Merge pull request #8712 from JacobBarthelmeh/release

prepare for release 5.8.0
remove trailing space character in changelog
2025-04-24 15:10:41 -07:00 · 2025-04-24 12:20:23 -07:00 · 2025-04-24 10:41:40 -07:00 · 2025-04-23 11:36:15 -06:00 · 2025-04-22 21:34:13 -05:00 · 2025-04-22 15:20:45 -07:00
513 changed files with 58941 additions and 39244 deletions
--- a/.github/workflows/ada.yml
+++ b/.github/workflows/ada.yml
@@ -0,0 +1,33 @@
+name: WolfSSL Ada Build Tests
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@master
+
+    - name: Install gnat
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y gnat gprbuild
+
+    - name: Checkout wolfssl
+      uses: actions/checkout@master
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    - name: Build wolfssl Ada
+      working-directory: ./wolfssl/wrapper/Ada
+      run: |
+        mkdir obj
+        gprbuild default.gpr
+        gprbuild examples.gpr
--- a/.github/workflows/cmake.yml
+++ b/.github/workflows/cmake.yml
@@ -39,7 +39,7 @@ jobs:
            -DWOLFSSL_AESCBC:BOOL=yes -DWOLFSSL_AESCCM:BOOL=yes -DWOLFSSL_AESCFB:BOOL=yes \
            -DWOLFSSL_AESCTR:BOOL=yes -DWOLFSSL_AESGCM:STRING=yes -DWOLFSSL_AESKEYWRAP:BOOL=yes \
            -DWOLFSSL_AESOFB:BOOL=yes -DWOLFSSL_AESSIV:BOOL=yes -DWOLFSSL_ALIGN_DATA:BOOL=yes \
-            -DWOLFSSL_ALPN:BOOL=ON -DWOLFSSL_ALT_CERT_CHAINS:BOOL=ON -DWOLFSSL_ARC4:BOOL=no \
+            -DWOLFSSL_ALPN:BOOL=ON -DWOLFSSL_ALT_CERT_CHAINS:BOOL=ON -DWOLFSSL_ARC4:BOOL=yes \
            -DWOLFSSL_ARIA:BOOL=no -DWOLFSSL_ASIO:BOOL=no -DWOLFSSL_ASM:BOOL=yes -DWOLFSSL_ASN:BOOL=yes \
            -DWOLFSSL_ASYNC_THREADS:BOOL=no -DWOLFSSL_BASE64_ENCODE:BOOL=yes -DWOLFSSL_CAAM:BOOL=no \
            -DWOLFSSL_CERTEXT:BOOL=yes -DWOLFSSL_CERTGEN:BOOL=yes -DWOLFSSL_CERTGENCACHE:BOOL=no \
@@ -75,8 +75,9 @@ jobs:
            -DWOLFSSL_SNI:BOOL=yes -DWOLFSSL_SP_MATH_ALL:BOOL=yes -DWOLFSSL_SRTP:BOOL=yes \
            -DWOLFSSL_STUNNEL:BOOL=yes -DWOLFSSL_SUPPORTED_CURVES:BOOL=yes -DWOLFSSL_SYS_CA_CERTS:BOOL=yes \
            -DWOLFSSL_TICKET_NONCE_MALLOC:BOOL=yes -DWOLFSSL_TLS13:BOOL=yes -DWOLFSSL_TLSV12:BOOL=yes \
-            -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
+            -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
            -DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \
+            -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
            -DWOLFSSL_X963KDF:BOOL=yes \
            -DCMAKE_C_FLAGS="-DWOLFSSL_DTLS_CH_FRAG" \
            ..
--- a/.github/workflows/grpc.yml
+++ b/.github/workflows/grpc.yml
@@ -71,6 +71,11 @@ jobs:
        with:
          name: wolf-install-grpc

+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
      - name: untar build-dir
        run: tar -xf build-dir.tgz

@@ -94,7 +99,7 @@ jobs:
          git submodule update --init
          mkdir cmake/build
          cd cmake/build
-          cmake -DgRPC_BUILD_TESTS=ON -DgRPC_SSL_PROVIDER=wolfssl \
+          cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.1 -DgRPC_BUILD_TESTS=ON -DgRPC_SSL_PROVIDER=wolfssl \
            -DWOLFSSL_INSTALL_DIR=$GITHUB_WORKSPACE/build-dir ../..
          make -j $(nproc) ${{ matrix.tests }}

--- a/.github/workflows/hostap-vm.yml
+++ b/.github/workflows/hostap-vm.yml
@@ -217,6 +217,7 @@ jobs:
          sudo apt-get install -y libpcap0.8 libpcap-dev curl libcurl4-openssl-dev \
            libnl-3-dev binutils-dev libssl-dev libiberty-dev libnl-genl-3-dev \
            libnl-route-3-dev libdbus-1-dev bridge-utils tshark python3-pycryptodome
+          sudo pip install pycryptodome

      - name: Checking if we have hostap in cache
        uses: actions/cache/restore@v4
@@ -312,6 +313,7 @@ jobs:
            KERNELDIR=$GITHUB_WORKSPACE/linux
            KVMARGS="-cpu host"
          EOF
+          git config --global --add safe.directory $GITHUB_WORKSPACE/hostap
          # Run tests in increments of 200 to not stall out the parallel-vm script
          while mapfile -t -n 200 ary && ((${#ary[@]})); do
            TESTS=$(printf '%s\n' "${ary[@]}" | tr '\n' ' ')
--- a/.github/workflows/intelasm-c-fallback.yml
+++ b/.github/workflows/intelasm-c-fallback.yml
@@ -18,7 +18,7 @@ jobs:
      matrix:
        config: [
          # Add new configs here
-          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWC_AES_C_DYNAMIC_FALLBACK -DWC_C_DYNAMIC_FALLBACK -DDEBUG_VECTOR_REGISTER_ACCESS -DDEBUG_VECTOR_REGISTER_ACCESS_FUZZING -DWC_DEBUG_CIPHER_LIFECYCLE"'
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWC_C_DYNAMIC_FALLBACK -DDEBUG_VECTOR_REGISTER_ACCESS -DDEBUG_VECTOR_REGISTER_ACCESS_FUZZING -DWC_DEBUG_CIPHER_LIFECYCLE"'
        ]
    name: make check
    if: github.repository_owner == 'wolfssl'
--- a/.github/workflows/jwt-cpp.yml
+++ b/.github/workflows/jwt-cpp.yml
@@ -66,6 +66,11 @@ jobs:
        with:
          name: wolf-install-jwt-cpp

+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
      - name: untar build-dir
        run: tar -xf build-dir.tgz

@@ -87,7 +92,7 @@ jobs:
        run: |
          patch -p1 < ../osp/jwt-cpp/${{ matrix.config.ref }}.patch
          PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
-            cmake -B build -DJWT_SSL_LIBRARY:STRING=wolfSSL -DJWT_BUILD_TESTS=ON .
+            cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.5 -B build -DJWT_SSL_LIBRARY:STRING=wolfSSL -DJWT_BUILD_TESTS=ON .
          make -j -C build
          ldd ./build/tests/jwt-cpp-test | grep wolfssl

--- a/.github/workflows/libvncserver.yml
+++ b/.github/workflows/libvncserver.yml
@@ -55,6 +55,11 @@ jobs:
        with:
          name: wolf-install-libvncserver

+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
      - name: untar build-dir
        run: tar -xf build-dir.tgz

@@ -76,7 +81,7 @@ jobs:
        run: |
          patch -p1 < ../osp/libvncserver/${{ matrix.ref }}.patch
          PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
-            cmake -B build -DWITH_GNUTLS=OFF -DWITH_OPENSSL=OFF -DWITH_GCRYPT=OFF -DWITH_WOLFSSL=ON .
+            cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.5 -B build -DWITH_GNUTLS=OFF -DWITH_OPENSSL=OFF -DWITH_GCRYPT=OFF -DWITH_WOLFSSL=ON .
          make -j -C build VERBOSE=1
          ldd build/libvncclient.so | grep wolfssl
          ldd build/libvncserver.so | grep wolfssl
--- a/.github/workflows/multi-compiler.yml
+++ b/.github/workflows/multi-compiler.yml
@@ -21,31 +21,28 @@ jobs:
        include:
          - CC: gcc-9
            CXX: g++-9
-            OS: ubuntu-22.04
+            OS: ubuntu-24.04
          - CC: gcc-10
            CXX: g++-10
-            OS: ubuntu-22.04
+            OS: ubuntu-24.04
          - CC: gcc-11
            CXX: g++-11
-            OS: ubuntu-22.04
+            OS: ubuntu-24.04
          - CC: gcc-12
            CXX: g++-12
-            OS: ubuntu-22.04
-          - CC: clang-10
-            CXX: clang++-10
-            OS: ubuntu-20.04
+            OS: ubuntu-24.04
          - CC: clang-11
            CXX: clang++-11
-            OS: ubuntu-20.04
+            OS: ubuntu-22.04
          - CC: clang-12
            CXX: clang++-12
-            OS: ubuntu-20.04
+            OS: ubuntu-22.04
          - CC: clang-13
            CXX: clang++-13
            OS: ubuntu-22.04
          - CC: clang-14
            CXX: clang++-14
-            OS: ubuntu-22.04
+            OS: ubuntu-24.04
    if: github.repository_owner == 'wolfssl'
    runs-on: ${{ matrix.OS }}
    # This should be a safe limit for the tests to run.
--- a/.github/workflows/pq-all.yml
+++ b/.github/workflows/pq-all.yml
@@ -18,7 +18,8 @@ jobs:
      matrix:
        config: [
          # Add new configs here
-          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST"'
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" CC=c++'
        ]
    name: make check
    if: github.repository_owner == 'wolfssl'
--- a/.github/workflows/zephyr.yml
+++ b/.github/workflows/zephyr.yml
@@ -49,6 +49,11 @@ jobs:
            python3-ply python3-setuptools python-is-python3 qemu-kvm rsync socat srecord sudo \
            texinfo unzip wget ovmf xz-utils

+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
      - name: Install west
        run: sudo pip install west

--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -9,9 +9,17 @@ APP_ESP_HTTP_CLIENT_EXAMPLE
 APSTUDIO_INVOKED
 ARCH_sim
 ARDUINO
+ARDUINO_ARCH_ESP32
+ARDUINO_ARCH_ESP8266
+ARDUINO_ARCH_MBED
+ARDUINO_ARCH_NRF52
 ARDUINO_ARCH_RP2040
+ARDUINO_ARCH_SAMD
+ARDUINO_ARCH_STM32
 ARDUINO_SAMD_NANO_33_IOT
 ARDUINO_SAM_DUE
+ARDUINO_SEEED_XIAO
+ARDUINO_TEENSY41
 ASN_DUMP_OID
 ASN_TEMPLATE_SKIP_ISCA_CHECK
 ATCAPRINTF
@@ -81,10 +89,12 @@ CONFIG_IDF_TARGET_ESP32C2
 CONFIG_IDF_TARGET_ESP32C3
 CONFIG_IDF_TARGET_ESP32C6
 CONFIG_IDF_TARGET_ESP32H2
+CONFIG_IDF_TARGET_ESP32P4
 CONFIG_IDF_TARGET_ESP32S2
 CONFIG_IDF_TARGET_ESP32S3
 CONFIG_IDF_TARGET_ESP8266
 CONFIG_IDF_TARGET_ESP8684
+CONFIG_KASAN
 CONFIG_MAIN_TASK_STACK_SIZE
 CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
 CONFIG_MBEDTLS_PSA_CRYPTO_C
@@ -155,6 +165,7 @@ CRYP_KEYSIZE_192B
 CSM_UNSUPPORTED_ALGS
 CTYPE_USER
 CURVED448_SMALL
+CUSTOM_ENTROPY_TIMEHIRES
 CY_USING_HAL
 DCP_USE_DCACHE
 DILITHIUM_MUL_11_SLOW
@@ -175,6 +186,7 @@ ESP_IDF_VERSION_MAJOR
 ESP_IDF_VERSION_MINOR
 ESP_PLATFORM
 ESP_TASK_MAIN_STACK
+ETHERNET_AVAILABLE
 EV_TRIGGER
 FP_ECC_CONTROL
 FREERTOS_TCP_WINSIM
@@ -244,6 +256,7 @@ HSM_KEY_TYPE_HMAC_512
 HSM_OP_KEY_GENERATION_FLAGS_CREATE
 HSM_OP_KEY_GENERATION_FLAGS_UPDATE
 HSM_SVC_KEY_STORE_FLAGS_UPDATE
+HWCAP_ASIMDRDM
 IDIRECT_DEV_RANDOM
 IDIRECT_DEV_TIME
 ID_TRNG
@@ -255,7 +268,6 @@ INTIMEVER
 IOTSAFE_NO_GETDATA
 IOTSAFE_SIG_8BIT_LENGTH
 KCAPI_USE_XMALLOC
-KYBER_NONDETERMINISTIC
 K_SERIES
 LIBWOLFSSL_VERSION_GIT_BRANCH
 LIBWOLFSSL_VERSION_GIT_HASH
@@ -284,6 +296,7 @@ MICRIUM_MALLOC
 MICROCHIP_MPLAB_HARMONY
 MICROCHIP_MPLAB_HARMONY_3
 MICRO_SESSION_CACHEx
+MLKEM_NONDETERMINISTIC
 MODULE_SOCK_TCP
 MP_31BIT
 MP_8BIT
@@ -314,6 +327,7 @@ NO_ECC384
 NO_ECC521
 NO_ECC_CACHE_CURVE
 NO_ECC_CHECK_KEY
+NO_ECC_CHECK_PUBKEY_ORDER
 NO_ECC_KEY_IMPORT
 NO_ECC_MAKE_PUB
 NO_ED25519_CLIENT_AUTH
@@ -470,6 +484,7 @@ STM32U575xx
 STM32U585xx
 STM32U5A9xx
 STM32WB55xx
+STM32WBA52xx
 STM32WL55xx
 STM32_AESGCM_PARTIAL
 STM32_HW_CLOCK_AUTO
@@ -479,9 +494,12 @@ TCP_NODELAY
 TFM_ALREADY_SET
 TFM_SMALL_MONT_SET
 THREADED_SNIFFTEST
+TIF_NEED_FPU_LOAD
 TIME_T_NOT_LONG
 TI_DUMMY_BUILD
 TLS13_RSA_PSS_SIGN_CB_NO_PREHASH
+TSIP_RSAES_1024
+TSIP_RSAES_2048
 UNICODE
 USER_CA_CB
 USER_CUSTOM_SNIFFX
@@ -508,7 +526,7 @@ WC_AES_GCM_DEC_AUTH_EARLY
 WC_ASN_HASH_SHA256
 WC_ASYNC_ENABLE_3DES
 WC_ASYNC_ENABLE_AES
-/* ARC4 implementation has been removed */
+WC_ASYNC_ENABLE_ARC4
 WC_ASYNC_ENABLE_DH
 WC_ASYNC_ENABLE_ECC
 WC_ASYNC_ENABLE_ECC_KEYGEN
@@ -524,6 +542,7 @@ WC_ASYNC_ENABLE_SHA384
 WC_ASYNC_ENABLE_SHA512
 WC_ASYNC_NO_CRYPT
 WC_ASYNC_NO_HASH
+WC_CACHE_RESISTANT_BASE64_TABLE
 WC_DILITHIUM_CACHE_PRIV_VECTORS
 WC_DILITHIUM_CACHE_PUB_VECTORS
 WC_DILITHIUM_FIXED_ARRAY
@@ -545,7 +564,9 @@ WC_SHA384_DIGEST_SIZE
 WC_SHA512
 WC_SSIZE_TYPE
 WC_STRICT_SIG
+WC_WANT_FLAG_DONT_USE_AESNI
 WC_XMSS_FULL_HASH
+WIFI_AVAILABLE
 WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
 WOLFSENTRY_H
 WOLFSENTRY_NO_JSON
@@ -553,6 +574,7 @@ WOLFSSL_32BIT_MILLI_TIME
 WOLFSSL_AARCH64_PRIVILEGE_MODE
 WOLFSSL_AESNI_BY4
 WOLFSSL_AESNI_BY6
+WOLFSSL_AES_CTR_EXAMPLE
 WOLFSSL_AFTER_DATE_CLOCK_SKEW
 WOLFSSL_ALGO_HW_MUTEX
 WOLFSSL_ALLOW_CRIT_AIA
@@ -570,7 +592,6 @@ WOLFSSL_ARM_ARCH_NEON_64BIT
 WOLFSSL_ASCON_UNROLL
 WOLFSSL_ASNC_CRYPT
 WOLFSSL_ASN_EXTRA
-WOLFSSL_ASN_INT_LEAD_0_ANY
 WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
 WOLFSSL_ASN_TEMPLATE_TYPE_CHECK
 WOLFSSL_ATECC508
@@ -599,6 +620,7 @@ WOLFSSL_CHECK_DESKEY
 WOLFSSL_CHECK_MEM_ZERO
 WOLFSSL_CHIBIOS
 WOLFSSL_CLANG_TIDY
+WOLFSSL_CLIENT_EXAMPLE
 WOLFSSL_COMMERCIAL_LICENSE
 WOLFSSL_CONTIKI
 WOLFSSL_CRL_ALLOW_MISSING_CDP
@@ -663,10 +685,9 @@ WOLFSSL_IMXRT_DCP
 WOLFSSL_ISOTP
 WOLFSSL_KEIL
 WOLFSSL_KEIL_NET
-WOLFSSL_KYBER_INVNTT_UNROLL
-WOLFSSL_KYBER_NO_LARGE_CODE
-WOLFSSL_KYBER_NO_MALLOC
-WOLFSSL_KYBER_NTT_UNROLL
+WOLFSSL_KYBER_NO_DECAPSULATE
+WOLFSSL_KYBER_NO_ENCAPSULATE
+WOLFSSL_KYBER_NO_MAKE_KEY
 WOLFSSL_LIB
 WOLFSSL_LMS_CACHE_BITS
 WOLFSSL_LMS_FULL_HASH
@@ -681,7 +702,11 @@ WOLFSSL_MAKE_SYSTEM_NAME_WSL
 WOLFSSL_MDK5
 WOLFSSL_MEM_FAIL_COUNT
 WOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM
+WOLFSSL_MLKEM_INVNTT_UNROLL
 WOLFSSL_MLKEM_MAKEKEY_SMALL_MEM
+WOLFSSL_MLKEM_NO_LARGE_CODE
+WOLFSSL_MLKEM_NO_MALLOC
+WOLFSSL_MLKEM_NTT_UNROLL
 WOLFSSL_MONT_RED_CT
 WOLFSSL_MP_COND_COPY
 WOLFSSL_MP_INVMOD_CONSTANT_TIME
@@ -757,6 +782,7 @@ WOLFSSL_RENESAS_RSIP
 WOLFSSL_RENESAS_RZN2L
 WOLFSSL_RENESAS_TLS
 WOLFSSL_RENESAS_TSIP_IAREWRX
+WOLFSSL_REQUIRE_TCA
 WOLFSSL_RSA_CHECK_D_ON_DECRYPT
 WOLFSSL_RSA_DECRYPT_TO_0_LEN
 WOLFSSL_RW_THREADED
@@ -769,6 +795,7 @@ WOLFSSL_SE050_INIT
 WOLFSSL_SE050_NO_RSA
 WOLFSSL_SE050_NO_TRNG
 WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
+WOLFSSL_SERVER_EXAMPLE
 WOLFSSL_SETTINGS_FILE
 WOLFSSL_SH224
 WOLFSSL_SHA256_ALT_CH_MAJ
@@ -777,7 +804,6 @@ WOLFSSL_SILABS_TRNG
 WOLFSSL_SM4_EBC
 WOLFSSL_SNIFFER_NO_RECOVERY
 WOLFSSL_SP_ARM32_UDIV
-WOLFSSL_SP_DH
 WOLFSSL_SP_FAST_NCT_EXPTMOD
 WOLFSSL_SP_INT_SQR_VOLATILE
 WOLFSSL_STACK_CHECK
@@ -786,6 +812,7 @@ WOLFSSL_STM32_RNG_NOLIB
 WOLFSSL_STRONGEST_HASH_SIG
 WOLFSSL_STSAFE_TAKES_SLOT
 WOLFSSL_TELIT_M2MB
+WOLFSSL_TEMPLATE_EXAMPLE
 WOLFSSL_THREADED_CRYPT
 WOLFSSL_TICKET_DECRYPT_NO_CREATE
 WOLFSSL_TICKET_ENC_AES128_GCM
@@ -831,6 +858,7 @@ WOLF_CRYPTO_CB_ONLY_ECC
 WOLF_CRYPTO_CB_ONLY_RSA
 WOLF_CRYPTO_DEV
 WOLF_NO_TRAILING_ENUM_COMMAS
+WindowsCE
 XGETPASSWD
 XMSS_CALL_PRF_KEYGEN
 XPAR_VERSAL_CIPS_0_PSPMC_0_PSV_CORTEXA72_0_TIMESTAMP_CLK_FREQ
@@ -880,6 +908,7 @@ __BIG_ENDIAN__
 __BORLANDC__
 __CCRX__
 __COMPILER_VER__
+__COUNTER__
 __CYGWIN__
 __DATE__
 __DCACHE_PRESENT
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,7 +34,7 @@ if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
     You must delete them, or cmake will refuse to work.")
 endif()

-project(wolfssl VERSION 5.7.6 LANGUAGES C ASM)
+project(wolfssl VERSION 5.8.0 LANGUAGES C ASM)

 # Set WOLFSSL_ROOT if not already defined
 if ("${WOLFSSL_ROOT}" STREQUAL "")
@@ -53,7 +53,7 @@ set(WOLFSSL_LIBRARY_VERSION_FIRST 43)

 # increment if interfaces have been added
 # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented
-set(WOLFSSL_LIBRARY_VERSION_SECOND 0)
+set(WOLFSSL_LIBRARY_VERSION_SECOND 1)

 # increment if source code has changed
 # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented or
@@ -125,6 +125,9 @@ check_function_exists("socket" HAVE_SOCKET)
 check_function_exists("strftime" HAVE_STRFTIME)
 check_function_exists("__atomic_fetch_add" HAVE_C___ATOMIC)

+include(CheckSymbolExists)
+check_symbol_exists(isascii "ctype.h" HAVE_ISASCII)
+
 include(CheckTypeSize)

 check_type_size("__uint128_t" __UINT128_T)
@@ -569,9 +572,18 @@ add_option(WOLFSSL_OQS
    "Enable integration with the OQS (Open Quantum Safe) liboqs library (default: disabled)"
    "no" "yes;no")

-# Kyber
-add_option(WOLFSSL_KYBER
-    "Enable the wolfSSL PQ Kyber library (default: disabled)"
+# ML-KEM/Kyber
+add_option(WOLFSSL_MLKEM
+    "Enable the wolfSSL PQ ML-KEM library (default: disabled)"
+    "no" "yes;no")
+
+# LMS
+add_option(WOLFSSL_LMS
+    "Enable the PQ LMS Stateful Hash-based Signature Scheme (default: disabled)"
+    "no" "yes;no")
+
+add_option(WOLFSSL_LMSSHA256192
+    "Enable the LMS SHA_256_192 truncated variant (default: disabled)"
    "no" "yes;no")

 # Experimental features
@@ -587,7 +599,7 @@ if (WOLFSSL_EXPERIMENTAL)
    # check if any experimental features are also enabled:
    set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 0)

-    set_wolfssl_definitions("WOLFSSL_EXPERIMENTAL_SETTINGS" RESUlT)
+    set_wolfssl_definitions("WOLFSSL_EXPERIMENTAL_SETTINGS" RESULT)

    # Checking for experimental feature: OQS
    message(STATUS "Looking for WOLFSSL_OQS")
@@ -602,9 +614,9 @@ if (WOLFSSL_EXPERIMENTAL)
            list(APPEND WOLFSSL_LINK_LIBS ${OQS_LIBRARY})
            list(APPEND WOLFSSL_INCLUDE_DIRS ${OQS_INCLUDE_DIR})

-            set_wolfssl_definitions("HAVE_LIBOQS"          RESUlT)
-            set_wolfssl_definitions("HAVE_TLS_EXTENSIONS"  RESUlT)
-            set_wolfssl_definitions("OPENSSL_EXTRA"        RESUlT)
+            set_wolfssl_definitions("HAVE_LIBOQS"          RESULT)
+            set_wolfssl_definitions("HAVE_TLS_EXTENSIONS"  RESULT)
+            set_wolfssl_definitions("OPENSSL_EXTRA"        RESULT)

        else()
            message(STATUS "Checking OQS - not found")
@@ -614,20 +626,52 @@ if (WOLFSSL_EXPERIMENTAL)
        message(STATUS "Looking for WOLFSSL_OQS - not found")
    endif()

-    # Checking for experimental feature: Kyber
-    message(STATUS "Looking for WOLFSSL_KYBER")
-    if (WOLFSSL_KYBER)
+    # Checking for experimental feature: WOLFSSL_MLKEM
+    message(STATUS "Looking for WOLFSSL_MLKEM")
+    if (WOLFSSL_MLKEM)
        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)

-        message(STATUS "Automatically set related requirements for Kyber:")
-        set_wolfssl_definitions("WOLFSSL_HAVE_KYBER" RESUlT)
-        set_wolfssl_definitions("WOLFSSL_WC_KYBER"   RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"       RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESUlT)
-        message(STATUS "Looking for WOLFSSL_KYBER - found")
+        message(STATUS "Automatically set related requirements for ML-KEM:")
+        add_definitions("-DWOLFSSL_HAVE_MLKEM")
+        add_definitions("-DWOLFSSL_WC_MLKEM")
+        add_definitions("-DWOLFSSL_SHA3")
+        add_definitions("-DWOLFSSL_SHAKE128")
+        add_definitions("-DWOLFSSL_SHAKE256")
+
+        set_wolfssl_definitions("WOLFSSL_HAVE_MLKEM" RESULT)
+        set_wolfssl_definitions("WOLFSSL_WC_MLKEM"   RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHA3"       RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
+        message(STATUS "Looking for WOLFSSL_MLKEM - found")
    else()
-        message(STATUS "Looking for WOLFSSL_KYBER - not found")
+        message(STATUS "Looking for WOLFSSL_MLKEM - not found")
+    endif()
+
+    # Checking for experimental feature: WOLFSSL_LMS
+    message(STATUS "Looking for WOLFSSL_LMS")
+    if (WOLFSSL_LMS)
+        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 2)
+
+        message(STATUS "Automatically set related requirements for LMS")
+        add_definitions("-DWOLFSSL_HAVE_LMS")
+        add_definitions("-DWOLFSSL_WC_LMS")
+        set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
+        set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
+        message(STATUS "Looking for WOLFSSL_LMS - found")
+        # Checking for experimental feature: WOLFSSL_LMSSHA256192
+        if (WOLFSSL_LMSSHA256192)
+            message(STATUS "Automatically set related requirements for LMS SHA256-192")
+            add_definitions("-DWOLFSSL_LMS_SHA256_192")
+            add_definitions("-DWOLFSSL_NO_LMS_SHA256_256")
+            set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
+            set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
+            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - found")
+        else()
+            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - not found")
+        endif()
+    else()
+        message(STATUS "Looking for WOLFSSL_LMS - not found")
    endif()

    # Other experimental feature detection can be added here...
@@ -640,8 +684,8 @@ if (WOLFSSL_EXPERIMENTAL)
    endif()

    # Sanity checks
-    if(WOLFSSL_OQS AND WOLFSSL_KYBER)
-        message(FATAL_ERROR "Error: cannot enable both WOLFSSL_OQS and WOLFSSL_KYBER at the same time.")
+    if(WOLFSSL_OQS AND WOLFSSL_MLKEM)
+        message(FATAL_ERROR "Error: cannot enable both WOLFSSL_OQS and WOLFSSL_MLKEM at the same time.")
    endif()

 else()
@@ -650,8 +694,8 @@ else()
    if (WOLFSSL_OQS)
        message(FATAL_ERROR "Error: WOLFSSL_OQS requires WOLFSSL_EXPERIMENTAL at this time.")
    endif()
-    if(WOLFSSL_KYBER)
-        message(FATAL_ERROR "Error: WOLFSSL_KYBER requires WOLFSSL_EXPERIMENTAL at this time.")
+    if(WOLFSSL_MLKEM)
+        message(FATAL_ERROR "Error: WOLFSSL_MLKEM requires WOLFSSL_EXPERIMENTAL at this time.")
    endif()
 endif()

@@ -752,7 +796,8 @@ add_option("WOLFSSL_AESCTR"

 if(WOLFSSL_OPENVPN OR
   WOLFSSL_LIBSSH2 OR
-   WOLFSSL_AESSIV)
+   WOLFSSL_AESSIV OR
+   WOLFSSL_CLU)
    override_cache(WOLFSSL_AESCTR "yes")
 endif()

@@ -892,7 +937,7 @@ endif()
 #       - SEP

 add_option("WOLFSSL_KEYGEN"
-    "Enable key generation (default: disabled)])"
+    "Enable key generation (default: disabled)"
    "no" "yes;no")

 add_option("WOLFSSL_CERTGEN"
@@ -1019,7 +1064,7 @@ add_option("WOLFSSL_ED25519"
    "Enable ED25519 (default: disabled)"
    "no" "yes;no")

-if(WOLFSSL_OPENSSH)
+if(WOLFSSL_OPENSSH OR WOLFSSL_CLU)
    override_cache(WOLFSSL_ED25519 "yes")
 endif()

@@ -1353,8 +1398,8 @@ if(NOT WOLFSSL_DES3_TLS_SUITES)
    list(APPEND WOLFSSL_DEFINITIONS "-DNO_DES3_TLS_SUITES")
 endif()

-# RC4 API (ARC4 implementation removed)
-set(WOLFSSL_ARC4_HELP_STRING "Enable RC4 API (default: disabled, ARC4 implementation removed)")
+# ARC4
+set(WOLFSSL_ARC4_HELP_STRING "Enable ARC4 (default: disabled)")
 add_option("WOLFSSL_ARC4" ${WOLFSSL_ARC4_HELP_STRING} "no" "yes;no")

 if(WOLFSSL_OPENSSH OR WOLFSSL_WPAS)
@@ -1694,6 +1739,9 @@ add_option(WOLFSSL_PKCS7 ${WOLFSSL_PKCS7_HELP_STRING} "no" "yes;no")
 set(WOLFSSL_TPM_HELP_STRING "Enable wolfTPM options (default: disabled)")
 add_option(WOLFSSL_TPM ${WOLFSSL_TPM_HELP_STRING} "no" "yes;no")

+set(WOLFSSL_CLU_HELP_STRING "Enable wolfCLU options (default: disabled)")
+add_option(WOLFSSL_CLU ${WOLFSSL_CLU_HELP_STRING} "no" "yes;no")
+
 set(WOLFSSL_AESKEYWRAP_HELP_STRING "Enable AES key wrap support (default: disabled)")
 add_option(WOLFSSL_AESKEYWRAP ${WOLFSSL_AESKEYWRAP_HELP_STRING} "no" "yes;no")

@@ -2038,6 +2086,25 @@ if(WOLFSSL_TPM)
    override_cache(WOLFSSL_AESCFB   "yes")
 endif()

+if(WOLFSSL_CLU)
+    override_cache(WOLFSSL_CERTGEN  "yes")
+    override_cache(WOLFSSL_CERTREQ  "yes")
+    override_cache(WOLFSSL_CERTEXT  "yes")
+    override_cache(WOLFSSL_MD5      "yes")
+    override_cache(WOLFSSL_AESCTR   "yes")
+    override_cache(WOLFSSL_KEYGEN   "yes")
+    override_cache(WOLFSSL_OPENSSLALL "yes")
+    override_cache(WOLFSSL_ED25519  "yes")
+    override_cache(WOLFSSL_SHA512   "yes")
+    override_cache(WOLFSSL_DES3     "yes")
+    override_cache(WOLFSSL_PKCS7    "yes")
+    list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_OID_ENCODING" "-DWOLFSSL_NO_ASN_STRICT" "-DWOLFSSL_ALT_NAMES")
+    # Add OPENSSL_ALL definition to ensure OpenSSL compatibility functions are available
+    list(APPEND WOLFSSL_DEFINITIONS "-DOPENSSL_ALL")
+    # Remove NO_DES3 from WOLFSSL_DEFINITIONS to ensure DES3 is enabled
+    list(REMOVE_ITEM WOLFSSL_DEFINITIONS "-DNO_DES3")
+endif()
+
 if(WOLFSSL_AESCFB)
    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_AES_CFB")
 endif()
@@ -2297,6 +2364,18 @@ if (ENABLE_SCCACHE AND (NOT WOLFSSL_SCCACHE_ALREADY_SET_FLAG))
    endif()
 endif()

+add_option("WOLFSSL_KEYLOG_EXPORT"
+    "Enable insecure export of TLS secrets to an NSS keylog file (default: disabled)"
+    "no" "yes;no")
+if(WOLFSSL_KEYLOG_EXPORT)
+    message(WARNING "Keylog export enabled -- Sensitive key data will be stored insecurely.")
+    list(APPEND WOLFSSL_DEFINITIONS
+        "-DSHOW_SECRETS"
+        "-DHAVE_SECRET_CALLBACK"
+        "-DWOLFSSL_SSLKEYLOGFILE"
+        "-DWOLFSSL_KEYLOG_EXPORT_WARNED")
+endif()
+

 file(REMOVE ${OPTION_FILE})

@@ -2530,16 +2609,30 @@ if(WOLFSSL_EXAMPLES)
        tests/api/test_poly1305.c
        tests/api/test_chacha20_poly1305.c
        tests/api/test_camellia.c
-        # ARC4 implementation has been removed
+        tests/api/test_arc4.c
        tests/api/test_rc2.c
        tests/api/test_aes.c
        tests/api/test_ascon.c
        tests/api/test_sm4.c
        tests/api/test_wc_encrypt.c
+        tests/api/test_random.c
+        tests/api/test_wolfmath.c
+        tests/api/test_rsa.c
+        tests/api/test_dsa.c
+        tests/api/test_dh.c
+        tests/api/test_ecc.c
+        tests/api/test_sm2.c
+        tests/api/test_curve25519.c
+        tests/api/test_ed25519.c
+        tests/api/test_curve448.c
+        tests/api/test_ed448.c
        tests/api/test_mlkem.c
+        tests/api/test_mldsa.c
+        tests/api/test_signature.c
        tests/api/test_dtls.c
        tests/api/test_ocsp.c
        tests/api/test_evp.c
+        tests/api/test_tls_ext.c
        tests/srp.c
        tests/suites.c
        tests/w64wrapper.c
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,3 +1,213 @@
+# wolfSSL Release 5.8.0 (Apr 24, 2025)
+
+Release 5.8.0 has been developed according to wolfSSL's development and QA
+process (see link below) and successfully passed the quality criteria.
+https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
+
+NOTE: * --enable-heapmath is deprecated
+
+PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request
+ number where the code change was added.
+
+
+## New Feature Additions
+* Algorithm registration in the Linux kernel module for all supported FIPS AES,
+ SHA, HMAC, ECDSA, ECDH, and RSA modes, key sizes, and digest sizes.
+* Implemented various fixes to support building for Open Watcom including OS/2
+ support and Open Watcom 1.9 compatibility (PR 8505, 8484)
+* Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488)
+* Added support for STM32WBA (PR 8550)
+* Added Extended Master Secret Generation Callback to the --enable-pkcallbacks
+ build (PR 8303)
+* Implement AES-CTS (configure flag --enable-aescts) in wolfCrypt (PR 8594)
+* Added support for libimobiledevice commit 860ffb (PR 8373)
+* Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD
+ (PR 8307)
+* Added blinding option when using a Curve25519 private key by defining the
+ macro WOLFSSL_CURVE25519_BLINDING (PR 8392)
+
+
+## Linux Kernel Module
+* Production-ready LKCAPI registration for cbc(aes), cfb(aes), gcm(aes),
+ rfc4106 (gcm(aes)), ctr(aes), ofb(aes), and ecb(aes), ECDSA with P192, P256,
+ P384, and P521 curves, ECDH with P192, P256, and P384 curves, and RSA with
+ bare and PKCS1 padding
+* Various fixes for LKCAPI wrapper for AES-CBC and AES-CFB (PR 8534, 8552)
+* Adds support for the legacy one-shot AES-GCM back end (PR 8614, 8567) for
+ compatibility with FIPS 140-3 Cert #4718.
+* On kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override
+ macro (PR 8654)
+* Update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit
+ 7450ebd29c (merged for Linux 6.15) (PR 8667)
+* Inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (PR 8673)
+* Fix for uninitialized build error with fedora (PR 8569)
+* Register ecdsa, ecdh, and rsa for use with linux kernel crypto (PR 8637, 8663,
+ 8646)
+* Added force zero shared secret buffer, and clear of old key with ecdh
+ (PR 8685)
+* Update fips-check.sh script to pickup XTS streaming support on aarch64 and
+ disable XTS-384 as an allowed use in FIPS mode (PR 8509, 8546)
+
+
+## Enhancements and Optimizations
+
+### Security & Cryptography
+* Add constant-time implementation improvements for encoding functions. We thank
+ Zhiyuan and Gilles for sharing a new constant-time analysis tool (CT-LLVM) and
+ reporting several non-constant-time implementations. (PR 8396, 8617)
+* Additional support for PKCS7 verify and decode with indefinite lengths
+ (PR 8520, 834, 8645)
+* Add more PQC hybrid key exchange algorithms such as support for combinations
+ with X25519 and X448 enabling compatibility with the PQC key exchange support
+ in Chromium browsers and Mozilla Firefox (PR 7821)
+* Add short-circuit comparisons to DH key validation for RFC 7919 parameters
+ (PR 8335)
+* Improve FIPS compatibility with various build configurations for more resource
+ constrained builds (PR 8370)
+* Added option to disable ECC public key order checking (PR 8581)
+* Allow critical alt and basic constraints extensions (PR 8542)
+* New codepoint for MLDSA to help with interoperability (PR 8393)
+* Add support for parsing trusted PEM certs having the header
+ “BEGIN_TRUSTED_CERT” (PR 8400)
+* Add support for parsing only of DoD certificate policy and Comodo Ltd PKI OIDs
+ (PR 8599, 8686)
+* Update ssl code in `src/*.c` to be consistent with wolfcrypt/src/asn.c
+ handling of ML_DSA vs Dilithium and add dual alg. test (PR 8360, 8425)
+
+### Build System, Configuration, CI & Protocols
+* Internal refactor for include of config.h and when building with
+ BUILDING_WOLFSSL macro. This refactor will give a warning of “deprecated
+ function” when trying to improperly use an internal API of wolfSSL in an
+ external application. (PR 8640, 8647, 8660, 8662, 8664)
+* Add WOLFSSL_CLU option to CMakeLists.txt (PR 8548)
+* Add CMake and Zephyr support for XMSS and LMS (PR 8494)
+* Added GitHub CI for CMake builds (PR 8439)
+* Added necessary macros when building wolfTPM Zephyr with wolfSSL (PR 8382)
+* Add MSYS2 build continuous integration test (PR 8504)
+* Update DevKitPro doc to list calico dependency with build commands (PR 8607)
+* Conversion compiler warning fixes and additional continuous integration test
+ added (PR 8538)
+* Enable DTLS 1.3 by default in --enable-jni builds (PR 8481)
+* Enabled TLS 1.3 middlebox compatibility by default for --enable-jni builds
+ (PR 8526)
+
+### Performance Improvements
+* Performance improvements AES-GCM and HMAC (in/out hash copy) (PR 8429)
+* LMS fixes and improvements adding API to get Key ID from raw private key,
+ change to identifiers to match standard, and fix for when
+ WOLFSSL_LMS_MAX_LEVELS is 1 (PR 8390, 8684, 8613, 8623)
+* ML-KEM/Kyber improvements and fixes; no malloc builds, small memory usage,
+ performance improvement, fix for big-endian (PR 8397, 8412, 8436, 8467, 8619,
+ 8622, 8588)
+* Performance improvements for AES-GCM and when doing multiple HMAC operations
+ (PR 8445)
+
+### Assembly and Platform-Specific Enhancements
+* Poly1305 arm assembly changes adding ARM32 NEON implementation and fix for
+ Aarch64 use (PR 8344, 8561, 8671)
+* Aarch64 assembly enhancement to use more CPU features, fix for FreeBSD/OpenBSD
+ (PR 8325, 8348)
+* Only perform ARM assembly CPUID checks if support was enabled at build time
+ (PR 8566)
+* Optimizations for ARM32 assembly instructions on platforms less than ARMv7
+ (PR 8395)
+* Improve MSVC feature detection for static assert macros (PR 8440)
+* Improve Espressif make and CMake for ESP8266 and ESP32 series (PR 8402)
+* Espressif updates for Kconfig, ESP32P4 and adding a sample user_settings.h
+ (PR 8422, PR 8641)
+
+### OpenSSL Compatibility Layer
+* Modification to the push/pop to/from in OpenSSL compatibility layer. This is
+ a pretty major API change in the OpenSSL compatibility stack functions.
+ Previously the API would push/pop from the beginning of the list but now they
+ operate on the tail of the list. This matters when using the sk_value with
+ index values. (PR 8616)
+* OpenSSL Compat Layer: OCSP response improvements (PR 8408, 8498)
+* Expand the OpenSSL compatibility layer to include an implementation of
+ BN_CTX_get (PR 8388)
+
+### API Additions and Modifications
+* Refactor Hpke to allow multiple uses of a context instead of just one shot
+ mode (PR 6805)
+* Add support for PSK client callback with Ada and use with Alire (thanks
+ @mgrojo, PR 8332, 8606)
+* Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs and add
+ functions wolfSSL_CTX_SetEchConfigs and wolfSSL_CTX_SetEchConfigsBase64 to
+ rotate the server's echConfigs (PR 8556)
+* Added the public API wc_PkcsPad to do PKCS padding (PR 8502)
+* Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate (PR 8518)
+* Update Kyber APIs to ML-KEM APIs (PR 8536)
+* Add option to disallow automatic use of "default" devId using the macro
+ WC_NO_DEFAULT_DEVID (PR 8555)
+* Detect unknown key format on ProcessBufferTryDecode() and handle RSA-PSSk
+ format (PR 8630)
+
+### Porting and Language Support
+* Update Python port to support version 3.12.6 (PR 8345)
+* New additions for MAXQ with wolfPKCS11 (PR 8343)
+* Port to ntp 4.2.8p17 additions (PR 8324)
+* Add version 0.9.14 to tested libvncserver builds (PR 8337)
+
+### General Improvements and Cleanups
+* Cleanups for STM32 AES GCM (PR 8584)
+* Improvements to isascii() and the CMake key log option (PR 8596)
+* Arduino documentation updates, comments and spelling corrections (PR 8381,
+ 8384, 8514)
+* Expanding builds with WOLFSSL_NO_REALLOC for use with --enable-opensslall and
+ --enable-all builds (PR 8369, 8371)
+
+
+## Fixes
+* Fix a use after free caused by an early free on error in the X509 store
+ (PR 8449)
+* Fix to account for existing PKCS8 header with
+ wolfSSL_PEM_write_PKCS8PrivateKey (PR 8612)
+* Fixed failing CMake build issue when standard threads support is not found in
+ the system (PR 8485)
+* Fix segmentation fault in SHA-512 implementation for AVX512 targets built with
+ gcc -march=native -O2 (PR 8329)
+* Fix Windows socket API compatibility warning with mingw32 build (PR 8424)
+* Fix potential null pointer increments in cipher list parsing (PR 8420)
+* Fix for possible stack buffer overflow read with wolfSSL_SMIME_write_PKCS7.
+ Thanks to the team at Code Intelligence for the report. (PR 8466)
+* Fix AES ECB implementation for Aarch64 ARM assembly (PR 8379)
+* Fixed building with VS2008 and .NET 3.5 (PR 8621)
+* Fixed possible error case memory leaks in CRL and EVP_Sign_Final (PR 8447)
+* Fixed SSL_set_mtu compatibility function return code (PR 8330)
+* Fixed Renesas RX TSIP (PR 8595)
+* Fixed ECC non-blocking tests (PR 8533)
+* Fixed CMake on MINGW and MSYS (PR 8377)
+* Fixed Watcom compiler and added new CI test (PR 8391)
+* Fixed STM32 PKA ECC 521-bit support (PR 8450)
+* Fixed STM32 PKA with P521 and shared secret (PR 8601)
+* Fixed crypto callback macro guards with `DEBUG_CRYPTOCB` (PR 8602)
+* Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
+ (PR 8575)
+* Additional sanity check on r and s lengths in DecodeECC_DSA_Sig_Bin (PR 8350)
+* Fix compat. layer ASN1_TIME_diff to accept NULL output params (PR 8407)
+* Fix CMake lean_tls build (PR 8460)
+* Fix for QUIC callback failure (PR 8475)
+* Fix missing alert types in AlertTypeToString for print out with debugging
+ enabled (PR 8572)
+* Fixes for MSVS build issues with PQC configure (PR 8568)
+* Fix for SE050 port and minor improvements (PR 8431, 8437)
+* Fix for missing rewind function in zephyr and add missing files for compiling
+ with assembly optimizations (PR 8531, 8541)
+* Fix for quic_record_append to return the correct code (PR 8340, 8358)
+* Fixes for Bind 9.18.28 port (PR 8331)
+* Fix to adhere more closely with RFC8446 Appendix D and set haveEMS when
+ negotiating TLS 1.3 (PR 8487)
+* Fix to properly check for signature_algorithms from the client in a TLS 1.3
+ server (PR 8356)
+* Fix for when BIO data is less than seq buffer size. Thanks to the team at Code
+ Intelligence for the report (PR 8426)
+* ARM32/Thumb2 fixes for WOLFSSL_NO_VAR_ASSIGN_REG and td4 variable declarations
+ (PR 8590, 8635)
+* Fix for Intel AVX1/SSE2 assembly to not use vzeroupper instructions unless ymm
+ or zmm registers are used (PR 8479)
+* Entropy MemUse fix for when block size less than update bits (PR 8675)
+
+
 # wolfSSL Release 5.7.6 (Dec 31, 2024)

 Release 5.7.6 has been developed according to wolfSSL's development and QA
--- a/IDE/ARDUINO/README.md
+++ b/IDE/ARDUINO/README.md
@@ -2,8 +2,19 @@

 See the [example sketches](./sketches/README.md):

- [sketches/wolfssl_server](./sketches/wolfssl_server/README.md)
- [sketches/wolfssl_client](./sketches/wolfssl_client/README.md)
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+Bare-bones templates:
+
+- [sketches/wolfssl_version](./sketches/wolfssl_version/README.md) single file.
+- [sketches/template](./sketches/template/README.md) multiple file example.
+
+Functional examples:
+- [sketches/wolfssl_AES_CTR](./sketches/wolfssl_AES_CTR/README.md) AES CTR Encrypt / decrypt.
+- [sketches/wolfssl_client](./sketches/wolfssl_client/README.md) TLS Client.
+- [sketches/wolfssl_server](./sketches/wolfssl_server/README.md) TLS Server.
+
+Both the `template` and `wolfssl_AES_CTR` examples include VisualGDB project files.

