Merge pull request #8712 from JacobBarthelmeh/release

prepare for release 5.8.0

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -6,8 +6,10 @@ body:
   - type: markdown
     attributes:
       value: >
-        Thanks for reporting an bug. If you would prefer a private method,
-        please email support@wolfssl.com
+        Thanks for reporting a bug. If you would prefer a private method,
+        or if this is a vulnerability report please email support@wolfssl.com
+        instead. This is publicly viewable and not appropriate for vulnerability
+        reports.
   - type: input
     id: contact
     attributes:

.github/ISSUE_TEMPLATE/other.yaml

@@ -6,7 +6,9 @@ body:
     attributes:
       value: >
         Thanks for reporting an issue. If you would prefer a private method,
-        please email support@wolfssl.com
+        or if this is a vulnerability report please email support@wolfssl.com
+        instead. This is publicly viewable and not appropriate for vulnerability
+        reports.
   - type: input
     id: version
     attributes:

.github/workflows/ada.yml

@@ -0,0 +1,33 @@
+name: WolfSSL Ada Build Tests
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@master
+
+    - name: Install gnat
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y gnat gprbuild
+
+    - name: Checkout wolfssl
+      uses: actions/checkout@master
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    - name: Build wolfssl Ada
+      working-directory: ./wolfssl/wrapper/Ada
+      run: |
+        mkdir obj
+        gprbuild default.gpr
+        gprbuild examples.gpr

.github/workflows/async.yml

@@ -24,7 +24,7 @@ jobs:
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 6
     steps:

.github/workflows/bind.yml

@@ -0,0 +1,93 @@
+name: bind9 Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all
+          install: true
+          check: false
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-bind
+          path: build-dir.tgz
+          retention-days: 5
+
+  bind_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        # List of releases to test
+        ref: [ 9.18.0, 9.18.28 ]
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 10
+    needs: build_wolfssl
+    steps:
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-bind
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Install dependencies
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          # hostap dependencies
+          sudo apt-get install -y libuv1-dev libnghttp2-dev libcap-dev libcmocka-dev
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout bind9
+        uses: actions/checkout@v4
+        with:
+          repository: isc-projects/bind9
+          path: bind
+          ref: v${{ matrix.ref }}
+
+      - name: Build and test bind9
+        working-directory: bind
+        run: |
+          export PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig
+          patch -p1 < $GITHUB_WORKSPACE/osp/bind9/${{ matrix.ref }}.patch
+          autoreconf -ivf
+          ./configure --with-wolfssl
+          sed -i 's/SUBDIRS = system//g' bin/tests/Makefile # remove failing tests
+          make -j V=1
+          make -j V=1 check

.github/workflows/cmake.yml

@@ -0,0 +1,109 @@
+name: WolfSSL CMake Build Tests
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+# pull wolfSSL
+    - uses: actions/checkout@master
+
+# install cmake
+    - name: Install cmake
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y cmake
+
+# pull wolfssl
+    - name: Checkout wolfssl
+      uses: actions/checkout@master
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+# build wolfssl
+    - name: Build wolfssl
+      working-directory: ./wolfssl
+      run: |
+        mkdir build
+        cd build
+        cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
+            -DWOLFSSL_16BIT:BOOL=no -DWOLFSSL_32BIT:BOOL=no -DWOLFSSL_AES:BOOL=yes \
+            -DWOLFSSL_AESCBC:BOOL=yes -DWOLFSSL_AESCCM:BOOL=yes -DWOLFSSL_AESCFB:BOOL=yes \
+            -DWOLFSSL_AESCTR:BOOL=yes -DWOLFSSL_AESGCM:STRING=yes -DWOLFSSL_AESKEYWRAP:BOOL=yes \
+            -DWOLFSSL_AESOFB:BOOL=yes -DWOLFSSL_AESSIV:BOOL=yes -DWOLFSSL_ALIGN_DATA:BOOL=yes \
+            -DWOLFSSL_ALPN:BOOL=ON -DWOLFSSL_ALT_CERT_CHAINS:BOOL=ON -DWOLFSSL_ARC4:BOOL=yes \
+            -DWOLFSSL_ARIA:BOOL=no -DWOLFSSL_ASIO:BOOL=no -DWOLFSSL_ASM:BOOL=yes -DWOLFSSL_ASN:BOOL=yes \
+            -DWOLFSSL_ASYNC_THREADS:BOOL=no -DWOLFSSL_BASE64_ENCODE:BOOL=yes -DWOLFSSL_CAAM:BOOL=no \
+            -DWOLFSSL_CERTEXT:BOOL=yes -DWOLFSSL_CERTGEN:BOOL=yes -DWOLFSSL_CERTGENCACHE:BOOL=no \
+            -DWOLFSSL_CERTREQ:BOOL=yes -DWOLFSSL_CHACHA:STRING=yes -DWOLFSSL_CMAC:BOOL=yes \
+            -DWOLFSSL_CODING:BOOL=yes -DWOLFSSL_CONFIG_H:BOOL=yes -DWOLFSSL_CRL:STRING=yes \
+            -DWOLFSSL_CRYPTOCB:BOOL=yes -DWOLFSSL_CRYPTOCB_NO_SW_TEST:BOOL=no \
+            -DWOLFSSL_CRYPT_TESTS:BOOL=yes -DWOLFSSL_CRYPT_TESTS_HELP:BOOL=no \
+            -DWOLFSSL_CRYPT_TESTS_LIBS:BOOL=no -DWOLFSSL_CURL:BOOL=yes -DWOLFSSL_CURVE25519:STRING=yes \
+            -DWOLFSSL_CURVE448:STRING=yes -DWOLFSSL_DEBUG:BOOL=yes -DWOLFSSL_DES3:BOOL=ON \
+            -DWOLFSSL_DES3_TLS_SUITES:BOOL=no -DWOLFSSL_DH:STRING=yes -DWOLFSSL_DH_DEFAULT_PARAMS:BOOL=yes \
+            -DWOLFSSL_DSA:BOOL=yes -DWOLFSSL_DTLS:BOOL=ON -DWOLFSSL_DTLS13:BOOL=yes \
+            -DWOLFSSL_DTLS_CID:BOOL=yes -DWOLFSSL_ECC:STRING=yes \
+            -DWOLFSSL_ECCCUSTCURVES:STRING=all -DWOLFSSL_ECCSHAMIR:BOOL=yes \
+            -DWOLFSSL_ECH:BOOL=yes -DWOLFSSL_ED25519:BOOL=yes -DWOLFSSL_ED448:STRING=yes \
+            -DWOLFSSL_ENCKEYS:BOOL=yes -DWOLFSSL_ENC_THEN_MAC:BOOL=yes -DWOLFSSL_ERROR_QUEUE:BOOL=yes \
+            -DWOLFSSL_ERROR_STRINGS:BOOL=yes -DWOLFSSL_EXAMPLES:BOOL=yes -DWOLFSSL_EXPERIMENTAL:BOOL=yes \
+            -DWOLFSSL_EXTENDED_MASTER:BOOL=yes -DWOLFSSL_EX_DATA:BOOL=yes -DWOLFSSL_FAST_MATH:BOOL=no \
+            -DWOLFSSL_FILESYSTEM:BOOL=yes -DWOLFSSL_HARDEN:BOOL=yes -DWOLFSSL_HASH_DRBG:BOOL=yes \
+            -DWOLFSSL_HKDF:BOOL=yes -DWOLFSSL_HPKE:BOOL=yes -DWOLFSSL_HRR_COOKIE:STRING=yes \
+            -DWOLFSSL_INLINE:BOOL=yes -DWOLFSSL_INSTALL:BOOL=yes -DWOLFSSL_IP_ALT_NAME:BOOL=ON \
+            -DWOLFSSL_KEYGEN:BOOL=yes -DWOLFSSL_KEYING_MATERIAL:BOOL=ON \
+            -DWOLFSSL_MD4:BOOL=ON -DWOLFSSL_MD5:BOOL=yes -DWOLFSSL_MEMORY:BOOL=yes -DWOLFSSL_NO_STUB:BOOL=no \
+            -DWOLFSSL_OAEP:BOOL=yes -DWOLFSSL_OCSP:BOOL=yes -DWOLFSSL_OCSPSTAPLING:BOOL=ON \
+            -DWOLFSSL_OCSPSTAPLING_V2:BOOL=ON -DWOLFSSL_OLD_NAMES:BOOL=yes -DWOLFSSL_OLD_TLS:BOOL=yes \
+            -DWOLFSSL_OPENSSLALL:BOOL=yes -DWOLFSSL_OPENSSLEXTRA:BOOL=ON -DWOLFSSL_OPTFLAGS:BOOL=yes \
+            -DWOLFSSL_OQS:BOOL=no -DWOLFSSL_PKCALLBACKS:BOOL=yes -DWOLFSSL_PKCS12:BOOL=yes \
+            -DWOLFSSL_PKCS7:BOOL=yes -DWOLFSSL_POLY1305:BOOL=yes -DWOLFSSL_POSTAUTH:BOOL=yes \
+            -DWOLFSSL_PWDBASED:BOOL=yes -DWOLFSSL_QUIC:BOOL=yes -DWOLFSSL_REPRODUCIBLE_BUILD:BOOL=no \
+            -DWOLFSSL_RNG:BOOL=yes -DWOLFSSL_RSA:BOOL=yes -DWOLFSSL_RSA_PSS:BOOL=yes \
+            -DWOLFSSL_SESSION_TICKET:BOOL=ON -DWOLFSSL_SHA:BOOL=yes -DWOLFSSL_SHA224:BOOL=yes \
+            -DWOLFSSL_SHA3:STRING=yes -DWOLFSSL_SHA384:BOOL=yes -DWOLFSSL_SHA512:BOOL=yes \
+            -DWOLFSSL_SHAKE128:STRING=yes -DWOLFSSL_SHAKE256:STRING=yes -DWOLFSSL_SINGLE_THREADED:BOOL=no \
+            -DWOLFSSL_SNI:BOOL=yes -DWOLFSSL_SP_MATH_ALL:BOOL=yes -DWOLFSSL_SRTP:BOOL=yes \
+            -DWOLFSSL_STUNNEL:BOOL=yes -DWOLFSSL_SUPPORTED_CURVES:BOOL=yes -DWOLFSSL_SYS_CA_CERTS:BOOL=yes \
+            -DWOLFSSL_TICKET_NONCE_MALLOC:BOOL=yes -DWOLFSSL_TLS13:BOOL=yes -DWOLFSSL_TLSV12:BOOL=yes \
+            -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
+            -DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \
+            -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
+            -DWOLFSSL_X963KDF:BOOL=yes \
+            -DCMAKE_C_FLAGS="-DWOLFSSL_DTLS_CH_FRAG" \
+            ..
+        cmake --build .
+        ctest -j $(nproc)
+        cmake --install .
+
+        # clean up
+        cd ..
+        rm -rf build
+
+        # Kyber Cmake broken
+        # -DWOLFSSL_KYBER:BOOL=yes
+
+# build "lean-tls" wolfssl
+    - name: Build wolfssl with lean-tls
+      working-directory: ./wolfssl
+      run: |
+        mkdir build
+        cd build
+        cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
+            -DWOLFSSL_LEAN_TLS:BOOL=yes \
+            ..
+        cmake --build .
+        cmake --install .
+
+        # clean up
+        cd ..
+        rm -rf build

