Merge pull request #3586 from tmael/cc310_tests

Fix Cryptocell and revert test.c use of static const

.gitignore

@@ -5,18 +5,21 @@ ctaocrypt/src/src/
 *.o
 *.patch
 *.deps
+*.d
 *.libs
 *.cache
 .dirstamp
 *.user
 configure
 config.*
+!cmake/config.in
 *Debug/
 *Release/
 *.ncb
 *.suo
 *.sdf
 *.opensdf
+*.cmd
 ipch/
 build-aux/
 rpm/spec
@@ -227,6 +230,17 @@ IDE/MDK-ARM/LPC43xx/LPC43xx/
 *.gcno
 *.gcda
 *.gcov
+!linuxkm/Makefile
+/Kbuild
+linuxkm/*.ko
+linuxkm/Module.symvers
+linuxkm/built-in.a
+linuxkm/modules.order
+linuxkm/wolfcrypt
+linuxkm/libwolfssl.mod
+linuxkm/libwolfssl.mod.c
+linuxkm/module_exports.c
+linuxkm/linuxkm/get_thread_size
 
 # MPLAB Generated Files (OS X)
 mcapi/wolfcrypt_mcapi.X/nbproject/Makefile-*
@@ -336,3 +350,11 @@ IDE/XCODE/Index
 /IDE/Renesas/e2studio/Projects/test/trash
 /IDE/Renesas/e2studio/Projects/test/*.launch
 /IDE/Renesas/e2studio/Projects/test/*.scfg
+
+# Emacs
+*~
+
+# CMake
+CMakeFiles/
+CMakeCache.txt
+cmake_install.cmake

ChangeLog.md

@@ -1,3 +1,153 @@
+# wolfSSL Release 4.6.0 (December 22, 2020)
+Release 4.6.0 of wolfSSL embedded TLS has bug fixes and new features including:
+
+### New Feature Additions
+###### New Build Options
+* wolfSSL now enables linux kernel module support. Big news for Linux kernel module developers with crypto requirements! wolfCrypt and wolfSSL are now loadable as modules in the Linux kernel, providing the entire libwolfssl API natively to other kernel modules. For the first time on Linux, the entire TLS protocol stack can be loaded as a module, allowing fully kernel-resident TLS/DTLS endpoints with in-kernel handshaking.  (--enable-linuxkm, --enable-linuxkm-defaults, --with-linux-source) (https://www.wolfssl.com/loading-wolfssl-into-the-linux-kernel/)
+* Build tests and updated instructions for use with Apple’s A12Z chipset  (https://www.wolfssl.com/preliminary-cryptographic-benchmarks-on-new-apple-a12z-bionic-platform/)
+* Expansion of wolfSSL SP math implementation and addition of --enable-sp-math-all build option
+* Apache httpd w/TLS 1.3 support added
+* Sniffer support for TLS 1.3 and AES CCM
+* Support small memory footprint build with only TLS 1.3 and PSK without code for (EC)DHE and certificates
+
+###### New Hardware Acceleration
+* Added support for NXP DCP (i.MX RT1060/1062) crypto co-processor
+* Add Silicon Labs hardware acceleration using [SL SE Manager](https://docs.silabs.com/gecko-platform/latest/service/api/group-sl-se-manager)
+
+###### New Algorithms
+* RC2 ECB/CBC added for use with PKCS#12 bundles
+* XChaCha and the XChaCha20-Poly1305 AEAD algorithm support added
+
+###### Misc
+* Added support for 802.11Q VLAN frames to sniffer
+* Added OCSP function wolfSSL_get_ocsp_producedDate
+* Added API to set CPU ID flags cpuid_select_flags, cpuid_set_flag, cpuid_clear_flag
+* New DTLS/TLS non-blocking Secure Renegotiation example added to server.c and client.c
+
+### Fixes
+###### Math Library
+* Fix mp_to_unsigned_bin_len out of bounds read with buffers longer than maximum MP
+* Fix for fp_read_radix_16 out of bounds read
+* Fix to add wrapper for new timing resistant wc_ecc_mulmod_ex2 function version in HW ECC acceleration
+* Handle an edge case with RSA-PSS encoding message to hash
+
+###### Compatibility Layer Fixes
+* Fix for setting serial number wolfSSL_X509_set_serialNumber
+* Fix for setting ASN1 time not before / not after with WOLFSSL_X509
+* Fix for order of components in issuer name when using X509_sign
+* Fix for compatibility layer API DH_compute_key
+* EVP fix incorrect block size for GCM and buffer up AAD for encryption/decryption
+* EVP fix for AES-XTS key length return value and fix for string compare calls
+* Fix for mutex freeing during RNG failure case with EVP_KEY creation
+* Non blocking use with compatibility layer BIOs in TLS connections
+
+###### Build Configuration
+* Fix for custom build with WOLFSSL_USER_MALLOC defined
+* ED448 compiler warning on Intel 32bit systems
+* CURVE448_SMALL build fix for 32bit systems with Curve448
+* Fix to build SP math with IAR
+* CMake fix to only set ranlib arguments for Mac, and for stray typo of , -> ;
+* Build with --enable-wpas=small fix
+* Fix for building fips ready using openssl extra
+* Fixes for building with Microchip (min/max and undef SHA_BLOCK_SIZE)
+* FIx for NO_FILESYSTEM build on Windows
+* Fixed SHA256 support for IMX-RT1060
+* Fix for ECC key gen with NO_TFM_64BIT
+
+###### Sniffer
+* Fixes for sniffer when using static ECC keys. Adds back TLS v1.2 static ECC key fallback detection and fixes new ECC RNG requirement for timing resistance
+* Fix for sniffer with SNI enabled to properly handle WOLFSSL_SUCCESS error code in ProcessClientHello
+* Fix for sniffer using HAVE_MAX_FRAGMENT in "certificate" type message
+* Fix build error with unused "ret" when building with WOLFSSL_SNIFFER_WATCH.
+* Fix to not treat cert/key not found as error in myWatchCb and WOLFSSL_SNIFFER_WATCH.
+* Sniffer fixes for handling TCP `out-of-range sequence number`
+* Fixes SSLv3 use of ECDH in sniffer
+
+###### PKCS
+* PKCS#11 fix to generate ECC key for decrypt/sign or derive
+* Fix for resetting internal variables when parsing a malformed PKCS#7 bundle with PKCS7_VerifySignedData()
+* Verify the extracted public key in wc_PKCS7_InitWithCert
+* Fix for internal buffer size when using decompression with PKCS#7
+
+###### Misc
+* Pin the C# verify callback function to keep from garbage collection
+* DH fixes for when public key is owned and free’d after a handshake
+* Fix for TLS 1.3 early data packets
+* Fix for STM32 issue with some Cube HAL versions and STM32 example timeout
+* Fix mmCAU and LTC hardware mutex locking to prevent double lock
+* Fix potential race condition with CRL monitor
+* Fix for possible malformed encrypted key with 3DES causing negative length
+* AES-CTR performance fixed with AES-NI
+
+### Improvements/Optimizations
+##### SP and Math
+* mp_radix_size adjustment for leading 0
+* Resolve implicit cast warnings with SP build
+* Change mp_sqr to return an error if the result won't fit into the fixed length dp
+* ARM64 assembly with clang improvements, clang doesn't always handle use of x29 (FP or Frame Pointer) in inline assembly code correctly - reworked sp_2048_sqr_8 to not use x29
+* SP mod exp changed to support exponents of different lengths
+* TFM div: fix initial value of size in q so clamping doesn't OOB read
+* Numerous stack depth improvements with --enable-smallstack
+* Improve cache resistance with Base64 operations
+
+###### TLS 1.3
+* TLS 1.3 wolfSSL_peek want read return addition
+* TLS 1.3: Fix P-521 algorithm matching
+
+###### PKCS
+* Improvements and refactoring to PKCS#11 key look up
+* PKCS #11 changes for signing and loading RSA public key from private
+* check PKCS#7 SignedData private key is valid before using it
+* check PKCS#7 VerifySignedData content length against total bundle size to avoid large malloc
+
+###### Compatibility Layer
+* EVP add block size for more ciphers in wolfSSL_EVP_CIPHER_block_size()
+* Return long names instead of short names in wolfSSL_OBJ_obj2txt()
+* Add additional OpenSSL compatibility functions to update the version of Apache httpd supported
+* add "CCM8" variants to cipher_names "CCM-8" ciphers, for OpenSSL compat
+
+###### Builds
+* Cortex-M SP ASM support for IAR 6.70
+* STM Cube pack support (IDE/STM32Cube)
+* Build option --enable-aesgcm=4bit added for AES-GCM GMULT using 4 bit table
+* Xilinx IDE updates to allow XTIME override for Xilinx, spelling fixes in Xilinx README.md, and add Xilinx SDK printf support
+* Added ED448 to the "all" options and ED448 check key null argument sanity check
+* Added ARC4, 3DES, nullcipher, BLAKE2, BLAKE2s, XChaCha, MD2, and MD4 to the “all” options
+* Added an --enable-all-crypto option, to enable only the wolfCrypt features of --enable-all, combinable with --enable-cryptonly
+* Added the ability to selectively remove features from --enable-all and --enable-all-crypto using specific --disable-<feature> options
+* Use Intel intrinsics with Windows for RDSEED and RDRAND (thanks to dr-m from MariaDB)
+* Add option to build with WOLFSSL_NO_CLIENT_AUTH
+* Updated build requirements for wolfSSH use to be less restrictive
+* lighttpd support update for v1.4.56
+* Added batch file to copy files to ESP-IDF folders and resolved warnings when using v4.0 ESP-IDF
+* Added --enable-stacksize=verbose, showing at a glance the stack high water mark for each subtest in testwolfcrypt
+
+###### ECC
+* Performance increase for ECC verify only, using non constant time SP modinv
+* During ECC verify add validation of r and s before any use
+* Always use safe add and dbl with ECC
+* Timing resistant scalar multiplication updated with use of Joye double-add ladder
+* Update mp_jacobi function to reduce stack and increase performance for base ECC build
+* Reduce heap memory use with wc_EccPrivateKeyDecode, Improvement to ECC wc_ecc_sig_to_rs and wc_ecc_rs_raw_to_sig to reduce memory use (avoid the mp_int)
+* Improve StoreECC_DSA_Sig bounds checking
+
+###### OCSP
+* OCSP improvement to handle extensions in singleResponse
+* support for OCSP request/response for multiple certificates
+* OCSP Must Staple option added to require OCSP stapling response
+* Add support for id-pkix-ocsp-nocheck extension
+
+###### Misc
+* Additional code coverage added for ECC and RSA, PKCS#7, 3DES, EVP and Blake2b operations
+* DTLS MTU: check MTU on write
+* Refactor hash sig selection and add the macros WOLFSSL_STRONGEST_HASH_SIG (picks the strongest hash) and WOLFSSL_ECDSA_MATCH_HASH (will pick the hash to match the ECC curve)
+* Strict certificate version allowed from client, TLS 1.2 / 1.3 can not accept client certificates lower than version 3
+* wolfSSL_get_ciphers_compat(), skip the fake indicator ciphers like the renegotiation indication and the quantum-safe hybrid
+* When parsing session ticket, check TLS version to see whether they are version compatible
+* Additional sanity check for invalid ASN1 padding on integer type
+* Adding in ChaCha20 streaming feature with Mac and Intel assembly build
+* Sniffer build with --enable-oldtls option on
+
 # wolfSSL Release 4.5.0 (August 19, 2020)
 
 If you have questions about this release, feel free to contact us on our
@@ -106,7 +256,8 @@ in a specific use case, 1 fix for DTLS.
   wolfSSL, and are doing private key operations on the system (such as signing
   with a private key) are recommended to regenerate private keys and update to
   the most recent version of wolfSSL. CVE-2020-15309 is reserved for this
-  issue. Thanks to Ida Bruhns from Universität zu Lübeck for the report.
+  issue. Thanks to Ida Bruhns from Universität zu Lübeck and Samira Briongos
+  from NEC Laboratories Europe for the report.
 * When using SGX with EC scalar multiplication the possibility of side-channel
   attacks are present. To mitigate the risk of side channel attacks wolfSSL’s
   single precision EC operations should be used instead. Release 4.5.0 turns
@@ -335,13 +486,13 @@ Release 4.3.0 of wolfSSL embedded TLS has bug fixes and new features including:
 * Update to allow compiling for pwdbased/PBKDF2 with having NO_ASN defined
 * Modify KeyShare and PreSharedKey TLS 1.3 extension linked list advancement to be easier for compilers to handle
 * Optimization to parsing certificate extension name strings
-* Adjustment to example server -x runtime behavior when encountering an unrecoverable error case 
+* Adjustment to example server -x runtime behavior when encountering an unrecoverable error case
 * Remove Blake2b support from HMAC
 * Adds new hash wrapper init wc_HashInit_ex and Adds new PBKDF2 API wc_PBKDF2_ex for using heap hints for custom memory pools
 * Adding script to cleanup generated test files,  scripts/cleanup_testfiles.sh
 * Support 20-byte serial numbers and disallow 0
 * sp_div improved to handle when a has less digits than d (--enable-sp-math build)
-* When decoding a policy OID and turning it into a human readable string use snprintf() 
+* When decoding a policy OID and turning it into a human readable string use snprintf()
 * set the IV length of EVP AES GCM to 96-bits by default
 * Allow adding CAs for root CA's over the wire that do not have the extended key usage cert_sign set
 * Added logging messages for SendAlert call and update to send alert after verify certificate callback
@@ -405,13 +556,13 @@ Release 4.2.0 of wolfSSL embedded TLS has bug fixes and new features including:
 * Addition to configure.ac for FIPS wolfRand builds
 * Adding the flag WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY for ignoring certificate date checks with the functions wolfSSL_CTX_load_verify_buffer_ex and wolfSSL_CTX_load_verify_locations_ex
 * Support for PKCS8 keys added to the function wolfSSL_CTX_use_PrivateKey_buffer
-* Support for KECCAK hashing. Build with macro WOLFSSL_HASH_FLAGS and call wc_Sha3_SetFlags(&sha, WC_HASH_SHA3_KECCAK256) before the first SHA3 update 
+* Support for KECCAK hashing. Build with macro WOLFSSL_HASH_FLAGS and call wc_Sha3_SetFlags(&sha, WC_HASH_SHA3_KECCAK256) before the first SHA3 update
 * Addition of setting secure renegotiation at CTX level
 * Addition of KDS (NXP Kinetis Design Studio) example project to directory IDE/KDS/
 * Support for Encrypt-Then-MAC to TLS 1.2 and below
-* Added a new build option for a TITAN session cache that can hold just over 2 million session entries (--enable-titancache)  
+* Added a new build option for a TITAN session cache that can hold just over 2 million session entries (--enable-titancache)
 * Synchronous Quick Assist Support for Sniffer
-* Added Support for SiFive HiFive Unleashed board 
+* Added Support for SiFive HiFive Unleashed board
 * Support for Google WebRTC added in to compatibility layer build
 * Additional Sniffer features; IPv6 sniffer support, Fragment chain input, Data store callback, Various statistics tweaks and other Sniffer fixes
 
@@ -446,7 +597,7 @@ Release 4.2.0 of wolfSSL embedded TLS has bug fixes and new features including:
 * Optimization to SP math, changing variables to const where possible. Thanks to Yair Poleg (yair.poleg@ayyeka.com) of Ayyeka for proposing static declaration of global constant variables in SP code
 * Additional fuzz testing and fixes for TLS 1.3 use, including additional TLS 1.3 alert messages (PR#2440 for more information)
 * Additional sanity check that ciphersuite from client hello is used in server hello response (check can be removed with the macro WOLFSSL_NO_STRICT_CIPHER_SUITE)
-* Improved MMCAU performance: SHA-1 by 35%, SHA-256 by 20% and MD5 by 78% 
+* Improved MMCAU performance: SHA-1 by 35%, SHA-256 by 20% and MD5 by 78%
 * By default, disallow SHA-2 cipher suites from being used in TLS 1.0 and 1.1 handshakes (can be ignored with macro WOLFSSL_OLDTLS_SHA2_CIPHERSUITES)
 * Optimization of export session buffer size with enable option --enable-sessionexport=nopeer
 * Spelling fixes in comments and some cast warnings resolved
@@ -986,7 +1137,7 @@ This release includes many performance improvements with Intel ASM (AVX/AVX2) an
 * Fixes to allow custom serial number during certificate generation
 * Add method to get WOLFSSL_CTX certificate manager
 * Improvement to `wolfSSL_SetOCSP_Cb` to allow context per WOLFSSL object
-* Alternate certificate chain support `WOLFSSL_ALT_CERT_CHAINS`. Enables checking cert against multiple CA's. 
+* Alternate certificate chain support `WOLFSSL_ALT_CERT_CHAINS`. Enables checking cert against multiple CA's.
 * Added new `--disable-oldnames` option to allow for using openssl along-side wolfssl headers (without OPENSSL_EXTRA).
 * Refactor SSL_ and hashing types to use wolf specific prefix (WOLFSSL and WC_) to allow openssl coexistence.
 * Fixes for HAVE_INTEL_MULX
@@ -1106,7 +1257,7 @@ More info can be found on-line at http://wolfssl.com/wolfSSL/Docs.html
 - Added support for HAproxy load balancer
 - Added option to allow SHA1 with TLS 1.2 for IIS compatibility (WOLFSSL_ALLOW_TLS_SHA1)
 - Added Curve25519 51-bit Implementation, increasing performance on systems that have 128 bit types
-- Fix to not send session ID on server side if session cache is off unless we're echoing 
+- Fix to not send session ID on server side if session cache is off unless we're echoing
 session ID as part of session tickets
 - Fixes for ensuring all default ciphers are setup correctly (see PR #830)
 - Added NXP Hexiwear example in `IDE/HEXIWEAR`.
@@ -1114,7 +1265,7 @@ session ID as part of session tickets
 - Fixes for TLS elliptic curve selection on private key import.
 - Fixes for RNG with Intel rdrand and rdseed speedups.
 - Improved performance with Intel rdrand to use full 64-bit output
-- Added new --enable-intelrand option to indicate use of RDRAND preference for RNG source 
+- Added new --enable-intelrand option to indicate use of RDRAND preference for RNG source
 - Removed RNG ARC4 support
 - Added ECC helpers to get size and id from curve name.
 - Added ECC Cofactor DH (ECC-CDH) support
@@ -1737,7 +1888,7 @@ and comments about the new features please check the manual.
   handling and reduce memory fragmentation on I/O large sizes
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -1748,7 +1899,7 @@ and comments about the new features please check the manual.
 - Freescale Kinetis mmCAU support
 - TLS Hello extensions
   - ECC
-  - Secure Renegotiation (null) 
+  - Secure Renegotiation (null)
   - Truncated HMAC
 - SCEP support
   - PKCS #7 Enveloped data and signed data
@@ -1795,7 +1946,7 @@ http://cache.freescale.com/files/32bit/doc/user_guide/CAUAPIUG.pdf
 
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -1821,7 +1972,7 @@ and comments about the new features please check the manual.
 
 When compiling with Mingw, libtool may give the following warning due to
 path conversion errors:
- 
+
 ```
 libtool: link: Could not determine host file name corresponding to **
 libtool: link: Continuing, but uninstalled executables may not work.
@@ -1831,7 +1982,7 @@ If so, examples and testsuite will have problems when run, showing an
 error while loading shared libraries. To resolve, please run "make install".
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -1853,7 +2004,7 @@ and comments about the new features please check the manual.
       13 bytes DTLS headers, but every effort is now made to align with the
       CYASSL_GENERAL_ALIGNMENT flag which sets desired alignment requirement
 - NO_64BIT flag to turn off 64bit data type accumulators in public key code
-    * Note, some systems are faster with 32bit accumulators 
+    * Note, some systems are faster with 32bit accumulators
 - --enable-stacksize for example client/server stack use
     * Note, modern desktop Operating Systems may add bytes to each stack frame
 - Updated compression/decompression with direct crypto access
@@ -1874,19 +2025,19 @@ and comments about the new features please check the manual.
     * dh
     * dsa
     * md5
-    * sha 
+    * sha
     * arc4
     * null    (allow NULL ciphers)
     * oldtls  (only use TLS 1.2)
     * asn     (no certs or public keys allowed)
-- ./configure generates cyassl/options.h which allows a header the user can 
+- ./configure generates cyassl/options.h which allows a header the user can
   include in their app to make sure the same options are set at the app and
   CyaSSL level.
 - autoconf no longer needs serial-tests which lowers version requirements of
   automake to 1.11 and autoconf to 2.63
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -1904,7 +2055,7 @@ and comments about the new features please check the manual.
 - Camellia crypto and cipher suites
 - Bumped minimum autoconf version to 2.65, automake version to 1.12
 - Addition of OCSP callbacks
-- STM32F2 support with hardware crypto and RNG 
+- STM32F2 support with hardware crypto and RNG
 - Cavium NITROX support
 
 CTaoCrypt now has support for the Microchip PIC32 and has been tested with
@@ -1917,7 +2068,7 @@ To add Cavium NITROX support do:
 ./configure --with-cavium=/home/user/cavium/software
 
 pointing to your licensed cavium/software directory.  Since Cavium doesn't
-build a library we pull in the cavium_common.o file which gives a libtool 
+build a library we pull in the cavium_common.o file which gives a libtool
 warning about the portability of this.  Also, if you're using the github source
 tree you'll need to remove the -Wredundant-decls warning from the generated
 Makefile because the cavium headers don't conform to this warning.  Currently
@@ -1930,11 +2081,11 @@ test and benchmark.  Please see the HAVE_CAVIUM define.
 CyaSSL is able to use the STM32F2 hardware-based cryptography and random number
 generator through the STM32F2 Standard Peripheral Library. For necessary
 defines, see the CYASSL_STM32F2 define in settings.h. Documentation for the
-STM32F2 Standard Peripheral Library can be found in the following document: 
+STM32F2 Standard Peripheral Library can be found in the following document:
 http://www.st.com/internet/com/TECHNICAL_RESOURCES/TECHNICAL_LITERATURE/USER_MANUAL/DM00023896.pdf
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -1962,7 +2113,7 @@ K70 Sub-Family Reference Manual:
 http://cache.freescale.com/files/microcontrollers/doc/ref_manual/K70P256M150SF3RM.pdf
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -1974,7 +2125,7 @@ and comments about the new features please check the manual.
 - Updated build process
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -1993,7 +2144,7 @@ and comments about the new features please check the manual.
 - DTLS Cookie support, reliability coming soon
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -2006,13 +2157,13 @@ and comments about the new features please check the manual.
 - Add static ECDH suites
 - SHA-384 support
 - ECC client certificate support
-- Add medium session cache size (1055 sessions) 
+- Add medium session cache size (1055 sessions)
 - Updated unit tests
 - Protection against mutex reinitialization
 
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -2029,7 +2180,7 @@ and comments about the new features please check the manual.
 
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -2048,7 +2199,7 @@ and comments about the new features please check the manual.
 - Export Base64_Encode for general use
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -2065,7 +2216,7 @@ and comments about the new features please check the manual.
 - Microchip pic32 support
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 
@@ -2089,7 +2240,7 @@ changes are required.
 Special Thanks to Brian Aker for his autoconf, install, and header patches.
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 # CyaSSL Release 2.0.0rc2 (6/6/2011)
@@ -2108,21 +2259,21 @@ This is the 2nd and perhaps final release candidate for version 2.
 Please send any comments or questions to support@yassl.com.
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 # CyaSSL Release 2.0.0rc1 (5/2/2011)
 
 #### Release 2.0.0rc1 for CyaSSL has many new features including:
 - bug fixes
-- SHA-256 cipher suites 
-- Root Certificate Verification (instead of needing all certs in the chain) 
-- PKCS #8 private key encryption (supports PKCS #5 v1-v2 and PKCS #12) 
-- Serial number retrieval for x509 
-- PBKDF2 and PKCS #12 PBKDF 
-- UID parsing for x509 
-- SHA-256 certificate signatures 
-- Client and server can send chains (SSL_CTX_use_certificate_chain_file) 
+- SHA-256 cipher suites
+- Root Certificate Verification (instead of needing all certs in the chain)
+- PKCS #8 private key encryption (supports PKCS #5 v1-v2 and PKCS #12)
+- Serial number retrieval for x509
+- PBKDF2 and PKCS #12 PBKDF
+- UID parsing for x509
+- SHA-256 certificate signatures
+- Client and server can send chains (SSL_CTX_use_certificate_chain_file)
 - CA loading can now parse multiple certificates per file
 - Dynamic memory runtime hooks
 - Runtime hooks for logging
@@ -2141,7 +2292,7 @@ options that CyaSSL allows, there may be some configuration fixes needed.
 Please send any comments or questions to support@yassl.com.
 
 The CyaSSL manual is available at:
-http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions 
+http://www.yassl.com/documentation/CyaSSL-Manual.pdf.  For build instructions
 and comments about the new features please check the manual.
 
 # CyaSSL Release 1.9.0 (3/2/2011)
@@ -2169,13 +2320,13 @@ build instructions and comments about the new features please check the manual.
 Please send any comments or questions to support@yassl.com.
 
 Happy Holidays.
- 
+
 
 # CyaSSL Release 1.6.5 (9/9/2010)
 
 Release 1.6.5 for CyaSSL adds bug fixes and x509 v3 self signed certificate
 generation.
- 
+
 For general build instructions see doc/Building_CyaSSL.pdf.
 
 To enable certificate generation support add this option to ./configure
@@ -2188,7 +2339,7 @@ in doc/CyaSSL_Extensions_Reference.pdf item 11.
 
 Release 1.6.0 for CyaSSL adds bug fixes, RIPEMD-160, SHA-512, and RSA key
 generation.
- 
+
 For general build instructions see doc/Building_CyaSSL.pdf.
 
 To add RIPEMD-160 support add this option to ./configure
@@ -2211,7 +2362,7 @@ CyaSSL.
 
 Release 1.5.6 for CyaSSL adds bug fixes, compatibility for our JSSE provider,
 and a fix for GCC builds on some systems.
- 
+
 For general build instructions see doc/Building_CyaSSL.pdf.
 
 To add AES-NI support add this option to ./configure
@@ -2221,9 +2372,9 @@ You'll need GCC 4.4.3 or later to make use of the assembly.
 
 # CyaSSL Release 1.5.4 (7/7/2010)
 
-Release 1.5.4 for CyaSSL adds bug fixes, support for AES-NI, SHA1 speed 
+Release 1.5.4 for CyaSSL adds bug fixes, support for AES-NI, SHA1 speed
 improvements from loop unrolling, and support for the Mongoose Web Server.
- 
+
 For general build instructions see doc/Building_CyaSSL.pdf.
 
 To add AES-NI support add this option to ./configure
@@ -2255,7 +2406,7 @@ please send questions or comments to support@yassl.com.
 When doing load testing with CyaSSL, on the echoserver example say, the client
 machine may run out of tcp ephemeral ports, they will end up in the TIME_WAIT
 queue, and can't be reused by default.  There are generally two ways to fix
-this. 
+this.
 
 1. Reduce the length sockets remain on the TIME_WAIT queue OR
 2. Allow items on the TIME_WAIT queue to be reused.
@@ -2313,7 +2464,7 @@ SSL_METHOD *TLSv1_2_server_method(void);
 SSL_METHOD *TLSv1_2_client_method(void);
 ```
 
-CyaSSL was tested against lighttpd 1.4.23.  To build CyaSSL for use with 
+CyaSSL was tested against lighttpd 1.4.23.  To build CyaSSL for use with
 lighttpd use the following commands from the CyaSSL install dir <CyaSSLDir>:
 
 ```
@@ -2498,7 +2649,7 @@ This gives warnings for some symbols but seems to work.
     ./configure
     make
 
-    from the ./testsuite/ directory run ./testsuite 
+    from the ./testsuite/ directory run ./testsuite
 
 #### To make a debug build:
 
@@ -2517,7 +2668,7 @@ Run the testsuite program
 
 
 
-# CyaSSL version 0.9.9 (7/25/2008) 
+# CyaSSL version 0.9.9 (7/25/2008)
 
 This release of CyaSSL adds bug fixes, Pre-Shared Keys, over-rideable memory
 handling, and optionally TomsFastMath.  Thanks to Moisés Guimarães for the
@@ -2537,7 +2688,7 @@ yet use -m64 because of GCCs inability to do 128bit division.
 See notes below (0.2.0) for complete build instructions.
 
 
-# CyaSSL version 0.9.8 (5/7/2008) 
+# CyaSSL version 0.9.8 (5/7/2008)
 
 This release of CyaSSL adds bug fixes, client side Diffie-Hellman, and better
 socket handling.
@@ -2545,7 +2696,7 @@ socket handling.
 See notes below (0.2.0) for complete build instructions.
 
 
-# CyaSSL version 0.9.6 (1/31/2008) 
+# CyaSSL version 0.9.6 (1/31/2008)
 
 This release of CyaSSL adds bug fixes, increased session management, and a fix
 for gnutls.
@@ -2553,15 +2704,15 @@ for gnutls.
 See notes below (0.2.0) for complete build instructions.
 
 
-# CyaSSL version 0.9.0 (10/15/2007) 
+# CyaSSL version 0.9.0 (10/15/2007)
 
-This release of CyaSSL adds bug fixes, MSVC 2005 support, GCC 4.2 support, 
+This release of CyaSSL adds bug fixes, MSVC 2005 support, GCC 4.2 support,
 IPV6 support and test, and new test certificates.
 
 See notes below (0.2.0) for complete build instructions.
 
 
-# CyaSSL version 0.8.0 (1/10/2007) 
+# CyaSSL version 0.8.0 (1/10/2007)
 
 This release of CyaSSL adds increased socket support, for non-blocking writes,
 connects, and interrupted system calls.
@@ -2569,7 +2720,7 @@ connects, and interrupted system calls.
 See notes below (0.2.0) for complete build instructions.
 
 
-# CyaSSL version 0.6.3 (10/30/2006) 
+# CyaSSL version 0.6.3 (10/30/2006)
 
 This release of CyaSSL adds debug logging to stderr to aid in the debugging of
 CyaSSL on systems that may not provide the best support.
