Release notes from Arduino-wolfSSL

v5.8.4

2025-12-04T16:23:57Z

To download the release bundle of wolfSSL visit the download page at www.wolfssl.com/download/

wolfSSL Release 5.8.4 (November 20, 2025)

PR stands for Pull Request, and PR references a GitHub pull request number where the code change was added.

Vulnerabilities

[Low CVE-2025-12888] Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa. Thanks to Adrian Cinal for the report. Fixed in PR 9275.
[Med. CVE-2025-11936] Potential DoS vulnerability due to a memory leak through multiple KeyShareEntry with the same group in malicious TLS 1.3 ClientHello messages. This affects users who are running wolfSSL on the server side with TLS 1.3. Thanks to Jaehun Lee and Kyungmin Bae, Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9117.
[Low CVE-2025-11935] PSK with PFS (Perfect Forward Secrecy) downgrades to PSK without PFS during TLS 1.3 handshake. If the client sends a ClientHello that has a key share extension and the server responds with a ServerHello that does not have a key share extension the connection would previously continue on without using PFS. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9112.
[Low CVE-2025-11934] Signature Algorithm downgrade from ECDSA P521 to P256 during TLS 1.3 handshake. When a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9113.
[Low CVE-2025-11933] DoS Vulnerability in wolfSSL TLS 1.3 CKS extension parsing. Previously duplicate CKS extensions were not rejected leading to a potential memory leak when processing a ClientHello. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9132.
[Low CVE-2025-11931] Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application. Thanks to Luigino Camastra from Aisle Research for the report. Fixed in PR 9223.
[Low CVE-2025-11932] Timing Side-Channel in PSK Binder Verification. The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder. Thanks to Luigino Camastra from Aisle Research for the report. Fixed in PR 9223.
[Low CVE-2025-12889] With TLS 1.2 connections a client can use any digest, specifically a weaker digest, rather than those in the CertificateRequest. Thanks to Jaehun Lee from Pohang University of Science and Technology (POSTECH) for the report. Fixed in PR 9395

New Features

New ML-KEM / ML-DSA APIs and seed/import PKCS8 support; added _new/_delete APIs for ML-KEM/ML-DSA. (PR 9039, 9000, 9049)
Initial wolfCrypt FreeBSD kernel module support (PR 9392)
Expanded PKCS7/CMS capabilities: decode SymmetricKeyPackage / OneSymmetricKey, add wc_PKCS7_GetEnvelopedDataKariRid, and allow PKCS7 builds with AES keywrap unset. (PR 9018, 9029, 9032)
Add custom AES key wrap/unwrap callbacks and crypto callback copy/free operations. (PR 9002, 9309)
Add support for certificate_authorities extension in ClientHello and certificate manager CA-type selection/unloading. (PR 9209, 9046)
Large expansion of Rust wrapper modules: random, aes, rsa, ecc, dh, sha, hmac, cmac, ed25519/ed448, pbkdf2/PKCS#12, kdf/prf, SRTP KDFs, and conditional compilation options. (PR 9191, 9212, 9273, 9306, 9320, 9328, 9368, 9389, 9357, 9433)
Rust: support optional heap and dev_id parameters and enable conditional compilation based on C build options. (PR 9407, 9433)
STM32 fixes (benchmarking and platform fixes) and PSoC6 hardware acceleration additions. (PR 9228, 9256, 9185)
STM32U5 added support for SAES and DHUK. (PR 9087)
Add --enable-curl=tiny option for a smaller build when used with cURL. (PR 9174)

Improvements / Optimizations

Regression test fixes and expansion: TLS 1.3/1.2 tests, ARDUINO examples, libssh2 tests, hostap workflows, and nightly test improvements. (PR 9096, 9141, 9091, 9122, 9388)
Improved test ordering and CI test stability (random tests run order changes, FIPS test fixes). (PR 9204, 9257)
Docs and readme fixes, docstring updates, AsconAEAD comment placement, and example certificate renewals. (PR 9131, 9293, 9262, 9429)
Updated GPL exception lists (GPLv2 and GPLv3 exception updates: add Fetchmail and OpenVPN). (PR 9398, 9413)
Introduced WOLFSSL_DEBUG_CERTS and additional debug/logging refinements. (PR 8902, 9055)
Expanded crypto-callback support (SHA family, HKDF, SHA-224, sha512_family digest selection) and improved crypto-only build cases. (PR 9070, 9252, 9271, 9100, 9194)
AES & HW offload improvements including AES-CTR support in PKCS11 driver and AES ECB offload sizing fix. (PR 9277, 9364)
ESP32: PSRAM allocator support and SHA HW fixes for ESP-IDF v6/v5. (PR 8987, 9225, 9264)
Renesas FSP / RA examples updated and security-module TLS context improvements. (PR 9047, 9010, 9158, 9150)
Broad configure/CMake/Autotools workflow improvements (Apple options tracking, Watcom pinning, Debian packaging, ESP-IDF pinning). (PR 9037, 9167, 9161, 9264)
New assembly introspection / performance helpers for RISC-V and PPC32; benchmarking enhancements (cycle counts). (PR 9101, 9317)
Update to SGX build for using assembly optimizations. (PR 8463, 9138)
Testing with Fil-C compiler version to 0.674 (PR 9396)
Refactors and compressing of small stack code (PR 9153)

