wolfSSL 5.0.0 Cryptographic Library Release

A new release of the compact cryptographic library wolfSSL 5.0.0 is available, optimized for use on processor- and memory-constrained embedded devices such as Internet of Things devices, smart home systems, automotive information systems, routers and mobile phones. The code is written in C and distributed under the GPLv2 license.

The library provides high-performance implementations of modern cryptographic algorithms, including ChaCha20, Curve25519, NTRU, RSA, Blake2b, TLS 1.0-1.3 and DTLS 1.2, which, according to the developers, are 20 times more compact than OpenSSL implementations. It provides both its own simplified API and a layer for compatibility with the OpenSSL API. There is support for OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) for certificate revocation checking.

Key innovations in wolfSSL 5.0.0:

  • Added platform support: IoT-Safe (with TLS support), SE050 (with RNG, SHA, AES, ECC and ED25519 support) and Renesas TSIP 1.13 (for RX72N microcontrollers).
  • Added support for post-quantum cryptography algorithms that are resistant to being broken on a quantum computer: NIST Round 3 KEM groups for TLS 1.3 and hybrid NIST ECC groups based on the OQS (Open Quantum Safe, liboqs) project. The quantum-resistant groups have also been added to the OpenSSL compatibility layer. Support for the NTRU and QSH algorithms has been discontinued.
  • The module for the Linux kernel provides support for cryptographic algorithms that comply with the FIPS 140-3 security standard. A separate product implementing FIPS 140-3 has been introduced; its code is still at the stage of testing, review and verification.
  • Variants of the RSA, ECC, DH, DSA, AES/AES-GCM algorithms, accelerated using x86 CPU vector instructions, have been added to the module for the Linux kernel. Interrupt handlers are also accelerated using vector instructions. Added support for the subsystem that verifies modules using digital signatures. It is possible to build the embedded wolfCrypt crypto engine in the "--enable-linuxkm-pie" (position-independent) mode. The module provides support for Linux kernels 3.16, 4.4, 4.9, 5.4 and 5.10.
  • To ensure compatibility with other libraries and applications, support for libssh2, pyOpenSSL, libimobiledevice, rsyslog, OpenSSH 8.5p1 and Python 3.8.5 has been added to the OpenSSL compatibility layer.
  • Added a large batch of new APIs, including EVP_blake2, wolfSSL_set_client_CA_list, wolfSSL_EVP_sha512_256, wc_Sha512*, EVP_shake256, SSL_CIPHER_*, SSL_SESSION_*, etc.
  • Fixed two vulnerabilities that are considered benign: a hang when creating DSA digital signatures with certain parameters and incorrect verification of certificates with multiple subject alternative names when name constraints are used.

Source: opennet.ru
