kernel was originally developed by Richard Barry around ...

SafeRTOS FreeRTOS is a real-time operating system kernel for embedded devices that has been ported to 35 microcontroller platforms. It is distributed under the MIT License. History The FreeRTOS kernel was originally developed by Richard Barry around 2 ...

, Freescale MQX,

Nucleus Nucleus ( : nuclei) is a Latin word for the seed inside a fruit. It most often refers to: *Atomic nucleus, the very dense central region of an atom *Cell nucleus, a central organelle of a eukaryotic cell, containing most of the cell's DNA Nucle ...

TinyOS TinyOS is an embedded, component-based operating system and platform for low-power wireless devices, such as those used in wireless sensor networks (WSNs), smartdust, ubiquitous computing, personal area networks, building automation, and smart me ...

TI-RTOS TI-RTOS is an embedded tools ecosystem created and offered by Texas Instruments (TI) for use in a range of their embedded system processors. It includes a real-time operating system (RTOS) component named ''TI-RTOS Kernel'' (formerly named ''SYS ...

HP-UX HP-UX (from "Hewlett Packard Unix") is Hewlett Packard Enterprise's proprietary implementation of the Unix operating system, based on Unix System V (initially System III) and first released in 1984. Current versions support HPE Integrity Ser ...

, uTasker, uT-kernel, embOS, INtime,

mbed Mbed is a platform and operating system for internet-connected devices based on 32-bit ARM Cortex-M microcontrollers. Such devices are also known as Internet of Things devices. The project is collaboratively developed by Arm and its technology ...

RIOT A riot is a form of civil disorder commonly characterized by a group lashing out in a violent public disturbance against authority, property, or people. Riots typically involve destruction of property, public or private. The property targete ...

, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, Keil RTX, TOPPERS, PetaLinux,

Apache Mynewt Apache Mynewt is a modular real-time operating system for connected Internet of things (IoT) devices that must operate for long times under power, memory, and storage constraints. It is free and open-source software incubating under the Apache S ...

, and

PikeOS PikeOS is a commercial, hard real-time operating system (RTOS) that offers a separation kernel based hypervisor with multiple logical partition types for many other operating systems (OS), each called a GuestOS, and applications. It enables user ...

History

The genesis of yaSSL, or yet another SSL, dates to 2004.

was available at the time, and was dual licensed under the ''OpenSSL License'' and the ''SSLeay license''. yaSSL, alternatively, was developed and dual-licensed under both a commercial license and the GPL. yaSSL offered a more modern API, commercial style developer support and was complete with an OpenSSL compatibility layer. The first major user of wolfSSL/CyaSSL/yaSSL was

MySQL MySQL () is an open-source relational database management system (RDBMS). Its name is a combination of "My", the name of co-founder Michael Widenius's daughter My, and "SQL", the acronym for Structured Query Language. A relational database o ...

. Through bundling with MySQL, yaSSL has achieved extremely high distribution volumes in the millions. In February 2019,

Daniel Stenberg Magnus Daniel Stenberg is a Swedish developer, recipient of the Polhem Prize 2017 for his work on cURL. He was born and raised in Huddinge, a suburb south of Sweden's capital Stockholm. He created a utility which, after various name and licens ...

, the creator of

cURL cURL (pronounced like "curl", UK: , US: ) is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various network protocols. The name stands for "Client URL". History cURL was fi ...

, joined the wolfSSL project.

Protocols

The wolfSSL lightweight SSL library implements the following protocols:wolfSSL – Docs , CyaSSL Manual – Chapter 4 (Features)
/ref> * SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 * DTLS 1.0, DTLS 1.2, DTLS 1.3 * Extensions:

Server Name Indication Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a serv ...

(SNI), Maximum Fragment Length, Truncated

HMAC In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret ...

Application Layer Protocol Negotiation Application-Layer Protocol Negotiation (ALPN) is a Transport Layer Security (TLS) extension that allows the application layer to negotiate which protocol should be performed over a secure connection in a manner that avoids additional round trips an ...

(ALPN), Extended Master Secret * Ciphersuites: TLS Secure Remote Password, TLS Pre-Shared Key *

Post-quantum cryptography In cryptography, post-quantum cryptography (sometimes referred to as quantum-proof, quantum-safe or quantum-resistant) refers to cryptographic algorithms (usually public-key algorithms) that are thought to be secure against a cryptanalytic attack ...