Bug Fixes

Removed the test feature using popen when defining the macro WOLFSSL_USE_POPEN_HOST and not having HAVE_GETADDRINFO defined, along with having the macro HAVE_HTTP_CLIENT set. There was the potential for vulnerable behavior with the use of popen when the API wolfSSL_BIO_new_connect() was called with this specific build. This exact build configuration is only intended for testing with QEMU and is not enabled with any autoconf/cmake flags. Thanks to linraymond2006 for the report. (PR 9038)
Fix for C# wrapper Ed25519 potential crash and heap overwrite with raw public key import when using the API Ed25519ImportPublic.This was a broken API with the C# wrapper that would crash on use. Thanks to Luigino Camastra from Aisle Research for the bug report. (PR 9291)
Coverity, cppcheck, MISRA, clang-tidy, ZeroPath and other static-analysis driven fixes across the codebase. (PR 9006, 9078, 9068, 9265, 9324)
TLS 1.2/DTLS improvements: client message order checks, DTLS cookie/exchange and replay protections, better DTLS early-data handling. (PR 9387, 9253, 9205, 9367)
Improved X.509 & cert handling: allow larger pathLen in Basic Constraints, restore inner server name for ECH, retrying cert candidate chains. (PR 8890, 9234, 8692)
Sniffer robustness: fix infinite recursion, better handling of OOO appData and partial overlaps, and improved retransmission detection. (PR 9051, 9106, 9140, 9094)
Numerous linuxkm (kernel-mode) fixes, relocation/PIE normalization, and FIPS-related build tweaks across many iterations. (PR 9025, 9035, 9067, 9111, 9121)
ML-KEM/Kyber and ML-DSA fixes for out-of-bounds and seed-import correctness; multiple ML-related safety fixes. (PR 9142, 9105, 9439)
Avoid uninitialized-variable and GCC warnings; several fixes for undefined-shift/overflow issues. (PR 9020, 9372, 9195)
Memory & leak fixes in X509 verification and various struct sizing fixes for WOLFSSL_NO_MALLOC usage. (PR 9258, 9036)
Fixed RSA / signing / verify-only warnings allowing WOLFSSL_NO_CT_OPS when WOLFSSL_RSA_VERIFY_ONLY is used and API cleanups for using const. (PR 9031, 9263)

v5.8.2

2025-07-22T17:30:32Z

wolfSSL Release 5.8.2 (July 17, 2025)

To download the release bundle of wolfSSL visit the download page at www.wolfssl.com/download/

NOTE: * wolfSSL is now GPLv3 instead of GPLv2
* --enable-heapmath is deprecated
* MD5 is now disabled by default

PR stands for Pull Request, and PR references a GitHub pull request number where the code change was added.

Vulnerabilities

[Low] There is the potential for a fault injection attack on ECC and Ed25519 verify operations. In versions of wolfSSL 5.7.6 and later the --enable-faultharden option is available to help mitigate against potential fault injection attacks. The mitigation added in wolfSSL version 5.7.6 is to help harden applications relying on the results of the verify operations, such as when used with wolfBoot. If doing ECC or Ed25519 verify operations on a device at risk for fault injection attacks then --enable-faultharden could be used to help mitigate it. Thanks to Kevin from Fraunhofer AISEC for the report.

Hardening option added in PR wolfSSL/wolfssl#8289

[High CVE-2025-7395] When using WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION on an Apple platform, the native trust store verification routine overrides errors produced elsewhere in the wolfSSL certificate verification process including failures due to hostname matching/SNI, OCSP, CRL, etc. This allows any trusted cert chain to override other errors detected during chain verification that should have resulted in termination of the TLS connection. If building wolfSSL on versions after 5.7.6 and before 5.8.2 with use of the system CA support and the apple native cert validation feature enabled on Apple devices (on by default for non-macOS Apple targets when using autotools or CMake) we recommend updating to the latest version of wolfSSL. Thanks to Thomas Leong from ExpressVPN for the report.

Fixed in PR wolfSSL/wolfssl#8833

[Med. CVE-2025-7394] In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report.

Fixed in the following PR’s
wolfSSL/wolfssl#8849
wolfSSL/wolfssl#8867
wolfSSL/wolfssl#8898

[Low CVE-2025-7396] In wolfSSL 5.8.0 the option of hardening the C implementation of Curve25519 private key operations was added with the addition of blinding support (https://www.wolfssl.com/curve25519-blinding-support-added-in-wolfssl-5-8-0/). In wolfSSL release 5.8.2 that blinding support is turned on by default in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available with; ARM assembly builds, Intel assembly builds, and the small Curve25519 feature. While the attack would be very difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation. Thanks to Arnaud Varillon, Laurent Sauvage, and Allan Delautre from Telecom Paris for the report.