@@ -2587,19 +2738,19 @@ To turn logging back off call CyaSSL_Debugging_OFF()
 See notes below (0.2.0) for complete build instructions.
 
 
-# CyaSSL version 0.6.2 (10/29/2006) 
+# CyaSSL version 0.6.2 (10/29/2006)
 
 This release of CyaSSL adds TLS 1.1.
 
 Note that CyaSSL has certificate verification on by default, unlike OpenSSL.
 To emulate OpenSSL behavior, you must call SSL_CTX_set_verify() with
-SSL_VERIFY_NONE.  In order to have full security you should never do this, 
+SSL_VERIFY_NONE.  In order to have full security you should never do this,
 provide CyaSSL with the proper certificates to eliminate impostors and call
 CyaSSL_check_domain_name() to prevent man in the middle attacks.
 
 See notes below (0.2.0) for build instructions.
 
-# CyaSSL version 0.6.0 (10/25/2006) 
+# CyaSSL version 0.6.0 (10/25/2006)
 
 This release of CyaSSL adds more SSL functions, better autoconf, nonblocking
 I/O for accept, connect, and read.  There is now an --enable-small configure
@@ -2609,7 +2760,7 @@ for the defines.  Note that TLS requires HMAC and AES requires TLS.
 See notes below (0.2.0) for build instructions.
 
 
-# CyaSSL version 0.5.5 (09/27/2006) 
+# CyaSSL version 0.5.5 (09/27/2006)
 
 This mini release of CyaSSL adds better input processing through buffered input
 and big message support.  Added SSL_pending() and some sanity checks on user
@@ -2618,23 +2769,23 @@ settings.
 See notes below (0.2.0) for build instructions.
 
 
-# CyaSSL version 0.5.0 (03/27/2006) 
+# CyaSSL version 0.5.0 (03/27/2006)
 
-This release of CyaSSL adds AES support and minor bug fixes. 
+This release of CyaSSL adds AES support and minor bug fixes.
 
 See notes below (0.2.0) for build instructions.
 
 
 # CyaSSL version 0.4.0 (03/15/2006)
 
-This release of CyaSSL adds TLSv1 client/server support and libtool. 
+This release of CyaSSL adds TLSv1 client/server support and libtool.
 
 See notes below for build instructions.
 
 
 # CyaSSL version 0.3.0 (02/26/2006)
 
-This release of CyaSSL adds SSLv3 server support and session resumption. 
+This release of CyaSSL adds SSLv3 server support and session resumption.
 
 See notes below for build instructions.
 
@@ -2660,7 +2811,7 @@ with support for SHA-1 and MD5 digests.  Ciphers include 3DES and RC4.
     ./configure
     make
 
-    from the ./testsuite/ directory run ./testsuite 
+    from the ./testsuite/ directory run ./testsuite
 
 #### to make a debug build:
 

IDE/ECLIPSE/MICRIUM/README.md

@@ -1,7 +1,7 @@
 
 # Micrium μC/OS-III Port
 ## Overview
-You can enable the wolfSSL support for Micrium μC/OS-III RTOS available [here](http://www.micriums.com/) using the define `MICRIUM`.
+You can enable the wolfSSL support for Micrium μC/OS-III RTOS available [here](http://www.micrium.com/) using the define `MICRIUM`.
 
 ## Usage
 
@@ -72,7 +72,7 @@ The test results below were collected from the NXP Kinetis K70 (Freescale TWR-K7
 
 - IAR Embedded Workbench IDE - ARM 8.32.1 (IAR ELF Linker V8.32.1.169/W32 for ARM)
 
-- The starting project is based on an IAR EWARM project from Micrium download center at [micrium_twr-k70f120m-os3/](https://www.micrium.com/download/micrium_twr-k70f120m-os3/) but the K70X_FLASH.icf linker script file was slightly modified to configure the stack and heap sizes to 16KB and 20KB. The test was run on a 1 MBytes of program flash and 128 KBytes of static RAM.
+- The starting project is based on an IAR EWARM project from Micrium download center at [micrium_twr-k70f120m-os3/](https://www.micrium.com/download/micrium_twr-k70f120m-os3/) but the K70X_FLASH.icf linker script file was slightly modified to configure the stack and heap sizes to 16KB and 20KB. The test was run on a 1 MBytes of program flash and 128 KBytes of static RAM. ([Similar TCP version](https://www.micrium.com/download/twr-k70f120m_os3-tcpip-wifi-lib/))
 
 - wolfssl [latest version](https://github.com/wolfSSL/wolfssl)
 

IDE/ECLIPSE/RTTHREAD/README.md

@@ -0,0 +1,175 @@
+# RT-Thread Port
+## Overview
+You can enable the wolfSSL support for RT-Thread available [here](https://www.rt-thread.io) using the define `RTTHREAD`.
+
+## Usage
+
+wolfSSL supports a compile-time user configurable options in the `IDE/ECLIPSE/RTTHREAD/user_settings.h` file.
+
+The `wolfssl_test.c` example application provides a simple function to run the test and benchmark.
+
+1. Open your IDE-based example project for RT-Thread.
+
+2. Create the following folder and sub-folders structures in your project.
+```
+wolfssl
+   |src
+   |wolfcrypt
+          |benchmark
+          |src
+          |test
+   |wolfssl
+          |openssl
+          |wolfcrypt
+   |example
+```
+The folder hierarchy is the same as the wolfSSL folders with an exception of the example folder.
+
+3. Add or link all of the header and source files in `IDE/ECLIPSE/RTTHREAD/` folder into the example folder.
+
+4. Add or link all the source code in the corresponding folder in wolfSSL.
+
+5. Remove non-C platform dependent files from your build.
+
+6. In your C/C++ compiler preprocessor settings, add the wolfSSL directories to your include paths.
+Here's an example of the paths that must be added.
+
+```
+$PROJ_DIR$\...
+$PROJ_DIR$\...\wolfcrypt
+$PROJ_DIR$\...\wolfssl
+$PROJ_DIR$\...\IDE\ECLIPSE\RTTHREAD
+```
+
+7. In your C/C++ compiler preprocessor settings, define the WOLFSSL_USER_SETTINGS symbol to add user_settings.h file in your project.
+
+8. Add a call to `wolfssl_test()` from your startup task. Here's an example:
+
+```c
+static void test_task (void *p_arg)
+{
+    ...
+    while (1) {
+           wolfssl_test();
+           rt_thread_mdelay(500);
+        }
+}
+```
+9. Rebuild all your project.
+
+10. Now you are ready to download and debug your image on the board.
+
+
+The test results below were collected from the RT-Thread ART-Pi with the following software and tool chains:
+
+- STM32H750XBH6
+
+- RT-Thread Studio (Version: 2.0.0)
+
+- GNU ARM Cross C Compiler (Optimization level: -O0)
+
+- The starting project is based on [RT-Thread ART-Pi SDK](https://github.com/RT-Thread-Studio/sdk-bsp-stm32h750-realthread-artpi) (./projects/art_pi_wifi)
+
+- wolfssl [latest version](https://github.com/wolfSSL/wolfssl)
+
+
+### `WOLFSSL_WOLFCRYPT_TEST` output of wolfcrypt_test()
+```
+error    test passed!
+MEMORY   test passed!
+base64   test passed!
+asn      test passed!
+RANDOM   test passed!
+MD5      test passed!
+MD4      test passed!
+SHA      test passed!
+SHA-256  test passed!
+SHA-512  test passed!
+Hash     test passed!
+HMAC-MD5 test passed!
+HMAC-SHA test passed!
+HMAC-SHA256 test passed!
+HMAC-SHA512 test passed!
+X963-KDF    test passed!
+GMAC     test passed!
+ARC4     test passed!
+HC-128   test passed!
+Rabbit   test passed!
+DES      test passed!
+DES3     test passed!
+AES      test passed!
+AES192   test passed!
+AES256   test passed!
+AES-GCM  test passed!
+AES Key Wrap test passed!
+RSA      test passed!
+DH       test passed!
+DSA      test passed!
+PWDBASED test passed!
+ECC      test passed!
+ECC buffer test passed!
+CURVE25519 test passed!
+ED25519  test passed!
+PKCS7encrypted  test passed!
+PKCS7signed     test passed!
+PKCS7enveloped  test passed!
+PKCS7authenveloped  test passed!
+logging  test passed!
+mutex    test passed!
+memcb    test passed!
+```
+### `WOLFSSL_BENCHMARK_TEST` output of benchmark_test()
+```
+------------------------------------------------------------------------------
+ wolfSSL version 4.5.0
+------------------------------------------------------------------------------
+wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
+RNG                 50 KB took 1.000 seconds,   50.000 KB/s
+AES-128-CBC-enc      2 MB took 1.000 seconds,    2.075 MB/s
+AES-128-CBC-dec      2 MB took 1.000 seconds,    1.611 MB/s
+AES-192-CBC-enc      2 MB took 1.000 seconds,    2.002 MB/s
+AES-192-CBC-dec      2 MB took 1.000 seconds,    1.514 MB/s
+AES-256-CBC-enc      2 MB took 1.000 seconds,    1.855 MB/s
+AES-256-CBC-dec      1 MB took 1.000 seconds,    1.465 MB/s
+AES-128-GCM-enc    700 KB took 1.000 seconds,  700.000 KB/s
+AES-128-GCM-dec    675 KB took 1.000 seconds,  675.000 KB/s
+AES-192-GCM-enc    675 KB took 1.000 seconds,  675.000 KB/s
+AES-192-GCM-dec    675 KB took 1.000 seconds,  675.000 KB/s
+AES-256-GCM-enc    650 KB took 1.000 seconds,  650.000 KB/s
+AES-256-GCM-dec    650 KB took 1.000 seconds,  650.000 KB/s
+AES-128-ECB-enc      2 MB took 1.000 seconds,    1.902 MB/s
+AES-128-ECB-dec      2 MB took 1.000 seconds,    1.521 MB/s
+AES-192-ECB-enc      2 MB took 1.000 seconds,    1.780 MB/s
+AES-192-ECB-dec      1 MB took 1.000 seconds,    1.433 MB/s
+AES-256-ECB-enc      2 MB took 1.000 seconds,    1.638 MB/s
+AES-256-ECB-dec      1 MB took 1.000 seconds,    1.405 MB/s
+ARC4                 5 MB took 1.000 seconds,    4.956 MB/s
+RABBIT               6 MB took 1.000 seconds,    6.470 MB/s
+3DES               750 KB took 1.000 seconds,  750.000 KB/s
+MD5                 12 MB took 1.000 seconds,   12.061 MB/s
+SHA                  4 MB took 1.000 seconds,    3.979 MB/s
+SHA-256              2 MB took 1.000 seconds,    1.782 MB/s
+SHA-512              1 MB took 1.000 seconds,    1.001 MB/s
+HMAC-MD5            12 MB took 1.000 seconds,   12.329 MB/s
+HMAC-SHA             4 MB took 1.000 seconds,    3.662 MB/s
+HMAC-SHA256          2 MB took 1.000 seconds,    1.758 MB/s
+HMAC-SHA512          1 MB took 1.000 seconds,    1.001 MB/s
+PBKDF2             224 bytes took 1.000 seconds,  224.000 bytes/s
+RSA     2048 public         20 ops took 1.000 sec, avg 50.000 ms, 20.000 ops/sec
+RSA     2048 private         2 ops took 1.000 sec, avg 500.000 ms, 2.000 ops/sec
+DH      2048 key gen         4 ops took 1.000 sec, avg 250.000 ms, 4.000 ops/sec
+DH      2048 agree           4 ops took 1.000 sec, avg 250.000 ms, 4.000 ops/sec
+ECC      256 key gen         6 ops took 1.000 sec, avg 166.667 ms, 6.000 ops/sec
+ECDHE    256 agree           6 ops took 1.000 sec, avg 166.667 ms, 6.000 ops/sec
+ECDSA    256 sign            6 ops took 1.000 sec, avg 166.667 ms, 6.000 ops/sec
+ECDSA    256 verify          4 ops took 1.000 sec, avg 250.000 ms, 4.000 ops/sec
+CURVE  25519 key gen         4 ops took 1.000 sec, avg 250.000 ms, 4.000 ops/sec
+CURVE  25519 agree           2 ops took 1.000 sec, avg 500.000 ms, 2.000 ops/sec
+ED     25519 key gen         4 ops took 1.000 sec, avg 250.000 ms, 4.000 ops/sec
+ED     25519 sign            2 ops took 1.000 sec, avg 500.000 ms, 2.000 ops/sec
+ED     25519 verify          2 ops took 1.000 sec, avg 500.000 ms, 2.000 ops/sec
+```
+
+## References
+
+For more information please contact info@wolfssl.com.

IDE/ECLIPSE/RTTHREAD/include.am

@@ -0,0 +1,8 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+EXTRA_DIST += \
+    IDE/ECLIPSE/RTTHREAD/README.md \
+    IDE/ECLIPSE/RTTHREAD/user_settings.h \
+    IDE/ECLIPSE/RTTHREAD/wolfssl_test.c

IDE/ECLIPSE/RTTHREAD/user_settings.h

@@ -0,0 +1,81 @@
+/* user_setting.h
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFSSL_USER_SETTINGS_H_
+#define WOLFSSL_USER_SETTINGS_H_
+
+#ifdef __cplusplus
+    extern "C" {
+#endif
+
+#define RTTHREAD
+
+/* You can select one or all of the following tests */
+#define WOLFSSL_WOLFCRYPT_TEST
+#define WOLFSSL_BENCHMARK_TEST
+#define WOLFSSL_CLIENT_TEST
+#define WOLFSSL_SERVER_TEST
+#define USE_TEST_GENSEED
+#define NO_DEV_RANDOM
+#define HAVE_PKCS7
+#define HAVE_AES_KEYWRAP
+#define HAVE_X963_KDF
+#define WOLFSSL_AES_DIRECT
+/* adjust CURRENT_UNIX_TS to seconds since Jan 01 1970. (UTC)
+You can get the current time from https://www.unixtimestamp.com/
+*/
+#define CURRENT_UNIX_TS 1542605837UL
+
+/* When using Windows simulator, you must define USE_WINDOWS_API for test.h to build */
+#ifdef _WIN32
+#define USE_WINDOWS_API
+#endif
+
+#define NO_FILESYSTEM
+#define SIZEOF_LONG_LONG 8
+
+/* prevents from including multiple definition of main() */
+#define NO_MAIN_DRIVER
+#define NO_TESTSUITE_MAIN_DRIVER
+
+/* includes certificate test buffers via header files */
+#define USE_CERT_BUFFERS_2048
+/*use kB instead of mB for embedded benchmarking*/
+#define BENCH_EMBEDDED
+
+#define NO_WRITE_TEMP_FILES
+
+#define XSNPRINTF snprintf
+#define NO_WRITEV
+
+#define HAVE_AESGCM
+#define WOLFSSL_SHA512
+#define HAVE_ECC
+#define HAVE_CURVE25519
+#define CURVE25519_SMALL
+#define HAVE_ED25519
+#define ED25519_SMALL
+
+#ifdef __cplusplus
+    }   /* extern "C" */
+#endif
+
+#endif

IDE/ECLIPSE/RTTHREAD/wolfssl_test.c

@@ -0,0 +1,33 @@
+/* wolfsslRunTests.c
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+#include <stdint.h>
+#include <wolfcrypt/test/test.h>
+#include <wolfcrypt/benchmark/benchmark.h>
+
+int wolfssl_test(void) {
+#if !defined(NO_CRYPT_TEST)
+    wolfcrypt_test(NULL);
+#endif
+#if !defined(NO_CRYPT_BENCHMARK)
+    benchmark_test(NULL);
+#endif
+    return 0;
+}

IDE/Espressif/ESP-IDF/README.md

@@ -16,8 +16,9 @@ Including the following examples:
 
     Note: This expects to use Linux version.
 
-## Setup
- 1. Run *setup.sh* to deploy files into ESP-IDF tree
+## Setup for Linux
+ 1. Run *setup.sh* at /path/to/wolfssl/IDE/Espressif/ESP-IDF/ to deploy files into ESP-IDF tree  
+    For Windows : Run *setup_win.bat* at \IDE\Espressif\ESP-IDF\
  2. Find Wolfssl files at /path/to/esp-idf/components/wolfssl/
  3. Find Example programs under /path/to/esp-idf/examples/protocols/wolfssl_xxx
  4. Uncomment out #define WOLFSSL_ESPIDF in /path/to/wolfssl/wolfssl/wolfcrypt/settings.h  
@@ -32,4 +33,8 @@ Including the following examples:
 ## Support
  For question please email [support@wolfssl.com]
 
- Note: This is tested with "Ubuntu 18.04.1 LTS" and ESP32-WROOM-32.
+ Note: This is tested with :  
+   - OS: Ubuntu 18.04.1 LTS and Microsoft Windows 10 Pro 10.0.19041  
+   - ESP-IDF: v4.1 and v4.0.1  
+   - Module : ESP32-WROOM-32
+

IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults

@@ -1,5 +1,5 @@
 CONFIG_BENCH_ARGV="-lng 0"
-CONFIG_MAIN_TASK_STACK_SIZE=7000
+CONFIG_MAIN_TASK_STACK_SIZE=7500
 CONFIG_FREERTOS_HZ=1000
 CONFIG_TASK_WDT_CHECK_IDLE_TASK_CPU0=
 CONFIG_ESP32_DEFAULT_CPU_FREQ_240=y

IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/wifi_connect.h

@@ -24,7 +24,7 @@
 #include "esp_idf_version.h"
 #include "esp_log.h"
 #include "esp_wifi.h"
-#if ESP_IDF_VERSION_MAJOR >= 4 && ESP_IDF_VERSION_MINOR >= 1
+#if ESP_IDF_VERSION_MAJOR >= 4
 #include "esp_event.h"
 #else
 #include "esp_event_loop.h"

IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/wifi_connect.c

@@ -27,7 +27,7 @@
 #include "lwip/netdb.h"
 #include "lwip/apps/sntp.h"
 #include "nvs_flash.h"
-#if ESP_IDF_VERSION_MAJOR >= 4 && ESP_IDF_VERSION_MINOR >= 1
+#if ESP_IDF_VERSION_MAJOR >= 4
 #include "protocol_examples_common.h"
 #endif
 
@@ -53,7 +53,8 @@ static void set_time()
     char strftime_buf[64];
     /* please update the time if seeing unknown failure. */
     /* this could cause TLS communication failure due to time expiration */
-    utctime.tv_sec = 1567125910; /* dummy time: Fri Aug 30 09:45:00 2019 */
+    /* incleasing 31536000 seconds is close to spend 356 days.           */
+    utctime.tv_sec = 1598661910; /* dummy time: Fri Aug 29 09:45:00 2020 */
     utctime.tv_usec = 0;
     tz.tz_minuteswest = 0;
     tz.tz_dsttime = 0;
@@ -122,11 +123,14 @@ void app_main(void)
     ESP_ERROR_CHECK(nvs_flash_init());
 
     ESP_LOGI(TAG, "Initialize wifi");
-    /* TCP/IP adapter initialization */
+#if ESP_IDF_VERSION_MAJOR >= 4 && ESP_IDF_VERSION_MINOR >= 1
+    esp_netif_init();
+#else
     tcpip_adapter_init();
+#endif
 
     /* */
-#if ESP_IDF_VERSION_MAJOR >= 4 && ESP_IDF_VERSION_MINOR >= 1
+#if ESP_IDF_VERSION_MAJOR >= 4
     (void) wifi_event_handler;
    ESP_ERROR_CHECK(esp_event_loop_create_default());
    /* This helper function configures Wi-Fi or Ethernet, as selected in menuconfig.

IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/include/wifi_connect.h

@@ -24,7 +24,7 @@
 #include "esp_idf_version.h"
 #include "esp_log.h"
 #include "esp_wifi.h"
-#if ESP_IDF_VERSION_MAJOR >= 4 && ESP_IDF_VERSION_MINOR >= 1
+#if ESP_IDF_VERSION_MAJOR >= 4
 #include "esp_event.h"
 #else
 #include "esp_event_loop.h"

IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/wifi_connect.c

@@ -27,7 +27,7 @@
 #include "lwip/netdb.h"
 #include "lwip/apps/sntp.h"
 #include "nvs_flash.h"
-#if ESP_IDF_VERSION_MAJOR >= 4 && ESP_IDF_VERSION_MINOR >= 1
+#if ESP_IDF_VERSION_MAJOR >= 4
 #include "protocol_examples_common.h"
 #endif
 
@@ -50,7 +50,8 @@ static void set_time()
     char strftime_buf[64];
     /* please update the time if seeing unknown failure. */
     /* this could cause TLS communication failure due to time expiration */
-    utctime.tv_sec = 1567125910; /* dummy time: Fri Aug 30 09:45:00 2019 */
+    /* incleasing 31536000 seconds is close to spend 356 days.           */
+    utctime.tv_sec = 1598661910; /* dummy time: Fri Aug 29 09:45:00 2020 */
     utctime.tv_usec = 0;
     tz.tz_minuteswest = 0;
     tz.tz_dsttime = 0;
@@ -98,7 +99,7 @@ static esp_err_t wifi_event_handler(void *ctx, system_event_t *event)
         esp_wifi_connect();
         break;
     case SYSTEM_EVENT_STA_GOT_IP:
-#if ESP_IDF_VERSION_MAJOR >= 4 && ESP_IDF_VERSION_MINOR >= 1
+#if ESP_IDF_VERSION_MAJOR >= 4
         ESP_LOGI(TAG, "got ip:" IPSTR "\n",
                  IP2STR(&event->event_info.got_ip.ip_info.ip));
 #else
@@ -131,7 +132,7 @@ void app_main(void)
     tcpip_adapter_init();
 #endif
     /* */
-#if ESP_IDF_VERSION_MAJOR >= 4 && ESP_IDF_VERSION_MINOR >= 1
+#if ESP_IDF_VERSION_MAJOR >= 4
     (void) wifi_event_handler;
    ESP_ERROR_CHECK(esp_event_loop_create_default());
    /* This helper function configures Wi-Fi or Ethernet, as selected in menuconfig.

IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults

@@ -1,2 +1,2 @@
-CONFIG_MAIN_TASK_STACK_SIZE=9000
+CONFIG_MAIN_TASK_STACK_SIZE=11000
 CONFIG_TASK_WDT_CHECK_IDLE_TASK_CPU0=

IDE/Espressif/ESP-IDF/setup_win.bat

@@ -0,0 +1,73 @@
+@echo off
+REM Expect the script at /path/to/wolfssl/IDE/Espressif/ESP-IDF/
+
+if NOT EXIST "setup.sh" ( 
+  echo "Please run this script at /path/to/wolfssl/IDE/Espressif/ESP-IDF/
+  goto exit
+)
+
+if "%IDF_PATH%" == "" (
+  echo "Please launch the script from ESP-IDF command prompt."
+  goto exit
+)
+
+set SCRIPTDIR=%CD%
+set BASEDIR=%SCRIPTDIR%\..\..\..\
+set WOLFSSL_ESPIDFDIR=%BASEDIR%\IDE\Espressif\ESP-IDF
+set WOLFSSLLIB_TRG_DIR=%IDF_PATH%\components\wolfssl
+set WOLFSSLEXP_TRG_DIR=%IDF_PATH%\examples\protocols
+
+echo Copy files into $IDF_PATH%
+rem Remove/Create directories
+rmdir /S/Q %WOLFSSLLIB_TRG_DIR%
+mkdir      %WOLFSSLLIB_TRG_DIR%
+mkdir      %WOLFSSLLIB_TRG_DIR%\src
+mkdir      %WOLFSSLLIB_TRG_DIR%\wolfcrypt\src
+mkdir      %WOLFSSLLIB_TRG_DIR%\wolfssl
+mkdir      %WOLFSSLLIB_TRG_DIR%\test
+mkdir      %WOLFSSLLIB_TRG_DIR%\include
+
+rem copying ... files in src/ into $WOLFSSLLIB_TRG_DIR%/src
+xcopy /Y/Q %BASEDIR%\src\*.c %WOLFSSLLIB_TRG_DIR%\src\
+xcopy /Y/Q %BASEDIR%\wolfcrypt\src\*.c %WOLFSSLLIB_TRG_DIR%\wolfcrypt\src
+xcopy /Y/Q %BASEDIR%\wolfcrypt\src\*.i %WOLFSSLLIB_TRG_DIR%\wolfcrypt\src
+xcopy /E/Y/Q %BASEDIR%\wolfcrypt\src\port %WOLFSSLLIB_TRG_DIR%\wolfcrypt\src\port\
+xcopy /E/Y/Q %BASEDIR%\wolfcrypt\test\ %WOLFSSLLIB_TRG_DIR%\wolfcrypt\test\
+xcopy /E/Y/Q %BASEDIR%\wolfcrypt\benchmark\ %WOLFSSLLIB_TRG_DIR%\wolfcrypt\benchmark\
+xcopy /Y/Q %BASEDIR%\wolfssl\*.h %WOLFSSLLIB_TRG_DIR%\wolfssl\
+xcopy /E/Y/Q %BASEDIR%\wolfssl\wolfcrypt\ %WOLFSSLLIB_TRG_DIR%\wolfssl\wolfcrypt\
+
+rem user_settings.h
+xcopy /F/Q %WOLFSSL_ESPIDFDIR%\user_settings.h %WOLFSSLLIB_TRG_DIR%\include\
+echo F |xcopy /F/Q %WOLFSSL_ESPIDFDIR%\dummy_config_h %WOLFSSLLIB_TRG_DIR%\include\config.h
+
+rem unit test app
+xcopy /E/Y/Q %WOLFSSL_ESPIDFDIR%\test %WOLFSSLLIB_TRG_DIR%\test\
+xcopy /F/Q   %WOLFSSL_ESPIDFDIR%\libs\CMakeLists.txt %WOLFSSLLIB_TRG_DIR%\
+xcopy /F/Q   %WOLFSSL_ESPIDFDIR%\libs\component.mk   %WOLFSSLLIB_TRG_DIR%\
+
+rem Benchmark program
+rmdir /S/Q %WOLFSSLEXP_TRG_DIR%\wolfssl_benchmark\
+mkdir      %WOLFSSLEXP_TRG_DIR%\wolfssl_benchmark\main\
+xcopy /F/Q %BASEDIR%\wolfcrypt\benchmark\benchmark.c %WOLFSSLEXP_TRG_DIR%\wolfssl_benchmark\main\
+xcopy /E/F/Q %WOLFSSL_ESPIDFDIR%\examples\wolfssl_benchmark %WOLFSSLEXP_TRG_DIR%\wolfssl_benchmark\
+
+rem Crypt Test program
+rmdir /S/Q %WOLFSSLEXP_TRG_DIR%\wolfssl_test\
+mkdir      %WOLFSSLEXP_TRG_DIR%\wolfssl_test\main\
+xcopy /F/Q %BASEDIR%\wolfcrypt\test\test.c %WOLFSSLEXP_TRG_DIR%\wolfssl_test\main\
+xcopy /E/F/Q %WOLFSSL_ESPIDFDIR%\examples\wolfssl_test %WOLFSSLEXP_TRG_DIR%\wolfssl_test\
+
+rem TLS Client program
+rmdir /S/Q %WOLFSSLEXP_TRG_DIR%\wolfssl_client\
+mkdir      %WOLFSSLEXP_TRG_DIR%\wolfssl_client\main\
+xcopy /E/F/Q %WOLFSSL_ESPIDFDIR%\examples\wolfssl_client %WOLFSSLEXP_TRG_DIR%\wolfssl_client\
+
+rem TLS Server program
+rmdir /S/Q %WOLFSSLEXP_TRG_DIR%\wolfssl_server\
+mkdir      %WOLFSSLEXP_TRG_DIR%\wolfssl_server\main\
+xcopy /E/F/Q %WOLFSSL_ESPIDFDIR%\examples\wolfssl_server %WOLFSSLEXP_TRG_DIR%\wolfssl_server\
+
+:exit
+ echo completed
+

IDE/Espressif/ESP-IDF/test/CMakeLists.txt

@@ -1,3 +1,5 @@
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DNO_MAIN_DRIVER -DWOLFSSL_USER_SETTINGS")
+
 set(COMPONENT_SRCDIRS ".")
 set(COMPONENT_ADD_INCLUDEDIRS ".")
 

IDE/Espressif/ESP-IDF/test/README.md

@@ -5,7 +5,7 @@ The test contains of wolfSSL unit-test app on Unity.
 When you want to run the app  
 1. Copy *test.c* file at /path/to/esp-idf/components/wolfssl/wolfcrypt/test/ folder to the  wolfssl/test folder  
 2. Go to /esp-idf/tools/unit-test-app/ folder  
-3. "make menuconfig" to configure unit test app.  
-4. "make TEST_COMPONENTS=wolfssl" to build wolfssl unit test app.  
+3. "idf.py menuconfig" to configure unit test app.  
+4. "idf.py -T wolfssl build" to build wolfssl unit test app.  
 
 See [https://docs.espressif.com/projects/esp-idf/en/latest/api-guides/unit-tests.html] for more information about unit test app.