: QSH (quantum-safe handshake) * Public Key Cryptography Standards: ** PKCS #1 - RSA Cryptography ** PKCS #3 - Diffie-Hellman Key Agreement ** PKCS #5 - Password-Based Encryption ** PKCS #7 -

Cryptographic Message Syntax The Cryptographic Message Syntax (CMS) is the IETF's standard for cryptographically protected messages. It can be used by cryptographic schemes and protocols to digitally sign, digest, authenticate or encrypt any form of digital data. CMS is base ...

(CMS) ** PKCS #8 - Private-Key Information Syntax ** PKCS #9 - Selected Attribute Types ** PKCS #10 -

Certificate signing request In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority of the public key infrastructure in order to apply for a digital identity ...

(CSR) ** PKCS #11 - Cryptographic Token Interface ** PKCS #12 - Certificate/Personal Information Exchange Syntax Standard Protocol Notes: * SSL 2.0 – SSL 2.0 was deprecated (prohibited) in 2011 by RFC 6176. wolfSSL does not support it. * SSL 3.0 – SSL 3.0 was deprecated (prohibited) in 2015 by RFC 7568. In response to the POODLE attack, SSL 3.0 has been disabled by default since wolfSSL 3.6.6, but can be enabled with a compile-time option.

Algorithms

wolfSSL uses the following cryptography libraries:

wolfCrypt

By default, wolfSSL uses the cryptographic services provided by wolfCrypt. wolfCrypt Provides RSA, ECC, DSS, Diffie–Hellman, EDH,

NTRU NTRU is an open-source public-key cryptosystem that uses lattice-based cryptography to encrypt and decrypt data. It consists of two algorithms: NTRUEncrypt, which is used for encryption, and NTRUSign, which is used for digital signatures. Unli ...

DES Des is a masculine given name, mostly a short form (hypocorism) of Desmond. People named Des include: People * Des Buckingham, English football manager * Des Corcoran, (1928–2004), Australian politician * Des Dillon (disambiguation), sever ...

Triple DES In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standa ...

, AES (CBC, CTR, CCM, GCM),

Camellia ''Camellia'' (pronounced or ) is a genus of flowering plants in the family Theaceae. They are found in eastern and southern Asia, from the Himalayas east to Japan and Indonesia. There are more than 220 described species, with some controversy ...

IDEA In common usage and in philosophy, ideas are the results of thought. Also in philosophy, ideas can also be mental representational images of some object. Many philosophers have considered ideas to be a fundamental ontological category of being ...

ARC4 In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, re ...

HC-128 HC-256 is a stream cipher designed to provide bulk encryption in software at high speeds while permitting strong confidence in its security. A 128-bit variant was submitted as an eSTREAM cipher candidate and has been selected as one of the four fi ...

ChaCha20 Salsa20 and the closely related ChaCha are stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM European Union cryptographic validation process by Bernstein. Ch ...

, MD2,

MD4 The MD4 Message-Digest Algorithm is a cryptographic hash function developed by Ronald Rivest in 1990. The digest length is 128 bits. The algorithm has influenced later designs, such as the MD5, SHA-1 and RIPEMD algorithms. The initialism "MD" s ...

, MD5,

SHA-1 In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographically broken but still widely used hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecima ...

SHA-2 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression ...

SHA-3 SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like struct ...

BLAKE2 BLAKE is a cryptographic hash function based on Daniel J. Bernstein's ChaCha stream cipher, but a permuted copy of the input block, XORed with round constants, is added before each ChaCha round. Like SHA-2, there are two variants differing in t ...

, RIPEMD-160,

Poly1305 Poly1305 is a universal hash family designed by Daniel J. Bernstein for use in cryptography. As with any universal hash family, Poly1305 can be used as a one-time message authentication code to authenticate a single message using a key shared ...

, Random Number Generation, Large Integer support, and base 16/64 encoding/decoding. An experimental cipher called

Rabbit Rabbits, also known as bunnies or bunny rabbits, are small mammals in the family Leporidae (which also contains the hares) of the order Lagomorpha (which also contains the pikas). ''Oryctolagus cuniculus'' includes the European rabbit speci ...

, a

public domain software Public-domain software is software that has been placed in the public domain, in other words, software for which there is absolutely no ownership such as copyright, trademark, or patent. Software in the public domain can be modified, distributed, ...

stream cipher from the EU's eSTREAM project, is also included. Rabbit is potentially useful to those encrypting streaming media in high performance, high demand environments. wolfCrypt also includes support for the recent

Curve25519 In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security (256-bit key size) and designed for use with the elliptic curve Diffie–Hellman (ECDH) key agreement scheme. It is one of t ...

and

Ed25519 In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature scheme ...

algorithms. wolfCrypt acts as a back-end crypto implementation for several popular software packages and libraries, including MIT Kerberos (where it can be enabled using a build option).