Blinding enabled by default in PR wolfSSL/wolfssl#8736

New Features

Multiple sessions are now supported in the sniffer due to the removal of a cached check. (PR #8723)
New API ssl_RemoveSession() has been implemented for sniffer cleanup operations. (PR #8768)
The new ASN X509 API, wc_GetSubjectPubKeyInfoDerFromCert, has been introduced for retrieving public key information from certificates. (PR #8758)
wc_PKCS12_create() has been enhanced to support PBE_AES(256|128)_CBC key and certificate encryptions. (PR #8782, PR #8822, PR #8859)
wc_PKCS7_DecodeEncryptedKeyPackage() has been added for decoding encrypted key packages. (PR #8976)
All AES, SHA, and HMAC functionality has been implemented within the Linux Kernel Module. (PR #8998)
Additions to the compatibility layer have been introduced for X.509 extensions and RSA PSS. Adding the API i2d_PrivateKey_bio, BN_ucmp and X509v3_get_ext_by_NID. (PR #8897)
Added support for STM32N6. (PR #8914)
Implemented SHA-256 for PPC 32 assembly. (PR #8894)

Improvements / Optimizations

Linux Kernel Module (LinuxKM) Enhancements

Registered DH and FFDHE for the Linux Kernel Module. (PR #8707)
Implemented fixes for standard RNG in the Linux Kernel Module. (PR #8718)
Added an ECDSA workaround for the Linux Kernel Module. (PR #8727)
Added more PKCS1 pad SHA variants for RSA in the Linux Kernel Module. (PR #8730)
Set default priority to 100000 for LKCAPI in the Linux Kernel Module. (PR #8740)
Ensured ECDH never has FIPS enabled in the Linux Kernel Module. (PR #8751)
Implemented further Linux Kernel Module and SP tweaks. (PR #8773)
Added sig_alg support for Linux 6.13 RSA in the Linux Kernel Module. (PR #8796)
Optimized wc_linuxkm_fpu_state_assoc. (PR #8828)
Ensured DRBG is multithread-round-1 in the Linux Kernel Module. (PR #8840)
Prevented toggling of fips_enabled in the Linux Kernel Module. (PR #8873)
Refactored drbg_ctx clear in the Linux Kernel Module. (PR #8876)
Set sig_alg max_size and digest_size callbacks for RSA in the Linux Kernel Module. (PR #8915)
Added get_random_bytes for the Linux Kernel Module. (PR #8943)
Implemented distro fix for the Linux Kernel Module. (PR #8994)
Fixed page-flags-h in the Linux Kernel Module. (PR #9001)
Added MODULE_LICENSE for the Linux Kernel Module. (PR #9005)
Post-Quantum Cryptography (PQC) & Asymmetric Algorithms
Kyber has been updated to the MLKEM ARM file for Zephyr (PR #8781)
Backward compatibility has been implemented for ML_KEM IDs (PR #8827)
ASN.1 is now ensured to be enabled when only building PQ algorithms (PR #8884)
Building LMS with verify-only has been fixed (PR #8913)
Parameters for LMS SHA-256_192 have been corrected (PR #8912)
State can now be saved with the private key for LMS (PR #8836)
Support for OpenSSL format has been added for ML-DSA/Dilithium (PR #8947)
dilithium_coeff_eta2[] has been explicitly declared as signed (PR #8955)

Build System & Portability

Prepared for the inclusion of v5.8.0 in the Ada Alire index. (PR #8714)
Introduced a new build option to allow reuse of the Windows crypt provider handle. (PR #8706)
Introduced general fixes for various build configurations. (PR #8763)
Made improvements for portability using older GCC 4.8.2. (PR #8753)
Macro guards updated to allow tests to build with opensslall and no server. (PR #8776)
Added a check for STDC_NO_ATOMICS macro before use of atomics. (PR #8885)
Introduced CMakePresets.json and CMakeSettings.json. (PR #8905)
Added an option to not use constant time code with min/max. (PR #8830)
Implemented proper MacOS dispatch for conditional signal/wait. (PR #8928)
Disabled MD5 by default for both general and CMake builds. (PR #8895, PR #8948)
Improved to allow building OPENSSL_EXTRA without KEEP_PEER_CERT. (PR #8926)
Added introspection for Intel and ARM assembly speedups. (PR #8954)
Fixed cURL config to set HAVE_EX_DATA and HAVE_ALPN. (PR #8973)
Moved FREESCALE forced algorithm HAVE_ECC to IDE/MQX/user_settings.h. (PR #8977)

Testing & Debugging

Fixed the exit status for testwolfcrypt. (PR #8762)
Added WOLFSSL_DEBUG_PRINTF and WOLFSSL_DEBUG_CERTIFICATE_LOADS for improved debugging output. (PR #8769, PR #8770)
Guarded some benchmark tests with NO_SW_BENCH. (PR #8760)
Added an additional unit test for wolfcrypt PKCS12 file to improve code coverage. (PR #8831)
Added an additional unit test for increased DH code coverage. (PR #8837)
Adjusted for warnings with NO_TLS build and added GitHub actions test. (PR #8851)
Added additional compatibility layer RAND tests. (PR #8852)
Added an API unit test for checking domain name. (PR #8863)
Added bind v9.18.33 testing. (PR #8888)
Fixed issue with benchmark help options and descriptions not lining up. (PR #8957)

Certificates & ASN.1

Changed the algorithm for sum in ASN.1 OIDs. (PR #8655)
Updated PKCS7 to use X509 STORE for internal verification. (PR #8748)
Improved handling of temporary buffer size for X509 extension printing. (PR #8710)
Marked IP address as WOLFSSL_V_ASN1_OCTET_STRING for ALT_NAMES_OID. (PR #8842)
Fixed printing empty names in certificates. (PR #8880)
Allowed CA:FALSE on wolftpm. (PR #8925)
Fixed several inconsistent function prototype parameter names in wc/asn. (PR #8949)
Accounted for custom extensions when creating a Cert from a WOLFSSL_X509. (PR #8960)

