
Releases: wolfSSL/wolfssl

wolfSSL Release 5.8.4 (November 20, 2025)

21 Nov 16:58
59f4fa5


To download the release bundle of wolfSSL visit the download page at www.wolfssl.com/download/

PR stands for Pull Request, and PR references a GitHub pull request number where the code change was added.

Vulnerabilities

  • [Low CVE-2025-12888] Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa. Thanks to Adrian Cinal for the report. Fixed in PR 9275.

  • [Med. CVE-2025-11936] Potential DoS vulnerability due to a memory leak caused by multiple KeyShareEntry values with the same group in malicious TLS 1.3 ClientHello messages. This affects users who are running wolfSSL on the server side with TLS 1.3. Thanks to Jaehun Lee and Kyungmin Bae, Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9117.

  • [Low CVE-2025-11935] PSK with PFS (Perfect Forward Secrecy) downgrades to PSK without PFS during TLS 1.3 handshake. If the client sends a ClientHello that has a key share extension and the server responds with a ServerHello that does not have a key share extension the connection would previously continue on without using PFS. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9112.

  • [Low CVE-2025-11934] Signature Algorithm downgrade from ECDSA P521 to P256 during TLS 1.3 handshake. When a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9113.

  • [Low CVE-2025-11933] DoS vulnerability in wolfSSL TLS 1.3 CKS extension parsing. Previously duplicate CKS extensions were not rejected, leading to a potential memory leak when processing a ClientHello. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9132.

  • [Low CVE-2025-11931] Integer underflow leads to out-of-bounds access in XChaCha20-Poly1305 decrypt. This issue is reached only through direct application calls to wc_XChaCha20Poly1305_Decrypt(), which is not used by TLS connections. Thanks to Luigino Camastra from Aisle Research for the report. Fixed in PR 9223.

  • [Low CVE-2025-11932] Timing Side-Channel in PSK Binder Verification. The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder. Thanks to Luigino Camastra from Aisle Research for the report. Fixed in PR 9223.

  • [Low CVE-2025-12889] With TLS 1.2 connections a client could sign with any digest, including a weaker one, rather than one of the digests listed in the server's CertificateRequest. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9395.
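The two ClientHello conditions described above (CVE-2025-11933, a repeated extension; CVE-2025-11936, a repeated KeyShareEntry group) come down to the same parsing rule: reject a repeat before allocating any state for it. The program below is an added example written for this page, not wolfSSL code, and uses no wolfSSL API. The wire formats are those of RFC 8446 sections 4.2 and 4.2.8; the byte vectors are constructed, with shortened placeholder key_exchange data, and the duplicate-extension vector repeats supported_versions rather than the CKS extension because the check does not depend on the extension type.

```c
/* Added example for this page, not wolfSSL code. Parses a TLS 1.3 ClientHello
 * extension block (RFC 8446 4.2) and its key_share extension (4.2.8), rejecting
 * a repeated ExtensionType and a repeated NamedGroup before any state is kept. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EXT_KEY_SHARE 51u   /* ExtensionType key_share */
#define MAX_GROUPS    64    /* cap on distinct KeyShareEntry groups accepted */
enum { EXT_OK = 0, EXT_ERR_TRUNCATED = -1, EXT_ERR_DUP_EXT = -2,
       EXT_ERR_DUP_GROUP = -3, EXT_ERR_TOO_MANY = -4 };

/* Read a big-endian uint16 at *off, never past len. */
static int rd16(const uint8_t *p, size_t len, size_t *off, uint16_t *out)
{
    if (*off > len || len - *off < 2) return 0;
    *out = (uint16_t)(((uint16_t)p[*off] << 8) | p[*off + 1]);
    *off += 2;
    return 1;
}

/* KeyShareClientHello: uint16 client_shares length, then entries of
 * { uint16 group; uint16 key_exchange length; opaque key_exchange }.
 * (A ServerHello key_share is a single entry without the list length.) */
int parse_key_share_client(const uint8_t *ext, size_t extLen, size_t *groupCount)
{
    size_t off = 0, end, nSeen = 0;
    uint16_t total, seen[MAX_GROUPS];
    if (!rd16(ext, extLen, &off, &total)) return EXT_ERR_TRUNCATED;
    if (total != extLen - off) return EXT_ERR_TRUNCATED; /* list must fill the extension */
    end = off + total;
    while (off < end) {
        uint16_t group, keLen;
        if (!rd16(ext, end, &off, &group) || !rd16(ext, end, &off, &keLen))
            return EXT_ERR_TRUNCATED;
        if (end - off < keLen) return EXT_ERR_TRUNCATED;
        for (size_t i = 0; i < nSeen; i++)
            if (seen[i] == group) return EXT_ERR_DUP_GROUP; /* reject before allocating */
        if (nSeen == MAX_GROUPS) return EXT_ERR_TOO_MANY;
        seen[nSeen++] = group;
        off += keLen; /* key_exchange bytes are opaque to this parser */
    }
    if (groupCount) *groupCount = nSeen;
    return EXT_OK;
}

/* Extension block: uint16 length, then { uint16 type; uint16 length; opaque data }.
 * A 65536-bit map records each type seen so a repeat is caught on the spot. */
int parse_extensions(const uint8_t *buf, size_t len, size_t *extCount)
{
    size_t off = 0, end, n = 0;
    uint16_t total;
    uint8_t seen[8192];
    memset(seen, 0, sizeof seen);
    if (!rd16(buf, len, &off, &total)) return EXT_ERR_TRUNCATED;
    if (total != len - off) return EXT_ERR_TRUNCATED;
    end = off + total;
    while (off < end) {
        uint16_t type, dlen;
        if (!rd16(buf, end, &off, &type) || !rd16(buf, end, &off, &dlen))
            return EXT_ERR_TRUNCATED;
        if (end - off < dlen) return EXT_ERR_TRUNCATED;
        if (seen[type >> 3] & (1u << (type & 7))) return EXT_ERR_DUP_EXT;
        seen[type >> 3] |= (uint8_t)(1u << (type & 7));
        if (type == EXT_KEY_SHARE) {
            int rc = parse_key_share_client(buf + off, dlen, NULL);
            if (rc != EXT_OK) return rc;
        }
        off += dlen;
        n++;
    }
    if (extCount) *extCount = n;
    return EXT_OK;
}

/* Constructed vectors, not captured traffic; key_exchange bytes are placeholders. */
static const uint8_t kValid[] = {
    0x00,0x16,                                     /* extensions length 22 */
    0x00,0x2b, 0x00,0x03, 0x02,0x03,0x04,          /* supported_versions: TLS 1.3 */
    0x00,0x33, 0x00,0x0b, 0x00,0x09,               /* key_share (11), client_shares (9) */
    0x00,0x1d, 0x00,0x05, 0xaa,0xbb,0xcc,0xdd,0xee /* x25519, 5-byte placeholder */
};
static const uint8_t kDupGroup[] = {
    0x00,0x1b, 0x00,0x2b, 0x00,0x03, 0x02,0x03,0x04,
    0x00,0x33, 0x00,0x10, 0x00,0x0e,               /* x25519 listed twice */
    0x00,0x1d, 0x00,0x03, 0x01,0x02,0x03, 0x00,0x1d, 0x00,0x03, 0x04,0x05,0x06
};
static const uint8_t kDupExt[] = {
    0x00,0x0e, 0x00,0x2b, 0x00,0x03, 0x02,0x03,0x04, /* supported_versions ... */
    0x00,0x2b, 0x00,0x03, 0x02,0x03,0x04             /* ... repeated */
};
static const uint8_t kTruncated[] = { 0x00,0x10, 0x00,0x33, 0x00,0x20 }; /* claims 16 bytes, has 4 */

int main(void)
{
    size_t n = 0;
    int valid = parse_extensions(kValid, sizeof kValid, &n);
    printf("valid=%d (%zu extensions) dupGroup=%d dupExt=%d truncated=%d\n", valid, n,
           parse_extensions(kDupGroup, sizeof kDupGroup, NULL),
           parse_extensions(kDupExt, sizeof kDupExt, NULL),
           parse_extensions(kTruncated, sizeof kTruncated, NULL));
    return 0;
}
```

The duplicate checks run before any per-entry allocation, which is the property that was missing in both fixed paths: once state is allocated for an entry that is later rejected, the error path has to free it, and a leak is one missed free away.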
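For the XChaCha20-Poly1305 entry (CVE-2025-11931) and the PSK binder entry (CVE-2025-11932) the defect classes are a length subtraction with no lower bound and a tag comparison that is not constant time. The program below is an added example, not wolfSSL code: the "cipher" (byte-wise XOR) and "tag" (keyed checksum) are constructed stand-ins with no cryptographic value, chosen so the length and comparison logic runs offline. unchecked_ciphertext_len() shows the wrap-around that the check in aead_open() prevents, and ct_memeq() is the constant-time comparison pattern. As the X25519/Xtensa entry above shows, a compiler can still undo constant-time intent, so the generated code on the target should be inspected.

```c
/* Added example for this page, not wolfSSL code: the length check and the
 * constant-time tag compare an AEAD open() path needs. Cipher and tag are
 * constructed stand-ins (XOR and a keyed checksum), not cryptography. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_SZ 32
#define TAG_SZ 16
enum { AEAD_OK = 0, AEAD_BAD_ARG = -1, AEAD_BAD_LEN = -2, AEAD_AUTH_FAIL = -3 };

/* Toy tag over the ciphertext; deterministic so seal/open agree. Not a MAC. */
static void toy_tag(const uint8_t key[KEY_SZ], const uint8_t *ct, size_t ctSz, uint8_t tag[TAG_SZ])
{
    uint8_t acc = 0x5a;
    for (size_t i = 0; i < ctSz; i++) acc = (uint8_t)(((acc << 1) | (acc >> 7)) ^ ct[i]);
    for (size_t i = 0; i < TAG_SZ; i++) tag[i] = (uint8_t)(key[i] ^ acc ^ (uint8_t)i);
}

/* Constant-time equality: 1 if equal, 0 otherwise. Every byte is visited and
 * the result is derived arithmetically, so timing does not reveal the first
 * mismatching position. Verify on the target that the compiler kept it so. */
static int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint32_t)(a[i] ^ b[i]);
    return (int)((diff - 1u) >> 31); /* diff == 0 -> 1; diff in 1..255 -> 0 */
}

/* Pre-fix pattern: inSz - TAG_SZ with no lower bound. For inSz < TAG_SZ the
 * result wraps to near SIZE_MAX and any use of it indexes out of bounds. */
size_t unchecked_ciphertext_len(size_t inSz) { return inSz - TAG_SZ; }

int aead_seal(const uint8_t key[KEY_SZ], const uint8_t *pt, size_t ptSz,
              uint8_t *out, size_t outCap, size_t *outSz)
{
    if (!key || !pt || !out || !outSz) return AEAD_BAD_ARG;
    if (outCap < ptSz || outCap - ptSz < TAG_SZ) return AEAD_BAD_ARG;
    for (size_t i = 0; i < ptSz; i++) out[i] = pt[i] ^ key[i % KEY_SZ];
    toy_tag(key, out, ptSz, out + ptSz);
    *outSz = ptSz + TAG_SZ;
    return AEAD_OK;
}

/* Hardened open(): bound check first, then constant-time tag check, and no
 * plaintext is written unless the tag verified. */
int aead_open(const uint8_t key[KEY_SZ], const uint8_t *in, size_t inSz,
              uint8_t *out, size_t outCap, size_t *outSz)
{
    uint8_t expected[TAG_SZ];
    size_t ctSz;
    if (!key || !in || !out || !outSz) return AEAD_BAD_ARG;
    if (inSz < TAG_SZ) return AEAD_BAD_LEN;   /* the check whose absence underflows */
    ctSz = inSz - TAG_SZ;                      /* cannot wrap now */
    if (outCap < ctSz) return AEAD_BAD_ARG;
    toy_tag(key, in, ctSz, expected);
    if (!ct_memeq(expected, in + ctSz, TAG_SZ)) return AEAD_AUTH_FAIL;
    for (size_t i = 0; i < ctSz; i++) out[i] = in[i] ^ key[i % KEY_SZ];
    *outSz = ctSz;
    return AEAD_OK;
}

/* Scenarios over a constructed key and message. */
static const uint8_t kMsg[] = "constructed plaintext";
static void demo_key(uint8_t key[KEY_SZ]) { for (size_t i = 0; i < KEY_SZ; i++) key[i] = (uint8_t)(0xC0 + i); }

int demo_roundtrip(void)   /* 1 when seal then open returns the original */
{
    uint8_t key[KEY_SZ], sealed[sizeof kMsg + TAG_SZ], opened[sizeof kMsg];
    size_t sealedSz, openedSz;
    demo_key(key);
    if (aead_seal(key, kMsg, sizeof kMsg, sealed, sizeof sealed, &sealedSz) != AEAD_OK) return 0;
    if (aead_open(key, sealed, sealedSz, opened, sizeof opened, &openedSz) != AEAD_OK) return 0;
    return openedSz == sizeof kMsg && memcmp(opened, kMsg, sizeof kMsg) == 0;
}

int demo_short_input(void) /* open() on an input one byte shorter than the tag */
{
    uint8_t key[KEY_SZ], in[TAG_SZ - 1] = {0}, out[TAG_SZ];
    size_t outSz;
    demo_key(key);
    return aead_open(key, in, sizeof in, out, sizeof out, &outSz);
}

int demo_tampered_tag(void) /* open() after flipping one tag bit */
{
    uint8_t key[KEY_SZ], sealed[sizeof kMsg + TAG_SZ], opened[sizeof kMsg];
    size_t sealedSz, openedSz;
    demo_key(key);
    if (aead_seal(key, kMsg, sizeof kMsg, sealed, sizeof sealed, &sealedSz) != AEAD_OK) return AEAD_BAD_ARG;
    sealed[sealedSz - 1] ^= 0x01;
    return aead_open(key, sealed, sealedSz, opened, sizeof opened, &openedSz);
}

int main(void)
{
    printf("roundtrip=%d short=%d tampered=%d unchecked_len(15)=%zu\n", demo_roundtrip(),
           demo_short_input(), demo_tampered_tag(), unchecked_ciphertext_len(15));
    return 0;
}
```

The order inside aead_open() is the point: the length check comes before the subtraction that depends on it, and the tag is compared before any plaintext leaves the function, so neither a short input nor a forged tag reaches the caller's buffer.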

New Features

  • New ML-KEM / ML-DSA APIs and seed/import PKCS8 support; added _new/_delete APIs for ML-KEM/ML-DSA. (PR 9039, 9000, 9049)
  • Initial wolfCrypt FreeBSD kernel module support (PR 9392)
  • Expanded PKCS7/CMS capabilities: decode SymmetricKeyPackage / OneSymmetricKey, add wc_PKCS7_GetEnvelopedDataKariRid, and allow PKCS7 builds with AES keywrap unset. (PR 9018, 9029, 9032)
  • Add custom AES key wrap/unwrap callbacks and crypto callback copy/free operations. (PR 9002, 9309)
  • Add support for certificate_authorities extension in ClientHello and certificate manager CA-type selection/unloading. (PR 9209, 9046)
  • Large expansion of Rust wrapper modules: random, aes, rsa, ecc, dh, sha, hmac, cmac, ed25519/ed448, pbkdf2/PKCS#12, kdf/prf, SRTP KDFs, and conditional compilation options. (PR 9191, 9212, 9273, 9306, 9320, 9328, 9368, 9389, 9357, 9433)
  • Rust: support optional heap and dev_id parameters and enable conditional compilation based on C build options. (PR 9407, 9433)
  • STM32 fixes (benchmarking and platform fixes) and PSoC6 hardware acceleration additions. (PR 9228, 9256, 9185)
  • STM32U5 added support for SAES and DHUK. (PR 9087)
  • Add --enable-curl=tiny option for a smaller build when used with cURL. (PR 9174)

Improvements / Optimizations

  • Regression test fixes and expansion: TLS 1.3/1.2 tests, ARDUINO examples, libssh2 tests, hostap workflows, and nightly test improvements. (PR 9096, 9141, 9091, 9122, 9388)
  • Improved test ordering and CI test stability (random tests run order changes, FIPS test fixes). (PR 9204, 9257)
  • Docs and readme fixes, docstring updates, AsconAEAD comment placement, and example certificate renewals. (PR 9131, 9293, 9262, 9429)
  • Updated GPL exception lists (GPLv2 and GPLv3 exception updates: add Fetchmail and OpenVPN). (PR 9398, 9413)
  • Introduced WOLFSSL_DEBUG_CERTS and additional debug/logging refinements. (PR 8902, 9055)
  • Expanded crypto-callback support (SHA family, HKDF, SHA-224, sha512_family digest selection) and improved crypto-only build cases. (PR 9070, 9252, 9271, 9100, 9194)
  • AES & HW offload improvements including AES-CTR support in PKCS11 driver and AES ECB offload sizing fix. (PR 9277, 9364)
  • ESP32: PSRAM allocator support and SHA HW fixes for ESP-IDF v6/v5. (PR 8987, 9225, 9264)
  • Renesas FSP / RA examples updated and security-module TLS context improvements. (PR 9047, 9010, 9158, 9150)
  • Broad configure/CMake/Autotools workflow improvements (Apple options tracking, Watcom pinning, Debian packaging, ESP-IDF pinning). (PR 9037, 9167, 9161, 9264)
  • New assembly introspection / performance helpers for RISC-V and PPC32; benchmarking enhancements (cycle counts). (PR 9101, 9317)
  • Update to SGX build for using assembly optimizations. (PR 8463, 9138)
  • Updated Fil-C compiler testing to version 0.674. (PR 9396)
  • Refactoring and compaction of small-stack code. (PR 9153)

Bug Fixes

  • Removed the test-only popen() host lookup used when WOLFSSL_USE_POPEN_HOST and HAVE_HTTP_CLIENT are defined without HAVE_GETADDRINFO. With that specific build, calling wolfSSL_BIO_new_connect() could exercise popen() in a potentially vulnerable way. This exact build configuration is only intended for testing with QEMU and is not enabled by any autoconf/CMake flags. Thanks to linraymond2006 for the report. (PR 9038)
  • Fix for a potential crash and heap overwrite in the C# wrapper when importing a raw Ed25519 public key with the API Ed25519ImportPublic. This was a broken API in the C# wrapper that would crash on use. Thanks to Luigino Camastra from Aisle Research for the bug report. (PR 9291)
  • Coverity, cppcheck, MISRA, clang-tidy, ZeroPath and other static-analysis driven fixes across the codebase. (PR 9006, 9078, 9068, 9265, 9324)
  • TLS 1.2/DTLS improvements: client message order checks, DTLS cookie/exchange and replay protections, better DTLS early-data handling. (PR 9387, 9253, 9205, 9367)
  • Improved X.509 & cert handling: allow larger pathLen in Basic Constraints, restore inner server name for ECH, retrying cert candidate chains. (PR 8890, 9234, 8692)
  • Sniffer robustness: fix infinite recursion, better handling of OOO appData and partial overlaps, and improved retransmission detection. (PR 9051, 9106, 9140, 9094)
  • Numerous linuxkm (kernel-mode) fixes, relocation/PIE normalization, and FIPS-related build tweaks across many iterations. (PR 9025, 9035, 9067, 9111, 9121)
  • ML-KEM/Kyber and ML-DSA fixes for out-of-bounds and seed-import correctness; multiple ML-related safety fixes. (PR 9142, 9105, 9439)
  • Avoid uninitialized-variable and GCC warnings; several fixes for undefined-shift/overflow issues. (PR 9020, 9372, 9195)
  • Memory & leak fixes in X509 verification and various struct sizing fixes for WOLFSSL_NO_MALLOC usage. (PR 9258, 9036)
  • Fixed RSA / signing / verify-only warnings allowing WOLFSSL_NO_CT_OPS when WOLFSSL_RSA_VERIFY_ONLY is used and API cleanups for using const. (PR 9031, 9263)

wolfSSL Release 5.8.2 (July 17, 2025)

18 Jul 17:02
decea12


To download the release bundle of wolfSSL visit the download page at www.wolfssl.com/download/

NOTE:

  • wolfSSL is now GPLv3 instead of GPLv2.
  • --enable-heapmath is deprecated.
  • MD5 is now disabled by default.

PR stands for Pull Request, and PR references a GitHub pull request number where the code change was added.

Vulnerabilities

  • [Low] There is the potential for a fault injection attack on ECC and Ed25519 verify operations. In versions of wolfSSL 5.7.6 and later the --enable-faultharden option is available to help mitigate against potential fault injection attacks. The mitigation added in wolfSSL version 5.7.6 is to help harden applications relying on the results of the verify operations, such as when used with wolfBoot. If doing ECC or Ed25519 verify operations on a device at risk for fault injection attacks then --enable-faultharden could be used to help mitigate it. Thanks to Kevin from Fraunhofer AISEC for the report.

Hardening option added in PR #8289

  • [High CVE-2025-7395] When using WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION on an Apple platform, the native trust store verification routine overrides errors produced elsewhere in the wolfSSL certificate verification process, including failures due to hostname matching/SNI, OCSP, CRL, etc. This allows any trusted cert chain to override other errors detected during chain verification that should have resulted in termination of the TLS connection. If building wolfSSL versions later than 5.7.6 and earlier than 5.8.2 with system CA support and the Apple native cert validation feature enabled on Apple devices (on by default for non-macOS Apple targets when using autotools or CMake), we recommend updating to the latest version of wolfSSL. Thanks to Thomas Leong from ExpressVPN for the report.

Fixed in PR #8833

  • [Med. CVE-2025-7394] In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected, leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers in applications that both use RAND_bytes() and perform fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although the OpenSSL documentation for RAND_bytes() calls out that it is not safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL so that RAND_bytes() behaves similarly to OpenSSL after a fork() call even without calling RAND_poll(): the Hash-DRBG is now reseeded after detecting that it is running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report.

Fixed in PRs #8849, #8867 and #8898

  • [Low CVE-2025-7396] In wolfSSL 5.8.0 the option of hardening the C implementation of Curve25519 private key operations was added with the addition of blinding support (https://www.wolfssl.com/curve25519-blinding-support-added-in-wolfssl-5-8-0/). In wolfSSL release 5.8.2 that blinding support is turned on by default in applicable builds. The blinding configure option applies only to the base C implementation of Curve25519; it is neither needed nor available with ARM assembly builds, Intel assembly builds, or the small Curve25519 feature. While the attack would be very difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation. Thanks to Arnaud Varillon, Laurent Sauvage, and Allan Delautre from Telecom Paris for the report.

Blinding enabled by default in PR #8736

New Features

  • Multiple sessions are now supported in the sniffer due to the removal of a cached check. (PR #8723)
  • New API ssl_RemoveSession() has been implemented for sniffer cleanup operations. (PR #8768)
  • The new ASN X509 API, wc_GetSubjectPubKeyInfoDerFromCert, has been introduced for retrieving public key information from certificates. (PR #8758)
  • wc_PKCS12_create() has been enhanced to support PBE_AES(256|128)_CBC key and certificate encryptions. (PR #8782, PR #8822, PR #8859)
  • wc_PKCS7_DecodeEncryptedKeyPackage() has been added for decoding encrypted key packages. (PR #8976)
  • All AES, SHA, and HMAC functionality has been implemented within the Linux Kernel Module. (PR #8998)
  • Additions to the compatibility layer have been introduced for X.509 extensions and RSA PSS. Adding the API i2d_PrivateKey_bio, BN_ucmp and X509v3_get_ext_by_NID. (PR #8897)
  • Added support for STM32N6. (PR #8914)
  • Implemented SHA-256 for PPC 32 assembly. (PR #8894)

Improvements / Optimizations

Linux Kernel Module (LinuxKM) Enhancements

  • Registered DH and FFDHE for the Linux Kernel Module. (PR #8707)
  • Implemented fixes for standard RNG in the Linux Kernel Module. (PR #8718)
  • Added an ECDSA workaround for the Linux Kernel Module. (PR #8727)
  • Added more PKCS1 pad SHA variants for RSA in the Linux Kernel Module. (PR #8730)
  • Set default priority to 100000 for LKCAPI in the Linux Kernel Module. (PR #8740)
  • Ensured ECDH never has FIPS enabled in the Linux Kernel Module. (PR #8751)
  • Implemented further Linux Kernel Module and SP tweaks. (PR #8773)
  • Added sig_alg support for Linux 6.13 RSA in the Linux Kernel Module. (PR #8796)
  • Optimized wc_linuxkm_fpu_state_assoc. (PR #8828)
  • Ensured DRBG is multithread-round-1 in the Linux Kernel Module. (PR #8840)
  • Prevented toggling of fips_enabled in the Linux Kernel Module. (PR #8873)
  • Refactored drbg_ctx clear in the Linux Kernel Module. (PR #8876)
  • Set sig_alg max_size and digest_size callbacks for RSA in the Linux Kernel Module. (PR #8915)
  • Added get_random_bytes for the Linux Kernel Module. (PR #8943)
  • Implemented distro fix for the Linux Kernel Module. (PR #8994)
  • Fixed page-flags-h in the Linux Kernel Module. (PR #9001)
  • Added MODULE_LICENSE for the Linux Kernel Module. (PR #9005)

Post-Quantum Cryptography (PQC) & Asymmetric Algorithms

  • Kyber has been updated to the MLKEM ARM file for Zephyr. (PR #8781)
  • Backward compatibility has been implemented for ML_KEM IDs. (PR #8827)
  • ASN.1 is now ensured to be enabled when only building PQ algorithms. (PR #8884)
  • Building LMS with verify-only has been fixed. (PR #8913)
  • Parameters for LMS SHA-256_192 have been corrected. (PR #8912)
  • State can now be saved with the private key for LMS. (PR #8836)
  • Support for OpenSSL format has been added for ML-DSA/Dilithium. (PR #8947)
  • dilithium_coeff_eta2[] has been explicitly declared as signed. (PR #8955)

Build System & Portability

  • Prepared for the inclusion of v5.8.0 in the Ada Alire index. (PR #8714)
  • Introduced a new build option to allow reuse of the Windows crypt provider handle. (PR #8706)
  • Introduced general fixes for various build configurations. (PR #8763)
  • Made improvements for portability using older GCC 4.8.2. (PR #8753)
  • Macro guards updated to allow tests to build with opensslall and no server. (PR #8776)
  • Added a check for STDC_NO_ATOMICS macro before use of atomics. (PR #8885)
  • Introduced CMakePresets.json and CMakeSettings.json. (PR #8905)
  • Added an option to not use constant time code with min/max. (PR #8830)
  • Implemented proper MacOS dispatch for conditional signal/wait. (PR #8928)
  • Disabled MD5 by default for both general and CMake builds. (PR #8895, PR #8948)
  • Improved to allow building OPENSSL_EXTRA without KEEP_PEER_CERT. (PR #8926)
  • Added introspection for Intel and ARM assembly speedups. (PR #8954)
  • Fixed cURL config to set HAVE_EX_DATA and HAVE_ALPN. (PR #8973)
  • Moved FREESCALE forced algorithm HAVE_ECC to IDE/MQX/user_settings.h. (PR #8977)

Testing & Debugging

  • Fixed the exit status for testwolfcrypt. (PR #8762)
  • Added WOLFSSL_DEBUG_PRINTF and WOLFSSL_DEBUG_CERTIFICATE_LOADS for improved debugging output. (PR #8769, PR #8770)
  • Guarded some benchmark tests with NO_SW_BENCH. (PR #8760)
  • Added an additional unit test for wolfcrypt PKCS12 file to improve code coverage. (PR #8831)
  • Added an additional unit test for increased DH code coverage. (PR #8837)
  • Adjusted for warnings with NO_TLS build and added GitHub actions test. (PR #8851)
  • Added additional compatibility layer RAND tests. (PR #8852)
  • Added an API unit test for checking domain name. (PR #8863)
  • Added bind v9.18.33 testing. (PR #8888)
  • Fixed issue with benchmark help options and descriptions not lining up. (PR #8957)

Certificates & ASN.1

  • Changed the algorithm for sum in ASN.1 OIDs. (PR #8655)
  • Updated PKCS7 to use X509 STORE for internal verification. (PR #8748)
  • Improved handling of temporary buffer size for X509 extension printing. (PR #8710)
  • Marked IP address as WOLFSSL_V_ASN1_OCTET_STRING for ALT_NAMES_OID. (PR #8842)
  • Fixed printing empty names in certificates. (PR #8880)
  • Allowed CA:FALSE on wolftpm. (PR #8925)
  • Fixed several inconsistent function prototype parameter names in wc/asn. (PR #8949)
  • Accounted for custom extensions when creating a Cert from a WOLFSSL_X509. (PR #8960)

TLS/DTLS & Handshake

  • Checked group correctness outside of TLS 1.3 too for TLSX_UseSupportedCurve. (PR #8785)
  • Dropped records that span datagrams in DTLS. (PR #8642)
  • Implemented WC_NID_netscape_cert_type. (PR #8800)
  • Refactored GetHandshakeHeader/GetHandShakeHeader into one function. (PR #8787)
  • Correctly set the current peer in dtlsProcessPendingPeer. (PR #8848)
  • Fixed set_groups for TLS. (PR #8824)
  • Allowed trusted_ca_keys with TLSv1.3. (PR #8860)
  • Mo...

wolfSSL Release 5.8.0 (Apr 24, 2025)

25 Apr 16:15
b077c81


To download the release bundle of wolfSSL visit the download page at www.wolfssl.com/download/

NOTE: * --enable-heapmath is deprecated

PR stands for Pull Request, and PR references a GitHub pull request
number where the code change was added.

New Feature Additions

  • Algorithm registration in the Linux kernel module for all supported FIPS AES,
    SHA, HMAC, ECDSA, ECDH, and RSA modes, key sizes, and digest sizes.
  • Implemented various fixes to support building for Open Watcom including OS/2
    support and Open Watcom 1.9 compatibility (PR 8505, 8484)
  • Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488)
  • Added support for STM32WBA (PR 8550)
  • Added Extended Master Secret Generation Callback to the --enable-pkcallbacks
    build (PR 8303)
  • Implement AES-CTS (configure flag --enable-aescts) in wolfCrypt (PR 8594)
  • Added support for libimobiledevice commit 860ffb (PR 8373)
  • Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD
    (PR 8307)
  • Added blinding option when using a Curve25519 private key by defining the
    macro WOLFSSL_CURVE25519_BLINDING (PR 8392)

Linux Kernel Module

  • Production-ready LKCAPI registration for cbc(aes), cfb(aes), gcm(aes),
    rfc4106 (gcm(aes)), ctr(aes), ofb(aes), and ecb(aes), ECDSA with P192, P256,
    P384, and P521 curves, ECDH with P192, P256, and P384 curves, and RSA with
    bare and PKCS1 padding
  • Various fixes for LKCAPI wrapper for AES-CBC and AES-CFB (PR 8534, 8552)
  • Adds support for the legacy one-shot AES-GCM back end (PR 8614, 8567) for
    compatibility with FIPS 140-3 Cert #4718.
  • On kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override
    macro (PR 8654)
  • Update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit
    7450ebd29c (merged for Linux 6.15) (PR 8667)
  • Inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (PR 8673)
  • Fix for uninitialized build error with fedora (PR 8569)
  • Register ecdsa, ecdh, and rsa for use with linux kernel crypto (PR 8637, 8663,
  • Added force zero shared secret buffer, and clear of old key with ecdh
    (PR 8685)
  • Update fips-check.sh script to pickup XTS streaming support on aarch64 and
    disable XTS-384 as an allowed use in FIPS mode (PR 8509, 8546)

Enhancements and Optimizations

Security & Cryptography

  • Add constant-time implementation improvements for encoding functions. We thank
    Zhiyuan and Gilles for sharing a new constant-time analysis tool (CT-LLVM) and
    reporting several non-constant-time implementations. (PR 8396, 8617)
  • Additional support for PKCS7 verify and decode with indefinite lengths
    (PR 8520, 834, 8645)
  • Add more PQC hybrid key exchange algorithms such as support for combinations
    with X25519 and X448 enabling compatibility with the PQC key exchange support
    in Chromium browsers and Mozilla Firefox (PR 7821)
  • Add short-circuit comparisons to DH key validation for RFC 7919 parameters
    (PR 8335)
  • Improve FIPS compatibility with various build configurations for more resource
    constrained builds (PR 8370)
  • Added option to disable ECC public key order checking (PR 8581)
  • Allow critical alt and basic constraints extensions (PR 8542)
  • New codepoint for MLDSA to help with interoperability (PR 8393)
  • Add support for parsing trusted PEM certs having the header
    “BEGIN_TRUSTED_CERT” (PR 8400)
  • Add support for parsing only of DoD certificate policy and Comodo Ltd PKI OIDs
    (PR 8599, 8686)
  • Update ssl code in src/*.c to be consistent with wolfcrypt/src/asn.c
    handling of ML_DSA vs Dilithium and add dual alg. test (PR 8360, 8425)

Build System, Configuration, CI & Protocols

  • Internal refactor for include of config.h and when building with
    BUILDING_WOLFSSL macro. This refactor will give a warning of “deprecated
    function” when trying to improperly use an internal API of wolfSSL in an
    external application. (PR 8640, 8647, 8660, 8662, 8664)
  • Add WOLFSSL_CLU option to CMakeLists.txt (PR 8548)
  • Add CMake and Zephyr support for XMSS and LMS (PR 8494)
  • Added GitHub CI for CMake builds (PR 8439)
  • Added necessary macros when building wolfTPM Zephyr with wolfSSL (PR 8382)
  • Add MSYS2 build continuous integration test (PR 8504)
  • Update DevKitPro doc to list calico dependency with build commands (PR 8607)
  • Conversion compiler warning fixes and additional continuous integration test
    added (PR 8538)
  • Enable DTLS 1.3 by default in --enable-jni builds (PR 8481)
  • Enabled TLS 1.3 middlebox compatibility by default for --enable-jni builds
    (PR 8526)

Performance Improvements

  • Performance improvements AES-GCM and HMAC (in/out hash copy) (PR 8429)
  • LMS fixes and improvements adding API to get Key ID from raw private key,
    change to identifiers to match standard, and fix for when
    WOLFSSL_LMS_MAX_LEVELS is 1 (PR 8390, 8684, 8613, 8623)
  • ML-KEM/Kyber improvements and fixes; no malloc builds, small memory usage,
    performance improvement, fix for big-endian (PR 8397, 8412, 8436, 8467, 8619,
    8622, 8588)
  • Performance improvements for AES-GCM and when doing multiple HMAC operations
    (PR 8445)

Assembly and Platform-Specific Enhancements

  • Poly1305 arm assembly changes adding ARM32 NEON implementation and fix for
    Aarch64 use (PR 8344, 8561, 8671)
  • Aarch64 assembly enhancement to use more CPU features, fix for FreeBSD/OpenBSD
    (PR 8325, 8348)
  • Only perform ARM assembly CPUID checks if support was enabled at build time
    (PR 8566)
  • Optimizations for ARM32 assembly instructions on platforms less than ARMv7
    (PR 8395)
  • Improve MSVC feature detection for static assert macros (PR 8440)
  • Improve Espressif make and CMake for ESP8266 and ESP32 series (PR 8402)
  • Espressif updates for Kconfig, ESP32P4 and adding a sample user_settings.h
    (PR 8422, PR 8641)

OpenSSL Compatibility Layer

  • Modification to the push/pop functions in the OpenSSL compatibility layer.
    This is a major behaviour change in the compatibility stack functions:
    previously they pushed to and popped from the head of the list, but they
    now operate on the tail of the list. This matters when using sk_value with
    index values. (PR 8616)
  • OpenSSL Compat Layer: OCSP response improvements (PR 8408, 8498)
  • Expand the OpenSSL compatibility layer to include an implementation of
    BN_CTX_get (PR 8388)

API Additions and Modifications

  • Refactor Hpke to allow multiple uses of a context instead of just one shot
    mode (PR 6805)
  • Add support for PSK client callback with Ada and use with Alire (thanks
    mgrojo, PR 8332, 8606)
  • Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs and add
    functions wolfSSL_CTX_SetEchConfigs and wolfSSL_CTX_SetEchConfigsBase64 to
    rotate the server's echConfigs (PR 8556)
  • Added the public API wc_PkcsPad to do PKCS padding (PR 8502)
  • Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate (PR 8518)
  • Update Kyber APIs to ML-KEM APIs (PR 8536)
  • Add option to disallow automatic use of "default" devId using the macro
    WC_NO_DEFAULT_DEVID (PR 8555)
  • Detect unknown key format on ProcessBufferTryDecode() and handle RSA-PSSk
    format (PR 8630)

Porting and Language Support

  • Update Python port to support version 3.12.6 (PR 8345)
  • New additions for MAXQ with wolfPKCS11 (PR 8343)
  • Port to ntp 4.2.8p17 additions (PR 8324)
  • Add version 0.9.14 to tested libvncserver builds (PR 8337)

General Improvements and Cleanups

  • Cleanups for STM32 AES GCM (PR 8584)
  • Improvements to isascii() and the CMake key log option (PR 8596)
  • Arduino documentation updates, comments and spelling corrections (PR 8381,
    8384, 8514)
  • Expanding builds with WOLFSSL_NO_REALLOC for use with --enable-opensslall and
    --enable-all builds (PR 8369, 8371)

Fixes

  • Fix a use after free caused by an early free on error in the X509 store
    (PR 8449)
  • Fix to account for existing PKCS8 header with
    wolfSSL_PEM_write_PKCS8PrivateKey (PR 8612)
  • Fixed failing CMake build issue when standard threads support is not found in
    the system (PR 8485)
  • Fix segmentation fault in SHA-512 implementation for AVX512 targets built with
    gcc -march=native -O2 (PR 8329)
  • Fix Windows socket API compatibility warning with mingw32 build (PR 8424)
  • Fix potential null pointer increments in cipher list parsing (PR 8420)
  • Fix for possible stack buffer overflow read with wolfSSL_SMIME_write_PKCS7.
    Thanks to the team at Code Intelligence for the report. (PR 8466)
  • Fix AES ECB implementation for Aarch64 ARM assembly (PR 8379)
  • Fixed building with VS2008 and .NET 3.5 (PR 8621)
  • Fixed possible error case memory leaks in CRL and EVP_Sign_Final (PR 8447)
  • Fixed SSL_set_mtu compatibility function return code (PR 8330)
  • Fixed Renesas RX TSIP (PR 8595)
  • Fixed ECC non-blocking tests (PR 8533)
  • Fixed CMake on MINGW and MSYS (PR 8377)
  • Fixed Watcom compiler and added new CI test (PR 8391)
  • Fixed STM32 PKA ECC 521-bit support (PR 8450)
  • Fixed STM32 PKA with P521 and shared secret (PR 8601)
  • Fixed crypto callback macro guards with DEBUG_CRYPTOCB (PR 8602)
  • Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
    (PR 8575)
  • Additional sanity check on r and s lengths in DecodeECC_DSA_Sig_Bin (PR 8350)
  • Fix compat. layer ASN1_TIME_diff to accept NULL output params (PR 8407)
  • Fix CMake lean_tls build (PR 8460)
  • Fix for QUIC callback failure (PR 8475)
  • Fix missing alert types in AlertTypeToString for print out with debugging
    enabled (PR 8572)
  • Fixes for MSVS build issues with PQC configure (PR 8568)
  • Fix for SE050 port and minor improvements (PR 8431, 8437)
  • Fix for missing rewind function in zephyr and add missing files for compiling
    with assembly optimizations (PR 8531, 8541)
  • Fix for quic_record_append to return the correct code (PR 8340, 8358)
  • Fixes for Bind 9.18.28 port (PR 8331)
  • Fix to adhere more closely with RFC8446 Appendix D and set haveEMS when
    ...

wolfSSL Release 5.7.6 (Dec 31, 2024)

31 Dec 22:36
239b85c


To download the release bundle of wolfSSL visit the download page at www.wolfssl.com/download/

NOTE:

  • --enable-heapmath is deprecated.
  • In this release, the default cipher suite preference is updated to prioritize
    TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 when enabled.
  • This release adds a sanity check for including wolfssl/options.h or
    user_settings.h.

PR stands for Pull Request, and PR references a GitHub pull request
number where the code change was added.

Vulnerabilities

  • [Med] An OCSP (non stapling) issue was introduced in wolfSSL version 5.7.4
    when performing OCSP requests for intermediate certificates in a certificate
    chain. This affects only TLS 1.3 connections on the server side. It would not
    impact other TLS protocol versions or connections that are not using the
    traditional OCSP implementation. (Fix in pull request 8115)

New Feature Additions

  • Add support for RP2350 and improve RP2040 support, both with RNG optimizations
    (PR 8153)
  • Add support for STM32MP135F, including STM32CubeIDE support and HAL support
    for SHA2/SHA3/AES/RNG/ECC optimizations. (PR 8223, 8231, 8241)
  • Implement Renesas TSIP RSA Public Enc/Private support (PR 8122)
  • Add support for Fedora/RedHat system-wide crypto-policies (PR 8205)
  • Curve25519 generic keyparsing API added with wc_Curve25519KeyToDer and
    wc_Curve25519KeyDecode (PR 8129)
  • CRL improvements and update callback, added the functions
    wolfSSL_CertManagerGetCRLInfo and wolfSSL_CertManagerSetCRLUpdate_Cb (PR 8006)
  • For DTLS, add server-side stateless and CID quality-of-life API. (PR 8224)

Enhancements and Optimizations

  • Add a CMake dependency check for pthreads when required. (PR 8162)
  • Update OS_Seed declarations for legacy compilers and FIPS modules (boundary
    not affected). (PR 8170)
  • Enable WOLFSSL_ALWAYS_KEEP_SNI by default when using --enable-jni. (PR 8283)
  • Change the default cipher suite preference, prioritizing
    TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256. (PR 7771)
  • Add SRTP-KDF (FIPS module v6.0.0) to checkout script for release bundling
    (PR 8215)
  • Make library build when no hardware crypto available for Aarch64 (PR 8293)
  • Update assembly code to avoid uint*_t types for better compatibility with
    older C standards. (PR 8133)
  • Add initial documentation for writing ASN template code to decode BER/DER.
    (PR 8120)
  • Perform full reduction in sc_muladd for EdDSA with Curve448 (PR 8276)
  • Allow SHA-3 hardware cryptography instructions to be explicitly not used in
    MacOS builds (PR 8282)
  • Make Kyber and ML-KEM available individually and together. (PR 8143)
  • Update configuration options to include Kyber/ML-KEM and fix defines used in
    wolfSSL_get_curve_name. (PR 8183)
  • Make GetShortInt available with WOLFSSL_ASN_EXTRA (PR 8149)
  • Improved test coverage and minor improvements of X509 (PR 8176)
  • Add sanity checks for configuration methods, ensuring the inclusion of
    wolfssl/options.h or user_settings.h. (PR 8262)
  • Enable support for building without TLS (NO_TLS). Provides reduced code size
    option for non-TLS users who want features like the certificate manager or
    compatibility layer. (PR 8273)
  • Exposed get_verify functions with OPENSSL_EXTRA. (PR 8258)
  • ML-DSA/Dilithium: obtain security level from DER when decoding (PR 8177)
  • Implementation for using PKCS11 to retrieve certificate for SSL CTX (PR 8267)
  • Add support for the RFC822 Mailbox attribute (PR 8280)
  • Initialize variables and adjust types to resolve warnings with Visual Studio
    in Windows builds. (PR 8181)
  • Refactors and expansion of opensslcoexist build (PR 8132, 8216, 8230)
  • Add DTLS 1.3 interoperability, libspdm and DTLS CID interoperability tests
    (PR 8261, 8255, 8245)
  • Remove trailing error exit code in wolfSSL install setup script (PR 8189)
  • Update Arduino files for wolfssl 5.7.4 (PR 8219)
  • Improve Espressif SHA HW/SW mutex messages (PR 8225)
  • Apply post-5.7.4 release updates for Espressif Managed Component examples
    (PR 8251)
  • Expansion of c89 conformance (PR 8164)
  • Added configure option for additional sanity checks with --enable-faultharden
    (PR 8289)
  • Aarch64 ASM additions to check CPU features before hardware crypto instruction
    use (PR 8314)

Fixes

  • Fix a memory issue when using the compatibility layer with
    WOLFSSL_GENERAL_NAME and handling registered ID types. (PR 8155)
  • Fix a build issue with signature fault hardening when using public key
    callbacks (HAVE_PK_CALLBACKS). (PR 8287)
  • Fix for handling the heap hint pointer properly when managing multiple
    WOLFSSL_CTX objects and freeing one of them (PR 8180)
  • Fix potential memory leak in error case with Aria. (PR 8268)
  • Fix Set_Verify flag behaviour on Ada wrapper. (PR 8256)
  • Fix a compilation error with the NO_WOLFSSL_DIR flag. (PR 8294)
  • Resolve a corner case for Poly1305 assembly code on Aarch64. (PR 8275)
  • Fix incorrect version setting in CSRs. (PR 8136)
  • Correct debugging output for cryptodev. (PR 8202)
  • Fix for benchmark application use with /dev/crypto GMAC auth error due to size
    of AAD (PR 8210)
  • Add missing checks for the initialization of sp_int/mp_int with DSA to free
    memory properly in error cases. (PR 8209)
  • Fix return value of wolfSSL_CTX_set_tlsext_use_srtp (PR 8252)
  • Check Root CA by Renesas TSIP before adding it to ca-table (PR 8101)
  • Prevent adding a certificate to the CA cache for Renesas builds if it does not
    set CA:TRUE in basic constraints. (PR 8060)
  • Fix attribute certificate holder entityName parsing. (PR 8166)
  • Resolve build issues for configurations without any wolfSSL/openssl
    compatibility layer headers. (PR 8182)
  • Fix for building SP RSA small and RSA public only (PR 8235)
  • Fix for Renesas RX TSIP RSA Sign/Verify with wolfCrypt only (PR 8206)
  • Fix to ensure all files have settings.h included (like wc_lms.c) and guards
    for building all *.c files (PR 8257 and PR 8140)
  • Fix x86 target build issues in Visual Studio for non-Windows operating
    systems. (PR 8098)
  • Fix wolfSSL_X509_STORE_get0_objects to handle no CA (PR 8226)
  • Properly handle reference counting when adding to the X509 store. (PR 8233)
  • Fix for various typos and improper size used with FreeRTOS_bind in the Renesas
    example. Thanks to Hongbo for the report on example issues. (PR 7537)
  • Fix for potential heap use after free with wolfSSL_PEM_read_bio_PrivateKey.
    Thanks to Peter for the issue reported. (PR 8139)

wolfSSL Release 5.7.4 (Oct 24, 2024)

25 Oct 22:00
bdd6231

To download the release bundle of wolfSSL visit the download page at www.wolfssl.com/download/

Vulnerabilities

  • [Low] When the OpenSSL compatibility layer is enabled, certificate
    verification behaved differently in wolfSSL than OpenSSL, in the
    X509_STORE_add_cert() and X509_STORE_load_locations() implementations.
    Previously, in cases where an application explicitly loaded an intermediate
    certificate, wolfSSL was verifying only up to that intermediate certificate,
    rather than verifying up to the root CA. This only affects use cases where the
    API is called directly, and does not affect TLS connections. Users that call
    the API X509_STORE_add_cert() or X509_STORE_load_locations() directly in their
    applications are recommended to update the version of wolfSSL used or to have
    additional sanity checks on certificates loaded into the X509_STORE when
    verifying a certificate. (#8087)

PQC TLS Experimental Build Fix

  • When using TLS with post quantum algorithms enabled, the connection uses a
    smaller EC curve than agreed on. Users building with --enable-experimental and
    enabling PQC cipher suites with TLS connections are recommended to update the
    version of wolfSSL used. Thanks to Daniel Correa for the report.
    (#8084)

New Feature Additions

  • RISC-V 64 new assembly optimizations added for SHA-256, SHA-512, ChaCha20,
    Poly1305, and SHA-3 (PR 7758,7833,7818,7873,7916)
  • Implement support for Connection ID (CID) with DTLS 1.2 (PR 7995)
  • Add support for (DevkitPro) libnds (PR 7990)
  • Add port for Mosquitto OSP (Open Source Project) (PR 6460)
  • Add port for init sssd (PR 7781)
  • Add port for eXosip2 (PR 7648)
  • Add support for STM32G4 (PR 7997)
  • Add support for MAX32665 and MAX32666 TPU HW and ARM ASM Crypto Callback
    Support (PR 7777)
  • Add support for building wolfSSL to be used in libspdm (PR 7869)
  • Add port for use with Nucleus Plus 2.3 (PR 7732)
  • Initial support for RFC5755 x509 attribute certificates (acerts). Enabled with
    --enable-acert (PR 7926)
  • PKCS#11 RSA Padding offload allows tokens to perform CKM_RSA_PKCS
    (sign/encrypt), CKM_RSA_PKCS_PSS (sign), and CKM_RSA_PKCS_OAEP (encrypt).
    (PR 7750)
  • Added “new” and “delete” style functions for heap/pool allocation and freeing
    of low level crypto structures (PR 3166 and 8089)

Enhancements and Optimizations

  • Increase default max alt. names from 128 to 1024 (PR 7762)
  • Added new constant time DH agree function wc_DhAgree_ct (PR 7802)
  • Expanded compatibility layer with the API EVP_PKEY_is_a (PR 7804)
  • Add option to disable the cryptocb software test using
    --disable-cryptocb-sw-test (PR 7862)
  • Add a call to certificate verify callback before checking certificate dates
    (PR 7895)
  • Expanded algorithms supported with the wolfCrypt CSharp wrapper. Adding
    support for RNG, ECC(ECIES and ECDHE), RSA, ED25519/Curve25519, AES-GCM, and
    Hashing (PR 3166)
  • Expand MMCAU support for use with DES ECB (PR 7960)
  • Update AES SIV to handle multiple associated data inputs (PR 7911)
  • Remove HAVE_NULL_CIPHER from --enable-openssh (PR 7811)
  • Removed duplicate if(NULL) checks when calling XFREE (macro does) (PR 7839)
  • Set RSA_MIN_SIZE default to 2048 bits (PR 7923)
  • Added support for wolfSSL to be used as the default TLS in the Zephyr kernel
    (PR 7731)
  • Add enable provider build using --enable-wolfprovider with autotools (PR 7550)
  • Renesas RX TSIP ECDSA support (PR 7685)
  • Support DTLS 1.3 downgrade when the server supports CID (PR 7841)
  • Server-side checks OCSP even if it uses v2 multi (PR 7828)
  • Add handling of absent hash params in PKCS7 bundle parsing and creation
    (PR 7845)
  • Add the use of w64wrapper for Poly1305, enabling Poly1305 to be used in
    environments that do not have a word64 type (PR 7759)
  • Update to the maxq10xx support (PR 7824)
  • Add support for parsing over optional PKCS8 attributes (PR 7944)
  • Add support for either side method with DTLS 1.3 (PR 8012)
  • Added PKCS7 PEM support for parsing PEM data with BEGIN/END PKCS7 (PR 7704)
  • Add CMake support for WOLFSSL_CUSTOM_CURVES (PR 7962)
  • Add left-most wildcard matching support to X509_check_host() (PR 7966)
  • Add option to set custom SKID with PKCS7 bundle creation (PR 7954)
  • Building wolfSSL as a library with Ada and corrections to Alire manifest
    (PR 7303,7940)
  • Renesas RX72N support updated (PR 7849)
  • New option WOLFSSL_COPY_KEY added to always copy the key to the SSL object
    (PR 8005)
  • Add the new option WOLFSSL_COPY_CERT to always copy the cert buffer for each
    SSL object (PR 7867)
  • Add an option to use AES-CBC with HMAC for default session ticket enc/dec.
    Defaults to AES-128-CBC with HMAC-SHA256 (PR 7703)
  • Memory usage improvements in wc_PRF, sha256 (for small code when many
    registers are available) and sp_int objects (PR 7901)
  • Change in the configure script to work around ">>" with no command. In older
    /bin/sh it can be ambiguous, as used in OSes such as FreeBSD 9.2 (PR 7876)
  • Don't attempt to include system headers when not required (PR 7813)
  • Certificates: DER encoding of ECC signature algorithm parameter is now
    allowed to be NULL with a define (PR 7903)
  • SP x86_64 asm: check for AVX2 support for VMs (PR 7979)
  • Update rx64n support on gr-rose (PR 7889)
  • Update FSP version to v5.4.0 for RA6M4 (PR 7994)
  • Update TSIP driver version to v1.21 for RX65N RSK (PR 7993)
  • Add a new crypto callback for RSA with padding (PR 7907)
  • Replaced the use of pqm4 with wolfSSL implementations of Kyber/MLDSA
    (PR 7924)
  • Modernized memory fence support for C11 and clang (PR 7938)
  • Add a CRL error override callback (PR 7986)
  • Extend the X509 unknown extension callback for use with a user context
    (PR 7730)
  • Additional debug error tracing added with TLS (PR 7917)
  • Added runtime support for library call stack traces with
    --enable-debug-trace-errcodes=backtrace, using libbacktrace (PR 7846)
  • Expanded C89 conformance (PR 8077)
  • Expanded support for WOLFSSL_NO_MALLOC (PR 8065)
  • Added support for cross-compilation of Linux kernel module (PR 7746)
  • Updated Linux kernel module with support for kernel 6.11 and 6.12 (PR 7826)
  • Introduce WOLFSSL_ASN_ALLOW_0_SERIAL to allow parsing of certificates with a
    serial number of 0 (PR 7893)
  • Add conditional repository_owner to all wolfSSL GitHub workflows (PR 7871)

Espressif / Arduino Updates

  • Update wolfcrypt settings.h for Espressif ESP-IDF, template update (PR 7953)
  • Update Espressif sha, util, mem, time helpers (PR 7955)
  • Espressif _thread_local_start and _thread_local_end fix (PR 8030)
  • Improve benchmark for Espressif devices (PR 8037)
  • Introduce Espressif common CONFIG_WOLFSSL_EXAMPLE_NAME, Kconfig (PR 7866)
  • Add wolfSSL esp-tls and Certificate Bundle Support for Espressif ESP-IDF
    (PR 7936)
  • Update wolfssl Release for Arduino (PR 7775)

Post Quantum Crypto Updates

  • Dilithium: support fixed size arrays in dilithium_key (PR 7727)
  • Dilithium: add option to use precalc with small sign (PR 7744)
  • Allow Kyber to be built with FIPS (PR 7788)
  • Allow Kyber asm to be used in the Linux kernel module (PR 7872)
  • Dilithium, Kyber: Update to final specification (PR 7877)
  • Dilithium: Support FIPS 204 Draft and Final Draft (PR 7909,8016)

ARM Assembly Optimizations

  • ARM32 assembly optimizations added for ChaCha20 and Poly1305 (PR 8020)
  • Poly1305 assembly optimizations improvements for Aarch64 (PR 7859)
  • Poly1305 assembly optimizations added for Thumb-2 (PR 7939)
  • Adding ARM ASM build option to STM32CubePack (PR 7747)
  • Add ARM64 to Visual Studio Project (PR 8010)
  • Kyber assembly optimizations for ARM32 and Aarch64 (PR 8040,7998)
  • Kyber assembly optimizations for ARMv7E-M/ARMv7-M (PR 7706)

Fixes

  • ECC key load: fixes for certificates with parameters that are not default for
    size (PR 7751)
  • Fixes for building x86 in Visual Studio for non-Windows OSes (PR 7884)
  • Fix for TLS v1.2 secret callback, incorrectly detecting bad master secret
    (PR 7812)
  • Fixes for PowerPC assembly use with Darwin and SP math all (PR 7931)
  • Fix for detecting older versions of Mac OS when trying to link with
    libdispatch (PR 7932)
  • Fix for DTLS 1.3 downgrade to DTLS 1.2 when the server sends multiple
    handshake packets combined into a single transmission. (PR 7840)
  • Fix for OCSP to save the request if it was stored in ssl->ctx->certOcspRequest
    (PR 7779)
  • Fix to OCSP for searching for CA by key hash instead of ext. key id (PR 7934)
  • Fix for staticmemory and singlethreaded build (PR 7737)
  • Fix to not allow Shake128/256 with Xilinx AFALG (PR 7708)
  • Fix to support PKCS11 without RSA key generation (PR 7738)
  • Fix not calling the signing callback when using PK callbacks + TLS 1.3
    (PR 7761)
  • Cortex-M/Thumb2 ASM fix label for IAR compiler (PR 7753)
  • Fix with PKCS11 to iterate correctly over slotId (PR 7736)
  • Stop stripping out the sequence header on the AltSigAlg extension (PR 7710)
  • Fix ParseCRL_AuthKeyIdExt with ASN template to set extAuthKeyIdSet value
    (PR 7742)
  • Use max key length for PSK encrypt buffer size (PR 7707)
  • DTLS 1.3 fix for size check to include headers and CID fixes (PR 7912,7951)
  • Fix STM32 Hash FIFO and add support for STM32U5A9xx (PR 7787)
  • Fix CMake build error for curl builds (PR 8021)
  • SP Maths: PowerPC ASM fix to use XOR instead of LI (PR 8038)
  • SSL loading of keys/certs: testing and fixes (PR 7789)
  • Misc. fixes for Dilithium and Kyber (PR 7721,7765,7803,8027,7904)
  • Fixes for building wolfBoot sources for PQ LMS/XMSS (PR 7868)
  • Fixes for building with Kyber enabled using CMake and zephyr port (PR 7773)
  • Fix for edge cases with session resumption with TLS 1.2 (PR 8097)
  • Fix issue with ARM ASM with AES CFB/OFB not initializing the "left" member
    (PR 8099)

wolfSSL Release 5.7.2 (July 8, 2024)

09 Jul 16:10
00e4215

NOTE: --enable-heapmath is being deprecated and will be removed by end of 2024

Vulnerabilities

  • [Medium] CVE-2024-1544
    Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls. Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Analyzing the division through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. Thanks to Luca Wilke, Florian Sieck and Thomas Eisenbarth (University of Lübeck) for reporting the vulnerability. Details will appear in the proceedings of CCS 24.
    Fixed in GitHub pull request #7020

  • [Medium] CVE-2024-5288
    A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations. If performing ECC private key operations in an environment where a malicious user could gain fine control over the device and perform row hammer style attacks, it is recommended to update the version of wolfSSL used and to build with WOLFSSL_BLIND_PRIVATE_KEY defined. Thanks to Kemal Derya, M. Caner Tol, and Berk Sunar for the report (Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute).
    Fixed in GitHub pull request #7416

  • [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS. There are existing sanity checks during a TLS handshake with wolfSSL which mitigate this issue. Thanks to Bing Shi for the report.
    Fixed in GitHub pull request #7597

  • [Low] CVE-2024-5991
    In the function MatchDomainName(), the input parameter str is treated as a NULL-terminated string despite being user provided and unchecked. Specifically, the OpenSSL compatibility function X509_check_host() takes in a pointer and length to check against, with no requirement that it be NULL terminated. While calling without a NULL-terminated string is very uncommon, it is still technically allowed. If a caller was attempting to do a name check on a non-NULL-terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.
    Fixed in GitHub pull request #7604

  • [Medium] CVE-2024-5814
    A malicious TLS 1.2 server can force a TLS 1.3 client with downgrade capability to use a cipher suite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the ServerHello when downgrading from TLS 1.3.
    Fixed in GitHub pull request #7619

  • [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received. Found with internal testing.
    Fixed in GitHub pull request #7702

  • [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt. A revoked CA certificate could incorrectly be loaded into the trusted signers list and used in a repeat connection attempt. Found with internal testing.
    Fixed in GitHub pull request #7702
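The nonce bias described in the CVE-2024-1544 entry above, as an added illustration that is not wolfSSL's code: it enumerates every L-bit random value r, reduces k = r mod n for a toy "curve order" n, and compares how often the top bit of k is set against a uniform k in [0, n); it also shows the rejection-sampling shape that removes the wrap-around doubling. The bit lengths (8 and 16) and the orders 192 and 255 are constructed, not real curve parameters, and the scripted RNG only replays a constructed sequence.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Number of bits needed to represent n (n > 0). */
static unsigned bit_length(uint64_t n)
{
    unsigned bits = 0;
    while (n != 0) { bits++; n >>= 1; }
    return bits;
}

/* Vulnerable shape: sample an L-bit r and take k = r mod n.
 * Every k in [0, 2^L - n) is reached by two values of r (r and r + n), every
 * other k by one, so small k are over-represented and the top bit of k is
 * set less often than it should be. This enumerates all 2^L values of r and
 * counts how many land on a k whose most significant bit is set. */
static uint64_t count_msb_set_after_mod(unsigned L, uint64_t n)
{
    uint64_t total = (uint64_t)1 << L;
    uint64_t msb = (uint64_t)1 << (bit_length(n) - 1);
    uint64_t r, count = 0;
    for (r = 0; r < total; r++) {
        if (((r % n) & msb) != 0) count++;
    }
    return count;
}

/* P(top bit of k set) when k = (L-bit r) mod n. */
static double p_msb_mod(unsigned L, uint64_t n)
{
    return (double)count_msb_set_after_mod(L, n) / (double)((uint64_t)1 << L);
}

/* P(top bit of k set) for the ideal uniform k in [0, n): the values with the
 * top bit set are exactly [2^(bits-1), n). */
static double p_msb_uniform(uint64_t n)
{
    uint64_t msb = (uint64_t)1 << (bit_length(n) - 1);
    return (double)(n - msb) / (double)n;
}

/* Mitigation shape: rejection sampling. Draw candidates of the same bit
 * length as n and discard any outside [1, n); the accepted k is exactly
 * uniform, so a control-flow side channel on a reduction has nothing to leak.
 * rng() stands in for a DRBG and returns a fresh value per call. */
static uint64_t sample_nonce_rejection(uint64_t n, uint64_t (*rng)(void *), void *ctx)
{
    uint64_t mask = ((uint64_t)1 << bit_length(n)) - 1;
    for (;;) {
        uint64_t k = rng(ctx) & mask;
        if (k >= 1 && k < n) return k;  /* ECDSA requires 1 <= k < n */
    }
}

/* Scripted "RNG" for the demonstration: replays a constructed sequence. */
struct scripted_rng { const uint64_t *vals; size_t idx; };

static uint64_t scripted_next(void *ctx)
{
    struct scripted_rng *s = (struct scripted_rng *)ctx;
    return s->vals[s->idx++];
}

/* Runs the rejection sampler with n = 192 on the constructed draws
 * 200, 0, 5: the first two are rejected (>= n, == 0), 5 is accepted. */
static uint64_t demo_rejection(void)
{
    static const uint64_t draws[] = { 200, 0, 5 };
    struct scripted_rng s = { draws, 0 };
    return sample_nonce_rejection(192, scripted_next, &s);
}

int main(void)
{
    /* Toy orders: 192 (0xC0) leaves a large gap below 2^8, 255 a tiny one.
     * Real curves sit in between; for P-256 the gap is about 2^-32 of 2^256,
     * which is why the release note calls some curves negligible. */
    uint64_t orders[] = { 192, 255 };
    size_t i;
    for (i = 0; i < sizeof orders / sizeof orders[0]; i++) {
        uint64_t n = orders[i];
        printf("n=%3llu  P(msb=1) uniform=%.4f  8-bit mod=%.4f  16-bit mod=%.4f\n",
               (unsigned long long)n, p_msb_uniform(n),
               p_msb_mod(8, n), p_msb_mod(16, n));
    }
    printf("rejection sampling accepted k=%llu\n",
           (unsigned long long)demo_rejection());
    return 0;
}
```

Sampling 16 bits and reducing mod a 8-bit n shrinks the gap between the two probabilities, which is the effect of drawing extra random bits before reduction; rejection sampling removes it entirely.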

New Feature Additions

  • Added Dilithium/ML-DSA: Implementation of ML-DSA-44/65/87 (PR 7622)
  • AES RISC-V 64-bit ASM: ECB/CBC/CTR/GCM/CCM (PR 7569)
  • Added CUDA support for AES encryption (PR 7436)
  • Added support for gRPC (PR 7445)
  • Added function wc_RsaPrivateKeyDecodeRaw to import raw RSA private keys (PR 7608)
  • Added crypto callback for SHA-3 (PR 7670)
  • Support for Infineon Modus Toolbox with wolfSSL (PR 7369)
  • Allow user to send a user_canceled alert by calling wolfSSL_SendUserCanceled (PR 7590)
  • C# wrapper SNI support added (PR 7610)
  • Quantum-safe algorithm support added to the Linux kernel module (PR 7574)
  • Support for NIST 800-56C Option 1 KDF, using the macro WC_KDF_NIST_SP_800_56C added (PR 7589)
  • AES-XTS streaming mode added, along with hardware acceleration and kernel module use (PR 7522, 7560, 7424)
  • PlatformIO FreeRTOS with ESP build and addition of benchmark and test example applications (PR 7528, 7413, 7559, 7542)

Enhancements and Optimizations

  • Expanded STM32 AES hardware acceleration support for use with STM32H5 (PR 7578)
  • Adjusted wc_xmss and wc_lms settings to support use with wolfBoot (PR 7393)
  • Added the --enable-rpk option to autotools build for using raw public key support (PR 7379)
  • SHA-3 Thumb2, ARM32 assembly implementation added (PR 7667)
  • Improvements to RSA padding to expose Pad/Unpad APIs (PR 7612)
  • Updates and API additions for supporting socat version 1.8.0.0 (PR 7594)
  • CMake build improvements, expanding build options with SINGLE_THREADED and post-quantum algorithms, adjusting the generation of the options.h file and using “yes;no” booleans instead of strings (PR 7611, 7546, 7479, 7480, 7380)
  • Improvements for Renesas RZ support (PR 7474)
  • Improvements to dual algorithm certificates for post-quantum keys (PR 7286)
  • Added wolfSSL_SessionIsSetup so the user can check if a session ticket has been sent by the server (PR 7430)
  • hostap updates: Implement PACs for EAP-FAST and filter cipher list on TLS version change (PR 7446)
  • Changed subject name comparison to match different upper and lower cases (PR 7420)
  • Support for DTLS 1.3 downgrade when using PSK (PR 7367)
  • Update to static memory build for more generic memory pools used (PR 7418)
  • Improved performance of Kyber C implementation (PR 7654)
  • Support for ECC_CACHE_CURVE with no malloc (PR 7490)
  • Added the configure option --enable-debug-trace-errcodes (macro WOLFSSL_DEBUG_TRACE_ERROR_CODES) which enables more debug tracking of error code values (PR 7634)
  • Enhanced wc_MakeRsaKey and wc_RsaKeyToDer to work with WOLFSSL_NO_MALLOC (PR 7362)
  • Improvements to assembly implementations of ChaCha20 and Poly1305 ASM for use with MSVC (PR 7319)
  • Cortex-M inline assembly labels with unique number appended (PR 7649)
  • Added secret logging callback to TLS <= 1.2, enabled with the macro HAVE_SECRET_CALLBACK (PR 7372)
  • Made wc_RNG_DRBG_Reseed() a public wolfCrypt API (PR 7386)
  • Enabled DES3 support without the DES3 ciphers. To re-enable DES3 cipher suites, use the configure flag --enable-des3-tls-suites (PR 7315)
  • Added stubs required for latest nginx (1.25.5) (PR 7449)
  • Added option for using a custom salt with the function wc_ecc_ctx_set_own_salt (PR 7552)
  • Added PQ files for Windows (PR 7419)
  • Enhancements to static memory feature, adding the option for a global heap hint (PR 7478) and build options for a lean or debug setting, enabled with --enable-staticmemory=small or --enable-staticmemory=debug (PR 7597)
  • Updated --enable-jni to define SESSION_CERTS for wolfJSSE (PR 7557)
  • Exposed DTLS in Ada wrapper and updated examples (PR 7397)
  • Added additional minimum TLS extension size sanity checks (PR 7602)
  • ESP improvements: updating the examples and libraries, updates for Apple HomeKit SHA/SRP, and fix for endianness with SHA512 software fallback (PR 7607, 7392, 7505, 7535)
  • Made the wc_CheckCertSigPubKey API publicly available with the define of the macro WOLFSSL_SMALL_CERT_VERIFY (PR 7599)
  • Added an alpha/preview of additional FIPS 140-3 full submission, bringing additional algorithms such as SRTP-KDF, AES-XTS, GCM streaming, AES-CFB, ED25519, and ED448 into the FIPS module boundary (PR 7295)
  • XCODE support for v5.2.3 of the FIPS module (PR 7140)
  • Expanded OpenSSL compatibility layer and added EC_POINT_hex2point (PR 7191)

Fixes

  • Fixed Kyber control-flow timing leak. Thanks to Antoon Purnal from PQShield for the report.
  • Fixed the NXP MMCAU HW acceleration for SHA-256 (PR 7389)
  • Fixed AES-CFB1 encrypt/decrypt on size (8*x-1) bits (PR 7431)
  • Fixed use of %rip with SHA-256 x64 assembly (PR 7409)
  • Fixed OCSP response message build for DTLS (PR 7671)
  • Handled edge case in wc_ecc_mulmod() with zero (PR 7532)
  • Fixed RPK (Raw Public Key) to follow certificate use correctly (PR 7375)
  • Added sanity check on record header with QUIC use (PR 7638)
  • Added sanity check for empty directory strings in X.509 when parsing (PR 7669)
  • Added sanity check on non-conforming serial number of 0 in certificates being parsed (PR 7625)
  • Fixed wolfSSL_CTX_set1_sigalgs_list() to make the TLS connection conform to the selected sig hash algorithm (PR 7693)
  • Various fixes for dual algorithm certificates including small stack use and support for Certificate Signing Requests (PR 7577)
  • Added sanity check for critical policy extension when wolfSSL is built without policy extension support enabled (PR 7388)
  • Added sanity check that the ed25519 signature is smaller than the order (PR 7513)
  • Fixed Segger emNet to handle non-blocking want read/want write (PR 7581)

wolfSSL Release 5.7.0 (Mar 20, 2024)

21 Mar 14:54
8970ff4

Choose a tag to compare

NOTE: --enable-heapmath is being deprecated and will be removed by end of 2024

NOTE: In future releases, --enable-des3 (which is disabled by default) will be insufficient in itself to enable DES3 in TLS cipher suites. A new option, --enable-des3-tls-suites, will need to be supplied in addition. This option should only be used in backward compatibility scenarios, as it is inherently insecure.

NOTE: This release switches the default ASN.1 parser to the new ASN template code. If the original ASN.1 code is preferred define WOLFSSL_ASN_ORIGINAL to use it. See PR #7199.

Vulnerabilities

  • [High] CVE-2024-0901 Potential denial of service and out of bounds read. Affects TLS 1.3 on the server side when accepting a connection from a malicious TLS 1.3 client. If using TLS 1.3 on the server side it is recommended to update the version of wolfSSL used. Fixed in this GitHub pull request #7099

  • [Med] CVE-2024-1545 Fault Injection vulnerability in the RsaPrivateDecryption function that potentially allows an attacker that has access to the same system as a victim's process to perform a Rowhammer fault injection. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang, Qingni Shen for the report (Peking University, The University of Western Australia).
    Fixed in this GitHub pull request #7167

  • [Med] Fault injection attack with EdDSA signature operations. This affects ed25519 sign operations where the system could be susceptible to Rowhammer attacks. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang, Qingni Shen for the report (Peking University, The University of Western Australia).
    Fixed in this GitHub pull request #7212

New Feature Additions

  • Added --enable-experimental configure flag to gate out features that are currently experimental. Now liboqs, kyber, lms, xmss, and dual-alg-certs require the --enable-experimental flag.

POST QUANTUM SUPPORT ADDITIONS

  • Experimental framework for using wolfSSL’s XMSS implementation (PR 7161)
  • Experimental framework for using wolfSSL’s LMS implementation (PR 7283)
  • Experimental wolfSSL Kyber implementation and assembly optimizations, enabled with --enable-experimental --enable-kyber (PR 7318)
  • Experimental support for post quantum dual key/signature certificates. A few known issues and sanitizer checks are in progress with this feature. Enabled with the configure flags --enable-experimental --enable-dual-alg-certs (PR 7112)
  • CryptoCb support for PQC algorithms (PR 7110)

OTHER FEATURE ADDITIONS

  • The Linux kernel module now supports registration of AES-GCM, AES-XTS, AES-CBC, and AES-CFB with the kernel cryptosystem through the new --enable-linuxkm-lkcapi-register option, enabling automatic use of wolfCrypt implementations by the dm-crypt/LUKS and ESP subsystems. In particular, wolfCrypt AES-XTS with --enable-aesni is faster than the native kernel implementation.
  • CryptoCb hook to one-shot CMAC functions (PR 7059)
  • BER content streaming support for PKCS7_VerifySignedData and sign/encrypt operations (PR 6961 & 7184)
  • IoT-Safe SHA-384 and SHA-512 support (PR 7176)
  • I/O callbacks for content and output with PKCS7 bundle sign/encrypt to reduce peak memory usage (PR 7272)
  • Microchip PIC24 support and example project (PR 7151)
  • AutoSAR shim layer for RNG, SHA256, and AES (PR 7296)
  • wolfSSL_CertManagerUnloadIntermediateCerts API to clear intermediate certs added to certificate store (PR 7245)
  • Implement SSL_get_peer_signature_nid and SSL_get_peer_signature_type_nid (PR 7236)

Enhancements and Optimizations

  • Remove obsolete user-crypto functionality and Intel IPP support (PR 7097)
  • Support for RSA-PSS signatures with CRL use (PR 7119)
  • Enhancement for AES-GCM use with Xilsecure on Microblaze (PR 7051)
  • Support for crypto cb only build with ECC and NXP CAAM (PR 7269)
  • Improve liboqs integration adding locking and init/cleanup functions (PR 7026)
  • Prevent memory access before clientSession->serverRow and clientSession->serverIdx are sanitized (PR 7096)
  • Enhancements to reproducible build (PR 7267)
  • Update Arduino example TLS Client/Server and improve support for ESP32 (PR 7304 & 7177)
  • XC32 compiler version 4.x compatibility (PR 7128)
  • Porting for build on PlayStation 3 and 4 (PR 7072)
  • Improvements for Espressif use; SHA HW/SW selection and use on ESP32-C2/ESP8684, wolfSSL_NewThread() type, component cmake fix, and update TLS client example for ESP8266 (PR 7081, 7173, 7077, 7148, 7240)
  • Allow crypto callbacks with SHA-1 HW (PR 7087)
  • Update OpenSSH port to version 9.6p1 (PR 7203)
  • ARM Thumb2 enhancements, AES-GCM support for GCM_SMALL, alignment fix on key, fix for ASM clobber list (PR 7291,7301,7221)
  • Expand heap hint support for static memory build with more x509 functions (PR 7136)
  • Improving ARMv8 ChaCha20 ASM (alignment) (PR 7182)
  • Unknown extension callback wolfSSL_CertManagerSetUnknownExtCallback added to CertManager (PR 7194)
  • Implement wc_rng_new_ex for use with devIDs with crypto callback (PR 7271)
  • Allow reading 0-RTT data after writing 0.5-RTT data (PR 7102)
  • Send alert on bad PSK binder error (PR 7235)
  • Enhancements to CMake build files for use with cross compiling (PR 7188)

Fixes

  • Fix for checking result of MAC verify when no AAD is used with AES-GCM and Xilinx Xilsecure (PR 7051)
  • Fix for Aria sign use (PR 7082)
  • Fix for invalid dh_ffdhe_test test case using Intel QuickAssist (PR 7085)
  • Fixes for TI AES and SHA on TM4C with HW acceleration and add full AES GCM and CCM support with TLS (PR 7018)
  • Fixes for STM32 PKA use with ECC (PR 7098)
  • Fixes for TLS 1.3 with crypto callbacks to offload KDF / HMAC operation (PR 7070)
  • Fix include path for FSP 3.5 on Renesas RA6M4 (PR 7101)
  • Siphash x64 asm fix for use with older compilers (PR 7299)
  • Fix for SGX build with SP (PR 7308)
  • Fix to make it mandatory that the cookie is sent back in the new ClientHello when seen in a HelloRetryRequest (PR 7190)
  • Fix for wrap around behavior with BIO pairs (PR 7169)
  • OCSP fixes for parsing of response correctly when there was a revocation reason and returning correct error value with date checks (PR 7241 & 7255)
  • Fix build with NO_STDIO_FILESYSTEM and improve checks for XGETENV (PR 7150)
  • Fix for DTLS sequence number and cookie when downgrading DTLS version (PR 7214)
  • Fix for write_dup use with chacha-poly cipher suites (PR 7206)
  • Fix for multiple handshake messages in one record failing with OUT_OF_ORDER_E when downgrading from TLS 1.3 to TLS 1.2 (PR 7141)
  • Fix for AES ECB build with Thumb and alignment (PR 7094)
  • Fix to negotiate the handshake to completion in wolfSSL_read/wolfSSL_write when hitting an edge case with want read/write (PR 7237)

wolfSSL Release 5.6.6 (Dec 19, 2023)

19 Dec 22:08
66596ad

Choose a tag to compare

NOTE: --enable-heapmath is being deprecated and will be removed by 2024

REMINDER: When working with AES Block Cipher algorithms, wc_AesInit() should always be called first to initialize the Aes structure, before calling other Aes API functions. Recently we found several places in our documentation, comments, and codebase where this pattern was not observed. We have since fixed this omission in several PRs for this release.

Vulnerabilities

  • [Medium] CVE-2023-6935: After review of the previous RSA timing fix in wolfSSL 5.6.4, additional changes were found to be required. A complete timing-resistant change is delivered in this release. This fix is for the Marvin attack, which leads to being able to decrypt a saved TLS connection and potentially forge a signature after probing with a very large number of trial connections. This issue is around RSA decryption and affects the optional static RSA cipher suites on the server side, which are considered weak, are not recommended for use and are off by default in wolfSSL (even with --enable-all). Static RSA cipher suites were also removed from the TLS 1.3 protocol and are only present in TLS 1.2 and lower. All padding versions of RSA decrypt are affected since the code under review is outside of the padding processing. Information about the private keys is NOT compromised in affected code. It is recommended to disable static RSA cipher suites and to update the version of wolfSSL used if using RSA private decryption alone outside of TLS. Thanks to Hubert Kario for the report. The fix for this issue is located in the following GitHub Pull Request: #6955.

  • [Low] CVE-2023-6936: A potential heap overflow read is possible in servers connecting over TLS 1.3 when the optional WOLFSSL_CALLBACKS has been defined. The out of bounds read can occur when a server receives a malicious malformed ClientHello. Users should either discontinue use of WOLFSSL_CALLBACKS on the server side or update to wolfSSL 5.6.6. Thanks to the tlspuffin fuzzer team for the report; tlspuffin was designed and developed by Lucca Hirschi (Inria, LORIA), Steve Kremer (Inria, LORIA), and Max Ammann (Trail of Bits). The fix for this issue is located in the following GitHub Pull Request: #6949.

  • [Low] A side channel vulnerability with AES T-Tables is possible in a very controlled environment where precision sub-cache-line inspection can happen, such as inside an Intel SGX enclave. This can lead to recovery of the AES key. To prevent this type of attack, wolfSSL added an AES bitsliced implementation which can be enabled with the “--enable-aes-bitsliced” configure option. Thanks to Florian Sieck, Zhiyuan Zhang, Sebastian Berndt, Chitchanok Chuengsatiansup, Thomas Eisenbarth, and Yuval Yarom for the report (Universities of Lübeck, Melbourne, Adelaide and Bochum). The fix for this issue is located in the following GitHub Pull Request: #6854.

  • [Low] CVE-2023-6937: wolfSSL prior to 5.6.6 did not check that the messages in a single (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages protected under different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello, yet a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation or authentication, so it is assigned a low severity rating. Thanks to Johannes Wilson for the report (Sectra Communications and Linköping University). The fix for this issue is located in the following GitHub Pull Request: #7029.
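As an added illustration (not wolfSSL code), the following toy model shows the record-layer rule the fix above enforces, as stated in RFC 8446 section 5.1: a handshake message that triggers a key change must be the last message in its record, and the next record must be protected under the new key. The record and message names, epoch numbering and sample flights are constructed for the example, and the model ignores HelloRetryRequest, 0-RTT and the client side.

```python
# Added example, not wolfSSL code: a simplified model of the (D)TLS 1.3 rule
# that handshake messages in one record must not span a key change.
from dataclasses import dataclass, field

# Server-to-client messages after which the record protection keys change:
# ServerHello -> handshake keys, server Finished -> application keys.
KEY_CHANGE_MESSAGES = {"ServerHello", "Finished"}


@dataclass
class Record:
    epoch: int  # constructed: 0 = plaintext, 1 = handshake keys, 2 = app keys
    messages: list = field(default_factory=list)  # handshake message names


def check_key_boundaries(records):
    """Return (ok, reason). Rejects a flight in which a record carries
    messages belonging to two key epochs, or in which the epoch does not
    advance in the record after a key-changing message."""
    expected_epoch = 0
    for i, rec in enumerate(records):
        if rec.epoch != expected_epoch:
            return False, f"record {i}: epoch {rec.epoch}, expected {expected_epoch}"
        for j, msg in enumerate(rec.messages):
            if msg in KEY_CHANGE_MESSAGES:
                if j != len(rec.messages) - 1:
                    # Messages after a key change packed into the same record:
                    # the pattern described for CVE-2023-6937.
                    return False, f"record {i}: {msg} followed by {rec.messages[j + 1]}"
                expected_epoch += 1
    return True, "ok"


# Constructed sample flights (server's first flight as seen by a client).
GOOD_FLIGHT = [
    Record(0, ["ServerHello"]),
    Record(1, ["EncryptedExtensions", "Certificate", "CertificateVerify", "Finished"]),
]
# Whole first flight sent in one plaintext record behind the ServerHello.
BAD_FLIGHT = [
    Record(0, ["ServerHello", "EncryptedExtensions", "Certificate", "CertificateVerify", "Finished"]),
]
# ServerHello alone, but the following record is still plaintext.
BAD_EPOCH = [Record(0, ["ServerHello"]), Record(0, ["EncryptedExtensions"])]

if __name__ == "__main__":
    for name, flight in [("good", GOOD_FLIGHT), ("bad", BAD_FLIGHT), ("bad_epoch", BAD_EPOCH)]:
        print(name, check_key_boundaries(flight))
```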

New Feature Additions

  • Build option for disabling CRL date checks (WOLFSSL_NO_CRL_DATE_CHECK) (PR 6927)
  • Support for STM32WL55 and improvements to PKA ECC support (PR 6937)
  • Add option to skip cookie exchange on DTLS 1.3 session resumption (PR 6929)
  • Add implementation of SRTP KDF and SRTCP KDF (--enable-srtp-kdf) (PR 6888)
  • Add wolfSSL_EXTENDED_KEY_USAGE_free() (PR 6916)
  • Add AES bitsliced implementation that is cache attack safe (--enable-aes-bitsliced) (PR 6854)
  • Add memcached support and automated testing (PR 6430, 7022)
  • Add Hardware Encryption Acceleration for ESP32-C3, ESP32-C6, and ESP32-S2 (PR 6990)
  • Add (D)TLS 1.3 support for 0.5-RTT data (PR 7010)

Enhancements and Optimizations

  • Better built in testing of “--sys-ca-certs” configure option (PR 6910)
  • Updated CMakeLists.txt for Espressif wolfSSL component usage (PR 6877)
  • Disable TLS 1.1 by default (unless SSL 3.0 or TLS 1.0 is enabled) (PR 6946)
  • Add “--enable-quic” to “--enable-all” configure option (PR 6957)
  • Add support to SP C implementation for RSA exponents up to 64 bits (PR 6959)
  • Add result of “HAVE___UINT128_T” to options.h for CMake builds (PR 6965)
  • Add optimized assembly for AES-GCM on ARM64 using hardware crypto instructions (PR 6967)
  • Add built-in cipher suite tests for DTLS 1.3 PQC (PR 6952)
  • Add wolfCrypt test and unit test to ctest (PR 6977)
  • Move OpenSSL compatibility crypto APIs into ssl_crypto.c file (PR 6935)
  • Validate time generated from XGMTIME() (PR 6958)
  • Allow wolfCrypt benchmark to run with microsecond accuracy (PR 6868)
  • Add GitHub Actions testing with nginx 1.24.0 (PR 6982)
  • Allow encoding of CA:FALSE BasicConstraint during cert generation (PR 6953)
  • Add CMake option to enable DTLS-SRTP (PR 6991)
  • Add CMake options for enabling QUIC and cURL (PR 7049)
  • Improve RSA blinding to make code more constant time (PR 6955)
  • Refactor AES-NI implementation macros to allow dynamic fallback to C (PR 6981)
  • Default to native Windows threading API on MinGW (PR 7015)
  • Return better error codes from OCSP response check (PR 7028)
  • Updated Espressif ESP32 TLS client and server examples (PR 6844)
  • Add/clean up support for ESP-IDF v5.1 for a variety of ESP32 chips (PR 7035, 7037)
  • Add API to choose dynamic certs based on client ciphers/sigalgs (PR 6963)
  • Improve Arduino IDE 1.5 project file to match recursive style (PR 7007)
  • Simplify and improve apple-universal build script (PR 7025)

Fixes

  • Fix for async edge case with Intel QuickAssist/Cavium Nitrox (PR 6931)
  • Fix for building PKCS#7 with RSA disabled (PR 6902)
  • Fix for advancing output pointer in wolfSSL_i2d_X509() (PR 6891)
  • Fix for EVP_EncodeBlock() appending a newline (PR 6900)
  • Fix for wolfSSL_RSA_verify_PKCS1_PSS() with RSA_PSS_SALTLEN_AUTO (PR 6938)
  • Fixes for CodeSonar reports around isalpha() and isalnum() calls (PR 6810)
  • Fix for SP ARM64 integer math to avoid compiler optimization issues (PR 6942)
  • Fix for SP Thumb2 inline assembly to add IAR build support (PR 6943, 6971)
  • Fix for SP Thumb2 to make functions not inlined (PR 6993)
  • Fix for SP Cortex-M assembly large build with IAR (PR 6954)
  • Fix for SP ARM64 assembly Montgomery reduction by 4 (PR 6947)
  • Fix for SP ARM64 P-256 for not inlining functions for iOS compatibility (PR 6979)
  • Fix for WOLFSSL_CALLBACKS and potential memory error (PR 6949)
  • Fixes for wolfSSL’s Zephyr OS port (PR 6930)
  • Fix for build errors when building for NXP mmCAU (FREESCALE_MMCAU) (PR 6970)
  • Fix for TLS 1.3 SendBuffered() return code in non-blocking mode (PR 7001)
  • Fix for TLS Hmac_UpdateFinal() when padding byte is invalid (PR 6998)
  • Fix for ARMv8 AES-GCM streaming to check size of IV before storing (PR 6996)
  • Add missing calls to wc_AesInit() before wc_AesSetKey() (PR 7011)
  • Fix build errors with DTLS 1.3 enabled but TLS 1.2 disabled (PR 6976)
  • Fixes for building wolfSSL in Visual Studio (PR 7040)

wolfSSL Release 5.6.4 (October 30, 2023)

30 Oct 19:20
37884f8


NOTE:

  • --enable-heapmath is being deprecated and will be removed by 2024
  • The old CyaSSL/CtaoCrypt shim layer was removed in this release (5.6.4)

Vulnerabilities

  • [Medium] A fix was added, still under review for completeness, for a Bleichenbacher-style attack, which can lead to decryption of a saved TLS connection and potentially a forged signature after probing with a large number of trial connections. This issue is around RSA decryption and affects static RSA cipher suites on the server side, which are not recommended and are off by default. Static RSA cipher suites were also removed from the TLS 1.3 protocol and are only present in TLS 1.2 and lower. All padding versions of RSA decrypt are affected since the code under review is outside of the padding processing. Information about the private keys is NOT compromised in affected code. It is recommended to disable static RSA cipher suites and to update the version of wolfSSL used if using RSA private decryption alone outside of TLS. The fix is located in GitHub Pull Request #6896.

New Feature Additions

  • DTLS 1.3 PQC: support fragmenting the second ClientHello message. This allows arbitrarily long keys to be used, opening up support for all PQC ciphersuites in DTLS 1.3.
  • SM2/SM3/SM4: Chinese cipher support including TLS 1.3 and 1.2 cipher suites. SM2 SP implementation available.
  • Ability to parse ASN1 only with SMIME_read_PKCS7
  • Added support for MemUse Entropy on Windows
  • Added Ada Bindings for wolfSSL
  • Added a PEM example that converts to and from DER/PEM.
  • Added LMS/HSS and XMSS/XMSS^MT wolfcrypt hooks, both normal and verify-only options.
  • Added support for the AES EAX mode of operation
  • Port for use with Hitch (https://github.com/varnish/hitch) added
  • Add XTS APIs to handle multiple sectors in the new port to VeraCrypt

Enhancements and Optimizations

  • Turned on SNI by default on hosts with resources
  • Improved support for Silicon Labs Simplicity Studio and the EFR32 Gecko SDK
  • Thumb-2 and ARM32 Curve25519 and Ed25519 assembly have significantly improved performance.
  • Thumb-2 AES assembly code added.
  • Thumb-2 and ARM32 SP implementations of RSA, DH and ECC have significantly improved performance.
  • Minor performance improvements to SP ECC for Intel x64.
  • AES-XTS assembly code added for Intel x64, Aarch64 and ARM32.
  • Added support for X963 KDFs to ECIES.
  • Added 32-bit type only implementation of AES GMULT using tables.
  • Add support for nginx version 1.25.0
  • Add support for Kerberos version 5 1.21.1
  • Check all CRL entries in case a single issuer has multiple CRLs loaded
  • CRL verification now covers the entire chain, including loaded CAs
  • Added example for building wolfSSL as an Apple universal binary framework using configure
  • Sniffer tool now supports decrypting TLS sessions using secrets obtained from an SSLKEYLOGFILE
  • Updates made for EBSNET port
  • Update "--enable-jni" to include additional defines for expanded JNI support. Also includes JCE and JSSE builds under the single enable option now.

Fixes

  • Fixed error handling when decrypted pre-master secret is too long when using static RSA.
  • Added a fix for keymod use with i.MX RT1170 CAAM blobs
  • Added a fix for AES-GCM use with Petalinux Xilinx
  • Fixed wc_SignatureGenerate_ex to not call verify twice
  • Fixed wolfCrypt FIPS DLL on Win32
  • Fixed TFM math library big-endian reading implementation when a zero length buffer is passed in.
  • Fixed NO_CERT configurations to build correctly.
  • Fixed ARM AES-GCM streaming assembly when --enable-opensslextra is defined.
  • Added modulus checks to heap math implementation of mp_exptmod().
  • Fixed Windows assembly code to handle that certain XMM registers are non-volatile.
  • Fixed the register list of the Aarch64 SP ECC assembly in sp_256_mont_dbl_4 to include all registers the code uses.
  • Fixed mp_sqrt_mod_prime to limit the number of loop iterations, so that malicious non-prime values passed in are handled safely.
  • Ignore session IDs shorter than 32 bytes instead of erroring out

wolfSSL Release 5.6.3 (June 20, 2023)

21 Jun 01:04
v5.6.3-stable
3b3c175


Release 5.6.3 of wolfSSL embedded TLS has 4 bug fixes:

  • Fix for setting the atomic macro options introduced in release 5.6.2. This issue affects GNU gcc autoconf builds. The fix resolves a potential mismatch of the generated macros defined in options.h file and the macros used when the wolfSSL library is compiled. In version 5.6.2 this mismatch could result in unstable runtime behavior.
  • Fix for invalid suffix error with Windows build using the macro GCM_TABLE_4BIT.
  • Improvements to Encrypted Memory support (WC_PROTECT_ENCRYPTED_MEM) implementations for modular exponentiation in SP math-all (sp_int.c) and TFM (tfm.c).
  • Improvements to SendAlert when obtaining the output buffer.