.github/workflows/codespell.yml

@@ -14,7 +14,7 @@ concurrency:
 jobs:
   codespell:
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v4
 
@@ -23,8 +23,8 @@ jobs:
         check_filenames: true
         check_hidden: true
           # Add comma separated list of words that occur multiple times that should be ignored (sorted alphabetically, case sensitive)
-        ignore_words_list: adin,aNULL,carryIn,chainG,ciph,cLen,cliKs,dout,haveA,inCreated,inOut,inout,larg,LEAPYEAR,Merget,optionA,parm,parms,repid,rIn,userA,ser,siz,te,Te
+        ignore_words_list: adin,aNULL,brunch,carryIn,chainG,ciph,cLen,cliKs,dout,haveA,inCreated,inOut,inout,larg,LEAPYEAR,Merget,optionA,parm,parms,repid,rIn,userA,ser,siz,te,Te
           # The exclude_file contains lines of code that should be ignored. This is useful for individual lines which have non-words that can safely be ignored.
         exclude_file: '.codespellexcludelines'
           # To skip files entirely from being processed, add it to the following list:
-        skip: '*.cproject,*.der,*.mtpj,*.pem,*.vcxproj,.git,*.launch,*.scfg'
+        skip: '*.cproject,*.der,*.mtpj,*.pem,*.vcxproj,.git,*.launch,*.scfg,*.revoked'

.github/workflows/coverity-scan-fixes.yml

@@ -10,7 +10,7 @@ on:
 jobs:
   coverity:
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v4
       with:

.github/workflows/curl.yml

@@ -16,7 +16,7 @@ jobs:
   build_wolfssl:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -40,7 +40,7 @@ jobs:
   test_curl:
     name: ${{ matrix.curl_ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 15
     needs: build_wolfssl

.github/workflows/cyrus-sasl.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -48,7 +48,7 @@ jobs:
         ref: [ 2.1.28 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     needs: build_wolfssl

.github/workflows/disabled/msys2.yml

@@ -0,0 +1,41 @@
+name: MSYS2 Build Test
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  msys2:
+    runs-on: windows-latest
+    defaults:
+      run:
+        shell: msys2 {0}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - { sys: ucrt64,  compiler: mingw-w64-ucrt-x86_64-gcc }
+          - { sys: mingw64, compiler: mingw-w64-x86_64-gcc }
+          - { sys: msys, compiler: gcc }
+    steps:
+      - uses: actions/checkout@v3
+      - uses: msys2/setup-msys2@v2
+        with:
+          msystem: ${{ matrix.sys }}
+          update: true
+          install: git ${{matrix.compiler}} autotools base-devel autoconf netcat
+      - name: configure wolfSSL
+        run: ./autogen.sh && ./configure CFLAGS="-DUSE_CERT_BUFFERS_2048 -DUSE_CERT_BUFFERS_256 -DNO_WRITE_TEMP_FILES"
+      - name: build wolfSSL
+        run: make check
+      - name: Display log
+        if: always()
+        run: cat test-suite.log

.github/workflows/docker-Espressif.yml

@@ -15,7 +15,7 @@ jobs:
   espressif_latest:
     name: latest Docker container
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 12
     container:
@@ -27,7 +27,7 @@ jobs:
   espressif_v4_4:
     name: v4.4 Docker container
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     container:
       image: espressif/idf:release-v4.4
     steps:
@@ -37,7 +37,7 @@ jobs:
   espressif_v5_0:
     name: v5.0 Docker container
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     container:
       image: espressif/idf:release-v5.0
     steps:

.github/workflows/docker-OpenWrt.yml

@@ -18,7 +18,7 @@ jobs:
     build_library:
         name: Compile libwolfssl.so
         if: github.repository_owner == 'wolfssl'
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         # This should be a safe limit for the tests to run.
         timeout-minutes: 4
         container:
@@ -42,7 +42,7 @@ jobs:
     compile_container:
         name: Compile container
         if: github.repository_owner == 'wolfssl'
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-22.04
         # This should be a safe limit for the tests to run.
         timeout-minutes: 2
         needs: build_library

.github/workflows/gencertbuf.yml

@@ -0,0 +1,41 @@
+name: Test gencertbuf script
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  gencertbuf:
+    name: gencertbuf
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test generate wolfssl/certs_test.h
+        run: ./gencertbuf.pl
+
+      - name: Test wolfSSL
+        run: |
+          ./autogen.sh
+          ./configure --enable-all --enable-experimental --enable-dilithium --enable-kyber
+          make
+          ./wolfcrypt/test/testwolfcrypt
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ] ; then
+            cat test-suite.log
+          fi

.github/workflows/grpc.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 10
     steps:
@@ -52,7 +52,7 @@ jobs:
               h2_ssl_cert_test h2_ssl_session_reuse_test
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 30
     needs: build_wolfssl
@@ -71,6 +71,11 @@ jobs:
         with:
           name: wolf-install-grpc
 
+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
       - name: untar build-dir
         run: tar -xf build-dir.tgz
 
@@ -94,7 +99,7 @@ jobs:
           git submodule update --init
           mkdir cmake/build
           cd cmake/build
-          cmake -DgRPC_BUILD_TESTS=ON -DgRPC_SSL_PROVIDER=wolfssl \
+          cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.1 -DgRPC_BUILD_TESTS=ON -DgRPC_SSL_PROVIDER=wolfssl \
             -DWOLFSSL_INSTALL_DIR=$GITHUB_WORKSPACE/build-dir ../..
           make -j $(nproc) ${{ matrix.tests }}
 

.github/workflows/haproxy.yml

@@ -0,0 +1,91 @@
+name: haproxy Test
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-haproxy
+          install: true
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-haproxy
+          path: build-dir.tgz
+          retention-days: 5
+
+  test_haproxy:
+    name: ${{ matrix.haproxy_ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 15
+    needs: build_wolfssl
+    strategy:
+      fail-fast: false
+      matrix:
+        haproxy_ref: [ 'v3.1.0' ]
+    steps:
+    - name: Install test dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install libpcre2-dev
+
+    - name: Download lib
+      uses: actions/download-artifact@v4
+      with:
+        name: wolf-install-haproxy
+
+    - name: untar build-dir
+      run: tar -xf build-dir.tgz
+
+    # check cache for haproxy if not there then download it
+    - name: Check haproxy cache
+      uses: actions/cache@v4
+      id: cache-haproxy
+      with:
+        path: build-dir/haproxy-${{matrix.haproxy_ref}}
+        key: haproxy-${{matrix.haproxy_ref}}
+
+    - name: Download haproxy if needed
+      if: steps.cache-haproxy.outputs.cache-hit != 'true'
+      uses: actions/checkout@v3
+      with:
+        repository: haproxy/haproxy
+        ref: ${{matrix.haproxy_ref}}
+        path: build-dir/haproxy-${{matrix.haproxy_ref}}
+
+    - name: Build haproxy
+      working-directory: build-dir/haproxy-${{matrix.haproxy_ref}}
+      run: make clean && make TARGET=linux-glibc USE_OPENSSL_WOLFSSL=1 SSL_LIB=$GITHUB_WORKSPACE/build-dir/lib SSL_INC=$GITHUB_WORKSPACE/build-dir/include ADDLIB=-Wl,-rpath,$GITHUB_WORKSPACE/build-dir/lib CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address"
+
+    - name: Build haproxy vtest
+      working-directory: build-dir/haproxy-${{matrix.haproxy_ref}}
+      run: ./scripts/build-vtest.sh
+
+    - name: Test haproxy
+      working-directory: build-dir/haproxy-${{matrix.haproxy_ref}}
+      run: VTEST_PROGRAM=$GITHUB_WORKSPACE/build-dir/vtest/vtest make reg-tests -- --debug reg-tests/ssl/*