TLS/DTLS & Handshake

Checked group correctness outside of TLS 1.3 too for TLSX_UseSupportedCurve. (PR #8785)
Dropped records that span datagrams in DTLS. (PR #8642)
Implemented WC_NID_netscape_cert_type. (PR #8800)
Refactored GetHandshakeHeader/GetHandShakeHeader into one function. (PR #8787)
Correctly set the current peer in dtlsProcessPendingPeer. (PR #8848)
Fixed set_groups for TLS. (PR #8824)
Allowed trusted_ca_keys with TLSv1.3. (PR #8860)
Moved Dtls13NewEpoch into DeriveTls13Keys. (PR #8858)
Cleared tls1_3 on downgrade. (PR #8861)
Always sent ACKs on detected retransmission for DTLS1.3. (PR #8882)
Removed DTLS from echo examples. (PR #8889)
Recalculated suites at SSL initialization. (PR #8757)
No longer using BIO for ALPN. (PR #8969)
Fixed wolfSSL_BIO_new_connect's handling of IPV6 addresses. (PR #8815)
Memory Management & Optimizations
Performed small stack refactors, improved stack size with mlkem and dilithium, and added additional tests. (PR #8779)
Implemented FREE_MP_INT_SIZE in heap math. (PR #8881)
Detected correct MAX_ENCODED_SIG_SZ based on max support in math lib. (PR #8931)
Fixed improper access of sp_int_minimal using sp_int. (PR #8985)

Cryptography & Hash Functions

Implemented WC_SIPHASH_NO_ASM for not using assembly optimizations with siphash. (PR #8789, PR #8791)
Added missing DH_MAX_SIZE define for FIPS and corrected wolfssl.rc FILETYPE to VFT_DLL. (PR #8794)
Implemented WC_SHA3_NO_ASM for not using assembly with SHA3. (PR #8817)
Improved Aarch64 XFENCE. (PR #8832)
Omitted frame pointer for ARM32/Thumb2/RISC-V 64 assembly. (PR #8893)
Fixed branch instruction in ARMv7a ASM. (PR #8933)
Enabled EVP HMAC to work with WOLFSSL_HMAC_COPY_HASH. (PR #8944)
Platform-Specific & Hardware Integration
Added HAVE_HKDF for wolfssl_test and explicit support for ESP32P4. (PR #8742)
Corrected Espressif default time setting. (PR #8829)
Made wc_tsip_* APIs public. (PR #8717)
Improved PlatformIO Certificate Bundle Support. (PR #8847)
Fixed the TSIP TLS example program. (PR #8857)
Added crypto callback functions for TROPIC01 secure element. (PR #8812)
Added Renesas RX TSIP AES CTR support. (PR #8854)
Fixed TSIP port using crypto callback. (PR #8937)

General Improvements & Refactoring

Attempted wolfssl_read_bio_file in read_bio even when XFSEEK is available. (PR #8703)
Refactored GetHandshakeHeader/GetHandShakeHeader into one function. (PR #8787)
Updated libspdm from 3.3.0 to 3.7.0. (PR #8906)
Fixed missing dashes on the end of header and footer for Falcon PEM key. (PR #8904)
Fixed minor code typos for macos signal and types.h max block size. (PR #8934)
Make the API wolfSSL_X509_STORE_CTX_get_error accessible to more build configurations for ease of getting the "store" error code and depth with certificate failure callback implementations. (PR #8903)

Bug Fixes

Fixed issues to support _WIN32_WCE (VS 2008 with WinCE 6.0/7.0). (PR #8709)
Fixed STM32 Hash with IRQ enabled. (PR #8705)
Fixed raw hash when using crypto instructions on RISC-V 64-bit. (PR #8733)
Fixed ECDH decode secret in the Linux Kernel Module. (PR #8729)
Passed in the correct hash type to wolfSSL_RSA_verify_ex. (PR #8726)
Fixed issues for Intel QuickAssist latest driver (4.28). (PR #8728)
Speculative fix for CodeSonar overflow issue in ssl_certman.c. (PR #8715)
Fixed Arduino progmem print and AVR WOLFSSL_USER_IO. (PR #8668)
Correctly advanced the index in wc_HKDF_Expand_ex. (PR #8737)
Fixed STM32 hash status check logic, including NO_AES_192 and NO_AES_256. (PR #8732)
Added missing call to wolfSSL_RefFree in FreeCRL to prevent memory leaks. (PR #8750)
Fixed sanity check on --group with unit test app and null sanity check with des decrypt. (PR #8711)
Fixed Curve25519 and static ephemeral issue with blinding. (PR #8766)
Fixed edge case issue with STM32 AES GCM auth padding. (PR #8745)
Removed redefinition of MlKemKey and fixed build issue in benchmark. (PR #8755)
Used proper heap hint when freeing CRL in error case. (PR #8713)
Added support for no malloc with wc_CheckCertSigPubKey. (PR #8725)
Fixed C# wrapper Release build. (PR #8802)
Handled malformed CCS and CCS before CH in TLS1.3. (PR #8788)
Fixed ML-DSA with WOLFSSL_DILITHIUM_NO_SIGN. (PR #8798)
Fixed AesGcmCrypt_1 no-stream in the Linux Kernel Module. (PR #8814)
Fixed return value usage for crypto_sig_sign in the Linux Kernel Module. (PR #8816)
Fixed issue with CSharp and Windows CE with conversion of ASCII and Unicode. (PR #8799)
Fixed Renesas SCE on RA6M4. (PR #8838)
Fixed tests for different configs for ML-DSA. (PR #8865)
Fixed bug in ParseCRL_Extensions around the size of a CRL number handled and CRL number OID. (PR #8587)
Fixed uninitialized wc_FreeRng in prime_test. (PR #8886)
Fixed ECC configuration issues with ECC verify only and no RNG. (PR #8901)
Fixed issues with max size, openssl.test netcat, and clang-tidy. (PR #8909)
Fixed for casting down and uninit issues in Dilithium/ML-DSA. (PR #8868)
Fixed memory allocation failure testing and related unit test cases. (PR #8945, PR #8952)
Fixed build issue with ML-DSA 44 only. (PR #8981)
Fixed possible memory leak with X509 reference counter when using x509small. (PR #8982)