 When publishing a new version to the Arduino Registry, be sure to edit `WOLFSSL_VERSION_ARUINO_SUFFIX` in the `wolfssl-arduino.sh` script.

@@ -62,7 +73,7 @@ from within the `wolfssl/IDE/ARDUINO` directory:

 1. `./wolfssl-arduino.sh`
    - Creates an Arduino Library directory structure in the local `wolfSSL` directory of `IDE/ARDUINO`.
-    - You can add your own `user_settings.h`, or copy/rename the [default](../../examples/configs/user_settings_arduino.h).
+    - You can add your own `user_settings.h`, or copy/rename the [default](https://github.com/wolfSSL/wolfssl/blob/master/examples/configs/user_settings_arduino.h).

 2. `./wolfssl-arduino.sh INSTALL` (The most common option)
    - Creates an Arduino Library in the local `wolfSSL` directory
--- a/IDE/ARDUINO/include.am
+++ b/IDE/ARDUINO/include.am
@@ -2,16 +2,32 @@
 # included from Top Level Makefile.am
 # All paths should be given relative to the root

+# Library files:
 EXTRA_DIST+= IDE/ARDUINO/README.md
+
+# There's an Arduino-specific Arduino_README_prepend.md that will be prepended to wolfSSL README.md
+# Not to be confused with the interim PREPENDED_README.md that is created by script.
 EXTRA_DIST+= IDE/ARDUINO/Arduino_README_prepend.md
+
+# Core library files
+EXTRA_DIST+= IDE/ARDUINO/wolfssl.h
+EXTRA_DIST+= IDE/ARDUINO/wolfssl.h
+EXTRA_DIST+= IDE/ARDUINO/wolfssl-arduino.cpp
+
 EXTRA_DIST+= IDE/ARDUINO/keywords.txt
 EXTRA_DIST+= IDE/ARDUINO/library.properties.template
+
+# Sketch Examples
 EXTRA_DIST+= IDE/ARDUINO/sketches/README.md
+
+# wolfssl_client example sketch
 EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_client/README.md
-EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino
+
+# wolfssl_server example sketch
 EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_server/README.md
-EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_server/wolfssl_server.ino
+
+# wolfssl_version example sketch
 EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_version/README.md
-EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_version/wolfssl_version.ino
-EXTRA_DIST+= IDE/ARDUINO/wolfssl.h
+
+# Publishing script, either local install or to github.com/wolfSSL/Arduino-wolfSSL clone directory.
 EXTRA_DIST+= IDE/ARDUINO/wolfssl-arduino.sh
--- a/IDE/ARDUINO/sketches/README.md
+++ b/IDE/ARDUINO/sketches/README.md
@@ -1,15 +1,20 @@
 # wolfSSL Arduino Examples

-There are currently two example Arduino sketches:
+There are currently five example Arduino sketches:

-* [wolfssl_client](./wolfssl_client/README.md): Basic TLS listening client.
-* [wolfssl_server](./wolfssl_server/README.md): Basic TLS server.
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+* `template`: Reference template wolfSSL example, including optional VisualGDB project files.
+* `wolfssl_AES_CTR`: Basic AES CTR Encryption / Decryption example.
+* `wolfssl_client`: Basic TLS listening client.
+* `wolfssl_server`: Basic TLS server.
+* `wolfssl_version`: Bare-bones wolfSSL example.

 Examples have been most recently confirmed operational on the
 [Arduino IDE](https://www.arduino.cc/en/software) 2.2.1.

 For examples on other platforms, see the [IDE directory](https://github.com/wolfssl/wolfssl/tree/master/IDE).
-Additional examples can be found on [wolfSSL/wolfssl-examples](https://github.com/wolfSSL/wolfssl-examples/).
+Additional wolfssl examples can be found at [wolfSSL/wolfssl-examples](https://github.com/wolfSSL/wolfssl-examples/).

 ## Using wolfSSL

@@ -20,7 +25,7 @@ The typical include will look something like this:

 /* wolfSSL user_settings.h must be included from settings.h
  * Make all configurations changes in user_settings.h
-  * Do not edit wolfSSL `settings.h` or `configh.h` files.
+  * Do not edit wolfSSL `settings.h` or `config.h` files.
  * Do not explicitly include user_settings.h in any source code.
  * Each Arduino sketch that uses wolfSSL must have: #include "wolfssl.h"
  * C/C++ source files can use: #include <wolfssl/wolfcrypt/settings.h>
@@ -28,7 +33,43 @@ The typical include will look something like this:
  * The wolfSSL "settings.h" must appear before any other wolfSSL include.
  */
 #include <wolfssl.h>
+
+/* settings.h is typically included in wolfssl.h, but here as a reminder: */
+#include <wolfssl/wolfcrypt/settings.h>
+
+/* Any other wolfSSL includes follow:*
 #include <wolfssl/version.h>
 ```

+## Configuring wolfSSL
+
+See the `user_settings.h` in the Arduino library `wolfssl/src` directory. For Windows users this is typically:
+
+```
+C:\Users\%USERNAME%\Documents\Arduino\libraries\wolfssl\src
+```
+
+WARNING: Changes to the library `user_settings.h` file will be lost when upgrading wolfSSL using the Arduino IDE.
+
+## Troubleshooting
+
+If compile problems are encountered, for example:
+
+```
+ctags: cannot open temporary file : File exists
+exit status 1
+
+Compilation error: exit status 1
+```
+
+Try deleting the Arduino cache directory:
+
+```
+C:\Users\%USERNAME%\AppData\Local\arduino\sketches
+```
+
+For VisualGDB users, delete the project `.vs`, `Output`, and `TraceReports` directories.
+
+## More Information
+
 For more details, see [IDE/ARDUINO/README.md](https://github.com/wolfSSL/wolfssl/blob/master/IDE/ARDUINO/README.md)
--- a/IDE/ARDUINO/sketches/wolfssl_client/README.md
+++ b/IDE/ARDUINO/sketches/wolfssl_client/README.md
@@ -1,6 +1,14 @@
 # Arduino Basic TLS Listening Client

-Open the [wolfssl_client.ino](./wolfssl_client.ino) file in the Arduino IDE.
+Open the `wolfssl_client.ino` file in the Arduino IDE.
+
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+If using WiFi, be sure to set `ssid` and `password` values.
+
+May need "Ethernet by Various" library to be installed. Tested with v2.0.2 and v2.8.1.
+
+See the `#define WOLFSSL_TLS_SERVER_HOST` to set your own server address.

 Other IDE products are also supported, such as:

--- a/IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino
+++ b/IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino
@@ -1,903 +0,0 @@
-/* wolfssl_client.ino
- *
- * Copyright (C) 2006-2025 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
-
-/*
-Tested with:
-
-1) Intel Galileo acting as the Client, with a laptop acting as a server using
-   the server example provided in examples/server.
-   Legacy Arduino v1.86 was used to compile and program the Galileo
-
-2) Espressif ESP32 WiFi
-
-3) Arduino Due, Nano33 IoT, Nano RP-2040
-*/
-
-/*
- * Note to code editors: the Arduino client and server examples are edited in
- * parallel for side-by-side comparison between examples.
- */
-
-/* If you have a private include, define it here, otherwise edit WiFi params */
-#define MY_PRIVATE_CONFIG "/workspace/my_private_config.h"
-
-/* set REPEAT_CONNECTION to a non-zero value to continually run the example. */
-#define REPEAT_CONNECTION 0
-
-/* Edit this with your other TLS host server address to connect to: */
-#define WOLFSSL_TLS_SERVER_HOST "192.168.1.39"
-
-/* wolfssl TLS examples communicate on port 11111 */
-#define WOLFSSL_PORT 11111
-
-/* Choose a monitor serial baud rate: 9600, 14400, 19200, 57600, 74880, etc. */
-#define SERIAL_BAUD 115200
-
-/* We'll wait up to 2000 milliseconds to properly shut down connection */
-#define SHUTDOWN_DELAY_MS 2000
-
-/* Number of times to retry connection.  */
-#define RECONNECT_ATTEMPTS 20
-
-/* Optional stress test. Define to consume memory until exhausted: */
-/* #define MEMORY_STRESS_TEST */
-
-/* Choose client or server example, not both. */
-#define WOLFSSL_CLIENT_EXAMPLE
-/* #define WOLFSSL_SERVER_EXAMPLE */
-
-#if defined(MY_PRIVATE_CONFIG)
-    /* the /workspace directory may contain a private config
-     * excluded from GitHub with items such as WiFi passwords */
-    #include MY_PRIVATE_CONFIG
-    static const char* ssid PROGMEM = MY_ARDUINO_WIFI_SSID;
-    static const char* password PROGMEM = MY_ARDUINO_WIFI_PASSWORD;
-#else
-    /* when using WiFi capable boards: */
-    static const char* ssid PROGMEM  = "your_SSID";
-    static const char* password PROGMEM = "your_PASSWORD";
-#endif
-
-#define BROADCAST_ADDRESS "255.255.255.255"
-
-/* There's an optional 3rd party NTPClient library by Fabrice Weinberg.
- * If it is installed, uncomment define USE_NTP_LIB here: */
-/* #define USE_NTP_LIB */
-#ifdef USE_NTP_LIB
-    #include <NTPClient.h>
-#endif
-
-/* wolfSSL user_settings.h must be included from settings.h
- * Make all configurations changes in user_settings.h
- * Do not edit wolfSSL `settings.h` or `config.h` files.
- * Do not explicitly include user_settings.h in any source code.
- * Each Arduino sketch that uses wolfSSL must have: #include "wolfssl.h"
- * C/C++ source files can use: #include <wolfssl/wolfcrypt/settings.h>
- * The wolfSSL "settings.h" must be included in each source file using wolfSSL.
- * The wolfSSL "settings.h" must appear before any other wolfSSL include.
- */
-#include <wolfssl.h>
-/* Important: make sure settings.h appears before any other wolfSSL headers */
-#include <wolfssl/wolfcrypt/settings.h>
-/* Reminder: settings.h includes user_settings.h
- * For ALL project wolfSSL settings, see:
- * [your path]/Arduino\libraries\wolfSSL\src\user_settings.h   */
-#include <wolfssl/ssl.h>
-#include <wolfssl/certs_test.h>
-#include <wolfssl/wolfcrypt/error-crypt.h>
-
-/* Define DEBUG_WOLFSSL in user_settings.h for more verbose logging. */
-#if defined(DEBUG_WOLFSSL)
-    #define PROGRESS_DOT F("")
-#else
-    #define PROGRESS_DOT F(".")
-#endif
-
-/* Convert a macro to a string */
-#define xstr(x) str(x)
-#define str(x) #x
-
-/* optional board-specific networking includes */
-#if defined(ESP32)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    /* Ensure the F() flash macro is defined */
-    #ifndef F
-        #define F
-    #endif
-    WiFiClient client;
-
-#elif defined(ESP8266)
-    #define USING_WIFI
-    #include <ESP8266WiFi.h>
-    WiFiClient client;
-
-#elif defined(ARDUINO_SAM_DUE)
-    #include <SPI.h>
-    /* There's no WiFi/Ethernet on the Due. Requires Ethernet Shield.
-    /* Needs "Ethernet by Various" library to be installed. Tested with V2.0.2 */
-    #include <Ethernet.h>
-    EthernetClient client;
-
-#elif defined(ARDUINO_SAMD_NANO_33_IOT)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h> /* Needs Arduino WiFiNINA library installed manually */
-    WiFiClient client;
-
-#elif defined(ARDUINO_ARCH_RP2040)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h>
-    WiFiClient client;
-
-#elif defined(USING_WIFI)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    WiFiClient client;
-
-/* TODO
-#elif defined(OTHER_BOARD)
-*/
-#else
-    #define USING_WIFI
-    WiFiClient client;
-
-#endif
-
-/* Only for syntax highlighters to show interesting options enabled: */
-#if defined(HAVE_SNI)                           \
-   || defined(HAVE_MAX_FRAGMENT)                  \
-   || defined(HAVE_TRUSTED_CA)                    \
-   || defined(HAVE_TRUNCATED_HMAC)                \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST)    \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \
-   || defined(HAVE_SUPPORTED_CURVES)              \
-   || defined(HAVE_ALPN)                          \
-   || defined(HAVE_SESSION_TICKET)                \
-   || defined(HAVE_SECURE_RENEGOTIATION)          \
-   || defined(HAVE_SERVER_RENEGOTIATION_INFO)
-#endif
-
-static const char host[] PROGMEM = WOLFSSL_TLS_SERVER_HOST; /* server to connect to */
-static const int port PROGMEM = WOLFSSL_PORT; /* port on server to connect to */
-
-static WOLFSSL_CTX* ctx = NULL;
-static WOLFSSL* ssl = NULL;
-static char* wc_error_message = (char*)malloc(80 + 1);
-static char errBuf[80];
-
-#if defined(MEMORY_STRESS_TEST)
-    #define MEMORY_STRESS_ITERATIONS 100
-    #define MEMORY_STRESS_BLOCK_SIZE 1024
-    #define MEMORY_STRESS_INITIAL (4*1024)
-    static char* memory_stress[MEMORY_STRESS_ITERATIONS]; /* typically 1K per item */
-    static int mem_ctr        = 0;
-#endif
-
-static int EthernetSend(WOLFSSL* ssl, char* msg, int sz, void* ctx);
-static int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx);
-static int reconnect = RECONNECT_ATTEMPTS;
-static int lng_index PROGMEM = 0; /* 0 = English */
-
-#if defined(__arm__)
-    #include <malloc.h>
-    extern char _end;
-    extern "C" char *sbrk(int i);
-    static char *ramstart=(char *)0x20070000;
-    static char *ramend=(char *)0x20088000;
-#endif
-
-/*****************************************************************************/
-/* fail_wait - in case of unrecoverable error                                */
-/*****************************************************************************/
-int fail_wait(void) {
-    show_memory();
-
-    Serial.println(F("Failed. Halt."));
-    while (1) {
-        delay(1000);
-    }
-    return 0;
-}
-
-/*****************************************************************************/
-/* show_memory() to optionally view during debugging.                         */
-/*****************************************************************************/
-int show_memory(void)
-{
-#if defined(__arm__)
-    struct mallinfo mi = mallinfo();
-
-    char *heapend=sbrk(0);
-    register char * stack_ptr asm("sp");
-    #if defined(DEBUG_WOLFSSL_VERBOSE)
-        Serial.print("    arena=");
-        Serial.println(mi.arena);
-        Serial.print("  ordblks=");
-        Serial.println(mi.ordblks);
-        Serial.print(" uordblks=");
-        Serial.println(mi.uordblks);
-        Serial.print(" fordblks=");
-        Serial.println(mi.fordblks);
-        Serial.print(" keepcost=");
-        Serial.println(mi.keepcost);
-    #endif
-
-    #if defined(DEBUG_WOLFSSL) || defined(MEMORY_STRESS_TEST)
-        Serial.print("Estimated free memory: ");
-        Serial.print(stack_ptr - heapend + mi.fordblks);
-        Serial.println(F(" bytes"));
-    #endif
-
-    #if (0)
-        /* Experimental: not supported on all devices: */
-        Serial.print("RAM Start %lx\n", (unsigned long)ramstart);
-        Serial.print("Data/Bss end %lx\n", (unsigned long)&_end);
-        Serial.print("Heap End %lx\n", (unsigned long)heapend);
-        Serial.print("Stack Ptr %lx\n",(unsigned long)stack_ptr);
-        Serial.print("RAM End %lx\n", (unsigned long)ramend);
-
-        Serial.print("Heap RAM Used: ",mi.uordblks);
-        Serial.print("Program RAM Used ",&_end - ramstart);
-        Serial.print("Stack RAM Used ",ramend - stack_ptr);
-
-        Serial.print("Estimated Free RAM: %d\n\n",stack_ptr - heapend + mi.fordblks);
-    #endif
-#else
-    Serial.println(F("show_memory() not implemented for this platform"));
-#endif
-    return 0;
-}
-
-/*****************************************************************************/
-/* EthernetSend() to send a message string.                                  */
-/*****************************************************************************/
-int EthernetSend(WOLFSSL* ssl, char* message, int sz, void* ctx) {
-    int sent = 0;
-    (void)ssl;
-    (void)ctx;
-
-    sent = client.write((byte*)message, sz);
-    return sent;
-}
-
-/*****************************************************************************/
-/* EthernetReceive() to receive a reply string.                              */
-/*****************************************************************************/
-int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx) {
-    int ret = 0;
-    (void)ssl;
-    (void)ctx;
-
-    while (client.available() > 0 && ret < sz) {
-        reply[ret++] = client.read();
-    }
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_hardware()                                                  */
-/*****************************************************************************/
-int setup_hardware(void) {
-    int ret = 0;
-
-#if defined(ARDUINO_SAMD_NANO_33_IOT)
-    Serial.println(F("Detected known tested and working Arduino Nano 33 IoT"));
-#elif defined(ARDUINO_ARCH_RP2040)
-    Serial.println(F("Detected known tested and working Arduino RP-2040"));
-#elif defined(__arm__) && defined(ID_TRNG) && defined(TRNG)
-    /* need to manually turn on random number generator on Arduino Due, etc. */
-    pmc_enable_periph_clk(ID_TRNG);
-    trng_enable(TRNG);
-    Serial.println(F("Enabled ARM TRNG"));
-#endif
-
-    show_memory();
-    randomSeed(analogRead(0));
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_datetime()                                                  */
-/*   The device needs to have a valid date within the valid range of certs.  */
-/*****************************************************************************/
-int setup_datetime(void) {
-    int ret = 0;
-    int ntp_tries = 20;
-
-    /* we need a date in the range of cert expiration */
-#ifdef USE_NTP_LIB
-    #if defined(ESP32)
-        NTPClient timeClient(ntpUDP, "pool.ntp.org");
-
-        timeClient.begin();
-        timeClient.update();
-        delay(1000);
-        while (!timeClient.isTimeSet() && (ntp_tries > 0)) {
-            timeClient.forceUpdate();
-            Serial.println(F("Waiting for NTP update"));
-            delay(2000);
-            ntp_tries--;
-        }
-        if (ntp_tries <= 0) {
-            Serial.println(F("Warning: gave up waiting on NTP"));
-        }
-        Serial.println(timeClient.getFormattedTime());
-        Serial.println(timeClient.getEpochTime());
-    #endif
-#endif
-
-#if defined(ESP32)
-    /* see esp32-hal-time.c */
-    ntp_tries = 5;
-    /* Replace "pool.ntp.org" with your preferred NTP server */
-    configTime(0, 0, "pool.ntp.org");
-
-    /* Wait for time to be set */
-    while ((time(nullptr) <= 100000) && ntp_tries > 0) {
-        Serial.println(F("Waiting for time to be set..."));
-        delay(2000);
-        ntp_tries--;
-    }
-#endif
-
-    return ret;
-} /* setup_datetime */
-
-/*****************************************************************************/
-/* Arduino setup_network()                                                   */
-/*****************************************************************************/
-int setup_network(void) {
-    int ret = 0;
-
-#if defined(USING_WIFI)
-    int status = WL_IDLE_STATUS;
-
-    /* The ESP8266 & ESP32 support both AP and STA. We'll use STA: */
-    #if defined(ESP8266) || defined(ESP32)
-        WiFi.mode(WIFI_STA);
-    #else
-        String fv;
-        if (WiFi.status() == WL_NO_MODULE) {
-            Serial.println("Communication with WiFi module failed!");
-            /* don't continue if no network */
-            while (true) ;
-        }
-
-        fv = WiFi.firmwareVersion();
-        if (fv < WIFI_FIRMWARE_LATEST_VERSION) {
-            Serial.println("Please upgrade the firmware");
-        }
-    #endif
-
-    Serial.print(F("Connecting to WiFi "));
-    Serial.print(ssid);
-    status = WiFi.begin(ssid, password);
-    while (status != WL_CONNECTED) {
-        delay(1000);
-        Serial.print(F("."));
-        Serial.print(status);
-        status = WiFi.status();
-    }
-
-    Serial.println(F(" Connected!"));
-#else
-    /* Newer Ethernet shields have a
-     * MAC address printed on a sticker on the shield */
-    byte mac[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };
-    IPAddress ip(192, 168, 1, 42);
-    IPAddress myDns(192, 168, 1, 1);
-    Ethernet.init(10); /* Most Arduino shields */
-    /* Ethernet.init(5);   * MKR ETH Shield */
-    /* Ethernet.init(0);   * Teensy 2.0 */
-    /* Ethernet.init(20);  * Teensy++ 2.0 */
-    /* Ethernet.init(15);  * ESP8266 with Adafruit FeatherWing Ethernet */
-    /* Ethernet.init(33);  * ESP32 with Adafruit FeatherWing Ethernet */
-    Serial.println(F("Initialize Ethernet with DHCP:"));
-    if (Ethernet.begin(mac) == 0) {
-        Serial.println(F("Failed to configure Ethernet using DHCP"));
-        /* Check for Ethernet hardware present */
-        if (Ethernet.hardwareStatus() == EthernetNoHardware) {
-            Serial.println(F("Ethernet shield was not found."));
-            while (true) {
-                delay(1); /* do nothing */
-            }
-        }
-        if (Ethernet.linkStatus() == LinkOFF) {
-            Serial.println(F("Ethernet cable is not connected."));
-        }
-        /* try to configure using IP address instead of DHCP : */
-        Ethernet.begin(mac, ip, myDns);
-    }
-    else {
-        Serial.print(F("  DHCP assigned IP "));
-        Serial.println(Ethernet.localIP());
-    }
-    /* We'll assume the Ethernet connection is ready to go. */
-#endif
-
-    Serial.println(F("********************************************************"));
-    Serial.print(F("      wolfSSL Example Client IP = "));
-#if defined(USING_WIFI)
-    Serial.println(WiFi.localIP());
-#else
-    Serial.println(Ethernet.localIP());
-#endif
-    Serial.print(F("   Configured Server Host to connect to: "));
-    Serial.println(host);
-    Serial.println(F("********************************************************"));
-    Serial.println(F("Setup network complete."));
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_wolfssl()                                                   */
-/*****************************************************************************/
-int setup_wolfssl(void) {
-    int ret = 0;
-    WOLFSSL_METHOD* method;
-
-    /* Show a revision of wolfssl user_settings.h file in use when available: */
-#if defined(WOLFSSL_USER_SETTINGS_ID)
-    Serial.print(F("WOLFSSL_USER_SETTINGS_ID: "));
-    Serial.println(F(WOLFSSL_USER_SETTINGS_ID));
-#else
-    Serial.println(F("No WOLFSSL_USER_SETTINGS_ID found."));
-#endif
-
-#if defined(NO_WOLFSSL_SERVER)
-    Serial.println(F("wolfSSL server code disabled to save space."));
-#endif
-#if defined(NO_WOLFSSL_CLIENT)
-    Serial.println(F("wolfSSL client code disabled to save space."));
-#endif
-
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-    Serial.println(F("wolfSSL Debugging is On!"));
-#else
-    Serial.println(F("wolfSSL Debugging is Off! (enable with DEBUG_WOLFSSL)"));
-#endif
-
-    /* See ssl.c for TLS cache settings. Larger cache = use more RAM. */
-#if defined(NO_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS NO_SESSION_CACHE"));
-#elif defined(MICRO_SESSION_CACHEx)
-    Serial.println(F("wolfSSL TLS MICRO_SESSION_CACHE"));
-#elif defined(SMALL_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS SMALL_SESSION_CACHE"));
-#elif defined(MEDIUM_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS MEDIUM_SESSION_CACHE"));
-#elif defined(BIG_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS BIG_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#else
-    Serial.println(F("WARNING: Unknown or no TLS session cache setting."));
-    /* See wolfssl/src/ssl.c for amount of memory used.
-     * It is best on embedded devices to choose a TLS session cache size. */
-#endif
-
-    ret = wolfSSL_Init();
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.println("Successfully called wolfSSL_Init");
-    }
-    else {
-        Serial.println("ERROR: wolfSSL_Init failed");
-    }
-
-    /* See companion server example with wolfSSLv23_server_method here.
-     * method = wolfSSLv23_client_method());   SSL 3.0 - TLS 1.3.
-     * method = wolfTLSv1_2_client_method();   only TLS 1.2
-     * method = wolfTLSv1_3_client_method();   only TLS 1.3
-     *
-     * see Arduino\libraries\wolfssl\src\user_settings.h */
-
-    Serial.println("Here we go!");
-
-    method = wolfSSLv23_client_method();
-    if (method == NULL) {
-        Serial.println(F("unable to get wolfssl client method"));
-        fail_wait();
-    }
-    ctx = wolfSSL_CTX_new(method);
-    if (ctx == NULL) {
-        Serial.println(F("unable to get ctx"));
-        fail_wait();
-    }
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_certificates()                                              */
-/*****************************************************************************/
-int setup_certificates(void) {
-    int ret = 0;
-
-    Serial.println(F("Initializing certificates..."));
-    show_memory();
-
-    /* Use built-in validation, No verification callback function: */
-    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
-
-    /* Certificate */
-    Serial.println("Initializing certificates...");
-    ret = wolfSSL_CTX_use_certificate_buffer(ctx,
-                                             CTX_CLIENT_CERT,
-                                             CTX_CLIENT_CERT_SIZE,
-                                             CTX_CLIENT_CERT_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use certificate: ");
-        Serial.println(xstr(CTX_SERVER_CERT));
-    }
-    else {
-        Serial.println(F("Error: wolfSSL_CTX_use_certificate_buffer failed: "));
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    /* Setup private client key */
-    ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
-                                            CTX_CLIENT_KEY,
-                                            CTX_CLIENT_KEY_SIZE,
-                                            CTX_CLIENT_KEY_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use private key buffer: ");
-        Serial.println(xstr(CTX_SERVER_KEY));
-    }
-    else {
-        Serial.println(F("Error: wolfSSL_CTX_use_PrivateKey_buffer failed: "));
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    ret = wolfSSL_CTX_load_verify_buffer(ctx,
-                                         CTX_CA_CERT,
-                                         CTX_CA_CERT_SIZE,
-                                         CTX_CA_CERT_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.println(F("Success: load_verify CTX_CA_CERT"));
-    }
-    else {
-        Serial.println(F("Error: wolfSSL_CTX_load_verify_buffer failed: "));
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-
-
-    return ret;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino setup()                                                           */
-/*****************************************************************************/
-/*****************************************************************************/
-void setup(void) {
-    int i = 0;
-    Serial.begin(SERIAL_BAUD);
-    while (!Serial && (i < 10)) {
-        /* wait for serial port to connect. Needed for native USB port only */
-        delay(1000);
-        i++;
-    }
-    Serial.println(F(""));
-    Serial.println(F(""));
-    Serial.println(F("wolfSSL TLS Client Example Startup."));
-
-    /* define DEBUG_WOLFSSL in wolfSSL user_settings.h for diagnostics */
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-#endif
-
-    /* Optionally pre-allocate a large block of memory for testing */
-#if defined(MEMORY_STRESS_TEST)
-    Serial.println(F("WARNING: Memory Stress Test Active!"));
-    Serial.print(F("Allocating extra memory: "));
-    Serial.print(MEMORY_STRESS_INITIAL);
-    Serial.println(F(" bytes..."));
-    memory_stress[mem_ctr] = (char*)malloc(MEMORY_STRESS_INITIAL);
-    show_memory();
-#endif
-
-    setup_hardware();
-
-    setup_network();
-
-    setup_datetime();
-
-    setup_wolfssl();
-
-    setup_certificates();
-
-    /* Initialize wolfSSL using callback functions. */
-    wolfSSL_SetIOSend(ctx, EthernetSend);
-    wolfSSL_SetIORecv(ctx, EthernetReceive);
-
-    Serial.println(F("Completed Arduino setup!"));
-    /* See companion wolfssl_server.ino code; server begins listening here
-     * https://github.com/wolfSSL/wolfssl/tree/master/IDE/ARDUINO/sketches/wolfssl_server
-     * Any other server will work. See also:
-     * https://github.com/wolfSSL/wolfssl/tree/master/examples/client
-     */
-    /* See companion wolfssl_server.ino code */
-    return;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/* wolfSSL error_check()                                                     */
-/*****************************************************************************/
-int error_check(int this_ret, bool halt_on_error,
-                      const __FlashStringHelper* message) {
-    int ret = 0;
-    if (this_ret == WOLFSSL_SUCCESS) {
-        Serial.print(F("Success: "));
-        Serial.println(message);
-    }
-    else {
-        Serial.print(F("ERROR: return = "));
-        Serial.print(this_ret);
-        Serial.print(F(": "));
-        Serial.println(message);
-        Serial.println(wc_GetErrorString(this_ret));
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    show_memory();
-
-    return ret;
-} /* error_check */
-
-/*****************************************************************************/
-/* wolfSSL error_check_ssl                                                   */
-/*   Parameters:                                                             */
-/*     ssl           is the current WOLFSSL object pointer                   */
-/*     halt_on_error set to true to suspend operations for critical error    */
-/*     message       is expected to be a memory-efficient F("") macro string */
-/*****************************************************************************/
-int error_check_ssl(WOLFSSL* ssl, int this_ret, bool halt_on_error,
-                           const __FlashStringHelper* message) {
-    int err = 0;
-
-    if (ssl == NULL) {
-        Serial.println(F("ssl is Null; Unable to allocate SSL object?"));
-#ifndef DEBUG_WOLFSSL
-        Serial.println(F("Define DEBUG_WOLFSSL in user_settings.h for more."));
-#else
-        Serial.println(F("See wolfssl/wolfcrypt/error-crypt.h for codes."));
-#endif
-        Serial.print(F("ERROR: "));
-        Serial.println(message);
-        show_memory();
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    else {
-        err = wolfSSL_get_error(ssl, this_ret);
-        if (err == WOLFSSL_SUCCESS) {
-            Serial.print(F("Success m: "));
-            Serial.println(message);
-        }
-        else {
-            if (err < 0) {
-                wolfSSL_ERR_error_string(err, errBuf);
-                Serial.print(F("WOLFSSL Error: "));
-                Serial.print(err);
-                Serial.print(F("; "));
-                Serial.println(errBuf);
-            }
-            else {
-                Serial.println(F("Success: ssl object."));
-            }
-        }
-    }
-
-    return err;
-}
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino loop()                                                            */
-/*****************************************************************************/
-/*****************************************************************************/
-void loop() {
-    char reply[80];
-    char msg[32]       = "hello wolfssl!";
-    const char* cipherName;
-    int retry_shutdown = SHUTDOWN_DELAY_MS; /* max try, once per millisecond */
-    int total_input    = 0;
-    int msgSz          = 0;
-    int input          = 0;
-    int ret            = 0;
-    int err            = 0;
-    msgSz = (int)strlen(msg);
-    Serial.println(F(""));
-    Serial.println(F("Starting Arduino loop() ..."));
-
-    if (reconnect) {
-        reconnect--;
-        /* WiFi client returns true if connection succeeds, false if not.  */
-        /* Wired client returns int (1,-1,-2,-3,-4) for connection status. */
-        Serial.print(F("Connecting to "));
-        Serial.print(host);
-        Serial.print(F(":"));
-        Serial.println(port);
-        /* can also use: IPAddress server(192,168,1,37); */
-        Serial.println(F("Here we go..."));
-        ret = client.connect(host, port);
-        Serial.println(F("Ok, checking..."));
-        if (ret > 0) {
-            Serial.println(F("Connected!"));
-
-            /* initialize wolfSSL */
-            ret = wolfSSL_Init();
-            error_check(ret, false, F("calling wolfSSL_Init") );
-
-            /* create secure connection object. see setup for ctx certs. */
-            Serial.println(F("Calling ssl = wolfSSL_new(ctx)"));
-            ssl = wolfSSL_new(ctx);
-            error_check_ssl(ssl, 0, true, F("Create WOLFSSL object from ctx"));
-
-            Serial.print(F("Connecting to wolfSSL TLS Secure Server..."));
-            do {
-                err = 0; /* reset error */
-                Serial.println(F("wolfSSL_connect ..."));
-                ret = wolfSSL_connect(ssl);
-                Serial.print("wolfSSL_connect return result =");
-                Serial.println(ret);
-                if ((ret != WOLFSSL_SUCCESS) && (ret != WC_PENDING_E)) {
-                    Serial.println(F("Failed connection, checking error."));
-                    err = error_check_ssl(ssl, ret, true,
-                                    F("Create WOLFSSL object from ctx"));
-                    Serial.print("err =");
-                    Serial.println(err);
-                }
-                else {
-                   Serial.print(PROGRESS_DOT);
-                }
-            } while (err == WC_PENDING_E);
-
-            Serial.println();
-            Serial.println(F("Connected!"));
-            Serial.print(F("SSL version is "));
-            Serial.println(wolfSSL_get_version(ssl));
-
-            cipherName = wolfSSL_get_cipher(ssl);
-            Serial.print(F("SSL cipher suite is "));
-            Serial.println(cipherName);
-
-            /* see test.h
-             * TODO: test.h needs a little bit of Arduino work for these:
-            showPeerEx(ssl, lng_index);
-            showPeerPEM(ssl);
-            */
-
-            Serial.print(F("Sending secure message to server: "));
-            Serial.println(msg);
-            ret = wolfSSL_write(ssl, msg, msgSz);
-            if (ret == msgSz) {
-                Serial.print(F("Waiting for Server response..."));
-
-                while (!client.available()) {
-                    /* wait for data */
-                    delay(1); /* 1 ms delay */
-                }
-
-                Serial.print(F("Reading response.."));
-                /* read data */
-                do {
-                    ret = wolfSSL_read(ssl, reply, sizeof(reply) - 1);
-                    if (ret < 0) {
-                        error_check_ssl(ssl, ret, false,
-                                        F("during TLS Read"));
-                    }
-                    else {
-                        Serial.print(PROGRESS_DOT);
-                    }
-                } while (err == WC_PENDING_E);
-                Serial.println();
-
-                Serial.println();
-                Serial.println(reply); /* typically: I hear you fa shizzle! */
-                Serial.println();
-
-            } /* wolfSSL_write message size matched */
-            else {
-                error_check_ssl(ssl, ret, false,
-                    F("during TLS Write"));
-            }  /* any wolfSSL_write message size mismatch is an error */
-
-            Serial.print(F("Shutting down.."));
-            do {
-                delay(1);
-                Serial.print(PROGRESS_DOT);
-                retry_shutdown--;
-                ret = wolfSSL_shutdown(ssl);
-            } while (   (ret == WOLFSSL_SHUTDOWN_NOT_DONE)
-                     && (retry_shutdown > 0)
-                    ); /* There may be pending data, so wait until done. */
-            Serial.println();
-
-            if (retry_shutdown <= 0) {
-                /* if wolfSSL_free is called before properly shutting down the
-                 * ssl object, undesired results may occur. */
-                Serial.println(F("Warning! Shutdown did not properly complete."));
-            }
-
-            wolfSSL_free(ssl);
-            client.stop();
-            Serial.println(F("Connection complete."));
-            if (REPEAT_CONNECTION) {
-                reconnect = RECONNECT_ATTEMPTS;
-            }
-            else {
-                reconnect = 0;
-            }
-        } /* client.connect(host, port) */
-        else {
-            Serial.println(F("Problem sending message. Trying to reconnect..."));
-        }
-    }
-    delay(1000);
-    if ((reconnect > 0) && (REPEAT_CONNECTION)) {
-        Serial.println(F("Arduino loop repeating..."));
-        Serial.println();
-    }
-    else {
-        printf("wow");
-        Serial.println(F("Done!"));
-        while(1) {
-            /* wait forever */
-        }
-    }
-
-#if defined(MEMORY_STRESS_TEST)
-    if (mem_ctr < MEMORY_STRESS_ITERATIONS) {
-        /* reminder: mem_ctr == 0 is MEMORY_STRESS_INITIAL allocation */
-        mem_ctr++;
-        Serial.print(F("Memory stress increment: "));
-        Serial.print(mem_ctr);
-        Serial.print(F(". Allocating addition memory (bytes): "));
-        Serial.println(MEMORY_STRESS_BLOCK_SIZE);
-        memory_stress[mem_ctr] = (char*)malloc(MEMORY_STRESS_BLOCK_SIZE);
-        show_memory();
-    }
-#endif
-} /* Arduino loop repeats */
--- a/IDE/ARDUINO/sketches/wolfssl_server/README.md
+++ b/IDE/ARDUINO/sketches/wolfssl_server/README.md
@@ -1,6 +1,14 @@
 # Arduino Basic TLS Server

-Open the [wolfssl_server.ino](./wolfssl_server.ino) file in the Arduino IDE.
+Open the `wolfssl_server.ino` file in the Arduino IDE.
+
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+If using WiFi, be sure to set `ssid` and `password` values.
+
+May need "Ethernet by Various" library to be installed. Tested with v2.0.2 and v2.8.1.
+
+See the `#define WOLFSSL_TLS_SERVER_HOST` to set your own server address.

 Other IDE products are also supported, such as:

--- a/IDE/ARDUINO/sketches/wolfssl_server/wolfssl_server.ino
+++ b/IDE/ARDUINO/sketches/wolfssl_server/wolfssl_server.ino
@@ -1,847 +0,0 @@
-/* wolfssl_server.ino
- *
- * Copyright (C) 2006-2025 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
-
-/*
-Tested with:
-
-1) Intel Galileo acting as the Client, with a laptop acting as a server using
-   the server example provided in examples/server.
-   Legacy Arduino v1.86 was used to compile and program the Galileo
-
-2) Espressif ESP32 WiFi
-
-3) Arduino Due, Nano33 IoT, Nano RP-2040
-*/
-
-/*
- * Note to code editors: the Arduino client and server examples are edited in
- * parallel for side-by-side comparison between examples.
- */
-
-/* If you have a private include, define it here, otherwise edit WiFi params */
-#define MY_PRIVATE_CONFIG "/workspace/my_private_config.h"
-
-/* set REPEAT_CONNECTION to a non-zero value to continually run the example. */
-#define REPEAT_CONNECTION 1
-
-/* Edit this with your other TLS host server address to connect to: */
-/* #define WOLFSSL_TLS_SERVER_HOST "192.168.1.34" */
-
-/* wolfssl TLS examples communicate on port 11111 */
-#define WOLFSSL_PORT 11111
-
-/* Choose a monitor serial baud rate: 9600, 14400, 19200, 57600, 74880, etc. */
-#define SERIAL_BAUD 115200
-
-/* We'll wait up to 2000 milliseconds to properly shut down connection */
-#define SHUTDOWN_DELAY_MS 2000
-
-/* Number of times to retry connection.  */
-#define RECONNECT_ATTEMPTS 20
-
-/* Optional stress test. Define to consume memory until exhausted: */
-/* #define MEMORY_STRESS_TEST */
-
-/* Choose client or server example, not both. */
-/* #define WOLFSSL_CLIENT_EXAMPLE */
-#define WOLFSSL_SERVER_EXAMPLE
-
-#if defined(MY_PRIVATE_CONFIG)
-    /* the /workspace directory may contain a private config
-     * excluded from GitHub with items such as WiFi passwords */
-    #include MY_PRIVATE_CONFIG
-    static const char* ssid PROGMEM = MY_ARDUINO_WIFI_SSID;
-    static const char* password PROGMEM = MY_ARDUINO_WIFI_PASSWORD;
-#else
-    /* when using WiFi capable boards: */
-    static const char* ssid PROGMEM  = "your_SSID";
-    static const char* password PROGMEM = "your_PASSWORD";
-#endif
-
-#define BROADCAST_ADDRESS "255.255.255.255"
-
-/* There's an optional 3rd party NTPClient library by Fabrice Weinberg.
- * If it is installed, uncomment define USE_NTP_LIB here: */
-/* #define USE_NTP_LIB */
-#ifdef USE_NTP_LIB
-    #include <NTPClient.h>
-#endif
-
-/* wolfSSL user_settings.h must be included from settings.h
- * Make all configurations changes in user_settings.h
- * Do not edit wolfSSL `settings.h` or `config.h` files.
- * Do not explicitly include user_settings.h in any source code.
- * Each Arduino sketch that uses wolfSSL must have: #include "wolfssl.h"
- * C/C++ source files can use: #include <wolfssl/wolfcrypt/settings.h>
- * The wolfSSL "settings.h" must be included in each source file using wolfSSL.
- * The wolfSSL "settings.h" must appear before any other wolfSSL include.
- */
-#include <wolfssl.h>
-/* Important: make sure settings.h appears before any other wolfSSL headers */
-#include <wolfssl/wolfcrypt/settings.h>
-/* Reminder: settings.h includes user_settings.h
- * For ALL project wolfSSL settings, see:
- * [your path]/Arduino\libraries\wolfSSL\src\user_settings.h   */
-#include <wolfssl/ssl.h>
-#include <wolfssl/certs_test.h>
-#include <wolfssl/wolfcrypt/error-crypt.h>
-
-/* Define DEBUG_WOLFSSL in user_settings.h for more verbose logging. */
-#if defined(DEBUG_WOLFSSL)
-    #define PROGRESS_DOT F("")
-#else
-    #define PROGRESS_DOT F(".")
-#endif
-
-/* Convert a macro to a string */
-#define xstr(x) str(x)
-#define str(x) #x
-
-/* optional board-specific networking includes */
-#if defined(ESP32)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    /* Ensure the F() flash macro is defined */
-    #ifndef F
-        #define F
-    #endif
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(ESP8266)
-    #define USING_WIFI
-    #include <ESP8266WiFi.h>
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(ARDUINO_SAM_DUE)
-    #include <SPI.h>
-    /* There's no WiFi/Ethernet on the Due. Requires Ethernet Shield.
-    /* Needs "Ethernet by Various" library to be installed. Tested with V2.0.2 */
-    #include <Ethernet.h>
-    EthernetClient client;
-    EthernetClient server(WOLFSSL_PORT);
-#elif defined(ARDUINO_SAMD_NANO_33_IOT)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h> /* Needs Arduino WiFiNINA library installed manually */
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(ARDUINO_ARCH_RP2040)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h>
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(USING_WIFI)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-/* TODO
-#elif defined(OTHER_BOARD)
-*/
-#else
-    #define USING_WIFI
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#endif
-
-/* Only for syntax highlighters to show interesting options enabled: */
-#if defined(HAVE_SNI)                           \
-   || defined(HAVE_MAX_FRAGMENT)                  \
-   || defined(HAVE_TRUSTED_CA)                    \
-   || defined(HAVE_TRUNCATED_HMAC)                \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST)    \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \
-   || defined(HAVE_SUPPORTED_CURVES)              \
-   || defined(HAVE_ALPN)                          \
-   || defined(HAVE_SESSION_TICKET)                \
-   || defined(HAVE_SECURE_RENEGOTIATION)          \
-   || defined(HAVE_SERVER_RENEGOTIATION_INFO)
-#endif
-
-
-/* we expect our IP address from DHCP */
-
-static WOLFSSL_CTX* ctx = NULL;
-static WOLFSSL* ssl = NULL;
-static char* wc_error_message = (char*)malloc(80 + 1);
-static char errBuf[80];
-
-#if defined(MEMORY_STRESS_TEST)
-    #define MEMORY_STRESS_ITERATIONS 100
-    #define MEMORY_STRESS_BLOCK_SIZE 1024
-    #define MEMORY_STRESS_INITIAL (4*1024)
-    static char* memory_stress[MEMORY_STRESS_ITERATIONS]; /* typically 1K per item */
-    static int mem_ctr        = 0;
-#endif
-
-static int EthernetSend(WOLFSSL* ssl, char* msg, int sz, void* ctx);
-static int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx);
-static int reconnect = RECONNECT_ATTEMPTS;
-static int lng_index PROGMEM = 0; /* 0 = English */
-
-#if defined(__arm__)
-    #include <malloc.h>
-    extern char _end;
-    extern "C" char *sbrk(int i);
-    static char *ramstart=(char *)0x20070000;
-    static char *ramend=(char *)0x20088000;
-#endif
-
-/*****************************************************************************/
-/* fail_wait - in case of unrecoverable error                                */
-/*****************************************************************************/
-int fail_wait(void) {
-    show_memory();
-
-    Serial.println(F("Failed. Halt."));
-    while (1) {
-        delay(1000);
-    }
-    return 0;
-}
-
-/*****************************************************************************/
-/* show_memory() to optionally view during debugging.                         */
-/*****************************************************************************/
-int show_memory(void)
-{
-#if defined(__arm__)
-    struct mallinfo mi = mallinfo();
-
-    char *heapend=sbrk(0);
-    register char * stack_ptr asm("sp");
-    #if defined(DEBUG_WOLFSSL_VERBOSE)
-        Serial.print("    arena=");
-        Serial.println(mi.arena);
-        Serial.print("  ordblks=");
-        Serial.println(mi.ordblks);
-        Serial.print(" uordblks=");
-        Serial.println(mi.uordblks);
-        Serial.print(" fordblks=");
-        Serial.println(mi.fordblks);
-        Serial.print(" keepcost=");
-        Serial.println(mi.keepcost);
-    #endif
-
-    #if defined(DEBUG_WOLFSSL) || defined(MEMORY_STRESS_TEST)
-        Serial.print("Estimated free memory: ");
-        Serial.print(stack_ptr - heapend + mi.fordblks);
-        Serial.println(F(" bytes"));
-    #endif
-
-    #if (0)
-        /* Experimental: not supported on all devices: */
-        Serial.print("RAM Start %lx\n", (unsigned long)ramstart);
-        Serial.print("Data/Bss end %lx\n", (unsigned long)&_end);
-        Serial.print("Heap End %lx\n", (unsigned long)heapend);
-        Serial.print("Stack Ptr %lx\n",(unsigned long)stack_ptr);
-        Serial.print("RAM End %lx\n", (unsigned long)ramend);
-
-        Serial.print("Heap RAM Used: ",mi.uordblks);
-        Serial.print("Program RAM Used ",&_end - ramstart);
-        Serial.print("Stack RAM Used ",ramend - stack_ptr);
-
-        Serial.print("Estimated Free RAM: %d\n\n",stack_ptr - heapend + mi.fordblks);
-    #endif
-#else
-    Serial.println(F("show_memory() not implemented for this platform"));
-#endif
-    return 0;
-}
-
-/*****************************************************************************/
-/* EthernetSend() to send a message string.                                  */
-/*****************************************************************************/
-int EthernetSend(WOLFSSL* ssl, char* message, int sz, void* ctx) {
-    int sent = 0;
-    (void)ssl;
-    (void)ctx;
-
-    sent = client.write((byte*)message, sz);
-    return sent;
-}
-
-/*****************************************************************************/
-/* EthernetReceive() to receive a reply string.                              */
-/*****************************************************************************/
-int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx) {
-    int ret = 0;
-    (void)ssl;
-    (void)ctx;
-
-    while (client.available() > 0 && ret < sz) {
-        reply[ret++] = client.read();
-    }
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_hardware()                                                  */
-/*****************************************************************************/
-int setup_hardware(void) {
-    int ret = 0;
-
-#if defined(ARDUINO_SAMD_NANO_33_IOT)
-    Serial.println(F("Detected known tested and working Arduino Nano 33 IoT"));
-#elif defined(ARDUINO_ARCH_RP2040)
-    Serial.println(F("Detected known tested and working Arduino RP-2040"));
-#elif defined(__arm__) && defined(ID_TRNG) && defined(TRNG)
-    /* need to manually turn on random number generator on Arduino Due, etc. */
-    pmc_enable_periph_clk(ID_TRNG);
-    trng_enable(TRNG);
-    Serial.println(F("Enabled ARM TRNG"));
-#endif
-
-    show_memory();
-    randomSeed(analogRead(0));
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_datetime()                                                  */
-/*   The device needs to have a valid date within the valid range of certs.  */
-/*****************************************************************************/
-int setup_datetime(void) {
-    int ret = 0;
-    int ntp_tries = 20;
-
-    /* we need a date in the range of cert expiration */
-#ifdef USE_NTP_LIB
-    #if defined(ESP32)
-        NTPClient timeClient(ntpUDP, "pool.ntp.org");
-
-        timeClient.begin();
-        timeClient.update();
-        delay(1000);
-        while (!timeClient.isTimeSet() && (ntp_tries > 0)) {
-            timeClient.forceUpdate();
-            Serial.println(F("Waiting for NTP update"));
-            delay(2000);
-            ntp_tries--;
-        }
-        if (ntp_tries <= 0) {
-            Serial.println(F("Warning: gave up waiting on NTP"));
-        }
-        Serial.println(timeClient.getFormattedTime());
-        Serial.println(timeClient.getEpochTime());
-    #endif
-#endif
-
-#if defined(ESP32)
-    /* see esp32-hal-time.c */
-    ntp_tries = 5;
-    /* Replace "pool.ntp.org" with your preferred NTP server */
-    configTime(0, 0, "pool.ntp.org");
-
-    /* Wait for time to be set */
-    while ((time(nullptr) <= 100000) && ntp_tries > 0) {
-        Serial.println(F("Waiting for time to be set..."));
-        delay(2000);
-        ntp_tries--;
-    }
-#endif
-
-    return ret;
-} /* setup_datetime */
-
-/*****************************************************************************/
-/* Arduino setup_network()                                                   */
-/*****************************************************************************/
-int setup_network(void) {
-    int ret = 0;
-
-#if defined(USING_WIFI)
-    int status = WL_IDLE_STATUS;
-
-    /* The ESP8266 & ESP32 support both AP and STA. We'll use STA: */
-    #if defined(ESP8266) || defined(ESP32)
-        WiFi.mode(WIFI_STA);
-    #else
-        String fv;
-        if (WiFi.status() == WL_NO_MODULE) {
-            Serial.println("Communication with WiFi module failed!");
-            /* don't continue if no network */
-            while (true) ;
-        }
-
-        fv = WiFi.firmwareVersion();
-        if (fv < WIFI_FIRMWARE_LATEST_VERSION) {
-            Serial.println("Please upgrade the firmware");
-        }
-    #endif
-
-    Serial.print(F("Connecting to WiFi "));
-    Serial.print(ssid);
-    status = WiFi.begin(ssid, password);
-    while (status != WL_CONNECTED) {
-        delay(1000);
-        Serial.print(F("."));
-        Serial.print(status);
-        status = WiFi.status();
-    }
-
-    Serial.println(F(" Connected!"));
-#else
-    /* Newer Ethernet shields have a
-     * MAC address printed on a sticker on the shield */
-    byte mac[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };
-    IPAddress ip(192, 168, 1, 42);
-    IPAddress myDns(192, 168, 1, 1);
-    Ethernet.init(10); /* Most Arduino shields */
-    /* Ethernet.init(5);   * MKR ETH Shield */
-    /* Ethernet.init(0);   * Teensy 2.0 */
-    /* Ethernet.init(20);  * Teensy++ 2.0 */
-    /* Ethernet.init(15);  * ESP8266 with Adafruit FeatherWing Ethernet */
-    /* Ethernet.init(33);  * ESP32 with Adafruit FeatherWing Ethernet */
-    Serial.println(F("Initialize Ethernet with DHCP:"));
-    if (Ethernet.begin(mac) == 0) {
-        Serial.println(F("Failed to configure Ethernet using DHCP"));
-        /* Check for Ethernet hardware present */
-        if (Ethernet.hardwareStatus() == EthernetNoHardware) {
-            Serial.println(F("Ethernet shield was not found."));
-            while (true) {
-                delay(1); /* do nothing */
-            }
-        }
-        if (Ethernet.linkStatus() == LinkOFF) {
-            Serial.println(F("Ethernet cable is not connected."));
-        }
-        /* try to configure using IP address instead of DHCP : */
-        Ethernet.begin(mac, ip, myDns);
-    }
-    else {
-        Serial.print(F("  DHCP assigned IP "));
-        Serial.println(Ethernet.localIP());
-    }
-    /* We'll assume the Ethernet connection is ready to go. */
-#endif
-
-    Serial.println(F("********************************************************"));
-    Serial.print(F("      wolfSSL Example Server IP = "));
-#if defined(USING_WIFI)
-    Serial.println(WiFi.localIP());
-#else
-    Serial.println(Ethernet.localIP());
-#endif
-    /* In server mode, there's no host definition. */
-    /* See companion example: wolfssl_client.ino */
-    Serial.println(F("********************************************************"));
-    Serial.println(F("Setup network complete."));
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_wolfssl()                                                   */
-/*****************************************************************************/
-int setup_wolfssl(void) {
-    int ret = 0;
-    WOLFSSL_METHOD* method;
-
-    /* Show a revision of wolfssl user_settings.h file in use when available: */
-#if defined(WOLFSSL_USER_SETTINGS_ID)
-    Serial.print(F("WOLFSSL_USER_SETTINGS_ID: "));
-    Serial.println(F(WOLFSSL_USER_SETTINGS_ID));
-#else
-    Serial.println(F("No WOLFSSL_USER_SETTINGS_ID found."));
-#endif
-
-#if defined(NO_WOLFSSL_SERVER)
-    Serial.println(F("wolfSSL server code disabled to save space."));
-#endif
-#if defined(NO_WOLFSSL_CLIENT)
-    Serial.println(F("wolfSSL client code disabled to save space."));
-#endif
-
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-    Serial.println(F("wolfSSL Debugging is On!"));
-#else
-    Serial.println(F("wolfSSL Debugging is Off! (enable with DEBUG_WOLFSSL)"));
-#endif
-
-    /* See ssl.c for TLS cache settings. Larger cache = use more RAM. */
-#if defined(NO_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS NO_SESSION_CACHE"));
-#elif defined(MICRO_SESSION_CACHEx)
-    Serial.println(F("wolfSSL TLS MICRO_SESSION_CACHE"));
-#elif defined(SMALL_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS SMALL_SESSION_CACHE"));
-#elif defined(MEDIUM_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS MEDIUM_SESSION_CACHE"));
-#elif defined(BIG_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS BIG_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#else
-    Serial.println(F("WARNING: Unknown or no TLS session cache setting."));
-    /* See wolfssl/src/ssl.c for amount of memory used.
-     * It is best on embedded devices to choose a TLS session cache size. */
-#endif
-
-    ret = wolfSSL_Init();
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.println("Successfully called wolfSSL_Init");
-    }
-    else {
-        Serial.println("ERROR: wolfSSL_Init failed");
-    }
-
-    /* See companion server example with wolfSSLv23_server_method here.
-     * method = wolfSSLv23_client_method());   SSL 3.0 - TLS 1.3.
-     * method = wolfTLSv1_2_client_method();   only TLS 1.2
-     * method = wolfTLSv1_3_client_method();   only TLS 1.3
-     *
-     * see Arduino\libraries\wolfssl\src\user_settings.h */
-
-    Serial.println("Here we go!");
-
-    method = wolfSSLv23_server_method();
-    if (method == NULL) {
-        Serial.println(F("unable to get wolfssl server method"));
-        fail_wait();
-    }
-    ctx = wolfSSL_CTX_new(method);
-    if (ctx == NULL) {
-        Serial.println(F("unable to get ctx"));
-        fail_wait();
-    }
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_certificates()                                              */
-/*****************************************************************************/
-int setup_certificates(void) {
-    int ret = 0;
-
-    Serial.println(F("Initializing certificates..."));
-    show_memory();
-
-    /* Use built-in validation, No verification callback function: */
-    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
-
-    /* Certificate */
-    Serial.println("Initializing certificates...");
-    ret = wolfSSL_CTX_use_certificate_buffer(ctx,
-                                             CTX_SERVER_CERT,
-                                             CTX_SERVER_CERT_SIZE,
-                                             CTX_CA_CERT_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use certificate: ");
-        Serial.println(xstr(CTX_SERVER_CERT));
-    }
-    else {
-        Serial.print("Error: wolfSSL_CTX_use_certificate_buffer failed: ");
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    /* Setup private server key */
-    ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
-                                            CTX_SERVER_KEY,
-                                            CTX_SERVER_KEY_SIZE,
-                                            CTX_SERVER_KEY_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use private key buffer: ");
-        Serial.println(xstr(CTX_SERVER_KEY));
-    }
-    else {
-        Serial.print("Error: wolfSSL_CTX_use_PrivateKey_buffer failed: ");
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    return ret;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino setup()                                                           */
-/*****************************************************************************/
-/*****************************************************************************/
-void setup(void) {
-    int i = 0;
-    Serial.begin(SERIAL_BAUD);
-    while (!Serial && (i < 10)) {
-        /* wait for serial port to connect. Needed for native USB port only */
-        delay(1000);
-        i++;
-    }
-
-    Serial.println(F(""));
-    Serial.println(F(""));
-    Serial.println(F("wolfSSL TLS Server Example Startup."));
-
-    /* define DEBUG_WOLFSSL in wolfSSL user_settings.h for diagnostics */
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-#endif
-
-    /* Optionally pre-allocate a large block of memory for testing */
-#if defined(MEMORY_STRESS_TEST)
-    Serial.println(F("WARNING: Memory Stress Test Active!"));
-    Serial.print(F("Allocating extra memory: "));
-    Serial.print(MEMORY_STRESS_INITIAL);
-    Serial.println(F(" bytes..."));
-    memory_stress[mem_ctr] = (char*)malloc(MEMORY_STRESS_INITIAL);
-    show_memory();
-#endif
-
-    setup_hardware();
-
-    setup_network();
-
-    setup_datetime();
-
-    setup_wolfssl();
-
-    setup_certificates();
-
-    /* Initialize wolfSSL using callback functions. */
-    wolfSSL_SetIOSend(ctx, EthernetSend);
-    wolfSSL_SetIORecv(ctx, EthernetReceive);
-
-#if defined THIS_USER_SETTINGS_VERSION
-    Serial.print(F("This user_settings.h version:"))
-    Serial.println(THIS_USER_SETTINGS_VERSION)
-#endif
-
-    /* Start the server
-     * See https://www.arduino.cc/reference/en/libraries/ethernet/server.begin/
-     */
-
-    Serial.println(F("Completed Arduino setup()"));
-
-    server.begin();
-    Serial.println("Begin Server... (waiting for remote client to connect)");
-
-    /* See companion wolfssl_client.ino code */
-    return;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/* wolfSSL error_check()                                                     */
-/*****************************************************************************/
-int error_check(int this_ret, bool halt_on_error,
-                      const __FlashStringHelper* message) {
-    int ret = 0;
-    if (this_ret == WOLFSSL_SUCCESS) {
-        Serial.print(F("Success: "));
-        Serial.println(message);
-    }
-    else {
-        Serial.print(F("ERROR: return = "));
-        Serial.print(this_ret);
-        Serial.print(F(": "));
-        Serial.println(message);
-        Serial.println(wc_GetErrorString(this_ret));
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    show_memory();
-
-    return ret;
-} /* error_check */
-
-/*****************************************************************************/
-/* wolfSSL error_check_ssl                                                   */
-/*   Parameters:                                                             */
-/*     ssl           is the current WOLFSSL object pointer                   */
-/*     halt_on_error set to true to suspend operations for critical error    */
-/*     message       is expected to be a memory-efficient F("") macro string */
-/*****************************************************************************/
-int error_check_ssl(WOLFSSL* ssl, int this_ret, bool halt_on_error,
-                           const __FlashStringHelper* message) {
-    int err = 0;
-
-    if (ssl == NULL) {
-        Serial.println(F("ssl is Null; Unable to allocate SSL object?"));
-#ifndef DEBUG_WOLFSSL
-        Serial.println(F("Define DEBUG_WOLFSSL in user_settings.h for more."));
-#else
-        Serial.println(F("See wolfssl/wolfcrypt/error-crypt.h for codes."));
-#endif
-        Serial.print(F("ERROR: "));
-        Serial.println(message);
-        show_memory();
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    else {
-        err = wolfSSL_get_error(ssl, this_ret);
-        if (err == WOLFSSL_SUCCESS) {
-            Serial.print(F("Success m: "));
-            Serial.println(message);
-        }
-        else {
-            if (err < 0) {
-                wolfSSL_ERR_error_string(err, errBuf);
-                Serial.print(F("WOLFSSL Error: "));
-                Serial.print(err);
-                Serial.print(F("; "));
-                Serial.println(errBuf);
-            }
-            else {
-                Serial.println(F("Success: ssl object."));
-            }
-        }
-    }
-
-    return err;
-}
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino loop()                                                            */
-/*****************************************************************************/
-/*****************************************************************************/
-void loop() {
-    char errBuf[80]    = "(no error";
-    char reply[80]     = "(no reply)";
-    const char msg[]   = "I hear you fa shizzle!";
-    const char* cipherName;
-    int input          = 0;
-    int replySz        = 0;
-    int retry_shutdown = SHUTDOWN_DELAY_MS; /* max try, once per millisecond */
-    int ret            = 0;
-    IPAddress broadcast_address(255, 255, 255, 255);
-
-    /* Listen for incoming client requests. */
-    client = server.available();
-    if (client)  {
-       Serial.println("Have Client");
-       while (!client.connected()) {
-           /* wait for the client to actually connect */
-           delay(10);
-       }
-        Serial.print("Client connected from remote IP: ");
-        Serial.println(client.remoteIP());
-
-        ssl = wolfSSL_new(ctx);
-        if (ssl == NULL) {
-            Serial.println("Unable to allocate SSL object");
-            fail_wait();
-        }
-
-        ret = wolfSSL_accept(ssl);
-        if (ret != WOLFSSL_SUCCESS) {
-            ret = wolfSSL_get_error(ssl, 0);
-            wolfSSL_ERR_error_string(ret, errBuf);
-            Serial.print("TLS Accept Error: ");
-            Serial.println(errBuf);
-        }
-
-        cipherName = wolfSSL_get_cipher(ssl);
-        Serial.print("SSL cipher suite is ");
-        Serial.println(cipherName);
-
-        Serial.print("Server Read: ");
-        while (!client.available()) {
-            /* wait for data */
-        }
-
-        /* read data */
-        while (wolfSSL_pending(ssl)) {
-            input = wolfSSL_read(ssl, reply, sizeof(reply) - 1);
-            if (input < 0) {
-                ret = wolfSSL_get_error(ssl, 0);
-                wolfSSL_ERR_error_string(ret, errBuf);
-                Serial.print("TLS Read Error: ");
-                Serial.println(errBuf);
-                break;
-            }
-            else if (input > 0) {
-                replySz = input;
-                reply[input] = '\0';
-                Serial.print(reply);
-            }
-            else {
-                Serial.println("<end of reply, input == 0>");
-            }
-        }
-
-        /* Write our message into reply buffer to send */
-        memset(reply, 0, sizeof(reply));
-        memcpy(reply, msg, sizeof(msg));
-        replySz = strnlen(reply, sizeof(reply));
-
-        Serial.println("Sending reply...");
-        if ((wolfSSL_write(ssl, reply, replySz)) != replySz) {
-            ret = wolfSSL_get_error(ssl, 0);
-            wolfSSL_ERR_error_string(ret, errBuf);
-            Serial.print("TLS Write Error: ");
-            Serial.println(errBuf);
-        }
-        else {
-            Serial.println("Reply sent!");
-        }
-
-        Serial.println("Shutdown!");
-        do {
-            delay(1);
-            retry_shutdown--;
-            ret = wolfSSL_shutdown(ssl);
-        } while ((ret == WOLFSSL_SHUTDOWN_NOT_DONE) && (retry_shutdown > 0));
-
-        if (retry_shutdown <= 0) {
-            /* if wolfSSL_free is called before properly shutting down the
-             * ssl object, undesired results may occur. */
-            Serial.println("Warning! Shutdown did not properly complete.");
-        }
-
-        wolfSSL_free(ssl);
-        Serial.println("Connection complete.");
-        if (REPEAT_CONNECTION) {
-            Serial.println();
-            Serial.println("Waiting for next connection.");
-        }
-        else {
-            client.stop();
-            Serial.println("Done!");
-            while (1) {
-                /* wait forever if not repeating */
-                delay(100);
-            }
-        }
-    }
-    else {
-        /* Serial.println("Client not connected. Trying again..."); */
-    }
-
-    delay(100);
-} /* Arduino loop repeats */
--- a/IDE/ARDUINO/sketches/wolfssl_version/README.md
+++ b/IDE/ARDUINO/sketches/wolfssl_version/README.md
@@ -1,3 +1,5 @@
 # Arduino Basic Hello World

 This example simply compiles in wolfSSL and shows the current version number.
+
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
--- a/IDE/ARDUINO/sketches/wolfssl_version/wolfssl_version.ino
+++ b/IDE/ARDUINO/sketches/wolfssl_version/wolfssl_version.ino
@@ -1,55 +0,0 @@
-/* wolfssl_server.ino
- *
- * Copyright (C) 2006-2025 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
-
-#include <Arduino.h>
-
- /* wolfSSL user_settings.h must be included from settings.h
-  * Make all configurations changes in user_settings.h
-  * Do not edit wolfSSL `settings.h` or `config.h` files.
-  * Do not explicitly include user_settings.h in any source code.
-  * Each Arduino sketch that uses wolfSSL must have: #include "wolfssl.h"
-  * C/C++ source files can use: #include <wolfssl/wolfcrypt/settings.h>
-  * The wolfSSL "settings.h" must be included in each source file using wolfSSL.
-  * The wolfSSL "settings.h" must appear before any other wolfSSL include.
-  */
-#include <wolfssl.h>
-#include <wolfssl/version.h>
-
-/* Choose a monitor serial baud rate: 9600, 14400, 19200, 57600, 74880, etc. */
-#define SERIAL_BAUD 115200
-
-/* Arduino setup */
-void setup() {
-    Serial.begin(SERIAL_BAUD);
-    while (!Serial) {
-        /* wait for serial port to connect. Needed for native USB port only */
-    }
-    Serial.println(F(""));
-    Serial.println(F(""));
-    Serial.println(F("wolfSSL setup complete!"));
-}
-
-/* Arduino main application loop. */
-void loop() {
-    Serial.print("wolfSSL Version: ");
-    Serial.println(LIBWOLFSSL_VERSION_STRING);
-    delay(60000);
-}
--- a/IDE/ARDUINO/wolfssl-arduino.cpp
+++ b/IDE/ARDUINO/wolfssl-arduino.cpp
@@ -0,0 +1,33 @@
+/* wolfssl-arduino.cpp
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <Arduino.h>
+#include "wolfssl.h"
+
+/* Function to allow wolfcrypt to use Arduino Serial.print for debug messages.
+ * See wolfssl/wolfcrypt/logging.c */
+
+int wolfSSL_Arduino_Serial_Print(const char* const s)
+{
+    /* Reminder: Serial.print is only available in C++ */
+    Serial.println(F(s));
+    return 0;
+};
--- a/IDE/ARDUINO/wolfssl-arduino.sh
+++ b/IDE/ARDUINO/wolfssl-arduino.sh
@@ -70,6 +70,9 @@ if [ "$ROOT_DIR" = "" ]; then
    exit 1
 fi

+
+ARDUINO_ROOT="$HOME/Arduino/libraries"
+
 # Check environment
 if [ -n "$WSL_DISTRO_NAME" ]; then
    # we found a non-blank WSL environment distro name
@@ -78,8 +81,6 @@ if [ -n "$WSL_DISTRO_NAME" ]; then
    if echo "$current_path" | grep -Eq "^$pattern"; then
        # if we are in WSL and shared Windows file system, 'ln' does not work.
        ARDUINO_ROOT="/mnt/c/Users/$USER/Documents/Arduino/libraries"
-    else
-        ARDUINO_ROOT="$HOME/Arduino/libraries"
    fi
 fi
 echo "The Arduino library root is: $ARDUINO_ROOT"
@@ -116,11 +117,21 @@ if [ $# -gt 0 ]; then
        echo "Error: not a valid operation: $THIS_OPERATION"
        exit 1
    fi
+else
+    echo "INSTALL parameter not specified. Installing to ROOT_DIR=$ROOT_DIR"
 fi


 ROOT_SRC_DIR="${ROOT_DIR}/src"
 EXAMPLES_DIR="${ROOT_DIR}/examples"
+
+if [ -n "$WOLFSSL_EXAMPLES_ROOT" ]; then
+    EXTRA_EXAMPLES_DIR="${WOLFSSL_EXAMPLES_ROOT}/Arduino"
+    echo "EXTRA_EXAMPLES_DIR=$EXTRA_EXAMPLES_DIR"
+else
+    echo "There are additional examples at https://github.com/wolfSSL/wolfssl-examples"
+    echo "Set WOLFSSL_EXAMPLES_ROOT to your local directory to include those examples."
+fi
 WOLFSSL_SRC="${ROOT_SRC_DIR}/src"
 WOLFSSL_HEADERS="${ROOT_SRC_DIR}/wolfssl"
 WOLFCRYPT_ROOT="${ROOT_SRC_DIR}/wolfcrypt"
@@ -141,8 +152,16 @@ OPENSSL_DIR_TOP="${WOLFSSL_HEADERS_TOP}/openssl"

 WOLFSSL_VERSION=$(grep -i "LIBWOLFSSL_VERSION_STRING" ${TOP_DIR}/wolfssl/version.h | cut -d '"' -f 2)
 if [ "$WOLFSSL_VERSION" = "" ]; then
-    echo "ERROR: Could not find wolfSSL Version in ${TOP_DIR}/wolfssl/version.h"
-    exit 1
+    echo "Current user: [$USER]"
+    if [ "$USER" = "" ] || [ "$USER" = "runner" ]; then
+        # Typically when there's no user, it is a GitHub workflow. It is not guaranteed to be "runner"
+        echo "No USER found, no version.h found. Setting Version text to [GitHub] for assumed workflow."
+        WOLFSSL_VERSION="GitHub"
+    else
+        echo "ERROR: Could not find wolfSSL Version in ${TOP_DIR}/wolfssl/version.h"
+        echo "Check autogen.sh and configure"
+        exit 1
+    fi
 else
    echo "Found wolfSSL version $WOLFSSL_VERSION"
    echo "# WOLFSSL_VERSION_ARUINO_SUFFIX $WOLFSSL_VERSION_ARUINO_SUFFIX"
@@ -235,26 +254,46 @@ if [ "$THIS_DIR" = "ARDUINO" ]; then
    $CP_CMD "${OPENSSL_DIR_TOP}"/* ."${OPENSSL_DIR}"                                          || exit 1

    # Finally, copy the Arduino-specific wolfssl library files into place: [lib]/src
-    $CP_CMD ./wolfssl.h ".${ROOT_SRC_DIR}"/wolfssl.h
+    $CP_CMD ./wolfssl.h           ".${ROOT_SRC_DIR}"/wolfssl.h           || exit 1
+    $CP_CMD ./wolfssl-arduino.cpp ".${ROOT_SRC_DIR}"/wolfssl-arduino.cpp || exit 1

+    unset NO_ARDUINO_EXAMPLES
    echo "Copy examples...."
    # Copy examples
    mkdir -p ".${ROOT_SRC_DIR}"/examples

-    echo "Copy wolfssl_client example...."
-    mkdir -p ".${EXAMPLES_DIR}"/wolfssl_client
-    $CP_CMD ./sketches/wolfssl_client/wolfssl_client.ino ".${EXAMPLES_DIR}"/wolfssl_client/wolfssl_client.ino || exit 1
-    $CP_CMD ./sketches/wolfssl_client/README.md          ".${EXAMPLES_DIR}"/wolfssl_client/README.md          || exit 1
+    if [ -n "$WOLFSSL_EXAMPLES_ROOT" ]; then
+        echo "Copy template example...."
+        mkdir -p ".${EXAMPLES_DIR}"/template/wolfssl_library/src
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/template.ino                             ".${EXAMPLES_DIR}"/template/template.ino                             || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/README.md                                ".${EXAMPLES_DIR}"/template/README.md                                || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_helper.c                         ".${EXAMPLES_DIR}"/template/wolfssl_helper.c                         || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_helper.h                         ".${EXAMPLES_DIR}"/template/wolfssl_helper.h                         || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_library/wolfssl_library.h        ".${EXAMPLES_DIR}"/template/wolfssl_library/wolfssl_library.h        || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_library/src/wolfssl_library.cpp  ".${EXAMPLES_DIR}"/template/wolfssl_library/src/wolfssl_library.cpp  || exit 1

-    echo "Copy wolfssl_server example...."
-    mkdir -p .${EXAMPLES_DIR}/wolfssl_server
-    $CP_CMD ./sketches/wolfssl_server/wolfssl_server.ino ".${EXAMPLES_DIR}"/wolfssl_server/wolfssl_server.ino || exit 1
-    $CP_CMD ./sketches/wolfssl_server/README.md          ".${EXAMPLES_DIR}"/wolfssl_server/README.md          || exit 1
+        echo "Copy wolfssl_AES_CTR example...."
+        mkdir -p ".${EXAMPLES_DIR}"/wolfssl_AES_CTR
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_AES_CTR/wolfssl_AES_CTR.ino ".${EXAMPLES_DIR}"/wolfssl_AES_CTR/wolfssl_AES_CTR.ino || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_AES_CTR/README.md           ".${EXAMPLES_DIR}"/wolfssl_AES_CTR/README.md           || exit 1

-    echo "Copy wolfssl_server example...."
-    mkdir -p .${EXAMPLES_DIR}/wolfssl_version
-    $CP_CMD ./sketches/wolfssl_version/wolfssl_version.ino ".${EXAMPLES_DIR}"/wolfssl_version/wolfssl_version.ino || exit 1
-    $CP_CMD ./sketches/wolfssl_version/README.md           ".${EXAMPLES_DIR}"/wolfssl_version/README.md           || exit 1
+        echo "Copy wolfssl_client example...."
+        mkdir -p ".${EXAMPLES_DIR}"/wolfssl_client
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_client/wolfssl_client.ino   ".${EXAMPLES_DIR}"/wolfssl_client/wolfssl_client.ino   || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_client/README.md            ".${EXAMPLES_DIR}"/wolfssl_client/README.md            || exit 1
+
+        echo "Copy wolfssl_server example...."
+        mkdir -p .${EXAMPLES_DIR}/wolfssl_server
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_server/wolfssl_server.ino   ".${EXAMPLES_DIR}"/wolfssl_server/wolfssl_server.ino   || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_server/README.md            ".${EXAMPLES_DIR}"/wolfssl_server/README.md            || exit 1
+
+        echo "Copy wolfssl_version example...."
+        mkdir -p .${EXAMPLES_DIR}/wolfssl_version
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_version/wolfssl_version.ino ".${EXAMPLES_DIR}"/wolfssl_version/wolfssl_version.ino || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_version/README.md           ".${EXAMPLES_DIR}"/wolfssl_version/README.md           || exit 1
+    else
+        NO_ARDUINO_EXAMPLES=1
+    fi
 else
    echo "ERROR: You must be in the IDE/ARDUINO directory to run this script"
    exit 1
@@ -273,6 +312,8 @@ fi
 # as an Arduino-specific README.md file.
 VERSION_PLACEHOLDER="\${WOLFSSL_VERSION}"
 ARDUINO_VERSION_SUFFIX_PLACEHOLDER="\${WOLFSSL_VERSION_ARUINO_SUFFIX}"
+
+# This is the SOURCE to prepend. Note the OUTPUT is PREPENDED_README.md later copied to README.md
 PREPEND_FILE="Arduino_README_prepend.md"
 PROPERTIES_FILE_TEMPLATE="library.properties.template"
 sed s/"$VERSION_PLACEHOLDER"/"$WOLFSSL_VERSION"/ "$PREPEND_FILE" > "$PREPEND_FILE.tmp"
@@ -340,4 +381,9 @@ if [ "$THIS_OPERATION" = "INSTALL" ]; then
    fi
 fi

+if [ -n "$NO_ARDUINO_EXAMPLES" ]; then
+    echo ""
+    echo "WARNING: No examples copied. Set WOLFSSL_EXAMPLES_ROOT as appropriate."
+    echo ""
+fi
 echo "Done!"
--- a/IDE/ARDUINO/wolfssl.h
+++ b/IDE/ARDUINO/wolfssl.h
@@ -22,6 +22,7 @@
 /* Edit with caution. This is an Arduino-library specific header for wolfSSL */

 #ifndef WOLFSSL_USER_SETTINGS
+    /* Should already be defined in settings.h for #if defined(ARDUINO) */
    #define WOLFSSL_USER_SETTINGS
 #endif

@@ -39,9 +40,10 @@
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/ssl.h>

-int wolfSSL_Arduino_Serial_Print(const char *const s)
-{
-    /* See wolfssl/wolfcrypt/logging.c */
-    Serial.println(F(s));
-    return 0;
-};
+#ifndef WOLFSSL_ARDUINO_H
+#define WOLFSSL_ARDUINO_H
+
+/* Declare a helper function to be used in wolfssl/wolfcrypt/logging.c */
+int wolfSSL_Arduino_Serial_Print(const char* const s);
+
+#endif /* WOLFSSL_ARDUINO_H */
--- a/IDE/Android/Android.bp
+++ b/IDE/Android/Android.bp
@@ -40,7 +40,7 @@ cc_library_shared {
        "./src/wolfio.c",
    ] + [
        "./wolfcrypt/src/aes.c",
-        // ARC4 implementation has been removed
+        "./wolfcrypt/src/arc4.c",
        "./wolfcrypt/src/asm.c",
        "./wolfcrypt/src/asn.c",
        "./wolfcrypt/src/blake2b.c",
--- a/IDE/Espressif/ESP-IDF/examples/template/CMakeLists.txt
+++ b/IDE/Espressif/ESP-IDF/examples/template/CMakeLists.txt
@@ -14,7 +14,6 @@ else()
    add_compile_definitions(WOLFSSL_ESP_NO_WATCHDOG=1)
 endif()

-
 # The wolfSSL CMake file should be able to find the source code.
 # Otherwise, assign an environment variable or set it here:
 #
@@ -129,7 +128,7 @@ endif()
 # an unintuitive error about  Unknown CMake command "esptool_py_flash_project_args".

 if(0)
-	message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
    # This example uses an extra component for common functions such as Wi-Fi and Ethernet connection.
    set (PROTOCOL_EXAMPLES_DIR $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)

@@ -140,7 +139,7 @@ if(0)
    else()
        message(STATUS "NOT FOUND: PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
    endif()
-	message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
 endif()

 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
--- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/component.mk
+++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/component.mk
@@ -176,7 +176,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/wolfio.o
 ## wolfcrypt
 ##
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/aes.o
-# ARC4 implementation has been removed
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/arc4.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asn.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/async.o # autogen exclusion
@@ -203,7 +203,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_mlkem.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
@@ -266,8 +266,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem_poly.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
--- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h
@@ -110,7 +110,6 @@
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
    /* #define USE_WOLFSSL_ESP_SDK_WIFI */
    #define TEST_ESPIDF_ALL_WOLFSSL
-
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
    /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@@ -213,8 +212,8 @@
 #ifdef CONFIG_WOLFSSL_ENABLE_KYBER
    /* Kyber typically needs a minimum 10K stack */
    #define WOLFSSL_EXPERIMENTAL_SETTINGS
-    #define WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_WC_KYBER
+    #define WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_WC_MLKEM
    #define WOLFSSL_SHA3
    #if defined(CONFIG_IDF_TARGET_ESP8266)
        /* With limited RAM, we'll disable some of the Kyber sizes: */
--- a/IDE/Espressif/ESP-IDF/examples/template/main/Kconfig.projbuild
+++ b/IDE/Espressif/ESP-IDF/examples/template/main/Kconfig.projbuild
@@ -65,11 +65,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfssh on GitHub.

-    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
-        bool "SSH Echo Server"
-        help
-            See wolfSSL/wolfssh on GitHub.
-
    config WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
        bool "SSH to UART Server for the ESP32"
        help
@@ -95,12 +90,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfTPM on GitHub.

-    config WOLFSSL_APPLE_HOMEKIT
-        bool "Apple HomeKit for the ESP32"
-        help
-            See AchimPieters/esp32-homekit-demo on GitHub.
-
-
    config WOLFSSL_EXAMPLE_NAME_NONE
        bool "Other"
        help
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/component.mk
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/component.mk
@@ -176,7 +176,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/wolfio.o
 ## wolfcrypt
 ##
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/aes.o
-# ARC4 implementation has been removed
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/arc4.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asn.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/async.o # autogen exclusion
@@ -203,7 +203,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_mlkem.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
@@ -266,8 +266,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem_poly.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h
@@ -110,7 +110,6 @@
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
    /* #define USE_WOLFSSL_ESP_SDK_WIFI */
    #define TEST_ESPIDF_ALL_WOLFSSL
-
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
    /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@@ -213,8 +212,8 @@
 #ifdef CONFIG_WOLFSSL_ENABLE_KYBER
    /* Kyber typically needs a minimum 10K stack */
    #define WOLFSSL_EXPERIMENTAL_SETTINGS
-    #define WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_WC_KYBER
+    #define WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_WC_MLKEM
    #define WOLFSSL_SHA3
    #if defined(CONFIG_IDF_TARGET_ESP8266)
        /* With limited RAM, we'll disable some of the Kyber sizes: */
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/Kconfig.projbuild
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/Kconfig.projbuild
@@ -1,5 +1,102 @@
+# Kconfig main
+#
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+#
+
+# Kconfig File Version 5.7.2.001 for wolfssl_template
+
 menu "Example Configuration"

+choice WOLFSSL_EXAMPLE_CHOOSE
+    prompt "Choose Example (See wolfssl/include/user_settings.h)"
+    default WOLFSSL_EXAMPLE_NAME_NONE
+    help
+        The user settings file can be adjusted to specific wolfSSL examples.
+
+    config WOLFSSL_EXAMPLE_NAME_TEMPLATE
+        bool "wolfSSL Template"
+        help
+            The sample template app compiles in wolfSSL and prints the current wolfSSL Version. Nothing more.
+
+    config WOLFSSL_EXAMPLE_NAME_TEST
+        bool "wolfSSL Test"
+        help
+            This app tests all cryptographic functions currently enabled. See also Benchmark performance app.
+
+    config WOLFSSL_EXAMPLE_NAME_BENCHMARK
+        bool "wolfSSL Benchmark"
+        help
+            Benchmark performance app. See also cryptographic test.
+
+    config WOLFSSL_EXAMPLE_NAME_TLS_CLIENT
+        bool "TLS Client"
+        help
+            TLS Client Example app. Needs WiFi and a listening server on port 11111.
+
+    config WOLFSSL_EXAMPLE_NAME_TLS_SERVER
+        bool "TLS Server"
+        help
+            TLS Server Example app. Needs WiFi. More interesting with a TLS client using port 11111.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE
+        bool "SSH Template App"
+        help
+            Bare-bones Hello World app that only compiles in wolfSSL and wolfSSH.
+            See wolfSSL/wolfssh on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
+        bool "SSH Echo Server"
+        help
+            See wolfSSL/wolfssh on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
+        bool "SSH to UART Server for the ESP32"
+        help
+            See wolfSSL/wolfssh-examples on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_ESP8266_SSH_SERVER
+        bool "SSH to UART Server for the ESP8266"
+        help
+            See wolfSSL/wolfssh-examples on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFMQTT_TEMPLATE
+        bool "MQTT Template"
+        help
+            See wolfSSL/wolfmqtt on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFMQTT_AWS_IOT_MQTT
+        bool "MQTT AWS IoT"
+        help
+            See wolfSSL/wolfmqtt on GitHub.
+
+    config WOLFTPM_EXAMPLE_NAME_ESPRESSIF
+        bool "TPM Test Example for the ESP32"
+        help
+            See wolfSSL/wolfTPM on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_NONE
+        bool "Other"
+        help
+            A specific example app is not defined.
+
+endchoice
+
 config BENCH_ARGV
    string "Arguments for benchmark test"
    default "-lng 0"
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults
@@ -1,5 +1,5 @@
 # Set the known example app config to template example (see user_settings.h)
-CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSL_BENCHMARK=y
+CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK=y

 # CONFIG_EXAMPLE_WIFI_SSID="myssid"
 # CONFIG_EXAMPLE_WIFI_PASSWORD="mypassword"
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/CMakeLists.txt
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/CMakeLists.txt
@@ -14,7 +14,6 @@ else()
    add_compile_definitions(WOLFSSL_ESP_NO_WATCHDOG=1)
 endif()

-
 # The wolfSSL CMake file should be able to find the source code.
 # Otherwise, assign an environment variable or set it here:
 #
@@ -129,7 +128,7 @@ endif()
 # an unintuitive error about  Unknown CMake command "esptool_py_flash_project_args".

 if(0)
-	message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
    # This example uses an extra component for common functions such as Wi-Fi and Ethernet connection.
    set (PROTOCOL_EXAMPLES_DIR $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)

@@ -140,7 +139,7 @@ if(0)
    else()
        message(STATUS "NOT FOUND: PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
    endif()
-	message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
 endif()

 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/component.mk
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/component.mk
@@ -176,7 +176,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/wolfio.o
 ## wolfcrypt
 ##
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/aes.o
-# ARC4 implementation has been removed
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/arc4.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asn.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/async.o # autogen exclusion
@@ -203,7 +203,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_mlkem.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
@@ -266,8 +266,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem_poly.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h
@@ -110,7 +110,6 @@
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
    /* #define USE_WOLFSSL_ESP_SDK_WIFI */
    #define TEST_ESPIDF_ALL_WOLFSSL
-
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
    /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@@ -213,8 +212,8 @@
 #ifdef CONFIG_WOLFSSL_ENABLE_KYBER
    /* Kyber typically needs a minimum 10K stack */
    #define WOLFSSL_EXPERIMENTAL_SETTINGS
-    #define WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_WC_KYBER
+    #define WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_WC_MLKEM
    #define WOLFSSL_SHA3
    #if defined(CONFIG_IDF_TARGET_ESP8266)
        /* With limited RAM, we'll disable some of the Kyber sizes: */
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/Kconfig.projbuild
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/Kconfig.projbuild
@@ -65,11 +65,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfssh on GitHub.

-    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
-        bool "SSH Echo Server"
-        help
-            See wolfSSL/wolfssh on GitHub.
-
    config WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
        bool "SSH to UART Server for the ESP32"
        help
@@ -95,12 +90,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfTPM on GitHub.

-    config WOLFSSL_APPLE_HOMEKIT
-        bool "Apple HomeKit for the ESP32"
-        help
-            See AchimPieters/esp32-homekit-demo on GitHub.
-
-
    config WOLFSSL_EXAMPLE_NAME_NONE
        bool "Other"
        help
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c
@@ -41,9 +41,9 @@
 #undef USE_WOLFSSL_ESP_SDK_WIFI
 #include <wolfssl/ssl.h>

-#if defined(WOLFSSL_WC_KYBER)
-    #include <wolfssl/wolfcrypt/kyber.h>
-    #include <wolfssl/wolfcrypt/wc_kyber.h>
+#if defined(WOLFSSL_WC_MLKEM)
+    #include <wolfssl/wolfcrypt/mlkem.h>
+    #include <wolfssl/wolfcrypt/wc_mlkem.h>
 #endif
 #if defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024)
    #include <wolfssl/certs_test.h>
@@ -397,22 +397,22 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args)
        ESP_LOGI(TAG, "tls_smp_client_task heap @ %p = %d",
                      &this_heap, this_heap);
 #endif
-#if defined(WOLFSSL_HAVE_KYBER)
+#if defined(WOLFSSL_HAVE_MLKEM)
    #if defined(WOLFSSL_KYBER1024)
-        ESP_LOGI(TAG, "WOLFSSL_HAVE_KYBER is enabled, setting key share: "
+        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
                                        "WOLFSSL_P256_KYBER_LEVEL5");
        ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_KYBER_LEVEL5);
    #elif defined(WOLFSSL_KYBER768)
-        ESP_LOGI(TAG, "WOLFSSL_HAVE_KYBER is enabled, setting key share: "
+        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
                                        "WOLFSSL_P256_KYBER_LEVEL3");
        ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P256_KYBER_LEVEL3);
    #elif defined(WOLFSSL_KYBER512)
        /* This will typically be a low memory situation, such as ESP8266 */
-        ESP_LOGI(TAG, "WOLFSSL_HAVE_KYBER is enabled, setting key share: "
+        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
                                        "WOLFSSL_P256_KYBER_LEVEL1");
        ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P256_KYBER_LEVEL1);
    #else
-        ESP_LOGW(TAG, "WOLFSSL_HAVE_KYBER enabled but no key size available.");
+        ESP_LOGW(TAG, "WOLFSSL_HAVE_MLKEM enabled but no key size available.");
        ret_i = ESP_FAIL;
    #endif
        if (ret_i == WOLFSSL_SUCCESS) {
@@ -422,7 +422,7 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args)
            ESP_LOGE(TAG, "UseKeyShare Kyber failed");
        }
 #else
-    ESP_LOGI(TAG, "WOLFSSL_HAVE_KYBER is not enabled");
+    ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is not enabled");
 #endif
    }

--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/client-tls.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/client-tls.h
@@ -44,7 +44,7 @@

 /* Reminder: Vanilla FreeRTOS is words, Espressif is bytes. */
 #if defined(WOLFSSL_ESP8266)
-    #if defined(WOLFSSL_HAVE_KYBER)
+    #if defined(WOLFSSL_HAVE_MLKEM)
        /* Minimum ESP8266 stack size = 10K with Kyber.
         * Note there's a maximum not far away as Kyber needs heap
         * and the total DRAM is typically only 80KB total. */
@@ -54,7 +54,7 @@
        #define TLS_SMP_CLIENT_TASK_BYTES (6 * 1024)
    #endif
 #else
-    #if defined(WOLFSSL_HAVE_KYBER)
+    #if defined(WOLFSSL_HAVE_MLKEM)
        /* Minimum ESP32 stack size = 12K with Kyber enabled. */
        #define TLS_SMP_CLIENT_TASK_BYTES (12 * 1024)
    #else
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/CMakeLists.txt
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/CMakeLists.txt
@@ -14,7 +14,6 @@ else()
    add_compile_definitions(WOLFSSL_ESP_NO_WATCHDOG=1)
 endif()

-
 # The wolfSSL CMake file should be able to find the source code.
 # Otherwise, assign an environment variable or set it here:
 #
@@ -129,7 +128,7 @@ endif()
 # an unintuitive error about  Unknown CMake command "esptool_py_flash_project_args".

 if(0)
-	message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
    # This example uses an extra component for common functions such as Wi-Fi and Ethernet connection.
    set (PROTOCOL_EXAMPLES_DIR $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)

@@ -140,7 +139,7 @@ if(0)
    else()
        message(STATUS "NOT FOUND: PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
    endif()
-	message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
 endif()

 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/component.mk
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/component.mk
@@ -176,7 +176,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/wolfio.o
 ## wolfcrypt
 ##
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/aes.o
-# ARC4 implementation has been removed
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/arc4.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asn.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/async.o # autogen exclusion
@@ -203,7 +203,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_mlkem.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
@@ -266,8 +266,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem_poly.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h
@@ -110,7 +110,6 @@
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
    /* #define USE_WOLFSSL_ESP_SDK_WIFI */
    #define TEST_ESPIDF_ALL_WOLFSSL
-
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
    /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@@ -213,8 +212,8 @@
 #ifdef CONFIG_WOLFSSL_ENABLE_KYBER
    /* Kyber typically needs a minimum 10K stack */
    #define WOLFSSL_EXPERIMENTAL_SETTINGS
-    #define WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_WC_KYBER
+    #define WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_WC_MLKEM
    #define WOLFSSL_SHA3
    #if defined(CONFIG_IDF_TARGET_ESP8266)
        /* With limited RAM, we'll disable some of the Kyber sizes: */
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/Kconfig.projbuild
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/Kconfig.projbuild
@@ -65,11 +65,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfssh on GitHub.

-    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
-        bool "SSH Echo Server"
-        help
-            See wolfSSL/wolfssh on GitHub.
-
    config WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
        bool "SSH to UART Server for the ESP32"
        help
@@ -95,12 +90,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfTPM on GitHub.

-    config WOLFSSL_APPLE_HOMEKIT
-        bool "Apple HomeKit for the ESP32"
-        help
-            See AchimPieters/esp32-homekit-demo on GitHub.
-
-
    config WOLFSSL_EXAMPLE_NAME_NONE
        bool "Other"
        help
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c
@@ -54,9 +54,9 @@
    #error "Missing WOLFSSL_USER_SETTINGS in CMakeLists or Makefile:\
    CFLAGS +=-DWOLFSSL_USER_SETTINGS"
 #endif
-#if defined(WOLFSSL_WC_KYBER)
-    #include <wolfssl/wolfcrypt/kyber.h>
-    #include <wolfssl/wolfcrypt/wc_kyber.h>
+#if defined(WOLFSSL_WC_MLKEM)
+    #include <wolfssl/wolfcrypt/mlkem.h>
+    #include <wolfssl/wolfcrypt/wc_mlkem.h>
 #endif
 #if defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024)
    #include <wolfssl/certs_test.h>
@@ -329,7 +329,7 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args)
        if ((ssl = wolfSSL_new(ctx)) == NULL) {
            ESP_LOGE(TAG, "ERROR: failed to create WOLFSSL object");
        }
-#if defined(WOLFSSL_HAVE_KYBER)
+#if defined(WOLFSSL_HAVE_MLKEM)
        else {
            /* If success creating CTX and Kyber enabled, set key share: */
            ret = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_KYBER_LEVEL5);
@@ -341,7 +341,7 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args)
            }
        }
 #else
-        ESP_LOGI(TAG, "WOLFSSL_HAVE_KYBER is not enabled, not using PQ.");
+        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is not enabled, not using PQ.");
 #endif
        /* show what cipher connected for this WOLFSSL* object */
        ShowCiphers(ssl);
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/CMakeLists.txt
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/CMakeLists.txt
@@ -14,7 +14,6 @@ else()
    add_compile_definitions(WOLFSSL_ESP_NO_WATCHDOG=1)
 endif()

-
 # The wolfSSL CMake file should be able to find the source code.
 # Otherwise, assign an environment variable or set it here:
 #
@@ -129,7 +128,7 @@ endif()
 # an unintuitive error about  Unknown CMake command "esptool_py_flash_project_args".

 if(0)
-	message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
    # This example uses an extra component for common functions such as Wi-Fi and Ethernet connection.
    set (PROTOCOL_EXAMPLES_DIR $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)

@@ -140,7 +139,7 @@ if(0)
    else()
        message(STATUS "NOT FOUND: PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
    endif()
-	message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
 endif()

 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/component.mk
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/component.mk
@@ -176,7 +176,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/wolfio.o
 ## wolfcrypt
 ##
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/aes.o
-# ARC4 implementation has been removed
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/arc4.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asn.o
 # COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/async.o # autogen exclusion
@@ -203,7 +203,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_mlkem.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
@@ -266,8 +266,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem_poly.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h
@@ -110,7 +110,6 @@
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
    /* #define USE_WOLFSSL_ESP_SDK_WIFI */
    #define TEST_ESPIDF_ALL_WOLFSSL
-
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
    /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@@ -213,8 +212,8 @@
 #ifdef CONFIG_WOLFSSL_ENABLE_KYBER
    /* Kyber typically needs a minimum 10K stack */
    #define WOLFSSL_EXPERIMENTAL_SETTINGS
-    #define WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_WC_KYBER
+    #define WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_WC_MLKEM
    #define WOLFSSL_SHA3
    #if defined(CONFIG_IDF_TARGET_ESP8266)
        /* With limited RAM, we'll disable some of the Kyber sizes: */
@@ -560,9 +559,6 @@
    defined(WOLFSSL_SP_RISCV32)
 #endif

-#define WOLFSSL_SMALL_STACK
-
-
 #define HAVE_VERSION_EXTENDED_INFO
 /* #define HAVE_WC_INTROSPECTION */

@@ -784,6 +780,15 @@
    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
    /***** END CONFIG_IDF_TARGET_ESP32H2 *****/

+#elif defined(CONFIG_IDF_TARGET_ESP32P4)
+    #define WOLFSSL_ESP32
+    /*  wolfSSL Hardware Acceleration not yet implemented */
+    #define NO_ESP32_CRYPT
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH
+    #define NO_WOLFSSL_ESP32_CRYPT_AES
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+    /***** END CONFIG_IDF_TARGET_ESP32P4 *****/
+
 #elif defined(CONFIG_IDF_TARGET_ESP8266)
    #define WOLFSSL_ESP8266

--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/Kconfig.projbuild
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/Kconfig.projbuild
@@ -1,29 +1,112 @@
-menu "Example Configuration"
+# Kconfig main
+#
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+#

-config BENCH_ARGV
-    string "Arguments for benchmark test"
-    default "-lng 0"
+# Kconfig File Version 5.7.2.001 for wolfssl_template
+
+menu "Example wolfSSL Configuration"
+
+choice WOLFSSL_EXAMPLE_CHOOSE
+    prompt "Choose Example (See wolfssl/include/user_settings.h)"
+    default WOLFSSL_EXAMPLE_NAME_NONE
    help
-        -? <num>    Help, print this usage
-                     0: English, 1: Japanese
-        -csv        Print terminal output in csv format
-        -base10     Display bytes as power of 10 (eg 1 kB = 1000 Bytes)
-        -no_aad     No additional authentication data passed.
-        -dgst_full  Full digest operation performed.
-        -rsa_sign   Measure RSA sign/verify instead of encrypt/decrypt.
-        -<alg>      Algorithm to benchmark. Available algorithms include:
-                    cipher aes-cbc aes-gcm chacha20 chacha20-poly1305
-                    digest md5 poly1305 sha sha2 sha224 sha256 sha384 sha512 sha3
-                    sha3-224 sha3-256 sha3-384 sha3-512
-                    mac hmac hmac-md5 hmac-sha hmac-sha224 hmac-sha256 hmac-sha384
-                    hmac-sha512
-                    asym rsa rsa-sz dh ecc-kg ecc
-                    other rng
-        -lng <num>  Display benchmark result by specified language.
-                    0: English, 1: Japanese
-        <num>       Size of block in bytes
+        The user settings file can be adjusted to specific wolfSSL examples.

-        e.g -lng 1
-        e.g sha
+    config WOLFSSL_EXAMPLE_NAME_TEMPLATE
+        bool "wolfSSL Template"
+        help
+            The sample template app compiles in wolfSSL and prints the current wolfSSL Version. Nothing more.
+
+    config WOLFSSL_EXAMPLE_NAME_TEST
+        bool "wolfSSL Test"
+        help
+            This app tests all cryptographic functions currently enabled. See also Benchmark performance app.
+
+    config WOLFSSL_EXAMPLE_NAME_BENCHMARK
+        bool "wolfSSL Benchmark"
+        help
+            Benchmark performance app. See also cryptographic test.
+
+    config WOLFSSL_EXAMPLE_NAME_TLS_CLIENT
+        bool "TLS Client"
+        help
+            TLS Client Example app. Needs WiFi and a listening server on port 11111.
+
+    config WOLFSSL_EXAMPLE_NAME_TLS_SERVER
+        bool "TLS Server"
+        help
+            TLS Server Example app. Needs WiFi. More interesting with a TLS client using port 11111.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE
+        bool "SSH Template App"
+        help
+            Bare-bones Hello World app that only compiles in wolfSSL and wolfSSH.
+            See wolfSSL/wolfssh on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
+        bool "SSH Echo Server"
+        help
+            See wolfSSL/wolfssh on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
+        bool "SSH to UART Server for the ESP32"
+        help
+            See wolfSSL/wolfssh-examples on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_ESP8266_SSH_SERVER
+        bool "SSH to UART Server for the ESP8266"
+        help
+            See wolfSSL/wolfssh-examples on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFMQTT_TEMPLATE
+        bool "MQTT Template"
+        help
+            See wolfSSL/wolfmqtt on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFMQTT_AWS_IOT_MQTT
+        bool "MQTT AWS IoT"
+        help
+            See wolfSSL/wolfmqtt on GitHub.
+
+    config WOLFTPM_EXAMPLE_NAME_ESPRESSIF
+        bool "TPM Test Example for the ESP32"
+        help
+            See wolfSSL/wolfTPM on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_NONE
+        bool "Other"
+        help
+            A specific example app is not defined.
+
+endchoice
+
+config WOLFSSL_TARGET_HOST
+    string "Target host"
+    default "127.0.0.1"
+    help
+        host address for the example to connect
+
+config WOLFSSL_TARGET_PORT
+    int "Target port"
+    default 11111
+    help
+        host port for the example to connect

 endmenu
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/main.c
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/main.c
@@ -164,6 +164,8 @@ void app_main(void)
        .stop_bits = UART_STOP_BITS_1,
    };
    int stack_start = 0;
+    int heap_start = 0;
+    int heap_current = 0;
    int loops = 0;
    esp_err_t ret = 0;

@@ -245,8 +247,12 @@ void app_main(void)
    ** note it is still always called in wolf_test_task.
    */
    stack_start = uxTaskGetStackHighWaterMark(NULL);
+    heap_start = heap_caps_get_free_size(MALLOC_CAP_8BIT);

    do {
+        heap_current = heap_caps_get_free_size(MALLOC_CAP_8BIT);
+        ESP_LOGI(TAG, "Free heap memory: %d bytes; Start %d",
+                                         heap_current, heap_start);
        ESP_LOGI(TAG, "Stack HWM: %d\n", uxTaskGetStackHighWaterMark(NULL));

        ret = wolf_test_task();
@@ -272,7 +278,7 @@ void app_main(void)
    ESP_LOGI(TAG, "Stack HWM: %d\n", uxTaskGetStackHighWaterMark(NULL));
 #endif

-#if defined(DEBUG_WOLFSSL) && defined(WOLFSSL_ESP32_CRYPT_RSA_PRI)
+#if defined(WOLFSSL_HW_METRICS) && defined(WOLFSSL_ESP32_CRYPT_RSA_PRI)
    esp_hw_show_mp_metrics();
 #endif

--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults
@@ -1,5 +1,5 @@
 # Set the known example app config to template example (see user_settings.h)
-CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSL_TEST=y
+CONFIG_WOLFSSL_EXAMPLE_NAME_TEST=y

 # CONFIG_EXAMPLE_WIFI_SSID="myssid"
 # CONFIG_EXAMPLE_WIFI_PASSWORD="mypassword"
--- a/IDE/GCC-ARM/Makefile.common
+++ b/IDE/GCC-ARM/Makefile.common
@@ -178,7 +178,7 @@ SRC_C += ../../wolfcrypt/src/selftest.c
 endif

 # wolfCrypt non-standard algorithms (disabled by default)
-# ARC4 implementation has been removed
+SRC_C += ../../wolfcrypt/src/arc4.c
 SRC_C += ../../wolfcrypt/src/blake2b.c
 SRC_C += ../../wolfcrypt/src/camellia.c
 SRC_C += ../../wolfcrypt/src/dsa.c
--- a/IDE/HEXAGON/DSP/Makefile
+++ b/IDE/HEXAGON/DSP/Makefile
@@ -80,7 +80,7 @@ libwolfssl_dsp_skel.C_SRCS += ../../../wolfcrypt/src/wolfmath.c
 #eccverify_q.C_SRCS += ../../../wolfcrypt/src/wc_encrypt.c
 #eccverify_q.C_SRCS += ../../../wolfcrypt/src/pwdbased.c
 #eccverify_q.C_SRCS += ../../../wolfcrypt/src/hash.c
-#eccverify_q.C_SRCS += # ../../../wolfcrypt/src/arc4.c - ARC4 implementation has been removed
+#eccverify_q.C_SRCS += ../../../wolfcrypt/src/arc4.c
 #eccverify_q.C_SRCS += ../../../wolfcrypt/src/hmac.c
 #eccverify_q.C_SRCS += ../../../wolfcrypt/src/md5.c
 #eccverify_q.C_SRCS += ../../../wolfcrypt/src/coding.c
--- a/IDE/HEXAGON/Makefile
+++ b/IDE/HEXAGON/Makefile
@@ -65,7 +65,7 @@ libwolfssl_LD_FLAGS += -ldl
 libwolfssl_C_SRCS += \
 	../../wolfcrypt/src/aes \
 	../../wolfcrypt/src/md2 \
-	# ARC4 implementation has been removed \
+	../../wolfcrypt/src/arc4 \
 	../../wolfcrypt/src/md4 \
 	../../wolfcrypt/src/asm \
 	../../wolfcrypt/src/md5 \
--- a/IDE/IAR-EWARM/Projects/lib/wolfSSL-Lib.ewp
+++ b/IDE/IAR-EWARM/Projects/lib/wolfSSL-Lib.ewp
@@ -1904,7 +1904,7 @@
      <name>$PROJ_DIR$\..\..\..\..\wolfcrypt\src\aes.c</name>
    </file>
    <file>
-      <!-- ARC4 implementation has been removed -->
+      <name>$PROJ_DIR$\..\..\..\..\wolfcrypt\src\arc4.c</name>
    </file>
    <file>
      <name>$PROJ_DIR$\..\..\..\..\wolfcrypt\src\asm.c</name>
--- a/IDE/INTIME-RTOS/libwolfssl.vcxproj
+++ b/IDE/INTIME-RTOS/libwolfssl.vcxproj
@@ -24,7 +24,7 @@
    <ClCompile Include="..\..\src\ssl.c" />
    <ClCompile Include="..\..\src\tls.c" />
    <ClCompile Include="..\..\wolfcrypt\src\aes.c" />
-    <!-- ARC4 implementation has been removed -->
+    <ClCompile Include="..\..\wolfcrypt\src\arc4.c" />
    <ClCompile Include="..\..\wolfcrypt\src\asm.c" />
    <ClCompile Include="..\..\wolfcrypt\src\asn.c" />
    <ClCompile Include="..\..\wolfcrypt\src\blake2b.c" />
@@ -87,7 +87,7 @@
    <ClInclude Include="..\..\wolfssl\test.h" />
    <ClInclude Include="..\..\wolfssl\version.h" />
    <ClInclude Include="..\..\wolfssl\wolfcrypt\aes.h" />
-    <!-- ARC4 implementation has been removed -->
+    <ClInclude Include="..\..\wolfssl\wolfcrypt\arc4.h" />
    <ClInclude Include="..\..\wolfssl\wolfcrypt\asn.h" />
    <ClInclude Include="..\..\wolfssl\wolfcrypt\asn_public.h" />
    <ClInclude Include="..\..\wolfssl\wolfcrypt\async.h" />
--- a/IDE/LINUX-SGX/sgx_t_static.mk
+++ b/IDE/LINUX-SGX/sgx_t_static.mk
@@ -47,7 +47,7 @@ Crypto_Library_Name := sgx_tcrypto
 Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX

 Wolfssl_C_Files :=$(WOLFSSL_ROOT)/wolfcrypt/src/aes.c\
-					# ARC4 implementation has been removed\
+					$(WOLFSSL_ROOT)/wolfcrypt/src/arc4.c\
 					$(WOLFSSL_ROOT)/wolfcrypt/src/asn.c\
 					$(WOLFSSL_ROOT)/wolfcrypt/src/blake2b.c\
 					$(WOLFSSL_ROOT)/wolfcrypt/src/camellia.c\
--- a/IDE/MCUEXPRESSO/RT1170/wolfssl_cm7/.cproject
+++ b/IDE/MCUEXPRESSO/RT1170/wolfssl_cm7/.cproject
@@ -241,7 +241,7 @@
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="drivers"/>
 						<entry excluding="freertos_kernel/portable/MemMang/heap_1.c|freertos_kernel/portable/MemMang/heap_2.c|freertos_kernel/portable/MemMang/heap_3.c|freertos_kernel/portable/MemMang/heap_5.c" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="freertos"/>
 						<entry excluding="src/netif/ppp/polarssl/arc4.c|src/netif/ppp/polarssl/des.c|src/netif/ppp/polarssl/md4.c|src/netif/ppp/polarssl/md5.c|src/netif/ppp/polarssl/sha1.c" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="lwip"/>
-						<entry excluding="wolfcrypt/src/misc.c|src/x509.c|src/x509_str.c|wolfcrypt/src/evp.c|src/conf.c|src/pk.c|src/bio.c|wolfcrypt/src/wc_kyber_asm.S|wolfcrypt/src/sp_x86_64_asm.S|wolfcrypt/src/sp_x86_64_asm.asm|wolfcrypt/src/sha512_asm.S|wolfcrypt/src/sha3_asm.S|wolfcrypt/src/sha256_asm.S|wolfcrypt/src/poly1305_asm.S|wolfcrypt/src/fe_x25519_asm.S|wolfcrypt/src/port|wolfcrypt/src/chacha_asm.S|wolfcrypt/src/aes_gcm_x86_asm.S|wolfcrypt/src/aes_gcm_asm.S|wolfcrypt/src/aes_asm.S|wolfcrypt/src/aes_asm.asm|wolfcrypt/user-crypto|wolfcrypt/test|wolfcrypt/benchmark" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source"/>
+						<entry excluding="wolfcrypt/src/misc.c|src/x509.c|src/x509_str.c|wolfcrypt/src/evp.c|src/conf.c|src/pk.c|src/bio.c|wolfcrypt/src/wc_mlkem_asm.S|wolfcrypt/src/sp_x86_64_asm.S|wolfcrypt/src/sp_x86_64_asm.asm|wolfcrypt/src/sha512_asm.S|wolfcrypt/src/sha3_asm.S|wolfcrypt/src/sha256_asm.S|wolfcrypt/src/poly1305_asm.S|wolfcrypt/src/fe_x25519_asm.S|wolfcrypt/src/port|wolfcrypt/src/chacha_asm.S|wolfcrypt/src/aes_gcm_x86_asm.S|wolfcrypt/src/aes_gcm_asm.S|wolfcrypt/src/aes_asm.S|wolfcrypt/src/aes_asm.asm|wolfcrypt/user-crypto|wolfcrypt/test|wolfcrypt/benchmark" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source"/>
 						<entry flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source/wolfcrypt/src/port/caam"/>
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="startup"/>
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="utilities"/>
@@ -489,7 +489,7 @@
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="drivers"/>
 						<entry excluding="freertos_kernel/portable/MemMang/heap_1.c|freertos_kernel/portable/MemMang/heap_2.c|freertos_kernel/portable/MemMang/heap_3.c|freertos_kernel/portable/MemMang/heap_5.c" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="freertos"/>
 						<entry excluding="src/netif/ppp/polarssl/arc4.c|src/netif/ppp/polarssl/des.c|src/netif/ppp/polarssl/md4.c|src/netif/ppp/polarssl/md5.c|src/netif/ppp/polarssl/sha1.c" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="lwip"/>
-						<entry excluding="wolfcrypt/src/misc.c|src/x509.c|src/x509_str.c|wolfcrypt/src/evp.c|src/conf.c|src/pk.c|src/bio.c|wolfcrypt/src/wc_kyber_asm.S|wolfcrypt/src/sp_x86_64_asm.S|wolfcrypt/src/sp_x86_64_asm.asm|wolfcrypt/src/sha512_asm.S|wolfcrypt/src/sha3_asm.S|wolfcrypt/src/sha256_asm.S|wolfcrypt/src/poly1305_asm.S|wolfcrypt/src/fe_x25519_asm.S|wolfcrypt/src/port|wolfcrypt/src/chacha_asm.S|wolfcrypt/src/aes_gcm_x86_asm.S|wolfcrypt/src/aes_gcm_asm.S|wolfcrypt/src/aes_asm.S|wolfcrypt/src/aes_asm.asm|wolfcrypt/user-crypto|wolfcrypt/test|wolfcrypt/benchmark" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source"/>
+						<entry excluding="wolfcrypt/src/misc.c|src/x509.c|src/x509_str.c|wolfcrypt/src/evp.c|src/conf.c|src/pk.c|src/bio.c|wolfcrypt/src/wc_mlkem_asm.S|wolfcrypt/src/sp_x86_64_asm.S|wolfcrypt/src/sp_x86_64_asm.asm|wolfcrypt/src/sha512_asm.S|wolfcrypt/src/sha3_asm.S|wolfcrypt/src/sha256_asm.S|wolfcrypt/src/poly1305_asm.S|wolfcrypt/src/fe_x25519_asm.S|wolfcrypt/src/port|wolfcrypt/src/chacha_asm.S|wolfcrypt/src/aes_gcm_x86_asm.S|wolfcrypt/src/aes_gcm_asm.S|wolfcrypt/src/aes_asm.S|wolfcrypt/src/aes_asm.asm|wolfcrypt/user-crypto|wolfcrypt/test|wolfcrypt/benchmark" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source"/>
 						<entry flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source/wolfcrypt/src/port/caam"/>
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="startup"/>
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="utilities"/>
@@ -565,4 +565,4 @@
 	</storageModule>
 	<storageModule moduleId="org.eclipse.cdt.make.core.buildtargets"/>
 	<storageModule moduleId="refreshScope"/>
-</cproject>
+</cproject>
--- a/IDE/MDK-ARM/MDK-ARM/wolfSSL/shell.c
+++ b/IDE/MDK-ARM/MDK-ARM/wolfSSL/shell.c
@@ -142,7 +142,7 @@ extern void hmac_sha384_test(void *arg) ;
    #endif
 #endif
 #ifndef NO_RC4
-extern void arc4_test(void *arg) ; /* ARC4 implementation has been removed */
+extern void arc4_test(void *arg) ;
 #endif

 #ifndef NO_DES3
@@ -257,7 +257,7 @@ static struct {
  #endif
 #endif
 #ifndef NO_RC4
-    "arc4",  arc4_test, /* ARC4 implementation has been removed */
+    "arc4",  arc4_test,
 #endif
 #ifndef NO_DES3
  "des",  des_test,
--- a/IDE/MDK5-ARM/Projects/wolfSSL-Full/Abstract.txt
+++ b/IDE/MDK5-ARM/Projects/wolfSSL-Full/Abstract.txt
@@ -27,7 +27,7 @@ SHA      test passed!

 >benchmark
 AES      25 kB took 0.025 seconds,   0.96 MB/s
-/* ARC4 implementation has been removed */
+ARC4     25 kB took 0.006 seconds,   3.83 MB/s
 ...

 DH  2048 key agreement   685.93 milliseconds, avg over 1 iterations
--- a/IDE/MDK5-ARM/Projects/wolfSSL-Full/shell.c
+++ b/IDE/MDK5-ARM/Projects/wolfSSL-Full/shell.c
@@ -149,7 +149,7 @@ extern void hmac_sha384_test(void *arg) ;
    #endif
 #endif
 #ifndef NO_RC4
-extern void arc4_test(void *arg) ; /* ARC4 implementation has been removed */
+extern void arc4_test(void *arg) ;
 #endif

 #ifndef NO_DES3
@@ -264,7 +264,7 @@ static struct {
  #endif
 #endif
 #ifndef NO_RC4
-    "arc4",  arc4_test, /* ARC4 implementation has been removed */
+    "arc4",  arc4_test,
 #endif
 #ifndef NO_DES3
  "des",  des_test,
--- a/IDE/MPLABX16/wolfssl.X/nbproject/configurations.xml
+++ b/IDE/MPLABX16/wolfssl.X/nbproject/configurations.xml
@@ -15,7 +15,7 @@
                   projectFiles="true">
      <logicalFolder name="f2" displayName="wolfcrypt" projectFiles="true">
        <itemPath>../../../wolfcrypt/src/aes.c</itemPath>
-        <!-- ARC4 implementation has been removed -->
+        <itemPath>../../../wolfcrypt/src/arc4.c</itemPath>
        <itemPath>../../../wolfcrypt/src/asm.c</itemPath>
        <itemPath>../../../wolfcrypt/src/asn.c</itemPath>
        <itemPath>../../../wolfcrypt/src/blake2b.c</itemPath>
--- a/IDE/MQX/Makefile
+++ b/IDE/MQX/Makefile
@@ -72,7 +72,7 @@ $(WOLF_ROOT)/src/tls13.o\
 $(WOLF_ROOT)/src/tls.o\
 $(WOLF_ROOT)/src/wolfio.o\
 $(WOLF_ROOT)/wolfcrypt/src/aes.o\
-# ARC4 implementation has been removed\
+$(WOLF_ROOT)/wolfcrypt/src/arc4.o\
 $(WOLF_ROOT)/wolfcrypt/src/asm.o\
 $(WOLF_ROOT)/wolfcrypt/src/asn.o\
 $(WOLF_ROOT)/wolfcrypt/src/blake2b.o\
--- a/IDE/MYSQL/CMakeLists_wolfCrypt.txt
+++ b/IDE/MYSQL/CMakeLists_wolfCrypt.txt
@@ -23,16 +23,14 @@ INCLUDE_DIRECTORIES(
  ${CMAKE_SOURCE_DIR}/extra/wolfssl)

 ADD_DEFINITIONS(${SSL_DEFINES})
-SET(WOLFCRYPT_SOURCES		src/aes.c # src/arc4.c - ARC4 implementation has been removed
-        src/asn.c src/blake2b.c
+SET(WOLFCRYPT_SOURCES		src/aes.c src/arc4.c src/asn.c src/blake2b.c
        src/camellia.c src/chacha.c src/coding.c src/compress.c src/des3.c
        src/dh.c src/dsa.c src/ecc.c src/error.c src/hmac.c
        src/integer.c src/kdf.c src/logging.c src/md2.c src/md4.c src/md5.c src/memory.c
        src/pkcs7.c src/pkcs12.c src/poly1305.c src/pwdbased.c
        src/random.c src/ripemd.c src/rsa.c src/sha.c src/sha256.c src/sha512.c
        src/tfm.c src/wc_port.c src/wc_encrypt.c src/hash.c src/wolfmath.c
-        ../wolfssl/wolfcrypt/aes.h # ../wolfssl/wolfcrypt/arc4.h - ARC4 implementation has been removed
-        ../wolfssl/wolfcrypt/asn.h ../wolfssl/wolfcrypt/blake2.h
+        ../wolfssl/wolfcrypt/aes.h ../wolfssl/wolfcrypt/arc4.h ../wolfssl/wolfcrypt/asn.h ../wolfssl/wolfcrypt/blake2.h
        ../wolfssl/wolfcrypt/camellia.h ../wolfssl/wolfcrypt/chacha.h ../wolfssl/wolfcrypt/coding.h ../wolfssl/wolfcrypt/compress.h ../wolfssl/wolfcrypt/des3.h
        ../wolfssl/wolfcrypt/dh.h ../wolfssl/wolfcrypt/dsa.h ../wolfssl/wolfcrypt/ecc.h ../wolfssl/wolfcrypt/error-crypt.h ../wolfssl/wolfcrypt/hmac.h
        ../wolfssl/wolfcrypt/integer.h ../wolfssl/wolfcrypt/logging.h ../wolfssl/wolfcrypt/md2.h ../wolfssl/wolfcrypt/md4.h ../wolfssl/wolfcrypt/md5.h ../wolfssl/wolfcrypt/memory.h
--- a/IDE/NDS/README.md
+++ b/IDE/NDS/README.md
@@ -15,13 +15,16 @@ $ ./configure \
    AR=$DEVKITARM/bin/arm-none-eabi-ar \
    STRIP=$DEVKITARM/bin/arm-none-eabi-strip \
    RANLIB=$DEVKITARM/bin/arm-none-eabi-ranlib \
-    LIBS="-lfat -lnds9" \
-    LDFLAGS="-L/opt/devkitpro/libnds/lib" \
+    LIBS="-lfat -lnds9 -lcalico_ds9" \
+    LDFLAGS="-L$DEVKITPRO/libnds/lib \
+        -L$DEVKITPRO/calico/lib" \
    --prefix=$DEVKITPRO/portlibs/nds \
    CFLAGS="-march=armv5te -mtune=arm946e-s \
-        --specs=ds_arm9.specs -DARM9 -DWOLFSSL_NDS \
+        -specs=$DEVKITPRO/calico/share/ds9.specs \
+        -D__NDS__ -DARM9 -D__thumb__=0 \
        -DWOLFSSL_MELONDS \
-        -DWOLFSSL_USER_IO \
+        -DWOLFSSL_NDS -DWOLFSSL_USER_IO \
+        -I$DEVKITPRO/calico/include \
        -I$DEVKITPRO/libnds/include" \
    --enable-fastmath --disable-benchmark \
    --disable-shared --disable-examples --disable-ecc
@@ -37,12 +40,15 @@ $ ./configure \
    AR=$DEVKITARM/bin/arm-none-eabi-ar \
    STRIP=$DEVKITARM/bin/arm-none-eabi-strip \
    RANLIB=$DEVKITARM/bin/arm-none-eabi-ranlib \
-    LIBS="-lfat -lnds9" \
-    LDFLAGS="-L/opt/devkitpro/libnds/lib" \
+    LIBS="-lfat -lnds9 -lcalico_ds9" \
+    LDFLAGS="-L$DEVKITPRO/libnds/lib \
+        -L$DEVKITPRO/calico/lib" \
    --prefix=$DEVKITPRO/portlibs/nds \
    CFLAGS="-march=armv5te -mtune=arm946e-s \
-        --specs=ds_arm9.specs -DARM9 -DWOLFSSL_NDS \
-        -DWOLFSSL_USER_IO \
+        -specs=$DEVKITPRO/calico/share/ds9.specs \
+        -D__NDS__ -DARM9 -D__thumb__=0 \
+        -DWOLFSSL_NDS -DWOLFSSL_USER_IO \
+        -I$DEVKITPRO/calico/include \
        -I$DEVKITPRO/libnds/include" \
    --enable-fastmath --disable-benchmark \
    --disable-shared --disable-examples --disable-ecc
--- a/IDE/NETOS/Makefile.wolfcrypt.inc
+++ b/IDE/NETOS/Makefile.wolfcrypt.inc
@@ -1,11 +1,11 @@
-WOLFSSL_ROOT=wolfCrypt_v4_5_2
+WOLFSSL_ROOT=wolfssl-5.7.2-commercial-fips-linuxv5.2.1
 APP_WOLFCRYPTOBJS = $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/wolfcrypt_first.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/aes.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/cmac.o\
-            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/des3.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/dh.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/ecc.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/hmac.o\
+            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/kdf.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/random.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/rsa.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/sha.o\
--- a/IDE/NETOS/include.am
+++ b/IDE/NETOS/include.am
@@ -4,6 +4,7 @@

 EXTRA_DIST+= IDE/NETOS/Makefile.wolfcrypt.inc
 EXTRA_DIST+= IDE/NETOS/user_settings.h
+EXTRA_DIST+= IDE/NETOS/user_settings.h-cert3389
 EXTRA_DIST+= IDE/NETOS/user_settings.h-cert2425
 EXTRA_DIST+= IDE/NETOS/wolfssl_netos_custom.c
 EXTRA_DIST+= IDE/NETOS/README.md
--- a/IDE/NETOS/user_settings.h
+++ b/IDE/NETOS/user_settings.h
@@ -1,5 +1,5 @@
 /* user_settings.h
-*
+ *
 * Copyright (C) 2006-2025 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
@@ -19,7 +19,6 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

-/* Custom wolfSSL user settings for GCC ARM */

 #ifndef WOLFSSL_USER_SETTINGS_H
 #define WOLFSSL_USER_SETTINGS_H
@@ -28,11 +27,39 @@
 extern "C" {
 #endif

+#undef  HAVE_FIPS
+#if 1
+
+    #define HAVE_FIPS
+
+    #undef  HAVE_FIPS_VERSION
+    #define HAVE_FIPS_VERSION 5
+
+    #undef HAVE_FIPS_VERSION_MAJOR
+    #define HAVE_FIPS_VERSION_MAJOR 5
+
+    #undef HAVE_FIPS_VERSION_MINOR
+    #define HAVE_FIPS_VERSION_MINOR 2
+
+    #undef WOLFSSL_WOLFSSH
+    #define WOLFSSL_WOLFSSH
+
+    #undef WC_RNG_SEED_CB
+    #define WC_RNG_SEED_CB
+
+    #if 1
+        #undef NO_ATTRIBUTE_CONSTRUCTOR
+        #define NO_ATTRIBUTE_CONSTRUCTOR
+    #endif
+
+#endif
+
+
 /* ------------------------------------------------------------------------- */
 /* Platform */
 /* ------------------------------------------------------------------------- */
-#undef WOLFSSL_GENERAL_ALIGNMENT
-#define WOLFSSL_GENERAL_ALIGNMENT 4
+#undef  WOLFSSL_GENERAL_ALIGNMENT
+#define WOLFSSL_GENERAL_ALIGNMENT   4

 #undef THREADX
 #define THREADX
@@ -47,85 +74,99 @@ extern "C" {
 #undef BIG_ENDIAN_ORDER
 #define BIG_ENDIAN_ORDER

-#undef WOLFSSL_SMALL_STACK
-//#define WOLFSSL_SMALL_STACK
+#undef WOLFSSL_USE_ALIGN
+#define WOLFSSL_USE_ALIGN

-#undef WOLFSSL_USER_IO
-//#define WOLFSSL_USER_IO
-
-#undef NO_THREAD_LS
+#undef  NO_THREAD_LS
 #define NO_THREAD_LS

 /* ------------------------------------------------------------------------- */
 /* Math Configuration */
 /* ------------------------------------------------------------------------- */
-#undef SIZEOF_LONG_LONG
+
+    #define WOLFCRYPT_FIPS_CORE_HASH_VALUE \
+            F0E3A7F32D8FDE71DA017855072247B27D8C0F5A74CACE89AED272A7CF5EAC0E
+#if 0
+    #define WOLFSSL_SP_MATH_ALL
+    #define WOLFSSL_SP_RSA
+    #define WOLFSSL_SP_DH
+    #define WOLFSSL_SP_ECC
+    #define WOLFSSL_SP_4096
+    #define WOLFSSL_SP_384
+    #define WOLFSSL_SP_521
+    #define WOLFSSL_SP_SMALL
+    #define WOLFSSL_SP_NO_MALLOC
+    #define SP_INT_BITS 8192
+#endif
+#if 1
+    #undef  USE_FAST_MATH
+    #define USE_FAST_MATH
+    #if 1
+        #define WOLFSSL_SP_RSA
+        #define WOLFSSL_SP_DH
+        #define WOLFSSL_SP_ECC
+        #define WOLFSSL_SP_4096
+        #define WOLFSSL_SP_384
+        #define WOLFSSL_SP_521
+        #define WOLFSSL_SP_SMALL
+        #define SP_INT_BITS 8192
+    #endif
+#endif
+#if 0
+    #undef USE_INTEGER_HEAP_MATH
+    #define USE_INTEGER_HEAP_MATH
+
+    #undef WOLFSSL_SMALL_STACK
+    #define WOLFSSL_SMALL_STACK
+#endif
+
+#undef  SIZEOF_LONG_LONG
 #define SIZEOF_LONG_LONG 8

-#undef SIZEOF_LONG
-#define SIZEOF_LONG 4
-
-#undef USE_FAST_MATH
-#if 1
-    #define USE_FAST_MATH
-
-    #undef TFM_TIMING_RESISTANT
+#ifdef USE_FAST_MATH
+    #undef  TFM_TIMING_RESISTANT
    #define TFM_TIMING_RESISTANT

-    /* Optimizations */
-    #define TFM_ARM
+    #undef  FP_MAX_BITS
+    #define FP_MAX_BITS 16384
+
+    #define TFM_NO_ASM
+
+    /* Optimizations (on M0 UMULL is not supported, need another assembly
+     * solution) */
+    //#define TFM_ARM
 #endif

-/* ------------------------------------------------------------------------- */
-/* FIPS - Requires eval or license from wolfSSL */
-/* ------------------------------------------------------------------------- */
-#undef HAVE_FIPS
-#if 1
-    #define HAVE_FIPS
-
-    #undef HAVE_FIPS_VERSION
-    #define HAVE_FIPS_VERSION 2
-
-    #ifdef SINGLE_THREADED
-        #undef NO_THREAD_LS
-        #define NO_THREAD_LS
-    #endif
-
-    #if 1
-        #undef NO_ATTRIBUTE_CONSTRUCTOR
-        #define NO_ATTRIBUTE_CONSTRUCTOR
-    #endif
-#endif
-
-
 /* ------------------------------------------------------------------------- */
 /* Crypto */
 /* ------------------------------------------------------------------------- */
 /* RSA */
 #undef NO_RSA
 #if 1
-    #ifdef USE_FAST_MATH
-        /* Maximum math bits (Max RSA key bits * 2) */
-        #undef FP_MAX_BITS
-        #define FP_MAX_BITS 8192
-    #endif

    /* half as much memory but twice as slow */
-    #undef RSA_LOW_MEM
+    #undef  RSA_LOW_MEM
    //#define RSA_LOW_MEM

    /* Enables blinding mode, to prevent timing attacks */
    #if 0
-        #undef WC_RSA_BLINDING
+        #undef  WC_RSA_BLINDING
        #define WC_RSA_BLINDING
    #else
-        #undef WC_NO_HARDEN
+        #undef  WC_NO_HARDEN
        #define WC_NO_HARDEN
    #endif

    /* RSA PSS Support */
    #if 1
+        #undef WC_RSA_PSS
        #define WC_RSA_PSS
+
+        #undef WOLFSSL_PSS_LONG_SALT
+        #define WOLFSSL_PSS_LONG_SALT
+
+        #undef WOLFSSL_PSS_SALT_LEN_DISCOVER
+        #define WOLFSSL_PSS_SALT_LEN_DISCOVER
    #endif

    #if 1
@@ -141,86 +182,86 @@ extern "C" {
    #define HAVE_ECC

    /* Manually define enabled curves */
-    #undef ECC_USER_CURVES
-    //#define ECC_USER_CURVES
+    #undef  ECC_USER_CURVES
+    #define ECC_USER_CURVES

    #ifdef ECC_USER_CURVES
-    /* Manual Curve Selection */
-    //#define HAVE_ECC192
-    //#define HAVE_ECC224
-    #undef NO_ECC256
-    //#define HAVE_ECC384
-    //#define HAVE_ECC521
+        /* Manual Curve Selection */
+        #define HAVE_ECC192
+        #define HAVE_ECC224
+        #undef NO_ECC256
+        #define HAVE_ECC256
+        #define HAVE_ECC384
+        #define HAVE_ECC521
    #endif

-    /* Fixed point cache (speeds repeated operations against same private key) */
-    #undef FP_ECC
+    /* Fixed point cache (speeds repeated operations against same private key)
+     */
+    #undef  FP_ECC
    //#define FP_ECC
    #ifdef FP_ECC
        /* Bits / Entries */
-        #undef FP_ENTRIES
-        #define FP_ENTRIES 2
-        #undef FP_LUT
-        #define FP_LUT 4
+        #undef  FP_ENTRIES
+        #define FP_ENTRIES  2
+        #undef  FP_LUT
+        #define FP_LUT      4
    #endif

    /* Optional ECC calculation method */
    /* Note: doubles heap usage, but slightly faster */
-    #undef ECC_SHAMIR
+    #undef  ECC_SHAMIR
    #define ECC_SHAMIR

    /* Reduces heap usage, but slower */
-    #undef ECC_TIMING_RESISTANT
+    #undef  ECC_TIMING_RESISTANT
    #define ECC_TIMING_RESISTANT

    #ifdef HAVE_FIPS
-        #undef HAVE_ECC_CDH
+        #undef  HAVE_ECC_CDH
        #define HAVE_ECC_CDH /* Enable cofactor support */

        #undef NO_STRICT_ECDSA_LEN
        #define NO_STRICT_ECDSA_LEN /* Do not force fixed len w/ FIPS */

-        #undef WOLFSSL_VALIDATE_ECC_IMPORT
+        #undef  WOLFSSL_VALIDATE_ECC_IMPORT
        #define WOLFSSL_VALIDATE_ECC_IMPORT /* Validate import */
-    #endif

-    /* Compressed Key Support */
-    #undef HAVE_COMP_KEY
-    //#define HAVE_COMP_KEY
+        #undef WOLFSSL_VALIDATE_ECC_KEYGEN
+        #define WOLFSSL_VALIDATE_ECC_KEYGEN /* Validate generated keys */
+
+        #undef WOLFSSL_ECDSA_SET_K
+        #define WOLFSSL_ECDSA_SET_K
+
+        //#define WOLFCRYPT_HAVE_SAKKE
+
+    #endif

    /* Use alternate ECC size for ECC math */
    #ifdef USE_FAST_MATH
-        /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */
-        #ifdef NO_RSA
-            /* Custom fastmath size if not using RSA */
-            #undef FP_MAX_BITS
-            #define FP_MAX_BITS (256 * 2)
-        #else
-            #undef ALT_ECC_SIZE
-            #define ALT_ECC_SIZE
-            /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overridden */
-            //#undef FP_MAX_BITS_ECC
-            //#define FP_MAX_BITS_ECC (256 * 2)
-        #endif
+        #undef  ALT_ECC_SIZE
+        #define ALT_ECC_SIZE

        /* Speedups specific to curve */
        #ifndef NO_ECC256
-            #undef TFM_ECC256
+            #undef  TFM_ECC256
            #define TFM_ECC256
        #endif
    #endif
 #endif

 /* DH */
-#undef NO_DH
+#undef  NO_DH
 #if 1
+    #define HAVE_DH
    /* Use table for DH instead of -lm (math) lib dependency */
    #if 1
+        #define HAVE_DH_DEFAULT_PARAMS
        #define WOLFSSL_DH_CONST
        #define HAVE_FFDHE_2048
+        #define HAVE_FFDHE_3072
        #define HAVE_FFDHE_4096
-        //#define HAVE_FFDHE_6144
-        //#define HAVE_FFDHE_8192
+        #define HAVE_FFDHE_6144
+        #define HAVE_FFDHE_8192
    #endif

    #ifdef HAVE_FIPS
@@ -235,28 +276,31 @@ extern "C" {
 /* AES */
 #undef NO_AES
 #if 1
-    #undef HAVE_AES_CBC
+    #undef  HAVE_AES_CBC
    #define HAVE_AES_CBC

-    #undef HAVE_AESGCM
+    #undef  HAVE_AESGCM
    #define HAVE_AESGCM

-    /* GCM Method: GCM_SMALL, GCM_WORD32 or GCM_TABLE */
-    // #define GCM_SMALL
-    // #define GCM_WORD32
-    #define GCM_TABLE
+    /* GCM Method (slowest to fastest): GCM_SMALL, GCM_WORD32, GCM_TABLE or
+     *                                  GCM_TABLE_4BIT */
+    #define GCM_TABLE_4BIT

-    #undef WOLFSSL_AES_DIRECT
+    #undef  WOLFSSL_AES_DIRECT
    #define WOLFSSL_AES_DIRECT

-    #undef HAVE_AES_ECB
+    #undef  HAVE_AES_ECB
    #define HAVE_AES_ECB

-    #undef WOLFSSL_AES_COUNTER
+    #undef  WOLFSSL_AES_COUNTER
    #define WOLFSSL_AES_COUNTER

-    #undef HAVE_AESCCM
+    #undef  HAVE_AESCCM
    #define HAVE_AESCCM
+
+    #undef WOLFSSL_AES_OFB
+    #define WOLFSSL_AES_OFB
+
 #else
    #define NO_AES
 #endif
@@ -264,8 +308,11 @@ extern "C" {

 /* DES3 */
 #undef NO_DES3
-#if 1
-    /* No change */
+#if 0
+    #if 1
+        #undef WOLFSSL_DES_ECB
+        #define WOLFSSL_DES_ECB
+    #endif
 #else
    #define NO_DES3
 #endif
@@ -278,20 +325,29 @@ extern "C" {
    #define HAVE_POLY1305

    /* Needed for Poly1305 */
-    #undef HAVE_ONE_TIME_AUTH
+    #undef  HAVE_ONE_TIME_AUTH
    #define HAVE_ONE_TIME_AUTH
 #endif

-/* Ed25519 / Curve25519 */
+/* Curve25519 */
 #undef HAVE_CURVE25519
-#undef HAVE_ED25519
 #if 0
    #define HAVE_CURVE25519
+
+    /* Optionally use small math (less flash usage, but much slower) */
+    #if 1
+        #define CURVE25519_SMALL
+    #endif
+#endif
+
+/* Ed25519 */
+#undef HAVE_ED25519
+#if 0
    #define HAVE_ED25519 /* ED25519 Requires SHA512 */

    /* Optionally use small math (less flash usage, but much slower) */
    #if 1
-        #define CURVED25519_SMALL
+        #define ED25519_SMALL
    #endif
 #endif

@@ -303,7 +359,7 @@ extern "C" {
 #undef NO_SHA
 #if 1
    /* 1k smaller, but 25% slower */
-    //#define USE_SLOW_SHA
+    #define USE_SLOW_SHA
 #else
    #define NO_SHA
 #endif
@@ -312,7 +368,7 @@ extern "C" {
 #undef NO_SHA256
 #if 1
    /* not unrolled - ~2k smaller and ~25% slower */
-    //#define USE_SLOW_SHA256
+    #define USE_SLOW_SHA256

    /* Sha224 */
    #if 1
@@ -327,14 +383,17 @@ extern "C" {
 #if 1
    #define WOLFSSL_SHA512

+    #define  WOLFSSL_NOSHA512_224 /* Not in FIPS mode */
+    #define  WOLFSSL_NOSHA512_256 /* Not in FIPS mode */
+
    /* Sha384 */
-    #undef WOLFSSL_SHA384
+    #undef  WOLFSSL_SHA384
    #if 1
        #define WOLFSSL_SHA384
    #endif

    /* over twice as small, but 50% slower */
-    //#define USE_SLOW_SHA512
+    #define USE_SLOW_SHA512
 #endif

 /* Sha3 */
@@ -344,17 +403,18 @@ extern "C" {
 #endif

 /* MD5 */
-#undef NO_MD5
+#undef  NO_MD5
 #if 1
-    /* No change */
+
 #else
    #define NO_MD5
 #endif

-/* HKDF */
+/* HKDF / PRF */
 #undef HAVE_HKDF
 #if 1
    #define HAVE_HKDF
+    #define WOLFSSL_HAVE_PRF
 #endif

 /* CMAC */
@@ -363,101 +423,49 @@ extern "C" {
    #define WOLFSSL_CMAC
 #endif

-
-/* ------------------------------------------------------------------------- */
-/* Benchmark / Test */
-/* ------------------------------------------------------------------------- */
-/* Use reduced benchmark / test sizes */
-#undef BENCH_EMBEDDED
-#define BENCH_EMBEDDED
-
-#undef USE_CERT_BUFFERS_2048
-#define USE_CERT_BUFFERS_2048
-
-#undef USE_CERT_BUFFERS_1024
-//#define USE_CERT_BUFFERS_1024
-
-#undef USE_CERT_BUFFERS_256
-#define USE_CERT_BUFFERS_256
-
-#undef FORCE_BUFFER_TEST
-#define FORCE_BUFFER_TEST
-
-
 /* ------------------------------------------------------------------------- */
 /* Debugging */
 /* ------------------------------------------------------------------------- */

-#undef DEBUG_WOLFSSL
-#undef NO_ERROR_STRINGS
+#undef  DEBUG_WOLFSSL
+#define DEBUG_WOLFSSL
+
+/* Use this to measure / print heap usage */
 #if 0
-    #define DEBUG_WOLFSSL
-#else
-    #if 0
-        #define NO_ERROR_STRINGS
-    #endif
-#endif
-
-
-/* ------------------------------------------------------------------------- */
-/* Memory */
-/* ------------------------------------------------------------------------- */
-
-/* Override Memory API's */
-#if 0
-    #undef XMALLOC_OVERRIDE
-    #define XMALLOC_OVERRIDE
-
-    /* prototypes for user heap override functions */
-    /* Note: Realloc only required for normal math */
-    /* Note2: XFREE(NULL) must be properly handled */
-    #include <stddef.h> /* for size_t */
-    extern void *myMalloc(size_t n, void* heap, int type);
-    extern void myFree(void *p, void* heap, int type);
-    extern void *myRealloc(void *p, size_t n, void* heap, int type);
-
-    #define XMALLOC(n, h, t) myMalloc(n, h, t)
-    #define XFREE(p, h, t) myFree(p, h, t)
-    #define XREALLOC(p, n, h, t) myRealloc(p, n, h, t)
-#endif
-
-#if 0
-    /* Static memory requires fast math */
-    #define WOLFSSL_STATIC_MEMORY
-
-    /* Disable fallback malloc/free */
-    #define WOLFSSL_NO_MALLOC
-    #if 1
-    #define WOLFSSL_MALLOC_CHECK /* trap malloc failure */
-    #endif
-#endif
-
-/* Memory callbacks */
-#if 1
-    #undef USE_WOLFSSL_MEMORY
+    #undef  USE_WOLFSSL_MEMORY
    #define USE_WOLFSSL_MEMORY

-    /* Use this to measure / print heap usage */
-    #if 0
-        #undef WOLFSSL_TRACK_MEMORY
-        // #define WOLFSSL_TRACK_MEMORY
+    #undef  WOLFSSL_TRACK_MEMORY
+    //#define WOLFSSL_TRACK_MEMORY

-        #undef WOLFSSL_DEBUG_MEMORY
-        //#define WOLFSSL_DEBUG_MEMORY
-
-        #undef WOLFSSL_DEBUG_MEMORY_PRINT
-        //#define WOLFSSL_DEBUG_MEMORY_PRINT
-    #endif
+    #undef  WOLFSSL_DEBUG_MEMORY
+    //#define WOLFSSL_DEBUG_MEMORY
 #else
-    #ifndef WOLFSSL_STATIC_MEMORY
-        #define NO_WOLFSSL_MEMORY
-        /* Otherwise we will use stdlib malloc, free and realloc */
-    #endif
+    #undef  NO_WOLFSSL_MEMORY
+    #define NO_WOLFSSL_MEMORY
 #endif

+#ifndef DEBUG_WOLFSSL
+    #undef  NO_ERROR_STRINGS
+    #define NO_ERROR_STRINGS
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Port */
+/* ------------------------------------------------------------------------- */
+
+/* Override Current Time */
+/* Allows custom "custom_time()" function to be used for benchmark */
+//#define WOLFSSL_USER_CURRTIME
+//#define XTIME time
+
+
 /* ------------------------------------------------------------------------- */
 /* RNG */
 /* ------------------------------------------------------------------------- */
+/* Size of returned HW RNG value */
+//#define CUSTOM_RAND_TYPE      unsigned int

 /* Seed Source */
 #if 1
@@ -473,152 +481,194 @@ extern "C" {
    #define CUSTOM_RAND_TYPE      unsigned char
 #endif

+//#define WOLFSSL_GENSEED_FORTEST
 /* Choose RNG method */
 #if 1
    /* Use built-in P-RNG (SHA256 based) with HW RNG */
    /* P-RNG + HW RNG (P-RNG is ~8K) */
-    //#define WOLFSSL_GENSEED_FORTEST
-    #undef HAVE_HASHDRBG
+    #undef  HAVE_HASHDRBG
    #define HAVE_HASHDRBG
 #else
-    #undef WC_NO_HASHDRBG
+    #undef  WC_NO_HASHDRBG
    #define WC_NO_HASHDRBG

    /* Bypass P-RNG and use only HW RNG */
-    extern int my_rng_gen_block(unsigned char* output, unsigned int sz);
-    #undef CUSTOM_RAND_GENERATE_BLOCK
-    #define CUSTOM_RAND_GENERATE_BLOCK my_rng_gen_block
+    extern int custom_rand_generate_block(unsigned char* output,
+                                          unsigned int sz);
+    #undef  CUSTOM_RAND_GENERATE_BLOCK
+    #define CUSTOM_RAND_GENERATE_BLOCK  custom_rand_generate_block
 #endif

 /* ------------------------------------------------------------------------- */
 /* Enable Features */
 /* ------------------------------------------------------------------------- */
-#undef WOLFSSL_TLS13
 #if 0
+    #undef WOLFSSL_TLS13
    #define WOLFSSL_TLS13
 #endif

-#undef WOLFSSL_KEY_GEN
-#if 1
-    #define WOLFSSL_KEY_GEN
-#endif
+#undef  WOLFSSL_KEY_GEN
+#define WOLFSSL_KEY_GEN

-#if defined(HAVE_FIPS) && !defined(WOLFSSL_KEY_GEN)
-    #define WOLFSSL_OLD_PRIME_CHECK
-#endif
-
-#undef KEEP_PEER_CERT
+#undef  KEEP_PEER_CERT
 //#define KEEP_PEER_CERT

-#undef HAVE_COMP_KEY
+#undef  HAVE_COMP_KEY
 //#define HAVE_COMP_KEY

-#undef HAVE_TLS_EXTENSIONS
+#undef  HAVE_TLS_EXTENSIONS
 #define HAVE_TLS_EXTENSIONS

-#undef HAVE_SUPPORTED_CURVES
+#undef  HAVE_SUPPORTED_CURVES
 #define HAVE_SUPPORTED_CURVES

-#undef WOLFSSL_BASE64_ENCODE
+#undef  WOLFSSL_BASE64_ENCODE
 #define WOLFSSL_BASE64_ENCODE

+#undef WOLFSSL_BASE16
+#define WOLFSSL_BASE16
+
 /* TLS Session Cache */
-#if 0
+#if 1
    #define SMALL_SESSION_CACHE
 #else
    #define NO_SESSION_CACHE
 #endif

+#define BENCH_EMBEDDED

 /* ------------------------------------------------------------------------- */
 /* Disable Features */
 /* ------------------------------------------------------------------------- */
-#undef NO_WOLFSSL_SERVER
+#undef  NO_WOLFSSL_SERVER
 //#define NO_WOLFSSL_SERVER

-#undef NO_WOLFSSL_CLIENT
+#undef  NO_WOLFSSL_CLIENT
 //#define NO_WOLFSSL_CLIENT

-#undef NO_CRYPT_TEST
+#undef  NO_CRYPT_TEST
 //#define NO_CRYPT_TEST

-#undef NO_CRYPT_BENCHMARK
+#undef  NO_CRYPT_BENCHMARK
 //#define NO_CRYPT_BENCHMARK

-#undef WOLFCRYPT_ONLY
+#undef  WOLFCRYPT_ONLY
 //#define WOLFCRYPT_ONLY

 /* In-lining of misc.c functions */
 /* If defined, must include wolfcrypt/src/misc.c in build */
 /* Slower, but about 1k smaller */
-#undef NO_INLINE
+#undef  NO_INLINE
 //#define NO_INLINE

-#undef NO_FILESYSTEM
+#undef  NO_FILESYSTEM
 #define NO_FILESYSTEM

 #undef NO_WOLFSSL_DIR
 #define NO_WOLFSSL_DIR

-#undef NO_WRITEV
+#undef  NO_WRITEV
 #define NO_WRITEV

-#undef NO_MAIN_DRIVER
+#undef  NO_MAIN_DRIVER
 #define NO_MAIN_DRIVER

-#undef NO_DEV_RANDOM
+#undef  NO_DEV_RANDOM
 #define NO_DEV_RANDOM

-#undef NO_DSA
+#undef  NO_DSA
 #define NO_DSA

-#undef NO_RC4
+#undef  NO_DES3
+#define NO_DES3
+
+#undef  NO_RC4
 #define NO_RC4

-#undef NO_OLD_TLS
+#undef  NO_OLD_TLS
 #define NO_OLD_TLS

-#undef NO_PSK
+#undef  NO_PSK
 #define NO_PSK

-#undef NO_MD4
+#undef  NO_MD4
 #define NO_MD4

-#undef NO_PWDBASED
+#undef  NO_PWDBASED
 //#define NO_PWDBASED

-#undef NO_CODING
+#undef  NO_CODING
 //#define NO_CODING

-#undef NO_ASN_TIME
+#undef  NO_ASN_TIME
 //#define NO_ASN_TIME

-#undef NO_CERTS
+#undef  NO_CERTS
 //#define NO_CERTS

-#undef NO_SIG_WRAPPER
+#undef  NO_SIG_WRAPPER
 //#define NO_SIG_WRAPPER

-/* ACVP Testing ONLY specific settings */
+/* FIPS optesting for wolfSSL Engineering only, disable in production */
 #if 0
-    #undef USE_NORMAL_PRINTF
-    #define USE_NORMAL_PRINTF
-
-    #undef USE_UART_READ_LINE
+    #define DEBUG_FIPS_VERBOSE
+    #define NO_CAVP_TDES
    #define USE_UART_READ_LINE
-
-    #undef USE_SMALL_MONTE
-    #define USE_SMALL_MONTE
-
-    #undef WOLFSSL_PUBLIC_MP
+    #define USE_NORMAL_PRINTF
    #define WOLFSSL_PUBLIC_MP

-    #undef HAVE_FORCE_FIPS_FAILURE
+    #define NO_MAIN_OPTEST_DRIVER
+    #define OPTEST_LOGGING_ENABLED
+    #define DEBUG_FIPS_VERBOSE
+    #define OPTEST_INVALID_LOGGING_ENABLED
+    #define OPTEST_RUNNING_ORGANIC
    #define HAVE_FORCE_FIPS_FAILURE
-#endif

+    #define USE_CERT_BUFFERS_2048
+    #define USE_CERT_BUFFERS_256
+    #define FORCE_BUFFER_TEST
+    #define NO_MAIN_OPTEST_DRIVER
+    #define DEEPLY_EMBEDDED
+
+#endif
+/* End optesting only section */
+
+/* START Customer specified options */
+#if 1
+    #undef  HAVE_SECRET_CALLBACK
+    #define HAVE_SECRET_CALLBACK
+
+    #undef  ATOMIC_USER
+    #define ATOMIC_USER
+
+    #undef  HAVE_EX_DATA
+    #define HAVE_EX_DATA
+
+    #undef  NO_WOLFSSL_STUB
+    #define NO_WOLFSSL_STUB
+
+    #undef  OPENSSL_EXTRA
+    #define OPENSSL_EXTRA
+
+    #undef  OPENSSL_ALL
+    #define OPENSSL_ALL
+
+    #undef  HAVE_EXTENDED_MASTER
+    #define HAVE_EXTENDED_MASTER
+
+    #undef  WC_NO_ASYNC_THREADING
+    #define WC_NO_ASYNC_THREADING
+
+    #undef  NO_TESTSUITE_MAIN_DRIVER
+    #define NO_TESTSUITE_MAIN_DRIVER
+
+    #undef WOLFSSL_NO_ASN_STRICT
+    #define WOLFSSL_NO_ASN_STRICT
+#endif
+/* END Customer specified options */
 #ifdef __cplusplus
 }
 #endif

 #endif /* WOLFSSL_USER_SETTINGS_H */
+
--- a/IDE/NETOS/user_settings.h-cert2425
+++ b/IDE/NETOS/user_settings.h-cert2425
@@ -1,3 +1,25 @@
+/* user_settings.h
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
 #ifndef _NETOS_USER_SETTINGS_H_
 #define _NETOS_USER_SETTINGS_H_

--- a/IDE/NETOS/user_settings.h-cert3389
+++ b/IDE/NETOS/user_settings.h-cert3389
@@ -0,0 +1,623 @@
+/* user_settings.h
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Custom wolfSSL user settings for GCC ARM */
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* Platform */
+/* ------------------------------------------------------------------------- */
+#undef WOLFSSL_GENERAL_ALIGNMENT
+#define WOLFSSL_GENERAL_ALIGNMENT 4
+
+#undef THREADX
+#define THREADX
+
+#ifndef TX_TIMER_TICKS_PER_SECOND
+    #define TX_TIMER_TICKS_PER_SECOND 100
+#endif
+
+#undef NETOS
+#define NETOS
+
+#undef BIG_ENDIAN_ORDER
+#define BIG_ENDIAN_ORDER
+
+#undef WOLFSSL_SMALL_STACK
+//#define WOLFSSL_SMALL_STACK
+
+#undef WOLFSSL_USER_IO
+//#define WOLFSSL_USER_IO
+
+#undef NO_THREAD_LS
+#define NO_THREAD_LS
+
+/* ------------------------------------------------------------------------- */
+/* Math Configuration */
+/* ------------------------------------------------------------------------- */
+#undef SIZEOF_LONG_LONG
+#define SIZEOF_LONG_LONG 8
+
+#undef SIZEOF_LONG
+#define SIZEOF_LONG 4
+
+#undef USE_FAST_MATH
+#if 1
+    #define USE_FAST_MATH
+
+    #undef TFM_TIMING_RESISTANT
+    #define TFM_TIMING_RESISTANT
+
+    /* Optimizations */
+    #define TFM_ARM
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* FIPS - Requires eval or license from wolfSSL */
+/* ------------------------------------------------------------------------- */
+#undef HAVE_FIPS
+#if 1
+    #define HAVE_FIPS
+
+    #undef HAVE_FIPS_VERSION
+    #define HAVE_FIPS_VERSION 2
+
+    #ifdef SINGLE_THREADED
+        #undef NO_THREAD_LS
+        #define NO_THREAD_LS
+    #endif
+
+    #if 1
+        #undef NO_ATTRIBUTE_CONSTRUCTOR
+        #define NO_ATTRIBUTE_CONSTRUCTOR
+    #endif
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Crypto */
+/* ------------------------------------------------------------------------- */
+/* RSA */
+#undef NO_RSA
+#if 1
+    #ifdef USE_FAST_MATH
+        /* Maximum math bits (Max RSA key bits * 2) */
+        #undef FP_MAX_BITS
+        #define FP_MAX_BITS 8192
+    #endif
+
+    /* half as much memory but twice as slow */
+    #undef RSA_LOW_MEM
+    //#define RSA_LOW_MEM
+
+    /* Enables blinding mode, to prevent timing attacks */
+    #if 0
+        #undef WC_RSA_BLINDING
+        #define WC_RSA_BLINDING
+    #else
+        #undef WC_NO_HARDEN
+        #define WC_NO_HARDEN
+    #endif
+
+    /* RSA PSS Support */
+    #if 1
+        #define WC_RSA_PSS
+    #endif
+
+    #if 1
+        #define WC_RSA_NO_PADDING
+    #endif
+#else
+    #define NO_RSA
+#endif
+
+/* ECC */
+#undef HAVE_ECC
+#if 1
+    #define HAVE_ECC
+
+    /* Manually define enabled curves */
+    #undef ECC_USER_CURVES
+    //#define ECC_USER_CURVES
+
+    #ifdef ECC_USER_CURVES
+    /* Manual Curve Selection */
+    //#define HAVE_ECC192
+    //#define HAVE_ECC224
+    #undef NO_ECC256
+    //#define HAVE_ECC384
+    //#define HAVE_ECC521
+    #endif
+
+    /* Fixed point cache (speeds repeated operations against same private key) */
+    #undef FP_ECC
+    //#define FP_ECC
+    #ifdef FP_ECC
+        /* Bits / Entries */
+        #undef FP_ENTRIES
+        #define FP_ENTRIES 2
+        #undef FP_LUT
+        #define FP_LUT 4
+    #endif
+
+    /* Optional ECC calculation method */
+    /* Note: doubles heap usage, but slightly faster */
+    #undef ECC_SHAMIR
+    #define ECC_SHAMIR
+
+    /* Reduces heap usage, but slower */
+    #undef ECC_TIMING_RESISTANT
+    #define ECC_TIMING_RESISTANT
+
+    #ifdef HAVE_FIPS
+        #undef HAVE_ECC_CDH
+        #define HAVE_ECC_CDH /* Enable cofactor support */
+
+        #undef NO_STRICT_ECDSA_LEN
+        #define NO_STRICT_ECDSA_LEN /* Do not force fixed len w/ FIPS */
+
+        #undef WOLFSSL_VALIDATE_ECC_IMPORT
+        #define WOLFSSL_VALIDATE_ECC_IMPORT /* Validate import */
+    #endif
+
+    /* Compressed Key Support */
+    #undef HAVE_COMP_KEY
+    //#define HAVE_COMP_KEY
+
+    /* Use alternate ECC size for ECC math */
+    #ifdef USE_FAST_MATH
+        /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */
+        #ifdef NO_RSA
+            /* Custom fastmath size if not using RSA */
+            #undef FP_MAX_BITS
+            #define FP_MAX_BITS (256 * 2)
+        #else
+            #undef ALT_ECC_SIZE
+            #define ALT_ECC_SIZE
+            /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overridden */
+            //#undef FP_MAX_BITS_ECC
+            //#define FP_MAX_BITS_ECC (256 * 2)
+        #endif
+
+        /* Speedups specific to curve */
+        #ifndef NO_ECC256
+            #undef TFM_ECC256
+            #define TFM_ECC256
+        #endif
+    #endif
+#endif
+
+/* DH */
+#undef NO_DH
+#if 1
+    /* Use table for DH instead of -lm (math) lib dependency */
+    #if 1
+        #define WOLFSSL_DH_CONST
+        #define HAVE_FFDHE_2048
+        #define HAVE_FFDHE_4096
+        //#define HAVE_FFDHE_6144
+        //#define HAVE_FFDHE_8192
+    #endif
+
+    #ifdef HAVE_FIPS
+        #define WOLFSSL_VALIDATE_FFC_IMPORT
+        #define HAVE_FFDHE_Q
+    #endif
+#else
+    #define NO_DH
+#endif
+
+
+/* AES */
+#undef NO_AES
+#if 1
+    #undef HAVE_AES_CBC
+    #define HAVE_AES_CBC
+
+    #undef HAVE_AESGCM
+    #define HAVE_AESGCM
+
+    /* GCM Method: GCM_SMALL, GCM_WORD32 or GCM_TABLE */
+    // #define GCM_SMALL
+    // #define GCM_WORD32
+    #define GCM_TABLE
+
+    #undef WOLFSSL_AES_DIRECT
+    #define WOLFSSL_AES_DIRECT
+
+    #undef HAVE_AES_ECB
+    #define HAVE_AES_ECB
+
+    #undef WOLFSSL_AES_COUNTER
+    #define WOLFSSL_AES_COUNTER
+
+    #undef HAVE_AESCCM
+    #define HAVE_AESCCM
+#else
+    #define NO_AES
+#endif
+
+
+/* DES3 */
+#undef NO_DES3
+#if 1
+    /* No change */
+#else
+    #define NO_DES3
+#endif
+
+/* ChaCha20 / Poly1305 */
+#undef HAVE_CHACHA
+#undef HAVE_POLY1305
+#if 0
+    #define HAVE_CHACHA
+    #define HAVE_POLY1305
+
+    /* Needed for Poly1305 */
+    #undef HAVE_ONE_TIME_AUTH
+    #define HAVE_ONE_TIME_AUTH
+#endif
+
+/* Ed25519 / Curve25519 */
+#undef HAVE_CURVE25519
+#undef HAVE_ED25519
+#if 0
+    #define HAVE_CURVE25519
+    #define HAVE_ED25519 /* ED25519 Requires SHA512 */
+
+    /* Optionally use small math (less flash usage, but much slower) */
+    #if 1
+        #define CURVED25519_SMALL
+    #endif
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------------------------------- */
+/* Sha */
+#undef NO_SHA
+#if 1
+    /* 1k smaller, but 25% slower */
+    //#define USE_SLOW_SHA
+#else
+    #define NO_SHA
+#endif
+
+/* Sha256 */
+#undef NO_SHA256
+#if 1
+    /* not unrolled - ~2k smaller and ~25% slower */
+    //#define USE_SLOW_SHA256
+
+    /* Sha224 */
+    #if 1
+        #define WOLFSSL_SHA224
+    #endif
+#else
+    #define NO_SHA256
+#endif
+
+/* Sha512 */
+#undef WOLFSSL_SHA512
+#if 1
+    #define WOLFSSL_SHA512
+
+    /* Sha384 */
+    #undef WOLFSSL_SHA384
+    #if 1
+        #define WOLFSSL_SHA384
+    #endif
+
+    /* over twice as small, but 50% slower */
+    //#define USE_SLOW_SHA512
+#endif
+
+/* Sha3 */
+#undef WOLFSSL_SHA3
+#if 1
+    #define WOLFSSL_SHA3
+#endif
+
+/* MD5 */
+#undef NO_MD5
+#if 1
+    /* No change */
+#else
+    #define NO_MD5
+#endif
+
+/* HKDF */
+#undef HAVE_HKDF
+#if 1
+    #define HAVE_HKDF
+#endif
+
+/* CMAC */
+#undef WOLFSSL_CMAC
+#if 1
+    #define WOLFSSL_CMAC
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Benchmark / Test */
+/* ------------------------------------------------------------------------- */
+/* Use reduced benchmark / test sizes */
+#undef BENCH_EMBEDDED
+#define BENCH_EMBEDDED
+
+#undef USE_CERT_BUFFERS_2048
+#define USE_CERT_BUFFERS_2048
+
+#undef USE_CERT_BUFFERS_1024
+//#define USE_CERT_BUFFERS_1024
+
+#undef USE_CERT_BUFFERS_256
+#define USE_CERT_BUFFERS_256
+
+#undef FORCE_BUFFER_TEST
+#define FORCE_BUFFER_TEST
+
+
+/* ------------------------------------------------------------------------- */
+/* Debugging */
+/* ------------------------------------------------------------------------- */
+
+#undef DEBUG_WOLFSSL
+#undef NO_ERROR_STRINGS
+#if 0
+    #define DEBUG_WOLFSSL
+#else
+    #if 0
+        #define NO_ERROR_STRINGS
+    #endif
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Memory */
+/* ------------------------------------------------------------------------- */
+
+/* Override Memory API's */
+#if 0
+    #undef XMALLOC_OVERRIDE
+    #define XMALLOC_OVERRIDE
+
+    /* prototypes for user heap override functions */
+    /* Note: Realloc only required for normal math */
+    #include <stddef.h> /* for size_t */
+    extern void *myMalloc(size_t n, void* heap, int type);
+    extern void myFree(void *p, void* heap, int type);
+    extern void *myRealloc(void *p, size_t n, void* heap, int type);
+
+    #define XMALLOC(n, h, t) myMalloc(n, h, t)
+    #define XFREE(p, h, t) myFree(p, h, t)
+    #define XREALLOC(p, n, h, t) myRealloc(p, n, h, t)
+#endif
+
+#if 0
+    /* Static memory requires fast math */
+    #define WOLFSSL_STATIC_MEMORY
+
+    /* Disable fallback malloc/free */
+    #define WOLFSSL_NO_MALLOC
+    #if 1
+    #define WOLFSSL_MALLOC_CHECK /* trap malloc failure */
+    #endif
+#endif
+
+/* Memory callbacks */
+#if 1
+    #undef USE_WOLFSSL_MEMORY
+    #define USE_WOLFSSL_MEMORY
+
+    /* Use this to measure / print heap usage */
+    #if 0
+        #undef WOLFSSL_TRACK_MEMORY
+        // #define WOLFSSL_TRACK_MEMORY
+
+        #undef WOLFSSL_DEBUG_MEMORY
+        //#define WOLFSSL_DEBUG_MEMORY
+
+        #undef WOLFSSL_DEBUG_MEMORY_PRINT
+        //#define WOLFSSL_DEBUG_MEMORY_PRINT
+    #endif
+#else
+    #ifndef WOLFSSL_STATIC_MEMORY
+        #define NO_WOLFSSL_MEMORY
+        /* Otherwise we will use stdlib malloc, free and realloc */
+    #endif
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* RNG */
+/* ------------------------------------------------------------------------- */
+
+/* Seed Source */
+#if 1
+    extern int my_rng_generate_seed(unsigned char* output, int sz);
+    #undef CUSTOM_RAND_GENERATE_SEED
+    #define CUSTOM_RAND_GENERATE_SEED my_rng_generate_seed
+#endif
+
+/* NETOS */
+#if 0
+    extern unsigned char get_byte_from_pool(void);
+    #define CUSTOM_RAND_GENERATE  get_byte_from_pool
+    #define CUSTOM_RAND_TYPE      unsigned char
+#endif
+
+/* Choose RNG method */
+#if 1
+    /* Use built-in P-RNG (SHA256 based) with HW RNG */
+    /* P-RNG + HW RNG (P-RNG is ~8K) */
+    //#define WOLFSSL_GENSEED_FORTEST
+    #undef HAVE_HASHDRBG
+    #define HAVE_HASHDRBG
+#else
+    #undef WC_NO_HASHDRBG
+    #define WC_NO_HASHDRBG
+
+    /* Bypass P-RNG and use only HW RNG */
+    extern int my_rng_gen_block(unsigned char* output, unsigned int sz);
+    #undef CUSTOM_RAND_GENERATE_BLOCK
+    #define CUSTOM_RAND_GENERATE_BLOCK my_rng_gen_block
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* Enable Features */
+/* ------------------------------------------------------------------------- */
+#undef WOLFSSL_TLS13
+#if 0
+    #define WOLFSSL_TLS13
+#endif
+
+#undef WOLFSSL_KEY_GEN
+#if 1
+    #define WOLFSSL_KEY_GEN
+#endif
+
+#if defined(HAVE_FIPS) && !defined(WOLFSSL_KEY_GEN)
+    #define WOLFSSL_OLD_PRIME_CHECK
+#endif
+
+#undef KEEP_PEER_CERT
+//#define KEEP_PEER_CERT
+
+#undef HAVE_COMP_KEY
+//#define HAVE_COMP_KEY
+
+#undef HAVE_TLS_EXTENSIONS
+#define HAVE_TLS_EXTENSIONS
+
+#undef HAVE_SUPPORTED_CURVES
+#define HAVE_SUPPORTED_CURVES
+
+#undef WOLFSSL_BASE64_ENCODE
+#define WOLFSSL_BASE64_ENCODE
+
+/* TLS Session Cache */
+#if 0
+    #define SMALL_SESSION_CACHE
+#else
+    #define NO_SESSION_CACHE
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Disable Features */
+/* ------------------------------------------------------------------------- */
+#undef NO_WOLFSSL_SERVER
+//#define NO_WOLFSSL_SERVER
+
+#undef NO_WOLFSSL_CLIENT
+//#define NO_WOLFSSL_CLIENT
+
+#undef NO_CRYPT_TEST
+//#define NO_CRYPT_TEST
+
+#undef NO_CRYPT_BENCHMARK
+//#define NO_CRYPT_BENCHMARK
+
+#undef WOLFCRYPT_ONLY
+//#define WOLFCRYPT_ONLY
+
+/* In-lining of misc.c functions */
+/* If defined, must include wolfcrypt/src/misc.c in build */
+/* Slower, but about 1k smaller */
+#undef NO_INLINE
+//#define NO_INLINE
+
+#undef NO_FILESYSTEM
+#define NO_FILESYSTEM
+
+#undef NO_WOLFSSL_DIR
+#define NO_WOLFSSL_DIR
+
+#undef NO_WRITEV
+#define NO_WRITEV
+
+#undef NO_MAIN_DRIVER
+#define NO_MAIN_DRIVER
+
+#undef NO_DEV_RANDOM
+#define NO_DEV_RANDOM
+
+#undef NO_DSA
+#define NO_DSA
+
+#undef NO_RC4
+#define NO_RC4
+
+#undef NO_OLD_TLS
+#define NO_OLD_TLS
+
+#undef NO_PSK
+#define NO_PSK
+
+#undef NO_MD4
+#define NO_MD4
+
+#undef NO_PWDBASED
+//#define NO_PWDBASED
+
+#undef NO_CODING
+//#define NO_CODING
+
+#undef NO_ASN_TIME
+//#define NO_ASN_TIME
+
+#undef NO_CERTS
+//#define NO_CERTS
+
+#undef NO_SIG_WRAPPER
+//#define NO_SIG_WRAPPER
+
+/* ACVP Testing ONLY specific settings */
+#if 0
+    #undef USE_NORMAL_PRINTF
+    #define USE_NORMAL_PRINTF
+
+    #undef USE_UART_READ_LINE
+    #define USE_UART_READ_LINE
+
+    #undef USE_SMALL_MONTE
+    #define USE_SMALL_MONTE
+
+    #undef WOLFSSL_PUBLIC_MP
+    #define WOLFSSL_PUBLIC_MP
+
+    #undef HAVE_FORCE_FIPS_FAILURE
+    #define HAVE_FORCE_FIPS_FAILURE
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFSSL_USER_SETTINGS_H */
--- a/IDE/NETOS/wolfssl_netos_custom.c
+++ b/IDE/NETOS/wolfssl_netos_custom.c
@@ -68,7 +68,7 @@ unsigned char get_byte_from_pool(void)

 int my_rng_generate_seed(unsigned char* output, int sz)
 {
-    word32 i;
+    int i;
    srand(get_byte_from_pool());

    for (i = 0; i < sz; i++) {
--- a/IDE/ROWLEY-CROSSWORKS-ARM/benchmark_main.c
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/benchmark_main.c
@@ -79,7 +79,7 @@ void main(void)
 SAMPLE OUTPUT: Freescale K64 running at 96MHz with no MMCAU:
 Benchmark Test 0:
 AES      25 kB took 0.073 seconds,    0.334 MB/s
-/* ARC4 implementation has been removed */
+ARC4     25 kB took 0.033 seconds,    0.740 MB/s
 RABBIT   25 kB took 0.027 seconds,    0.904 MB/s
 3DES     25 kB took 0.375 seconds,    0.065 MB/s
 MD5      25 kB took 0.016 seconds,    1.526 MB/s
@@ -94,7 +94,7 @@ Benchmark Test 0: Return code 0
 SAMPLE OUTPUT: Freescale K64 running at 96MHz with MMCAU enabled:
 Benchmark Test 0:
 AES      25 kB took 0.019 seconds,    1.285 MB/s
-/* ARC4 implementation has been removed */
+ARC4     25 kB took 0.033 seconds,    0.740 MB/s
 RABBIT   25 kB took 0.028 seconds,    0.872 MB/s
 3DES     25 kB took 0.026 seconds,    0.939 MB/s
 MD5      25 kB took 0.005 seconds,    4.883 MB/s
--- a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp
@@ -18,7 +18,7 @@
        </folder>
        <folder Name="src">
          <file file_name="../../wolfcrypt/src/aes.c" />
-          <!-- ARC4 implementation has been removed -->
+          <file file_name="../../wolfcrypt/src/arc4.c" />
          <file file_name="../../wolfcrypt/src/asm.c" />
          <file file_name="../../wolfcrypt/src/asn.c" />
          <file file_name="../../wolfcrypt/src/blake2b.c" />
--- a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl_ltc.hzp
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl_ltc.hzp
@@ -18,7 +18,7 @@
        </folder>
        <folder Name="src">
          <file file_name="../../wolfcrypt/src/aes.c" />
-          <!-- ARC4 implementation has been removed -->
+          <file file_name="../../wolfcrypt/src/arc4.c" />
          <file file_name="../../wolfcrypt/src/asm.c">
            <configuration Name="ARM_Debug" build_exclude_from_build="Yes" />
          </file>
--- a/IDE/Renesas/cs+/Projects/README
+++ b/IDE/Renesas/cs+/Projects/README
@@ -13,3 +13,6 @@ test:
  - set stack size in "bsp/stacksct.h"
  Build "test" wolfCrypt

+
+Note: It could need to initialize clock for the device. You can refer the link below
+https://www.renesas.com/ja/document/apn/rx65n-group-rx651-group-initial-settings-example-rev211?language=en&r=1054461
--- a/IDE/Renesas/cs+/Projects/common/user_settings.h
+++ b/IDE/Renesas/cs+/Projects/common/user_settings.h
@@ -76,4 +76,5 @@

 #define NO_FILESYSTEM

+#define XSTRCASECMP(s1,s2) strcmp((s1),(s2))

--- a/IDE/Renesas/cs+/Projects/common/wolfssl_dummy.c
+++ b/IDE/Renesas/cs+/Projects/common/wolfssl_dummy.c
@@ -59,4 +59,9 @@ void abort(void)
    while(1);
 }

+/* dummy return true when char is alphanumeric character */
+int isascii(const char *s)
+{
+    return isalnum(s);
+}

--- a/IDE/Renesas/cs+/Projects/wolfssl_lib/wolfssl_lib.mtpj
+++ b/IDE/Renesas/cs+/Projects/wolfssl_lib/wolfssl_lib.mtpj
@@ -108,7 +108,7 @@
    <Instance Guid="5e231ff0-c118-4dc7-a48b-4a49019341fd">
      <Name>arc4.c</Name>
      <Type>File</Type>
-      <!-- ARC4 implementation has been removed -->
+      <RelativePath>..\..\..\..\..\wolfcrypt\src\arc4.c</RelativePath>
      <TreeImageGuid>941832c1-fc3b-4e1b-94e8-01ea17128b42</TreeImageGuid>
      <ParentItem>2170607d-803e-45b0-80af-6507d495a8de</ParentItem>
    </Instance>
@@ -2293,4 +2293,4 @@
      <ProductVersion>8.01.00.00</ProductVersion>
    </Instance>
  </Class>
-</CubeSuiteProject>
+</CubeSuiteProject>
--- a/IDE/Renesas/e2studio/RX65N/GR-ROSE/wolfssl/wolfssl.rcpc
+++ b/IDE/Renesas/e2studio/RX65N/GR-ROSE/wolfssl/wolfssl.rcpc
@@ -28,7 +28,7 @@
        </Category>
        <Category Name="src">
          <Path>..\..\..\..\..\..\wolfcrypt\src\aes.c</Path>
-          <!-- ARC4 implementation has been removed -->
+          <Path>..\..\..\..\..\..\wolfcrypt\src\arc4.c</Path>
          <Path>..\..\..\..\..\..\wolfcrypt\src\asm.c</Path>
          <Path>..\..\..\..\..\..\wolfcrypt\src\asn.c</Path>
          <Path>..\..\..\..\..\..\wolfcrypt\src\blake2b.c</Path>
--- a/IDE/Renesas/e2studio/RX65N/RSK/wolfssl/wolfssl.rcpc
+++ b/IDE/Renesas/e2studio/RX65N/RSK/wolfssl/wolfssl.rcpc
@@ -27,7 +27,7 @@
        </Category>
        <Category Name="src">
          <Path>..\..\..\..\..\..\wolfcrypt\src\aes.c</Path>
-          <!-- ARC4 implementation has been removed -->
+          <Path>..\..\..\..\..\..\wolfcrypt\src\arc4.c</Path>
          <Path>..\..\..\..\..\..\wolfcrypt\src\asm.c</Path>
          <Path>..\..\..\..\..\..\wolfcrypt\src\asn.c</Path>
          <Path>..\..\..\..\..\..\wolfcrypt\src\blake2b.c</Path>
--- a/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/wolfssl/wolfssl.rcpc
+++ b/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/wolfssl/wolfssl.rcpc
@@ -28,7 +28,7 @@
        </Category>
        <Category Name="src">
          <Path>..\..\..\..\..\..\..\wolfcrypt\src\aes.c</Path>
-          <!-- ARC4 implementation has been removed -->
+          <Path>..\..\..\..\..\..\..\wolfcrypt\src\arc4.c</Path>
          <Path>..\..\..\..\..\..\..\wolfcrypt\src\asm.c</Path>
          <Path>..\..\..\..\..\..\..\wolfcrypt\src\asn.c</Path>
          <Path>..\..\..\..\..\..\..\wolfcrypt\src\blake2b.c</Path>
--- a/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl/wolfssl.rcpc
+++ b/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl/wolfssl.rcpc
@@ -27,7 +27,7 @@
        </Category>
        <Category Name="src">
          <Path>..\..\..\..\..\..\wolfcrypt\src\aes.c</Path>
-          <!-- ARC4 implementation has been removed -->
+          <Path>..\..\..\..\..\..\wolfcrypt\src\arc4.c</Path>
          <Path>..\..\..\..\..\..\wolfcrypt\src\asm.c</Path>
          <Path>..\..\..\..\..\..\wolfcrypt\src\asn.c</Path>
          <Path>..\..\..\..\..\..\wolfcrypt\src\blake2b.c</Path>
--- a/IDE/STM32Cube/README.md
+++ b/IDE/STM32Cube/README.md
@@ -95,6 +95,7 @@ The section for "Hardware platform" may need to be adjusted depending on your pr
 * To enable STM32H7 support define `WOLFSSL_STM32H7`.
 * To enable STM32H7S support define `WOLFSSL_STM32H7S`.
 * To enable STM32WB support define `WOLFSSL_STM32WB`.
+* To enable STM32WBA support define `WOLFSSL_STM32WBA`.
 * To enable STM32WL support define `WOLFSSL_STM32WL`.
 * To enable STM32U5 support define `WOLFSSL_STM32U5`.
 * To enable STM32H5 support define `WOLFSSL_STM32H5`.
--- a/IDE/STM32Cube/STM32_Benchmarks.md
+++ b/IDE/STM32Cube/STM32_Benchmarks.md
@@ -10,6 +10,7 @@
 * [STM32L562E](#stm32l562e)
 * [STM32U585](#stm32u585)
 * [STM32WB55](#stm32wb55)
+* [STM32WBA52](#stm32wba52)
 * [STM32WL55](#stm32wl55)

 ## STM32H753ZI
@@ -181,6 +182,10 @@ CPU: Cortex-M7 at 600 MHz
 IDE: STM32CubeIDE
 RTOS: Bare-metal

+Notes:
+* The STM32H7S only has 64KB of onboard flash. Customers typically use an external SPI NOR flash with XIP. The `Template_XIP_Boot` project is flashed to onboard and it starts up the SPI Flash with XIP and loads the application. To use this you need to make sure the option byte `XSPI2_HSLB` is set to enable XSPIM_P2 high speed support, otherwise the MX_EXTMEM_MANAGER_Init() will timeout and fail.
+* These tests were run without the SP Cortex-M assembly speedups due to issues with release optimizations possibly related to execute in place or caching.
+
 ### STM32H7S3 (-Os, HW Crypto (AES/HASH/PKA), WOLF_CONF_MATH=3 (sp_c32.c))