.github/workflows/hostap-vm.yml

@@ -13,7 +13,7 @@ concurrency:
 # END OF COMMON SECTION
 
 env:
-  LINUX_REF: v6.6
+  LINUX_REF: v6.12
 
 jobs:
   build_wolfssl:
@@ -28,7 +28,7 @@ jobs:
               --enable-tlsv10 --enable-oldtls
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 10
     steps:
@@ -63,27 +63,47 @@ jobs:
           path: build-dir.tgz
           retention-days: 5
 
+  checkout_hostap:
+    name: Checkout hostap repo
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 10
+    steps:
+      - name: Checking if we have hostap in cache
+        uses: actions/cache@v4
+        id: cache
+        with:
+          path: hostap
+          key: hostap-repo
+          lookup-only: true
+
+      - name: Checkout hostap
+        run: git clone git://w1.fi/hostap.git hostap
+
   build_uml_linux:
     name: Build UML (UserMode Linux)
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 10
+    needs: checkout_hostap
     steps:
       - name: Checking if we have kernel in cache
         uses: actions/cache@v4
         id: cache
         with:
           path: linux/linux
-          key: ${{ env.LINUX_REF }}
+          key: hostap-linux-${{ env.LINUX_REF }}
           lookup-only: true
 
-      - name: Checkout hostap
+      - name: Checking if we have hostap in cache
         if: steps.cache.outputs.cache-hit != 'true'
-        uses: actions/checkout@v4
+        uses: actions/cache/restore@v4
         with:
-          repository: julek-wolfssl/hostap-mirror
           path: hostap
+          key: hostap-repo
+          fail-on-cache-miss: true
 
       - name: Checkout linux
         if: steps.cache.outputs.cache-hit != 'true'
@@ -91,6 +111,7 @@ jobs:
         with:
           repository: torvalds/linux
           path: linux
+          ref: ${{ env.LINUX_REF }}
 
       - name: Compile linux
         if: steps.cache.outputs.cache-hit != 'true'
@@ -141,19 +162,18 @@ jobs:
               build_id: hostap-vm-build2
             }
     name: hwsim test
-    # For openssl 1.1
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 45
-    needs: [build_wolfssl, build_uml_linux]
+    needs: [build_wolfssl, build_uml_linux, checkout_hostap]
     steps:
       - name: Checking if we have kernel in cache
         uses: actions/cache/restore@v4
         id: cache
         with:
           path: linux/linux
-          key: ${{ env.LINUX_REF }}
+          key: hostap-linux-${{ env.LINUX_REF }}
           fail-on-cache-miss: true
 
       - name: show file structure
@@ -197,13 +217,18 @@ jobs:
           sudo apt-get install -y libpcap0.8 libpcap-dev curl libcurl4-openssl-dev \
             libnl-3-dev binutils-dev libssl-dev libiberty-dev libnl-genl-3-dev \
             libnl-route-3-dev libdbus-1-dev bridge-utils tshark python3-pycryptodome
+          sudo pip install pycryptodome
 
-      - name: Checkout hostap
-        uses: actions/checkout@v4
+      - name: Checking if we have hostap in cache
+        uses: actions/cache/restore@v4
         with:
-          repository: julek-wolfssl/hostap-mirror
           path: hostap
-          ref: ${{ matrix.config.hostap_ref }}
+          key: hostap-repo
+          fail-on-cache-miss: true
+
+      - name: Checkout correct ref
+        working-directory: hostap
+        run: git checkout ${{ matrix.config.hostap_ref }}
 
       - name: Update certs
         working-directory: hostap/tests/hwsim/auth_serv
@@ -288,6 +313,7 @@ jobs:
             KERNELDIR=$GITHUB_WORKSPACE/linux
             KVMARGS="-cpu host"
           EOF
+          git config --global --add safe.directory $GITHUB_WORKSPACE/hostap
           # Run tests in increments of 200 to not stall out the parallel-vm script
           while mapfile -t -n 200 ary && ((${#ary[@]})); do
             TESTS=$(printf '%s\n' "${ary[@]}" | tr '\n' ' ')

.github/workflows/intelasm-c-fallback.yml

@@ -0,0 +1,52 @@
+name: Dynamic C Fallback Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  make_check:
+    strategy:
+      matrix:
+        config: [
+          # Add new configs here
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWC_C_DYNAMIC_FALLBACK -DDEBUG_VECTOR_REGISTER_ACCESS -DDEBUG_VECTOR_REGISTER_ACCESS_FUZZING -DWC_DEBUG_CIPHER_LIFECYCLE"'
+        ]
+    name: make check
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test wolfSSL with WC_C_DYNAMIC_FALLBACK and DEBUG_VECTOR_REGISTER_ACCESS_FUZZING
+        run: |
+          ./autogen.sh
+          randseed=$(head -c 4 /dev/urandom | od -t u4 --address-radix=n)
+          randseed="${randseed#"${randseed%%[![:space:]]*}"}"
+          echo "fuzzing seed=${randseed}"
+          ./configure ${{ matrix.config }} CFLAGS="-DWC_DEBUG_VECTOR_REGISTERS_FUZZING_SEED=$randseed -fsanitize=leak -g -fno-omit-frame-pointer"
+          make -j 4
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          for file in scripts/*.log
+          do
+              if [ -f "$file" ]; then
+                  echo "${file}:"
+                  cat "$file"
+                  echo "========================================================================"
+              fi
+          done

.github/workflows/ipmitool.yml

@@ -17,7 +17,7 @@ jobs:
   build_wolfssl:
     name: Build wolfSSL
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: github.repository_owner == 'wolfssl'
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
@@ -48,7 +48,7 @@ jobs:
         git_ref: [ c3939dac2c060651361fc71516806f9ab8c38901 ]
     name: ${{ matrix.git_ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: build_wolfssl
     steps:
       - name: Install dependencies

.github/workflows/jwt-cpp.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     # Just to keep it the same as the testing target
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -47,7 +47,7 @@ jobs:
       matrix:
         config:
           - ref: 0.7.0
-            runner: ubuntu-latest
+            runner: ubuntu-22.04
           - ref: 0.6.0
             runner: ubuntu-22.04
     name: ${{ matrix.config.ref }}
@@ -66,6 +66,11 @@ jobs:
         with:
           name: wolf-install-jwt-cpp
 
+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
       - name: untar build-dir
         run: tar -xf build-dir.tgz
 
@@ -87,7 +92,7 @@ jobs:
         run: |
           patch -p1 < ../osp/jwt-cpp/${{ matrix.config.ref }}.patch
           PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
-            cmake -B build -DJWT_SSL_LIBRARY:STRING=wolfSSL -DJWT_BUILD_TESTS=ON .
+            cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.5 -B build -DJWT_SSL_LIBRARY:STRING=wolfSSL -DJWT_BUILD_TESTS=ON .
           make -j -C build
           ldd ./build/tests/jwt-cpp-test | grep wolfssl
 

.github/workflows/krb5.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     # Just to keep it the same as the testing target
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 5
     steps:
@@ -50,7 +50,7 @@ jobs:
         ref: [ 1.21.1 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 8
     needs: build_wolfssl
@@ -92,7 +92,7 @@ jobs:
           # Using rpath because LD_LIBRARY_PATH is overwritten during testing
           export WOLFSSL_CFLAGS="-I$GITHUB_WORKSPACE/build-dir/include -I$GITHUB_WORKSPACE/build-dir/include/wolfssl  -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib"
           export WOLFSSL_LIBS="-lwolfssl -L$GITHUB_WORKSPACE/build-dir/lib -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib"
-          ./configure --with-crypto-impl=wolfssl --with-tls-impl=wolfssl --disable-pkinit \
+          ./configure --with-crypto-impl=wolfssl --with-tls-impl=wolfssl --disable-pkinit --with-spake-openssl \
             CFLAGS='-fsanitize=address' LDFLAGS='-fsanitize=address'
           CFLAGS='-fsanitize=address' LDFLAGS='-fsanitize=address' make -j
 

.github/workflows/libspdm.yml

@@ -0,0 +1,91 @@
+name: libspdm Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all --enable-static CFLAGS='-DRSA_MIN_SIZE=512'
+          install: true
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-libspdm
+          path: build-dir.tgz
+          retention-days: 5
+
+  libspdm_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        # List of releases to test
+        ref: [ 3.3.0 ]
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    needs: build_wolfssl
+    steps:
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-libspdm
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout libspdm
+        uses: actions/checkout@v4
+        with:
+          repository: DMTF/libspdm
+          path: libspdm
+          ref: ${{ matrix.ref }}
+
+      - name: Build and test libspdm
+        working-directory: libspdm
+        run: |
+          patch -p1 < ../osp/libspdm/${{ matrix.ref }}/libspdm-${{ matrix.ref }}.patch
+          git submodule update --init --recursive
+          # Silence cmake version warnings
+          find -name CMakeLists.txt -exec sed -i 's/cmake_minimum_required.*/cmake_minimum_required(VERSION 3.10)/g' {} \;
+          mkdir build
+          cd build
+          cmake -DARCH=x64 -DTOOLCHAIN=GCC -DTARGET=Debug -DCRYPTO=wolfssl -DENABLE_BINARY_BUILD=1 \
+            -DCOMPILED_LIBWOLFSSL_PATH=$GITHUB_WORKSPACE/build-dir/lib/libwolfssl.a \
+            -DWOLFSSL_INCDIR=$GITHUB_WORKSPACE/build-dir/include ..
+          make -j
+          cd ../unit_test/sample_key
+          ../../build/bin/test_crypt
+          ../../build/bin/test_spdm_secured_message
+          ../../build/bin/test_spdm_crypt