v5.8.0

2025-05-19T14:56:50Z

See: wolfSSL 5.8.0 Release for Arduino #15 and Post Release Arduino 5.8.0 post release #16 from wolfSSL Release 5.8.0 (Apr 24, 2025).

Text from wolfSSL 5.8.0 Release:

NOTE: * --enable-heapmath is deprecated

PR stands for Pull Request, and PR references a GitHub pull request
number where the code change was added.

New Feature Additions

Algorithm registration in the Linux kernel module for all supported FIPS AES,
SHA, HMAC, ECDSA, ECDH, and RSA modes, key sizes, and digest sizes.
Implemented various fixes to support building for Open Watcom including OS/2
support and Open Watcom 1.9 compatibility (PR 8505, 8484)
Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488)
Added support for STM32WBA (PR 8550)
Added Extended Master Secret Generation Callback to the --enable-pkcallbacks
build (PR 8303)
Implement AES-CTS (configure flag --enable-aescts) in wolfCrypt (PR 8594)
Added support for libimobiledevice commit 860ffb (PR 8373)
Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD
(PR 8307)
Added blinding option when using a Curve25519 private key by defining the
macro WOLFSSL_CURVE25519_BLINDING (PR 8392)

Linux Kernel Module

Production-ready LKCAPI registration for cbc(aes), cfb(aes), gcm(aes),
rfc4106 (gcm(aes)), ctr(aes), ofb(aes), and ecb(aes), ECDSA with P192, P256,
P384, and P521 curves, ECDH with P192, P256, and P384 curves, and RSA with
bare and PKCS1 padding
Various fixes for LKCAPI wrapper for AES-CBC and AES-CFB (PR 8534, 8552)
Adds support for the legacy one-shot AES-GCM back end (PR 8614, 8567) for
compatibility with FIPS 140-3 Cert #4718.
On kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override
macro (PR 8654)
Update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit
7450ebd29c (merged for Linux 6.15) (PR 8667)
Inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (PR 8673)
Fix for uninitialized build error with fedora (PR 8569)
Register ecdsa, ecdh, and rsa for use with linux kernel crypto (PR 8637, 8663,

Added force zero shared secret buffer, and clear of old key with ecdh
(PR 8685)
Update fips-check.sh script to pickup XTS streaming support on aarch64 and
disable XTS-384 as an allowed use in FIPS mode (PR 8509, 8546)

Enhancements and Optimizations

Security & Cryptography

Add constant-time implementation improvements for encoding functions. We thank
Zhiyuan and Gilles for sharing a new constant-time analysis tool (CT-LLVM) and
reporting several non-constant-time implementations. (PR 8396, 8617)
Additional support for PKCS7 verify and decode with indefinite lengths
(PR 8520, 834, 8645)
Add more PQC hybrid key exchange algorithms such as support for combinations
with X25519 and X448 enabling compatibility with the PQC key exchange support
in Chromium browsers and Mozilla Firefox (PR 7821)
Add short-circuit comparisons to DH key validation for RFC 7919 parameters
(PR 8335)
Improve FIPS compatibility with various build configurations for more resource
constrained builds (PR 8370)
Added option to disable ECC public key order checking (PR 8581)
Allow critical alt and basic constraints extensions (PR 8542)
New codepoint for MLDSA to help with interoperability (PR 8393)
Add support for parsing trusted PEM certs having the header
“BEGIN_TRUSTED_CERT” (PR 8400)
Add support for parsing only of DoD certificate policy and Comodo Ltd PKI OIDs
(PR 8599, 8686)
Update ssl code in src/*.c to be consistent with wolfcrypt/src/asn.c
handling of ML_DSA vs Dilithium and add dual alg. test (PR 8360, 8425)