IDE/Espressif/ESP-IDF/test/test_wolfssl.c

@@ -308,8 +308,8 @@ int mp_performance_check(int mul, int mulmod, int exptmod)
 int mp_unitest_mul(const char* strZ, const char* strX, const char* strY, int verbose)
 {
     int ret = 0;
-    char* buf;
-    char* bufZ;
+    char* buf = NULL;
+    char* bufZ = NULL;
     int radixX_size;
     int radixZ_size;
     int radixY_size;
@@ -335,10 +335,10 @@ int mp_unitest_mul(const char* strZ, const char* strX, const char* strY, int ver
     }
 
     mp_radix_size(&z, 16, &radixZ_size);
-    bufZ = (char*)XMALLOC(radixZ_size + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    bufZ = (char*)XMALLOC(radixZ_size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if(bufZ != NULL) {
         mp_toradix(&z, bufZ, 16);
-        bufZ[radixZ_size] ='\0';
+        bufZ[radixZ_size-1] ='\0';
     }
 
     if(verbose) {
@@ -350,14 +350,14 @@ int mp_unitest_mul(const char* strZ, const char* strX, const char* strY, int ver
         mp_radix_size(&y, 16, &radixY_size);
         radixX_size = max(radixX_size, radixY_size);
 
-        buf = (char*)XMALLOC(radixX_size + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        buf = (char*)XMALLOC(radixX_size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         if(buf != NULL) {
             mp_toradix(&x, buf, 16);
-            buf[radixX_size] ='\0';
+            buf[radixX_size-1] ='\0';
             printf("X : %s ", buf);
 
             mp_toradix(&y, buf, 16);
-            buf[radixY_size] ='\0';
+            buf[radixY_size-1] ='\0';
             printf("Y : %s ", buf);
         }
         if(bufZ != NULL) {
@@ -410,10 +410,10 @@ int mp_unitest_mulmod(const char* strZ, const char* strX, const char* strY,
     }
 
     mp_radix_size(&z, 16, &radixZ_size);
-    bufZ = (char*)XMALLOC(radixZ_size + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    bufZ = (char*)XMALLOC(radixZ_size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if(bufZ != NULL) {
         mp_toradix(&z, bufZ, 16);
-        bufZ[radixZ_size] ='\0';
+        bufZ[radixZ_size-1] ='\0';
     }
 
     if(verbose) {
@@ -427,18 +427,18 @@ int mp_unitest_mulmod(const char* strZ, const char* strX, const char* strY,
         mp_radix_size(&m, 16, &radixM_size);
         radixX_size = max(radixX_size, max(radixY_size, radixM_size));
 
-        buf = (char*)XMALLOC(radixX_size + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        buf = (char*)XMALLOC(radixX_size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         if(buf != NULL) {
             mp_toradix(&x, buf, 16);
-            buf[radixX_size] ='\0';
+            buf[radixX_size-1] ='\0';
             printf("X : %s ", buf);
 
             mp_toradix(&y, buf, 16);
-            buf[radixY_size] ='\0';
+            buf[radixY_size-1] ='\0';
             printf("Y : %s ", buf);
 
             mp_toradix(&m, buf, 16);
-            buf[radixM_size] ='\0';
+            buf[radixM_size-1] ='\0';
             printf("M : %s ", buf);
         }
         if(bufZ != NULL) {
@@ -459,8 +459,8 @@ int mp_unitest_exptmod(const char* strZ, const char* strX, const char* strY,
                const char* strM, int verbose)
 {
     int ret = 0;
-    char* buf;
-    char* bufZ;
+    char* buf = NULL;
+    char* bufZ = NULL;
     int radixX_size;
     int radixZ_size;
     int radixY_size;
@@ -491,10 +491,10 @@ int mp_unitest_exptmod(const char* strZ, const char* strX, const char* strY,
     }
 
     mp_radix_size(&z, 16, &radixZ_size);
-    bufZ = (char*)XMALLOC(radixZ_size + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    bufZ = (char*)XMALLOC(radixZ_size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if(bufZ != NULL) {
         mp_toradix(&z, bufZ, 16);
-        bufZ[radixZ_size] ='\0';
+        bufZ[radixZ_size-1] ='\0';
     }
 
     if(verbose) {
@@ -508,18 +508,18 @@ int mp_unitest_exptmod(const char* strZ, const char* strX, const char* strY,
         mp_radix_size(&m, 16, &radixM_size);
         radixX_size = max(radixX_size, max(radixY_size, radixM_size));
 
-        buf = (char*)XMALLOC(radixX_size + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        buf = (char*)XMALLOC(radixX_size, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         if(buf != NULL) {
             mp_toradix(&x, buf, 16);
-            buf[radixX_size] ='\0';
+            buf[radixX_size-1] ='\0';
             printf("X : %s ", buf);
 
             mp_toradix(&y, buf, 16);
-            buf[radixY_size] ='\0';
+            buf[radixY_size-1] ='\0';
             printf("Y : %s ", buf);
 
             mp_toradix(&m, buf, 16);
-            buf[radixM_size] ='\0';
+            buf[radixM_size-1] ='\0';
             printf("M : %s ", buf);
         }
         if(bufZ != NULL) {
@@ -562,7 +562,7 @@ TEST_CASE("wolfssl mp exptmod test"   , "[wolfssl]")
 TEST_CASE("wolfssl mp mulmod test"   , "[wolfssl]")
 {
     ESP_LOGI(TAG, "mp test");
-    int verbose = 0;
+    int verbose = 1;
     /*                                      Z    X    Y    M */
     TEST_ASSERT_EQUAL(0, mp_unitest_mulmod("02", "5", "1", "3", verbose));
     TEST_ASSERT_EQUAL(0, mp_unitest_mulmod("01", "-5", "1", "3", verbose));
@@ -602,7 +602,7 @@ TEST_CASE("wolfssl mp mulmod test"   , "[wolfssl]")
 TEST_CASE("wolfssl mp mul test"   , "[wolfssl]")
 {
     ESP_LOGI(TAG, "mp test");
-    int verbose = 0;
+    int verbose = 1;
 
     TEST_ASSERT_EQUAL(0, mp_unitest_mul("0A", "5", "2", verbose));
     TEST_ASSERT_EQUAL(0, mp_unitest_mul("-0A", "-5", "2", verbose));

IDE/Espressif/ESP-IDF/user_settings.h

@@ -43,6 +43,15 @@
 #define CURVE25519_SMALL
 #define HAVE_ED25519
 
+/* when you want to use pkcs7 */
+/* #define HAVE_PKCS7 */
+
+#if defined(HAVE_PKCS7)
+    #define HAVE_AES_KEYWRAP
+    #define HAVE_X963_KDF
+    #define WOLFSSL_AES_DIRECT
+#endif
+
 /* when you want to use aes counter mode */
 /* #define WOLFSSL_AES_DIRECT */
 /* #define WOLFSSL_AES_COUNTER */

IDE/GCC-ARM/Header/user_settings.h

@@ -70,13 +70,15 @@ extern "C" {
     #define WOLFSSL_HAVE_SP_RSA
     #define WOLFSSL_HAVE_SP_DH
     #define WOLFSSL_HAVE_SP_ECC
-    #define WOLFSSL_SP_CACHE_RESISTANT
-    //#define WOLFSSL_SP_MATH     /* only SP math - eliminates fast math code */
+    //#define WOLFSSL_SP_CACHE_RESISTANT
+    #define WOLFSSL_SP_MATH     /* only SP math - eliminates fast math code */
 
-    /* 64 or 32 bit version */
-    //#define WOLFSSL_SP_ASM      /* required if using the ASM versions */
+    /* SP Assembly Speedups */
+    #define WOLFSSL_SP_ASM      /* required if using the ASM versions */
     //#define WOLFSSL_SP_ARM32_ASM
     //#define WOLFSSL_SP_ARM64_ASM
+    //#define WOLFSSL_SP_ARM_THUMB_ASM
+    #define WOLFSSL_SP_ARM_CORTEX_M_ASM
 #endif
 
 /* ------------------------------------------------------------------------- */

IDE/GCC-ARM/Makefile.common

@@ -27,7 +27,8 @@ INC = -I./Header \
 DEF = -DWOLFSSL_USER_SETTINGS
 
 # Architecture
-ARCHFLAGS = -mcpu=cortex-m0 -mthumb -mabi=aapcs -DUSE_WOLF_ARM_STARTUP
+ARCHFLAGS = -mcpu=cortex-m4 -mthumb -mabi=aapcs -DUSE_WOLF_ARM_STARTUP
+#ARCHFLAGS = -mcpu=cortex-m0 -mthumb -mabi=aapcs -DUSE_WOLF_ARM_STARTUP
 #ARCHFLAGS = -mcpu=cortex-r5 -mthumb -mabi=aapcs
 #ARCHFLAGS = -mcpu=cortex-a53 -mthumb -mabi=aapcs
 
@@ -132,7 +133,10 @@ SRC_C += ../../wolfcrypt/src/signature.c
 SRC_C += ../../wolfcrypt/src/srp.c
 SRC_C += ../../wolfcrypt/src/sp_arm32.c
 SRC_C += ../../wolfcrypt/src/sp_arm64.c
+SRC_C += ../../wolfcrypt/src/sp_armthumb.c
 SRC_C += ../../wolfcrypt/src/sp_c32.c
+SRC_C += ../../wolfcrypt/src/sp_c64.c
+SRC_C += ../../wolfcrypt/src/sp_cortexm.c
 SRC_C += ../../wolfcrypt/src/sp_int.c
 SRC_C += ../../wolfcrypt/src/tfm.c
 SRC_C += ../../wolfcrypt/src/wc_encrypt.c

IDE/GCC-ARM/Source/wolf_main.c

@@ -59,12 +59,12 @@ unsigned int LowResTimer(void)
 /* This is used by wolfCrypt benchmark tool only */
 double current_time(int reset)
 {
-    double time;
-	int timeMs = gTimeMs;
+    double timeNow;
+    int timeMs = gTimeMs;
     (void)reset;
-    time = (timeMs / 1000); // sec
-    time += (double)(timeMs % 1000) / 1000; // ms
-    return time;
+    timeNow = (timeMs / 1000); // sec
+    timeNow += (double)(timeMs % 1000) / 1000; // ms
+    return timeNow;
 }
 #endif
 

IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h

@@ -24,6 +24,7 @@ extern "C" {
 #undef  WOLFSSL_SMALL_STACK_CACHE
 //#define WOLFSSL_SMALL_STACK_CACHE
 
+#define WOLFSSL_IGNORE_FILE_WARN
 
 /* ------------------------------------------------------------------------- */
 /* Math Configuration */
@@ -44,6 +45,25 @@ extern "C" {
 #undef  WOLFSSL_DEBUG_MATH
 //#define WOLFSSL_DEBUG_MATH
 
+/* Wolf Single Precision Math */
+#undef WOLFSSL_SP
+#if 0
+    #define WOLFSSL_SP
+    #define WOLFSSL_SP_SMALL      /* use smaller version of code */
+    #define WOLFSSL_HAVE_SP_RSA
+    #define WOLFSSL_HAVE_SP_DH
+    #define WOLFSSL_HAVE_SP_ECC
+    //#define WOLFSSL_SP_CACHE_RESISTANT
+    #define WOLFSSL_SP_MATH     /* only SP math - eliminates fast math code */
+
+    /* SP Assembly Speedups */
+    #define WOLFSSL_SP_ASM      /* required if using the ASM versions */
+    //#define WOLFSSL_SP_ARM32_ASM
+    //#define WOLFSSL_SP_ARM64_ASM
+    //#define WOLFSSL_SP_ARM_THUMB_ASM
+    #define WOLFSSL_SP_ARM_CORTEX_M_ASM
+#endif
+
 
 /* ------------------------------------------------------------------------- */
 /* Crypto */

IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp

@@ -104,6 +104,9 @@
           <file file_name="../../wolfcrypt/src/wc_port.c" />
           <file file_name="../../wolfcrypt/src/wolfmath.c" />
           <file file_name="../../wolfcrypt/src/wolfevent.c" />
+          <file file_name="../../wolfcrypt/src/sp_c32.c" />
+          <file file_name="../../wolfcrypt/src/sp_cortexm.c" />
+          <file file_name="../../wolfcrypt/src/sp_int.c" />
         </folder>
         <folder Name="test">
           <file file_name="../../wolfcrypt/test/include.am" />

IDE/Renesas/e2studio/RA6M3/README.md

@@ -4,7 +4,7 @@ wolfSSL for Renesas RA Evaluation Kit (EK-RA6M3G)
 ## Description
 
 This directory contains e2studio projects targeted at the Renesas RA 32-bit MCUs.\
-The example projects include a wolfSSL TLS 1.2 client and server.\
+The example projects include a wolfSSL TLS client and server.\
 They also include benchmark and cryptography tests for the wolfCrypt library.
 
 The wolfssl project contains both the wolfSSL and wolfCrypt libraries.\
@@ -15,28 +15,31 @@ The other projects (benchmark, client, server and test) are built as a\
 `Renesas RA C Project Using RA Library`, where the RA library is the wolfssl project.\
 The wolfssl Project Summary is listed below and is relevant for every project.
 
-#### Project Summary
+### Project Summary
+|Item|Name/Version|
+|:--|:--|
+|Board|EK-RA6M3G|
+|Device|R7FA6M3AH3CFC|
+|Toolchain|GCC ARM Embedded|
+|FSP Version|0.8.0|
 
-`Board:   EK-RA6M3G`\
-`Device:  R7FA6M3AH3CFC`\
-`Toolchain:   GCC ARM Embedded`\
-`FSP Version:   0.8.0`
+#### Selected software components
 
-##### Selected software components
-
-`Board Support Package Common Files   v0.8.0`\
-`Arm CMSIS Version 5 - Core (M)   v5.5.1`\
-`Amazon FreeRTOS   v0.8.0`\
-`RA6M3G-EK Board Support Files   v0.8.0`\
-`Board support package for R7FA6M3AH3CFC   v0.8.0`\
-`Board support package for RA6M3   v0.8.0`\
-`Board support package for RA6M3   v0.8.0`\
-`Amazon FreeRTOS - Memory Management - Heap 4   v0.8.0`\
-`r_ether to FreeRTOS+TCP Wrapper   v0.8.0`\
-`Ethernet       v0.8.0`\
-`Ethernet PHY   v0.8.0`\
-`FreeRTOS+TCP   v0.8.0`\
-`Amazon FreeRTOS - Buffer Allocation 2   v0.8.0`
+|Components|Version|
+|:--|:--|
+|Board Support Package Common Files|v0.8.0`|
+|Arm CMSIS Version 5 - Core (M)|v5.5.1|
+|Amazon FreeRTOS|v0.8.0|
+|RA6M3G-EK Board Support Files|v0.8.0|
+|Board support package for R7FA6M3AH3CFC|v0.8.0|
+|Board support package for RA6M3|v0.8.0|
+|Board support package for RA6M3|v0.8.0|
+|Amazon FreeRTOS - Memory Management - Heap 4|v0.8.0|
+|r_ether to FreeRTOS+TCP Wrapper|v0.8.0|
+|Ethernet|v0.8.0|
+|Ethernet PHY|v0.8.0|
+|FreeRTOS+TCP|v0.8.0|
+|Amazon FreeRTOS - Buffer Allocation 2|v0.8.0|
 
 
 ## Setup Steps
@@ -46,55 +49,64 @@ These files can be generated when creating a new Renesas RA Project.\
 The following steps explain how to generate the missing files and where to place them.
 
 1.) Create a 'dummy' Renesas RA C Library Project.
-   + Click File->New->`RA C/C++ Project`
-   + Click `Renesas RA C Library Project`. Click Next
-   + Enter `dummy_library` as the project name. Click Next.
-   + Under `Board: Custom User Board`, select `EK-RA6M3G`.
-   + Under `RTOS: No RTOS`, select `Amazon FreeRTOS`.
-   + Click Next. Select `Amazon FreeRTOS - Minimal - Static Allocation`
-   + Click Finish.
+
++ Click File->New->`RA C/C++ Project`
++ Click `Renesas RA C Library Project`. Click Next
++ Enter `dummy_library` as the project name. Click Next.
++ Under `Board: Custom User Board`, select `EK-RA6M3G`.
++ Under `RTOS: No RTOS`, select `Amazon FreeRTOS`.
++ Click Next. Select `Amazon FreeRTOS - Minimal - Static Allocation`
++ Click Finish.
 
 2.) Create a 'dummy' Renesas RA C Project Using RA Library.
-   + Click File->New->`RA C/C++ Project`
-   + Click `Renesas RA C Project Using RA Library`. Click Next
-   + Enter `dummy_app` as the project name. Click Next.
-   + Under `RA library project`, select `dummy_library`.
-   + Click Finish.
+
++ Click File->New->`RA C/C++ Project`
++ Click `Renesas RA C Project Using RA Library`. Click Next
++ Enter `dummy_app` as the project name. Click Next.
++ Under `RA library project`, select `dummy_library`.
++ Click Finish.
 
 3.) Import all the wolfSSL Projects into e2studio workspace.
-   + Click File->`Open Projects from File System`
-   + Click `Directory...` to the right of Import source
-   + Select the RA6M3G folder location that contains the projects\
-      example path: wolfssl/IDE/Renesas/e2studio/RA6M3
-   + Deselect the Non-Eclipse project, RA6M3G, by clicking the checkbox\
-      Only the folders with 'Eclipse project' under 'Import as' need to be selected.
-  + Click Finish.
+
++ Click File->`Open Projects from File System`
++ Click `Directory...` to the right of Import source
++ Select the RA6M3G folder location that contains the projects\
+   example path: wolfssl/IDE/Renesas/e2studio/RA6M3
++ Deselect the Non-Eclipse project, RA6M3G, by clicking the checkbox\
+   Only the folders with 'Eclipse project' under 'Import as' need to be selected.
++ Click Finish.
 
 4.) Copy files from `dummy_library` into `wolfSSL_RA6M3G`
-   + Expand the dummy_library and wolfSSL_RA6M3G projects\
-     (Click the drop-down arrow to the left of the project name.)
-   + Select and Copy the following folders/files inside dummy_library\
-`       ra/`\
-`       ra_gen/`\
-`       ra_cfg/`\
-`       script/`\
-`       R7FA6M3AH3CFC.pincfg`\
-`       RA6M3G-EK.pingcfg`
-   + Paste the copied folders/files into wolfSSL_RA6M3G
-   + The `dummy_library` project can now be deleted.
-   + Generate Project Content.
-     + Click `Open RA Configuration` in the top bar (Grey Settings Cog)
-     + Click `Generate Project Content` at top right (Green Icon)
-   + Build wolfSSL_RA6M3G.
+
++ Expand the dummy_library and wolfSSL_RA6M3G projects\
+  (Click the drop-down arrow to the left of the project name.)
++ Select and Copy the following folders/files inside dummy_library\
+
+  `ra/`\
+  `ra_gen/`\
+  `ra_cfg/`\
+  `script/`\
+  `R7FA6M3AH3CFC.pincfg`\
+  `RA6M3G-EK.pingcfg`
+
++ Paste the copied folders/files into wolfSSL_RA6M3G
++ The `dummy_library` project can now be deleted.
++ Generate Project Content.
+  + Click `Open RA Configuration` in the top bar (Grey Settings Cog)
+  + Click `Generate Project Content` at top right (Green Icon)
++ Build wolfSSL_RA6M3G.
 
 5.) Copy files from `dummy_app` into `./IDE/Renesas/e2studio/RA6M3/common/ra6m3g/`\
     **NOTE:** This may need to be done outside of the e2studio environment (e.g. File Explorer).
-   + Select and Copy the followng folder inside dummy_app\
-`         src/`\
-`         script/`
-   + Paste the copied folders into `./IDE/Renesas/e2studio/RA6M3/common/ra6m3g/`\
-`     (The test, benchmark, client and server projects link to this folder.)`
-   + The `dummy_app` project can now be deleted.
+
++ Select and Copy the followng folder inside dummy_app\
+  
+  `src/`\
+  `script/`
+
++ Paste the copied folders into `./IDE/Renesas/e2studio/RA6M3/common/ra6m3g/`\
+  `(The test, benchmark, client and server projects link to this folder.)`
++ The `dummy_app` project can now be deleted.
 
 6.) Setup Network Environment
 
@@ -112,12 +124,14 @@ The following steps explain how to generate the missing files and where to place
 Right-Click each Project and select Build.
 
 ### Run wolfCrypt Test and Benchmark
+
 1.) Right-Click the Project name.\
 2.) Select `Debug As` -> `Renesas GDB Hardware Debugging`\
 3.) Select J-Link ARM. Click OK.\
 4.) Select R7Fa6M3AH. Click OK.
 
 ### Run the wolfSSL TLS Server Example.
+
 1.) Right-Click the Project name.\
 2.) Select `Debug As` -> `Renesas GDB Hardware Debugging`\
 3.) Select J-Link ARM. Click OK.\
@@ -125,34 +139,35 @@ Right-Click each Project and select Build.
 5.) Run the following wolfSSL example client command inside the base of the wolfssl directory.
 
 ```
-./examples/client/client -h "ucIPAddress" -p 11111 -A ./certs/1024/ca-cert.pem
+./examples/client/client -v 4 -h "ucIPAddress" -p 11111 -A ./certs/1024/ca-cert.pem
 ```
+
 **NOTE:** "ucIPAddress" is "192.168.1.241" by default. (See wolfssl_thread_entry.h)
 
 ### Run the wolfSSL TLS Client Example.
+
  1.) Run the following wolfSSL example server command inside the base of the wolfssl directory.
 
 ```
-./examples/server/server -b -d -p 11111 -c ./certs/1024/server-cert.pem -k ./certs/1024/server-key.pem
+./examples/server/server -v 4 -b -d -p 11111 -c ./certs/1024/server-cert.pem -k ./certs/1024/server-key.pem
 ```
-**NOTE:** The port 11111 is the DEFAULT_PORT inside wolfssl_thread_entry.h.\
-If DEFAULT_PORT was changed then the above command will need to match it.
+
+  **NOTE:** The port 11111 is the DEFAULT_PORT inside wolfssl_thread_entry.h.\
 
  2.) Right-Click the Project name.\
  3.) Select `Debug As` -> `Renesas GDB Hardware Debugging`\
  4.) Select J-Link ARM. Click OK.\
  5.) Select R7Fa6M3AH. Click OK.
 
-
 ## Troubleshooting
 
-* The commands for the example client/server assumes it is being run from the
++ The commands for the example client/server assumes it is being run from the
   base directory of wolfssl.
 
-* Enter "#define DEBUG_WOLFSSL" inside user_settings.h or wolfssl_thread_entry.c\
++ Enter "#define DEBUG_WOLFSSL" inside user_settings.h or wolfssl_thread_entry.c\
    to enable wolfssl debug messages to the Renesas Virtual Debug Console.
-   
-* Some linking errors can be caused by the e2studio project files needing to be rebuilt and freshened.
+
++ Some linking errors can be caused by the e2studio project files needing to be rebuilt and freshened.
 Right-Click a project, select Index, click Rebuild and then click Freshen Files. Repeat for each project.
 
 [Support Forum](https://www.wolfssl.com/forums/)

IDE/Renesas/e2studio/RA6M3/README_APRA6M_en.md

@@ -0,0 +1,198 @@
+wolfSSL for Alpha Project AP-RA6M-0A Setup Guide
+=================================================
+
+## Description
+
+This directory contains e2studio projects targeted at the Alpha Project AP-RA6M-0A board including the Renesas RA 32-bit MCUs.
+The example projects include a wolfSSL TLS client and server. They also include benchmark and cryptography tests for the wolfCrypt library.
+
+The wolfssl project contains both the wolfSSL and wolfCrypt libraries. It is built as a `Renesas RA C Library Project` and contains the Renesas RA configuration.
+
+The other projects (benchmark, client, server and test) are built as a `Renesas RA C Project Using RA Library`, where the RA library is the wolfssl project.
+The wolfssl Project Summary is listed below and is relevant for every project.
+
+### Project Summary
+|Item|Name/Version|
+|:--|:----|
+|e2studio|2020-07|
+|Board    |AP-RA6M-0A   |
+|Device   |R7FA6M3AH3CFC|
+|Toolchain|GCC ARM Embedded
+|FSP Version|1.3.0|
+
+### Selected software components
+|Component|Version|
+|:--|:---|
+|Board Support Package Common Files|v1.3.0|
+|Arm CMSIS Version 5 - Core (M) |v5.7.0|
+|Board support package for R7FA6M3AH3CFC |v1.3.0|
+|Board support package for RA6M3|v1.3.0  |
+|Board support package for RA6M3 - FSP Data|v1.3.0|
+|FreeRTOS|v1.3.0|
+|FreeRTOS - Buffer Allocation 2 |v1.3.0|
+|FreeRTOS+TCP|v1.3.0|
+|r_ether to FreeRTOS+TCP Wrapper|v1.3.0|
+|Ethernet |v1.3.0   |
+|Ethernet PHY|v1.3.0|
+|I/O Port|v1.3.0    |
+|BSP-Board|v1.2.0   |
+
+## Setup Steps
+
+The project directories are missing files necessary to build the project.\
+These files can be generated when creating a new Renesas RA Project.\
+The following steps explain how to generate the missing files and where to place them.
+
+1.) Download Alpha project example program from [Alpha Project Home Page](https://www.apnet.co.jp/product/ra/ap-ra6m-0a.html)
+
++ Unzip the downloaded example project
+
+2.) Create a 'dummy' Renesas RA C Library Project on e2studio
+
++ Click File->New->`RA C/C++ Project`
++ Enter `dummy_library` as the project name. Click Next.
++ Select `Board: Custom User Board`.
++ Select `R7FA6M3AH3CFC
++ Under `RTOS: No RTOS`, select `FreeRTOS`.
++ Click Next. Select `FreeRTOS - Minimal - Static Allocation`
++ Click `Renesas RA C Library Project`. Click Next
++ Click Finish.
+
+3.) Create a 'dummy' Renesas RA C Project Using RA Library  on e2studio
+
++ Click File->New->`RA C/C++ Project`
++ Enter `dummy_app` as the project name. Click Next.
++ Under `RA library project`, select `dummy_library`.
++ Click `Executable Using an RA Static Library`. Click Next
++ Click Finish.
++ Enter `dummy_app` as Project name
++ Select RA library project `dummy_library`
+
+4.) Import all the wolfSSL Projects into e2studio workspace.
+
++ Click File->`Open Projects from File System`
++ Click `Directory...` to the right of Import source
++ Select the RA6M3G folder location that contains the projects
+   example path: wolfssl/IDE/Renesas/e2studio/RA6M3
++ Deselect the Non-Eclipse project, RA6M3G, by clicking the checkbox
+   Only the folders with 'Eclipse project' under 'Import as' need to be selected.
++ Click Finish.
+
+5.) Copy files from `dummy_library` into `wolfSSL_RA6M3G`
+
++ Expand the dummy_library and wolfSSL_RA6M3G projects
+  (Click the drop-down arrow to the left of the project name.)
++ Select and Copy the following folders/files inside dummy_library
+
+    `ra/`  
+    `ra_gen/`  
+    `ra_cfg/`  
+    `script/`
+
++ Paste the copied folders/files into wolfSSL_RA6M3G
++ The `dummy_library` project can now be deleted.
++ Copy `APRA6M0A.pincfg` from ap_ra6m_0a_sample\sample\ap_ra6m_0a_ether_sample to wolfSSL_RA6M3G
++ Delete `R7FA6M3AH3CFC.pincfg` from wolfSSL_RA6M3G
++ Generate Project Content.
+
+  + Click `Open RA Configuration` in the top bar (Grey Settings Cog)
+  + Go to `BSP` tab and import CMSIS pack file, AP.APRA6M0A.x.x.x.pack, from ap_ra6m_0a_sample\sample folder
+  + Select APRA6M0A as Board
+  + Go to `Pins` tab and select APRA6M0A.pincfg
+  + Go to `Stacks` tab and add Heap 4 stack from New Stack(+ Icon)
+  + Click `Generate Project Content` at top right (Green Icon)
++ Build wolfSSL_RA6M3G.
+
+6.) Copy files from `dummy_app` into `./IDE/Renesas/e2studio/RA6M3/common/ra6m3g/`
+    **NOTE:** This may need to be done outside of the e2studio environment (e.g. File Explorer).
+
++ Select and Copy the followng folder inside dummy_app
+
+    `src/`  
+    `script/`
+
++ Paste the copied folders into `./IDE/Renesas/e2studio/RA6M3/common/ra6m3g/`
+`(The test, benchmark, client and server projects link to this folder.)`
++ The `dummy_app` project can now be deleted.
+
+7.) Setup Network Environment
+
+        The client and server projects have defines inside their wolfssl_thread_entry.h.
+        These defines (ucIPAddress ... ucDNSServerAddress) may need to be changed
+        based on your internal network environment.  The g_ether0_mac_address is the default
+        mac address found inside the RA configuration inside the wolfssl project.
+        The client wolfssl_thread_entry.h has defines (SERVER_IP and DEFAULT_PORT) that
+        will need to be changed based on the server you're trying to connect to over
+        the ethernet connection.
+
+## Build and Run
+
+### Build Each Project
+Right-Click each Project and select Build.
+
+### Run wolfCrypt Test and Benchmark
+
+1.) Right-Click the Project name.  
+2.) Select `Debug As` -> `Renesas GDB Hardware Debugging`  
+3.) Select J-Link ARM. Click OK.  
+4.) Select R7Fa6M3AH. Click OK.
+
+### Run the wolfSSL TLS Server Example.
+
+1.) Right-Click the Project name.  
+2.) Select `Debug As` -> `Renesas GDB Hardware Debugging`  
+3.) Select J-Link ARM. Click OK.  
+4.) Select R7Fa6M3AH. Click OK.  
+5.) Run the following wolfSSL example client command inside the base of the wolfssl directory.
+
+```
+./examples/client/client -v 4 -h "ucIPAddress" -p 11111 -A ./certs/1024/ca-cert.pem
+```
+
+**NOTE:** "ucIPAddress" is "192.168.1.241" by default. (See wolfssl_thread_entry.h)
+
+### Run the wolfSSL TLS Client Example.
+
+ 1.) Run the following wolfSSL example server command inside the base of the wolfssl directory.
+
+```
+./examples/server/server -v 4 -b -d -p 11111 -c ./certs/1024/server-cert.pem -k ./certs/1024/server-key.pem
+```
+
+   **NOTE:** The port 11111 is the DEFAULT_PORT inside wolfssl_thread_entry.h.
+   If DEFAULT_PORT was changed then the above command will need to match it.
+
+ 2.) Right-Click the Project name.\
+ 3.) Select `Debug As` -> `Renesas GDB Hardware Debugging`\
+ 4.) Select J-Link ARM. Click OK.\
+ 5.) Select R7Fa6M3AH. Click OK.
+
+## Troubleshooting
+
++ The commands for the example client/server assumes it is being run from the
+  base directory of wolfssl.
+
++ Enter "#define DEBUG_WOLFSSL" inside user_settings.h or wolfssl_thread_entry.c
+   to enable wolfssl debug messages to the Renesas Virtual Debug Console.
+
++ Some linking errors can be caused by the e2studio project files needing to be rebuilt and freshened.
