wolfSSL 5.1.0 Cryptographic Library Release

wolfSSL 5.1.0 has been released. It is a compact cryptographic library optimized for use on embedded devices with limited processor and memory resources, such as IoT devices, smart home systems, automotive information systems, routers and mobile phones. The code is written in C and distributed under the GPLv2 license.

The library provides high-performance implementations of modern cryptographic algorithms, including ChaCha20, Curve25519, NTRU, RSA, Blake2b, TLS 1.0-1.3 and DTLS 1.2, which, according to the developers, are 20 times more compact than OpenSSL implementations. It provides both its own simplified API and a layer for compatibility with the OpenSSL API. There is support for OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) for certificate revocation checking.

Key innovations in wolfSSL 5.1.0:

  • Added support for platforms: NXP SE050 (with Curve25519 support) and Renesas RA6M4. Support for TSIP 65 (Trusted Secure IP) has been added for Renesas RX72N/RX1.14N.
  • Added the ability to use post-quantum cryptography algorithms in the port for the Apache http server. For TLS 1.3, the NIST round 3 FALCON digital signature scheme is implemented. Added tests for cURL built with wolfSSL in a mode that uses cryptographic algorithms resistant to brute-force search on a quantum computer.
  • Added support for NGINX 1.21.4 and Apache httpd 2.4.51 to ensure compatibility with other libraries and applications.
  • Support for the SSL_OP_NO_TLSv1_2 flag and the functions SSL_CTX_get_max_early_data, SSL_CTX_set_max_early_data, SSL_set_max_early_data, SSL_get_max_early_data, SSL_CTX_clear_mode, SSL_CONF_cmd_value_type, SSL_read_early_data, SSL_write_early_data has been added to the code for compatibility with OpenSSL.
  • Added the ability to register a callback function to replace the built-in implementation of the AES-CCM algorithm.
  • Added WOLFSSL_CUSTOM_OID macro to generate custom OIDs for CSR (certificate signing request).
  • Support for deterministic ECC signatures has been added, enabled by the WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT macro.
  • Added new functions wc_GetPubKeyDerFromCert, wc_InitDecodedCert, wc_ParseCert and wc_FreeDecodedCert.
  • Two vulnerabilities have been fixed, both assigned a low severity level. The first allows a DoS attack on a client application during a MITM attack on a TLS 1.2 connection. The second relates to the ability to gain control over client session resumption when using a wolfSSL-based proxy or connections that do not verify the entire chain of trust for the server certificate.

Source: opennet.ru