 ```
@@ -188,123 +193,156 @@ RTOS: Bare-metal
 wolfSSL version 5.7.6
 ------------------------------------------------------------------------------
 wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
-RNG                          2 MiB took 1.004 seconds,    1.897 MiB/s
+RNG                          2 MiB took 1.000 seconds,    1.880 MiB/s
 AES-128-CBC-enc             16 MiB took 1.000 seconds,   15.747 MiB/s
-AES-128-CBC-dec             16 MiB took 1.000 seconds,   15.527 MiB/s
+AES-128-CBC-dec             15 MiB took 1.000 seconds,   15.454 MiB/s
 AES-192-CBC-enc             16 MiB took 1.000 seconds,   15.723 MiB/s
 AES-192-CBC-dec             16 MiB took 1.000 seconds,   15.527 MiB/s
-AES-256-CBC-enc             16 MiB took 1.000 seconds,   15.698 MiB/s
-AES-256-CBC-dec             16 MiB took 1.000 seconds,   15.527 MiB/s
-AES-128-GCM-enc              1 MiB took 1.012 seconds,    1.037 MiB/s
-AES-128-GCM-dec              1 MiB took 1.012 seconds,    1.037 MiB/s
-AES-192-GCM-enc              1 MiB took 1.008 seconds,    1.041 MiB/s
-AES-192-GCM-dec              1 MiB took 1.012 seconds,    1.037 MiB/s
-AES-256-GCM-enc              1 MiB took 1.016 seconds,    1.033 MiB/s
-AES-256-GCM-dec              1 MiB took 1.016 seconds,    1.033 MiB/s
-AES-128-GCM-enc-no_AAD       1 MiB took 1.004 seconds,    1.046 MiB/s
-AES-128-GCM-dec-no_AAD       1 MiB took 1.000 seconds,    1.050 MiB/s
-AES-192-GCM-enc-no_AAD       1 MiB took 1.000 seconds,    1.050 MiB/s
-AES-192-GCM-dec-no_AAD       1 MiB took 1.019 seconds,    1.054 MiB/s
-AES-256-GCM-enc-no_AAD       1 MiB took 1.004 seconds,    1.046 MiB/s
-AES-256-GCM-dec-no_AAD       1 MiB took 1.008 seconds,    1.041 MiB/s
-GMAC Table 4-bit             2 MiB took 1.000 seconds,    1.716 MiB/s
-CHACHA                      32 MiB took 1.000 seconds,   31.714 MiB/s
-CHA-POLY                    15 MiB took 1.000 seconds,   15.308 MiB/s
-POLY1305                    58 MiB took 1.000 seconds,   57.861 MiB/s
-SHA-256                     88 MiB took 1.000 seconds,   88.062 MiB/s
-HMAC-SHA256                 83 MiB took 1.000 seconds,   83.032 MiB/s
+AES-256-CBC-enc             16 MiB took 1.000 seconds,   15.723 MiB/s
+AES-256-CBC-dec             15 MiB took 1.000 seconds,   15.356 MiB/s
+AES-128-GCM-enc             10 MiB took 1.000 seconds,   10.132 MiB/s
+AES-128-GCM-dec             10 MiB took 1.000 seconds,   10.083 MiB/s
+AES-192-GCM-enc             10 MiB took 1.000 seconds,   10.156 MiB/s
+AES-192-GCM-dec             10 MiB took 1.000 seconds,   10.083 MiB/s
+AES-256-GCM-enc             10 MiB took 1.000 seconds,   10.156 MiB/s
+AES-256-GCM-dec             10 MiB took 1.000 seconds,   10.107 MiB/s
+AES-128-GCM-enc-no_AAD      10 MiB took 1.000 seconds,   10.229 MiB/s
+AES-128-GCM-dec-no_AAD      10 MiB took 1.000 seconds,   10.132 MiB/s
+AES-192-GCM-enc-no_AAD      10 MiB took 1.000 seconds,   10.181 MiB/s
+AES-192-GCM-dec-no_AAD      10 MiB took 1.000 seconds,   10.107 MiB/s
+AES-256-GCM-enc-no_AAD      10 MiB took 1.000 seconds,   10.181 MiB/s
+AES-256-GCM-dec-no_AAD      10 MiB took 1.000 seconds,   10.132 MiB/s
+GMAC Table 4-bit            46 MiB took 1.000 seconds,   45.835 MiB/s
+CHACHA                      32 MiB took 1.000 seconds,   31.519 MiB/s
+CHA-POLY                    15 MiB took 1.000 seconds,   15.259 MiB/s
+POLY1305                    57 MiB took 1.000 seconds,   56.934 MiB/s
+SHA-256                     90 MiB took 1.000 seconds,   90.381 MiB/s
+SHA-384                     98 MiB took 1.000 seconds,   97.925 MiB/s
+SHA-512                     98 MiB took 1.000 seconds,   97.925 MiB/s
+SHA-512/224                 98 MiB took 1.000 seconds,   98.120 MiB/s
+SHA-512/256                 98 MiB took 1.000 seconds,   98.096 MiB/s
+HMAC-SHA256                 71 MiB took 1.000 seconds,   71.265 MiB/s
+HMAC-SHA384                 89 MiB took 1.000 seconds,   88.599 MiB/s
+HMAC-SHA512                 89 MiB took 1.000 seconds,   88.843 MiB/s
 RSA     2048   public       352 ops took 1.000 sec, avg 2.841 ms, 352.000 ops/sec
-RSA     2048  private         6 ops took 1.004 sec, avg 167.333 ms, 5.976 ops/sec
-DH      2048  key gen        15 ops took 1.027 sec, avg 68.467 ms, 14.606 ops/sec
-DH      2048    agree        16 ops took 1.113 sec, avg 69.563 ms, 14.376 ops/sec
-ECC   [      SECP256R1]   256  key gen        60 ops took 1.012 sec, avg 16.867 ms, 59.289 ops/sec
-ECDHE [      SECP256R1]   256    agree        60 ops took 1.008 sec, avg 16.800 ms, 59.524 ops/sec
-ECDSA [      SECP256R1]   256     sign       106 ops took 1.008 sec, avg 9.509 ms, 105.159 ops/sec
-ECDSA [      SECP256R1]   256   verify       100 ops took 1.011 sec, avg 10.110 ms, 98.912 ops/sec
-```
-
-### STM32H7S3 (-Os, No HW Crypto, WOLF_CONF_ARMASM=1, WOLF_CONF_MATH=6 (sp_int.c))
-
-```
------------------------------------------------------------------------------
- wolfSSL version 5.7.6
------------------------------------------------------------------------------
-wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
-RNG                          4 MiB took 1.000 seconds,    3.516 MiB/s
-AES-128-CBC-enc            425 KiB took 1.027 seconds,  413.827 KiB/s
-AES-128-CBC-dec            425 KiB took 1.016 seconds,  418.307 KiB/s
-AES-192-CBC-enc            350 KiB took 1.015 seconds,  344.828 KiB/s
-AES-192-CBC-dec            350 KiB took 1.020 seconds,  343.137 KiB/s
-AES-256-CBC-enc            300 KiB took 1.015 seconds,  295.567 KiB/s
-AES-256-CBC-dec            300 KiB took 1.004 seconds,  298.805 KiB/s
-AES-128-GCM-enc            375 KiB took 1.067 seconds,  351.453 KiB/s
-AES-128-GCM-dec            375 KiB took 1.062 seconds,  353.107 KiB/s
-AES-192-GCM-enc            300 KiB took 1.004 seconds,  298.805 KiB/s
-AES-192-GCM-dec            300 KiB took 1.004 seconds,  298.805 KiB/s
-AES-256-GCM-enc            275 KiB took 1.047 seconds,  262.655 KiB/s
-AES-256-GCM-dec            275 KiB took 1.051 seconds,  261.656 KiB/s
-AES-128-GCM-enc-no_AAD     375 KiB took 1.067 seconds,  351.453 KiB/s
-AES-128-GCM-dec-no_AAD     375 KiB took 1.062 seconds,  353.107 KiB/s
-AES-192-GCM-enc-no_AAD     300 KiB took 1.004 seconds,  298.805 KiB/s
-AES-192-GCM-dec-no_AAD     300 KiB took 1.004 seconds,  298.805 KiB/s
-AES-256-GCM-enc-no_AAD     275 KiB took 1.051 seconds,  261.656 KiB/s
-AES-256-GCM-dec-no_AAD     275 KiB took 1.051 seconds,  261.656 KiB/s
-GMAC Table 4-bit             8 MiB took 1.000 seconds,    8.456 MiB/s
-CHACHA                      51 MiB took 1.000 seconds,   50.879 MiB/s
-CHA-POLY                    27 MiB took 1.000 seconds,   27.100 MiB/s
-POLY1305                   165 MiB took 1.000 seconds,  164.990 MiB/s
-SHA-256                     16 MiB took 1.000 seconds,   16.382 MiB/s
-HMAC-SHA256                 16 MiB took 1.000 seconds,   16.187 MiB/s
-RSA     2048   public       358 ops took 1.004 sec, avg 2.804 ms, 356.574 ops/sec
-RSA     2048  private         6 ops took 1.004 sec, avg 167.333 ms, 5.976 ops/sec
+RSA     2048  private         6 ops took 1.008 sec, avg 168.000 ms, 5.952 ops/sec
 DH      2048  key gen        15 ops took 1.027 sec, avg 68.467 ms, 14.606 ops/sec
 DH      2048    agree        16 ops took 1.094 sec, avg 68.375 ms, 14.625 ops/sec
-ECC   [      SECP256R1]   256  key gen        60 ops took 1.015 sec, avg 16.917 ms, 59.113 ops/sec
-ECDHE [      SECP256R1]   256    agree        60 ops took 1.012 sec, avg 16.867 ms, 59.289 ops/sec
-ECDSA [      SECP256R1]   256     sign        48 ops took 1.008 sec, avg 21.000 ms, 47.619 ops/sec
-ECDSA [      SECP256R1]   256   verify        28 ops took 1.019 sec, avg 36.393 ms, 27.478 ops/sec
+ECC   [      SECP256R1]   256  key gen        60 ops took 1.016 sec, avg 16.933 ms, 59.055 ops/sec
+ECDHE [      SECP256R1]   256    agree        60 ops took 1.011 sec, avg 16.850 ms, 59.347 ops/sec
+ECDSA [      SECP256R1]   256     sign       106 ops took 1.008 sec, avg 9.509 ms, 105.159 ops/sec
+ECDSA [      SECP256R1]   256   verify       102 ops took 1.004 sec, avg 9.843 ms, 101.594 ops/sec
+CURVE  25519  key gen        14 ops took 1.011 sec, avg 72.214 ms, 13.848 ops/sec
+CURVE  25519    agree        18 ops took 1.079 sec, avg 59.944 ms, 16.682 ops/sec
+ED     25519  key gen        11 ops took 1.063 sec, avg 96.636 ms, 10.348 ops/sec
+ED     25519     sign        12 ops took 1.173 sec, avg 97.750 ms, 10.230 ops/sec
+ED     25519   verify         6 ops took 1.015 sec, avg 169.167 ms, 5.911 ops/sec
 ```

-### STM32H7S3 (-Os, No HW Crypto, WOLF_CONF_ARMASM=1, WOLF_CONF_MATH=3 (sp_c32.c))
+### STM32H7S3 (-O2, No HW Crypto, WOLF_CONF_ARMASM=1, WOLF_CONF_MATH=4 (sp_cortexm.c))

