wolfSSL Release 5.5.4 (Dec 21, 2022)
JacobBarthelmeh
released this
21 Dec 18:05
·
5198 commits
to master
since this release
New Feature Additions
- QUIC related changes for HAProxy integration and config option
- Support for Analog Devices MAXQ1080 and MAXQ1065
- Testing and build of wolfSSL with NuttX
- New software based entropy gatherer with configure option --enable-entropy-memuse
- NXP SE050 feature expansion and fixes, adding in RSA support and conditional compile of AES and CMAC
- Support for multi-threaded sniffer
Improvements / Optimizations
Benchmark and Tests
- Add alternate test case for unsupported static memory API when testing mutex allocations
- Additional unit test cases added for AES CCM 256-bit
- Initialize and free AES object with benchmarking AES-OFB
- Kyber with DTLS 1.3 tests added
- Tidy up Espressif ESP32 test and benchmark examples
- Rework to be able to run API tests individually and add display of time taken per test
Build and Port Improvements
- Add check for 64-bit ABI on MIPS64 before declaring a 64-bit CPU
- Add support to detect SIZEOF_LONG in armclang and diab
- Added in a simple example working on Rx72n
- Update azsphere support to prevent compilation of file included inline
- --enable-brainpool configure option added and default to on when custom curves are also on
- Add RSA PSS salt defines to engine builds if not FIPS v2
Post Quantum
- Remove kyber-90s and route all Kyber through wolfcrypt
- Purge older version of NTRU and SABER from wolfSSL
SP Math
- Support static memory build with sp-math
- SP C, SP int: improve performance
- SP int: support mingw64 again
- SP int: enhancements to guess 64-bit type and check on NO_64BIT macro set before using long long
- SP int: check size required when using sp_int on stack
- SP: --enable-sp-asm now enables SP by default if not set
- SP: support aarch64 big endian
DTLS
- Allow DTLS 1.3 to compile when FIPS is enabled
- Allow for stateless DTLS client hello parsing
Misc.
- Easier detection of DRBG health when using Intel’s RDRAND by updating the structures status value
- Detection of duplicate known extensions with TLS
- PKCS#11 handle a user PIN that is a NULL_PTR, compile time check in finding keys, add initialization API
- Update max Cert Policy size based on RFC 5280
- Add Android CA certs path for wolfSSL_CTX_load_system_CA_certs()
- Improve logic for enabling system CA certs on Apple devices
- Stub functions to allow for cpuid public functions with non-intel builds
- Increase RNG_SECURITY_STRENGTH for FIPS
- Improvements in OpenSSL Compat ERR Queue handling
- Support ASN1/DER CRLs in LoadCertByIssuer
- Expose more ECC math functions and improve async shared secret
- Improvement for sniffer error messages
- Warning added that renegotiation in TLS 1.3 requires session ticket
- Adjustment for TLS 1.3 post auth support
- Rework DH API and improve PEM read/write
Fixes
Build Fixes
- Fix --enable-devcrypto build error for sys without u_int8_t type
- Fix casts in evp.c and build issue in ParseCRL
- Fixes for compatibility layer building with heap hint and OSSL callbacks
- fix compile error due to Werro=undef on gcc-4.8
- Fix mingw-w64 build issues on windows
- Xcode project fixes for different build settings
- Initialize variable causing failures with gcc-11 and gcc-12 with a unique wolfSSL build configuration
- Prevent WOLFSSL_NO_MALLOC from breaking RSA certificate verification
- Fixes for various tests that do not properly handle
WC_PENDING_E
with async. builds - Fix for misc
HashObject
to be excluded forWOLFCRYPT_ONLY
OCSP Fixes
- Correctly save next status with OCSP response verify
- When the OCSP responder returns an unknown exception, continue through to checking the CRL
Math Fixes
- Fix for implicit conversion with 32-bit in SP math
- Fix for error checks when modulus is even with SP int build
- Fix for checking of err in _sp_exptmod_nct with SP int build
- ECC cofactor fix when checking scalar bits
- ARM32 ASM: don't use ldrd on user data
- SP int, fix when ECC specific size code included
Port Fixes
- Fixes for STM32 PKA ECC (not 256-bit) and improvements for AES-GCM
- Fix for cryptocell signature verification with ECC
- Benchmark devid changes, CCM with SECO fix, set IV on AES import into SECO
Compat. Layer Fixes
- Fix for handling DEFAULT:... cipher suite list
- Fix memory leak in wolfSSL_X509_NAME_ENTRY_get_object
- Set alt name type to V_ASN1_IA5STRING
- Update name hash functions wolfSSL_X509_subject_name_hash and wolfSSL_X509_issuer_name_hash to hash the canonical form of subject
- Fix wolfSSL_set_SSL_CTX() to be usable during handshake
- Fix X509_get1_ocsp to set num of elements in stack
- X509v3 EXT d2i: fix freeing of aia
- Fix to remove recreation of certificate with wolfSSL_PEM_write_bio_X509()
- Link newly created x509 store's certificate manager to self by default to assist with CRL verification
- Fix for compatibility
EC_KEY_new_by_curve_name
to not create a key if the curve is not found
Misc.
- Free potential signer malloc in a fail case
- fix other name san parsing and add RID cert to test parsing
- WOLFSSL_OP_NO_TICKET fix for TLSv1.2
- fix ASN template parsing of X509 subject directory attribute
- Fix the wrong IV size with the cipher suite TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
- Fix incorrect self signed error return when compiled with certreq and certgen.
- Fix wrong function name in debug comment with wolfSSL_X509_get_name_oneline()
- Fix for decryption after second handshake with async sniffer
- Allow session tickets to properly resume when using PQ KEMs
- Add sanity overflow check to DecodeAltNames input buffer access