cjson
.github
workflows CI.yml ci-fuzz.yml
CONTRIBUTING.md
fuzzing
inputs test1 test10 test11 test2 test3 test3.bu test3.uf test3.uu test4 test5 test6 test7 test8 test9
.gitignore CMakeLists.txt afl-prepare-linux.sh afl.c afl.sh cjson_read_fuzzer.c fuzz_main.c json.dict ossfuzz.sh
library_config cJSONConfig.cmake.in cJSONConfigVersion.cmake.in libcjson.pc.in libcjson_utils.pc.in uninstall.cmake
tests
inputs test1 test1.expected test10 test10.expected test11 test11.expected test2 test2.expected test3 test3.expected test4 test4.expected test5 test5.expected test6 test7 test7.expected test8 test8.expected test9 test9.expected
json-patch-tests .editorconfig .gitignore .npmignore README.md cjson-utils-tests.json package.json spec_tests.json tests.json
unity
auto colour_prompt.rb colour_reporter.rb generate_config.yml generate_module.rb generate_test_runner.rb parse_output.rb stylize_as_junit.rb test_file_filter.rb type_sanitizer.rb unity_test_summary.py unity_test_summary.rb unity_to_junit.py
docs ThrowTheSwitchCodingStandard.md UnityAssertionsCheatSheetSuitableforPrintingandPossiblyFraming.pdf UnityAssertionsReference.md UnityConfigurationGuide.md UnityGettingStartedGuide.md UnityHelperScriptsGuide.md license.txt
examples
example_1
src ProductionCode.c ProductionCode.h ProductionCode2.c ProductionCode2.h
makefile readme.txt
example_2
src ProductionCode.c ProductionCode.h ProductionCode2.c ProductionCode2.h
makefile readme.txt
example_3
helper UnityHelper.c UnityHelper.h
src ProductionCode.c ProductionCode.h ProductionCode2.c ProductionCode2.h
rakefile.rb rakefile_helper.rb readme.txt target_gcc_32.yml
unity_config.h
extras
eclipse error_parsers.txt
fixture
src unity_fixture.c unity_fixture.h unity_fixture_internals.h unity_fixture_malloc_overrides.h
rakefile.rb rakefile_helper.rb readme.txt
release build.info version.info
src unity.c unity.h unity_internals.h
.gitattributes .gitignore .travis.yml README.md
CMakeLists.txt cjson_add.c common.h compare_tests.c json_patch_tests.c minify_tests.c misc_tests.c misc_utils_tests.c old_utils_tests.c parse_array.c parse_examples.c parse_hex4.c parse_number.c parse_object.c parse_string.c parse_value.c parse_with_opts.c print_array.c print_number.c print_object.c print_string.c print_value.c readme_examples.c unity_setup.c
.editorconfig .gitattributes .gitignore .travis.yml CHANGELOG.md CMakeLists.txt CONTRIBUTORS.md LICENSE Makefile README.md SECURITY.md appveyor.yml cJSON.c cJSON.h cJSON_Utils.c cJSON_Utils.h test.c valgrind.supp
curl
.circleci config.yml
.github
ISSUE_TEMPLATE bug_report.yml config.yml docs.yml
scripts cleancmd.pl cmp-config.pl cmp-pkg-config.sh codespell-ignore.words codespell.sh distfiles.sh pyspelling.words pyspelling.yaml randcurl.pl requirements-docs.txt requirements-proselint.txt requirements.txt shellcheck-ci.sh shellcheck.sh spellcheck.curl trimmarkdownheader.pl typos.sh typos.toml verify-examples.pl verify-synopsis.pl yamlcheck.sh yamlcheck.yaml
workflows appveyor-status.yml checkdocs.yml checksrc.yml checkurls.yml codeql.yml configure-vs-cmake.yml curl-for-win.yml distcheck.yml fuzz.yml http3-linux.yml label.yml linux-old.yml linux.yml macos.yml non-native.yml windows.yml
CODEOWNERS CONTRIBUTING.md FUNDING.yml dependabot.yml labeler.yml lock.yml stale.yml
CMake CurlSymbolHiding.cmake CurlTests.c FindBrotli.cmake FindCares.cmake FindGSS.cmake FindGnuTLS.cmake FindLDAP.cmake FindLibbacktrace.cmake FindLibgsasl.cmake FindLibidn2.cmake FindLibpsl.cmake FindLibssh.cmake FindLibssh2.cmake FindLibuv.cmake FindMbedTLS.cmake FindNGHTTP2.cmake FindNGHTTP3.cmake FindNGTCP2.cmake FindNettle.cmake FindQuiche.cmake FindRustls.cmake FindWolfSSL.cmake FindZstd.cmake Macros.cmake OtherTests.cmake PickyWarnings.cmake Utilities.cmake cmake_uninstall.in.cmake curl-config.in.cmake unix-cache.cmake win32-cache.cmake
LICENSES BSD-4-Clause-UC.txt ISC.txt curl.txt
docs
cmdline-opts .gitignore CMakeLists.txt MANPAGE.md Makefile.am Makefile.inc _AUTHORS.md _BUGS.md _DESCRIPTION.md _ENVIRONMENT.md _EXITCODES.md _FILES.md _GLOBBING.md _NAME.md _OPTIONS.md _OUTPUT.md _PROGRESS.md _PROTOCOLS.md _PROXYPREFIX.md _SEEALSO.md _SYNOPSIS.md _URL.md _VARIABLES.md _VERSION.md _WWW.md abstract-unix-socket.md alt-svc.md anyauth.md append.md aws-sigv4.md basic.md ca-native.md cacert.md capath.md cert-status.md cert-type.md cert.md ciphers.md compressed-ssh.md compressed.md config.md connect-timeout.md connect-to.md continue-at.md cookie-jar.md cookie.md create-dirs.md create-file-mode.md crlf.md crlfile.md curves.md data-ascii.md data-binary.md data-raw.md data-urlencode.md data.md delegation.md digest.md disable-eprt.md disable-epsv.md disable.md disallow-username-in-url.md dns-interface.md dns-ipv4-addr.md dns-ipv6-addr.md dns-servers.md doh-cert-status.md doh-insecure.md doh-url.md dump-ca-embed.md dump-header.md ech.md egd-file.md engine.md etag-compare.md etag-save.md expect100-timeout.md fail-early.md fail-with-body.md fail.md false-start.md follow.md form-escape.md form-string.md form.md ftp-account.md ftp-alternative-to-user.md ftp-create-dirs.md ftp-method.md ftp-pasv.md ftp-port.md ftp-pret.md ftp-skip-pasv-ip.md ftp-ssl-ccc-mode.md ftp-ssl-ccc.md ftp-ssl-control.md get.md globoff.md happy-eyeballs-timeout-ms.md haproxy-clientip.md haproxy-protocol.md head.md header.md help.md hostpubmd5.md hostpubsha256.md hsts.md http0.9.md http1.0.md http1.1.md http2-prior-knowledge.md http2.md http3-only.md http3.md ignore-content-length.md insecure.md interface.md ip-tos.md ipfs-gateway.md ipv4.md ipv6.md json.md junk-session-cookies.md keepalive-cnt.md keepalive-time.md key-type.md key.md knownhosts.md krb.md libcurl.md limit-rate.md list-only.md local-port.md location-trusted.md location.md login-options.md mail-auth.md mail-from.md mail-rcpt-allowfails.md mail-rcpt.md mainpage.idx manual.md max-filesize.md max-redirs.md max-time.md metalink.md 
mptcp.md negotiate.md netrc-file.md netrc-optional.md netrc.md next.md no-alpn.md no-buffer.md no-clobber.md no-keepalive.md no-npn.md no-progress-meter.md no-sessionid.md noproxy.md ntlm-wb.md ntlm.md oauth2-bearer.md out-null.md output-dir.md output.md parallel-immediate.md parallel-max-host.md parallel-max.md parallel.md pass.md path-as-is.md pinnedpubkey.md post301.md post302.md post303.md preproxy.md progress-bar.md proto-default.md proto-redir.md proto.md proxy-anyauth.md proxy-basic.md proxy-ca-native.md proxy-cacert.md proxy-capath.md proxy-cert-type.md proxy-cert.md proxy-ciphers.md proxy-crlfile.md proxy-digest.md proxy-header.md proxy-http2.md proxy-insecure.md proxy-key-type.md proxy-key.md proxy-negotiate.md proxy-ntlm.md proxy-pass.md proxy-pinnedpubkey.md proxy-service-name.md proxy-ssl-allow-beast.md proxy-ssl-auto-client-cert.md proxy-tls13-ciphers.md proxy-tlsauthtype.md proxy-tlspassword.md proxy-tlsuser.md proxy-tlsv1.md proxy-user.md proxy.md proxy1.0.md proxytunnel.md pubkey.md quote.md random-file.md range.md rate.md raw.md referer.md remote-header-name.md remote-name-all.md remote-name.md remote-time.md remove-on-error.md request-target.md request.md resolve.md retry-all-errors.md retry-connrefused.md retry-delay.md retry-max-time.md retry.md sasl-authzid.md sasl-ir.md service-name.md show-error.md show-headers.md sigalgs.md silent.md skip-existing.md socks4.md socks4a.md socks5-basic.md socks5-gssapi-nec.md socks5-gssapi-service.md socks5-gssapi.md socks5-hostname.md socks5.md speed-limit.md speed-time.md ssl-allow-beast.md ssl-auto-client-cert.md ssl-no-revoke.md ssl-reqd.md ssl-revoke-best-effort.md ssl-sessions.md ssl.md sslv2.md sslv3.md stderr.md styled-output.md suppress-connect-headers.md tcp-fastopen.md tcp-nodelay.md telnet-option.md tftp-blksize.md tftp-no-options.md time-cond.md tls-earlydata.md tls-max.md tls13-ciphers.md tlsauthtype.md tlspassword.md tlsuser.md tlsv1.0.md tlsv1.1.md tlsv1.2.md tlsv1.3.md tlsv1.md tr-encoding.md 
trace-ascii.md trace-config.md trace-ids.md trace-time.md trace.md unix-socket.md upload-file.md upload-flags.md url-query.md url.md use-ascii.md user-agent.md user.md variable.md verbose.md version.md vlan-priority.md write-out.md xattr.md
examples .checksrc .gitignore 10-at-a-time.c CMakeLists.txt Makefile.am Makefile.example Makefile.inc README.md adddocsref.pl address-scope.c altsvc.c anyauthput.c block_ip.c cacertinmem.c certinfo.c chkspeed.c connect-to.c cookie_interface.c crawler.c debug.c default-scheme.c ephiperfifo.c evhiperfifo.c externalsocket.c fileupload.c ftp-delete.c ftp-wildcard.c ftpget.c ftpgetinfo.c ftpgetresp.c ftpsget.c ftpupload.c ftpuploadfrommem.c ftpuploadresume.c getinfo.c getinmemory.c getredirect.c getreferrer.c ghiper.c headerapi.c hiperfifo.c hsts-preload.c htmltidy.c htmltitle.cpp http-options.c http-post.c http2-download.c http2-pushinmemory.c http2-serverpush.c http2-upload.c http3-present.c http3.c httpcustomheader.c httpput-postfields.c httpput.c https.c imap-append.c imap-authzid.c imap-copy.c imap-create.c imap-delete.c imap-examine.c imap-fetch.c imap-list.c imap-lsub.c imap-multi.c imap-noop.c imap-search.c imap-ssl.c imap-store.c imap-tls.c interface.c ipv6.c keepalive.c localport.c log_failed_transfers.c maxconnects.c multi-app.c multi-debugcallback.c multi-double.c multi-event.c multi-formadd.c multi-legacy.c multi-post.c multi-single.c multi-uv.c netrc.c parseurl.c persistent.c pop3-authzid.c pop3-dele.c pop3-list.c pop3-multi.c pop3-noop.c pop3-retr.c pop3-ssl.c pop3-stat.c pop3-tls.c pop3-top.c pop3-uidl.c post-callback.c postinmemory.c postit2-formadd.c postit2.c progressfunc.c protofeats.c range.c resolve.c rtsp-options.c sendrecv.c sepheaders.c sessioninfo.c sftpget.c sftpuploadresume.c shared-connection-cache.c simple.c simplepost.c simplessl.c smooth-gtk-thread.c smtp-authzid.c smtp-expn.c smtp-mail.c smtp-mime.c smtp-multi.c smtp-ssl.c smtp-tls.c smtp-vrfy.c sslbackend.c synctime.c threaded.c unixsocket.c url2file.c urlapi.c usercertinmem.c version-check.pl websocket-cb.c websocket-updown.c websocket.c xmlstream.c
internals BUFQ.md BUFREF.md CHECKSRC.md CLIENT-READERS.md CLIENT-WRITERS.md CODE_STYLE.md CONNECTION-FILTERS.md CREDENTIALS.md CURLX.md DYNBUF.md HASH.md LLIST.md MID.md MQTT.md MULTI-EV.md NEW-PROTOCOL.md PEERS.md PORTING.md RATELIMITS.md README.md SCORECARD.md SPLAY.md STRPARSE.md THRDPOOL-AND-QUEUE.md TIME-KEEPING.md TLS-SESSIONS.md UINT_SETS.md WEBSOCKET.md
libcurl
opts CMakeLists.txt CURLINFO_ACTIVESOCKET.md CURLINFO_APPCONNECT_TIME.md CURLINFO_APPCONNECT_TIME_T.md CURLINFO_CAINFO.md CURLINFO_CAPATH.md CURLINFO_CERTINFO.md CURLINFO_CONDITION_UNMET.md CURLINFO_CONNECT_TIME.md CURLINFO_CONNECT_TIME_T.md CURLINFO_CONN_ID.md CURLINFO_CONTENT_LENGTH_DOWNLOAD.md CURLINFO_CONTENT_LENGTH_DOWNLOAD_T.md CURLINFO_CONTENT_LENGTH_UPLOAD.md CURLINFO_CONTENT_LENGTH_UPLOAD_T.md CURLINFO_CONTENT_TYPE.md CURLINFO_COOKIELIST.md CURLINFO_EARLYDATA_SENT_T.md CURLINFO_EFFECTIVE_METHOD.md CURLINFO_EFFECTIVE_URL.md CURLINFO_FILETIME.md CURLINFO_FILETIME_T.md CURLINFO_FTP_ENTRY_PATH.md CURLINFO_HEADER_SIZE.md CURLINFO_HTTPAUTH_AVAIL.md CURLINFO_HTTPAUTH_USED.md CURLINFO_HTTP_CONNECTCODE.md CURLINFO_HTTP_VERSION.md CURLINFO_LASTSOCKET.md CURLINFO_LOCAL_IP.md CURLINFO_LOCAL_PORT.md CURLINFO_NAMELOOKUP_TIME.md CURLINFO_NAMELOOKUP_TIME_T.md CURLINFO_NUM_CONNECTS.md CURLINFO_OS_ERRNO.md CURLINFO_POSTTRANSFER_TIME_T.md CURLINFO_PRETRANSFER_TIME.md CURLINFO_PRETRANSFER_TIME_T.md CURLINFO_PRIMARY_IP.md CURLINFO_PRIMARY_PORT.md CURLINFO_PRIVATE.md CURLINFO_PROTOCOL.md CURLINFO_PROXYAUTH_AVAIL.md CURLINFO_PROXYAUTH_USED.md CURLINFO_PROXY_ERROR.md CURLINFO_PROXY_SSL_VERIFYRESULT.md CURLINFO_QUEUE_TIME_T.md CURLINFO_REDIRECT_COUNT.md CURLINFO_REDIRECT_TIME.md CURLINFO_REDIRECT_TIME_T.md CURLINFO_REDIRECT_URL.md CURLINFO_REFERER.md CURLINFO_REQUEST_SIZE.md CURLINFO_RESPONSE_CODE.md CURLINFO_RETRY_AFTER.md CURLINFO_RTSP_CLIENT_CSEQ.md CURLINFO_RTSP_CSEQ_RECV.md CURLINFO_RTSP_SERVER_CSEQ.md CURLINFO_RTSP_SESSION_ID.md CURLINFO_SCHEME.md CURLINFO_SIZE_DELIVERED.md CURLINFO_SIZE_DOWNLOAD.md CURLINFO_SIZE_DOWNLOAD_T.md CURLINFO_SIZE_UPLOAD.md CURLINFO_SIZE_UPLOAD_T.md CURLINFO_SPEED_DOWNLOAD.md CURLINFO_SPEED_DOWNLOAD_T.md CURLINFO_SPEED_UPLOAD.md CURLINFO_SPEED_UPLOAD_T.md CURLINFO_SSL_ENGINES.md CURLINFO_SSL_VERIFYRESULT.md CURLINFO_STARTTRANSFER_TIME.md CURLINFO_STARTTRANSFER_TIME_T.md CURLINFO_TLS_SESSION.md CURLINFO_TLS_SSL_PTR.md CURLINFO_TOTAL_TIME.md 
CURLINFO_TOTAL_TIME_T.md CURLINFO_USED_PROXY.md CURLINFO_XFER_ID.md CURLMINFO_XFERS_ADDED.md CURLMINFO_XFERS_CURRENT.md CURLMINFO_XFERS_DONE.md CURLMINFO_XFERS_PENDING.md CURLMINFO_XFERS_RUNNING.md CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE.md CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE.md CURLMOPT_MAXCONNECTS.md CURLMOPT_MAX_CONCURRENT_STREAMS.md CURLMOPT_MAX_HOST_CONNECTIONS.md CURLMOPT_MAX_PIPELINE_LENGTH.md CURLMOPT_MAX_TOTAL_CONNECTIONS.md CURLMOPT_NETWORK_CHANGED.md CURLMOPT_NOTIFYDATA.md CURLMOPT_NOTIFYFUNCTION.md CURLMOPT_PIPELINING.md CURLMOPT_PIPELINING_SERVER_BL.md CURLMOPT_PIPELINING_SITE_BL.md CURLMOPT_PUSHDATA.md CURLMOPT_PUSHFUNCTION.md CURLMOPT_QUICK_EXIT.md CURLMOPT_RESOLVE_THREADS_MAX.md CURLMOPT_SOCKETDATA.md CURLMOPT_SOCKETFUNCTION.md CURLMOPT_TIMERDATA.md CURLMOPT_TIMERFUNCTION.md CURLOPT_ABSTRACT_UNIX_SOCKET.md CURLOPT_ACCEPTTIMEOUT_MS.md CURLOPT_ACCEPT_ENCODING.md CURLOPT_ADDRESS_SCOPE.md CURLOPT_ALTSVC.md CURLOPT_ALTSVC_CTRL.md CURLOPT_APPEND.md CURLOPT_AUTOREFERER.md CURLOPT_AWS_SIGV4.md CURLOPT_BUFFERSIZE.md CURLOPT_CAINFO.md CURLOPT_CAINFO_BLOB.md CURLOPT_CAPATH.md CURLOPT_CA_CACHE_TIMEOUT.md CURLOPT_CERTINFO.md CURLOPT_CHUNK_BGN_FUNCTION.md CURLOPT_CHUNK_DATA.md CURLOPT_CHUNK_END_FUNCTION.md CURLOPT_CLOSESOCKETDATA.md CURLOPT_CLOSESOCKETFUNCTION.md CURLOPT_CONNECTTIMEOUT.md CURLOPT_CONNECTTIMEOUT_MS.md CURLOPT_CONNECT_ONLY.md CURLOPT_CONNECT_TO.md CURLOPT_CONV_FROM_NETWORK_FUNCTION.md CURLOPT_CONV_FROM_UTF8_FUNCTION.md CURLOPT_CONV_TO_NETWORK_FUNCTION.md CURLOPT_COOKIE.md CURLOPT_COOKIEFILE.md CURLOPT_COOKIEJAR.md CURLOPT_COOKIELIST.md CURLOPT_COOKIESESSION.md CURLOPT_COPYPOSTFIELDS.md CURLOPT_CRLF.md CURLOPT_CRLFILE.md CURLOPT_CURLU.md CURLOPT_CUSTOMREQUEST.md CURLOPT_DEBUGDATA.md CURLOPT_DEBUGFUNCTION.md CURLOPT_DEFAULT_PROTOCOL.md CURLOPT_DIRLISTONLY.md CURLOPT_DISALLOW_USERNAME_IN_URL.md CURLOPT_DNS_CACHE_TIMEOUT.md CURLOPT_DNS_INTERFACE.md CURLOPT_DNS_LOCAL_IP4.md CURLOPT_DNS_LOCAL_IP6.md CURLOPT_DNS_SERVERS.md CURLOPT_DNS_SHUFFLE_ADDRESSES.md 
CURLOPT_DNS_USE_GLOBAL_CACHE.md CURLOPT_DOH_SSL_VERIFYHOST.md CURLOPT_DOH_SSL_VERIFYPEER.md CURLOPT_DOH_SSL_VERIFYSTATUS.md CURLOPT_DOH_URL.md CURLOPT_ECH.md CURLOPT_EGDSOCKET.md CURLOPT_ERRORBUFFER.md CURLOPT_EXPECT_100_TIMEOUT_MS.md CURLOPT_FAILONERROR.md CURLOPT_FILETIME.md CURLOPT_FNMATCH_DATA.md CURLOPT_FNMATCH_FUNCTION.md CURLOPT_FOLLOWLOCATION.md CURLOPT_FORBID_REUSE.md CURLOPT_FRESH_CONNECT.md CURLOPT_FTPPORT.md CURLOPT_FTPSSLAUTH.md CURLOPT_FTP_ACCOUNT.md CURLOPT_FTP_ALTERNATIVE_TO_USER.md CURLOPT_FTP_CREATE_MISSING_DIRS.md CURLOPT_FTP_FILEMETHOD.md CURLOPT_FTP_SKIP_PASV_IP.md CURLOPT_FTP_SSL_CCC.md CURLOPT_FTP_USE_EPRT.md CURLOPT_FTP_USE_EPSV.md CURLOPT_FTP_USE_PRET.md CURLOPT_GSSAPI_DELEGATION.md CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.md CURLOPT_HAPROXYPROTOCOL.md CURLOPT_HAPROXY_CLIENT_IP.md CURLOPT_HEADER.md CURLOPT_HEADERDATA.md CURLOPT_HEADERFUNCTION.md CURLOPT_HEADEROPT.md CURLOPT_HSTS.md CURLOPT_HSTSREADDATA.md CURLOPT_HSTSREADFUNCTION.md CURLOPT_HSTSWRITEDATA.md CURLOPT_HSTSWRITEFUNCTION.md CURLOPT_HSTS_CTRL.md CURLOPT_HTTP09_ALLOWED.md CURLOPT_HTTP200ALIASES.md CURLOPT_HTTPAUTH.md CURLOPT_HTTPGET.md CURLOPT_HTTPHEADER.md CURLOPT_HTTPPOST.md CURLOPT_HTTPPROXYTUNNEL.md CURLOPT_HTTP_CONTENT_DECODING.md CURLOPT_HTTP_TRANSFER_DECODING.md CURLOPT_HTTP_VERSION.md CURLOPT_IGNORE_CONTENT_LENGTH.md CURLOPT_INFILESIZE.md CURLOPT_INFILESIZE_LARGE.md CURLOPT_INTERFACE.md CURLOPT_INTERLEAVEDATA.md CURLOPT_INTERLEAVEFUNCTION.md CURLOPT_IOCTLDATA.md CURLOPT_IOCTLFUNCTION.md CURLOPT_IPRESOLVE.md CURLOPT_ISSUERCERT.md CURLOPT_ISSUERCERT_BLOB.md CURLOPT_KEEP_SENDING_ON_ERROR.md CURLOPT_KEYPASSWD.md CURLOPT_KRBLEVEL.md CURLOPT_LOCALPORT.md CURLOPT_LOCALPORTRANGE.md CURLOPT_LOGIN_OPTIONS.md CURLOPT_LOW_SPEED_LIMIT.md CURLOPT_LOW_SPEED_TIME.md CURLOPT_MAIL_AUTH.md CURLOPT_MAIL_FROM.md CURLOPT_MAIL_RCPT.md CURLOPT_MAIL_RCPT_ALLOWFAILS.md CURLOPT_MAXAGE_CONN.md CURLOPT_MAXCONNECTS.md CURLOPT_MAXFILESIZE.md CURLOPT_MAXFILESIZE_LARGE.md CURLOPT_MAXLIFETIME_CONN.md 
CURLOPT_MAXREDIRS.md CURLOPT_MAX_RECV_SPEED_LARGE.md CURLOPT_MAX_SEND_SPEED_LARGE.md CURLOPT_MIMEPOST.md CURLOPT_MIME_OPTIONS.md CURLOPT_NETRC.md CURLOPT_NETRC_FILE.md CURLOPT_NEW_DIRECTORY_PERMS.md CURLOPT_NEW_FILE_PERMS.md CURLOPT_NOBODY.md CURLOPT_NOPROGRESS.md CURLOPT_NOPROXY.md CURLOPT_NOSIGNAL.md CURLOPT_OPENSOCKETDATA.md CURLOPT_OPENSOCKETFUNCTION.md CURLOPT_PASSWORD.md CURLOPT_PATH_AS_IS.md CURLOPT_PINNEDPUBLICKEY.md CURLOPT_PIPEWAIT.md CURLOPT_PORT.md CURLOPT_POST.md CURLOPT_POSTFIELDS.md CURLOPT_POSTFIELDSIZE.md CURLOPT_POSTFIELDSIZE_LARGE.md CURLOPT_POSTQUOTE.md CURLOPT_POSTREDIR.md CURLOPT_PREQUOTE.md CURLOPT_PREREQDATA.md CURLOPT_PREREQFUNCTION.md CURLOPT_PRE_PROXY.md CURLOPT_PRIVATE.md CURLOPT_PROGRESSDATA.md CURLOPT_PROGRESSFUNCTION.md CURLOPT_PROTOCOLS.md CURLOPT_PROTOCOLS_STR.md CURLOPT_PROXY.md CURLOPT_PROXYAUTH.md CURLOPT_PROXYHEADER.md CURLOPT_PROXYPASSWORD.md CURLOPT_PROXYPORT.md CURLOPT_PROXYTYPE.md CURLOPT_PROXYUSERNAME.md CURLOPT_PROXYUSERPWD.md CURLOPT_PROXY_CAINFO.md CURLOPT_PROXY_CAINFO_BLOB.md CURLOPT_PROXY_CAPATH.md CURLOPT_PROXY_CRLFILE.md CURLOPT_PROXY_ISSUERCERT.md CURLOPT_PROXY_ISSUERCERT_BLOB.md CURLOPT_PROXY_KEYPASSWD.md CURLOPT_PROXY_PINNEDPUBLICKEY.md CURLOPT_PROXY_SERVICE_NAME.md CURLOPT_PROXY_SSLCERT.md CURLOPT_PROXY_SSLCERTTYPE.md CURLOPT_PROXY_SSLCERT_BLOB.md CURLOPT_PROXY_SSLKEY.md CURLOPT_PROXY_SSLKEYTYPE.md CURLOPT_PROXY_SSLKEY_BLOB.md CURLOPT_PROXY_SSLVERSION.md CURLOPT_PROXY_SSL_CIPHER_LIST.md CURLOPT_PROXY_SSL_OPTIONS.md CURLOPT_PROXY_SSL_VERIFYHOST.md CURLOPT_PROXY_SSL_VERIFYPEER.md CURLOPT_PROXY_TLS13_CIPHERS.md CURLOPT_PROXY_TLSAUTH_PASSWORD.md CURLOPT_PROXY_TLSAUTH_TYPE.md CURLOPT_PROXY_TLSAUTH_USERNAME.md CURLOPT_PROXY_TRANSFER_MODE.md CURLOPT_PUT.md CURLOPT_QUICK_EXIT.md CURLOPT_QUOTE.md CURLOPT_RANDOM_FILE.md CURLOPT_RANGE.md CURLOPT_READDATA.md CURLOPT_READFUNCTION.md CURLOPT_REDIR_PROTOCOLS.md CURLOPT_REDIR_PROTOCOLS_STR.md CURLOPT_REFERER.md CURLOPT_REQUEST_TARGET.md CURLOPT_RESOLVE.md 
CURLOPT_RESOLVER_START_DATA.md CURLOPT_RESOLVER_START_FUNCTION.md CURLOPT_RESUME_FROM.md CURLOPT_RESUME_FROM_LARGE.md CURLOPT_RTSP_CLIENT_CSEQ.md CURLOPT_RTSP_REQUEST.md CURLOPT_RTSP_SERVER_CSEQ.md CURLOPT_RTSP_SESSION_ID.md CURLOPT_RTSP_STREAM_URI.md CURLOPT_RTSP_TRANSPORT.md CURLOPT_SASL_AUTHZID.md CURLOPT_SASL_IR.md CURLOPT_SEEKDATA.md CURLOPT_SEEKFUNCTION.md CURLOPT_SERVER_RESPONSE_TIMEOUT.md CURLOPT_SERVER_RESPONSE_TIMEOUT_MS.md CURLOPT_SERVICE_NAME.md CURLOPT_SHARE.md CURLOPT_SOCKOPTDATA.md CURLOPT_SOCKOPTFUNCTION.md CURLOPT_SOCKS5_AUTH.md CURLOPT_SOCKS5_GSSAPI_NEC.md CURLOPT_SOCKS5_GSSAPI_SERVICE.md CURLOPT_SSH_AUTH_TYPES.md CURLOPT_SSH_COMPRESSION.md CURLOPT_SSH_HOSTKEYDATA.md CURLOPT_SSH_HOSTKEYFUNCTION.md CURLOPT_SSH_HOST_PUBLIC_KEY_MD5.md CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256.md CURLOPT_SSH_KEYDATA.md CURLOPT_SSH_KEYFUNCTION.md CURLOPT_SSH_KNOWNHOSTS.md CURLOPT_SSH_PRIVATE_KEYFILE.md CURLOPT_SSH_PUBLIC_KEYFILE.md CURLOPT_SSLCERT.md CURLOPT_SSLCERTTYPE.md CURLOPT_SSLCERT_BLOB.md CURLOPT_SSLENGINE.md CURLOPT_SSLENGINE_DEFAULT.md CURLOPT_SSLKEY.md CURLOPT_SSLKEYTYPE.md CURLOPT_SSLKEY_BLOB.md CURLOPT_SSLVERSION.md CURLOPT_SSL_CIPHER_LIST.md CURLOPT_SSL_CTX_DATA.md CURLOPT_SSL_CTX_FUNCTION.md CURLOPT_SSL_EC_CURVES.md CURLOPT_SSL_ENABLE_ALPN.md CURLOPT_SSL_ENABLE_NPN.md CURLOPT_SSL_FALSESTART.md CURLOPT_SSL_OPTIONS.md CURLOPT_SSL_SESSIONID_CACHE.md CURLOPT_SSL_SIGNATURE_ALGORITHMS.md CURLOPT_SSL_VERIFYHOST.md CURLOPT_SSL_VERIFYPEER.md CURLOPT_SSL_VERIFYSTATUS.md CURLOPT_STDERR.md CURLOPT_STREAM_DEPENDS.md CURLOPT_STREAM_DEPENDS_E.md CURLOPT_STREAM_WEIGHT.md CURLOPT_SUPPRESS_CONNECT_HEADERS.md CURLOPT_TCP_FASTOPEN.md CURLOPT_TCP_KEEPALIVE.md CURLOPT_TCP_KEEPCNT.md CURLOPT_TCP_KEEPIDLE.md CURLOPT_TCP_KEEPINTVL.md CURLOPT_TCP_NODELAY.md CURLOPT_TELNETOPTIONS.md CURLOPT_TFTP_BLKSIZE.md CURLOPT_TFTP_NO_OPTIONS.md CURLOPT_TIMECONDITION.md CURLOPT_TIMEOUT.md CURLOPT_TIMEOUT_MS.md CURLOPT_TIMEVALUE.md CURLOPT_TIMEVALUE_LARGE.md CURLOPT_TLS13_CIPHERS.md 
CURLOPT_TLSAUTH_PASSWORD.md CURLOPT_TLSAUTH_TYPE.md CURLOPT_TLSAUTH_USERNAME.md CURLOPT_TRAILERDATA.md CURLOPT_TRAILERFUNCTION.md CURLOPT_TRANSFERTEXT.md CURLOPT_TRANSFER_ENCODING.md CURLOPT_UNIX_SOCKET_PATH.md CURLOPT_UNRESTRICTED_AUTH.md CURLOPT_UPKEEP_INTERVAL_MS.md CURLOPT_UPLOAD.md CURLOPT_UPLOAD_BUFFERSIZE.md CURLOPT_UPLOAD_FLAGS.md CURLOPT_URL.md CURLOPT_USERAGENT.md CURLOPT_USERNAME.md CURLOPT_USERPWD.md CURLOPT_USE_SSL.md CURLOPT_VERBOSE.md CURLOPT_WILDCARDMATCH.md CURLOPT_WRITEDATA.md CURLOPT_WRITEFUNCTION.md CURLOPT_WS_OPTIONS.md CURLOPT_XFERINFODATA.md CURLOPT_XFERINFOFUNCTION.md CURLOPT_XOAUTH2_BEARER.md CURLSHOPT_LOCKFUNC.md CURLSHOPT_SHARE.md CURLSHOPT_UNLOCKFUNC.md CURLSHOPT_UNSHARE.md CURLSHOPT_USERDATA.md Makefile.am Makefile.inc
.gitignore ABI.md CMakeLists.txt Makefile.am Makefile.inc curl_easy_cleanup.md curl_easy_duphandle.md curl_easy_escape.md curl_easy_getinfo.md curl_easy_header.md curl_easy_init.md curl_easy_nextheader.md curl_easy_option_by_id.md curl_easy_option_by_name.md curl_easy_option_next.md curl_easy_pause.md curl_easy_perform.md curl_easy_recv.md curl_easy_reset.md curl_easy_send.md curl_easy_setopt.md curl_easy_ssls_export.md curl_easy_ssls_import.md curl_easy_strerror.md curl_easy_unescape.md curl_easy_upkeep.md curl_escape.md curl_formadd.md curl_formfree.md curl_formget.md curl_free.md curl_getdate.md curl_getenv.md curl_global_cleanup.md curl_global_init.md curl_global_init_mem.md curl_global_sslset.md curl_global_trace.md curl_mime_addpart.md curl_mime_data.md curl_mime_data_cb.md curl_mime_encoder.md curl_mime_filedata.md curl_mime_filename.md curl_mime_free.md curl_mime_headers.md curl_mime_init.md curl_mime_name.md curl_mime_subparts.md curl_mime_type.md curl_mprintf.md curl_multi_add_handle.md curl_multi_assign.md curl_multi_cleanup.md curl_multi_fdset.md curl_multi_get_handles.md curl_multi_get_offt.md curl_multi_info_read.md curl_multi_init.md curl_multi_notify_disable.md curl_multi_notify_enable.md curl_multi_perform.md curl_multi_poll.md curl_multi_remove_handle.md curl_multi_setopt.md curl_multi_socket.md curl_multi_socket_action.md curl_multi_socket_all.md curl_multi_strerror.md curl_multi_timeout.md curl_multi_wait.md curl_multi_waitfds.md curl_multi_wakeup.md curl_pushheader_byname.md curl_pushheader_bynum.md curl_share_cleanup.md curl_share_init.md curl_share_setopt.md curl_share_strerror.md curl_slist_append.md curl_slist_free_all.md curl_strequal.md curl_strnequal.md curl_unescape.md curl_url.md curl_url_cleanup.md curl_url_dup.md curl_url_get.md curl_url_set.md curl_url_strerror.md curl_version.md curl_version_info.md curl_ws_meta.md curl_ws_recv.md curl_ws_send.md curl_ws_start_frame.md libcurl-easy.md libcurl-env-dbg.md libcurl-env.md 
libcurl-errors.md libcurl-multi.md libcurl-security.md libcurl-share.md libcurl-thread.md libcurl-tutorial.md libcurl-url.md libcurl-ws.md libcurl.m4 libcurl.md mksymbolsmanpage.pl symbols-in-versions symbols.pl
tests CI.md FILEFORMAT.md HTTP.md TEST-SUITE.md
.gitignore ALTSVC.md BINDINGS.md BUG-BOUNTY.md BUGS.md CIPHERS-TLS12.md CIPHERS.md CMakeLists.txt CODE_OF_CONDUCT.md CODE_REVIEW.md CONTRIBUTE.md CURL-DISABLE.md CURLDOWN.md DEPRECATE.md DISTROS.md EARLY-RELEASE.md ECH.md EXPERIMENTAL.md FAQ.md FEATURES.md GOVERNANCE.md HELP-US.md HISTORY.md HSTS.md HTTP-COOKIES.md HTTP3.md HTTPSRR.md INFRASTRUCTURE.md INSTALL-CMAKE.md INSTALL.md INTERNALS.md IPFS.md KNOWN_BUGS.md KNOWN_RISKS.md MAIL-ETIQUETTE.md MANUAL.md Makefile.am README.md RELEASE-PROCEDURE.md ROADMAP.md RUSTLS.md SECURITY-ADVISORY.md SPONSORS.md SSL-PROBLEMS.md SSLCERTS.md THANKS THANKS-filter TODO.md TheArtOfHttpScripting.md URL-SYNTAX.md VERIFY.md VERSIONS.md VULN-DISCLOSURE-POLICY.md curl-config.md mk-ca-bundle.md options-in-versions runtests.md testcurl.md wcurl.md
include
curl Makefile.am curl.h curlver.h easy.h header.h mprintf.h multi.h options.h stdcheaders.h system.h typecheck-gcc.h urlapi.h websockets.h
Makefile.am README.md
lib
curlx base64.c base64.h basename.c basename.h dynbuf.c dynbuf.h fopen.c fopen.h inet_ntop.c inet_ntop.h inet_pton.c inet_pton.h multibyte.c multibyte.h nonblock.c nonblock.h snprintf.c snprintf.h strcopy.c strcopy.h strdup.c strdup.h strerr.c strerr.h strparse.c strparse.h timediff.c timediff.h timeval.c timeval.h version_win32.c version_win32.h wait.c wait.h warnless.c warnless.h winapi.c winapi.h
vauth cleartext.c cram.c digest.c digest.h digest_sspi.c gsasl.c krb5_gssapi.c krb5_sspi.c ntlm.c ntlm_sspi.c oauth2.c spnego_gssapi.c spnego_sspi.c vauth.c vauth.h
vquic curl_ngtcp2.c curl_ngtcp2.h curl_quiche.c curl_quiche.h vquic-tls.c vquic-tls.h vquic.c vquic.h vquic_int.h
vssh libssh.c libssh2.c ssh.h vssh.c vssh.h
vtls apple.c apple.h cipher_suite.c cipher_suite.h gtls.c gtls.h hostcheck.c hostcheck.h keylog.c keylog.h mbedtls.c mbedtls.h openssl.c openssl.h rustls.c rustls.h schannel.c schannel.h schannel_int.h schannel_verify.c vtls.c vtls.h vtls_int.h vtls_scache.c vtls_scache.h vtls_spack.c vtls_spack.h wolfssl.c wolfssl.h x509asn1.c x509asn1.h
.gitignore CMakeLists.txt Makefile.am Makefile.inc Makefile.soname altsvc.c altsvc.h amigaos.c amigaos.h arpa_telnet.h asyn-ares.c asyn-base.c asyn-thrdd.c asyn.h bufq.c bufq.h bufref.c bufref.h cf-dns.c cf-dns.h cf-h1-proxy.c cf-h1-proxy.h cf-h2-proxy.c cf-h2-proxy.h cf-haproxy.c cf-haproxy.h cf-https-connect.c cf-https-connect.h cf-ip-happy.c cf-ip-happy.h cf-socket.c cf-socket.h cfilters.c cfilters.h config-mac.h config-os400.h config-riscos.h config-win32.h conncache.c conncache.h connect.c connect.h content_encoding.c content_encoding.h cookie.c cookie.h creds.c creds.h cshutdn.c cshutdn.h curl_addrinfo.c curl_addrinfo.h curl_config-cmake.h.in curl_ctype.h curl_endian.c curl_endian.h curl_fnmatch.c curl_fnmatch.h curl_fopen.c curl_fopen.h curl_get_line.c curl_get_line.h curl_gethostname.c curl_gethostname.h curl_gssapi.c curl_gssapi.h curl_hmac.h curl_ldap.h curl_md4.h curl_md5.h curl_memrchr.c curl_memrchr.h curl_ntlm_core.c curl_ntlm_core.h curl_printf.h curl_range.c curl_range.h curl_sasl.c curl_sasl.h curl_setup.h curl_sha256.h curl_sha512_256.c curl_sha512_256.h curl_share.c curl_share.h curl_sspi.c curl_sspi.h curl_threads.c curl_threads.h curl_trc.c curl_trc.h cw-out.c cw-out.h cw-pause.c cw-pause.h dict.c dict.h dllmain.c dnscache.c dnscache.h doh.c doh.h dynhds.c dynhds.h easy.c easy_lock.h easygetopt.c easyif.h easyoptions.c easyoptions.h escape.c escape.h fake_addrinfo.c fake_addrinfo.h file.c file.h fileinfo.c fileinfo.h formdata.c formdata.h ftp-int.h ftp.c ftp.h ftplistparser.c ftplistparser.h functypes.h getenv.c getinfo.c getinfo.h gopher.c gopher.h hash.c hash.h headers.c headers.h hmac.c hostip.c hostip.h hostip4.c hostip6.c hsts.c hsts.h http.c http.h http1.c http1.h http2.c http2.h http_aws_sigv4.c http_aws_sigv4.h http_chunks.c http_chunks.h http_digest.c http_digest.h http_negotiate.c http_negotiate.h http_ntlm.c http_ntlm.h http_proxy.c http_proxy.h httpsrr.c httpsrr.h idn.c idn.h if2ip.c if2ip.h imap.c imap.h ldap.c libcurl.def 
libcurl.rc libcurl.vers.in llist.c llist.h macos.c macos.h md4.c md5.c memdebug.c mime.c mime.h mprintf.c mqtt.c mqtt.h multi.c multi_ev.c multi_ev.h multi_ntfy.c multi_ntfy.h multihandle.h multiif.h netrc.c netrc.h noproxy.c noproxy.h openldap.c optiontable.pl parsedate.c parsedate.h peer.c peer.h pingpong.c pingpong.h pop3.c pop3.h progress.c progress.h protocol.c protocol.h psl.c psl.h rand.c rand.h ratelimit.c ratelimit.h request.c request.h rtsp.c rtsp.h select.c select.h sendf.c sendf.h setopt.c setopt.h setup-os400.h setup-vms.h setup-win32.h sha256.c sigpipe.h slist.c slist.h smb.c smb.h smtp.c smtp.h sockaddr.h socketpair.c socketpair.h socks.c socks.h socks_gssapi.c socks_sspi.c splay.c splay.h strcase.c strcase.h strequal.c strerror.c strerror.h system_win32.c system_win32.h telnet.c telnet.h tftp.c tftp.h thrdpool.c thrdpool.h thrdqueue.c thrdqueue.h transfer.c transfer.h uint-bset.c uint-bset.h uint-hash.c uint-hash.h uint-spbset.c uint-spbset.h uint-table.c uint-table.h url.c url.h urlapi-int.h urlapi.c urldata.h version.c ws.c ws.h
m4 .gitignore curl-amissl.m4 curl-apple-sectrust.m4 curl-compilers.m4 curl-confopts.m4 curl-functions.m4 curl-gnutls.m4 curl-mbedtls.m4 curl-openssl.m4 curl-override.m4 curl-reentrant.m4 curl-rustls.m4 curl-schannel.m4 curl-sysconfig.m4 curl-wolfssl.m4 xc-am-iface.m4 xc-cc-check.m4 xc-lt-iface.m4 xc-val-flgs.m4 zz40-xc-ovr.m4 zz50-xc-ovr.m4
projects
OS400
rpg-examples HEADERAPI HTTPPOST INMEMORY SIMPLE1 SIMPLE2 SMTPSRCMBR
.checksrc README.OS400 ccsidcurl.c ccsidcurl.h config400.default curl.cmd curl.inc.in curlcl.c curlmain.c initscript.sh make-docs.sh make-include.sh make-lib.sh make-src.sh make-tests.sh makefile.sh os400sys.c os400sys.h
Windows
tmpl .gitattributes README.txt curl-all.sln curl.sln curl.vcxproj curl.vcxproj.filters libcurl.sln libcurl.vcxproj libcurl.vcxproj.filters
.gitignore README.md generate.bat
vms Makefile.am backup_gnv_curl_src.com build_curl-config_script.com build_gnv_curl.com build_gnv_curl_pcsi_desc.com build_gnv_curl_pcsi_text.com build_gnv_curl_release_notes.com build_libcurl_pc.com build_vms.com clean_gnv_curl.com compare_curl_source.com config_h.com curl_crtl_init.c curl_gnv_build_steps.txt curl_release_note_start.txt curl_startup.com curlmsg.h curlmsg.msg curlmsg.sdl curlmsg_vms.h generate_config_vms_h_curl.com generate_vax_transfer.com gnv_conftest.c_first gnv_curl_configure.sh gnv_libcurl_symbols.opt gnv_link_curl.com macro32_exactcase.patch make_gnv_curl_install.sh make_pcsi_curl_kit_name.com pcsi_gnv_curl_file_list.txt pcsi_product_gnv_curl.com readme report_openssl_version.c setup_gnv_curl_build.com stage_curl_install.com vms_eco_level.h
Makefile.am README.md
scripts .checksrc CMakeLists.txt Makefile.am badwords badwords-all badwords.txt cd2cd cd2nroff cdall checksrc-all.pl checksrc.pl cmakelint.sh completion.pl contributors.sh contrithanks.sh coverage.sh delta dmaketgz extract-unit-protos firefox-db2pem.sh installcheck.sh maketgz managen mdlinkcheck mk-ca-bundle.pl mk-unity.pl nroff2cd perlcheck.sh pythonlint.sh randdisable release-notes.pl release-tools.sh schemetable.c singleuse.pl spacecheck.pl top-complexity top-length verify-release wcurl
src
toolx tool_time.c tool_time.h
.checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc config2setopts.c config2setopts.h curl.rc curlinfo.c mk-file-embed.pl mkhelp.pl slist_wc.c slist_wc.h terminal.c terminal.h tool_cb_dbg.c tool_cb_dbg.h tool_cb_hdr.c tool_cb_hdr.h tool_cb_prg.c tool_cb_prg.h tool_cb_rea.c tool_cb_rea.h tool_cb_see.c tool_cb_see.h tool_cb_soc.c tool_cb_soc.h tool_cb_wrt.c tool_cb_wrt.h tool_cfgable.c tool_cfgable.h tool_dirhie.c tool_dirhie.h tool_doswin.c tool_doswin.h tool_easysrc.c tool_easysrc.h tool_filetime.c tool_filetime.h tool_findfile.c tool_findfile.h tool_formparse.c tool_formparse.h tool_getparam.c tool_getparam.h tool_getpass.c tool_getpass.h tool_help.c tool_help.h tool_helpers.c tool_helpers.h tool_hugehelp.h tool_ipfs.c tool_ipfs.h tool_libinfo.c tool_libinfo.h tool_listhelp.c tool_main.c tool_main.h tool_msgs.c tool_msgs.h tool_operate.c tool_operate.h tool_operhlp.c tool_operhlp.h tool_paramhlp.c tool_paramhlp.h tool_parsecfg.c tool_parsecfg.h tool_progress.c tool_progress.h tool_sdecls.h tool_setopt.c tool_setopt.h tool_setup.h tool_ssls.c tool_ssls.h tool_stderr.c tool_stderr.h tool_urlglob.c tool_urlglob.h tool_util.c tool_util.h tool_version.h tool_vms.c tool_vms.h tool_writeout.c tool_writeout.h tool_writeout_json.c tool_writeout_json.h tool_xattr.c tool_xattr.h var.c var.h
tests
certs .gitignore CMakeLists.txt Makefile.am Makefile.inc genserv.pl srp-verifier-conf srp-verifier-db test-ca.cnf test-ca.prm test-client-cert.prm test-client-eku-only.prm test-localhost-san-first.prm test-localhost-san-last.prm test-localhost.nn.prm test-localhost.prm test-localhost0h.prm
cmake CMakeLists.txt test.c test.cpp test.sh
data .gitignore DISABLED Makefile.am data-xml1 data1400.c data1401.c data1402.c data1403.c data1404.c data1405.c data1406.c data1407.c data1420.c data1461.txt data1463.txt data1465.c data1481.c data1705-1.md data1705-2.md data1705-3.md data1705-4.md data1705-stdout.1 data1706-1.md data1706-2.md data1706-3.md data1706-4.md data1706-stdout.txt data320.html test1 test10 test100 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 test1008 test1009 test101 test1010 test1011 test1012 test1013 test1014 test1015 test1016 test1017 test1018 test1019 test102 test1020 test1021 test1022 test1023 test1024 test1025 test1026 test1027 test1028 test1029 test103 test1030 test1031 test1032 test1033 test1034 test1035 test1036 test1037 test1038 test1039 test104 test1040 test1041 test1042 test1043 test1044 test1045 test1046 test1047 test1048 test1049 test105 test1050 test1051 test1052 test1053 test1054 test1055 test1056 test1057 test1058 test1059 test106 test1060 test1061 test1062 test1063 test1064 test1065 test1066 test1067 test1068 test1069 test107 test1070 test1071 test1072 test1073 test1074 test1075 test1076 test1077 test1078 test1079 test108 test1080 test1081 test1082 test1083 test1084 test1085 test1086 test1087 test1088 test1089 test109 test1090 test1091 test1092 test1093 test1094 test1095 test1096 test1097 test1098 test1099 test11 test110 test1100 test1101 test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109 test111 test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 test1118 test1119 test112 test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 test1128 test1129 test113 test1130 test1131 test1132 test1133 test1134 test1135 test1136 test1137 test1138 test1139 test114 test1140 test1141 test1142 test1143 test1144 test1145 test1146 test1147 test1148 test1149 test115 test1150 test1151 test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 test116 test1160 test1161 test1162 test1163 test1164 
test1165 test1166 test1167 test1168 test1169 test117 test1170 test1171 test1172 test1173 test1174 test1175 test1176 test1177 test1178 test1179 test118 test1180 test1181 test1182 test1183 test1184 test1185 test1186 test1187 test1188 test1189 test119 test1190 test1191 test1192 test1193 test1194 test1195 test1196 test1197 test1198 test1199 test12 test120 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 test1208 test1209 test121 test1210 test1211 test1212 test1213 test1214 test1215 test1216 test1217 test1218 test1219 test122 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 test1228 test1229 test123 test1230 test1231 test1232 test1233 test1234 test1235 test1236 test1237 test1238 test1239 test124 test1240 test1241 test1242 test1243 test1244 test1245 test1246 test1247 test1248 test1249 test125 test1250 test1251 test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 test126 test1260 test1261 test1262 test1263 test1264 test1265 test1266 test1267 test1268 test1269 test127 test1270 test1271 test1272 test1273 test1274 test1275 test1276 test1277 test1278 test1279 test128 test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 test1288 test1289 test129 test1290 test1291 test1292 test1293 test1294 test1295 test1296 test1297 test1298 test1299 test13 test130 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 test1308 test1309 test131 test1310 test1311 test1312 test1313 test1314 test1315 test1316 test1317 test1318 test1319 test132 test1320 test1321 test1322 test1323 test1324 test1325 test1326 test1327 test1328 test1329 test133 test1330 test1331 test1332 test1333 test1334 test1335 test1336 test1337 test1338 test1339 test134 test1340 test1341 test1342 test1343 test1344 test1345 test1346 test1347 test1348 test1349 test135 test1350 test1351 test1352 test1353 test1354 test1355 test1356 test1357 test1358 test1359 test136 test1360 test1361 test1362 test1363 test1364 test1365 test1366 
test1367 test1368 test1369 test137 test1370 test1371 test1372 test1373 test1374 test1375 test1376 test1377 test1378 test1379 test138 test1380 test1381 test1382 test1383 test1384 test1385 test1386 test1387 test1388 test1389 test139 test1390 test1391 test1392 test1393 test1394 test1395 test1396 test1397 test1398 test1399 test14 test140 test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 test1408 test1409 test141 test1410 test1411 test1412 test1413 test1414 test1415 test1416 test1417 test1418 test1419 test142 test1420 test1421 test1422 test1423 test1424 test1425 test1426 test1427 test1428 test1429 test143 test1430 test1431 test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 test144 test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 test1448 test1449 test145 test1450 test1451 test1452 test1453 test1454 test1455 test1456 test1457 test1458 test1459 test146 test1460 test1461 test1462 test1463 test1464 test1465 test1466 test1467 test1468 test1469 test147 test1470 test1471 test1472 test1473 test1474 test1475 test1476 test1477 test1478 test1479 test148 test1480 test1481 test1482 test1483 test1484 test1485 test1486 test1487 test1488 test1489 test149 test1490 test1491 test1492 test1493 test1494 test1495 test1496 test1497 test1498 test1499 test15 test150 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 test1508 test1509 test151 test1510 test1511 test1512 test1513 test1514 test1515 test1516 test1517 test1518 test1519 test152 test1520 test1521 test1522 test1523 test1524 test1525 test1526 test1527 test1528 test1529 test153 test1530 test1531 test1532 test1533 test1534 test1535 test1536 test1537 test1538 test1539 test154 test1540 test1541 test1542 test1543 test1544 test1545 test1546 test1547 test1548 test1549 test155 test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 test1558 test1559 test156 test1560 test1561 test1562 test1563 test1564 test1565 test1566 test1567 test1568 
test1569 test157 test1570 test1571 test1572 test1573 test1574 test1575 test1576 test1577 test1578 test1579 test158 test1580 test1581 test1582 test1583 test1584 test1585 test1586 test1587 test1588 test1589 test159 test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 test1598 test1599 test16 test160 test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 test1608 test1609 test161 test1610 test1611 test1612 test1613 test1614 test1615 test1616 test1617 test1618 test1619 test162 test1620 test1621 test1622 test1623 test1624 test1625 test1626 test1627 test1628 test1629 test163 test1630 test1631 test1632 test1633 test1634 test1635 test1636 test1637 test1638 test1639 test164 test1640 test1641 test1642 test1643 test1644 test1645 test165 test1650 test1651 test1652 test1653 test1654 test1655 test1656 test1657 test1658 test1659 test166 test1660 test1661 test1662 test1663 test1664 test1665 test1666 test1667 test1668 test1669 test167 test1670 test1671 test1672 test1673 test1674 test1675 test1676 test168 test1680 test1681 test1682 test1683 test1684 test1685 test169 test17 test170 test1700 test1701 test1702 test1703 test1704 test1705 test1706 test1707 test1708 test1709 test171 test1710 test1711 test1712 test1713 test1714 test1715 test172 test1720 test1721 test173 test174 test175 test176 test177 test178 test179 test18 test180 test1800 test1801 test1802 test181 test182 test183 test184 test1847 test1848 test1849 test185 test1850 test1851 test186 test187 test188 test189 test19 test190 test1900 test1901 test1902 test1903 test1904 test1905 test1906 test1907 test1908 test1909 test191 test1910 test1911 test1912 test1913 test1914 test1915 test1916 test1917 test1918 test1919 test192 test1920 test1921 test193 test1933 test1934 test1935 test1936 test1937 test1938 test1939 test194 test1940 test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 test195 test1955 test1956 test1957 test1958 test1959 test196 test1960 test1964 test1965 test1966 
test197 test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 test1978 test1979 test198 test1980 test1981 test1982 test1983 test1984 test199 test2 test20 test200 test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 test2008 test2009 test201 test2010 test2011 test2012 test2013 test2014 test202 test2023 test2024 test2025 test2026 test2027 test2028 test2029 test203 test2030 test2031 test2032 test2033 test2034 test2035 test2037 test2038 test2039 test204 test2040 test2041 test2042 test2043 test2044 test2045 test2046 test2047 test2048 test2049 test205 test2050 test2051 test2052 test2053 test2054 test2055 test2056 test2057 test2058 test2059 test206 test2060 test2061 test2062 test2063 test2064 test2065 test2066 test2067 test2068 test2069 test207 test2070 test2071 test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 test208 test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 test2088 test2089 test209 test2090 test2091 test2092 test21 test210 test2100 test2101 test2102 test2103 test2104 test211 test212 test213 test214 test215 test216 test217 test218 test219 test22 test220 test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 test221 test222 test223 test224 test225 test226 test227 test228 test229 test23 test230 test2300 test2301 test2302 test2303 test2304 test2306 test2307 test2308 test2309 test231 test232 test233 test234 test235 test236 test237 test238 test239 test24 test240 test2400 test2401 test2402 test2403 test2404 test2405 test2406 test2407 test2408 test2409 test241 test2410 test2411 test242 test243 test244 test245 test246 test247 test248 test249 test25 test250 test2500 test2501 test2502 test2503 test2504 test2505 test2506 test251 test252 test253 test254 test255 test256 test257 test258 test259 test26 test260 test2600 test2601 test2602 test2603 test2604 test2605 test261 test262 test263 test264 test265 test266 test267 test268 test269 test27 test270 test2700 test2701 test2702 
test2703 test2704 test2705 test2706 test2707 test2708 test2709 test271 test2710 test2711 test2712 test2713 test2714 test2715 test2716 test2717 test2718 test2719 test272 test2720 test2721 test2722 test2723 test273 test274 test275 test276 test277 test278 test279 test28 test280 test281 test282 test283 test284 test285 test286 test287 test288 test289 test29 test290 test291 test292 test293 test294 test295 test296 test297 test298 test299 test3 test30 test300 test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 test3008 test3009 test301 test3010 test3011 test3012 test3013 test3014 test3015 test3016 test3017 test3018 test3019 test302 test3020 test3021 test3022 test3023 test3024 test3025 test3026 test3027 test3028 test3029 test303 test3030 test3031 test3032 test3033 test3034 test3035 test3036 test304 test305 test306 test307 test308 test309 test31 test310 test3100 test3101 test3102 test3103 test3104 test3105 test3106 test311 test312 test313 test314 test315 test316 test317 test318 test319 test32 test320 test3200 test3201 test3202 test3203 test3204 test3205 test3206 test3207 test3208 test3209 test321 test3210 test3211 test3212 test3213 test3214 test3215 test3216 test3217 test3218 test3219 test322 test3220 test323 test324 test325 test326 test327 test328 test329 test33 test330 test3300 test3301 test3302 test331 test332 test333 test334 test335 test336 test337 test338 test339 test34 test340 test341 test342 test343 test344 test345 test346 test347 test348 test349 test35 test350 test351 test352 test353 test354 test355 test356 test357 test358 test359 test36 test360 test361 test362 test363 test364 test365 test366 test367 test368 test369 test37 test370 test371 test372 test373 test374 test375 test376 test378 test379 test38 test380 test381 test383 test384 test385 test386 test387 test388 test389 test39 test390 test391 test392 test393 test394 test395 test396 test397 test398 test399 test4 test40 test400 test4000 test4001 test401 test402 test403 test404 test405 test406 
test407 test408 test409 test41 test410 test411 test412 test413 test414 test415 test416 test417 test418 test419 test42 test420 test421 test422 test423 test424 test425 test426 test427 test428 test429 test43 test430 test431 test432 test433 test434 test435 test436 test437 test438 test439 test44 test440 test441 test442 test443 test444 test445 test446 test447 test448 test449 test45 test450 test451 test452 test453 test454 test455 test456 test457 test458 test459 test46 test460 test461 test462 test463 test467 test468 test469 test47 test470 test471 test472 test473 test474 test475 test476 test477 test478 test479 test48 test480 test481 test482 test483 test484 test485 test486 test487 test488 test489 test49 test490 test491 test492 test493 test494 test495 test496 test497 test498 test499 test5 test50 test500 test501 test502 test503 test504 test505 test506 test507 test508 test509 test51 test510 test511 test512 test513 test514 test515 test516 test517 test518 test519 test52 test520 test521 test522 test523 test524 test525 test526 test527 test528 test529 test53 test530 test531 test532 test533 test534 test535 test536 test537 test538 test539 test54 test540 test541 test542 test543 test544 test545 test546 test547 test548 test549 test55 test550 test551 test552 test553 test554 test555 test556 test557 test558 test559 test56 test560 test561 test562 test563 test564 test565 test566 test567 test568 test569 test57 test570 test571 test572 test573 test574 test575 test576 test577 test578 test579 test58 test580 test581 test582 test583 test584 test585 test586 test587 test588 test589 test59 test590 test591 test592 test593 test594 test595 test596 test597 test598 test599 test6 test60 test600 test601 test602 test603 test604 test605 test606 test607 test608 test609 test61 test610 test611 test612 test613 test614 test615 test616 test617 test618 test619 test62 test620 test621 test622 test623 test624 test625 test626 test627 test628 test629 test63 test630 test631 test632 test633 test634 test635 test636 test637 
test638 test639 test64 test640 test641 test642 test643 test644 test645 test646 test647 test648 test649 test65 test650 test651 test652 test653 test654 test655 test656 test658 test659 test66 test660 test661 test662 test663 test664 test665 test666 test667 test668 test669 test67 test670 test671 test672 test673 test674 test675 test676 test677 test678 test679 test68 test680 test681 test682 test683 test684 test685 test686 test687 test688 test689 test69 test690 test691 test692 test693 test694 test695 test696 test697 test698 test699 test7 test70 test700 test701 test702 test703 test704 test705 test706 test707 test708 test709 test71 test710 test711 test712 test713 test714 test715 test716 test717 test718 test719 test72 test720 test721 test722 test723 test724 test725 test726 test727 test728 test729 test73 test730 test731 test732 test733 test734 test735 test736 test737 test738 test739 test74 test740 test741 test742 test743 test744 test745 test746 test747 test748 test749 test75 test750 test751 test752 test753 test754 test755 test756 test757 test758 test759 test76 test760 test761 test762 test763 test764 test765 test766 test767 test768 test769 test77 test770 test771 test772 test773 test774 test775 test776 test777 test778 test779 test78 test780 test781 test782 test783 test784 test785 test786 test787 test788 test789 test79 test790 test791 test792 test793 test794 test795 test796 test797 test798 test799 test8 test80 test800 test801 test802 test803 test804 test805 test806 test807 test808 test809 test81 test810 test811 test812 test813 test814 test815 test816 test817 test818 test819 test82 test820 test821 test822 test823 test824 test825 test826 test827 test828 test829 test83 test830 test831 test832 test833 test834 test835 test836 test837 test838 test839 test84 test840 test841 test842 test843 test844 test845 test846 test847 test848 test849 test85 test850 test851 test852 test853 test854 test855 test856 test857 test858 test859 test86 test860 test861 test862 test863 test864 test865 test866 
test867 test868 test869 test87 test870 test871 test872 test873 test874 test875 test876 test877 test878 test879 test88 test880 test881 test882 test883 test884 test885 test886 test887 test888 test889 test89 test890 test891 test892 test893 test894 test895 test896 test897 test898 test899 test9 test90 test900 test901 test902 test903 test904 test905 test906 test907 test908 test909 test91 test910 test911 test912 test913 test914 test915 test916 test917 test918 test919 test92 test920 test921 test922 test923 test924 test925 test926 test927 test928 test929 test93 test930 test931 test932 test933 test934 test935 test936 test937 test938 test939 test94 test940 test941 test942 test943 test944 test945 test946 test947 test948 test949 test95 test950 test951 test952 test953 test954 test955 test956 test957 test958 test959 test96 test960 test961 test962 test963 test964 test965 test966 test967 test968 test969 test97 test970 test971 test972 test973 test974 test975 test976 test977 test978 test979 test98 test980 test981 test982 test983 test984 test985 test986 test987 test988 test989 test99 test990 test991 test992 test993 test994 test995 test996 test997 test998 test999
http
testenv
mod_curltest .gitignore mod_curltest.c
__init__.py caddy.py certs.py client.py curl.py dante.py dnsd.py env.py httpd.py nghttpx.py ports.py sshd.py vsftpd.py ws_echo_server.py
.gitignore CMakeLists.txt Makefile.am config.ini.in conftest.py requirements.txt scorecard.py test_01_basic.py test_02_download.py test_03_goaway.py test_04_stuttered.py test_05_errors.py test_06_eyeballs.py test_07_upload.py test_08_caddy.py test_09_push.py test_10_proxy.py test_11_unix.py test_12_reuse.py test_13_proxy_auth.py test_14_auth.py test_15_tracing.py test_16_info.py test_17_ssl_use.py test_18_methods.py test_19_shutdown.py test_20_websockets.py test_21_resolve.py test_22_httpsrr.py test_30_vsftpd.py test_31_vsftpds.py test_32_ftps_vsftpd.py test_40_socks.py test_50_scp.py test_51_sftp.py
libtest .gitignore CMakeLists.txt Makefile.am Makefile.inc cli_ftp_upload.c cli_h2_pausing.c cli_h2_serverpush.c cli_h2_upgrade_extreme.c cli_hx_download.c cli_hx_upload.c cli_tls_session_reuse.c cli_upload_pausing.c cli_ws_data.c cli_ws_pingpong.c first.c first.h lib1156.c lib1301.c lib1308.c lib1485.c lib1500.c lib1501.c lib1502.c lib1506.c lib1507.c lib1508.c lib1509.c lib1510.c lib1511.c lib1512.c lib1513.c lib1514.c lib1515.c lib1517.c lib1518.c lib1520.c lib1522.c lib1523.c lib1525.c lib1526.c lib1527.c lib1528.c lib1529.c lib1530.c lib1531.c lib1532.c lib1533.c lib1534.c lib1535.c lib1536.c lib1537.c lib1538.c lib1540.c lib1541.c lib1542.c lib1545.c lib1549.c lib1550.c lib1551.c lib1552.c lib1553.c lib1554.c lib1555.c lib1556.c lib1557.c lib1558.c lib1559.c lib1560.c lib1564.c lib1565.c lib1567.c lib1568.c lib1569.c lib1571.c lib1576.c lib1582.c lib1587.c lib1588.c lib1589.c lib1591.c lib1592.c lib1593.c lib1594.c lib1597.c lib1598.c lib1599.c lib1662.c lib1900.c lib1901.c lib1902.c lib1903.c lib1905.c lib1906.c lib1907.c lib1908.c lib1910.c lib1911.c lib1912.c lib1913.c lib1915.c lib1916.c lib1918.c lib1919.c lib1920.c lib1921.c lib1933.c lib1934.c lib1935.c lib1936.c lib1937.c lib1938.c lib1939.c lib1940.c lib1945.c lib1947.c lib1948.c lib1955.c lib1956.c lib1957.c lib1958.c lib1959.c lib1960.c lib1964.c lib1965.c lib1970.c lib1971.c lib1972.c lib1973.c lib1974.c lib1975.c lib1977.c lib1978.c lib2023.c lib2032.c lib2082.c lib2301.c lib2302.c lib2304.c lib2306.c lib2308.c lib2309.c lib2402.c lib2404.c lib2405.c lib2502.c lib2504.c lib2505.c lib2506.c lib2700.c lib3010.c lib3025.c lib3026.c lib3027.c lib3033.c lib3034.c lib3100.c lib3101.c lib3102.c lib3103.c lib3104.c lib3105.c lib3207.c lib3208.c lib500.c lib501.c lib502.c lib503.c lib504.c lib505.c lib506.c lib507.c lib508.c lib509.c lib510.c lib511.c lib512.c lib513.c lib514.c lib515.c lib516.c lib517.c lib518.c lib519.c lib520.c lib521.c lib523.c lib524.c lib525.c lib526.c lib530.c lib533.c lib536.c 
lib537.c lib539.c lib540.c lib541.c lib542.c lib543.c lib544.c lib547.c lib549.c lib552.c lib553.c lib554.c lib555.c lib556.c lib557.c lib558.c lib559.c lib560.c lib562.c lib564.c lib566.c lib567.c lib568.c lib569.c lib570.c lib571.c lib572.c lib573.c lib574.c lib575.c lib576.c lib578.c lib579.c lib582.c lib583.c lib586.c lib589.c lib590.c lib591.c lib597.c lib598.c lib599.c lib643.c lib650.c lib651.c lib652.c lib653.c lib654.c lib655.c lib658.c lib659.c lib661.c lib666.c lib667.c lib668.c lib670.c lib674.c lib676.c lib677.c lib678.c lib694.c lib695.c lib751.c lib753.c lib757.c lib758.c lib766.c memptr.c mk-lib1521.pl test1013.pl test1022.pl test307.pl test610.pl test613.pl testtrace.c testtrace.h testutil.c testutil.h unitcheck.h
server .checksrc .gitignore CMakeLists.txt Makefile.am Makefile.inc dnsd.c first.c first.h getpart.c mqttd.c resolve.c rtspd.c sockfilt.c socksd.c sws.c tftpd.c util.c
tunit .gitignore CMakeLists.txt Makefile.am Makefile.inc README.md tool1394.c tool1604.c tool1621.c tool1622.c tool1623.c tool1720.c
unit .gitignore CMakeLists.txt Makefile.am Makefile.inc README.md unit1300.c unit1302.c unit1303.c unit1304.c unit1305.c unit1307.c unit1309.c unit1323.c unit1330.c unit1395.c unit1396.c unit1397.c unit1398.c unit1399.c unit1600.c unit1601.c unit1602.c unit1603.c unit1605.c unit1606.c unit1607.c unit1608.c unit1609.c unit1610.c unit1611.c unit1612.c unit1614.c unit1615.c unit1616.c unit1620.c unit1625.c unit1626.c unit1627.c unit1636.c unit1650.c unit1651.c unit1652.c unit1653.c unit1654.c unit1655.c unit1656.c unit1657.c unit1658.c unit1660.c unit1661.c unit1663.c unit1664.c unit1666.c unit1667.c unit1668.c unit1669.c unit1674.c unit1675.c unit1676.c unit1979.c unit1980.c unit2600.c unit2601.c unit2602.c unit2603.c unit2604.c unit2605.c unit3200.c unit3205.c unit3211.c unit3212.c unit3213.c unit3214.c unit3216.c unit3219.c unit3300.c unit3301.c unit3302.c
.gitignore CMakeLists.txt Makefile.am allversions.pm appveyor.pm azure.pm config.in configurehelp.pm.in devtest.pl dictserver.py directories.pm ech_combos.py ech_tests.sh ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl memanalyze.pl memanalyzer.pm negtelnetserver.py nghttpx.conf pathhelp.pm processhelp.pm requirements.txt rtspserver.pl runner.pm runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl test1119.pl test1135.pl test1139.pl test1140.pl test1165.pl test1167.pl test1173.pl test1175.pl test1177.pl test1222.pl test1275.pl test1276.pl test1477.pl test1486.pl test1488.pl test1544.pl test1707.pl test745.pl test971.pl testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm valgrind.supp
.clang-tidy.yml .dir-locals.el .editorconfig .git-blame-ignore-revs .gitattributes .gitignore .mailmap CHANGES.md CMakeLists.txt COPYING Dockerfile GIT-INFO.md Makefile.am README README.md RELEASE-NOTES REUSE.toml SECURITY.md acinclude.m4 appveyor.sh appveyor.yml configure.ac curl-config.in libcurl.pc.in renovate.json
examples .env config.ini crypto_test.lua env_test.lua fs_example.lua http_server.lua https_test.lua ini_example.lua json.lua log.lua path_fs_example.lua process_example.lua request_download.lua request_test.lua run_all.lua sqlite_example.lua sqlite_http_template.lua stash_test.lua template_test.lua timer.lua websocket.lua
iniparser
.github
ISSUE_TEMPLATE config.yml
workflows disable-pull-requests.yml trigger-gitlab-ci.yml
cmake JoinPaths.cmake config.cmake.in pc.in
example iniexample.c iniwrite.c parse.c twisted-errors.ini twisted-genhuge.py twisted-ofkey.ini twisted-ofval.ini twisted.ini
src dictionary.c dictionary.h iniparser.c iniparser.h
test
ressources
bad_ini ends_well.ini twisted-errors.ini twisted-ofkey.ini twisted-ofval.ini
good_ini empty.ini spaced.ini spaced2.ini twisted.ini
gruezi.ini old.ini quotes.ini utf8.ini
CMakeLists.txt test_dictionary.c test_iniparser.c unity-config.yml unity_config.h
.cmake-format.py .gitignore .gitlab-ci.yml .gitmessage .travis.yml AUTHORS CMakeLists.txt FAQ-en.md FAQ-zhcn.md INSTALL LICENSE README.md compile_commands.json
jinjac
example CMakeLists.txt example.c
jinjac_test_app CMakeLists.txt jinjac_test_app.c
libjinjac
include jinjac.h
src CMakeLists.txt ast.c ast.h block_statement.c block_statement.h buffer.c buffer.h buildin.c buildin.h common.h convert.c convert.h flex_decl.h jfunction.c jfunction.h jinja_expression.l jinja_expression.y jinjac_parse.c jinjac_parse.h jinjac_stream.c jinjac_stream.h jlist.c jlist.h jobject.c jobject.h parameter.c parameter.h str_obj.c str_obj.h trace.c trace.h
CMakeLists.txt
test .gitignore CMakeLists.txt autotest.rb test_01.expected test_01.jinja test_01b.expected test_01b.jinja test_01c.expected test_01c.jinja test_01d.expected test_01d.jinja test_02.expected test_02.jinja test_03.expected test_03.jinja test_04.expected test_04.jinja test_05.expected test_05.jinja test_06.expected test_06.jinja test_07.expected test_07.jinja test_08.expected test_08.jinja test_08b.expected test_08b.jinja test_09.expected test_09.jinja test_10.expected test_10.jinja test_11.expected test_11.jinja test_12.expected test_12.jinja test_13.expected test_13.jinja test_14.expected test_14.jinja test_15.expected test_15.jinja test_16.expected test_16.jinja test_17.expected test_17.jinja test_18.expected test_18.jinja test_18b.expected test_18b.jinja test_18c.expected test_18c.jinja test_19.expected test_19.jinja test_19b.expected test_19b.jinja test_19c.expected test_19c.jinja test_19d.expected test_19d.jinja test_19e.expected test_19e.jinja test_19f.expected test_19f.jinja test_20.expected test_20.jinja test_21.expected test_21.jinja test_22.expected test_22.jinja test_22a.expected test_22a.jinja test_22b.expected test_22b.jinja test_23.expected test_23.jinja test_24.expected test_24.jinja
.gitignore CMakeLists.txt LICENSE.txt README.md build_coverage.sh build_debug.sh build_release.sh cppcheck_analysis.sh
libev Changes LICENSE Makefile Makefile.am Makefile.in README Symbols.ev Symbols.event aclocal.m4 autogen.sh compile config.guess config.h config.h.in config.status config.sub configure configure.ac depcomp ev++.h ev.3 ev.c ev.h ev.pod ev_epoll.c ev_kqueue.c ev_poll.c ev_port.c ev_select.c ev_vars.h ev_win32.c ev_wrap.h event.c event.h install-sh libev.m4 libtool ltmain.sh missing mkinstalldirs stamp-h1
luajit
doc
img contact.png
bluequad-print.css bluequad.css contact.html ext_buffer.html ext_c_api.html ext_ffi.html ext_ffi_api.html ext_ffi_semantics.html ext_ffi_tutorial.html ext_jit.html ext_profiler.html extensions.html install.html luajit.html running.html
dynasm dasm_arm.h dasm_arm.lua dasm_arm64.h dasm_arm64.lua dasm_mips.h dasm_mips.lua dasm_mips64.lua dasm_ppc.h dasm_ppc.lua dasm_proto.h dasm_x64.lua dasm_x86.h dasm_x86.lua dynasm.lua
etc luajit.1 luajit.pc
src
host .gitignore README buildvm.c buildvm.h buildvm_asm.c buildvm_fold.c buildvm_lib.c buildvm_libbc.h buildvm_peobj.c genlibbc.lua genminilua.lua genversion.lua minilua.c
jit .gitignore bc.lua bcsave.lua dis_arm.lua dis_arm64.lua dis_arm64be.lua dis_mips.lua dis_mips64.lua dis_mips64el.lua dis_mips64r6.lua dis_mips64r6el.lua dis_mipsel.lua dis_ppc.lua dis_x64.lua dis_x86.lua dump.lua p.lua v.lua zone.lua
.gitignore Makefile Makefile.dep lauxlib.h lib_aux.c lib_base.c lib_bit.c lib_buffer.c lib_debug.c lib_ffi.c lib_init.c lib_io.c lib_jit.c lib_math.c lib_os.c lib_package.c lib_string.c lib_table.c lj_alloc.c lj_alloc.h lj_api.c lj_arch.h lj_asm.c lj_asm.h lj_asm_arm.h lj_asm_arm64.h lj_asm_mips.h lj_asm_ppc.h lj_asm_x86.h lj_assert.c lj_bc.c lj_bc.h lj_bcdump.h lj_bcread.c lj_bcwrite.c lj_buf.c lj_buf.h lj_carith.c lj_carith.h lj_ccall.c lj_ccall.h lj_ccallback.c lj_ccallback.h lj_cconv.c lj_cconv.h lj_cdata.c lj_cdata.h lj_char.c lj_char.h lj_clib.c lj_clib.h lj_cparse.c lj_cparse.h lj_crecord.c lj_crecord.h lj_ctype.c lj_ctype.h lj_debug.c lj_debug.h lj_def.h lj_dispatch.c lj_dispatch.h lj_emit_arm.h lj_emit_arm64.h lj_emit_mips.h lj_emit_ppc.h lj_emit_x86.h lj_err.c lj_err.h lj_errmsg.h lj_ff.h lj_ffrecord.c lj_ffrecord.h lj_frame.h lj_func.c lj_func.h lj_gc.c lj_gc.h lj_gdbjit.c lj_gdbjit.h lj_ir.c lj_ir.h lj_ircall.h lj_iropt.h lj_jit.h lj_lex.c lj_lex.h lj_lib.c lj_lib.h lj_load.c lj_mcode.c lj_mcode.h lj_meta.c lj_meta.h lj_obj.c lj_obj.h lj_opt_dce.c lj_opt_fold.c lj_opt_loop.c lj_opt_mem.c lj_opt_narrow.c lj_opt_sink.c lj_opt_split.c lj_parse.c lj_parse.h lj_prng.c lj_prng.h lj_profile.c lj_profile.h lj_record.c lj_record.h lj_serialize.c lj_serialize.h lj_snap.c lj_snap.h lj_state.c lj_state.h lj_str.c lj_str.h lj_strfmt.c lj_strfmt.h lj_strfmt_num.c lj_strscan.c lj_strscan.h lj_tab.c lj_tab.h lj_target.h lj_target_arm.h lj_target_arm64.h lj_target_mips.h lj_target_ppc.h lj_target_x86.h lj_trace.c lj_trace.h lj_traceerr.h lj_udata.c lj_udata.h lj_vm.h lj_vmevent.c lj_vmevent.h lj_vmmath.c ljamalg.c lua.h lua.hpp luaconf.h luajit.c luajit_rolling.h lualib.h msvcbuild.bat nxbuild.bat ps4build.bat ps5build.bat psvitabuild.bat vm_arm.dasc vm_arm64.dasc vm_mips.dasc vm_mips64.dasc vm_ppc.dasc vm_x64.dasc vm_x86.dasc xb1build.bat xedkbuild.bat
.gitattributes .gitignore .relver COPYRIGHT Makefile README
sqlite shell.c sqlite3.c sqlite3.h sqlite3ext.h
wolfssl
.github
ISSUE_TEMPLATE bug_report.yaml other.yaml
actions
install-apt-deps action.yml
scripts
zephyr-4.x external_libc.conf zephyr-test.sh
openssl-ech.sh tls-anvil-test.sh
workflows
disabled haproxy.yml hitch.yml hostap.yml
hostap-files
configs
07c9f183ea744ac04585fb6dd10220c75a5e2e74 hostapd.config tests wpa_supplicant.config
b607d2723e927a3446d89aed813f1aa6068186bb hostapd.config tests wpa_supplicant.config
hostap_2_10 extra.patch hostapd.config tests wpa_supplicant.config
Makefile README dbus-wpa_supplicant.conf
ada.yml arduino.yml async-examples.yml async.yml atecc608-sim.yml bind.yml cmake-autoconf.yml cmake.yml codespell.yml coverity-scan-fixes.yml cryptocb-only.yml curl.yml cyrus-sasl.yml disable-pk-algs.yml docker-Espressif.yml docker-OpenWrt.yml emnet-nonblock.yml fil-c.yml freertos-mem-track.yml gencertbuf.yml grpc.yml haproxy.yml hostap-vm.yml intelasm-c-fallback.yml ipmitool.yml jwt-cpp.yml krb5.yml libspdm.yml libssh2.yml libvncserver.yml linuxkm.yml macos-apple-native-cert-validation.yml mbedtls.sh mbedtls.yml membrowse-comment.yml membrowse-onboard.yml membrowse-report.yml memcached.sh memcached.yml mono.yml mosquitto.yml msmtp.yml msys2.yml multi-arch.yml multi-compiler.yml net-snmp.yml nginx.yml no-malloc.yml no-tls.yml nss.sh nss.yml ntp.yml ocsp.yml openldap.yml openssh.yml openssl-ech.yml opensslcoexist.yml openvpn.yml os-check.yml packaging.yml pam-ipmi.yml pq-all.yml pr-commit-check.yml psk.yml puf.yml python.yml rng-tools.yml rust-wrapper.yml se050-sim.yml smallStackSize.yml socat.yml softhsm.yml sssd.yml stm32-sim.yml stsafe-a120-sim.yml stunnel.yml symbol-prefixes.yml threadx.yml tls-anvil.yml trackmemory.yml watcomc.yml win-csharp-test.yml wolfCrypt-Wconversion.yml wolfboot-integration.yml wolfsm.yml xcode.yml zephyr-4.x.yml zephyr.yml
PULL_REQUEST_TEMPLATE.md SECURITY.md membrowse-targets.json
Docker
OpenWrt Dockerfile README.md runTests.sh
packaging
debian Dockerfile
fedora Dockerfile
wolfCLU Dockerfile README.md
yocto Dockerfile buildAndPush.sh
Dockerfile Dockerfile.cross-compiler README.md buildAndPush.sh include.am run.sh
IDE
ARDUINO
sketches
wolfssl_client README.md
wolfssl_server README.md
wolfssl_version README.md
README.md
Arduino_README_prepend.md README.md include.am keywords.txt library.properties.template wolfssl-arduino.cpp wolfssl-arduino.sh wolfssl.h
AURIX Cpu0_Main.c README.md include.am user_settings.h wolf_main.c
Android Android.bp README.md include.am user_settings.h
CRYPTOCELL README.md include.am main.c user_settings.h
CSBENCH include.am user_settings.h
ECLIPSE
DEOS
deos_wolfssl .options
README.md deos_malloc.c include.am tls_wolfssl.c tls_wolfssl.h user_settings.h
MICRIUM README.md client_wolfssl.c client_wolfssl.h include.am server_wolfssl.c server_wolfssl.h user_settings.h wolfsslRunTests.c
RTTHREAD README.md include.am user_settings.h wolfssl_test.c
SIFIVE README.md include.am
Espressif
ESP-IDF
examples
template
VisualGDB wolfssl_template_IDF_v5.1_ESP32.vgdbproj
components
wolfssl
include user_settings.h
CMakeLists.txt Kconfig README.md component.mk
main
include main.h
CMakeLists.txt Kconfig.projbuild component.mk main.c
CMakeLists.txt Makefile README.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp8266
wolfssl_benchmark
VisualGDB wolfssl_benchmark_IDF_v4.4_ESP32.sln wolfssl_benchmark_IDF_v4.4_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32.sln wolfssl_benchmark_IDF_v5_ESP32.vgdbproj wolfssl_benchmark_IDF_v5_ESP32C3.sln wolfssl_benchmark_IDF_v5_ESP32C3.vgdbproj wolfssl_benchmark_IDF_v5_ESP32S3.sln wolfssl_benchmark_IDF_v5_ESP32S3.vgdbproj
components
wolfssl
include user_settings.h
CMakeLists.txt Kconfig README.md component.mk
main
include main.h
CMakeLists.txt Kconfig.projbuild component.mk main.c
CMakeLists.txt Makefile README.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp8266
wolfssl_client
VisualGDB README.md wolfssl_client_IDF_v5_ESP32.sln wolfssl_client_IDF_v5_ESP32.vgdbproj
components
wolfssl
include user_settings.h
CMakeLists.txt Kconfig README.md component.mk
main
include client-tls.h main.h time_helper.h wifi_connect.h
CMakeLists.txt Kconfig.projbuild client-tls.c component.mk main.c time_helper.c wifi_connect.c
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_client_ESP8266.vgdbproj
wolfssl_server
VisualGDB README.md wolfssl_server_IDF_v5_ESP32.sln wolfssl_server_IDF_v5_ESP32.vgdbproj
components
wolfssl
include user_settings.h
CMakeLists.txt Kconfig README.md component.mk
main
include main.h server-tls.h time_helper.h wifi_connect.h
CMakeLists.txt Kconfig.projbuild component.mk main.c server-tls.c time_helper.c wifi_connect.c
CMakeLists.txt Makefile README.md README_server_sm.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32c2 sdkconfig.defaults.esp8266 wolfssl_server_ESP8266.vgdbproj
wolfssl_test
VisualGDB wolfssl_test-IDF_v5_ESP32.sln wolfssl_test-IDF_v5_ESP32.vgdbproj wolfssl_test-IDF_v5_ESP32C3.sln wolfssl_test-IDF_v5_ESP32C3.vgdbproj wolfssl_test-IDF_v5_ESP32C6.sln wolfssl_test-IDF_v5_ESP32C6.vgdbproj wolfssl_test_IDF_v5_ESP32S3.sln wolfssl_test_IDF_v5_ESP32S3.vgdbproj
components
wolfssl
include user_settings.h
CMakeLists.txt Kconfig README.md component.mk
main
include main.h
CMakeLists.txt Kconfig.projbuild component.mk main.c
CMakeLists.txt Makefile README.md partitions_singleapp_large.csv sdkconfig.defaults sdkconfig.defaults.esp32 sdkconfig.defaults.esp32c3 sdkconfig.defaults.esp32c6 sdkconfig.defaults.esp32h2 sdkconfig.defaults.esp32s2 sdkconfig.defaults.esp32s3 sdkconfig.defaults.esp8266 testAll.sh testMonitor.sh wolfssl_test_ESP8266.sln wolfssl_test_ESP8266.vgdbproj
wolfssl_test_idf
VisualGDB VisualGDB_wolfssl_test_idf.sln VisualGDB_wolfssl_test_idf.vgdbproj
main CMakeLists.txt Kconfig.projbuild component.mk main.c main_wip.c.ex time_helper.c time_helper.h
CMakeLists.txt Kconfig.projbuild README.md component.mk sdkconfig.defaults
README.md
libs CMakeLists.txt README.md component.mk tigard.cfg
test CMakeLists.txt README.md component.mk test_wolfssl.c
README.md README_32se.md UPDATE.md compileAllExamples.sh dummy_config_h dummy_test_paths.h setup.sh setup_win.bat user_settings.h
README.md include.am
GCC-ARM
Header user_settings.h
Source armtarget.c benchmark_main.c test_main.c tls_client.c tls_server.c wolf_main.c
Makefile Makefile.bench Makefile.client Makefile.common Makefile.server Makefile.static Makefile.test README.md include.am linker.ld linker_fips.ld
Gaisler-BCC README.md include.am
HEXAGON
DSP Makefile wolfssl_dsp.idl
Makefile README.md build.sh ecc-verify-benchmark.c ecc-verify.c include.am user_settings.h
HEXIWEAR
wolfSSL_HW .cwGeneratedFileSetLog user_settings.h
IAR-EWARM
Projects
benchmark benchmark-main.c current_time.c wolfCrypt-benchmark.ewd wolfCrypt-benchmark.ewp
common minimum-startup.c wolfssl.icf
lib wolfSSL-Lib.ewd wolfSSL-Lib.ewp
test test-main.c wolfCrypt-test.ewd wolfCrypt-test.ewp
user_settings.h wolfssl.eww
embOS
SAMV71_XULT
embOS_SAMV71_XULT_Linker_Script samv71q21_wolfssl.icf
embOS_SAMV71_XULT_user_settings user_settings.h user_settings_simple_example.h user_settings_verbose_example.h
embOS_wolfcrypt_benchmark_SAMV71_XULT
Application runBenchmarks.c
README_wolfcrypt_benchmark wolfcrypt_benchmark.ewd wolfcrypt_benchmark.ewp
embOS_wolfcrypt_lib_SAMV71_XULT README_wolfcrypt_lib wolfcrypt_lib.ewd wolfcrypt_lib.ewp
embOS_wolfcrypt_test_SAMV71_XULT
Application runWolfcryptTests.c
README_wolfcrypt_test wolfcrypt_test.ewd wolfcrypt_test.ewp
README_SAMV71
custom_port
custom_port_Linker_Script samv71q21_wolfssl.icf
custom_port_user_settings user_settings.h
wolfcrypt_benchmark_custom_port
Application runBenchmarks.c
wolfcrypt_test_custom_port
Application runWolfcryptTests.c
README_custom_port
extract_trial_here README_extract_trial_here
README
.gitignore README
IAR-MSP430 Makefile README.md include.am main.c user_settings.h
INTIME-RTOS Makefile README.md include.am libwolfssl.c libwolfssl.vcxproj user_settings.h wolfExamples.c wolfExamples.h wolfExamples.sln wolfExamples.vcxproj wolfssl-lib.sln wolfssl-lib.vcxproj
Infineon README.md include.am user_settings.h
KDS
config user_settings.h
include.am
LINUX-SGX README.md build.sh clean.sh include.am sgx_t_static.mk
LPCXPRESSO
lib_wolfssl lpc_18xx_port.c user_settings.h
wolf_example
src lpc_18xx_startup.c wolfssl_example.c
readme.txt
README.md
M68K
benchmark Makefile main.cpp
testwolfcrypt Makefile main.cpp
Makefile README.md include.am user_settings.h
MCUEXPRESSO
RT1170 fsl_caam_c.patch fsl_caam_h.patch user_settings.h
benchmark
source run_benchmark.c
wolfssl liblinks.xml
README.md include.am user_settings.h wolfcrypt_test.c
MDK-ARM
LPC43xx time-LCP43xx.c
MDK-ARM
wolfSSL Retarget.c cert_data.c cert_data.h config-BARE-METAL.h config-FS.h config-RTX-TCP-FS.h config-WOLFLIB.h main.c shell.c time-CortexM3-4.c time-dummy.c wolfssl_MDK_ARM.c wolfssl_MDK_ARM.h
STM32F2xx_StdPeriph_Lib time-STM32F2xx.c
MDK5-ARM
Conf user_settings.h
Inc wolfssl_MDK_ARM.h
Projects
CryptBenchmark Abstract.txt CryptBenchmark.sct CryptBenchmark.uvoptx CryptBenchmark.uvprojx main.c
CryptTest Abstract.txt CryptTest.sct CryptTest.uvoptx CryptTest.uvprojx main.c
EchoClient Abstract.txt EchoClient.uvoptx EchoClient.uvprojx main.c wolfssl-link.sct
EchoServer Abstract.txt EchoServer.uvoptx EchoServer.uvprojx main.c wolfssl-link.sct
SimpleClient Abstract.txt SimpleClient.uvoptx SimpleClient.uvprojx main.c wolfssl-link.sct
SimpleServer Abstract.txt SimpleServer.uvoptx SimpleServer.uvprojx main.c wolfssl-link.sct
wolfSSL-Full Abstract.txt main.c shell.c time-CortexM3-4.c wolfsslFull.uvoptx wolfsslFull.uvprojx
wolfSSL-Lib Abstract.txt wolfSSL-Lib.uvoptx wolfSSL-Lib.uvprojx
Src ssl-dummy.c
README.md include.am
MPLABX16
wolfcrypt_test.X
nbproject
private configurations.xml private.xml
configurations.xml include.am project.xml
Makefile
wolfssl.X
nbproject configurations.xml include.am project.xml
Makefile
README.md include.am main.c user_settings.h
MQX Makefile README-jp.md README.md client-tls.c include.am server-tls.c user_config.h user_settings.h
MSVS-2019-AZSPHERE
client client.c client.h
server server.c server.h
shared util.h
wolfssl_new_azsphere
HardwareDefinitions
avnet_mt3620_sk
inc
hw template_appliance.h
template_appliance.json
mt3620_rdb
inc
hw template_appliance.h
template_appliance.json
seeed_mt3620_mdb
inc
hw template_appliance.h
template_appliance.json
.gitignore CMakeLists.txt CMakeSettings.json app_manifest.json applibs_versions.h launch.vs.json main.c
README.md include.am user_settings.h
MYSQL CMakeLists_wolfCrypt.txt CMakeLists_wolfSSL.txt do.sh
NDS README.md
NETOS Makefile.wolfcrypt.inc README.md include.am user_settings.h user_settings.h-cert2425 user_settings.h-cert3389 wolfssl_netos_custom.c
OPENSTM32 README.md
PlatformIO
examples
wolfssl_benchmark
include README main.h
lib README
src CMakeLists.txt main.c
test README
CMakeLists.txt README.md platformio.ini sdkconfig.defaults wolfssl_benchmark.code-workspace
wolfssl_test
include README main.h
lib README
src CMakeLists.txt main.c
test README
CMakeLists.txt README.md platformio.ini sdkconfig.defaults wolfssl_test.code-workspace
README.md wolfssl_platformio.code-workspace
README.md include.am
QNX
CAAM-DRIVER Makefile
example-client Makefile client-tls.c
example-cmac Makefile cmac-test.c
example-server Makefile server-tls.c
testwolfcrypt Makefile
wolfssl Makefile user_settings.h
README.md include.am
RISCV
SIFIVE-HIFIVE1 Makefile README.md include.am main.c user_settings.h
SIFIVE-UNLEASHED README.md include.am
include.am
ROWLEY-CROSSWORKS-ARM Kinetis_FlashPlacement.xml README.md arm_startup.c benchmark_main.c hw.h include.am kinetis_hw.c retarget.c test_main.c user_settings.h wolfssl.hzp wolfssl_ltc.hzp
Renesas
cs+
Projects
common strings.h unistd.h user_settings.h wolfssl_dummy.c
t4_demo README_en.txt README_jp.txt t4_demo.mtpj wolf_client.c wolf_demo.h wolf_main.c wolf_server.c
test test.mtpj test_main.c
wolfssl_lib wolfssl_lib.mtpj
README include.am
e2studio
DK-S7G2
benchmark-template
src app_entry.c
example_server-template
src app_entry.c
wolfcrypttest-template
src app_entry.c
wolfssl-template-project configuration.xml
README.md include.am user_settings.h
Projects
common strings.h unistd.h user_settings.h wolfssl_dummy.c
test
src key_data.c key_data.h test_main.c wolf_client.c wolf_server.c wolfssl_demo.h
tools generate_rsa_keypair.sh genhexbuf.pl rsa_pss_sign.sh
wolfssl
src .gitkeep
wolfcrypt
src .gitkeep
README include.am
RA6M3
benchmark-wolfcrypt
common .gitkeep
script .gitkeep
src wolfssl_thread_entry.c
client-wolfssl
common
src .gitkeep
script .gitkeep
src wolfssl_thread_entry.c
wolfssl_thread_entry.h
common
ra6m3g README.md
src freertos_tcp_port.c
user_settings.h util.h
server-wolfssl
common
src .gitkeep
script .gitkeep
src wolfssl_thread_entry.c
wolfssl_thread_entry.h
test-wolfcrypt
common .gitkeep
script .gitkeep
src wolfssl_thread_entry.c
wolfssl
src .gitkeep
wolfcrypt .gitkeep
README.md README_APRA6M_en.md README_APRA6M_jp.md include.am
RA6M3G README.md
RA6M4
common user_settings.h wolfssl_demo.h
test
key_data key_data.h key_data_sce.c
src
SEGGER_RTT myprint.c
common .gitignore
test_main.c wolf_client.c wolfssl_sce_unit_test.c
test_RA6M4Debug.launch
tools
example_keys generate_SignedCA.sh rsa_private.pem rsa_public.pem
README.md
README.md include.am
RX65N
GR-ROSE
common strings.h unistd.h user_settings.h wolfssl_dummy.c
smc smc.scfg
test
src key_data.c key_data.h test_main.c wolf_client.c wolf_server.c wolfssl_demo.h
test.rcpc test_HardwareDebug.launch
tools
example_keys generate_SignedCA.sh rsa_private.pem rsa_public.pem
README.md
wolfssl wolfssl.rcpc
README_EN.md README_JP.md include.am
RSK
resource section.esi
wolfssl wolfssl.rcpc
wolfssl_demo key_data.c key_data.h user_settings.h wolfssl_demo.c wolfssl_demo.h
InstructionManualForExample_RSK+RX65N-2MB_EN.pdf InstructionManualForExample_RSK+RX65N-2MB_JP.pdf README_EN.md README_JP.md include.am
RX72N
EnvisionKit
Simple
common sectioninfo.esi wolfssl_dummy.c
test
src
client simple_tcp_client.c simple_tls_tsip_client.c
server simple_tcp_server.c simple_tls_server.c
test_main.c wolfssl_simple_demo.h
test.rcpc test.scfg test_HardwareDebug.launch
wolfssl wolfssl.rcpc
README_EN.md README_JP.md
resource section.esi
tools
example_keys generate_SignedCA.sh rsa_private.pem rsa_public.pem
README.md
wolfssl wolfssl.rcpc
wolfssl_demo key_data.c key_data.h user_settings.h wolfssl_demo.c wolfssl_demo.h wolfssl_tsip_unit_test.c
InstructionManualForExample_RX72N_EnvisonKit_EN.pdf InstructionManualForExample_RX72N_EnvisonKit_JP.pdf README_EN.md README_JP.md include.am
RZN2L
common user_settings.h wolfssl_demo.h
test
src
serial_io app_print.c
test wolf_client.c wolf_server.c wolfssl_rsip_unit_test.c
wolfCrypt .gitignore
wolfSSL .gitignore
local_system_init.c rzn2l_tst_thread_entry.c wolfssl_dummy.c
README.md include.am
SK-S7G2
common user_settings.h
wolfssl_lib configuration.xml
.gitignore README.md include.am
STARCORE README.txt include.am starcore_test.c user_settings.h
STM32Cube README.md STM32_Benchmarks.md default_conf.ftl include.am main.c wolfssl_example.c wolfssl_example.h
SimplicityStudio README.md include.am test_wolf.c user_settings.h
TRUESTUDIO
wolfssl user_settings.h
README include.am
VS-ARM README.md include.am user_settings.h wolfssl.sln wolfssl.vcxproj
VS-AZURE-SPHERE
client app_manifest.json client.c client.h client.vcxproj
server app_manifest.json server.c server.h server.vcxproj
shared util.h
wolfcrypt_test app_manifest.json wolfcrypt_test.vcxproj
README.md include.am user_settings.h wolfssl.sln wolfssl.vcxproj
VisualDSP include.am user_settings.h wolf_tasks.c
WICED-STUDIO README include.am user_settings.h
WIN README.txt include.am test.vcxproj user_settings.h user_settings_dtls.h wolfssl-fips.sln wolfssl-fips.vcxproj
WIN-SGX ReadMe.txt include.am wolfSSL_SGX.edl wolfSSL_SGX.sln wolfSSL_SGX.vcxproj
WIN-SRTP-KDF-140-3 README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxproj
WIN10 README.txt include.am resource.h test.vcxproj user_settings.h wolfssl-fips.rc wolfssl-fips.sln wolfssl-fips.vcxproj
WINCE README.md include.am user_settings.h user_settings.h.140-2-deprecated
WORKBENCH README.md include.am
XCODE
Benchmark
wolfBench
Assets.xcassets
AppIcon.appiconset Contents.json
Base.lproj LaunchScreen.storyboard Main.storyboard
AppDelegate.h AppDelegate.m Info.plist ViewController.h ViewController.m main.m
wolfBench.xcodeproj project.pbxproj
include.am
wolfssl-FIPS.xcodeproj project.pbxproj
wolfssl.xcodeproj project.pbxproj
wolfssl_testsuite.xcodeproj project.pbxproj
README.md build-for-i386.sh include.am user_settings.h
XCODE-FIPSv2
macOS-C++
Intel user_settings.h
M1 user_settings.h
include.am user_settings.h
XCODE-FIPSv5 README include.am user_settings.h
XCODE-FIPSv6 README include.am user_settings.h
XilinxSDK
2018_2 lscript.ld
2019_2
wolfCrypt_example
src lscript.ld
wolfCrypt_example_system wolfCrypt_example_system.sprj
2022_1
wolfCrypt_FreeRTOS_example wolfCrypt_FreeRTOS_example.prj
wolfCrypt_FreeRTOS_example_system wolfCrypt_FreeRTOS_example_system.sprj
wolfCrypt_example wolfCrypt_example.prj
wolfCrypt_example_system wolfCrypt_example_system.sprj
.gitignore
README.md bench.sh combine.sh eclipse_formatter_profile.xml graph.sh include.am user_settings.h wolfssl_example.c
apple-universal
wolfssl-multiplatform
wolfssl-multiplatform
Assets.xcassets
AccentColor.colorset Contents.json
AppIcon.appiconset Contents.json
Contents.json
ContentView.swift simple_client_example.c simple_client_example.h wolfssl-multiplatform-Bridging-Header.h wolfssl_multiplatform.entitlements wolfssl_multiplatformApp.swift wolfssl_test_driver.c wolfssl_test_driver.h
wolfssl-multiplatform.xcodeproj project.pbxproj
.gitignore README.md build-wolfssl-framework.sh include.am
iotsafe Makefile README.md ca-cert.c devices.c devices.h include.am main.c memory-tls.c startup.c target.ld user_settings.h
iotsafe-raspberrypi Makefile README.md client-tls13.c include.am main.c
mynewt README.md apps.wolfcrypttest.pkg.yml crypto.wolfssl.pkg.yml crypto.wolfssl.syscfg.yml include.am setup.sh
zephyr README.md include.am
include.am
RTOS
nuttx
wolfssl .gitignore Kconfig Make.defs Makefile README.md setup-wolfssl.sh user_settings.h
include.am
bsdkm Makefile README.md bsdkm_wc_port.h include.am wolfkmod.c wolfkmod_aes.c x86_vecreg.c
certs
1024 ca-cert.der ca-cert.pem ca-key.der ca-key.pem client-cert.der client-cert.pem client-key.der client-key.pem client-keyPub.der dh1024.der dh1024.pem dsa-pub-1024.pem dsa1024.der dsa1024.pem include.am rsa1024.der server-cert.der server-cert.pem server-key.der server-key.pem
3072 client-cert.der client-cert.pem client-key.der client-key.pem client-keyPub.der include.am
4096 client-cert.der client-cert.pem client-key.der client-key.pem client-keyPub.der include.am
acert
rsa_pss acert.pem acert_ietf.pem acert_ietf_pubkey.pem acert_pubkey.pem
acert.pem acert_ietf.pem acert_ietf_pubkey.pem acert_pubkey.pem include.am
aia ca-issuers-cert.pem multi-aia-cert.pem overflow-aia-cert.pem
crl
extra-crls ca-int-cert-revoked.pem claim-root.pem crl_critical_entry.pem crlnum_57oct.pem crlnum_64oct.pem general-server-crl.pem large_crlnum.pem large_crlnum2.pem
hash_der 0fdb2da4.r0
hash_pem 0fdb2da4.r0
bad_time_fmt.pem ca-int-ecc.pem ca-int.pem ca-int2-ecc.pem ca-int2.pem caEcc384Crl.pem caEccCrl.der caEccCrl.pem cliCrl.pem client-int-ecc.pem client-int.pem crl.der crl.pem crl.revoked crl2.der crl2.pem crl_reason.pem crl_rsapss.pem eccCliCRL.pem eccSrvCRL.pem gencrls.sh include.am server-goodaltCrl.pem server-goodaltwildCrl.pem server-goodcnCrl.pem server-goodcnwildCrl.pem server-int-ecc.pem server-int.pem wolfssl.cnf
dilithium bench_dilithium_level2_key.der bench_dilithium_level3_key.der bench_dilithium_level5_key.der include.am
ecc bp256r1-key.der bp256r1-key.pem ca-secp256k1-cert.pem ca-secp256k1-key.pem client-bp256r1-cert.der client-bp256r1-cert.pem client-secp256k1-cert.der client-secp256k1-cert.pem genecc.sh include.am secp256k1-key.der secp256k1-key.pem secp256k1-param.pem secp256k1-privkey.der secp256k1-privkey.pem server-bp256r1-cert.der server-bp256r1-cert.pem server-secp256k1-cert.der server-secp256k1-cert.pem server2-secp256k1-cert.der server2-secp256k1-cert.pem wolfssl.cnf wolfssl_384.cnf
ed25519 ca-ed25519-key.der ca-ed25519-key.pem ca-ed25519-priv.der ca-ed25519-priv.pem ca-ed25519.der ca-ed25519.pem client-ed25519-key.der client-ed25519-key.pem client-ed25519-priv.der client-ed25519-priv.pem client-ed25519.der client-ed25519.pem eddsa-ed25519.der eddsa-ed25519.pem gen-ed25519-certs.sh gen-ed25519-keys.sh gen-ed25519.sh include.am root-ed25519-key.der root-ed25519-key.pem root-ed25519-priv.der root-ed25519-priv.pem root-ed25519.der root-ed25519.pem server-ed25519-cert.pem server-ed25519-key.der server-ed25519-key.pem server-ed25519-priv.der server-ed25519-priv.pem server-ed25519.der server-ed25519.pem
ed448 ca-ed448-key.der ca-ed448-key.pem ca-ed448-priv.der ca-ed448-priv.pem ca-ed448.der ca-ed448.pem client-ed448-key.der client-ed448-key.pem client-ed448-priv.der client-ed448-priv.pem client-ed448.der client-ed448.pem gen-ed448-certs.sh gen-ed448-keys.sh include.am root-ed448-key.der root-ed448-key.pem root-ed448-priv.der root-ed448-priv.pem root-ed448.der root-ed448.pem server-ed448-cert.pem server-ed448-key.der server-ed448-key.pem server-ed448-priv.der server-ed448-priv.pem server-ed448.der server-ed448.pem
external DigiCertGlobalRootCA.pem README.txt ca-digicert-ev.pem ca-globalsign-root.pem ca-google-root.pem ca_collection.pem include.am
falcon bench_falcon_level1_key.der bench_falcon_level5_key.der include.am
intermediate
ca_false_intermediate gentestcert.sh int_ca.key server.key test_ca.key test_ca.pem test_int_not_cacert.pem test_sign_bynoca_srv.pem wolfssl_base.conf wolfssl_srv.conf
ca-ecc-bad-aki.der ca-ecc-bad-aki.pem ca-int-cert.der ca-int-cert.pem ca-int-ecc-cert.der ca-int-ecc-cert.pem ca-int-ecc-key.der ca-int-ecc-key.pem ca-int-key.der ca-int-key.pem ca-int2-cert.der ca-int2-cert.pem ca-int2-ecc-cert.der ca-int2-ecc-cert.pem ca-int2-ecc-key.der ca-int2-ecc-key.pem ca-int2-key.der ca-int2-key.pem client-chain-alt-ecc.pem client-chain-alt.pem client-chain-ecc.der client-chain-ecc.pem client-chain.der client-chain.pem client-int-cert.der client-int-cert.pem client-int-ecc-cert.der client-int-ecc-cert.pem genintcerts.sh include.am server-chain-alt-ecc.pem server-chain-alt.pem server-chain-ecc.der server-chain-ecc.pem server-chain-short.pem server-chain.der server-chain.pem server-int-cert.der server-int-cert.pem server-int-ecc-cert.der server-int-ecc-cert.pem
lms bc_hss_L2_H5_W8_root.der bc_hss_L3_H5_W4_root.der bc_lms_chain_ca.der bc_lms_chain_leaf.der bc_lms_native_bc_root.der bc_lms_sha256_h10_w8_root.der bc_lms_sha256_h5_w4_root.der include.am
mldsa README.txt include.am mldsa44-cert.der mldsa44-cert.pem mldsa44-key.pem mldsa44_bare-priv.der mldsa44_bare-seed.der mldsa44_oqskeypair.der mldsa44_priv-only.der mldsa44_pub-spki.der mldsa44_seed-only.der mldsa44_seed-priv.der mldsa65-cert.der mldsa65-cert.pem mldsa65-key.pem mldsa65_bare-priv.der mldsa65_bare-seed.der mldsa65_oqskeypair.der mldsa65_priv-only.der mldsa65_pub-spki.der mldsa65_seed-only.der mldsa65_seed-priv.der mldsa87-cert.der mldsa87-cert.pem mldsa87-key.pem mldsa87_bare-priv.der mldsa87_bare-seed.der mldsa87_oqskeypair.der mldsa87_priv-only.der mldsa87_pub-spki.der mldsa87_seed-only.der mldsa87_seed-priv.der
ocsp imposter-root-ca-cert.der imposter-root-ca-cert.pem imposter-root-ca-key.der imposter-root-ca-key.pem include.am index-ca-and-intermediate-cas.txt index-ca-and-intermediate-cas.txt.attr index-intermediate1-ca-issued-certs.txt index-intermediate1-ca-issued-certs.txt.attr index-intermediate2-ca-issued-certs.txt index-intermediate2-ca-issued-certs.txt.attr index-intermediate3-ca-issued-certs.txt index-intermediate3-ca-issued-certs.txt.attr intermediate1-ca-cert.der intermediate1-ca-cert.pem intermediate1-ca-key.der intermediate1-ca-key.pem intermediate2-ca-cert.der intermediate2-ca-cert.pem intermediate2-ca-key.der intermediate2-ca-key.pem intermediate3-ca-cert.der intermediate3-ca-cert.pem intermediate3-ca-key.der intermediate3-ca-key.pem ocsp-responder-cert.der ocsp-responder-cert.pem ocsp-responder-key.der ocsp-responder-key.pem openssl.cnf renewcerts-for-test.sh renewcerts.sh root-ca-cert.der root-ca-cert.pem root-ca-crl.pem root-ca-key.der root-ca-key.pem server1-cert.der server1-cert.pem server1-chain-noroot.pem server1-key.der server1-key.pem server2-cert.der server2-cert.pem server2-key.der server2-key.pem server3-cert.der server3-cert.pem server3-key.der server3-key.pem server4-cert.der server4-cert.pem server4-key.der server4-key.pem server5-cert.der server5-cert.pem server5-key.der server5-key.pem test-leaf-response.der test-multi-response.der test-response-nointern.der test-response-rsapss.der test-response.der
p521 ca-p521-key.der ca-p521-key.pem ca-p521-priv.der ca-p521-priv.pem ca-p521.der ca-p521.pem client-p521-key.der client-p521-key.pem client-p521-priv.der client-p521-priv.pem client-p521.der client-p521.pem gen-p521-certs.sh gen-p521-keys.sh include.am root-p521-key.der root-p521-key.pem root-p521-priv.der root-p521-priv.pem root-p521.der root-p521.pem server-p521-cert.pem server-p521-key.der server-p521-key.pem server-p521-priv.der server-p521-priv.pem server-p521.der server-p521.pem
renewcerts wolfssl.cnf
rpk client-cert-rpk.der client-ecc-cert-rpk.der include.am server-cert-rpk.der server-ecc-cert-rpk.der
rsapss ca-3072-rsapss-key.der ca-3072-rsapss-key.pem ca-3072-rsapss-priv.der ca-3072-rsapss-priv.pem ca-3072-rsapss.der ca-3072-rsapss.pem ca-rsapss-key.der ca-rsapss-key.pem ca-rsapss-priv.der ca-rsapss-priv.pem ca-rsapss.der ca-rsapss.pem client-3072-rsapss-key.der client-3072-rsapss-key.pem client-3072-rsapss-priv.der client-3072-rsapss-priv.pem client-3072-rsapss.der client-3072-rsapss.pem client-rsapss-key.der client-rsapss-key.pem client-rsapss-priv.der client-rsapss-priv.pem client-rsapss.der client-rsapss.pem gen-rsapss-keys.sh include.am renew-rsapss-certs.sh root-3072-rsapss-key.der root-3072-rsapss-key.pem root-3072-rsapss-priv.der root-3072-rsapss-priv.pem root-3072-rsapss.der root-3072-rsapss.pem root-rsapss-key.der root-rsapss-key.pem root-rsapss-priv.der root-rsapss-priv.pem root-rsapss.der root-rsapss.pem server-3072-rsapss-cert.pem server-3072-rsapss-key.der server-3072-rsapss-key.pem server-3072-rsapss-priv.der server-3072-rsapss-priv.pem server-3072-rsapss.der server-3072-rsapss.pem server-mix-rsapss-cert.pem server-rsapss-cert.pem server-rsapss-key.der server-rsapss-key.pem server-rsapss-priv.der server-rsapss-priv.pem server-rsapss.der server-rsapss.pem
sia timestamping-sia-cert.pem
slhdsa bench_slhdsa_sha2_128f_key.der bench_slhdsa_sha2_128s_key.der bench_slhdsa_sha2_192f_key.der bench_slhdsa_sha2_192s_key.der bench_slhdsa_sha2_256f_key.der bench_slhdsa_sha2_256s_key.der bench_slhdsa_shake128f_key.der bench_slhdsa_shake128s_key.der bench_slhdsa_shake192f_key.der bench_slhdsa_shake192s_key.der bench_slhdsa_shake256f_key.der bench_slhdsa_shake256s_key.der client-mldsa44-priv.pem client-mldsa44-sha2.der client-mldsa44-sha2.pem client-mldsa44-shake.der client-mldsa44-shake.pem gen-slhdsa-mldsa-certs.sh include.am root-slhdsa-sha2-128s-priv.der root-slhdsa-sha2-128s-priv.pem root-slhdsa-sha2-128s.der root-slhdsa-sha2-128s.pem root-slhdsa-shake-128s-priv.der root-slhdsa-shake-128s-priv.pem root-slhdsa-shake-128s.der root-slhdsa-shake-128s.pem server-mldsa44-priv.pem server-mldsa44-sha2.der server-mldsa44-sha2.pem server-mldsa44-shake.der server-mldsa44-shake.pem
sm2 ca-sm2-key.der ca-sm2-key.pem ca-sm2-priv.der ca-sm2-priv.pem ca-sm2.der ca-sm2.pem client-sm2-key.der client-sm2-key.pem client-sm2-priv.der client-sm2-priv.pem client-sm2.der client-sm2.pem fix_sm2_spki.py gen-sm2-certs.sh gen-sm2-keys.sh include.am root-sm2-key.der root-sm2-key.pem root-sm2-priv.der root-sm2-priv.pem root-sm2.der root-sm2.pem self-sm2-cert.pem self-sm2-key.pem self-sm2-priv.pem server-sm2-cert.der server-sm2-cert.pem server-sm2-key.der server-sm2-key.pem server-sm2-priv.der server-sm2-priv.pem server-sm2.der server-sm2.pem
statickeys dh-ffdhe2048-params.pem dh-ffdhe2048-pub.der dh-ffdhe2048-pub.pem dh-ffdhe2048.der dh-ffdhe2048.pem ecc-secp256r1.der ecc-secp256r1.pem gen-static.sh include.am x25519-pub.der x25519-pub.pem x25519.der x25519.pem
test
expired expired-ca.der expired-ca.pem expired-cert.der expired-cert.pem
catalog.txt cert-bad-neg-int.der cert-bad-oid.der cert-bad-utf8.der cert-ext-ia.cfg cert-ext-ia.der cert-ext-ia.pem cert-ext-joi.cfg cert-ext-joi.der cert-ext-joi.pem cert-ext-mnc.der cert-ext-multiple.cfg cert-ext-multiple.der cert-ext-multiple.pem cert-ext-nc-combined.der cert-ext-nc-combined.pem cert-ext-nc.cfg cert-ext-nc.der cert-ext-nc.pem cert-ext-ncdns.der cert-ext-ncdns.pem cert-ext-ncip.der cert-ext-ncip.pem cert-ext-ncmixed.der cert-ext-ncmulti.der cert-ext-ncmulti.pem cert-ext-ncrid.der cert-ext-ncrid.pem cert-ext-nct.cfg cert-ext-nct.der cert-ext-nct.pem cert-ext-ndir-exc.cfg cert-ext-ndir-exc.der cert-ext-ndir-exc.pem cert-ext-ndir.cfg cert-ext-ndir.der cert-ext-ndir.pem cert-ext-ns.der cert-over-max-altnames.cfg cert-over-max-altnames.der cert-over-max-altnames.pem cert-over-max-nc.cfg cert-over-max-nc.der cert-over-max-nc.pem client-ecc-cert-ski.hex cn-ip-literal.der cn-ip-wildcard.der crit-cert.pem crit-key.pem dh1024.der dh1024.pem dh512.der dh512.pem digsigku.pem encrypteddata.msg gen-badsig.sh gen-ext-certs.sh gen-testcerts.sh include.am kari-keyid-cms.msg ktri-keyid-cms.msg ossl-trusted-cert.pem server-badaltname.der server-badaltname.pem server-badaltnull.der server-badaltnull.pem server-badcn.der server-badcn.pem server-badcnnull.der server-badcnnull.pem server-cert-ecc-badsig.der server-cert-ecc-badsig.pem server-cert-rsa-badsig.der server-cert-rsa-badsig.pem server-duplicate-policy.pem server-garbage.der server-garbage.pem server-goodalt.der server-goodalt.pem server-goodaltwild.der server-goodaltwild.pem server-goodcn.der server-goodcn.pem server-goodcnwild.der server-goodcnwild.pem server-localhost.der server-localhost.pem smime-test-canon.p7s smime-test-multipart-badsig.p7s smime-test-multipart.p7s smime-test.p7s
test-pathlen assemble-chains.sh chainA-ICA1-key.pem chainA-ICA1-pathlen0.pem chainA-assembled.pem chainA-entity-key.pem chainA-entity.pem chainB-ICA1-key.pem chainB-ICA1-pathlen0.pem chainB-ICA2-key.pem chainB-ICA2-pathlen1.pem chainB-assembled.pem chainB-entity-key.pem chainB-entity.pem chainC-ICA1-key.pem chainC-ICA1-pathlen1.pem chainC-assembled.pem chainC-entity-key.pem chainC-entity.pem chainD-ICA1-key.pem chainD-ICA1-pathlen127.pem chainD-assembled.pem chainD-entity-key.pem chainD-entity.pem chainE-ICA1-key.pem chainE-ICA1-pathlen128.pem chainE-assembled.pem chainE-entity-key.pem chainE-entity.pem chainF-ICA1-key.pem chainF-ICA1-pathlen1.pem chainF-ICA2-key.pem chainF-ICA2-pathlen0.pem chainF-assembled.pem chainF-entity-key.pem chainF-entity.pem chainG-ICA1-key.pem chainG-ICA1-pathlen0.pem chainG-ICA2-key.pem chainG-ICA2-pathlen1.pem chainG-ICA3-key.pem chainG-ICA3-pathlen99.pem chainG-ICA4-key.pem chainG-ICA4-pathlen5.pem chainG-ICA5-key.pem chainG-ICA5-pathlen20.pem chainG-ICA6-key.pem chainG-ICA6-pathlen10.pem chainG-ICA7-key.pem chainG-ICA7-pathlen100.pem chainG-assembled.pem chainG-entity-key.pem chainG-entity.pem chainH-ICA1-key.pem chainH-ICA1-pathlen0.pem chainH-ICA2-key.pem chainH-ICA2-pathlen2.pem chainH-ICA3-key.pem chainH-ICA3-pathlen2.pem chainH-ICA4-key.pem chainH-ICA4-pathlen2.pem chainH-assembled.pem chainH-entity-key.pem chainH-entity.pem chainI-ICA1-key.pem chainI-ICA1-no_pathlen.pem chainI-ICA2-key.pem chainI-ICA2-no_pathlen.pem chainI-ICA3-key.pem chainI-ICA3-pathlen2.pem chainI-assembled.pem chainI-entity-key.pem chainI-entity.pem chainJ-ICA1-key.pem chainJ-ICA1-no_pathlen.pem chainJ-ICA2-key.pem chainJ-ICA2-no_pathlen.pem chainJ-ICA3-key.pem chainJ-ICA3-no_pathlen.pem chainJ-ICA4-key.pem chainJ-ICA4-pathlen2.pem chainJ-assembled.pem chainJ-entity-key.pem chainJ-entity.pem include.am refreshkeys.sh
test-serial0 ee_normal.pem ee_serial0.pem generate_certs.sh include.am intermediate_serial0.pem root_serial0.pem root_serial0_key.pem selfsigned_nonca_serial0.pem
xmss bc_xmss_chain_ca.der bc_xmss_chain_leaf.der bc_xmss_sha2_10_256_root.der bc_xmss_sha2_16_256_root.der bc_xmssmt_sha2_20_2_256_root.der bc_xmssmt_sha2_20_4_256_root.der bc_xmssmt_sha2_40_8_256_root.der include.am
ca-cert-chain.der ca-cert.der ca-cert.pem ca-ecc-cert.der ca-ecc-cert.pem ca-ecc-key.der ca-ecc-key.pem ca-ecc384-cert.der ca-ecc384-cert.pem ca-ecc384-key.der ca-ecc384-key.pem ca-key-pkcs8-attribute.der ca-key.der ca-key.pem check_dates.sh client-absolute-urn.pem client-ca-cert.der client-ca-cert.pem client-ca.pem client-cert-ext.der client-cert-ext.pem client-cert.der client-cert.pem client-crl-dist.der client-crl-dist.pem client-ecc-ca-cert.der client-ecc-ca-cert.pem client-ecc-cert.der client-ecc-cert.pem client-ecc384-cert.der client-ecc384-cert.pem client-ecc384-key.der client-ecc384-key.pem client-key.der client-key.pem client-keyEnc.pem client-keyPub.der client-keyPub.pem client-relative-uri.pem client-uri-cert.pem csr.attr.der csr.dsa.der csr.dsa.pem csr.ext.der csr.signed.der dh-priv-2048.der dh-priv-2048.pem dh-pub-2048.der dh-pub-2048.pem dh-pubkey-2048.der dh2048.der dh2048.pem dh3072.der dh3072.pem dh4096.der dh4096.pem dsa-pubkey-2048.der dsa2048.der dsa2048.pem dsa3072.der dsaparams.der dsaparams.pem ecc-client-key.der ecc-client-key.pem ecc-client-keyPub.der ecc-client-keyPub.pem ecc-key-comp.pem ecc-keyPkcs8.der ecc-keyPkcs8.pem ecc-keyPkcs8Enc.der ecc-keyPkcs8Enc.pem ecc-keyPub.der ecc-keyPub.pem ecc-params.der ecc-params.pem ecc-privOnlyCert.pem ecc-privOnlyKey.pem ecc-privkey.der ecc-privkey.pem ecc-privkeyPkcs8.der ecc-privkeyPkcs8.pem ecc-rsa-server.p12 empty-issuer-cert.pem entity-no-ca-bool-cert.pem entity-no-ca-bool-key.pem fpki-cert.der fpki-certpol-cert.der gen_revoked.sh include.am renewcerts.sh rid-cert.der rsa-pub-2048.pem rsa2048.der rsa3072.der server-cert-chain.der server-cert.der server-cert.pem server-ecc-comp.der server-ecc-comp.pem server-ecc-rsa.der server-ecc-rsa.pem server-ecc-self.der server-ecc-self.pem server-ecc.der server-ecc.pem server-ecc384-cert.der server-ecc384-cert.pem server-ecc384-key.der server-ecc384-key.pem server-key.der server-key.pem server-keyEnc.pem server-keyPkcs8.der server-keyPkcs8.pem server-keyPkcs8Enc.der server-keyPkcs8Enc.pem server-keyPkcs8Enc12.pem server-keyPkcs8Enc2.pem server-keyPub.der server-keyPub.pem server-revoked-cert.pem server-revoked-key.pem taoCert.txt test-ber-exp02-05-2022.p7b test-degenerate.p7b test-multiple-recipients.p7b test-servercert-rc2.p12 test-servercert.p12 test-stream-dec.p7b test-stream-sign.p7b wolfssl-website-ca.pem x942dh2048.der x942dh2048.pem
cmake
consumer CMakeLists.txt README.md main.c
modules FindARIA.cmake FindOQS.cmake
Config.cmake.in README.md config.in functions.cmake include.am options.h.in wolfssl-config-version.cmake.in wolfssl-targets.cmake.in
debian
source format
changelog.in control.in copyright include.am libwolfssl-dev.install libwolfssl.install rules.in
doc
dox_comments
header_files aes.h arc4.h ascon.h asn.h asn_public.h blake2.h bn.h camellia.h chacha.h chacha20_poly1305.h cmac.h coding.h compress.h cryptocb.h curve25519.h curve448.h des3.h dh.h doxygen_groups.h doxygen_pages.h dsa.h ecc.h eccsi.h ed25519.h ed448.h error-crypt.h evp.h hash.h hmac.h iotsafe.h kdf.h logging.h md2.h md4.h md5.h memory.h ocsp.h pem.h pkcs11.h pkcs7.h poly1305.h psa.h puf.h pwdbased.h quic.h random.h ripemd.h rsa.h sakke.h sha.h sha256.h sha3.h sha512.h signature.h siphash.h srp.h ssl.h tfm.h types.h wc_encrypt.h wc_port.h wc_she.h wc_slhdsa.h wolfio.h
header_files-ja aes.h arc4.h ascon.h asn.h asn_public.h blake2.h bn.h camellia.h chacha.h chacha20_poly1305.h cmac.h coding.h compress.h cryptocb.h curve25519.h curve448.h des3.h dh.h doxygen_groups.h doxygen_pages.h dsa.h ecc.h eccsi.h ed25519.h ed448.h error-crypt.h evp.h hash.h hmac.h iotsafe.h kdf.h logging.h md2.h md4.h md5.h memory.h ocsp.h pem.h pkcs11.h pkcs7.h poly1305.h psa.h pwdbased.h quic.h random.h ripemd.h rsa.h sakke.h sha.h sha256.h sha3.h sha512.h signature.h siphash.h srp.h ssl.h tfm.h types.h wc_encrypt.h wc_port.h wolfio.h
formats
html
html_changes
search search.css search.js
customdoxygen.css doxygen.css menu.js menudata.js tabs.css
Doxyfile footer.html header.html mainpage.dox
pdf Doxyfile header.tex
images wolfssl_logo.png
QUIC.md README.txt README_DOXYGEN check_api.sh generate_documentation.sh include.am
examples
asn1 asn1.c dumpasn1.cfg gen_oid_names.rb include.am oid_names.h
async Makefile README.md async_client.c async_server.c async_tls.c async_tls.h include.am user_settings.h
benchmark include.am tls_bench.c tls_bench.h
client client.c client.h client.sln client.vcproj client.vcxproj include.am
configs README.md include.am user_settings_EBSnet.h user_settings_all.h user_settings_arduino.h user_settings_baremetal.h user_settings_ca.h user_settings_curve25519nonblock.h user_settings_dtls13.h user_settings_eccnonblock.h user_settings_espressif.h user_settings_fipsv2.h user_settings_fipsv5.h user_settings_min_ecc.h user_settings_openssl_compat.h user_settings_pkcs7.h user_settings_platformio.h user_settings_pq.h user_settings_rsa_only.h user_settings_stm32.h user_settings_template.h user_settings_tls12.h user_settings_tls13.h user_settings_wolfboot_keytools.h user_settings_wolfssh.h user_settings_wolftpm.h
crypto_policies
default wolfssl.txt
future wolfssl.txt
legacy wolfssl.txt
echoclient echoclient.c echoclient.h echoclient.sln echoclient.vcproj echoclient.vcxproj include.am quit
echoserver echoserver.c echoserver.h echoserver.sln echoserver.vcproj echoserver.vcxproj include.am
ocsp_responder include.am ocsp_responder.c ocsp_responder.h
pem include.am pem.c
sctp include.am sctp-client-dtls.c sctp-client.c sctp-server-dtls.c sctp-server.c
server include.am server.c server.h server.sln server.vcproj server.vcxproj
README.md include.am
linuxkm
patches
5.10.17 WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v10v17.patch
5.10.236 WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v10v236.patch
5.14.0-570.58.1.el9_6 WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v14-570v58v1-el9_6.patch
5.15 WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v15.patch
5.17 WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v17.patch
5.17-ubuntu-jammy-tegra WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-5v17-ubuntu-jammy-tegra.patch
6.1.73 WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v1v73.patch
6.12 WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v12.patch
6.15 WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-6v15.patch
7.0 WOLFSSL_LINUXKM_HAVE_GET_RANDOM_CALLBACKS-7v0.patch
regen-patches.sh
Kbuild Makefile README.md get_thread_size.c include.am linuxkm-fips-hash-wrapper.sh linuxkm-fips-hash.c linuxkm_memory.c linuxkm_memory.h linuxkm_wc_port.h lkcapi_aes_glue.c lkcapi_dh_glue.c lkcapi_ecdh_glue.c lkcapi_ecdsa_glue.c lkcapi_glue.c lkcapi_rsa_glue.c lkcapi_sha_glue.c module_exports.c.template module_hooks.c pie_redirect_table.c wolfcrypt.lds x86_vector_register_glue.c
m4 ax_add_am_macro.m4 ax_am_jobserver.m4 ax_am_macros.m4 ax_append_compile_flags.m4 ax_append_flag.m4 ax_append_link_flags.m4 ax_append_to_file.m4 ax_atomic.m4 ax_bsdkm.m4 ax_check_compile_flag.m4 ax_check_link_flag.m4 ax_compiler_version.m4 ax_count_cpus.m4 ax_create_generic_config.m4 ax_debug.m4 ax_file_escapes.m4 ax_harden_compiler_flags.m4 ax_linuxkm.m4 ax_print_to_file.m4 ax_pthread.m4 ax_require_defined.m4 ax_tls.m4 ax_vcs_checkout.m4 hexversion.m4 lib_socket_nsl.m4 visibility.m4
mcapi
wolfcrypt_mcapi.X
nbproject configurations.xml include.am project.xml
Makefile
wolfcrypt_test.X
nbproject configurations.xml include.am project.xml
Makefile
wolfssl.X
nbproject configurations.xml include.am project.xml
Makefile
zlib.X
nbproject configurations.xml include.am project.xml
Makefile
PIC32MZ-serial.h README crypto.c crypto.h include.am mcapi_test.c user_settings.h
mplabx
wolfcrypt_benchmark.X
nbproject configurations.xml include.am project.xml
Makefile
wolfcrypt_test.X
nbproject configurations.xml include.am project.xml
Makefile
wolfssl.X
nbproject configurations.xml include.am project.xml
Makefile
PIC32MZ-serial.h README benchmark_main.c include.am test_main.c user_settings.h
mqx
util_lib
Sources include.am util.c util.h
wolfcrypt_benchmark
Debugger K70FN1M0.mem init_kinetis.tcl mass_erase_kinetis.tcl
Sources include.am main.c main.h
ReferencedRSESystems.xml wolfcrypt_benchmark_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfcrypt_benchmark_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launch
wolfcrypt_test
Debugger K70FN1M0.mem init_kinetis.tcl mass_erase_kinetis.tcl
Sources include.am main.c main.h
ReferencedRSESystems.xml wolfcrypt_test_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfcrypt_test_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launch
wolfssl include.am
wolfssl_client
Debugger K70FN1M0.mem init_kinetis.tcl mass_erase_kinetis.tcl
Sources include.am main.c main.h
ReferencedRSESystems.xml wolfssl_client_twrk70f120m_Int_Flash_DDRData_Debug_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_DDRData_Release_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_JTrace.jlink wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_JTrace.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Debug_PnE_U-MultiLink.launch wolfssl_client_twrk70f120m_Int_Flash_SramData_Release_PnE_U-MultiLink.launch
README
rpm include.am spec.in
scripts
bench bench_functions.sh
aria-cmake-build-test.sh asn1_oid_sum.pl benchmark.test benchmark_compare.sh cleanup_testfiles.sh crl-gen-openssl.test crl-revoked.test dertoc.pl dtls.test dtlscid.test external.test google.test include.am makedistsmall.sh memtest.sh ocsp-responder-openssl-interop.test ocsp-stapling-with-ca-as-responder.test ocsp-stapling-with-wolfssl-responder.test ocsp-stapling.test ocsp-stapling2.test ocsp-stapling_tls13multi.test ocsp.test openssl.test openssl_srtp.test pem.test ping.test pkcallbacks.test psk.test resume.test rsapss.test sniffer-gen.sh sniffer-ipv6.pcap sniffer-static-rsa.pcap sniffer-testsuite.test sniffer-tls12-keylog.out sniffer-tls12-keylog.pcap sniffer-tls12-keylog.sslkeylog sniffer-tls13-dh-resume.pcap sniffer-tls13-dh.pcap sniffer-tls13-ecc-resume.pcap sniffer-tls13-ecc.pcap sniffer-tls13-hrr.pcap sniffer-tls13-keylog.out sniffer-tls13-keylog.pcap sniffer-tls13-keylog.sslkeylog sniffer-tls13-x25519-resume.pcap sniffer-tls13-x25519.pcap stm32l4-v4_0_1_build.sh tls13.test trusted_peer.test unit.test.in user_settings_asm.sh
src bio.c conf.c crl.c dtls.c dtls13.c include.am internal.c keys.c ocsp.c pk.c pk_ec.c pk_rsa.c quic.c sniffer.c ssl.c ssl_api_cert.c ssl_api_crl_ocsp.c ssl_api_pk.c ssl_asn1.c ssl_bn.c ssl_certman.c ssl_crypto.c ssl_ech.c ssl_load.c ssl_misc.c ssl_p7p12.c ssl_sess.c ssl_sk.c tls.c tls13.c wolfio.c x509.c x509_str.c
sslSniffer
sslSnifferTest README_WIN.md include.am snifftest.c sslSniffTest.vcproj sslSniffTest.vcxproj
README.md sslSniffer.vcproj sslSniffer.vcxproj
support gen-debug-trace-error-codes.sh include.am wolfssl.pc.in
tests
api api.h api_decl.h create_ocsp_test_blobs.py include.am test_aes.c test_aes.h test_arc4.c test_arc4.h test_ascon.c test_ascon.h test_ascon_kats.h test_asn.c test_asn.h test_blake2.c test_blake2.h test_camellia.c test_camellia.h test_certman.c test_certman.h test_chacha.c test_chacha.h test_chacha20_poly1305.c test_chacha20_poly1305.h test_cmac.c test_cmac.h test_curve25519.c test_curve25519.h test_curve448.c test_curve448.h test_des3.c test_des3.h test_dh.c test_dh.h test_digest.h test_dsa.c test_dsa.h test_dtls.c test_dtls.h test_ecc.c test_ecc.h test_ed25519.c test_ed25519.h test_ed448.c test_ed448.h test_evp.c test_evp.h test_evp_cipher.c test_evp_cipher.h test_evp_digest.c test_evp_digest.h test_evp_pkey.c test_evp_pkey.h test_hash.c test_hash.h test_hmac.c test_hmac.h test_md2.c test_md2.h test_md4.c test_md4.h test_md5.c test_md5.h test_mldsa.c test_mldsa.h test_mlkem.c test_mlkem.h test_ocsp.c test_ocsp.h test_ocsp_test_blobs.h test_ossl_asn1.c test_ossl_asn1.h test_ossl_bio.c test_ossl_bio.h test_ossl_bn.c test_ossl_bn.h test_ossl_cipher.c test_ossl_cipher.h test_ossl_dgst.c test_ossl_dgst.h test_ossl_dh.c test_ossl_dh.h test_ossl_dsa.c test_ossl_dsa.h test_ossl_ec.c test_ossl_ec.h test_ossl_ecx.c test_ossl_ecx.h test_ossl_mac.c test_ossl_mac.h test_ossl_obj.c test_ossl_obj.h test_ossl_p7p12.c test_ossl_p7p12.h test_ossl_pem.c test_ossl_pem.h test_ossl_rand.c test_ossl_rand.h test_ossl_rsa.c test_ossl_rsa.h test_ossl_sk.c test_ossl_sk.h test_ossl_x509.c test_ossl_x509.h test_ossl_x509_acert.c test_ossl_x509_acert.h test_ossl_x509_crypto.c test_ossl_x509_crypto.h test_ossl_x509_ext.c test_ossl_x509_ext.h test_ossl_x509_info.c test_ossl_x509_info.h test_ossl_x509_io.c test_ossl_x509_io.h test_ossl_x509_lu.c test_ossl_x509_lu.h test_ossl_x509_name.c test_ossl_x509_name.h test_ossl_x509_pk.c test_ossl_x509_pk.h test_ossl_x509_str.c test_ossl_x509_str.h test_ossl_x509_vp.c test_ossl_x509_vp.h test_pkcs12.c test_pkcs12.h test_pkcs7.c test_pkcs7.h 
test_poly1305.c test_poly1305.h test_random.c test_random.h test_rc2.c test_rc2.h test_ripemd.c test_ripemd.h test_rsa.c test_rsa.h test_sha.c test_sha.h test_sha256.c test_sha256.h test_sha3.c test_sha3.h test_sha512.c test_sha512.h test_she.c test_she.h test_signature.c test_signature.h test_slhdsa.c test_slhdsa.h test_sm2.c test_sm2.h test_sm3.c test_sm3.h test_sm4.c test_sm4.h test_tls.c test_tls.h test_tls13.c test_tls13.h test_tls_ext.c test_tls_ext.h test_wc_encrypt.c test_wc_encrypt.h test_wolfmath.c test_wolfmath.h test_x509.c test_x509.h
emnet
IP IP.h
Makefile emnet_nonblock_test.c emnet_shim.c
freertos-mem-track-repro FreeRTOS.h repro.c run.sh semphr.h task.h user_settings.h
swdev .gitignore Makefile README.md swdev.c swdev.h swdev_loader.c swdev_loader.h user_settings.h
CONF_FILES_README.md NCONF_test.cnf README TXT_DB.txt api.c include.am quic.c srp.c suites.c test-altchains.conf test-chains.conf test-dhprime.conf test-dtls-downgrade.conf test-dtls-fails-cipher.conf test-dtls-fails.conf test-dtls-group.conf test-dtls-mtu.conf test-dtls-reneg-client.conf test-dtls-reneg-server.conf test-dtls-resume.conf test-dtls-sha2.conf test-dtls-srtp-fails.conf test-dtls-srtp.conf test-dtls.conf test-dtls13-cid.conf test-dtls13-downgrade-fails.conf test-dtls13-downgrade.conf test-dtls13-pq-hybrid-extra-frag.conf test-dtls13-pq-hybrid-extra.conf test-dtls13-pq-hybrid-frag.conf test-dtls13-pq-standalone-frag.conf test-dtls13-pq-standalone.conf test-dtls13-psk.conf test-dtls13.conf test-ecc-cust-curves.conf test-ed25519.conf test-ed448.conf test-enckeys.conf test-fails.conf test-maxfrag-dtls.conf test-maxfrag.conf test-p521.conf test-psk-no-id-sha2.conf test-psk-no-id.conf test-psk.conf test-rsapss.conf test-sctp-sha2.conf test-sctp.conf test-sha2.conf test-sig.conf test-sm2.conf test-tls-downgrade.conf test-tls13-down.conf test-tls13-ecc.conf test-tls13-pq-hybrid-extra.conf test-tls13-pq-hybrid.conf test-tls13-pq-standalone.conf test-tls13-psk-certs.conf test-tls13-psk.conf test-tls13-slhdsa-fail.conf test-tls13-slhdsa-sha2.conf test-tls13-slhdsa-shake.conf test-tls13.conf test-trustpeer.conf test.conf unit.c unit.h utils.c utils.h w64wrapper.c
testsuite include.am testsuite.c testsuite.sln testsuite.vcproj testsuite.vcxproj utils.c utils.h
tirtos
packages
ti
net
wolfssl
tests
EK_TM4C1294XL
wolfcrypt
benchmark TM4C1294NC.icf benchmark.cfg main.c package.bld.hide package.xdc
test TM4C1294NC.icf main.c package.bld.hide package.xdc test.cfg
package.bld package.xdc package.xs
.gitignore README include.am products.mak wolfssl.bld wolfssl.mak
wolfcrypt
benchmark README.md benchmark-VS2022.sln benchmark-VS2022.vcxproj benchmark-VS2022.vcxproj.user benchmark.c benchmark.h benchmark.sln benchmark.vcproj benchmark.vcxproj include.am
src
port
Espressif
esp_crt_bundle README.md cacrt_all.pem cacrt_deprecated.pem cacrt_local.pem esp_crt_bundle.c gen_crt_bundle.py pio_install_cryptography.py
README.md esp32_aes.c esp32_mp.c esp32_sha.c esp32_util.c esp_sdk_mem_lib.c esp_sdk_time_lib.c esp_sdk_wifi_lib.c
Renesas README.md renesas_common.c renesas_fspsm_aes.c renesas_fspsm_rsa.c renesas_fspsm_sha.c renesas_fspsm_util.c renesas_rx64_hw_sha.c renesas_rx64_hw_util.c renesas_tsip_aes.c renesas_tsip_rsa.c renesas_tsip_sha.c renesas_tsip_util.c
af_alg afalg_aes.c afalg_hash.c wc_afalg.c
aria aria-crypt.c aria-cryptocb.c
arm armv8-32-aes-asm.S armv8-32-aes-asm_c.c armv8-32-chacha-asm.S armv8-32-chacha-asm_c.c armv8-32-curve25519.S armv8-32-curve25519_c.c armv8-32-mlkem-asm.S armv8-32-mlkem-asm_c.c armv8-32-poly1305-asm.S armv8-32-poly1305-asm_c.c armv8-32-sha256-asm.S armv8-32-sha256-asm_c.c armv8-32-sha3-asm.S armv8-32-sha3-asm_c.c armv8-32-sha512-asm.S armv8-32-sha512-asm_c.c armv8-aes-asm.S armv8-aes-asm_c.c armv8-aes.c armv8-chacha-asm.S armv8-chacha-asm_c.c armv8-curve25519.S armv8-curve25519_c.c armv8-mlkem-asm.S armv8-mlkem-asm_c.c armv8-poly1305-asm.S armv8-poly1305-asm_c.c armv8-sha256-asm.S armv8-sha256-asm_c.c armv8-sha256.c armv8-sha3-asm.S armv8-sha3-asm_c.c armv8-sha512-asm.S armv8-sha512-asm_c.c armv8-sha512.c cryptoCell.c cryptoCellHash.c thumb2-aes-asm.S thumb2-aes-asm_c.c thumb2-chacha-asm.S thumb2-chacha-asm_c.c thumb2-curve25519.S thumb2-curve25519_c.c thumb2-mlkem-asm.S thumb2-mlkem-asm_c.c thumb2-poly1305-asm.S thumb2-poly1305-asm_c.c thumb2-sha256-asm.S thumb2-sha256-asm_c.c thumb2-sha3-asm.S thumb2-sha3-asm_c.c thumb2-sha512-asm.S thumb2-sha512-asm_c.c
atmel README.md atmel.c
autosar README.md cryif.c crypto.c csm.c include.am test.c
caam README.md caam_aes.c caam_doc.pdf caam_driver.c caam_error.c caam_integrity.c caam_qnx.c caam_sha.c wolfcaam_aes.c wolfcaam_cmac.c wolfcaam_ecdsa.c wolfcaam_fsl_nxp.c wolfcaam_hash.c wolfcaam_hmac.c wolfcaam_init.c wolfcaam_qnx.c wolfcaam_rsa.c wolfcaam_seco.c wolfcaam_x25519.c
cavium README.md README_Octeon.md cavium_nitrox.c cavium_octeon_sync.c
cuda README.md aes-cuda.cu
cypress README.md psoc6_crypto.c
devcrypto README.md devcrypto_aes.c devcrypto_ecdsa.c devcrypto_hash.c devcrypto_hmac.c devcrypto_rsa.c devcrypto_x25519.c wc_devcrypto.c
intel README.md quickassist.c quickassist_mem.c quickassist_sync.c
iotsafe iotsafe.c
kcapi README.md kcapi_aes.c kcapi_dh.c kcapi_ecc.c kcapi_hash.c kcapi_hmac.c kcapi_rsa.c
liboqs liboqs.c
maxim README.md max3266x.c maxq10xx.c
mynewt mynewt_port.c
nxp README.md README_SE050.md casper_port.c dcp_port.c hashcrypt_port.c ksdk_port.c se050_port.c
pic32 pic32mz-crypt.c
ppc32 ppc32-sha256-asm.S ppc32-sha256-asm_c.c ppc32-sha256-asm_cr.c
psa README.md psa.c psa_aes.c psa_hash.c psa_pkcbs.c
riscv riscv-64-aes.c riscv-64-chacha.c riscv-64-poly1305.c riscv-64-sha256.c riscv-64-sha3.c riscv-64-sha512.c
rpi_pico README.md pico.c
silabs README.md silabs_aes.c silabs_ecc.c silabs_hash.c silabs_random.c
st README.md STM32MP13.md STM32MP25.md stm32.c stsafe.c
ti ti-aes.c ti-ccm.c ti-des3.c ti-hash.c
tropicsquare README.md tropic01.c
xilinx xil-aesgcm.c xil-sha3.c xil-versal-glue.c xil-versal-trng.c
nrf51.c
ASN_TEMPLATE.md aes.c aes_asm.S aes_asm.asm aes_gcm_asm.S aes_gcm_asm.asm aes_gcm_x86_asm.S aes_xts_asm.S aes_xts_asm.asm arc4.c ascon.c asm.c asn.c asn_orig.c async.c blake2b.c blake2s.c camellia.c chacha.c chacha20_poly1305.c chacha_asm.S chacha_asm.asm cmac.c coding.c compress.c cpuid.c cryptocb.c curve25519.c curve448.c des3.c dh.c dilithium.c dsa.c ecc.c ecc_fp.c eccsi.c ed25519.c ed448.c error.c evp.c evp_pk.c falcon.c fe_448.c fe_low_mem.c fe_operations.c fe_x25519_128.h fe_x25519_asm.S fp_mont_small.i fp_mul_comba_12.i fp_mul_comba_17.i fp_mul_comba_20.i fp_mul_comba_24.i fp_mul_comba_28.i fp_mul_comba_3.i fp_mul_comba_32.i fp_mul_comba_4.i fp_mul_comba_48.i fp_mul_comba_6.i fp_mul_comba_64.i fp_mul_comba_7.i fp_mul_comba_8.i fp_mul_comba_9.i fp_mul_comba_small_set.i fp_sqr_comba_12.i fp_sqr_comba_17.i fp_sqr_comba_20.i fp_sqr_comba_24.i fp_sqr_comba_28.i fp_sqr_comba_3.i fp_sqr_comba_32.i fp_sqr_comba_4.i fp_sqr_comba_48.i fp_sqr_comba_6.i fp_sqr_comba_64.i fp_sqr_comba_7.i fp_sqr_comba_8.i fp_sqr_comba_9.i fp_sqr_comba_small_set.i ge_448.c ge_low_mem.c ge_operations.c hash.c hmac.c hpke.c include.am integer.c kdf.c logging.c md2.c md4.c md5.c memory.c misc.c pkcs12.c pkcs7.c poly1305.c poly1305_asm.S poly1305_asm.asm puf.c pwdbased.c random.c rc2.c ripemd.c rng_bank.c rsa.c sakke.c sha.c sha256.c sha256_asm.S sha3.c sha3_asm.S sha512.c sha512_asm.S signature.c siphash.c sm2.c sm3.c sm3_asm.S sm4.c sp_arm32.c sp_arm64.c sp_armthumb.c sp_c32.c sp_c64.c sp_cortexm.c sp_dsp32.c sp_int.c sp_sm2_arm32.c sp_sm2_arm64.c sp_sm2_armthumb.c sp_sm2_c32.c sp_sm2_c64.c sp_sm2_cortexm.c sp_sm2_x86_64.c sp_sm2_x86_64_asm.S sp_x86_64.c sp_x86_64_asm.S sp_x86_64_asm.asm srp.c tfm.c wc_dsp.c wc_encrypt.c wc_lms.c wc_lms_impl.c wc_mldsa_asm.S wc_mlkem.c wc_mlkem_asm.S wc_mlkem_poly.c wc_pkcs11.c wc_port.c wc_she.c wc_slhdsa.c wc_xmss.c wc_xmss_impl.c wolfentropy.c wolfevent.c wolfmath.c
test README.md include.am test-VS2022.sln test-VS2022.vcxproj test-VS2022.vcxproj.user test.c test.h test.sln test.vcproj test_paths.h.in
wolfssl
openssl aes.h asn1.h asn1t.h bio.h bn.h buffer.h camellia.h cmac.h cms.h compat_types.h conf.h crypto.h des.h dh.h dsa.h ec.h ec25519.h ec448.h ecdh.h ecdsa.h ed25519.h ed448.h engine.h err.h evp.h fips_rand.h hmac.h include.am kdf.h lhash.h md4.h md5.h modes.h obj_mac.h objects.h ocsp.h opensslconf.h opensslv.h ossl_typ.h pem.h pkcs12.h pkcs7.h rand.h rc4.h ripemd.h rsa.h safestack.h sha.h sha3.h srp.h ssl.h ssl23.h stack.h tls1.h txt_db.h ui.h x509.h x509_vfy.h x509v3.h
wolfcrypt
port
Espressif esp-sdk-lib.h esp32-crypt.h esp_crt_bundle.h
Renesas renesas-fspsm-crypt.h renesas-fspsm-types.h renesas-rx64-hw-crypt.h renesas-tsip-crypt.h renesas_cmn.h renesas_fspsm_internal.h renesas_sync.h renesas_tsip_internal.h renesas_tsip_types.h
af_alg afalg_hash.h wc_afalg.h
aria aria-crypt.h aria-cryptocb.h
arm cryptoCell.h
atmel atmel.h
autosar CryIf.h Crypto.h Csm.h StandardTypes.h
caam caam_driver.h caam_error.h caam_qnx.h wolfcaam.h wolfcaam_aes.h wolfcaam_cmac.h wolfcaam_ecdsa.h wolfcaam_fsl_nxp.h wolfcaam_hash.h wolfcaam_qnx.h wolfcaam_rsa.h wolfcaam_seco.h wolfcaam_sha.h wolfcaam_x25519.h
cavium cavium_nitrox.h cavium_octeon_sync.h
cypress psoc6_crypto.h
devcrypto wc_devcrypto.h
intel quickassist.h quickassist_mem.h quickassist_sync.h
iotsafe iotsafe.h
kcapi kcapi_dh.h kcapi_ecc.h kcapi_hash.h kcapi_hmac.h kcapi_rsa.h wc_kcapi.h
liboqs liboqs.h
maxim max3266x-cryptocb.h max3266x.h maxq10xx.h
nxp casper_port.h dcp_port.h hashcrypt_port.h ksdk_port.h se050_port.h
pic32 pic32mz-crypt.h
psa psa.h
riscv riscv-64-asm.h
rpi_pico pico.h
silabs silabs_aes.h silabs_ecc.h silabs_hash.h silabs_random.h
st stm32.h stsafe.h
ti ti-ccm.h ti-hash.h
tropicsquare tropic01.h
xilinx xil-sha3.h xil-versal-glue.h xil-versal-trng.h
nrf51.h
aes.h arc4.h ascon.h asn.h asn_public.h async.h blake2-impl.h blake2-int.h blake2.h camellia.h chacha.h chacha20_poly1305.h cmac.h coding.h compress.h cpuid.h cryptocb.h curve25519.h curve448.h des3.h dh.h dilithium.h dsa.h ecc.h eccsi.h ed25519.h ed448.h error-crypt.h falcon.h fe_448.h fe_operations.h fips_test.h ge_448.h ge_operations.h hash.h hmac.h hpke.h include.am integer.h kdf.h libwolfssl_sources.h libwolfssl_sources_asm.h logging.h md2.h md4.h md5.h mem_track.h memory.h misc.h mpi_class.h mpi_superclass.h oid_sum.h pkcs11.h pkcs12.h pkcs7.h poly1305.h puf.h pwdbased.h random.h rc2.h ripemd.h rng_bank.h rsa.h sakke.h selftest.h settings.h sha.h sha256.h sha3.h sha512.h signature.h siphash.h sm2.h sm3.h sm4.h sp.h sp_int.h srp.h tfm.h types.h visibility.h wc_encrypt.h wc_lms.h wc_mlkem.h wc_pkcs11.h wc_port.h wc_she.h wc_slhdsa.h wc_xmss.h wolfentropy.h wolfevent.h wolfmath.h
callbacks.h certs_test.h certs_test_sm.h crl.h error-ssl.h include.am internal.h ocsp.h options.h.in quic.h sniffer.h sniffer_error.h sniffer_error.rc ssl.h test.h version.h version.h.in wolfio.h
wrapper
Ada
examples
src aes_verify_main.adb rsa_verify_main.adb sha256_main.adb spark_sockets.adb spark_sockets.ads spark_terminal.adb spark_terminal.ads tls_client.adb tls_client.ads tls_client_main.adb tls_server.adb tls_server.ads tls_server_main.adb
.gitignore alire.toml examples.gpr
tests
src
support test_support.adb test_support.ads tests_root_suite.adb tests_root_suite.ads
aes_bindings_tests.adb aes_bindings_tests.ads rsa_verify_bindings_tests.adb rsa_verify_bindings_tests.ads sha256_bindings_tests.adb sha256_bindings_tests.ads tests.adb
.gitignore README.md alire.toml tests.gpr valgrind.supp
.gitignore README.md ada_binding.c alire.toml default.gpr include.am restricted.adc user_settings.h wolfssl-full_runtime.adb wolfssl-full_runtime.ads wolfssl.adb wolfssl.ads wolfssl.gpr
CSharp
wolfCrypt-Test
Properties AssemblyInfo.cs
App.config wolfCrypt-Test.cs wolfCrypt-Test.csproj
wolfSSL-DTLS-PSK-Server
Properties AssemblyInfo.cs
App.config wolfSSL-DTLS-PSK-Server.cs wolfSSL-DTLS-PSK-Server.csproj
wolfSSL-DTLS-Server
Properties AssemblyInfo.cs
App.config wolfSSL-DTLS-Server.cs wolfSSL-DTLS-Server.csproj
wolfSSL-Example-IOCallbacks
Properties AssemblyInfo.cs
App.config wolfSSL-Example-IOCallbacks.cs wolfSSL-Example-IOCallbacks.csproj
wolfSSL-TLS-Client
Properties AssemblyInfo.cs
App.config wolfSSL-TLS-Client.cs wolfSSL-TLS-Client.csproj
wolfSSL-TLS-PSK-Client
Properties AssemblyInfo.cs
App.config wolfSSL-TLS-PSK-Client.cs wolfSSL-TLS-PSK-Client.csproj
wolfSSL-TLS-PSK-Server
Properties AssemblyInfo.cs
App.config wolfSSL-TLS-PSK-Server.cs wolfSSL-TLS-PSK-Server.csproj
wolfSSL-TLS-Server
Properties AssemblyInfo.cs
App.config wolfSSL-TLS-Server.cs wolfSSL-TLS-Server.csproj
wolfSSL-TLS-ServerThreaded
Properties AssemblyInfo.cs
App.config wolfSSL-TLS-ServerThreaded.cs wolfSSL-TLS-ServerThreaded.csproj
wolfSSL_CSharp
Properties AssemblyInfo.cs Resources.Designer.cs Resources.resx
X509.cs wolfCrypt.cs wolfSSL.cs wolfSSL_CSharp.csproj
README.md include.am user_settings.h wolfSSL_CSharp.sln wolfssl.vcxproj
python README.md
rust
wolfssl-wolfcrypt
src aes.rs blake2.rs chacha20_poly1305.rs cmac.rs cmac_mac.rs curve25519.rs dh.rs dilithium.rs ecc.rs ecdsa.rs ed25519.rs ed448.rs fips.rs hkdf.rs hmac.rs hmac_mac.rs kdf.rs lib.rs lms.rs mlkem.rs mlkem_kem.rs pbkdf2_password_hash.rs prf.rs random.rs rsa.rs rsa_pkcs1v15.rs sha.rs sha_digest.rs sys.rs
tests
common mod.rs
test_aes.rs test_blake2.rs test_chacha20_poly1305.rs test_cmac.rs test_cmac_mac.rs test_curve25519.rs test_dh.rs test_dilithium.rs test_ecc.rs test_ecdsa.rs test_ed25519.rs test_ed448.rs test_hkdf.rs test_hmac.rs test_hmac_mac.rs test_kdf.rs test_lms.rs test_mlkem.rs test_mlkem_kem.rs test_pbkdf2_password_hash.rs test_prf.rs test_random.rs test_rsa.rs test_rsa_pkcs1v15.rs test_sha.rs test_sha_digest.rs test_wolfcrypt.rs
CHANGELOG.md Cargo.lock Cargo.toml Makefile README.md build.rs headers.h
Makefile README.md include.am
include.am
zephyr
samples
wolfssl_benchmark
boards native_sim.conf nrf5340dk_nrf5340_cpuapp.conf nrf5340dk_nrf5340_cpuapp_ns.conf
CMakeLists.txt README install_test.sh prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.conf
wolfssl_test
boards native_sim.conf nrf5340dk_nrf5340_cpuapp.conf nrf5340dk_nrf5340_cpuapp_ns.conf
CMakeLists.txt README install_test.sh prj-no-malloc.conf prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.conf
wolfssl_tls_sock
boards native_sim.conf
src tls_sock.c
CMakeLists.txt README install_sample.sh prj-no-malloc.conf prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.conf
wolfssl_tls_thread
boards native_sim.conf nrf5340dk_nrf5340_cpuapp.conf nrf5340dk_nrf5340_cpuapp_ns.conf
src tls_threaded.c
CMakeLists.txt README install_sample.sh prj.conf sample.yaml zephyr_legacy.conf zephyr_v4.1.conf
wolfssl options.h
CMakeLists.txt Kconfig Kconfig.tls-generic README.md include.am module.yml user_settings-no-malloc.h user_settings.h zephyr_init.c
.codespellexcludelines .cyignore .editorconfig .gitignore .wolfssl_known_macro_extras AUTHORS CMakeLists.txt CMakePresets.json CMakeSettings.json COPYING ChangeLog.md INSTALL LICENSING LPCExpresso.cproject LPCExpresso.project Makefile.am README README-async.md README.md SCRIPTS-LIST SECURITY-POLICY.md SECURITY-REPORT-TEMPLATE.md Vagrantfile autogen.sh commit-tests.sh configure.ac fips-check.sh fips-hash.sh gencertbuf.pl input pull_to_vagrant.sh quit resource.h stamp-h.in valgrind-bash.supp valgrind-error.sh wnr-example.conf wolfssl-VS2022.vcxproj wolfssl.rc wolfssl.vcproj wolfssl.vcxproj wolfssl64.sln
.clangd .gitignore DOCS.md Makefile README.md assert.c core.c crypto.c env.c fs.c http.c ini.c json.c log.c luna.h main.c makext.mk path.c process.c request.c sqlite.c stash.c template.c util.c
wolfssl/ChangeLog.md raw
# wolfSSL Release (unreleased)

## Enhancements

* **BREAKING (FIPS 205 SLH-DSA)**: `wc_SlhDsaKey_SignHash`,
  `wc_SlhDsaKey_SignHashDeterministic`, `wc_SlhDsaKey_SignHashWithRandom`, and
  `wc_SlhDsaKey_VerifyHash` now take the **caller-pre-hashed message digest**
  via `hash`/`hashSz` parameters (renamed from `msg`/`msgSz`), aligned with
  ML-DSA's `wc_dilithium_sign_ctx_hash` / `wc_dilithium_verify_ctx_hash`
  semantics, and NIST ACVP `signatureInterface=external` / `preHash=preHash`
  test vectors. `hashSz` must equal `wc_HashGetDigestSize(hashType)` (32 bytes
  for SHAKE128, 64 bytes for SHAKE256 per FIPS 205 Section 10.2.2); otherwise
  `BAD_LENGTH_E` is returned. Migration: hash the message yourself before the
  call (callers using positional arguments are source-compatible; only the
  parameter names changed). Caveat: callers who today pass a raw message
  whose length happens to equal the digest size for the chosen `hashType`
  (e.g., signing a 32-byte handle/IV/seed with `WC_HASH_TYPE_SHA256`) will
  not trip `BAD_LENGTH_E`; the resulting signature is syntactically valid
  but is over the wrong bytes. The pre-existing
  `wc_SlhDsaKey_SignMsgDeterministic` and `wc_SlhDsaKey_SignMsgWithRandom`
  retain their M'-supplied-directly contract (FIPS 205 internal interface,
  Algorithm 19); their input validation is hardened with the same
  NULL/length/`MISSING_KEY` checks as the `*Hash*` family.
  `wc_SlhDsaKey_VerifyMsg` is unchanged. All three gain doxygen coverage.

* TLS 1.3: zero traffic key staging buffers in `SetKeysSide()` once a
  CryptoCB callback has imported the AES key into a Secure Element
  (`aes->devCtx != NULL`). Clears `keys->{client,server}_write_key`
  on the provisioned side(s) after cipher init succeeds. The static
  IV buffers (`keys->{client,server}_write_IV`,
  `keys->aead_{enc,dec}_imp_IV`) are intentionally left intact because
  `BuildTls13Nonce()` reads them on every AEAD record to construct the
  per-record nonce. Scoped to TLS 1.3, non-DTLS, non-QUIC; requires
  `WOLF_CRYPTO_CB` and `WOLF_CRYPTO_CB_AES_SETKEY`.

# wolfSSL Release 5.9.1 (Apr. 8, 2026)

Release 5.9.1 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

NOTE:
* --enable-heapmath is deprecated
* MD5 is now disabled by default

PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request number where the code change was added.

## Vulnerabilities

* [Critical] CVE-2026-5194
Missing hash/digest size and OID checks allow digests smaller than allowed by FIPS 186-4 or 186-5 (as appropriate), or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions, reducing the security of certificate-based authentication. Affects multiple signature algorithms, including ECDSA/ECC, DSA, ML-DSA, ED25519, and ED448. Builds that have ECC enabled together with EdDSA or ML-DSA and that perform certificate verification should update to the latest wolfSSL release. Thanks to Nicholas Carlini from Anthropic for the report. Fixed in PR 10131.

* [High] CVE-2026-5264
Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a heap buffer overflow. Thanks to Sunwoo Lee and Seunghyun Yoon, Korea Institute of Energy Technology (KENTECH). Fixed in PR 10076.

* [High] CVE-2026-5263
URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid. Thanks to Oleh Konko @1seal for the report. Fixed in PR 10048.

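As an added illustration of the check that CVE-2026-5263 concerns (example code written for this page, not wolfSSL's asn.c implementation): RFC 5280 section 4.2.1.10 applies a URI name constraint to the host part of the URI SAN, a constraint that begins with a period matches any host in that domain, and a name is rejected if it matches any excluded subtree or, when permitted subtrees exist, matches none of them. The URIs and constraint strings below are constructed sample data; rejecting a URI whose host cannot be determined whenever URI constraints are present is this example's conservative design choice, not a rule the page states.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Extract the host of an absolute URI into `out` (NUL-terminated).
 * Userinfo ("user@") and port (":8443") are dropped. Returns 0 on success,
 * -1 if the URI carries no authority (e.g. "urn:...") or the host is empty
 * or too long. */
static int uri_host(const char *uri, char *out, size_t outSz)
{
    const char *p = strstr(uri, "://");
    const char *end, *at;
    size_t n;

    if (p == NULL)
        return -1;                        /* no authority component */
    p += 3;
    end = p + strcspn(p, "/?#");          /* authority ends at path/query/fragment */
    at = memchr(p, '@', (size_t)(end - p));
    if (at != NULL)
        p = at + 1;                       /* skip userinfo */
    n = strcspn(p, ":");                  /* cut the port, if any ... */
    if (p + n > end)
        n = (size_t)(end - p);            /* ... but never past the authority */
    if (n == 0 || n >= outSz)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Case-insensitive byte comparison of two equal-length labels. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* ".example.com" matches any host with one or more extra labels in front
 * of it (so "example.com" itself does not match); "host.example.com"
 * matches only that exact host. */
static int host_matches_constraint(const char *host, const char *c)
{
    size_t hl = strlen(host), cl = strlen(c);

    if (c[0] == '.')
        return hl > cl && ieq(host + (hl - cl), c, cl);
    return hl == cl && ieq(host, c, cl);
}

/* Check one URI SAN against the issuer's permitted and excluded URI
 * subtrees (NULL-terminated arrays; either may be NULL). Returns 1 if the
 * name is acceptable, 0 if the chain must be rejected. */
int uri_san_allowed(const char *uri, const char *const *permitted,
                    const char *const *excluded)
{
    char host[256];
    int have_permitted = permitted != NULL && permitted[0] != NULL;
    int have_excluded  = excluded  != NULL && excluded[0]  != NULL;

    if (!have_permitted && !have_excluded)
        return 1;                         /* no URI constraints in effect */
    /* Constraints are FQDN-based; a URI with no host, or an IP literal such
     * as "[::1]", cannot satisfy them, so it is rejected (design choice). */
    if (uri_host(uri, host, sizeof host) != 0 || host[0] == '[')
        return 0;
    if (have_excluded)
        for (const char *const *e = excluded; *e != NULL; e++)
            if (host_matches_constraint(host, *e))
                return 0;
    if (have_permitted) {
        for (const char *const *p = permitted; *p != NULL; p++)
            if (host_matches_constraint(host, *p))
                return 1;
        return 0;                         /* permitted list present, no match */
    }
    return 1;
}

/* Constructed sample constraints, as a sub-CA's nameConstraints might carry. */
const char *const kPermitted[] = { ".example.com", NULL };
const char *const kExcluded[]  = { "lab.example.com", NULL };
```

The excluded check runs first so that an excluded host inside a permitted domain is still rejected, which is the precedence RFC 5280 requires.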
* [High] CVE-2026-5295
Stack buffer overflow in PKCS7 ORI (Other Recipient Info) OID processing. When parsing a PKCS7 envelope with a crafted ORI OID value, a stack-based buffer overflow can be triggered. Thanks to Sunwoo Lee, Woohyun Choi, and Seunghyun Yoon (Korea Institute of Energy Technology, KENTECH). Fixed in PR 10116.

* [High] CVE-2026-5466
wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged signature could verify against any message for any identity, using only publicly-known constants. Thanks to Calif.io in collaboration with Claude and Anthropic Research for the report. Fixed in PR 10102.

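Added example, not wolfSSL code, covering the two input-validation gaps described under CVE-2026-5194 and CVE-2026-5466: a verifier should reject a digest whose length does not match the hash algorithm named in the signature, and should reject any signature scalar that is not in `[1, q-1]` before doing any group arithmetic with it. The `hash_alg` enum and all function names are this example's own; `kP256Order` is the NIST P-256 group order, used as the sample `q`, and the r||s blobs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hash algorithms this example knows (example enum, not wolfSSL's types). */
enum hash_alg { HASH_SHA256, HASH_SHA384, HASH_SHA512 };

/* Output size in bytes, or 0 for an unknown algorithm. */
static size_t digest_size(enum hash_alg h)
{
    switch (h) {
    case HASH_SHA256: return 32;
    case HASH_SHA384: return 48;
    case HASH_SHA512: return 64;
    default:          return 0;
    }
}

/* The digest must be exactly the output size of the named algorithm.
 * Accepting a shorter value silently lowers the signature's work factor to
 * that of the shorter value. */
int digest_len_ok(enum hash_alg h, size_t digestSz)
{
    size_t want = digest_size(h);
    return want != 0 && digestSz == want;
}

/* Compare two big-endian unsigned integers of arbitrary length, ignoring
 * leading zero bytes. Returns -1, 0 or 1. Deliberately not constant-time:
 * signature scalars and the group order are public values. */
static int be_cmp(const uint8_t *a, size_t aSz, const uint8_t *b, size_t bSz)
{
    int c;
    while (aSz > 0 && *a == 0) { a++; aSz--; }
    while (bSz > 0 && *b == 0) { b++; bSz--; }
    if (aSz != bSz)
        return aSz < bSz ? -1 : 1;
    c = memcmp(a, b, aSz);
    return (c > 0) - (c < 0);
}

/* 1 if 1 <= s <= q-1, else 0. */
int scalar_in_range(const uint8_t *s, size_t sSz, const uint8_t *q, size_t qSz)
{
    const uint8_t zero = 0;
    return be_cmp(s, sSz, &zero, 1) > 0 && be_cmp(s, sSz, q, qSz) < 0;
}

/* Validate an r||s blob: exactly two fixed-width scalars of q's size, each
 * in range. Reading r and s into bignums without this step is the pattern
 * CVE-2026-5466 describes. */
int sig_scalars_ok(const uint8_t *sig, size_t sigSz, const uint8_t *q, size_t qSz)
{
    if (qSz == 0 || sigSz != 2 * qSz)
        return 0;
    return scalar_in_range(sig, qSz, q, qSz) &&
           scalar_in_range(sig + qSz, qSz, q, qSz);
}

/* Sample group order: the NIST P-256 curve order n (a public constant). */
const uint8_t kP256Order[32] = {
    0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
    0xbc,0xe6,0xfa,0xad,0xa7,0x17,0x9e,0x84,0xf3,0xb9,0xca,0xc2,0xfc,0x63,0x25,0x51 };
/* n - 1, the largest valid scalar. */
const uint8_t kP256OrderMinus1[32] = {
    0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
    0xbc,0xe6,0xfa,0xad,0xa7,0x17,0x9e,0x84,0xf3,0xb9,0xca,0xc2,0xfc,0x63,0x25,0x50 };
const uint8_t kZero32[32] = { 0 };
const uint8_t kOne32[32]  = { [31] = 1 };

/* Constructed r||s blobs: returns 1 when every case behaves as intended. */
int demo_blobs(void)
{
    uint8_t good[64], bad[64];
    memcpy(good,      kOne32, 32);            /* r = 1     */
    memcpy(good + 32, kP256OrderMinus1, 32);  /* s = n - 1 */
    memcpy(bad,       kZero32, 32);           /* r = 0: forbidden */
    memcpy(bad + 32,  kOne32, 32);
    return sig_scalars_ok(good, 64, kP256Order, 32) == 1
        && sig_scalars_ok(bad,  64, kP256Order, 32) == 0
        && sig_scalars_ok(good, 63, kP256Order, 32) == 0;  /* wrong length */
}
```

Both checks are cheap byte comparisons and belong before the expensive part of verification; a verifier that runs them first never has to reason about how its scalar arithmetic behaves on zero or on values at or above the group order.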
* [High] CVE-2026-5477
Potential for AES-EAX AEAD and CMAC authentication bypass on messages larger than 4 GiB. An attacker who observes one valid (ciphertext, tag) pair for a >4 GiB EAX message can replace the first 4 GiB of ciphertext arbitrarily while the tag still verifies. Thanks to Calif.io in collaboration with Claude and Anthropic Research for the report. Fixed in PR 10102.

* [High] CVE-2026-5447
Heap buffer overflow in CertFromX509 via AuthorityKeyIdentifier size confusion. A heap buffer overflow occurs when converting an X.509 certificate internally due to incorrect size handling of the AuthorityKeyIdentifier extension. Thanks to Calif.io in collaboration with Claude and Anthropic Research for the report. Fixed in PR 10112.

* [High] CVE-2026-5500
wolfSSL's `wc_PKCS7_DecodeAuthEnvelopedData()` does not properly sanitize the AES-GCM authentication tag length received and has no lower bounds check. A man-in-the-middle can therefore truncate the `mac` field from 16 bytes to 1 byte, reducing the tag check from 2⁻¹²⁸ to 2⁻⁸. Thanks to Calif.io in collaboration with Claude and Anthropic Research for the report. Fixed in PR 10102.

* [High] CVE-2026-5501
`wolfSSL_X509_verify_cert()` in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly. Thanks to Calif.io in collaboration with Claude and Anthropic Research for the report. Fixed in PR 10102.

* [High] CVE-2026-5503
In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary. Thanks to Calif.io in collaboration with Claude and Anthropic Research for the report. Fixed in PR 10102.

* [High] CVE-2026-5479
In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization functions) fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform ChaCha20-Poly1305 decryption, the implementation computes or accepts the tag but does not compare it against the expected value. Thanks to Calif.io in collaboration with Claude and Anthropic Research for the report. Fixed in PR 10102.
  82
  83* [Med] CVE-2026-5392
  84Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an OOB read on the heap. The missing bounds check is in the indefinite-length end-of-content verification loop in PKCS7_VerifySignedData(). This only affects builds with PKCS7 support enabled. Thanks to J Laratro (d0sf3t) for the report. Fixed in PR 10039.
  85
  86* [Med] CVE-2026-5446
  87ARIA-GCM nonce reuse in TLS 1.2 record encryption. ARIA cipher support requires a proprietary Korean library (MagicCrypto) and --enable-aria, limiting real-world exposure. Thanks to Calif.io in collaboration with Claude and Anthropic Research for the report. Fixed in PR 10111.
  88
  89* [Med] CVE-2026-5460
  90When a malicious TLS 1.3 server sends a ServerHello with a truncated PQC hybrid KeyShare (e.g., P256_ML_KEM_512 with 10 bytes instead of the required 768+), the error cleanup path double-frees the KyberKey. Thanks to Calvin Young (eWalker Consulting Inc.) and Enoch Chow (Isomorph Cyber). Fixed in PR 10092.
  91
  92* [Med] CVE-2026-5504
  93A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated. Thanks to Sunwoo Lee, Woohyun Choi, and Seunghyun Yoon of Korea Institute of Energy Technology (KENTECH) for the report. Fixed in PR 10088.
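
The kind of padding check CVE-2026-5504 calls for, as an added example (not wolfSSL's PKCS7 code): after CBC decryption, the final byte `p` must satisfy `1 <= p <= blockSize` and every one of the last `p` bytes must equal `p`, which is the PKCS#7 rule. A check that reads only the final byte, as the entry above describes for earlier versions, lets an attacker learn one byte at a time from which modified ciphertexts decrypt "cleanly". The function `pkcs7_unpad_ct` and the `ct_*` helpers are this example's own names; it inspects all `blockSize` trailing bytes regardless of `p` and has no data-dependent branch, so valid and invalid padding cost the same time:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not wolfSSL code. Returns the padding length (1..blockSize)
 * when the PKCS#7 padding at the end of buf is valid, or 0 when it is not or
 * when the lengths are inconsistent. Length checks may branch; data may not. */

static uint32_t ct_lt(uint32_t a, uint32_t b)   /* 1 if a < b, else 0 (a,b < 2^31) */
{
    return (a - b) >> 31;
}

static uint32_t ct_eq(uint32_t a, uint32_t b)   /* 1 if a == b, else 0 (a,b < 2^31) */
{
    uint32_t x = a ^ b;                          /* zero iff equal */
    return (x - 1) >> 31;                        /* wraps to all-ones only when x == 0 */
}

size_t pkcs7_unpad_ct(const uint8_t *buf, size_t len, size_t blockSize)
{
    uint32_t pad, good;
    size_t i;

    if (buf == NULL || blockSize == 0 || blockSize > 255 ||
        len < blockSize || len % blockSize != 0)
        return 0;                                /* structural checks on lengths only */

    pad = buf[len - 1];
    good = ct_lt(0, pad) & ct_lt(pad, (uint32_t)blockSize + 1);   /* 1 <= pad <= blockSize */

    /* walk the whole last block; positions inside the claimed pad must equal
     * pad, positions outside it contribute nothing, and the loop count never
     * depends on pad */
    for (i = 0; i < blockSize; i++) {
        uint32_t b = buf[len - 1 - i];
        uint32_t in_pad = ct_lt((uint32_t)i, pad);
        good &= ct_eq(b, pad) | (1u ^ in_pad);
    }

    return (size_t)(pad & (0u - good));          /* branch-free select: pad or 0 */
}

int main(void)
{
    /* constructed 16-byte plaintext block: 12 data bytes then 4 bytes of 0x04 */
    uint8_t block[16] = { 'a','b','c','d','e','f','g','h','i','j','k','l', 4,4,4,4 };
    printf("valid padding   -> %zu\n", pkcs7_unpad_ct(block, sizeof block, 16)); /* 4 */
    block[13] = 3;                               /* corrupt an interior pad byte */
    printf("corrupt interior -> %zu\n", pkcs7_unpad_ct(block, sizeof block, 16)); /* 0 */
    return 0;
}
```

Constant-time unpadding narrows the oracle; it does not remove it. Unauthenticated CBC remains exposed through any other observable difference between a padding failure and a later failure, so the durable fix is to authenticate the ciphertext (an AEAD mode, or encrypt-then-MAC verified before decryption) and only then unpad.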

* [Med] CVE-2026-5507
When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. An attacker who can poison the session cache could trigger an arbitrary free. Exploitation requires the ability to inject a crafted session into the cache and for the application to call specific session restore APIs. Thanks to Sunwoo Lee, Woohyun Choi, and Seunghyun Yoon of Korea Institute of Energy Technology (KENTECH) for the report. Fixed in PR 10088.

* [Low] CVE-2026-5187
Heap out-of-bounds write in DecodeObjectId() caused by an off-by-one bounds check combined with a sizeof mismatch. A crafted ASN.1 object identifier can trigger a small heap OOB write. Thanks to Yuteng for the report. Fixed in PR 10025.
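
An OBJECT IDENTIFIER decoder with the two checks CVE-2026-5187 (and the PR 10025 entry under Bug Fixes) concern, as an added example that is not wolfSSL's `DecodeObjectId`: the output capacity is an element count rather than a byte count, the first subidentifier is checked for two free slots before it is split into two arcs, and each later arc is checked for one slot before it is written. The function name `decode_oid` and the embedded sample bytes (the content octets of the sha256WithRSAEncryption OID, constructed here) are this example's own:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not wolfSSL code. Decodes the content octets of a DER OBJECT
 * IDENTIFIER (the bytes after the 0x06 tag and length) into arcs. outCount is
 * the number of uint32_t slots in out, not a byte count; every write is checked
 * against it and every read against inLen. Arcs wider than 32 bits are rejected
 * (UUID-style 2.25.x OIDs therefore do not decode; a limitation of this example).
 * Returns the arc count, or -1 on malformed input or insufficient output space. */
int decode_oid(const uint8_t *in, size_t inLen, uint32_t *out, size_t outCount)
{
    size_t i = 0, n = 0;
    uint32_t value = 0;
    int bytesInArc = 0;

    if (in == NULL || out == NULL || inLen == 0)
        return -1;

    while (i < inLen) {
        uint8_t b = in[i++];
        if (bytesInArc == 0 && b == 0x80)
            return -1;                       /* non-minimal encoding (leading 0x80) */
        if (value > (UINT32_MAX >> 7))
            return -1;                       /* next shift would overflow 32 bits */
        value = (value << 7) | (b & 0x7fu);
        bytesInArc++;
        if (b & 0x80)
            continue;                        /* continuation bit set: arc not finished */

        if (n == 0) {
            /* first subidentifier packs arcs X and Y as 40*X + Y, X in {0,1,2} */
            uint32_t x = value < 80 ? value / 40 : 2;
            uint32_t y = value < 80 ? value % 40 : value - 80;
            if (outCount < 2)
                return -1;                   /* needs two slots, check both */
            out[0] = x;
            out[1] = y;
            n = 2;
        } else {
            if (n >= outCount)
                return -1;                   /* no slot left: refuse rather than write */
            out[n++] = value;
        }
        value = 0;
        bytesInArc = 0;
    }
    if (bytesInArc != 0)
        return -1;                           /* input ended inside an arc */
    return (int)n;
}

/* Constructed sample: content octets of sha256WithRSAEncryption, 1.2.840.113549.1.1.11 */
const uint8_t OID_SHA256_RSA[9] = { 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b };

int main(void)
{
    uint32_t arcs[8];
    int k, n = decode_oid(OID_SHA256_RSA, sizeof OID_SHA256_RSA, arcs, 8);
    if (n < 0) {
        puts("malformed OID");
        return 1;
    }
    for (k = 0; k < n; k++)
        printf("%s%u", k ? "." : "", (unsigned)arcs[k]);
    putchar('\n');
    return 0;
}
```

The mismatch the entry describes, a check expressed in bytes guarding an array indexed in elements, is easy to reintroduce when the output type changes; keeping the capacity parameter in elements and checking it at the single point of each write is the habit that prevents it.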

* [Low] CVE-2026-5188
An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This results in incorrect handling of certificate data. The issue is limited to builds using the original (non-template) ASN.1 parser, which is off by default. Thanks to Muhammad Arya Arjuna Habibullah for the report. Fixed in PR 10024.

* [Low] CVE-2026-5448
X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This is only triggered when calling these two APIs directly from an application, and does not affect TLS or certificate verify operations in wolfSSL. Thanks to Sunwoo Lee and Seunghyun Yoon, Korea Institute of Energy Technology (KENTECH) for the report. Fixed in PR 10071.

* [Low] CVE-2026-5772
A 1-byte stack buffer over-read exists in the MatchDomainName function in src/internal.c when processing wildcard patterns with the LEFT_MOST_WILDCARD_ONLY flag active. When a wildcard '*' exhausts the entire hostname string (strLen reaches 0), the function proceeds to compare remaining pattern characters against the now-exhausted buffer without a bounds check, causing an out-of-bounds read. Thanks to Zou Dikai for the report. Fixed in PR 10119.
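
A hostname matcher that handles the exhausted-hostname case from CVE-2026-5772 and the partial-wildcard rule from PR 9991 (under Bug Fixes), as an added example that is not wolfSSL's `MatchDomainName`. The rules are assumed from those two entries: a `*` is allowed only as the entire leftmost label (`*.example.com` is accepted; `f*.example.com` and `*example.com` are rejected), it matches exactly one non-empty label, the remainder is compared case-insensitively, and every read is bounded by the explicit lengths, so a hostname with no `.` to stop the wildcard scan is rejected rather than read past its end. The names `match_domain_name`, `match_domain_str` and `ascii_lower` are this example's own:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not wolfSSL code. Returns 1 when host matches the certificate
 * name pattern pat under the rules described above, 0 otherwise. */

static char ascii_lower(char c)
{
    return (c >= 'A' && c <= 'Z') ? (char)(c + ('a' - 'A')) : c;
}

int match_domain_name(const char *pat, size_t patLen, const char *host, size_t hostLen)
{
    size_t pi = 0, hi = 0, k;

    if (pat == NULL || host == NULL || patLen == 0 || hostLen == 0)
        return 0;

    /* a '*' anywhere but the first character is a partial or non-leftmost wildcard */
    for (k = 1; k < patLen; k++)
        if (pat[k] == '*')
            return 0;

    if (pat[0] == '*') {
        /* the wildcard must be a whole label followed by at least one more label */
        if (patLen < 3 || pat[1] != '.')
            return 0;
        /* consume the hostname's first label, stopping at '.' or at the buffer end */
        while (hi < hostLen && host[hi] != '.')
            hi++;
        /* hi == 0: empty label. hi == hostLen: the wildcard swallowed the whole
         * hostname (the strLen == 0 case in the advisory); stop here instead of
         * comparing the rest of the pattern against bytes past the end. */
        if (hi == 0 || hi == hostLen)
            return 0;
        pi = 1;                                  /* pi and hi now both index a '.' */
    }

    /* remaining lengths must agree before any byte-wise comparison */
    if (patLen - pi != hostLen - hi)
        return 0;
    for (; pi < patLen; pi++, hi++)
        if (ascii_lower(pat[pi]) != ascii_lower(host[hi]))
            return 0;
    return 1;
}

/* convenience wrapper for NUL-terminated strings */
int match_domain_str(const char *pat, const char *host)
{
    return match_domain_name(pat, strlen(pat), host, strlen(host));
}

int main(void)
{
    printf("%d\n", match_domain_str("*.example.com", "www.example.com"));  /* 1 */
    printf("%d\n", match_domain_str("*.example.com", "wwwexamplecom"));    /* 0: no '.' */
    printf("%d\n", match_domain_str("f*.example.com", "foo.example.com")); /* 0: partial */
    return 0;
}
```

Passing explicit lengths rather than relying on NUL termination is what makes the bound checkable: certificate names come from DER, where a length is attached and an embedded NUL is legal, and a hostname from the application may arrive without one.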

* [Low] CVE-2026-5778
An integer underflow exists in the ChaCha20-Poly1305 decryption path where a malformed TLS 1.2 record with a payload shorter than the AEAD MAC size causes the message length calculation to underflow, resulting in an out-of-bounds read. This only affects sniffer builds. Thanks to Zou Dikai for the report. Fixed in PR 10125.

## Experimental Build Vulnerability

* [Med] CVE-2026-5393
Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when wolfSSL is built with both --enable-experimental and --enable-dual-alg-certs. Thanks to Sunwoo Lee, Woohyun Choi, and Seunghyun Yoon (Korea Institute of Energy Technology, KENTECH) for testing the fix. Fixed in PR 10079.

## New Features
* Enabled the PQC algorithm ML-KEM (FIPS 203) by default. by @Frauschi (PR 9732)
* Added brainpool curve support to wolfSSL_CTX_set1_sigalgs_list. by @kojo1 (PR 9993)
* Implemented wolfSSL_Atomic_Int_Exchange() in wolfssl/wolfcrypt/wc_port.h and wolfcrypt/src/wc_port.c. by @douzzer (PR 10036)
* Added a GPLv2 license exception for VDE (Virtual Distributed Ethernet) to the licensing terms. by @danielinux (PR 10107)
* Added DTLS 1.3/TLS 1.3 write-dup (Duplicate SSL) support so the read-side can delegate post-handshake work (KeyUpdate responses, DTLS13 ACK sending, post-handshake auth) to the write-side, along with new tests and CI coverage. (PR 10006)

## Post-Quantum Cryptography (PQC)
* Fixed Dilithium API to use byte type for context length parameters, enforcing the 0–255 byte constraint. by @SparkiDev (PR 10010)
* Fixed benchmarking for ML-DSA with static memory enabled. by @JacobBarthelmeh (PR 9970)
* Added checks to verify the private key is set before performing private key operations in Ed25519, Ed448, ML-DSA, and ML-KEM. by @anhu (PR 10083)
* Added buffer size and callback validation checks to wc_LmsKey_Sign to prevent signing with insufficient output buffer or missing required callbacks. Thanks to Sunwoo Lee, Woohyun Choi, and Seunghyun Yoon (Korea Institute of Energy Technology, KENTECH) for the report. (PR 10084)
* Fixed an out-of-bounds shift in the ML-DSA implementation by ensuring the cast is performed before large shift operations in dilithium.c. Thanks to Dominik Blain / COBALT Security for the bug report. by @padelsbach (PR 10096)
* Zeroize sensitive memory buffers in the ML-DSA (Dilithium) implementation to prevent leakage of cryptographic material. by @Frauschi (PR 10100)
* Fixed undefined behavior in SLH-DSA key initialization by casting to unsigned before performing a left shift that could set the MSB. by @padelsbach (PR 10104)
* Added null checks for buffer size and callback validity in the external wc_LmsKey_Sign function to prevent CI failures. by @padelsbach (PR 10105)
* Ensured that the heap buffer used (among others) to store sensitive data during ML-DSA signing is zeroized before freeing the memory. Thanks to Abhinav Agarwal (@abhinavagarwal07) for the report. (PR 10113)
* The legacy non-context ML-DSA (Dilithium) API is now guarded behind WOLFSSL_DILITHIUM_NO_CTX, making the context-aware FIPS 204 API the default and adding a no-ctx configure option to explicitly re-enable the legacy path. by @Frauschi (PR 10047)

## TLS/DTLS
* Fixed handling of OCSP_WANT_READ return value in the TLS 1.3 handshake message type processing to prevent incorrect error propagation during OCSP stapling operations. by @julek-wolfssl (PR 9995)
* Fixed a bug in the HPKE implementation where the KDF digest was incorrectly used for the KEM, and refactored HPKE-related code out of the TLS/ECH layer into dedicated local functions, adding tests for all 24 algorithm combination variants. by @sebastian-carpenter (PR 9999)
* Fixed DTLS 1.3 ServerHello to not echo the legacy_session_id field, bringing the implementation into compliance with the DTLS 1.3 specification. by @julek-wolfssl (PR 10007)
* Fixed a TLS 1.3 server issue where a mismatched ciphersuite in a second ClientHello following a HelloRetryRequest was incorrectly accepted instead of rejected. by @sebastian-carpenter (PR 10034)
* Fixed a possible memory leak in ECC non-blocking cryptography operations within the TLS layer. by @dgarske (PR 10065)
* Fixed multiple correctness issues in DTLS 1.3 and TLS 1.3 including wrong return values, missing bounds checks, a PSK identity buffer overread, swapped server/client parameters in finished secret derivation, a static array data race, resource leaks, and a potential NULL dereference in the SM3 exporter path. by @gasbytes (PR 10117)

## ASN and Certificate Parsing
* Added wolfSSL_check_ip_address() to support filtering connections based on Subject Alternative Name (SAN) IP address entries, mirroring the existing domain name check functionality. by @padelsbach (PR 9935)
* Added host name verification from the verification context parameter when calling wolfSSL_X509_verify_cert. by @julek-wolfssl (PR 9952)
* Moved non-template (WOLFSSL_ASN_ORIGINAL) code into asn_orig.c and include from asn.c. by @dgarske (PR 9920)
* Fixed additional potential null pointer dereferences in ASN parsing code identified by Coverity static analysis. by @rlm2002 (PR 9990)
* Fixed wolfssl/wolfcrypt/asn.h to directly include wolfssl/wolfcrypt/sha512.h for WC_SHA384_DIGEST_SIZE and WC_SHA512_DIGEST_SIZE. Previously this relied on transitive include order and broke builds where asn.h is parsed before hash.h/sha512.h. by @danielinux (PR 10014)
* Removed FIPS-conditional guards from the GetASN_BitString length check so the validation applies in all builds. by @embhorn (PR 10027)
* Added validation to reject negative ASN.1 integers in CRL number fields during decoding, preventing an overflow that could corrupt the adjacent hash field. Thanks to Sunwoo Lee for the bug report. by @padelsbach (PR 10087)

## Hardware and Embedded Ports
* Fixed SE050 hardware security module integration by routing RSA-PSS sign/verify operations through the software path to prevent double-hashing, releasing persistent SE050 key slots on free for RSA, ECC, Ed25519, and Curve25519 keys, and adding missing mutex unlock calls before early returns in RSA crypto functions. by @LinuxJedi (PR 9912)
* When WOLFSSL_NO_HASH_RAW is defined because hashing is offloaded to hardware, turn on the LMS and XMSS full-hash modes; without this they did not compile when hardware SHA acceleration is present. by @LinuxJedi (PR 9946)
* Applied AI-review fixes across hardware and embedded port implementations spanning Espressif, Renesas, Silicon Labs, NXP, STM32, TI, Xilinx, and numerous other targets to improve correctness and code quality. by @SparkiDev (PR 10003)
* Fixed issues found by the testing of the MAX32666 tests. by @night1rider (PR 10035)
* Fixed buffer overflows, key material exposure, mutex leaks, and logic errors across hardware crypto port backends. by @JeremiahM37 (PR 10080)

## Rust Wrapper
* Released version 1.2.0 of the wolfssl-wolfcrypt Rust crate with updated changelog and README. by @holtrop-wolfssl (PR 9953)
* Updated the Rust wrapper's build script to support cross-compiling and bare-metal targets, including RISC-V architectures. by @holtrop-wolfssl (PR 10031)

## Build System and Portability
* Removed default declaration of WC_ALLOC_DO_ON_FAILURE. by @julek-wolfssl (PR 9905)
* Refactored wc_Hash* so that known wc_HashType values are unconditionally defined in enum wc_HashType, and always either succeed if used properly, or return HASH_TYPE_E if gated out or used improperly; added detailed error code tracing. by @douzzer (PR 9937)
* Removed the forced enabling of MD5 when building with --enable-jni so that MD5 can be explicitly disabled in FIPS builds. by @mattia-moffa (PR 10011)
* Changed the example server/client to not modify macro defines that come from how the wolfSSL library is configured when built. by @JacobBarthelmeh (PR 10037)
* Added __extension__ to __GNUC__&&!__STRICT_ANSI__ variant of wc_debug_trace_error_codes_enabled() in wolfssl/wolfcrypt/error-crypt.h, to inhibit false positive "error: ISO C forbids braced-groups within expressions" with -pedantic. by @douzzer (PR 10041)
* Fixed IAR compiler warnings about undefined volatile access order by reading volatile values into local copies before use in expressions. by @embhorn (PR 10045)
* Automatically enable WOLFSSL_SP_4096 when WOLFSSL_HAVE_SP_DH is defined under the --enable-usersettings configuration to fix a missing dependency for C# user settings builds. by @kojo1 (PR 10054)
* Added volatile casting to a port header definition to address a correctness issue. by @anhu (PR 10062)
* Extended the WC_MAYBE_UNUSED macro definition to cover GCC versions greater than 3 to fix a build error in GCC 3.4.0. by @embhorn (PR 10101)
* Fixed a compile error when building with --enable-crl and --disable-ecc by adding the appropriate preprocessor guards around SetBitString in asn.c. by @padelsbach (PR 10118)
* Fixed -Wcast-qual hygiene in wolfCrypt. by @douzzer (PR 10120)

## Bug Fixes
* Fixed stack memory tracking for the wolfCrypt benchmark. by @Frauschi (PR 9983)
* Fixed a bug in FillSigner where pubKeyStored and subjectCNStored flags were not cleared after transferring pointers from a DecodedCert to a signer, preventing stale NULL pointers from being copied on subsequent calls. by @embhorn (PR 10033)
* Fixed a heap overflow in ssl_DecodePacketInternal caused by silent truncation when summing 64-bit iov_len values into a 32-bit integer, which resulted in an undersized buffer allocation followed by an out-of-bounds copy. by @embhorn (PR 10017)
* Added a bounds check in GetSafeContent to prevent an unsigned integer underflow in the content size calculation when the OID parsed by GetObjectId exceeds the declared ContentInfo SEQUENCE length. by @embhorn (PR 10018)
* Fixed a potential double free issue in non-blocking async handling within ASN parsing. by @dgarske (PR 10022)
* Fixed bounds checking and buffer size calculation in DecodeObjectId to correctly validate two output slots before writing and pass the proper element count instead of byte count when handling unknown ASN.1 extensions. by @embhorn (PR 10025)
* Fixed stack buffer overflow in RSA exponent print via wolfSSL_EVP_PKEY_print_public in evp.c. Printing an RSA public key with a large exponent can overflow a stack buffer in the EVP printing routine. Thanks to Sunwoo Lee, Woohyun Choi, and Seunghyun Yoon (Korea Institute of Energy Technology, KENTECH) for the bug report. (PR 10088)
* Fixed sanity check on hashLen provided to wc_dilithium_verify_ctx_hash. Thanks to Sunwoo Lee, Woohyun Choi, and Seunghyun Yoon (Korea Institute of Energy Technology, KENTECH) for the bug report. (PR 10131)
* Disallowed wildcard partial domains when using MatchDomainName. Thanks to Oleh Konko (@1seal) for the report. (PR 9991)
* Fixed a buffer underflow that occurred when a zero-length size was passed to the devcrypto AES-CBC implementation. by @JeremiahM37 (PR 10005)
* Routed BIO_ctrl_pending, BIO_reset, and BIO_get_mem_data through the custom method's ctrlCb when set, enabling fully custom BIO types to handle these operations. by @julek-wolfssl (PR 10004)
* Fixed multiple issues in the SP integer implementation including negative number handling, edge cases when a->used is zero, missing bounds checks, and redundant code, while also re-implementing wc_PKCS12_PBKDF() without MP and adding 128-bit integer types for cleaner PKCS#12 support. by @SparkiDev (PR 10020)
* Fixed functional bugs in x86_64 AES-XTS register clobbering and ARM32 multiply/accumulate source registers, along with assembly label typos, instruction mnemonic corrections, and comment fixes across AES, ChaCha, SHA-3, SHA-512, ML-KEM, and Curve25519 assembly for x86_64, ARM32, and ARM64 targets. by @SparkiDev (PR 10023)
* Fixed a bug in the SP non-blocking ECC mont_inv_order function where the last bit was not being processed during modular inverse computation. by @SparkiDev (PR 10044)
* Added bounds check to prevent potential out-of-bounds access when parsing end-of-content octets in PKCS7 streaming indefinite-length encoding. by @anhu (PR 10039)
* Refactored the "Increment B by 1" loop in wc_PKCS12_PBKDF_ex() to avoid bugprone-inc-dec-in-conditions. by @douzzer (PR 10059)
* Fixed OpenSSL compatibility layer ASN1_INTEGER and ASN1_STRING to be compatible structs. by @julek-wolfssl (PR 10089)
* Fixed potential data truncation in wc_XChaCha20Poly1305_crypt_oneshot() by replacing long int casts with size_t to correctly handle 64-bit sizes on platforms where long int is 32-bit. by @rlm2002 (PR 10091)
* Fixed error handling in the Linux kernel AES AEAD glue code so that scatterwalk_map failures correctly propagate an error code instead of returning success with uninitialized data. by @sameehj (PR 9996)
* Fixed DTLS Fragment Reassembly to not read uninitialized heap contents. Thanks to Sunwoo Lee, Woohyun Choi, and Seunghyun Yoon (Korea Institute of Energy Technology, KENTECH) for the report. (PR 10090)
* Fixed DTLS 1.3 word16 truncation on handshake send size. A handshake message exceeding 65535 bytes causes silent integer truncation when the size is stored in a word16, leading to malformed or truncated handshake transmissions. Thanks to Sunwoo Lee, Woohyun Choi, and Seunghyun Yoon (Korea Institute of Energy Technology, KENTECH) for the report. (PR 10103)
* Fixed invalid-pointer-pair memory errors reported by clang sanitizer with detect_invalid_pointer_pairs=2 in ASAN_OPTIONS. by @douzzer (PR 10095)
* Hardened default builds by enabling ECC curve validation unconditionally, removing the previous dependency on USE_ECC_B_PARAM. Users on older versions can also harden their builds by enabling WOLFSSL_VALIDATE_ECC_IMPORT. by @Frauschi (PR 10133)

## Documentation and Maintenance
* Added inline Doxygen documentation for previously undocumented macros across TLS, cryptography, and ASN source files, and corrected spelling errors throughout the codebase. by @dgarske (PR 9992)
* Fixed typos in documentation for SSL API function argument descriptions. by @dgarske (PR 10021)
* Updated documentation to reflect support for both FIPS 140-2 and FIPS 140-3. by @anhu (PR 10061)

# wolfSSL Release 5.9.0 (Mar. 18, 2026)

Release 5.9.0 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

NOTE: * --enable-heapmath is deprecated
      * MD5 is now disabled by default

PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request number where the code change was added.

## Vulnerabilities

* [High] CVE-2026-3548
Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With appropriately crafted CRLs, either of these out of bound writes could be triggered. Note this only affects builds that specifically enable CRL support, and the user would need to load a CRL from an untrusted source. Found with internal wolfSSL testing. Fixed in PR 9628 and PR 9873.

* [High] CVE-2026-3549
Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. Note that in wolfSSL, ECH is off by default, and the ECH standard is still evolving. Found with internal wolfSSL testing, thanks to Oleh Konko for testing. Fixed in PR 9817.

* [High] CVE-2026-3547
Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a potential process crash (denial of service). Note that ALPN is disabled by default, but is enabled for these 3rd party compatibility features: enable-apachehttpd, enable-bind, enable-curl, enable-haproxy, enable-hitch, enable-lighty, enable-jni, enable-nginx, enable-quic. Users of these features are advised to update to 5.9.0. Thanks to Oleh Konko for the report. Fixed in PR 9860.

* [Med] CVE-2026-2646
A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. Internal sessions were not vulnerable. Thanks to Jonathan Bar Or, and Haruto Kimura (Stella) for the report. Fixed in PR 9748 and PR 9949.

* [Med] CVE-2026-3849
Stack Buffer Overflow in wc_HpkeLabeledExtract via oversized ECH config. A vulnerability exists in wolfSSL 5.8.4 and earlier ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to a client crash, with potential for remote code execution. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech. Thanks to Haruto Kimura (Stella) for the report. Fixed in PR 9737.

* [Low] CVE-2026-0819
wolfSSL PKCS7 SignedData encoding OOB write (signed attributes). A vulnerability existed in the API wc_PKCS7_EncodeSignedData, and wc_PKCS7_EncodeSignedData_ex, where when encoding signed data with custom attributes, wolfSSL could write past a fixed size array resulting in a stack out of bounds write. This vulnerability only occurred when trying to create a signed PKCS7 encoding with more than 7 signed attributes, and did not affect PKCS7 parsing in general. Thanks to Maor Caplan for the report. Fixed in PR 9630.

* [Low] CVE-2026-1005
Integer underflow in wolfSSL packet sniffer. wolfSSL 5.8.4 and earlier allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing a heap buffer overflow and a potential crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records. The sniffer feature is disabled by default and this only affects builds with --enable-sniffer and AEAD support. Thanks to Prasanth Sundararajan for the report. Fixed in PR 9571.

* [Low] CVE-2026-2645
A logic flaw existed in the TLS 1.2 server state machine implementation: the server could incorrectly accept the CertificateVerify message before the ClientKeyExchange message had been received. wolfSSL 5.8.2 and earlier is vulnerable; 5.8.4 is not, as it detects the issue later in the handshake, and 5.9.0 was further hardened to catch the issue earlier in the handshake. Thanks to Kai Tian for the report. Fixed in PR 9694.

* [Low] CVE-2026-3230
In wolfSSL 5.8.4 and earlier the client did not detect a missing key_share extension in a ServerHello sent after a crafted HelloRetryRequest. In that case the client still authenticated the server correctly and then continued to establish a connection with a predictable derived key. Since server authentication is still established, this is only an issue if the server can unknowingly be forced to send the malformed HelloRetryRequest followed by the ServerHello that omits the key_share extension. Thanks to Jaehun Lee for the report. Fixed in PR 9754.

* [Low] CVE-2026-3229
Integer Overflow in Certificate Chain Allocation. An integer overflow vulnerability existed in the static function wolfssl_add_to_chain, that caused heap corruption when certificate data was written out of bounds of an insufficiently sized certificate buffer. wolfssl_add_to_chain is called by these APIs: wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CTX_add1_chain_cert, wolfSSL_add0_chain_cert. These APIs are enabled for 3rd party compatibility features: enable-opensslall, enable-opensslextra, enable-lighty, enable-stunnel, enable-nginx, enable-haproxy. This issue is not remotely exploitable, and would require that the application context loading certificates is compromised. Thanks to Pelioro and Kunyuk for responsibly reporting this issue. Fixed in PR 9827.

* [Low] CVE-2026-3579
wolfSSL 5.8.4 and earlier on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9, etc.), leading to a timing side-channel that may expose sensitive cryptographic data. Thanks to Wind Wong for the report. Fixed in PR 9855.

* [Low] CVE-2026-3580
Compiler-induced timing leak in sp_256_get_entry_256_9 on RISC-V. In wolfSSL 5.8.4 and earlier, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover secret keys via timing analysis. Thanks to Wind Wong for the report. Also fixed in PR 9855.
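
A masked table fetch of the kind CVE-2026-3580 concerns, as an added example that is not wolfSSL's `sp_256_get_entry_256_9`: every entry is read and combined under an all-ones-or-zero mask, so neither the addresses touched nor the branches taken depend on the secret index. The function names `ct_table_get`, `ct_mask_eq` and `value_barrier`, and the `SAMPLE_TABLE` contents, are this example's own. The barrier is an empty GCC/Clang inline-asm statement (an assumed, widely used idiom; a `volatile` copy stands in elsewhere) that prevents the optimizer from recognising the mask as a boolean and turning the masked OR back into the conditional branch the advisory describes:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not wolfSSL code. Copies entry idx of a table with n entries
 * of `words` 32-bit limbs each into out, touching every entry. An out-of-range
 * idx yields all zeros (a detectable sentinel) rather than an OOB read. */

static uint32_t value_barrier(uint32_t v)
{
#if defined(__GNUC__)
    __asm__ volatile("" : "+r"(v));      /* opaque to the optimizer, no code emitted */
#else
    volatile uint32_t t = v;
    v = t;
#endif
    return v;
}

/* all-ones when a == b, zero otherwise, without a comparison the compiler can lower to a branch */
static uint32_t ct_mask_eq(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;                      /* zero iff equal */
    uint32_t top = (~x & (x - 1)) >> 31;     /* 1 iff x == 0 */
    return 0u - value_barrier(top);          /* 0x00000000 or 0xFFFFFFFF */
}

void ct_table_get(uint32_t *out, const uint32_t *table, size_t n, size_t words, size_t idx)
{
    size_t i, w;
    memset(out, 0, words * sizeof(uint32_t));
    for (i = 0; i < n; i++) {
        uint32_t m = ct_mask_eq((uint32_t)i, (uint32_t)idx);
        for (w = 0; w < words; w++)
            out[w] |= table[i * words + w] & m;   /* same work for every i */
    }
}

/* constructed sample table: 4 entries of 3 limbs, all values distinct */
const uint32_t SAMPLE_TABLE[4 * 3] = {
    0x00000001, 0x00000002, 0x00000003,
    0x11111111, 0x22222222, 0x33333333,
    0xdeadbeef, 0xcafebabe, 0x0badf00d,
    0xffffffff, 0x80000000, 0x7fffffff,
};

/* 1 if the masked fetch of entry idx reproduces that table row exactly */
int ct_table_get_matches(size_t idx)
{
    uint32_t out[3];
    ct_table_get(out, SAMPLE_TABLE, 4, 3, idx);
    return memcmp(out, &SAMPLE_TABLE[idx * 3], sizeof out) == 0;
}

int main(void)
{
    uint32_t out[3];
    ct_table_get(out, SAMPLE_TABLE, 4, 3, 2);
    printf("entry 2: %08x %08x %08x\n", out[0], out[1], out[2]);
    return 0;
}
```

The barrier is a mitigation, not a proof. The advisory's point is that a source-level constant-time idiom is only as good as what the compiler emits for the target and optimization level actually shipped, so the check that matters is disassembling the built object (for RV32I at -O3 in the advisory's case) and confirming that no `bnez`/`beqz` or similar branch appears inside the fetch loop.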

* [Low] CVE-2026-3503
A protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6. Thanks to Hariprasad Kelassery Valsaraj of Temasek Laboratories for the report. Fixed in PR 9734.

* [Low] CVE-2026-4159
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default. Thanks to Haruto Kimura (Stella). Fixed in PR 9945.

* [Low] CVE-2026-4395
A heap buffer out of bounds write case existed in wolfSSL version 5.8.4 and earlier when importing an ECC key while built with KCAPI support. The fix implemented added a check on the raw pubkey length in wc_ecc_import_x963 before copying it to an internal struct. KCAPI support is turned off by default and only enabled with builds using --enable-kcapi. Thanks to Haruto Kimura (Stella) for the report. Fixed in PR 9988.

## New features
* FIPS 205, SLH-DSA implementation by @SparkiDev (PR 9838).
* Added OCSP responder API and support by @julek-wolfssl (PR 9761).
* Add AES CryptoCB key import support by @sameehj (PR 9658).
* Add the RNG bank facility to wolfCrypt, wc_rng_new_bankref() to avoid expensive seeding operations at runtime by @douzzer (PR 9616).

## Ports, Hardware Integration, and ASM enhancements
* Add Renesas SK-S7G2 support by @miyazakh (PR 9561).
* Support for STM32 HMAC hardware by @dgarske (PR 9745).
* Add STM32G0 hardware crypto support by @danielinux (PR 9707).
* Misc STM32 fixes and testing improvements by @dgarske, @LinuxJedi (PRs 9446, 9563).
* Various Thumb2 AES/SP ASM enhancements and fixes by @SparkiDev (PRs 9464, 9491, 9547, 9615, 9767)
* Add Zephyr 4.1+ build compatibility for wolfssl_tls_sock sample by @night1rider (PR 9765)

## Rust wrapper
* Added FIPS support by @holtrop (PR 9739).
* Added modules for dilithium (PR 9819), chacha20-poly1305 (PR 9599), curve25519 (PR 9594), blake2 (PR 9586), LMS (PR 9910), and ml-kem (PR 9833) by @holtrop.
* Miscellaneous fixes and enhancements for RSA, ECC, HASHDRBG, HMAC-BLAKE2, and XChaCha20-Poly1305 by @holtrop (PRs 9453, 9499, 9500, 9624, 9687).

## Post-Quantum Cryptography (PQC)
* General improvements for WOLFSSL_NO_MALLOC PQC support by @douzzer (PR 9674).
* Various ML-DSA bug fixes by @SparkiDev (PRs 9575, 9696).
* Fixed a bug with ML-DSA verification with WOLFSSL_DILITHIUM_SMALL, by @SparkiDev (PR 9760). Reported by Sunwoo Lee and Seunghyun Yoon of Korea Institute of Energy Technology (KENTECH).
* ML-KEM bug fixes and improvements by @lealem47, @SparkiDev (PRs 9470, 9621, 9822).
* Collection of ML-KEM fixes including DTLS 1.3 cookie and ClientHello fragment handling, static memory handling, a memory leak in TLS server PQC handling with ECH, and expanded hybrid/individual ML-KEM level test coverage. by @Frauschi (PR 9968)

## TLS/DTLS
* Add support for TLS 1.3 Brainpool curves by @Frauschi (PR 9701).
* DTLS retransmission enhancement by @julek-wolfssl (PR 9623).
* Fix DTLS header size calculation by @rizlik (PR 9513).
* Fix (D)TLS fragmentation size checks by @julek-wolfssl (PR 9592).
* Extend AIA interface by @padelsbach (PR 9728).
* Various TLS 1.3 and extension fixes by @SparkiDev, @AlexLanzano, @embhorn (PRs 9528, 9538, 9466, 9662, 9824, 9934). Thanks to Muhammad Arya Arjuna (pelioro) for the report.
* Improve TLS message order checks by @SparkiDev (PRs 9694, 9718).
* TLS ECH improvements by @sebastian-carpenter (PR 9737).
* Harden compare of mac with TLS 1.3 finished by @JacobBarthelmeh (PR 9864).

## PKCS
* Add PKCS7 ECC raw sign callback support by @jackctj117 (PR 9656).
* Add RSA-PSS support for SignedData by @sameehj (PR 9742).
* Support for ML-DSA via PKCS#11 by @Frauschi (PRs 9726, 9836).
* Fix PKCS11 object leak in Pkcs11ECDH by @mattia-moffa (PR 9780).
* Fix PKCS#7 SignedData parsing for non-OCTET_STRING content types by @cconlon (PR 9559).
* Add RSA-PSS certificate support for PKCS7 EnvelopedData KTRI by @sameehj (PR 9854).

## Kernel
* Various linuxkm fixes and enhancements for Tegra kernels by @sameehj, @douzzer (PRs 9478, 9540, 9512).
* freebsdkm: FIPS support (PR 9590), and x86 crypto acceleration support by @philljj (PR 9714).
* Support offline FIPS hash calculation in linuxkm by @douzzer (PR 9800).

## Testing improvements
* Increase test coverage for PQC and CMake by @Frauschi (PR 9637).
* API testing: split out and better organized test cases by @SparkiDev (PR 9641).
* Added test for session deserialization input validation by @gasbytes (PR 9759).
* Added TLS Anvil workflow by @embhorn (PR 9804).
* Added rng-tools 6.17 testing by @julek-wolfssl (PR 9810).
* Added openldap 2.6.9 testing by @julek-wolfssl (PR 9805).
* Add bind 9.20.11 to the test matrix by @julek-wolfssl (PR 9806).
 323* Misc testing fixes by @miyazakh, @SparkiDev, @julek-wolfssl, @padelsbach, @rlm2002 (PRs 9584, 9670, 9688, 9710, 9716, 9755).
 324* Implement a stateful port tracking mechanism for test port assignment that eliminates collisions  during high-concurrency test loops in CI by @kaleb-himes (PR 9850).
 325
 326## Bug Fixes
 327* Fix for buffer overflow write in the wolfSSL CAAM (Cryptographic Acceleration and Assurance Module) driver for Integrity OS on i.MX6. Thanks to Luigino Camastra for the report.
 328* API Documentation: various fixes and improvements: @LinuxJedi, @tamasan238,  @kareem-wolfssl, @dgarske (PRs 9458, 9552, 9570, 9585).
 329* Fix potential memory under-read in TLS ticket processing function.  Thanks to Arjuna Arya for the report.
 330* Fix IP address check in wolfSSL_X509_check_host() by @rlm2002 (PR 9502).
 331* Check if ctx and ssl are null when checking public key in certificate by @rlm2002 (PR 9506).
 332* Fix test when ECH and harden are enabled by @embhorn (PR 9510).
 333* Fix wc_CmacFree() to use correct heap pointer from internal Aes structure by @night1rider (PR 9527).
 334* Various Coverity analyzer fixes by @rlm2002 (PRs 9437, 9534, 9619, 9646, 9812, 9842, 9887, 9933).
 335* Fix dereference before Null check by @rlm2002 (PR 9591).
 336* Fix memory leak in case of handshake error by @Frauschi (PR 9609).
 337* Fix MatchBaseName by @rizlik (PR 9626).
 338* ChaCha20 Aarch64 ASM fix by @SparkiDev (PR 9627).
 339* Fix TLSX_Parse to correctly handle client and server cert type ext with TLS1.3 by @embhorn (PR 9657).
 340* Fix cert SW issues in Aes and rng by @tmael (PR 9681).
 341* Various fixes for NO_RNG builds by @dgarske (PRs 9689, 9698).
 342* Fixes for STSAFE-A120 ECDHE by @dgarske (PR 9703).
 343* Fix Crash when using Sha224 Callback with MAX32666 by @night1rider (PR 9712).
 344* Fix for RSA private key parsing (allowing public) and RSA keygen no malloc support by @dgarske (PR 9715).
 345* Fix null check in ECDSA encode by @padelsbach (PR 9771).
 346* Various static analyzer fixes by @LinuxJedi (PRs 9786, 9788, 9795, 9801, 9817).
 347* Fix switch case handling in TLSX_IsGroupSupported function by @Pushyanth-Infineon (PR 9777).
 348* Fixes to big-endian bugs found in Curve448 and Blake2S by @LinuxJedi (PR 9778).
 349* Fix cert chain size issue by @embhorn (PR 9827).
 350* Fix potential memory leak when copying into existing SHA contexts and zero init tmpSha by @night1rider (PR 9829).
 351* Add sanity checks in key export by @embhorn (PR 9823). Thanks to Muhammad Arya Arjuna (pelioro) for the report.
 352* CRL enhancements for revoked entries by @padelsbach (PR 9839).
 353* Fix DRBG_internal alloc in wc_RNG_HealthTestLocal by @embhorn (PR 9847).
 354* Various CMake fixes and improvements by @Frauschi (PRs 9605, 9725).
 355* RISC-V 32 no mul SP C: implement multiplication by @SparkiDev (PR 9855).
 356* ASN: improve handling of ASN.1 parsing/encoding by @SparkiDev (PR 9872).
 357* Various fixes to CRL parsing by @miyazakh (PRs 9628, 9873).
 358* Harden hash comparison in TLS1.2 finished by @Frauschi (PR 9874).
 359* Various fixes to TLS sniffer by @mattia-moffa, @embhorn, @julek-wolfssl, @Frauschi (PRs 9571, 9643, 9867, 9901, 9924).
 360* Check ivLen in wolfSSL_EVP_CIPHER_CTX_set_iv_length by @philljj (PR 9943). Thanks to Haruto Kimura (Stella) for the report.
 361* Validate that the ticket length is at least ID_LEN before use in SetTicket, preventing an undersized buffer from being processed by @kareem-wolfssl (PR 9782).
 362* Enforce null compression in compression_methods list by @julek-wolfssl (PR 9913).
 363* Additional sanity check on number of groups in set groups function by @JacobBarthelmeh (PR 9861).
 364* Resolves issues with asynchronous and crypto callback handling, adding test coverage to prevent regressions by @dgarske (PR 9784).
 365* Fix checkPad to reject zero PKCS#7 padding value by @embhorn (PR 9878).
 366* Add sanity check on keysize found with ECC point import by @JacobBarthelmeh (PR 9989).
 367* Adds a range check to ensure session ticket lifetimes are within the bounds permitted by the TLS specification by @Frauschi (PR 9881).
 368* Fix potential overflows in hash used-size calculation for TI and SE050 implementations by @kareem-wolfssl (PR 9954).
 369* Correct a constant mismatch where the draft QUIC transport params branch was returning the wrong extension constant, causing incorrect version detection by @embhorn (PR 9868).
 370* Correct the key type detection logic in Falcon and the SPHINCS+ signature algorithm's else-if chain to properly identify all key variants by @anhu (PR 9979, 9980).
 371* XMSS: Fix index copy for signing by @SparkiDev (PR 9978).
 372* Fix pathlen not copied in ASN1_OBJECT_dup and not marked set in X509_add_ext by @cconlon (PR 9940).
 373* Ensure CheckHeaders length does not exceed packet size in sniffer by @kareem-wolfssl (PR 9947).
 374* SP fixes: 32-bit ARM assembly fixes modular exponentiation bug by @SparkiDev (PR 9964).
 375* Fix buffer-overflow in LMS leaf cache indexing by @anhu (PR 9919).
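
The hardened Finished comparisons in PRs 9864 and 9874 above are instances of one rule: a MAC, hash or binder check must not return at the first mismatching byte, because how long the check runs then tells the peer how much of a forged value was right. The block below is an added illustration and not wolfSSL code; `leaky_compare`, `ct_compare`, `steps_taken` and the sample tag bytes are constructed for it, and the volatile accumulator is a common idiom assumed here, not a description of how wolfSSL implements its compare.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not wolfSSL code. Both compares return 0 when the
 * buffers match and -1 otherwise; the optional `steps` output reports how
 * many bytes were examined, making the timing difference visible. */

/* Early-exit compare (the shape of memcmp): returns at the first mismatch,
 * so whoever can time the check learns how many leading bytes of a forged
 * MAC or PSK binder were right. Kept only to contrast with ct_compare. */
static int leaky_compare(const uint8_t *a, const uint8_t *b, size_t len,
                         size_t *steps)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            if (steps) *steps = i + 1;
            return -1;
        }
    }
    if (steps) *steps = len;
    return 0;
}

/* Constant-time compare: visits every byte whatever the contents and folds
 * the verdict without a data-dependent branch. The volatile accumulator is
 * a common idiom (an assumption of this example, not a description of
 * wolfSSL's code) that discourages the compiler from re-introducing an
 * early exit; only inspecting the generated code, as the CVE-2025-13912
 * report did, shows whether a given compiler and flag set kept it. */
static int ct_compare(const uint8_t *a, const uint8_t *b, size_t len,
                      size_t *steps)
{
    volatile uint8_t diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    if (steps) *steps = len;
    /* (diff | -diff) has its top bit set exactly when diff != 0 */
    return -(int)(((diff | (uint8_t)(0u - diff)) & 0x80u) >> 7);
}

/* Constructed sample: an expected 16-byte tag and two wrong guesses, one
 * differing in the first byte and one differing only in the last byte. */
static const uint8_t kExpected[16] = {
    0x5a, 0x3c, 0x91, 0x07, 0xe2, 0x44, 0xb8, 0x1d,
    0x6f, 0xc3, 0x0a, 0x77, 0x95, 0x2e, 0xd1, 0x48 };
static const uint8_t kWrongFirst[16] = {
    0x00, 0x3c, 0x91, 0x07, 0xe2, 0x44, 0xb8, 0x1d,
    0x6f, 0xc3, 0x0a, 0x77, 0x95, 0x2e, 0xd1, 0x48 };
static const uint8_t kWrongLast[16] = {
    0x5a, 0x3c, 0x91, 0x07, 0xe2, 0x44, 0xb8, 0x1d,
    0x6f, 0xc3, 0x0a, 0x77, 0x95, 0x2e, 0xd1, 0x00 };

/* Bytes examined when `guess` is checked against kExpected with the
 * early-exit compare (use_ct == 0) or the constant-time one (use_ct != 0). */
size_t steps_taken(int use_ct, const uint8_t *guess)
{
    size_t steps = 0;
    if (use_ct) ct_compare(kExpected, guess, sizeof kExpected, &steps);
    else        leaky_compare(kExpected, guess, sizeof kExpected, &steps);
    return steps;
}

int main(void)
{
    printf("early-exit:    first-byte mismatch %zu steps, last-byte mismatch %zu steps\n",
           steps_taken(0, kWrongFirst), steps_taken(0, kWrongLast));
    printf("constant-time: first-byte mismatch %zu steps, last-byte mismatch %zu steps\n",
           steps_taken(1, kWrongFirst), steps_taken(1, kWrongLast));
    return 0;
}
```

Run as is, the early-exit compare reports 1 step for a first-byte mismatch and 16 for a last-byte one, while `ct_compare` reports 16 in both cases. The step count stands in for elapsed time; measured on hardware the same shape appears, which is why the leaky form is unsuitable for checking anything the peer gets to choose.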


# wolfSSL Release 5.8.4 (Nov. 20, 2025)

Release 5.8.4 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

NOTE: * --enable-heapmath is deprecated
            * MD5 is now disabled by default

PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request number where the code change was added.

## Vulnerabilities
* [Low CVE-2025-12888] Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa, it is recommended to use the low-memory implementation of X25519, which is now turned on by default for Xtensa. Thanks to Adrian Cinal for the report. Fixed in PR 9275.

* [Med. CVE-2025-11936] Potential DoS vulnerability due to a memory leak through multiple KeyShareEntry with the same group in malicious TLS 1.3 ClientHello messages. This affects users who are running wolfSSL on the server side with TLS 1.3. Thanks to Jaehun Lee and Kyungmin Bae, Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9117.

* [Low CVE-2025-11935] PSK with PFS (Perfect Forward Secrecy) downgrades to PSK without PFS during TLS 1.3 handshake. If the client sends a ClientHello that has a key share extension and the server responds with a ServerHello that does not have a key share extension, the connection would previously continue on without using PFS. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9112.

* [Low CVE-2025-11934] Signature Algorithm downgrade from ECDSA P521 to P256 during TLS 1.3 handshake. When a client sent ECDSA P521 as the supported signature algorithm, the server could previously respond with ECDSA P256 as the accepted signature algorithm, and the connection would continue using ECDSA P256. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9113.

* [Low CVE-2025-11933] DoS Vulnerability in wolfSSL TLS 1.3 CKS extension parsing. Previously, duplicate CKS extensions were not rejected, leading to a potential memory leak when processing a ClientHello. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9132.

* [Low CVE-2025-11931] Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is reached only through a direct call to wc_XChaCha20Poly1305_Decrypt(), which is not used by TLS connections, only by applications calling it directly. Thanks to Luigino Camastra from Aisle Research for the report. Fixed in PR 9223.

* [Low CVE-2025-11932] Timing Side-Channel in PSK Binder Verification. The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder. Thanks to Luigino Camastra from Aisle Research for the report. Fixed in PR 9223.

* [Low CVE-2025-12889] With TLS 1.2 connections, a client could use any digest, including a weaker one, rather than those listed in the CertificateRequest. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9395.

* [Low CVE-2025-13912] When using the Clang compiler, various optimization levels or flags could result in non-constant-time compiled code. Assembly implementations of the functions in wolfSSL were not affected. The report was done specifically with Clang version 18, but similar timing variations were shown with the same optimization levels on Clang 14 and Clang 20.

On the following architectures, the expected constant-time functions were found to have potential timing variations when specific compiler flags or optimization levels were used.

AArch64: Using O3, Ofast, or --enable-nontrivial-unswitch with O1/O2 flags leads to possible timing variations with the software implementations of sp_read_radix, sp_div_2_mod_ct, and sp_addmod_ct. Using O3, O2, Ofast, Os, or Oz with --unroll-force-peel-count=50 leads to possible timing variations with wc_AesGcmDecrypt.

RISC-V: TLS HMAC update/final operations, RSA unpad operations, and DH key pair generation with O1, O2, O3, Ofast, Oz, or Os. wc_AesGcmDecrypt and wc_Chacha_Process with O1, O2, O3, Os, or Ofast. Also SP software operations sp_div_2_mod_ct and sp_addmod_ct using O3 or Ofast.

X86_64: TLS HMAC update/final operations and TimingVerifyPad used with verifying the TLS MAC with --fast-isel or --x86-cmov-converter-force-all compile flags. RSA unpad operations, ECC mulmod, and wc_Chacha_Process with the --x86-cmov-converter-force-all flag. DH key agreement, sp_div_2_mod_ct and sp_addmod_ct with O1, O2, O3, Os, or Ofast. wc_AesGcmDecrypt with the compiler flags O2, O3, Os, Ofast, Oz --x86-cmov-converter-force-all | --unroll-force-peel-count=50, or O1 --x86-cmov-converter-force-all.

Thanks to Jing Liu, Zhiyuan Zhang, LUCÍA MARTÍNEZ GAVIER, Gilles Barthe, Marcel Böhme from Max Planck Institute for Security and Privacy (MPI-SP) for the report. Fixed in PR 9148.
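
CVE-2025-11936 and CVE-2025-11933 above have the same shape: a repeated element in a ClientHello (a KeyShareEntry for a group already seen, or a second CKS extension) that the parser accepted, after which whatever had been allocated for the earlier occurrence was never released. As an added example, not wolfSSL code, here is a parser for the key_share extension body as RFC 8446 section 4.2.8 lays it out, written so that the duplicate check runs before anything per entry is acquired. The names `parse_key_share_client_hello` and `count_shares`, the error codes and the sample byte strings (with placeholder key_exchange contents) are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not wolfSSL code: a parser for the TLS 1.3 ClientHello
 * key_share extension body (RFC 8446 section 4.2.8 wire format) that rejects
 * a repeated NamedGroup before any per-entry work is done. */

#define MAX_SHARES 8

enum {
    KS_OK = 0,
    KS_ERR_TRUNCATED = -1,       /* a length field runs past the extension */
    KS_ERR_EMPTY_KEY = -2,       /* key_exchange<1..2^16-1> must not be empty */
    KS_ERR_DUPLICATE_GROUP = -3, /* same group offered twice */
    KS_ERR_TOO_MANY = -4         /* more entries than this parser will hold */
};

typedef struct {
    uint16_t       group;         /* NamedGroup code point */
    const uint8_t *key_exchange;  /* points into the caller's buffer */
    uint16_t       key_len;
} key_share_entry;

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* On success fills `out` and sets *n_out. On any error nothing has been
 * acquired on an entry's behalf, so the caller has nothing to release. */
int parse_key_share_client_hello(const uint8_t *ext, size_t ext_len,
                                 key_share_entry *out, size_t max_out,
                                 size_t *n_out)
{
    size_t idx = 2, n = 0, i;

    /* client_shares<0..2^16-1>: the length must cover exactly the rest */
    if (ext_len < 2 || (size_t)rd16(ext) != ext_len - 2)
        return KS_ERR_TRUNCATED;

    while (idx < ext_len) {
        uint16_t group, key_len;

        if (ext_len - idx < 4)
            return KS_ERR_TRUNCATED;
        group   = rd16(ext + idx);
        key_len = rd16(ext + idx + 2);
        idx += 4;
        if (key_len == 0)
            return KS_ERR_EMPTY_KEY;
        if (ext_len - idx < key_len)
            return KS_ERR_TRUNCATED;

        /* Check for a repeat before, say, importing the peer's public value
         * for this group: import first and check later, and the error path
         * must remember to free the earlier import, which is how it leaks. */
        for (i = 0; i < n; i++)
            if (out[i].group == group)
                return KS_ERR_DUPLICATE_GROUP;
        if (n == max_out)
            return KS_ERR_TOO_MANY;

        out[n].group = group;
        out[n].key_exchange = ext + idx;
        out[n].key_len = key_len;
        n++;
        idx += key_len;
    }
    *n_out = n;
    return KS_OK;
}

/* Convenience wrapper: the entry count on success, else the error code. */
int count_shares(const uint8_t *ext, size_t ext_len)
{
    key_share_entry entries[MAX_SHARES];
    size_t n = 0;
    int rc = parse_key_share_client_hello(ext, ext_len, entries, MAX_SHARES, &n);
    return rc == KS_OK ? (int)n : rc;
}

/* Constructed samples. The key_exchange bytes are 4-byte placeholders, not
 * real public values (x25519 carries 32 bytes, secp256r1 65). */
static const uint8_t kTwoGroups[] = {
    0x00, 0x10,                                      /* client_shares length 16 */
    0x00, 0x1d, 0x00, 0x04, 0xa1, 0xa2, 0xa3, 0xa4,  /* x25519 (0x001d) */
    0x00, 0x17, 0x00, 0x04, 0xb1, 0xb2, 0xb3, 0xb4   /* secp256r1 (0x0017) */
};
static const uint8_t kRepeatedGroup[] = {
    0x00, 0x10,
    0x00, 0x1d, 0x00, 0x04, 0xa1, 0xa2, 0xa3, 0xa4,
    0x00, 0x1d, 0x00, 0x04, 0xc1, 0xc2, 0xc3, 0xc4   /* x25519 a second time */
};
static const uint8_t kTruncatedList[] = {
    0x00, 0x10,                                      /* claims 16 bytes... */
    0x00, 0x1d, 0x00, 0x04, 0xa1, 0xa2, 0xa3, 0xa4   /* ...but only 8 follow */
};

int main(void)
{
    printf("two groups:     %d\n", count_shares(kTwoGroups, sizeof kTwoGroups));
    printf("repeated group: %d\n", count_shares(kRepeatedGroup, sizeof kRepeatedGroup));
    printf("truncated list: %d\n", count_shares(kTruncatedList, sizeof kTruncatedList));
    return 0;
}
```

The ordering inside the loop is the whole point: length checks, then the duplicate check, and only then does the entry get recorded (or, in a real server, its public value imported). A parser that imports first has to undo that import on every later error path, and a fuzzer or a flood of crafted ClientHellos finds the path that was missed.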

## New Features
* New ML-KEM / ML-DSA APIs and seed/import PKCS8 support; added _new/_delete APIs for ML-KEM/ML-DSA. (PR 9039, 9000, 9049)
* Initial wolfCrypt FreeBSD kernel module support (PR 9392)
* Expanded PKCS7/CMS capabilities: decode SymmetricKeyPackage / OneSymmetricKey, add wc_PKCS7_GetEnvelopedDataKariRid, and allow PKCS7 builds with AES keywrap unset. (PR 9018, 9029, 9032)
* Add custom AES key wrap/unwrap callbacks and crypto callback copy/free operations. (PR 9002, 9309)
* Add support for certificate_authorities extension in ClientHello and certificate manager CA-type selection/unloading. (PR 9209, 9046)
* Large expansion of Rust wrapper modules: random, aes, rsa, ecc, dh, sha, hmac, cmac, ed25519/ed448, pbkdf2/PKCS#12, kdf/prf, SRTP KDFs, and conditional compilation options. (PR 9191, 9212, 9273, 9306, 9320, 9328, 9368, 9389, 9357, 9433)
* Rust: support optional heap and dev_id parameters and enable conditional compilation based on C build options. (PR 9407, 9433)
* STM32 fixes (benchmarking and platform fixes) and PSoC6 hardware acceleration additions. (PR 9228, 9256, 9185)
* STM32U5 added support for SAES and DHUK. (PR 9087)
* Add --enable-curl=tiny option for a smaller build when used with cURL. (PR 9174)

## Improvements / Optimizations
* Regression test fixes and expansion: TLS 1.3/1.2 tests, ARDUINO examples, libssh2 tests, hostap workflows, and nightly test improvements. (PR 9096, 9141, 9091, 9122, 9388)
* Improved test ordering and CI test stability (random tests run order changes, FIPS test fixes). (PR 9204, 9257)
* Docs and readme fixes, docstring updates, AsconAEAD comment placement, and example certificate renewals. (PR 9131, 9293, 9262, 9429)
* Updated GPL exception lists (GPLv2 and GPLv3 exception updates: add Fetchmail and OpenVPN). (PR 9398, 9413)
* Introduced WOLFSSL_DEBUG_CERTS and additional debug/logging refinements. (PR 8902, 9055)
* Expanded crypto-callback support (SHA family, HKDF, SHA-224, sha512_family digest selection) and improved crypto-only build cases. (PR 9070, 9252, 9271, 9100, 9194)
* AES & HW offload improvements including AES-CTR support in PKCS11 driver and AES ECB offload sizing fix. (PR 9277, 9364)
* ESP32: PSRAM allocator support and SHA HW fixes for ESP-IDF v6/v5. (PR 8987, 9225, 9264)
* Renesas FSP / RA examples updated and security-module TLS context improvements. (PR 9047, 9010, 9158, 9150)
* Broad configure/CMake/Autotools workflow improvements (Apple options tracking, Watcom pinning, Debian packaging, ESP-IDF pinning). (PR 9037, 9167, 9161, 9264)
* New assembly introspection / performance helpers for RISC-V and PPC32; benchmarking enhancements (cycle counts). (PR 9101, 9317)
* Update to SGX build for using assembly optimizations. (PR 8463, 9138)
* Updated testing with the Fil-C compiler to version 0.674. (PR 9396)
* Refactors and compression of small stack code. (PR 9153)

## Bug Fixes
* Removed the test feature using popen when defining the macro WOLFSSL_USE_POPEN_HOST and not having HAVE_GETADDRINFO defined, along with having the macro HAVE_HTTP_CLIENT set. There was the potential for vulnerable behavior with the use of popen when the API wolfSSL_BIO_new_connect() was called with this specific build. This exact build configuration is only intended for testing with QEMU and is not enabled with any autoconf/cmake flags. Thanks to linraymond2006 for the report. (PR 9038)
* Fix for C# wrapper Ed25519 potential crash and heap overwrite with raw public key import when using the API Ed25519ImportPublic. This was a broken API with the C# wrapper that would crash on use. Thanks to Luigino Camastra from Aisle Research for the bug report. (PR 9291)
* Coverity, cppcheck, MISRA, clang-tidy, ZeroPath and other static-analysis driven fixes across the codebase. (PR 9006, 9078, 9068, 9265, 9324)
* TLS 1.2/DTLS improvements: client message order checks, DTLS cookie/exchange and replay protections, better DTLS early-data handling. (PR 9387, 9253, 9205, 9367)
* Improved X.509 & cert handling: allow larger pathLen in Basic Constraints, restore inner server name for ECH, retrying cert candidate chains. (PR 8890, 9234, 8692)
* Sniffer robustness: fix infinite recursion, better handling of OOO appData and partial overlaps, and improved retransmission detection. (PR 9051, 9106, 9140, 9094)
* Numerous linuxkm (kernel-mode) fixes, relocation/PIE normalization, and FIPS-related build tweaks across many iterations. (PR 9025, 9035, 9067, 9111, 9121)
* ML-KEM/Kyber and ML-DSA fixes for out-of-bounds and seed-import correctness; multiple ML-related safety fixes. (PR 9142, 9105, 9439)
* Avoid uninitialized-variable and GCC warnings; several fixes for undefined-shift/overflow issues. (PR 9020, 9372, 9195)
* Memory & leak fixes in X509 verification and various struct sizing fixes for WOLFSSL_NO_MALLOC usage. (PR 9258, 9036)
* Fixed RSA / signing / verify-only warnings allowing WOLFSSL_NO_CT_OPS when WOLFSSL_RSA_VERIFY_ONLY is used and API cleanups for using const. (PR 9031, 9263)


# wolfSSL Release 5.8.2 (July 17, 2025)

Release 5.8.2 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

NOTE: * wolfSSL is now GPLv3 instead of GPLv2
            * --enable-heapmath is deprecated
            * MD5 is now disabled by default


PR stands for Pull Request, and PR (NUMBER) references a GitHub pull request number where the code change was added.

## Vulnerabilities

* [Low] There is the potential for a fault injection attack on ECC and Ed25519 verify operations. In versions of wolfSSL 5.7.6 and later the --enable-faultharden option is available to help mitigate against potential fault injection attacks. The mitigation added in wolfSSL version 5.7.6 is to help harden applications relying on the results of the verify operations, such as when used with wolfBoot. If doing ECC or Ed25519 verify operations on a device at risk for fault injection attacks then --enable-faultharden could be used to help mitigate it. Thanks to Kevin from Fraunhofer AISEC for the report.

Hardening option added in PR https://github.com/wolfSSL/wolfssl/pull/8289


* [High CVE-2025-7395] When using WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION on an Apple platform, the native trust store verification routine overrides errors produced elsewhere in the wolfSSL certificate verification process, including failures due to hostname matching/SNI, OCSP, CRL, etc. This allows any trusted cert chain to override other errors detected during chain verification that should have resulted in termination of the TLS connection. If building wolfSSL on versions after 5.7.6 and before 5.8.2 with use of the system CA support and the Apple native cert validation feature enabled on Apple devices (on by default for non-macOS Apple targets when using autotools or CMake), we recommend updating to the latest version of wolfSSL. Thanks to Thomas Leong from ExpressVPN for the report.

Fixed in PR https://github.com/wolfSSL/wolfssl/pull/8833


* [Med. CVE-2025-7394] In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected, leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report.

Fixed in the following PRs:
https://github.com/wolfSSL/wolfssl/pull/8849
https://github.com/wolfSSL/wolfssl/pull/8867
https://github.com/wolfSSL/wolfssl/pull/8898


* [Low CVE-2025-7396] In wolfSSL 5.8.0 the option of hardening the C implementation of Curve25519 private key operations was added with the addition of blinding support (https://www.wolfssl.com/curve25519-blinding-support-added-in-wolfssl-5-8-0/). In wolfSSL release 5.8.2 that blinding support is turned on by default in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available, with ARM assembly builds, Intel assembly builds, or the small Curve25519 feature. While the attack would be very difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation. Thanks to Arnaud Varillon, Laurent Sauvage, and Allan Delautre from Telecom Paris for the report.

Blinding enabled by default in PR https://github.com/wolfSSL/wolfssl/pull/8736
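
CVE-2025-7394 above comes down to DRBG state that survives fork() unchanged, so parent and child hand out the same bytes until something reseeds. The following added example (not wolfSSL code, and its xorshift generator is a toy standing in for a real DRBG) shows the detection the fix relies on: remember the pid at seed time and reseed when a different process draws from the state. `fork_safe_rng`, the counter-based `demo_entropy` source and the pipe-based `demo_fork` harness are all constructed for the demonstration; a real build would seed from the OS entropy source rather than a counter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>    /* getpid, fork, pipe, read, write, _exit */
#include <sys/wait.h>  /* waitpid */

/* Added illustration, not wolfSSL code. The generator is a toy (xorshift64)
 * standing in for a real DRBG; what matters is the owner_pid check in
 * rng_generate, which is the detection the fix described above relies on. */

typedef int (*entropy_fn)(uint8_t *buf, size_t len);

typedef struct {
    entropy_fn get_entropy;
    pid_t      owner_pid;    /* process in which the state was last seeded */
    uint64_t   state;        /* toy state, NOT a cryptographic DRBG */
    int        fork_check;   /* 0 reproduces the pre-fix behaviour */
} fork_safe_rng;

/* Constructed, deterministic "entropy" so the demo is reproducible: a
 * scrambled counter. A real build seeds from the OS pool instead. */
static int demo_entropy(uint8_t *buf, size_t len)
{
    static uint64_t counter = 0;
    uint64_t v = ++counter * 0x9E3779B97F4A7C15ull;
    size_t i;
    for (i = 0; i < len; i++) buf[i] = (uint8_t)(v >> (8 * (i % 8)));
    return 0;
}

static int rng_reseed(fork_safe_rng *r)
{
    uint8_t seed[8];
    if (r->get_entropy(seed, sizeof seed) != 0) return -1;
    memcpy(&r->state, seed, sizeof r->state);
    if (r->state == 0) r->state = 1;   /* xorshift must not start at zero */
    r->owner_pid = getpid();           /* remember which process seeded */
    return 0;
}

int rng_init(fork_safe_rng *r, entropy_fn src, int fork_check)
{
    memset(r, 0, sizeof *r);
    r->get_entropy = src;
    r->fork_check = fork_check;
    return rng_reseed(r);
}

/* If the calling pid is not the pid that seeded the state, we are a forked
 * child holding a copy of the parent's state: reseed before producing output. */
int rng_generate(fork_safe_rng *r, uint8_t *out, size_t len)
{
    size_t i;
    if (r->fork_check && getpid() != r->owner_pid && rng_reseed(r) != 0)
        return -1;
    for (i = 0; i < len; i++) {
        r->state ^= r->state << 13;
        r->state ^= r->state >> 7;
        r->state ^= r->state << 17;
        out[i] = (uint8_t)r->state;
    }
    return 0;
}

/* Seeds, forks, draws 16 bytes on each side; returns 1 if the child's bytes
 * differ from the parent's, 0 if both processes produced the same bytes
 * (the predictable case), -1 on a system error. */
int demo_fork(int fork_check)
{
    fork_safe_rng r;
    int fds[2];
    uint8_t parent_out[16], child_out[16];
    pid_t pid;

    if (rng_init(&r, demo_entropy, fork_check) != 0 || pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: draw and send to parent */
        uint8_t buf[16];
        ssize_t w = 0;
        close(fds[0]);
        if (rng_generate(&r, buf, sizeof buf) == 0)
            w = write(fds[1], buf, sizeof buf);
        close(fds[1]);
        _exit(w == (ssize_t)sizeof buf ? 0 : 1);
    }
    close(fds[1]);                        /* parent: draw and compare */
    if (rng_generate(&r, parent_out, sizeof parent_out) != 0) return -1;
    if (read(fds[0], child_out, sizeof child_out) != (ssize_t)sizeof child_out)
        return -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return memcmp(parent_out, child_out, sizeof parent_out) != 0;
}

int main(void)
{
    printf("pre-fix behaviour, child output differs from parent: %d\n", demo_fork(0));
    printf("with pid check,    child output differs from parent: %d\n", demo_fork(1));
    return 0;
}
```

`demo_fork(0)` reproduces the pre-fix behaviour and returns 0 because the child's 16 bytes are identical to the parent's; `demo_fork(1)` returns 1 because the child notices its pid is not the seeding pid and reseeds first. The check costs one getpid() per call, which is why a library can afford to do it on every generate rather than relying on applications to call RAND_poll() after fork() as the OpenSSL documentation cited in the entry asks.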
 501
 502
 503## New Features
 504* Multiple sessions are now supported in the sniffer due to the removal of a cached check. (PR #8723)
 505* New API ssl_RemoveSession() has been implemented for sniffer cleanup operations. (PR #8768)
 506* The new ASN X509 API, `wc_GetSubjectPubKeyInfoDerFromCert`, has been introduced for retrieving public key information from certificates. (PR #8758)
 507* `wc_PKCS12_create()` has been enhanced to support PBE_AES(256|128)_CBC key and certificate encryptions. (PR #8782, PR #8822, PR #8859)
 508* `wc_PKCS7_DecodeEncryptedKeyPackage()` has been added for decoding encrypted key packages. (PR #8976)
 509* All AES, SHA, and HMAC functionality has been implemented within the Linux Kernel Module. (PR #8998)
 510* Additions to the compatibility layer have been introduced for X.509 extensions and RSA PSS. Adding the API i2d_PrivateKey_bio, BN_ucmp and X509v3_get_ext_by_NID. (PR #8897)
 511* Added support for STM32N6. (PR #8914)
 512* Implemented SHA-256 for PPC 32 assembly. (PR #8894)
 513
 514## Improvements / Optimizations
 515
 516### Linux Kernel Module (LinuxKM) Enhancements
 517* Registered DH and FFDHE for the Linux Kernel Module. (PR #8707)
 518* Implemented fixes for standard RNG in the Linux Kernel Module. (PR #8718)
 519* Added an ECDSA workaround for the Linux Kernel Module. (PR #8727)
 520* Added more PKCS1 pad SHA variants for RSA in the Linux Kernel Module. (PR #8730)
 521* Set default priority to 100000 for LKCAPI in the Linux Kernel Module. (PR #8740)
 522* Ensured ECDH never has FIPS enabled in the Linux Kernel Module. (PR #8751)
 523* Implemented further Linux Kernel Module and SP tweaks. (PR #8773)
 524* Added sig_alg support for Linux 6.13 RSA in the Linux Kernel Module. (PR #8796)
 525* Optimized wc_linuxkm_fpu_state_assoc. (PR #8828)
 526* Ensured DRBG is multithread-round-1 in the Linux Kernel Module. (PR #8840)
 527* Prevented toggling of fips_enabled in the Linux Kernel Module. (PR #8873)
 528* Refactored drbg_ctx clear in the Linux Kernel Module. (PR #8876)
 529* Set sig_alg max_size and digest_size callbacks for RSA in the Linux Kernel Module. (PR #8915)
 530* Added get_random_bytes for the Linux Kernel Module. (PR #8943)
 531* Implemented distro fix for the Linux Kernel Module. (PR #8994)
 532* Fixed page-flags-h in the Linux Kernel Module. (PR #9001)
 533* Added MODULE_LICENSE for the Linux Kernel Module. (PR #9005)
 534
 535### Post-Quantum Cryptography (PQC) & Asymmetric Algorithms
 536* Kyber has been updated to the MLKEM ARM file for Zephyr (PR #8781)
 537* Backward compatibility has been implemented for ML_KEM IDs (PR #8827)
 538* ASN.1 is now ensured to be enabled when only building PQ algorithms (PR #8884)
 539* Building LMS with verify-only has been fixed (PR #8913)
 540* Parameters for LMS SHA-256_192 have been corrected (PR #8912)
 541* State can now be saved with the private key for LMS (PR #8836)
 542* Support for OpenSSL format has been added for ML-DSA/Dilithium (PR #8947)
 543* `dilithium_coeff_eta2[]` has been explicitly declared as signed (PR #8955)
 544
 545### Build System & Portability
 546* Prepared for the inclusion of v5.8.0 in the Ada Alire index. (PR #8714)
 547* Introduced a new build option to allow reuse of the Windows crypt provider handle. (PR #8706)
 548* Introduced general fixes for various build configurations. (PR #8763)
 549* Made improvements for portability using older GCC 4.8.2. (PR #8753)
 550* Macro guards updated to allow tests to build with opensslall and no server. (PR #8776)
 551* Added a check for STDC_NO_ATOMICS macro before use of atomics. (PR #8885)
 552* Introduced CMakePresets.json and CMakeSettings.json. (PR #8905)
 553* Added an option to not use constant time code with min/max. (PR #8830)
 554* Implemented proper MacOS dispatch for conditional signal/wait. (PR #8928)
 555* Disabled MD5 by default for both general and CMake builds. (PR #8895, PR #8948)
 556* Improved to allow building OPENSSL_EXTRA without KEEP_PEER_CERT. (PR #8926)
 557* Added introspection for Intel and ARM assembly speedups. (PR #8954)
 558* Fixed cURL config to set HAVE_EX_DATA and HAVE_ALPN. (PR #8973)
 559* Moved FREESCALE forced algorithm HAVE_ECC to IDE/MQX/user_settings.h. (PR #8977)
 560
 561### Testing & Debugging
 562* Fixed the exit status for testwolfcrypt. (PR #8762)
 563* Added WOLFSSL_DEBUG_PRINTF and WOLFSSL_DEBUG_CERTIFICATE_LOADS for improved debugging output. (PR #8769, PR #8770)
 564* Guarded some benchmark tests with NO_SW_BENCH. (PR #8760)
 565* Added an additional unit test for wolfcrypt PKCS12 file to improve code coverage. (PR #8831)
 566* Added an additional unit test for increased DH code coverage. (PR #8837)
 567* Adjusted for warnings with NO_TLS build and added GitHub actions test. (PR #8851)
 568* Added additional compatibility layer RAND tests. (PR #8852)
 569* Added an API unit test for checking domain name. (PR #8863)
 570* Added bind v9.18.33 testing. (PR #8888)
 571* Fixed issue with benchmark help options and descriptions not lining up. (PR #8957)
 572
 573### Certificates & ASN.1
 574* Changed the algorithm for sum in ASN.1 OIDs. (PR #8655)
 575* Updated PKCS7 to use X509 STORE for internal verification. (PR #8748)
 576* Improved handling of temporary buffer size for X509 extension printing. (PR #8710)
 577* Marked IP address as WOLFSSL_V_ASN1_OCTET_STRING for ALT_NAMES_OID. (PR #8842)
 578* Fixed printing empty names in certificates. (PR #8880)
 579* Allowed CA:FALSE on wolftpm. (PR #8925)
 580* Fixed several inconsistent function prototype parameter names in wc/asn. (PR #8949)
 581* Accounted for custom extensions when creating a Cert from a WOLFSSL_X509. (PR #8960)
 582
 583### TLS/DTLS & Handshake
 584* Checked group correctness outside of TLS 1.3 too for TLSX_UseSupportedCurve. (PR #8785)
 585* Dropped records that span datagrams in DTLS. (PR #8642)
 586* Implemented WC_NID_netscape_cert_type. (PR #8800)
 587* Refactored GetHandshakeHeader/GetHandShakeHeader into one function. (PR #8787)
 588* Correctly set the current peer in dtlsProcessPendingPeer. (PR #8848)
 589* Fixed set_groups for TLS. (PR #8824)
 590* Allowed trusted_ca_keys with TLSv1.3. (PR #8860)
 591* Moved Dtls13NewEpoch into DeriveTls13Keys. (PR #8858)
 592* Cleared tls1_3 on downgrade. (PR #8861)
 593* Always sent ACKs on detected retransmission for DTLS1.3. (PR #8882)
 594* Removed DTLS from echo examples. (PR #8889)
 595* Recalculated suites at SSL initialization. (PR #8757)
 596* No longer using BIO for ALPN. (PR #8969)
 597* Fixed wolfSSL_BIO_new_connect's handling of IPV6 addresses. (PR #8815)
 598* Memory Management & Optimizations
 599* Performed small stack refactors, improved stack size with mlkem and dilithium, and added additional tests. (PR #8779)
 600* Implemented FREE_MP_INT_SIZE in heap math. (PR #8881)
 601* Detected correct MAX_ENCODED_SIG_SZ based on max support in math lib. (PR #8931)
 602* Fixed improper access of sp_int_minimal using sp_int. (PR #8985)
 603
 604### Cryptography & Hash Functions
 605* Implemented WC_SIPHASH_NO_ASM for not using assembly optimizations with siphash. (PR #8789, PR #8791)
 606* Added missing DH_MAX_SIZE define for FIPS and corrected wolfssl.rc FILETYPE to VFT_DLL. (PR #8794)
 607* Implemented WC_SHA3_NO_ASM for not using assembly with SHA3. (PR #8817)
 608* Improved Aarch64 XFENCE. (PR #8832)
 609* Omitted frame pointer for ARM32/Thumb2/RISC-V 64 assembly. (PR #8893)
 610* Fixed branch instruction in ARMv7a ASM. (PR #8933)
 611* Enabled EVP HMAC to work with WOLFSSL_HMAC_COPY_HASH. (PR #8944)
 612* Platform-Specific & Hardware Integration
 613* Added HAVE_HKDF for wolfssl_test and explicit support for ESP32P4. (PR #8742)
 614* Corrected Espressif default time setting. (PR #8829)
 615* Made wc_tsip_* APIs public. (PR #8717)
 616* Improved PlatformIO Certificate Bundle Support. (PR #8847)
 617* Fixed the TSIP TLS example program. (PR #8857)
 618* Added crypto callback functions for TROPIC01 secure element. (PR #8812)
 619* Added Renesas RX TSIP AES CTR support. (PR #8854)
 620* Fixed TSIP port using crypto callback. (PR #8937)
 621
 622### General Improvements & Refactoring
 623* Attempted wolfssl_read_bio_file in read_bio even when XFSEEK is available. (PR #8703)
 624* Refactored GetHandshakeHeader/GetHandShakeHeader into one function. (PR #8787)
 625* Updated libspdm from 3.3.0 to 3.7.0. (PR #8906)
 626* Fixed missing dashes on the end of header and footer for Falcon PEM key. (PR #8904)
 627* Fixed minor code typos for macos signal and types.h max block size. (PR #8934)
 628* Make the API wolfSSL_X509_STORE_CTX_get_error accessible to more build configurations for ease of getting the "store" error code and depth with certificate failure callback implementations. (PR #8903)
 629
 630## Bug Fixes
 631* Fixed issues to support _WIN32_WCE (VS 2008 with WinCE 6.0/7.0). (PR #8709)
 632* Fixed STM32 Hash with IRQ enabled. (PR #8705)
 633* Fixed raw hash when using crypto instructions on RISC-V 64-bit. (PR #8733)
 634* Fixed ECDH decode secret in the Linux Kernel Module. (PR #8729)
 635* Passed in the correct hash type to wolfSSL_RSA_verify_ex. (PR #8726)
 636* Fixed issues for Intel QuickAssist latest driver (4.28). (PR #8728)
 637* Speculative fix for CodeSonar overflow issue in ssl_certman.c. (PR #8715)
 638* Fixed Arduino progmem print and AVR WOLFSSL_USER_IO. (PR #8668)
 639* Correctly advanced the index in wc_HKDF_Expand_ex. (PR #8737)
 640* Fixed STM32 hash status check logic, including NO_AES_192 and NO_AES_256. (PR #8732)
 641* Added missing call to wolfSSL_RefFree in FreeCRL to prevent memory leaks. (PR #8750)
 642* Fixed sanity check on --group with unit test app and null sanity check with des decrypt. (PR #8711)
 643* Fixed Curve25519 and static ephemeral issue with blinding. (PR #8766)
 644* Fixed edge case issue with STM32 AES GCM auth padding. (PR #8745)
 645* Removed redefinition of MlKemKey and fixed build issue in benchmark. (PR #8755)
 646* Used proper heap hint when freeing CRL in error case. (PR #8713)
 647* Added support for no malloc with wc_CheckCertSigPubKey. (PR #8725)
 648* Fixed C# wrapper Release build. (PR #8802)
 649* Handled malformed CCS and CCS before CH in TLS1.3. (PR #8788)
 650* Fixed ML-DSA with WOLFSSL_DILITHIUM_NO_SIGN. (PR #8798)
 651* Fixed AesGcmCrypt_1 no-stream in the Linux Kernel Module. (PR #8814)
 652* Fixed return value usage for crypto_sig_sign in the Linux Kernel Module. (PR #8816)
 653* Fixed issue with CSharp and Windows CE with conversion of ASCII and Unicode. (PR #8799)
 654* Fixed Renesas SCE on RA6M4. (PR #8838)
 655* Fixed tests for different configs for ML-DSA. (PR #8865)
 656* Fixed bug in ParseCRL_Extensions around the size of a CRL number handled and CRL number OID. (PR #8587)
 657* Fixed uninitialized wc_FreeRng in prime_test. (PR #8886)
 658* Fixed ECC configuration issues with ECC verify only and no RNG. (PR #8901)
 659* Fixed issues with max size, openssl.test netcat, and clang-tidy. (PR #8909)
 660* Fixes for casting down and uninitialized-variable issues in Dilithium/ML-DSA. (PR #8868)
 661* Fixed memory allocation failure testing and related unit test cases. (PR #8945, PR #8952)
 662* Fixed build issue with ML-DSA 44 only. (PR #8981)
 663* Fixed possible memory leak with X509 reference counter when using x509small. (PR #8982)
 664
 665
 666# wolfSSL Release 5.8.0 (Apr 24, 2025)
 667
 668Release 5.8.0 has been developed according to wolfSSL's development and QA
 669process (see link below) and successfully passed the quality criteria.
 670https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
 671
 672NOTE: * --enable-heapmath is deprecated
 673
 674PR stands for Pull Request, and PR (NUMBER) references a GitHub pull request
 675 number where the code change was added.
 676
 677
 678## New Feature Additions
 679* Algorithm registration in the Linux kernel module for all supported FIPS AES,
 680 SHA, HMAC, ECDSA, ECDH, and RSA modes, key sizes, and digest sizes.
 681* Implemented various fixes to support building for Open Watcom including OS/2
 682 support and Open Watcom 1.9 compatibility (PR 8505, 8484)
 683* Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488)
 684* Added support for STM32WBA (PR 8550)
 685* Added Extended Master Secret Generation Callback to the --enable-pkcallbacks
 686 build (PR 8303)
 687* Implement AES-CTS (configure flag --enable-aescts) in wolfCrypt (PR 8594)
 688* Added support for libimobiledevice commit 860ffb (PR 8373)
 689* Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD
 690 (PR 8307)
 691* Added blinding option when using a Curve25519 private key by defining the
 692 macro WOLFSSL_CURVE25519_BLINDING (PR 8392)
 693
 694
 695## Linux Kernel Module
 696* Production-ready LKCAPI registration for cbc(aes), cfb(aes), gcm(aes),
 697 rfc4106 (gcm(aes)), ctr(aes), ofb(aes), and ecb(aes), ECDSA with P192, P256,
 698 P384, and P521 curves, ECDH with P192, P256, and P384 curves, and RSA with
 699 bare and PKCS1 padding
 700* Various fixes for LKCAPI wrapper for AES-CBC and AES-CFB (PR 8534, 8552)
 701* Adds support for the legacy one-shot AES-GCM back end (PR 8614, 8567) for
 702 compatibility with FIPS 140-3 Cert #4718.
 703* On kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override
 704 macro (PR 8654)
 705* Update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit
 706 7450ebd29c (merged for Linux 6.15) (PR 8667)
 707* Inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (PR 8673)
 708* Fix for uninitialized build error with fedora (PR 8569)
 709* Register ecdsa, ecdh, and rsa for use with linux kernel crypto (PR 8637, 8663,
 710 8646)
 711* Added force zero shared secret buffer, and clear of old key with ecdh
 712 (PR 8685)
 713* Update fips-check.sh script to pick up XTS streaming support on aarch64 and
 714 disable XTS-384 as an allowed use in FIPS mode (PR 8509, 8546)
 715
 716
 717## Enhancements and Optimizations
 718
 719### Security & Cryptography
 720* Add constant-time implementation improvements for encoding functions. We thank
 721 Zhiyuan and Gilles for sharing a new constant-time analysis tool (CT-LLVM) and
 722 reporting several non-constant-time implementations. (PR 8396, 8617)
 723* Additional support for PKCS7 verify and decode with indefinite lengths
 724 (PR 8520, 834, 8645)
 725* Add more PQC hybrid key exchange algorithms such as support for combinations
 726 with X25519 and X448 enabling compatibility with the PQC key exchange support
 727 in Chromium browsers and Mozilla Firefox (PR 7821)
 728* Add short-circuit comparisons to DH key validation for RFC 7919 parameters
 729 (PR 8335)
 730* Improve FIPS compatibility with various build configurations for more resource
 731 constrained builds (PR 8370)
 732* Added option to disable ECC public key order checking (PR 8581)
 733* Allow critical alt and basic constraints extensions (PR 8542)
 734* New codepoint for MLDSA to help with interoperability (PR 8393)
 735* Add support for parsing trusted PEM certs having the header
 736 “BEGIN_TRUSTED_CERT” (PR 8400)
 737* Add support for parsing only of DoD certificate policy and Comodo Ltd PKI OIDs
 738 (PR 8599, 8686)
 739* Update ssl code in `src/*.c` to be consistent with wolfcrypt/src/asn.c
 740 handling of ML_DSA vs Dilithium and add dual alg. test (PR 8360, 8425)
 741
 742### Build System, Configuration, CI & Protocols
 743* Internal refactor for include of config.h and when building with
 744 BUILDING_WOLFSSL macro. This refactor will give a warning of “deprecated
 745 function” when trying to improperly use an internal API of wolfSSL in an
 746 external application. (PR 8640, 8647, 8660, 8662, 8664)
 747* Add WOLFSSL_CLU option to CMakeLists.txt (PR 8548)
 748* Add CMake and Zephyr support for XMSS and LMS (PR 8494)
 749* Added GitHub CI for CMake builds (PR 8439)
 750* Added necessary macros when building wolfTPM Zephyr with wolfSSL (PR 8382)
 751* Add MSYS2 build continuous integration test (PR 8504)
 752* Update DevKitPro doc to list calico dependency with build commands (PR 8607)
 753* Conversion compiler warning fixes and additional continuous integration test
 754 added (PR 8538)
 755* Enable DTLS 1.3 by default in --enable-jni builds (PR 8481)
 756* Enabled TLS 1.3 middlebox compatibility by default for --enable-jni builds
 757 (PR 8526)
 758
 759### Performance Improvements
 760* Performance improvements AES-GCM and HMAC (in/out hash copy) (PR 8429)
 761* LMS fixes and improvements adding API to get Key ID from raw private key,
 762 change to identifiers to match standard, and fix for when
 763 WOLFSSL_LMS_MAX_LEVELS is 1 (PR 8390, 8684, 8613, 8623)
 764* ML-KEM/Kyber improvements and fixes; no malloc builds, small memory usage,
 765 performance improvement, fix for big-endian (PR 8397, 8412, 8436, 8467, 8619,
 766 8622, 8588)
 767* Performance improvements for AES-GCM and when doing multiple HMAC operations
 768 (PR 8445)
 769
 770### Assembly and Platform-Specific Enhancements
 771* Poly1305 arm assembly changes adding ARM32 NEON implementation and fix for
 772 Aarch64 use (PR 8344, 8561, 8671)
 773* Aarch64 assembly enhancement to use more CPU features, fix for FreeBSD/OpenBSD
 774 (PR 8325, 8348)
 775* Only perform ARM assembly CPUID checks if support was enabled at build time
 776 (PR 8566)
 777* Optimizations for ARM32 assembly instructions on platforms less than ARMv7
 778 (PR 8395)
 779* Improve MSVC feature detection for static assert macros (PR 8440)
 780* Improve Espressif make and CMake for ESP8266 and ESP32 series (PR 8402)
 781* Espressif updates for Kconfig, ESP32P4 and adding a sample user_settings.h
 782 (PR 8422, PR 8641)
 783
 784### OpenSSL Compatibility Layer
 785* Modification to the push/pop to/from in OpenSSL compatibility layer. This is
 786 a pretty major API change in the OpenSSL compatibility stack functions.
 787 Previously the API would push/pop from the beginning of the list but now they
 788 operate on the tail of the list. This matters when using the sk_value with
 789 index values. (PR 8616)
 790* OpenSSL Compat Layer: OCSP response improvements (PR 8408, 8498)
 791* Expand the OpenSSL compatibility layer to include an implementation of
 792 BN_CTX_get (PR 8388)
 793
 794### API Additions and Modifications
 795* Refactor Hpke to allow multiple uses of a context instead of just one shot
 796 mode (PR 6805)
 797* Add support for PSK client callback with Ada and use with Alire (thanks
 798 @mgrojo, PR 8332, 8606)
 799* Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs and add
 800 functions wolfSSL_CTX_SetEchConfigs and wolfSSL_CTX_SetEchConfigsBase64 to
 801 rotate the server's echConfigs (PR 8556)
 802* Added the public API wc_PkcsPad to do PKCS padding (PR 8502)
 803* Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate (PR 8518)
 804* Update Kyber APIs to ML-KEM APIs (PR 8536)
 805* Add option to disallow automatic use of "default" devId using the macro
 806 WC_NO_DEFAULT_DEVID (PR 8555)
 807* Detect unknown key format on ProcessBufferTryDecode() and handle RSA-PSSk
 808 format (PR 8630)
 809
 810### Porting and Language Support
 811* Update Python port to support version 3.12.6 (PR 8345)
 812* New additions for MAXQ with wolfPKCS11 (PR 8343)
 813* Port to ntp 4.2.8p17 additions (PR 8324)
 814* Add version 0.9.14 to tested libvncserver builds (PR 8337)
 815
 816### General Improvements and Cleanups
 817* Cleanups for STM32 AES GCM (PR 8584)
 818* Improvements to isascii() and the CMake key log option (PR 8596)
 819* Arduino documentation updates, comments and spelling corrections (PR 8381,
 820 8384, 8514)
 821* Expanding builds with WOLFSSL_NO_REALLOC for use with --enable-opensslall and
 822 --enable-all builds (PR 8369, 8371)
 823
 824
 825## Fixes
 826* Fix a use after free caused by an early free on error in the X509 store
 827 (PR 8449)
 828* Fix to account for existing PKCS8 header with
 829 wolfSSL_PEM_write_PKCS8PrivateKey (PR 8612)
 830* Fixed failing CMake build issue when standard threads support is not found in
 831 the system (PR 8485)
 832* Fix segmentation fault in SHA-512 implementation for AVX512 targets built with
 833 gcc -march=native -O2 (PR 8329)
 834* Fix Windows socket API compatibility warning with mingw32 build (PR 8424)
 835* Fix potential null pointer increments in cipher list parsing (PR 8420)
 836* Fix for possible stack buffer overflow read with wolfSSL_SMIME_write_PKCS7.
 837 Thanks to the team at Code Intelligence for the report. (PR 8466)
 838* Fix AES ECB implementation for Aarch64 ARM assembly (PR 8379)
 839* Fixed building with VS2008 and .NET 3.5 (PR 8621)
 840* Fixed possible error case memory leaks in CRL and EVP_Sign_Final (PR 8447)
 841* Fixed SSL_set_mtu compatibility function return code (PR 8330)
 842* Fixed Renesas RX TSIP (PR 8595)
 843* Fixed ECC non-blocking tests (PR 8533)
 844* Fixed CMake on MINGW and MSYS (PR 8377)
 845* Fixed Watcom compiler and added new CI test (PR 8391)
 846* Fixed STM32 PKA ECC 521-bit support (PR 8450)
 847* Fixed STM32 PKA with P521 and shared secret (PR 8601)
 848* Fixed crypto callback macro guards with `DEBUG_CRYPTOCB` (PR 8602)
 849* Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
 850 (PR 8575)
 851* Additional sanity check on r and s lengths in DecodeECC_DSA_Sig_Bin (PR 8350)
 852* Fix compat. layer ASN1_TIME_diff to accept NULL output params (PR 8407)
 853* Fix CMake lean_tls build (PR 8460)
 854* Fix for QUIC callback failure (PR 8475)
 855* Fix missing alert types in AlertTypeToString for print out with debugging
 856 enabled (PR 8572)
 857* Fixes for MSVS build issues with PQC configure (PR 8568)
 858* Fix for SE050 port and minor improvements (PR 8431, 8437)
 859* Fix for missing rewind function in zephyr and add missing files for compiling
 860 with assembly optimizations (PR 8531, 8541)
 861* Fix for quic_record_append to return the correct code (PR 8340, 8358)
 862* Fixes for Bind 9.18.28 port (PR 8331)
 863* Fix to adhere more closely with RFC8446 Appendix D and set haveEMS when
 864 negotiating TLS 1.3 (PR 8487)
 865* Fix to properly check for signature_algorithms from the client in a TLS 1.3
 866 server (PR 8356)
 867* Fix for when BIO data is less than seq buffer size. Thanks to the team at Code
 868 Intelligence for the report (PR 8426)
 869* ARM32/Thumb2 fixes for WOLFSSL_NO_VAR_ASSIGN_REG and td4 variable declarations
 870 (PR 8590, 8635)
 871* Fix for Intel AVX1/SSE2 assembly to not use vzeroupper instructions unless ymm
 872 or zmm registers are used (PR 8479)
 873* Entropy MemUse fix for when block size less than update bits (PR 8675)
 874
 875
 876# wolfSSL Release 5.7.6 (Dec 31, 2024)
 877
 878Release 5.7.6 has been developed according to wolfSSL's development and QA
 879process (see link below) and successfully passed the quality criteria.
 880https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
 881
 882NOTE:
 883 * --enable-heapmath is deprecated.
 884 * In this release, the default cipher suite preference is updated to prioritize
 885 TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 when enabled.
 886 * This release adds a sanity check for including wolfssl/options.h or
 887 user_settings.h.
 888
 889
 890PR stands for Pull Request, and PR (NUMBER) references a GitHub pull request
 891 number where the code change was added.
 892
 893
 894## Vulnerabilities
 895* [Med] An OCSP (non stapling) issue was introduced in wolfSSL version 5.7.4
 896 when performing OCSP requests for intermediate certificates in a certificate
 897 chain. This affects only TLS 1.3 connections on the server side. It would not
 898 impact other TLS protocol versions or connections that are not using the
 899 traditional OCSP implementation. (Fix in pull request 8115)
 900
 901
 902## New Feature Additions
 903* Add support for RP2350 and improve RP2040 support, both with RNG optimizations
 904 (PR 8153)
 905* Add support for STM32MP135F, including STM32CubeIDE support and HAL support
 906 for SHA2/SHA3/AES/RNG/ECC optimizations. (PR 8223, 8231, 8241)
 907* Implement Renesas TSIP RSA Public Enc/Private support (PR 8122)
 908* Add support for Fedora/RedHat system-wide crypto-policies (PR 8205)
 909* Curve25519 generic key parsing API added with wc_Curve25519KeyToDer and
 910 wc_Curve25519KeyDecode (PR 8129)
 911* CRL improvements and update callback, added the functions
 912 wolfSSL_CertManagerGetCRLInfo and wolfSSL_CertManagerSetCRLUpdate_Cb (PR 8006)
 913* For DTLS, add server-side stateless and CID quality-of-life API. (PR 8224)
 914
 915
 916## Enhancements and Optimizations
 917* Add a CMake dependency check for pthreads when required. (PR 8162)
 918* Update OS_Seed declarations for legacy compilers and FIPS modules (boundary
 919 not affected). (PR 8170)
 920* Enable WOLFSSL_ALWAYS_KEEP_SNI by default when using --enable-jni. (PR 8283)
 921* Change the default cipher suite preference, prioritizing
 922 TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256. (PR 7771)
 923* Add SRTP-KDF (FIPS module v6.0.0) to checkout script for release bundling
 924 (PR 8215)
 925* Make library build when no hardware crypto available for Aarch64 (PR 8293)
 926* Update assembly code to avoid `uint*_t` types for better compatibility with
 927 older C standards. (PR 8133)
 928* Add initial documentation for writing ASN template code to decode BER/DER.
 929 (PR 8120)
 930* Perform full reduction in sc_muladd for EdDSA with Curve448 (PR 8276)
 931* Allow SHA-3 hardware cryptography instructions to be explicitly not used in
 932 MacOS builds (PR 8282)
 933* Make Kyber and ML-KEM available individually and together. (PR 8143)
 934* Update configuration options to include Kyber/ML-KEM and fix defines used in
 935 wolfSSL_get_curve_name. (PR 8183)
 936* Make GetShortInt available with WOLFSSL_ASN_EXTRA (PR 8149)
 937* Improved test coverage and minor improvements of X509 (PR 8176)
 938* Add sanity checks for configuration methods, ensuring the inclusion of
 939 wolfssl/options.h or user_settings.h. (PR 8262)
 940* Enable support for building without TLS (NO_TLS). Provides reduced code size
 941 option for non-TLS users who want features like the certificate manager or
 942 compatibility layer. (PR 8273)
 943* Exposed get_verify functions with OPENSSL_EXTRA. (PR 8258)
 944* ML-DSA/Dilithium: obtain security level from DER when decoding (PR 8177)
 945* Implementation for using PKCS11 to retrieve certificate for SSL CTX (PR 8267)
 946* Add support for the RFC822 Mailbox attribute (PR 8280)
 947* Initialize variables and adjust types to resolve warnings with Visual Studio
 948 in Windows builds. (PR 8181)
 949* Refactors and expansion of opensslcoexist build (PR 8132, 8216, 8230)
 950* Add DTLS 1.3 interoperability, libspdm and DTLS CID interoperability tests
 951 (PR 8261, 8255, 8245)
 952* Remove trailing error exit code in wolfSSL install setup script (PR 8189)
 953* Update Arduino files for wolfssl 5.7.4 (PR 8219)
 954* Improve Espressif SHA HW/SW mutex messages (PR 8225)
 955* Apply post-5.7.4 release updates for Espressif Managed Component examples
 956 (PR 8251)
 957* Expansion of c89 conformance (PR 8164)
 958* Added configure option for additional sanity checks with --enable-faultharden
 959 (PR 8289)
 960* Aarch64 ASM additions to check CPU features before hardware crypto instruction
 961 use (PR 8314)
 962
 963
 964## Fixes
 965* Fix a memory issue when using the compatibility layer with
 966 WOLFSSL_GENERAL_NAME and handling registered ID types. (PR 8155)
 967* Fix a build issue with signature fault hardening when using public key
 968 callbacks (HAVE_PK_CALLBACKS). (PR 8287)
 969* Fix for handling heap hint pointer properly when managing multiple WOLFSSL_CTX
 970 objects and freeing one of them (PR 8180)
 971* Fix potential memory leak in error case with Aria. (PR 8268)
 972* Fix Set_Verify flag behaviour on Ada wrapper. (PR 8256)
 973* Fix a compilation error with the NO_WOLFSSL_DIR flag. (PR 8294)
 974* Resolve a corner case for Poly1305 assembly code on Aarch64. (PR 8275)
 975* Fix incorrect version setting in CSRs. (PR 8136)
 976* Correct debugging output for cryptodev. (PR 8202)
 977* Fix for benchmark application use with /dev/crypto GMAC auth error due to size
 978 of AAD (PR 8210)
 979* Add missing checks for the initialization of sp_int/mp_int with DSA to free
 980 memory properly in error cases. (PR 8209)
 981* Fix return value of wolfSSL_CTX_set_tlsext_use_srtp (PR 8252)
 982* Check Root CA by Renesas TSIP before adding it to ca-table (PR 8101)
 983* Prevent adding a certificate to the CA cache for Renesas builds if it does not
 984 set CA:TRUE in basic constraints. (PR 8060)
 985* Fix attribute certificate holder entityName parsing. (PR 8166)
 986* Resolve build issues for configurations without any wolfSSL/openssl
 987 compatibility layer headers. (PR 8182)
 988* Fix for building SP RSA small and RSA public only (PR 8235)
 989* Fix for Renesas RX TSIP RSA Sign/Verify with wolfCrypt only (PR 8206)
 990* Fix to ensure all files have settings.h included (like wc_lms.c) and guards
 991 for building all `*.c` files (PR 8257 and PR 8140)
 992* Fix x86 target build issues in Visual Studio for non-Windows operating
 993 systems. (PR 8098)
 994* Fix wolfSSL_X509_STORE_get0_objects to handle no CA (PR 8226)
 995* Properly handle reference counting when adding to the X509 store. (PR 8233)
 996* Fix for various typos and improper size used with FreeRTOS_bind in the Renesas
 997 example. Thanks to Hongbo for the report on example issues. (PR 7537)
 998* Fix for potential heap use after free with wolfSSL_PEM_read_bio_PrivateKey.
 999 Thanks to Peter for the issue reported. (PR 8139)
1000
1001
1002# wolfSSL Release 5.7.4 (Oct 24, 2024)
1003
1004Release 5.7.4 has been developed according to wolfSSL's development and QA
1005process (see link below) and successfully passed the quality criteria.
1006https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
1007
1008NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024
1009
1010PR stands for Pull Request, and PR (NUMBER) references a GitHub pull request
1011 number where the code change was added.
1012
1013
1014## Vulnerabilities
1015* [Low] When the OpenSSL compatibility layer is enabled, certificate
1016 verification behaved differently in wolfSSL than OpenSSL, in the
1017 X509_STORE_add_cert() and X509_STORE_load_locations() implementations.
1018 Previously, in cases where an application explicitly loaded an intermediate
1019 certificate, wolfSSL was verifying only up to that intermediate certificate,
1020 rather than verifying up to the root CA. This only affects use cases where the
1021 API is called directly, and does not affect TLS connections. Users that call
1022 the API X509_STORE_add_cert() or X509_STORE_load_locations() directly in their
1023 applications are recommended to update the version of wolfSSL used or to have
1024 additional sanity checks on certificates loaded into the X509_STORE when
1025 verifying a certificate. (https://github.com/wolfSSL/wolfssl/pull/8087)
1026
1027
1028## PQC TLS Experimental Build Fix
1029* When using TLS with post quantum algorithms enabled, the connection uses a
1030 smaller EC curve than agreed on. Users building with --enable-experimental and
1031 enabling PQC cipher suites with TLS connections are recommended to update the
1032 version of wolfSSL used. Thanks to Daniel Correa for the report.
1033 (https://github.com/wolfSSL/wolfssl/pull/8084)
1034
1035
1036## New Feature Additions
1037* RISC-V 64 new assembly optimizations added for SHA-256, SHA-512, ChaCha20,
1038 Poly1305, and SHA-3 (PR 7758,7833,7818,7873,7916)
1039* Implement support for Connection ID (CID) with DTLS 1.2 (PR 7995)
1040* Add support for (DevkitPro)libnds (PR 7990)
1041* Add port for Mosquitto OSP (Open Source Project) (PR 6460)
1042* Add port for init sssd (PR 7781)
1043* Add port for eXosip2 (PR 7648)
1044* Add support for STM32G4 (PR 7997)
1045* Add support for MAX32665 and MAX32666 TPU HW and ARM ASM Crypto Callback
1046 Support (PR 7777)
1047* Add support for building wolfSSL to be used in libspdm (PR 7869)
1048* Add port for use with Nucleus Plus 2.3 (PR 7732)
1049* Initial support for RFC5755 x509 attribute certificates (acerts). Enabled with
1050 --enable-acert (PR 7926)
1051* PKCS#11 RSA Padding offload allows tokens to perform CKM_RSA_PKCS
1052 (sign/encrypt), CKM_RSA_PKCS_PSS (sign), and CKM_RSA_PKCS_OAEP (encrypt).
1053 (PR 7750)
1054* Added “new” and “delete” style functions for heap/pool allocation and freeing
1055 of low level crypto structures (PR 3166 and 8089)
1056
1057
1058## Enhancements and Optimizations
1059* Increase default max alt. names from 128 to 1024 (PR 7762)
1060* Added new constant time DH agree function wc_DhAgree_ct (PR 7802)
1061* Expanded compatibility layer with the API EVP_PKEY_is_a (PR 7804)
1062* Add option to disable the cryptocb software test using
1063 --disable-cryptocb-sw-test (PR 7862)
1064* Add a call to certificate verify callback before checking certificate dates
1065 (PR 7895)
1066* Expanded algorithms supported with the wolfCrypt CSharp wrapper. Adding
1067 support for RNG, ECC(ECIES and ECDHE), RSA, ED25519/Curve25519, AES-GCM, and
1068 Hashing (PR 3166)
1069* Expand MMCAU support for use with DES ECB (PR 7960)
1070* Update AES SIV to handle multiple associated data inputs (PR 7911)
1071* Remove HAVE_NULL_CIPHER from --enable-openssh (PR 7811)
1072* Removed duplicate if(NULL) checks when calling XFREE (macro does) (PR 7839)
1073* Set RSA_MIN_SIZE default to 2048 bits (PR 7923)
1074* Added support for wolfSSL to be used as the default TLS in the zephyr kernel
1075 (PR 7731)
1076* Add enable provider build using --enable-wolfprovider with autotools (PR 7550)
1077* Renesas RX TSIP ECDSA support (PR 7685)
1078* Support DTLS1.3 downgrade when the server supports CID (PR 7841)
1079* Server-side checks OCSP even if it uses v2 multi (PR 7828)
1080* Add handling of absent hash params in PKCS7 bundle parsing and creation
1081 (PR 7845)
1082* Add the use of w64wrapper for Poly1305, enabling Poly1305 to be used in
1083 environments that do not have a word64 type (PR 7759)
1084* Update to the maxq10xx support (PR 7824)
1085* Add support for parsing over optional PKCS8 attributes (PR 7944)
1086* Add support for either side method with DTLS 1.3 (PR 8012)
1087* Added PKCS7 PEM support for parsing PEM data with BEGIN/END PKCS7 (PR 7704)
1088* Add CMake support for WOLFSSL_CUSTOM_CURVES (PR 7962)
1089* Add left-most wildcard matching support to X509_check_host() (PR 7966)
1090* Add option to set custom SKID with PKCS7 bundle creation (PR 7954)
1091* Building wolfSSL as a library with Ada and corrections to Alire manifest
1092 (PR 7303,7940)
1093* Renesas RX72N support updated (PR 7849)
1094* New option WOLFSSL_COPY_KEY added to always copy the key to the SSL object
1095 (PR 8005)
1096* Add the new option WOLFSSL_COPY_CERT to always copy the cert buffer for each
1097 SSL object (PR 7867)
1098* Add an option to use AES-CBC with HMAC for default session ticket enc/dec.
1099 Defaults to AES-128-CBC with HMAC-SHA256 (PR 7703)
1100* Memory usage improvements in wc_PRF, sha256 (for small code when many
1101 registers are available) and sp_int objects (PR 7901)
1102* Change in the configure script to work around ">>" with no command. In older
1103 /bin/sh it can be ambiguous, as used in OS’s such as FreeBSD 9.2 (PR 7876)
1104* Don't attempt to include system headers when not required (PR 7813)
1105* Certificates: DER encoding of ECC signature algorithm parameter is now
1106 allowed to be NULL with a define (PR 7903)
1107* SP x86_64 asm: check for AVX2 support for VMs (PR 7979)
1108* Update rx64n support on gr-rose (PR 7889)
1109* Update FSP version to v5.4.0 for RA6M4 (PR 7994)
1110* Update TSIP driver version to v1.21 for RX65N RSK (PR 7993)
1111* Add a new crypto callback for RSA with padding (PR 7907)
1112* Replaced the use of pqm4 with wolfSSL implementations of Kyber/MLDSA
1113 (PR 7924)
1114* Modernized memory fence support for C11 and clang (PR 7938)
1115* Add a CRL error override callback (PR 7986)
1116* Extend the X509 unknown extension callback for use with a user context
1117 (PR 7730)
1118* Additional debug error tracing added with TLS (PR 7917)
1119* Added runtime support for library call stack traces with
1120 --enable-debug-trace-errcodes=backtrace, using libbacktrace (PR 7846)
1121* Expanded C89 conformance (PR 8077)
1122* Expanded support for WOLFSSL_NO_MALLOC (PR 8065)
1123* Added support for cross-compilation of Linux kernel module (PR 7746)
1124* Updated Linux kernel module with support for kernel 6.11 and 6.12 (PR 7826)
1125* Introduce WOLFSSL_ASN_ALLOW_0_SERIAL to allow parsing of certificates with a
1126 serial number of 0 (PR 7893)
1127* Add conditional repository_owner to all wolfSSL GitHub workflows (PR 7871)
1128
1129### Espressif / Arduino Updates
1130* Update wolfcrypt settings.h for Espressif ESP-IDF, template update (PR 7953)
1131* Update Espressif sha, util, mem, time helpers (PR 7955)
1132* Espressif _thread_local_start and _thread_local_end fix (PR 8030)
1133* Improve benchmark for Espressif devices (PR 8037)
1134* Introduce Espressif common CONFIG_WOLFSSL_EXAMPLE_NAME, Kconfig (PR 7866)
1135* Add wolfSSL esp-tls and Certificate Bundle Support for Espressif ESP-IDF
1136 (PR 7936)
1137* Update wolfssl Release for Arduino (PR 7775)
1138
1139### Post Quantum Crypto Updates
1140* Dilithium: support fixed size arrays in dilithium_key (PR 7727)
1141* Dilithium: add option to use precalc with small sign (PR 7744)
1142* Allow Kyber to be built with FIPS (PR 7788)
1143* Allow Kyber asm to be used in the Linux kernel module (PR 7872)
1144* Dilithium, Kyber: Update to final specification (PR 7877)
1145* Dilithium: Support FIPS 204 Draft and Final Draft (PR 7909,8016)
1146
1147### ARM Assembly Optimizations
1148* ARM32 assembly optimizations added for ChaCha20 and Poly1305 (PR 8020)
1149* Poly1305 assembly optimizations improvements for Aarch64 (PR 7859)
1150* Poly1305 assembly optimizations added for Thumb-2 (PR 7939)
1151* Adding ARM ASM build option to STM32CubePack (PR 7747)
1152* Add ARM64 to Visual Studio Project (PR 8010)
1153* Kyber assembly optimizations for ARM32 and Aarch64 (PR 8040,7998)
1154* Kyber assembly optimizations for ARMv7E-M/ARMv7-M (PR 7706)
1155
1156
1157## Fixes
1158* ECC key load: fixes for certificates with parameters that are not default for
1159 size (PR 7751)
1160* Fixes for building x86 in Visual Studio for non-windows OS (PR 7884)
1161* Fix for TLS v1.2 secret callback, incorrectly detecting bad master secret
1162 (PR 7812)
1163* Fixes for PowerPC assembly use with Darwin and SP math all (PR 7931)
1164* Fix for detecting older versions of Mac OS when trying to link with
1165 libdispatch (PR 7932)
1166* Fix for DTLS1.3 downgrade to DTLS1.2 when the server sends multiple handshake
1167 packets combined into a single transmission. (PR 7840)
1168* Fix for OCSP to save the request if it was stored in ssl->ctx->certOcspRequest
1169 (PR 7779)
1170* Fix to OCSP for searching for CA by key hash instead of ext. key id (PR 7934)
1171* Fix for staticmemory and singlethreaded build (PR 7737)
1172* Fix to not allow Shake128/256 with Xilinx AFALG (PR 7708)
1173* Fix to support PKCS11 without RSA key generation (PR 7738)
1174* Fix not calling the signing callback when using PK callbacks + TLS 1.3
1175 (PR 7761)
1176* Cortex-M/Thumb2 ASM fix label for IAR compiler (PR 7753)
1177* Fix with PKCS11 to iterate correctly over slotId (PR 7736)
1178* Stop stripping out the sequence header on the AltSigAlg extension (PR 7710)
1179* Fix ParseCRL_AuthKeyIdExt with ASN template to set extAuthKeyIdSet value
1180 (PR 7742)
1181* Use max key length for PSK encrypt buffer size (PR 7707)
1182* DTLS 1.3 fix for size check to include headers and CID fixes (PR 7912,7951)
1183* Fix STM32 Hash FIFO and add support for STM32U5A9xx (PR 7787)
1184* Fix CMake build error for curl builds (PR 8021)
1185* SP Maths: PowerPC ASM fix to use XOR instead of LI (PR 8038)
1186* SSL loading of keys/certs: testing and fixes (PR 7789)
1187* Misc. fixes for Dilithium and Kyber (PR 7721,7765,7803,8027,7904)
1188* Fixes for building wolfBoot sources for PQ LMS/XMSS (PR 7868)
1189* Fixes for building with Kyber enabled using CMake and zephyr port (PR 7773)
1190* Fix for edge cases with session resumption with TLS 1.2 (PR 8097)
1191* Fix issue with ARM ASM with AES CFB/OFB not initializing the "left" member
1192 (PR 8099)
1193
1194
1195# wolfSSL Release 5.7.2 (July 08, 2024)
1196
1197Release 5.7.2 has been developed according to wolfSSL's development and QA
1198process (see link below) and successfully passed the quality criteria.
1199https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
1200
1201NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024
1202
1203## Vulnerabilities
1204* [Medium] CVE-2024-1544
1205Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls. Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Analyzing the division through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. Thanks to Luca Wilke, Florian Sieck and Thomas Eisenbarth (University of Lübeck) for reporting the vulnerability. Details will appear in the proceedings of CCS 24.
1206Fixed https://github.com/wolfSSL/wolfssl/pull/7020
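An added example (not wolfSSL code) that makes the bias described above visible: with a constructed 16-bit toy order TOY_N, every candidate r can be enumerated, and reducing a same-width r mod n sets the top bit of k less often than a uniform nonce would, while rejection sampling or drawing extra bits before reducing removes or shrinks the skew. The toy parameters and the two mitigations shown are assumptions for illustration, not a description of what PR 7020 changed.

```c
/* Added example, not wolfSSL code: exhaustive demonstration of the
 * most-significant-bit bias that CVE-2024-1544 describes, using a toy
 * group order so that every candidate nonce can be enumerated. */
#include <stdint.h>
#include <stdio.h>

/* Toy parameters (constructed, not a real curve): a 16-bit "order" n whose
 * top bit is set, and 16-bit raw random values r, mirroring the
 * "sample r, then reduce mod n" pattern from the advisory. */
#define TOY_N      0xC000u                 /* 49152 */
#define TOY_RBITS  16u
#define TOY_RMAX   (1u << TOY_RBITS)       /* 65536 candidate r values */
#define TOY_MSB    (1u << (TOY_RBITS - 1)) /* bit 15 of k */

/* Nonce derivation as described in the advisory: k = r mod n. */
static uint32_t nonce_by_reduction(uint32_t r) { return r % TOY_N; }

/* Rejection sampling: r is usable only when r < n, otherwise it is
 * discarded and the caller would draw again. Returns 1 and sets *k when
 * r is accepted, 0 when it must be thrown away.
 * (Illustrative mitigation; not a claim about how PR 7020 fixed it.) */
static int nonce_by_rejection(uint32_t r, uint32_t *k) {
    if (r >= TOY_N) return 0;
    *k = r;
    return 1;
}

/* Share (in parts per million) of produced nonces whose MSB is set,
 * enumerated over every possible same-width r. A nonce uniform over
 * [0, n) would give (n - 2^15) / n = 1/3, i.e. 333333 ppm. */
uint32_t msb_set_ppm_reduction(void) {
    uint32_t r, hits = 0, total = 0;
    for (r = 0; r < TOY_RMAX; r++) {
        uint32_t k = nonce_by_reduction(r);
        total++;
        if (k & TOY_MSB) hits++;
    }
    return (uint32_t)(((uint64_t)hits * 1000000u) / total);
}

/* Same measurement with rejection sampling: the accepted r are exactly
 * uniform over [0, n), so the MSB share is the ideal 1/3. */
uint32_t msb_set_ppm_rejection(void) {
    uint32_t r, k, hits = 0, total = 0;
    for (r = 0; r < TOY_RMAX; r++) {
        if (!nonce_by_rejection(r, &k)) continue;
        total++;
        if (k & TOY_MSB) hits++;
    }
    return (uint32_t)(((uint64_t)hits * 1000000u) / total);
}

/* Same measurement when r carries 8 extra bits (24-bit r reduced mod the
 * 16-bit n): the skew shrinks by roughly 2^8, which is the "negligible
 * bias" regime the advisory mentions for some curves. */
uint32_t msb_set_ppm_extra_bits(void) {
    uint32_t r, hits = 0, total = 0;
    for (r = 0; r < (1u << 24); r++) {
        uint32_t k = r % TOY_N;
        total++;
        if (k & TOY_MSB) hits++;
    }
    return (uint32_t)(((uint64_t)hits * 1000000u) / total);
}

int main(void) {
    printf("MSB set, same-width r reduced mod n : %u ppm\n", msb_set_ppm_reduction());
    printf("MSB set, rejection sampling         : %u ppm\n", msb_set_ppm_rejection());
    printf("MSB set, r with 8 extra bits        : %u ppm\n", msb_set_ppm_extra_bits());
    return 0;
}
```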


* [Medium] CVE-2024-5288
A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations. If performing ECC private key operations in an environment where a malicious user could gain fine control over the device and perform row hammer style attacks it is recommended to update the version of wolfSSL used and to build with WOLFSSL_BLIND_PRIVATE_KEY defined. Thanks to Kemal Derya, M. Caner Tol, Berk Sunar for the report (Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute)
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7416


* [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS. There are existing sanity checks during a TLS handshake with wolfSSL which mitigate this issue. Thanks to Bing Shi for the report.
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7597

* [Low] CVE-2024-5991
In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the Openssl compatibility function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. While calling without a NULL terminated string is very uncommon, it is still technically allowed. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7604
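The defect class above, a pointer-and-length API whose implementation stops at a NUL byte instead of at the length, is easy to reproduce and to fix in isolation. The C below is an added example and not wolfSSL's MatchDomainName() or X509_check_host(): match_host_unbounded() shows the bug, match_host_bounded() the length-checked form, and both report how many bytes of the host buffer they read so the over-read is visible. The wildcard handling is a simplification assumed for illustration, and SAMPLE_HOST is a constructed buffer with unrelated bytes immediately after the 11-byte name.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not wolfSSL's MatchDomainName(): the caller hands over
 * (host, host_len) with no promise that host[host_len] is a NUL byte. */

/* BEFORE: walks host until a NUL byte, so a buffer without one is read past
 * host_len (undefined behaviour) and trailing bytes change the verdict. */
static int match_host_unbounded(const char *pattern, const char *host,
                                size_t host_len, size_t *bytes_read)
{
    size_t i = 0;
    int result;
    (void)host_len;                 /* BUG: the supplied length is never used */
    for (;;) {
        unsigned char p = (unsigned char)pattern[i];
        unsigned char h = (unsigned char)host[i];
        i++;                        /* host[i] has now been read */
        if (p == '\0' || h == '\0') { result = (p == h); break; }
        if (tolower(p) != tolower(h)) { result = 0; break; }
    }
    if (bytes_read) *bytes_read = i;
    return result;
}

/* Case-insensitive comparison of the NUL-terminated pattern (our own data)
 * against exactly host_len bytes of host; never touches host[host_len]. */
static int labels_equal_n(const char *pattern, const char *host,
                          size_t host_len, size_t *bytes_read)
{
    size_t i, n = 0;
    int ok = (strlen(pattern) == host_len);
    for (i = 0; ok && i < host_len; i++) {
        n = i + 1;
        if (tolower((unsigned char)pattern[i]) != tolower((unsigned char)host[i]))
            ok = 0;
    }
    if (bytes_read) *bytes_read = n;
    return ok;
}

/* AFTER: every access is bounded by host_len. A leading "*." in the pattern
 * matches exactly one leftmost label (simplified RFC 6125 rule, assumed here). */
static int match_host_bounded(const char *pattern, const char *host,
                              size_t host_len, size_t *bytes_read)
{
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *dot = memchr(host, '.', host_len);   /* bounded search */
        size_t skip, n = 0;
        int ok;
        if (dot == NULL || dot == host) {
            if (bytes_read) *bytes_read = dot ? 1 : host_len;
            return 0;               /* no leftmost label for the wildcard */
        }
        skip = (size_t)(dot - host);
        ok = labels_equal_n(pattern + 1, dot, host_len - skip, &n);
        if (bytes_read) *bytes_read = skip + (n ? n : 1);
        return ok;
    }
    return labels_equal_n(pattern, host, host_len, bytes_read);
}

typedef int (*host_matcher)(const char *, const char *, size_t, size_t *);

/* How many bytes of host a matcher examined before deciding. */
static size_t bytes_examined(host_matcher fn, const char *pattern,
                             const char *host, size_t host_len)
{
    size_t n = 0;
    fn(pattern, host, host_len, &n);
    return n;
}

/* Constructed input: an 11-byte name followed by unrelated bytes, with no NUL
 * at index 11. A caller passing (SAMPLE_HOST, 11) is within its rights. */
static const char SAMPLE_HOST[] = "example.com#bytes-after-the-name";

int main(void)
{
    size_t n;
    int r = match_host_unbounded("example.com", SAMPLE_HOST, 11, &n);
    printf("unbounded: match=%d, bytes read=%zu of 11\n", r, n);
    r = match_host_bounded("example.com", SAMPLE_HOST, 11, &n);
    printf("bounded:   match=%d, bytes read=%zu of 11\n", r, n);
    return 0;
}
```

The unbounded version gets the answer wrong as well as over-reading: it compares the trailing bytes against the pattern's terminator and rejects a name that should match. The bounded version takes the length as the only source of truth, which is the contract a pointer-plus-length API advertises.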

* [Medium] CVE-2024-5814
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello when downgrading from TLS 1.3.
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7619

* [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received. Found with internal testing.
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7702

* [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt. A revoked CA certificate could incorrectly be loaded into the trusted signers list and used in a repeat connection attempt. Found with internal testing.
Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7702


## New Feature Additions
* Added Dilithium/ML-DSA: Implementation of ML-DSA-44/65/87 (PR 7622)
* AES RISC-V 64-bit ASM: ECB/CBC/CTR/GCM/CCM (PR 7569)
* Added CUDA support for AES encryption (PR 7436)
* Added support for gRPC (PR 7445)
* Added function wc_RsaPrivateKeyDecodeRaw to import raw RSA private keys (PR 7608)
* Added crypto callback for SHA-3 (PR 7670)
* Support for Infineon Modus Toolbox with wolfSSL (PR 7369)
* Allow user to send a user_canceled alert by calling wolfSSL_SendUserCanceled (PR 7590)
* C# wrapper SNI support added (PR 7610)
* Quantum-safe algorithm support added to the Linux kernel module (PR 7574)
* Support for NIST 800-56C Option 1 KDF, using the macro WC_KDF_NIST_SP_800_56C added (PR 7589)
* AES-XTS streaming mode added, along with hardware acceleration and kernel module use (PR 7522, 7560, 7424)
* PlatformIO FreeRTOS with ESP build and addition of benchmark and test example applications (PR 7528, 7413, 7559, 7542)


## Enhancements and Optimizations
* Expanded STM32 AES hardware acceleration support for use with STM32H5 (PR 7578)
* Adjusted wc_xmss and wc_lms settings to support use with wolfBoot (PR 7393)
* Added the --enable-rpk option to autotools build for using raw public key support (PR 7379)
* SHA-3 Thumb2, ARM32 assembly implementation added (PR 7667)
* Improvements to RSA padding to expose Pad/Unpad APIs (PR 7612)
* Updates and API additions for supporting socat version 1.8.0.0 (PR 7594)
* cmake build improvements, expanding build options with SINGLE_THREADED and post-quantum algorithms, adjusting the generation of options.h file and using “yes;no” boolean instead of strings (PR 7611, 7546, 7479, 7480, 7380)
* Improvements for Renesas RZ support (PR 7474)
* Improvements to dual algorithm certificates for post-quantum keys (PR 7286)
* Added wolfSSL_SessionIsSetup so the user can check if a session ticket has been sent by the server (PR 7430)
* hostap updates: Implement PACs for EAP-FAST and filter cipher list on TLS version change (PR 7446)
* Changed subject name comparison to match different upper and lower cases (PR 7420)
* Support for DTLS 1.3 downgrade when using PSK (PR 7367)
* Update to static memory build for more generic memory pools used (PR 7418)
* Improved performance of Kyber C implementation (PR 7654)
* Support for ECC_CACHE_CURVE with no malloc (PR 7490)
* Added the configure option --enable-debug-trace-errcodes (macro WOLFSSL_DEBUG_TRACE_ERROR_CODES) which enables more debug tracking of error code values (PR 7634)
* Enhanced wc_MakeRsaKey and wc_RsaKeyToDer to work with WOLFSSL_NO_MALLOC (PR 7362)
* Improvements to assembly implementations of ChaCha20 and Poly1305 ASM for use with MSVC (PR 7319)
* Cortex-M inline assembly labels with unique number appended (PR 7649)
* Added secret logging callback to TLS <= 1.2, enabled with the macro HAVE_SECRET_CALLBACK (PR 7372)
* Made wc_RNG_DRBG_Reseed() a public wolfCrypt API (PR 7386)
* Enabled DES3 support without the DES3 ciphers. To re-enable DES3 cipher suites, use the configure flag --enable-des3-tls-suites (PR 7315)
* Added stubs required for latest nginx (1.25.5) (PR 7449)
* Added option for using a custom salt with the function wc_ecc_ctx_set_own_salt (PR 7552)
* Added PQ files for Windows (PR 7419)
* Enhancements to static memory feature, adding the option for a global heap hint (PR 7478) and build options for a lean or debug setting, enabled with --enable-staticmemory=small or --enable-staticmemory=debug (PR 7597)
* Updated --enable-jni to define SESSION_CERTS for wolfJSSE (PR 7557)
* Exposed DTLS in Ada wrapper and updated examples (PR 7397)
* Added additional minimum TLS extension size sanity checks (PR 7602)
* ESP improvements: updating the examples and libraries, updates for Apple HomeKit SHA/SRP, and fix for endianness with SHA512 software fallback (PR 7607, 7392, 7505, 7535)
* Made the wc_CheckCertSigPubKey API publicly available with the define of the macro WOLFSSL_SMALL_CERT_VERIFY (PR 7599)
* Added an alpha/preview of additional FIPS 140-3 full submission, bringing additional algorithms such as SRTP-KDF, AES-XTS, GCM streaming, AES-CFB, ED25519, and ED448 into the FIPS module boundary (PR 7295)
* XCODE support for v5.2.3 of the FIPS module (PR 7140)
* Expanded OpenSSL compatibility layer and added EC_POINT_hex2point (PR 7191)

## Fixes
* Fixed Kyber control-flow timing leak. Thanks to Antoon Purnal from PQShield for the report
* Fixed the NXP MMCAU HW acceleration for SHA-256 (PR 7389)
* Fixed AES-CFB1 encrypt/decrypt on size (8*x-1) bits (PR 7431)
* Fixed use of %rip with SHA-256 x64 assembly (PR 7409)
* Fixed OCSP response message build for DTLS (PR 7671)
* Handled edge case in wc_ecc_mulmod() with zero (PR 7532)
* Fixed RPK (Raw Public Key) to follow certificate use correctly (PR 7375)
* Added sanity check on record header with QUIC use (PR 7638)
* Added sanity check for empty directory strings in X.509 when parsing (PR 7669)
* Added sanity check on non-conforming serial number of 0 in certificates being parsed (PR 7625)
* Fixed wolfSSL_CTX_set1_sigalgs_list() to make the TLS connection conform to the selected sig hash algorithm (PR 7693)
* Various fixes for dual algorithm certificates including small stack use and support for Certificate Signing Requests (PR 7577)
* Added sanity check for critical policy extension when wolfSSL is built without policy extension support enabled (PR 7388)
* Added sanity check that the ed25519 signature is smaller than the order (PR 7513)
* Fixed Segger emNet to handle non-blocking want read/want write (PR 7581)


# wolfSSL Release 5.7.0 (Mar 20, 2024)

Release 5.7.0 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024

NOTE: In future releases, --enable-des3 (which is disabled by default) will be insufficient in itself to enable DES3 in TLS cipher suites. A new option, --enable-des3-tls-suites, will need to be supplied in addition. This option should only be used in backward compatibility scenarios, as it is inherently insecure.

NOTE: This release switches the default ASN.1 parser to the new ASN template code. If the original ASN.1 code is preferred define `WOLFSSL_ASN_ORIGINAL` to use it. See PR #7199.


## Vulnerabilities
* [High] CVE-2024-0901 Potential denial of service and out of bounds read. Affects TLS 1.3 on the server side when accepting a connection from a malicious TLS 1.3 client. If using TLS 1.3 on the server side it is recommended to update the version of wolfSSL used. Fixed in this GitHub pull request https://github.com/wolfSSL/wolfssl/pull/7099


* [Med] CVE-2024-1545 Fault Injection vulnerability in RsaPrivateDecryption function that potentially allows an attacker that has access to the same system with a victim's process to perform a Rowhammer fault injection. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang, Qingni Shen for the report (Peking University, The University of Western Australia).
Fixed in this GitHub pull request https://github.com/wolfSSL/wolfssl/pull/7167


* [Med] Fault injection attack with EdDSA signature operations. This affects ed25519 sign operations where the system could be susceptible to Rowhammer attacks. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang, Qingni Shen for the report (Peking University, The University of Western Australia).
Fixed in this GitHub pull request https://github.com/wolfSSL/wolfssl/pull/7212


## New Feature Additions

* Added --enable-experimental configure flag to gate out features that are currently experimental. Now liboqs, kyber, lms, xmss, and dual-alg-certs require the --enable-experimental flag.

### POST QUANTUM SUPPORT ADDITIONS
* Experimental framework for using wolfSSL’s XMSS implementation (PR 7161)
* Experimental framework for using wolfSSL’s LMS implementation (PR 7283)
* Experimental wolfSSL Kyber implementation and assembly optimizations, enabled with --enable-experimental --enable-kyber (PR 7318)
* Experimental support for post quantum dual key/signature certificates. A few known issues and sanitizer checks are in progress with this feature. Enabled with the configure flags --enable-experimental --enable-dual-alg-certs (PR 7112)
* CryptoCb support for PQC algorithms (PR 7110)

### OTHER FEATURE ADDITIONS
* The Linux kernel module now supports registration of AES-GCM, AES-XTS, AES-CBC, and AES-CFB with the kernel cryptosystem through the new --enable-linuxkm-lkcapi-register option, enabling automatic use of wolfCrypt implementations by the dm-crypt/luks and ESP subsystems. In particular, wolfCrypt AES-XTS with --enable-aesni is faster than the native kernel implementation.
* CryptoCb hook to one-shot CMAC functions (PR 7059)
* BER content streaming support for PKCS7_VerifySignedData and sign/encrypt operations (PR 6961 & 7184)
* IoT-Safe SHA-384 and SHA-512 support (PR 7176)
* I/O callbacks for content and output with PKCS7 bundle sign/encrypt to reduce peak memory usage (PR 7272)
* Microchip PIC24 support and example project (PR 7151)
* AutoSAR shim layer for RNG, SHA256, and AES (PR 7296)
* wolfSSL_CertManagerUnloadIntermediateCerts API to clear intermediate certs added to certificate store (PR 7245)
* Implement SSL_get_peer_signature_nid and SSL_get_peer_signature_type_nid (PR 7236)


## Enhancements and Optimizations

* Remove obsolete user-crypto functionality and Intel IPP support (PR 7097)
* Support for RSA-PSS signatures with CRL use (PR 7119)
* Enhancement for AES-GCM use with Xilsecure on Microblaze (PR 7051)
* Support for crypto cb only build with ECC and NXP CAAM (PR 7269)
* Improve liboqs integration adding locking and init/cleanup functions (PR 7026)
* Prevent memory access before clientSession->serverRow and clientSession->serverIdx are sanitized (PR 7096)
* Enhancements to reproducible build (PR 7267)
* Update Arduino example TLS Client/Server and improve support for ESP32 (PR 7304 & 7177)
* XC32 compiler version 4.x compatibility (PR 7128)
* Porting for build on PlayStation 3 and 4 (PR 7072)
* Improvements for Espressif use; SHA HW/SW selection and use on ESP32-C2/ESP8684, wolfSSL_NewThread() type, component cmake fix, and update TLS client example for ESP8266 (PR 7081, 7173, 7077, 7148, 7240)
* Allow crypto callbacks with SHA-1 HW (PR 7087)
* Update OpenSSH port to version 9.6p1 (PR 7203)
* ARM Thumb2 enhancements, AES-GCM support for GCM_SMALL, alignment fix on key, fix for ASM clobber list (PR 7291, 7301, 7221)
* Expand heap hint support for static memory build with more x509 functions (PR 7136)
* Improving ARMv8 ChaCha20 ASM (alignment) (PR 7182)
* Unknown extension callback wolfSSL_CertManagerSetUnknownExtCallback added to CertManager (PR 7194)
* Implement wc_rng_new_ex for use with devID’s with crypto callback (PR 7271)
* Allow reading 0-RTT data after writing 0.5-RTT data (PR 7102)
* Send alert on bad PSK binder error (PR 7235)
* Enhancements to CMake build files for use with cross compiling (PR 7188)


## Fixes

* Fix for checking result of MAC verify when no AAD is used with AES-GCM and Xilinx Xilsecure (PR 7051)
* Fix for Aria sign use (PR 7082)
* Fix for invalid `dh_ffdhe_test` test case using Intel QuickAssist (PR 7085)
* Fixes for TI AES and SHA on TM4C with HW acceleration and add full AES GCM and CCM support with TLS (PR 7018)
* Fixes for STM32 PKA use with ECC (PR 7098)
* Fixes for TLS 1.3 with crypto callbacks to offload KDF / HMAC operation (PR 7070)
* Fix include path for FSP 3.5 on Renesas RA6M4 (PR 7101)
* Siphash x64 asm fix for use with older compilers (PR 7299)
* Fix for SGX build with SP (PR 7308)
* Fix to make it mandatory that the cookie is sent back in the new ClientHello when seen in a HelloRetryRequest (PR 7190)
* Fix for wrap around behavior with BIO pairs (PR 7169)
* OCSP fixes for parsing of response correctly when there was a revocation reason and returning correct error value with date checks (PR 7241 & 7255)
* Fix build with `NO_STDIO_FILESYSTEM` and improve checks for `XGETENV` (PR 7150)
* Fix for DTLS sequence number and cookie when downgrading DTLS version (PR 7214)
* Fix for write_dup use with chacha-poly cipher suites (PR 7206)
* Fix for multiple handshake messages in one record failing with OUT_OF_ORDER_E when downgrading from TLS 1.3 to TLS 1.2 (PR 7141)
* Fix for AES ECB build with Thumb and alignment (PR 7094)
* Fix for negotiate handshake until the end in wolfSSL_read/wolfSSL_write if hitting an edge case with want read/write (PR 7237)

# wolfSSL Release 5.6.6 (Dec 19, 2023)

Release 5.6.6 has been developed according to wolfSSL's development and QA
process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

NOTE: * --enable-heapmath is being deprecated and will be removed by 2024

REMINDER: When working with AES Block Cipher algorithms, `wc_AesInit()` should
always be called first to initialize the `Aes` structure, before calling other
Aes API functions. Recently we found several places in our documentation,
comments, and codebase where this pattern was not observed. We have since
fixed this omission in several PRs for this release.

## Vulnerabilities

* [Medium] CVE-2023-6935: After review of the previous RSA timing fix in wolfSSL 5.6.4, additional changes were found to be required. A complete resistant change is delivered in this release. This fix is for the Marvin attack, leading to being able to decrypt a saved TLS connection and potentially forge a signature after probing with a very large number of trial connections. This issue is around RSA decryption and affects the optional static RSA cipher suites on the server side, which are considered weak, not recommended to be used and are off by default in wolfSSL (even with `--enable-all`). Static RSA cipher suites were also removed from the TLS 1.3 protocol and are only present in TLS 1.2 and lower. All padding versions of RSA decrypt are affected since the code under review is outside of the padding processing. Information about the private keys is NOT compromised in affected code. It is recommended to disable static RSA cipher suites and update the version of wolfSSL used if using RSA private decryption alone outside of TLS. Thanks to Hubert Kario for the report. The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6955.

* [Low] CVE-2023-6936: A potential heap overflow read is possible in servers connecting over TLS 1.3 when the optional `WOLFSSL_CALLBACKS` has been defined. The out of bounds read can occur when a server receives a malicious malformed ClientHello. Users should either discontinue use of `WOLFSSL_CALLBACKS` on the server side or update versions of wolfSSL to 5.6.6. Thanks to the tlspuffin fuzzer team for the report, which was designed and developed by: Lucca Hirschi (Inria, LORIA), Steve Kremer (Inria, LORIA), and Max Ammann (Trail of Bits). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6949.

* [Low] CVE-2024-1543: A side channel vulnerability with AES T-Tables is possible in a very controlled environment where precision sub-cache-line inspection can happen, such as inside an Intel SGX enclave. This can lead to recovery of the AES key. To prevent this type of attack, wolfSSL added an AES bitsliced implementation which can be enabled with the “`--enable-aes-bitsliced`” configure option. Thanks to Florian Sieck, Zhiyuan Zhang, Sebastian Berndt, Chitchanok Chuengsatiansup, Thomas Eisenbarth, and Yuval Yarom for the report (Universities of Lübeck, Melbourne, Adelaide and Bochum). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6854.

* [Low] CVE-2023-6937: wolfSSL prior to 5.6.6 did not check that messages in a single (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating. Thanks to Johannes Wilson for the report (Sectra Communications and Linköping University). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/7029.
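The rule the fix enforces, that a (D)TLS record may not carry further handshake data after a message that switches keys, can be checked at the point where a record's plaintext is split into messages. The C below is an added example and not wolfSSL's record layer: walk_handshake_record() parses the 4-byte handshake headers inside one record and rejects a record that continues past ServerHello, Finished or KeyUpdate, the messages RFC 8446 section 5.1 requires to end their record. The sample records are constructed byte strings with filler bodies, not real handshake contents.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not wolfSSL's record layer: enforce that no handshake data
 * follows a key-changing message within the same record (RFC 8446 5.1). */

/* HandshakeType values from RFC 8446 section 4. */
enum { HS_CLIENT_HELLO = 1, HS_SERVER_HELLO = 2, HS_ENCRYPTED_EXTENSIONS = 8,
       HS_CERTIFICATE = 11, HS_FINISHED = 20, HS_KEY_UPDATE = 24 };

enum { ERR_TRUNCATED = -1, ERR_SPANS_KEY_CHANGE = -2 };

/* After these messages the peer's next bytes are protected under new keys:
 * handshake keys after ServerHello, traffic keys after Finished, rotated
 * keys after KeyUpdate. */
static int changes_read_keys(uint8_t type)
{
    return type == HS_SERVER_HELLO || type == HS_FINISHED || type == HS_KEY_UPDATE;
}

/* Walk the handshake headers (1-byte type, 24-bit length) in rec[0..len).
 * Returns the number of messages accepted, or a negative error. A message
 * that changes keys must be the last thing in the record; accepting bytes
 * after it would mean processing data under the wrong protection level,
 * which is exactly how an unencrypted flight could follow a ServerHello. */
static int walk_handshake_record(const uint8_t *rec, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint8_t type;
        size_t body;
        if (len - off < 4) return ERR_TRUNCATED;
        type = rec[off];
        body = ((size_t)rec[off + 1] << 16) | ((size_t)rec[off + 2] << 8) | rec[off + 3];
        if (len - off - 4 < body) return ERR_TRUNCATED;
        off += 4 + body;
        count++;
        if (changes_read_keys(type) && off != len) return ERR_SPANS_KEY_CHANGE;
    }
    return count;
}

/* Constructed sample records (bodies are filler, not real TLS contents). */
static const uint8_t REC_SERVER_HELLO_ALONE[] = { HS_SERVER_HELLO, 0, 0, 2, 0xAA, 0xBB };
static const uint8_t REC_SERVER_HELLO_PLUS_EE[] = {
    HS_SERVER_HELLO, 0, 0, 2, 0xAA, 0xBB,              /* ServerHello ...      */
    HS_ENCRYPTED_EXTENSIONS, 0, 0, 1, 0x00 };          /* ... then more: reject */
static const uint8_t REC_EE_PLUS_CERT[] = {
    HS_ENCRYPTED_EXTENSIONS, 0, 0, 1, 0x00,            /* no key change here,  */
    HS_CERTIFICATE, 0, 0, 3, 0x01, 0x02, 0x03 };       /* coalescing is fine   */
static const uint8_t REC_TRUNCATED[] = { HS_SERVER_HELLO, 0, 0, 5, 0x00 };

static void show(const char *name, const uint8_t *rec, size_t len)
{
    printf("%-24s -> %d\n", name, walk_handshake_record(rec, len));
}

int main(void)
{
    show("ServerHello alone", REC_SERVER_HELLO_ALONE, sizeof REC_SERVER_HELLO_ALONE);
    show("ServerHello + EE", REC_SERVER_HELLO_PLUS_EE, sizeof REC_SERVER_HELLO_PLUS_EE);
    show("EE + Certificate", REC_EE_PLUS_CERT, sizeof REC_EE_PLUS_CERT);
    show("truncated", REC_TRUNCATED, sizeof REC_TRUNCATED);
    return 0;
}
```

The same boundary check applies to a message that is itself split across records: the fragment reassembly state must be empty whenever the read keys change, otherwise the tail of a message could arrive under a different key than its head.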

## New Feature Additions

* Build option for disabling CRL date checks (`WOLFSSL_NO_CRL_DATE_CHECK`) (PR 6927)
* Support for STM32WL55 and improvements to PKA ECC support (PR 6937)
* Add option to skip cookie exchange on DTLS 1.3 session resumption (PR 6929)
* Add implementation of SRTP KDF and SRTCP KDF (`--enable-srtp-kdf`) (PR 6888)
* Add `wolfSSL_EXTENDED_KEY_USAGE_free()` (PR 6916)
* Add AES bitsliced implementation that is cache attack safe (`--enable-aes-bitsliced`) (PR 6854)
* Add memcached support and automated testing (PR 6430, 7022)
* Add Hardware Encryption Acceleration for ESP32-C3, ESP32-C6, and ESP32-S2 (PR 6990)
* Add (D)TLS 1.3 support for 0.5-RTT data (PR 7010)

## Enhancements and Optimizations

* Better built in testing of “`--sys-ca-certs`” configure option (PR 6910)
* Updated CMakeLists.txt for Espressif wolfSSL component usage (PR 6877)
* Disable TLS 1.1 by default (unless SSL 3.0 or TLS 1.0 is enabled) (PR 6946)
* Add “`--enable-quic`” to “`--enable-all`” configure option (PR 6957)
* Add support to SP C implementation for RSA exponent up to 64-bits (PR 6959)
* Add result of “`HAVE___UINT128_T`” to options.h for CMake builds (PR 6965)
* Add optimized assembly for AES-GCM on ARM64 using hardware crypto instructions (PR 6967)
* Add built-in cipher suite tests for DTLS 1.3 PQC (PR 6952)
* Add wolfCrypt test and unit test to ctest (PR 6977)
* Move OpenSSL compatibility crypto APIs into `ssl_crypto.c` file (PR 6935)
* Validate time generated from XGMTIME() (PR 6958)
* Allow wolfCrypt benchmark to run with microsecond accuracy (PR 6868)
* Add GitHub Actions testing with nginx 1.24.0 (PR 6982)
* Allow encoding of CA:FALSE BasicConstraint during cert generation (PR 6953)
* Add CMake option to enable DTLS-SRTP (PR 6991)
* Add CMake options for enabling QUIC and cURL (PR 7049)
* Improve RSA blinding to make code more constant time (PR 6955)
* Refactor AES-NI implementation macros to allow dynamic fallback to C (PR 6981)
* Default to native Windows threading API on MinGW (PR 7015)
* Return better error codes from OCSP response check (PR 7028)
* Updated Espressif ESP32 TLS client and server examples (PR 6844)
* Add/clean up support for ESP-IDF v5.1 for a variety of ESP32 chips (PR 7035, 7037)
* Add API to choose dynamic certs based on client ciphers/sigalgs (PR 6963)
* Improve Arduino IDE 1.5 project file to match recursive style (PR 7007)
* Simplify and improve apple-universal build script (PR 7025)

## Fixes

* Fix for async edge case with Intel QuickAssist/Cavium Nitrox (PR 6931)
* Fix for building PKCS#7 with RSA disabled (PR 6902)
* Fix for advancing output pointer in `wolfSSL_i2d_X509()` (PR 6891)
* Fix for `EVP_EncodeBlock()` appending a newline (PR 6900)
* Fix for `wolfSSL_RSA_verify_PKCS1_PSS()` with `RSA_PSS_SALTLEN_AUTO` (PR 6938)
* Fixes for CODESonar reports around `isalpha()` and `isalnum()` calls (PR 6810)
* Fix for SP ARM64 integer math to avoid compiler optimization issues (PR 6942)
* Fix for SP Thumb2 inline assembly to add IAR build support (PR 6943, 6971)
* Fix for SP Thumb2 to make functions not inlined (PR 6993)
* Fix for SP Cortex-M assembly large build with IAR (PR 6954)
* Fix for SP ARM64 assembly montgomery reduction by 4 (PR 6947)
* Fix for SP ARM64 P-256 for not inlining functions for iOS compatibility (PR 6979)
* Fix for `WOLFSSL_CALLBACKS` and potential memory error (PR 6949)
* Fixes for wolfSSL’s Zephyr OS port (PR 6930)
* Fix for build errors when building for NXP mmCAU (`FREESCALE_MMCAU`) (PR 6970)
* Fix for TLS 1.3 `SendBuffered()` return code in non-blocking mode (PR 7001)
* Fix for TLS `Hmac_UpdateFinal()` when padding byte is invalid (PR 6998)
* Fix for ARMv8 AES-GCM streaming to check size of IV before storing (PR 6996)
* Add missing calls to `wc_AesInit()` before `wc_AesSetKey()` (PR 7011)
* Fix build errors with DTLS 1.3 enabled but TLS 1.2 disabled (PR 6976)
* Fixes for building wolfSSL in Visual Studio (PR 7040)

# wolfSSL Release 5.6.4 (Oct 30, 2023)

Release 5.6.4 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

NOTE: * --enable-heapmath is being deprecated and will be removed by 2024
      * Old CyaSSL/CtaoCrypt shim layer was removed in this release (5.6.4)

## Vulnerabilities

* [Medium] A fix was added, but still under review for completeness, for a Bleichenbacher style attack, leading to being able to decrypt a saved TLS connection and potentially forge a signature after probing with a large number of trial connections. This issue is around RSA decryption and affects static RSA cipher suites on the server side, which are not recommended to be used and are off by default. Static RSA cipher suites were also removed from the TLS 1.3 protocol and are only present in TLS 1.2 and lower. All padding versions of RSA decrypt are affected since the code under review is outside of the padding processing. Information about the private keys is NOT compromised in affected code. It's recommended to disable static RSA cipher suites and update the version of wolfSSL used if using RSA private decryption alone outside of TLS. The fix is located in this pull request (https://github.com/wolfSSL/wolfssl/pull/6896)

## New Feature Additions

* DTLS 1.3 PQC: support fragmenting the second ClientHello message. This allows arbitrarily long keys to be used, opening up support for all PQC ciphersuites in DTLS 1.3.
* SM2/SM3/SM4: Chinese cipher support including TLS 1.3 and 1.2 cipher suites. SM2 SP implementation available.
* Ability to parse ASN1 only with SMIME_read_PKCS7
* Added support for MemUse Entropy on Windows
* Added Ada Bindings for wolfSSL
* Added a PEM example that converts to and from DER/PEM.
* Added LMS/HSS and XMSS/XMSS^MT wolfcrypt hooks, both normal and verify-only options.
* Added support for the AES EAX mode of operation
* Port for use with Hitch (https://github.com/varnish/hitch) added
* Add XTS APIs to handle multiple sectors in new port to VeraCrypt

## Enhancements and Optimizations

* Turned on SNI by default on hosts with resources
* Improved support for Silicon Labs Simplicity Studio and the EFR32 Gecko SDK
* Thumb-2 and ARM32 Curve25519 and Ed25519 assembly have significantly improved performance.
* Thumb-2 AES assembly code added.
* Thumb-2 and ARM32 SP implementations of RSA, DH and ECC have significantly improved performance.
* Minor performance improvements to SP ECC for Intel x64.
* AES-XTS assembly code added for Intel x64, Aarch64 and ARM32.
* Added support for X963 KDFs to ECIES.
* Added 32-bit type only implementation of AES GMULT using tables.
* Add support for nginx version 1.25.0
* Add support for Kerberos version 5 1.21.1
* Check all CRL entries in case a single issuer has multiple CRLs loaded
* CRL verify the entire chain including loaded CAs
* Added example for building wolfSSL as an Apple universal binary framework using configure
* Sniffer tool now supports decrypting TLS sessions using secrets obtained from a SSLKEYLOGFILE
* Updates made for EBSNET port
* Update "--enable-jni" to include additional defines for expanded JNI support. Also includes JCE and JSSE builds under the single enable option now.

## Fixes

* Fixed error handling when decrypted pre-master secret is too long when using static RSA.
* Added a fix for keymod use with i.MX RT1170 CAAM blobs
* Added a fix for AES-GCM use with Petalinux Xilinx
* Fixed `wc_SignatureGenerate_ex` to not call verify twice
* Fixed wolfCrypt FIPS DLL on Win32
* Fixed TFM math library big-endian reading implementation when a zero length buffer is passed in.
* Fixed NO_CERT configurations to build correctly.
* Fixed ARM AES-GCM streaming assembly when --enable-opensslextra defined.
* Added modulus checks to heap math implementation of mp_exptmod().
* Fixed Windows assembly code to handle that certain XMM registers are non-volatile.
* Aarch64 SP ECC implementation of sp_256_mont_dbl_4 has the register list for the assembly code fixed to include all used registers.
* mp_sqrt_mod_prime fixed to limit the number of iterations of a loop to handle malicious non-prime values being passed in.
* Ignore session IDs shorter than 32 bytes instead of erroring out

# wolfSSL Release 5.6.3 (Jun 16, 2023)

Release 5.6.3 of wolfSSL embedded TLS has 4 bug fixes:

* Fix for setting the atomic macro options introduced in release 5.6.2. This issue affects GNU gcc autoconf builds. The fix resolves a potential mismatch of the generated macros defined in options.h file and the macros used when the wolfSSL library is compiled. In version 5.6.2 this mismatch could result in unstable runtime behavior.
* Fix for invalid suffix error with Windows build using the macro GCM_TABLE_4BIT.
* Improvements to Encrypted Memory support (WC_PROTECT_ENCRYPTED_MEM) implementations for modular exponentiation in SP math-all (sp_int.c) and TFM (tfm.c).
* Improvements to SendAlert for getting output buffer.

1555# wolfSSL Release 5.6.2 (Jun 09, 2023)
1556
1557Release 5.6.2 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.
1558https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
1559
1560NOTE: * --enable-heapmath is being deprecated and will be removed by 2024
1561
1562Release 5.6.2 of wolfSSL embedded TLS has bug fixes and new features including:
1563
1564## Vulnerabilities
1565* [Low] In cases where a malicious agent could analyze cache timing at a very detailed level, information about the AES key used could be leaked during T/S Box lookups. One such case was shown on RISC-V hardware using the MicroWalk tool (https://github.com/microwalk-project/Microwalk). A hardened version of T/S Box lookups was added in wolfSSL to help mitigate this potential attack and is now on by default with RISC-V builds and can be enabled on other builds if desired by compiling wolfSSL with the macro WOLFSSL_AES_TOUCH_LINES. Thanks to Jan Wichelmann, Christopher Peredy, Florian Sieck, Anna Pätschke, Thomas Eisenbarth (University of Lübeck): MAMBO-V: Dynamic Side-Channel Leakage Analysis on RISC-V. Fixed in the following GitHub pull request https://github.com/wolfSSL/wolfssl/pull/6309
1566* [High] In previous versions of wolfSSL if a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM value when generating the session master secret. Using a potentially known IKM value when generating the session master secret key compromises the key generated, allowing an eavesdropper to reconstruct it and potentially allowing surreptitious access to or meddling with message contents in the session. This issue does not affect client validation of connected servers, nor expose private key information, but could result in an insecure TLS 1.3 session when not controlling both sides of the connection. We recommend that TLS 1.3 client side users update the version of wolfSSL used. Thanks to Johannes from Sectra Communications and Linköping University for the report. Fixed in the following GitHub pull request https://github.com/wolfSSL/wolfssl/pull/6412

## New Feature Additions

### New Ports and Expansions
* Add support for STM32H5
* Add support for Renesas TSIP v1.17
* Add Renesas SCE RSA crypto-only support
* STARCORE DSP port and example builds added
* Add the function wc_PKCS7_SetDefaultSignedAttribs for setting PKCS7 signed attributes to use with PKCS7 bundle creation
* NXP IMX6Q CAAM port with QNX and performance optimizations for AES-CTR

### New Build Options
* ASN.1 print utility to decode ASN.1 syntax and print out human readable text, --enable-asn-print. The utility app is located in the directory ./examples/asn1/
* Add introspection for math build, wc_GetMathInfo() to get information about the math library compiled into the linked wolfSSL library
* Implement TLS recommendations from RFC 9325 for hardening TLS/DTLS security. Enabled with the autoconf flag --enable-harden-tls.
* Add option to support disabling thread local storage, --disable-threadlocal
* Added wc_DsaSign_ex() and wc_DsaVerify_ex() for handling alternative digest algorithms with DSA Sign/Verify
* Implement atomic operations interface. Macros auto-detect if atomic operations are expected to be available; can be turned off with the macro WOLFSSL_NO_ATOMICS
* Added support for DTLS 1.3 Authentication and Integrity-Only Cipher Suites
* Expand crypto callback to have a device ID find callback function with wc_CryptoCb_SetDeviceFindCb. Enabled with the macro WOLF_CRYPTO_CB_FIND

## Enhancements and Optimizations

### Optimizations
* Increased performance with ChaCha20 C implementation and general XOR operations
* Added integer type to the ASN.1 sequencing with ASN.1 Integer sequence
* With wolfSSL_get_x509_next_altname reset alt name list to head once cycled through if compiling with the macro WOLFSSL_MULTICIRCULATE_ALTNAMELIST
* Additional key validity sanity checks on input to wolfSSL_EC_KEY_set_private_key
* Add support for TLSv1.3 stateful session tickets when using SSL_OP_NO_TICKET

### Memory Optimizations
* Improvements to stack usage and management with SP int math library
* Optimization to TLS 1.3 server to remove caching messages for Ed25519/Ed448
* Added a HAVE_CURL macro build for building a subset of the wolfSSL library when linking with cURL
* Memory usage improvement with reducing the size of alignment needed with AES
* Reduce run time memory used with ECC operations and ALT_ECC_SIZE
* Fixes and improvements for building edge cases such as crypto callback without hash-drbg with low footprint options
* Support HAVE_SESSION_TICKET build option without depending on realloc

### Documentation
* Instructions for GPDMA on STM32 configuration added
* Add in instructions for compiling with zephyr on STM32
* Documentation fixup for wolfSSL_get_chain_cert()
* Fix the file pointed to in the TI RTOS documentation that we maintain
* Documentation for wolfSSL_CertManagerFreeCRL
* Updates made to AES and Chacha documentation
* Update Japanese comments for Ed25519, AES, and other miscellaneous items

### Tests
* Add in an option for easily testing malloc failures when building with WOLFSSL_MEM_FAIL_COUNT macro
* Updated the process for using Expect vs. Assert to facilitate more malloc failure tests
* Enhance wolfCrypt test for builds that do not have ECC SECP curves enabled
* ESP32 platform-specific VisualGDB test & benchmark projects
* Update to dependencies in docker container file used for tests
* Fix up for base 10 output with bundled benchmark application

### Port Updates
* Zephyr port update, compile time warning fixes, misc. fixes when used with TLS and update of includes
* Update RIOT-OS to not compile out use of writev by default
* Update Micrium port to enable use of STM32_RNG
* Micrium updates for XMEMOVE and XSTRTOK use
* Various Espressif HW crypto, SHA2, AES, MP updates
* Added in ASIO build option with CMake builds

### General Enhancements
* Global codebase cleanup for C89 compliance and wolfCrypt -Wconversion hygiene
* PKCS#11 enhancement adding a callback for RSA key size when using a hardware key; by default a 2048 bit key is used
* Allow for unknown OIDs in extensions in wolfSSL_X509_set_ext()
* Allow user to override XSTAT by defining the macro XSTAT when compiling
* Support UPN and SID with x509 certificate extensions and custom OID build
* Write next IV in wolfSSL_DES_ede3_cbc_encrypt for better handling of inline encryption
* Adding NO_ASN_TIME_CHECK build option for compiling out certificate before/after checks
* Improve different peer recvfrom handling and error reporting with ipv4 vs ipv6

## Fixes
* Fix for STM32 ECC sign and verify out of bounds buffer write when the hash length passed in is larger than the key size. Thanks to Maximilian for the report.
* Fix to skip Async_DevCtxInit when using init rsa/ecc label/id APIs
* Revert WOLFSSL_NO_ASN_STRICT macro guard around alternate names directory list
* In async mode, don't retry decrypting if a valid error is encountered on a packet parse attempt
* Add additional sanity check on PKCS7 index value in wc_PKCS7_DecryptKekri
* Fix for padding when using an AuthEnvelope PKCS7 type with GCM/CCM stream ciphers
* Fix siphash assembly so that no register is left behind
* Fix to not send a TLS 1.3 session ID resume response when resuming and downgrading to a protocol less than TLS 1.3
* Fix overwriting serialNumber by favouriteDrink when generating a certificate using Cert struct
* Fix for the default realloc used with EspressIf builds
* Track SetDigest usage to avoid invalid free under error conditions
* DTLS v1.3 fix for epoch 0 check on plaintext message
* Fix for session ticket memory leak in wolfSSL_Cleanup
* Fixes for propagating SendAlert errors when the peer disconnects
* Replace XMEMCPY with XMEMMOVE to fix valgrind-3.15.0 reports "Source and destination overlap in memcpy" when using --enable-aesgcm-stream
* Fix for potential out-of-bounds write edge case in fp_mod_2d with --enable-fastmath math library
* Fix getting ECC key size in stm32_ecc_sign_hash_ex
* Fix for case where wc_PeekErrorNodeLineData was not unlocking error queue on error
* Fix for async ECC shared secret state
* Fix for better error checking with sp_gcd with SP int math library
* Fix memory leak in TLSX_KeyShare_Setup when handling an error case
* Fix for double free edge case in InitOCSPRequest when handling a memory allocation failure
* X509 NAME Entry fix for leaking memory on error case
* Fix wolfssl_asn1_time_to_tm setting unexpected fields in tm struct
* Fix for FIPS ECC integrity check with crypto callback set
* BN_to_ASN1_INTEGER fix for handling leading zero byte padding when needed
* Fix a typo in PP macro and add a ceiling to guard against implementation bugs
* DTLS 1.3 fix for using the correct label when deriving the resumption key
* OCSP fix for GetDateInfo edge case with non ASN template builds
* Allow a user set certificate callback function to override the skipAddCA flag when parsing a certificate
* SP int: fix temp size in sp_radix_size with radix 10 to handle an edge case
* Fixes and improvements for handling failures with memory allocations
* Fix for DecodeECC_DSA_Sig to handle r and s being initialized
* Fix for wc_ecc_is_point to ensure that the x and y are in range [0, p-1] and z is one (affine coordinates)

### Build Fixes
* Fix for building on Windows with CMake and using USER_SETTINGS and fix for options.h creation with CMake when using USER_SETTINGS
* CMake fixes and improvements for use with mingw32
* Fix for building with wpas and x509 small options
* Check if colrm is available for options.h creation when using autoconf
* Clean up NO_BIG_INT build, removing WOLFSSL_SP_MATH macro and heapmath compile
* Fix PKCS#7 build with NO_PKCS7_STREAM
* Fix compilation error in CC-RX and remove unnecessary public key import
* SP Build fixes for ARM assembly with ARMv6 clz and ARM thumb debug build
* Fix to not advertise support for RSA in TLS extensions when compiled with NO_RSA

# wolfSSL Release 5.6.0 (Mar 24, 2023)

Release 5.6.0 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria.
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

NOTE:
* --enable-heapmath is being deprecated and will be removed by 2024
* This release makes ASN Template the default with ./configure; the previous ASN parsing can be built with --enable-asn=original

Release 5.6.0 of wolfSSL embedded TLS has bug fixes and new features including:

## New Feature Additions

* ASN template is now the default ASN parsing implementation when compiling with configure
* Added in support for TLS v1.3 Encrypted Client Hello (ECH) and HPKE (Hybrid Public Key Encryption)
* DTLS 1.3 stateless server ClientHello parsing support added

### Ports
* Add RX64/RX71 SHA hardware support
* Port to RT1170 and expand NXP CAAM driver support
* Add NuttX integration files for ease of use
* Updated Stunnel support for version 5.67

### Compatibility Layer
* Add in support for AES-CCM with EVP
* BN compatibility API refactoring and separate API created
* Expanding public key type cipher suite list strings support

### Misc.
* Support pthread_rwlock and add enable option
* Add wolfSSL_CertManagerLoadCABuffer_ex() that takes a user certificate chain flag and additional verify flag options
* Docker build additions for wolfSSL library and wolfCLU application
* Add the favourite drink pilot attribute type so it can be retrieved from the encoding
* Added in support for indefinite length BER parsing with PKCS12
* Add dynamic session cache which allocates sessions from the heap with macro SESSION_CACHE_DYNAMIC_MEM

## Improvements / Optimizations

### Tests
* Additional CI (continuous integration) testing and leveraging of GitHub workflows
* Add CI testing for wpa_supplicant, OpenWrt and OpenVPN using GitHub workflows
* Add compilation of Espressif to GitHub workflows tests
* Refactoring and improving error results with wolfCrypt unit test application
* Minor warning fixes from Coverity static analysis scan
* Add new SHA-512/224 and SHA-512/256 tests
* Used codespell and fixed some minor typos

### Ports
* Improve TLS1.2 client authentication to use TSIP
* Updated Kyber macro to be WOLFSSL_HAVE_KYBER and made changes that make Kyber work on STM32
* AES-GCM Windows assembly additions
* CRLF line endings, trailing spaces for C# Wrapper Projects

### Compatibility Layer
* Update `PubKey` and `Key` PEM-to-DER APIs to support return of needed DER size
* Allow reading ENC EC PRIVATE KEY as well via wolfSSL_PEM_read_bio_ECPrivateKey
* Improve wolfSSL_EC_POINT_cmp to handle Jacobian coordinates
* Fix issue with BIO_reset() and add BIO_FLAGS_MEM_RDONLY flag support for read only BIOs

### SP
* In SP math library rework mod 3 and use count leading zero instruction
* Fix with SP ECC sign to reject the random k generated when r is 0
* With SP math add better detection of when add won't work and double is needed with point_add_qz1 internal function
* With SP int fail when the buffer being written to is too small for the number rather than discarding the extra values

### Builds
* Define WOLFSSL_SP_SMALL_STACK if wolfSSL is built with --enable-smallstack
* Fix CMake to exclude libm when DH is not enabled
* Allow building of SAKKE as external non-FIPS algorithm with wolfmikey product
* Add option to add library suffix, --with-libsuffix
* ASN template compile option WOLFSSL_ASN_INT_LEAD_0_ANY to allow leading zeros
* Add user_settings.h template for wolfTPM to examples/configs/user_settings_wolftpm.h
* Purge the AES variant of Dilithium
* Expand WOLFSSL_NO_ASN_STRICT to allow parsing of explicit ECC public key
* Remove relocatable text in ARMv7a AES assembly for use with FIPS builds
* Expand checking for hardware that supports ARMv7a neon with autotools configure
* Sanity check on allocation fails with DSA and FP_ECC build when zeroizing internal buffer
* Additional TLS alerts sent when compiling with WOLFSSL_EXTRA_ALERTS macro defined

### Benchmarking
* Update wolfCrypt benchmark Windows build files to support x64 Platform
* Add SHA512/224 and SHA512/256 benchmarks, fixed CVS macro and display sizes
* Separate AES-GCM streaming runs when benchmarked
* No longer call external implementation of Kyber from benchmark
* Fix for benchmarking shake with custom block size
* Fixes for benchmark help `-alg` list and block format

### Documentation/Examples
* Document use of wc_AesFree() and update documentation of Ed25519 with Doxygen
* Move the wolfSSL Configuration section higher in QUIC.md
* Add Japanese Doxygen documentation for cmac.h, quic.h and remove incomplete Japanese doxygen in asn_public.h
* Espressif examples run with local wolfSSL now with no additional setup needed
* Added a fix for StartTLS use in the example client
* Add a base-line user_settings.h for use with FIPS 140-3 in XCode example app

### Optimizations
* AES-NI usage added for AES modes ECB/CTR/XTS

### Misc
* Update AES-GCM stream decryption to allow long IVs
* Internal refactor to use wolfSSL_Ref functions when incrementing or decrementing the structures reference count and fixes for static analysis reports
* Cleanup function logging making adjustments to the debug log print outs
* Remove realloc dependency in DtlsMsgCombineFragBuckets function
* Refactor to use WOLFSSL_CTX's cipher suite list when possible
* Update internal padding of 0s with DSA sign and additional tests with mp_to_unsigned_bin_len function
* With DTLS SRTP use wolfSSL_export_keying_material instead of wc_PRF_TLS
* Updated macro naming from HAVE_KYBER to be WOLFSSL_HAVE_KYBER
* Update AES XTS encrypt to handle in-place encryption properly
* With TLS 1.3 add option to require only PSK with DHE

## Fixes

### Ports
* Fix for AES use with CAAM on imx8qxp with SECO builds
* Fix for PIC32 crypto HW and unused `TLSX_SetResponse`
* Fix warning if ltime is unsigned seen with QNX build
* Updates and fix for Zephyr project support
* Include sys/time.h for WOLFSSL_RIOT_OS
* Move X509_V errors from enums to defines for use with HAProxy CLI
* IAR compiler warnings resolved
* Fix for STM32 Hash peripherals (like on F437) with FIFO depth = 1
* ESP32 fix for SHA384 init with hardware acceleration

### Builds
* Add WOLFSSL_IP_ALT_NAME macro define to --enable-curl
* Fixes for building with C++17 and avoiding clashing with byte naming
* Fixes SP math all build issue with small-stack and no hardening
* Fix for building with ASN template with `NO_ASN_TIME` defined
* Fix building FIPSv2 with WOLFSSL_ECDSA_SET_K defined
* Don't allow aesgcm-stream option with kcapi
* Fix DTLS test case for when able to read peer's close notify alert on FreeBSD systems
* Fix for "expression must have a constant value" in tls13.c with Green Hills compiler
* Fixes for building KCAPI with opensslextra enabled
* Fix warnings of shadows min and subscript with i486-netbsd-gcc compiler
* Fix issue with async and `WOLFSSL_CHECK_ALERT_ON_ERR`
* Fix for PKCS7 with asynchronous crypto enabled

### Math Library
* SP Aarch64 fix for conditional changed in asm needing "cc" and fix for ECC P256 mont reduce
* In SP builds add sanity check with DH exp. to check the output length for minimum size
* In SP math fix scalar length check with EC scalar multiply
* With SP int fix handling negative character properly with read radix
* Add error checks before setting variable err in SP int with the function sp_invmod_mont_ct
* Fix to add sanity check for malloc of zero size in fastmath builds
* In fastmath fix a possible overflow in fp_to_unsigned_bin_len length check
* Heapmath fast mod. reduce fix

### Compatibility Layer
* Fixes for encoding/decoding ecc public keys and ensure i2d public key functions do not include any private key information
* Fix for EVP_EncryptUpdate to update outl on empty input
* Fix SE050 RSA public key loading and RSA/ECC SE050 TLS Compatibility
* Rework EC API and validate point after setting it
* Fix for X509 RSA PSS with compatibility layer functions
* Fix size of structures used with SHA operations when built with opensslextra for Espressif hardware accelerated hashing
* Added sanity check on key length with wolfSSL_CMAC_Init function
* Fix for return value type conversion of bad mutex error in logging function
* Fix NID conflict NID_givenName and NID_md5WithRSAEncryption
* Fix unguarded XFPRINTF calls with opensslextra build
* Fix wolfSSL_ASN1_INTEGER_to_BN for negative values
* Fix for potential ASN1_STRING leak in wolfSSL_X509_NAME_ENTRY_create_by_txt and wolfSSL_X509_NAME_ENTRY_create_by_NID when memory allocation fails

### Misc.
* Add sanity check to prevent an out of bounds read with OCSP response decoding
* Sanity check to not allow 0 length with bit string and integer when parsing ASN1 syntax
* Adjust RNG sanity checks and remove error prone first byte comparison
* With PKCS7 add a fix for GetAsnTimeString() to correctly increment internal data pointer
* PKCS7 addition of sequence around algo parameters with authenvelop
* DSA fixes for clearing mp_int before re-reading data and avoid mp_clear without first calling mp_init
* Fix for SRTP setting bitfield when it is encoded for the TLS extension
* Fix for handling small http headers when doing CRL verification
* Fix for ECCSI hash function to validate the output size and curve size
* Fix for value of givenName and name being reversed with CSR generation
* Fix for error type returned (OCSP_CERT_UNKNOWN) with OCSP verification
* Fix for a potential memory leak with ProcessCSR when handling OCSP responses
* Fix for VERIFY_SKIP_DATE flag not ignoring date errors when set
* Fix for zlib decompression buffer issue with PKCS7
* Fix for DTLS message pool send size used and DTLS server saving of the handshake sequence
* Fix to propagate WOLFSSL_TICKET_RET_CREATE error return value from DoDecryptTicket()
* Fix for handling long session IDs with TLS 1.3 session tickets
* Fix for AES-GCM streaming when caching an IV
* Fix for test case with older selftest that returns bad padding instead of salt len error
* Add fix for siphash cache and added in additional tests
* Fix potential out of bounds memset to 0 in error case with session export function used with --enable-sessionexport builds
* Fix possible NULL dereference in TLSX_CSR_Parse with TLS 1.3
* Fix for sanity check on RSA pad length with no padding using the build macro WC_RSA_NO_PADDING

# wolfSSL Release 5.5.4 (Dec 21, 2022)

Release 5.5.4 of wolfSSL embedded TLS has bug fixes and new features including:

## New Feature Additions

* QUIC related changes for HAProxy integration and config option
* Support for Analog Devices MAXQ1080 and MAXQ1065
* Testing and build of wolfSSL with NuttX
* New software based entropy gatherer with configure option --enable-entropy-memuse
* NXP SE050 feature expansion and fixes, adding in RSA support and conditional compile of AES and CMAC
* Support for multi-threaded sniffer

## Improvements / Optimizations

### Benchmark and Tests
* Add alternate test case for unsupported static memory API when testing mutex allocations
* Additional unit test cases added for AES CCM 256-bit
* Initialize and free AES object with benchmarking AES-OFB
* Kyber with DTLS 1.3 tests added
* Tidy up Espressif ESP32 test and benchmark examples
* Rework to be able to run API tests individually and add display of time taken per test

### Build and Port Improvements
* Add check for 64-bit ABI on MIPS64 before declaring a 64-bit CPU
* Add support to detect SIZEOF_LONG in armclang and diab
* Added in a simple example working on Rx72n
* Update azsphere support to prevent compilation of file included inline
* --enable-brainpool configure option added and default to on when custom curves are also on
* Add RSA PSS salt defines to engine builds if not FIPS v2

### Post Quantum
* Remove kyber-90s and route all Kyber through wolfcrypt
* Purge older version of NTRU and SABER from wolfSSL

### SP Math
* Support static memory build with sp-math
* SP C, SP int: improve performance
* SP int: support mingw64 again
* SP int: enhancements to guess 64-bit type and check on NO_64BIT macro set before using long long
* SP int: check size required when using sp_int on stack
* SP: --enable-sp-asm now enables SP by default if not set
* SP: support aarch64 big endian

### DTLS
* Allow DTLS 1.3 to compile when FIPS is enabled
* Allow for stateless DTLS client hello parsing

### Misc.
* Easier detection of DRBG health when using Intel's RDRAND by updating the structures status value
* Detection of duplicate known extensions with TLS
* PKCS#11 handle a user PIN that is a NULL_PTR, compile time check in finding keys, add initialization API
* Update max Cert Policy size based on RFC 5280
* Add Android CA certs path for wolfSSL_CTX_load_system_CA_certs()
* Improve logic for enabling system CA certs on Apple devices
* Stub functions to allow for cpuid public functions with non-intel builds
* Increase RNG_SECURITY_STRENGTH for FIPS
* Improvements in OpenSSL Compat ERR Queue handling
* Support ASN1/DER CRLs in LoadCertByIssuer
* Expose more ECC math functions and improve async shared secret
* Improvement for sniffer error messages
* Warning added that renegotiation in TLS 1.3 requires session ticket
* Adjustment for TLS 1.3 post auth support
* Rework DH API and improve PEM read/write

## Fixes

### Build Fixes
* Fix --enable-devcrypto build error for sys without u_int8_t type
* Fix casts in evp.c and build issue in ParseCRL
* Fixes for compatibility layer building with heap hint and OSSL callbacks
* Fix compile error due to -Werror=undef on gcc-4.8
* Fix mingw-w64 build issues on windows
* Xcode project fixes for different build settings
* Initialize variable causing failures with gcc-11 and gcc-12 with a unique wolfSSL build configuration
* Prevent WOLFSSL_NO_MALLOC from breaking RSA certificate verification
* Fixes for various tests that do not properly handle `WC_PENDING_E` with async. builds
* Fix for misc `HashObject` to be excluded for `WOLFCRYPT_ONLY`

### OCSP Fixes
* Correctly save next status with OCSP response verify
* When the OCSP responder returns an unknown exception, continue through to checking the CRL

### Math Fixes
* Fix for implicit conversion with 32-bit in SP math
* Fix for error checks when modulus is even with SP int build
* Fix for checking of err in _sp_exptmod_nct with SP int build
* ECC cofactor fix when checking scalar bits
* ARM32 ASM: don't use ldrd on user data
* SP int, fix when ECC specific size code included

### Port Fixes
* Fixes for STM32 PKA ECC (not 256-bit) and improvements for AES-GCM
* Fix for cryptocell signature verification with ECC
* Benchmark devid changes, CCM with SECO fix, set IV on AES import into SECO

### Compat. Layer Fixes
* Fix for handling DEFAULT:... cipher suite list
* Fix memory leak in wolfSSL_X509_NAME_ENTRY_get_object
* Set alt name type to V_ASN1_IA5STRING
* Update name hash functions wolfSSL_X509_subject_name_hash and wolfSSL_X509_issuer_name_hash to hash the canonical form of subject
* Fix wolfSSL_set_SSL_CTX() to be usable during handshake
* Fix X509_get1_ocsp to set num of elements in stack
* X509v3 EXT d2i: fix freeing of aia
* Fix to remove recreation of certificate with wolfSSL_PEM_write_bio_X509()
* Link newly created x509 store's certificate manager to self by default to assist with CRL verification
* Fix for compatibility `EC_KEY_new_by_curve_name` to not create a key if the curve is not found

### Misc.
* Free potential signer malloc in a fail case
* Fix otherName SAN parsing and add RID cert to test parsing
* WOLFSSL_OP_NO_TICKET fix for TLSv1.2
* Fix ASN template parsing of X509 subject directory attribute
* Fix the wrong IV size with the cipher suite TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
* Fix incorrect self signed error return when compiled with certreq and certgen
* Fix wrong function name in debug comment with wolfSSL_X509_get_name_oneline()
* Fix for decryption after second handshake with async sniffer
* Allow session tickets to properly resume when using PQ KEMs
* Add sanity overflow check to DecodeAltNames input buffer access

# wolfSSL Release 5.5.3 (Nov 2, 2022)

Release 5.5.3 of wolfSSL embedded TLS has the following bug fix:

## Fixes

* Fix for possible buffer zeroization overrun introduced at the end of v5.5.2 release cycle in GitHub pull request 5743 (https://github.com/wolfSSL/wolfssl/pull/5743) and fixed in pull request 5757 (https://github.com/wolfSSL/wolfssl/pull/5757). In the case where a specific memory allocation failed or a hardware fault happened there was the potential for an overrun of 0s when masking the buffer used for (D)TLS 1.2 and lower operations. (D)TLS 1.3 only and crypto only users are not affected by the issue. This is not related in any way to recent issues reported in OpenSSL.

# wolfSSL Release 5.5.2 (Oct 28, 2022)
Release 5.5.2 of wolfSSL embedded TLS has bug fixes and new features including:

## Vulnerabilities
* [Med] In the case that the WOLFSSL_CALLBACKS macro is set when building wolfSSL, there is a potential heap over read of 5 bytes when handling TLS 1.3 client connections. This heap over read is limited to wolfSSL builds explicitly setting the macro WOLFSSL_CALLBACKS; the feature does not get turned on by any other build options. The macro WOLFSSL_CALLBACKS is intended for debug use only, but if having it enabled in production, users are recommended to disable WOLFSSL_CALLBACKS. Users enabling WOLFSSL_CALLBACKS are recommended to update their version of wolfSSL. Thanks to Lucca Hirschi and Steve Kremer from LORIA, Inria and Max Ammann from Trail of Bits for finding and reporting the bug with the tlspuffin tool developed partly at LORIA and Trail of Bits. CVE-2022-42905

## New Feature Additions
* Add function wolfSSL_CTX_load_system_CA_certs to load system CA certs into a WOLFSSL_CTX and --sys-ca-certs option to example client
* Add wolfSSL_set1_host to OpenSSL compatible API
* Added the function sk_X509_shift
* AES x86 ASM for AES-CBC and GCM performance enhancements
* Add assembly for AES for ARM32 without using crypto hardware instructions
* Xilinx Versal port and hardware acceleration tie in
* SP Cortex-M support for ICCARM

## Enhancements
* Add snifftest vcxproj file and documentation
* Nucleus Thread Types supported
* Handle certificates with RSA-PSS signature that have RSAk public keys
* Small stack build improvements
* DTLS 1.3 improvements for Alerts and unit tests
* Add a binary search for CRL
* Improvement of SSL/CTX_set_max_early_data() for client side
* Remove unused ASN1_GENERALIZEDTIME enum value from wolfssl/ssl.h
* Add user_settings.h for Intel/M1 FIPSv2 macOS C++ projects
* Add dtlscid.test to `make check` unit testing
* Generate an assembler-safe user_settings.h in configure.ac and CMakeLists.txt
* ForceZero enabled with USE_FAST_MATH
* Add TLS 1.3 support of ticketNonce sizes bigger than MAX_TICKET_NONCE_SZ
* FIPSv2 builds on win10 adjust for new fastmath default in settings.h
* Add IRQ install for Aruix example

## Fixes
* When looking up the session by ID on the server, check that the protocol version of the SSL and session match on TLS 1.3 or not
* Fix for potential EVP_PKEY_DH memory leak with OPENSSL_EXTRA
* Curve448 32-bit C code: handle corner case
* Fixup builds using WOLFSSL_LOG_PRINTF
* Correct DIST_POINT_NAME type value
* Do not perform IV Wrap test when using cert3389 inlined armasm
* Fix for Linux kernel module and stdio.h
* (D)TLS: send alert on version mismatch
* Fix PKCS#7 SignedData verification when signer cert is not first in SET
* Fix bug with wolfIO_TcpConnect not working with timeout on Windows
* Fix output length bug in SP non-blocking ECC shared secret gen
* Fix build with enable-fastmath and disable-rsa
* Correct wolfSSL_sk_X509_new in OpenSSL compatible API
* Fixes for SP and x86_64 with MSVC
* Fix wrong size using DTLSv1.3 in RestartHandshakeHashWithCookie
* Fix redundant file include with TI RTOS build
* Fix wolfCrypt only build with wincrypt.h
* DTLS 1.2: Reset state when sending HelloVerifyRequest

# wolfSSL Release 5.5.1 (Sep 28, 2022)
Release 5.5.1 of wolfSSL embedded TLS has bug fixes and new features including:

## Vulnerabilities
* [Med] Denial of service attack and buffer overflow against TLS 1.3 servers using session ticket resumption. When built with --enable-session-ticket and making use of TLS 1.3 server code in wolfSSL, there is the possibility of a malicious client to craft a malformed second ClientHello packet that causes the server to crash. This issue is limited to when using both --enable-session-ticket and TLS 1.3 on the server side. Users with TLS 1.3 servers, and having --enable-session-ticket, should update to the latest version of wolfSSL. Thanks to Max at Trail of Bits for the report, found by Lucca Hirschi from LORIA, Inria, France with the tlspuffin tool developed partly at LORIA and Trail of Bits. CVE-2022-39173

## New Feature Additions
* Add support for non-blocking ECC key gen and shared secret gen for P-256/384/521
* Add support for non-blocking ECDHE/ECDSA in TLS/DTLS layer
* Port to NXP RT685 with FreeRTOS
* Add option to build post quantum Kyber API (--enable-kyber)
* Add post quantum algorithm sphincs to wolfCrypt
* Config. option to force no asm with SP build (--enable-sp=noasm)
* Allow post quantum keyshare for DTLS 1.3

## Enhancements
* DTLSv1.3: Do HRR Cookie exchange by default
* Add wolfSSL_EVP_PKEY_new_CMAC_key to OpenSSL compatible API
* Update ide win10 build files to add missing sp source files
* Improve Workbench docs
* Improve EVP support for CHACHA20_POLY1305
* Improve `wc_SetCustomExtension` documentation
* RSA-PSS with OCSP and add simple OCSP response DER verify test case
* Clean up some FIPS versioning logic in configure.ac and WIN10 user_settings.h
* Don't over-allocate memory for DTLS fragments
* Add WOLFSSL_ATECC_TFLXTLS for Atmel port
* SHA-3 performance improvements with x86_64 assembly
* Add code to fall back to S/W if TSIP cannot handle
* Improves entropy with VxWorks
* Make time in milliseconds 64-bits for longer session ticket lives
* Support for setting cipher list with bytes
* wolfSSL_set1_curves_list(), wolfSSL_CTX_set1_curves_list() improvements
* Add to RSAES-OAEP key parsing for pkcs7
* Add missing DN nid to work with PrintName()
* SP int: default to 16 bit word size when NO_64BIT defined
* Limit the amount of fragments we store per DTLS connection and error out when max limit is reached
* Detect when certificate's RSA public key size is too big and fail on loading of certificate

## Fixes
* Fix for async with OCSP non-blocking in `ProcessPeerCerts`
* Fixes for building with 32-bit and socket size sign/unsigned mismatch
* Fix Windows CMakeList compiler options
* TLS 1.3 Middle-Box compat: fix missing brace
* Configuration consistency fixes for RSA keys and way to force disable of private keys
* Fix for Aarch64 Mac M1 SP use
* Fix build errors and warnings for MSVC with DTLS 1.3
* Fix HMAC compat layer function for SHA-1
* Fix DTLS 1.3 do not negotiate ConnectionID in HelloRetryRequest
* Check return from call to wc_Time
* SP math: fix build configuration with opensslall
* Fix for async session tickets
* SP int mp_init_size fixes when SP_WORD_SIZE == 8
* Ed. make public key function now checks whether the private key flag is set
* Fix HashRaw WC_SHA256_DIGEST_SIZE for wc_Sha256GetHash
* Fix for building with PSK only
* Set correct types in wolfSSL_sk_*_new functions
* Sanity check that size passed to mp_init_size() is no more than SP_INT_DIGITS


# wolfSSL Release 5.5.0 (Aug 30, 2022)

Note:
** If not freeing FP_ECC caches per thread by calling wc_ecc_fp_free, there is a possible memory leak during TLS 1.3 handshakes which use ECC. Users are urged to confirm they are freeing FP_ECC caches per thread, if enabled, to avoid this issue.

Release 5.5.0 of wolfSSL embedded TLS has bug fixes and new features including:

## Vulnerabilities
* [Low] Fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users doing operations with private ECC keys, such as server side TLS connections and creating ECC signatures, who also have hardware that could be targeted with a sophisticated Rowhammer attack should update the version of wolfSSL and compile using the macro WOLFSSL_CHECK_SIG_FAULTS. Thanks to Yarkin Doroz, Berk Sunar, Koksal Must, Caner Tol, and Kristi Rahman all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute for the report.
* [Low] In wolfSSL version 5.3.0 if compiled with --enable-session-ticket and the client has a non-empty session cache, with TLS 1.2 there is the possibility of a man in the middle passing a large session ticket to the client and causing a crash due to an invalid free. There is also the potential for a malicious TLS 1.3 server to crash a client in a similar manner, except in TLS 1.3 it is not susceptible to a man in the middle attack. Users on the client side with --enable-session-ticket compiled in and using wolfSSL version 5.3.0 should update their version of wolfSSL. Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France" for research on tlspuffin.
* [Low] If using wolfSSL_clear to reset a WOLFSSL object (vs the normal wolfSSL_free/wolfSSL_new) it can result in runtime issues. This exists with builds using the wolfSSL compatibility layer (--enable-opensslextra) and only when the application is making use of wolfSSL_clear instead of SSL_free/SSL_new. In the case of a TLS 1.3 resumption, after continuing to use the WOLFSSL object after having called wolfSSL_clear, an application could crash. It is suggested that users calling wolfSSL_clear update the version of wolfSSL used. Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France" for research on tlspuffin.
* Potential DoS attack on DTLS 1.2. In the case of receiving a malicious plaintext handshake message at epoch 0 the connection will enter an error state reporting a duplicate message. This affects both server and client side. Users that have DTLS enabled and in use should update their version of wolfSSL to mitigate the potential for a DoS attack.

## New Feature Additions
* QUIC support added, for using wolfSSL with QUIC implementations like ngtcp2
* SE050 port additions and fixes
* Added support for Dilithium post quantum algorithm use with TLS
* Support for RSA-PSS signed certificates
* Support for Infineon AURIX IDE
* Add Zephyr support for nRF5340 with CryptoCell-312

## Enhancements
* Expanded ABI support by 50 APIs to include wolfCrypt and Certificates, making a total of 113 ABIs controlled and maintained
* DTLS 1.3 partial support for ConnectionID as described by RFC9146 and RFC9147
* Added support for X509_CRL_print function
* Remove deprecated algorithms in Renesas CS+ project
* Support more build options disable/enable with i.MX CAAM build
* wolfSSL_CTX_set_options and wolfSSL_CTX_get_options functions added to non compatibility layer builds
* TFM: change inline x86 asm code to compile with clang
* Improvements to error queue and fix for behavior of wolfSSL_ERR_get_error
* scripts/makedistsmall.sh script added for creating a small source/header only package
* TLS 1.3: restrict extension validity by message; extensions ServerName, SupportedGroups and ALPN must not appear in server_hello
* Add liboqs integration to CMake build system
* Adds wolfSSL_PEM_read_RSAPrivateKey() to the OpenSSL compatible API
* Added support for P384 pre-share in bundled example server
* Replace clz assembly instruction in ARM 32 builds when not supported
* Integrate chacha20-poly1305 into the EVP interface
* Additional validation that extensions appear in correct messages
* Allow SAN to be critical with ASN template build
* Support wolfSSL_CTX_set1_curves_list being available when only X25519 and/or X448 are defined
* Adds wolfSSL_PEM_read_RSA_PUBKEY() to the OpenSSL compatible API
* Match OpenSSL self signed error return with compatibility layer build
* Added wolfSSL_dtls_create_peer and wolfSSL_dtls_free_peer to help with Python and Go wrappers for DTLS

## Fixes
* DTLS 1.3 asynchronous use case fixes
* Fix handling of counter to support incrementing across all bytes in ARM crypto asm
* Fixes for ED25519/ED448 private key with public key export (RFC8410)
* Fix for build with NO_TLS macro
* Fix for write dup function to copy over TLS version
* Fix to handle path lengths of 0 when checking certificate CA path lengths
* Fix for CMake not installing sp_int.h for SP math all
* When WOLFSSL_VALIDATE_ECC_IMPORT is defined, ECC import validates that the private key value is less than the order
* PSA crypto fixes
* Fix for not having default PKCS7 signed attributes
* DTLS socket and timeout fixes
* SP int: exptmod ensures base is less than modulus
* Fix for AddPacketInfo with WOLFSSL_CALLBACKS to not pass encrypted TLS 1.3 handshake messages to callbacks
* Fix for sniffer to ensure the session was polled before trying to reprocess it
2172
# wolfSSL Release 5.4.0 (July 11, 2022)

Note:
** Future releases of wolfSSL will turn off TLS 1.1 by default
** Release 5.4.0 made SP math the default math implementation. Making a build equivalent to --disable-fastmath from previous versions of wolfSSL now requires using the configure option --enable-heapmath instead.

Release 5.4.0 of wolfSSL embedded TLS has bug fixes and new features including:

## Vulnerabilities
* [High] Potential for DTLS DoS attack. In wolfSSL versions before 5.4.0 the return-routability check is wrongly skipped in a specific edge case. The return-routability check is there to stop attacks that either consume excessive resources on the server, or try to use the server as an amplifier sending an excessive amount of messages to a victim IP. If using DTLS 1.0/1.2 on the server side, users should update to avoid the potential DoS attack. CVE-2022-34293
* [Medium] Ciphertext side channel attack on ECC and DH operations. Users on systems where rogue agents can monitor memory use should update the version of wolfSSL and change private ECC keys. Thanks to Sen Deng from Southern University of Science and Technology (SUSTech) for the report.
* [Medium] Public disclosure of a side channel vulnerability that has been fixed since wolfSSL version 5.1.0. When running on AMD there is the potential to leak private key information with ECDSA operations due to a ciphertext side channel attack. Users on AMD doing ECDSA operations with wolfSSL versions less than 5.1.0 should update the wolfSSL version used. Thanks to professor Yinqian Zhang from Southern University of Science and Technology (SUSTech), his Ph.D. student Mengyuan Li from The Ohio State University, and his M.S. students Sen Deng and Yining Tang from SUSTech along with other collaborators; Luca Wilke, Jan Wichelmann and Professor Thomas Eisenbarth from the University of Lubeck, Professor Shuai Wang from Hong Kong University of Science and Technology, Professor Radu Teodorescu from The Ohio State University, Huibo Wang, Kang Li and Yueqiang Cheng from Baidu Security and Shoumeng Yang from Ant Financial Services Group.
  CVE-2020-12966 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1013
  CVE-2021-46744 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1033

## New Feature Additions

### DTLS 1.3
* Support for using the new DTLSv1.3 protocol was added
* Enhancements to bundled examples for an event-driven server with DTLS 1.3 were added

### Ports
* Update for the version of VxWorks supported, adding in support for version 6.x
* Support for new DPP and EAP-TEAP/EAP-FAST in wpa_supplicant
* Update for TSIP version support, adding support for version 1.15 for RX65N and RX72N
* Improved TSIP build to handle having the options WOLFSSL_AEAD_ONLY defined or NO_AES_CBC defined
* Added support for offloading TLS 1.3 operations to Renesas RX boards with TSIP

### Misc.
* Constant time improvements due to development of new constant time tests
* Initial translation of API headers to Japanese and expansion of Japanese help message support in example applications
* Add support for some FPKI (Federal PKI) certificate cases, UUID, FASC-N, PIV extension for use with smart cards
* Add support for parsing additional CSR attributes such as unstructured name and content type
* Add support for Linux getrandom() when defining the macro WOLFSSL_GETRANDOM
* Add TLS 1.2 ciphersuite ECDHE_PSK_WITH_AES_128_GCM_SHA256 from RFC 8442
* Expand CAAM support with QNX to include i.MX8 boards and add AES-CTR support
* Enhanced glitching protection by hardening the TLS encrypt operations

## Math and Performance

### SP Math Additions
* Support for ARMv3, ARMv6 and ARMv7a
    - Changes and improvements to get SP building for armv7-a
    - Updated assembly for moving large immediate values on ARMv6
    - Support for architectures with no ldrd/strd and clz
* Reworked generation using common asm ruby code for 32-bit ARM
* Enable wolfSSL SP math all by default (sp_int.c)
* Update SP math all to not use sp_int_word when SQR_MUL_ASM is available

### SP Math Fixes
* Fixes for constant time with div function
* Fix casting warnings for Windows builds and assembly changes to support XMM6-15 being non-volatile
* Fix for div_word when not using div function
* Fixes for user settings with SP ASM and ED/Curve25519 small
* Additional Wycheproof tests run and fixes
* Fix for SP math ECC non-blocking to always check `hashLen`
* Fix for SP math handling edge case with submod

## Improvements and Optimizations

### Compatibility Layer
* Provide access to "Finished" messages outside of compatibility layer builds
* Remove unneeded FIPS guard on wolfSSL_EVP_PKEY_derive
* Fix control command issues with AES-GCM, control command EVP_CTRL_GCM_IV_GEN
* Add support for importing a private-only EC key to a WOLFSSL_EVP_PKEY struct
* Add support for more extensions to wolfSSL_X509_print_ex
* Update the internal-to-DER (i2d) APIs to move the buffer pointer when one is passed in and the operation is successful
* Return subject and issuer X509_NAME object even when not set

### Ports
* Renesas RA6M4 example update and fixes
* Support multi-threaded use cases with Renesas SCE protected mode and TSIP
* Add a global variable for heap-hint for use with TSIP
* Changes to support v5.3.0 cube pack for STM32
* Use the correct mutex type for embOS
* ESP-IDF build cleanup and enhancements, adding in note regarding ESP-IDF version
* Support for SEGGER embOS and emNET
* Fix to handle WOLFSSL_DTLS macro in Micrium build

### Build Options
* Support for verify-only and no-PSS builds updated
* Add the enable option wolfssh (mapped to the existing --enable-ssh)
* Remove WOLFSSL_ALT_NAMES restriction on notBefore/notAfter use in Cert struct
* Move several more definitions outside the BUILDING_WOLFSSL gate with Linux kernel module build
* Modify --enable-openssh to not enable non-FIPS algos for FIPS builds
* Remove the Python wrappers from wolfSSL source (use pip install instead of using wolfSSL with Python and our separate Python repository)
* Add --enable-openldap option to configure.ac for building the OpenLDAP port
* Resolve DTLS build to handle not having --enable-hrrcookie when not needed
* Add an --enable-strongswan option to configure.ac for building the Strongswan port
* Improve defaults for 64-bit BSDs in configure
* Crypto-only build can now be used with opensslextra
* Update ASN template build to properly handle WOLFSSL_CERT_EXT and HAVE_OID_ENCODING
* Allow using 3DES and MD5 with FIPS 140-3, as they fall outside of the FIPS boundary
* Add the build option --enable-dh=const, which replaces setting the macro WOLFSSL_DH_CONST and now conditionally links to -lm as needed
* Add the macro WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY, which is used to verify hostname/IP address using the alternate name (SAN) only and does not use the common name
* WOLFSSL_DTLS_NO_HVR_ON_RESUME macro added (off by default to favor more security). If defined, a DTLS server will not do a cookie exchange on successful client resumption: the resumption will be faster (one RTT less) and will consume less bandwidth (one ClientHello and one HelloVerifyRequest less). On the other hand, if a valid SessionID is collected, forged ClientHello messages will consume resources on the server.

### Misc.
* Refactoring of some internal TLS functions to reduce the memory usage
* Make old, less secure TimingPadVerify implementation available
* Add support for aligned data with clang LLVM
* Remove subject/issuer email from the list of alt. email names in the DecodedCerts struct
* Zeroizing of pre-master secret buffer in TLS 1.3
* Update to allow TLS 1.3 application server to send session ticket
* Improve the sniffer asynchronous test case to support multiple concurrent streams
* Clean up wolfSSL_clear() and add more logging
* Update to not error out on bad CRL next date if using NO_VERIFY when parsing
* Add an example C# PSK client
* Add ESP-IDF WOLFSSL_ESP8266 setting for ESP8266 devices
* Support longer sigalg list for post quantum use cases and inter-op with OQS's OpenSSL fork
* Improve AES-GCM word implementation of GMULT to be constant time
* Additional sanity check with Ed25519/Ed448, now defaults to assume public key is not trusted
* Support PSK ciphersuites in benchmark apps
* FIPS in-core hash using SHA2-256 and SHA2-384
* Add ability to store issuer name components when parsing a certificate
* Make the critical extension flags in DecodedCert always available
* Updates to the default values for basic constraints with X509s
* Support using RSA OAEP with no malloc and add additional sanity checks
* Leverage async code paths to support WANT_WRITE while sending packet fragments
* New azsphere example for continuous integration testing
* Update RSA key generation function to handle pairwise consistency tests with static memory pools used
* Resolve build time warning by passing in and checking output length with internal SetCurve function
* Support DTLS bidirectional shutdown in the examples
* Improve DTLS version negotiation and downgrade capability
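The cookie exchange behind the WOLFSSL_DTLS_NO_HVR_ON_RESUME option above, and behind the 5.4.0 [High] return-routability item (CVE-2022-34293), modelled as an added Python example. This is illustrative code, not wolfSSL's implementation: the cookie is an HMAC-SHA256 over the claimed source address and client random (an assumed construction; wolfSSL's own cookie format is not shown here), the toy server can be switched to skip the exchange on resumption, and `simulate()`, the addresses and the session ID are constructed for the example. It makes the trade-off the changelog describes measurable: with the exchange always on, ClientHellos from an address that never echoes a cookie cost the server only a stateless reply; with the skip enabled, the same ClientHellos carrying a known SessionID each get a handshake state allocated.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Per-process secret for deriving stateless cookies (assumption: a real server
# would rotate it periodically so that old cookies expire).
COOKIE_SECRET = os.urandom(32)


@dataclass
class ClientHello:
    src_addr: tuple           # (ip, port) the datagram claims to come from
    random: bytes             # 32-byte client random
    session_id: bytes = b""   # non-empty when the client attempts resumption
    cookie: bytes = b""       # echoed back from a HelloVerifyRequest


def make_cookie(secret: bytes, src_addr: tuple, client_random: bytes) -> bytes:
    """Stateless cookie: HMAC-SHA256 over the claimed source address and the
    client random, so the server stores nothing until the peer proves it can
    receive datagrams at that address (the return-routability check)."""
    ip, port = src_addr
    return hmac.new(secret, f"{ip}:{port}".encode() + client_random,
                    hashlib.sha256).digest()


@dataclass
class DtlsServer:
    hvr_on_resume: bool = True      # False models WOLFSSL_DTLS_NO_HVR_ON_RESUME
    known_sessions: set = field(default_factory=set)
    allocations: int = 0            # handshake states allocated (the costly part)
    hvr_sent: int = 0               # HelloVerifyRequests sent (cheap, stateless)

    def handle_client_hello(self, ch: ClientHello) -> str:
        expected = make_cookie(COOKIE_SECRET, ch.src_addr, ch.random)
        cookie_ok = bool(ch.cookie) and hmac.compare_digest(ch.cookie, expected)
        resuming = ch.session_id in self.known_sessions
        if not cookie_ok and (self.hvr_on_resume or not resuming):
            self.hvr_sent += 1
            return "HelloVerifyRequest"
        # Only here does the server commit memory and CPU to this peer.
        self.allocations += 1
        return "ServerHello(resume)" if resuming else "ServerHello(full)"


def simulate(hvr_on_resume: bool, unverified_hellos: int = 5) -> dict:
    """Run one legitimate handshake, then a burst of ClientHellos from an
    address that never completes the cookie exchange but carries a valid
    session ID, and report what the server spent on each."""
    srv = DtlsServer(hvr_on_resume=hvr_on_resume)
    sid = b"\x01" * 32                      # constructed resumable session
    srv.known_sessions.add(sid)

    legit = ClientHello(("192.0.2.10", 5000), os.urandom(32))   # constructed
    first = srv.handle_client_hello(legit)                      # no cookie yet
    legit.cookie = make_cookie(COOKIE_SECRET, legit.src_addr, legit.random)
    second = srv.handle_client_hello(legit)                     # cookie echoed

    for _ in range(unverified_hellos):                          # constructed
        srv.handle_client_hello(
            ClientHello(("198.51.100.7", 4433), os.urandom(32), session_id=sid))

    return {"first": first, "second": second,
            "allocations": srv.allocations, "hvr_sent": srv.hvr_sent}
```

Because the cookie is bound to the source address, a cookie issued to one address is rejected when replayed from another, which is what makes the exchange a routability proof rather than just a round trip; `simulate(True)` allocates one handshake state, `simulate(False)` allocates one per unverified ClientHello as well.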
2291
### General Fixes
* Fixes for STM32 Hash/PKA, add some missing mutex frees, and add an additional benchmark
* Fix missing return checks in KSDK ED25519 code
* Fix compilation warnings from IAR
* Fixes for STM32U5/H7 hash/crypto support
* Fix for using track memory feature with FreeRTOS
* Fixup XSTR processing for MICRIUM
* Update Zephyr fs.h path
* DTLS fixes with WANT_WRITE simulations
* Fixes for BER use with PKCS7 to have additional sanity checks and guards on edge cases
* Fix to handle exceptional edge case with TFM mp_exptmod_ex
* Fix for stack and heap measurements of a 32-bit build
* Fix to allow enabling AES key wrap (direct) with KCAPI
* Fix --enable-openssh FIPS detection syntax in configure.ac
* Fix to move wolfSSL_ERR_clear_error outside gate for OPENSSL_EXTRA
* Remove MCAPI project's dependency on zlib version
* Only use __builtin_offset on supported GCC versions (4+)
* Fix for C89 builds using WOLF_C89
* Fix 64-bit postfix for constants building with PowerPC
* Fixed async Sniffer with TLS v1.3, async removal of `WC_HW_WAIT_E` and sanitize leak
* Fix for QAT ECC to gate use of HW based on marker
* Fix the supported version extension to always check minDowngrade
* Fix for TLS v1.1 length sanity check for large messages
* Fixes for loading a long DER/ASN.1 certificate chain
* Fix to expose the RSA public DER export functions with certgen
* Fixes for building with small version of SHA3
* Fix configure with WOLFSSL_WPAS_SMALL
* Fix to free PKCS7 recipient list in error cases
* Sanity check to confirm ssl->hsHashes is not NULL before attempting to dereference it
* Clear the leftover byte count in Aes struct when setting IV
2322
# wolfSSL Release 5.3.0 (May 3rd, 2022)

Release 5.3.0 of wolfSSL embedded TLS has bug fixes and new features including:

## New Feature Additions

### Ports
* Updated support for Stunnel to version 5.61
* Add i.MX8 NXP SECO use for secure private ECC keys and expand cryptodev-linux for use with RSA/Curve25519 with the Linux CAAM driver
* Allow encrypt-then-MAC with Apache port
* Update Renesas TSIP version to 1.15 on GR-ROSE and certificate signature data for TSIP / SCE example
* Add IAR MSP430 example, located in IDE/IAR-MSP430 directory
* Add support for FFmpeg with the enable option `--enable-ffmpeg`; FFmpeg is used for recording and converting video and audio (https://ffmpeg.org/)
* Update the bind port to version 9.18.0

### Post Quantum
* Add Post-quantum KEM benchmark for STM32
* Enable support for using post quantum algorithms with embedded STM32 boards and port to STM32U585

### Compatibility Layer Additions
* Add port to support libspdm (https://github.com/DMTF/libspdm/blob/main/README.md); compatibility functions added for the port were:
    - ASN1_TIME_compare
    - DH_new_by_nid
    - OBJ_length, OBJ_get0_data
    - EVP layer ChaCha20-Poly1305, HKDF
    - EC_POINT_get_affine_coordinates
    - EC_POINT_set_affine_coordinates
* Additional functions added were:
    - EC_KEY_print_fp
    - EVP_PKEY_paramgen
    - EVP_PKEY_sign/verify functionality
    - PEM_write_RSAPublicKey
    - PEM_write_EC_PUBKEY
    - PKCS7_sign
    - PKCS7_final
    - SMIME_write_PKCS7
    - EC_KEY/DH_up_ref
    - EVP_DecodeBlock
    - EVP_EncodeBlock
    - EC_KEY_get_conv_form
    - BIO_eof
    - Add support for BIO_CTRL_SET and BIO_CTRL_GET
* Add compile time support for the type SSL_R_NULL_SSL_METHOD_PASSED
* Enhanced X509_NAME_print_ex() to support RFC5523 basic escape
* More checks on OPENSSL_VERSION_NUMBER for API prototype differences
* Add extended key usage support to wolfSSL_X509_set_ext
* SSL_VERIFY_FAIL_IF_NO_PEER_CERT now also allows connecting when the compatibility layer is enabled and a TLS 1.3 PSK connection is used
* Improve wolfSSL_BN_rand to handle non-byte boundaries and top/bottom parameters
* Changed X509_V_ERR codes to better match OpenSSL values used
* Improve wolfSSL_i2d_X509_name to allow for a NULL input in order to get the expected resulting size
* Enhance the smallstack build to reduce stack size further when built with compatibility layer enabled

### Misc.
* Sniffer asynchronous support addition, handling of DH shared secret, and tested with Intel QuickAssist
* Added in support for OCSP with IPv6
* Enhance SP (single precision) optimizations for use with ECC P521
* Add new public API wc_CheckCertSigPubKey() for easily checking the signature of a certificate given a public key buffer
* Add CSR (Certificate Signing Request) userId support in subject name
* Injection and parsing of custom extensions in X.509 certificates
* Add WOLF_CRYPTO_CB_ONLY_RSA and WOLF_CRYPTO_CB_ONLY_ECC to reduce code size if using only crypto callback functions with RSA and ECC
* Created new --enable-engine configure flag used to build wolfSSL for use with wolfEngine
* With TLS 1.3 PSK, when WOLFSSL_PSK_MULTI_ID_PER_CS is defined multiple IDs for a cipher suite can be handled
* Added private key id/label support while improving the PK (Public Key) callbacks
* Support for Intel QuickAssist ECC KeyGen acceleration
* Add the function wolfSSL_CTX_SetCertCbCtx to set user context for certificate callback
* Add the functions wolfSSL_CTX_SetEccSignCtx(WOLFSSL_CTX* ctx, void *userCtx) and wolfSSL_CTX_GetEccSignCtx(WOLFSSL_CTX* ctx) for setting and getting a user context
* wolfRand for AMD --enable-amdrand

## Fixes

### PORT Fixes
* KCAPI memory optimizations and page alignment fixes for ECC, AES mode fixes and reduction in memory usage
* Add the new kdf.c file to the TI-RTOS build
* Fix wait-until-done in RSA hardware primitive acceleration of ESP-IDF port
* IOTSafe workarounds when reading files with ending 0's and for ECC signatures

### Math Library Fixes
* Sanity check with SP math that ECC point ordinates are not greater than modulus length
* Additional sanity checks that _sp_add_d does not error due to overflow
* Wycheproof fixes, testing integration, and fixes for AVX / AArch64 ASM edge case tests
* TFM fp_div_2_ct rework to avoid potential overflow

### Misc.
* Fix for PKCS#7 with Crypto Callbacks
* Fix for larger curve sizes with deterministic ECC sign
* Fixes for building wolfSSL alongside OpenSSL using --enable-opensslcoexist
* Fix for compatibility layer handling of certificates with SHA256 SKID (Subject Key ID)
* Fix for wolfSSL_ASN1_TIME_diff erroring out on a return value of 0 from mktime
* Remove extra padding when AES-CBC encrypted with PemToDer
* Fixes for TLS v1.3 early data with async
* Fixes for async disables around the DevCopy calls
* Fixes for Windows AES-NI with clang compiler
* Fix for handling the detection of processing a plaintext TLS alert packet
* Fix for potential memory leak in an error case with TLSX supported groups
* Sanity check on `input` size in `DecodeNsCertType`
* AES-GCM stack alignment fixes with assembly code written for AVX/AVX2
* Fix for PK callbacks with server side and setting a public key

## Improvements/Optimizations

### Build Options and Warnings
* Added example user settings template for FIPS v5 ready
* Automake file touch cleanup for use with Yocto devtool
* Allow disabling forced 'make clean' at the end of ./configure by using --disable-makeclean
* Enable TLS 1.3 early data when specifying `--enable-all` option
* Disable PK Callbacks with JNI FIPS builds
* Add a FIPS cert 3389 ready option; this is the fips-ready build
* Support (no)inline with Wind River Diab compiler
* ECDH_compute_key allows setting of globalRNG with FIPS 140-3
* Add logic equivalent to configure.ac in settings.h for Poly1305
* Fixes to support building opensslextra with SP math
* CPP protection for extern references to x86_64 asm code
* Updates and enhancements for Espressif ESP-IDF wolfSSL setup_win.bat
* Documentation improvements with auto generation
* Fix reproducible-build to work with an updated version of libtool, version 2.4.7
* Fixes for Diab C89 and armclang
* Fix `mcapi_test.c` to include settings.h before crypto.h
* Update and handle builds with NO_WOLFSSL_SERVER and NO_WOLFSSL_CLIENT
* Fix for some macro defines with FIPS 140-3 build so that RSA_PKCS1_PSS_PADDING can be used with RSA sign/verify functions

### Math Libraries
* Add RSA/DH check for even modulus
* Enhance TFM math to handle more alloc failure cases gracefully
* SP ASM performance improvements mostly around AArch64
* SP ASM improvements for additional cache attack resistance
* Add RSA check for small difference between p and q
* 6-8% performance increase with ECC operations using SP int by improving the Montgomery Reduction

### Testing and Validation
* All shell scripts in source tree now tested for correctness using shellcheck and bash -n
* Added build testing under gcc-12 and -std=c++17 and fixed warnings
* TLS 1.3 script test improvement to wait for server to write file
* Unit tests for ECC r/s zeroness handling
* CI server was expanded with a very “quiet” machine that can support multiple ConstantTime tests, ensuring ongoing mitigation against side-channel timing based attacks. Algorithms being assessed on this machine are: AES-CBC, AES-GCM, CHACHA20, ECC, POLY1305, RSA, SHA256, SHA512, CURVE25519.
* Added new multi configuration Windows builds to CI testing for greater testing coverage of Windows use-cases

### Misc.
* Support for ECC import to check validity of key on import even if one of the coordinates (x or y) is 0
* Modify example app to work with FreeRTOS+IoT
* Easier access to the cert used for verifying a PKCS#7 bundle
* Clean up Visual Studio output and intermediate directories
* With TLS 1.3 fail immediately if a server sends an empty certificate message
* Enhance the benchmark application to support multi-threaded testing
* Improvement for `wc_EccPublicKeyToDer` to not overestimate the buffer size required
* Fix to check if `wc_EccPublicKeyToDer` has enough output buffer space
* Fix year 2038 problem in wolfSSL_ASN1_TIME_diff
* Various portability improvements (Time, DTLS epoch size, IV alloc)
* Prefer status_request_v2 over status_request when both are present
* Add separate "struct stat" definition XSTATSTRUCT to make overriding XSTAT easier for portability
* With SipHash replace gcc specific ASM instruction with generic
* Don't force an ECC CA when a custom CA is passed with `-A`
* Add peer authentication failsafe for TLS 1.2 and below
* Improve parsing of UID from subject and issuer name with the compatibility layer by
* Fall back to full TLS handshake if session ticket fails
* Internal refactoring of code to reduce ssl.c file size
2476
# wolfSSL Release 5.2.0 (Feb 21, 2022)

## Vulnerabilities

* [High] A TLS v1.3 server that requires mutual authentication can be
  bypassed. If a malicious client does not send the certificate_verify
  message, the client can connect without presenting a certificate even
  if the server requires one. Thank you to Aina Toky Rasoamanana and
  Olivier Levillain of Télécom SudParis.
* [High] A TLS v1.3 client attempting to authenticate a TLS v1.3
  server can have its certificate check bypassed. If the sig_algo in
  the certificate_verify message is different from that of the certificate
  message, checking may be bypassed. Thank you to Aina Toky Rasoamanana and
  Olivier Levillain of Télécom SudParis.
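Both items concern the peer-authentication messages of a TLS 1.3 handshake. The following added Python example is illustrative only, not wolfSSL's implementation, and models the checks a receiver needs on that message sequence: a non-empty Certificate must be followed by CertificateVerify before Finished, an empty Certificate is refused when the peer is required to authenticate, and the SignatureScheme named in CertificateVerify must be one the certificate's key type can actually produce. The `Msg` objects, the key-type names and the `COMPATIBLE` table (a subset of the RFC 8446 section 4.2.3 schemes) are constructed for the example; verifying the signature itself with the certificate's key is the step that follows these checks and is outside this snippet.

```python
from dataclasses import dataclass
from typing import List, Optional

# SignatureSchemes that a given certificate key type can legitimately produce
# (constructed subset of the RFC 8446 section 4.2.3 registry).
COMPATIBLE = {
    "rsa": {"rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512"},
    "ecdsa_p256": {"ecdsa_secp256r1_sha256"},
    "ecdsa_p384": {"ecdsa_secp384r1_sha384"},
    "ed25519": {"ed25519"},
}


@dataclass
class Msg:
    kind: str            # "Certificate", "CertificateVerify" or "Finished"
    key_type: str = ""   # Certificate: key type of the leaf; "" = empty certificate list
    sig_alg: str = ""    # CertificateVerify: SignatureScheme named in the message


class HandshakeError(Exception):
    pass


def check_peer_authentication(msgs: List[Msg], require_peer_cert: bool) -> str:
    """Walk the peer's Certificate / CertificateVerify / Finished sequence and
    return the key type that authenticated the peer, or "anonymous" when an
    empty Certificate was acceptable. Any deviation raises HandshakeError."""
    expected: Optional[str] = "Certificate"
    cert_key = ""
    for m in msgs:
        if m.kind != expected:
            # Also catches the missing-CertificateVerify case: Finished
            # arriving while CertificateVerify is still expected.
            raise HandshakeError(f"unexpected {m.kind}, expected {expected}")
        if m.kind == "Certificate":
            if m.key_type == "":
                if require_peer_cert:
                    raise HandshakeError("peer certificate required but Certificate was empty")
                expected = "Finished"          # empty list: no CertificateVerify follows
            else:
                cert_key = m.key_type
                expected = "CertificateVerify"
        elif m.kind == "CertificateVerify":
            # The scheme must belong to the key in the Certificate just seen;
            # a real implementation then verifies the signature with that key.
            if m.sig_alg not in COMPATIBLE.get(cert_key, set()):
                raise HandshakeError(f"{m.sig_alg!r} cannot come from a {cert_key!r} key")
            expected = "Finished"
        else:  # Finished
            expected = None
            break
    if expected is not None:
        raise HandshakeError(f"handshake ended before {expected}")
    return cert_key or "anonymous"


def rejects(msgs: List[Msg], require_peer_cert: bool) -> bool:
    """True when the sequence is refused (convenient for tests and assertions)."""
    try:
        check_peer_authentication(msgs, require_peer_cert)
    except HandshakeError:
        return True
    return False
```

The important property is that the state machine is driven by what was received, not by what the peer claims: a Certificate carrying a key commits the receiver to demanding a CertificateVerify for that key, so neither omitting the message nor naming a scheme for a different key type gets the peer to Finished.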
2491
## New Feature Additions

* Example applications for Renesas RX72N with FreeRTOS+IoT
* Renesas FSP 3.5.0 support for RA6M3
* For TLS 1.3, improved checks on order of received messages.
* Support for use of SHA-3 cryptography instructions available in
  ARMv8.2-A architecture extensions. (For Apple M1)
* Support for use of SHA-512 cryptography instructions available in
  ARMv8.2-A architecture extensions. (For Apple M1)
* Fixes for clang -Os on clang >= 12.0.0
* Expose Sequence Numbers so that Linux TLS (kTLS) can be configured
* Fix bug in TLSX_ALPN_ParseAndSet when using ALPN select callback.
* Allow DES3 with FIPS v5-dev.
* Include HMAC for deterministic ECC sign build
* Add --enable-chrony configure option. This sets build options needed
  to build the Chrony NTP (Network Time Protocol) service.
* Add support for STM32U575xx boards.
* Fixes for NXP’s SE050 Ed25519/Curve25519.
* TLS: Secure renegotiation info on by default for compatibility.
* Inline C code version of ARM32 assembly for cryptographic algorithms
  available and compiling for improved performance on ARM platforms
* Configure HMAC: define NO_HMAC to disable HMAC (default: enabled)
* ISO-TP transport layer support added to wolfio for TLS over CAN Bus
* Fix initialization bug in SiLabs AES support
* Domain and IP check is only performed on leaf certificates

## ARM PSA Support (Platform Security Architecture) API

* Initial support added for ARM’s Platform Security Architecture (PSA)
  API in wolfCrypt, which allows support of ARM PSA enabled devices by
  wolfSSL, wolfSSH, wolfBoot and wolfCrypt FIPS.
* Included algorithms: ECDSA, ECDH, HKDF, AES, SHA1, SHA256, SHA224, RNG

## ECIES Updates

* Support for more encryption algorithms: AES-256-CBC, AES-128-CTR,
  AES-256-CTR
* Support for compressed public keys in messages.

## Math Improvements

* Improved performance of X448 and Ed448 through inlining Karatsuba in
  square and multiplication operations for 128-bit implementation
  (64-bit platforms with 128-bit type support).
* SP Math C implementation: fix for corner case in curve specific
  implementations of Montgomery Reduction (P-256, P-384).
* SP math all: assembly snippets added for ARM Thumb. Performance
  improvement on platform.
* SP math all: ARM64/32 sp_div_word assembly snippets added to remove
  dependency on __udiv3.
* SP C implementation: multiplication of two signed types with overflow
  is undefined in C. Now cast to unsigned type before multiplication is
  performed.
* SP C implementation correctly builds when using CFLAG: -m32

## OpenSSL Compatibility Layer

* Added DH_get_2048_256 to compatibility layer.
* wolfSSLeay_version now returns the version of wolfSSL
* Added C++ exports for APIs in wolfssl/openssl/crypto.h. This allows
  better compatibility when building with a C++ compiler.
* Fix for OpenSSL x509_NAME_hash mismatch
* Implement FIPS_mode and FIPS_mode_set in the compat layer.
* Fix for certreq and certgen options with openssl compatibility
* wolfSSL_BIO_dump() and wolfSSL_OBJ_obj2txt() rework
* Fix IV length bug in EVP AES-GCM code.
* Add new ASN1_INTEGER compatibility functions.
* Fix wolfSSL_PEM_X509_INFO_read with NO_FILESYSTEM

## CMake Updates

* Check for valid override values.
* Add `KEYGEN` option.
* Cleanup help messages.
* Add options to support wolfTPM.

## VisualStudio Updates

* Remove deprecated VS solution
* Fix VS unreachable code warning

## New Algorithms and Protocols

* AES-SIV (RFC 5297)
* DTLS SRTP (RFC 5764), used with WebRTC to agree on profile for new
  real-time session keys
* SipHash MAC/PRF for hash tables. Includes inline assembly for
  x86_64 and AArch64.

## Remove Obsolete Algorithms

* IDEA
* Rabbit
* HC-128

# wolfSSL Release 5.1.1 (Jan 3rd, 2022)
Release 5.1.1 of wolfSSL embedded TLS has a high vulnerability fix:

### Vulnerabilities
* \[High\] In connections using AES-CBC or DES3 with TLS/DTLS 1.2 or 1.1 the IV being used is not random. Users using wolfSSL version 5.0.0 or 5.1.0 doing TLS/DTLS 1.2 or 1.1 connections, without AEAD only, should update the version of wolfSSL used. (CVE-2022-23408)
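
As an added illustration of the defender-side check this entry implies (example code, not wolfSSL's own), the following C walks a captured stream of TLS records and flags TLS 1.1/1.2 application-data records whose explicit CBC IV (the first 16-byte ciphertext block, assuming an AES cipher suite was negotiated) repeats an earlier one. The sample capture is constructed; a repeated IV is only the crudest symptom of a non-random IV, so a clean result does not prove the IVs are random.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_HDR_LEN   5    /* type(1) + version(2) + length(2) */
#define AES_BLOCK_LEN 16   /* explicit IV size for an AES-CBC suite */
#define MAX_TRACKED   64   /* IVs remembered for the repeat check */

/* Constructed sample capture (not real traffic): TLS 1.2 records on
 * the wire. The first and last application-data records carry the
 * same explicit IV; the handshake record in between is ignored. */
static const uint8_t sample_capture[] = {
    /* record 1: application data, version 0x0303, length 32 */
    0x17, 0x03, 0x03, 0x00, 0x20,
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00,
    0xde,0xad,0xbe,0xef,0xde,0xad,0xbe,0xef,0xde,0xad,0xbe,0xef,0xde,0xad,0xbe,0xef,
    /* record 2: handshake (type 22), length 4, skipped by the check */
    0x16, 0x03, 0x03, 0x00, 0x04,
    0x0e, 0x00, 0x00, 0x00,
    /* record 3: application data with a fresh IV */
    0x17, 0x03, 0x03, 0x00, 0x20,
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,
    0xca,0xfe,0xca,0xfe,0xca,0xfe,0xca,0xfe,0xca,0xfe,0xca,0xfe,0xca,0xfe,0xca,0xfe,
    /* record 4: application data reusing the IV of record 1 */
    0x17, 0x03, 0x03, 0x00, 0x20,
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00,
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,
};
static const size_t sample_capture_len = sizeof(sample_capture);

/* Walk the TLS records in buf. For every TLS 1.1 (0x0302) or TLS 1.2
 * (0x0303) application-data record, treat the first AES block as the
 * explicit CBC IV and count IVs that repeat one seen earlier.
 * Returns the number of repeats, or -1 if a record header or body is
 * truncated; *checked (may be NULL) receives the number of records
 * whose IV was inspected. */
int count_repeated_cbc_ivs(const uint8_t *buf, size_t len, size_t *checked)
{
    uint8_t seen[MAX_TRACKED][AES_BLOCK_LEN];
    size_t nseen = 0, off = 0, n = 0;
    int repeats = 0;

    while (off < len) {
        if (len - off < TLS_HDR_LEN)
            return -1;                          /* truncated header */
        uint8_t  type = buf[off];
        uint16_t ver  = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]);
        uint16_t rlen = (uint16_t)((buf[off + 3] << 8) | buf[off + 4]);
        off += TLS_HDR_LEN;
        if (rlen > len - off)
            return -1;                          /* truncated body */

        if (type == 23 && (ver == 0x0302 || ver == 0x0303)
            && rlen >= AES_BLOCK_LEN) {
            const uint8_t *iv = buf + off;
            int dup = 0;
            n++;
            for (size_t i = 0; i < nseen; i++) {
                if (memcmp(seen[i], iv, AES_BLOCK_LEN) == 0) {
                    dup = 1;
                    break;
                }
            }
            if (dup)
                repeats++;
            else if (nseen < MAX_TRACKED)
                memcpy(seen[nseen++], iv, AES_BLOCK_LEN);
        }
        off += rlen;
    }
    if (checked)
        *checked = n;
    return repeats;
}

int main(void)
{
    size_t n = 0;
    int r = count_repeated_cbc_ivs(sample_capture, sample_capture_len, &n);
    printf("%zu CBC records inspected, %d repeated explicit IV(s)\n", n, r);
    return r > 0 ? 1 : 0;
}
```

Run it against the constructed capture and it reports three inspected records and one repeated IV; on real traffic the explicit IV is only meaningful once the handshake shows a CBC suite was chosen.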
# wolfSSL Release 5.1.0 (Dec 27, 2021)
Release 5.1.0 of wolfSSL embedded TLS has bug fixes and new features including:

### Vulnerabilities
* \[Low\] Potential for DoS attack on a wolfSSL client due to processing hello packets of the incorrect side. This affects only connections using TLS v1.2 or less that have also been compromised by a man in the middle attack. Thanks to James Henderson, Mathy Vanhoef, Chris M. Stone, Sam L. Thomas, Nicolas Bailleut, and Tom Chothia (University of Birmingham, KU Leuven, ENS Rennes) for the report.
* \[Low\] Client side session resumption issue once the session resumption cache has been filled up. The hijacking of a session resumption has been demonstrated so far with only non verified peer connections. That is where the client is not verifying the server's CA that it is connecting to. There is the potential though for other cases involving proxies that are verifying the server to be at risk; if using wolfSSL in a case involving proxies, use wolfSSL_get1_session and then wolfSSL_SESSION_free when done where possible. If not adding in the session get/free function calls we recommend that users of wolfSSL that are resuming sessions update to the latest version (wolfSSL version 5.1.0 or later). Thanks to the UK's National Cyber Security Centre (NCSC) for the report.

### New Feature Additions
###### Ports
* Curve25519 support with NXP SE050 added
* Renesas RA6M4 support with SCE Protected Mode and FSP 3.5.0
* Renesas TSIP 1.14 support for RX65N/RX72N

###### Post Quantum
* Post quantum resistant algorithms used with Apache port
* NIST round 3 FALCON Signature Scheme support added to TLS 1.3 connections
* FALCON added to the benchmarking application
* Testing of cURL with wolfSSL post quantum resistant build

###### Compatibility Layer Additions
* Updated NGINX port to NGINX version 1.21.4
* Updated Apache port to Apache version 2.4.51
* Add support for SSL_OP_NO_TLSv1_2 flag with wolfSSL_CTX_set_options function
* Support added for the functions
    - SSL_CTX_get_max_early_data
    - SSL_CTX_set_max_early_data
    - SSL_set_max_early_data
    - SSL_get_max_early_data
    - SSL_CTX_clear_mode
    - SSL_CONF_cmd_value_type
    - SSL_read_early_data
    - SSL_write_early_data

###### Misc.
* Crypto callback support for AES-CCM added. A callback function can be registered and used instead of the default AES-CCM implementation in wolfSSL.
* Added AES-OFB to the FIPS boundary for future FIPS validations.
* Add support for custom OIDs used with CSR (certificate signing request) generation using the macro WOLFSSL_CUSTOM_OID
* Added HKDF extract callback function for use with TLS 1.3
* Add variant from RFC6979 of deterministic ECC signing that can be enabled using the macro WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT
* Added the function wc_GetPubKeyDerFromCert to get the public key from a DecodedCert structure
* Added the functions wc_InitDecodedCert, wc_ParseCert and wc_FreeDecodedCert for access to decoding a certificate into a DecodedCert structure
* Added the macro WOLFSSL_ECC_NO_SMALL_STACK for hybrid builds where the numerous malloc/free with ECC is undesired but small stack use is desired throughout the rest of the library
* Added the function wc_d2i_PKCS12_fp for reading a PKCS12 file and parsing it

### Fixes
###### PORT Fixes
* Building with Android wpa_supplicant and KeyStore
* Setting initial value of CA certificate with TSIP enabled
* Cryptocell ECC build fix and fix with RSA disabled
* IoT-SAFE improvement for Key/File slot ID size, fix for C++ compile, and fixes for retrieving the public key after key generation

###### Math Library Fixes
* Check return values on TFM library Montgomery function in case the system runs out of memory. This resolves an edge case of invalid ECC signatures being created.
* SP math library sanity check on size of values passed to sp_gcd.
* SP math library sanity check on exponentiation by 0 with mod_exp
* Update base ECC mp_sqrtmod_prime function to handle an edge case of zero
* TFM math library with Intel MULX multiply fix for carry in assembly code

###### Misc.
* Fix for potential heap buffer overflow with compatibility layer PEM parsing
* Fix for edge memory leak case with an error encountered during TLS resumption
* Fix for length on inner sequence created with wc_DhKeyToDer when handling small DH keys
* Fix for sanity check on input argument to DSA sign and verify
* Fix for setting of the return value with ASN1 integer get on an i386 device
* Fix for BER to DER size checks with PKCS7 decryption
* Fix for memory leak with PrintPubKeyEC function in compatibility layer
* Edge case with deterministic ECC key generation when the private key has leading 0s
* Fix for build with OPENSSL_EXTRA and NO_WOLFSSL_STUB both defined
* Use page aligned memory with ECDSA signing and KCAPI
* Skip expired sessions for TLS 1.3 rather than turning off the resume behavior
* Fix for DTLS handling dropped or retransmitted messages

### Improvements/Optimizations
###### Build Options and Warnings
* Bugfix: could not build with liboqs and without DH enabled
* Build with macro NO_ECC_KEY_EXPORT fixed
* Fix for building with the macro HAVE_ENCRYPT_THEN_MAC when session export is enabled
* Building with wolfSentry and HAVE_EX_DATA macro set

###### Math Libraries
* Improvement for performance with SP C implementation of Montgomery reduction for ECC (P256 and P384) and SP ARM64 implementation for ECC (P384)
* With SP math handle case of dividing by length of dividend
* SP math improvement for lo/hi register names to be used with older GCC compilers

###### Misc.
* ASN name constraints checking code refactor for better efficiency and readability
* Refactor of compatibility layer stack freeing calls to simplify and reduce code
* Scrubbed code for trailing spaces, hard tabs, and any control characters
* Explicit check that leaf certificate's public key type matches cipher suite signature algorithm
* Additional NULL sanity checks on WOLFSSL struct internally and improve switch statement fallthrough
* Retain OCSP error value when CRL is enabled with certificate parsing
* Update to NATIVE LwIP support for TCP use
* Sanity check on PEM size when parsing a PEM with OpenSSL compatibility layer API.
* SWIG wrapper was removed from the codebase in favor of dedicated Java and Python wrappers.
* Updates to bundled example client for when to load the CA, handling print out of IP alt names, and printing out the peer's certificate in PEM format
* Handling BER encoded inner content type with PKCS7 verify
* Checking for SOCKET_EPIPE errors from low level socket
* Improvements to cleanup in the case that wolfSSL_Init fails
* Update test and example certificates expiration dates


# wolfSSL Release 5.0.0 (Nov 01, 2021)
Release 5.0.0 of wolfSSL embedded TLS has bug fixes and new features including:

### Vulnerabilities
* \[Low\] Hang with DSA signature creation when a specific q value is used in a maliciously crafted key. If a DSA key with an invalid q value of either 1 or 0 was decoded and used for creating a signature, it would result in a hang in wolfSSL. Users that are creating signatures with DSA and are using keys supplied from an outside source are affected.
* \[Low\] Issue with incorrectly validating a certificate that has multiple subject alternative names when given a name constraint. In the case where more than one subject alternative name is used in the certificate, previous versions of wolfSSL could incorrectly validate the certificate. Users verifying certificates with multiple alternative names and name constraints are recommended to either use the certificate verify callback to check for this case or update the version of wolfSSL used. Thanks to Luiz Angelo Daros de Luca for the report.

### New Feature Additions
###### New Product
* FIPS 140-3 -- currently undergoing laboratory testing, code review and ultimately CMVP validation. Targeting the latest FIPS standard.

###### Ports
* IoT-Safe with TLS demo
* SE050 port with support for RNG, SHA, AES, ECC (sign/verify/shared secret) and ED25519
* Support for Renesas TSIP v1.13 on RX72N

###### Post Quantum
* Support for OQS's (liboqs version 0.7.0) implementation of NIST Round 3 KEMs as TLS 1.3 groups --with-liboqs
* Hybridizing NIST ECC groups with the OQS groups
* Remove legacy NTRU and QSH
* Make quantum-safe groups available to the compatibility layer

###### Linux Kernel Module
* Full support for FIPS 140-3, with in-kernel power on self test (POST) and conditional algorithm self test(s) (CAST)
* --enable-linuxkm-pie -- position-independent in-kernel wolfCrypt container, for FIPS
* Vectorized x86 acceleration in PK algs (RSA, ECC, DH, DSA) and AES/AES-GCM
* Vectorized x86 acceleration in interrupt handlers
* Support for Linux-native module signatures
* Complete SSL/TLS and Crypto API callable from other kernel module(s)
* Support for LTS kernel lines: 3.16, 4.4, 4.9, 5.4, 5.10

###### Compatibility Layer Additions
* Ports
    - Add support for libssh2
    - Add support for pyOpenSSL
    - Add support for libimobiledevice
    - Add support for rsyslog
    - Add support for OpenSSH 8.5p1
    - Add support for Python 3.8.5
* API/Structs Added
    - ERR_lib_error_string
    - EVP_blake2
    - wolfSSL_set_client_CA_list
    - wolfSSL_EVP_sha512_224
    - wolfSSL_EVP_sha512_256
    - wc_Sha512_224/256Hash
    - wc_InitSha512_224/256
    - wc_InitSha512_224/256_ex
    - wc_Sha512_224/256Update
    - wc_Sha512_224/256FinalRaw
    - wc_Sha512_224/256Final
    - wc_Sha512_224/256Free
    - wc_Sha512_224/256GetHash
    - wc_Sha512_224/256Copy
    - wc_Sha512_224/256SetFlags
    - wc_Sha512_224/256GetFlags
    - wc_Sha512_224/256Transform
    - EVP_MD_do_all and OBJ_NAME_do_all
    - EVP_shake128
    - EVP_shake256
    - SSL_CTX_set_num_tickets
    - SSL_CTX_get_num_tickets
    - SSL_CIPHER_get_auth_nid
    - SSL_CIPHER_get_cipher_nid
    - SSL_CIPHER_get_digest_nid
    - SSL_CIPHER_get_kx_nid
    - SSL_CIPHER_is_aead
    - SSL_CTX_set_msg_callback
    - a2i_IPADDRESS
    - GENERAL_NAME_print
    - X509_VERIFY_PARAM_set1_ip
    - EVP_CIPHER_CTX_set_iv_length
    - PEM_read_bio_RSA_PUBKEY
    - i2t_ASN1_OBJECT
    - DH_set_length
    - Set_tlsext_max_fragment_length
    - AUTHORITY_INFO_ACCESS_free
    - EVP_PBE_scrypt
    - ASN1_R_HEADER_TOO_LONG
    - ERR_LIB
    - X509_get_default_cert_file/file_env/dir/dir_env() stubs
    - SSL_get_read_ahead/SSL_set_read_ahead()
    - SSL_SESSION_has_ticket()
    - SSL_SESSION_get_ticket_lifetime_hint()
    - DIST_POINT_new
    - DIST_POINT_free
    - DIST_POINTS_free
    - CRL_DIST_POINTS_free
    - sk_DIST_POINT_push
    - sk_DIST_POINT_value
    - sk_DIST_POINT_num
    - sk_DIST_POINT_pop_free
    - sk_DIST_POINT_free
    - X509_get_extension_flags
    - X509_get_key_usage
    - X509_get_extended_key_usage
    - ASN1_TIME_to_tm
    - ASN1_TIME_diff
    - PEM_read_X509_REQ
    - ERR_load_ERR_strings
    - BIO_ssl_shutdown
    - BIO_get_ssl
    - BIO_new_ssl_connect
    - BIO_set_conn_hostname
    - NID_pkcs9_contentType

###### Misc.
* KCAPI: add support for using libkcapi for crypto (Linux Kernel)
* Configure option for --with-max-rsa-bits= and --with-max-ecc-bits=
* SP ARM Thumb support for Keil and performance improvements
* Add support for WOLFSSL_VERIFY_POST_HANDSHAKE verify mode
* PKCS #11: support static linking with PKCS #11 library --enable-pkcs11=static LIBS=-l
* Add build option --enable-wolfclu for use with wolfCLU product
* Add support for X9.42 header i.e. "BEGIN X9.42 DH PARAMETERS"
* Add --enable-altcertchains for configuring wolfSSL with alternate certificate chains feature enabled
* Add public API wc_RsaKeyToPublicDer_ex to allow getting RSA public key without ASN.1 header (can return only seq + n + e)
* Add SNI and TLSx options to CMake build

### Fixes
###### PORT Fixes
* Add return value checking for FREESCALE_RNGA
* Fix MMCAU_SHA256 type warnings
* Fixes for building with Microchip XC32 and ATECC

###### Math Library Fixes
* TFM check that the modulus length is valid for fixed data array size
* TFM fp_submod_ct fix check for greater
* Check return value of mp_grow in mp_mod_2d
* Fix for ECC point multiply to error out on large multipliers
* SP ECC error on multiplier larger than curve order

###### TLS 1.3
* TLS1.3 sanity check for cases where a private key is larger than the configured maximum
* Fix early data max size handling in TLS v1.3
* Fixes for PK callbacks with TLS v1.3
* Check min downgrade when no extensions are sent with the ServerHello

###### Misc.
* Previously wolfSSL enum values were used as NIDs. Now only the compatibility layer NID enums are the NID values:
    - CTC_SHAwDSA -> NID_dsaWithSHA1
    - CTC_SHA256wDSA -> NID_dsa_with_SHA256
    - CTC_MD2wRSA -> NID_md2WithRSAEncryption
    - CTC_MD5wRSA -> NID_md5WithRSAEncryption
    - CTC_SHAwRSA -> NID_sha1WithRSAEncryption
    - CTC_SHA224wRSA -> NID_sha224WithRSAEncryption
    - CTC_SHA256wRSA -> NID_sha256WithRSAEncryption
    - CTC_SHA384wRSA -> NID_sha384WithRSAEncryption
    - CTC_SHA512wRSA -> NID_sha512WithRSAEncryption
    - CTC_SHA3_224wRSA -> NID_RSA_SHA3_224
    - CTC_SHA3_256wRSA -> NID_RSA_SHA3_256
    - CTC_SHA3_384wRSA -> NID_RSA_SHA3_384
    - CTC_SHA3_512wRSA -> NID_RSA_SHA3_512
    - CTC_SHAwECDSA -> NID_ecdsa_with_SHA1
    - CTC_SHA224wECDSA -> NID_ecdsa_with_SHA224
    - CTC_SHA256wECDSA -> NID_ecdsa_with_SHA256
    - CTC_SHA384wECDSA -> NID_ecdsa_with_SHA384
    - CTC_SHA512wECDSA -> NID_ecdsa_with_SHA512
    - CTC_SHA3_224wECDSA -> NID_ecdsa_with_SHA3_224
    - CTC_SHA3_256wECDSA -> NID_ecdsa_with_SHA3_256
    - CTC_SHA3_384wECDSA -> NID_ecdsa_with_SHA3_384
    - CTC_SHA3_512wECDSA -> NID_ecdsa_with_SHA3_512
    - DSAk -> NID_dsa
    - RSAk -> NID_rsaEncryption
    - ECDSAk -> NID_X9_62_id_ecPublicKey
    - BASIC_CA_OID -> NID_basic_constraints
    - ALT_NAMES_OID -> NID_subject_alt_name
    - CRL_DIST_OID -> NID_crl_distribution_points
    - AUTH_INFO_OID -> NID_info_access
    - AUTH_KEY_OID -> NID_authority_key_identifier
    - SUBJ_KEY_OID -> NID_subject_key_identifier
    - INHIBIT_ANY_OID -> NID_inhibit_any_policy
* Fix for DES IV size used with FIPSv2
* Fix signed comparison issue with serialSz
* Fix missing CBIOSend and properly guard hmac in DupSSL()
* Fix calculation of length of encoding in ssl.c
* Fix encoding to check proper length in asn.c
* Fix for wc_ecc_ctx_free and heap hint
* Fix for debug messages with AF_ALG build
* Fix for static memory with bucket size matching.
* Fixes for SRP with heap hint.
* Fixes for CAAM build macros and spelling for Keil build
* Sniffer fix for possible math issue around 64-bit pointer and 32-bit unsigned int
* Fix for sniffer TCP sequence rollover
* wolfSSL_PEM_write_bio_PUBKEY to write only the public part
* Fix for sending only supported groups in TLS extension
* Fix for sniffer to better handle spurious retransmission edge case
* SSL_set_alpn_protos and SSL_CTX_set_alpn_protos now return 0 on success, non-0 on failure to better match expected return values
* Fixes issue with SSL_CTX_set1_curves_list and SSL_set1_curves_list not checking the last character of the names variable provided
* Fixes and improvements for crypto callbacks with TLS (mutual auth)
* Fix for bad memory_mutex lock on static memory cleanup
* Zero terminate name constraints strings when parsing certificates
* Fix for verifying a certificate when multiple permitted name constraints are used
* Fix typo in ifdef for HAVE_ED448
* Fix typos in comments in SHA512
* Add sanity check on buffer size with ED25519 key decode
* Sanity check on PKCS7 stream amount read
* PKCS7 fix for double free on error case and sanity check on set serial number
* Sanity check on PKCS7 input size wc_PKCS7_ParseSignerInfo
* Forgive a DTLS session trying to send too much at once

### Improvements/Optimizations
###### Build Options and Warnings
* Rework of RC4 disable by default and deprecation
* wolfSSL as a Zephyr module (without setup.sh)
* Add include config.h to bio.c
* Support for PKCS7 without AES CBC.
* Fixes for building without AES CBC
* Added WOLFSSL_DH_EXTRA to --enable-all and --enable-sniffer
* Add a CMake option to build wolfcrypt test and bench code as libraries
* GCC makefile: allow overriding and provide more flexibility

###### Math Libraries
* Improve performance of fp_submod_ct() and fp_addmod_ct()
* Improve performance of sp_submod_ct() and sp_addmod_ct()
* SP int, handle even modulus with exponentiation

###### Misc.
* Cleanups for Arduino examples and memory documentation
* Refactor hex char to byte conversions
* Added GCC-ARM TLS server example
* Improvements to session locking to allow per-row locking
* Improved sniffer statistics and documentation
* EVP key support for heap hint and crypto callbacks
* Reduced stack size for dh_generation_test and Curve ASN functions
* Espressif README Syntax / keyword highlighting / clarifications
* AARCH64 SHA512: implementation using crypto instructions added
* wc_RsaPSS_CheckPadding_ex2 added for use with HEAP hint
* wc_AesKeyWrap_ex and wc_AesKeyUnWrap_ex bound checks on input and output sizes
* Add additional error handling to wolfSSL_BIO_get_len
* Add code to use popen and the command 'host', useful with qemu
* Adjustment to subject alt names order with compatibility layer to better match expected order
* Reduce BIO compatibility layer verbosity
* Set a default upper bound on error queue size with compatibility layer
* WOLFSSL_CRL_ALLOW_MISSING_CDP macro to skip CRL verification when the peer cert has no CDP
* Fixes for scan-build LLVM-13 and expanded coverage
* Increase the default DTLS_MTU_ADDITIONAL_READ_BUFFER and make it adjustable

# wolfSSL Release 4.8.1 (July 16, 2021)
Release 4.8.1 of wolfSSL embedded TLS has an OCSP vulnerability fix:

### Vulnerabilities
* [High] OCSP verification issue when response is for a certificate with no relation to the chain in question BUT that response contains the NoCheck extension which effectively disables ALL verification of that one cert. Users who should upgrade to 4.8.1 are TLS client users doing OCSP, TLS server users doing mutual auth with OCSP, and CertManager users doing OCSP independent of TLS. Thanks to Jan Nauber, Marco Smeets, Werner Rueschenbaum and Alissa Kim of Volkswagen Infotainment for the report.


# wolfSSL Release 4.8.0 (July 09, 2021)
Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features including:

### Vulnerabilities
* [Low] CVE-2021-37155: OCSP request/response verification issue. In the case that the serial number in the OCSP request differs from the serial number in the OCSP response the error from the comparison was not resulting in a failed verification. We recommend users that have wolfSSL version 4.6.0 and 4.7.0 with OCSP enabled update their version of wolfSSL. Version 4.5.0 and earlier are not affected by this report. Thanks to Rainer Mueller-Amersdorffer, Roee Yankelevsky, Barak Gutman, Hila Cohen and Shoshi Berko (from CYMOTIVE Technologies and CARIAD) for the report.
* [Low] CVE-2021-24116: Side-Channel cache look up vulnerability in base64 PEM decoding for versions of wolfSSL 4.5.0 and earlier. Versions 4.6.0 and up contain a fix and do not need to be updated for this report. If decoding a PEM format private key using version 4.5.0 and older of wolfSSL then we recommend updating the version of wolfSSL used. Thanks to Florian Sieck, Jan Wichelmann, Sebastian Berndt and Thomas Eisenbarth for the report.

### New Feature Additions
###### New Product
* Added wolfSentry build with --enable-wolfsentry and tie-ins to wolfSSL code for use with wolfSentry

###### Ports
* QNX CAAM driver added, supporting ECC black keys, CMAC, BLOBs, and TRNG use
* _WIN32_WCE wolfCrypt port added
* INTIME_RTOS directory support added
* Added support for STM32G0
* Renesas RX: Added intrinsics for rot[rl], revl (thanks @rliebscher)
* Added support for running wolfcrypt/test/testwolfcrypt on Dolphin emulator to test DEVKITPRO port
* Zephyr project port updated to latest version 2.6.X

###### ASN1 and PKCS
* Storing policy constraint extension from certificate added
* Added support for NID_favouriteDrink pilot
* Added the API function wc_EncryptPKCS8Key to handle encrypting a DER, PKCS#8-formatted key

###### Compatibility Layer Additions
* Open Source PORTS Added/Updated
    - OpenVPN
    - OpenLDAP
    - socat-1.7.4.1
    - Updated QT port for 5.15.2
* Changes to extend set_cipher_list() compatibility layer API to have set_ciphersuites compatibility layer API capability
* Added more support for SHA3 in the EVP layer
* API Added
    - MD5/MD5_Transform
    - SHA/SHA_Transform/SHA1_Transform
    - SHA224/SHA256_Transform/SHA512_Transform
    - SSL_CTX_get0_param/SSL_CTX_set1_param
    - X509_load_crl_file
    - SSL_CTX_get_min_proto_version
    - EVP_ENCODE_CTX_new
    - EVP_ENCODE_CTX_free
    - EVP_EncodeInit
    - EVP_EncodeUpdate
    - EVP_EncodeFinal
    - EVP_DecodeInit
    - EVP_DecodeUpdate
    - EVP_DecodeFinal
    - EVP_PKEY_print_public
    - BIO_tell
    - THREADID_current
    - THREADID_hash
    - SSL_CTX_set_ecdh_auto
    - RAND_set_rand_method()
    - X509_LOOKUP_ctrl()
    - RSA_bits
    - EC_curve_nist2nid
    - EC_KEY_set_group
    - SSL_SESSION_set_cipher
    - SSL_set_psk_use_session_callback
    - EVP_PKEY_param_check
    - DH_get0_pqg
    - CRYPTO_get_ex_new_index
    - SSL_SESSION_is_resumable
    - SSL_CONF_cmd
    - SSL_CONF_CTX_finish
    - SSL_CTX_keylog_cb_func
    - SSL_CTX_set_keylog_callback
    - SSL_CTX_get_keylog_callback

###### Misc.
* Added wolfSSL_CTX_get_TicketEncCtx getter function to return the ticket encryption ctx value
* Added wc_AesKeyWrap_ex and wc_AesKeyUnWrap_ex APIs to accept an Aes object to use for the AES operations
* Added implementation of AES-GCM streaming (--enable-aesgcm-stream)
* Added deterministic generation of k with ECC following RFC6979 when the macro WOLFSSL_ECDSA_DETERMINISTIC_K is defined and wc_ecc_set_deterministic function is called
* Implemented wc_DsaParamsDecode and wc_DsaKeyToParamsDer
* Asynchronous support for TLS v1.3 TLSX ECC/DH key generation and key agreement
* Added crypto callback support for Ed/Curve25519 and SHA2-512/384
* TLS 1.3 wolfSSL_key_update_response function added to see if an update response is needed

### Fixes
* Fix for detecting extra unused bytes that are in an ASN1 sequence appended to the end of a valid ECC signature
* Fix for keyid with ktri CMS (breaks compatibility with previous keyid ASN1 syntax)
* Fix for failed handshake if a client offers more than 150 cipher suites. Thanks to Marcel Maehren, Philipp Nieting, Robert Merget from Ruhr University Bochum, and Sven Hebrok, Juraj Somorovsky from Paderborn University
* Fix for default order of deprecated elliptic curves SECP224R1, SECP192R1, SECP160R1. Thanks to Marcel Maehren, Philipp Nieting, Robert Merget from Ruhr University Bochum, and Sven Hebrok, Juraj Somorovsky from Paderborn University
* Fix for corner TLS downgrade case where a TLS 1.3 setup that allows for downgrades but has TLS 1.3 set as the minimum version would still downgrade to TLS 1.2

###### PKCS7 (Multiple fixes throughout regarding memory leaks with SMIME and heap buffer overflows due to streaming functionality)
* Fix PKCS7 dynamic content save/restore in PKCS7_VerifySignedData
* Fix for heap buffer overflow on compare with wc_PKCS7_DecryptKtri
* Fix for heap buffer overflow with wc_PKCS7_VerifySignedData
* Fix for heap buffer overflow with wc_PKCS7_DecodeEnvelopedData
* Check size of public key used with certificate passed into wc_PKCS7_InitWithCert before XMEMCPY to avoid overflow
* Fix for heap buffer overflow with wolfSSL_SMIME_read_PKCS7
* Fix to cleanly free memory in error state with wolfSSL_SMIME_read_PKCS7
* SMIME error checking improvements and canonicalize multi-part messages before hashing

###### DTLS Fixes
* DTLS fix to correctly move the Tx sequence number forward
* DTLS fix for sequence and epoch number with secure renegotiation cookie exchange
* Fix for Chacha-Poly AEAD for DTLS 1.2 with secure renegotiation

###### PORT Fixes
* Fix AES, aligned key for the HW module with DCP port
* Fix ATECC608A TNGTLS certificate size issue (thanks @vppillai)
* Fixes for mingw compile warnings
* Fixes for NXP LTC ECC/RSA
* Fix ESP32 RSA hw accelerator initialization issue
* Fixes for STM32 PKA with ECC
* Fixes for STM32 AES GCM for HAL's that support byte sized headers
* Espressif ESP32 SHA_CTX macro conflict resolved

###### Math Library Fixes
* For platforms that support limits.h or windows make sure both SIZEOF_LONG_LONG and SIZEOF_LONG are set to avoid issues with CTC_SETTINGS
* SP C 32/64: fix corner cases around subtraction affecting RSA PSS use
* Fix to return the error code from sp_cond_swap_ct when malloc fails
* Fix potential memory leak with small stack in the function fp_gcd

###### Static Analysis Fixes
* Fixes made from Coverity analysis including:
    - Cleanups for some return values
    - Fix for leak with wolfSSL_a2i_ASN1_INTEGER
    - Sanity check on length in wolfSSL_BN_rand
    - Sanity check size in TLSX_Parse catching a possible integer overflow
* Fixes found with -fsanitize=undefined testing
    - Fix null dereferences or undefined memcpy calls
    - Fix alignment in myCryptoDevCb
    - Fix default DTLS context assignment
    - Added align configure option to force data alignment

###### Misc.
* Fix for wolfSSL_ASN1_TIME_adj set length
* Fix for freeing structure on error case in the function AddTrustedPeer
* Return value of SSL_read when called after bidirectional shutdown
* Fix for build options ./configure --enable-dtls --disable-asn
* Fix for detection of a salt length from an RSA PSS signature
* Fix to free up globalRNGMutex mutex when cleaning up global RNG
* Fix leak when multiple hardware names are in SAN
* Fix nonblocking ret value from CRL I/O callbacks
* Fix wolfSSL_BIO_free_all return type to better match for compatibility layer
* Fix for make distcheck, maintainer-clean, to allow distribution builds
* Fix for async with fragmented packets
* Fix for the build with RSA verify only or public key only
* Fix for return value of wolfSSL_BIO_set_ssl to better match expected compatibility layer return value
* Fix for sanity checks on size of issuer hash and key along with better freeing on error cases with DecodeBasicOcspResponse
* Fix for potential memory leak with wolfSSL_OCSP_cert_to_id

### Improvements/Optimizations
###### DTLS/TLS Code Base
* Improved TLS v1.3 time rollover support
* TLS 1.3 PSK: use the hash algorithm to choose cipher suite
* TLS Extended Master Secret ext: TLS13 - send in second Client Hello if in first
* TLS Encrypt then MAC: check all padding bytes are the same value
* wolfSSL_GetMaxRecordSize updated to now take additional cipher data into account
* Updated session export/import with DTLS to handle a new internal options flag
* Refactored dtls_expected_peer_handshake_number handling
* Added wolfSSL_CTX_get_ephemeral_key and wolfSSL_get_ephemeral_key for loading a constant key in place of an ephemeral one
* Improved checking of XSNPRINTF return value in DecodePolicyOID
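
To show what the Encrypt-then-MAC padding entry in the list above means in practice, here is an added example (not wolfSSL's code) of a TLS 1.2 CBC padding check that requires every padding byte to equal the padding length (RFC 5246, 6.2.3.2), next to the lax length-byte-only check it replaces. The sample records are constructed and assume the MAC has already been verified and stripped, as Encrypt-then-MAC allows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Validate TLS 1.2 CBC block-cipher padding (RFC 5246, 6.2.3.2) on a
 * decrypted record: the final byte is padding_length, and each of the
 * padding_length bytes before it must hold that same value. With
 * Encrypt-then-MAC the MAC is checked and removed before this point,
 * so rec holds only content plus padding. Every padding byte is
 * visited regardless of where a mismatch sits, so the loop does not
 * reveal the position of a bad byte through its running time.
 * Returns 1 for valid padding, 0 otherwise. */
int tls_cbc_padding_valid(const uint8_t *rec, size_t len)
{
    if (len == 0)
        return 0;
    uint8_t pad_len = rec[len - 1];
    if ((size_t)pad_len + 1 > len)      /* padding cannot exceed the record */
        return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i <= pad_len; i++)
        diff |= (uint8_t)(rec[len - 1 - i] ^ pad_len);
    return diff == 0;
}

/* The lax variant that trusts the length byte alone and never looks at
 * the other padding bytes; shown only to contrast with the full check. */
int tls_cbc_padding_length_only(const uint8_t *rec, size_t len)
{
    if (len == 0)
        return 0;
    return (size_t)rec[len - 1] + 1 <= len;
}

/* Constructed records: content "hello" followed by padding. */
static const uint8_t rec_good[]  = { 'h','e','l','l','o', 0x03,0x03,0x03,0x03 };
/* Same layout, but one padding byte does not match the length byte. */
static const uint8_t rec_bad[]   = { 'h','e','l','l','o', 0x03,0x00,0x03,0x03 };
/* Length byte claims more padding than the record holds. */
static const uint8_t rec_short[] = { 0x05, 0x05 };

int main(void)
{
    printf("good:  strict=%d lax=%d\n",
           tls_cbc_padding_valid(rec_good, sizeof rec_good),
           tls_cbc_padding_length_only(rec_good, sizeof rec_good));
    printf("bad:   strict=%d lax=%d\n",
           tls_cbc_padding_valid(rec_bad, sizeof rec_bad),
           tls_cbc_padding_length_only(rec_bad, sizeof rec_bad));
    printf("short: strict=%d lax=%d\n",
           tls_cbc_padding_valid(rec_short, sizeof rec_short),
           tls_cbc_padding_length_only(rec_short, sizeof rec_short));
    return 0;
}
```

The lax check accepts rec_bad because it never reads the 0x00 byte; the strict check rejects it.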

###### Build Options and Warnings
* Added wolfSSL_CTX_set_verify to the ABI list
* Adjusted FP_ECC build to not allow SECP160R1, SECP160R2, SECP160K1 and SECP224K1. FP_ECC does not work with scalars that are the length of the order when the order is longer than the prime.
* Added CMake support for CURVE25519, ED25519, CURVE448, and ED448
* cmake addition to test paths when building
* Added support for session tickets in CMake
* Added support for reproducible builds with CMake
* Turn on reproducible-build by default when enable-distro
* Windows Project: Include the X448 and Ed448 files
* GCC-11 compile time warning fixes
* Fix for compiling build of ./configure '--disable-tlsv12' '-enable-pkcallbacks'
* Added build error for insecure build combination of secure renegotiation enabled with extended master secret disabled when session resumption is enabled
* Updated building and running with Apple M1
* Apache httpd build without TLS 1.3 macro guard added
* Enable SHA3 and SHAKE256 requirements automatically when ED448 is enabled
* Added option for AES CBC cipher routines to return BAD_LENGTH_E when called with an input buffer length not a multiple of AES_BLOCK_SIZE
* Macro WOLFSSL_SP_INT_DIGIT_ALIGN added for alignment on buffers with SP build. This was needed for compiler building on a Renesas board.
* Build support with no hashes enabled and no RNG compiled in
* Allow use of FREESCALE hardware RNG without a specific port
* Resolved some warnings with Windows builds and PBKDF disabled
* Updated the version of autoconf and automake along with fixes for some new GCC-10 warnings

###### Math Libraries
* SP: Thumb implementation that works with clang
* SP math all: sp_cmp handling of negative values
* SP C ECC: mont sub - always normalize after sub before check for add
* TFM math library prime checking, added more error checks with small stack build
* Sanity checks on 0 value with GCD math function
* fp_exptmod_ct error checking and small stack variable free on error
* Sanity check on supported digit size when calling mp_add_d in non fastmath builds
* Support for mp_dump with SP Math ALL
* WOLFSSL_SP_NO_MALLOC for both the normal SP build and small SP build now
* WOLFSSL_SP_NO_DYN_STACK added for SP small code that is not small stack build to avoid dynamic stack

###### PKCS 7/8
* wc_PKCS7_DecodeCompressedData to optionally handle a packet without content wrapping
* Added setting of content type parsed with PKCS7 wc_PKCS7_DecodeAuthEnvelopedData and wc_PKCS7_DecodeEnvelopedData
* PKCS8 code improvements and refactoring

###### Misc.
* Sanity checks on null inputs to the functions wolfSSL_X509_get_serialNumber and wolfSSL_X509_NAME_print_ex
* Added ARM CryptoCell support for importing public key with wc_ecc_import_x963_ex()
* Improved checking for possible use of key->dp == NULL cases with ECC functions
* Updated SHAKE256 to compile with NIST FIPS 202 standard and added support for OID values (thanks to strongX509)
* Improved ECC operations when using WOLFSSL_NO_MALLOC
* Added WOLFSSL_SNIFFER_FATAL_ERROR for a return value when sniffer is in a fatal state
* Allow parsing spaces in Base64_SkipNewline
* Issue callback when exceeding depth limit rather than error out with OPENSSL_EXTRA build
* Added NXP LTC RSA key generation acceleration

# wolfSSL Release 4.7.0 (February 16, 2021)
Release 4.7.0 of wolfSSL embedded TLS has bug fixes and new features including:

### New Feature Additions
* Compatibility Layer expansion SSL_get_verify_mode, X509_VERIFY_PARAM API, X509_STORE_CTX API added
* WOLFSSL_PSK_IDENTITY_ALERT macro added for enabling a subset of TLS alerts
* Function wolfSSL_CTX_NoTicketTLSv12 added to enable turning off session tickets with TLS 1.2 while keeping TLS 1.3 session tickets available
* Implement RFC 5705: Keying Material Exporters for TLS
* Added --enable-reproducible-build flag for making more deterministic library outputs to assist debugging
* Added support for S/MIME (Secure/Multipurpose Internet Mail Extensions) bundles

### Fixes
* Fix to free mutex when cert manager is freed
* Compatibility layer EVP function to return the correct block size and type
* DTLS secure renegotiation fixes including resetting timeout and retransmit on duplicate HelloRequest
* Fix for edge case with shrink buffer and secure renegotiation
* Compile fix for type used with curve448 and PPC64
* Fixes for SP math all with PPC64 and other embedded compilers
* SP math all fix when performing montgomery reduction on one word modulus
* Fixes to SP math all to better support digit size of 8-bit
* Fix for results of edge case with SP integer square operation
* Stop non-ct mod inv from using register x29 with SP ARM64 build
* Fix edge case when generating z value of ECC with SP code
* Fixes for PKCS7 with crypto callback (devId) with RSA and RNG
* Fix for compiling builds with RSA verify and public only
* Fix for PKCS11 not properly exporting the public key due to a missing key type field
* Call certificate callback with certificate depth issues
* Fix for out-of-bounds read in TLSX_CSR_Parse()
* Fix incorrect AES-GCM tag generation in the EVP layer
* Fix for out of bounds write with SP math all enabled and an edge case of calling sp_tohex on the result of sp_mont_norm
* Fix for parameter check in sp_rand_prime to handle 0 length values
* Fix for edge case of failing malloc resulting in an out of bounds write with SHA256/SHA512 when small stack is enabled


### Improvements/Optimizations
* Added --enable-wolftpm option for easily building wolfSSL to be used with wolfTPM
* DTLS macro WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT added for resending flight only after a timeout
* Update linux kernel module to use kvmalloc and kvfree
* Add user settings option to cmake build
* Added support for AES GCM session ticket encryption
* Thread protection for global RNG used by wolfSSL_RAND_bytes function calls
* Sanity check on FIPS configure flag used against the version of FIPS bundle
* --enable-aesgcm=table now is compatible with --enable-linuxkm
* Increase output buffer size that wolfSSL_RAND_bytes can handle
* Out of directory builds resolved, wolfSSL can now be built in a separate directory than the root wolfssl directory

### Vulnerabilities
* [HIGH] CVE-2021-3336: In earlier versions of wolfSSL there exists a potential man in the middle attack on TLS 1.3 clients. Malicious attackers with a privileged network position can impersonate TLS 1.3 servers and bypass authentication. Users that have applications with client side code and have TLS 1.3 turned on, should update to the latest version of wolfSSL. Users that do not have TLS 1.3 turned on, or that are server side only, are NOT affected by this report. For the code change see https://github.com/wolfSSL/wolfssl/pull/3676. Thanks to Aina Toky Rasoamanana and Olivier Levillain from Télécom SudParis for the report.
* [LOW] In the case of using custom ECC curves there is the potential for a crafted compressed ECC key that has a custom prime value to cause a hang when imported. This only affects applications that are loading in ECC keys with wolfSSL builds that have compressed ECC keys and custom ECC curves enabled.
* [LOW] With TLS 1.3 authenticated-only ciphers a section of the server hello could contain 16 bytes of uninitialized data when sent to the connected peer. This affects only a specific build of wolfSSL with TLS 1.3 early data enabled and using authenticated-only ciphers with TLS 1.3.

# wolfSSL Release 4.6.0 (December 22, 2020)
Release 4.6.0 of wolfSSL embedded TLS has bug fixes and new features including:

### New Feature Additions
###### New Build Options
* wolfSSL now enables linux kernel module support. Big news for Linux kernel module developers with crypto requirements! wolfCrypt and wolfSSL are now loadable as modules in the Linux kernel, providing the entire libwolfssl API natively to other kernel modules. For the first time on Linux, the entire TLS protocol stack can be loaded as a module, allowing fully kernel-resident TLS/DTLS endpoints with in-kernel handshaking. (--enable-linuxkm, --enable-linuxkm-defaults, --with-linux-source) (https://www.wolfssl.com/loading-wolfssl-into-the-linux-kernel/)
* Build tests and updated instructions for use with Apple’s A12Z chipset (https://www.wolfssl.com/preliminary-cryptographic-benchmarks-on-new-apple-a12z-bionic-platform/)
* Expansion of wolfSSL SP math implementation and addition of --enable-sp-math-all build option
* Apache httpd w/TLS 1.3 support added
* Sniffer support for TLS 1.3 and AES CCM
* Support small memory footprint build with only TLS 1.3 and PSK without code for (EC)DHE and certificates

###### New Hardware Acceleration
* Added support for NXP DCP (i.MX RT1060/1062) crypto co-processor
* Add Silicon Labs hardware acceleration using [SL SE Manager](https://docs.silabs.com/gecko-platform/latest/service/api/group-sl-se-manager)

###### New Algorithms
* RC2 ECB/CBC added for use with PKCS#12 bundles
* XChaCha and the XChaCha20-Poly1305 AEAD algorithm support added

###### Misc
* Added support for 802.11Q VLAN frames to sniffer
* Added OCSP function wolfSSL_get_ocsp_producedDate
* Added API to set CPU ID flags cpuid_select_flags, cpuid_set_flag, cpuid_clear_flag
* New DTLS/TLS non-blocking Secure Renegotiation example added to server.c and client.c

### Fixes
###### Math Library
* Fix mp_to_unsigned_bin_len out of bounds read with buffers longer than maximum MP
* Fix for fp_read_radix_16 out of bounds read
* Fix to add wrapper for new timing resistant wc_ecc_mulmod_ex2 function version in HW ECC acceleration
* Handle an edge case with RSA-PSS encoding message to hash

###### Compatibility Layer Fixes
* Fix for setting serial number wolfSSL_X509_set_serialNumber
* Fix for setting ASN1 time not before / not after with WOLFSSL_X509
* Fix for order of components in issuer name when using X509_sign
* Fix for compatibility layer API DH_compute_key
* EVP fix incorrect block size for GCM and buffer up AAD for encryption/decryption
* EVP fix for AES-XTS key length return value and fix for string compare calls
* Fix for mutex freeing during RNG failure case with EVP_KEY creation
* Non blocking use with compatibility layer BIOs in TLS connections

###### Build Configuration
* Fix for custom build with WOLFSSL_USER_MALLOC defined
* ED448 compiler warning on Intel 32bit systems
* CURVE448_SMALL build fix for 32bit systems with Curve448
* Fix to build SP math with IAR
* CMake fix to only set ranlib arguments for Mac, and for stray typo of , -> ;
* Build with --enable-wpas=small fix
* Fix for building fips ready using openssl extra
* Fixes for building with Microchip (min/max and undef SHA_BLOCK_SIZE)
* Fix for NO_FILESYSTEM build on Windows
* Fixed SHA256 support for IMX-RT1060
* Fix for ECC key gen with NO_TFM_64BIT

###### Sniffer
* Fixes for sniffer when using static ECC keys. Adds back TLS v1.2 static ECC key fallback detection and fixes new ECC RNG requirement for timing resistance
* Fix for sniffer with SNI enabled to properly handle WOLFSSL_SUCCESS error code in ProcessClientHello
* Fix for sniffer using HAVE_MAX_FRAGMENT in "certificate" type message
* Fix build error with unused "ret" when building with WOLFSSL_SNIFFER_WATCH.
* Fix to not treat cert/key not found as error in myWatchCb and WOLFSSL_SNIFFER_WATCH.
* Sniffer fixes for handling TCP `out-of-range sequence number`
* Fixes SSLv3 use of ECDH in sniffer

###### PKCS
* PKCS#11 fix to generate ECC key for decrypt/sign or derive
* Fix for resetting internal variables when parsing a malformed PKCS#7 bundle with PKCS7_VerifySignedData()
* Verify the extracted public key in wc_PKCS7_InitWithCert
* Fix for internal buffer size when using decompression with PKCS#7

###### Misc
* Pin the C# verify callback function to keep from garbage collection
* DH fixes for when public key is owned and freed after a handshake
* Fix for TLS 1.3 early data packets
* Fix for STM32 issue with some Cube HAL versions and STM32 example timeout
* Fix mmCAU and LTC hardware mutex locking to prevent double lock
* Fix potential race condition with CRL monitor
* Fix for possible malformed encrypted key with 3DES causing negative length
* AES-CTR performance fixed with AES-NI

### Improvements/Optimizations
###### SP and Math
* mp_radix_size adjustment for leading 0
* Resolve implicit cast warnings with SP build
* Change mp_sqr to return an error if the result won't fit into the fixed length dp
* ARM64 assembly with clang improvements, clang doesn't always handle use of x29 (FP or Frame Pointer) in inline assembly code correctly - reworked sp_2048_sqr_8 to not use x29
* SP mod exp changed to support exponents of different lengths
* TFM div: fix initial value of size in q so clamping doesn't OOB read
* Numerous stack depth improvements with --enable-smallstack
* Improve cache resistance with Base64 operations

###### TLS 1.3
* TLS 1.3 wolfSSL_peek want read return addition
* TLS 1.3: Fix P-521 algorithm matching

###### PKCS
* Improvements and refactoring to PKCS#11 key look up
* PKCS #11 changes for signing and loading RSA public key from private
* check PKCS#7 SignedData private key is valid before using it
* check PKCS#7 VerifySignedData content length against total bundle size to avoid large malloc

###### Compatibility Layer
* EVP add block size for more ciphers in wolfSSL_EVP_CIPHER_block_size()
* Return long names instead of short names in wolfSSL_OBJ_obj2txt()
* Add additional OpenSSL compatibility functions to update the version of Apache httpd supported
* add "CCM8" variants to cipher_names "CCM-8" ciphers, for OpenSSL compat

###### Builds
* Cortex-M SP ASM support for IAR 6.70
* STM Cube pack support (IDE/STM32Cube)
* Build option --enable-aesgcm=4bit added for AES-GCM GMULT using 4 bit table
* Xilinx IDE updates to allow XTIME override for Xilinx, spelling fixes in Xilinx README.md, and add Xilinx SDK printf support
* Added ED448 to the "all" options and ED448 check key null argument sanity check
* Added ARC4, 3DES, nullcipher, BLAKE2, BLAKE2s, XChaCha, MD2, and MD4 to the “all” options
* Added an --enable-all-crypto option, to enable only the wolfCrypt features of --enable-all, combinable with --enable-cryptonly
* Added the ability to selectively remove features from --enable-all and --enable-all-crypto using specific --disable-<feature> options
* Use Intel intrinsics with Windows for RDSEED and RDRAND (thanks to dr-m from MariaDB)
* Add option to build with WOLFSSL_NO_CLIENT_AUTH
* Updated build requirements for wolfSSH use to be less restrictive
* lighttpd support update for v1.4.56
* Added batch file to copy files to ESP-IDF folders and resolved warnings when using v4.0 ESP-IDF
* Added --enable-stacksize=verbose, showing at a glance the stack high water mark for each subtest in testwolfcrypt

###### ECC
* Performance increase for ECC verify only, using non constant time SP modinv
* During ECC verify add validation of r and s before any use
* Always use safe add and dbl with ECC
* Timing resistant scalar multiplication updated with use of Joye double-add ladder
* Update mp_jacobi function to reduce stack and increase performance for base ECC build
* Reduce heap memory use with wc_EccPrivateKeyDecode, Improvement to ECC wc_ecc_sig_to_rs and wc_ecc_rs_raw_to_sig to reduce memory use (avoid the mp_int)
* Improve StoreECC_DSA_Sig bounds checking

###### OCSP
* OCSP improvement to handle extensions in singleResponse
* support for OCSP request/response for multiple certificates
* OCSP Must Staple option added to require OCSP stapling response
* Add support for id-pkix-ocsp-nocheck extension

###### Misc
* Additional code coverage added for ECC and RSA, PKCS#7, 3DES, EVP and Blake2b operations
* DTLS MTU: check MTU on write
* Refactor hash sig selection and add the macros WOLFSSL_STRONGEST_HASH_SIG (picks the strongest hash) and WOLFSSL_ECDSA_MATCH_HASH (will pick the hash to match the ECC curve)
* Strict certificate version allowed from client, TLS 1.2 / 1.3 can not accept client certificates lower than version 3
* wolfSSL_get_ciphers_compat(), skip the fake indicator ciphers like the renegotiation indication and the quantum-safe hybrid
* When parsing session ticket, check TLS version to see whether they are version compatible
* Additional sanity check for invalid ASN1 padding on integer type
* Adding in ChaCha20 streaming feature with Mac and Intel assembly build
* Sniffer build with --enable-oldtls option on

# wolfSSL Release 4.5.0 (August 19, 2020)

If you have questions about this release, feel free to contact us on our
info@ address.

Release 4.5.0 of wolfSSL embedded TLS has bug fixes and new features including:

## New Feature Additions

* Added Xilinx Vitis 2019.2 example and README updates
* TLS v1.3 is now enabled by default
* Building FIPS 140-2 code and test on Solaris
* Secure renegotiation with DTLS 1.2
* Update RSA calls for hardware acceleration with Xilsecure
* Additional OpenSSL compatibility layer functions added
* Cypress PSoC6 wolfCrypt driver added
* Added STM32CubeIDE support
* Added certificate parsing and inspection to C# wrapper layer
* TLS v1.3 sniffer support added
* TSIP v1.09 for target board GR-ROSE support added
* Added support for the "X72N Envision Kit" evaluation board
* Support for ECC nonblocking using the configure options
  "--enable-ecc=nonblock --enable-sp=yes,nonblock CFLAGS=-DWOLFSSL_PUBLIC_MP"
* Added wc_curve25519_make_pub function to generate a public key given the
  private one

## Fixes

* PIC32MZ hardware cache and large hashes fix
* AES-GCM use with EVP layer in compatibility layer code
* Fix for RSA_LOW_MEM with ARM build of SP code
* Sanity check on tag length with AES-CCM to conform with RFC 3610
* Fixes for 32 and 64 bit software implementations of SP code when
  WOLFSSL_SP_CACHE_RESISTANT is defined
* GCC warning fixes for GCC 9 and later
* Sanity check on HKDF expand length to conform with RFC 5869
* Fixes for STM32 CubeMX HAL with AES-GCM
* Fixed point cache look up table (LUT) implementation fixes
* Fix for ARM 32bit SP code when calling div word
* Fix for potential out of bounds read when parsing CRLs
* Fix for potential out of bounds read with RSA unpadding
* AES-CCM optimized counter fix
* Updates to Xcode projects for new files and features
* Fix for adding CRLs to a WOLFSSL_X509_STORE structure
* FIPSv2 build with opensslall build fixes
* Fixes for CryptoCell use with ECC and signature wrappers
* Fix for mod calculation with SP code dealing with 3072 bit keys
* Fix for handling certificates with multiple OUs in name
* Fix for SP math implementation of sp_add_d and add a sanity check on
  rshb range
* Fix for sanity check on padding with DES3 conversion of PEM to DER
* Sanity check for potential out of bounds read with fp_read_radix_16
* Additional checking of ECC scalars.
* Fixing the FIPS Ready build w.r.t. ecc.c.
* When processing certificate names with OpenSSL compatibility layer
  enabled, unknown name item types were getting handled as having NID 0,
  and failing. Added a couple more items to what is handled correctly,
  and ignoring anything that is an unknown type.

## Improvements/Optimizations

* TLS 1.3 certificate verify update to handle 8192 bit RSA keys
* wpa_supplicant support with reduced code size option
* TLS 1.3 alerts encrypted when possible
* Many minor coverity fixes added
* Error checking when parsing PKCS12 DER
* IAR warning in test.c resolved
* ATECC608A improvements for use with Harmony 3 and PIC32 MZ
* Support for AES-GCM and wc_SignatureVerifyHash with static memory and no
  mallocs
* Enable SNI by default with JNI/JSSE builds
* NetBSD GCC compiler warnings resolved
* Additional test cases and code coverage added including curve25519 and
  curve448 tests
* Option for user defined mutexes with WOLFSSL_USER_MUTEX
* Sniffer APIs for loading buffer directly
* Fixes and improvements from going through the DO-178 process were added
* Doxygen updates and fixes for auto documentation generation
* Changed the configure option for FIPS Ready builds to be
  `--enable-fips=ready`.

## This release of wolfSSL includes fixes for 6 security vulnerabilities.

wolfSSL version 4.5.0 contains 6 vulnerability fixes: 2 fixes for TLS 1.3,
2 side channel attack mitigations, 1 fix for a potential private key leak
in a specific use case, 1 fix for DTLS.

* In earlier versions of wolfSSL there exists a potential man in the middle
  attack on TLS 1.3 clients. Malicious attackers with a privileged network
  position can impersonate TLS 1.3 servers and bypass authentication. Users
  that have applications with client side code and have TLS 1.3 turned on,
  should update to the latest version of wolfSSL. Users that do not have
  TLS 1.3 turned on, or that are server side only, are NOT affected by this
  report. Thanks to Gerald Doussot from NCC group for the report.
* Denial of service attack on TLS 1.3 servers from repetitively sending
  ChangeCipherSpecs messages. This denial of service results from the
  relatively low effort of sending a ChangeCipherSpecs message versus the
  effort of the server to process that message. Users with TLS 1.3 servers are
  recommended to update to the most recent version of wolfSSL which limits the
  number of TLS 1.3 ChangeCipherSpecs that can be received in order to avoid
  this DoS attack. CVE-2020-12457 was reserved for the report. Thanks to
  Lenny Wang of Tencent Security Xuanwu LAB.
* Potential cache timing attacks on public key operations in builds that are
  not using SP (single precision). Users that have a system where malicious
  agents could execute code on the system, are not using the SP build with
  wolfSSL, and are doing private key operations on the system (such as signing
  with a private key) are recommended to regenerate private keys and update to
  the most recent version of wolfSSL. CVE-2020-15309 is reserved for this
  issue. Thanks to Ida Bruhns from Universität zu Lübeck and Samira Briongos
  from NEC Laboratories Europe for the report.
* When using SGX with EC scalar multiplication the possibility of side-channel
  attacks is present. To mitigate the risk of side channel attacks wolfSSL’s
  single precision EC operations should be used instead. Release 4.5.0 turns
  this on by default now with SGX builds and in previous versions of wolfSSL
  this can be turned on by using the WOLFSSL_SP macros. Thank you to
  Alejandro Cabrera Aldaya, Cesar Pereida García and Billy Bob Brumley from
  the Network and Information Security Group (NISEC) at Tampere University for
  the report.
* Leak of private key in the case that PEM format private keys are bundled in
  with PEM certificates into a single file. This is due to the
  misclassification of certificate type versus private key type when parsing
  through the PEM file. To be affected, wolfSSL would need to have been built
  with OPENSSL_EXTRA (--enable-opensslextra). Some build variants such as
  --enable-all and --enable-opensslall also turn on this code path, checking
  wolfssl/options.h for OPENSSL_EXTRA will show if the macro was used with the
  build. If having built with the opensslextra enable option and having placed
  PEM certificates with PEM private keys in the same file when loading up the
  certificate file, then we recommend updating wolfSSL for this use case and
  also recommend regenerating any private keys in the file.
* During the handshake, clear application_data messages in epoch 0 are
  processed and returned to the application. Fixed by dropping received
  application_data messages in epoch 0. Thank you to Paul Fiterau of Uppsala
  University and Robert Merget of Ruhr-University Bochum for the report.

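The private key leak above comes down to one classification step: when a loader walks a PEM file that mixes certificates and keys, every block must be sorted by its BEGIN label before anything is placed into the certificate chain. The following is an added example, not wolfSSL's own code: a minimal PEM block scanner in C that tallies blocks by label so a private key can never be counted as a certificate, and that rejects a block whose END label disagrees with its BEGIN label. The function names and the sample bundle (with placeholder base64 bodies) are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Kinds of PEM block a loader can meet in a bundled file. */
typedef enum {
    PEM_KIND_CERT,
    PEM_KIND_PRIVATE_KEY,
    PEM_KIND_OTHER
} pem_kind_t;

typedef struct {
    int certs;          /* blocks that may go into the certificate chain */
    int private_keys;   /* blocks that must never reach the chain */
    int other;          /* CRLs, DH parameters, anything else */
} pem_tally_t;

/* Classify a block from its BEGIN label only. Any label ending in
 * "PRIVATE KEY" (RSA, EC, ENCRYPTED, plain PKCS#8) is a private key. */
static pem_kind_t classify_label(const char *label, size_t len)
{
    static const char key_suffix[] = "PRIVATE KEY";
    size_t suffix_len = sizeof(key_suffix) - 1;

    if (len == 11 && memcmp(label, "CERTIFICATE", 11) == 0)
        return PEM_KIND_CERT;
    if (len >= suffix_len &&
        memcmp(label + len - suffix_len, key_suffix, suffix_len) == 0)
        return PEM_KIND_PRIVATE_KEY;
    return PEM_KIND_OTHER;
}

/* Walk every "-----BEGIN X-----" ... "-----END X-----" block in `pem` and
 * fill `tally`. Returns the number of blocks seen, or -1 when a BEGIN has
 * no END or the END label does not match the BEGIN label. */
int pem_tally_blocks(const char *pem, pem_tally_t *tally)
{
    static const char begin_tag[] = "-----BEGIN ";
    static const char end_tag[] = "-----END ";
    const size_t begin_len = sizeof(begin_tag) - 1;
    const size_t end_len = sizeof(end_tag) - 1;
    const char *p = pem;
    int count = 0;

    memset(tally, 0, sizeof(*tally));

    for (;;) {
        const char *begin = strstr(p, begin_tag);
        const char *label, *label_end, *end;
        size_t label_len;

        if (begin == NULL)
            break;                      /* no more blocks */

        label = begin + begin_len;
        label_end = strstr(label, "-----");
        if (label_end == NULL)
            return -1;                  /* unterminated BEGIN line */
        label_len = (size_t)(label_end - label);

        /* The END line must carry exactly the label the BEGIN line had. */
        end = strstr(label_end, end_tag);
        if (end == NULL)
            return -1;
        if (strncmp(end + end_len, label, label_len) != 0 ||
            strncmp(end + end_len + label_len, "-----", 5) != 0)
            return -1;

        switch (classify_label(label, label_len)) {
        case PEM_KIND_CERT:        tally->certs++;        break;
        case PEM_KIND_PRIVATE_KEY: tally->private_keys++; break;
        default:                   tally->other++;        break;
        }
        count++;
        p = end + end_len + label_len + 5;  /* continue after the END line */
    }
    return count;
}

/* Constructed sample: two certificates and an EC private key bundled into
 * one file. The base64 bodies are placeholders, not real DER. */
const char kBundledPem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIB...placeholder-leaf-cert...\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN EC PRIVATE KEY-----\n"
    "MHcC...placeholder-private-key...\n"
    "-----END EC PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIB...placeholder-ca-cert...\n"
    "-----END CERTIFICATE-----\n";

/* Constructed malformed sample: END label disagrees with BEGIN label. */
const char kMismatchedPem[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIB...placeholder...\n"
    "-----END RSA PRIVATE KEY-----\n";

int main(void)
{
    pem_tally_t t;
    int n = pem_tally_blocks(kBundledPem, &t);
    printf("blocks=%d certs=%d private_keys=%d other=%d\n",
           n, t.certs, t.private_keys, t.other);
    printf("mismatched bundle -> %d\n", pem_tally_blocks(kMismatchedPem, &t));
    return 0;
}
```

Only blocks tallied under `certs` would be handed to the chain builder; the `private_keys` count is what a loader should route to key import (or refuse outright when a certificate file was requested).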
For additional vulnerability information visit the vulnerability page at
https://www.wolfssl.com/docs/security-vulnerabilities/

See INSTALL file for build instructions.
More info can be found on-line at https://wolfssl.com/wolfSSL/Docs.html


# wolfSSL Release 4.4.0 (04/22/2020)

If you have questions about this release, then feel free to contact us on our
info@ address.

Release 4.4.0 of wolfSSL embedded TLS has bug fixes and new features including:

## New Feature Additions

* Hexagon support.
* DSP builds to offload ECC verify operations.
* Certificate Manager callback support.
* New APIs for running updates to ChaCha20/Poly1305 AEAD.
* Support for use with Apache.
* Add support for IBM s390x.
* PKCS8 support for ED25519.
* OpenVPN support.
* Add P384 curve support to SP.
* Add BIO and EVP API.
* Add AES-OFB mode.
* Add AES-CFB mode.
* Add Curve448, X448, and Ed448.
* Add Renesas Synergy S7G2 build and hardware acceleration.

## Fixes

* Fix for RSA public encrypt / private sign with RSA key sizes over 2048-bit.
* Correct misspellings.
* Secure renegotiation fix.
* Fix memory leak when using ATECC and non-SECP256R1 curves for sign, verify,
  or shared secret.
* Fix for K64 MMCAU with `WOLFSSL_SMALL_STACK_CACHE`.
* Fix the RSA verify only build.
* Fix in SP C implementation for small stack.
* Fix for the case where the auth key id extension is set but the hash might
  not be present.
* Fix when flattening certificate structure to include the subject alt names.
* Fixes for building with ECC sign/verify only.
* Fix for ECC and no cache resistance.
* Fix memory leak in DSA.
* Fix build on minGW.
* Fix `PemToDer()` call in `ProcessBuffer()` to set more than ECC.
* Fix for using RSA without SHA-512.
* Add some close tags to the echoserver HTTP example output.
* Miscellaneous fixes and updates for static analysis reports.
* Fixes for time structure support.
* Fixes for VxWorks support.
* Fixes for Async crypto support.
* Fix cache resist compile to work with SP C code.
* Fixes for Curve25519 x64 asm.
* Fix for SP x64 div.
* Fix for DTLS edge case where CCS and Finished come out of order and the
  retransmit pool gets flushed.
* Fix for infinite loop in SHA-1 with small inputs. Thanks to Peter W.
* Fix for FIPS Hmac where `wc_HmacInit()` isn't used. `wc_HmacSetKey()` needs
  to initialize the Hmac structure. Type is set to NONE, and checked against
  NONE, not 0.
* Fixes for SP RSA private operations.
* Fixes for Xilinx SDK and Zynq UltraScale+ MPSoC
* Fix leak when building with HAVE_AESGCM and NO_AES_DECRYPT. Thanks G.G.
* Fixes for building ECC without ASN.
* Fix for async TLSv1.3 issues.
* Fix `wc_KeyPemToDer()` with PKCS1 and empty key.
* Omit `-fomit-frame-pointer` from CFLAGS in configure.ac.

## Improvements/Optimizations

* Qt 5.12 and 5.13 support.
* Added more digest types to Cryptocell RSA sign/verify.
* Some memory usage improvements.
* Speed improvements for mp_rand.
* Improvements to CRL and OCSP support.
* Refactor Poly1305 AEAD/MAC to reduce duplicate code.
* Add blinding to RSA key gen.
* Improvements to blinding.
* Improvement and expansion of OpenSSL Compatibility Layer.
* Improvements to ChaCha20.
* Improvements to X.509 processing.
* Improvements to ECC support.
* Improvement in detecting 64-bit support.
* Refactor to combine duplicate ECC parameter parsing code.
* Improve keyFormat to be set by algId and let later key parsing produce the
  failure.
* Add test cases for 3072-bit and 4096-bit RSA keys.
* Improve signature wrapper and DH test cases.
* Improvements to the configure.ac script.
* Added constant time RSA q modinv p.
* Improve performance of SP Intel 64-bit asm.
* Added a few more functions to the ABI list.
* Improve TLS bidirectional shutdown behavior.
* OpenSSH 8.1 support.
* Improve performance of RSA/DH operations on x64.
* Add support for PKCS7/CMS Enveloped data with fragmented encrypted content.
* Example linker description for FIPS builds to enforce object ordering.
* C# wrapper improvements. Added TLS client example and TLSv1.3 methods.
* Allow setting MTU in DTLS.
* Improve PKCS12 create for outputting encrypted bundles.
* Constant time EC map to affine for private operations.
* Improve performance of RSA public key ops with TFM.
* Smaller table version of AES encrypt/decrypt.
* Support IAR with position independent code (ROPI).
* Improve speed of AArch64 assembly.
* Support AES-CTR on esp32.
* Add a no malloc option for small SP math.

## This release of wolfSSL includes fixes for 2 security vulnerabilities.

* For fast math, use a constant time modular inverse when mapping to affine
  when operation involves a private key - keygen, calc shared secret, sign.
  Thank you to Alejandro Cabrera Aldaya, Cesar Pereida García and
  Billy Bob Brumley from the Network and Information Security Group (NISEC)
  at Tampere University for the report.

* Change constant time and cache resistant ECC mulmod. Ensure points being
  operated on change to make constant time. Thank you to Pietro Borrello at
  Sapienza University of Rome.

For additional vulnerability information visit the vulnerability page at
https://www.wolfssl.com/docs/security-vulnerabilities/

See INSTALL file for build instructions.
More info can be found on-line at https://wolfssl.com/wolfSSL/Docs.html



# wolfSSL Release 4.3.0 (12/20/2019)

If you have questions about this release, then feel free to contact us on our info@ address.

Release 4.3.0 of wolfSSL embedded TLS has bug fixes and new features including:

##### New Feature Additions
* Add --enable-libwebsockets option for support of libwebsockets build
* Updated support for NGINX 1.15.0 and added support for 1.16.1
* Add wc_scrypt_ex API which can take in iterations rather than cost
* Updates to RSA-PSS salt lengths. Macro WOLFSSL_PSS_SALT_LEN_DISCOVER allows for discovering the salt length. Passing RSA_PSS_SALT_LEN_DISCOVER value into wc_RsaPSS_Verify_ex attempts to discover salt length and can use larger salt lengths
* Additional OpenSSL compatibility API wolfSSL_CertManagerGetCerts and wolfSSL_X509_STORE_GetCerts for retrieving certificates
* Add support for 4096-bit RSA/DH operations to SP (single precision) build
* Update support for Google WebRTC to branch m79
* Adds new FREESCALE_MQX_5_0 macro for MQX 5.0 support
* Adds a CMS/PKCS#7 callback for signing SignedData raw digests enabled with macro HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK and call to function wc_PKCS7_SetRsaSignRawDigestCb
* Add --disable-errorqueue feature to disable adding debug nodes to queue with --enable-opensslextra build
* After defining WOLFSSL_SHUTDOWNONCE macro the function wolfSSL_shutdown will return a specific error code of SSL_SHUTDOWN_ALREADY_DONE_E, to indicate to the application that the shutdown has already occurred
* Add AES-CCM decryption to benchmarking app bundled with wolfSSL


##### Fixes
* Fixes IAR warnings with IAR-EWARM 7.50.2
* Alignment fixes for mmCAU with AES and hashing algorithms
* Fix check for plaintext length when using Encrypt-Then-MAC
* Fix for unit tests with NGINX and debug mode
* Fix for macro names in test cases (WOLFSSL_PUBLIC_MP) and pkcs7.c (HAVE_AESCCM)
* Fix for Apache want read case with BIO retry flag
* Fix for PKCS7 streaming mode that would error rather than verify bundle
* Fix for freeing mutex for X509 and wolfSSL_EVP_PKEY_free, applies to OPENSSL_EXTRA / --enable-opensslextra builds
* Fix for encrypt then MAC when re-handshaking, encrypted handshakes change over to ETM now
* Fix for curve25519 assembly optimizations with GCC + AVX2
* Fix to hang onto certificate for retrieval if using secure renegotiation and session resumption
* Fixes case where the heap hint is created before WOLFSSL_CTX, when calling wc_LoadStaticMemory instead of wolfSSL_CTX_load_static_memory
* Fix for setting correct return value in PKCS12 parse error case
* Reset certificate extension policy count
* Fix for memcpy with TLS I/O buffers when using staticmemory pools and loading memory as WOLFMEM_IO_POOL_FIXED
* Fixes and updates for STM32 port, including additional mutex protection, AES-GCM decrypt auth tag, AES-CTR mode with CubeMX, update to OpenSTM32 project
* Fix for EVP CipherUpdate decrypt and add a test case
* DTLS fixes including: some DTLS sequence number issues in general where the sequence was incremented twice for each record, and some offset values in the DTLS window checking
* Fix sp_add to handle carries properly (--enable-sp-math build)
* Additional sanity check on OCSP response decoder
* Fix for vasprintf with Solaris and AIX builds
* Fix for missing variable declaration with --enable-scep --with-libz build
* Fix for certificate date check with async build
* Sanity check on “out” length with Base64_Decode added
* Decode X.509 name - check input length for jurisdiction
* Additional sanity check on variable out index with DecodePolicyOID
* Fix for PKCS#12 PBKDF buffer size for buffer overflow
* TLS supported curve extension check curve name is in range before checking for disabled
* Sanity check for non TLS 1.3 cipher suite with TLS 1.3 connection
* Poly1305 AVX2 assembly optimization fix for carry with large input values
* Fixes for coverity report including null termination of test case strings and initialization of PKCS7 variables
* Fix for API visibility of wc_ed25519_check_key which resolves a wolfcrypt-py install issue
* Sanity check on max ALPN length accepted
* Additional sanity check when parsing CRLs for copying the structure, fix for bounds checking
* Additional checks on error string length for debug mode and check for null termination
* ProcessPeerCerts allocating memory for exts with OPENSSL_EXTRA properly
* Clear the top bit when generating a serial number
* Sanity check that ASN date characters are valid ASCII characters
* Fix to add deterministic ECDSA and fix corner cases for add point.
* When getting the DH public key, initialize the P, G, and Pub pointers to NULL, then set that we own the DH parameters flag. This allows FreeSSL to correctly clean up the DH key.

##### Improvements/Optimizations
* Added configure error report with using invalid build of --enable-opensslextra and --enable-opensslcoexist together
* Update PKCS11 for determining key type given the private key type
* Update DoVerifyCallback to check verify param hostName and ipasc (--enable-opensslextra builds)
3679* additional null sanity checks on input arguments with QSH and Cryptocell builds
3680* Additional checks on RSA key added to the function wc_CheckRsaKey
3681* Updates for EBSNET support, including fseek, revised macros in settings.h, and realloc support
3682* MISRA-C updates for SP math code
3683* Update to allow compiling for pwdbased/PBKDF2 with having NO_ASN defined
3684* Modify KeyShare and PreSharedKey TLS 1.3 extension linked list advancement to be easier for compilers to handle
3685* Optimization to parsing certificate extension name strings
3686* Adjustment to example server -x runtime behavior when encountering an unrecoverable error case
3687* Remove Blake2b support from HMAC
3688* Adds new hash wrapper init wc_HashInit_ex and Adds new PBKDF2 API wc_PBKDF2_ex for using heap hints for custom memory pools
3689* Adding script to cleanup generated test files,  scripts/cleanup_testfiles.sh
3690* Support 20-byte serial numbers and disallow 0
3691* sp_div improved to handle when a has less digits than d (--enable-sp-math build)
3692* When decoding a policy OID and turning it into a human readable string use snprintf()
3693* set the IV length of EVP AES GCM to 96-bits by default
3694* Allow adding CAs for root CA's over the wire that do not have the extended key usage cert_sign set
3695* Added logging messages for SendAlert call and update to send alert after verify certificate callback
3696* updates for synchronous OCTEON support in the Sniffer
3697* Rework BER to DER functions to not be recursive
3698* Updates to find CRL by AuthKeyId
3699* Add a check for subject name hash after matching AKID
3700* Enhancement to mp_invmod/fp_exptmod/sp_exptmod to handle more inputs
3701* Remove requirement for macro NO_SKID when CRL use is enabled
3702* Improvements on XFTELL return code and MAX_WOLFSSL_FILE_SIZE checking
3703* When checking if value is prime return NO in the case of the value 1
3704* Improve Cortex-M RSA/DH assembly code performance
3705* Additional sanity checks on arrays and buffers with OCSP
3706
3707
3708##### This release of wolfSSL includes a fix for 6 security vulnerabilities.
3709
3710
3711A fix for having an additional sanity check when parsing certificate domain names was added. This fix checks that the domain name location index is not past the maximum value before setting it. The reported issue affects users that are parsing certificates and have --enable-opensslextra (macro OPENSSL_EXTRA), or build options that turn this on such as --enable-all, when building wolfSSL. The CVE associated with the fix is CVE-2019-18840.
3712
3713Fix to set a limit on the maximum size of DTLS handshake messages. By default the RFC allows for handshake message sizes of up to 2^24-1 bytes long but in typical field use cases the handshake messages are not this large. Setting a maximum size limit on the handshake message helps avoid a potential DoS attack due to memory being malloc’d. The new default max size is set to handle a certificate chain length of approximately 9, 2048 bit RSA certificates. This only effects builds that have DTLS turned on and have applications that are using DTLS.
3714
3715Fix for a potential hang when ECC caching is enabled (off by default) and --enable-fastmath is used. ECC caching is off by default and is turned on in builds that are using --enable-all or --enable-fpecc. This issue does not affect builds that are using the macro WOLFSSL_VALIDATE_ECC_IMPORT which turns on validating all ECC keys that are imported. To fix this potential hang case a sanity check on the input values to the internal invmod function was added.
3716
3717
3718To fix a potential fault injection attack on a wrapper function for wolfCrypt RSA signature generations an additional sanity check verifying the signature after it’s creation was added. This check is already done automatically in current versions of wolfSSL with TLS connections (internal function call of VerifyRsaSign during TLS state machine). The report only affects users making calls to the wolfCrypt function wc_SignatureGenerateHash and does not affect current TLS use cases. Thanks to Daniel Moghimi (@danielmgmi) from Worcester Polytechnic Institute for the report.
3719
3720
3721Blinding was added for DSA signing operations. The DSA signing uses the BEEA algorithm during modular inversion of the nonce which can potentially leak the nonce through side channels such as cache and power fluctuations. The fix of adding in blinding makes the DSA signing operation more resistant to side channel attacks. Users who have turned on DSA (disabled by default) and are performing signing operations should update. Note that DSA is not used in any TLS connections. Thanks to Daniel Moghimi (@danielmgmi) from Worcester Polytechnic Institute for the report.
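As an added illustration of the two wolfCrypt countermeasures described above (constructed example code, not wolfSSL's implementation): a toy DSA signer in Python whose nonce inversion is blinded with a random factor before the binary extended Euclidean algorithm (BEEA) runs, so the halving/subtraction pattern a side channel could observe belongs to k*b rather than to the nonce k, and which verifies every signature before returning it, the same sign-then-verify check the release adds for RSA signature generation. The domain parameters p = 2039, q = 1019, g = 4 are constructed toy values (p = 2q + 1, g of order q), far too small for real use, and all function names are my own.

```python
import hashlib
import secrets

# Constructed toy DSA domain parameters: p = 2q + 1 with p and q prime and
# g = 2^2 mod p, so g generates the subgroup of order q.  Real DSA uses a
# 2048-bit (or larger) p; these values only keep the arithmetic readable.
P, Q, G = 2039, 1019, 4
assert G != 1 and pow(G, Q, P) == 1


def beea_inverse(a, m):
    """a^-1 mod m via the binary extended Euclidean algorithm (m odd, gcd = 1).

    The pattern of halvings and subtractions depends on the bits of `a`; when
    `a` is the DSA nonce, that pattern is what a cache or power side channel
    can observe.  Loop invariants: x1*a == u (mod m) and x2*a == v (mod m).
    """
    u, v, x1, x2 = a % m, m, 1, 0
    if u == 0:
        raise ValueError("no inverse")
    while u != 1 and v != 1:
        while u % 2 == 0:
            u //= 2
            x1 = x1 // 2 if x1 % 2 == 0 else (x1 + m) // 2
        while v % 2 == 0:
            v //= 2
            x2 = x2 // 2 if x2 % 2 == 0 else (x2 + m) // 2
        if u >= v:
            u, x1 = u - v, x1 - x2
        else:
            v, x2 = v - u, x2 - x1
    return x1 % m if u == 1 else x2 % m


def blinded_inverse(k, m):
    """k^-1 mod m without running BEEA on k itself.

    A fresh random b is multiplied in first, so the leaky inversion sees the
    uniformly random value k*b; k^-1 is then recovered as (k*b)^-1 * b.
    """
    b = secrets.randbelow(m - 1) + 1
    return beea_inverse(k * b % m, m) * b % m


def hash_to_int(msg):
    # Map SHA-256 of the message into Z_q (reduced because q is toy-sized).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1  # private key in [1, q-1]
    return x, pow(G, x, P)            # (x, y)


def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = beea_inverse(s, Q)            # s is public, no blinding needed here
    u1, u2 = hash_to_int(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def sign(x, y, msg):
    h = hash_to_int(msg)
    while True:
        k = secrets.randbelow(Q - 1) + 1  # per-signature secret nonce
        r = pow(G, k, P) % Q
        s = blinded_inverse(k, Q) * (h + x * r) % Q
        if r != 0 and s != 0:
            break
    # Sign-then-verify: a signature corrupted by a fault (glitch, bit flip)
    # is rejected here instead of being handed to the caller.
    if not verify(y, msg, (r, s)):
        raise RuntimeError("signature failed self-check; possible fault")
    return r, s


SAMPLE_MSG = b"constructed sample message"  # constructed input for a demo run

if __name__ == "__main__":
    priv, pub = keygen()
    signature = sign(priv, pub, SAMPLE_MSG)
    print("signature", signature, "verifies:", verify(pub, SAMPLE_MSG, signature))
```

The blinding costs one extra multiplication per signature; the self-check costs one verification, which is the trade the release notes accept for wc_SignatureGenerateHash. In a real implementation the inversion would be the library's constant-time routine and q would be a 224- or 256-bit prime.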


Fix to add additional side channel cache attack resistance to the internal ECC function wc_ecc_mulmod_ex. This function by default is used with ECDSA signing operations. Users should update if performing ECDSA signing operations (server side ECC TLS connections, mutual authentication on client side) or calling wolfCrypt ECC sign functions and have the potential for outside users to perform sophisticated monitoring of the cache. Thanks to Daniel Moghimi (@danielmgmi) from Worcester Polytechnic Institute for the report.


For additional vulnerability information visit the vulnerability page at https://www.wolfssl.com/docs/security-vulnerabilities/

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


# wolfSSL Release 4.2.0 (10/22/2019)

If you have questions about this release, then feel free to contact us on our info@ address.

Release 4.2.0 of wolfSSL embedded TLS has bug fixes and new features including:


##### New Feature Additions
* Over 198 OpenSSL compatibility APIs added
* Apache port added for compiling with wolfSSL using --enable-apachehttpd
* Port for using wolfSSL with OpenVSwitch
* Port for Renesas TSIP added
* Visual Studio Solution for Azure Sphere Devices (MT3620 and MT3620-mini) added to the directory IDE/VS-AZURE-SPHERE
* Addition of Coldfire MCF5441X NetBurner example to the directory IDE/M68K/
* Added support for prime checking to SP math build
* Addition of DYNAMIC_TYPE_BIGINT type for tracking mp_int allocations
* Addition of wc_ecc_get_curve_params API for getting ecc_set_type params for a curve
* Adding in TLS_SHA256_SHA256 and TLS_SHA384_SHA384 TLS 1.3 cipher suites (null ciphers)
* Added in PKCS7 decryption callbacks for CMS operations
* Added handling for optional ECC parameters with PKCS7 KARI
* Addition to configure.ac for FIPS wolfRand builds
* Adding the flag WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY for ignoring certificate date checks with the functions wolfSSL_CTX_load_verify_buffer_ex and wolfSSL_CTX_load_verify_locations_ex
* Support for PKCS8 keys added to the function wolfSSL_CTX_use_PrivateKey_buffer
* Support for KECCAK hashing. Build with macro WOLFSSL_HASH_FLAGS and call wc_Sha3_SetFlags(&sha, WC_HASH_SHA3_KECCAK256) before the first SHA3 update
* Addition of setting secure renegotiation at CTX level
* Addition of KDS (NXP Kinetis Design Studio) example project to directory IDE/KDS/
* Support for Encrypt-Then-MAC to TLS 1.2 and below
* Added a new build option for a TITAN session cache that can hold just over 2 million session entries (--enable-titancache)
* Synchronous Quick Assist Support for Sniffer
* Added Support for SiFive HiFive Unleashed board
* Support for Google WebRTC added in to compatibility layer build
* Additional Sniffer features: IPv6 sniffer support, fragment chain input, data store callback, various statistics tweaks and other Sniffer fixes


##### Fixes
* Addition of internal content digest checks for PKCS7 SignedData message types that also have signed attributes present. Users could previously check the content digest against the messageDigest attribute, but this adds a default internal check. It is advised that users who are not doing their own checks update their wolfSSL version.
* A fix for BIO and base64 encoding/decoding
* A fix for memory management of CTX / WOLFSSL_METHOD pointer with staticmemory build
* A fix for detection of AES-NI support to read bit 25 from ECX
* A fix for a DTLS handshake message retransmit corner case
* Additional fixes to coding style and uninitialized values using the cppcheck tool
* Fixes for failing IAR builds, thanks to Joseph C. for the report
* Fixes for ARMv8 Poly1305 inline assembly code to compile with clang 3.5
* Fixes for esp-idf build warnings
* A fix for XSNPRINTF with mingw32 builds
* Fixes for strncpy warnings when compiling with newer versions of GCC
* A fix for using an IV of all 0's as the default case with AES-NI when no IV is passed in
* Fixes for types with 16 bit systems, thanks to Ralf Schlatterbeck
* Fixes for build with devcrypto/afalg and aesccm, thanks to GitHub user cotequeiroz for the report
* Fixes for handling of the pathLen constraint when parsing certificate chains
* A DTLS fix for alert packet injection at end of handshake
* Fixes for Poly1305 AArch64 assembly code
* A fix for memory management in error cases when adding a CA, this resolves a coverity report
* A fix for SP math precomputation tables to not include the infinity field
* Fixes for checks on defines with AVX2 and Poly1305 build
* Fixes for CubeMX HAL v1.15 with STM32F7
* A fix for TLS 1.3 to always send Key Share extension
* A fix for a potential buffer over read in TLS 1.3 DoTls13SupportedVersions, thanks to Artem for the report


##### Improvements/Optimizations
* Optimization to SP math, changing variables to const where possible. Thanks to Yair Poleg (yair.poleg@ayyeka.com) of Ayyeka for proposing static declaration of global constant variables in SP code
* Additional fuzz testing and fixes for TLS 1.3 use, including additional TLS 1.3 alert messages (PR#2440 for more information)
* Additional sanity check that the ciphersuite from the client hello is used in the server hello response (check can be removed with the macro WOLFSSL_NO_STRICT_CIPHER_SUITE)
* Improved MMCAU performance: SHA-1 by 35%, SHA-256 by 20% and MD5 by 78%
* By default, disallow SHA-2 cipher suites from being used in TLS 1.0 and 1.1 handshakes (can be ignored with macro WOLFSSL_OLDTLS_SHA2_CIPHERSUITES)
* Optimization of export session buffer size with enable option --enable-sessionexport=nopeer
* Spelling fixes in comments and some cast warnings resolved
* Updates to abstract atoi to XATOI when used, this allows for better portability when making calls to the system function atoi for converting strings to integers
* Improvements to the STSAFE-A100 error code handling, providing better debug information
* Adding a sanity check on TLS 1.3 ticket encrypt callback
* Specialized implementations of mod exp when base is 2



##### This release of wolfSSL includes a fix for 5 security vulnerabilities.

Fix for sanity check on reading TLS 1.3 pre-shared key extension. This fixes a potential for an invalid read when TLS 1.3 and pre-shared keys are enabled. Users without TLS 1.3 enabled are unaffected. Users with TLS 1.3 enabled and HAVE_SESSION_TICKET defined or NO_PSK not defined should update wolfSSL versions. Thanks to Robert Hoerr for the report.

Fix for potential program hang when ocspstapling2 is enabled. This is a moderate level fix that affects users who have ocspstapling2 enabled (off by default) and are on the server side. In parsing a CSR2 (Certificate Status Request v2) on the server side, there was the potential for a malformed extension to cause a program hang. Thanks to Robert Hoerr for the report.

Two moderate level fixes involving an ASN.1 over read by one byte. CVE-2019-15651 is for a fix that is due to a potential one byte over read when decoding certificate extensions. CVE-2019-16748 is for a fix on a potential one byte overread when checking certificate signatures. This affects builds that do certificate parsing and do not have the macro NO_SKID defined. Thanks to Yan Jia and the researcher team from Institute of Software, Chinese Academy of Sciences for the report.

High level fix for DSA operations involving an attack on recovering DSA private keys. This fix affects users that have DSA enabled and are performing DSA operations (off by default). All users that have DSA enabled and are using DSA keys are advised to regenerate DSA keys and update wolfSSL version. ECDSA is NOT affected by this and TLS code is NOT affected by this issue. Thanks to Ján Jančár for the report.


For additional vulnerability information visit the vulnerability page at https://www.wolfssl.com/docs/security-vulnerabilities/

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html



# wolfSSL Release 4.1.0 (07/22/2019)

Release 4.1.0 of wolfSSL embedded TLS has bug fixes and new features including:

* A fix for the check on return value when verifying PKCS7 bundle signatures, all users with applications using the function wc_PKCS7_VerifySignedData should update
* Adding the function wc_PKCS7_GetSignerSID for PKCS7 firmware bundles as a getter function for the signer's SID
* PKCS7 callback functions for unwrapping of CEK and for decryption
* Adding the error value PKCS7_SIGNEEDS_CHECK when no certificates are available in a PKCS7 bundle to verify the signature
* TLS 1.3 fixes: if the major version is TLS Draft it is now ignored, and if version negotiation occurs but no version matched an alert is now sent
* Addition of the WOLFSSL_PSK_ONE_ID macro for indicating that only one identity in TLS 1.3 PSK is available and will be cached
* Adding sanity checks on length of PSK identity from a TLS 1.3 pre-shared key extension
* Additional sanity checks and alert messages added for TLS 1.3
* Adding XTIME_MS macro to simplify the tls13.c time requirement
* Improvements and refactoring of code related to parsing and creating TLS 1.3 client hello packets
* TLS 1.3 version renegotiation now happens before interpreting ClientHello message
* Chacha20 algorithm optimizations on the ARM architecture for performance increase
* Poly1305 algorithm performance enhancements for the ARM architecture using the SIMD NEON extension
* Curve25519 and Ed25519 optimized for ARM architecture for performance increase
* SHA-512/384 optimizations for performance with ARM architecture using the SIMD NEON extension
* Sniffer updates including adding support for the null cipher and static ECDH key exchange and new SSLWatchCb callback
* Cipher suite TLS_RSA_WITH_NULL_MD5 for use with the sniffer (off by default)
* Sniffer statistic printouts with the macro WOLFSSL_SNIFFER_STATS defined
* A fix for wolfSSL_DH_generate_key when WOLFSSL_SMALL_STACK is defined
* wolfSSL_BN_Init implementation for opensslextra builds
* Updates to the function wolfSSL_i2d_RSAPrivateKey and additional automated tests
* Fixes for EVP_CipherFinal edge cases to match desired behavior
* Check for appropriate private vs public flag with ECC key decode in wolfSSL_EC_KEY_LoadDer_ex, thanks to Eric Miller for the report
* Implementation of the function wolfSSL_PEM_write_DHparams
* wolfSSL_RAND_seed is called in wolfSSL_Init now when opensslextra is enabled
* CryptoCell-310 support on nRF52840 added
* Fixes for atmel_ecc_create_pms to free the used slot
* Fixes for building ATECC with ATCAPRINTF or WOLFSSL_PUBLIC_MP
* Cortex-M code changes to support IAR compiler
* Improvements to STM32 AES-GCM performance
* Fixes for 16-bit systems including PK callbacks, ATECC and LowResTimer function prototype
* IAR-EWARM compiler warning fix
* Clean up of user_settings for CS+ port
* Updating Renesas example projects to the latest version
* Micrium updates adjusting STATIC macro name and added inline flag
* Fixes for building with WOLFSSL_CUSTOM_CURVES on Windows
* Updates and refactor to the default build settings with Arduino
* Fixes for visibility tags with Cygwin build
* STSAFE Improvements to support wolfSSL Crypto Callbacks
* Improvements to NetBSD builds and mutex use in test case
* Updating TI hardware offload with WOLFSSL_TI_CRYPT build
* Maintaining Xilinx FreeRTOS port by adjusting time.h include in wolfSSL
* SiFive HiFive E31 RISC-V core family port
* Port for Telit IoT AppZone SDK
* OCSP Response signed by issuer with identical SKID fix
* Fix for sending revoked certificate with OCSP
* Honor the status sent over connection with peers and do not perform an internal OCSP lookup
* Adding the build flag `--enable-ecccustcurves=all` to enable all curve types
* Support added for Ed25519ctx and Ed25519ph sign/verify algorithms as per RFC 8032
* Addition of the macro WOLFSSL_NO_SIGALG to disable signature algorithms extension
* wc_AesCtrEncrypt in place addition, where input and output buffer can be the same buffer
* Single shot API added for SHA3: wc_Sha3_224Hash, wc_Sha3_256Hash, wc_Sha3_384Hash, wc_Sha3_512Hash
* Function additions for JSSE support, some of which are wolfSSL_get_ciphers_iana and wolfSSL_X509_verify, along with expansion of the --enable-jni option
* Macro guards for more modular SHA3 build (i.e. support for 384 size only)
* Benchmarking -thread <num> argument support for asynchronous crypto
* Blake2s support (--enable-blake2s), which provides 32-bit Blake2 support
* Macro SHA256_MANY_REGISTERS addition to potentially speed up SHA256 depending on architecture
* Additional TLS alert messages sent with the macro WOLFSSL_EXTRA_ALERTS defined
* Feature to fail resumption of a session if the session's cipher suite is not in the client's list, this can be overridden by defining the macro NO_RESUME_SUITE_CHECK
* Fallback SCSV (Signaling Cipher Suite Value) support on Server only (--enable-fallback-scsv)
* DTLS export state only (wolfSSL_dtls_export_state_only) which is a subset of the information exported from previous DTLS export function
* Function wc_DhCheckPubValue added to perform simple validity checks on DH keys
* Support for RSA SHA-224 signatures with TLS added
* Additional option "-print" to the benchmark app for printing out a brief summary after benchmarks are complete
* Adding (--disable-pkcs12) option and improvements for disabled sections in pwdbased.c, asn.c, rsa.c, pkcs12.c and wc_encrypt
* Added DES3 support to the wolfSSL crypto callbacks
* Compile time fixes for build case with SP math and RSA only
* Fixes for Coverity static analysis report including explicit initialization of reported stack variables; some additional Coverity fixes added, thanks to Martin
* Fixes for scan build warnings (i.e. possible null dereference in ecc.c)
* Resetting verify send value with a call to wolfSSL_clear function
* Fix for extern with sp_ModExp_2048 when building with --cpp option
* Fix for typo issue with --enable-sp=cortexm
* Adding #pragma warning disable 4127 for tfm.c when building with Visual Studio
* Improvements to the maximum ECC signature calculations
* Improvements to TLS write handling in error cases, which helps the user application avoid a wolfSSL_write attempt after a wolfSSL_read failure
* Fix for read directory functions with Windows (wc_ReadDirFirst and wc_ReadDirNext)
* Sanity check on index before accessing domain component buffer in call to wolfSSL_X509_NAME_get_entry
* Sending fatal alert from client side on version error
* Fix for static RSA cipher suite with PK callback and no loaded private key
* Fix for potential memory leak in error case with the function wc_DsaKeyToDer, thanks to Chris H. for the report
* Adjusting STRING_USER macro to remove includes of standard lib <string.h> or <stdio.h>
* Bug fix for checking wrong allocation assignment in the function wc_PBKDF2 and handling potential leak on allocation failure. This case is only hit when the specific call to malloc fails in the function wc_PBKDF2. Thanks to Robert Altnoeder (Linbit) for the report
* Improved length checks when parsing ASN.1 certificates
* extern "C" additions to header files that were missing them
* Improved checking of return values with TLS extension functions and error codes
* Removing redundant calls to the generate function when instantiating and reseeding DRBG
* Refactoring and improvements to autoconf code with consolidating AM_CONDITIONAL statements
* Improvements for handling error return codes when reading input from transport layer
* Improvements to efficiency of SNI extension parsing and error checking with ALPN parsing
* Macro WOLFSSL_DEBUG_TLS addition for printing out extension data being parsed during a TLS connection
* Adjustment of prime testing with --disable-fastmath builds


This release of wolfSSL includes a fix for 2 security vulnerabilities.

There is a fix for a potential buffer overflow case with the TLSv1.3 PSK extension parsing. This affects users that are enabling TLSv1.3 (--enable-tls13). Thanks to Robert Hoerr for the report. The CVE associated with the report is CVE-2019-11873.

There is a fix for the potential leak of nonce sizes when performing ECDSA signing operations. The leak is considered difficult to exploit, but it could potentially be used to perform a lattice based timing attack against previous wolfSSL versions. ECC operations with --enable-sp and --enable-sp-asm are not affected; users with private ECC keys in other builds that are performing ECDSA signing operations should update their version of wolfSSL and replace their private ECC keys. Thanks to Ján Jančár from Masaryk University for the report.


# wolfSSL Release 4.0.0 (03/20/2019)

Release 4.0.0 of wolfSSL embedded TLS has bug fixes and new features including:

* Support for wolfCrypt FIPS v4.0.0, certificate #3389
* FIPS Ready Initiative
* Compatibility fixes for secure renegotiation with Chrome
* Better size check for TLS record fragment reassembly
* Improvements to non-blocking and handshake message retry support for DTLS
* Improvements to OCSP with ECDSA signers
* Added TLS server side secure renegotiation
* Added TLS Trusted CA extension
* Add support for the Deos Safety Critical RTOS
* OCSP fixes for memory management and initializations
* Fixes for EVP Cipher decryption padding checks
* Removal of null terminators on `wolfSSL_X509_print` substrings
* `wolfSSL_sk_ASN1_OBJCET_pop` function renamed to `wolfSSL_sk_ASN1_OBJECT_pop`
* Adjustment to include path in compatibility layer for evp.h and objects.h
* Fixes for decoding BER encoded PKCS7 contents
* TLS handshake now supports using PKCS #11 for private keys
* PKCS #11 support of HMAC, AES-CBC and random seeding/generation
* Support for named FFDHE parameters in TLS 1.2 (RFC 7919)
* Port to Zephyr Project
* Move the TLS PRF to wolfCrypt
* Update to CMS KARI support
* Added ESP32 WROOM support
* Fixes and additions to the OpenSSL compatibility layer
* Added WICED Studio Support
* MDK CMSIS RTOS v2
* Xcode project file update
* Fixes for ATECC508A/ATECC608A
* Fixes issue with CA path length for self signed root CAs
* Fixes for Single Precision (SP) ASM when building sources directly
* Fixes for STM32 AES GCM
* Fixes for ECC sign with hardware to ensure the input is truncated
* Fixes for proper detection of PKCS7 buffer overflow case
* Fixes to handle degenerate PKCS 7 with BER encoding
* Fixes for TLS v1.3 handling of 6144 and 8192 bit keys
* Fixes for possible build issues with SafeRTOS
* Added `ECC_PUBLICKEY_TYPE` to the supported PEM header types
* Added strict checking of the ECDSA signature DER encoding length
* Added ECDSA option to limit sig/algos in client_hello to key size with `USE_ECDSA_KEYSZ_HASH_ALGO`
* Added Cortex-M support for Single Precision (SP) math
* Added wolfCrypt RSA non-blocking time support
* Added 16-bit compiler support using --enable-16bit option
* Improved Arduino sketch example
* Improved crypto callback features
* Improved TLS benchmark tool
* Added new wrapper for snprintf for use with certain Visual Studio builds, thanks to David Parnell (Cambridge Consultants)

This release of wolfSSL includes a fix for 1 security vulnerability.

* Fixed a bug in tls_bench.c example test application unrelated to the crypto or TLS portions of the library. (CVE-2019-6439)


# wolfSSL Release 3.15.7 (12/26/2018)

Release 3.15.7 of wolfSSL embedded TLS has bug fixes and new features including:

* Support for Espressif ESP-IDF development framework
* Fix for XCode build with iPhone simulator on i386
* PKCS7 support for generating and verifying bundles using a detached signature
* Fix for build disabling AES-CBC and enabling opensslextra compatibility layer
* Updates to sniffer for showing session information and handling split messages across records
* Port update for Micrium uC/OS-III
* Feature to adjust max fragment size post handshake when compiled with the macro WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST
* Adding the macro NO_MULTIBYTE_PRINT for compiling out special characters that embedded devices may have problems with
* Updates for Doxygen documentation, including PKCS #11 API and more
* Adding Intel QuickAssist v1.7 driver support for asynchronous crypto
* Adding Intel QuickAssist RSA key generation and SHA-3 support
* RSA verify only (--enable-rsavfy) and RSA public only (--enable-rsapub) builds added
* Enhancements to test cases for increased code coverage
* Updates to VxWorks port for use with Mongoose, including updates to the OpenSSL compatibility layer
* Yocto Project ease of use improvements along with many updates and build instructions added to the INSTALL file
* Maximum ticket nonce size was increased to 8
* Updating --enable-armasm build for ease of use with autotools
* Updates to internal code checking TLS 1.3 version with a connection
* Removing unnecessary extended master secret from ServerHello if using TLS 1.3
* Fix for TLS v1.3 HelloRetryRequest to be sent immediately and not grouped



This release of wolfSSL includes a fix for 1 security vulnerability.

Medium level fix for potential cache attack with a variant of Bleichenbacher's attack. Earlier versions of wolfSSL leaked PKCS #1 v1.5 padding information during private key decryption that could lead to a potential padding oracle attack. It is recommended that users update to the latest version of wolfSSL if they have RSA cipher suites enabled and have the potential for malicious software to be run on the same system that is performing RSA operations. Users that have only ECC cipher suites enabled and are not performing RSA PKCS #1 v1.5 decryption operations are not vulnerable. Also, users with TLS 1.3 only connections are not vulnerable to this attack. Thanks to Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom (University of Adelaide and Data61) for the report.

The paper for further reading on the attack details can be found at http://cat.eyalro.net/cat.pdf.
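As an added example of the defensive pattern against this class of padding oracle (constructed code, not wolfSSL's implementation): a PKCS #1 v1.5 type 2 unpad routine in Python that inspects every byte of the RSA-decrypted block without an early exit, and on a malformed padding substitutes a random premaster secret instead of signalling the failure, which is the handling RFC 5246 section 7.4.7.1 prescribes for the TLS RSA key exchange. Python itself gives no timing guarantee; what the block demonstrates is the branch-free structure. The function name, the constructed sample block and the 66-byte block length are my own choices.

```python
import secrets


def unpad_pkcs1_v15_tls(em, out_len):
    """Recover an out_len-byte secret from a PKCS #1 v1.5 type 2 block.

    em is the RSA-decrypted block (k bytes): 0x00 || 0x02 || PS || 0x00 || M,
    where PS is at least 8 non-zero bytes.  Because out_len is fixed (48 for
    a TLS premaster secret), the separator position is fixed too.  Every byte
    is examined regardless of where a problem occurs, and the output is chosen
    by masking, so no branch depends on the padding contents.  The boolean in
    the return value is for the caller's own accounting (tests, statistics);
    it must never influence anything the peer can observe.
    """
    k = len(em)
    sep = k - out_len - 1                    # public: depends only on lengths
    fallback = secrets.token_bytes(out_len)  # used when the padding is bad
    if sep < 10:                             # 2 header bytes + PS of >= 8 bytes
        return fallback, False
    bad = em[0] | (em[1] ^ 0x02)             # non-zero if the header is wrong
    for i in range(2, k):
        is_zero = ((em[i] - 1) >> 8) & 1     # 1 iff em[i] == 0
        diff = i - sep
        before = (diff >> 31) & 1            # 1 iff i < sep (inside PS)
        at_sep = 1 - (((diff | -diff) >> 31) & 1)  # 1 iff i == sep
        bad |= before & is_zero              # a zero byte inside PS
        bad |= at_sep & (1 - is_zero)        # separator byte not 0x00
    bad = ((bad | -bad) >> 63) & 1           # collapse to a single 0/1 flag
    keep = (bad - 1) & 0xFF                  # 0xFF if good, 0x00 if bad
    drop = keep ^ 0xFF
    out = bytes((m & keep) | (f & drop) for m, f in zip(em[sep + 1:], fallback))
    return out, bad == 0


# Constructed sample: a 48-byte premaster secret inside a 66-byte block with a
# 15-byte padding string (in real TLS the block is the RSA modulus size).
SAMPLE_PMS = bytes(range(1, 49))
SAMPLE_BLOCK = b"\x00\x02" + b"\x5a" * 15 + b"\x00" + SAMPLE_PMS

if __name__ == "__main__":
    secret, ok = unpad_pkcs1_v15_tls(SAMPLE_BLOCK, 48)
    print("well-formed block:", ok, secret == SAMPLE_PMS)
    secret, ok = unpad_pkcs1_v15_tls(b"\x00\x01" + SAMPLE_BLOCK[2:], 48)
    print("wrong block type:", ok, "random fallback used:", secret != SAMPLE_PMS)
```

The point of the random fallback is that a malformed block and a well-formed one lead to the same amount of work and the same next step (the handshake continues and fails at the Finished MAC), so neither timing nor the sequence of memory accesses tells the peer which case occurred.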


See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


# wolfSSL Release 3.15.5 (11/07/2018)

Release 3.15.5 of wolfSSL embedded TLS has bug fixes and new features including:

* Fixes for GCC-8 warnings with strings
* Additional compatibility APIs added, including functions like wolfSSL_X509_CA_num and wolfSSL_PEM_read_X509_CRL
* Fixes for OCSP use with NGINX port
* Renamed the macro INLINE to WC_INLINE for inline functions
* Doxygen updates and formatting for documentation generation
* Added support for the STM32L4 with AES/SHA hardware acceleration
* Adds checking for critical extension with certificate Auth ID and the macro WOLFSSL_ALLOW_CRIT_SKID to override the check
* Added public key callbacks to ConfirmSignature function to expand public key callback support
* Added ECC and Curve25519 key generation callback support
* Fix for memory management with wolfSSL_BN_hex2bn function
* Added support for dynamic allocation of PKCS7 structure using wc_PKCS7_New and wc_PKCS7_Free
* Port to apache mynewt added in the directory wolfssl-3.15.5/IDE/mynewt/*
* OCSP stapling in TLS 1.3 additions
* Port for ASIO added with --enable-asio configure flag
* Contiki port added with macro WOLFSSL_CONTIKI
* Memory free optimizations with adding in earlier frees where possible
* Made modifications to the primality testing so that the Miller-Rabin tests check against up to 40 random numbers rather than a fixed list of small primes
* Certificate validation time generation updated
* Fixes for MQX classic 4.0 with IAR-EWARM
* Fix for assembly optimized version of Curve25519
* Make SOCKET_PEER_CLOSED_E consistent between read and write cases
* Relocate compatibility layer functions for OpenSSH port update
* Update to Intel® SGX port, files included by Windows version and macros defined when using WOLFSSL_SGX
* Updates to Nucleus version supported
* Stack size reduction with smallstack build
* Updates to Rowley-Crossworks settings for CMSIS 4
* Added reference STSAFE-A100 public key callbacks for TLS support
* Added reference ATECC508A/ATECC608A public key callbacks for TLS support
* Updated support for latest CryptoAuthLib (10/25/2018)
* Added a wolfSSL static library project for Atollic TrueSTUDIO
* Flag to disable AES-CBC and have only AEAD cipher suites with TLS
* AF_ALG and cryptodev-linux crypto support added
* Update to IO callbacks with use of WOLFSSL_BIO
* Additional support for parsing certificate subject OIDs (businessCategory, jurisdiction of incorporation country, and jurisdiction of incorporation state)
* Added wc_ecc_ecport_ex and wc_export_inti APIs for ECC hex string exporting
* Updates to XCODE build with wolfSSL
* Fix for guard on when to include sys/time.h header
* Updates and enhancements to the GCC-ARM example
* Fix for PKCS8 padding with encryption
* Updates for wolfcrypt JNI wrapper
* ALT_ECC_SIZE use with SP math
* PIC32MZ hardware acceleration buffer alignment fixes
* Renesas e2studio project files added
* Renesas RX example project added
* Fix for DH algorithm when using SP math with ARM assembly
* Fixes and enhancements for NXP K82 support
* Benchmark enhancements to print in CSV format and in Japanese
* Support for PKCS#11 added with --enable-pkcs11
* Fixes for asynchronous crypto use with TLS 1.3
* TLS 1.3 only build, allows for disabling TLS 1.2 and earlier protocols
* Fix for GCC warnings in function wolfSSL_ASN1_TIME_adj
* Added --enable-asn=nocrypt for certificate only parsing support
* Added support for parsing PIV format certificates with the function wc_ParseCertPIV and macro WOLFSSL_CERT_PIV
* Added APIs to support GZIP
4084* Updates to support Lighttpd
4085* Version resource added for Windows DLL builds
4086* Increased code coverage with additional testing
4087* Added support for constructed OCTET_STRING with PKCS#7 signed data
4088* Added DTLS either (server/client) side initialization setting
4089* Minor fixes for building with MINGW32 compiler
4090* Added support for generic ECC PEM header/footer with PKCS8 parsing
4091* Added Japanese output to example server and client with “-1 1” flag
4092* Added USE_ECDSA_KEYSZ_HASH_ALGO macro for building to use digest sizes that match ephemeral key size
4093* Expand PKCS#7 CMS support with KEKRI, PWRI and ORI
4094* Streaming capability for PKCS#7 decoding and sign verify added
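The primality-testing change in the list above is worth seeing concretely. The block below is an added example written for this page, not wolfSSL's code: a 64-bit Miller-Rabin test run once with a fixed list of small-prime bases and once with randomly drawn bases. The composite 3215031751 = 151 · 751 · 28351 is a strong pseudoprime to bases 2, 3, 5 and 7, so the fixed-base variant wrongly accepts it; that is exactly the failure mode an attacker who controls a "prime" parameter (a DH group, say) can engineer against a known base list, and random bases remove it. Assumptions: the GCC/Clang `unsigned __int128` type for the modular multiply, and a fixed-seed xorshift generator standing in for the CSPRNG a real implementation would use.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a CSPRNG: xorshift64* with a fixed seed so the run
 * is reproducible.  A real implementation draws bases from the platform CSPRNG,
 * never from a fixed-seed generator like this one. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint64_t rng_next(void)
{
    uint64_t x = rng_state;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    rng_state = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* (a * b) mod m without overflow; relies on the GCC/Clang 128-bit type. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    b %= m;
    while (e) {
        if (e & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
        e >>= 1;
    }
    return r;
}

/* One Miller-Rabin round for odd n > 3 with base a in [2, n-2].
 * Returns 1 if n survives the round (probable prime), 0 if a is a witness. */
static int mr_round(uint64_t n, uint64_t a)
{
    uint64_t d = n - 1, x;
    unsigned s = 0, i;
    while ((d & 1) == 0) { d >>= 1; s++; }        /* n - 1 = 2^s * d */
    x = powmod(a, d, n);
    if (x == 1 || x == n - 1) return 1;
    for (i = 1; i < s; i++) {
        x = mulmod(x, x, n);
        if (x == n - 1) return 1;
    }
    return 0;
}

/* Trivial cases: 0 composite, 1 prime, -1 undecided (odd n > 3). */
static int trivial(uint64_t n)
{
    if (n < 2) return 0;
    if (n < 4) return 1;
    return (n & 1) ? -1 : 0;
}

/* Old style: the bases are the first `count` small primes (a fixed, public list). */
int is_prime_fixed_bases(uint64_t n, size_t count)
{
    static const uint64_t small[] = {2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37};
    size_t i;
    int t = trivial(n);
    if (t >= 0) return t;
    for (i = 0; i < count && i < sizeof small / sizeof small[0]; i++) {
        if (small[i] >= n - 1) break;              /* a base must be below n - 1 */
        if (!mr_round(n, small[i])) return 0;
    }
    return 1;
}

/* New style: `rounds` bases drawn at random from [2, n-2]. */
int is_prime_random_bases(uint64_t n, size_t rounds)
{
    size_t i;
    int t = trivial(n);
    if (t >= 0) return t;
    for (i = 0; i < rounds; i++) {
        uint64_t a = 2 + rng_next() % (n - 3);     /* modulo bias is irrelevant here */
        if (!mr_round(n, a)) return 0;
    }
    return 1;
}
```

With 40 random bases the chance that a composite survives every round is at most 4^-40, and, unlike a fixed list, the bases cannot be known to whoever chose the candidate. The fixed-base variant still has a place as a cheap pre-filter; it just cannot be the final word on attacker-supplied input.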


See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


# wolfSSL Release 3.15.3 (6/20/2018)

Release 3.15.3 of wolfSSL embedded TLS has bug fixes and new features including:

* ECDSA blinding added for hardening against side channel attacks
* Fix for compatibility layer build with no server and no client defined
* Use of optimized Intel assembly instructions on compatible AMD processors
* wolfCrypt Nucleus port additions
* Fix added for MatchDomainName and additional tests added
* Fixes for building with 'WOLFSSL_ATECC508A' defined
* Fix for verifying a PKCS7 file in BER format with indefinite size


This release of wolfSSL fixes 2 security vulnerabilities.

Medium level fix for a PRIME+PROBE attack combined with a variant of Lucky 13. Constant time hardening was done to avoid potential cache-based side channel attacks when verifying the MAC on a TLS packet. CBC cipher suites are susceptible on systems where an attacker could gain access and run a parallel program that inspects the cache. Only wolfSSL users that are using TLS/DTLS CBC cipher suites need to update. Users that have only AEAD and stream cipher suites set, or have built with WOLFSSL_MAX_STRENGTH (--enable-maxstrength), are not vulnerable. Thanks to Eyal Ronen, Kenny Paterson, and Adi Shamir for the report.
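What "constant time hardening" of the CBC MAC check means in practice, as an added example written for this page (it is not wolfSSL's implementation): every byte that could be padding is inspected, the tag is extracted without using the secret padding length as an array index, the tag comparison always runs over its full length, and the three verdicts are folded into one mask that is read only at the end. The 32-byte tag and the "hello" record are constructed sample data; the tag bytes stand in for an HMAC-SHA256 output the caller would recompute, and the MAC primitive itself is deliberately outside the block.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_MAC_LEN  64
#define PAD_WINDOW   256   /* padding_length is one byte, so at most 256 trailing bytes are padding */

/* All-ones when a == b, else zero; no data-dependent branch. */
static uint32_t ct_mask_eq(uint32_t a, uint32_t b)
{
    uint64_t x = (uint64_t)(a ^ b);
    return (uint32_t)((x - 1) >> 32);
}

/* All-ones when a >= b, else zero. */
static uint32_t ct_mask_ge(uint32_t a, uint32_t b)
{
    return ~(uint32_t)(((uint64_t)a - (uint64_t)b) >> 32);
}

/* rec is a decrypted TLS 1.1+ CBC record: plaintext || tag || padding || padding_length.
 * Returns 1 when the padding is well formed and the embedded tag equals expected_tag,
 * else 0; *data_len receives the plaintext length (meaningful only on success).
 * Record and MAC lengths are public; only the byte values are secret. */
int ct_cbc_check(const uint8_t *rec, size_t len, size_t maclen,
                 const uint8_t *expected_tag, size_t *data_len)
{
    uint8_t tag[MAX_MAC_LEN] = {0};
    uint32_t padlen, good, bad = 0, diff = 0;
    size_t i, k, p, scan, first;

    if (maclen == 0 || maclen > MAX_MAC_LEN || len < maclen + 1)
        return 0;                                   /* public-length sanity check */

    padlen = rec[len - 1];
    /* Does padding_length + 1 + maclen fit?  If not the record is bad; clamp padlen
     * to 0 so every index computed below stays inside the buffer. */
    good   = ct_mask_ge((uint32_t)(len - maclen - 1), padlen);
    padlen &= good;

    /* Inspect a fixed window of trailing bytes; mask by "is byte i inside the padding". */
    scan = len < PAD_WINDOW ? len : PAD_WINDOW;
    for (i = 0; i < scan; i++) {
        uint32_t in_pad = ct_mask_ge(padlen, (uint32_t)i);
        bad |= in_pad & (uint32_t)(rec[len - 1 - i] ^ (uint8_t)padlen);
    }
    good &= ct_mask_eq(bad, 0);

    /* Pull the tag out by sweeping the tail with masks instead of indexing with padlen,
     * so the memory access pattern does not reveal where the tag sits. */
    first = len > maclen + PAD_WINDOW ? len - maclen - PAD_WINDOW : 0;
    for (p = first; p < len; p++) {
        /* rel = p - mac_start, where mac_start = len - 1 - padlen - maclen; wraps when negative */
        uint32_t rel = (uint32_t)(p + padlen + maclen + 1 - len);
        for (k = 0; k < maclen; k++)
            tag[k] |= (uint8_t)(ct_mask_eq(rel, (uint32_t)k) & rec[p]);
    }
    for (k = 0; k < maclen; k++)
        diff |= (uint32_t)(tag[k] ^ expected_tag[k]);
    good &= ct_mask_eq(diff, 0);

    *data_len = len - maclen - 1 - padlen;          /* in range because padlen was clamped */
    return (int)(good & 1U);
}

/* Constructed sample: "hello", a 32-byte tag, three padding bytes of 0x02.
 * Returns the plaintext length on acceptance, -1 on rejection. */
int demo_record(int variant)
{
    uint8_t rec[40], tag[32];
    size_t i, n = 0;
    for (i = 0; i < 32; i++) tag[i] = (uint8_t)(0xA0 + i);
    memcpy(rec, "hello", 5);
    memcpy(rec + 5, tag, 32);
    rec[37] = rec[38] = rec[39] = 0x02;
    if (variant == 1) rec[37] = 0x01;               /* one padding byte wrong */
    if (variant == 2) rec[5] ^= 0x80;               /* one tag byte wrong */
    if (variant == 3) rec[39] = 0xFF;               /* padding_length exceeds the record */
    return ct_cbc_check(rec, sizeof rec, 32, tag, &n) ? (int)n : -1;
}
```

Variant 0 is the well-formed record and returns the plaintext length 5; variants 1 to 3 (wrong padding byte, wrong tag byte, padding_length larger than the record) all return -1 through the same code path. Two caveats a reviewer would raise: the Lucky 13 timing signal also comes from how many hash compression calls the MAC computation spends, so the caller must MAC a length that does not depend on padding_length (typically by running the compression function a fixed number of times whatever the real length); and compilers may turn mask arithmetic back into branches, so the hardening has to be confirmed in the generated assembly rather than assumed from the C.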

Medium level fix for an ECDSA side channel attack. wolfSSL is one of over a dozen vendors mentioned in the recent Technical Advisory “ROHNP” by author Ryan Keegan. Only wolfSSL users with long-term ECDSA private keys using our fastmath or normal math libraries on systems where attackers can get access to the machine using the ECDSA key need to update. An attacker gaining access to the system could mount a memory cache side channel attack that could recover the key within a few thousand signatures. wolfSSL users that are not using ECDSA private keys, that are using the single precision math library, or that are using ECDSA offloading do not need to update. (blog with more information https://www.wolfssl.com/wolfssh-and-rohnp/)


See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html

# wolfSSL Release 3.15.0 (06/05/2018)

Release 3.15.0 of wolfSSL embedded TLS has bug fixes and new features including:

* Support for TLS 1.3 Draft versions 23, 26 and 28.
* Add FIPS SGX support!
* Single Precision assembly code added for ARM and 64-bit ARM to enhance performance.
* Improved performance for Single Precision math on 32-bit.
* Improved downgrade support for the TLS 1.3 handshake.
* Improved TLS 1.3 support from interoperability testing.
* Added option to allow TLS 1.2 to be compiled out to reduce size and enhance security.
* Added option to support Ed25519 in TLS 1.2 and 1.3.
* Update wolfSSL_HMAC_Final() so the length parameter is optional.
* Various fixes for Coverity static analysis reports.
* Add define to use internal struct timeval (USE_WOLF_TIMEVAL_T).
* Switch LowResTimer() to call XTIME instead of time(0) for better portability.
* Expanded OpenSSL compatibility layer with a bevy of new functions.
* Added Renesas CS+ project files.
* Align DH support with NIST SP 800-56A, add wc_DhSetKey_ex() for q parameter.
* Add build option for CAVP self test build (--enable-selftest).
* Expose mp_toradix() when WOLFSSL_PUBLIC_MP is defined.
* Example certificate expiration dates and generation script updated.
* Additional optimizations to trim out unused strings depending on build options.
* Fix for DN tag strings to have “=” when returning the string value to users.
* Fix for wolfSSL_ERR_get_error_line_data return value if no more errors are in the queue.
* Fix for AES-CBC IV value with PIC32 hardware acceleration.
* Fix for wolfSSL_X509_print with ECC certificates.
* Fix for strict checking on URI absolute vs relative path.
* Added crypto device framework to handle PK RSA/ECC operations using callbacks, which adds new build option `./configure --enable-cryptodev` or `WOLF_CRYPTO_DEV`.
* Added devId support to ECC and PKCS7 for hardware based private key.
* Fixes in PKCS7 for handling possible memory leak in some error cases.
* Added test for invalid cert common name when set with `wolfSSL_check_domain_name`.
* Refactor of the cipher suite names to use single array, which contains internal name, IANA name and cipher suite bytes.
* Added new function `wolfSSL_get_cipher_name_from_suite` for getting IANA cipher suite name using bytes.
* Fixes for fsanitize reports.
* Fix for openssl compatibility function `wolfSSL_RSA_verify` to check returned size.
* Fixes and improvements for FreeRTOS AWS.
* Fixes for building openssl compatibility with FreeRTOS.
* Fix and new test for handling match on domain name that may have a null terminator inside.
* Cleanup of the socket close code used for examples, CRL/OCSP and BIO to use single macro `CloseSocket`.
* Refactor of the TLSX code to support returning error codes.
* Added new signature wrapper functions `wc_SignatureVerifyHash` and `wc_SignatureGenerateHash` to allow direct use of hash.
* Improvement to GCC-ARM IDE example.
* Enhancements and cleanups for the ASN date/time code including new APIs `wc_GetDateInfo`, `wc_GetCertDates` and `wc_GetDateAsCalendarTime`.
* Fixes to resolve issues with C99 compliance. Added build option `WOLF_C99` to force C99.
* Added a new `--enable-opensslall` option to enable all openssl compatibility features.
* Added new `--enable-webclient` option for enabling a few HTTP APIs.
* Added new `wc_OidGetHash` API for getting the hash type from a hash OID.
* Moved `wolfSSL_CertPemToDer`, `wolfSSL_KeyPemToDer`, `wolfSSL_PubKeyPemToDer` to asn.c and renamed to `wc_`. Added backwards compatibility macro for old function names.
* Added new `WC_MAX_SYM_KEY_SIZE` macro for helping determine max key size.
* Added `--enable-enckeys` (or `WOLFSSL_ENCRYPTED_KEYS`) to enable support for encrypted PEM private keys using password callback without having to use opensslextra.
* Added ForceZero on the password buffer after done using it.
* Refactor unique hash types to use same internal values (ex WC_MD5 == WC_HASH_TYPE_MD5).
* Refactor the Sha3 types to use `wc_` naming, while retaining old names for compatibility.
* Improvements to `wc_PBKDF1` to support more hash types and the non-standard extra data option.
* Fix TLS 1.3 with ECC disabled and CURVE25519 enabled.
* Added new define `NO_DEV_URANDOM` to disable the use of `/dev/urandom`.
* Added `WC_RNG_BLOCKING` to indicate block w/sleep(0) is okay.
* Fix for `HAVE_EXT_CACHE` callbacks not being available without `OPENSSL_EXTRA` defined.
* Fix for ECC max bits `MAX_ECC_BITS` not always calculating correctly due to macro order.
* Added support for building and using PKCS7 without RSA (assuming ECC is enabled).
* Fixes and additions for Cavium Nitrox V to support ECC, AES-GCM and HMAC (SHA-224 and SHA3).
* Enabled ECC, AES-GCM and SHA-512/384 by default (Linux and Windows).
* Added `./configure --enable-base16` and `WOLFSSL_BASE16` configuration option to enable Base16 APIs.
* Improvements to ATECC508A support for building without `WOLFSSL_ATMEL` defined.
* Refactor IO callback function names to use `_CTX_` to eliminate confusion about the first parameter.
* Added support for not loading a private key for server or client when `HAVE_PK_CALLBACK` is defined and the private PK callback is set.
* Added new ECC API `wc_ecc_sig_size_calc` to return max signature size for a key size.
* Cleanup ECC point import/export code and added new API `wc_ecc_import_unsigned`.
* Fixes for handling OCSP with non-blocking.
* Added new PK (public key) callbacks for VerifyRsaSign. The new callback APIs are `wolfSSL_CTX_SetRsaVerifySignCb` and `wolfSSL_CTX_SetRsaPssVerifySignCb`.
* Added new ECC API `wc_ecc_rs_raw_to_sig` to take raw unsigned R and S and encode them into ECDSA signature format.
* Added support for `WOLFSSL_STM32F1`.
* Cleanup of the ASN X509 header/footer and XSTRNCPY logic.
* Add copyright notice to autoconf files. (Thanks Brian Aker!)
* Updated the M4 files for autotools. (Thanks Brian Aker!)
* Add support for the cipher suite TLS_DH_anon_WITH_AES256_GCM_SHA384 with test cases. (Thanks Thivya Ashok!)
* Add the TLS alert message unknown_psk_identity (115) from RFC 4279, section 2. (Thanks Thivya Ashok!)
* Fix the case when using TCP with timeouts with TLS. wolfSSL shall be agnostic to network socket behavior for TLS. (DTLS is another matter.) The functions `wolfSSL_set_using_nonblock()` and `wolfSSL_get_using_nonblock()` are deprecated.
* Hush the AR warning when building the static library with autotools.
* Hush the “-pthread” warning when building in some environments.
* Added a dist-hook target to the Makefile to reset the default options.h file.
* Removed the need for the darwin-clang.m4 file with the updates provided by Brian A.
* Renamed the AES assembly file so GCC on the Mac will build it using the preprocessor.
* Add a disable option (--disable-optflags) to turn off the default optimization flags so user may supply their own custom flags.
* Correctly touch the dummy fips.h header.

If you have questions on any of this, then email us at info@wolfssl.com.
See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


# wolfSSL Release 3.14.0 (03/02/2018)

Release 3.14.0 of wolfSSL embedded TLS has bug fixes and new features including:

* TLS 1.3 draft 22 and 23 support added
* Additional unit tests for SHA3, AES-CMAC, Ed25519, ECC, RSA-PSS, AES-GCM
* Many additions to the OpenSSL compatibility layer were made in this release, including enhancements to PKCS12, WOLFSSL_X509 use, WOLFSSL_EVP_PKEY, and WOLFSSL_BIO operations
* AVX1 and AVX2 performance improvements with ChaCha20 and Poly1305
* Added i.MX CAAM driver support with Integrity OS support
* Improvements to logging with debugging, including exposing more API calls and adding options to reduce debugging code size
* Fix for signature type detection with PKCS7 RSA SignedData
* Public key callback functions added for DH Agree
* RSA-PSS API added for operating on non-inline buffers (separate input and output buffers)
* API added for importing and exporting raw DSA parameters
* Updated DSA key generation to be FIPS 186-4 compliant
* Fix for wolfSSL_check_private_key when comparing ECC keys
* Support for AES Cipher Feedback (CFB) mode added
* Updated RSA key generation to be FIPS 186-4 compliant
* Update added for the ARM CMSIS software pack
* WOLFSSL_IGNORE_FILE_WARN macro added for avoiding build warnings when not working with autotools
* Performance improvements for AES-GCM with AVX1 and AVX2
* Fix for possible memory leak on error case with wc_RsaKeyToDer function
* Make wc_PKCS7_PadData function available
* Updates made to building SGX on Linux
* STM32 hashing algorithm improvements including clock/power optimizations and auto-detection of whether SHA2 is supported
* Update static memory feature for FREERTOS use
* Reverse the order that certificates are compared during PKCS12 parse to account for the case where multiple certificates have the same matching private key
* Update NGINX port to version 1.13.8
* Support for HMAC-SHA3 added
* Added stricter ASN checks to enforce RFC 5280 rules. Thanks to the report from Professor Zhenhua Duan, Professor Cong Tian, and Ph.D candidate Chu Chen from Institute of Computing Theory and Technology (ICTT) of Xidian University.
* Option to make the ecc_mul2add function public facing
* Getter function wc_PKCS7_GetAttributeValue added for PKCS7 attributes
* Macros NO_AES_128, NO_AES_192, NO_AES_256 added for AES key size selection at compile time
* Support for writing multiple organizational units (OU) and domain components (DC) with CSR and certificate creation
* Support for indefinite length BER encodings in PKCS7
* Added API for additional validation of prime q in a public DH key
* Added support for RSA encrypt and decrypt without padding


See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.13.0 (12/21/2017)

wolfSSL 3.13.0 includes bug fixes and new features, including support for
TLS 1.3 Draft 21, performance and footprint optimizations, build fixes,
updated examples and project files, and one vulnerability fix. The full list
of changes and additions in this release includes:

* Fixes for TLS 1.3, support for Draft 21
* TLS 1.0 disabled by default, addition of “--enable-tlsv10” configure option
* New option to reduce SHA-256 code size at expense of performance
  (USE_SLOW_SHA256)
* New option for memory reduced build (--enable-lowresource)
* AES-GCM performance improvements on AVX1 (IvyBridge) and AVX2
* SHA-256 and SHA-512 performance improvements using AVX1/2 ASM
* SHA-3 size and performance optimizations
* Fixes for Intel AVX2 builds on Mac/OSX
* Intel assembly for Curve25519, and Ed25519 performance optimizations
* New option to force 32-bit mode with “--enable-32bit”
* New option to disable all inline assembly with “--disable-asm”
* Ability to override maximum signature algorithms using WOLFSSL_MAX_SIGALGO
* Fixes for handling of unsupported TLS extensions.
* Fixes for compiling AES-GCM code with GCC 4.8.*
* Allow adjusting static I/O buffer size with WOLFMEM_IO_SZ
* Fixes for building without a filesystem
* Removes 3DES and SHA1 dependencies from PKCS#7
* Adds ability to disable PKCS#7 EncryptedData type (NO_PKCS7_ENCRYPTED_DATA)
* Add ability to get client-side SNI
* Expanded OpenSSL compatibility layer
* Fix for logging file names with OpenSSL compatibility layer enabled, with
  WOLFSSL_MAX_ERROR_SZ user-overridable
* Adds static memory support to the wolfSSL example client
* Fixes for sniffer to use TLS 1.2 client method
* Adds option to wolfCrypt benchmark to benchmark individual algorithms
* Adds option to wolfCrypt benchmark to display benchmarks in powers
  of 10 (-base10)
* Updated Visual Studio for ARM builds (for ECC supported curves and SHA-384)
* Updated Texas Instruments TI-RTOS build
* Updated STM32 CubeMX build with fixes for SHA
* Updated IAR EWARM project files
* Updated Apple Xcode projects with the addition of a benchmark example project

This release of wolfSSL fixes 1 security vulnerability.

wolfSSL is cited in the recent ROBOT Attack by Böck, Somorovsky, and Young.
The paper notes that wolfSSL only gives a weak oracle without a practical
attack, but this is still a flaw. This release contains a fix for this report.
Please note that wolfSSL has static RSA cipher suites disabled by default as
of version 3.6.6 because of the lack of perfect forward secrecy. Only users
who have explicitly enabled static RSA cipher suites with WOLFSSL_STATIC_RSA
and use those suites on a host are affected. More information will be
available on our website at:

https://wolfssl.com/wolfSSL/security/vulnerabilities.php
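The standard countermeasure for a Bleichenbacher-style oracle such as ROBOT is that the server never lets the client learn whether RSA decryption of the premaster secret produced a well-formed block. Below is an added example of that logic written for this page; it is not wolfSSL's code and it does not perform the RSA operation itself. It takes the already-decrypted PKCS#1 v1.5 block, checks the type-2 framing and the client version bytes at fixed offsets in constant time, and returns either the embedded 48-byte premaster secret or a caller-supplied random one, selected by a mask, so the handshake proceeds identically in both cases and the only observable outcome is a failed Finished MAC. The block contents and the "random" fallback bytes are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PMS_LEN 48   /* TLS RSA premaster secret: 2 version bytes + 46 random bytes */

/* All-ones when a == b, else zero; no data-dependent branch. */
static uint32_t ct_mask_eq(uint32_t a, uint32_t b)
{
    uint64_t x = (uint64_t)(a ^ b);
    return (uint32_t)((x - 1) >> 32);
}

/* em: the k-byte result of RSA decryption, expected as
 *     0x00 || 0x02 || PS (k-51 non-zero bytes, at least 8) || 0x00 || premaster(48).
 * Because the premaster length is fixed, every field sits at a known offset, so the
 * whole check is a sweep over fixed positions.  On any failure the output is
 * rand_pms instead, chosen with a mask, and nothing is reported to the caller:
 * the peer must not be able to tell the cases apart (RFC 5246 7.4.7.1). */
void rsa_premaster_ct(const uint8_t *em, size_t k,
                      uint8_t client_major, uint8_t client_minor,
                      const uint8_t rand_pms[PMS_LEN], uint8_t out[PMS_LEN])
{
    uint32_t good;
    size_t i, sep;
    const uint8_t *m;

    if (k < PMS_LEN + 11) {                        /* k is public (key size), so this branch leaks nothing */
        memcpy(out, rand_pms, PMS_LEN);
        return;
    }
    sep = k - PMS_LEN - 1;                         /* index of the 0x00 separator */
    m   = em + k - PMS_LEN;                        /* where the premaster must sit */

    good  = ct_mask_eq(em[0], 0x00);
    good &= ct_mask_eq(em[1], 0x02);
    for (i = 2; i < sep; i++)                      /* padding string must be non-zero throughout */
        good &= ~ct_mask_eq(em[i], 0x00);
    good &= ct_mask_eq(em[sep], 0x00);
    good &= ct_mask_eq(m[0], client_major);        /* a version mismatch is treated exactly */
    good &= ct_mask_eq(m[1], client_minor);        /* like bad padding: silently use random */

    for (i = 0; i < PMS_LEN; i++)
        out[i] = (uint8_t)((good & m[i]) | (~good & rand_pms[i]));
}

/* Constructed 128-byte block (the size a 1024-bit key would give) carrying the
 * premaster 03 03 || 46 bytes of 0x5A.  Returns 1 if out is the embedded secret,
 * 0 if it is the random fallback, -1 if it is neither. */
int demo_robot(int variant)
{
    uint8_t em[128], secret[PMS_LEN], rand_pms[PMS_LEN], out[PMS_LEN];
    size_t i;
    secret[0] = 0x03; secret[1] = 0x03;            /* client_version = TLS 1.2 */
    for (i = 2; i < PMS_LEN; i++) secret[i] = 0x5A;
    for (i = 0; i < PMS_LEN; i++) rand_pms[i] = (uint8_t)(0xC3 ^ i);   /* "random" fallback, constructed */
    em[0] = 0x00; em[1] = 0x02;
    for (i = 2; i < sizeof em - PMS_LEN - 1; i++) em[i] = (uint8_t)(1 + (i % 251));  /* non-zero PS */
    em[sizeof em - PMS_LEN - 1] = 0x00;
    memcpy(em + sizeof em - PMS_LEN, secret, PMS_LEN);
    if (variant == 1) em[1] = 0x01;                /* wrong block type */
    if (variant == 2) em[10] = 0x00;               /* zero byte inside the padding string */
    if (variant == 3) em[sizeof em - PMS_LEN] = 0x02;   /* version byte does not match client_version */
    rsa_premaster_ct(em, sizeof em, 0x03, 0x03, rand_pms, out);
    if (memcmp(out, secret, PMS_LEN) == 0) return 1;
    if (memcmp(out, rand_pms, PMS_LEN) == 0) return 0;
    return -1;
}
```

The random fallback must be drawn before the RSA decryption, not on the failure path, or the extra RNG call becomes its own timing signal; and the function's lack of a return value is deliberate, since any error code the server later acts on (an alert, a different log line, an early close) recreates the oracle. As the release note says, this path is only reachable when static RSA suites are enabled with WOLFSSL_STATIC_RSA.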

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.12.2 (10/23/2017)

## Release 3.12.2 of wolfSSL has bug fixes and new features including:

This release includes many performance improvements with Intel ASM (AVX/AVX2) and AES-NI. New single precision math option to speed up RSA, DH and ECC. Embedded hardware support has been expanded for STM32, PIC32MZ and ATECC508A. AES now supports XTS mode for disk encryption. Certificate improvements for setting serial number, key usage and extended key usage. Refactor of SSL_ and hash types to allow OpenSSL coexistence. Improvements for TLS 1.3. Fixes for OCSP stapling to allow disable and WOLFSSL specific user context for callbacks. Fixes for OpenSSL and MySQL compatibility. Updated Micrium port. Fixes for asynchronous modes.

* Added TLS extension for Supported Point Formats (ec_point_formats)
* Fix to not send OCSP stapling extensions in client_hello when not enabled
* Added new APIs for disabling OCSP stapling
* Add check for SIZEOF_LONG with sun and LP64
* Fixes for various TLS 1.3 disable options (RSA, ECC and Ed25519/Curve25519).
* Fix to disallow upgrading to TLS v1.3
* Fixes for wolfSSL_EVP_CipherFinal() when message size is a round multiple of a block size.
* Add HMAC benchmark and expanded AES key size benchmarks
* Added simple GCC ARM Makefile example
* Add tests for 3072-bit RSA and DH.
* Fixed DRAFT_18 define and fixed downgrading with TLS v1.3
* Fixes to allow custom serial number during certificate generation
* Add method to get WOLFSSL_CTX certificate manager
* Improvement to `wolfSSL_SetOCSP_Cb` to allow context per WOLFSSL object
* Alternate certificate chain support `WOLFSSL_ALT_CERT_CHAINS`. Enables checking cert against multiple CAs.
* Added new `--disable-oldnames` option to allow for using openssl alongside wolfssl headers (without OPENSSL_EXTRA).
* Refactor SSL_ and hashing types to use wolf specific prefix (WOLFSSL and WC_) to allow openssl coexistence.
* Fixes for HAVE_INTEL_MULX
* Cleanup include paths for MySQL cmake build
* Added configure option for building library for wolfSSH (--enable-wolfssh)
* Openssl compatibility layer improvements
* Expanded API unit tests
* Fixes for STM32 crypto hardware acceleration
* Added AES XTS mode (--enable-xts)
* Added ASN Extended Key Usage Support (see wc_SetExtKeyUsage).
* Math updates and added TFM_MIPS speedup.
* Fix for creation of the KeyUsage BitString
* Fix for 8k keys with MySQL compatibility
* Fixes for ATECC508A.
* Fixes for PIC32MZ hashing.
* Fixes and improvements to asynchronous modes for Intel QuickAssist and Cavium Nitrox V.
* Update HASH_DRBG Reseed mechanism and add test case
* Rename the file io.h/io.c to wolfio.h/wolfio.c
* Cleanup the wolfIO_Send function.
* OpenSSL Compatibility Additions and Fixes
* Improvements to Visual Studio DLL project/solution.
* Added function to generate public ECC key from private key
* Added async blocking support for sniffer tool.
* Added wolfCrypt hash tests for empty string and large data.
* Added ability to use the wolf implementation of `strtok` with `USE_WOLF_STRTOK`.
* Updated Micrium uC/OS-III Port
* Updated root certs for OCSP scripts
* New Single Precision math option for RSA, DH and ECC (off by default). See `--enable-sp`.
* Speedups for AES GCM with AESNI (--enable-aesni)
* Speedups for SHA2, ChaCha20/Poly1305 using AVX/AVX2


# wolfSSL (Formerly CyaSSL) Release 3.12.0 (8/04/2017)

## Release 3.12.0 of wolfSSL has bug fixes and new features including:

- TLS 1.3 with Nginx! TLS 1.3 with ARMv8! TLS 1.3 with Async Crypto! (--enable-tls13)
- TLS 1.3 0-RTT feature added
- Added port for using Intel SGX with Linux
- Update and fix PIC32MZ port
- Additional unit testing for MD5, SHA, SHA224, SHA256, SHA384, SHA512, RipeMd, HMAC, 3DES, IDEA, ChaCha20, ChaCha20Poly1305 AEAD, Camellia, Rabbit, ARC4, AES, RSA, Hc128
- AVX and AVX2 assembly for improved ChaCha20 performance
- Intel QAT fixes for when using --disable-fastmath
- Update how DTLS handles decryption and MAC failures
- Update DTLS session export version number for --enable-sessionexport feature
- Add additional input argument sanity checks to ARMv8 assembly port
- Fix for making PKCS12 dynamic types match
- Fixes for potential memory leaks when using --enable-fast-rsa
- Fix for when using custom ECC curves and add BRAINPOOLP256R1 test
- Update TI-RTOS port for dependency on new wolfSSL source files
- DTLS multicast feature added, --enable-mcast
- Fix for Async crypto with GCC 7.1 and HMAC when not using Intel QuickAssist
- Improvements and enhancements to Intel QuickAssist support
- Added Xilinx port
- Added SHA3 Keccak feature, --enable-sha3
- Expand wolfSSL Python wrapper to now include a client side implementation
- Adjust example servers to not treat a peer closed error as a hard error
- Added more sanity checks to fp_read_unsigned_bin function
- Add SHA224 and AES key wrap to ARMv8 port
- Update MQX classics and mmCAU ports
- Fix for potential buffer over-read with wolfSSL_CertPemToDer
- Add PKCS7/CMS decode support for KARI with IssuerAndSerialNumber
- Fix ThreadX/NetX warning
- Fixes for OCSP and CRL non-blocking sockets and for incomplete cert chain with OCSP
- Added RSA PSS sign and verify
- Fix for STM32F4 AES-GCM
- Added enable all feature (--enable-all)
- Added trackmemory feature (--enable-trackmemory)
- Fixes for AES key wrap and PKCS7 on Windows VS
- Added benchmark block size argument
- Support use of staticmemory with PKCS7
- Fix for Blake2b build with GCC 5.4
- Fixes for compiling wolfSSL with GCC version 7, most dealing with switch statement fall-through warnings.
- Added warning when compiling without hardened math operations


Note:
There is a known issue with using ChaCha20 AVX assembly on versions of GCC earlier than 5.2. This is encountered when using the wolfSSL enable options --enable-intelasm and --enable-chacha. To avoid this issue ChaCha20 can be enabled with --enable-chacha=noasm.
If using --enable-intelasm and also using --enable-sha224 or --enable-sha256 there is a known issue with trying to use -fsanitize=address.

This release of wolfSSL fixes 1 low level security vulnerability.

Low level fix for a potential DoS attack on a wolfSSL client. Previously a client would accept many warning alert messages without a limit. This fix puts a limit on the number of warning alert messages received, and if this limit is reached a fatal error ALERT_COUNT_E is returned. The max number of warning alerts by default is set to 5 and can be adjusted with the macro WOLFSSL_ALERT_COUNT_MAX. Thanks to Tarun Yadav and Koustav Sadhukhan from Defence Research and Development Organization, INDIA, for the report.
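The limit described above, as an added example written for this page rather than a piece of wolfSSL's record layer: a per-connection counter of warning-level alerts that returns an error once the configurable maximum (5 here, mirroring the default quoted in the note) is excee, while fatal alerts and close_notify still end the connection immediately. The names ALERT_COUNT_E and WOLFSSL_ALERT_COUNT_MAX are taken from the text; their numeric values, the state struct, the other return codes and the alert byte sequences fed in are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>

#ifndef WOLFSSL_ALERT_COUNT_MAX
#define WOLFSSL_ALERT_COUNT_MAX 5      /* default from the release note; override at build time */
#endif

/* Return codes of this example (not wolfSSL's numeric values). */
#define ALERT_OK            0
#define ALERT_CLOSED        1          /* peer sent close_notify or a fatal alert */
#define ALERT_COUNT_E     (-1)         /* too many warning alerts on one connection */
#define ALERT_MALFORMED_E (-2)

enum { ALERT_LEVEL_WARNING = 1, ALERT_LEVEL_FATAL = 2, ALERT_DESC_CLOSE_NOTIFY = 0 };

typedef struct {
    unsigned warning_count;            /* warnings seen since the connection started */
    int      closed;
} alert_state;

/* Process the body of one alert record (two bytes: level, description). */
int process_alert(alert_state *st, const uint8_t *body, size_t len)
{
    if (st->closed) return ALERT_CLOSED;
    if (len != 2) return ALERT_MALFORMED_E;

    if (body[0] == ALERT_LEVEL_FATAL || body[1] == ALERT_DESC_CLOSE_NOTIFY) {
        st->closed = 1;
        return ALERT_CLOSED;
    }
    if (body[0] != ALERT_LEVEL_WARNING) return ALERT_MALFORMED_E;

    /* The fix: warnings are no longer unbounded.  A peer that keeps sending them
     * (unrecognized_name/112 or user_canceled/90 in a loop, for instance) gets a
     * hard error instead of holding the endpoint in an endless read-and-ignore cycle. */
    if (++st->warning_count > WOLFSSL_ALERT_COUNT_MAX) {
        st->closed = 1;
        return ALERT_COUNT_E;
    }
    return ALERT_OK;
}

/* Feed n copies of the same warning alert and return the last result. */
int demo_warning_flood(unsigned n)
{
    alert_state st = {0, 0};
    static const uint8_t warn[2] = { ALERT_LEVEL_WARNING, 112 };   /* unrecognized_name */
    int rc = ALERT_OK;
    unsigned i;
    for (i = 0; i < n && rc == ALERT_OK; i++)
        rc = process_alert(&st, warn, sizeof warn);
    return rc;
}

/* A warning-level close_notify is still a clean shutdown, not a counted warning. */
int demo_close_notify(void)
{
    alert_state st = {0, 0};
    static const uint8_t cn[2] = { ALERT_LEVEL_WARNING, ALERT_DESC_CLOSE_NOTIFY };
    return process_alert(&st, cn, sizeof cn);
}
```

Five warnings are accepted and the sixth trips ALERT_COUNT_E; the counter lives in the per-connection state so one noisy peer cannot affect others, and it is never reset, because a peer that interleaves a few legitimate records between warnings should not be able to restart the budget.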


See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.11.1 (5/11/2017)

## Release 3.11.1 of wolfSSL is a TLS 1.3 BETA release, which includes:

- TLS 1.3 client and server support (Draft 18)

This is strictly a BETA release, designed for testing and user feedback.
Please send any comments, testing results, or feedback to wolfSSL at
support@wolfssl.com.

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.11.0 (5/04/2017)

## Release 3.11.0 of wolfSSL has bug fixes and new features including:

- Code updates for warnings reported by Coverity scans
- Testing and warning fixes for FreeBSD on PowerPC
- Updates and refactoring done to ASN1 parsing functions
- Change max PSK identity buffer to account for an identity length of 128 characters
- Update Arduino script to handle recent files and additions
- Added support for PKCS#7 Signed Data with ECDSA
- Fix for interoperability with ChaCha20-Poly1305 suites using older draft versions
- DTLS update to allow multiple handshake messages in one DTLS record. Thanks to Eric Samsel over at Welch Allyn for reporting this bug.
- Intel QuickAssist asynchronous support (PR #715 - https://www.wolfssl.com/wolfSSL/Blog/Entries/2017/1/18_wolfSSL_Asynchronous_Intel_QuickAssist_Support.html)
- Added support for HAproxy load balancer
- Added option to allow SHA1 with TLS 1.2 for IIS compatibility (WOLFSSL_ALLOW_TLS_SHA1)
- Added Curve25519 51-bit Implementation, increasing performance on systems that have 128 bit types
- Fix to not send session ID on server side if session cache is off unless we're echoing
session ID as part of session tickets
- Fixes for ensuring all default ciphers are setup correctly (see PR #830)
- Added NXP Hexiwear example in `IDE/HEXIWEAR`.
- Added wolfSSL_write_dup() to create write only WOLFSSL object for concurrent access
- Fixes for TLS elliptic curve selection on private key import.
- Fixes for RNG with Intel rdrand and rdseed speedups.
- Improved performance with Intel rdrand to use full 64-bit output
- Added new --enable-intelrand option to indicate use of RDRAND preference for RNG source
- Removed RNG ARC4 support
- Added ECC helpers to get size and id from curve name.
- Added ECC Cofactor DH (ECC-CDH) support
- Added ECC private key only import / export functions.
- Added PKCS8 create function
- Improvements to TLS layer CTX handling for switching keys / certs.
- Added check for duplicate certificate policy OID in certificates.
- Normal math speed-up to not allocate on mp_int and defer until mp_grow
- Reduce heap usage with fast math when not using ALT_ECC_SIZE
- Fixes for building CRL with Windows
- Added support for inline CRL lookup when HAVE_CRL_IO is defined
- Added port for tenAsys INtime RTOS
- Improvements to uTKernel port (WOLFSSL_uTKERNEL2)
- Updated WPA Supplicant support
- Added support for Nginx
- Update stunnel port for version 5.40
- Fixes for STM32 hardware crypto acceleration
- Extended test code coverage in bundled test.c
- Added a sanity check for minimum authentication tag size with AES-GCM. Thanks to Yueh-Hsun Lin and Peng Li at KNOX Security at Samsung Research America for suggesting this.
- Added a sanity check that subject key identifier is marked as non-critical and a check that no policy OIDs appear more than once in the cert policies extension. Thanks to the report from Professor Zhenhua Duan, Professor Cong Tian, and Ph.D candidate Chu Chen from Institute of Computing Theory and Technology (ICTT) of Xidian University, China. Profs. Zhenhua Duan and Cong Tian are supervisors of Ph.D candidate Chu Chen.

This release of wolfSSL fixes 5 low level and 1 medium level security vulnerabilities.

3 low level fixes reported by Yueh-Hsun Lin and Peng Li from KNOX Security, Samsung Research America:
- Fix for out-of-bounds memory access in wc_DhParamsLoad() when GetLength() returns zero. Before this fix there was a case where wolfSSL would read out-of-bounds memory in the function wc_DhParamsLoad.
- Fix for a malformed DH key being accepted by wc_DhAgree.
- Fix for a double free case when adding a CA cert into X509_store.

Low level fix for memory management with the static memory feature enabled. By default static memory is disabled. Thanks to GitHub user hajjihraf for reporting this.


Low level fix for an out-of-bounds write in the function wolfSSL_X509_NAME_get_text_by_NID. This function is not used by TLS or crypto operations but could result in a buffer out-of-bounds write by one if called explicitly in an application. Discovered by Aleksandar Nikolic of Cisco Talos. http://talosintelligence.com/vulnerability-reports/

Medium level fix for the check on certificate signature. There is a case in release versions 3.9.10, 3.10.0 and 3.10.2 where a corrupted signature on a peer certificate would not be properly flagged. Thanks to Wens Lo, James Tsai, Kenny Chang, and Oscar Yang at Castles Technology.


See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.10.2 (2/10/2017)

## Release 3.10.2 of wolfSSL has bug fixes and new features including:

- Poly1305 Windows macros fix. Thanks to GitHub user Jay Satiro
- Compatibility layer expanded with multiple functions added
- Improve fp_copy performance with ALT_ECC_SIZE
- OCSP updates and improvements
- Fixes for IAR EWARM 8 compiler warnings
- Reduce stack usage with ECC_CACHE_CURVE disabled
- Added ECC export raw for public and private key
- Fix for NO_ASN_TIME build
- Supported curves extensions now populated by default
- Add DTLS build without big integer math
- Fix for static memory feature with wc_ecc_verify_hash_ex when SHAMIR is not defined
- Added PSK interoperability testing to script bundled with wolfSSL
- Fix for Python wrapper random number generation. Compiler optimizations with Python could place the random number in the same buffer location each time. Thanks to GitHub user Erik Bray (embray)
- Fix for tests on unaligned memory with static memory feature
- Add macro WOLFSSL_NO_OCSP_OPTIONAL_CERTS to skip optional OCSP certificates
- Sanity checks on NULL arguments added to wolfSSL_set_fd and wolfSSL_DTLS_SetCookieSecret
- mp_jacobi stack use reduced, thanks to Szabi Tolnai for providing a solution to reduce stack usage


This release of wolfSSL fixes 2 low level and 1 medium level security vulnerabilities.

Low level fix for a buffer overflow when loading a malformed temporary DH file. Thanks to Yueh-Hsun Lin and Peng Li from KNOX Security, Samsung Research America for the report.

Medium level fix for processing of OCSP responses. If using OCSP without hard faults enforced and no alternate revocation checks like OCSP stapling, then it is recommended to update.

Low level fix for a potential cache attack on RSA operations. If using wolfSSL RSA on a server that other users can access to monitor the cache, then it is recommended to update wolfSSL. Thanks to Andreas Zankl, Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the initial report.

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.10.0 (12/21/2016)

## Release 3.10.0 of wolfSSL has bug fixes and new features including:

- Added support for SHA224
- Added scrypt feature
- Build for Intel SGX use, added in directory IDE/WIN-SGX
- Fix for ChaCha20-Poly1305 ECDSA certificate type request
- Enhance PKCS#7 with ECC enveloped data and AES key wrap support
- Added support for RIOT OS
- Add support for parsing PKCS#12 files
- ECC performance increased with custom curves
- ARMv8 expanded to AArch32 and performance increased
- Added ANSI-X9.63-KDF support
- Port to STM32 F2/F4 CubeMX
- Port to Atmel ATECC508A board
- Removed fPIE by default when wolfSSL library is compiled
- Update to Python wrapper, dropping DES and adding wc_RSASetRNG
- Added support for NXP K82 hardware acceleration
- Added SCR client and server verify check
- Added a disable rng option with autoconf
- Added more test vectors to test.c with AES-CTR
- Updated DTLS session export version number
- Updated DTLS for 64 bit sequence numbers
- Fix for memory management with TI and WOLFSSL_SMALL_STACK
- Hardening RSA CRT to be constant time
- Fix uninitialized warning with IAR compiler
- Fix for C# wrapper example IO hang on unexpected connection termination


This release of wolfSSL fixes a low level security vulnerability. The vulnerability reported was a potential cache attack on RSA operations. If using wolfSSL RSA on a server that other users can have access to monitor the cache, then it is recommended to update wolfSSL. Thanks to Andreas Zankl, Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the report. More information will be available on our site:

https://wolfssl.com/wolfSSL/security/vulnerabilities.php

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.9.10 (9/23/2016)

## Release 3.9.10 of wolfSSL has bug fixes and new features including:

- Default configure option changes:
  1. DES3 disabled by default
  2. ECC Supported Curves Extension enabled by default
  3. New option Extended Master Secret enabled by default
- Added checking CA certificate path length, and new test certs
- Fix to DSA pre padding and sanity check on R/S values
- Added CTX level RNG for single-threaded builds
- Intel RDSEED enhancements
- ARMv8 hardware acceleration support for AES-CBC/CTR/GCM, SHA-256
- Arduino support updates
- Added the Extended Master Secret TLS extension
  1. Enabled by default in configure options, API to disable
  2. Added support for Extended Master Secret to sniffer
- OCSP fix with issuer key hash, lookup refactor
- Added support for Frosted OS
- Added support for DTLS over SCTP
- Added support for static memory with wolfCrypt
- Fix to ECC Custom Curve support
- Support for asynchronous wolfCrypt RSA and TLS client
- Added distribution build configure option
- Update the test certificates

This release of wolfSSL fixes medium level security vulnerabilities.  Fixes are
included for potential AES, RSA, and ECC side channel leaks that a local user
monitoring the same CPU core cache could exploit.  VM users, hyper-threading
users, and users where potential attackers have access to the CPU cache will
need to update if they utilize AES, RSA private keys, or ECC private keys.
Thanks to Gorka Irazoqui Apecechea and Xiaofei Guo from Intel Corporation for
the report.  More information will be available on our site:

https://wolfssl.com/wolfSSL/security/vulnerabilities.php

See INSTALL file for build instructions.
More info can be found on-line at https://wolfssl.com/wolfSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.9.8 (7/29/2016)

## Release 3.9.8 of wolfSSL has bug fixes and new features including:

- Add support for custom ECC curves.
- Add cipher suite ECDHE-ECDSA-AES128-CCM.
- Add compkey enable option. This option is for compressed ECC keys.
- Add in the option to use test.h without gettimeofday function using the macro
  WOLFSSL_USER_CURRTIME.
- Add RSA blinding for private key operations. Enabled with the harden option,
  which is on by default. This counters timing attacks.
- Add ECC and TLS support for all SECP, Koblitz and Brainpool curves.
- Add helper functions for static memory option to allow getting optimum buffer
  sizes.
- Update DTLS behavior on bad MAC. DTLS silently drops packets with bad MACs now.
- Update fp_isprime function from libtom enhancement/cleanup repository.
- Update sanity checks on inputs and return values for AES-CMAC.
- Update wolfSSL for use with MYSQL v5.6.30.
- Update LPCXpresso eclipse project to not include misc.c when not needed.
- Fix retransmit of last DTLS flight with timeout notification. The last flight
  is no longer retransmitted on timeout.
- Fixes to some code in math sections for compressed ECC keys. This includes
  edge cases for buffer size on allocation and adjustments for compressed curves
  build. The code and full list can be found on github with pull request #456.
- Fix function argument mismatch for build with secure renegotiation.
- X.509 bug fixes for reading in malformed certificates, reported by researchers
  at Columbia University
- Fix GCC version 6 warning about hard tabs in poly1305.c. This was a warning
  produced by GCC 6 trying to determine the intent of code.
- Fixes for the static memory option, including avoiding potential race
  conditions with counters and decrementing the handshake counter correctly.
- Fix anonymous cipher with Diffie Hellman on the server side. This was an issue
  of possible buffer corruption. For information and code see pull request #481.


- One high level security fix that requires an update for use with static RSA
  cipher suites was submitted. This fix was the addition of RSA blinding for
  private RSA operations. We recommend servers who allow static RSA cipher
  suites to also generate new private RSA keys. Static RSA cipher suites are
  turned off by default.

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html

# wolfSSL (Formerly CyaSSL) Release 3.9.6 (6/14/2016)

## Release 3.9.6 of wolfSSL has bug fixes and new features including:

- Add staticmemory feature
- Add public wc_GetTime API with base64encode feature
- Add AES CMAC algorithm
- Add DTLS sessionexport feature
- Add python wolfCrypt wrapper
- Add ECC encrypt/decrypt benchmarks
- Add dynamic session tickets
- Add eccshamir option
- Add Whitewood netRandom support --with-wnr
- Add embOS port
- Add minimum key size checks for RSA and ECC
- Add STARTTLS support to examples
- Add uTasker port
- Add asynchronous crypto and wolf event support
- Add compile check for misc.c with inline
- Add RNG benchmark
- Add reduction to stack usage with hash-based RNG
- Update STM32F2_CRYPTO port with additional algorithms supported
- Update MDK5 projects
- Update AES-NI
- Fix for STM32 with STM32F2_HASH defined
- Fix for building with MinGW
- Fix ECC math bugs with ALT_ECC_SIZE and key sizes over 256 bit (1)
- Fix certificate buffers github issue #422
- Fix decrypt max size with RSA OAEP
- Fix DTLS sanity check with DTLS timeout notification
- Fix free of WOLFSSL_METHOD on failure to create CTX
- Fix memory leak in failure case with wc_RsaFunction (2)

- No high level security fixes that require an update, though we always
  recommend updating to the latest
- (1) Code changes for ECC fix can be found at pull requests #411, #416, and #428
- (2) Builds using RSA with normal math and not RSA_LOW_MEM should update

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html

# wolfSSL (Formerly CyaSSL) Release 3.9.0 (03/18/2016)

## Release 3.9.0 of wolfSSL has bug fixes and new features including:

- Add new leantls configuration
- Add RSA OAEP padding at wolfCrypt level
- Add Arduino port and example client
- Add fixed point DH operation
- Add CUSTOM_RAND_GENERATE_SEED_OS and CUSTOM_RAND_GENERATE_BLOCK
- Add ECDHE-PSK cipher suites
- Add PSK ChaCha20-Poly1305 cipher suites
- Add option for fail on no peer cert except PSK suites
- Add port for Nordic nRF51
- Add additional ECC NIST test vectors for 256, 384 and 521
- Add more granular ECC, Ed25519/Curve25519 and AES configs
- Update to ChaCha20-Poly1305
- Update support for Freescale KSDK 1.3.0
- Update DER buffer handling code, refactoring and reducing memory
- Fix to AESNI 192 bit key expansion
- Fix to C# wrapper character encoding
- Fix sequence number issue with DTLS epoch 0 messages
- Fix RNGA with K64 build
- Fix ASN.1 X509 V3 certificate policy extension parsing
- Fix potential free of uninitialized RSA key in asn.c
- Fix potential underflow when using ECC build with FP_ECC
- Fixes for warnings in Visual Studio 2015 build

- No high level security fixes that require an update, though we always
  recommend updating to the latest
- FP_ECC is off by default; users with it enabled should update for the zero
  sized hash fix

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/yaSSL/Docs.html

# wolfSSL (Formerly CyaSSL) Release 3.8.0 (12/30/2015)

## Release 3.8.0 of wolfSSL has bug fixes and new features including:

- Example client/server with VxWorks
- AESNI use with AES-GCM
- Stunnel compatibility enhancements
- Single shot hash and signature/verify API added
- Update cavium nitrox port
- LPCXpresso IDE support added
- C# wrapper to support wolfSSL use by a C# program
- OCSP stapling added (BETA version)
- Update OpenSSH compatibility
- Improve DTLS handshake when retransmitting finished message
- Fix idea_mult() for 16 and 32bit systems
- Fix LowResTimer on Microchip ports

- No high level security fixes that require an update, though we always
  recommend updating to the latest

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/yaSSL/Docs.html

# wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015)

## Release 3.7.0 of wolfSSL has bug fixes and new features including:

- ALPN extension support added for HTTP2 connections with --enable-alpn
- Change of example/client/client max fragment flag -L -> -F
- Throughput benchmarking, added scripts/benchmark.test
- Sniffer API ssl_FreeDecodeBuffer added
- Addition of AES_GCM to Sniffer
- Sniffer change to handle unlimited decrypt buffer size
- New option for the sniffer where it will try to pick up decoding after a
  sequence number acknowledgement fault. Also includes some additional stats.
- JNI API setter and getter function for jobject added
- User RSA crypto plugin abstraction. An example placed in wolfcrypt/user-crypto
- Fix to asn configuration bug
- AES-GCM/CCM fixes.
- Port for Rowley added
- Rowley Crossworks bare metal examples added
- MDK5-ARM project update
- FreeRTOS support updates.
- VxWorks support updates.
- Added the IDEA cipher and support in wolfSSL.
- Update wolfSSL website CA.
- CFLAGS is usable when configuring source.

- No high level security fixes that require an update, though we always
  recommend updating to the latest

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/yaSSL/Docs.html

# wolfSSL (Formerly CyaSSL) Release 3.6.8 (09/17/2015)

## Release 3.6.8 of wolfSSL fixes two high severity vulnerabilities. It also includes bug fixes and new features including:

- Two High level security fixes, all users SHOULD update.
  a) If using wolfSSL for DTLS on the server side of a publicly accessible
     machine you MUST update.
  b) If using wolfSSL for TLS on the server side with private RSA keys allowing
     ephemeral key exchange without low memory optimizations you MUST update and
     regenerate the private RSA keys.

     Please see https://www.wolfssl.com/wolfSSL/Blog/Blog.html for more details

- No filesystem build fixes for various configurations
- Certificate generation now supports several extensions including KeyUsage,
  SKID, AKID, and Certificate Policies
- CRLs can be loaded from buffers as well as files now
- SHA-512 Certificate Signing generation
- Fixes for sniffer reassembly processing

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/yaSSL/Docs.html

# wolfSSL (Formerly CyaSSL) Release 3.6.6 (08/20/2015)

## Release 3.6.6 of wolfSSL has bug fixes and new features including:

- OpenSSH  compatibility with --enable-openssh
- stunnel  compatibility with --enable-stunnel
- lighttpd compatibility with --enable-lighty
- SSLv3 is now disabled by default, can be enabled with --enable-sslv3
- Ephemeral key cipher suites only are now supported by default
    To enable static ECDH cipher suites define WOLFSSL_STATIC_DH
    To enable static  RSA cipher suites define WOLFSSL_STATIC_RSA
    To enable static  PSK cipher suites define WOLFSSL_STATIC_PSK
- Added QSH (quantum-safe handshake) extension with --enable-ntru
- SRP is now part of wolfCrypt, enable with --enable-srp
- Certificate handshake messages can now be sent fragmented if the record
  size is smaller than the total message size, no user action required.
- DTLS duplicate message fixes
- Visual Studio project files now support DLL and static builds for 32/64bit.
- Support for new Freescale I/O
- FreeRTOS FIPS support

- No high level security fixes that require an update, though we always
  recommend updating to the latest

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/yaSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.6.0 (06/19/2015)

## Release 3.6.0 of wolfSSL has bug fixes and new features including:

- Max Strength build that only allows TLSv1.2, AEAD ciphers, and PFS (Perfect
   Forward Secrecy).  With --enable-maxstrength
- Server side session ticket support; the example server and echoserver use the
   example callback myTicketEncCb(), see wolfSSL_CTX_set_TicketEncCb()
- FIPS version submitted for iOS.
- TI Crypto Hardware Acceleration
- DTLS fragmentation fixes
- ECC key check validation with wc_ecc_check_key()
- 32bit code options to reduce memory for Curve25519 and Ed25519
- wolfSSL JNI build switch with --enable-jni
- PicoTCP support improvements
- DH min ephemeral key size enforcement with wolfSSL_CTX_SetMinDhKey_Sz()
- KEEP_PEER_CERT and AltNames can now be used together
- ChaCha20 big endian fix
- SHA-512 signature algorithm support for key exchange and verify messages
- ECC make key crash fix on RNG failure, ECC users must update.
- Improvements to usage of time code.
- Improvements to VS solution files.
- GNU Binutils 2.24 ld has problems with some debug builds; to fix an ld error
  add -fdebug-types-section to C_EXTRA_FLAGS

- No high level security fixes that require an update, though we always
  recommend updating to the latest (except note 14, ecc RNG failure)

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/yaSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.4.8 (04/06/2015)

## Release 3.4.8 of wolfSSL has bug fixes and new features including:

- FIPS version submitted for iOS.
- Max Strength build that only allows TLSv1.2, AEAD ciphers, and PFS.
- Improvements to usage of time code.
- Improvements to VS solution files.

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/yaSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.4.6 (03/30/2015)

## Release 3.4.6 of wolfSSL has bug fixes and new features including:

- Intel Assembly Speedups using instructions rdrand, rdseed, aesni, avx1/2,
  rorx, mulx, adox, adcx.  They can be enabled with --enable-intelasm.
  These speed up the use of RNG, SHA2, and public key algorithms.
- Ed25519 support at the crypto level. Turn on with --enable-ed25519.  Examples
  in wolfcrypt/test/test.c ed25519_test().
- Post Handshake Memory reductions.  wolfSSL can now hold less than 1,000 bytes
  of memory per secure connection including cipher state.
- wolfSSL API and wolfCrypt API fixes; you can still include the cyassl and
  ctaocrypt headers which will enable the compatibility APIs for the
  foreseeable future
- INSTALL file to help direct users to build instructions for their environment
- For ECC users with the normal math library a fix that prevents a crash when
  verify signature fails.  Users of 3.4.0 with ECC and the normal math library
  must update
- RC4 is now disabled by default in autoconf mode
- AES-GCM and ChaCha20/Poly1305 are now enabled by default to make AEAD ciphers
  available without a switch
- External ChaCha-Poly AEAD API, thanks to Andrew Burks for the contribution
- DHE-PSK cipher suites can now be built without ASN or Cert support
- Fix some NO MD5 build issues with optional features
- Freescale CodeWarrior project updates
- ECC curves can be individually turned on/off at build time.
- Sniffer handles Cert Status message and other minor fixes
- SetMinVersion() at the wolfSSL Context level instead of just SSL session level
  to allow minimum protocol version allowed at runtime
- RNG failure resource cleanup fix

- No high level security fixes that require an update, though we always
  recommend updating to the latest (except note 6 use case of ecc/normal math)

See INSTALL file for build instructions.
More info can be found on-line at http://wolfssl.com/yaSSL/Docs.html


# wolfSSL (Formerly CyaSSL) Release 3.4.0 (02/23/2015)

## Release 3.4.0 wolfSSL has bug fixes and new features including:

- wolfSSL API and wolfCrypt API; you can still include the cyassl and ctaocrypt
  headers which will enable the compatibility APIs for the foreseeable future
- Example use of the wolfCrypt API can be found in wolfcrypt/test/test.c
- Example use of the wolfSSL API can be found in examples/client/client.c
- Curve25519 now supported at the wolfCrypt level, wolfSSL layer coming soon
- Improvements in the build configuration under AIX
- Microchip Pic32 MZ updates
- TIRTOS updates
- PowerPC updates
- Xcode project update
- Bidirectional shutdown examples in client/server with -w (wait for full
  shutdown) option
- Cycle counts on benchmarks for x86_64, more coming soon
- ALT_ECC_SIZE for reducing ecc heap use with fastmath when also using large RSA
  keys
- Various compile warnings
- Scan-build warning fixes
- Changed a memcpy to memmove in the sniffer (if using sniffer please update)
- No high level security fixes that require an update, though we always
  recommend updating to the latest


# CyaSSL Release 3.3.0 (12/05/2014)

- Countermeasures for Handshake message duplicates, CHANGE CIPHER without
  FINISHED, and fast forward attempts.  Thanks to Karthikeyan Bhargavan from
  the Prosecco team at INRIA Paris-Rocquencourt for the report.
- FIPS version submitted
- Removes SSLv2 Client Hello processing, can be enabled with OLD_HELLO_ALLOWED
- User can set minimum downgrade version with CyaSSL_SetMinVersion()
- Small stack improvements at TLS/SSL layer
- TLS Master Secret generation and Key Expansion are now exposed
- Adds client side Secure Renegotiation, * not recommended *
- Client side session ticket support, not fully tested with Secure Renegotiation
- Allows up to 4096bit DHE at TLS Key Exchange layer
- Handles non standard SessionID sizes in Hello Messages
- PicoTCP Support
- Sniffer now supports SNI Virtual Hosts
- Sniffer now handles non HTTPS protocols using STARTTLS
- Sniffer can now parse records with multiple messages
- TI-RTOS updates
- Fix for ColdFire optimized fp_digit read only in explicit 32bit case
- ADH Cipher Suite ADH-AES128-SHA for EAP-FAST

The CyaSSL manual is available at:
http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 3.2.0 (09/10/2014)

#### Release 3.2.0 CyaSSL has bug fixes and new features including:

- ChaCha20 and Poly1305 crypto and suites
- Small stack improvements for OCSP, CRL, TLS, DTLS
- NTRU Encrypt and Decrypt benchmarks
- Updated Visual Studio project files
- Updated Keil MDK5 project files
- Fix for DTLS sequence numbers with GCM/CCM
- Updated HashDRBG with more secure struct declaration
- TI-RTOS support and example Code Composer Studio project files
- Ability to get enabled cipher suites, CyaSSL_get_ciphers()
- AES-GCM/CCM/Direct support for Freescale mmCAU and CAU
- Sniffer improvement checking for decrypt key setup
- Support for raw ECC key import
- Ability to convert ecc_key to DER, EccKeyToDer()
- Security fix for RSA Padding check vulnerability reported by Intel Security
  Advanced Threat Research team

The CyaSSL manual is available at:
http://www.wolfssl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 3.1.0 (07/14/2014)

#### Release 3.1.0 CyaSSL has bug fixes and new features including:

- Fix for older versions of icc without 128-bit type
- Intel ASM syntax for AES-NI
- Updated NTRU support, keygen benchmark
- FIPS check for minimum required HMAC key length
- Small stack (--enable-smallstack) improvements for PKCS#7, ASN
- TLS extension support for DTLS
- Default I/O callbacks external to user
- Updated example client with bad clock test
- Ability to set optional ECC context info
- Ability to enable/disable DH separate from opensslextra
- Additional test key/cert buffers for CA and server
- Updated example certificates

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 3.0.2 (05/30/2014)

#### Release 3.0.2 CyaSSL has bug fixes and new features including:

- Added the following cipher suites:
  * TLS_PSK_WITH_AES_128_GCM_SHA256
  * TLS_PSK_WITH_AES_256_GCM_SHA384
  * TLS_PSK_WITH_AES_256_CBC_SHA384
  * TLS_PSK_WITH_NULL_SHA384
  * TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
  * TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
  * TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
  * TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
  * TLS_DHE_PSK_WITH_NULL_SHA256
  * TLS_DHE_PSK_WITH_NULL_SHA384
  * TLS_DHE_PSK_WITH_AES_128_CCM
  * TLS_DHE_PSK_WITH_AES_256_CCM
- Added AES-NI support for Microsoft Visual Studio builds.
- Changed small stack build to be disabled by default.
- Updated the Hash DRBG and provided a configure option to enable.

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 3.0.0 (04/29/2014)

#### Release 3.0.0 CyaSSL has bug fixes and new features including:

- FIPS release candidate
- X.509 improvements that address items reported by Suman Jana with security
  researchers at UT Austin and UC Davis
- Small stack size improvements, --enable-smallstack. Offloads large local
  variables to the heap. (Note this is not complete.)
- Updated AES-CCM-8 cipher suites to use approved suite numbers.

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.9.4 (04/09/2014)

#### Release 2.9.4 CyaSSL has bug fixes and new features including:

- Security fixes that address items reported by Ivan Fratric of the Google
  Security Team
- X.509 Unknown critical extensions treated as errors, reported by Suman Jana
  with security researchers at UT Austin and UC Davis
- Sniffer fixes for corrupted packet length and Jumbo frames
- ARM thumb mode assembly fixes
- Xcode 5.1 support including new clang
- PIC32 MZ hardware support
- CyaSSL Object has enough room to read the Record Header now w/o allocs
- FIPS wrappers for AES, 3DES, SHA1, SHA256, SHA384, HMAC, and RSA.
- A sample I/O pool is demonstrated with --enable-iopool to take over memory
  handling and reduce memory fragmentation on large I/O sizes

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.9.0 (02/07/2014)

#### Release 2.9.0 CyaSSL has bug fixes and new features including:
- Freescale Kinetis RNGB support
- Freescale Kinetis mmCAU support
- TLS Hello extensions
  - ECC
  - Secure Renegotiation (null)
  - Truncated HMAC
- SCEP support
  - PKCS #7 Enveloped data and signed data
  - PKCS #10 Certificate Signing Request generation
- DTLS sliding window
- OCSP Improvements
  - API change to integrate into Certificate Manager
  - IPv4/IPv6 agnostic
  - example client/server support for OCSP
  - OCSP nonces are optional
- GMAC hashing
- Windows build additions
- Windows CYGWIN build fixes
- Updated test certificates
- Microchip MPLAB Harmony support
- Update autoconf scripts
- Additional X.509 inspection functions
- ECC encrypt/decrypt primitives
- ECC Certificate generation

The Freescale Kinetis K53 RNGB documentation can be found in Chapter 33 of the
K53 Sub-Family Reference Manual:
http://cache.freescale.com/files/32bit/doc/ref_manual/K53P144M100SF2RM.pdf

Freescale Kinetis K60 mmCAU (AES, DES, 3DES, MD5, SHA, SHA256) documentation
can be found in the "ColdFire/ColdFire+ CAU and Kinetis mmCAU Software Library
User Guide":
http://cache.freescale.com/files/32bit/doc/user_guide/CAUAPIUG.pdf


# CyaSSL Release 2.8.0 (8/30/2013)

#### Release 2.8.0 CyaSSL has bug fixes and new features including:
- AES-GCM and AES-CCM use AES-NI
- NetX default IO callback handlers
- IPv6 fixes for DTLS Hello Cookies
- The ability to unload Certs/Keys after the handshake, CyaSSL_UnloadCertsKeys()
- SEP certificate extensions
- Callback getters for easier resource freeing
- External CYASSL_MAX_ERROR_SZ for correct error buffer sizing
- MacEncrypt and DecryptVerify Callbacks for User Atomic Record Layer Processing
- Public Key Callbacks for ECC and RSA
- Client now sends a blank cert upon request if it doesn't have one with TLS <= 1.2


The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.7.0 (6/17/2013)

#### Release 2.7.0 CyaSSL has bug fixes and new features including:
- SNI support for client and server
- KEIL MDK-ARM projects
- Wildcard check to domain name match, and Subject altnames are checked too
- Better error messages for certificate verification errors
- Ability to discard session during handshake verify
- More consistent error returns across all APIs
- Ability to unload CAs at the CTX or CertManager level
- Authority subject id support for Certificate matching
- Persistent session cache functionality
- Persistent CA cache functionality
- Client session table lookups to push serverID table to library level
- Camellia support to sniffer
- User controllable settings for DTLS timeout values
- Sniffer fixes for caching long lived sessions
- DTLS reliability enhancements for the handshake
- Better ThreadX support

When compiling with MinGW, libtool may give the following warning due to
path conversion errors:

```
libtool: link: Could not determine host file name corresponding to **
libtool: link: Continuing, but uninstalled executables may not work.
```

If so, the examples and testsuite will have problems when run, showing an
error while loading shared libraries. To resolve, please run "make install".

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.6.0 (04/15/2013)

#### Release 2.6.0 CyaSSL has bug fixes and new features including:
- DTLS 1.2 support including AEAD ciphers
- SHA-3 finalist Blake2 support; it's fast and uses little resources
- SHA-384 cipher suites including ECC ones
- HMAC now supports SHA-512
- Track memory use for example client/server with -t option
- Better IPv6 examples with --enable-ipv6. Before, if IPv6 examples/tests were
  turned on, only localhost was used.  Now link-local (with scope ids) and IPv6
  hosts can be used as well.
- Xcode v4.6 project for iOS v6.1 update
- settings.h is now checked in all *.c files for true one file setting detection
- Better alignment at SSL layer for hardware crypto alignment needs
    * Note, SSL itself isn't friendly to alignment with 5 byte TLS headers and
      13 byte DTLS headers, but every effort is now made to align with the
      CYASSL_GENERAL_ALIGNMENT flag which sets the desired alignment requirement
- NO_64BIT flag to turn off 64-bit data type accumulators in public key code
    * Note, some systems are faster with 32-bit accumulators
- --enable-stacksize for example client/server stack use
    * Note, modern desktop Operating Systems may add bytes to each stack frame
- Updated compression/decompression with direct crypto access
- All ./configure options are now lowercase only for consistency
- ./configure builds default to fastmath option
    * Note, if on ia32 and building in shared mode this may produce a problem
      with a missing register being available because of PIC; there are at least
      6 solutions to this:
      1) --disable-fastmath, don't use fastmath
      2) --disable-shared, don't build a shared library
      3) C_EXTRA_FLAGS=-DTFM_NO_ASM, turn off assembly use
      4) use clang, it just seems to work
      5) play around with no PIC options to force all registers being open,
         e.g., --without-pic
      6) if static lib is still a problem try removing fPIE
- Many new ./configure switches for option enable/disable, for example
    * rsa
    * dh
    * dsa
    * md5
    * sha
    * arc4
    * null    (allow NULL ciphers)
    * oldtls  (only use TLS 1.2)
    * asn     (no certs or public keys allowed)
- ./configure generates cyassl/options.h, a header the user can
  include in their app to make sure the same options are set at the app and
  CyaSSL level.
- autoconf no longer needs serial-tests, which lowers version requirements of
  automake to 1.11 and autoconf to 2.63

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.5.0 (02/04/2013)

#### Release 2.5.0 CyaSSL has bug fixes and new features including:
- Fix for TLS CBC padding timing attack identified by Nadhem Alfardan and
  Kenny Paterson: http://www.isg.rhul.ac.uk/tls/
- Microchip PIC32 (MIPS16, MIPS32) support
- Microchip MPLAB X example projects for PIC32 Ethernet Starter Kit
- Updated CTaoCrypt benchmark app for embedded systems
- 1024-bit test certs/keys and cert/key buffers
- AES-CCM-8 crypto and cipher suites
- Camellia crypto and cipher suites
- Bumped minimum autoconf version to 2.65, automake version to 1.12
- Addition of OCSP callbacks
- STM32F2 support with hardware crypto and RNG
- Cavium NITROX support

CTaoCrypt now has support for the Microchip PIC32 and has been tested with
the Microchip PIC32 Ethernet Starter Kit, the XC32 compiler and
MPLAB X IDE in both MIPS16 and MIPS32 instruction set modes. See the README
located under the <cyassl_root>/mplabx directory for more details.

To add Cavium NITROX support do:

```
./configure --with-cavium=/home/user/cavium/software
```

pointing to your licensed cavium/software directory.  Since Cavium doesn't
build a library, we pull in the cavium_common.o file, which gives a libtool
warning about the portability of this.  Also, if you're using the github source
tree you'll need to remove the -Wredundant-decls warning from the generated
Makefile because the cavium headers don't conform to this warning.  Currently
CyaSSL supports Cavium RNG, AES, 3DES, RC4, HMAC, and RSA directly at the crypto
layer.  Support at the SSL level is partial and currently just does AES, 3DES,
and RC4.  RSA and HMAC are slower until the Cavium calls can be utilized in non
blocking mode.  The example client turns on cavium support as does the crypto
test and benchmark.  Please see the HAVE_CAVIUM define.

CyaSSL is able to use the STM32F2 hardware-based cryptography and random number
generator through the STM32F2 Standard Peripheral Library. For necessary
defines, see the CYASSL_STM32F2 define in settings.h. Documentation for the
STM32F2 Standard Peripheral Library can be found in the following document:
http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/USER_MANUAL/DM00023896.pdf

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.4.6 (12/20/2012)

#### Release 2.4.6 CyaSSL has bug fixes and a few new features including:
- ECC into main version
- Lean PSK build (reduced code size, RAM usage, and stack usage)
- FreeBSD CRL monitor support
- CyaSSL_peek()
- CyaSSL_send() and CyaSSL_recv() for I/O flag setting
- CodeWarrior Support
- MQX Support
- Freescale Kinetis support including Hardware RNG
- autoconf builds use jobserver
- cyassl-config
- Sniffer memory reductions

Thanks to Brian Aker for the improved autoconf system, make rpm, cyassl-config,
warning system, and general good ideas for improving CyaSSL!

The Freescale Kinetis K70 RNGA documentation can be found in Chapter 37 of the
K70 Sub-Family Reference Manual:
http://cache.freescale.com/files/microcontrollers/doc/ref_manual/K70P256M150SF3RM.pdf

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.4.0 (10/10/2012)

#### Release 2.4.0 CyaSSL has bug fixes and a few new features including:
- DTLS reliability
- Reduced memory usage after handshake
- Updated build process

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.3.0 (8/10/2012)

#### Release 2.3.0 CyaSSL has bug fixes and a few new features including:
- AES-GCM crypto and cipher suites
- make test cipher suite checks
- Subject AltName processing
- Command line support for client/server examples
- Sniffer SessionTicket support
- SHA-384 cipher suites
- Verify cipher suite validity when user overrides
- CRL dir monitoring
- DTLS Cookie support, reliability coming soon

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.2.0 (5/18/2012)

#### Release 2.2.0 CyaSSL has bug fixes and a few new features including:
- Initial CRL support (--enable-crl)
- Initial OCSP support (--enable-ocsp)
- Add static ECDH suites
- SHA-384 support
- ECC client certificate support
- Add medium session cache size (1055 sessions)
- Updated unit tests
- Protection against mutex reinitialization

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.0.8 (2/24/2012)

#### Release 2.0.8 CyaSSL has bug fixes and a few new features including:
- A fix for malicious certificates, pointed out by Remi Gacogne (thanks),
  that resulted in NULL pointer use.
- Respond to renegotiation attempt with no_renegotiation alert
- Add basic path support for load_verify_locations()
- Add ability to set the temporary EC-DHE key size
- Extra checks on rsa test when porting into

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.0.6 (1/27/2012)

#### Release 2.0.6 CyaSSL has bug fixes and a few new features including:
- Fixes for CA basic constraints check
- CTX reference counting
- Initial unit test additions
- Lean and Mean Windows fix
- ECC benchmarking
- SSMTP build support
- Ability to group handshake messages with set_group_messages(ctx/ssl)
- CA cache addition callback
- Export Base64_Encode for general use

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.0.2 (12/05/2011)

#### Release 2.0.2 CyaSSL has bug fixes and a few new features including:
- CTaoCrypt Runtime library detection settings when directly using the crypto
  library
- Default certificate generation now uses SHAwRSA and adds SHA256wRSA generation
- All test certificates now use 2048-bit keys and SHA-1 for better modern
  browser support
- Direct AES block access and AES-CTR (counter) mode
- Microchip PIC32 support

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.


# CyaSSL Release 2.0.0rc3 (9/28/2011)

#### Release 2.0.0rc3 for CyaSSL has bug fixes and a few new features including:
- updated autoconf support
- better make install and uninstall (uses system directories)
- make test / make check
- CyaSSL headers now in <cyassl/*.h>
- CTaoCrypt headers now in <cyassl/ctaocrypt/*.h>
- OpenSSL compatibility headers now in <cyassl/openssl/*.h>
- examples and tests all run from the home directory so they can use certs in
  ./certs (see note 1)

So previous applications that used the OpenSSL compatibility header
<openssl/ssl.h> now need to include <cyassl/openssl/ssl.h> instead; no other
changes are required.

Special Thanks to Brian Aker for his autoconf, install, and header patches.

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.

# CyaSSL Release 2.0.0rc2 (6/6/2011)

#### Release 2.0.0rc2 for CyaSSL has bug fixes and a few new features including:
- bug fixes (Alerts, DTLS with DHE)
- FreeRTOS support
- lwIP support
- Wshadow warnings removed
- asn public header
- CTaoCrypt public headers now all have ctc_ prefix (the manual is still being
  updated to reflect this change)
- and more.

This is the second and perhaps final release candidate for version 2.
Please send any comments or questions to support@yassl.com.

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.

# CyaSSL Release 2.0.0rc1 (5/2/2011)

#### Release 2.0.0rc1 for CyaSSL has many new features including:
- bug fixes
- SHA-256 cipher suites
- Root Certificate Verification (instead of needing all certs in the chain)
- PKCS #8 private key encryption (supports PKCS #5 v1-v2 and PKCS #12)
- Serial number retrieval for x509
- PBKDF2 and PKCS #12 PBKDF
- UID parsing for x509
- SHA-256 certificate signatures
- Client and server can send chains (SSL_CTX_use_certificate_chain_file)
- CA loading can now parse multiple certificates per file
- Dynamic memory runtime hooks
- Runtime hooks for logging
- EDH on server side
- More informative error codes
- More informative logging messages
- Version downgrade more robust (use SSL_v23*)
- Shared build only by default through ./configure
- Compiler visibility is now used, internal functions not polluting namespace
- Single Makefile, no recursion, for faster and simpler building
- Turn on all warnings possible build option, warning fixes
- and more.

Because of all the new features and the multiple OS, compiler, and feature-set
options that CyaSSL allows, there may be some configuration fixes needed.
Please send any comments or questions to support@yassl.com.

The CyaSSL manual is available at:
http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
and comments about the new features please check the manual.

# CyaSSL Release 1.9.0 (3/2/2011)

Release 1.9.0 for CyaSSL adds bug fixes, improved TLSv1.2 through testing and
better hash/sig algo ids, --enable-webServer for the yaSSL embedded web server,
improper AES key setup detection, user cert verify callback improvements, and
more.

The CyaSSL manual offering is included in the doc/ directory.  For build
instructions and comments about the new features please check the manual.

Please send any comments or questions to support@yassl.com.

# CyaSSL Release 1.8.0 (12/23/2010)

Release 1.8.0 for CyaSSL adds bug fixes, x509 v3 CA signed certificate
generation, a C standard library abstraction layer, lower memory use, increased
portability through the os_settings.h file, and the ability to use NTRU cipher
suites when used in conjunction with an NTRU license and library.

The initial CyaSSL manual offering is included in the doc/ directory.  For
build instructions and comments about the new features please check the manual.

Please send any comments or questions to support@yassl.com.

Happy Holidays.


# CyaSSL Release 1.6.5 (9/9/2010)

Release 1.6.5 for CyaSSL adds bug fixes and x509 v3 self signed certificate
generation.

For general build instructions see doc/Building_CyaSSL.pdf.

To enable certificate generation support add this option to ./configure:

`./configure --enable-certgen`

An example is included in ctaocrypt/test/test.c and documentation is provided
in doc/CyaSSL_Extensions_Reference.pdf item 11.

# CyaSSL Release 1.6.0 (8/27/2010)

Release 1.6.0 for CyaSSL adds bug fixes, RIPEMD-160, SHA-512, and RSA key
generation.

For general build instructions see doc/Building_CyaSSL.pdf.

To add RIPEMD-160 support add this option to ./configure:

`./configure --enable-ripemd`

To add SHA-512 support add this option to ./configure:

`./configure --enable-sha512`

To add RSA key generation support add this option to ./configure:

`./configure --enable-keygen`

Please see ctaocrypt/test/test.c for examples and usage.

For Windows, RIPEMD-160 and SHA-512 are enabled by default but key generation is
off by default.  To turn key generation on, add the define CYASSL_KEY_GEN to
CyaSSL.


# CyaSSL Release 1.5.6 (7/28/2010)

Release 1.5.6 for CyaSSL adds bug fixes, compatibility for our JSSE provider,
and a fix for GCC builds on some systems.

For general build instructions see doc/Building_CyaSSL.pdf.

To add AES-NI support add this option to ./configure:

`./configure --enable-aesni`

You'll need GCC 4.4.3 or later to make use of the assembly.

# CyaSSL Release 1.5.4 (7/7/2010)

Release 1.5.4 for CyaSSL adds bug fixes, support for AES-NI, SHA1 speed
improvements from loop unrolling, and support for the Mongoose Web Server.

For general build instructions see doc/Building_CyaSSL.pdf.

To add AES-NI support add this option to ./configure:

`./configure --enable-aesni`

You'll need GCC 4.4.3 or later to make use of the assembly.

# CyaSSL Release 1.5.0 (5/11/2010)

Release 1.5.0 for CyaSSL adds bug fixes, GoAhead WebServer support, sniffer
support, and initial swig interface support.

For general build instructions see doc/Building_CyaSSL.pdf.

To add support for GoAhead WebServer, either pass --enable-opensslExtra or, if
you don't want all the features of opensslExtra, just define GOAHEAD_WS
instead.  GOAHEAD_WS can be added to ./configure with CFLAGS=-DGOAHEAD_WS or
you can define it yourself.

To look at the sniffer support please see the sniffertest app in
sslSniffer/sslSnifferTest.  Build with --enable-sniffer on *nix or use the
vcproj files on Windows.  You'll need to have pcap installed on *nix and
WinPcap on Windows.

A swig interface file is now located in the swig directory for using Python,
Java, Perl, and others with CyaSSL.  This is initial support and experimental;
please send questions or comments to support@yassl.com.

When doing load testing with CyaSSL, on the echoserver example say, the client
machine may run out of TCP ephemeral ports: they end up in the TIME_WAIT
queue and can't be reused by default.  There are generally two ways to fix
this.

1. Reduce the length sockets remain on the TIME_WAIT queue OR
2. Allow items on the TIME_WAIT queue to be reused.

To reduce the TIME_WAIT length in OS X to 3 seconds (3000 milliseconds):

`sudo sysctl -w net.inet.tcp.msl=3000`

In Linux:

`sudo sysctl -w net.ipv4.tcp_tw_reuse=1`

allows reuse of sockets in TIME_WAIT

`sudo sysctl -w net.ipv4.tcp_tw_recycle=1`

works but seems to remove sockets from TIME_WAIT entirely?

`sudo sysctl -w net.ipv4.tcp_fin_timeout=1`

doesn't control TIME_WAIT, it controls FIN_WAIT(2) contrary to some posts


# CyaSSL Release 1.4.0 (2/18/2010)

Release 1.3.0 for CyaSSL adds bug fixes, better multi TLS/SSL version support
through SSLv23_server_method(), and improved documentation in the doc/ folder.

For general build instructions see doc/Building_CyaSSL.pdf.

# CyaSSL Release 1.3.0 (1/21/2010)

Release 1.3.0 for CyaSSL adds bug fixes, a potential security problem fix,
better porting support, removal of assert()s, and a complete THREADX port.

For general build instructions see rc1 below.

# CyaSSL Release 1.2.0 (11/2/2009)

Release 1.2.0 for CyaSSL adds bug fixes and session negotiation if first use is
read or write.

For general build instructions see rc1 below.

# CyaSSL Release 1.1.0 (9/2/2009)

Release 1.1.0 for CyaSSL adds bug fixes, a check against malicious session
cache use, support for lighttpd, and TLS 1.2.

To get TLS 1.2 support please use the client and server functions:

```c
SSL_METHOD *TLSv1_2_server_method(void);
SSL_METHOD *TLSv1_2_client_method(void);
```

CyaSSL was tested against lighttpd 1.4.23.  To build CyaSSL for use with
lighttpd use the following commands from the CyaSSL install dir <CyaSSLDir>:

```
./configure --disable-shared --enable-opensslExtra --enable-fastmath --without-zlib

make
make openssl-links
```

Then to build lighttpd with CyaSSL use the following commands from the
lighttpd install dir:

```
./configure --with-openssl --with-openssl-includes=<CyaSSLDir>/include --with-openssl-libs=<CyaSSLDir>/lib LDFLAGS=-lm

make
```

On some systems you may get a linker error about a duplicate symbol for
MD5_Init or other MD5 calls.  This seems to be caused by the lighttpd src file
md5.c, which defines MD5_Init() and is included in liblightcomp_la-md5.o.
When liblightcomp is linked with the SSL_LIBs the linker may complain about
the duplicate symbol.  This can be fixed by editing the lighttpd src file md5.c
and adding this line to the beginning of the file:

`#if 0`

and this line to the end of the file:

`#endif`

Then from the lighttpd src dir do a:

```
make clean
make
```

If you get link errors about undefined symbols, more than likely the actual
OpenSSL libraries are found by the linker before the CyaSSL openssl-links that
point to the CyaSSL library, causing the linker confusion.  This can be fixed
by editing the Makefile in the lighttpd src directory and changing the line:

`SSL_LIB = -lssl -lcrypto`

to

`SSL_LIB = -lcyassl`

Then from the lighttpd src dir do a:

```
make clean
make
```

This should remove any confusion the linker may be having with missing symbols.

For any questions or concerns please contact support@yassl.com.

For general build instructions see rc1 below.

# CyaSSL Release 1.0.6 (8/03/2009)

Release 1.0.6 for CyaSSL adds bug fixes, an improved session cache, and faster
math with a huge code option.

The session cache now defaults to a client mode, also good for embedded servers.
For servers not under heavy load (less than 200 new sessions per minute), define
BIG_SESSION_CACHE.  If the server will be under heavy load, define
HUGE_SESSION_CACHE.

There is now a fasthugemath option for configure.  This enables fastmath plus
even faster math by greatly increasing the code size of the math library. Use
the benchmark utility to compare public key operations.

For general build instructions see rc1 below.

# CyaSSL Release 1.0.3 (5/10/2009)

Release 1.0.3 for CyaSSL adds bug fixes and increased support for OpenSSL
compatibility when building other applications.

Release 1.0.3 includes an alpha release of DTLS for both client and servers.
This is only for testing purposes at this time.  Rebroadcast and reordering
aren't fully implemented at this time but will be for the next release.

For general build instructions see rc1 below.

# CyaSSL Release 1.0.2 (4/3/2009)

Release 1.0.2 for CyaSSL adds bug fixes for a couple of I/O issues.  Some
systems will send a SIGPIPE on socket recv() at any time, and this should be
handled by the application by turning off SIGPIPE through setsockopt() or
returning from the handler.

Release 1.0.2 includes an alpha release of DTLS for both client and servers.
This is only for testing purposes at this time.  Rebroadcast and reordering
aren't fully implemented at this time but will be for the next release.

For general build instructions see rc1 below.
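
The SIGPIPE handling described for release 1.0.2, as an added example that is not CyaSSL's own code: it shows both mitigations the note names, ignoring the signal process-wide so that a write to a departed peer comes back as -1/EPIPE, and suppressing it per send (MSG_NOSIGNAL on Linux, the SO_NOSIGPIPE socket option on BSD/macOS) for code that must not touch the host application's signal dispositions. The socket pair with one end closed is constructed here to stand in for a TLS peer that has gone away.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Mitigation 1: ignore SIGPIPE process-wide, once at startup before any SSL
 * I/O.  The default action of SIGPIPE terminates the process; once ignored,
 * a write to a dead peer instead returns -1 with errno == EPIPE. */
void ignore_sigpipe(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_IGN;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGPIPE, &sa, NULL);
}

/* Mitigation 2: suppress the signal per socket / per call, for a library that
 * must leave the application's signal dispositions alone.  MSG_NOSIGNAL is the
 * Linux flag; SO_NOSIGPIPE is the BSD/macOS socket option.  Returns whatever
 * send() returns, so a dead peer shows up as -1 with errno == EPIPE. */
ssize_t send_nosigpipe(int fd, const void *buf, size_t len)
{
#if defined(MSG_NOSIGNAL)
    return send(fd, buf, len, MSG_NOSIGNAL);
#else
#if defined(SO_NOSIGPIPE)
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_NOSIGPIPE, &one, sizeof one);
#endif
    return send(fd, buf, len, 0);
#endif
}

/* Demonstration on a constructed AF_UNIX socket pair: the peer end is closed
 * before the send, so the write must fail.  Returns 1 when the failure came
 * back as EPIPE, which is what the application should then handle (tear down
 * the SSL object and the socket); 0 otherwise.  Without the mitigations this
 * call would kill the process instead of returning. */
int demo_dead_peer_returns_epipe(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    close(sv[1]);                          /* the peer goes away */
    ignore_sigpipe();
    ssize_t n = send_nosigpipe(sv[0], "x", 1);
    int got_epipe = (n == -1 && errno == EPIPE);
    close(sv[0]);
    return got_epipe;
}

int main(void)
{
    printf("dead peer reported as EPIPE: %s\n",
           demo_dead_peer_returns_epipe() ? "yes" : "no");
    return 0;
}
```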

## CyaSSL Release Candidate 3 rc3-1.0.0 (2/25/2009)

Release Candidate 3 for CyaSSL 1.0.0 adds bug fixes and a project file for
iPhone development with Xcode.  cyassl-iphone.xcodeproj is located in the root
directory.  This release also includes a fix for supporting other
implementations that bundle multiple messages at the record layer; this was
lost when the CyaSSL I/O was re-implemented but is now fixed.

For general build instructions see rc1 below.

## CyaSSL Release Candidate 2 rc2-1.0.0 (1/21/2009)

Release Candidate 2 for CyaSSL 1.0.0 adds bug fixes and two new stream
ciphers along with their respective cipher suites.  CyaSSL adds support for
the HC-128 and RABBIT stream ciphers.  The new suites are:

```
TLS_RSA_WITH_HC_128_SHA
TLS_RSA_WITH_RABBIT_SHA
```

And the corresponding cipher names are:

```
HC128-SHA
RABBIT-SHA
```

CyaSSL also adds support for building with devkitPro for PPC by changing the
library proper to use libogc.  The examples haven't been changed yet but if
there's interest they can be.  Here's an example ./configure to build CyaSSL
for devkitPro:

```
./configure --disable-shared CC=/pathTo/devkitpro/devkitPPC/bin/powerpc-gekko-gcc --host=ppc --without-zlib --enable-singleThreaded RANLIB=/pathTo/devkitpro/devkitPPC/bin/powerpc-gekko-ranlib CFLAGS="-DDEVKITPRO -DGEKKO"
```

For linking purposes you'll need:

`LDFLAGS="-g -mrvl -mcpu=750 -meabi -mhard-float -Wl,-Map,$(notdir $@).map"`

For general build instructions see rc1 below.


## CyaSSL Release Candidate 1 rc1-1.0.0 (12/17/2008)

Release Candidate 1 for CyaSSL 1.0.0 contains major internal changes.  Several
areas have optimization improvements and less dynamic memory use, and the I/O
strategy has been refactored to allow alternate I/O handling or library use.
Many thanks to Thierry Fournier for providing these ideas and most of the work.

Because of these changes, this release is only a candidate, since some problems
are probably inevitable on some platform with some I/O use.  Please report any
problems and we'll try to resolve them as soon as possible.  You can contact us
at support@yassl.com or todd@yassl.com.

Using TomsFastMath by passing --enable-fastmath to ./configure now uses assembly
on some platforms.  This is new, so please report any problems, as not every
compiler, mode, and OS combination has been tested.  On ia32 all of the
registers need to be available, so be sure to pass these options to CFLAGS:

`CFLAGS="-O3 -fomit-frame-pointer"`

OS X will also need -mdynamic-no-pic added to CFLAGS.

Also, if you're building in shared mode for ia32 you'll need to pass options to
LDFLAGS as well on OS X:

`LDFLAGS=-Wl,-read_only_relocs,warning`

This gives warnings for some symbols but seems to work.


#### To build on Linux, Solaris, *BSD, Mac OS X, or Cygwin:

    ./configure
    make

    from the ./testsuite/ directory run ./testsuite

#### To make a debug build:

    ./configure --enable-debug --disable-shared
    make


#### To build on Win32

Choose (Re)Build All from the project workspace

Run the testsuite program


# CyaSSL version 0.9.9 (7/25/2008)

This release of CyaSSL adds bug fixes, Pre-Shared Keys, overridable memory
handling, and optionally TomsFastMath.  Thanks to Moisés Guimarães for the
work on TomsFastMath.

To optionally use TomsFastMath pass --enable-fastmath to ./configure,
or define USE_FAST_MATH in each project from CyaSSL for MSVC.

Please use the benchmark routine before and after to see the performance
difference; on some platforms the gains will be little, but RSA encryption
always seems to be faster.  On x86-64 machines with GCC the normal math library
may outperform the fast one when using CFLAGS=-m64 because TomsFastMath can't
yet use -m64 because of GCC's inability to do 128-bit division.

     *** UPDATE GCC 4.2.1 can now do 128-bit division ***

See notes below (0.2.0) for complete build instructions.


# CyaSSL version 0.9.8 (5/7/2008)

This release of CyaSSL adds bug fixes, client side Diffie-Hellman, and better
socket handling.

See notes below (0.2.0) for complete build instructions.


# CyaSSL version 0.9.6 (1/31/2008)

This release of CyaSSL adds bug fixes, increased session management, and a fix
for gnutls.

See notes below (0.2.0) for complete build instructions.


# CyaSSL version 0.9.0 (10/15/2007)

This release of CyaSSL adds bug fixes, MSVC 2005 support, GCC 4.2 support,
IPV6 support and test, and new test certificates.

See notes below (0.2.0) for complete build instructions.


# CyaSSL version 0.8.0 (1/10/2007)

This release of CyaSSL adds increased socket support for non-blocking writes,
connects, and interrupted system calls.

See notes below (0.2.0) for complete build instructions.


# CyaSSL version 0.6.3 (10/30/2006)

This release of CyaSSL adds debug logging to stderr to aid in the debugging of
CyaSSL on systems that may not provide the best support.

If CyaSSL is built with debugging support then you need to call
CyaSSL_Debugging_ON() to turn logging on.

On Unix use ./configure --enable-debug

On Windows define DEBUG_CYASSL when building CyaSSL

To turn logging back off call CyaSSL_Debugging_OFF()

See notes below (0.2.0) for complete build instructions.


# CyaSSL version 0.6.2 (10/29/2006)

This release of CyaSSL adds TLS 1.1.

Note that CyaSSL has certificate verification on by default, unlike OpenSSL.
To emulate OpenSSL behavior, you must call SSL_CTX_set_verify() with
SSL_VERIFY_NONE.  In order to have full security you should never do this;
provide CyaSSL with the proper certificates to eliminate impostors and call
CyaSSL_check_domain_name() to prevent man in the middle attacks.
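
The domain name check above is what stops a certificate that chains to a trusted CA but was issued for some other host from being accepted. The following is an added example, not CyaSSL's implementation of CyaSSL_check_domain_name(), of the matching rules such a check needs: case-insensitive comparison, a wildcard honoured only as the entire leftmost label and matching exactly one label, and every dNSName SAN tried as well as the subject CN (the wildcard and altname handling later listed under release 2.7.0). All certificate names and hosts in it are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two DNS names (or name suffixes). */
static bool name_eq(const char *a, const char *b)
{
    size_t alen = strlen(a), blen = strlen(b);
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Does one certificate name (subject CN or dNSName SAN) cover host?
 * Conservative rules in the spirit of RFC 6125:
 *  - comparison is case-insensitive;
 *  - a wildcard is honoured only as the entire leftmost label, "*.example.com";
 *    "www*.example.com", "*" and "*.com" (too few labels) are rejected;
 *  - the wildcard matches exactly one label: "*.example.com" covers
 *    "www.example.com" but neither "example.com" nor "a.b.example.com". */
bool cert_name_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return false;

    if (pattern[0] == '*') {
        const char *suffix = pattern + 1;              /* ".example.com" */
        if (suffix[0] != '.')
            return false;                              /* wildcard must be a whole label */
        if (strchr(suffix, '*') != NULL)
            return false;                              /* only one wildcard, leftmost */
        if (strchr(suffix + 1, '.') == NULL)
            return false;                              /* need two labels after '*' */
        const char *host_suffix = strchr(host, '.');   /* host from its first dot */
        if (host_suffix == NULL || host_suffix == host)
            return false;                              /* no label, or empty label */
        return name_eq(suffix, host_suffix);
    }

    if (strchr(pattern, '*') != NULL)
        return false;                                  /* wildcard elsewhere is invalid */
    return name_eq(pattern, host);
}

/* Post-handshake check: the host the client set out to reach must match the
 * subject CN or any dNSName SAN; any single match is enough. */
bool host_matches_cert(const char *cn, const char *const *sans, size_t nsans,
                       const char *host)
{
    if (cn != NULL && cert_name_matches(cn, host))
        return true;
    for (size_t i = 0; i < nsans; i++)
        if (cert_name_matches(sans[i], host))
            return true;
    return false;
}

int main(void)
{
    /* Constructed certificate names; not taken from any real certificate. */
    const char *cn = "www.example.com";
    const char *sans[] = { "mail.example.com", "*.example.net" };
    const char *hosts[] = { "WWW.EXAMPLE.COM", "foo.example.net",
                            "example.net", "a.b.example.net", "evil.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s %s\n", hosts[i],
               host_matches_cert(cn, sans, 2, hosts[i]) ? "match" : "MISMATCH");
    return 0;
}
```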

See notes below (0.2.0) for build instructions.

# CyaSSL version 0.6.0 (10/25/2006)

This release of CyaSSL adds more SSL functions, better autoconf, and nonblocking
I/O for accept, connect, and read.  There is now an --enable-small configure
option that turns off TLS, AES, DES3, HMAC, and ERROR_STRINGS; see configure.in
for the defines.  Note that TLS requires HMAC and AES requires TLS.

See notes below (0.2.0) for build instructions.


# CyaSSL version 0.5.5 (09/27/2006)

This mini release of CyaSSL adds better input processing through buffered input
and big message support.  Added SSL_pending() and some sanity checks on user
settings.

See notes below (0.2.0) for build instructions.


# CyaSSL version 0.5.0 (03/27/2006)

This release of CyaSSL adds AES support and minor bug fixes.

See notes below (0.2.0) for build instructions.


# CyaSSL version 0.4.0 (03/15/2006)

This release of CyaSSL adds TLSv1 client/server support and libtool.

See notes below for build instructions.


# CyaSSL version 0.3.0 (02/26/2006)

This release of CyaSSL adds SSLv3 server support and session resumption.

See notes below for build instructions.


# CyaSSL version 0.2.0 (02/19/2006)

This is the first release of CyaSSL and its crypto counterpart, CTaoCrypt.  CyaSSL
is written in ANSI C with the idea of a small code size, footprint, and memory
usage in mind.  CTaoCrypt can be as small as 32K, and the current client
version of CyaSSL can be as small as 12K.

The first release of CTaoCrypt supports MD5, SHA-1, 3DES, ARC4, Big Integer
Support, RSA, ASN parsing, and basic x509 (en/de)coding.

The first release of CyaSSL supports normal client RSA mode SSLv3 connections
with support for SHA-1 and MD5 digests.  Ciphers include 3DES and RC4.


#### To build on Linux, Solaris, *BSD, Mac OS X, or Cygwin:

    ./configure
    make

    from the ./testsuite/ directory run ./testsuite

#### To make a debug build:

    ./configure --enable-debug --disable-shared
    make


#### To build on Win32

Choose (Re)Build All from the project workspace

Run the testsuite program


*** The next release of CyaSSL will support a server and more OpenSSL
compatibility functions.


Please send questions or comments to todd@wolfssl.com