 ```
 ------------------------------------------------------------------------------
 wolfSSL version 5.7.6
 ------------------------------------------------------------------------------
 wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
-RNG                          4 MiB took 1.004 seconds,    3.939 MiB/s
-AES-128-CBC-enc            425 KiB took 1.028 seconds,  413.424 KiB/s
-AES-128-CBC-dec            425 KiB took 1.019 seconds,  417.076 KiB/s
-AES-192-CBC-enc            350 KiB took 1.016 seconds,  344.488 KiB/s
-AES-192-CBC-dec            350 KiB took 1.016 seconds,  344.488 KiB/s
+RNG                          4 MiB took 1.004 seconds,    4.231 MiB/s
+AES-128-CBC-enc            425 KiB took 1.027 seconds,  413.827 KiB/s
+AES-128-CBC-dec            425 KiB took 1.020 seconds,  416.667 KiB/s
+AES-192-CBC-enc            350 KiB took 1.011 seconds,  346.192 KiB/s
+AES-192-CBC-dec            350 KiB took 1.012 seconds,  345.850 KiB/s
 AES-256-CBC-enc            300 KiB took 1.012 seconds,  296.443 KiB/s
 AES-256-CBC-dec            300 KiB took 1.012 seconds,  296.443 KiB/s
-AES-128-GCM-enc            375 KiB took 1.066 seconds,  351.782 KiB/s
+AES-128-GCM-enc            350 KiB took 1.000 seconds,  350.000 KiB/s
 AES-128-GCM-dec            375 KiB took 1.067 seconds,  351.453 KiB/s
 AES-192-GCM-enc            300 KiB took 1.004 seconds,  298.805 KiB/s
-AES-192-GCM-dec            300 KiB took 1.003 seconds,  299.103 KiB/s
+AES-192-GCM-dec            300 KiB took 1.004 seconds,  298.805 KiB/s
 AES-256-GCM-enc            275 KiB took 1.051 seconds,  261.656 KiB/s
-AES-256-GCM-dec            275 KiB took 1.051 seconds,  261.656 KiB/s
-AES-128-GCM-enc-no_AAD     375 KiB took 1.067 seconds,  351.453 KiB/s
-AES-128-GCM-dec-no_AAD     375 KiB took 1.066 seconds,  351.782 KiB/s
-AES-192-GCM-enc-no_AAD     300 KiB took 1.000 seconds,  300.000 KiB/s
+AES-256-GCM-dec            275 KiB took 1.047 seconds,  262.655 KiB/s
+AES-128-GCM-enc-no_AAD     350 KiB took 1.000 seconds,  350.000 KiB/s
+AES-128-GCM-dec-no_AAD     350 KiB took 1.000 seconds,  350.000 KiB/s
+AES-192-GCM-enc-no_AAD     300 KiB took 1.003 seconds,  299.103 KiB/s
 AES-192-GCM-dec-no_AAD     300 KiB took 1.004 seconds,  298.805 KiB/s
-AES-256-GCM-enc-no_AAD     275 KiB took 1.047 seconds,  262.655 KiB/s
-AES-256-GCM-dec-no_AAD     275 KiB took 1.051 seconds,  261.656 KiB/s
-GMAC Table 4-bit             8 MiB took 1.000 seconds,    8.439 MiB/s
-CHACHA                      51 MiB took 1.000 seconds,   51.147 MiB/s
-CHA-POLY                    28 MiB took 1.000 seconds,   27.588 MiB/s
-POLY1305                   168 MiB took 1.000 seconds,  168.140 MiB/s
-SHA-256                     16 MiB took 1.000 seconds,   16.333 MiB/s
-HMAC-SHA256                 16 MiB took 1.000 seconds,   16.016 MiB/s
-RSA     2048   public       360 ops took 1.004 sec, avg 2.789 ms, 358.566 ops/sec
-RSA     2048  private         6 ops took 1.008 sec, avg 168.000 ms, 5.952 ops/sec
-DH      2048  key gen        15 ops took 1.050 sec, avg 70.000 ms, 14.286 ops/sec
-DH      2048    agree        16 ops took 1.098 sec, avg 68.625 ms, 14.572 ops/sec
-ECC   [      SECP256R1]   256  key gen        60 ops took 1.016 sec, avg 16.933 ms, 59.055 ops/sec
-ECDHE [      SECP256R1]   256    agree        60 ops took 1.012 sec, avg 16.867 ms, 59.289 ops/sec
-ECDSA [      SECP256R1]   256     sign        48 ops took 1.012 sec, avg 21.083 ms, 47.431 ops/sec
-ECDSA [      SECP256R1]   256   verify        28 ops took 1.020 sec, avg 36.429 ms, 27.451 ops/sec
+AES-256-GCM-enc-no_AAD     275 KiB took 1.051 seconds,  261.656 KiB/s
+AES-256-GCM-dec-no_AAD     275 KiB took 1.047 seconds,  262.655 KiB/s
+GMAC Table 4-bit             9 MiB took 1.000 seconds,    8.525 MiB/s
+CHACHA                      52 MiB took 1.000 seconds,   51.636 MiB/s
+CHA-POLY                    28 MiB took 1.000 seconds,   28.052 MiB/s
+POLY1305                   164 MiB took 1.000 seconds,  164.258 MiB/s
+SHA-256                     16 MiB took 1.000 seconds,   16.064 MiB/s
+SHA-384                      8 MiB took 1.000 seconds,    8.398 MiB/s
+SHA-512                      8 MiB took 1.000 seconds,    8.398 MiB/s
+SHA-512/224                  8 MiB took 1.000 seconds,    8.398 MiB/s
+SHA-512/256                  8 MiB took 1.000 seconds,    8.374 MiB/s
+HMAC-SHA256                 16 MiB took 1.000 seconds,   15.894 MiB/s
+HMAC-SHA384                  8 MiB took 1.000 seconds,    8.252 MiB/s
+HMAC-SHA512                  8 MiB took 1.000 seconds,    8.276 MiB/s
+RSA     2048   public       598 ops took 1.000 sec, avg 1.672 ms, 598.000 ops/sec
+RSA     2048  private        18 ops took 1.074 sec, avg 59.667 ms, 16.760 ops/sec
+DH      2048  key gen        37 ops took 1.024 sec, avg 27.676 ms, 36.133 ops/sec
+DH      2048    agree        38 ops took 1.051 sec, avg 27.658 ms, 36.156 ops/sec
+ECC   [      SECP256R1]   256  key gen       906 ops took 1.000 sec, avg 1.104 ms, 906.000 ops/sec
+ECDHE [      SECP256R1]   256    agree       562 ops took 1.000 sec, avg 1.779 ms, 562.000 ops/sec
+ECDSA [      SECP256R1]   256     sign       304 ops took 1.004 sec, avg 3.303 ms, 302.789 ops/sec
+ECDSA [      SECP256R1]   256   verify       232 ops took 1.004 sec, avg 4.328 ms, 231.076 ops/sec
+CURVE  25519  key gen        16 ops took 1.008 sec, avg 63.000 ms, 15.873 ops/sec
+CURVE  25519    agree        20 ops took 1.023 sec, avg 51.150 ms, 19.550 ops/sec
+ED     25519  key gen        12 ops took 1.016 sec, avg 84.667 ms, 11.811 ops/sec
+ED     25519     sign        12 ops took 1.028 sec, avg 85.667 ms, 11.673 ops/sec
+ED     25519   verify         8 ops took 1.176 sec, avg 147.000 ms, 6.803 ops/sec
+```
+
+### STM32H7S3 (-O2, No HW Crypto, WOLF_CONF_ARMASM=0, WOLF_CONF_MATH=6 (sp_int.c))
+
+```
+------------------------------------------------------------------------------
+ wolfSSL version 5.7.6
+------------------------------------------------------------------------------
+wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
+RNG                          2 MiB took 1.004 seconds,    2.189 MiB/s
+AES-128-CBC-enc            425 KiB took 1.044 seconds,  407.088 KiB/s
+AES-128-CBC-dec            350 KiB took 1.032 seconds,  339.147 KiB/s
+AES-192-CBC-enc            350 KiB took 1.031 seconds,  339.476 KiB/s
+AES-192-CBC-dec            300 KiB took 1.059 seconds,  283.286 KiB/s
+AES-256-CBC-enc            300 KiB took 1.027 seconds,  292.113 KiB/s
+AES-256-CBC-dec            250 KiB took 1.027 seconds,  243.427 KiB/s
+AES-128-GCM-enc            350 KiB took 1.055 seconds,  331.754 KiB/s
+AES-128-GCM-dec            350 KiB took 1.055 seconds,  331.754 KiB/s
+AES-192-GCM-enc            300 KiB took 1.059 seconds,  283.286 KiB/s
+AES-192-GCM-dec            300 KiB took 1.059 seconds,  283.286 KiB/s
+AES-256-GCM-enc            250 KiB took 1.008 seconds,  248.016 KiB/s
+AES-256-GCM-dec            250 KiB took 1.008 seconds,  248.016 KiB/s
+AES-128-GCM-enc-no_AAD     350 KiB took 1.051 seconds,  333.016 KiB/s
+AES-128-GCM-dec-no_AAD     350 KiB took 1.071 seconds,  326.797 KiB/s
+AES-192-GCM-enc-no_AAD     300 KiB took 1.055 seconds,  284.360 KiB/s
+AES-192-GCM-dec-no_AAD     300 KiB took 1.055 seconds,  284.360 KiB/s
+AES-256-GCM-enc-no_AAD     250 KiB took 1.004 seconds,  249.004 KiB/s
+AES-256-GCM-dec-no_AAD     250 KiB took 1.004 seconds,  249.004 KiB/s
+GMAC Table 4-bit             2 MiB took 1.000 seconds,    1.690 MiB/s
+CHACHA                      36 MiB took 1.000 seconds,   35.522 MiB/s
+CHA-POLY                    14 MiB took 1.000 seconds,   14.185 MiB/s
+POLY1305                    78 MiB took 1.000 seconds,   77.686 MiB/s
+SHA-256                      6 MiB took 1.000 seconds,    5.591 MiB/s
+SHA-384                      6 MiB took 1.000 seconds,    6.470 MiB/s
+SHA-512                      6 MiB took 1.000 seconds,    6.348 MiB/s
+SHA-512/224                  6 MiB took 1.000 seconds,    6.348 MiB/s
+SHA-512/256                  6 MiB took 1.000 seconds,    6.348 MiB/s
+HMAC-SHA256                  6 MiB took 1.000 seconds,    5.542 MiB/s
+HMAC-SHA384                  6 MiB took 1.000 seconds,    6.250 MiB/s
+HMAC-SHA512                  6 MiB took 1.000 seconds,    6.299 MiB/s
+RSA     2048   public       382 ops took 1.000 sec, avg 2.618 ms, 382.000 ops/sec
+RSA     2048  private         8 ops took 1.196 sec, avg 149.500 ms, 6.689 ops/sec
+DH      2048  key gen        17 ops took 1.039 sec, avg 61.118 ms, 16.362 ops/sec
+DH      2048    agree        18 ops took 1.098 sec, avg 61.000 ms, 16.393 ops/sec
+ECC   [      SECP256R1]   256  key gen        64 ops took 1.020 sec, avg 15.937 ms, 62.745 ops/sec
+ECDHE [      SECP256R1]   256    agree        64 ops took 1.016 sec, avg 15.875 ms, 62.992 ops/sec
+ECDSA [      SECP256R1]   256     sign        52 ops took 1.035 sec, avg 19.904 ms, 50.242 ops/sec
+ECDSA [      SECP256R1]   256   verify        30 ops took 1.035 sec, avg 34.500 ms, 28.986 ops/sec
+CURVE  25519  key gen        16 ops took 1.008 sec, avg 63.000 ms, 15.873 ops/sec
+CURVE  25519    agree        20 ops took 1.020 sec, avg 51.000 ms, 19.608 ops/sec
+ED     25519  key gen        13 ops took 1.094 sec, avg 84.154 ms, 11.883 ops/sec
+ED     25519     sign        12 ops took 1.004 sec, avg 83.667 ms, 11.952 ops/sec
+ED     25519   verify         8 ops took 1.149 sec, avg 143.625 ms, 6.963 ops/sec
 ```


@@ -426,6 +464,57 @@ Benchmark Test: Return code 0
 ```


