
wolfSSL Release 5.5.4 (Dec 21, 2022)

JacobBarthelmeh released this 21 Dec 2022 18:05
4fbd4fd

New Feature Additions

  • QUIC related changes for HAProxy integration and config option
  • Support for Analog Devices MAXQ1080 and MAXQ1065
  • Testing and build of wolfSSL with NuttX
  • New software based entropy gatherer with configure option --enable-entropy-memuse
  • NXP SE050 feature expansion and fixes, adding in RSA support and conditional compile of AES and CMAC
  • Support for multi-threaded sniffer

Improvements / Optimizations

Benchmark and Tests

  • Add alternate test case for unsupported static memory API when testing mutex allocations
  • Additional unit test cases added for AES CCM 256-bit
  • Initialize and free the AES object when benchmarking AES-OFB
  • Kyber with DTLS 1.3 tests added
  • Tidy up Espressif ESP32 test and benchmark examples
  • Rework to be able to run API tests individually and add display of time taken per test

Build and Port Improvements

  • Add check for 64-bit ABI on MIPS64 before declaring a 64-bit CPU
  • Add support to detect SIZEOF_LONG in armclang and diab
  • Add a simple example that runs on the Renesas RX72N
  • Update Azure Sphere support to prevent compiling a file that is already included inline
  • --enable-brainpool configure option added and default to on when custom curves are also on
  • Add RSA PSS salt defines to engine builds if not FIPS v2

Post Quantum

  • Remove kyber-90s and route all Kyber through wolfcrypt
  • Purge older version of NTRU and SABER from wolfSSL

SP Math

  • Support static memory build with sp-math
  • SP C, SP int: improve performance
  • SP int: support mingw64 again
  • SP int: improve detection of a 64-bit type and check the NO_64BIT macro before using long long
  • SP int: check size required when using sp_int on stack
  • SP: --enable-sp-asm now enables SP by default if not set
  • SP: support aarch64 big endian

DTLS

  • Allow DTLS 1.3 to compile when FIPS is enabled
  • Allow for stateless DTLS client hello parsing

Misc.

  • Easier detection of DRBG health when using Intel’s RDRAND by updating the structure's status value
  • Detection of duplicate known extensions with TLS
  • PKCS#11: handle a user PIN that is NULL_PTR, add a compile-time check when finding keys, and add an initialization API
  • Update max Cert Policy size based on RFC 5280
  • Add Android CA certs path for wolfSSL_CTX_load_system_CA_certs()
  • Improve logic for enabling system CA certs on Apple devices
  • Stub functions so the public cpuid functions are available in non-Intel builds
  • Increase RNG_SECURITY_STRENGTH for FIPS
  • Improvements in OpenSSL Compat ERR Queue handling
  • Support ASN1/DER CRLs in LoadCertByIssuer
  • Expose more ECC math functions and improve async shared secret
  • Improvement for sniffer error messages
  • Add a warning that renegotiation in TLS 1.3 requires a session ticket
  • Adjustment for TLS 1.3 post auth support
  • Rework DH API and improve PEM read/write
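The duplicate-extension detection listed above is the kind of check RFC 8446 section 4.2 requires (no more than one extension of a given type per message). The following is an added illustration, written for these notes and not wolfSSL's own code: a walker over a TLS extensions block that rejects a repeated type and refuses to read past any length field. The function and result names are hypothetical, and the sample byte blocks are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the walk (hypothetical names, not wolfSSL's). */
enum ext_result {
    EXT_OK        =  0,
    EXT_TRUNCATED = -1,  /* a length field runs past the end of the block */
    EXT_DUPLICATE = -2   /* the same extension type appears twice */
};

/*
 * Walk a TLS "extensions" block: a 2-byte total length followed by
 * entries of {2-byte type, 2-byte length, data}. RFC 8446 section 4.2
 * forbids more than one extension of the same type in one message, so
 * a second occurrence is rejected instead of silently overwriting the
 * first. Every length is checked against the bytes actually present
 * before the data is touched.
 */
int check_extensions(const uint8_t *buf, size_t len, uint16_t *dup_type)
{
    uint8_t seen[8192];                /* one bit per 16-bit extension type */
    size_t total, off = 2;

    memset(seen, 0, sizeof seen);
    if (len < 2)
        return EXT_TRUNCATED;
    total = ((size_t)buf[0] << 8) | buf[1];
    if (total + 2 != len)
        return EXT_TRUNCATED;

    while (off < len) {
        uint16_t type, elen;
        if (len - off < 4)
            return EXT_TRUNCATED;
        type = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        elen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        off += 4;
        if (len - off < elen)
            return EXT_TRUNCATED;
        if (seen[type >> 3] & (1u << (type & 7))) {
            if (dup_type)
                *dup_type = type;
            return EXT_DUPLICATE;
        }
        seen[type >> 3] |= (uint8_t)(1u << (type & 7));
        off += elen;                    /* skip the extension body */
    }
    return EXT_OK;
}

/* Constructed sample blocks (not captured traffic). */
static const uint8_t good_block[] = {
    0x00, 0x11,                                                 /* total length 17 */
    0x00, 0x00, 0x00, 0x06, 0x00, 0x04, 0x00, 0x00, 0x01, 'a',  /* server_name "a" */
    0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04                    /* supported_versions: TLS 1.3 */
};
static const uint8_t dup_block[] = {
    0x00, 0x0e,                                     /* total length 14 */
    0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04,       /* supported_versions */
    0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04        /* ... repeated: must be rejected */
};
static const uint8_t short_block[] = {
    0x00, 0x08,                                     /* total length 8 */
    0x00, 0x2b, 0x00, 0x06, 0x02, 0x03, 0x04, 0x05  /* claims 6 body bytes, only 4 present */
};

int demo_good(void)      { return check_extensions(good_block, sizeof good_block, NULL); }
int demo_duplicate(void) { return check_extensions(dup_block, sizeof dup_block, NULL); }
int demo_truncated(void) { return check_extensions(short_block, sizeof short_block, NULL); }
uint16_t demo_duplicate_type(void)
{
    uint16_t t = 0xffff;
    check_extensions(dup_block, sizeof dup_block, &t);
    return t;                            /* 43 = supported_versions */
}

int main(void)
{
    printf("good:      %d\n", demo_good());
    printf("duplicate: %d (type %u)\n", demo_duplicate(), demo_duplicate_type());
    printf("truncated: %d\n", demo_truncated());
    return 0;
}
```

A real TLS stack would map EXT_DUPLICATE to an illegal_parameter or decode_error alert and abort the handshake; the point of the bitmap is that the check costs one lookup per extension regardless of how many types are known.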

Fixes

Build Fixes

  • Fix --enable-devcrypto build error for systems without the u_int8_t type
  • Fix casts in evp.c and build issue in ParseCRL
  • Fixes for compatibility layer building with heap hint and OSSL callbacks
  • Fix compile error due to -Werror=undef on gcc-4.8
  • Fix mingw-w64 build issues on Windows
  • Xcode project fixes for different build settings
  • Initialize a variable that caused failures with gcc-11 and gcc-12 under a particular wolfSSL build configuration
  • Prevent WOLFSSL_NO_MALLOC from breaking RSA certificate verification
  • Fixes for various tests that do not properly handle WC_PENDING_E with asynchronous builds
  • Fix for misc HashObject to be excluded for WOLFCRYPT_ONLY

OCSP Fixes

  • Correctly save next status with OCSP response verify
  • When the OCSP responder returns an unknown exception, continue through to checking the CRL

Math Fixes

  • Fix for implicit conversion with 32-bit in SP math
  • Fix for error checks when modulus is even with SP int build
  • Fix for checking of err in _sp_exptmod_nct with SP int build
  • ECC cofactor fix when checking scalar bits
  • ARM32 ASM: don't use ldrd on user data
  • SP int, fix when ECC specific size code included

Port Fixes

  • Fixes for STM32 PKA ECC (curves other than 256-bit) and improvements for AES-GCM
  • Fix for cryptocell signature verification with ECC
  • Benchmark devid changes, CCM with SECO fix, set IV on AES import into SECO

Compat. Layer Fixes

  • Fix for handling DEFAULT:... cipher suite list
  • Fix memory leak in wolfSSL_X509_NAME_ENTRY_get_object
  • Set alt name type to V_ASN1_IA5STRING
  • Update name hash functions wolfSSL_X509_subject_name_hash and wolfSSL_X509_issuer_name_hash to hash the canonical form of subject
  • Fix wolfSSL_set_SSL_CTX() to be usable during handshake
  • Fix X509_get1_ocsp to set num of elements in stack
  • X509v3 EXT d2i: fix freeing of aia
  • Fix to remove recreation of certificate with wolfSSL_PEM_write_bio_X509()
  • Link newly created x509 store's certificate manager to self by default to assist with CRL verification
  • Fix for compatibility EC_KEY_new_by_curve_name to not create a key if the curve is not found

Misc.

  • Free a potentially allocated signer in a failure case
  • Fix otherName SAN parsing and add a certificate with a registeredID (RID) SAN to test parsing
  • WOLFSSL_OP_NO_TICKET fix for TLSv1.2
  • Fix ASN template parsing of the X.509 subject directory attributes
  • Fix the wrong IV size with the cipher suite TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
  • Fix incorrect self-signed error return when compiled with certreq and certgen
  • Fix wrong function name in debug comment with wolfSSL_X509_get_name_oneline()
  • Fix for decryption after second handshake with async sniffer
  • Allow session tickets to properly resume when using PQ KEMs
  • Add sanity overflow check to DecodeAltNames input buffer access
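The otherName SAN parsing fix and the DecodeAltNames overflow check above both concern walking a SubjectAltName value, which is a DER SEQUENCE OF GeneralName. The following is an added illustration, written for these notes and not wolfSSL's own code, of the bounds discipline such a walker needs: the SEQUENCE length is checked against the buffer, and each GeneralName length against the SEQUENCE, before any name byte is read. Function and result names are hypothetical, and the DER samples are constructed rather than taken from a real certificate.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result codes (hypothetical names, not wolfSSL's). */
enum alt_result {
    ALT_OK        =  0,
    ALT_TRUNCATED = -1,   /* a DER length exceeds the bytes that remain */
    ALT_BAD_TAG   = -2    /* not a SEQUENCE, or not a GeneralName tag */
};

/* Decode one DER length at *idx (short form, or long form of at most 4
 * bytes) without reading past n. Advances *idx on success. */
static int der_length(const uint8_t *b, size_t n, size_t *idx, size_t *out)
{
    size_t i = *idx, cnt, v = 0;

    if (i >= n)
        return ALT_TRUNCATED;
    if (b[i] < 0x80) {                /* short form */
        *out = b[i];
        *idx = i + 1;
        return ALT_OK;
    }
    cnt = b[i] & 0x7f;
    if (cnt == 0 || cnt > 4)          /* indefinite form or absurdly long */
        return ALT_TRUNCATED;
    i++;
    if (n - i < cnt)
        return ALT_TRUNCATED;
    while (cnt--)
        v = (v << 8) | b[i++];
    *out = v;
    *idx = i;
    return ALT_OK;
}

/*
 * Walk a SubjectAltName value: SEQUENCE OF GeneralName, each a
 * context-specific tag [0]..[8] (otherName is [0], dNSName [2],
 * iPAddress [7], registeredID [8]) followed by a length and the name
 * bytes. Returns the number of names through *count.
 */
int walk_alt_names(const uint8_t *b, size_t n, int *count)
{
    size_t idx = 0, seq_len, end, name_len;
    int rc;

    *count = 0;
    if (n < 1 || b[idx++] != 0x30)    /* SEQUENCE */
        return ALT_BAD_TAG;
    if ((rc = der_length(b, n, &idx, &seq_len)) != ALT_OK)
        return rc;
    if (n - idx < seq_len)            /* SEQUENCE claims more than the buffer holds */
        return ALT_TRUNCATED;
    end = idx + seq_len;

    while (idx < end) {
        uint8_t tag = b[idx++];
        if ((tag & 0xc0) != 0x80 || (tag & 0x1f) > 8)
            return ALT_BAD_TAG;
        if ((rc = der_length(b, end, &idx, &name_len)) != ALT_OK)
            return rc;
        if (end - idx < name_len)     /* name claims more than the SEQUENCE holds */
            return ALT_TRUNCATED;
        /* b[idx .. idx+name_len) is now known to be in bounds */
        idx += name_len;
        (*count)++;
    }
    return ALT_OK;
}

/* Constructed DER samples (not taken from a real certificate). */
static const uint8_t san_ok[] = {
    0x30, 0x13,                                                /* SEQUENCE, 19 bytes */
    0x82, 0x0b, 'e','x','a','m','p','l','e','.','c','o','m',   /* dNSName */
    0x87, 0x04, 0xc0, 0x00, 0x02, 0x01                         /* iPAddress 192.0.2.1 */
};
static const uint8_t san_outer_overrun[] = {
    0x30, 0x13, 0x82, 0x0b, 'e','x','a','m'   /* SEQUENCE says 19 bytes, only 6 follow */
};
static const uint8_t san_inner_overrun[] = {
    0x30, 0x06, 0x82, 0x0b, 'e','x','a','m'   /* dNSName says 11 bytes, SEQUENCE holds 4 */
};

int demo_ok_count(void)
{
    int c = 0;
    return walk_alt_names(san_ok, sizeof san_ok, &c) == ALT_OK ? c : -1;
}
int demo_outer_overrun(void) { int c; return walk_alt_names(san_outer_overrun, sizeof san_outer_overrun, &c); }
int demo_inner_overrun(void) { int c; return walk_alt_names(san_inner_overrun, sizeof san_inner_overrun, &c); }

int main(void)
{
    printf("valid SAN:     %d names\n", demo_ok_count());
    printf("outer overrun: %d\n", demo_outer_overrun());
    printf("inner overrun: %d\n", demo_inner_overrun());
    return 0;
}
```

The inner check is the one that matters for a certificate crafted to exploit a parser: a well-formed outer SEQUENCE whose last GeneralName claims more bytes than remain will pass the outer check and must still be caught before the name bytes are dereferenced.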