+Right-Click a project, select Index, click Rebuild and then click Freshen Files. Repeat for each project.
+
+[Support Forum](https://www.wolfssl.com/forums/)
+
+Support Email: support@wolfssl.com
+
+
+## Resources
+
+[wolfSSL Website](https://www.wolfssl.com/)
+
+[wolfSSL Wiki](https://github.com/wolfSSL/wolfssl/wiki)
+
+[wolfSSL Manual](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-toc.html)
+
+[wolfSSL API Reference](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-17-wolfssl-api-reference.html)
+
+[wolfCrypt API Reference](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-18-wolfcrypt-api-reference.html)
+
+[TLS 1.3](https://www.wolfssl.com/docs/tls13/)

IDE/Renesas/e2studio/RA6M3/README_APRA6M_jp.md

@@ -0,0 +1,197 @@
+wolfSSL/AlphaProject AP-RA6M-0A ボードデモ　セットアップガイド
+=================================================
+
+## はじめに
+
+このフォルダにはルネサス社製 RA 32-bit MCU を搭載するアルファプロジェクト製 AP-RA6M-0A で wolfSSL を動作させるための手順です。
+サンプルプログラムには、暗号テスト、ベンチマーク、及びクライアント・サーバーを含んでいます。
+
+wolfSSL のプロジェクトファイルは、wolfSSL と wolfCrypt の両方で構成され、Renesas RA のコンフィグレーションを含む`Renesas RA C/C++ Library Project`としてビルドされます。
+その他、ベンチマーク、暗号テスト、及びクライアント・サーバーのサンプルプログラムは、`Renesas RA C Project Using RA Library`としてビルドされます。
+
+プロジェクトの概要と全ての関連するソフトウェアコンポーネントに関する情報を下記になります。
+
+### プロジェクトの概要
+|要素|名前/バージョン|
+|:--|:--|
+|e2studio|2020-07|
+|Board|AP-RA6M-0A|
+|Device|R7FA6M3AH3CFC|
+|Toolchain|GCC ARM Embedded|
+|FSP Version|1.3.0|
+
+#### 必要なソフトウェアコンポーネント
+|コンポーネント|バージョン|
+|:--|:--|
+|Board Support Package Common Files|v1.3.0|
+|Arm CMSIS Version 5 - Core (M) |v5.7.0|
+|Board support package for R7FA6M3AH3CFC |v1.3.0|
+|Board support package for RA6M3|v1.3.0  |
+|Board support package for RA6M3 - FSP Data|v1.3.0|
+|FreeRTOS|v1.3.0|
+|FreeRTOS - Buffer Allocation 2 |v1.3.0|
+|FreeRTOS+TCP|v1.3.0|
+|r_ether to FreeRTOS+TCP Wrapper|v1.3.0|
+|Ethernet |v1.3.0   |
+|Ethernet PHY|v1.3.0|
+|I/O Port|v1.3.0    |
+|BSP-Board|v1.2.0   |
+
+## セットアップ手順
+
+プロジェクトのフォルダーには、ビルドに必要なファイルが不足しています。そららのファイルをダミーのプロジェクトを作成し補います。
+
+次に続くステップは、不足しているファイルを作成し、それらを必要としているプロジェクトにコピーする手順です。
+
+1.) [アルファプロジェクト社のホームページ](https://www.apnet.co.jp/product/ra/ap-ra6m-0a.html)からサンプルプログラムをダウンロード
+
++ ダウンロードしたサンプルプログラムを適当なフォルダーへ解凍
+
+2.) e2Studio で'ダミー' Renesas RA C Library プロジェクトを作成
+
++ ファイル→新規→`RA C/C++ Project`をクリック
++ `Renesas RA C/C++ Library Project`を選択し、次へをクリック
++ 'dummy_library` とプロジェクト名を入力します。
++ `Board:` ドロップダウンから `EK-RA6M3T`を選択します
++ `RTOS: No TROS` を `FreeRTOS` を選択します。
++ `Build Artifact Selection` の `Static Library`を選択し、次へをクリック
++ `FreeRTOS - Minimal - Static Allocation` を選択し、終了をクリック
+
+3.) e2Studio で 'ダミー'の Renesas RA C/C++ Project Using RA Library を作成
+
++ ファイル→新規→`RA C/C++ Project`をクリック
++ `Renesas RA C/C++ Library Project`を選択し、次へをクリック
++ 'dummy_app` とプロジェクト名を入力します。
++ `Board:` ドロップダウンから `EK-RA6M3T`を選択します
++ `RTOS: No TROS` を `FreeRTOS` を選択しまし、次へをクリック
++ `Build Artifact Selection` の `Executable Using an RA Static Library`を選択し、終了をクリック
++ 'dummy_app` とプロジェクト名を入力し、次へクリック
++ `RA library project`の `Select RA Library`から, `dummy_library`を選択し、終了をクリック
+
+4.) 全ての wolfSSL e2studio プロジェクトをインポート
+
++ メニューの「ファイル」→「ファイル・システムからプロジェクトを開く」をクリック
++ インポート元の `ディレクトリー...` をクリック
++ RA6M3 フォルダーを選択。wolfssl/IDE/Renesas/e2studio/RA6M3
++ Eclipseのプロジェクトではない、RA6M3を除外します。
+   その他、ベンチマーク、暗号テスト、クライアント・サーバーの各プロジェクトは選択しておく。
++ 終了をクリック
+
+5.) `dummy_library`からwolfSSL_RA6M3Gへ必要なファイルをコピー
+
++ `dummy_library` と `wolfSSL_RA6M3G` プロジェクトを開く
+  プロジェクト名横にある矢印マークをクリック
++ `dummy_library` の以下のフォルダーとファイルを選択
+
+    `ra/`  
+    `ra_gen/`  
+    `ra_cfg/`  
+    `script/`
+
++ 選択したフォルダーとファイルを `wolfSSL_RA6M3G`プロジェクトに貼り付け
++ `dummy_library`プロジェクトは削除しても構いません
++ `APRA6M0A.pincfg` を解凍した ap_ra6m_0a_sample\sample\ap_ra6m_0a_ether_sample から `wolfSSL_RA6M3G`プロジェクトへコピー
++ `wolfSSL_RA6M3G`フォルダー内の `R7FA6M3AH3CFC.pincfg` は削除します。
++ プロジェクトに必要なファイルを生成します。
++ `Open RA Configuration`(上部のアイコンバーにある灰色歯車ボタン)をクリック
+
+  + `BSP`　タブに移動し、CMSIS Pack のインポートボタンをクリック
+  + インポート画面で、CMSIS pack ファイルを指定
+   ステップ 1で解凍したap_ra6m_0a_sample\sampleフォルダー中の AP.APRA6M0A.x.x.x.pack を指定します。
+  + `APRA6M0A` を Board として指定
+  + `Pins`タブに移動し、`APRA6M0A.pincfg`を選択
+  + `Stacks`タブに移動し、Heap 4 stack を New Stack から追加
+  + `Generate Project Content`（右上部にある緑色アイコン）をクリックし、ファイルを生成
++ `wolfSSL_RA6M3G`をビルド
+
+6.) `dummy_app` から必要なファイルを`./IDE/Renesas/e2studio/RA6M3/common/ra6m3g/`へコピー
+
+    **NOTE:** この作業は、e2studio ではなく、Explorer などを使用します。
+
++ `dummy_app`の以下のフォルダーをコピー
+
+    `src/`  
+    `script/`
+
++ 選択したフォルダーを`./IDE/Renesas/e2studio/RA6M3/common/ra6m3g/`へコピー
+`(暗号テスト、ベンチマーク、クライアント・サーバーの各プロジェクトはこのフォルダーを参照)`
++ `dummy_app`プロジェクトは削除しても構いません
+
+7.) ネットワーク環境について
+
+        クライアント・サーバーのプロジェクト内のwolfssl_thread_entry.hにネットワーク設定があります。
+        それらの設定（ucIPAddress ... ucDNSServerAddress)は、ご使用のネットワーク環境に合わせて変更して
+        してください。g_ether0_mac_address は、`wolfSSL_RA6M3G`プロジェクト内の RA configuration
+        で定義されているデフォルトのMACアドレスです。クライアントのwolfssl_thread_entry.h は
+        ターゲットのサーバーのSERVER_IP と DEFAULT_PORTの定義を持ちます。それらはご使用のサーバーの
+        の設定に応じて変更してください。
+
+## ビルドと実行
+
+### 各プロジェクトをビルド
+各プロジェクトで右クリックし、ビルドを選択
+
+### 暗号テストとベンチマークを実行
+
+1.) プロジェクト名を選択し、右クリック\
+2.) `デバック` → `Renesas GDB Hardware Debugging`\
+3.) `J-Link ARM`を選択し、OK をクリック\
+4.) `R7FA6M3AH`を選択し、OK をクリック
+
+### wolfSSL TLS サンプルサーバーを実行
+
+1.) プロジェクト名を選択し、右クリック\
+2.) `デバック` → `Renesas GDB Hardware Debugging`\
+3.) `J-Link ARM`を選択し、OK をクリック\
+4.) `R7FA6M3AH`を選択し、OK をクリック\
+5.)以下のサンプルのクライアントプログラムを実行
+
+```
+./examples/client/client -v 4 -h "ucIPAddress" -p 11111 -A ./certs/1024/ca-cert.pem
+```
+
+**NOTE:** "ucIPAddress" はデフォルトでは "192.168.1.241"  (参照： wolfssl_thread_entry.h)
+
+### wolfSSL TLS サンプルクライアントを実行
+1.)以下のサンプルのサーバープログラムを実行
+
+```
+./examples/server/server -b -d -p 11111 -c ./certs/1024/server-cert.pem -k ./certs/1024/server-key.pem
+```
+
+TLS 1.3 で接続する際には、引数に "-v 4" を追加します。
+```
+./examples/server/server -v 4 -b -d -p 11111 -c ./certs/1024/server-cert.pem -k ./certs/1024/server-key.pem
+```
+**NOTE:** wolfssl_thread_entry.h中にデフォルトのポート番号 11111 定義(DEFAULT_PORT)
+もし、DEFAULT_PORTを変更している場合、、上記のコマンドの "-p" の値は対応するポート番号に要変更
+
+2.) プロジェクト名を選択し、右クリック\
+3.) `デバック` → `Renesas GDB Hardware Debugging`\
+4.) `J-Link ARM`を選択し、OK をクリック\
+5.) `R7FA6M3AH`を選択し、OK をクリック
+
+## トラブルシューティング
+
++ サンプルのクライアント・サーバープログラムは、wolfSSL のルートディレクトリから実行する必要があります。
++ user_settings.h の #define DEBUG_WOLFSSL を有効にすることで、デバックメッセージを\
+  `Renesas Virtual Debug Console`へ出力します。
++ プロジェクトのビルドでリンクエラーが出た場合、リビルドしリフレッシュすることで解決することがあります。
+
+[Support Forum](https://www.wolfssl.com/forums/)
+
+Support Email: support@wolfssl.com
+
+## 参考リンク
+
+[wolfSSL Website](https://www.wolfssl.com/)
+
+[wolfSSL Wiki](https://github.com/wolfSSL/wolfssl/wiki)
+
+[wolfSSL Manual](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-toc.html)
+
+[wolfSSL API Reference](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-17-wolfssl-api-reference.html)
+
+[wolfCrypt API Reference](https://wolfssl.com/wolfSSL/Docs-wolfssl-manual-18-wolfcrypt-api-reference.html)
+
+[TLS 1.3](https://www.wolfssl.com/docs/tls13/)

IDE/Renesas/e2studio/RA6M3/client-wolfssl/src/wolfssl_thread_entry.c

@@ -95,7 +95,7 @@ void wolfssl_thread_entry(void *pvParameters) {
     wolfSSL_Init();
 
     /* Create and initialize WOLFSSL_CTX */
-    ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
+    ctx = wolfSSL_CTX_new(wolfSSLv23_client_method_ex((void *)NULL));
     if (ctx == NULL) {
         printf("Error: wolfSSL_CTX_new.\n");
         util_inf_loop(xClientSocket, ctx, ssl);

IDE/Renesas/e2studio/RA6M3/client-wolfssl/wolfssl_thread_entry.h

@@ -24,11 +24,12 @@
 #include <errno.h>
 #include <wolfssl/certs_test.h>
 
+extern uint8_t g_ether0_mac_address[6];
+
 static const byte ucIPAddress[4]          = { 192, 168, 1, 241 };
 static const byte ucNetMask[4]            = { 255, 255, 255, 0 };
 static const byte ucGatewayAddress[4]     = { 192, 168, 1, 1 };
 static const byte ucDNSServerAddress[4]   = { 192, 168, 1, 1 };
-static const byte g_ether0_mac_address[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
 
 /* Client connects to the server with these details. */
 #define SERVER_IP    "192.168.1.240"

IDE/Renesas/e2studio/RA6M3/common/user_settings.h

@@ -21,10 +21,16 @@
 #ifndef USER_SETTINGS_H_
 #define USER_SETTINGS_H_
 
+
 /* Temporary defines. Not suitable for production. */
 #define WOLFSSL_GENSEED_FORTEST /* Warning: define your own seed gen */
 /* End temporary defines */
 
+/* TLS 1.3 */
+#define WOLFSSL_TLS13
+#define HAVE_HKDF
+#define WC_RSA_PSS
+
 /* Operating Environment and Threading */
 #define FREERTOS
 #define FREERTOS_TCP
@@ -73,5 +79,6 @@
 
 void wolfssl_thread_entry(void *pvParameters);
 extern void initialise_monitor_handles(void);
+int strncasecmp(const char *s1, const char * s2, unsigned int sz);
 
 #endif /* USER_SETTINGS_H_ */

IDE/Renesas/e2studio/RA6M3/include.am

@@ -31,3 +31,6 @@ EXTRA_DIST+= IDE/Renesas/e2studio/RA6M3/wolfssl/configuration.xml
 
 EXTRA_DIST+= IDE/Renesas/e2studio/RA6M3/README.md
 EXTRA_DIST+= IDE/Renesas/e2studio/RA6M3G/README.md
+
+EXTRA_DIST+= IDE/Renesas/e2studio/RA6M3/README_APRA6M_en.md
+EXTRA_DIST+= IDE/Renesas/e2studio/RA6M3/README_APRA6M_jp.md

IDE/Renesas/e2studio/RA6M3/server-wolfssl/src/wolfssl_thread_entry.c

@@ -96,7 +96,7 @@ void wolfssl_thread_entry(void *pvParameters) {
         configASSERT(xConnectedSocket != FREERTOS_INVALID_SOCKET);
 
         /* Create WOLFSSL_CTX object */
-        ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method());
+        ctx = wolfSSL_CTX_new(wolfSSLv23_server_method_ex((void *)NULL));
 
         /* Load server certificates into WOLFSSL_CTX */
         if (ctx == NULL) {
@@ -142,7 +142,6 @@ void wolfssl_thread_entry(void *pvParameters) {
         }
         memset(buff, 0, sizeof(buff));
         ret = wolfSSL_read(ssl, buff, sizeof(buff) - 1);
-
         if (ret < 0)
             break;
 
@@ -156,6 +155,8 @@ void wolfssl_thread_entry(void *pvParameters) {
 
         /* Reply back to the client */
         ret = wolfSSL_write(ssl, buff, (int) strlen(buff));
+        if (ret < 0)
+            break;
 
         /* Cleanup after this connection */
         util_Cleanup(xConnectedSocket, ctx, ssl);

IDE/Renesas/e2studio/RA6M3/server-wolfssl/wolfssl_thread_entry.h

@@ -23,11 +23,12 @@
 
 #include <wolfssl/certs_test.h>
 
+extern uint8_t g_ether0_mac_address[6];
+
 static const byte ucIPAddress[4]          = { 192, 168, 1, 241 };
 static const byte ucNetMask[4]            = { 255, 255, 255, 0 };
 static const byte ucGatewayAddress[4]     = { 192, 168, 1, 1 };
 static const byte ucDNSServerAddress[4]   = { 192, 168, 1, 1 };
-static const byte g_ether0_mac_address[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
 
 /* Server Cert and Key */
 #define CERT_BUF        server_cert_der_1024

IDE/Renesas/e2studio/RA6M3/wolfssl/.project

@@ -30,11 +30,6 @@
 		<nature>com.renesas.cdt.ra.contentgen.raNature</nature>
 	</natures>
 	<linkedResources>
-		<link>
-			<name>src/bio.c</name>
-			<type>1</type>
-			<locationURI>PARENT-5-PROJECT_LOC/src/bio.c</locationURI>
-		</link>
 		<link>
 			<name>src/crl.c</name>
 			<type>1</type>
@@ -195,11 +190,6 @@
 			<type>1</type>
 			<locationURI>PARENT-5-PROJECT_LOC/wolfcrypt/src/error.c</locationURI>
 		</link>
-		<link>
-			<name>wolfcrypt/evp.c</name>
-			<type>1</type>
-			<locationURI>PARENT-5-PROJECT_LOC/wolfcrypt/src/evp.c</locationURI>
-		</link>
 		<link>
 			<name>wolfcrypt/fe_low_mem.c</name>
 			<type>1</type>
@@ -275,11 +265,6 @@
 			<type>1</type>
 			<locationURI>PARENT-5-PROJECT_LOC/wolfcrypt/src/memory.c</locationURI>
 		</link>
-		<link>
-			<name>wolfcrypt/misc.c</name>
-			<type>1</type>
-			<locationURI>PARENT-5-PROJECT_LOC/wolfcrypt/src/misc.c</locationURI>
-		</link>
 		<link>
 			<name>wolfcrypt/pkcs12.c</name>
 			<type>1</type>

IDE/STM32Cube/README.md

@@ -14,8 +14,13 @@ These examples use the Cube HAL for STM32.
 
 ## Configuration
 
-The settings for the wolfSTM32 project are located in `<wolfssl-root>/IDE/STM32Cube/wolfSSL.wolfSSL_conf.h`. The section for "Hardware platform" may need to be adjusted depending on your processor and board:
+The settings for the wolfSSL CubeMX pack are in the generated `wolfSSL.wolfSSL_conf.h` file. An example of this is located in `IDE/STM32Cube/wolfSSL_conf.h` (renamed to avoid possible conflicts with generated file).
 
+The template used for generation is `IDE/STM32Cube/default_conf.ftl` which can be updated at `STM32Cube/Repository/Packs/wolfSSL/wolfSSL/[Version]/CubeMX/templates/default_conf.ftl`.
+
+The section for "Hardware platform" may need to be adjusted depending on your processor and board:
+
+* To enable STM32F1 support define `WOLFSSL_STM32F1`.
 * To enable STM32F2 support define `WOLFSSL_STM32F2`.
 * To enable STM32F4 support define `WOLFSSL_STM32F4`.
 * To enable STM32F7 support define `WOLFSSL_STM32F7`.
@@ -39,16 +44,17 @@ If you'd like to use the older Standard Peripheral library undefine `WOLFSSL_STM
 
 If you are using FreeRTOS make sure your `FreeRTOSConfig.h` has its `configTOTAL_HEAP_SIZE` increased.
 
-The TLS client/server benchmark example requires about 76 KB for allocated tasks (with stack) and peak heap.
+The TLS client/server benchmark example requires about 76 KB for allocated tasks (with stack) and peak heap. This uses both a TLS client and server to test a TLS connection locally for each enabled TLS cipher suite.
 
 ## STM32 Cube Pack
 
 ### STM32 Cube Pack Installation
 
-1. Download [wolfSSL Cube Pack](https://www.wolfssl.com/files/ide/I-CUBE-WOLFSSL-WOLFSSL.pack)
+1. Download [wolfSSL Cube Pack](https://www.wolfssl.com/files/ide/I-CUBE-wolfSSL.pack)
 2. Run the “STM32CubeMX” tool.
 3. Under “Manage software installations” click “INSTALL/REMOVE” button.
-4. From Local and choose “I-CUBE-WOLFSSL-WOLFSSL.pack”.
+4. From Local and choose “I-CUBE-wolfSSL.pack”.
+5. Accept the GPLv2 license. Contact wolfSSL at sales@wolfssl.com for a commercial license and support/maintenance.
 
 ### STM32 Cube Pack Usage
 
@@ -56,13 +62,14 @@ The TLS client/server benchmark example requires about 76 KB for allocated tasks
 2. Under “Software Packs” choose “Select Components”.
 3. Find and check all components for the wolfSSL.wolfSSL packs (wolfSSL / Core, wolfCrypt / Core and wolfCrypt / Test). Close
 4. Under the “Software Packs” section click on “wolfSSL.wolfSSL” and configure the parameters.
-5. For Cortex-M recommend “Math Configuration” -> “Single Precision Cortex-M Math”
+5. For Cortex-M recommend “Math Configuration” -> “Single Precision Cortex-M Math” for the fastest option.
 6. Generate Code
 7. The Benchmark example uses float. To enable go to "Project Properties" -> "C/C++ Build" -> "Settings" -> "Tool Settings" -> "MCU Settings" -> Check "Use float with printf".
+8. To enable printf make the `main.c` changes below in the [STM32 Printf](#stm32-printf) section.
 
 ### STM32 Cube Pack Examples
 
-In the `I-CUBE-WOLFSSL-WOLFSSL.pack` pack there are pre-assembled example projects available.
+In the `I-CUBE-wolfSSL.pack` pack there are pre-assembled example projects available.
 After installing the pack you can find these example projects in `STM32Cube/Repository/Packs/wolfSSL/wolfSSL/[Version]/Projects`.
 To use an example:
 
@@ -87,6 +94,49 @@ Please select one of the above options:
 
 See [STM32_Benchmarks.md](STM32_Benchmarks.md).
 
+Note: The Benchmark example uses float. To enable go to "Project Properties" -> "C/C++ Build" -> "Settings" -> "Tool Settings" -> "MCU Settings" -> Check "Use float with printf".
+
+## STM32 Printf
+
+In main.c make the following changes:
+
+```
+/* Retargets the C library printf function to the USART. */
+#include <stdio.h>
+#include <wolfssl/wolfcrypt/settings.h>
+#ifdef __GNUC__
+int __io_putchar(int ch)
+#else
+int fputc(int ch, FILE *f)
+#endif
+{
+    HAL_UART_Transmit(&HAL_CONSOLE_UART, (uint8_t *)&ch, 1, 0xFFFF);
+
+    return ch;
+}
+#ifdef __GNUC__
+int _write(int file,char *ptr, int len)
+{
+    int DataIdx;
+    for (DataIdx= 0; DataIdx< len; DataIdx++) {
+        __io_putchar(*ptr++);
+    }
+    return len;
+}
+#endif
+
+int main(void)
+{
+    /* Reset of all peripherals, Initializes the Flash interface and the Systick. */
+    HAL_Init();
+
+    /* Turn off buffers, so I/O occurs immediately */
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+
+```
+
 ## Support
 
 For questions please email [support@wolfssl.com](mailto:support@wolfssl.com)

IDE/STM32Cube/default_conf.ftl

@@ -0,0 +1,535 @@
+[#ftl]
+/**
+  ******************************************************************************
+  * File Name          : ${name}
+  * Description        : This file provides code for the configuration
+  *                      of the ${name} instances.
+  ******************************************************************************
+[@common.optinclude name=mxTmpFolder+"/license.tmp"/][#--include License text --]
+  ******************************************************************************
+  */
+[#assign s = name]
+[#assign toto = s?replace(".","_")]
+[#assign toto = toto?replace("/","")]
+[#assign inclusion_protection = toto?upper_case]
+/* Define to prevent recursive inclusion -------------------------------------*/
+#ifndef __${inclusion_protection}__
+#define __${inclusion_protection}__
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+/* Includes ------------------------------------------------------------------*/
+[#if includes??]
+[#list includes as include]
+#include "${include}"
+[/#list]
+[/#if]
+
+[#-- SWIPdatas is a list of SWIPconfigModel --]  
+[#list SWIPdatas as SWIP]  
+[#-- Global variables --]
+[#if SWIP.variables??]
+	[#list SWIP.variables as variable]
+extern ${variable.value} ${variable.name};
+	[/#list]
+[/#if]
+
+[#-- Global variables --]
+
+[#assign instName = SWIP.ipName]   
+[#assign fileName = SWIP.fileName]   
+[#assign version = SWIP.version]   
+
+/**
+	MiddleWare name : ${instName}
+	MiddleWare fileName : ${fileName}
+	MiddleWare version : ${version}
+*/
+[#if SWIP.defines??]
+	[#list SWIP.defines as definition]	
+/*---------- [#if definition.comments??]${definition.comments}[/#if] -----------*/
+#define ${definition.name} #t#t ${definition.value} 
+[#if definition.description??]${definition.description} [/#if]
+	[/#list]
+[/#if]
+
+
+
+[/#list]
+
+/* ------------------------------------------------------------------------- */
+/* Hardware platform */
+/* ------------------------------------------------------------------------- */
+#define NO_STM32_HASH
+#define NO_STM32_CRYPTO
+
+#if defined(STM32WB55xx)
+    #define WOLFSSL_STM32WB
+    #define WOLFSSL_STM32_PKA
+    #undef  NO_STM32_CRYPTO
+    #define HAL_CONSOLE_UART huart1
+#elif defined(STM32F407xx)
+    #define WOLFSSL_STM32F4
+    #define HAL_CONSOLE_UART huart2
+#elif defined(STM32F437xx)
+    #define WOLFSSL_STM32F4
+    #undef  NO_STM32_HASH
+    #undef  NO_STM32_CRYPTO
+    #define STM32_HAL_V2
+    #define HAL_CONSOLE_UART huart4
+#elif defined(STM32F777xx)
+    #define WOLFSSL_STM32F7
+    #undef  NO_STM32_HASH
+    #undef  NO_STM32_CRYPTO
+    #define STM32_HAL_V2
+    #define HAL_CONSOLE_UART huart2
+#elif defined(STM32H753xx)
+    #define WOLFSSL_STM32H7
+    #undef  NO_STM32_HASH
+    #undef  NO_STM32_CRYPTO
+    #define HAL_CONSOLE_UART huart3
+#elif defined(STM32L4A6xx)
+    #define WOLFSSL_STM32L4
+    #undef  NO_STM32_HASH
+    #undef  NO_STM32_CRYPTO
+    #define HAL_CONSOLE_UART hlpuart1
+#elif defined(STM32L475xx)
+    #define WOLFSSL_STM32L4
+    #define HAL_CONSOLE_UART huart1
+#elif defined(STM32L562xx)
+    #define WOLFSSL_STM32L5
+    #define WOLFSSL_STM32_PKA
+    #undef  NO_STM32_HASH
+    #undef  NO_STM32_CRYPTO
+    #define HAL_CONSOLE_UART huart1
+#elif defined(STM32L552xx)
+    #define WOLFSSL_STM32L5
+    #undef  NO_STM32_HASH
+    #define HAL_CONSOLE_UART hlpuart1
+#elif defined(STM32F207xx)
+    #define WOLFSSL_STM32F2
+    #define HAL_CONSOLE_UART huart3
+#elif defined(STM32F107xC)
+    #define WOLFSSL_STM32F1
+    #define HAL_CONSOLE_UART huart4
+    #define NO_STM32_RNG
+#elif defined(STM32F401xE)
+    #define WOLFSSL_STM32F4
+    #define HAL_CONSOLE_UART huart2
+    #define NO_STM32_RNG
+    #define WOLFSSL_GENSEED_FORTEST
+#else
+    #warning Please define a hardware platform!