+## STM32WBA52
+
+Supports RNG, ECC P-256, AES-CBC and SHA-256 acceleration.
+
+Board: NUCLEO-WBA52CG
+CPU: Cortex-M33 at 96MHz
+IDE: STM32CubeIDE
+RTOS: Bare-metal
+
+### STM32WBA52 (STM AES/Hash/PKA ECC Acceleration, -Os, SP-C32)
+
+```
+------------------------------------------------------------------------------
+ wolfSSL version 5.7.6
+------------------------------------------------------------------------------
+Running wolfCrypt Benchmarks...
+wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
+RNG                        275 KiB took 1.020 seconds,  269.608 KiB/s
+AES-128-CBC-enc              4 MiB took 1.000 seconds,    4.395 MiB/s
+AES-128-CBC-dec              4 MiB took 1.000 seconds,    4.370 MiB/s
+AES-256-CBC-enc              4 MiB took 1.000 seconds,    4.102 MiB/s
+AES-256-CBC-dec              4 MiB took 1.000 seconds,    4.077 MiB/s
+AES-128-GCM-enc            575 KiB took 1.031 seconds,  557.711 KiB/s
+AES-128-GCM-dec            575 KiB took 1.032 seconds,  557.171 KiB/s
+AES-256-GCM-enc            550 KiB took 1.000 seconds,  550.000 KiB/s
+AES-256-GCM-dec            550 KiB took 1.000 seconds,  550.000 KiB/s
+AES-128-GCM-enc-no_AAD     575 KiB took 1.024 seconds,  561.523 KiB/s
+AES-128-GCM-dec-no_AAD     575 KiB took 1.023 seconds,  562.072 KiB/s
+AES-256-GCM-enc-no_AAD     575 KiB took 1.039 seconds,  553.417 KiB/s
+AES-256-GCM-dec-no_AAD     575 KiB took 1.039 seconds,  553.417 KiB/s
+GMAC Table 4-bit             1 MiB took 1.000 seconds,    1.266 MiB/s
+CHACHA                       3 MiB took 1.004 seconds,    2.942 MiB/s
+CHA-POLY                     2 MiB took 1.008 seconds,    1.865 MiB/s
+POLY1305                     7 MiB took 1.000 seconds,    7.251 MiB/s
+SHA-256                      7 MiB took 1.000 seconds,    7.495 MiB/s
+SHA-384                    600 KiB took 1.039 seconds,  577.478 KiB/s
+HMAC-SHA256                  7 MiB took 1.000 seconds,    7.275 MiB/s
+HMAC-SHA384                575 KiB took 1.012 seconds,  568.182 KiB/s
+RSA     2048   public        62 ops took 1.019 sec, avg 16.435 ms, 60.844 ops/sec
+RSA     2048  private         2 ops took 1.102 sec, avg 551.000 ms, 1.815 ops/sec
+DH      2048  key gen         4 ops took 1.086 sec, avg 271.500 ms, 3.683 ops/sec
+DH      2048    agree         4 ops took 1.086 sec, avg 271.500 ms, 3.683 ops/sec
+ECC   [      SECP256R1]   256  key gen       114 ops took 1.000 sec, avg 8.772 ms, 114.000 ops/sec
+ECDHE [      SECP256R1]   256    agree        54 ops took 1.024 sec, avg 18.963 ms, 52.734 ops/sec
+ECDSA [      SECP256R1]   256     sign        36 ops took 1.047 sec, avg 29.083 ms, 34.384 ops/sec
+ECDSA [      SECP256R1]   256   verify        34 ops took 1.019 sec, avg 29.971 ms, 33.366 ops/sec
+Benchmark complete
+Benchmark Test: Return code 0
+```
+
+
 ## STM32WL55

 Supports RNG, ECC P-256 and AES-CBC acceleration.
--- a/IDE/STM32Cube/default_conf.ftl
+++ b/IDE/STM32Cube/default_conf.ftl
@@ -76,6 +76,13 @@ extern ${variable.value} ${variable.name};
    #define WOLFSSL_STM32_PKA
    #undef  NO_STM32_CRYPTO
    #define HAL_CONSOLE_UART huart1
+#elif defined(STM32WBA52xx)
+    #define WOLFSSL_STM32WBA
+    #define WOLFSSL_STM32_PKA
+    #undef  NO_STM32_HASH
+    #undef  NO_STM32_CRYPTO
+    /* NUCLEO-WBA52CG USART1 (TX=PB12 / RX=PA8) */
+    #define HAL_CONSOLE_UART huart1
 #elif defined(STM32WL55xx)
    #define WOLFSSL_STM32WL
    #define WOLFSSL_STM32_PKA
@@ -588,11 +595,11 @@ extern ${variable.value} ${variable.name};
    #undef  WOLFSSL_EXPERIMENTAL_SETTINGS
    #define WOLFSSL_EXPERIMENTAL_SETTINGS

-    #undef  WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_HAVE_KYBER
+    #undef  WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_HAVE_MLKEM

-    #undef  WOLFSSL_WC_KYBER
-    #define WOLFSSL_WC_KYBER
+    #undef  WOLFSSL_WC_MLKEM
+    #define WOLFSSL_WC_MLKEM

    #undef  WOLFSSL_NO_SHAKE128
    #undef  WOLFSSL_SHAKE128
--- a/IDE/STM32Cube/wolfssl_example.c
+++ b/IDE/STM32Cube/wolfssl_example.c
@@ -1750,7 +1750,7 @@ static int tls13_uart_client(void)

    wolfSSL_SetIOReadCtx(ssl, tbuf);

-#ifdef WOLFSSL_HAVE_KYBER
+#ifdef WOLFSSL_HAVE_MLKEM
 #ifndef WOLFSSL_NO_ML_KEM
    if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ML_KEM_512) != WOLFSSL_SUCCESS) {
        printf("wolfSSL_UseKeyShare Error!!");
--- a/IDE/VS-ARM/wolfssl.vcxproj
+++ b/IDE/VS-ARM/wolfssl.vcxproj
@@ -44,7 +44,7 @@
    <ClCompile Include="..\..\src\tls.c" />
    <ClCompile Include="..\..\src\tls13.c" />
    <ClCompile Include="..\..\wolfcrypt\src\aes.c" />
-    <!-- ARC4 implementation has been removed -->
+    <ClCompile Include="..\..\wolfcrypt\src\arc4.c" />
    <ClCompile Include="..\..\wolfcrypt\src\asn.c" />
    <ClCompile Include="..\..\wolfcrypt\src\blake2b.c" />
    <ClCompile Include="..\..\wolfcrypt\src\camellia.c" />
--- a/IDE/VS-AZURE-SPHERE/wolfssl.vcxproj
+++ b/IDE/VS-AZURE-SPHERE/wolfssl.vcxproj
@@ -22,7 +22,7 @@
    <ClCompile Include="..\..\src\tls13.c" />
    <ClCompile Include="..\..\src\wolfio.c" />
    <ClCompile Include="..\..\wolfcrypt\src\aes.c" />
-    <!-- ARC4 implementation has been removed -->
+    <ClCompile Include="..\..\wolfcrypt\src\arc4.c" />
    <ClCompile Include="..\..\wolfcrypt\src\asn.c" />
    <ClCompile Include="..\..\wolfcrypt\src\blake2b.c" />
    <ClCompile Include="..\..\wolfcrypt\src\camellia.c" />
--- a/IDE/WIN10/wolfssl-fips.rc
+++ b/IDE/WIN10/wolfssl-fips.rc
@@ -51,8 +51,8 @@ END
 //