Build System, Configuration, CI & Protocols

Internal refactor for include of config.h and when building with
BUILDING_WOLFSSL macro. This refactor will give a warning of “deprecated
function” when trying to improperly use an internal API of wolfSSL in an
external application. (PR 8640, 8647, 8660, 8662, 8664)
Add WOLFSSL_CLU option to CMakeLists.txt (PR 8548)
Add CMake and Zephyr support for XMSS and LMS (PR 8494)
Added GitHub CI for CMake builds (PR 8439)
Added necessary macros when building wolfTPM Zephyr with wolfSSL (PR 8382)
Add MSYS2 build continuous integration test (PR 8504)
Update DevKitPro doc to list calico dependency with build commands (PR 8607)
Conversion compiler warning fixes and additional continuous integration test
added (PR 8538)
Enable DTLS 1.3 by default in --enable-jni builds (PR 8481)
Enabled TLS 1.3 middlebox compatibility by default for --enable-jni builds
(PR 8526)

Performance Improvements

Performance improvements AES-GCM and HMAC (in/out hash copy) (PR 8429)
LMS fixes and improvements adding API to get Key ID from raw private key,
change to identifiers to match standard, and fix for when
WOLFSSL_LMS_MAX_LEVELS is 1 (PR 8390, 8684, 8613, 8623)
ML-KEM/Kyber improvements and fixes; no malloc builds, small memory usage,
performance improvement, fix for big-endian (PR 8397, 8412, 8436, 8467, 8619,
8622, 8588)
Performance improvements for AES-GCM and when doing multiple HMAC operations
(PR 8445)

Assembly and Platform-Specific Enhancements

Poly1305 arm assembly changes adding ARM32 NEON implementation and fix for
Aarch64 use (PR 8344, 8561, 8671)
Aarch64 assembly enhancement to use more CPU features, fix for FreeBSD/OpenBSD
(PR 8325, 8348)
Only perform ARM assembly CPUID checks if support was enabled at build time
(PR 8566)
Optimizations for ARM32 assembly instructions on platforms less than ARMv7
(PR 8395)
Improve MSVC feature detection for static assert macros (PR 8440)
Improve Espressif make and CMake for ESP8266 and ESP32 series (PR 8402)
Espressif updates for Kconfig, ESP32P4 and adding a sample user_settings.h
(PR 8422, PR 8641)

OpenSSL Compatibility Layer

Modification to the push/pop to/from in OpenSSL compatibility layer. This is
a pretty major API change in the OpenSSL compatibility stack functions.
Previously the API would push/pop from the beginning of the list but now they
operate on the tail of the list. This matters when using the sk_value with
index values. (PR 8616)
OpenSSL Compat Layer: OCSP response improvements (PR 8408, 8498)
Expand the OpenSSL compatibility layer to include an implementation of
BN_CTX_get (PR 8388)

API Additions and Modifications

Refactor Hpke to allow multiple uses of a context instead of just one shot
mode (PR 6805)
Add support for PSK client callback with Ada and use with Alire (thanks
mgrojo, PR 8332, 8606)
Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs and add
functions wolfSSL_CTX_SetEchConfigs and wolfSSL_CTX_SetEchConfigsBase64 to
rotate the server's echConfigs (PR 8556)
Added the public API wc_PkcsPad to do PKCS padding (PR 8502)
Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate (PR 8518)
Update Kyber APIs to ML-KEM APIs (PR 8536)
Add option to disallow automatic use of "default" devId using the macro
WC_NO_DEFAULT_DEVID (PR 8555)
Detect unknown key format on ProcessBufferTryDecode() and handle RSA-PSSk
format (PR 8630)

Porting and Language Support

Update Python port to support version 3.12.6 (PR 8345)
New additions for MAXQ with wolfPKCS11 (PR 8343)
Port to ntp 4.2.8p17 additions (PR 8324)
Add version 0.9.14 to tested libvncserver builds (PR 8337)

General Improvements and Cleanups

Cleanups for STM32 AES GCM (PR 8584)
Improvements to isascii() and the CMake key log option (PR 8596)
Arduino documentation updates, comments and spelling corrections (PR 8381,
8384, 8514)
Expanding builds with WOLFSSL_NO_REALLOC for use with --enable-opensslall and
--enable-all builds (PR 8369, 8371)