+    /* This means there is not a pre-defined platform for your board/CPU */
+    /* You need to define a CPU type, HW crypto and debug UART */
+    /* CPU Type: WOLFSSL_STM32F1, WOLFSSL_STM32F2, WOLFSSL_STM32F4, 
+        WOLFSSL_STM32F7, WOLFSSL_STM32H7, WOLFSSL_STM32L4 and WOLFSSL_STM32L5 */
+    #define WOLFSSL_STM32F4
+
+    /* Debug UART */
+    #define HAL_CONSOLE_UART huart4
+
+    /* Hardware Crypto - uncomment as available on hardware */
+    //#define WOLFSSL_STM32_PKA
+    //#define NO_STM32_RNG
+    //#undef  NO_STM32_HASH
+    //#undef  NO_STM32_CRYPTO
+    //#define WOLFSSL_GENSEED_FORTEST
+    //#define STM32_HAL_V2
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Platform */
+/* ------------------------------------------------------------------------- */
+#define SIZEOF_LONG_LONG 8
+#define WOLFSSL_GENERAL_ALIGNMENT 4
+#define WOLFSSL_STM32_CUBEMX
+#define WOLFSSL_SMALL_STACK
+#define WOLFSSL_USER_IO
+#define WOLFSSL_NO_SOCK
+#define WOLFSSL_IGNORE_FILE_WARN
+
+
+/* ------------------------------------------------------------------------- */
+/* Operating System */
+/* ------------------------------------------------------------------------- */
+#if defined(WOLF_CONF_RTOS) && WOLF_CONF_RTOS == 2
+    #define FREERTOS
+#else
+    #define SINGLE_THREADED
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Math Configuration */
+/* ------------------------------------------------------------------------- */
+/* 1=Fast, 2=Normal, 3=SP C, 4=SP Cortex-M */
+#if defined(WOLF_CONF_MATH) && WOLF_CONF_MATH != 2
+    /* fast (stack) math */
+    #define USE_FAST_MATH
+    #define TFM_TIMING_RESISTANT
+
+    /* Optimizations (TFM_ARM, TFM_ASM or none) */
+    //#define TFM_NO_ASM
+    //#define TFM_ASM
+#endif
+#if defined(WOLF_CONF_MATH) && (WOLF_CONF_MATH == 3 || WOLF_CONF_MATH == 4)
+    /* single precision only */
+    #define WOLFSSL_SP
+    #define WOLFSSL_SP_SMALL      /* use smaller version of code */
+    #define WOLFSSL_HAVE_SP_RSA
+    #define WOLFSSL_HAVE_SP_DH
+    #define WOLFSSL_HAVE_SP_ECC
+    #define WOLFSSL_SP_MATH
+    #define SP_WORD_SIZE 32
+
+    //#define WOLFSSL_SP_NO_MALLOC
+    //#define WOLFSSL_SP_CACHE_RESISTANT
+
+    /* single precision Cortex-M only */
+    #if WOLF_CONF_MATH == 4
+        #define WOLFSSL_SP_ASM /* required if using the ASM versions */
+        #define WOLFSSL_SP_ARM_CORTEX_M_ASM
+    #endif
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Enable Features */
+/* ------------------------------------------------------------------------- */
+/* Required for TLS */
+#define HAVE_TLS_EXTENSIONS
+#define HAVE_SUPPORTED_CURVES
+#define HAVE_ENCRYPT_THEN_MAC
+#define HAVE_EXTENDED_MASTER
+
+#if defined(WOLF_CONF_TLS13) && WOLF_CONF_TLS13 == 1
+    #define WOLFSSL_TLS13
+    #define HAVE_HKDF
+#endif
+#if defined(WOLF_CONF_DTLS) && WOLF_CONF_DTLS == 1
+    #define WOLFSSL_DTLS
+#endif
+#if defined(WOLF_CONF_PSK) && WOLF_CONF_PSK == 0
+    #define NO_PSK
+#endif
+#if defined(WOLF_CONF_PWDBASED) && WOLF_CONF_PWDBASED == 0
+    #define NO_PWDBASED
+#endif
+#if defined(WOLF_CONF_KEEP_PEER_CERT) && WOLF_CONF_KEEP_PEER_CERT == 1
+    #define KEEP_PEER_CERT
+#endif
+#if defined(WOLF_CONF_BASE64_ENCODE) && WOLF_CONF_BASE64_ENCODE == 1
+    #define WOLFSSL_BASE64_ENCODE
+#endif
+#if defined(WOLF_CONF_OPENSSL_EXTRA) && WOLF_CONF_OPENSSL_EXTRA == 1
+    #define OPENSSL_EXTRA
+#endif
+
+/* TLS Session Cache */
+#if 0
+    #define SMALL_SESSION_CACHE
+#else
+    #define NO_SESSION_CACHE
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Crypto */
+/* ------------------------------------------------------------------------- */
+/* RSA */
+#undef NO_RSA
+#if defined(WOLF_CONF_RSA) && WOLF_CONF_RSA == 1
+    #ifdef USE_FAST_MATH
+        /* Maximum math bits (Max RSA key bits * 2) */
+        #undef  FP_MAX_BITS
+        #define FP_MAX_BITS     4096
+    #endif
+
+    /* half as much memory but twice as slow */
+    #undef  RSA_LOW_MEM
+    //#define RSA_LOW_MEM
+
+    /* Enables blinding mode, to prevent timing attacks */
+    #undef  WC_RSA_BLINDING
+    #define WC_RSA_BLINDING
+
+    /* RSA PSS Support (required for TLS v1.3) */
+    #ifdef WOLFSSL_TLS13
+        #define WC_RSA_PSS
+    #endif
+#else
+    #define NO_RSA
+#endif
+
+/* ECC */
+#undef HAVE_ECC
+#if defined(WOLF_CONF_ECC) && WOLF_CONF_ECC == 1
+    #define HAVE_ECC
+
+    /* Manually define enabled curves */
+    #define ECC_USER_CURVES
+
+    //#define HAVE_ECC192
+    //#define HAVE_ECC224
+    #undef NO_ECC256
+    //#define HAVE_ECC384
+    //#define HAVE_ECC521
+
+    /* Fixed point cache (speeds repeated operations against same private key) */
+    #undef  FP_ECC
+    //#define FP_ECC
+    #ifdef FP_ECC
+        /* Bits / Entries */
+        #undef  FP_ENTRIES
+        #define FP_ENTRIES  2
+        #undef  FP_LUT
+        #define FP_LUT      4
+    #endif
+
+    /* Optional ECC calculation method */
+    /* Note: doubles heap usage, but slightly faster */
+    #undef  ECC_SHAMIR
+    #define ECC_SHAMIR
+
+    /* Reduces heap usage, but slower */
+    #define ECC_TIMING_RESISTANT
+
+    /* Compressed ECC key support */
+    //#define HAVE_COMP_KEY
+
+    #ifdef USE_FAST_MATH
+        #ifdef NO_RSA
+            /* Custom fastmath size if not using RSA */
+            /* MAX = ROUND32(ECC BITS) * 2 */
+            #define FP_MAX_BITS     (256 * 2)
+        #else
+            #define ALT_ECC_SIZE
+        #endif
+
+        /* Enable TFM optimizations for ECC */
+        //#define TFM_ECC192
+        //#define TFM_ECC224
+        //#define TFM_ECC256
+        //#define TFM_ECC384
+        //#define TFM_ECC521
+    #endif
+#endif
+
+/* DH */
+#undef NO_DH
+#if defined(WOLF_CONF_DH) && WOLF_CONF_DH == 1
+    #define HAVE_DH /* freeRTOS settings.h requires this */
+    #define HAVE_FFDHE_2048
+    #define HAVE_DH_DEFAULT_PARAMS
+#else
+    #define NO_DH
+#endif
+
+/* AES */
+#if defined(WOLF_CONF_AESGCM) && WOLF_CONF_AESGCM == 1
+    #define HAVE_AESGCM
+    /* GCM Method: GCM_SMALL, GCM_WORD32 or GCM_TABLE */
+    /* GCM_TABLE is about 4K larger and 3x faster */
+    #define GCM_SMALL
+    #define HAVE_AES_DECRYPT
+#endif
+
+#if defined(WOLF_CONF_AESCBC) && WOLF_CONF_AESCBC == 1
+    #define HAVE_AES_CBC
+    #define HAVE_AES_DECRYPT
+#endif
+
+/* Other possible AES modes */    
+//#define WOLFSSL_AES_COUNTER
+//#define HAVE_AESCCM
+//#define WOLFSSL_AES_XTS
+//#define WOLFSSL_AES_DIRECT
+//#define HAVE_AES_ECB
+//#define HAVE_AES_KEYWRAP
+//#define AES_MAX_KEY_SIZE 256
+
+/* ChaCha20 / Poly1305 */
+#undef HAVE_CHACHA
+#undef HAVE_POLY1305
+#if defined(WOLF_CONF_CHAPOLY) && WOLF_CONF_CHAPOLY == 1
+    #define HAVE_CHACHA
+    #define HAVE_POLY1305
+
+    /* Needed for Poly1305 */
+    #undef  HAVE_ONE_TIME_AUTH
+    #define HAVE_ONE_TIME_AUTH
+#endif
+
+/* Ed25519 / Curve25519 */
+#undef HAVE_CURVE25519
+#undef HAVE_ED25519
+#if defined(WOLF_CONF_EDCURVE25519) && WOLF_CONF_EDCURVE25519 == 1
+    #define HAVE_CURVE25519
+    #define HAVE_ED25519
+
+    /* Optionally use small math (less flash usage, but much slower) */
+    #define CURVED25519_SMALL
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------------------------------- */
+/* Sha1 */
+#undef NO_SHA
+#if defined(WOLF_CONF_SHA1) && WOLF_CONF_SHA1 == 1
+    /* 1k smaller, but 25% slower */
+    //#define USE_SLOW_SHA
+#else
+    #define NO_SHA
+#endif
+
+/* Sha2-256 */
+#undef NO_SHA256
+#if defined(WOLF_CONF_SHA2_256) && WOLF_CONF_SHA2_256 == 1
+    /* not unrolled - ~2k smaller and ~25% slower */
+    //#define USE_SLOW_SHA256
+
+    //#define WOLFSSL_SHAKE256
+
+    /* Sha2-224 */
+    #if defined(WOLF_CONF_SHA2_224) && WOLF_CONF_SHA2_224 == 1
+        #define WOLFSSL_SHA224
+    #endif
+#else
+    #define NO_SHA256
+#endif
+
+/* Sha2-512 */
+#undef WOLFSSL_SHA512
+#if defined(WOLF_CONF_SHA2_512) && WOLF_CONF_SHA2_512 == 1
+    /* over twice as small, but 50% slower */
+    //#define USE_SLOW_SHA512
+
+    #define WOLFSSL_SHA512
+    #define HAVE_SHA512 /* freeRTOS settings.h requires this */
+#endif
+
+/* Sha2-384 */
+#undef WOLFSSL_SHA384
+#if defined(WOLF_CONF_SHA2_384) && WOLF_CONF_SHA2_384 == 1
+    #define WOLFSSL_SHA384
+#endif
+
+/* Sha3 */
+#undef WOLFSSL_SHA3
+#if defined(WOLF_CONF_SHA3) && WOLF_CONF_SHA3 == 1
+	#define WOLFSSL_SHA3
+#endif
+
+/* MD5 */
+#if defined(WOLF_CONF_MD5) && WOLF_CONF_MD5 == 1
+	/* enabled */
+#else
+    #define NO_MD5
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Benchmark / Test */
+/* ------------------------------------------------------------------------- */
+/* Use reduced benchmark / test sizes */
+#define BENCH_EMBEDDED
+#define USE_CERT_BUFFERS_2048
+#define USE_CERT_BUFFERS_256
+
+
+/* ------------------------------------------------------------------------- */
+/* Debugging */
+/* ------------------------------------------------------------------------- */
+#if defined(WOLF_CONF_DEBUG) && WOLF_CONF_DEBUG == 1
+    #define DEBUG_WOLFSSL
+
+    /* Use this to measure / print heap usage */
+    #if 0
+        #define USE_WOLFSSL_MEMORY
+        #define WOLFSSL_TRACK_MEMORY
+  		  #define WOLFSSL_DEBUG_MEMORY
+	  	  #define WOLFSSL_DEBUG_MEMORY_PRINT
+    #endif
+#else
+    //#define NO_WOLFSSL_MEMORY
+    //#define NO_ERROR_STRINGS
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Port */
+/* ------------------------------------------------------------------------- */
+
+/* Override Current Time */
+/* Allows custom "custom_time()" function to be used for benchmark */
+#define WOLFSSL_USER_CURRTIME
+
+
+/* ------------------------------------------------------------------------- */
+/* RNG */
+/* ------------------------------------------------------------------------- */
+#define NO_OLD_RNGNAME /* conflicts with STM RNG macro */
+#define HAVE_HASHDRBG
+
+
+/* ------------------------------------------------------------------------- */
+/* Disable Features */
+/* ------------------------------------------------------------------------- */
+#if defined(WOLF_CONF_TLS12) && WOLF_CONF_TLS12 == 0
+    #define WOLFSSL_NO_TLS12
+#endif
+#if defined(WOLF_CONF_WOLFCRYPT_ONLY) && WOLF_CONF_WOLFCRYPT_ONLY == 1
+    #define WOLFCRYPT_ONLY
+#endif
+//#define NO_WOLFSSL_SERVER
+//#define NO_WOLFSSL_CLIENT
+
+#if defined(WOLF_CONF_TEST) && WOLF_CONF_TEST == 0
+    #define NO_CRYPT_TEST
+    #define NO_CRYPT_BENCHMARK
+#endif
+
+#define NO_FILESYSTEM
+#define NO_WRITEV
+#define NO_MAIN_DRIVER
+#define NO_DEV_RANDOM
+#define NO_OLD_TLS
+#define WOLFSSL_NO_CLIENT_AUTH /* disable client auth for Ed25519/Ed448 */
+
+#define NO_DSA
+#define NO_RC4
+#define NO_HC128
+#define NO_RABBIT
+#define NO_MD4
+#define NO_DES3
+
+/* In-lining of misc.c functions */
+/* If defined, must include wolfcrypt/src/misc.c in build */
+/* Slower, but about 1k smaller */
+//#define NO_INLINE
+
+/* Base16 / Base64 encoding */
+//#define NO_CODING
+
+/* bypass certificate date checking, due to lack of properly configured RTC source */
+#ifndef HAL_RTC_MODULE_ENABLED
+    #define NO_ASN_TIME
+#endif
+
+
+#ifdef __cplusplus
+}
+#endif
+#endif /*__ ${inclusion_protection}_H */
+
+/**
+  * @}
+  */
+
+/*****END OF FILE****/

IDE/STM32Cube/include.am

@@ -5,6 +5,7 @@
 EXTRA_DIST+= IDE/STM32Cube/README.md
 EXTRA_DIST+= IDE/STM32Cube/main.c
 EXTRA_DIST+= IDE/STM32Cube/wolfssl_example.c
-EXTRA_DIST+= IDE/STM32Cube/wolfSSL.wolfSSL_conf.h
+EXTRA_DIST+= IDE/STM32Cube/wolfSSL_conf.h
 EXTRA_DIST+= IDE/STM32Cube/wolfssl_example.h
 EXTRA_DIST+= IDE/STM32Cube/STM32_Benchmarks.md
+EXTRA_DIST+= IDE/STM32Cube/default_conf.ftl

IDE/STM32Cube/main.c

@@ -25,6 +25,7 @@
 
 /* Includes ------------------------------------------------------------------*/
 #include "wolfssl_example.h"
+#include "wolfssl/wolfcrypt/settings.h"
 
 /* Private variables ---------------------------------------------------------*/
 CRYP_HandleTypeDef hcryp;
@@ -66,7 +67,7 @@ int __io_putchar(int ch)
 int fputc(int ch, FILE *f)
 #endif
 {
-    HAL_UART_Transmit(&huart4, (uint8_t *)&ch, 1, 0xFFFF);
+    HAL_UART_Transmit(&HAL_CONSOLE_UART, (uint8_t *)&ch, 1, 0xFFFF);
 
     return ch;
 }

IDE/STM32Cube/wolfSSL_conf.h

@@ -1,4 +1,4 @@
-/* wolfSSL.wolfSSL_conf.h
+/* wolfSSL_conf.h (example of generated wolfSSL.wolfSSL_conf.h)
  *
  * Copyright (C) 2006-2020 wolfSSL Inc.
  *
@@ -19,7 +19,9 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-/* STM32 Cube Configuration File 
+/* STM32 Cube Sample Configuration File 
+ * Generated automatically using `default_conf.ftl` template
+ *
  * Included automatically when USE_HAL_DRIVER is defined 
  * (and not WOLFSSL_USER_SETTINGS or HAVE_CONF_H).
  */
@@ -169,6 +171,11 @@ extern "C" {
     #define WOLFSSL_STM32F1
     #define HAL_CONSOLE_UART huart4
     #define NO_STM32_RNG
+#elif defined(STM32F401xE)
+    #define WOLFSSL_STM32F4
+    #define HAL_CONSOLE_UART huart2
+    #define NO_STM32_RNG
+    #define WOLFSSL_GENSEED_FORTEST
 #else
 	#warning Please define a hardware platform!
     #define WOLFSSL_STM32F4 /* default */

IDE/STM32Cube/wolfssl_example.c

@@ -64,7 +64,7 @@
 	#undef  MEM_BUFFER_SZ
 	#define MEM_BUFFER_SZ 2048
 #endif
-#define SHOW_VERBOSE         0 /* Default output is tab delimited format */
+#define SHOW_VERBOSE         0 /* 0=tab del (minimal), 1=info, 2=debug, 3=debug w/wolf logs */
 #ifndef WOLFSSL_CIPHER_LIST_MAX_SIZE
 #define WOLFSSL_CIPHER_LIST_MAX_SIZE 2048
 #endif
@@ -77,7 +77,7 @@
     #define BENCH_USE_NONBLOCK
 #endif
 #ifndef RECV_WAIT_TIMEOUT
-    #define RECV_WAIT_TIMEOUT 4000
+    #define RECV_WAIT_TIMEOUT 10000
 #endif
 
 /*****************************************************************************
@@ -510,6 +510,8 @@ static int ServerMemSend(info_t* info, char* buf, int sz)
         sz = MEM_BUFFER_SZ - info->to_client.write_idx;
 #endif
 
+    if (info->showVerbose >= 2)
+        printf("Server Send: %d\n", sz);
     XMEMCPY(&info->to_client.buf[info->to_client.write_idx], buf, sz);
     info->to_client.write_idx += sz;
     info->to_client.write_bytes += sz;
@@ -543,11 +545,13 @@ static int ServerMemRecv(info_t* info, char* buf, int sz)
         osSemaphoreRelease(info->server.mutex);
 #ifdef CMSIS_OS2_H_
         if (osThreadFlagsWait(1, osFlagsWaitAny, RECV_WAIT_TIMEOUT) == osFlagsErrorTimeout) {
+        	printf("Server Recv: Timeout!\n");
         	return WOLFSSL_CBIO_ERR_TIMEOUT;
         }
         osSemaphoreAcquire(info->server.mutex, osWaitForever);
 #else
         if (osSignalWait(1, RECV_WAIT_TIMEOUT) == osEventTimeout) {
+        	printf("Server Recv: Timeout!\n");
             return WOLFSSL_CBIO_ERR_TIMEOUT;
         }
         osSemaphoreWait(info->server.mutex, osWaitForever);
@@ -567,9 +571,12 @@ static int ServerMemRecv(info_t* info, char* buf, int sz)
         info->to_server.read_bytes = info->to_server.read_idx = 0;
         info->to_server.write_bytes = info->to_server.write_idx = 0;
     }
+    if (info->showVerbose >= 2)
+        printf("Server Recv: %d\n", sz);
 
     osSemaphoreRelease(info->server.mutex);
 
+
 #ifdef BENCH_USE_NONBLOCK
     if (sz == 0)
         return WOLFSSL_CBIO_ERR_WANT_READ;
@@ -599,6 +606,8 @@ static int ClientMemSend(info_t* info, char* buf, int sz)
         sz = MEM_BUFFER_SZ - info->to_server.write_idx;
 #endif
 
+    if (info->showVerbose >= 2)
+        printf("Client Send: %d\n", sz);
     XMEMCPY(&info->to_server.buf[info->to_server.write_idx], buf, sz);
     info->to_server.write_idx += sz;
     info->to_server.write_bytes += sz;
@@ -632,11 +641,13 @@ static int ClientMemRecv(info_t* info, char* buf, int sz)
         osSemaphoreRelease(info->client.mutex);
 #ifdef CMSIS_OS2_H_
         if (osThreadFlagsWait(1, osFlagsWaitAny, RECV_WAIT_TIMEOUT) == osFlagsErrorTimeout) {
+        	printf("Client Recv: Timeout!\n");
         	return WOLFSSL_CBIO_ERR_TIMEOUT;
         }
         osSemaphoreAcquire(info->client.mutex, osWaitForever);
 #else
         if (osSignalWait(1, RECV_WAIT_TIMEOUT) == osEventTimeout) {
+        	printf("Client Recv: Timeout!\n");
         	return WOLFSSL_CBIO_ERR_TIMEOUT;
         }
         osSemaphoreWait(info->client.mutex, osWaitForever);
@@ -656,6 +667,8 @@ static int ClientMemRecv(info_t* info, char* buf, int sz)
         info->to_client.read_bytes = info->to_client.read_idx = 0;
         info->to_client.write_bytes = info->to_client.write_idx = 0;
     }
+    if (info->showVerbose >= 2)
+        printf("Client Recv: %d\n", sz);
 
     osSemaphoreRelease(info->client.mutex);
 
@@ -1277,7 +1290,7 @@ int bench_tls(void* args)
     int argShowPeerInfo = BENCH_SHOW_PEER_INFO;
 
 #ifdef DEBUG_WOLFSSL
-    if (argShowVerbose) {
+    if (argShowVerbose >= 3) {
         wolfSSL_Debugging_ON();
     }
     else {

IDE/WIN/README.txt

@@ -3,6 +3,8 @@
 First, if you did not get the FIPS files with your archive, you must contact
 wolfSSL to obtain them.
 
+The IDE/WIN/wolfssl-fips.sln solution is for the original FIPS #2425 certificate. 
+See IDE/WIN10/wolfssl-fips.sln for the FIPS v2 #3389 or later Visual Studio solution.
 
 # Building the wolfssl-fips project
 

IDE/WIN10/README.txt

@@ -3,6 +3,7 @@
 First, if you did not get the FIPS files with your archive, you must contact
 wolfSSL to obtain them.
 
+The IDE/WIN10/wolfssl-fips.sln solution is for the FIPS v2 #3389 certificate or later.
 
 # Building the wolfssl-fips project
 
@@ -47,6 +48,7 @@ check value when changing your application.
 The default build options should be the proper default set of options:
 
  * HAVE_FIPS
+ * HAVE_FIPS_VERSION=2 (or 3 with WOLFSSL_FIPS_READY)
  * HAVE_THREAD_LS
  * HAVE_AESGCM
  * HAVE_HASHDRBG
@@ -67,4 +69,4 @@ Additionally one may enable:
  * OPENSSL_EXTRA
  * WOLFSSL_KEY_GEN
 
-These settings are defined in IDE/WIN/user_settings.h.
+These settings are defined in IDE/WIN10/user_settings.h.

IDE/WIN10/user_settings.h

@@ -1,6 +1,14 @@
 #ifndef _WIN_USER_SETTINGS_H_
 #define _WIN_USER_SETTINGS_H_
 
+/* For FIPS Ready, uncomment the following: */
+/* #define WOLFSSL_FIPS_READY */
+#ifdef WOLFSSL_FIPS_READY
+    #undef HAVE_FIPS_VERSION
+    #define HAVE_FIPS_VERSION 3
+#endif
+
+
 /* Verify this is Windows */
 #ifndef _WIN32
 #error This user_settings.h header is only designed for Windows

IDE/XilinxSDK/README.md

@@ -1,6 +1,6 @@
 # Common Gotcha's
 
-- If compiling all code togther (ie no sperate wolfssl library) than the -fPIC compiler flag should be used. Without using -fPIC in this build setup there could be unexpected failures.
+- If compiling all code together (ie no separate wolfssl library) than the -fPIC compiler flag should be used. Without using -fPIC in this build setup there could be unexpected failures.
 - If building with ARMv8 crypto extensions then the compiler flags "-mstrict-align -mcpu=generic+crypto" must be used.
 - Check that enough stack and heap memory is set for the operations if a crash or stall happens.
 
@@ -20,14 +20,14 @@ To use this example project:
    - File->New->Platform Project
    - Setting "Project name" to standalone_bsp_0, then click "Next"
    - Select the "Create from hardware specification" radius and click "Next"
-   - "Browse..." to the desired XSA file for the hardare
+   - "Browse..." to the desired XSA file for the hardware
    - (optional) change Processor to R5 now
    - click "Finish"
 3. (optional) If building for TLS support than expand the standalone_bsp_0 project, double click on platform_spr, Expand the cpu (i.e psu_cortexa53_0), click on Board Support Package, select the "Modify BSP Settings..." box and click on lwip211. Note that the api_mode should be changed from RAW API to SOCKET API.
 4. Right click on the standalone_bsp_0 project and click on "Build Project"
 5. Import the wolfcrypt example project "File->Import->Eclipse workspace or zip file"
 6. Uncheck "Copy projects into workspace"
-7. Select the root directory of wolfssl/IDE/XilinxSDK/2019_2, and select wolfCrypt_example and wolfCrypt_example_system. Then click "Finish"
+7. Select the root directory of `wolfssl/IDE/XilinxSDK/2019_2`, and select `wolfCrypt_example` and `wolfCrypt_example_system`. Then click "Finish"
 
 
 # Steps For Creating Project From Scratch
@@ -37,7 +37,7 @@ To use this example project:
    - File->New->Platform Project
    - Setting "Project name" to standalone_bsp_0, then click "Next"
    - Select the "Create from hardware specification" radius and click "Next"
-   - "Browse..." to the desired XSA file for the hardare
+   - "Browse..." to the desired XSA file for the hardware
    - (optional) change Processor to R5 now
    - click "Finish"
 3. (optional) If building for TLS support than expand the standalone_bsp_0 project, double click on platform_spr, Expand the cpu (i.e psu_cortexa53_0), click on Board Support Package, select the "Modify BSP Settings..." box and click on lwip211. Note that the api_mode should be changed from RAW API to SOCKET API.
@@ -49,10 +49,10 @@ To use this example project:
 9. Expand the wolfCrypt_example project and right click on the folder "src".
 10. Select "Import Sources" and set the "From directory" to be the wolfssl root directory.
 11. Select the folders to import as ./src, ./IDE/XilinxSDK, ./wolfcrypt/benchmark, ./wolfcrypt/test, ./wolfcrypt/src
-12. (optional) Expand the Advanced tabe and select "Create links in workspace"
+12. (optional) Expand the Advanced table and select "Create links in workspace"
 13. Click on "Finish"
-14. Expand the wolfcrypt/src directory and exlude all .S files from the build
-15. Right click on the wolfCrypt_example project and got to Properties. Set the macro WOLFSSL_USER_SETTINGS in C/C++ Build->Settings->ARM v8 gcc compiler->Symbols
+14. Expand the wolfcrypt/src directory and exclude all .S files from the build
+15. Right click on the wolfCrypt_example project and got to Properties. Set the macro `WOLFSSL_USER_SETTINGS` in C/C++ Build->Settings->ARM v8 gcc compiler->Symbols
 16. Set the include path for finding user_settings.h by going to the Properties and setting it in C/C++ Build->Settings->ARM v8 gcc compiler->Directories. This is to the directory wolfssl/IDE/XilinxSDK
 17. Set the include path for finding wolfSSL headers. To the root directory wolfssl
 18. Add compiler flags "-fPIC -mstrict-align -mcpu=generic+crypto" to the project properties. C/C++ Build->Settings->ARM v8 gcc compiler->Miscellaneous

IDE/include.am

@@ -20,6 +20,7 @@ include IDE/CSBENCH/include.am
 include IDE/ECLIPSE/DEOS/include.am
 include IDE/ECLIPSE/MICRIUM/include.am
 include IDE/ECLIPSE/SIFIVE/include.am
+include IDE/ECLIPSE/RTTHREAD/include.am
 include IDE/mynewt/include.am
 include IDE/Renesas/e2studio/DK-S7G2/include.am
 include IDE/Renesas/cs+/Projects/include.am
@@ -36,3 +37,4 @@ include IDE/XilinxSDK/include.am
 
 EXTRA_DIST+= IDE/IAR-EWARM IDE/MDK-ARM IDE/MDK5-ARM IDE/MYSQL IDE/LPCXPRESSO IDE/HEXIWEAR IDE/Espressif IDE/zephyr
 EXTRA_DIST+= IDE/OPENSTM32/README.md
+EXTRA_DIST+= IDE/Espressif/ESP-IDF/setup_win.bat

INSTALL

@@ -17,44 +17,48 @@
     Use on the xcode project in IDE/iOS/wolfssl.xcodeproj
     There is a README in IDE/iOS with more information
 
-3. Building on Windows
+3. Building for Apple ARM64
+
+    When building for an Apple ARM64 platform, ensure the host CPU type is detected as "aarch64" during configure, if not, pass --host=aarch64-apple-darwin to configure.
+
+4. Building on Windows
 
     Use the 32bit Visual Studio Solution wolfssl.sln
     For a 64bit solution please use wolfssl64.sln
 
-4. Building with IAR
+5. Building with IAR
 
     Please see the README in IDE/IAR-EWARM for detailed instructions
 
-5. Building with Keil
+6. Building with Keil
 
     Please see the Keil Projects in IDE/MDK5-ARM/Projects
 
-6. Building with Microchip tools
+7. Building with Microchip tools
 
     Please see the README in mplabx
 
-7. Building with Freescale MQX
+8. Building with Freescale MQX
 
     Please see the README in mqx
 
-8. Building with Rowley CrossWorks for ARM
+9. Building with Rowley CrossWorks for ARM
 
     Use the CrossWorks project in IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp
     There is a README.md in IDE/ROWLEY-CROSSWORKS-ARM with more information
 
-9. Building with Arduino
+10. Building with Arduino
 
     Use the script IDE/ARDUINO/wolfssl-arduino.sh to reformat the wolfSSL
     library for compatibility with the Arduino IDE. There is a README.md in
     IDE/ARDUINO for detailed instructions.
 
-10. Building for Android with Visual Studio 2017
+11. Building for Android with Visual Studio 2017
 
     Please see the README in IDE/VS-ARM.
     Use the Visual Studio solution IDE/VS-ARM/wolfssl.sln.
 
-11. Building for Yocto Project or OpenEmbedded
+12. Building for Yocto Project or OpenEmbedded
 
     Please see the README in the "meta-wolfssl" repository. This repository
     holds wolfSSL's Yocto and OpenEmbedded layer, which contains recipes
@@ -68,35 +72,67 @@
 
     https://github.com/openembedded/meta-openembedded
 
-12. Porting to a new platform
+13. Porting to a new platform
 
     Please see section 2.4 in the manual:
     http://www.wolfssl.com/yaSSL/Docs-cyassl-manual-2-building-cyassl.html
 
-13. Building with CMake
-    Note: Primary development uses automake (./configure). The support for CMake is minimal.
+14. Building with CMake
+    Note: Primary development uses automake (./configure). The support for CMake
+    is still under development.
 
-    Internally cmake is setup to do the following:
-    1. Uses the ./configure generated wolfssl/options.h as the build options by coping it to the build directory as user_settings.h.
-    2. Builds wolfSSL as library.
-    3. Builds the examples.
+    For configuring wolfssl using CMake, we recommend downloading the CMake
+    GUI (https://cmake.org/download/). This tool allows you to see all of
+    wolfssl's configuration variables, set them, and view their descriptions.
+    Looking at the GUI or CMakeCache.txt (generated after running cmake once) is
+    the best way to find out what configuration options are available and what
+    they do. You can also invoke CMake from the GUI, which is described in the
+    Windows instructions below. For Unix-based systems, we describe the command
+    line work flow. Regardless of your chosen workflow, cmake will generate
+    a header options.h in the wolfssl directory that contains the options used
+    to configure the build.
 
-    Build Steps:
-    $ mkdir build
-    $ cd build
-    $ cmake ..
-    $ cmake --build .
-    $ cmake --install .
+    Unix-based Platforms
+    ---
+    1) Navigate to the wolfssl root directory containing "CMakeLists.txt".
+    2) Create a directory called "build" and change into it. This is where
+       CMake will store build files.
+    3) Run `cmake ..` to generate the target build files (e.g. UNIX Makefiles).