.github/workflows/libssh2.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     # Just to keep it the same as the testing target
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -44,10 +44,10 @@ jobs:
       fail-fast: false
       matrix:
         # List of releases to test
-        ref: [ 1.11.0 ]
+        ref: [ 1.11.1 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 8
     needs: build_wolfssl
@@ -70,5 +70,8 @@ jobs:
           check: true
 
       - name: Confirm libssh2 built with wolfSSL
-        working-directory: ./libssh2
-        run: ldd src/.libs/libssh2.so | grep wolfssl
+        run: ldd libssh2/src/.libs/libssh2.so | grep wolfssl
+
+      - name: print server logs
+        if: ${{ failure() }}
+        run: tail -n +1 libssh2/tests/*.log

.github/workflows/libvncserver.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     # Just to keep it the same as the testing target
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -44,10 +44,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ref: [ 0.9.13 ]
+        ref: [ 0.9.13, 0.9.14 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: build_wolfssl
     steps:
       - name: Download lib
@@ -55,6 +55,11 @@ jobs:
         with:
           name: wolf-install-libvncserver
 
+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
       - name: untar build-dir
         run: tar -xf build-dir.tgz
 
@@ -76,7 +81,7 @@ jobs:
         run: |
           patch -p1 < ../osp/libvncserver/${{ matrix.ref }}.patch
           PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
-            cmake -B build -DWITH_GNUTLS=OFF -DWITH_OPENSSL=OFF -DWITH_GCRYPT=OFF -DWITH_WOLFSSL=ON .
+            cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.5 -B build -DWITH_GNUTLS=OFF -DWITH_OPENSSL=OFF -DWITH_GCRYPT=OFF -DWITH_WOLFSSL=ON .
           make -j -C build VERBOSE=1
           ldd build/libvncclient.so | grep wolfssl
           ldd build/libvncserver.so | grep wolfssl

.github/workflows/mbedtls.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+set -e
+set -x
+
+# Basic TLS test
+./mbedtls/build/programs/ssl/ssl_server2 > /tmp/server.log 2>&1 &
+SERVER_PID=$!
+sleep 0.1
+./mbedtls/build/programs/ssl/ssl_client2 # Confirm working with mbed
+env -C wolfssl ./examples/client/client -p 4433 -g \
+  -A ../mbedtls/framework/data_files/test-ca-sha256.crt \
+  -c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
+  -k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
+kill $SERVER_PID
+sleep 0.1
+env -C wolfssl ./examples/server/server -p 4433 -i -g \
+  -A ../mbedtls/framework/data_files/test-ca-sha256.crt \
+  -c ../mbedtls/framework/data_files/server2-sha256.crt \
+  -k ../mbedtls/framework/data_files/server2.key.pem > /tmp/server.log 2>&1 &
+SERVER_PID=$!
+sleep 0.1
+./mbedtls/build/programs/ssl/ssl_client2
+env -C wolfssl ./examples/client/client -p 4433 -g \
+  -A ../mbedtls/framework/data_files/test-ca-sha256.crt \
+  -c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
+  -k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
+kill $SERVER_PID
+sleep 0.1
+
+# Basic DTLS test
+./mbedtls/build/programs/ssl/ssl_server2 dtls=1 > /tmp/server.log 2>&1 &
+SERVER_PID=$!
+sleep 0.1
+./mbedtls/build/programs/ssl/ssl_client2 dtls=1 # Confirm working with mbed
+env -C wolfssl ./examples/client/client -p 4433 -g -u \
+  -A ../mbedtls/framework/data_files/test-ca-sha256.crt \
+  -c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
+  -k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
+kill $SERVER_PID
+sleep 0.1
+env -C wolfssl ./examples/server/server -p 4433 -i -g -u \
+  -A ../mbedtls/framework/data_files/test-ca-sha256.crt \
+  -c ../mbedtls/framework/data_files/server2-sha256.crt \
+  -k ../mbedtls/framework/data_files/server2.key.pem > /tmp/server.log 2>&1 &
+SERVER_PID=$!
+sleep 0.1
+env -C wolfssl ./examples/client/client -p 4433 -g -u \
+  -A ../mbedtls/framework/data_files/test-ca-sha256.crt \
+  -c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
+  -k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
+./mbedtls/build/programs/ssl/ssl_client2 dtls=1
+kill $SERVER_PID
+sleep 0.1
+
+# DTLS 1.2 CID test
+./mbedtls/build/programs/ssl/ssl_server2 dtls=1 cid=1 cid_val=121212 > /tmp/server.log 2>&1 &
+SERVER_PID=$!
+sleep 0.1
+./mbedtls/build/programs/ssl/ssl_client2 dtls=1 cid=1 cid_val=232323  # Confirm working with mbed
+env -C wolfssl ./examples/client/client -p 4433 -g -u --cid 232323 \
+  -A ../mbedtls/framework/data_files/test-ca-sha256.crt \
+  -c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
+  -k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
+kill $SERVER_PID
+sleep 0.1
+env -C wolfssl ./examples/server/server -p 4433 -i -g -u --cid 121212 \
+  -A ../mbedtls/framework/data_files/test-ca-sha256.crt \
+  -c ../mbedtls/framework/data_files/server2-sha256.crt \
+  -k ../mbedtls/framework/data_files/server2.key.pem > /tmp/server.log 2>&1 &
+SERVER_PID=$!
+sleep 0.1
+./mbedtls/build/programs/ssl/ssl_client2 dtls=1 cid_val=232323
+env -C wolfssl ./examples/client/client -p 4433 -g -u --cid 232323 \
+  -A ../mbedtls/framework/data_files/test-ca-sha256.crt \
+  -c ../mbedtls/framework/data_files/cli-rsa-sha256.crt \
+  -k ../mbedtls/framework/data_files/cli-rsa-sha256.key.pem
+kill $SERVER_PID
+sleep 0.1

.github/workflows/mbedtls.yml

@@ -0,0 +1,86 @@
+name: mbedtls interop Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+env:
+  MBED_REF: v3.6.2
+
+jobs:
+  build_mbedtls:
+    name: Build mbedtls
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 10
+    steps:
+      - name: Checking if we have mbed in cache
+        uses: actions/cache@v4
+        id: cache
+        with:
+          path: mbedtls
+          key: mbedtls-${{ env.MBED_REF }}
+          lookup-only: true
+
+      - name: Checkout mbedtls
+        if: steps.cache.outputs.cache-hit != 'true'
+        uses: actions/checkout@v4
+        with:
+          repository: Mbed-TLS/mbedtls
+          ref: ${{ env.MBED_REF }}
+          path: mbedtls
+
+      - name: Compile mbedtls
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: mbedtls
+        run: |
+          git submodule update --init
+          mkdir build
+          cd build
+          cmake ..
+          make -j
+          # convert key to pem format
+          openssl pkey -in framework/data_files/cli-rsa-sha256.key.der -text > framework/data_files/cli-rsa-sha256.key.pem
+          openssl pkey -in framework/data_files/server2.key.der -text > framework/data_files/server2.key.pem
+
+  mbedtls_test:
+    name: Test interop with mbedtls
+    runs-on: ubuntu-latest
+    needs: build_mbedtls
+    timeout-minutes: 10
+    if: github.repository_owner == 'wolfssl'
+    steps:
+      - name: Disable IPv6 (IMPORTANT, OTHERWISE DTLS MBEDTLS CLIENT WON'T CONNECT)
+        run: echo 1 | sudo tee /proc/sys/net/ipv6/conf/lo/disable_ipv6
+
+      - name: Checking if we have mbed in cache
+        uses: actions/cache/restore@v4
+        id: cache
+        with:
+          path: mbedtls
+          key: mbedtls-${{ env.MBED_REF }}
+          fail-on-cache-miss: true
+
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-dtls --enable-dtlscid
+          install: false
+          check: false
+
+      - name: Test interop
+        run: bash wolfssl/.github/workflows/mbedtls.sh
+
+      - name: print server logs
+        if: ${{ failure() }}
+        run: cat /tmp/server.log

.github/workflows/memcached.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     # Just to keep it the same as the testing target
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Build wolfSSL
         uses: wolfSSL/actions-build-autotools-project@v1
@@ -48,7 +48,7 @@ jobs:
           - ref: 1.6.22
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: build_wolfssl
     steps:
       - name: Download lib

.github/workflows/mosquitto.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     # Just to keep it the same as the testing target
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -45,7 +45,7 @@ jobs:
         ref: [ 2.0.18 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     needs: build_wolfssl
@@ -77,6 +77,12 @@ jobs:
           ref: v${{ matrix.ref }}
           path: mosquitto
 
