
Commit cccc884

wolfssl 5.8.0 Release for Arduino
1 parent 0703f7b commit cccc884

File tree

314 files changed

+30464
-8361
lines changed



ChangeLog.md

Lines changed: 210 additions & 0 deletions
@@ -1,3 +1,213 @@
1+
# wolfSSL Release 5.8.0 (Apr 24, 2025)
2+
3+
Release 5.8.0 has been developed according to wolfSSL's development and QA
4+
process (see link below) and successfully passed the quality criteria.
5+
https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
6+
7+
NOTE: * --enable-heapmath is deprecated
8+
9+
PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request
10+
number where the code change was added.
11+
12+
13+
## New Feature Additions
14+
* Algorithm registration in the Linux kernel module for all supported FIPS AES,
15+
SHA, HMAC, ECDSA, ECDH, and RSA modes, key sizes, and digest sizes.
16+
* Implemented various fixes to support building for Open Watcom including OS/2
17+
support and Open Watcom 1.9 compatibility (PR 8505, 8484)
18+
* Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488)
19+
* Added support for STM32WBA (PR 8550)
20+
* Added Extended Master Secret Generation Callback to the --enable-pkcallbacks
21+
build (PR 8303)
22+
* Implement AES-CTS (configure flag --enable-aescts) in wolfCrypt (PR 8594)
23+
* Added support for libimobiledevice commit 860ffb (PR 8373)
24+
* Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD
25+
(PR 8307)
26+
* Added blinding option when using a Curve25519 private key by defining the
27+
macro WOLFSSL_CURVE25519_BLINDING (PR 8392)
28+
29+
30+
## Linux Kernel Module
31+
* Production-ready LKCAPI registration for cbc(aes), cfb(aes), gcm(aes),
32+
rfc4106 (gcm(aes)), ctr(aes), ofb(aes), and ecb(aes), ECDSA with P192, P256,
33+
P384, and P521 curves, ECDH with P192, P256, and P384 curves, and RSA with
34+
bare and PKCS1 padding
35+
* Various fixes for LKCAPI wrapper for AES-CBC and AES-CFB (PR 8534, 8552)
36+
* Adds support for the legacy one-shot AES-GCM back end (PR 8614, 8567) for
37+
compatibility with FIPS 140-3 Cert #4718.
38+
* On kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override
39+
macro (PR 8654)
40+
* Update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit
41+
7450ebd29c (merged for Linux 6.15) (PR 8667)
42+
* Inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (PR 8673)
43+
* Fix for uninitialized build error with fedora (PR 8569)
44+
* Register ecdsa, ecdh, and rsa for use with linux kernel crypto (PR 8637, 8663,
45+
8646)
46+
* Added force zero shared secret buffer, and clear of old key with ecdh
47+
(PR 8685)
48+
* Update fips-check.sh script to pickup XTS streaming support on aarch64 and
49+
disable XTS-384 as an allowed use in FIPS mode (PR 8509, 8546)
50+
51+
52+
## Enhancements and Optimizations
53+
54+
### Security & Cryptography
55+
* Add constant-time implementation improvements for encoding functions. We thank
56+
Zhiyuan and Gilles for sharing a new constant-time analysis tool (CT-LLVM) and
57+
reporting several non-constant-time implementations. (PR 8396, 8617)
58+
* Additional support for PKCS7 verify and decode with indefinite lengths
59+
(PR 8520, 834, 8645)
60+
* Add more PQC hybrid key exchange algorithms such as support for combinations
61+
with X25519 and X448 enabling compatibility with the PQC key exchange support
62+
in Chromium browsers and Mozilla Firefox (PR 7821)
63+
* Add short-circuit comparisons to DH key validation for RFC 7919 parameters
64+
(PR 8335)
65+
* Improve FIPS compatibility with various build configurations for more resource
66+
constrained builds (PR 8370)
67+
* Added option to disable ECC public key order checking (PR 8581)
68+
* Allow critical alt and basic constraints extensions (PR 8542)
69+
* New codepoint for MLDSA to help with interoperability (PR 8393)
70+
* Add support for parsing trusted PEM certs having the header
71+
“BEGIN_TRUSTED_CERT” (PR 8400)
72+
* Add support for parsing only of DoD certificate policy and Comodo Ltd PKI OIDs
73+
(PR 8599, 8686)
74+
* Update ssl code in `src/*.c` to be consistent with wolfcrypt/src/asn.c
75+
handling of ML_DSA vs Dilithium and add dual alg. test (PR 8360, 8425)
76+
77+
### Build System, Configuration, CI & Protocols
78+
* Internal refactor for include of config.h and when building with
79+
BUILDING_WOLFSSL macro. This refactor will give a warning of “deprecated
80+
function” when trying to improperly use an internal API of wolfSSL in an
81+
external application. (PR 8640, 8647, 8660, 8662, 8664)
82+
* Add WOLFSSL_CLU option to CMakeLists.txt (PR 8548)
83+
* Add CMake and Zephyr support for XMSS and LMS (PR 8494)
84+
* Added GitHub CI for CMake builds (PR 8439)
85+
* Added necessary macros when building wolfTPM Zephyr with wolfSSL (PR 8382)
86+
* Add MSYS2 build continuous integration test (PR 8504)
87+
* Update DevKitPro doc to list calico dependency with build commands (PR 8607)
88+
* Conversion compiler warning fixes and additional continuous integration test
89+
added (PR 8538)
90+
* Enable DTLS 1.3 by default in --enable-jni builds (PR 8481)
91+
* Enabled TLS 1.3 middlebox compatibility by default for --enable-jni builds
92+
(PR 8526)
93+
94+
### Performance Improvements
95+
* Performance improvements AES-GCM and HMAC (in/out hash copy) (PR 8429)
96+
* LMS fixes and improvements adding API to get Key ID from raw private key,
97+
change to identifiers to match standard, and fix for when
98+
WOLFSSL_LMS_MAX_LEVELS is 1 (PR 8390, 8684, 8613, 8623)
99+
* ML-KEM/Kyber improvements and fixes; no malloc builds, small memory usage,
100+
performance improvement, fix for big-endian (PR 8397, 8412, 8436, 8467, 8619,
101+
8622, 8588)
102+
* Performance improvements for AES-GCM and when doing multiple HMAC operations
103+
(PR 8445)
104+
105+
### Assembly and Platform-Specific Enhancements
106+
* Poly1305 arm assembly changes adding ARM32 NEON implementation and fix for
107+
Aarch64 use (PR 8344, 8561, 8671)
108+
* Aarch64 assembly enhancement to use more CPU features, fix for FreeBSD/OpenBSD
109+
(PR 8325, 8348)
110+
* Only perform ARM assembly CPUID checks if support was enabled at build time
111+
(PR 8566)
112+
* Optimizations for ARM32 assembly instructions on platforms less than ARMv7
113+
(PR 8395)
114+
* Improve MSVC feature detection for static assert macros (PR 8440)
115+
* Improve Espressif make and CMake for ESP8266 and ESP32 series (PR 8402)
116+
* Espressif updates for Kconfig, ESP32P4 and adding a sample user_settings.h
117+
(PR 8422, PR 8641)
118+
119+
### OpenSSL Compatibility Layer
120+
* Modification to the push/pop to/from in OpenSSL compatibility layer. This is
121+
a pretty major API change in the OpenSSL compatibility stack functions.
122+
Previously the API would push/pop from the beginning of the list but now they
123+
operate on the tail of the list. This matters when using the sk_value with
124+
index values. (PR 8616)
125+
* OpenSSL Compat Layer: OCSP response improvements (PR 8408, 8498)
126+
* Expand the OpenSSL compatibility layer to include an implementation of
127+
BN_CTX_get (PR 8388)
128+
129+
### API Additions and Modifications
130+
* Refactor Hpke to allow multiple uses of a context instead of just one shot
131+
mode (PR 6805)
132+
* Add support for PSK client callback with Ada and use with Alire (thanks
133+
@mgrojo, PR 8332, 8606)
134+
* Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs and add
135+
functions wolfSSL_CTX_SetEchConfigs and wolfSSL_CTX_SetEchConfigsBase64 to
136+
rotate the server's echConfigs (PR 8556)
137+
* Added the public API wc_PkcsPad to do PKCS padding (PR 8502)
138+
* Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate (PR 8518)
139+
* Update Kyber APIs to ML-KEM APIs (PR 8536)
140+
* Add option to disallow automatic use of "default" devId using the macro
141+
WC_NO_DEFAULT_DEVID (PR 8555)
142+
* Detect unknown key format on ProcessBufferTryDecode() and handle RSA-PSSk
143+
format (PR 8630)
144+
145+
### Porting and Language Support
146+
* Update Python port to support version 3.12.6 (PR 8345)
147+
* New additions for MAXQ with wolfPKCS11 (PR 8343)
148+
* Port to ntp 4.2.8p17 additions (PR 8324)
149+
* Add version 0.9.14 to tested libvncserver builds (PR 8337)
150+
151+
### General Improvements and Cleanups
152+
* Cleanups for STM32 AES GCM (PR 8584)
153+
* Improvements to isascii() and the CMake key log option (PR 8596)
154+
* Arduino documentation updates, comments and spelling corrections (PR 8381,
155+
8384, 8514)
156+
* Expanding builds with WOLFSSL_NO_REALLOC for use with --enable-opensslall and
157+
--enable-all builds (PR 8369, 8371)
158+
159+
160+
## Fixes
161+
* Fix a use after free caused by an early free on error in the X509 store
162+
(PR 8449)
163+
* Fix to account for existing PKCS8 header with
164+
wolfSSL_PEM_write_PKCS8PrivateKey (PR 8612)
165+
* Fixed failing CMake build issue when standard threads support is not found in
166+
the system (PR 8485)
167+
* Fix segmentation fault in SHA-512 implementation for AVX512 targets built with
168+
gcc -march=native -O2 (PR 8329)
169+
* Fix Windows socket API compatibility warning with mingw32 build (PR 8424)
170+
* Fix potential null pointer increments in cipher list parsing (PR 8420)
171+
* Fix for possible stack buffer overflow read with wolfSSL_SMIME_write_PKCS7.
172+
Thanks to the team at Code Intelligence for the report. (PR 8466)
173+
* Fix AES ECB implementation for Aarch64 ARM assembly (PR 8379)
174+
* Fixed building with VS2008 and .NET 3.5 (PR 8621)
175+
* Fixed possible error case memory leaks in CRL and EVP_Sign_Final (PR 8447)
176+
* Fixed SSL_set_mtu compatibility function return code (PR 8330)
177+
* Fixed Renesas RX TSIP (PR 8595)
178+
* Fixed ECC non-blocking tests (PR 8533)
179+
* Fixed CMake on MINGW and MSYS (PR 8377)
180+
* Fixed Watcom compiler and added new CI test (PR 8391)
181+
* Fixed STM32 PKA ECC 521-bit support (PR 8450)
182+
* Fixed STM32 PKA with P521 and shared secret (PR 8601)
183+
* Fixed crypto callback macro guards with `DEBUG_CRYPTOCB` (PR 8602)
184+
* Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
185+
(PR 8575)
186+
* Additional sanity check on r and s lengths in DecodeECC_DSA_Sig_Bin (PR 8350)
187+
* Fix compat. layer ASN1_TIME_diff to accept NULL output params (PR 8407)
188+
* Fix CMake lean_tls build (PR 8460)
189+
* Fix for QUIC callback failure (PR 8475)
190+
* Fix missing alert types in AlertTypeToString for print out with debugging
191+
enabled (PR 8572)
192+
* Fixes for MSVS build issues with PQC configure (PR 8568)
193+
* Fix for SE050 port and minor improvements (PR 8431, 8437)
194+
* Fix for missing rewind function in zephyr and add missing files for compiling
195+
with assembly optimizations (PR 8531, 8541)
196+
* Fix for quic_record_append to return the correct code (PR 8340, 8358)
197+
* Fixes for Bind 9.18.28 port (PR 8331)
198+
* Fix to adhere more closely with RFC8446 Appendix D and set haveEMS when
199+
negotiating TLS 1.3 (PR 8487)
200+
* Fix to properly check for signature_algorithms from the client in a TLS 1.3
201+
server (PR 8356)
202+
* Fix for when BIO data is less than seq buffer size. Thanks to the team at Code
203+
Intelligence for the report (PR 8426)
204+
* ARM32/Thumb2 fixes for WOLFSSL_NO_VAR_ASSIGN_REG and td4 variable declarations
205+
(PR 8590, 8635)
206+
* Fix for Intel AVX1/SSE2 assembly to not use vzeroupper instructions unless ymm
207+
or zmm registers are used (PR 8479)
208+
* Entropy MemUse fix for when block size less than update bits (PR 8675)
209+
210+
1211
# wolfSSL Release 5.7.6 (Dec 31, 2024)
2212

3213
Release 5.7.6 has been developed according to wolfSSL's development and QA
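Review bot: The OpenSSL compatibility-layer change "Modification to the push/pop to/from in OpenSSL compatibility layer ... now they operate on the tail of the list" (PR 8616) is a behavioural break for any caller that indexes with sk_value, yet it is filed under "Enhancements and Optimizations"; it belongs next to the "--enable-heapmath is deprecated" notice at the top of the 5.8.0 entry, together with the "Update Kyber APIs to ML-KEM APIs (PR 8536)" rename, so integrators see both before the feature list. Smaller points in the same hunk: the PKCS7 indefinite-length entry cites "(PR 8520, 834, 8645)", and "834" reads as a truncated pull-request number next to the other four-digit references; the first "Linux Kernel Module" bullet ("Production-ready LKCAPI registration for cbc(aes) ...") is the only entry with no PR reference; that bullet lists ECDSA with P521 but ECDH only with P192, P256 and P384, so either P521 ECDH is missing from the registration or the text should say it is intentionally excluded; "Added option to disable ECC public key order checking (PR 8581)" weakens key validation and should name the macro and state the default; and the memory-safety fixes in "Fixes" (use after free in the X509 store, PR 8449; stack buffer over-read in wolfSSL_SMIME_write_PKCS7, PR 8466; null pointer increments in cipher list parsing, PR 8420; r and s length check in DecodeECC_DSA_Sig_Bin, PR 8350) are interleaved with build and port fixes, so grouping them and noting whether each is reachable from untrusted input would help downstream triage. Style: drop the stray "*" in "NOTE: * --enable-heapmath is deprecated", and replace the curly quotes in “BEGIN_TRUSTED_CERT” and “deprecated function” with plain ASCII quotes.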