Fixes

Fix a use after free caused by an early free on error in the X509 store
(PR 8449)
Fix to account for existing PKCS8 header with
wolfSSL_PEM_write_PKCS8PrivateKey (PR 8612)
Fixed failing CMake build issue when standard threads support is not found in
the system (PR 8485)
Fix segmentation fault in SHA-512 implementation for AVX512 targets built with
gcc -march=native -O2 (PR 8329)
Fix Windows socket API compatibility warning with mingw32 build (PR 8424)
Fix potential null pointer increments in cipher list parsing (PR 8420)
Fix for possible stack buffer overflow read with wolfSSL_SMIME_write_PKCS7.
Thanks to the team at Code Intelligence for the report. (PR 8466)
Fix AES ECB implementation for Aarch64 ARM assembly (PR 8379)
Fixed building with VS2008 and .NET 3.5 (PR 8621)
Fixed possible error case memory leaks in CRL and EVP_Sign_Final (PR 8447)
Fixed SSL_set_mtu compatibility function return code (PR 8330)
Fixed Renesas RX TSIP (PR 8595)
Fixed ECC non-blocking tests (PR 8533)
Fixed CMake on MINGW and MSYS (PR 8377)
Fixed Watcom compiler and added new CI test (PR 8391)
Fixed STM32 PKA ECC 521-bit support (PR 8450)
Fixed STM32 PKA with P521 and shared secret (PR 8601)
Fixed crypto callback macro guards with DEBUG_CRYPTOCB (PR 8602)
Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
(PR 8575)
Additional sanity check on r and s lengths in DecodeECC_DSA_Sig_Bin (PR 8350)
Fix compat. layer ASN1_TIME_diff to accept NULL output params (PR 8407)
Fix CMake lean_tls build (PR 8460)
Fix for QUIC callback failure (PR 8475)
Fix missing alert types in AlertTypeToString for print out with debugging
enabled (PR 8572)
Fixes for MSVS build issues with PQC configure (PR 8568)
Fix for SE050 port and minor improvements (PR 8431, 8437)
Fix for missing rewind function in zephyr and add missing files for compiling
with assembly optimizations (PR 8531, 8541)
Fix for quic_record_append to return the correct code (PR 8340, 8358)
Fixes for Bind 9.18.28 port (PR 8331)
Fix to adhere more closely with RFC8446 Appendix D and set haveEMS when
negotiating TLS 1.3 (PR 8487)
Fix to properly check for signature_algorithms from the client in a TLS 1.3
server (PR 8356)
Fix for when BIO data is less than seq buffer size. Thanks to the team at Code
Intelligence for the report (PR 8426)
ARM32/Thumb2 fixes for WOLFSSL_NO_VAR_ASSIGN_REG and td4 variable declarations
(PR 8590, 8635)
Fix for Intel AVX1/SSE2 assembly to not use vzeroupper instructions unless ymm
or zmm registers are used (PR 8479)
Entropy MemUse fix for when block size less than update bits (PR 8675)

v5.7.6

2025-02-04T23:35:28Z

See wolfSSL Release 5.7.6 (Dec 31, 2024) via wolfssl 5.7.6 Release for Arduino #12

NOTE:

This release is based on a branch with minor post-release updates. See: wolfSSL/wolfssl#8381 and wolfSSL/wolfssl#8384 that mainly improved visibility to tips on wolfSSL user settings customization, in particular:

/* wolfSSL user_settings.h must be included from settings.h
 * Make all configurations changes in user_settings.h
 * Do not edit wolfSSL `settings.h` or `config.h` files.
 * Do not explicitly include user_settings.h in any source code.
 * Each Arduino sketch that uses wolfSSL must have: #include "wolfssl.h"
 * C/C++ source files can use: #include <wolfssl/wolfcrypt/settings.h>
 * The wolfSSL "settings.h" must be included in each source file using wolfSSL.
 * The wolfSSL "settings.h" must be listed before any other wolfSSL include.
 */

To download the release bundle of wolfSSL visit the download page at www.wolfssl.com/download/

NOTE:

--enable-heapmath is deprecated.
In this release, the default cipher suite preference is updated to prioritize
TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 when enabled.
This release adds a sanity check for including wolfssl/options.h or
user_settings.h.

PR stands for Pull Request, and PR references a GitHub pull request
number where the code change was added.

Vulnerabilities

[Med] An OCSP (non stapling) issue was introduced in wolfSSL version 5.7.4
when performing OCSP requests for intermediate certificates in a certificate
chain. This affects only TLS 1.3 connections on the server side. It would not
impact other TLS protocol versions or connections that are not using the
traditional OCSP implementation. (Fix in pull request 8115)

New Feature Additions

Add support for RP2350 and improve RP2040 support, both with RNG optimizations
(PR 8153)
Add support for STM32MP135F, including STM32CubeIDE support and HAL support
for SHA2/SHA3/AES/RNG/ECC optimizations. (PR 8223, 8231, 8241)
Implement Renesas TSIP RSA Public Enc/Private support (PR 8122)
Add support for Fedora/RedHat system-wide crypto-policies (PR 8205)
Curve25519 generic keyparsing API added with wc_Curve25519KeyToDer and
wc_Curve25519KeyDecode (PR 8129)
CRL improvements and update callback, added the functions
wolfSSL_CertManagerGetCRLInfo and wolfSSL_CertManagerSetCRLUpdate_Cb (PR 8006)
For DTLS, add server-side stateless and CID quality-of-life API. (PR 8224)