+      - name: Update certs
+        run: |
+            cd $GITHUB_WORKSPACE/mosquitto/test/ssl
+            ./gen.sh
+            cat all-ca.crt >> server.crt
+
       - name: Configure and build mosquitto
         run: |
             cd $GITHUB_WORKSPACE/mosquitto/

.github/workflows/multi-arch.yml

@@ -37,7 +37,7 @@ jobs:
             ARCH: armel
             EXTRA_OPTS: --enable-sp-asm
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 10
     steps:

.github/workflows/multi-compiler.yml

@@ -21,31 +21,28 @@ jobs:
         include:
           - CC: gcc-9
             CXX: g++-9
-            OS: ubuntu-latest
+            OS: ubuntu-24.04
           - CC: gcc-10
             CXX: g++-10
-            OS: ubuntu-latest
+            OS: ubuntu-24.04
           - CC: gcc-11
             CXX: g++-11
-            OS: ubuntu-latest
+            OS: ubuntu-24.04
           - CC: gcc-12
             CXX: g++-12
-            OS: ubuntu-latest
-          - CC: clang-10
-            CXX: clang++-10
-            OS: ubuntu-20.04
+            OS: ubuntu-24.04
           - CC: clang-11
             CXX: clang++-11
-            OS: ubuntu-20.04
+            OS: ubuntu-22.04
           - CC: clang-12
             CXX: clang++-12
-            OS: ubuntu-20.04
+            OS: ubuntu-22.04
           - CC: clang-13
             CXX: clang++-13
-            OS: ubuntu-latest
+            OS: ubuntu-22.04
           - CC: clang-14
             CXX: clang++-14
-            OS: ubuntu-latest
+            OS: ubuntu-24.04
     if: github.repository_owner == 'wolfssl'
     runs-on: ${{ matrix.OS }}
     # This should be a safe limit for the tests to run.

.github/workflows/net-snmp.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -48,7 +48,7 @@ jobs:
             test_opts: -e 'agentxperl'
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     needs: build_wolfssl

.github/workflows/nginx.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -107,7 +107,7 @@ jobs:
               stream_proxy_ssl_verify.t
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 6
     needs: build_wolfssl

.github/workflows/no-malloc.yml

@@ -22,7 +22,7 @@ jobs:
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 6
     steps:

.github/workflows/nss.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -e
+set -x
+
+# Setup nss cert db
+mkdir nssdb
+./dist/Debug/bin/certutil -d nssdb -N --empty-password
+./dist/Debug/bin/certutil -d nssdb  -A -a -i  wolfssl/certs/test/server-localhost.pem \
+    -t TCP -n 'wolf localhost'
+
+# App data for nss
+echo Hello from nss > /tmp/in
+
+# TLS 1.3 test
+env -C wolfssl ./examples/server/server -v 4 -p 4433 \
+    -c certs/test/server-localhost.pem -d -w > /tmp/server.log 2>&1 &
+sleep 0.1
+./dist/Debug/bin/tstclnt -V tls1.3: -h localhost -p 4433 -d nssdb -C -4 -A /tmp/in -v
+sleep 0.1
+
+# DTLS 1.3 test
+env -C wolfssl ./examples/server/server -v 4 -p 4433 -u \
+    -c certs/test/server-localhost.pem -d -w > /tmp/server.log 2>&1 &
+sleep 0.1
+./dist/Debug/bin/tstclnt -V tls1.3: -P client -h localhost -p 4433 -d nssdb -C -4 -A /tmp/in -v
+sleep 0.1

.github/workflows/nss.yml

@@ -0,0 +1,89 @@
+name: nss interop Tests
+
+### TODO uncomment stuff
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+env:
+  NSS_REF: NSS_3_107_RTM
+
+jobs:
+  build_nss:
+    name: Build nss
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 30
+    steps:
+      - name: Checking if we have nss in cache
+        uses: actions/cache@v4
+        id: cache
+        with:
+          path: dist
+          key: nss-${{ env.NSS_REF }}
+          lookup-only: true
+
+      - name: Install dependencies
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          # hostap dependencies
+          sudo apt-get install -y gyp ninja-build
+
+      - name: Checkout nss
+        if: steps.cache.outputs.cache-hit != 'true'
+        uses: actions/checkout@v4
+        with:
+          repository: nss-dev/nss
+          ref: ${{ env.NSS_REF }}
+          path: nss
+
+      - name: Compile nss
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: |
+          hg clone https://hg.mozilla.org/projects/nspr
+          cd nss
+          ./build.sh
+
+  nss_test:
+    name: Test interop with nss
+    runs-on: ubuntu-22.04
+    needs: build_nss
+    timeout-minutes: 10
+    if: github.repository_owner == 'wolfssl'
+    steps:
+      - name: Checking if we have nss in cache
+        uses: actions/cache/restore@v4
+        id: cache
+        with:
+          path: dist
+          key: nss-${{ env.NSS_REF }}
+          fail-on-cache-miss: true
+
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-dtls --enable-dtls13
+          install: false
+          check: false
+
+      - name: Test interop
+        run: bash wolfssl/.github/workflows/nss.sh
+
+      - name: print server logs
+        if: ${{ failure() }}
+        run: |
+          cat /tmp/server.log

.github/workflows/ntp.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -44,10 +44,10 @@ jobs:
       fail-fast: false
       matrix:
         # List of releases to test
-        ref: [ 4.2.8p15 ]
+        ref: [ 4.2.8p15, 4.2.8p17 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 10
     needs: build_wolfssl

.github/workflows/ocsp.yml

@@ -16,7 +16,7 @@ jobs:
   ocsp_stapling:
     name: ocsp stapling
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     timeout-minutes: 10
     steps:
       - name: Checkout wolfSSL

.github/workflows/openldap.yml

@@ -16,7 +16,7 @@ jobs:
   build_wolfssl:
     name: Build wolfSSL
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -46,8 +46,10 @@ jobs:
           # List of releases to test
           - osp_ref: 2.5.13
             git_ref: OPENLDAP_REL_ENG_2_5_13
+          - osp_ref: 2.6.7
+            git_ref: OPENLDAP_REL_ENG_2_6_7
     name: ${{ matrix.osp_ref }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 20
     needs: build_wolfssl

.github/workflows/openssh.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -49,7 +49,7 @@ jobs:
             osp_ver: '9.6'
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: build_wolfssl
     steps:
       - name: Download lib

.github/workflows/opensslcoexist.yml

@@ -0,0 +1,50 @@
+name: OPENSSL_COEXIST and TEST_OPENSSL_COEXIST
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  make_check:
+    strategy:
+      matrix:
+        config: [
+          # Add new configs here
+          '--verbose --enable-all --disable-all-osp --disable-opensslall --enable-opensslcoexist CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -pedantic"',
+          '--verbose --enable-all --disable-all-osp --disable-opensslall --enable-opensslcoexist CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -pedantic -DTEST_OPENSSL_COEXIST"'
+        ]
+    name: make check
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test --enable-opensslcoexist and TEST_OPENSSL_COEXIST
+        run: |
+          ./autogen.sh || $(exit 2)
+          ./configure ${{ matrix.config }} || $(exit 3)
+          make -j 4 || $(exit 4)
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          for file in config.log scripts/*.log
+          do
+              if [ -f "$file" ]; then
+                  echo "${file}:"
+                  cat "$file"
+                  echo "========================================================================"
+              fi
+          done

.github/workflows/openvpn.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -46,7 +46,7 @@ jobs:
         ref: [ release/2.6, master ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 10
     needs: build_wolfssl

.github/workflows/os-check.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ ubuntu-latest, macos-latest ]
+        os: [ ubuntu-22.04, macos-latest ]
         config: [
           # Add new configs here
           '',
@@ -40,6 +40,8 @@ jobs:
            --enable-dtls-mtu',
           '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
             --enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA',
+          '--enable-ascon --enable-experimental',
+          '--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental',
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'
@@ -57,7 +59,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ ubuntu-latest, macos-latest ]
+        os: [ ubuntu-22.04, macos-latest ]
         user-settings: [
           # Add new user_settings.h here
           'examples/configs/user_settings_all.h',
@@ -79,9 +81,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ ubuntu-latest, macos-latest ]
+        os: [ ubuntu-22.04, macos-latest ]
         user-settings: [
           # Add new user_settings.h here
+          'examples/configs/user_settings_eccnonblock.h',
           'examples/configs/user_settings_min_ecc.h',
           'examples/configs/user_settings_wolfboot_keytools.h',
           'examples/configs/user_settings_wolftpm.h',
@@ -109,7 +112,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ ubuntu-latest, macos-latest ]
+        os: [ ubuntu-22.04, macos-latest ]
     name: make user_setting.h (with sed)
     if: github.repository_owner == 'wolfssl'
     runs-on: ${{ matrix.os }}

.github/workflows/packaging.yml

@@ -16,7 +16,7 @@ jobs:
   build_wolfssl:
     name: Package wolfSSL
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 10
     steps:

.github/workflows/pam-ipmi.yml

@@ -18,7 +18,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -48,7 +48,7 @@ jobs:
         git_ref: [ e4b13e6725abb178f62ee897fe1c0e81b06a9431 ]
     name: ${{ matrix.git_ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: build_wolfssl
     steps:
       - name: Install dependencies