 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 5,7,6,0
- PRODUCTVERSION 5,7,6,0
+ FILEVERSION 5,8,0,0
+ PRODUCTVERSION 5,8,0,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@@ -69,12 +69,12 @@ BEGIN
        BEGIN
            VALUE "CompanyName", "wolfSSL Inc."
            VALUE "FileDescription", "The wolfSSL FIPS embedded SSL library is a lightweight, portable, C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments primarily because of its size, speed, and feature set."
-            VALUE "FileVersion", "5.7.6.0"
+            VALUE "FileVersion", "5.8.0.0"
            VALUE "InternalName", "wolfssl-fips"
-            VALUE "LegalCopyright", "Copyright (C) 2024"
+            VALUE "LegalCopyright", "Copyright (C) 2025"
            VALUE "OriginalFilename", "wolfssl-fips.dll"
            VALUE "ProductName", "wolfSSL FIPS"
-            VALUE "ProductVersion", "5.7.6.0"
+            VALUE "ProductVersion", "5.8.0.0"
        END
    END
    BLOCK "VarFileInfo"
--- a/IDE/XCODE-FIPSv6/README
+++ b/IDE/XCODE-FIPSv6/README
@@ -0,0 +1,7 @@
+- The user_settings.h in this directory is intended for use with the FIPS 140-3
+submission candidate for upcoming SRTP-KDF submission. As such it is subject to
+change between now and when the CMVP issues the wolfCrypt FIPS 140-3
+certificate.
+
+- Last updated: 28 Feb 2025
+
--- a/IDE/XCODE-FIPSv6/include.am
+++ b/IDE/XCODE-FIPSv6/include.am
@@ -0,0 +1,9 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+# NOTE: The app will be stored in wolfssl/fips repository and copied
+#       into the proper release bundles when packaging the release.
+
+EXTRA_DIST+= IDE/XCODE-FIPSv6/user_settings.h
+EXTRA_DIST+= IDE/XCODE-FIPSv6/README
--- a/IDE/XCODE-FIPSv6/user_settings.h
+++ b/IDE/XCODE-FIPSv6/user_settings.h
@@ -0,0 +1,949 @@
+/* user_settings.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Custom wolfSSL user settings for GCC ARM */
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* Platform */
+/* ------------------------------------------------------------------------- */
+#undef  WOLFSSL_GENERAL_ALIGNMENT
+#define WOLFSSL_GENERAL_ALIGNMENT   4
+
+#undef  SINGLE_THREADED
+//#define SINGLE_THREADED
+
+#undef  WOLFSSL_SMALL_STACK
+//#define WOLFSSL_SMALL_STACK
+
+#undef  WOLFSSL_USER_IO
+//#define WOLFSSL_USER_IO
+
+#undef ANDROID_V454
+/* #define ANDROID_V454 */ /* application specific stuff in benchmark and harness from 140-2 days, carry
+                      * over to 140-3 work also */
+
+#undef NO_WRITE_TEMP_FILES
+#define NO_WRITE_TEMP_FILES
+
+#ifdef ANDROID_V454
+    #define MAX_FIPS_DATA_SZ 50000000
+    #define MAX_FIPS_CODE_SZ 50000000
+    #if 0
+       /* To have all printouts go to the app view on the device use: */
+       extern int appendToTextView(const char* fmt, ...);
+       #undef printf
+       #define printf(format, ...) appendToTextView(format, ## __VA_ARGS__)
+    #else
+       #include <stdio.h>
+       #include <android/log.h>
+       #include <unistd.h>
+       /* Inline function for WOLFLOGV */
+       static inline int wolf_logv(const char* fmt, ...) {
+           usleep(500); /* Sleep for 0.5 millisecond */
+           va_list args;
+           va_start(args, fmt);
+           int n = __android_log_vprint(ANDROID_LOG_VERBOSE,
+                                        "wolfCrypt_android", fmt, args);
+           va_end(args);
+           usleep(500); /* Sleep for 0.5 millisecond */
+           return n;
+       }
+
+       #define WOLFLOGV(...) wolf_logv(__VA_ARGS__)
+       #undef printf
+       #define printf WOLFLOGV
+    #endif
+#endif
+
+/* Uncomment for iOS devices with PAA */
+#undef IPHONE
+#define IPHONE
+
+/* ------------------------------------------------------------------------- */
+/* Math Configuration */
+/* ------------------------------------------------------------------------- */
+#undef  SIZEOF_LONG_LONG
+#define SIZEOF_LONG_LONG 8
+
+/* Maximum math bits (Max RSA key bits * 2) */
+#undef  FP_MAX_BITS
+#define FP_MAX_BITS 16384
+
+/* Maximum math bits (largest supported key bits) */
+#undef SP_INT_BITS
+#define SP_INT_BITS 8192
+
+#undef USE_FAST_MATH
+#if 0 /* Flip to 1 for PAA with single precision */
+    #define WOLFSSL_SP_MATH_ALL
+    #define WOLFSSL_SP_INT_NEGATIVE
+#else
+    #define USE_FAST_MATH
+
+    #undef  TFM_TIMING_RESISTANT
+    #define TFM_TIMING_RESISTANT
+
+    #define WOLFCRYPT_HAVE_SAKKE /* Note: Sakke can be enabled with 1024-bit support */
+
+    #undef TFM_NO_ASM
+    //#define TFM_NO_ASM
+
+    #if 0 /* Flip to 1 for PAA with tfm */
+        /* Optimizations */
+        #define TFM_ARM
+    #endif
+#endif
+
+/* Wolf Single Precision Math */
+#undef WOLFSSL_SP
+#if 0 /* SP Assembly Speedups (wPAA) */  /* Flip to 1 for PAA with tfm or single precision */
+    #define WOLFSSL_SP
+    //#define WOLFSSL_SP_SMALL      /* use smaller version of code */
+    #define WOLFSSL_SP_1024
+    #undef WOLFCRYPT_HAVE_SAKKE
+    #define WOLFCRYPT_HAVE_SAKKE /* Note: Sakke can be enabled with 1024-bit support */
+    #define WOLFSSL_SP_4096 /* Explicitly enable 4096-bit support (2048/3072 on by default) */
+    #define WOLFSSL_SP_384 /* Explicitly enable 384-bit support (others on by default) */
+    #define WOLFSSL_SP_521 /* Explicitly enable 521-bit support (others on by default) */
+    #define WOLFSSL_HAVE_SP_RSA
+    #define WOLFSSL_HAVE_SP_DH
+    #define WOLFSSL_HAVE_SP_ECC
+    /* Customer indicated no desire for PAA, leave out */
+    #if 0 /* Flip to 1 for PAA with single precision */
+        #define WOLFSSL_ARMASM
+        #define WOLFSSL_SP_ARM64
+        #define WOLFSSL_SP_ARM64_ASM
+        #define WOLFSSL_ARMASM_INLINE
+    #endif
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* FIPS - Requires eval or license from wolfSSL */
+/* ------------------------------------------------------------------------- */
+#undef  HAVE_FIPS
+#if 1
+
+    #define WOLFCRYPT_FIPS_CORE_HASH_VALUE \
+1EF567FF471CFF983D21DA74623BDD14CCBCD0B14DADA8E4A9A79A47DEE82F3C
+    #define HAVE_FIPS
+
+    #undef  HAVE_FIPS_VERSION
+    #define HAVE_FIPS_VERSION 6
+
+    #undef HAVE_FIPS_VERSION_MAJOR
+    #define HAVE_FIPS_VERSION_MAJOR HAVE_FIPS_VERSION
+
+    #undef HAVE_FIPS_VERSION_MINOR
+    #define HAVE_FIPS_VERSION_MINOR 0
+
+    #undef HAVE_FIPS_VERSION_PATCH
+    #define HAVE_FIPS_VERSION_PATCH 0
+
+    #undef WOLFSSL_WOLFSSH
+    #define WOLFSSL_WOLFSSH
+
+    #undef WOLFSSL_ECDSA_SET_K
+    #define WOLFSSL_ECDSA_SET_K
+
+    #undef WC_RNG_SEED_CB
+    #define WC_RNG_SEED_CB
+
+    #ifdef SINGLE_THREADED
+        #undef  NO_THREAD_LS
+        #define NO_THREAD_LS
+    #endif
+
+    #if 0
+        #undef NO_ATTRIBUTE_CONSTRUCTOR
+        #define NO_ATTRIBUTE_CONSTRUCTOR
+    #endif
+
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Crypto */
+/* ------------------------------------------------------------------------- */
+/* RSA */
+#undef NO_RSA
+#if 1
+
+    /* half as much memory but twice as slow */
+    #undef  RSA_LOW_MEM
+    //#define RSA_LOW_MEM
+
+    /* Enables blinding mode, to prevent timing attacks */
+    #if 1
+        #undef  WC_RSA_BLINDING
+        #define WC_RSA_BLINDING
+    #else
+        #undef  WC_NO_HARDEN
+        #define WC_NO_HARDEN
+    #endif
+
+    /* RSA PSS Support */
+    #if 1
+        #undef WC_RSA_PSS
+        #define WC_RSA_PSS
+
+        #undef WOLFSSL_PSS_LONG_SALT
+        #define WOLFSSL_PSS_LONG_SALT
+
+        #undef WOLFSSL_PSS_SALT_LEN_DISCOVER /* ? */
+        #define WOLFSSL_PSS_SALT_LEN_DISCOVER /* ? */
+    #endif
+
+    #if 1
+        #define WC_RSA_NO_PADDING
+    #endif
+#else
+    #define NO_RSA
+#endif
+
+/* ECC */
+#undef HAVE_ECC
+#if 1
+    #define HAVE_ECC
+
+    /* Manually define enabled curves */
+    #undef  ECC_USER_CURVES
+    #define ECC_USER_CURVES
+
+    #ifdef ECC_USER_CURVES
+        /* Manual Curve Selection */
+        #define HAVE_ECC192
+        #define HAVE_ECC224
+        #undef NO_ECC256
+        #define HAVE_ECC256
+        #define HAVE_ECC384
+        #define HAVE_ECC521
+    #endif
+
+    /* Fixed point cache (speeds repeated operations against same private key) */
+    #undef  FP_ECC
+    //#define FP_ECC
+    #ifdef FP_ECC
+        /* Bits / Entries */
+        #undef  FP_ENTRIES
+        #define FP_ENTRIES  2
+        #undef  FP_LUT
+        #define FP_LUT      4
+    #endif
+
+    /* Optional ECC calculation method */
+    /* Note: doubles heap usage, but slightly faster */
+    #undef  ECC_SHAMIR
+    #define ECC_SHAMIR
+
+    /* Reduces heap usage, but slower */
+    #undef  ECC_TIMING_RESISTANT
+    #define ECC_TIMING_RESISTANT
+
+    #ifdef HAVE_FIPS
+        #undef  HAVE_ECC_CDH
+        #define HAVE_ECC_CDH /* Enable cofactor support */
+
+        #undef NO_STRICT_ECDSA_LEN
+        #define NO_STRICT_ECDSA_LEN /* Do not force fixed len w/ FIPS */
+
+        #undef  WOLFSSL_VALIDATE_ECC_IMPORT
+        #define WOLFSSL_VALIDATE_ECC_IMPORT /* Validate import */
+
+        #undef WOLFSSL_VALIDATE_ECC_KEYGEN
+        #define WOLFSSL_VALIDATE_ECC_KEYGEN /* Validate generated keys */
+
+    #endif
+
+    /* Compressed Key Support */
+    #undef  HAVE_COMP_KEY
+    //#define HAVE_COMP_KEY
+
+    /* Use alternate ECC size for ECC math */
+    #ifdef USE_FAST_MATH
+        /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */
+        #ifdef NO_RSA
+            /* Custom fastmath size if not using RSA */
+            #undef  FP_MAX_BITS
+            #define FP_MAX_BITS     (256 * 2)
+        #else
+            #undef  ALT_ECC_SIZE
+            #define ALT_ECC_SIZE
+            /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overridden */
+            //#undef  FP_MAX_BITS_ECC
+            //#define FP_MAX_BITS_ECC (256 * 2)
+        #endif
+
+        /* Speedups specific to curve */
+        #ifndef NO_ECC256
+            #undef  TFM_ECC256
+            #define TFM_ECC256
+        #endif
+    #endif
+#endif
+
+/* DH */
+#undef  NO_DH
+#if 1
+    /* Use table for DH instead of -lm (math) lib dependency */
+    #if 1
+        #define HAVE_DH_DEFAULT_PARAMS
+        #define WOLFSSL_DH_CONST
+        #define HAVE_FFDHE_2048
+        #define HAVE_FFDHE_3072
+        #define HAVE_FFDHE_4096
+        #define HAVE_FFDHE_6144
+        #define HAVE_FFDHE_8192
+    #endif
+
+    #ifdef HAVE_FIPS
+        #define WOLFSSL_VALIDATE_FFC_IMPORT
+        #define HAVE_FFDHE_Q
+    #endif
+#else
+    #define NO_DH
+#endif
+
+
+/* AES */
+#undef NO_AES
+#if 1
+    #undef  HAVE_AES_CBC
+    #define HAVE_AES_CBC
+
+    #undef  HAVE_AESGCM
+    #define HAVE_AESGCM
+
+    /* GCM Method (slowest to fastest): GCM_SMALL, GCM_WORD32, GCM_TABLE or
+     *                                  GCM_TABLE_4BIT */
+    #define GCM_TABLE_4BIT
+
+    #undef  WOLFSSL_AES_DIRECT
+    #define WOLFSSL_AES_DIRECT
+
+    #undef  HAVE_AES_ECB
+    #define HAVE_AES_ECB
+
+    #undef  WOLFSSL_AES_COUNTER
+    #define WOLFSSL_AES_COUNTER
+
+    #undef  HAVE_AESCCM
+    #define HAVE_AESCCM
+
+    #undef WOLFSSL_AES_OFB
+    #define WOLFSSL_AES_OFB
+
+    /* Required for module v6.0.0 */
+    #undef WOLFSSL_AES_CFB
+    #define WOLFSSL_AES_CFB
+
+    #undef WOLFSSL_AES_XTS
+    #define WOLFSSL_AES_XTS
+
+    #undef WOLFSSL_AESXTS_STREAM
+    #define WOLFSSL_AESXTS_STREAM
+
+    #undef WOLFSSL_AES_128
+    #define WOLFSSL_AES_128
+
+    #undef WOLFSSL_AES_256
+    #define WOLFSSL_AES_256
+
+    #undef WOLFSSL_AESGCM_STREAM
+    #define WOLFSSL_AESGCM_STREAM
+
+    #undef HAVE_AES_KEYWRAP
+    #define HAVE_AES_KEYWRAP
+#else
+    #define NO_AES
+#endif
+
+
+/* DES3 */
+#undef NO_DES3
+#if 0
+    #if 1
+        #undef WOLFSSL_DES_ECB
+        #define WOLFSSL_DES_ECB
+    #endif
+#else
+    #define NO_DES3
+#endif
+
+/* ChaCha20 / Poly1305 */
+#undef HAVE_CHACHA
+#undef HAVE_POLY1305
+#if 0
+    #define HAVE_CHACHA
+    #define HAVE_POLY1305
+
+    /* Needed for Poly1305 */
+    #undef  HAVE_ONE_TIME_AUTH
+    #define HAVE_ONE_TIME_AUTH
+#endif
+
+/* Ed25519 / Curve25519 */
+#undef HAVE_CURVE25519
+#undef HAVE_ED25519
+/* Required for module v6.0.0 */
+#if 1
+    #define HAVE_CURVE25519
+    #define HAVE_ED25519 /* ED25519 Requires SHA512 */
+    #define WOLFSSL_ED25519_STREAMING_VERIFY
+    #define HAVE_ED25519_KEY_IMPORT
+
+    /* Optionally use small math (less flash usage, but much slower) */
+    #if 0
+        #define CURVED25519_SMALL
+    #endif
+#endif
+
+/* Ed448 / Curve448 */
+/* Required for module v6.0.0 */
+#if 1
+    #define HAVE_CURVE448
+    #define HAVE_ED448
+    #define WOLFSSL_ED448_STREAMING_VERIFY
+    #define HAVE_ED448_KEY_IMPORT
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------------------------------- */
+/* Sha */
+#undef NO_SHA
+#if 1
+    /* 1k smaller, but 25% slower */
+    //#define USE_SLOW_SHA
+#else
+    #define NO_SHA
+#endif
+
+/* Sha256 */
+#undef NO_SHA256
+#if 1
+    /* not unrolled - ~2k smaller and ~25% slower */
+    //#define USE_SLOW_SHA256
+
+    /* Sha224 */
+    #if 1
+        #define WOLFSSL_SHA224
+    #endif
+#else
+    #define NO_SHA256
+#endif
+
+/* Sha512 */
+#undef WOLFSSL_SHA512
+#if 1
+    #define WOLFSSL_SHA512
+
+    #define  WOLFSSL_NOSHA512_224 /* Not in FIPS mode */
+    #define  WOLFSSL_NOSHA512_256 /* Not in FIPS mode */
+
+
+    /* Sha384 */
+    #undef  WOLFSSL_SHA384
+    #if 1
+        #define WOLFSSL_SHA384
+    #endif
+
+    /* over twice as small, but 50% slower */
+    //#define USE_SLOW_SHA512
+#endif
+
+/* Sha3 */
+#undef WOLFSSL_SHA3
+#if 1
+    #define WOLFSSL_SHA3
+    /* Required to not be disabled for module v6.0.0 */
+    #if 0
+        #undef WOLFSSL_NO_SHAKE128
+        #define WOLFSSL_NO_SHAKE128
+
+        #undef WOLFSSL_NO_SHAKE256
+        #define WOLFSSL_NO_SHAKE256
+    #else
+        #define WOLFSSL_SHAKE256
+        #define WOLFSSL_SHAKE128
+    #endif
+#endif
+
+/* MD5 */
+#undef  NO_MD5
+#if 0
+
+#else
+    #define NO_MD5
+#endif
+
+/* HKDF / PRF */
+#undef HAVE_HKDF
+#if 1
+    #define HAVE_HKDF
+    #define WOLFSSL_HAVE_PRF
+
+    /* Required for module v6.0.0 */
+    #define WC_SRTP_KDF
+    #define HAVE_PBKDF2
+#endif
+
+/* CMAC */
+#undef WOLFSSL_CMAC
+#if 1
+    #define WOLFSSL_CMAC
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Benchmark / Test */
+/* ------------------------------------------------------------------------- */
+/* Use reduced benchmark / test sizes */
+#undef  BENCH_EMBEDDED
+#define BENCH_EMBEDDED
+
+#undef  USE_CERT_BUFFERS_2048
+#define USE_CERT_BUFFERS_2048
+
+#undef  USE_CERT_BUFFERS_1024
+//#define USE_CERT_BUFFERS_1024
+
+#undef  USE_CERT_BUFFERS_256
+#define USE_CERT_BUFFERS_256
+
+
+/* ------------------------------------------------------------------------- */
+/* Debugging */
+/* ------------------------------------------------------------------------- */
+
+#undef DEBUG_WOLFSSL
+#undef NO_ERROR_STRINGS
+#if 1
+    //#define DEBUG_WOLFSSL
+#else
+    #if 0
+        #define NO_ERROR_STRINGS
+    #endif
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Memory */
+/* ------------------------------------------------------------------------- */
+
+/* Override Memory API's */
+#if 0
+    #undef  XMALLOC_OVERRIDE
+    #define XMALLOC_OVERRIDE
+
+    /* prototypes for user heap override functions */
+    /* Note: Realloc only required for normal math */
+    #include <stddef.h>  /* for size_t */
+    extern void *myMalloc(size_t n, void* heap, int type);
+    extern void myFree(void *p, void* heap, int type);
+    extern void *myRealloc(void *p, size_t n, void* heap, int type);
+
+    #define XMALLOC(n, h, t)     myMalloc(n, h, t)
+    #define XFREE(p, h, t)       myFree(p, h, t)
+    #define XREALLOC(p, n, h, t) myRealloc(p, n, h, t)
+#endif
+
+#if 0
+    /* Static memory requires fast math */
+    #define WOLFSSL_STATIC_MEMORY
+
+    /* Disable fallback malloc/free */
+    #define WOLFSSL_NO_MALLOC
+    #if 1
+        #define WOLFSSL_MALLOC_CHECK /* trap malloc failure */
+    #endif
+#endif
+
+/* Memory callbacks */
+#if 1
+    #undef  USE_WOLFSSL_MEMORY
+    #define USE_WOLFSSL_MEMORY
+
+    /* Use this to measure / print heap usage */
+    #if 0
+        #undef  WOLFSSL_TRACK_MEMORY
+//        #define WOLFSSL_TRACK_MEMORY
+
+        #undef  WOLFSSL_DEBUG_MEMORY
+        //#define WOLFSSL_DEBUG_MEMORY
+
+        #undef WOLFSSL_DEBUG_MEMORY_PRINT
+        //#define WOLFSSL_DEBUG_MEMORY_PRINT
+    #endif
+#else
+    #ifndef WOLFSSL_STATIC_MEMORY
+        #define NO_WOLFSSL_MEMORY
+        /* Otherwise we will use stdlib malloc, free and realloc */
+    #endif
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Port */
+/* ------------------------------------------------------------------------- */
+
+/* Override Current Time */
+/* Allows custom "custom_time()" function to be used for benchmark */
+//#define WOLFSSL_USER_CURRTIME
+//#define WOLFSSL_GMTIME
+//#define USER_TICKS
+//extern unsigned long my_time(unsigned long* timer);
+//#define XTIME my_time
+
+
+/* ------------------------------------------------------------------------- */
+/* RNG */
+/* ------------------------------------------------------------------------- */
+
+/* Seed Source */
+ /* Seed Source */
+// extern int my_rng_generate_seed(unsigned char* output, int sz);
+// #undef  CUSTOM_RAND_GENERATE_SEED
+// #define CUSTOM_RAND_GENERATE_SEED  my_rng_generate_seed
+
+/* Choose RNG method */
+#if 1
+    /* Use built-in P-RNG (SHA256 based) with HW RNG */
+    /* P-RNG + HW RNG (P-RNG is ~8K) */
+    //#define WOLFSSL_GENSEED_FORTEST
+    #undef  HAVE_HASHDRBG
+    #define HAVE_HASHDRBG
+#else
+    #undef  WC_NO_HASHDRBG
+    #define WC_NO_HASHDRBG
+
+    /* Bypass P-RNG and use only HW RNG */
+    extern int my_rng_gen_block(unsigned char* output, unsigned int sz);
+    #undef  CUSTOM_RAND_GENERATE_BLOCK
+    #define CUSTOM_RAND_GENERATE_BLOCK  my_rng_gen_block
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Custom Standard Lib */
+/* ------------------------------------------------------------------------- */
+/* Allows override of all standard library functions */
+#undef STRING_USER
+#if 0
+    #define STRING_USER
+
+    #include <string.h>
+
+    #undef  USE_WOLF_STRSEP
+    #define USE_WOLF_STRSEP
+    #define XSTRSEP(s1,d)     wc_strsep((s1),(d))
+
+    #undef  USE_WOLF_STRTOK
+    #define USE_WOLF_STRTOK
+    #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))
+
+    #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n))
+
+    #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
+    #define XMEMSET(b,c,l)    memset((b),(c),(l))
+    #define XMEMCMP(s1,s2,n)  memcmp((s1),(s2),(n))
+    #define XMEMMOVE(d,s,l)   memmove((d),(s),(l))
+
+    #define XSTRLEN(s1)       strlen((s1))
+    #define XSTRNCPY(s1,s2,n) strncpy((s1),(s2),(n))
+    #define XSTRSTR(s1,s2)    strstr((s1),(s2))
+
+    #define XSTRNCMP(s1,s2,n)     strncmp((s1),(s2),(n))
+    #define XSTRNCAT(s1,s2,n)     strncat((s1),(s2),(n))
+    #define XSTRNCASECMP(s1,s2,n) strncasecmp((s1),(s2),(n))
+
+    #define XSNPRINTF snprintf
+#endif
+
+
+
+/* ------------------------------------------------------------------------- */
+/* Enable Features */
+/* ------------------------------------------------------------------------- */
+#undef WOLFSSL_ASN_TEMPLATE
+#define WOLFSSL_ASN_TEMPLATE
+
+#undef WOLFSSL_ASN_PRINT
+#define WOLFSSL_ASN_PRINT
+
+#undef WOLFSSL_TLS13
+#if 1
+    #define WOLFSSL_TLS13
+#endif
+
+#undef WOLFSSL_KEY_GEN
+#if 1
+    #define WOLFSSL_KEY_GEN
+#endif
+
+#if defined(HAVE_FIPS) && !defined(WOLFSSL_KEY_GEN)
+    #define WOLFSSL_OLD_PRIME_CHECK
+#endif
+
+#undef  KEEP_PEER_CERT
+//#define KEEP_PEER_CERT
+
+#undef  HAVE_COMP_KEY
+//#define HAVE_COMP_KEY
+
+#undef  HAVE_TLS_EXTENSIONS
+#define HAVE_TLS_EXTENSIONS
+
+#undef HAVE_EXTENDED_MASTER
+#define HAVE_EXTENDED_MASTER
+
+#undef  HAVE_SUPPORTED_CURVES
+#define HAVE_SUPPORTED_CURVES
+
+#undef  WOLFSSL_BASE64_ENCODE
+#define WOLFSSL_BASE64_ENCODE
+
+/* TLS Session Cache */
+#if 0
+    #define SMALL_SESSION_CACHE
+#else
+    #define NO_SESSION_CACHE
+#endif
+
+#undef OPENSSL_EXTRA
+#define OPENSSL_EXTRA
+
+#undef WOLFSSL_DER_LOAD
+#define WOLFSSL_DER_LOAD
+
+#undef HAVE_SESSION_TICKET
+#define HAVE_SESSION_TICKET
+
+#undef HAVE_EX_DATA
+#define HAVE_EX_DATA
+
+#undef HAVE_ENCRYPT_THEN_MAC
+#define HAVE_ENCRYPT_THEN_MAC
+
+#undef WOLFSSL_CERT_GEN
+#define WOLFSSL_CERT_GEN
+
+#undef ATOMIC_USER
+#define ATOMIC_USER
+
+#undef HAVE_SECRET_CALLBACK
+#define HAVE_SECRET_CALLBACK
+
+/* wolfEngine */
+#if 0
+    #define OPENSSL_COEXIST
+
+    /* HKDF for engine */
+    #undef HAVE_HKDF
+    #if 1
+        #define HAVE_HKDF
+        #define HAVE_X963_KDF
+    #endif
+
+    #undef WOLFSSL_PUBLIC_MP
+    #define WOLFSSL_PUBLIC_MP
+
+    #undef NO_OLD_RNGNAME
+    #define NO_OLD_RNGNAME
+
+    #undef NO_OLD_WC_NAMES
+    #define NO_OLD_WC_NAMES
+
+    #undef NO_OLD_SSL_NAMES
+    #define NO_OLD_SSL_NAMES
+
+    #undef NO_OLD_SHA_NAMES
+    #define NO_OLD_SHA_NAMES
+
+    #undef NO_OLD_MD5_NAME
+    #define NO_OLD_MD5_NAME
+
+    #undef NO_OLD_SHA256_NAMES
+    #define NO_OLD_SHA256_NAMES
+#endif
+
+#undef WOLFSSL_SYS_CA_CERTS
+//#define WOLFSSL_SYS_CA_CERTS
+
+#undef LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS
+#define LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS
+
+#undef HAVE_SERVER_RENEGOTIATION_INFO
+#define HAVE_SERVER_RENEGOTIATION_INFO
+
+#undef WOLFSSL_PEM_TO_DER
+#define WOLFSSL_PEM_TO_DER
+
+#undef WOLFSSL_PUB_PEM_TO_DER
+#define WOLFSSL_PUB_PEM_TO_DER
+
+/* ------------------------------------------------------------------------- */
+/* Disable Features */
+/* ------------------------------------------------------------------------- */
+#undef  NO_WOLFSSL_SERVER
+//#define NO_WOLFSSL_SERVER
+
+#undef  NO_WOLFSSL_CLIENT
+//#define NO_WOLFSSL_CLIENT
+
+#undef  NO_CRYPT_TEST
+//#define NO_CRYPT_TEST
+
+#undef  NO_CRYPT_BENCHMARK
+//#define NO_CRYPT_BENCHMARK
+
+#undef  WOLFCRYPT_ONLY
+#define WOLFCRYPT_ONLY
+
+/* In-lining of misc.c functions */
+/* If defined, must include wolfcrypt/src/misc.c in build */
+/* Slower, but about 1k smaller */
+#undef  NO_INLINE
+//#define NO_INLINE
+
+#undef  NO_FILESYSTEM
+//#define NO_FILESYSTEM
+
+#undef  NO_WRITEV
+//#define NO_WRITEV
+
+#undef  NO_MAIN_DRIVER
+#define NO_MAIN_DRIVER
+
+#undef  NO_DEV_RANDOM
+//#define NO_DEV_RANDOM
+
+#undef  NO_DSA
+#define NO_DSA
+
+#undef  NO_RC4
+#define NO_RC4
+
+#undef  NO_OLD_TLS
+#define NO_OLD_TLS
+
+#undef  NO_PSK
+#define NO_PSK
+
+#undef  NO_MD4
+#define NO_MD4
+
+#undef  NO_PWDBASED
+//#define NO_PWDBASED
+
+#undef  NO_CODING
+//#define NO_CODING
+
+#undef  NO_ASN_TIME
+//#define NO_ASN_TIME
+
+#undef  NO_CERTS
+//#define NO_CERTS
+
+#undef  NO_SIG_WRAPPER
+//#define NO_SIG_WRAPPER
+
+#undef NO_DO178
+#define NO_DO178
+
+/* wolfSSL engineering ACVP algo and operational testing only (Default: Off) */
+#if 1
+    #ifndef WOLFSSL_PUBLIC_MP
+        #define WOLFSSL_PUBLIC_MP
+    #endif
+    #define OPTEST_LOGGING_ENABLED
+    #define DEBUG_FIPS_VERBOSE
+    #ifndef DEBUG_WOLFSSL
+        //#define DEBUG_WOLFSSL
+    #endif
+    #define OPTEST_RUNNING_ORGANIC
+    #define OPTEST_INVALID_LOGGING_ENABLED
+    #define HAVE_FORCE_FIPS_FAILURE
+    #define DEEPLY_EMBEDDED
+    #define OPTEST_LOG_TE_MAPPING
+    #define NO_MAIN_OPTEST_DRIVER
+    #define NO_MAIN_DRIVER
+    #define NO_MAIN_HARNESS_DRIVER
+
+    #ifdef BENCH_EMBEDDED
+    /* NOTE: Can not be on for operational testing */
+        #undef BENCH_EMBEDDED
+    #endif
+
+    #define NO_WRITE_TEMP_FILES
+#endif
+
+/* Customer Specific Section */
+/* #define CUSTOMER_1_IOS */
+#ifdef CUSTOMER_1_IOS
+
+    /* not certified, disable for full FIPS compliance, will attempt to include
+     * in UPDT submission and/or next FS submission */
+    #undef HAVE_PKCS7
+    #define HAVE_PKCS7
+
+    #undef HAVE_SNI
+    #define HAVE_SNI
+
+    #undef HAVE_THREAD_LS
+    #define HAVE_THREAD_LS
+
+    /* Not certifiable but external to module boundary and out of scope */
+    #undef WOLFCRYPT_HAVE_ECCSI
+    #define WOLFCRYPT_HAVE_ECCSI
+
+    #undef WOLFSSL_DTLS
+    #define WOLFSSL_DTLS
+
+    #undef WOLFSSL_DTLS_MTU
+    #define WOLFSSL_DTLS_MTU
+
+    /* OpenSSL Compatibility (NOTE: Incompatible with wolfEngine and
+       OPENSSL_COEXIST) */
+    #ifndef OPENSSL_COEXIST
+        #undef OPENSSL_EXTRA
+        #if 1
+            #define OPENSSL_EXTRA
+            /* Larger footprint but enable ALL compatibility not just a subset */
+            #if 1
+                #define OPENSSL_ALL
+            #endif
+        #endif
+    #endif
+#endif /* CUSTOMER_1_IOS */
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif /* WOLFSSL_USER_SETTINGS_H */
+
--- a/IDE/XCODE/Benchmark/wolfBench.xcodeproj/project.pbxproj
+++ b/IDE/XCODE/Benchmark/wolfBench.xcodeproj/project.pbxproj
@@ -63,7 +63,7 @@
 		A4ADF8E51FCE0C5600A06E90 /* sha.c in Sources */ = {isa = PBXBuildFile; fileRef = A4ADF8891FCE0C4D00A06E90 /* sha.c */; };
 		A4ADF8EA1FCE0C5600A06E90 /* ge_operations.c in Sources */ = {isa = PBXBuildFile; fileRef = A4ADF88E1FCE0C4E00A06E90 /* ge_operations.c */; };
 		A4ADF8EB1FCE0C5600A06E90 /* chacha20_poly1305.c in Sources */ = {isa = PBXBuildFile; fileRef = A4ADF88F1FCE0C4E00A06E90 /* chacha20_poly1305.c */; };
-		/* ARC4 implementation has been removed */
+		A4ADF8EE1FCE0C5600A06E90 /* arc4.c in Sources */ = {isa = PBXBuildFile; fileRef = A4ADF8921FCE0C4E00A06E90 /* arc4.c */; };
 		A4ADF8F01FCE0C5600A06E90 /* memory.c in Sources */ = {isa = PBXBuildFile; fileRef = A4ADF8941FCE0C4E00A06E90 /* memory.c */; };
 		A4ADF8F31FCE0C5600A06E90 /* rsa.c in Sources */ = {isa = PBXBuildFile; fileRef = A4ADF8971FCE0C4F00A06E90 /* rsa.c */; };
 		A4ADF8F41FCE0C5600A06E90 /* pkcs7.c in Sources */ = {isa = PBXBuildFile; fileRef = A4ADF8981FCE0C4F00A06E90 /* pkcs7.c */; };
@@ -168,7 +168,7 @@
 		A4ADF8891FCE0C4D00A06E90 /* sha.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = sha.c; path = ../../../wolfcrypt/src/sha.c; sourceTree = "<group>"; };
 		A4ADF88E1FCE0C4E00A06E90 /* ge_operations.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = ge_operations.c; path = ../../../wolfcrypt/src/ge_operations.c; sourceTree = "<group>"; };
 		A4ADF88F1FCE0C4E00A06E90 /* chacha20_poly1305.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = chacha20_poly1305.c; path = ../../../wolfcrypt/src/chacha20_poly1305.c; sourceTree = "<group>"; };
-		/* ARC4 implementation has been removed */
+		A4ADF8921FCE0C4E00A06E90 /* arc4.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = arc4.c; path = ../../../wolfcrypt/src/arc4.c; sourceTree = "<group>"; };
 		A4ADF8941FCE0C4E00A06E90 /* memory.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = memory.c; path = ../../../wolfcrypt/src/memory.c; sourceTree = "<group>"; };
 		A4ADF8971FCE0C4F00A06E90 /* rsa.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = rsa.c; path = ../../../wolfcrypt/src/rsa.c; sourceTree = "<group>"; };
 		A4ADF8981FCE0C4F00A06E90 /* pkcs7.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = pkcs7.c; path = ../../../wolfcrypt/src/pkcs7.c; sourceTree = "<group>"; };
@@ -283,7 +283,7 @@
 			isa = PBXGroup;
 			children = (
 				A4ADF8821FCE0C4D00A06E90 /* aes.c */,
-				/* ARC4 implementation has been removed */,
+				A4ADF8921FCE0C4E00A06E90 /* arc4.c */,
 				A4DFEC0F1FD4CB8500A7BB33 /* armv8-aes.c */,
 				A46FE14C2493E8F500A25BE7 /* armv8-chacha.c */,
 				CB81DE1E24C93EC000B98DA6 /* armv8-curve25519.S */,
@@ -522,7 +522,7 @@
 				A4ADF8E01FCE0C5600A06E90 /* ecc_fp.c in Sources */,
 				A4ADF8EB1FCE0C5600A06E90 /* chacha20_poly1305.c in Sources */,
 				A4ADF86B1FCE0C1C00A06E90 /* keys.c in Sources */,
-				/* ARC4 implementation has been removed */,
+				A4ADF8EE1FCE0C5600A06E90 /* arc4.c in Sources */,
 				A4DFEC111FD4CB8500A7BB33 /* armv8-aes.c in Sources */,
 				A46FE1812493E8F800A25BE7 /* wc_dsp.c in Sources */,
 				A4ADF9061FCE0C5600A06E90 /* wc_encrypt.c in Sources */,
--- a/IDE/XCODE/wolfssl-FIPS.xcodeproj/project.pbxproj
+++ b/IDE/XCODE/wolfssl-FIPS.xcodeproj/project.pbxproj
@@ -125,7 +125,7 @@
 		700F0CF52A2FC11300755BA7 /* eccsi.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CDB2A2FC0D500755BA7 /* eccsi.h */; };
 		700F0CF62A2FC11300755BA7 /* ed448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD22A2FC0D500755BA7 /* ed448.h */; };
 		700F0CF72A2FC11300755BA7 /* ed25519.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CE12A2FC0D500755BA7 /* ed25519.h */; };
-		700F0CF82A2FC11300755BA7 /* ext_kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD52A2FC0D500755BA7 /* ext_kyber.h */; };
+		700F0CF82A2FC11300755BA7 /* ext_mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD52A2FC0D500755BA7 /* ext_mlkem.h */; };
 		700F0CF92A2FC11300755BA7 /* falcon.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CDD2A2FC0D500755BA7 /* falcon.h */; };
 		700F0CFA2A2FC11300755BA7 /* fe_448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CDE2A2FC0D500755BA7 /* fe_448.h */; };
 		700F0CFB2A2FC11300755BA7 /* fe_operations.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CC72A2FC0D400755BA7 /* fe_operations.h */; };
@@ -133,7 +133,7 @@
 		700F0CFD2A2FC11300755BA7 /* ge_448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CE22A2FC0D500755BA7 /* ge_448.h */; };
 		700F0CFE2A2FC11300755BA7 /* ge_operations.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CCA2A2FC0D500755BA7 /* ge_operations.h */; };
 		700F0CFF2A2FC11300755BA7 /* hpke.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CCD2A2FC0D500755BA7 /* hpke.h */; };
-		700F0D002A2FC11300755BA7 /* kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CCC2A2FC0D500755BA7 /* kyber.h */; };
+		700F0D002A2FC11300755BA7 /* mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CCC2A2FC0D500755BA7 /* mlkem.h */; };
 		700F0D012A2FC11300755BA7 /* mem_track.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CDA2A2FC0D500755BA7 /* mem_track.h */; };
 		700F0D022A2FC11300755BA7 /* pkcs11.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD92A2FC0D500755BA7 /* pkcs11.h */; };
 		700F0D032A2FC11300755BA7 /* pkcs12.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CE42A2FC0D500755BA7 /* pkcs12.h */; };
@@ -147,7 +147,7 @@
 		700F0D0B2A2FC11300755BA7 /* sp.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD12A2FC0D500755BA7 /* sp.h */; };
 		700F0D0C2A2FC11300755BA7 /* sphincs.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CEC2A2FC0D500755BA7 /* sphincs.h */; };
 		700F0D0D2A2FC11300755BA7 /* srp.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CDC2A2FC0D500755BA7 /* srp.h */; };
-		700F0D0E2A2FC11300755BA7 /* wc_kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD82A2FC0D500755BA7 /* wc_kyber.h */; };
+		700F0D0E2A2FC11300755BA7 /* wc_mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD82A2FC0D500755BA7 /* wc_mlkem.h */; };
 		700F0D0F2A2FC11300755BA7 /* wc_pkcs11.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CE82A2FC0D500755BA7 /* wc_pkcs11.h */; };
 		700F0D102A2FC11300755BA7 /* wolfevent.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD62A2FC0D500755BA7 /* wolfevent.h */; };
 		700F0D112A2FC11300755BA7 /* wolfmath.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CEB2A2FC0D500755BA7 /* wolfmath.h */; };
@@ -285,7 +285,7 @@
 				700F0CF52A2FC11300755BA7 /* eccsi.h in CopyFiles */,
 				700F0CF62A2FC11300755BA7 /* ed448.h in CopyFiles */,
 				700F0CF72A2FC11300755BA7 /* ed25519.h in CopyFiles */,
-				700F0CF82A2FC11300755BA7 /* ext_kyber.h in CopyFiles */,
+				700F0CF82A2FC11300755BA7 /* ext_mlkem.h in CopyFiles */,
 				700F0CF92A2FC11300755BA7 /* falcon.h in CopyFiles */,
 				700F0CFA2A2FC11300755BA7 /* fe_448.h in CopyFiles */,
 				700F0CFB2A2FC11300755BA7 /* fe_operations.h in CopyFiles */,
@@ -293,7 +293,7 @@
 				700F0CFD2A2FC11300755BA7 /* ge_448.h in CopyFiles */,
 				700F0CFE2A2FC11300755BA7 /* ge_operations.h in CopyFiles */,
 				700F0CFF2A2FC11300755BA7 /* hpke.h in CopyFiles */,
-				700F0D002A2FC11300755BA7 /* kyber.h in CopyFiles */,
+				700F0D002A2FC11300755BA7 /* mlkem.h in CopyFiles */,
 				700F0D012A2FC11300755BA7 /* mem_track.h in CopyFiles */,
 				700F0D022A2FC11300755BA7 /* pkcs11.h in CopyFiles */,
 				700F0D032A2FC11300755BA7 /* pkcs12.h in CopyFiles */,
@@ -307,7 +307,7 @@
 				700F0D0B2A2FC11300755BA7 /* sp.h in CopyFiles */,
 				700F0D0C2A2FC11300755BA7 /* sphincs.h in CopyFiles */,
 				700F0D0D2A2FC11300755BA7 /* srp.h in CopyFiles */,
-				700F0D0E2A2FC11300755BA7 /* wc_kyber.h in CopyFiles */,
+				700F0D0E2A2FC11300755BA7 /* wc_mlkem.h in CopyFiles */,
 				700F0D0F2A2FC11300755BA7 /* wc_pkcs11.h in CopyFiles */,
 				700F0D102A2FC11300755BA7 /* wolfevent.h in CopyFiles */,
 				700F0D112A2FC11300755BA7 /* wolfmath.h in CopyFiles */,
@@ -563,7 +563,7 @@
 		700F0CC92A2FC0D500755BA7 /* selftest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = selftest.h; path = ../../wolfssl/wolfcrypt/selftest.h; sourceTree = "<group>"; };
 		700F0CCA2A2FC0D500755BA7 /* ge_operations.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ge_operations.h; path = ../../wolfssl/wolfcrypt/ge_operations.h; sourceTree = "<group>"; };
 		700F0CCB2A2FC0D500755BA7 /* async.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = async.h; path = ../../wolfssl/wolfcrypt/async.h; sourceTree = "<group>"; };
-		700F0CCC2A2FC0D500755BA7 /* kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = kyber.h; path = ../../wolfssl/wolfcrypt/kyber.h; sourceTree = "<group>"; };
+		700F0CCC2A2FC0D500755BA7 /* mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mlkem.h; path = ../../wolfssl/wolfcrypt/mlkem.h; sourceTree = "<group>"; };
 		700F0CCD2A2FC0D500755BA7 /* hpke.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = hpke.h; path = ../../wolfssl/wolfcrypt/hpke.h; sourceTree = "<group>"; };
 		700F0CCE2A2FC0D500755BA7 /* cpuid.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cpuid.h; path = ../../wolfssl/wolfcrypt/cpuid.h; sourceTree = "<group>"; };
 		700F0CCF2A2FC0D500755BA7 /* fips.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = fips.h; path = ../../wolfssl/wolfcrypt/fips.h; sourceTree = "<group>"; };
@@ -572,10 +572,10 @@
 		700F0CD22A2FC0D500755BA7 /* ed448.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ed448.h; path = ../../wolfssl/wolfcrypt/ed448.h; sourceTree = "<group>"; };
 		700F0CD32A2FC0D500755BA7 /* curve448.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = curve448.h; path = ../../wolfssl/wolfcrypt/curve448.h; sourceTree = "<group>"; };
 		700F0CD42A2FC0D500755BA7 /* siphash.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = siphash.h; path = ../../wolfssl/wolfcrypt/siphash.h; sourceTree = "<group>"; };
-		700F0CD52A2FC0D500755BA7 /* ext_kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ext_kyber.h; path = ../../wolfssl/wolfcrypt/ext_kyber.h; sourceTree = "<group>"; };
+		700F0CD52A2FC0D500755BA7 /* ext_mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ext_mlkem.h; path = ../../wolfssl/wolfcrypt/ext_mlkem.h; sourceTree = "<group>"; };
 		700F0CD62A2FC0D500755BA7 /* wolfevent.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wolfevent.h; path = ../../wolfssl/wolfcrypt/wolfevent.h; sourceTree = "<group>"; };
 		700F0CD72A2FC0D500755BA7 /* cmac.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cmac.h; path = ../../wolfssl/wolfcrypt/cmac.h; sourceTree = "<group>"; };
-		700F0CD82A2FC0D500755BA7 /* wc_kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wc_kyber.h; path = ../../wolfssl/wolfcrypt/wc_kyber.h; sourceTree = "<group>"; };
+		700F0CD82A2FC0D500755BA7 /* wc_mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wc_mlkem.h; path = ../../wolfssl/wolfcrypt/wc_mlkem.h; sourceTree = "<group>"; };
 		700F0CD92A2FC0D500755BA7 /* pkcs11.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = pkcs11.h; path = ../../wolfssl/wolfcrypt/pkcs11.h; sourceTree = "<group>"; };
 		700F0CDA2A2FC0D500755BA7 /* mem_track.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mem_track.h; path = ../../wolfssl/wolfcrypt/mem_track.h; sourceTree = "<group>"; };
 		700F0CDB2A2FC0D500755BA7 /* eccsi.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = eccsi.h; path = ../../wolfssl/wolfcrypt/eccsi.h; sourceTree = "<group>"; };
@@ -643,7 +643,7 @@
 				700F0CDB2A2FC0D500755BA7 /* eccsi.h */,
 				700F0CD22A2FC0D500755BA7 /* ed448.h */,
 				700F0CE12A2FC0D500755BA7 /* ed25519.h */,
-				700F0CD52A2FC0D500755BA7 /* ext_kyber.h */,
+				700F0CD52A2FC0D500755BA7 /* ext_mlkem.h */,
 				700F0CDD2A2FC0D500755BA7 /* falcon.h */,
 				700F0CDE2A2FC0D500755BA7 /* fe_448.h */,
 				700F0CC72A2FC0D400755BA7 /* fe_operations.h */,
@@ -651,7 +651,7 @@
 				700F0CE22A2FC0D500755BA7 /* ge_448.h */,
 				700F0CCA2A2FC0D500755BA7 /* ge_operations.h */,
 				700F0CCD2A2FC0D500755BA7 /* hpke.h */,
-				700F0CCC2A2FC0D500755BA7 /* kyber.h */,
+				700F0CCC2A2FC0D500755BA7 /* mlkem.h */,
 				700F0CDA2A2FC0D500755BA7 /* mem_track.h */,
 				700F0CD92A2FC0D500755BA7 /* pkcs11.h */,
 				700F0CE42A2FC0D500755BA7 /* pkcs12.h */,
@@ -665,7 +665,7 @@
 				700F0CD12A2FC0D500755BA7 /* sp.h */,
 				700F0CEC2A2FC0D500755BA7 /* sphincs.h */,
 				700F0CDC2A2FC0D500755BA7 /* srp.h */,
-				700F0CD82A2FC0D500755BA7 /* wc_kyber.h */,
+				700F0CD82A2FC0D500755BA7 /* wc_mlkem.h */,
 				700F0CE82A2FC0D500755BA7 /* wc_pkcs11.h */,
 				700F0CD62A2FC0D500755BA7 /* wolfevent.h */,
 				700F0CEB2A2FC0D500755BA7 /* wolfmath.h */,
--- a/IDE/XCODE/wolfssl.xcodeproj/project.pbxproj
+++ b/IDE/XCODE/wolfssl.xcodeproj/project.pbxproj
@@ -256,7 +256,7 @@
 		700F0C0D2A2FBC5100755BA7 /* eccsi.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF72A2FBC1600755BA7 /* eccsi.h */; };
 		700F0C0E2A2FBC5100755BA7 /* ed448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF82A2FBC1600755BA7 /* ed448.h */; };
 		700F0C0F2A2FBC5100755BA7 /* ed25519.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF42A2FBC1600755BA7 /* ed25519.h */; };
-		700F0C102A2FBC5100755BA7 /* ext_kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF92A2FBC1600755BA7 /* ext_kyber.h */; };
+		700F0C102A2FBC5100755BA7 /* ext_mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF92A2FBC1600755BA7 /* ext_mlkem.h */; };
 		700F0C112A2FBC5100755BA7 /* falcon.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0C022A2FBC1600755BA7 /* falcon.h */; };
 		700F0C122A2FBC5100755BA7 /* fe_448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BEB2A2FBC1500755BA7 /* fe_448.h */; };
 		700F0C132A2FBC5100755BA7 /* fe_operations.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF62A2FBC1600755BA7 /* fe_operations.h */; };
@@ -264,7 +264,7 @@
 		700F0C152A2FBC5100755BA7 /* ge_448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE72A2FBC1500755BA7 /* ge_448.h */; };
 		700F0C162A2FBC5100755BA7 /* ge_operations.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0C012A2FBC1600755BA7 /* ge_operations.h */; };
 		700F0C172A2FBC5100755BA7 /* hpke.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE12A2FBC1500755BA7 /* hpke.h */; };
-		700F0C182A2FBC5100755BA7 /* kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BEA2A2FBC1500755BA7 /* kyber.h */; };
+		700F0C182A2FBC5100755BA7 /* mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BEA2A2FBC1500755BA7 /* mlkem.h */; };
 		700F0C192A2FBC5100755BA7 /* pkcs11.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BFD2A2FBC1600755BA7 /* pkcs11.h */; };
 		700F0C1A2A2FBC5100755BA7 /* pkcs12.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BEC2A2FBC1500755BA7 /* pkcs12.h */; };
 		700F0C1B2A2FBC5100755BA7 /* rc2.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE02A2FBC1500755BA7 /* rc2.h */; };
@@ -277,7 +277,7 @@
 		700F0C222A2FBC5100755BA7 /* sp.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE92A2FBC1500755BA7 /* sp.h */; };
 		700F0C232A2FBC5100755BA7 /* sphincs.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE22A2FBC1500755BA7 /* sphincs.h */; };
 		700F0C242A2FBC5100755BA7 /* srp.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF32A2FBC1600755BA7 /* srp.h */; };
-		700F0C252A2FBC5100755BA7 /* wc_kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BFF2A2FBC1600755BA7 /* wc_kyber.h */; };
+		700F0C252A2FBC5100755BA7 /* wc_mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BFF2A2FBC1600755BA7 /* wc_mlkem.h */; };
 		700F0C262A2FBC5100755BA7 /* wc_pkcs11.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF52A2FBC1600755BA7 /* wc_pkcs11.h */; };
 		700F0C272A2FBC5100755BA7 /* wolfevent.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE62A2FBC1500755BA7 /* wolfevent.h */; };
 		700F0C282A2FBC5100755BA7 /* kdf.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 6AC8513B272CB04F00F2B32A /* kdf.h */; };
@@ -625,7 +625,7 @@
 				700F0C0D2A2FBC5100755BA7 /* eccsi.h in CopyFiles */,
 				700F0C0E2A2FBC5100755BA7 /* ed448.h in CopyFiles */,
 				700F0C0F2A2FBC5100755BA7 /* ed25519.h in CopyFiles */,
-				700F0C102A2FBC5100755BA7 /* ext_kyber.h in CopyFiles */,
+				700F0C102A2FBC5100755BA7 /* ext_mlkem.h in CopyFiles */,
 				700F0C112A2FBC5100755BA7 /* falcon.h in CopyFiles */,
 				700F0C122A2FBC5100755BA7 /* fe_448.h in CopyFiles */,
 				700F0C132A2FBC5100755BA7 /* fe_operations.h in CopyFiles */,
@@ -633,7 +633,7 @@
 				700F0C152A2FBC5100755BA7 /* ge_448.h in CopyFiles */,
 				700F0C162A2FBC5100755BA7 /* ge_operations.h in CopyFiles */,
 				700F0C172A2FBC5100755BA7 /* hpke.h in CopyFiles */,
-				700F0C182A2FBC5100755BA7 /* kyber.h in CopyFiles */,
+				700F0C182A2FBC5100755BA7 /* mlkem.h in CopyFiles */,
 				700F0C192A2FBC5100755BA7 /* pkcs11.h in CopyFiles */,
 				700F0C1A2A2FBC5100755BA7 /* pkcs12.h in CopyFiles */,
 				700F0C1B2A2FBC5100755BA7 /* rc2.h in CopyFiles */,
@@ -646,7 +646,7 @@
 				700F0C222A2FBC5100755BA7 /* sp.h in CopyFiles */,
 				700F0C232A2FBC5100755BA7 /* sphincs.h in CopyFiles */,
 				700F0C242A2FBC5100755BA7 /* srp.h in CopyFiles */,
-				700F0C252A2FBC5100755BA7 /* wc_kyber.h in CopyFiles */,
+				700F0C252A2FBC5100755BA7 /* wc_mlkem.h in CopyFiles */,
 				700F0C262A2FBC5100755BA7 /* wc_pkcs11.h in CopyFiles */,
 				700F0C272A2FBC5100755BA7 /* wolfevent.h in CopyFiles */,
 				700F0C282A2FBC5100755BA7 /* kdf.h in CopyFiles */,
@@ -985,7 +985,7 @@
 		700F0BE72A2FBC1500755BA7 /* ge_448.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ge_448.h; path = ../../wolfssl/wolfcrypt/ge_448.h; sourceTree = "<group>"; };
 		700F0BE82A2FBC1500755BA7 /* sp_int.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sp_int.h; path = ../../wolfssl/wolfcrypt/sp_int.h; sourceTree = "<group>"; };
 		700F0BE92A2FBC1500755BA7 /* sp.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sp.h; path = ../../wolfssl/wolfcrypt/sp.h; sourceTree = "<group>"; };
-		700F0BEA2A2FBC1500755BA7 /* kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = kyber.h; path = ../../wolfssl/wolfcrypt/kyber.h; sourceTree = "<group>"; };
+		700F0BEA2A2FBC1500755BA7 /* mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mlkem.h; path = ../../wolfssl/wolfcrypt/mlkem.h; sourceTree = "<group>"; };
 		700F0BEB2A2FBC1500755BA7 /* fe_448.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = fe_448.h; path = ../../wolfssl/wolfcrypt/fe_448.h; sourceTree = "<group>"; };
 		700F0BEC2A2FBC1500755BA7 /* pkcs12.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = pkcs12.h; path = ../../wolfssl/wolfcrypt/pkcs12.h; sourceTree = "<group>"; };
 		700F0BED2A2FBC1500755BA7 /* chacha20_poly1305.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = chacha20_poly1305.h; path = ../../wolfssl/wolfcrypt/chacha20_poly1305.h; sourceTree = "<group>"; };
@@ -1000,13 +1000,13 @@
 		700F0BF62A2FBC1600755BA7 /* fe_operations.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = fe_operations.h; path = ../../wolfssl/wolfcrypt/fe_operations.h; sourceTree = "<group>"; };
 		700F0BF72A2FBC1600755BA7 /* eccsi.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = eccsi.h; path = ../../wolfssl/wolfcrypt/eccsi.h; sourceTree = "<group>"; };
 		700F0BF82A2FBC1600755BA7 /* ed448.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ed448.h; path = ../../wolfssl/wolfcrypt/ed448.h; sourceTree = "<group>"; };
-		700F0BF92A2FBC1600755BA7 /* ext_kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ext_kyber.h; path = ../../wolfssl/wolfcrypt/ext_kyber.h; sourceTree = "<group>"; };
+		700F0BF92A2FBC1600755BA7 /* ext_mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ext_mlkem.h; path = ../../wolfssl/wolfcrypt/ext_mlkem.h; sourceTree = "<group>"; };
 		700F0BFA2A2FBC1600755BA7 /* sha3.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sha3.h; path = ../../wolfssl/wolfcrypt/sha3.h; sourceTree = "<group>"; };
 		700F0BFB2A2FBC1600755BA7 /* signature.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = signature.h; path = ../../wolfssl/wolfcrypt/signature.h; sourceTree = "<group>"; };
 		700F0BFC2A2FBC1600755BA7 /* cmac.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cmac.h; path = ../../wolfssl/wolfcrypt/cmac.h; sourceTree = "<group>"; };
 		700F0BFD2A2FBC1600755BA7 /* pkcs11.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = pkcs11.h; path = ../../wolfssl/wolfcrypt/pkcs11.h; sourceTree = "<group>"; };
 		700F0BFE2A2FBC1600755BA7 /* siphash.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = siphash.h; path = ../../wolfssl/wolfcrypt/siphash.h; sourceTree = "<group>"; };
-		700F0BFF2A2FBC1600755BA7 /* wc_kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wc_kyber.h; path = ../../wolfssl/wolfcrypt/wc_kyber.h; sourceTree = "<group>"; };
+		700F0BFF2A2FBC1600755BA7 /* wc_mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wc_mlkem.h; path = ../../wolfssl/wolfcrypt/wc_mlkem.h; sourceTree = "<group>"; };
 		700F0C002A2FBC1600755BA7 /* fips.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = fips.h; path = ../../wolfssl/wolfcrypt/fips.h; sourceTree = "<group>"; };
 		700F0C012A2FBC1600755BA7 /* ge_operations.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ge_operations.h; path = ../../wolfssl/wolfcrypt/ge_operations.h; sourceTree = "<group>"; };
 		700F0C022A2FBC1600755BA7 /* falcon.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = falcon.h; path = ../../wolfssl/wolfcrypt/falcon.h; sourceTree = "<group>"; };
@@ -1157,7 +1157,7 @@
 				700F0BF72A2FBC1600755BA7 /* eccsi.h */,
 				700F0BF82A2FBC1600755BA7 /* ed448.h */,
 				700F0BF42A2FBC1600755BA7 /* ed25519.h */,
-				700F0BF92A2FBC1600755BA7 /* ext_kyber.h */,
+				700F0BF92A2FBC1600755BA7 /* ext_mlkem.h */,
 				700F0C022A2FBC1600755BA7 /* falcon.h */,
 				700F0BEB2A2FBC1500755BA7 /* fe_448.h */,
 				700F0BF62A2FBC1600755BA7 /* fe_operations.h */,
@@ -1165,7 +1165,7 @@
 				700F0BE72A2FBC1500755BA7 /* ge_448.h */,
 				700F0C012A2FBC1600755BA7 /* ge_operations.h */,
 				700F0BE12A2FBC1500755BA7 /* hpke.h */,
-				700F0BEA2A2FBC1500755BA7 /* kyber.h */,
+				700F0BEA2A2FBC1500755BA7 /* mlkem.h */,
 				700F0BFD2A2FBC1600755BA7 /* pkcs11.h */,
 				700F0BEC2A2FBC1500755BA7 /* pkcs12.h */,
 				700F0BE02A2FBC1500755BA7 /* rc2.h */,
@@ -1178,7 +1178,7 @@
 				700F0BE92A2FBC1500755BA7 /* sp.h */,
 				700F0BE22A2FBC1500755BA7 /* sphincs.h */,
 				700F0BF32A2FBC1600755BA7 /* srp.h */,
-				700F0BFF2A2FBC1600755BA7 /* wc_kyber.h */,
+				700F0BFF2A2FBC1600755BA7 /* wc_mlkem.h */,
 				700F0BF52A2FBC1600755BA7 /* wc_pkcs11.h */,
 				700F0BE62A2FBC1500755BA7 /* wolfevent.h */,
 				5216465E1A8993770062516A /* aes.h */,
--- a/IDE/include.am
+++ b/IDE/include.am
@@ -61,6 +61,7 @@ include IDE/WINCE/include.am
 include IDE/WORKBENCH/include.am
 include IDE/XCODE-FIPSv2/include.am
 include IDE/XCODE-FIPSv5/include.am
+include IDE/XCODE-FIPSv6/include.am
 include IDE/XCODE/include.am
 include IDE/XilinxSDK/include.am
 include IDE/zephyr/include.am
--- a/Makefile.am
+++ b/Makefile.am
@@ -213,7 +213,8 @@ if BUILD_LINUXKM
        EXTRA_CFLAGS EXTRA_CPPFLAGS EXTRA_CCASFLAGS EXTRA_LDFLAGS \
 	AM_CPPFLAGS CPPFLAGS AM_CFLAGS CFLAGS \
        AM_CCASFLAGS CCASFLAGS \
-        src_libwolfssl_la_OBJECTS ENABLED_CRYPT_TESTS ENABLED_LINUXKM_PIE ENABLED_ASM \
+        src_libwolfssl_la_OBJECTS ENABLED_CRYPT_TESTS ENABLED_LINUXKM_LKCAPI_REGISTER \
+        ENABLED_LINUXKM_PIE ENABLED_ASM \
        CFLAGS_FPU_DISABLE CFLAGS_FPU_ENABLE CFLAGS_SIMD_DISABLE CFLAGS_SIMD_ENABLE \
        CFLAGS_AUTO_VECTORIZE_DISABLE CFLAGS_AUTO_VECTORIZE_ENABLE \
        ASFLAGS_FPU_DISABLE_SIMD_ENABLE ASFLAGS_FPU_ENABLE_SIMD_DISABLE \
--- a/300
+++ b/300
@@ -70,130 +70,214 @@ should be used for the enum name.