Enhancements and Optimizations

Add a CMake dependency check for pthreads when required. (PR 8162)
Update OS_Seed declarations for legacy compilers and FIPS modules (boundary
not affected). (PR 8170)
Enable WOLFSSL_ALWAYS_KEEP_SNI by default when using --enable-jni. (PR 8283)
Change the default cipher suite preference, prioritizing
TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256. (PR 7771)
Add SRTP-KDF (FIPS module v6.0.0) to checkout script for release bundling
(PR 8215)
Make library build when no hardware crypto available for Aarch64 (PR 8293)
Update assembly code to avoid uint*_t types for better compatibility with
older C standards. (PR 8133)
Add initial documentation for writing ASN template code to decode BER/DER.
(PR 8120)
Perform full reduction in sc_muladd for EdDSA with Curve448 (PR 8276)
Allow SHA-3 hardware cryptography instructions to be explicitly not used in
MacOS builds (PR 8282)
Make Kyber and ML-KEM available individually and together. (PR 8143)
Update configuration options to include Kyber/ML-KEM and fix defines used in
wolfSSL_get_curve_name. (PR 8183)
Make GetShortInt available with WOLFSSL_ASN_EXTRA (PR 8149)
Improved test coverage and minor improvements of X509 (PR 8176)
Add sanity checks for configuration methods, ensuring the inclusion of
wolfssl/options.h or user_settings.h. (PR 8262)
Enable support for building without TLS (NO_TLS). Provides reduced code size
option for non-TLS users who want features like the certificate manager or
compatibility layer. (PR 8273)
Exposed get_verify functions with OPENSSL_EXTRA. (PR 8258)
ML-DSA/Dilithium: obtain security level from DER when decoding (PR 8177)
Implementation for using PKCS11 to retrieve certificate for SSL CTX (PR 8267)
Add support for the RFC822 Mailbox attribute (PR 8280)
Initialize variables and adjust types resolve warnings with Visual Studio in
Windows builds. (PR 8181)
Refactors and expansion of opensslcoexist build (PR 8132, 8216, 8230)
Add DTLS 1.3 interoperability, libspdm and DTLS CID interoperability tests
(PR 8261, 8255, 8245)
Remove trailing error exit code in wolfSSL install setup script (PR 8189)
Update Arduino files for wolfssl 5.7.4 (PR 8219)
Improve Espressif SHA HW/SW mutex messages (PR 8225)
Apply post-5.7.4 release updates for Espressif Managed Component examples
(PR 8251)
Expansion of c89 conformance (PR 8164)
Added configure option for additional sanity checks with --enable-faultharden
(PR 8289)
Aarch64 ASM additions to check CPU features before hardware crypto instruction
use (PR 8314)

Fixes

Fix a memory issue when using the compatibility layer with
WOLFSSL_GENERAL_NAME and handling registered ID types. (PR 8155)
Fix a build issue with signature fault hardening when using public key
callbacks (HAVE_PK_CALLBACKS). (PR 8287)
Fix for handling heap hint pointer properly when managing multiple WOLFSSL_CTX
objects and free’ing one of them (PR 8180)
Fix potential memory leak in error case with Aria. (PR 8268)
Fix Set_Verify flag behaviour on Ada wrapper. (PR 8256)
Fix a compilation error with the NO_WOLFSSL_DIR flag. (PR 8294)
Resolve a corner case for Poly1305 assembly code on Aarch64. (PR 8275)
Fix incorrect version setting in CSRs. (PR 8136)
Correct debugging output for cryptodev. (PR 8202)
Fix for benchmark application use with /dev/crypto GMAC auth error due to size
of AAD (PR 8210)
Add missing checks for the initialization of sp_int/mp_int with DSA to free
memory properly in error cases. (PR 8209)
Fix return value of wolfSSL_CTX_set_tlsext_use_srtp (8252)
Check Root CA by Renesas TSIP before adding it to ca-table (PR 8101)
Prevent adding a certificate to the CA cache for Renesas builds if it does not
set CA:TRUE in basic constraints. (PR 8060)
Fix attribute certificate holder entityName parsing. (PR 8166)
Resolve build issues for configurations without any wolfSSL/openssl
compatibility layer headers. (PR 8182)
Fix for building SP RSA small and RSA public only (PR 8235)
Fix for Renesas RX TSIP RSA Sign/Verify with wolfCrypt only (PR 8206)
Fix to ensure all files have settings.h included (like wc_lms.c) and guards
for building all *.c files (PR 8257 and PR 8140)
Fix x86 target build issues in Visual Studio for non-Windows operating
systems. (PR 8098)
Fix wolfSSL_X509_STORE_get0_objects to handle no CA (PR 8226)
Properly handle reference counting when adding to the X509 store. (PR 8233)
Fix for various typos and improper size used with FreeRTOS_bind in the Renesas
example. Thanks to Hongbo for the report on example issues. (PR 7537)
Fix for potential heap use after free with wolfSSL_PEM_read_bio_PrivateKey.
Thanks to Peter for the issue reported. (PR 8139)

v5.7.4

2024-11-25T19:24:27Z

See wolfSSL Release 5.7.4 (October 24, 2024)

After the merge of #10 (that was essentially a "restructured copy" of wolfSSL 5.7.4 via the IDE/ARDUINO/wolfssl-arduino.sh script), creating this release should propagate to the Arduino Registry as noted in the FAQ Submission Requirements:

There's sometimes been a publishing delay observed as noted in #8.

v5.7.2

2024-08-04T00:58:20Z

See wolfSSL Release 5.7.2 (July 8, 2024)

After the merge of #8 (that was essentially a "restructured copy" of wolfSSL 5.7.2), creating this release should propagate to the Arduino Registry as noted in the FAQ Submission Requirements:

wolfSSL for Arduino Release 5.7.0 (Mar 20, 2024)

2024-04-01T16:31:50Z

This is the Arduino formatted library of wolfSSL 5.7.0

What's Changed

wolfSSL v5.7.0 for Arduino in #6

Full Changelog: 5.6.6-Arduino.2...5.7.0

5.6.6-Arduino.2

2024-03-08T22:49:10Z

This is the second interim release of wolfSSL 5.6.6 with Arduino updates.

What's Changed

wolfSSL 5.6.6-Arduino.2 update by @gojimmypi in #5

Full Changelog: 5.6.6-Arduino.1...5.6.6-Arduino.2

5.6.6-Arduino.1

2024-02-15T22:58:42Z

This is the initial wolfSSL Arduino library, with library name in all lower case to match wolfssl.h