.github/workflows/pq-all.yml

@@ -0,0 +1,50 @@
+name: Quantum Resistant Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  make_check:
+    strategy:
+      matrix:
+        config: [
+          # Add new configs here
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" CC=c++'
+        ]
+    name: make check
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test wolfSSL
+        run: |
+          ./autogen.sh
+          ./configure ${{ matrix.config }}
+          make -j 4
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          for file in scripts/*.log
+          do
+              if [ -f "$file" ]; then
+                  echo "${file}:"
+                  cat "$file"
+                  echo "========================================================================"
+              fi
+          done

.github/workflows/rng-tools.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -47,7 +47,7 @@ jobs:
         ref: [ 6.16 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     needs: build_wolfssl

.github/workflows/socat.yml

@@ -16,7 +16,7 @@ jobs:
   build_wolfssl:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     timeout-minutes: 4
     steps:
       - name: Build wolfSSL
@@ -39,7 +39,7 @@ jobs:
 
   socat_check:
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 30
     needs: build_wolfssl
@@ -78,4 +78,4 @@ jobs:
         run: |
           export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
           export SHELL=/bin/bash
-          SOCAT=$GITHUB_WORKSPACE/socat-1.8.0.0/socat ./test.sh -t 0.5 --expect-fail 36,64,146,214,216,217,309,310,386,399,402,403,459,460,467,468,478,492,528,530
+          SOCAT=$GITHUB_WORKSPACE/socat-1.8.0.0/socat ./test.sh -t 0.5 --expect-fail 36,64,146,214,216,217,309,310,386,399,402,403,459,460,467,468,475,478,492,528,530

.github/workflows/softhsm.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 10
     steps:
@@ -47,7 +47,7 @@ jobs:
         ref: [ 2.6.1 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 20
     needs: build_wolfssl

.github/workflows/sssd.yml

@@ -17,7 +17,7 @@ jobs:
     if: github.repository_owner == 'wolfssl'
     name: Build wolfSSL
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -47,7 +47,7 @@ jobs:
         # List of releases to test
         ref: [ 2.9.1 ]
     name: ${{ matrix.ref }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     container:
       image: quay.io/sssd/ci-client-devel:ubuntu-latest
       env:

.github/workflows/stunnel.yml

@@ -17,7 +17,7 @@ jobs:
     name: Build wolfSSL
     if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
@@ -46,7 +46,7 @@ jobs:
         ref: [ 5.67 ]
     name: ${{ matrix.ref }}
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     needs: build_wolfssl

.github/workflows/watcomc.yml

@@ -0,0 +1,84 @@
+name: Build Watcom C
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  wolfssl_watcomc_windows:
+    if: github.repository_owner == 'wolfssl'
+    strategy:
+      fail-fast: false
+      matrix:
+        common:
+          - cmake:    '-G "Watcom WMake" -DCMAKE_VERBOSE_MAKEFILE=TRUE -DWOLFSSL_ASM=no -DWOLFSSL_EXAMPLES=no -DWOLFSSL_CRYPT_TESTS=no'
+        platform:
+          - title:   'Windows OW 2.0'
+            system:   'Windows'
+            image:    'windows-latest'
+            owimage:  '2.0'
+            id:       'win32ow20'
+            cmake:    '-DCMAKE_SYSTEM_NAME=Windows -DCMAKE_SYSTEM_PROCESSOR=x86'
+          - title:   'Linux OW 2.0'
+            system:   'Linux'
+            image:    'ubuntu-latest'
+            owimage:  '2.0'
+            id:       'linuxow20'
+            cmake:    '-DCMAKE_SYSTEM_NAME=Linux -DCMAKE_SYSTEM_PROCESSOR=x86'
+          - title:   'OS/2 OW 2.0'
+            system:   'OS2'
+            image:    'windows-latest'
+            owimage:  '2.0'
+            id:       'os2ow20'
+            cmake:    '-DCMAKE_SYSTEM_NAME=OS2 -DCMAKE_SYSTEM_PROCESSOR=x86'
+        thread:
+          - id:       'multi'
+            cmake:    ''
+            owcmake:  '-DCMAKE_POLICY_DEFAULT_CMP0136=NEW -DCMAKE_WATCOM_RUNTIME_LIBRARY=MultiThreaded'
+          - id:       'single'
+            cmake:    '-DWOLFSSL_SINGLE_THREADED=yes'
+            owcmake:  '-DCMAKE_POLICY_DEFAULT_CMP0136=NEW -DCMAKE_WATCOM_RUNTIME_LIBRARY=SingleThreaded'
+        library:
+          - id:       'dll'
+            cmake:    ''
+            owcmake:  'DLL'
+          - id:       'static'
+            cmake:    '-DBUILD_SHARED_LIBS=no'
+            owcmake:  ''
+        exclude:
+          - { platform: { system: 'Linux' }, library: { id: 'dll' } }
+    runs-on: ${{ matrix.platform.image }}
+    name: ${{ matrix.platform.title }} (${{ matrix.thread.id }} ${{ matrix.library.id }})
+    steps:
+      - name: Setup Open Watcom ${{ matrix.platform.owimage }}
+        uses: open-watcom/setup-watcom@v0
+        with:
+          version: ${{ matrix.platform.owimage }}
+
+      - name: Checkout wolfSSL
+        uses: actions/checkout@v4
+        with:
+          path: wolfssl
+
+      - name: Build wolfSSL
+        working-directory: wolfssl
+        shell: bash
+        run: |
+          cmake -B build ${{matrix.common.cmake}} ${{ matrix.platform.cmake }} ${{ matrix.thread.cmake }} ${{ matrix.library.cmake }} ${{ matrix.thread.owcmake }}${{ matrix.library.owcmake }}
+          cmake --build build
+
+      - name: Upload build errors
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.platform.id }}-${{ matrix.thread.id }}-${{ matrix.library.id }}
+          path: |
+            build/**

.github/workflows/wolfCrypt-Wconversion.yml

@@ -0,0 +1,41 @@
+name: wolfCrypt conversion warnings
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_library:
+    strategy:
+      matrix:
+        config: [
+          # Add new configs here
+          '--disable-asm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
+          '--enable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
+          '--enable-smallstack --disable-asm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
+          '--enable-smallstack --enable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
+          '--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -DNO_INT128"'
+        ]
+    name: build library
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Build wolfCrypt with extra type conversion warnings
+        run: |
+          ./autogen.sh || $(exit 2)
+          echo "running ./configure ${{ matrix.config }}"
+          ./configure ${{ matrix.config }} || $(exit 3)
+          make -j 4 || $(exit 4)

.github/workflows/zephyr.yml

@@ -26,7 +26,7 @@ jobs:
           - zephyr-ref: v2.7.4
             zephyr-sdk: 0.16.3
     if: github.repository_owner == 'wolfssl'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     # This should be a safe limit for the tests to run.
     timeout-minutes: 25
     steps:
@@ -49,6 +49,11 @@ jobs:
             python3-ply python3-setuptools python-is-python3 qemu-kvm rsync socat srecord sudo \
             texinfo unzip wget ovmf xz-utils
 
+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
       - name: Install west
         run: sudo pip install west
 

.gitignore

@@ -418,11 +418,16 @@ user_settings_asm.h
 # ESP8266 RTOS SDK has a slightly different sdkconfig filename to exclude:
 /IDE/Espressif/**/sdkconfig.debug
 /IDE/Espressif/**/sdkconfig.release
+/IDE/Espressif/**/sdkconfig-debug
+/IDE/Espressif/**/sdkconfig-release
 
 # Always include Espressif makefiles (typically only used for ESP8266)
 !/IDE/Espressif/**/Makefile
 !/IDE/Espressif/**/component.mk
 
+# Ignore all the example logs
+/IDE/Espressif/ESP-IDF/examples/**/logs/*
+
 # MPLAB
 /IDE/MPLABX16/wolfssl.X/dist/default/
 /IDE/MPLABX16/wolfssl.X/.generated_files