NTRU

CyaSSL+ includes

NTRU CryptoLabs
public key encryption. The addition of NTRU in CyaSSL+ was a result of the partnership between yaSSL and Security Innovation. NTRU works well in mobile and embedded environments due to the reduced bit size needed to provide the same security as other public key systems. In addition, it's not known to be vulnerable to quantum attacks. Several cipher suites utilizing NTRU are available with CyaSSL+ including AES-256, RC4, and HC-128.

Hardware Integration

Secure Element Support

wolfSSL supports the following Secure Elements: *

STMicroelectronics STMicroelectronics N.V. commonly referred as ST or STMicro is a Dutch multinational corporation and technology company of French-Italian origin headquartered in Plan-les-Ouates near Geneva, Switzerland and listed on the French stock market. ST ...

STSAFE *

Microchip An integrated circuit or monolithic integrated circuit (also referred to as an IC, a chip, or a microchip) is a set of electronic circuits on one small flat piece (or "chip") of semiconductor material, usually silicon. Large numbers of tiny ...

CryptoAuthentication ATECC508A *

NXP NXP Semiconductors N.V. (NXP) is a Dutch semiconductor designer and manufacturer with headquarters in Eindhoven, Netherlands. The company employs approximately 31,000 people in more than 30 countries. NXP reported revenue of $11.06 billion in 2 ...

EdgeLock SE050 Secure Element

Technology Support

wolfSSL supports the following hardware technologies: *

Intel Intel Corporation is an American multinational corporation and technology company headquartered in Santa Clara, California. It is the world's largest semiconductor chip manufacturer by revenue, and is one of the developers of the x86 seri ...

SGX (

Software Guard Extensions Intel Software Guard Extensions (SGX) is a set of security-related instruction codes that are built into some Intel central processing units (CPUs). They allow user-level and operating system code to define protected private regions of memory, ca ...

) - Intel SGX allows a smaller attack surface and has been shown to provide a higher level of security for executing code without a significant impact on performance.

Hardware Encryption Support

The following tables list wolfSSL's support for using various devices' hardware encryption with various algorithms. - "All" denotes 128, 192, and 256-bit supported block sizes

Certifications

wolfSSL supports the following certifications: *

Federal Information Processing Standards The Federal Information Processing Standards (FIPS) of the United States are a set of publicly announced standards that the National Institute of Standards and Technology (NIST) has developed for use in computer systems of non-military, American ...

(

FIPS 140 The 140 series of Federal Information Processing Standards ( FIPS) are U.S. government computer security standards that specify requirements for cryptography modules. , FIPS 140-2 and FIPS 140-3 are both accepted as current and active. FIPS 140-3 ...

) **

FIPS 140-2 The Federal Information Processing Standard Publication 140-2, (FIPS PUB 140-2), is a U.S. government computer security standard used to approve cryptographic modules. The title is ''Security Requirements for Cryptographic Modules''. Initial publ ...

*** wolfCrypt FIPS Module: 3.6.0
NIST certificate #2425
- ''Historical'' *** wolfCrypt FIPS Module: 4.0
NIST certificate #3389
*

Radio Technical Commission for Aeronautics RTCA, Inc. (formerly known as Radio Technical Commission for Aeronautics) is a United States non-profit organization that develops technical guidance for use by government regulatory authorities and by industry. It was founded in 1935 and was re-in ...

(RTCA) **

DO-178C DO-178C, Software Considerations in Airborne Systems and Equipment Certification is the primary document by which the certification authorities such as FAA, EASA and Transport Canada approve all commercial software-based aerospace systems. The do ...

*** wolfCrypt COTS DO-178C certification kit (DAL A) wolfSSL Support for DO-178C DAL A
/ref>

Licensing

wolfSSL is dual licensed: * Licensed under the GPL-2.0-or-later license. This is good for GPL open source projects and evaluation. * Licensed under a commercial non-GPL license. This comes with additional support and maintenance packages and is priced at 6,000 USD per ''product'' or ''SKU'' as of 2022.

References

External links

wolfSSL/CyaSSL Homepage

wolfSSL Now With ChaCha20 and Poly1305
{{SSL/TLS C (programming language) libraries Cryptographic software Transport Layer Security implementation