 *** end Notes ***

-# wolfSSL Release 5.7.6 (Dec 31, 2024)
+# wolfSSL Release 5.8.0 (Apr 24, 2025)

-Release 5.7.6 has been developed according to wolfSSL's development and QA
+Release 5.8.0 has been developed according to wolfSSL's development and QA
 process (see link below) and successfully passed the quality criteria.
 https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

-NOTE:
- * --enable-heapmath is deprecated.
- * In this release, the default cipher suite preference is updated to prioritize
- TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 when enabled.
- * This release adds a sanity check for including wolfssl/options.h or
- user_settings.h.
-
+NOTE: * --enable-heapmath is deprecated

 PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request
 number where the code change was added.


-## Vulnerabilities
-* [Med] An OCSP (non stapling) issue was introduced in wolfSSL version 5.7.4
- when performing OCSP requests for intermediate certificates in a certificate
- chain. This affects only TLS 1.3 connections on the server side. It would not
- impact other TLS protocol versions or connections that are not using the
- traditional OCSP implementation. (Fix in pull request 8115)
-
-
 ## New Feature Additions
-* Add support for RP2350 and improve RP2040 support, both with RNG optimizations
- (PR 8153)
-* Add support for STM32MP135F, including STM32CubeIDE support and HAL support
- for SHA2/SHA3/AES/RNG/ECC optimizations. (PR 8223, 8231, 8241)
-* Implement Renesas TSIP RSA Public Enc/Private support (PR 8122)
-* Add support for Fedora/RedHat system-wide crypto-policies (PR 8205)
-* Curve25519 generic keyparsing API added with  wc_Curve25519KeyToDer and
- wc_Curve25519KeyDecode (PR 8129)
-* CRL improvements and update callback, added the functions
- wolfSSL_CertManagerGetCRLInfo and wolfSSL_CertManagerSetCRLUpdate_Cb (PR 8006)
-* For DTLS, add server-side stateless and CID quality-of-life API. (PR 8224)
+* Algorithm registration in the Linux kernel module for all supported FIPS AES,
+ SHA, HMAC, ECDSA, ECDH, and RSA modes, key sizes, and digest sizes.
+* Implemented various fixes to support building for Open Watcom including OS/2
+ support and Open Watcom 1.9 compatibility (PR 8505, 8484)
+* Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488)
+* Added support for STM32WBA (PR 8550)
+* Added Extended Master Secret Generation Callback to the --enable-pkcallbacks
+ build (PR 8303)
+* Implement AES-CTS (configure flag --enable-aescts) in wolfCrypt (PR 8594)
+* Added support for libimobiledevice commit 860ffb (PR 8373)
+* Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD
+ (PR 8307)
+* Added blinding option when using a Curve25519 private key by defining the
+ macro WOLFSSL_CURVE25519_BLINDING (PR 8392)
+
+
+## Linux Kernel Module
+* Production-ready LKCAPI registration for cbc(aes), cfb(aes), gcm(aes),
+ rfc4106 (gcm(aes)), ctr(aes), ofb(aes), and ecb(aes), ECDSA with P192, P256,
+ P384, and P521 curves, ECDH with P192, P256, and P384 curves, and RSA with
+ bare and PKCS1 padding
+* Various fixes for LKCAPI wrapper for AES-CBC and AES-CFB (PR 8534, 8552)
+* Adds support for the legacy one-shot AES-GCM back end (PR 8614, 8567) for
+ compatibility with FIPS 140-3 Cert #4718.
+* On kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override
+ macro (PR 8654)
+* Update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit
+ 7450ebd29c (merged for Linux 6.15) (PR 8667)
+* Inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (PR 8673)
+* Fix for uninitialized build error with fedora (PR 8569)
+* Register ecdsa, ecdh, and rsa for use with linux kernel crypto (PR 8637, 8663,
+ 8646)
+* Added force zero shared secret buffer, and clear of old key with ecdh
+ (PR 8685)
+* Update fips-check.sh script to pickup XTS streaming support on aarch64 and
+ disable XTS-384 as an allowed use in FIPS mode (PR 8509, 8546)


 ## Enhancements and Optimizations
-* Add a CMake dependency check for pthreads when required. (PR 8162)
-* Update OS_Seed declarations for legacy compilers and FIPS modules (boundary
- not affected). (PR 8170)
-* Enable WOLFSSL_ALWAYS_KEEP_SNI by default when using --enable-jni. (PR 8283)
-* Change the default cipher suite preference, prioritizing
- TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256. (PR 7771)
-* Add SRTP-KDF (FIPS module v6.0.0) to checkout script for release bundling
- (PR 8215)
-* Make library build when no hardware crypto available for Aarch64 (PR 8293)
-* Update assembly code to avoid `uint*_t` types for better compatibility with
- older C standards. (PR 8133)
-* Add initial documentation for writing ASN template code to decode BER/DER.
- (PR 8120)
-* Perform full reduction in sc_muladd for EdDSA with Curve448 (PR 8276)
-* Allow SHA-3 hardware cryptography instructions to be explicitly not used in
- MacOS builds (PR 8282)
-* Make Kyber and ML-KEM available individually and together. (PR 8143)
-* Update configuration options to include Kyber/ML-KEM and fix defines used in
- wolfSSL_get_curve_name. (PR 8183)
-* Make GetShortInt available with WOLFSSL_ASN_EXTRA (PR 8149)
-* Improved test coverage and minor improvements of X509 (PR 8176)
-* Add sanity checks for configuration methods, ensuring the inclusion of
- wolfssl/options.h or user_settings.h. (PR 8262)
-* Enable support for building without TLS (NO_TLS). Provides reduced code size
- option for non-TLS users who want features like the certificate manager or
- compatibility layer. (PR 8273)
-* Exposed get_verify functions with OPENSSL_EXTRA. (PR 8258)
-* ML-DSA/Dilithium: obtain security level from DER when decoding (PR 8177)
-* Implementation for using PKCS11 to retrieve certificate for SSL CTX (PR 8267)
-* Add support for the RFC822 Mailbox attribute (PR 8280)
-* Initialize variables and adjust types resolve warnings with Visual Studio in
- Windows builds. (PR 8181)
-* Refactors and expansion of opensslcoexist build (PR 8132, 8216, 8230)
-* Add DTLS 1.3 interoperability, libspdm and DTLS CID interoperability tests
- (PR 8261, 8255, 8245)
-* Remove trailing error exit code in wolfSSL install setup script (PR 8189)
-* Update Arduino files for wolfssl 5.7.4 (PR 8219)
-* Improve Espressif SHA HW/SW mutex messages (PR 8225)
-* Apply post-5.7.4 release updates for Espressif Managed Component examples
- (PR 8251)
-* Expansion of c89 conformance (PR 8164)
-* Added configure option for additional sanity checks with --enable-faultharden
- (PR 8289)
-* Aarch64 ASM additions to check CPU features before hardware crypto instruction
- use (PR 8314)
+
+### Security & Cryptography
+* Add constant-time implementation improvements for encoding functions. We thank
+ Zhiyuan and Gilles for sharing a new constant-time analysis tool (CT-LLVM) and
+ reporting several non-constant-time implementations. (PR 8396, 8617)
+* Additional support for PKCS7 verify and decode with indefinite lengths
+ (PR 8520, 834, 8645)
+* Add more PQC hybrid key exchange algorithms such as support for combinations
+ with X25519 and X448 enabling compatibility with the PQC key exchange support
+ in Chromium browsers and Mozilla Firefox (PR 7821)
+* Add short-circuit comparisons to DH key validation for RFC 7919 parameters
+ (PR 8335)
+* Improve FIPS compatibility with various build configurations for more resource
+ constrained builds (PR 8370)
+* Added option to disable ECC public key order checking (PR 8581)
+* Allow critical alt and basic constraints extensions (PR 8542)
+* New codepoint for MLDSA to help with interoperability (PR 8393)
+* Add support for parsing trusted PEM certs having the header
+ “BEGIN_TRUSTED_CERT” (PR 8400)
+* Add support for parsing only of DoD certificate policy and Comodo Ltd PKI OIDs
+ (PR 8599, 8686)
+* Update ssl code in `src/*.c` to be consistent with wolfcrypt/src/asn.c
+ handling of ML_DSA vs Dilithium and add dual alg. test (PR 8360, 8425)
+
+### Build System, Configuration, CI & Protocols
+* Internal refactor for include of config.h and when building with
+ BUILDING_WOLFSSL macro. This refactor will give a warning of “deprecated
+ function” when trying to improperly use an internal API of wolfSSL in an
+ external application. (PR 8640, 8647, 8660, 8662, 8664)
+* Add WOLFSSL_CLU option to CMakeLists.txt (PR 8548)
+* Add CMake and Zephyr support for XMSS and LMS (PR 8494)
+* Added GitHub CI for CMake builds (PR 8439)
+* Added necessary macros when building wolfTPM Zephyr with wolfSSL (PR 8382)
+* Add MSYS2 build continuous integration test (PR 8504)
+* Update DevKitPro doc to list calico dependency with build commands (PR 8607)
+* Conversion compiler warning fixes and additional continuous integration test
+ added (PR 8538)
+* Enable DTLS 1.3 by default in --enable-jni builds (PR 8481)
+* Enabled TLS 1.3 middlebox compatibility by default for --enable-jni builds
+ (PR 8526)
+
+### Performance Improvements
+* Performance improvements AES-GCM and HMAC (in/out hash copy) (PR 8429)
+* LMS fixes and improvements adding API to get Key ID from raw private key,
+ change to identifiers to match standard, and fix for when
+ WOLFSSL_LMS_MAX_LEVELS is 1 (PR 8390, 8684, 8613, 8623)
+* ML-KEM/Kyber improvements and fixes; no malloc builds, small memory usage,
+ performance improvement, fix for big-endian (PR 8397, 8412, 8436, 8467, 8619,
+ 8622, 8588)
+* Performance improvements for AES-GCM and when doing multiple HMAC operations
+ (PR 8445)
+
+### Assembly and Platform-Specific Enhancements
+* Poly1305 arm assembly changes adding ARM32 NEON implementation and fix for
+ Aarch64 use (PR 8344, 8561, 8671)
+* Aarch64 assembly enhancement to use more CPU features, fix for FreeBSD/OpenBSD
+ (PR 8325, 8348)
+* Only perform ARM assembly CPUID checks if support was enabled at build time
+ (PR 8566)
+* Optimizations for ARM32 assembly instructions on platforms less than ARMv7
+ (PR 8395)
+* Improve MSVC feature detection for static assert macros (PR 8440)
+* Improve Espressif make and CMake for ESP8266 and ESP32 series (PR 8402)
+* Espressif updates for Kconfig, ESP32P4 and adding a sample user_settings.h
+ (PR 8422, PR 8641)
+
+### OpenSSL Compatibility Layer
+* Modification to the push/pop to/from in OpenSSL compatibility layer. This is
+ a pretty major API change in the OpenSSL compatibility stack functions.
+ Previously the API would push/pop from the beginning of the list but now they
+ operate on the tail of the list. This matters when using the sk_value with
+ index values. (PR 8616)
+* OpenSSL Compat Layer: OCSP response improvements (PR 8408, 8498)
+* Expand the OpenSSL compatibility layer to include an implementation of
+ BN_CTX_get (PR 8388)
+
+### API Additions and Modifications
+* Refactor Hpke to allow multiple uses of a context instead of just one shot
+ mode (PR 6805)
+* Add support for PSK client callback with Ada and use with Alire (thanks
+ @mgrojo, PR 8332, 8606)
+* Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs and add
+ functions wolfSSL_CTX_SetEchConfigs and wolfSSL_CTX_SetEchConfigsBase64 to
+ rotate the server's echConfigs (PR 8556)
+* Added the public API wc_PkcsPad to do PKCS padding (PR 8502)
+* Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate (PR 8518)
+* Update Kyber APIs to ML-KEM APIs (PR 8536)
+* Add option to disallow automatic use of "default" devId using the macro
+ WC_NO_DEFAULT_DEVID (PR 8555)
+* Detect unknown key format on ProcessBufferTryDecode() and handle RSA-PSSk
+ format (PR 8630)
+
+### Porting and Language Support
+* Update Python port to support version 3.12.6 (PR 8345)
+* New additions for MAXQ with wolfPKCS11 (PR 8343)
+* Port to ntp 4.2.8p17 additions (PR 8324)
+* Add version 0.9.14 to tested libvncserver builds (PR 8337)
+
+### General Improvements and Cleanups
+* Cleanups for STM32 AES GCM (PR 8584)
+* Improvements to isascii() and the CMake key log option (PR 8596)
+* Arduino documentation updates, comments and spelling corrections (PR 8381,
+ 8384, 8514)
+* Expanding builds with WOLFSSL_NO_REALLOC for use with --enable-opensslall and
+ --enable-all builds (PR 8369, 8371)


 ## Fixes
-* Fix a memory issue when using the compatibility layer with
- WOLFSSL_GENERAL_NAME and handling registered ID types. (PR 8155)
-* Fix a build issue with signature fault hardening when using public key
- callbacks (HAVE_PK_CALLBACKS). (PR 8287)
-* Fix for handling heap hint pointer properly when managing multiple WOLFSSL_CTX
- objects and free’ing one of them (PR 8180)
-* Fix potential memory leak in error case with Aria. (PR 8268)
-* Fix Set_Verify flag behaviour on Ada wrapper. (PR 8256)
-* Fix a compilation error with the NO_WOLFSSL_DIR flag. (PR 8294)
-* Resolve a corner case for Poly1305 assembly code on Aarch64. (PR 8275)
-* Fix incorrect version setting in CSRs. (PR 8136)
-* Correct debugging output for cryptodev. (PR 8202)
-* Fix for benchmark application use with /dev/crypto GMAC auth error due to size
- of AAD (PR 8210)
-* Add missing checks for the initialization of sp_int/mp_int with DSA to free
- memory properly in error cases. (PR 8209)
-* Fix return value of wolfSSL_CTX_set_tlsext_use_srtp (8252)
-* Check Root CA by Renesas TSIP before adding it to ca-table (PR 8101)
-* Prevent adding a certificate to the CA cache for Renesas builds if it does not
- set CA:TRUE in basic constraints. (PR 8060)
-* Fix attribute certificate holder entityName parsing. (PR 8166)
-* Resolve build issues for configurations without any wolfSSL/openssl
- compatibility layer headers. (PR 8182)
-* Fix for building SP RSA small and RSA public only (PR 8235)
-* Fix for Renesas RX TSIP RSA Sign/Verify with wolfCrypt only (PR 8206)
-* Fix to ensure all files have settings.h included (like wc_lms.c) and guards
- for building all `*.c` files (PR 8257 and PR 8140)
-* Fix x86 target build issues in Visual Studio for non-Windows operating
- systems. (PR 8098)
-* Fix wolfSSL_X509_STORE_get0_objects to handle no CA (PR 8226)
-* Properly handle reference counting when adding to the X509 store. (PR 8233)
-* Fix for various typos and improper size used with FreeRTOS_bind in the Renesas
- example. Thanks to Hongbo for the report on example issues. (PR 7537)
-* Fix for potential heap use after free with wolfSSL_PEM_read_bio_PrivateKey.
- Thanks to Peter for the issue reported. (PR 8139)
+* Fix a use after free caused by an early free on error in the X509 store
+ (PR 8449)
+* Fix to account for existing PKCS8 header with
+ wolfSSL_PEM_write_PKCS8PrivateKey (PR 8612)
+* Fixed failing CMake build issue when standard threads support is not found in
+ the system (PR 8485)
+* Fix segmentation fault in SHA-512 implementation for AVX512 targets built with
+ gcc -march=native -O2 (PR 8329)
+* Fix Windows socket API compatibility warning with mingw32 build (PR 8424)
+* Fix potential null pointer increments in cipher list parsing (PR 8420)
+* Fix for possible stack buffer overflow read with wolfSSL_SMIME_write_PKCS7.
+ Thanks to the team at Code Intelligence for the report. (PR 8466)
+* Fix AES ECB implementation for Aarch64 ARM assembly (PR 8379)
+* Fixed building with VS2008 and .NET 3.5 (PR 8621)
+* Fixed possible error case memory leaks in CRL and EVP_Sign_Final (PR 8447)
+* Fixed SSL_set_mtu compatibility function return code (PR 8330)
+* Fixed Renesas RX TSIP (PR 8595)
+* Fixed ECC non-blocking tests (PR 8533)
+* Fixed CMake on MINGW and MSYS (PR 8377)
+* Fixed Watcom compiler and added new CI test (PR 8391)
+* Fixed STM32 PKA ECC 521-bit support (PR 8450)
+* Fixed STM32 PKA with P521 and shared secret (PR 8601)
+* Fixed crypto callback macro guards with `DEBUG_CRYPTOCB` (PR 8602)
+* Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
+ (PR 8575)
+* Additional sanity check on r and s lengths in DecodeECC_DSA_Sig_Bin (PR 8350)
+* Fix compat. layer ASN1_TIME_diff to accept NULL output params (PR 8407)
+* Fix CMake lean_tls build (PR 8460)
+* Fix for QUIC callback failure (PR 8475)
+* Fix missing alert types in AlertTypeToString for print out with debugging
+ enabled (PR 8572)
+* Fixes for MSVS build issues with PQC configure (PR 8568)
+* Fix for SE050 port and minor improvements (PR 8431, 8437)
+* Fix for missing rewind function in zephyr and add missing files for compiling
+ with assembly optimizations (PR 8531, 8541)
+* Fix for quic_record_append to return the correct code (PR 8340, 8358)
+* Fixes for Bind 9.18.28 port (PR 8331)
+* Fix to adhere more closely with RFC8446 Appendix D and set haveEMS when
+ negotiating TLS 1.3 (PR 8487)
+* Fix to properly check for signature_algorithms from the client in a TLS 1.3
+ server (PR 8356)
+* Fix for when BIO data is less than seq buffer size. Thanks to the team at Code
+ Intelligence for the report (PR 8426)
+* ARM32/Thumb2 fixes for WOLFSSL_NO_VAR_ASSIGN_REG and td4 variable declarations
+ (PR 8590, 8635)
+* Fix for Intel AVX1/SSE2 assembly to not use vzeroupper instructions unless ymm
+ or zmm registers are used (PR 8479)
+* Entropy MemUse fix for when block size less than update bits (PR 8675)


 For additional vulnerability information visit the vulnerability page at:
--- a/README.md
+++ b/README.md
@@ -75,131 +75,214 @@ single call hash function. Instead the name `WC_SHA`, `WC_SHA256`, `WC_SHA384` a
 `WC_SHA512` should be used for the enum name.


-# wolfSSL Release 5.7.6 (Dec 31, 2024)
+# wolfSSL Release 5.8.0 (Apr 24, 2025)

-Release 5.7.6 has been developed according to wolfSSL's development and QA
+Release 5.8.0 has been developed according to wolfSSL's development and QA
 process (see link below) and successfully passed the quality criteria.
 https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

-NOTE:
- * --enable-heapmath is deprecated.
- * In this release, the default cipher suite preference is updated to prioritize
- TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 when enabled.
- * This release adds a sanity check for including wolfssl/options.h or
- user_settings.h.
-
+NOTE: * --enable-heapmath is deprecated

 PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request
 number where the code change was added.


-## Vulnerabilities
-* [Med] An OCSP (non stapling) issue was introduced in wolfSSL version 5.7.4
- when performing OCSP requests for intermediate certificates in a certificate
- chain. This affects only TLS 1.3 connections on the server side. It would not
- impact other TLS protocol versions or connections that are not using the
- traditional OCSP implementation. (Fix in pull request 8115)
-
-
 ## New Feature Additions
-* Add support for RP2350 and improve RP2040 support, both with RNG optimizations
- (PR 8153)
-* Add support for STM32MP135F, including STM32CubeIDE support and HAL support
- for SHA2/SHA3/AES/RNG/ECC optimizations. (PR 8223, 8231, 8241)
-* Implement Renesas TSIP RSA Public Enc/Private support (PR 8122)
-* Add support for Fedora/RedHat system-wide crypto-policies (PR 8205)
-* Curve25519 generic keyparsing API added with  wc_Curve25519KeyToDer and
- wc_Curve25519KeyDecode (PR 8129)
-* CRL improvements and update callback, added the functions
- wolfSSL_CertManagerGetCRLInfo and wolfSSL_CertManagerSetCRLUpdate_Cb (PR 8006)
-* For DTLS, add server-side stateless and CID quality-of-life API. (PR 8224)
+* Algorithm registration in the Linux kernel module for all supported FIPS AES,
+ SHA, HMAC, ECDSA, ECDH, and RSA modes, key sizes, and digest sizes.
+* Implemented various fixes to support building for Open Watcom including OS/2
+ support and Open Watcom 1.9 compatibility (PR 8505, 8484)
+* Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488)
+* Added support for STM32WBA (PR 8550)
+* Added Extended Master Secret Generation Callback to the --enable-pkcallbacks
+ build (PR 8303)
+* Implement AES-CTS (configure flag --enable-aescts) in wolfCrypt (PR 8594)
+* Added support for libimobiledevice commit 860ffb (PR 8373)
+* Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD
+ (PR 8307)
+* Added blinding option when using a Curve25519 private key by defining the
+ macro WOLFSSL_CURVE25519_BLINDING (PR 8392)
+
+
+## Linux Kernel Module
+* Production-ready LKCAPI registration for cbc(aes), cfb(aes), gcm(aes),
+ rfc4106 (gcm(aes)), ctr(aes), ofb(aes), and ecb(aes), ECDSA with P192, P256,
+ P384, and P521 curves, ECDH with P192, P256, and P384 curves, and RSA with
+ bare and PKCS1 padding
+* Various fixes for LKCAPI wrapper for AES-CBC and AES-CFB (PR 8534, 8552)
+* Adds support for the legacy one-shot AES-GCM back end (PR 8614, 8567) for
+ compatibility with FIPS 140-3 Cert #4718.
+* On kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override
+ macro (PR 8654)
+* Update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit
+ 7450ebd29c (merged for Linux 6.15) (PR 8667)
+* Inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (PR 8673)
+* Fix for uninitialized build error with fedora (PR 8569)
+* Register ecdsa, ecdh, and rsa for use with linux kernel crypto (PR 8637, 8663,
+ 8646)
+* Added force zero shared secret buffer, and clear of old key with ecdh
+ (PR 8685)
+* Update fips-check.sh script to pickup XTS streaming support on aarch64 and
+ disable XTS-384 as an allowed use in FIPS mode (PR 8509, 8546)


 ## Enhancements and Optimizations
-* Add a CMake dependency check for pthreads when required. (PR 8162)
-* Update OS_Seed declarations for legacy compilers and FIPS modules (boundary
- not affected). (PR 8170)
-* Enable WOLFSSL_ALWAYS_KEEP_SNI by default when using --enable-jni. (PR 8283)
-* Change the default cipher suite preference, prioritizing
- TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256. (PR 7771)
-* Add SRTP-KDF (FIPS module v6.0.0) to checkout script for release bundling
- (PR 8215)
-* Make library build when no hardware crypto available for Aarch64 (PR 8293)
-* Update assembly code to avoid `uint*_t` types for better compatibility with
- older C standards. (PR 8133)
-* Add initial documentation for writing ASN template code to decode BER/DER.
- (PR 8120)
-* Perform full reduction in sc_muladd for EdDSA with Curve448 (PR 8276)
-* Allow SHA-3 hardware cryptography instructions to be explicitly not used in
- MacOS builds (PR 8282)
-* Make Kyber and ML-KEM available individually and together. (PR 8143)
-* Update configuration options to include Kyber/ML-KEM and fix defines used in
- wolfSSL_get_curve_name. (PR 8183)
-* Make GetShortInt available with WOLFSSL_ASN_EXTRA (PR 8149)
-* Improved test coverage and minor improvements of X509 (PR 8176)
-* Add sanity checks for configuration methods, ensuring the inclusion of
- wolfssl/options.h or user_settings.h. (PR 8262)
-* Enable support for building without TLS (NO_TLS). Provides reduced code size
- option for non-TLS users who want features like the certificate manager or
- compatibility layer. (PR 8273)
-* Exposed get_verify functions with OPENSSL_EXTRA. (PR 8258)
-* ML-DSA/Dilithium: obtain security level from DER when decoding (PR 8177)
-* Implementation for using PKCS11 to retrieve certificate for SSL CTX (PR 8267)
-* Add support for the RFC822 Mailbox attribute (PR 8280)
-* Initialize variables and adjust types resolve warnings with Visual Studio in
- Windows builds. (PR 8181)
-* Refactors and expansion of opensslcoexist build (PR 8132, 8216, 8230)
-* Add DTLS 1.3 interoperability, libspdm and DTLS CID interoperability tests
- (PR 8261, 8255, 8245)
-* Remove trailing error exit code in wolfSSL install setup script (PR 8189)
-* Update Arduino files for wolfssl 5.7.4 (PR 8219)
-* Improve Espressif SHA HW/SW mutex messages (PR 8225)
-* Apply post-5.7.4 release updates for Espressif Managed Component examples
- (PR 8251)
-* Expansion of c89 conformance (PR 8164)
-* Added configure option for additional sanity checks with --enable-faultharden
- (PR 8289)
-* Aarch64 ASM additions to check CPU features before hardware crypto instruction
- use (PR 8314)
+
+### Security & Cryptography
+* Add constant-time implementation improvements for encoding functions. We thank
+ Zhiyuan and Gilles for sharing a new constant-time analysis tool (CT-LLVM) and
+ reporting several non-constant-time implementations. (PR 8396, 8617)
+* Additional support for PKCS7 verify and decode with indefinite lengths
+ (PR 8520, 834, 8645)
+* Add more PQC hybrid key exchange algorithms such as support for combinations
+ with X25519 and X448 enabling compatibility with the PQC key exchange support
+ in Chromium browsers and Mozilla Firefox (PR 7821)
+* Add short-circuit comparisons to DH key validation for RFC 7919 parameters
+ (PR 8335)
+* Improve FIPS compatibility with various build configurations for more resource
+ constrained builds (PR 8370)
+* Added option to disable ECC public key order checking (PR 8581)
+* Allow critical alt and basic constraints extensions (PR 8542)
+* New codepoint for MLDSA to help with interoperability (PR 8393)
+* Add support for parsing trusted PEM certs having the header
+ “BEGIN_TRUSTED_CERT” (PR 8400)
+* Add support for parsing only of DoD certificate policy and Comodo Ltd PKI OIDs
+ (PR 8599, 8686)
+* Update ssl code in `src/*.c` to be consistent with wolfcrypt/src/asn.c
+ handling of ML_DSA vs Dilithium and add dual alg. test (PR 8360, 8425)
+
+### Build System, Configuration, CI & Protocols
+* Internal refactor for include of config.h and when building with
+ BUILDING_WOLFSSL macro. This refactor will give a warning of “deprecated
+ function” when trying to improperly use an internal API of wolfSSL in an
+ external application. (PR 8640, 8647, 8660, 8662, 8664)
+* Add WOLFSSL_CLU option to CMakeLists.txt (PR 8548)
+* Add CMake and Zephyr support for XMSS and LMS (PR 8494)
+* Added GitHub CI for CMake builds (PR 8439)
+* Added necessary macros when building wolfTPM Zephyr with wolfSSL (PR 8382)
+* Add MSYS2 build continuous integration test (PR 8504)
+* Update DevKitPro doc to list calico dependency with build commands (PR 8607)
+* Conversion compiler warning fixes and additional continuous integration test
+ added (PR 8538)
+* Enable DTLS 1.3 by default in --enable-jni builds (PR 8481)
+* Enabled TLS 1.3 middlebox compatibility by default for --enable-jni builds
+ (PR 8526)
+
+### Performance Improvements
+* Performance improvements AES-GCM and HMAC (in/out hash copy) (PR 8429)
+* LMS fixes and improvements adding API to get Key ID from raw private key,
+ change to identifiers to match standard, and fix for when
+ WOLFSSL_LMS_MAX_LEVELS is 1 (PR 8390, 8684, 8613, 8623)
+* ML-KEM/Kyber improvements and fixes; no malloc builds, small memory usage,
+ performance improvement, fix for big-endian (PR 8397, 8412, 8436, 8467, 8619,
+ 8622, 8588)
+* Performance improvements for AES-GCM and when doing multiple HMAC operations
+ (PR 8445)
+
+### Assembly and Platform-Specific Enhancements
+* Poly1305 arm assembly changes adding ARM32 NEON implementation and fix for
+ Aarch64 use (PR 8344, 8561, 8671)
+* Aarch64 assembly enhancement to use more CPU features, fix for FreeBSD/OpenBSD
+ (PR 8325, 8348)
+* Only perform ARM assembly CPUID checks if support was enabled at build time
+ (PR 8566)
+* Optimizations for ARM32 assembly instructions on platforms less than ARMv7
+ (PR 8395)
+* Improve MSVC feature detection for static assert macros (PR 8440)
+* Improve Espressif make and CMake for ESP8266 and ESP32 series (PR 8402)
+* Espressif updates for Kconfig, ESP32P4 and adding a sample user_settings.h
+ (PR 8422, PR 8641)
+
+### OpenSSL Compatibility Layer
+* Modification to the push/pop to/from in OpenSSL compatibility layer. This is
+ a pretty major API change in the OpenSSL compatibility stack functions.
+ Previously the API would push/pop from the beginning of the list but now they
+ operate on the tail of the list. This matters when using the sk_value with
+ index values. (PR 8616)
+* OpenSSL Compat Layer: OCSP response improvements (PR 8408, 8498)
+* Expand the OpenSSL compatibility layer to include an implementation of
+ BN_CTX_get (PR 8388)
+
+### API Additions and Modifications
+* Refactor Hpke to allow multiple uses of a context instead of just one shot
+ mode (PR 6805)
+* Add support for PSK client callback with Ada and use with Alire (thanks
+ @mgrojo, PR 8332, 8606)
+* Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs and add
+ functions wolfSSL_CTX_SetEchConfigs and wolfSSL_CTX_SetEchConfigsBase64 to
+ rotate the server's echConfigs (PR 8556)
+* Added the public API wc_PkcsPad to do PKCS padding (PR 8502)
+* Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate (PR 8518)
+* Update Kyber APIs to ML-KEM APIs (PR 8536)
+* Add option to disallow automatic use of "default" devId using the macro
+ WC_NO_DEFAULT_DEVID (PR 8555)
+* Detect unknown key format on ProcessBufferTryDecode() and handle RSA-PSSk
+ format (PR 8630)
+
+### Porting and Language Support
+* Update Python port to support version 3.12.6 (PR 8345)
+* New additions for MAXQ with wolfPKCS11 (PR 8343)
+* Port to ntp 4.2.8p17 additions (PR 8324)
+* Add version 0.9.14 to tested libvncserver builds (PR 8337)
+
+### General Improvements and Cleanups
+* Cleanups for STM32 AES GCM (PR 8584)
+* Improvements to isascii() and the CMake key log option (PR 8596)
+* Arduino documentation updates, comments and spelling corrections (PR 8381,
+ 8384, 8514)
+* Expanding builds with WOLFSSL_NO_REALLOC for use with --enable-opensslall and
+ --enable-all builds (PR 8369, 8371)


 ## Fixes
-* Fix a memory issue when using the compatibility layer with
- WOLFSSL_GENERAL_NAME and handling registered ID types. (PR 8155)
-* Fix a build issue with signature fault hardening when using public key
- callbacks (HAVE_PK_CALLBACKS). (PR 8287)
-* Fix for handling heap hint pointer properly when managing multiple WOLFSSL_CTX
- objects and free’ing one of them (PR 8180)
-* Fix potential memory leak in error case with Aria. (PR 8268)
-* Fix Set_Verify flag behaviour on Ada wrapper. (PR 8256)
-* Fix a compilation error with the NO_WOLFSSL_DIR flag. (PR 8294)
-* Resolve a corner case for Poly1305 assembly code on Aarch64. (PR 8275)
-* Fix incorrect version setting in CSRs. (PR 8136)
-* Correct debugging output for cryptodev. (PR 8202)
-* Fix for benchmark application use with /dev/crypto GMAC auth error due to size
- of AAD (PR 8210)
-* Add missing checks for the initialization of sp_int/mp_int with DSA to free
- memory properly in error cases. (PR 8209)
-* Fix return value of wolfSSL_CTX_set_tlsext_use_srtp (8252)
-* Check Root CA by Renesas TSIP before adding it to ca-table (PR 8101)
-* Prevent adding a certificate to the CA cache for Renesas builds if it does not
- set CA:TRUE in basic constraints. (PR 8060)
-* Fix attribute certificate holder entityName parsing. (PR 8166)
-* Resolve build issues for configurations without any wolfSSL/openssl
- compatibility layer headers. (PR 8182)
-* Fix for building SP RSA small and RSA public only (PR 8235)
-* Fix for Renesas RX TSIP RSA Sign/Verify with wolfCrypt only (PR 8206)
-* Fix to ensure all files have settings.h included (like wc_lms.c) and guards
- for building all `*.c` files (PR 8257 and PR 8140)
-* Fix x86 target build issues in Visual Studio for non-Windows operating
- systems. (PR 8098)
-* Fix wolfSSL_X509_STORE_get0_objects to handle no CA (PR 8226)
-* Properly handle reference counting when adding to the X509 store. (PR 8233)
-* Fix for various typos and improper size used with FreeRTOS_bind in the Renesas
- example. Thanks to Hongbo for the report on example issues. (PR 7537)
-* Fix for potential heap use after free with wolfSSL_PEM_read_bio_PrivateKey.
- Thanks to Peter for the issue reported. (PR 8139)
-
+* Fix a use after free caused by an early free on error in the X509 store
+ (PR 8449)
+* Fix to account for existing PKCS8 header with
+ wolfSSL_PEM_write_PKCS8PrivateKey (PR 8612)
+* Fixed failing CMake build issue when standard threads support is not found in
+ the system (PR 8485)
+* Fix segmentation fault in SHA-512 implementation for AVX512 targets built with
+ gcc -march=native -O2 (PR 8329)
+* Fix Windows socket API compatibility warning with mingw32 build (PR 8424)
+* Fix potential null pointer increments in cipher list parsing (PR 8420)
+* Fix for possible stack buffer overflow read with wolfSSL_SMIME_write_PKCS7.
+ Thanks to the team at Code Intelligence for the report. (PR 8466)
+* Fix AES ECB implementation for Aarch64 ARM assembly (PR 8379)
+* Fixed building with VS2008 and .NET 3.5 (PR 8621)
+* Fixed possible error case memory leaks in CRL and EVP_Sign_Final (PR 8447)
+* Fixed SSL_set_mtu compatibility function return code (PR 8330)
+* Fixed Renesas RX TSIP (PR 8595)
+* Fixed ECC non-blocking tests (PR 8533)
+* Fixed CMake on MINGW and MSYS (PR 8377)
+* Fixed Watcom compiler and added new CI test (PR 8391)
+* Fixed STM32 PKA ECC 521-bit support (PR 8450)
+* Fixed STM32 PKA with P521 and shared secret (PR 8601)
+* Fixed crypto callback macro guards with `DEBUG_CRYPTOCB` (PR 8602)
+* Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
+ (PR 8575)
+* Additional sanity check on r and s lengths in DecodeECC_DSA_Sig_Bin (PR 8350)
+* Fix compat. layer ASN1_TIME_diff to accept NULL output params (PR 8407)
+* Fix CMake lean_tls build (PR 8460)
+* Fix for QUIC callback failure (PR 8475)
+* Fix missing alert types in AlertTypeToString for print out with debugging
+ enabled (PR 8572)
+* Fixes for MSVS build issues with PQC configure (PR 8568)
+* Fix for SE050 port and minor improvements (PR 8431, 8437)
+* Fix for missing rewind function in zephyr and add missing files for compiling
+ with assembly optimizations (PR 8531, 8541)
+* Fix for quic_record_append to return the correct code (PR 8340, 8358)
+* Fixes for Bind 9.18.28 port (PR 8331)
+* Fix to adhere more closely with RFC8446 Appendix D and set haveEMS when
+ negotiating TLS 1.3 (PR 8487)
+* Fix to properly check for signature_algorithms from the client in a TLS 1.3
+ server (PR 8356)
+* Fix for when BIO data is less than seq buffer size. Thanks to the team at Code
+ Intelligence for the report (PR 8426)
+* ARM32/Thumb2 fixes for WOLFSSL_NO_VAR_ASSIGN_REG and td4 variable declarations
+ (PR 8590, 8635)
+* Fix for Intel AVX1/SSE2 assembly to not use vzeroupper instructions unless ymm
+ or zmm registers are used (PR 8479)
+* Entropy MemUse fix for when block size less than update bits (PR 8675)

 For additional vulnerability information visit the vulnerability page at:
 https://www.wolfssl.com/docs/security-vulnerabilities/
--- a/certs/fpki-certpol-cert.der
+++ b/certs/fpki-certpol-cert.der
--- a/Show More
+++ b/Show More