.wolfssl_known_macro_extras

@@ -9,9 +9,17 @@ APP_ESP_HTTP_CLIENT_EXAMPLE
 APSTUDIO_INVOKED
 ARCH_sim
 ARDUINO
+ARDUINO_ARCH_ESP32
+ARDUINO_ARCH_ESP8266
+ARDUINO_ARCH_MBED
+ARDUINO_ARCH_NRF52
 ARDUINO_ARCH_RP2040
+ARDUINO_ARCH_SAMD
+ARDUINO_ARCH_STM32
 ARDUINO_SAMD_NANO_33_IOT
 ARDUINO_SAM_DUE
+ARDUINO_SEEED_XIAO
+ARDUINO_TEENSY41
 ASN_DUMP_OID
 ASN_TEMPLATE_SKIP_ISCA_CHECK
 ATCAPRINTF
@@ -28,6 +36,7 @@ BSP_SDCARD_ESDHC_CHANNEL
 BSP_SDCARD_SDHC_CHANNEL
 BSP_SDCARD_SPI_CHANNEL
 CAAM_OUT_INVALIDATE
+CERT_REL_PREFIX
 CIOCASYMFEAT
 CIOCGSESSINFO
 CMSIS_OS2_H_
@@ -80,10 +89,12 @@ CONFIG_IDF_TARGET_ESP32C2
 CONFIG_IDF_TARGET_ESP32C3
 CONFIG_IDF_TARGET_ESP32C6
 CONFIG_IDF_TARGET_ESP32H2
+CONFIG_IDF_TARGET_ESP32P4
 CONFIG_IDF_TARGET_ESP32S2
 CONFIG_IDF_TARGET_ESP32S3
 CONFIG_IDF_TARGET_ESP8266
 CONFIG_IDF_TARGET_ESP8684
+CONFIG_KASAN
 CONFIG_MAIN_TASK_STACK_SIZE
 CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
 CONFIG_MBEDTLS_PSA_CRYPTO_C
@@ -137,6 +148,7 @@ CONFIG_WOLFSSL_TARGET_PORT
 CONFIG_WOLFSSL_TLS13_ENABLED
 CONFIG_WOLFSSL_TLS_VERSION_1_2
 CONFIG_WOLFSSL_TLS_VERSION_1_3
+CONFIG_WOLFTPM
 CONFIG_WOLFTPM_EXAMPLE_NAME_ESPRESSIF
 CONFIG_X86
 CONV_WITH_DIV
@@ -153,6 +165,7 @@ CRYP_KEYSIZE_192B
 CSM_UNSUPPORTED_ALGS
 CTYPE_USER
 CURVED448_SMALL
+CUSTOM_ENTROPY_TIMEHIRES
 CY_USING_HAL
 DCP_USE_DCACHE
 DILITHIUM_MUL_11_SLOW
@@ -173,6 +186,7 @@ ESP_IDF_VERSION_MAJOR
 ESP_IDF_VERSION_MINOR
 ESP_PLATFORM
 ESP_TASK_MAIN_STACK
+ETHERNET_AVAILABLE
 EV_TRIGGER
 FP_ECC_CONTROL
 FREERTOS_TCP_WINSIM
@@ -216,8 +230,6 @@ HAVE_ECC512
 HAVE_ECC_CDH_CAST
 HAVE_ECC_SM2
 HAVE_ESP_CLK
-HAVE_EX_DATA_CRYPTO
-HAVE_EX_DATA_CLEANUP_HOOKS
 HAVE_FACON
 HAVE_FIPS_VERSION_PORT
 HAVE_FUZZER
@@ -244,6 +256,7 @@ HSM_KEY_TYPE_HMAC_512
 HSM_OP_KEY_GENERATION_FLAGS_CREATE
 HSM_OP_KEY_GENERATION_FLAGS_UPDATE
 HSM_SVC_KEY_STORE_FLAGS_UPDATE
+HWCAP_ASIMDRDM
 IDIRECT_DEV_RANDOM
 IDIRECT_DEV_TIME
 ID_TRNG
@@ -255,7 +268,6 @@ INTIMEVER
 IOTSAFE_NO_GETDATA
 IOTSAFE_SIG_8BIT_LENGTH
 KCAPI_USE_XMALLOC
-KYBER_NONDETERMINISTIC
 K_SERIES
 LIBWOLFSSL_VERSION_GIT_BRANCH
 LIBWOLFSSL_VERSION_GIT_HASH
@@ -284,6 +296,7 @@ MICRIUM_MALLOC
 MICROCHIP_MPLAB_HARMONY
 MICROCHIP_MPLAB_HARMONY_3
 MICRO_SESSION_CACHEx
+MLKEM_NONDETERMINISTIC
 MODULE_SOCK_TCP
 MP_31BIT
 MP_8BIT
@@ -314,6 +327,7 @@ NO_ECC384
 NO_ECC521
 NO_ECC_CACHE_CURVE
 NO_ECC_CHECK_KEY
+NO_ECC_CHECK_PUBKEY_ORDER
 NO_ECC_KEY_IMPORT
 NO_ECC_MAKE_PUB
 NO_ED25519_CLIENT_AUTH
@@ -374,6 +388,7 @@ NO_WOLFSSL_AUTOSAR_CRYIF
 NO_WOLFSSL_AUTOSAR_CRYPTO
 NO_WOLFSSL_AUTOSAR_CSM
 NO_WOLFSSL_BASE64_DECODE
+NO_WOLFSSL_BN_CTX
 NO_WOLFSSL_MSG_EX
 NO_WOLFSSL_RENESAS_FSPSM_AES
 NO_WOLFSSL_RENESAS_FSPSM_HASH
@@ -459,6 +474,7 @@ STM32H723xx
 STM32H725xx
 STM32H743xx
 STM32H753xx
+STM32H7S3xx
 STM32L475xx
 STM32L4A6xx
 STM32L552xx
@@ -468,6 +484,7 @@ STM32U575xx
 STM32U585xx
 STM32U5A9xx
 STM32WB55xx
+STM32WBA52xx
 STM32WL55xx
 STM32_AESGCM_PARTIAL
 STM32_HW_CLOCK_AUTO
@@ -477,9 +494,12 @@ TCP_NODELAY
 TFM_ALREADY_SET
 TFM_SMALL_MONT_SET
 THREADED_SNIFFTEST
+TIF_NEED_FPU_LOAD
 TIME_T_NOT_LONG
 TI_DUMMY_BUILD
 TLS13_RSA_PSS_SIGN_CB_NO_PREHASH
+TSIP_RSAES_1024
+TSIP_RSAES_2048
 UNICODE
 USER_CA_CB
 USER_CUSTOM_SNIFFX
@@ -522,6 +542,7 @@ WC_ASYNC_ENABLE_SHA384
 WC_ASYNC_ENABLE_SHA512
 WC_ASYNC_NO_CRYPT
 WC_ASYNC_NO_HASH
+WC_CACHE_RESISTANT_BASE64_TABLE
 WC_DILITHIUM_CACHE_PRIV_VECTORS
 WC_DILITHIUM_CACHE_PUB_VECTORS
 WC_DILITHIUM_FIXED_ARRAY
@@ -541,16 +562,19 @@ WC_RSA_NO_FERMAT_CHECK
 WC_SHA384
 WC_SHA384_DIGEST_SIZE
 WC_SHA512
-WC_SHA512_DIGEST_SIZE
 WC_SSIZE_TYPE
 WC_STRICT_SIG
+WC_WANT_FLAG_DONT_USE_AESNI
 WC_XMSS_FULL_HASH
+WIFI_AVAILABLE
 WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
 WOLFSENTRY_H
 WOLFSENTRY_NO_JSON
 WOLFSSL_32BIT_MILLI_TIME
+WOLFSSL_AARCH64_PRIVILEGE_MODE
 WOLFSSL_AESNI_BY4
 WOLFSSL_AESNI_BY6
+WOLFSSL_AES_CTR_EXAMPLE
 WOLFSSL_AFTER_DATE_CLOCK_SKEW
 WOLFSSL_ALGO_HW_MUTEX
 WOLFSSL_ALLOW_CRIT_AIA
@@ -565,9 +589,9 @@ WOLFSSL_ALLOW_TLS_SHA1
 WOLFSSL_ALTERNATIVE_DOWNGRADE
 WOLFSSL_ALT_NAMES_NO_REV
 WOLFSSL_ARM_ARCH_NEON_64BIT
+WOLFSSL_ASCON_UNROLL
 WOLFSSL_ASNC_CRYPT
 WOLFSSL_ASN_EXTRA
-WOLFSSL_ASN_INT_LEAD_0_ANY
 WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
 WOLFSSL_ASN_TEMPLATE_TYPE_CHECK
 WOLFSSL_ATECC508
@@ -596,9 +620,12 @@ WOLFSSL_CHECK_DESKEY
 WOLFSSL_CHECK_MEM_ZERO
 WOLFSSL_CHIBIOS
 WOLFSSL_CLANG_TIDY
+WOLFSSL_CLIENT_EXAMPLE
 WOLFSSL_COMMERCIAL_LICENSE
 WOLFSSL_CONTIKI
 WOLFSSL_CRL_ALLOW_MISSING_CDP
+WOLFSSL_CURVE25519_BLINDING
+WOLFSSL_CUSTOM_CONFIG
 WOLFSSL_DILITHIUM_ASSIGN_KEY
 WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM
 WOLFSSL_DILITHIUM_NO_ASN1
@@ -615,7 +642,6 @@ WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC
 WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM
 WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
 WOLFSSL_DTLS_DISALLOW_FUTURE
-WOLFSSL_DTLS_DROP_STATS
 WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT
 WOLFSSL_DUMP_MEMIO_STREAM
 WOLFSSL_DUP_CERTPOL
@@ -659,9 +685,9 @@ WOLFSSL_IMXRT_DCP
 WOLFSSL_ISOTP
 WOLFSSL_KEIL
 WOLFSSL_KEIL_NET
-WOLFSSL_KYBER_INVNTT_UNROLL
-WOLFSSL_KYBER_NO_LARGE_CODE
-WOLFSSL_KYBER_NTT_UNROLL
+WOLFSSL_KYBER_NO_DECAPSULATE
+WOLFSSL_KYBER_NO_ENCAPSULATE
+WOLFSSL_KYBER_NO_MAKE_KEY
 WOLFSSL_LIB
 WOLFSSL_LMS_CACHE_BITS
 WOLFSSL_LMS_FULL_HASH
@@ -675,6 +701,12 @@ WOLFSSL_MAKE_SYSTEM_NAME_LINUX
 WOLFSSL_MAKE_SYSTEM_NAME_WSL
 WOLFSSL_MDK5
 WOLFSSL_MEM_FAIL_COUNT
+WOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM
+WOLFSSL_MLKEM_INVNTT_UNROLL
+WOLFSSL_MLKEM_MAKEKEY_SMALL_MEM
+WOLFSSL_MLKEM_NO_LARGE_CODE
+WOLFSSL_MLKEM_NO_MALLOC
+WOLFSSL_MLKEM_NTT_UNROLL
 WOLFSSL_MONT_RED_CT
 WOLFSSL_MP_COND_COPY
 WOLFSSL_MP_INVMOD_CONSTANT_TIME
@@ -723,6 +755,7 @@ WOLFSSL_NRF51_AES
 WOLFSSL_OLDTLS_AEAD_CIPHERSUITES
 WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
 WOLFSSL_OLD_SET_CURVES_LIST
+WOLFSSL_OLD_TIMINGPADVERIFY
 WOLFSSL_OLD_UNSUPPORTED_EXTENSION
 WOLFSSL_OPTIONS_IGNORE_SYS
 WOLFSSL_PASSTHRU_ERR
@@ -748,18 +781,21 @@ WOLFSSL_RENESAS_RA6M3G
 WOLFSSL_RENESAS_RSIP
 WOLFSSL_RENESAS_RZN2L
 WOLFSSL_RENESAS_TLS
-WOLFSSL_RENESAS_TSIP_CRYPTONLY
 WOLFSSL_RENESAS_TSIP_IAREWRX
+WOLFSSL_REQUIRE_TCA
 WOLFSSL_RSA_CHECK_D_ON_DECRYPT
 WOLFSSL_RSA_DECRYPT_TO_0_LEN
 WOLFSSL_RW_THREADED
 WOLFSSL_SAKKE_SMALL
 WOLFSSL_SAKKE_SMALL_MODEXP
+WOLFSSL_SE050_AUTO_ERASE
 WOLFSSL_SE050_CRYPT
 WOLFSSL_SE050_HASH
 WOLFSSL_SE050_INIT
+WOLFSSL_SE050_NO_RSA
 WOLFSSL_SE050_NO_TRNG
 WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
+WOLFSSL_SERVER_EXAMPLE
 WOLFSSL_SETTINGS_FILE
 WOLFSSL_SH224
 WOLFSSL_SHA256_ALT_CH_MAJ
@@ -768,7 +804,6 @@ WOLFSSL_SILABS_TRNG
 WOLFSSL_SM4_EBC
 WOLFSSL_SNIFFER_NO_RECOVERY
 WOLFSSL_SP_ARM32_UDIV
-WOLFSSL_SP_DH
 WOLFSSL_SP_FAST_NCT_EXPTMOD
 WOLFSSL_SP_INT_SQR_VOLATILE
 WOLFSSL_STACK_CHECK
@@ -777,6 +812,7 @@ WOLFSSL_STM32_RNG_NOLIB
 WOLFSSL_STRONGEST_HASH_SIG
 WOLFSSL_STSAFE_TAKES_SLOT
 WOLFSSL_TELIT_M2MB
+WOLFSSL_TEMPLATE_EXAMPLE
 WOLFSSL_THREADED_CRYPT
 WOLFSSL_TICKET_DECRYPT_NO_CREATE
 WOLFSSL_TICKET_ENC_AES128_GCM
@@ -789,9 +825,9 @@ WOLFSSL_TICKET_ENC_HMAC_SHA512
 WOLFSSL_TI_CURRTIME
 WOLFSSL_TLS13_DRAFT
 WOLFSSL_TLS13_IGNORE_AEAD_LIMITS
-WOLFSSL_TLS13_MIDDLEBOX_COMPAT
 WOLFSSL_TLS13_SHA512
 WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
+WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY
 WOLFSSL_TRACK_MEMORY_FULL
 WOLFSSL_TRAP_MALLOC_SZ
 WOLFSSL_UNALIGNED_64BIT_ACCESS
@@ -815,21 +851,14 @@ WOLFSSL_XILINX_PATCH
 WOLFSSL_XIL_MSG_NO_SLEEP
 WOLFSSL_XMSS_LARGE_SECRET_KEY
 WOLFSSL_ZEPHYR
-WOLFSS_SP_MATH_ALL
 WOLF_ALLOW_BUILTIN
-WOLF_CONF_IO
-WOLF_CONF_KYBER
-WOLF_CONF_PK
-WOLF_CONF_RESUMPTION
-WOLF_CONF_TPM
 WOLF_CRYPTO_CB_CMD
 WOLF_CRYPTO_CB_FIND
 WOLF_CRYPTO_CB_ONLY_ECC
 WOLF_CRYPTO_CB_ONLY_RSA
-WOLF_CRYPTO_CB_RSA_PAD
 WOLF_CRYPTO_DEV
 WOLF_NO_TRAILING_ENUM_COMMAS
-WOLSSL_OLD_TIMINGPADVERIFY
+WindowsCE
 XGETPASSWD
 XMSS_CALL_PRF_KEYGEN
 XPAR_VERSAL_CIPS_0_PSPMC_0_PSV_CORTEXA72_0_TIMESTAMP_CLK_FREQ
@@ -856,6 +885,7 @@ _UINTPTR_T_DECLARED
 _WIN32
 _WIN32_WCE
 _WIN64
+_XOPEN_SOURCE_EXTENDED
 __32MZ2048ECH144__
 __32MZ2048ECM144__
 __32MZ2048EFM144__
@@ -878,6 +908,7 @@ __BIG_ENDIAN__
 __BORLANDC__
 __CCRX__
 __COMPILER_VER__
+__COUNTER__
 __CYGWIN__
 __DATE__
 __DCACHE_PRESENT
@@ -899,6 +930,7 @@ __INTEGRITY
 __INTEL_COMPILER
 __KEIL__
 __KEY_DATA_H__
+__LINUX__
 __LP64
 __LP64__
 __MACH__
@@ -907,6 +939,9 @@ __MINGW32__
 __MINGW64_VERSION_MAJOR
 __MINGW64__
 __MWERKS__
+__NT__
+__OS2__
+__OpenBSD__
 __PIE__
 __POWERPC__
 __PPC__
@@ -936,6 +971,7 @@ __SUNPRO_CC
 __SVR4
 __TI_COMPILER_VERSION__
 __TURBOC__
+__UNIX__
 __USE_GNU
 __USE_MISC
 __USE_XOPEN2K
@@ -966,6 +1002,7 @@ __ppc__
 __riscv
 __riscv_xlen
 __s390x__
+__sparc
 __sparc64__
 __sun
 __svr4__

