wolfSSL is a small, portable, embedded SSL/TLS library targeted for use by embedded systems developers. It is an open-source implementation of TLS (SSL 3.0, TLS 1.0, 1.1, 1.2, 1.3, and DTLS 1.0, 1.2, and 1.3) written in the C programming language. It includes SSL/TLS client libraries and an SSL/TLS server implementation as well as support for multiple APIs, including those defined by SSL and TLS. wolfSSL also includes an OpenSSL compatibility interface with the most commonly used OpenSSL functions.
A predecessor of wolfSSL, yaSSL is a C++-based SSL library for embedded environments and real-time operating systems with constrained resources.
Platforms
wolfSSL is currently available for Win32/64, Linux, macOS, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Yocto Project, OpenEmbedded, WinCE, Haiku, OpenWrt, iPhone, Android, Nintendo Wii and GameCube through DevKitPro support, QNX, MontaVista, Tron variants, NonStop OS, OpenCL, Micrium's MicroC/OS-II, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, TI-RTOS, HP-UX, uTasker, uT-kernel, embOS, INtime, mbed, RIOT, CMSIS-RTOS, FROSTED, Green Hills INTEGRITY, Keil RTX, TOPPERS, PetaLinux, Apache Mynewt, and PikeOS.
History
The genesis of yaSSL, or yet another SSL, dates to 2004. OpenSSL was available at the time, and was dual licensed under the ''OpenSSL License'' and the ''SSLeay license''. yaSSL, alternatively, was developed and dual-licensed under both a commercial license and the GPL. yaSSL offered a more modern API, commercial-style developer support and was complete with an OpenSSL compatibility layer. The first major user of wolfSSL/CyaSSL/yaSSL was MySQL. Through bundling with MySQL, yaSSL has achieved extremely high distribution volumes in the millions.
In February 2019, Daniel Stenberg, the creator of cURL, joined the wolfSSL project.
Protocols
The wolfSSL lightweight SSL library implements the following protocols:
* SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
* DTLS 1.0, DTLS 1.2, DTLS 1.3
* Extensions: Server Name Indication (SNI), Maximum Fragment Length, Truncated HMAC, Application Layer Protocol Negotiation (ALPN), Extended Master Secret
* Ciphersuites: TLS Secure Remote Password, TLS Pre-Shared Key
* Post-quantum cryptography: QSH (quantum-safe handshake)
* Public Key Cryptography Standards:
** PKCS #1 - RSA Cryptography
** PKCS #3 - Diffie-Hellman Key Agreement
** PKCS #5 - Password-Based Encryption
** PKCS #7 - Cryptographic Message Syntax (CMS)
** PKCS #8 - Private-Key Information Syntax
** PKCS #9 - Selected Attribute Types
** PKCS #10 - Certificate signing request (CSR)
** PKCS #11 - Cryptographic Token Interface
** PKCS #12 - Certificate/Personal Information Exchange Syntax Standard
Protocol Notes:
* SSL 2.0 – SSL 2.0 was deprecated (prohibited) in 2011 by RFC 6176. wolfSSL does not support it.
* SSL 3.0 – SSL 3.0 was deprecated (prohibited) in 2015 by RFC 7568. In response to the POODLE attack, SSL 3.0 has been disabled by default since wolfSSL 3.6.6, but can be enabled with a compile-time option.
Algorithms
wolfSSL uses the following cryptography libraries:
wolfCrypt
By default, wolfSSL uses the cryptographic services provided by wolfCrypt. wolfCrypt provides RSA, ECC, DSS, Diffie–Hellman, EDH, NTRU, DES, Triple DES, AES (CBC, CTR, CCM, GCM), Camellia, IDEA, ARC4, HC-128, ChaCha20, MD2, MD4, MD5, SHA-1, SHA-2, SHA-3, BLAKE2, RIPEMD-160, Poly1305, random number generation, large integer support, and base 16/64 encoding/decoding. An experimental cipher called Rabbit, a public domain software stream cipher from the EU's eSTREAM project, is also included. Rabbit is potentially useful to those encrypting streaming media in high-performance, high-demand environments.
wolfCrypt also includes support for the recent Curve25519 and Ed25519 algorithms.
wolfCrypt acts as a back-end crypto implementation for several popular software packages and libraries, including MIT Kerberos (where it can be enabled using a build option).
NTRU
CyaSSL+ includes NTRU public key encryption. The addition of NTRU in CyaSSL+ was a result of the partnership between yaSSL and Security Innovation. NTRU works well in mobile and embedded environments due to the reduced bit size needed to provide the same security as other public key systems. In addition, it's not known to be vulnerable to quantum attacks. Several cipher suites utilizing NTRU are available with CyaSSL+ including AES-256, RC4, and HC-128.
Hardware Integration
Secure Element Support
wolfSSL supports the following Secure Elements:
* STMicroelectronics STSAFE
* Microchip CryptoAuthentication ATECC508A
* NXP EdgeLock SE050 Secure Element
Technology Support
wolfSSL supports the following hardware technologies:
* Intel SGX (Software Guard Extensions) - Intel SGX allows a smaller attack surface and has been shown to provide a higher level of security for executing code without a significant impact on performance.
Hardware Encryption Support
The following tables list wolfSSL's support for using various devices' hardware encryption with various algorithms.
- "All" denotes 128, 192, and 256-bit supported block sizes
Certifications
wolfSSL supports the following certifications:
* Federal Information Processing Standards (FIPS 140)
** FIPS 140-2
*** wolfCrypt FIPS Module: 3.6.0 (NIST certificate #2425) - ''Historical''
*** wolfCrypt FIPS Module: 4.0 (NIST certificate #3389)
* Radio Technical Commission for Aeronautics (RTCA)
** DO-178C
*** wolfCrypt COTS DO-178C certification kit (DAL A)
Licensing
wolfSSL is dual licensed:
* Licensed under the GPL-2.0-or-later license. This is good for GPL open source projects and evaluation.
* Licensed under a commercial non-GPL license. This comes with additional support and maintenance packages and is priced at 6,000 USD per ''product'' or ''SKU'' as of 2022.
See also
* Transport Layer Security
* Comparison of TLS implementations
* Comparison of cryptography libraries
* GnuTLS
* Network Security Services
* OpenSSL
External links
wolfSSL/CyaSSL Homepage
wolfSSL Now With ChaCha20 and Poly1305