+       To enable or disable features, set them using -D<option>=[yes/no]. For
+       example, to disable TLS 1.3 support, run cmake .. -DWOLFSSL_TLS13=no
+       (autoconf equivalent: ./configure --disable-tls13) To enable DSA, run
+       cmake .. -DWOLFSSL_DSA=yes (autoconf equivalent: ./configure
+       --enable-dsa). Again, you can find a list of these options and their
+       descriptions either using the CMake GUI or by looking at CMakeCache.txt.
+    5) The build directory should now contain the generated build files. Build
+       with `cmake --build .`. Under the hood, this runs the target build tool
+       (by default, make). You can also invoke the target build tool directly
+       (e.g. make).
 
-    To build library only and not build examples and test apps use:
-    $ cmake .. -DBUILD_TESTS=NO
+       To build with debugging use: `cmake .. -DCMAKE_BUILD_TYPE=Debug`.
 
-    To build with debugging use:
-    $ cmake .. -DCMAKE_BUILD_TYPE=Debug
+    Windows (Visual Studio)
+    ---
+    1) Go to this page, download the appropriate Windows installer, and install
+       to get the CMake GUI: https://cmake.org/download/ Native CMake support in
+       Visual Studio 16 2019 (and possibly older versions) has proven buggy. We
+       recommend using the CMake GUI in concert with Visual Studio, as described
+    in these steps.
+    2) Open CMake.
+    3) Where is the soure code: <root directory of wolfssl containing
+       CMakeLists.txt>
+    4) Where to build the binaries: <build directory, e.g. wolfssl/build>
+    5) Hit Configure. CMake runs the code in CMakeLists.txt and builds up an
+       internal representation of the project.
+    6) Hit Generate. CMake generates the build files. For Windows, this will
+       be Visual Studio project (.vcxproj) and solution (.sln) files.
+    7) Open Visual Studio and select "Open a project or solution".
+    8) Navigate to the build directory and select wolfssl.sln to load the
+       project.
 
-    Make sure and run the built examples and test from the wolfssl-root to properly find the ./certs directory.
-
-    CMake on Windows with Visual Studio
-    1. Open Command Prompt
-    2. Run the Visual Studio batch to setup command line variables: Example: C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvars64.bat
-    3. Then use steps above
+    Windows (command line)
+    ---
+    1) Open Command Prompt
+    2) Run the Visual Studio batch to setup command line variables, e.g. C:\Program Files (x86)\Microsoft Visual   
+       Studio\2017\Community\VC\Auxiliary\Build\vcvars64.bat
+    3) Follow steps in "Unix-based Platforms" above.

Makefile.am

@@ -19,6 +19,9 @@ dist_doc_DATA=
 dist_noinst_SCRIPTS =
 noinst_SCRIPTS =
 check_SCRIPTS =
+noinst_DATA =
+SUBDIRS_OPT =
+DIST_SUBDIRS_OPT =
 
 #includes additional rules from aminclude.am
 @INC_AMINCLUDE@
@@ -149,6 +152,7 @@ EXTRA_DIST+= LPCExpresso.project
 EXTRA_DIST+= resource.h wolfssl.rc
 EXTRA_DIST+= CMakeLists.txt
 
+include cmake/include.am
 include wrapper/include.am
 include cyassl/include.am
 include wolfssl/include.am
@@ -167,6 +171,7 @@ include testsuite/include.am
 include tests/include.am
 include sslSniffer/sslSnifferTest/include.am
 include rpm/include.am
+include linuxkm/include.am
 
 # Exclude references to non-DFSG sources from build files
 if !BUILD_DISTRO
@@ -189,6 +194,31 @@ include IDE/include.am
 endif
 include scripts/include.am
 
+if BUILD_LINUXKM
+    # rather than setting $SUBDIRS here directly, we set an auxiliary variable.
+    # autotools see the SUBDIRS assignment here even if BUILD_LINUXKM is false,
+    # at least for purposes of recursing for "make distdir", which we don't want to happen.
+    SUBDIRS_OPT += linuxkm
+    DIST_SUBDIRS_OPT += linuxkm
+
+    export KERNEL_ROOT KERNEL_ARCH KERNEL_EXTRA_CFLAGS AM_CFLAGS CFLAGS AM_CCASFLAGS CCASFLAGS \
+        src_libwolfssl_la_OBJECTS ENABLED_CRYPT_TESTS ENABLED_ASM CFLAGS_FPU_DISABLE \
+        CFLAGS_FPU_ENABLE CFLAGS_SIMD_DISABLE CFLAGS_SIMD_ENABLE \
+        CFLAGS_AUTO_VECTORIZE_DISABLE CFLAGS_AUTO_VECTORIZE_ENABLE \
+        ASFLAGS_FPU_DISABLE_SIMD_ENABLE ASFLAGS_FPU_ENABLE_SIMD_DISABLE \
+        ASFLAGS_FPUSIMD_DISABLE ASFLAGS_FPUSIMD_ENABLE
+
+module:
+	+make -C linuxkm libwolfssl.ko
+
+clean_module:
+	+make -C linuxkm clean
+
+install_module modules_install:
+	+make -C linuxkm modules_install
+
+endif
+
 if USE_VALGRIND
 TESTS_ENVIRONMENT=./valgrind-error.sh
 endif
@@ -201,10 +231,14 @@ TESTS += $(check_SCRIPTS)
 
 test: check
 tests/unit.log: testsuite/testsuite.log
+scripts/unit.log: testsuite/testsuite.log
 
 DISTCLEANFILES+= cyassl-config
 DISTCLEANFILES+= wolfssl-config
 
+SUBDIRS=$(SUBDIRS_OPT)
+DIST_SUBDIRS=$(DIST_SUBDIRS_OPT)
+
 maintainer-clean-local:
 	-rm Makefile.in
 	-rm aclocal.m4

README

@@ -73,138 +73,155 @@ should be used for the enum name.
 *** end Notes ***
 
 
-# wolfSSL Release 4.5.0 (August 19, 2020)
+# wolfSSL Release 4.6.0 (December 22, 2020)
+Release 4.6.0 of wolfSSL embedded TLS has bug fixes and new features including:
 
-If you have questions about this release, feel free to contact us on our
-info@ address.
+### New Feature Additions
+###### New Build Options
+* wolfSSL now enables linux kernel module support. Big news for Linux kernel module developers with crypto requirements! wolfCrypt and wolfSSL are now loadable as modules in the Linux kernel, providing the entire libwolfssl API natively to other kernel modules. For the first time on Linux, the entire TLS protocol stack can be loaded as a module, allowing fully kernel-resident TLS/DTLS endpoints with in-kernel handshaking.  (--enable-linuxkm, --enable-linuxkm-defaults, --with-linux-source) (https://www.wolfssl.com/loading-wolfssl-into-the-linux-kernel/)
+* Build tests and updated instructions for use with Apple’s A12Z chipset  (https://www.wolfssl.com/preliminary-cryptographic-benchmarks-on-new-apple-a12z-bionic-platform/)
+* Expansion of wolfSSL SP math implementation and addition of --enable-sp-math-all build option
+* Apache httpd w/TLS 1.3 support added
+* Sniffer support for TLS 1.3 and AES CCM
+* Support small memory footprint build with only TLS 1.3 and PSK without code for (EC)DHE and certificates
 
-Release 4.5.0 of wolfSSL embedded TLS has bug fixes and new features including:
+###### New Hardware Acceleration
+* Added support for NXP DCP (i.MX RT1060/1062) crypto co-processor
+* Add Silicon Labs hardware acceleration using [SL SE Manager](https://docs.silabs.com/gecko-platform/latest/service/api/group-sl-se-manager)
 
-## New Feature Additions
+###### New Algorithms
+* RC2 ECB/CBC added for use with PKCS#12 bundles
+* XChaCha and the XChaCha20-Poly1305 AEAD algorithm support added
 
-* Added Xilinx Vitis 2019.2 example and README updates
-* TLS v1.3 is now enabled by default
-* Building FIPS 140-2 code and test on Solaris
-* Secure renegotiation with DTLS 1.2
-* Update RSA calls for hardware acceleration with Xilsecure
-* Additional OpenSSL compatibility layer functions added
-* Cypress PSoC6 wolfCrypt driver added
-* Added STM32CubeIDE support
-* Added certificate parsing and inspection to C# wrapper layer
-* TLS v1.3 sniffer support added
-* TSIP v1.09 for target board GR-ROSE support added
-* Added support for the "X72N Envision Kit" evaluation board
-* Support for ECC nonblocking using the configure options
-  "--enable-ecc=nonblock --enable-sp=yes,nonblock CFLAGS=-DWOLFSSL_PUBLIC_MP"
-* Added wc_curve25519_make_pub function to generate a public key given the
-  private one
+###### Misc
+* Added support for 802.11Q VLAN frames to sniffer
+* Added OCSP function wolfSSL_get_ocsp_producedDate
+* Added API to set CPU ID flags cpuid_select_flags, cpuid_set_flag, cpuid_clear_flag
+* New DTLS/TLS non-blocking Secure Renegotiation example added to server.c and client.c
 
-## Fixes
+### Fixes
+###### Math Library
+* Fix mp_to_unsigned_bin_len out of bounds read with buffers longer than maximum MP
+* Fix for fp_read_radix_16 out of bounds read
+* Fix to add wrapper for new timing resistant wc_ecc_mulmod_ex2 function version in HW ECC acceleration
+* Handle an edge case with RSA-PSS encoding message to hash
 
-* PIC32MZ hardware cache and large hashes fix
-* AES-GCM use with EVP layer in compatibility layer code
-* Fix for RSA_LOW_MEM with ARM build of SP code
-* Sanity check on tag length with AES-CCM to conform with RFC 3610
-* Fixes for 32 and 64 bit software implementations of SP code when
-  WOLFSSL_SP_CACHE_RESISTANT is defined
-* GCC warning fixes for GCC 9 and later
-* Sanity check on HKDF expand length to conform with RFC 5869
-* Fixes for STM32 CubeMX HAL with AES-GCM
-* Fixed point cache look up table (LUT) implementation fixes
-* Fix for ARM 32bit SP code when calling div word
-* Fix for potential out of bounds read when parsing CRLs
-* Fix for potential out of bounds read with RSA unpadding
-* AES-CCM optimized counter fix
-* Updates to Xcode projects for new files and features
-* Fix for adding CRL’s to a WOLFSSL_X509_STORE structure
-* FIPSv2 build with opensslall build fixes
-* Fixes for CryptoCell use with ECC and signature wrappers
-* Fix for mod calculation with SP code dealing with 3072 bit keys
-* Fix for handling certificates with multiple OU’s in name
-* Fix for SP math implementation of sp_add_d and add a sanity check on
-  rshb range
-* Fix for sanity check on padding with DES3 conversion of PEM to DER
-* Sanity check for potential out of bounds read with fp_read_radix_16
-* Additional checking of ECC scalars.
-* Fixing the FIPS Ready build w.r.t. ecc.c.
-* When processing certificate names with OpenSSL compatibility layer
-  enabled, unknown name item types were getting handled as having NID 0,
-  and failing. Added a couple more items to what is handled correctly,
-  and ignoring anything that is an unknown type.
+###### Compatibility Layer Fixes
+* Fix for setting serial number wolfSSL_X509_set_serialNumber
+* Fix for setting ASN1 time not before / not after with WOLFSSL_X509
+* Fix for order of components in issuer name when using X509_sign
+* Fix for compatibility layer API DH_compute_key
+* EVP fix incorrect block size for GCM and buffer up AAD for encryption/decryption
+* EVP fix for AES-XTS key length return value and fix for string compare calls
+* Fix for mutex freeing during RNG failure case with EVP_KEY creation
+* Non blocking use with compatibility layer BIOs in TLS connections
 
-## Improvements/Optimizations
+###### Build Configuration
+* Fix for custom build with WOLFSSL_USER_MALLOC defined
+* ED448 compiler warning on Intel 32bit systems
+* CURVE448_SMALL build fix for 32bit systems with Curve448
+* Fix to build SP math with IAR
+* CMake fix to only set ranlib arguments for Mac, and for stray typo of , -> ;
+* Build with --enable-wpas=small fix
+* Fix for building fips ready using openssl extra
+* Fixes for building with Microchip (min/max and undef SHA_BLOCK_SIZE)
+* FIx for NO_FILESYSTEM build on Windows
+* Fixed SHA256 support for IMX-RT1060
+* Fix for ECC key gen with NO_TFM_64BIT
 
-* TLS 1.3 certificate verify update to handle 8192 bit RSA keys
-* wpa_supplicant support with reduced code size option
-* TLS 1.3 alerts encrypted when possible
-* Many minor coverity fixes added
-* Error checking when parsing PKCS12 DER
-* IAR warning in test.c resolved
-* ATECC608A improvements for use with Harmony 3 and PIC32 MZ
-* Support for AES-GCM and wc_SignatureVerifyHash with static memory and no
-  malloc’s
-* Enable SNI by default with JNI/JSSE builds
-* NetBSD GCC compiler warnings resolved
-* Additional test cases and code coverage added including curve25519 and
-  curve448 tests
-* Option for user defined mutexes with WOLFSSL_USER_MUTEX
-* Sniffer API’s for loading buffer directly
-* Fixes and improvements from going through the DO-178 process were added
-* Doxygen updates and fixes for auto documentation generation
-* Changed the configure option for FIPS Ready builds to be
-  `--enable-fips=ready`.
+###### Sniffer
+* Fixes for sniffer when using static ECC keys. Adds back TLS v1.2 static ECC key fallback detection and fixes new ECC RNG requirement for timing resistance
+* Fix for sniffer with SNI enabled to properly handle WOLFSSL_SUCCESS error code in ProcessClientHello
+* Fix for sniffer using HAVE_MAX_FRAGMENT in "certificate" type message
+* Fix build error with unused "ret" when building with WOLFSSL_SNIFFER_WATCH.
+* Fix to not treat cert/key not found as error in myWatchCb and WOLFSSL_SNIFFER_WATCH.
+* Sniffer fixes for handling TCP `out-of-range sequence number`
+* Fixes SSLv3 use of ECDH in sniffer
 
-## This release of wolfSSL includes fixes for 6 security vulnerabilities.
+###### PKCS
+* PKCS#11 fix to generate ECC key for decrypt/sign or derive
+* Fix for resetting internal variables when parsing a malformed PKCS#7 bundle with PKCS7_VerifySignedData()
+* Verify the extracted public key in wc_PKCS7_InitWithCert
+* Fix for internal buffer size when using decompression with PKCS#7
 
-wolfSSL version 4.5.0 contains 6 vulnerability fixes: 2 fixes for TLS 1.3,
-2 side channel attack mitigations, 1 fix for a potential private key leak
-in a specific use case, 1 fix for DTLS.
+###### Misc
+* Pin the C# verify callback function to keep from garbage collection
+* DH fixes for when public key is owned and free’d after a handshake
+* Fix for TLS 1.3 early data packets
+* Fix for STM32 issue with some Cube HAL versions and STM32 example timeout
+* Fix mmCAU and LTC hardware mutex locking to prevent double lock
+* Fix potential race condition with CRL monitor
+* Fix for possible malformed encrypted key with 3DES causing negative length
+* AES-CTR performance fixed with AES-NI
 
-* In earlier versions of wolfSSL there exists a potential man in the middle
-  attack on TLS 1.3 clients. Malicious attackers with a privileged network
-  position can impersonate TLS 1.3 servers and bypass authentication. Users
-  that have applications with client side code and have TLS 1.3 turned on,
-  should update to the latest version of wolfSSL. Users that do not have
-  TLS 1.3 turned on, or that are server side only, are NOT affected by this
-  report. Thanks to Gerald Doussot from NCC group for the report.
-* Denial of service attack on TLS 1.3 servers from repetitively sending
-  ChangeCipherSpecs messages. This denial of service results from the
-  relatively low effort of sending a ChangeCipherSpecs message versus the
-  effort of the server to process that message. Users with TLS 1.3 servers are
-  recommended to update to the most recent version of wolfSSL which limits the
-  number of TLS 1.3 ChangeCipherSpecs that can be received in order to avoid
-  this DoS attack. CVE-2020-12457 was reserved for the report. Thanks to
-  Lenny Wang of Tencent Security Xuanwu LAB.
-* Potential cache timing attacks on public key operations in builds that are
-  not using SP (single precision). Users that have a system where malicious
-  agents could execute code on the system, are not using the SP build with
-  wolfSSL, and are doing private key operations on the system (such as signing
-  with a private key) are recommended to regenerate private keys and update to
-  the most recent version of wolfSSL. CVE-2020-15309 is reserved for this
-  issue. Thanks to Ida Bruhns from Universität zu Lübeck for the report.
-* When using SGX with EC scalar multiplication the possibility of side-channel
-  attacks are present. To mitigate the risk of side channel attacks wolfSSL’s
-  single precision EC operations should be used instead. Release 4.5.0 turns
-  this on be default now with SGX builds and in previous versions of wolfSSL
-  this can be turned on by using the WOLFSSL_SP macros. Thank you to
-  Alejandro Cabrera Aldaya, Cesar Pereida García and Billy Bob Brumley from
-  the Network and Information Security Group (NISEC) at Tampere University for
-  the report.
-* Leak of private key in the case that PEM format private keys are bundled in
-  with PEM certificates into a single file. This is due to the
-  misclassification of certificate type versus private key type when parsing
-  through the PEM file. To be affected, wolfSSL would need to have been built
-  with OPENSSL_EXTRA (--enable-opensslextra). Some build variants such as
-  --enable-all and --enable-opensslall also turn on this code path, checking
-  wolfssl/options.h for OPENSSL_EXTRA will show if the macro was used with the
-  build. If having built with the opensslextra enable option and having placed
-  PEM certificates with PEM private keys in the same file when loading up the
-  certificate file, then we recommend updating wolfSSL for this use case and
-  also recommend regenerating any private keys in the file.
-* During the handshake, clear application_data messages in epoch 0 are
-  processed and returned to the application. Fixed by dropping received
-  application_data messages in epoch 0. Thank you to Paul Fiterau of Uppsala
-  University and Robert Merget of Ruhr-University Bochum for the report.
+### Improvements/Optimizations
+##### SP and Math
+* mp_radix_size adjustment for leading 0
+* Resolve implicit cast warnings with SP build
+* Change mp_sqr to return an error if the result won't fit into the fixed length dp
+* ARM64 assembly with clang improvements, clang doesn't always handle use of x29 (FP or Frame Pointer) in inline assembly code correctly - reworked sp_2048_sqr_8 to not use x29
+* SP mod exp changed to support exponents of different lengths
+* TFM div: fix initial value of size in q so clamping doesn't OOB read
+* Numerous stack depth improvements with --enable-smallstack
+* Improve cache resistance with Base64 operations
+
+###### TLS 1.3
+* TLS 1.3 wolfSSL_peek want read return addition
+* TLS 1.3: Fix P-521 algorithm matching
+
+###### PKCS
+* Improvements and refactoring to PKCS#11 key look up
+* PKCS #11 changes for signing and loading RSA public key from private
+* check PKCS#7 SignedData private key is valid before using it
+* check PKCS#7 VerifySignedData content length against total bundle size to avoid large malloc
+
+###### Compatibility Layer
+* EVP add block size for more ciphers in wolfSSL_EVP_CIPHER_block_size()
+* Return long names instead of short names in wolfSSL_OBJ_obj2txt()
+* Add additional OpenSSL compatibility functions to update the version of Apache httpd supported
+* add "CCM8" variants to cipher_names "CCM-8" ciphers, for OpenSSL compat
+
+###### Builds
+* Cortex-M SP ASM support for IAR 6.70
+* STM Cube pack support (IDE/STM32Cube)
+* Build option --enable-aesgcm=4bit added for AES-GCM GMULT using 4 bit table
+* Xilinx IDE updates to allow XTIME override for Xilinx, spelling fixes in Xilinx README.md, and add Xilinx SDK printf support
+* Added ED448 to the "all" options and ED448 check key null argument sanity check
+* Added ARC4, 3DES, nullcipher, BLAKE2, BLAKE2s, XChaCha, MD2, and MD4 to the “all” options
+* Added an --enable-all-crypto option, to enable only the wolfCrypt features of --enable-all, combinable with --enable-cryptonly
+* Added the ability to selectively remove features from --enable-all and --enable-all-crypto using specific --disable-<feature> options
+* Use Intel intrinsics with Windows for RDSEED and RDRAND (thanks to dr-m from MariaDB)
+* Add option to build with WOLFSSL_NO_CLIENT_AUTH
+* Updated build requirements for wolfSSH use to be less restrictive
+* lighttpd support update for v1.4.56
+* Added batch file to copy files to ESP-IDF folders and resolved warnings when using v4.0 ESP-IDF
+* Added --enable-stacksize=verbose, showing at a glance the stack high water mark for each subtest in testwolfcrypt
+
+###### ECC
+* Performance increase for ECC verify only, using non constant time SP modinv
+* During ECC verify add validation of r and s before any use
+* Always use safe add and dbl with ECC
+* Timing resistant scalar multiplication updated with use of Joye double-add ladder
+* Update mp_jacobi function to reduce stack and increase performance for base ECC build
+* Reduce heap memory use with wc_EccPrivateKeyDecode, Improvement to ECC wc_ecc_sig_to_rs and wc_ecc_rs_raw_to_sig to reduce memory use (avoid the mp_int)
+* Improve StoreECC_DSA_Sig bounds checking
+
+###### OCSP
+* OCSP improvement to handle extensions in singleResponse
+* support for OCSP request/response for multiple certificates
+* OCSP Must Staple option added to require OCSP stapling response
+* Add support for id-pkix-ocsp-nocheck extension
+
+###### Misc
+* Additional code coverage added for ECC and RSA, PKCS#7, 3DES, EVP and Blake2b operations
+* DTLS MTU: check MTU on write
+* Refactor hash sig selection and add the macros WOLFSSL_STRONGEST_HASH_SIG (picks the strongest hash) and WOLFSSL_ECDSA_MATCH_HASH (will pick the hash to match the ECC curve)
+* Strict certificate version allowed from client, TLS 1.2 / 1.3 can not accept client certificates lower than version 3
+* wolfSSL_get_ciphers_compat(), skip the fake indicator ciphers like the renegotiation indication and the quantum-safe hybrid
+* When parsing session ticket, check TLS version to see whether they are version compatible
+* Additional sanity check for invalid ASN1 padding on integer type
+* Adding in ChaCha20 streaming feature with Mac and Intel assembly build
+* Sniffer build with --enable-oldtls option on
 
 For additional vulnerability information visit the vulnerability page at
 https://www.wolfssl.com/docs/security-vulnerabilities/

README.md

@@ -73,138 +73,156 @@ should be used for the enum name.
 *** end Notes ***
 
 
-# wolfSSL Release 4.5.0 (August 19, 2020)
+# wolfSSL Release 4.6.0 (December 22, 2020)
+Release 4.6.0 of wolfSSL embedded TLS has bug fixes and new features including:
 
-If you have questions about this release, feel free to contact us on our
-info@ address.
+### New Feature Additions
+###### New Build Options
+* wolfSSL now enables linux kernel module support. Big news for Linux kernel module developers with crypto requirements! wolfCrypt and wolfSSL are now loadable as modules in the Linux kernel, providing the entire libwolfssl API natively to other kernel modules. For the first time on Linux, the entire TLS protocol stack can be loaded as a module, allowing fully kernel-resident TLS/DTLS endpoints with in-kernel handshaking.  (--enable-linuxkm, --enable-linuxkm-defaults, --with-linux-source) (https://www.wolfssl.com/loading-wolfssl-into-the-linux-kernel/)
+* Build tests and updated instructions for use with Apple’s A12Z chipset  (https://www.wolfssl.com/preliminary-cryptographic-benchmarks-on-new-apple-a12z-bionic-platform/)
+* Expansion of wolfSSL SP math implementation and addition of --enable-sp-math-all build option
+* Apache httpd w/TLS 1.3 support added
+* Sniffer support for TLS 1.3 and AES CCM
+* Support small memory footprint build with only TLS 1.3 and PSK without code for (EC)DHE and certificates
 
-Release 4.5.0 of wolfSSL embedded TLS has bug fixes and new features including:
+###### New Hardware Acceleration
+* Added support for NXP DCP (i.MX RT1060/1062) crypto co-processor
+* Add Silicon Labs hardware acceleration using [SL SE Manager](https://docs.silabs.com/gecko-platform/latest/service/api/group-sl-se-manager)
 
-## New Feature Additions
+###### New Algorithms
+* RC2 ECB/CBC added for use with PKCS#12 bundles
+* XChaCha and the XChaCha20-Poly1305 AEAD algorithm support added
 
-* Added Xilinx Vitis 2019.2 example and README updates
-* TLS v1.3 is now enabled by default
-* Building FIPS 140-2 code and test on Solaris
-* Secure renegotiation with DTLS 1.2
-* Update RSA calls for hardware acceleration with Xilsecure
-* Additional OpenSSL compatibility layer functions added
-* Cypress PSoC6 wolfCrypt driver added
-* Added STM32CubeIDE support
-* Added certificate parsing and inspection to C# wrapper layer
-* TLS v1.3 sniffer support added
-* TSIP v1.09 for target board GR-ROSE support added
-* Added support for the "X72N Envision Kit" evaluation board
-* Support for ECC nonblocking using the configure options
-  "--enable-ecc=nonblock --enable-sp=yes,nonblock CFLAGS=-DWOLFSSL_PUBLIC_MP"
-* Added wc_curve25519_make_pub function to generate a public key given the
-  private one
+###### Misc
+* Added support for 802.11Q VLAN frames to sniffer
+* Added OCSP function wolfSSL_get_ocsp_producedDate
+* Added API to set CPU ID flags cpuid_select_flags, cpuid_set_flag, cpuid_clear_flag
+* New DTLS/TLS non-blocking Secure Renegotiation example added to server.c and client.c
 
-## Fixes
+### Fixes
+###### Math Library
+* Fix mp_to_unsigned_bin_len out of bounds read with buffers longer than maximum MP
+* Fix for fp_read_radix_16 out of bounds read
+* Fix to add wrapper for new timing resistant wc_ecc_mulmod_ex2 function version in HW ECC acceleration
+* Handle an edge case with RSA-PSS encoding message to hash
 
-* PIC32MZ hardware cache and large hashes fix
-* AES-GCM use with EVP layer in compatibility layer code
-* Fix for RSA_LOW_MEM with ARM build of SP code
-* Sanity check on tag length with AES-CCM to conform with RFC 3610
-* Fixes for 32 and 64 bit software implementations of SP code when
-  WOLFSSL_SP_CACHE_RESISTANT is defined
-* GCC warning fixes for GCC 9 and later
-* Sanity check on HKDF expand length to conform with RFC 5869
-* Fixes for STM32 CubeMX HAL with AES-GCM
-* Fixed point cache look up table (LUT) implementation fixes
-* Fix for ARM 32bit SP code when calling div word
-* Fix for potential out of bounds read when parsing CRLs
-* Fix for potential out of bounds read with RSA unpadding
-* AES-CCM optimized counter fix
-* Updates to Xcode projects for new files and features
-* Fix for adding CRL’s to a WOLFSSL_X509_STORE structure
-* FIPSv2 build with opensslall build fixes
-* Fixes for CryptoCell use with ECC and signature wrappers
-* Fix for mod calculation with SP code dealing with 3072 bit keys
-* Fix for handling certificates with multiple OU’s in name
-* Fix for SP math implementation of sp_add_d and add a sanity check on
-  rshb range
-* Fix for sanity check on padding with DES3 conversion of PEM to DER
-* Sanity check for potential out of bounds read with fp_read_radix_16
-* Additional checking of ECC scalars.
-* Fixing the FIPS Ready build w.r.t. ecc.c.
-* When processing certificate names with OpenSSL compatibility layer
-  enabled, unknown name item types were getting handled as having NID 0,
-  and failing. Added a couple more items to what is handled correctly,
-  and ignoring anything that is an unknown type.
+###### Compatibility Layer Fixes
+* Fix for setting serial number wolfSSL_X509_set_serialNumber
+* Fix for setting ASN1 time not before / not after with WOLFSSL_X509
+* Fix for order of components in issuer name when using X509_sign
+* Fix for compatibility layer API DH_compute_key
+* EVP fix incorrect block size for GCM and buffer up AAD for encryption/decryption
+* EVP fix for AES-XTS key length return value and fix for string compare calls
+* Fix for mutex freeing during RNG failure case with EVP_KEY creation
+* Non blocking use with compatibility layer BIOs in TLS connections
 
-## Improvements/Optimizations
+###### Build Configuration
+* Fix for custom build with WOLFSSL_USER_MALLOC defined
+* ED448 compiler warning on Intel 32bit systems
+* CURVE448_SMALL build fix for 32bit systems with Curve448
+* Fix to build SP math with IAR
+* CMake fix to only set ranlib arguments for Mac, and for stray typo of , -> ;
+* Build with --enable-wpas=small fix
+* Fix for building fips ready using openssl extra
+* Fixes for building with Microchip (min/max and undef SHA_BLOCK_SIZE)
+* FIx for NO_FILESYSTEM build on Windows
+* Fixed SHA256 support for IMX-RT1060
+* Fix for ECC key gen with NO_TFM_64BIT
 
-* TLS 1.3 certificate verify update to handle 8192 bit RSA keys
-* wpa_supplicant support with reduced code size option
-* TLS 1.3 alerts encrypted when possible
-* Many minor coverity fixes added
-* Error checking when parsing PKCS12 DER
-* IAR warning in test.c resolved
-* ATECC608A improvements for use with Harmony 3 and PIC32 MZ
-* Support for AES-GCM and wc_SignatureVerifyHash with static memory and no
-  malloc’s
-* Enable SNI by default with JNI/JSSE builds
-* NetBSD GCC compiler warnings resolved
-* Additional test cases and code coverage added including curve25519 and
-  curve448 tests
-* Option for user defined mutexes with WOLFSSL_USER_MUTEX
-* Sniffer API’s for loading buffer directly
-* Fixes and improvements from going through the DO-178 process were added
-* Doxygen updates and fixes for auto documentation generation
-* Changed the configure option for FIPS Ready builds to be
-  `--enable-fips=ready`.
