|
| 1 | +# wolfSSL Release 5.7.6 (Dec 31, 2024) |
| 2 | + |
| 3 | +Release 5.7.6 has been developed according to wolfSSL's development and QA |
| 4 | +process (see link below) and successfully passed the quality criteria. |
| 5 | +https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance |
| 6 | + |
| 7 | +NOTE: |
| 8 | + * --enable-heapmath is deprecated. |
| 9 | + * In this release, the default cipher suite preference is updated to prioritize |
| 10 | + TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 when enabled. |
| 11 | + * This release adds a sanity check for including wolfssl/options.h or |
| 12 | + user_settings.h. |
| 13 | + |
| 14 | + |
| 15 | +PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request |
| 16 | + number where the code change was added. |
| 17 | + |
| 18 | + |
| 19 | +## Vulnerabilities |
| 20 | +* [Med] An OCSP (non stapling) issue was introduced in wolfSSL version 5.7.4 |
| 21 | + when performing OCSP requests for intermediate certificates in a certificate |
| 22 | + chain. This affects only TLS 1.3 connections on the server side. It would not |
| 23 | + impact other TLS protocol versions or connections that are not using the |
| 24 | + traditional OCSP implementation. (Fix in pull request 8115) |
| 25 | + |
| 26 | + |
| 27 | +## New Feature Additions |
| 28 | +* Add support for RP2350 and improve RP2040 support, both with RNG optimizations |
| 29 | + (PR 8153) |
| 30 | +* Add support for STM32MP135F, including STM32CubeIDE support and HAL support |
| 31 | + for SHA2/SHA3/AES/RNG/ECC optimizations. (PR 8223, 8231, 8241) |
| 32 | +* Implement Renesas TSIP RSA Public Enc/Private support (PR 8122) |
| 33 | +* Add support for Fedora/RedHat system-wide crypto-policies (PR 8205) |
| 34 | +* Curve25519 generic keyparsing API added with wc_Curve25519KeyToDer and |
| 35 | + wc_Curve25519KeyDecode (PR 8129) |
| 36 | +* CRL improvements and update callback, added the functions |
| 37 | + wolfSSL_CertManagerGetCRLInfo and wolfSSL_CertManagerSetCRLUpdate_Cb (PR 8006) |
| 38 | +* For DTLS, add server-side stateless and CID quality-of-life API. (PR 8224) |
| 39 | + |
| 40 | + |
| 41 | +## Enhancements and Optimizations |
| 42 | +* Add a CMake dependency check for pthreads when required. (PR 8162) |
| 43 | +* Update OS_Seed declarations for legacy compilers and FIPS modules (boundary |
| 44 | + not affected). (PR 8170) |
| 45 | +* Enable WOLFSSL_ALWAYS_KEEP_SNI by default when using --enable-jni. (PR 8283) |
| 46 | +* Change the default cipher suite preference, prioritizing |
| 47 | + TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256. (PR 7771) |
| 48 | +* Add SRTP-KDF (FIPS module v6.0.0) to checkout script for release bundling |
| 49 | + (PR 8215) |
| 50 | +* Make library build when no hardware crypto available for Aarch64 (PR 8293) |
| 51 | +* Update assembly code to avoid `uint*_t` types for better compatibility with |
| 52 | + older C standards. (PR 8133) |
| 53 | +* Add initial documentation for writing ASN template code to decode BER/DER. |
| 54 | + (PR 8120) |
| 55 | +* Perform full reduction in sc_muladd for EdDSA with Curve448 (PR 8276) |
| 56 | +* Allow SHA-3 hardware cryptography instructions to be explicitly not used in |
| 57 | + MacOS builds (PR 8282) |
| 58 | +* Make Kyber and ML-KEM available individually and together. (PR 8143) |
| 59 | +* Update configuration options to include Kyber/ML-KEM and fix defines used in |
| 60 | + wolfSSL_get_curve_name. (PR 8183) |
| 61 | +* Make GetShortInt available with WOLFSSL_ASN_EXTRA (PR 8149) |
| 62 | +* Improved test coverage and minor improvements of X509 (PR 8176) |
| 63 | +* Add sanity checks for configuration methods, ensuring the inclusion of |
| 64 | + wolfssl/options.h or user_settings.h. (PR 8262) |
| 65 | +* Enable support for building without TLS (NO_TLS). Provides reduced code size |
| 66 | + option for non-TLS users who want features like the certificate manager or |
| 67 | + compatibility layer. (PR 8273) |
| 68 | +* Exposed get_verify functions with OPENSSL_EXTRA. (PR 8258) |
| 69 | +* ML-DSA/Dilithium: obtain security level from DER when decoding (PR 8177) |
| 70 | +* Implementation for using PKCS11 to retrieve certificate for SSL CTX (PR 8267) |
| 71 | +* Add support for the RFC822 Mailbox attribute (PR 8280) |
| 72 | +* Initialize variables and adjust types resolve warnings with Visual Studio in |
| 73 | + Windows builds. (PR 8181) |
| 74 | +* Refactors and expansion of opensslcoexist build (PR 8132, 8216, 8230) |
| 75 | +* Add DTLS 1.3 interoperability, libspdm and DTLS CID interoperability tests |
| 76 | + (PR 8261, 8255, 8245) |
| 77 | +* Remove trailing error exit code in wolfSSL install setup script (PR 8189) |
| 78 | +* Update Arduino files for wolfssl 5.7.4 (PR 8219) |
| 79 | +* Improve Espressif SHA HW/SW mutex messages (PR 8225) |
| 80 | +* Apply post-5.7.4 release updates for Espressif Managed Component examples |
| 81 | + (PR 8251) |
| 82 | +* Expansion of c89 conformance (PR 8164) |
| 83 | +* Added configure option for additional sanity checks with --enable-faultharden |
| 84 | + (PR 8289) |
| 85 | +* Aarch64 ASM additions to check CPU features before hardware crypto instruction |
| 86 | + use (PR 8314) |
| 87 | + |
| 88 | + |
| 89 | +## Fixes |
| 90 | +* Fix a memory issue when using the compatibility layer with |
| 91 | + WOLFSSL_GENERAL_NAME and handling registered ID types. (PR 8155) |
| 92 | +* Fix a build issue with signature fault hardening when using public key |
| 93 | + callbacks (HAVE_PK_CALLBACKS). (PR 8287) |
| 94 | +* Fix for handling heap hint pointer properly when managing multiple WOLFSSL_CTX |
| 95 | + objects and free’ing one of them (PR 8180) |
| 96 | +* Fix potential memory leak in error case with Aria. (PR 8268) |
| 97 | +* Fix Set_Verify flag behaviour on Ada wrapper. (PR 8256) |
| 98 | +* Fix a compilation error with the NO_WOLFSSL_DIR flag. (PR 8294) |
| 99 | +* Resolve a corner case for Poly1305 assembly code on Aarch64. (PR 8275) |
| 100 | +* Fix incorrect version setting in CSRs. (PR 8136) |
| 101 | +* Correct debugging output for cryptodev. (PR 8202) |
| 102 | +* Fix for benchmark application use with /dev/crypto GMAC auth error due to size |
| 103 | + of AAD (PR 8210) |
| 104 | +* Add missing checks for the initialization of sp_int/mp_int with DSA to free |
| 105 | + memory properly in error cases. (PR 8209) |
| 106 | +* Fix return value of wolfSSL_CTX_set_tlsext_use_srtp (8252) |
| 107 | +* Check Root CA by Renesas TSIP before adding it to ca-table (PR 8101) |
| 108 | +* Prevent adding a certificate to the CA cache for Renesas builds if it does not |
| 109 | + set CA:TRUE in basic constraints. (PR 8060) |
| 110 | +* Fix attribute certificate holder entityName parsing. (PR 8166) |
| 111 | +* Resolve build issues for configurations without any wolfSSL/openssl |
| 112 | + compatibility layer headers. (PR 8182) |
| 113 | +* Fix for building SP RSA small and RSA public only (PR 8235) |
| 114 | +* Fix for Renesas RX TSIP RSA Sign/Verify with wolfCrypt only (PR 8206) |
| 115 | +* Fix to ensure all files have settings.h included (like wc_lms.c) and guards |
| 116 | + for building all `*.c` files (PR 8257 and PR 8140) |
| 117 | +* Fix x86 target build issues in Visual Studio for non-Windows operating |
| 118 | + systems. (PR 8098) |
| 119 | +* Fix wolfSSL_X509_STORE_get0_objects to handle no CA (PR 8226) |
| 120 | +* Properly handle reference counting when adding to the X509 store. (PR 8233) |
| 121 | +* Fix for various typos and improper size used with FreeRTOS_bind in the Renesas |
| 122 | + example. Thanks to Hongbo for the report on example issues. (PR 7537) |
| 123 | +* Fix for potential heap use after free with wolfSSL_PEM_read_bio_PrivateKey. |
| 124 | + Thanks to Peter for the issue reported. (PR 8139) |
| 125 | + |
| 126 | + |
1 | 127 | # wolfSSL Release 5.7.4 (Oct 24, 2024)
|
2 | 128 |
|
3 | 129 | Release 5.7.4 has been developed according to wolfSSL's development and QA
|
|
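Review bot: The Vulnerabilities entry (new lines 20-24) says an OCSP issue was introduced in 5.7.4 and affects server-side TLS 1.3, but it never says what actually goes wrong, so a reader cannot judge their exposure or decide how urgently to upgrade. Please state the observable effect of the bug and the affected version range explicitly. The reference there is written "Fix in pull request 8115", which should be "PR 8115" to match the convention defined at new lines 15-16. The same convention is missed at new line 106, where "(8252)" should read "(PR 8252)". At new line 72, "adjust types resolve warnings" is missing a "to".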