The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024
NOTE: In future releases, --enable-des3 (which is disabled by default) will be insufficient in itself to enable DES3 in TLS cipher suites. A new option, --enable-des3-tls-suites, will need to be supplied in addition. This option should only be used in backward compatibility scenarios, as it is inherently insecure.
NOTE: This release switches the default ASN.1 parser to the new ASN template code. If the original ASN.1 code is preferred, define WOLFSSL_ASN_ORIGINAL to use it. See PR #7199.
[High] CVE-2024-0901 Potential denial of service and out-of-bounds read. Affects TLS 1.3 on the server side when accepting a connection from a malicious TLS 1.3 client. If using TLS 1.3 on the server side, it is recommended to update the version of wolfSSL used. Fixed in this GitHub pull request: https://github.com/wolfSSL/wolfssl/pull/7099
[Med] CVE-2024-1545 Fault injection vulnerability in the RsaPrivateDecryption function that potentially allows an attacker with access to the same system as a victim's process to perform a Rowhammer fault injection. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang, Qingni Shen for the report (Peking University, The University of Western Australia). Fixed in this GitHub pull request: https://github.com/wolfSSL/wolfssl/pull/7167
[Med] Fault injection attack with EdDSA signature operations. This affects ed25519 sign operations where the system could be susceptible to Rowhammer attacks. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang, Qingni Shen for the report (Peking University, The University of Western Australia). Fixed in this GitHub pull request https://github.com/wolfSSL/wolfssl/pull/7212
* dh_ffdhe_test test case using Intel QuickAssist (PR 7085)
* NO_STDIO_FILESYSTEM and improve checks for XGETENV (PR 7150)
NOTE: * --enable-heapmath is being deprecated and will be removed by 2024
REMINDER: When working with AES Block Cipher algorithms, wc_AesInit() should always be called first to initialize the Aes structure, before calling other Aes API functions. Recently we found several places in our documentation, comments, and codebase where this pattern was not observed. We have since fixed this omission in several PRs for this release.
[Medium] CVE-2023-6935: After review of the previous RSA timing fix in wolfSSL 5.6.4, additional changes were found to be required. A complete, timing-resistant change is delivered in this release. This fix is for the Marvin attack, which leads to being able to decrypt a saved TLS connection and potentially forge a signature after probing with a very large number of trial connections. This issue is around RSA decryption and affects the optional static RSA cipher suites on the server side, which are considered weak, not recommended to be used, and off by default in wolfSSL (even with --enable-all). Static RSA cipher suites were also removed from the TLS 1.3 protocol and are only present in TLS 1.2 and lower. All padding versions of RSA decrypt are affected since the code under review is outside of the padding processing. Information about the private keys is NOT compromised in affected code. It is recommended to disable static RSA cipher suites and to update the version of wolfSSL used if using RSA private decryption alone outside of TLS. Thanks to Hubert Kario for the report. The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6955.
[Low] CVE-2023-6936: A potential heap overflow read is possible in servers connecting over TLS 1.3 when the optional WOLFSSL_CALLBACKS has been defined. The out-of-bounds read can occur when a server receives a malicious malformed ClientHello. Users should either discontinue use of WOLFSSL_CALLBACKS on the server side or update to wolfSSL 5.6.6. Thanks to the tlspuffin fuzzer team for the report; tlspuffin was designed and developed by Lucca Hirschi (Inria, LORIA), Steve Kremer (Inria, LORIA), and Max Ammann (Trail of Bits). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6949.
[Low] A side channel vulnerability with AES T-Tables is possible in a very controlled environment where precision sub-cache-line inspection can happen, such as inside an Intel SGX enclave. This can lead to recovery of the AES key. To prevent this type of attack, wolfSSL added an AES bitsliced implementation which can be enabled with the “--enable-aes-bitsliced” configure option. Thanks to Florian Sieck, Zhiyuan Zhang, Sebastian Berndt, Chitchanok Chuengsatiansup, Thomas Eisenbarth, and Yuval Yarom for the report (Universities of Lübeck, Melbourne, Adelaide and Bochum). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6854.
[Low] CVE-2023-6937: wolfSSL prior to 5.6.6 did not check that messages in a single (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating. Thanks to Johannes Wilson for the report (Sectra Communications and Linköping University). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/7029.
* WOLFSSL_NO_CRL_DATE_CHECK (PR 6927)
* --enable-srtp-kdf (PR 6888)
* wolfSSL_EXTENDED_KEY_USAGE_free() (PR 6916)
* --enable-aes-bitsliced (PR 6854)
* “--sys-ca-certs” configure option (PR 6910)
* “--enable-quic” to “--enable-all” configure option (PR 6957)
* HAVE___UINT128_T to options.h for CMake builds (PR 6965)
* ssl_crypto.c file (PR 6935)
* wolfSSL_i2d_X509() (PR 6891)
* EVP_EncodeBlock() appending a newline (PR 6900)
* wolfSSL_RSA_verify_PKCS1_PSS() with RSA_PSS_SALTLEN_AUTO (PR 6938)
* isalpha() and isalnum() calls (PR 6810)
* WOLFSSL_CALLBACKS and potential memory error (PR 6949)
* FREESCALE_MMCAU (PR 6970)
* SendBuffered() return code in non-blocking mode (PR 7001)
* Hmac_UpdateFinal() when padding byte is invalid (PR 6998)
* wc_AesInit() before wc_AesSetKey() (PR 7011)
NOTE:
* --enable-heapmath is being deprecated and will be removed by 2024
* Old CyaSSL/CtaoCrypt shim layer was removed in this release (5.6.4)
* wc_SignatureGenerate_ex to not call verify twice
Release 5.6.3 of wolfSSL embedded TLS has 4 bug fixes:
Release 5.6.2 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria. https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
NOTE: * --enable-heapmath is being deprecated and will be removed by 2024
Release 5.6.2 of wolfSSL embedded TLS has bug fixes and new features including:
Release 5.6.0 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria. https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
NOTE:
* --enable-heapmath is being deprecated and will be removed by 2024
* This release makes ASN Template the default with ./configure; the previous ASN parsing can be built with --enable-asn=original
Release 5.6.0 of wolfSSL embedded TLS has bug fixes and new features including:
* PubKey and Key PEM-to-DER APIs to support return of needed DER size
* -alg list and block format
* Documentation/Examples
* TLSX_SetResponse
* NO_ASN_TIME defined
* WOLFSSL_CHECK_ALERT_ON_ERR
* WC_PENDING_E with async. builds
* HashObject to be excluded for WOLFCRYPT_ONLY
* EC_KEY_new_by_curve_name to not create a key if the curve is not found
Release 5.5.2 of wolfSSL embedded TLS has bug fixes and new features including:
* wc_SetCustomExtension documentation
* ProcessPeerCerts