+###### Sniffer
+* Fixes for sniffer when using static ECC keys. Adds back TLS v1.2 static ECC key fallback detection and fixes new ECC RNG requirement for timing resistance
+* Fix for sniffer with SNI enabled to properly handle WOLFSSL_SUCCESS error code in ProcessClientHello
+* Fix for sniffer using HAVE_MAX_FRAGMENT in "certificate" type message
+* Fix build error with unused "ret" when building with WOLFSSL_SNIFFER_WATCH.
+* Fix to not treat cert/key not found as error in myWatchCb and WOLFSSL_SNIFFER_WATCH.
+* Sniffer fixes for handling TCP `out-of-range sequence number`
+* Fixes SSLv3 use of ECDH in sniffer
 
-## This release of wolfSSL includes fixes for 6 security vulnerabilities.
+###### PKCS
+* PKCS#11 fix to generate ECC key for decrypt/sign or derive
+* Fix for resetting internal variables when parsing a malformed PKCS#7 bundle with PKCS7_VerifySignedData()
+* Verify the extracted public key in wc_PKCS7_InitWithCert
+* Fix for internal buffer size when using decompression with PKCS#7
 
-wolfSSL version 4.5.0 contains 6 vulnerability fixes: 2 fixes for TLS 1.3,
-2 side channel attack mitigations, 1 fix for a potential private key leak
-in a specific use case, 1 fix for DTLS.
+###### Misc
+* Pin the C# verify callback function to keep from garbage collection
+* DH fixes for when public key is owned and free’d after a handshake
+* Fix for TLS 1.3 early data packets
+* Fix for STM32 issue with some Cube HAL versions and STM32 example timeout
+* Fix mmCAU and LTC hardware mutex locking to prevent double lock
+* Fix potential race condition with CRL monitor
+* Fix for possible malformed encrypted key with 3DES causing negative length
+* AES-CTR performance fixed with AES-NI
+
+### Improvements/Optimizations
+##### SP and Math
+* mp_radix_size adjustment for leading 0
+* Resolve implicit cast warnings with SP build
+* Change mp_sqr to return an error if the result won't fit into the fixed length dp
+* ARM64 assembly with clang improvements, clang doesn't always handle use of x29 (FP or Frame Pointer) in inline assembly code correctly - reworked sp_2048_sqr_8 to not use x29
+* SP mod exp changed to support exponents of different lengths
+* TFM div: fix initial value of size in q so clamping doesn't OOB read
+* Numerous stack depth improvements with --enable-smallstack
+* Improve cache resistance with Base64 operations
+
+###### TLS 1.3
+* TLS 1.3 wolfSSL_peek want read return addition
+* TLS 1.3: Fix P-521 algorithm matching
+
+###### PKCS
+* Improvements and refactoring to PKCS#11 key look up
+* PKCS #11 changes for signing and loading RSA public key from private
+* check PKCS#7 SignedData private key is valid before using it
+* check PKCS#7 VerifySignedData content length against total bundle size to avoid large malloc
+
+###### Compatibility Layer
+* EVP add block size for more ciphers in wolfSSL_EVP_CIPHER_block_size()
+* Return long names instead of short names in wolfSSL_OBJ_obj2txt()
+* Add additional OpenSSL compatibility functions to update the version of Apache httpd supported
+* add "CCM8" variants to cipher_names "CCM-8" ciphers, for OpenSSL compat
+
+###### Builds
+* Cortex-M SP ASM support for IAR 6.70
+* STM Cube pack support (IDE/STM32Cube)
+* Build option --enable-aesgcm=4bit added for AES-GCM GMULT using 4 bit table
+* Xilinx IDE updates to allow XTIME override for Xilinx, spelling fixes in Xilinx README.md, and add Xilinx SDK printf support
+* Added ED448 to the "all" options and ED448 check key null argument sanity check
+* Added ARC4, 3DES, nullcipher, BLAKE2, BLAKE2s, XChaCha, MD2, and MD4 to the “all” options
+* Added an --enable-all-crypto option, to enable only the wolfCrypt features of --enable-all, combinable with --enable-cryptonly
+* Added the ability to selectively remove features from --enable-all and --enable-all-crypto using specific --disable-<feature> options
+* Use Intel intrinsics with Windows for RDSEED and RDRAND (thanks to dr-m from MariaDB)
+* Add option to build with WOLFSSL_NO_CLIENT_AUTH
+* Updated build requirements for wolfSSH use to be less restrictive
+* lighttpd support update for v1.4.56
+* Added batch file to copy files to ESP-IDF folders and resolved warnings when using v4.0 ESP-IDF
+* Added --enable-stacksize=verbose, showing at a glance the stack high water mark for each subtest in testwolfcrypt
+
+###### ECC
+* Performance increase for ECC verify only, using non constant time SP modinv
+* During ECC verify add validation of r and s before any use
+* Always use safe add and dbl with ECC
+* Timing resistant scalar multiplication updated with use of Joye double-add ladder
+* Update mp_jacobi function to reduce stack and increase performance for base ECC build
+* Reduce heap memory use with wc_EccPrivateKeyDecode, Improvement to ECC wc_ecc_sig_to_rs and wc_ecc_rs_raw_to_sig to reduce memory use (avoid the mp_int)
+* Improve StoreECC_DSA_Sig bounds checking
+
+###### OCSP
+* OCSP improvement to handle extensions in singleResponse
+* support for OCSP request/response for multiple certificates
+* OCSP Must Staple option added to require OCSP stapling response
+* Add support for id-pkix-ocsp-nocheck extension
+
+###### Misc
+* Additional code coverage added for ECC and RSA, PKCS#7, 3DES, EVP and Blake2b operations
+* DTLS MTU: check MTU on write
+* Refactor hash sig selection and add the macros WOLFSSL_STRONGEST_HASH_SIG (picks the strongest hash) and WOLFSSL_ECDSA_MATCH_HASH (will pick the hash to match the ECC curve)
+* Strict certificate version allowed from client, TLS 1.2 / 1.3 can not accept client certificates lower than version 3
+* wolfSSL_get_ciphers_compat(), skip the fake indicator ciphers like the renegotiation indication and the quantum-safe hybrid
+* When parsing session ticket, check TLS version to see whether they are version compatible
+* Additional sanity check for invalid ASN1 padding on integer type
+* Adding in ChaCha20 streaming feature with Mac and Intel assembly build
+* Sniffer build with --enable-oldtls option on
 
-* In earlier versions of wolfSSL there exists a potential man in the middle
-  attack on TLS 1.3 clients. Malicious attackers with a privileged network
-  position can impersonate TLS 1.3 servers and bypass authentication. Users
-  that have applications with client side code and have TLS 1.3 turned on,
-  should update to the latest version of wolfSSL. Users that do not have
-  TLS 1.3 turned on, or that are server side only, are NOT affected by this
-  report. Thanks to Gerald Doussot from NCC group for the report.
-* Denial of service attack on TLS 1.3 servers from repetitively sending
-  ChangeCipherSpecs messages. This denial of service results from the
-  relatively low effort of sending a ChangeCipherSpecs message versus the
-  effort of the server to process that message. Users with TLS 1.3 servers are
-  recommended to update to the most recent version of wolfSSL which limits the
-  number of TLS 1.3 ChangeCipherSpecs that can be received in order to avoid
-  this DoS attack. CVE-2020-12457 was reserved for the report. Thanks to
-  Lenny Wang of Tencent Security Xuanwu LAB.
-* Potential cache timing attacks on public key operations in builds that are
-  not using SP (single precision). Users that have a system where malicious
-  agents could execute code on the system, are not using the SP build with
-  wolfSSL, and are doing private key operations on the system (such as signing
-  with a private key) are recommended to regenerate private keys and update to
-  the most recent version of wolfSSL. CVE-2020-15309 is reserved for this
-  issue. Thanks to Ida Bruhns from Universität zu Lübeck for the report.
-* When using SGX with EC scalar multiplication the possibility of side-channel
-  attacks are present. To mitigate the risk of side channel attacks wolfSSL’s
-  single precision EC operations should be used instead. Release 4.5.0 turns
-  this on be default now with SGX builds and in previous versions of wolfSSL
-  this can be turned on by using the WOLFSSL_SP macros. Thank you to
-  Alejandro Cabrera Aldaya, Cesar Pereida García and Billy Bob Brumley from
-  the Network and Information Security Group (NISEC) at Tampere University for
-  the report.
-* Leak of private key in the case that PEM format private keys are bundled in
-  with PEM certificates into a single file. This is due to the
-  misclassification of certificate type versus private key type when parsing
-  through the PEM file. To be affected, wolfSSL would need to have been built
-  with OPENSSL_EXTRA (--enable-opensslextra). Some build variants such as
-  --enable-all and --enable-opensslall also turn on this code path, checking
-  wolfssl/options.h for OPENSSL_EXTRA will show if the macro was used with the
-  build. If having built with the opensslextra enable option and having placed
-  PEM certificates with PEM private keys in the same file when loading up the
-  certificate file, then we recommend updating wolfSSL for this use case and
-  also recommend regenerating any private keys in the file.
-* During the handshake, clear application_data messages in epoch 0 are
-  processed and returned to the application. Fixed by dropping received
-  application_data messages in epoch 0. Thank you to Paul Fiterau of Uppsala
-  University and Robert Merget of Ruhr-University Bochum for the report.
 
 For additional vulnerability information visit the vulnerability page at
 https://www.wolfssl.com/docs/security-vulnerabilities/

certs/check_dates.sh

@@ -0,0 +1,143 @@
+#!/bin/sh
+
+# Whether a certificate or CRLs needs updating
+expired=0
+# Default to checking expiry within 6 months
+offset="+6 months"
+
+# First command line argument is the new expiry time
+if [ "$1" != "" ]
+then
+    offset=$1
+fi
+
+# Certificates that are expired and are intentionally or irrelevantly so.
+exp_expired="\
+/test/crit-cert.pem \
+/test/expired/expired-cert.pem \
+/test/expired/expired-ca.pem \
+/test/expired/expired-cert.der \
+/test/expired/expired-ca.der \
+/certeccrsa.pem \
+/certeccrsa.der
+"
+
+# Files that are not certificates or CRLs put get matched anyway
+ignore="\
+/test/cert-ext-ns.der \
+/rsa3072.der \
+/rsa2048.der \
+/1024/rsa1024.der \
+"
+
+# Get the date offset from now - earliest expiry - in seconds
+earliest=`date -d "$offset" +%s`
+
+# Compare the date with earliest allowed expiry.
+#
+# $1  Name of file being checked.
+# $2  Expiry date in file (notAfter or nextUpdate).
+check_expiry() {
+    # Convert date to a number of seconds
+    expiry=`date -d "$2" +%s`
+
+    # Check expiry is not too soon
+    if [ $expiry -lt $earliest ]
+    then
+        # Reset result
+        result=expired
+        # Ignore files that are expected to be expired
+        for exp in $exp_expired
+        do
+            case $1 in
+            *$exp)
+                result=ignore
+                break
+                ;;
+            esac
+        done
+        # Report any unexpected expiries
+        if [ "$result" = "expired" ]
+        then
+            echo "$1 expires at:"
+            echo "    '$2' (< $offset)"
+            expired=1
+        fi
+    fi
+}
+
+# Check file expiry.
+#
+# The file is of any format.
+# Try to guess from name what it is.
+#
+# $1       Name of file to check
+# $inform  Command line argument to use with openssl for input file format
+check_file() {
+    # Check file is not in list of files to ignore
+    for i in $ignore
+    do
+        case $1 in
+        *$i)
+            return
+            ;;
+        esac
+    done
+
+    # Use pattern matching to guess format
+    case $1 in
+    *key*) ;;
+    *dh*) ;;
+    *params*) ;;
+    *priv*) ;;
+    *pub*) ;;
+    *dsa*) ;;
+    *crl*)
+        # Get the nextUpdate field from the CRL
+        next_update=`openssl crl -in $file $inform -noout -nextupdate 2>&1`
+        if [ "$?" != "0" ]
+        then
+            # Didn't work so report failure
+            echo "$file not a crl"
+        else
+            # Get the date after the equal sign and check file
+            next_update="${next_update#*=}"
+            check_expiry $file "$next_update"
+        fi
+        ;;
+    *)
+        # Get the notAfter field from the certificate
+        not_after=`openssl x509 -in $file $inform -noout -enddate 2>&1`
+        if [ "$?" != "0" ]
+        then
+            # Didn't work, maybe wasn't a certificate, so report failure
+            echo "$file not a certificate"
+        else
+            # Get the date after the equal sign and check file
+            not_after="${not_after#*=}"
+            check_expiry $file "$not_after"
+        fi
+        ;;
+    esac
+}
+
+# Check all PEM files
+inform="-inform PEM"
+pem_files=`find . -name '*.pem'`
+for file in $pem_files
+do
+    check_file $file
+done
+
+# Check all DER files
+inform="-inform DER"
+der_files=`find . -name '*.der'`
+for file in $der_files
+do
+    check_file $file
+done
+
+# Return result of check
+# 0 on success
+# 1 on failure
+return $expired

certs/csr.dsa.pem

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICSjCCAgcCAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCAbcwggEsBgcqhkjO
+OAQBMIIBHwKBgQDN3iVogFMN5XfW0pA5P5CiPzOUbuhPK2OrMKsVuhHqil2NzLjU
+odXBR51ac2piSdEGB2f2L6M5vU4NtNMiI4TskyZaSe58iUhmTejo2FD7pXGfIhjl
+5gtGh2buUo9GT7UDzu3jvuW1gdJZ6cCtTdBNJve6UOjJj/4kGT0up1I8bQIVAPtH
+++yBIMgc6Uq6BG8Zm5TugmfTAoGBAJuVu4XFWEoynKpEhdZo3D4U9M5to0k46tZh
+SJJaQJVJOKrhOSloWEeKSwHhLo5sY29AylA/jAuZ5HJCuLHCJkjxnIPGNy5arhEJ
+2fOtH2+trVDjeDLm3o6qv9EAn7MCEhmiFewUGFwOJs75rsx7tdEm/IX+FJO2nX12
+4zWXHt7EA4GEAAKBgHFJ1dk2HPSn5Nh8tybEFs1iP/NE9Pa+2Qmea/Z/uRToZ2Uv
+dM1qRagMyJfEco8fLcL1mkFH+U+HYt5Y7/rK5bD1zCYklqvMgckgHv4tRO9FKhpo
+3EDe9oMz3325wzakq69O5ZfvCD4PDA3crrZaGc0ahXF7nYnNErdyhYrNkPgJoAAw
+CwYJYIZIAWUDBAMCAzAAMC0CFQCLSYH6QBDBF2c0ii0bvXXzM5qJIwIUUlCx5kp7
+/DnfWP/hdw9xNrbD4jc=
+-----END CERTIFICATE REQUEST-----

certs/ecc/bp256r1-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHgCAQEEIALRjSn7gQicLnRopI92xvo14rrdLVl0IEzDB40t3Pa7oAsGCSskAwMC
+CAEBB6FEA0IABC7vJ8tXOtxiJba1QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXg
+OGuAhGSfcKrYuzOQwduBRq7pgckDabXOres=
+-----END EC PRIVATE KEY-----

certs/ecc/client-bp256r1-cert.pem

@@ -0,0 +1,57 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            23:c2:32:32:87:c0:20:35:77:e6:56:4b:ba:d3:ba:19:de:0e:ed:9e
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:58 2020 GMT
+            Not After : Oct 13 20:13:58 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:2e:ef:27:cb:57:3a:dc:62:25:b6:b5:42:5c:ee:
+                    29:56:e3:a8:ce:86:6e:44:52:23:15:c8:43:c0:62:
+                    10:16:1e:4a:cb:88:d0:75:e0:38:6b:80:84:64:9f:
+                    70:aa:d8:bb:33:90:c1:db:81:46:ae:e9:81:c9:03:
+                    69:b5:ce:ad:eb
+                ASN1 OID: brainpoolP256r1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Subject Key Identifier: 
+                B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+            X509v3 Authority Key Identifier: 
+                keyid:B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:28:b6:b4:eb:ae:c1:9b:71:0a:15:92:93:d6:2d:
+         12:a6:ff:2d:2a:f5:23:a8:e2:df:6c:d9:33:d4:7f:e9:2e:08:
+         02:20:33:eb:45:aa:c1:7c:36:c1:60:52:09:0e:2d:e4:2a:49:
+         1d:d8:b2:c5:79:3e:be:d4:61:c5:14:d0:b6:f2:42:d4
+-----BEGIN CERTIFICATE-----
+MIICyTCCAnCgAwIBAgIUI8IyMofAIDV35lZLutO6Gd4O7Z4wCgYIKoZIzj0EAwIw
+gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLUNM
+STEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tMB4XDTIwMTAxNTIwMTM1OFoXDTMwMTAxMzIwMTM1OFowgZox
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
+dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLUNMSTEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABC7vJ8tXOtxiJba1
+QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXgOGuAhGSfcKrYuzOQwduBRq7pgckD
+abXOreujgZAwgY0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBaAwHQYDVR0O
+BBYEFLQbO09l8r+eio/jM5ZEH2fqszTVMB8GA1UdIwQYMBaAFLQbO09l8r+eio/j
+M5ZEH2fqszTVMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
+KwYBBQUHAwQwCgYIKoZIzj0EAwIDRwAwRAIgKLa0667Bm3EKFZKT1i0Spv8tKvUj
+qOLfbNkz1H/pLggCIDPrRarBfDbBYFIJDi3kKkkd2LLFeT6+1GHFFNC28kLU
+-----END CERTIFICATE-----

certs/ecc/client-secp256k1-cert.pem

@@ -0,0 +1,57 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3d:12:fd:a2:a8:15:63:d8:4e:3f:48:81:46:92:ae:65:f3:27:7f:f2
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:49 2020 GMT
+            Not After : Oct 13 20:13:49 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-CLI, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:d7:0d:0b:f1:0e:22:88:fe:fb:d5:e5:e1:09:a4:
+                    3e:90:76:b3:29:cb:d9:13:60:b7:ea:88:82:d7:8c:
+                    b6:db:21:dc:93:0f:e9:58:bb:c5:f2:a2:c2:f5:23:
+                    36:c5:d5:eb:24:a6:24:db:ee:02:b0:05:31:a6:33:
+                    1f:cd:79:82:10
+                ASN1 OID: secp256k1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Client, S/MIME
+            X509v3 Subject Key Identifier: 
+                44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+            X509v3 Authority Key Identifier: 
+                keyid:44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, E-mail Protection
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:20:73:08:4a:18:d1:ad:81:f6:5c:59:27:da:36:9a:
+         cd:fb:4e:97:5a:58:b3:61:fe:b0:ec:7e:76:ca:0c:5a:d3:c1:
+         02:21:00:a5:05:b4:f5:2f:d3:bf:71:d4:0c:fb:bf:a0:64:0b:
+         cd:bb:18:ef:df:92:bc:5c:cc:6c:74:82:c8:52:5a:f6:46
+-----BEGIN CERTIFICATE-----
+MIICwjCCAmigAwIBAgIUPRL9oqgVY9hOP0iBRpKuZfMnf/IwCgYIKoZIzj0EAwIw
+gZgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRUwEwYDVQQLDAxFQ0MyNTZLMS1DTEkx
+GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbTAeFw0yMDEwMTUyMDEzNDlaFw0zMDEwMTMyMDEzNDlaMIGYMQsw
+CQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRs
+ZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwMRUNDMjU2SzEtQ0xJMRgwFgYD
+VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
+bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAATXDQvxDiKI/vvV5eEJpD6QdrMp
+y9kTYLfqiILXjLbbIdyTD+lYu8XyosL1IzbF1eskpiTb7gKwBTGmMx/NeYIQo4GQ
+MIGNMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1UdDgQWBBREathx
+batiGCECJyOQvx13tnlLdzAfBgNVHSMEGDAWgBREathxbatiGCECJyOQvx13tnlL
+dzAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwME
+MAoGCCqGSM49BAMCA0gAMEUCIHMIShjRrYH2XFkn2jaazftOl1pYs2H+sOx+dsoM
+WtPBAiEApQW09S/Tv3HUDPu/oGQLzbsY79+SvFzMbHSCyFJa9kY=
+-----END CERTIFICATE-----

certs/ecc/genecc.sh

@@ -88,6 +88,39 @@ rm ./certs/client-ecc384-req.pem
 rm ./certs/client-ecc384-key.par
 
 
+# Generate ECC Kerberos Keys
+if [ -f ./certs/ecc/secp256k1-key.pem ]; then
+	openssl ecparam -name secp256k1 -genkey -noout -out ./certs/ecc/secp256k1-key.pem
+	openssl ec -in ./certs/ecc/secp256k1-key.pem -inform PEM -out ./certs/ecc/secp256k1-key.der -outform DER
+fi
+# Create self-signed ECC Kerberos certificates
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/server-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/server-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/server-secp256k1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/server-secp256k1-cert.pem -outform der -out ./certs/ecc/server-secp256k1-cert.der
+rm ./certs/ecc/server-secp256k1-req.pem
+
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/secp256k1-key.pem -out ./certs/ecc/client-secp256k1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/client-secp256k1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/secp256k1-key.pem -text -out ./certs/ecc/client-secp256k1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/client-secp256k1-cert.pem -outform der -out ./certs/ecc/client-secp256k1-cert.der
+rm ./certs/ecc/client-secp256k1-req.pem
+
+# Generate ECC Brainpool Keys
+if [ -f ./certs/ecc/bp256r1-key.pem ]; then
+	openssl ecparam -name brainpoolP256r1 -genkey -noout -out ./certs/ecc/bp256r1-key.pem
+	openssl ec -in ./certs/ecc/bp256r1-key.pem -inform PEM -out ./certs/ecc/bp256r1-key.der -outform DER
+fi
+# Create self-signed ECC Brainpool certificates
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/server-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/server-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions server_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/server-bp256r1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/server-bp256r1-cert.pem -outform der -out ./certs/ecc/server-bp256r1-cert.der
+rm ./certs/ecc/server-bp256r1-req.pem
+
+openssl req -config ./certs/ecc/wolfssl.cnf -sha256 -new -key ./certs/ecc/bp256r1-key.pem -out ./certs/ecc/client-bp256r1-req.pem -subj "/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-CLI/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/"
+openssl x509 -req -in ./certs/ecc/client-bp256r1-req.pem -days 3650 -extfile ./certs/ecc/wolfssl.cnf -extensions usr_cert -signkey ./certs/ecc/bp256r1-key.pem -text -out ./certs/ecc/client-bp256r1-cert.pem
+openssl x509 -inform pem -in ./certs/ecc/client-bp256r1-cert.pem -outform der -out ./certs/ecc/client-bp256r1-cert.der
+rm ./certs/ecc/client-bp256r1-req.pem
+
+
 # Also manually need to:
 # 1. Copy ./certs/server-ecc.der into ./certs/test/server-cert-ecc-badsig.der `cp ./certs/server-ecc.der ./certs/test/server-cert-ecc-badsig.der`
 # 2. Modify last byte so its invalidates signature in ./certs/test/server-cert-ecc-badsig.der

certs/ecc/include.am

@@ -6,3 +6,21 @@ EXTRA_DIST += \
 	     certs/ecc/genecc.sh \
 	     certs/ecc/wolfssl.cnf \
 	     certs/ecc/wolfssl_384.cnf
+
+# Koblitz Curves
+EXTRA_DIST += \
+	     certs/ecc/secp256k1-key.der \
+		 certs/ecc/secp256k1-key.pem \
+		 certs/ecc/client-secp256k1-cert.der \
+		 certs/ecc/client-secp256k1-cert.pem \
+		 certs/ecc/server-secp256k1-cert.der \
+		 certs/ecc/server-secp256k1-cert.pem
+
+# Brainpool Curves
+EXTRA_DIST += \
+		 certs/ecc/bp256r1-key.der \
+		 certs/ecc/bp256r1-key.pem \
+		 certs/ecc/client-bp256r1-cert.der \
+		 certs/ecc/client-bp256r1-cert.pem \
+		 certs/ecc/server-bp256r1-cert.der \
+		 certs/ecc/server-bp256r1-cert.pem

certs/ecc/secp256k1-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEILlFjaVww/Q8MLWZOcmS3ZCx3VCJWWoNXxRYRA3e4IApoAcGBSuBBAAK
+oUQDQgAE1w0L8Q4iiP771eXhCaQ+kHazKcvZE2C36oiC14y22yHckw/pWLvF8qLC
+9SM2xdXrJKYk2+4CsAUxpjMfzXmCEA==
+-----END EC PRIVATE KEY-----

certs/ecc/server-bp256r1-cert.pem

@@ -0,0 +1,63 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            2f:f8:fa:8b:cf:ec:8f:2c:bc:40:fb:95:a0:3e:04:db:dd:c5:7f:08
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:55 2020 GMT
+            Not After : Oct 13 20:13:55 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256BPR1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:2e:ef:27:cb:57:3a:dc:62:25:b6:b5:42:5c:ee:
+                    29:56:e3:a8:ce:86:6e:44:52:23:15:c8:43:c0:62:
+                    10:16:1e:4a:cb:88:d0:75:e0:38:6b:80:84:64:9f:
+                    70:aa:d8:bb:33:90:c1:db:81:46:ae:e9:81:c9:03:
+                    69:b5:ce:ad:eb
+                ASN1 OID: brainpoolP256r1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Subject Key Identifier: 
+                B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+            X509v3 Authority Key Identifier: 
+                keyid:B4:1B:3B:4F:65:F2:BF:9E:8A:8F:E3:33:96:44:1F:67:EA:B3:34:D5
+                DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256BPR1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:2F:F8:FA:8B:CF:EC:8F:2C:BC:40:FB:95:A0:3E:04:DB:DD:C5:7F:08
+
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:21:00:81:37:b3:f7:a7:e7:9d:1b:62:3f:25:20:02:
+         45:93:45:5c:91:23:1b:8b:bc:09:0c:f7:ef:51:29:a4:90:ec:
+         91:02:20:74:dd:26:c3:eb:24:e1:33:ce:b4:c6:f8:5f:9f:99:
+         6d:2b:9a:ee:ac:33:d8:08:29:19:3c:00:f1:83:de:a6:af
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAySgAwIBAgIUL/j6i8/sjyy8QPuVoD4E293FfwgwCgYIKoZIzj0EAwIw
+gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLVNS
+VjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tMB4XDTIwMTAxNTIwMTM1NVoXDTMwMTAxMzIwMTM1NVowgZox
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
+dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcwFQYDVQQLDA5FQ0MyNTZCUFIxLVNSVjEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMFowFAYHKoZIzj0CAQYJKyQDAwIIAQEHA0IABC7vJ8tXOtxiJba1
+QlzuKVbjqM6GbkRSIxXIQ8BiEBYeSsuI0HXgOGuAhGSfcKrYuzOQwduBRq7pgckD
+abXOreujggFDMIIBPzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAdBgNV
+HQ4EFgQUtBs7T2Xyv56Kj+MzlkQfZ+qzNNUwgdoGA1UdIwSB0jCBz4AUtBs7T2Xy
+v56Kj+MzlkQfZ+qzNNWhgaCkgZ0wgZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApX
+YXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRcw
+FQYDVQQLDA5FQ0MyNTZCUFIxLVNSVjEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tghQv+PqLz+yPLLxA+5Wg
+PgTb3cV/CDAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwCgYI
+KoZIzj0EAwIDSAAwRQIhAIE3s/en550bYj8lIAJFk0VckSMbi7wJDPfvUSmkkOyR
+AiB03SbD6yThM860xvhfn5ltK5rurDPYCCkZPADxg96mrw==
+-----END CERTIFICATE-----

certs/ecc/server-secp256k1-cert.pem

@@ -0,0 +1,63 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            60:d5:b7:78:ff:06:14:3b:1e:c5:ba:8b:dd:5e:67:b2:16:aa:b2:c7
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Oct 15 20:13:46 2020 GMT
+            Not After : Oct 13 20:13:46 2030 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = Eliptic, OU = ECC256K1-SRV, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:d7:0d:0b:f1:0e:22:88:fe:fb:d5:e5:e1:09:a4:
+                    3e:90:76:b3:29:cb:d9:13:60:b7:ea:88:82:d7:8c:
+                    b6:db:21:dc:93:0f:e9:58:bb:c5:f2:a2:c2:f5:23:
+                    36:c5:d5:eb:24:a6:24:db:ee:02:b0:05:31:a6:33:
+                    1f:cd:79:82:10
+                ASN1 OID: secp256k1
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Cert Type: 
+                SSL Server
+            X509v3 Subject Key Identifier: 
+                44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+            X509v3 Authority Key Identifier: 
+                keyid:44:6A:D8:71:6D:AB:62:18:21:02:27:23:90:BF:1D:77:B6:79:4B:77
+                DirName:/C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC256K1-SRV/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:60:D5:B7:78:FF:06:14:3B:1E:C5:BA:8B:DD:5E:67:B2:16:AA:B2:C7
+
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:01:71:b5:5f:e4:5b:b7:95:b4:59:9a:b0:dc:ef:
+         64:01:76:ef:04:07:d8:b4:44:e5:db:86:e4:05:8c:c1:22:19:
+         02:20:3e:93:fb:30:f9:4c:89:39:35:df:b3:79:d5:29:bb:2b:
+         08:84:8a:f8:55:7c:f9:68:d6:2c:11:28:af:a9:33:0f
+-----BEGIN CERTIFICATE-----
+MIIDczCCAxqgAwIBAgIUYNW3eP8GFDsexbqL3V5nshaqsscwCgYIKoZIzj0EAwIw
+gZgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdT
+ZWF0dGxlMRAwDgYDVQQKDAdFbGlwdGljMRUwEwYDVQQLDAxFQ0MyNTZLMS1TUlYx
+GDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbTAeFw0yMDEwMTUyMDEzNDZaFw0zMDEwMTMyMDEzNDZaMIGYMQsw
+CQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRs
+ZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwMRUNDMjU2SzEtU1JWMRgwFgYD
+VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
+bC5jb20wVjAQBgcqhkjOPQIBBgUrgQQACgNCAATXDQvxDiKI/vvV5eEJpD6QdrMp
+y9kTYLfqiILXjLbbIdyTD+lYu8XyosL1IzbF1eskpiTb7gKwBTGmMx/NeYIQo4IB
+QTCCAT0wCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwHQYDVR0OBBYEFERq
+2HFtq2IYIQInI5C/HXe2eUt3MIHYBgNVHSMEgdAwgc2AFERq2HFtq2IYIQInI5C/
+HXe2eUt3oYGepIGbMIGYMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3Rv
+bjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHRWxpcHRpYzEVMBMGA1UECwwM
+RUNDMjU2SzEtU1JWMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
+9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFGDVt3j/BhQ7HsW6i91eZ7IWqrLHMA4G
+A1UdDwEB/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcDATAKBggqhkjOPQQDAgNH
+ADBEAiABcbVf5Fu3lbRZmrDc72QBdu8EB9i0ROXbhuQFjMEiGQIgPpP7MPlMiTk1
+37N51Sm7KwiEivhVfPlo1iwRKK+pMw8=
+-----END CERTIFICATE-----

certs/include.am

@@ -45,13 +45,18 @@ EXTRA_DIST += \
 	     certs/test-degenerate.p7b \
 	     certs/test-ber-exp02-05-2022.p7b \
 	     certs/test-servercert.p12 \
+	     certs/test-servercert-rc2.p12 \
 	     certs/ecc-rsa-server.p12 \
 	     certs/dsaparams.pem \
 	     certs/ecc-privOnlyKey.pem \
 	     certs/ecc-privOnlyCert.pem \
 	     certs/dh3072.pem \
 	     certs/dh4096.pem \
-	     certs/client-cert-ext.pem
+	     certs/client-cert-ext.pem \
+	     certs/csr.attr.der \
+	     certs/csr.dsa.pem \
+	     certs/csr.signed.der \
+	     certs/csr.ext.der
 
 EXTRA_DIST += \
 	     certs/ca-key.der \
@@ -106,9 +111,11 @@ include certs/crl/include.am
 include certs/ecc/include.am
 include certs/ed25519/include.am
 include certs/ed448/include.am
+include certs/p521/include.am
 include certs/external/include.am
 include certs/ocsp/include.am
 include certs/statickeys/include.am
 include certs/test/include.am
 include certs/test-pathlen/include.am
 include certs/intermediate/include.am
+

certs/p521/ca-p521-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQALRgkLeTbbMNpm9sYZzPxYGiUFM2R
+Sldl7zb6JIKI7Mfwy0hFbpZff+t2vkRAwxnAM2jEBgSOwiWxloMiDnvHsvwBhpHt
+Q1044AwljbPbsdzetyGAz4feZPQhPi2veb320ABLgXn69xCqGc1A1x51NFMpA+1I
+VCHlj5W1m0GNX91y0lo=
+-----END PUBLIC KEY-----

certs/p521/ca-p521-priv.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIB29qI0BYpdJXJ61gEQtz5rWlWL8B+ZKslEzyZlA5Z2iAKjwKUxd6Q
+js0MrD6yn1lne9FGISDUo+sjDDOiQvxx8F2gBwYFK4EEACOhgYkDgYYABAAtGCQt
+5Ntsw2mb2xhnM/FgaJQUzZFKV2XvNvokgojsx/DLSEVull9/63a+REDDGcAzaMQG
+BI7CJbGWgyIOe8ey/AGGke1DXTjgDCWNs9ux3N63IYDPh95k9CE+La95vfbQAEuB
+efr3EKoZzUDXHnU0UykD7UhUIeWPlbWbQY1f3XLSWg==
+-----END EC PRIVATE KEY-----

certs/p521/ca-p521.pem

@@ -0,0 +1,63 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Sep 14 23:57:18 2020 GMT
+            Not After : Jun 11 23:57:18 2023 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (521 bit)
+                pub:
+                    04:00:2d:18:24:2d:e4:db:6c:c3:69:9b:db:18:67:
+                    33:f1:60:68:94:14:cd:91:4a:57:65:ef:36:fa:24:
+                    82:88:ec:c7:f0:cb:48:45:6e:96:5f:7f:eb:76:be:
+                    44:40:c3:19:c0:33:68:c4:06:04:8e:c2:25:b1:96:
+                    83:22:0e:7b:c7:b2:fc:01:86:91:ed:43:5d:38:e0:
+                    0c:25:8d:b3:db:b1:dc:de:b7:21:80:cf:87:de:64:
+                    f4:21:3e:2d:af:79:bd:f6:d0:00:4b:81:79:fa:f7:
+                    10:aa:19:cd:40:d7:1e:75:34:53:29:03:ed:48:54:
+                    21:e5:8f:95:b5:9b:41:8d:5f:dd:72:d2:5a
+                ASN1 OID: secp521r1
+                NIST CURVE: P-521
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82
+            X509v3 Authority Key Identifier: 
+                keyid:64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA256
+         30:81:87:02:41:60:cd:fa:94:0d:23:c3:4e:3c:b1:6e:d9:b6:
+         5b:0e:97:1e:a4:df:0a:7c:05:2e:61:0c:d7:c0:e5:86:16:0c:
+         7b:01:a5:33:9a:e6:31:a0:62:91:da:dc:22:d1:ba:4f:75:43:
+         94:43:67:91:20:08:66:96:27:53:b2:61:0e:59:0a:50:02:42:
+         01:ec:87:8d:ca:6d:e0:bf:30:ba:ef:37:13:ad:f6:d1:c4:fc:
+         b5:e5:4b:96:c2:83:a0:d8:ed:04:73:85:8d:54:d7:e9:9a:67:
+         8a:cf:11:36:4a:f2:2f:85:5a:24:5e:3c:79:e1:a7:c4:ec:78:
+         82:7a:52:25:c4:55:57:95:0e:6f:c9:d5
+-----BEGIN CERTIFICATE-----
+MIIDBzCCAmmgAwIBAgIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEDAO
+BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT
+U0xfUDUyMTESMBAGA1UECwwJUm9vdC1QNTIxMRgwFgYDVQQDDA93d3cud29sZnNz
+bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjAwOTE0
+MjM1NzE4WhcNMjMwNjExMjM1NzE4WjCBlTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM
+B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xfcDUy
+MTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8w
+HQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIGbMBAGByqGSM49AgEGBSuB
+BAAjA4GGAAQALRgkLeTbbMNpm9sYZzPxYGiUFM2RSldl7zb6JIKI7Mfwy0hFbpZf
+f+t2vkRAwxnAM2jEBgSOwiWxloMiDnvHsvwBhpHtQ1044AwljbPbsdzetyGAz4fe
+ZPQhPi2veb320ABLgXn69xCqGc1A1x51NFMpA+1IVCHlj5W1m0GNX91y0lqjYzBh
+MB0GA1UdDgQWBBRAiR0wXgxu1T3G1SWQ2rZCZ+3pgjAfBgNVHSMEGDAWgBRkp2iV
+UzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
+hjAKBggqhkjOPQQDAgOBiwAwgYcCQWDN+pQNI8NOPLFu2bZbDpcepN8KfAUuYQzX
+wOWGFgx7AaUzmuYxoGKR2twi0bpPdUOUQ2eRIAhmlidTsmEOWQpQAkIB7IeNym3g
+vzC67zcTrfbRxPy15UuWwoOg2O0Ec4WNVNfpmmeKzxE2SvIvhVokXjx54afE7HiC
+elIlxFVXlQ5vydU=
+-----END CERTIFICATE-----

certs/p521/client-p521-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBYm7xAOzYmVibgGv+LPGy8MhI36zS
+O3Epq/BmY9iOtcjC/JlE4kWxWnu5cwHaeeycJic0RSbViUtE/mlOchTji7wADwmi
+A8Na3JWC9vn2nP+1a3WVS6QoXZ6QBNHAHtX9Q54eg8ARKysHbal6ENdn51E3JNi/
+Aw2LtUBcT9YTc0K8kdk=
+-----END PUBLIC KEY-----

certs/p521/client-p521-priv.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBaJEzU+KQaBGPqqh2DPcqBxuSKqeCPfqDznDIwmCC/hiIaNpqg0Z4
+5OnpzFF/7YECMu4mh8ztYz85J/DXF3ehpDagBwYFK4EEACOhgYkDgYYABAFibvEA
+7NiZWJuAa/4s8bLwyEjfrNI7cSmr8GZj2I61yML8mUTiRbFae7lzAdp57JwmJzRF
+JtWJS0T+aU5yFOOLvAAPCaIDw1rclYL2+fac/7VrdZVLpChdnpAE0cAe1f1Dnh6D
+wBErKwdtqXoQ12fnUTck2L8DDYu1QFxP1hNzQryR2Q==
+-----END EC PRIVATE KEY-----

certs/p521/client-p521.pem

@@ -0,0 +1,73 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            24:9d:c6:98:df:09:87:30:42:bd:e6:4f:86:05:af:dc:82:89:d7:0e
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Client-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Sep 14 23:57:18 2020 GMT
+            Not After : Jun 11 23:57:18 2023 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Client-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (521 bit)
+                pub:
+                    04:01:62:6e:f1:00:ec:d8:99:58:9b:80:6b:fe:2c:
+                    f1:b2:f0:c8:48:df:ac:d2:3b:71:29:ab:f0:66:63:
+                    d8:8e:b5:c8:c2:fc:99:44:e2:45:b1:5a:7b:b9:73:
+                    01:da:79:ec:9c:26:27:34:45:26:d5:89:4b:44:fe:
+                    69:4e:72:14:e3:8b:bc:00:0f:09:a2:03:c3:5a:dc:
+                    95:82:f6:f9:f6:9c:ff:b5:6b:75:95:4b:a4:28:5d:
+                    9e:90:04:d1:c0:1e:d5:fd:43:9e:1e:83:c0:11:2b:
+                    2b:07:6d:a9:7a:10:d7:67:e7:51:37:24:d8:bf:03:
+                    0d:8b:b5:40:5c:4f:d6:13:73:42:bc:91:d9
+                ASN1 OID: secp521r1
+                NIST CURVE: P-521
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                20:E1:BF:57:E5:F3:C3:0C:72:84:6A:C6:DF:BC:22:D0:B7:25:E5:A4
+            X509v3 Authority Key Identifier: 
+                keyid:20:E1:BF:57:E5:F3:C3:0C:72:84:6A:C6:DF:BC:22:D0:B7:25:E5:A4
+                DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_p521/OU=Client-p521/CN=www.wolfssl.com/emailAddress=info@wolfssl.com
+                serial:24:9D:C6:98:DF:09:87:30:42:BD:E6:4F:86:05:AF:DC:82:89:D7:0E
+
+            X509v3 Basic Constraints: 
+                CA:TRUE
+            X509v3 Subject Alternative Name: 
+                DNS:example.com, IP Address:127.0.0.1
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+    Signature Algorithm: ecdsa-with-SHA256
+         30:81:87:02:42:01:e1:85:a5:0e:81:ff:b0:2a:d3:b8:73:8c:
+         1d:8e:1f:42:4c:de:cb:d1:63:69:ce:53:d0:2a:52:14:e4:7a:
+         2f:1e:c4:0b:1b:db:1e:36:97:72:ed:9b:2f:d4:93:79:06:ec:
+         41:6c:6c:18:28:99:56:b6:0b:58:c4:bc:47:db:64:a8:7e:02:
+         41:2b:d0:32:2e:03:81:32:f3:9a:65:58:a4:51:7e:9a:ad:c2:
+         99:bf:21:f1:a1:70:61:4b:ee:8e:df:3b:9c:79:e3:12:b4:3b:
+         9e:64:da:d0:ef:5b:50:7b:a1:b0:30:8f:af:66:71:9d:41:20:
+         cf:e8:9c:bd:f5:3b:c4:fe:00:43:35:24
+-----BEGIN CERTIFICATE-----
+MIIECTCCA2ugAwIBAgIUJJ3GmN8JhzBCveZPhgWv3IKJ1w4wCgYIKoZIzj0EAwIw
+gZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjExFDASBgNVBAsMC0NsaWVudC1wNTIx
+MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9A
+d29sZnNzbC5jb20wHhcNMjAwOTE0MjM1NzE4WhcNMjMwNjExMjM1NzE4WjCBmTEL
+MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x
+FTATBgNVBAoMDHdvbGZTU0xfcDUyMTEUMBIGA1UECwwLQ2xpZW50LXA1MjExGDAW
+BgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
+c3NsLmNvbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAWJu8QDs2JlYm4Br/izx
+svDISN+s0jtxKavwZmPYjrXIwvyZROJFsVp7uXMB2nnsnCYnNEUm1YlLRP5pTnIU
+44u8AA8JogPDWtyVgvb59pz/tWt1lUukKF2ekATRwB7V/UOeHoPAESsrB22pehDX
+Z+dRNyTYvwMNi7VAXE/WE3NCvJHZo4IBSjCCAUYwHQYDVR0OBBYEFCDhv1fl88MM
+coRqxt+8ItC3JeWkMIHZBgNVHSMEgdEwgc6AFCDhv1fl88MMcoRqxt+8ItC3JeWk
+oYGfpIGcMIGZMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE
+BwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF9wNTIxMRQwEgYDVQQLDAtDbGll
+bnQtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB
+FhBpbmZvQHdvbGZzc2wuY29tghQkncaY3wmHMEK95k+GBa/cgonXDjAMBgNVHRME
+BTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjAKBggqhkjOPQQDAgOBiwAwgYcCQgHhhaUOgf+w
+KtO4c4wdjh9CTN7L0WNpzlPQKlIU5HovHsQLG9seNpdy7Zsv1JN5BuxBbGwYKJlW
+tgtYxLxH22SofgJBK9AyLgOBMvOaZVikUX6arcKZvyHxoXBhS+6O3zuceeMStDue
+ZNrQ71tQe6GwMI+vZnGdQSDP6Jy99TvE/gBDNSQ=
+-----END CERTIFICATE-----

certs/p521/gen-p521-certs.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+
+check_result(){
+    if [ $1 -ne 0 ]; then
+        echo "Failed at \"$2\", Abort"
+        exit 1
+    else
+        echo "Step Succeeded!"
+    fi
+}
+
+openssl pkey -in root-p521-priv.pem -noout >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    echo "OpenSSL does not support P521"
+    echo "Skipping P521 certificate renewal"
+    exit 0
+fi
+
+############################################################
+###### update the self-signed root-p521.pem ###############
+############################################################
+echo "Updating root-p521.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\\nMontana\\nBozeman\\nwolfSSL_P521\\nRoot-P521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | \
+openssl req -new -key root-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out root-p521.csr
+check_result $? "Generate request"
+
+openssl x509 -req -in root-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-p521-priv.pem -out root-p521.pem
+check_result $? "Generate certificate"
+rm root-p521.csr
+
+openssl x509 -in root-p521.pem -outform DER > root-p521.der
+check_result $? "Convert to DER"
+openssl x509 -in root-p521.pem -text > tmp.pem
+check_result $? "Add text"
+mv tmp.pem root-p521.pem
+echo "End of section"
+echo "---------------------------------------------------------------------"
+
+############################################################
+###### update ca-p521.pem signed by root ##################
+############################################################
+echo "Updating ca-p521.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nCA-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key ca-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out ca-p521.csr
+check_result $? "Generate request"
+
+openssl x509 -req -in ca-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-p521.pem -CAkey root-p521-priv.pem -set_serial 01 -out ca-p521.pem
+check_result $? "Generate certificate"
+rm ca-p521.csr
+
+openssl x509 -in ca-p521.pem -outform DER > ca-p521.der
+check_result $? "Convert to DER"
+openssl x509 -in ca-p521.pem -text > tmp.pem
+check_result $? "Add text"
+mv tmp.pem ca-p521.pem
+echo "End of section"
+echo "---------------------------------------------------------------------"
+
+############################################################
+###### update server-p521.pem signed by ca ################
+############################################################
+echo "Updating server-p521.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nServer-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key server-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out server-p521.csr
+check_result $? "Generate request"
+
+openssl x509 -req -in server-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-p521.pem -CAkey ca-p521-priv.pem -set_serial 01 -out server-p521-cert.pem
+check_result $? "Generate certificate"
+rm server-p521.csr
+
+openssl x509 -in server-p521-cert.pem -outform DER > server-p521.der
+check_result $? "Convert to DER"
+openssl x509 -in server-p521-cert.pem -text > tmp.pem
+check_result $? "Add text"
+mv tmp.pem server-p521-cert.pem
+cat server-p521-cert.pem ca-p521.pem > server-p521.pem
+check_result $? "Add CA into server cert"
+echo "End of section"
+echo "---------------------------------------------------------------------"
+
+############################################################
+###### update the self-signed client-p521.pem #############
+############################################################
+echo "Updating client-p521.pem"
+echo ""
+#pipe the following arguments to openssl req...
+echo -e "US\\nMontana\\nBozeman\\nwolfSSL_p521\\nClient-p521\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n\\n\\n\\n" | openssl req -new -key client-p521-priv.pem -config ../renewcerts/wolfssl.cnf -nodes -out client-p521.csr
+check_result $? "Generate request"
+
+openssl x509 -req -in client-p521.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-p521-priv.pem -out client-p521.pem
+check_result $? "Generate certificate"
+rm client-p521.csr
+
+openssl x509 -in client-p521.pem -outform DER > client-p521.der
+check_result $? "Convert to DER"
+openssl x509 -in client-p521.pem -text > tmp.pem
+check_result $? "Add text"
+mv tmp.pem client-p521.pem
+echo "End of section"
+echo "---------------------------------------------------------------------"
+

certs/p521/gen-p521-keys.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+for key in root ca server client
+do
+
+  openssl ecparam -name secp521r1 -genkey -noout > ${key}-p521-priv.pem
+
+  openssl pkey -in ${key}-p521-priv.pem -outform DER -out ${key}-p521-priv.der
+
+  openssl pkey -in ${key}-p521-priv.pem -outform PEM -pubout -out ${key}-p521-key.pem
+
+  openssl pkey -in ${key}-p521-priv.pem -outform DER -pubout -out ${key}-p521-key.der
+
+done
+
+

certs/p521/include.am

@@ -0,0 +1,31 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+#
+
+EXTRA_DIST += \
+         certs/p521/ca-p521.der \
+         certs/p521/ca-p521.pem \
+         certs/p521/ca-p521-key.der \
+         certs/p521/ca-p521-key.pem \
+         certs/p521/ca-p521-priv.der \
+         certs/p521/ca-p521-priv.pem \
+         certs/p521/client-p521.der \
+         certs/p521/client-p521.pem \
+         certs/p521/client-p521-key.der \
+         certs/p521/client-p521-key.pem \
+         certs/p521/client-p521-priv.der \
+         certs/p521/client-p521-priv.pem \
+         certs/p521/root-p521.der \
+         certs/p521/root-p521.pem \
+         certs/p521/root-p521-key.der \
+         certs/p521/root-p521-key.pem \
+         certs/p521/root-p521-priv.der \
+         certs/p521/root-p521-priv.pem \
+         certs/p521/server-p521.der \
+         certs/p521/server-p521.pem \
+         certs/p521/server-p521-cert.pem \
+         certs/p521/server-p521-key.der \
+         certs/p521/server-p521-key.pem \
+         certs/p521/server-p521-priv.der \
+         certs/p521/server-p521-priv.pem
+

certs/p521/root-p521-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBQWDU5cw32/RMEsz2ejLM8hy3UxW9
+X1Pvy3OpyBRsb33FfLS7jlbCQ0X7WBzGRT1/5U6AzETBBnp14WnJiqgBet8ARElz
+nC9QP4OgHovRqvsIDJAFDQwXMVE+1oU7CRKC0aYIzchPalrIjI5dv9rMW5Wh6Fop
+eCKyukmhhcZIinFTjYk=
+-----END PUBLIC KEY-----

certs/p521/root-p521-priv.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIB+0L/Wo+9bKC8iEmkLdgQkDyeJkbDp0bmhUqOevrpeBqs/Q/0dtg9
+WFwp7ceTJkuLr/osgWrNpTxgVscecuiYRGSgBwYFK4EEACOhgYkDgYYABAFBYNTl
+zDfb9EwSzPZ6MszyHLdTFb1fU+/Lc6nIFGxvfcV8tLuOVsJDRftYHMZFPX/lToDM
+RMEGenXhacmKqAF63wBESXOcL1A/g6Aei9Gq+wgMkAUNDBcxUT7WhTsJEoLRpgjN
+yE9qWsiMjl2/2sxblaHoWil4IrK6SaGFxkiKcVONiQ==
+-----END EC PRIVATE KEY-----

certs/p521/root-p521.pem

@@ -0,0 +1,64 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            23:0c:f9:b8:9a:a1:1d:4f:ec:23:8f:4b:f2:20:5d:7d:ac:43:4e:98
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Sep 14 23:57:18 2020 GMT
+            Not After : Jun 11 23:57:18 2023 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_P521, OU = Root-P521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (521 bit)
+                pub:
+                    04:01:41:60:d4:e5:cc:37:db:f4:4c:12:cc:f6:7a:
+                    32:cc:f2:1c:b7:53:15:bd:5f:53:ef:cb:73:a9:c8:
+                    14:6c:6f:7d:c5:7c:b4:bb:8e:56:c2:43:45:fb:58:
+                    1c:c6:45:3d:7f:e5:4e:80:cc:44:c1:06:7a:75:e1:
+                    69:c9:8a:a8:01:7a:df:00:44:49:73:9c:2f:50:3f:
+                    83:a0:1e:8b:d1:aa:fb:08:0c:90:05:0d:0c:17:31:
+                    51:3e:d6:85:3b:09:12:82:d1:a6:08:cd:c8:4f:6a:
+                    5a:c8:8c:8e:5d:bf:da:cc:5b:95:a1:e8:5a:29:78:
+                    22:b2:ba:49:a1:85:c6:48:8a:71:53:8d:89
+                ASN1 OID: secp521r1
+                NIST CURVE: P-521
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8
+            X509v3 Authority Key Identifier: 
+                keyid:64:A7:68:95:53:33:18:A2:20:92:BC:64:55:A6:AB:CA:76:68:9B:C8
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+    Signature Algorithm: ecdsa-with-SHA256
+         30:81:87:02:41:55:16:68:aa:bc:e1:5e:b6:d3:4c:3e:aa:e6:
+         64:e6:ca:94:ec:7d:0f:a8:ea:70:00:33:26:95:27:bd:23:ae:
+         69:5b:29:60:28:1e:0d:fa:69:3d:21:36:f9:9d:80:74:b1:ae:
+         d0:2c:bd:12:13:ce:98:0c:69:39:ab:99:88:90:17:02:02:42:
+         01:f7:b2:95:d0:bf:64:4d:f9:2e:0e:98:40:00:1c:a7:0a:b3:
+         2e:09:f8:c2:27:56:3e:b4:2a:c0:fc:1a:3a:87:c6:6f:ac:20:
+         d4:df:90:f0:00:88:a0:a6:63:79:74:9c:91:c0:ce:7c:21:6b:
+         65:64:a8:fb:83:48:78:eb:78:e0:51:95
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAn6gAwIBAgIUIwz5uJqhHU/sI49L8iBdfaxDTpgwCgYIKoZIzj0EAwIw
+gZcxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRUwEwYDVQQKDAx3b2xmU1NMX1A1MjExEjAQBgNVBAsMCVJvb3QtUDUyMTEY
+MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTIwMDkxNDIzNTcxOFoXDTIzMDYxMTIzNTcxOFowgZcxCzAJ
+BgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUw
+EwYDVQQKDAx3b2xmU1NMX1A1MjExEjAQBgNVBAsMCVJvb3QtUDUyMTEYMBYGA1UE
+AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBQWDU5cw32/RMEsz2ejLM8hy3
+UxW9X1Pvy3OpyBRsb33FfLS7jlbCQ0X7WBzGRT1/5U6AzETBBnp14WnJiqgBet8A
+RElznC9QP4OgHovRqvsIDJAFDQwXMVE+1oU7CRKC0aYIzchPalrIjI5dv9rMW5Wh
+6FopeCKyukmhhcZIinFTjYmjYzBhMB0GA1UdDgQWBBRkp2iVUzMYoiCSvGRVpqvK
+dmibyDAfBgNVHSMEGDAWgBRkp2iVUzMYoiCSvGRVpqvKdmibyDAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggqhkjOPQQDAgOBiwAwgYcCQVUWaKq8
+4V6200w+quZk5sqU7H0PqOpwADMmlSe9I65pWylgKB4N+mk9ITb5nYB0sa7QLL0S
+E86YDGk5q5mIkBcCAkIB97KV0L9kTfkuDphAABynCrMuCfjCJ1Y+tCrA/Bo6h8Zv
+rCDU35DwAIigpmN5dJyRwM58IWtlZKj7g0h463jgUZU=
+-----END CERTIFICATE-----

certs/p521/server-p521-cert.pem

@@ -0,0 +1,68 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = CA-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Sep 14 23:57:18 2020 GMT
+            Not After : Jun 11 23:57:18 2023 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_p521, OU = Server-p521, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (521 bit)
+                pub:
+                    04:00:de:70:69:f6:d1:9e:c4:fe:5f:82:52:98:ce:
+                    52:c1:6a:4c:12:22:0f:76:88:22:11:a5:0d:a6:02:
+                    47:91:ab:79:8d:f6:08:70:2d:20:14:15:df:1b:57:
+                    58:b3:51:ab:20:a8:2b:bd:6a:3f:a9:ee:c2:6d:ae:
+                    99:44:b4:a1:12:10:70:00:ca:1f:14:1d:b0:e7:0c:
+                    41:18:52:37:04:a7:84:53:a1:02:46:93:1f:d5:60:
+                    63:a6:2e:7d:8d:ea:3f:e0:5b:e5:c8:6e:1f:a7:d9:
+                    a3:59:e5:96:27:22:f4:02:2b:af:5b:78:1f:13:a8:
+                    22:8b:ec:ae:01:7d:c0:61:13:a4:35:0a:21
+                ASN1 OID: secp521r1
+                NIST CURVE: P-521
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                85:86:9F:AE:73:5F:94:77:27:3B:15:15:C6:79:07:A8:42:4B:1E:F3
+            X509v3 Authority Key Identifier: 
+                keyid:40:89:1D:30:5E:0C:6E:D5:3D:C6:D5:25:90:DA:B6:42:67:ED:E9:82
+
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            Netscape Cert Type: 
+                SSL Server
+    Signature Algorithm: ecdsa-with-SHA256
+         30:81:88:02:42:01:95:31:ef:ac:8f:c7:79:c8:b1:27:21:70:
+         24:d1:78:d6:d4:da:d0:1d:44:52:6f:3f:0a:f1:33:ac:70:14:
+         cf:62:e6:23:a8:a5:30:04:e1:40:7b:05:c5:45:c9:be:b0:32:
+         d5:00:77:c7:6b:1d:37:7a:2c:83:02:9d:ef:5d:9e:9c:91:02:
+         42:01:f8:7c:5b:fc:b3:1a:26:2c:b4:41:c8:bf:0d:ae:74:5a:
+         0d:25:10:7d:9d:33:ec:5c:29:c0:7c:6a:96:f3:28:b6:06:de:
+         13:1f:b1:a1:76:38:ea:a1:db:81:21:b6:81:0c:8f:67:b7:3d:
+         7b:6b:e0:72:67:e3:d1:71:11:92:8b:d0:f1
+-----BEGIN CERTIFICATE-----
+MIIDMTCCApKgAwIBAgIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCVVMxEDAO
+BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZT
+U0xfcDUyMTEQMA4GA1UECwwHQ0EtcDUyMTEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
+Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIwMDkxNDIz
+NTcxOFoXDTIzMDYxMTIzNTcxOFowgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
+b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMX3A1MjEx
+FDASBgNVBAsMC1NlcnZlci1wNTIxMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZswEAYHKoZIzj0CAQYF
+K4EEACMDgYYABADecGn20Z7E/l+CUpjOUsFqTBIiD3aIIhGlDaYCR5GreY32CHAt
+IBQV3xtXWLNRqyCoK71qP6nuwm2umUS0oRIQcADKHxQdsOcMQRhSNwSnhFOhAkaT
+H9VgY6YufY3qP+Bb5chuH6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIaOB
+iTCBhjAdBgNVHQ4EFgQUhYafrnNflHcnOxUVxnkHqEJLHvMwHwYDVR0jBBgwFoAU
+QIkdMF4MbtU9xtUlkNq2Qmft6YIwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC
+A6gwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJYIZIAYb4QgEBBAQDAgZAMAoGCCqG
+SM49BAMCA4GMADCBiAJCAZUx76yPx3nIsSchcCTReNbU2tAdRFJvPwrxM6xwFM9i
+5iOopTAE4UB7BcVFyb6wMtUAd8drHTd6LIMCne9dnpyRAkIB+Hxb/LMaJiy0Qci/
+Da50Wg0lEH2dM+xcKcB8apbzKLYG3hMfsaF2OOqh24EhtoEMj2e3PXtr4HJn49Fx
+EZKL0PE=
+-----END CERTIFICATE-----

certs/p521/server-p521-key.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA3nBp9tGexP5fglKYzlLBakwSIg92
+iCIRpQ2mAkeRq3mN9ghwLSAUFd8bV1izUasgqCu9aj+p7sJtrplEtKESEHAAyh8U
+HbDnDEEYUjcEp4RToQJGkx/VYGOmLn2N6j/gW+XIbh+n2aNZ5ZYnIvQCK69beB8T
+qCKL7K4BfcBhE6Q1CiE=
+-----END PUBLIC KEY-----

certs/p521/server-p521-priv.pem

@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBA/UQ99abMXYOwp9KaXiqAj86ltsFQghlThjy9iBcnWkX1HwOvRd7
+cQFcIMmwK3LwktTPTcFOo0hgfvdwPKVlVJSgBwYFK4EEACOhgYkDgYYABADecGn2
+0Z7E/l+CUpjOUsFqTBIiD3aIIhGlDaYCR5GreY32CHAtIBQV3xtXWLNRqyCoK71q
+P6nuwm2umUS0oRIQcADKHxQdsOcMQRhSNwSnhFOhAkaTH9VgY6YufY3qP+Bb5chu
+H6fZo1nllici9AIrr1t4HxOoIovsrgF9wGETpDUKIQ==
+-----END EC PRIVATE KEY-----