CMakeLists.txt

@@ -34,7 +34,7 @@ if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
      You must delete them, or cmake will refuse to work.")
 endif()
 
-project(wolfssl VERSION 5.7.4 LANGUAGES C ASM)
+project(wolfssl VERSION 5.8.0 LANGUAGES C ASM)
 
 # Set WOLFSSL_ROOT if not already defined
 if ("${WOLFSSL_ROOT}" STREQUAL "")
@@ -49,11 +49,11 @@ endif()
 
 # shared library versioning
 # increment if interfaces have been removed or changed
-set(WOLFSSL_LIBRARY_VERSION_FIRST 42)
+set(WOLFSSL_LIBRARY_VERSION_FIRST 43)
 
 # increment if interfaces have been added
 # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented
-set(WOLFSSL_LIBRARY_VERSION_SECOND 3)
+set(WOLFSSL_LIBRARY_VERSION_SECOND 1)
 
 # increment if source code has changed
 # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented or
@@ -125,6 +125,9 @@ check_function_exists("socket" HAVE_SOCKET)
 check_function_exists("strftime" HAVE_STRFTIME)
 check_function_exists("__atomic_fetch_add" HAVE_C___ATOMIC)
 
+include(CheckSymbolExists)
+check_symbol_exists(isascii "ctype.h" HAVE_ISASCII)
+
 include(CheckTypeSize)
 
 check_type_size("__uint128_t" __UINT128_T)
@@ -153,9 +156,14 @@ endif()
 # Thread local storage
 include(CheckCSourceCompiles)
 
-set(TLS_KEYWORDS "__thread" "__declspec(thread)")
-foreach(TLS_KEYWORD IN LISTS TLS_KEYWORDS)
-    set(TLS_CODE "#include <stdlib.h>
+if(CMAKE_C_COMPILER_ID STREQUAL "OpenWatcom")
+    if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+        list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_THREAD_LS")
+    endif()
+else()
+    set(TLS_KEYWORDS "__thread" "__declspec(thread)")
+    foreach(TLS_KEYWORD IN LISTS TLS_KEYWORDS)
+        set(TLS_CODE "#include <stdlib.h>
                   static void foo(void) {
                      static ${TLS_KEYWORD} int bar\;
                      exit(1)\;
@@ -164,21 +172,22 @@ foreach(TLS_KEYWORD IN LISTS TLS_KEYWORDS)
                   int main() {
                     return 0\;
                   }"
-    )
-    check_c_source_compiles(${TLS_CODE} THREAD_LS_ON)
+        )
+        check_c_source_compiles(${TLS_CODE} THREAD_LS_ON)
 
-    if(THREAD_LS_ON)
-        list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_THREAD_LS")
-        break()
-    else()
-        # THREAD_LS_ON is cached after each call to
-        # check_c_source_compiles, and the function
-        # won't run subsequent times if the variable
-        # is in the cache. To make it run again, we
-        # need to remove the variable from the cache.
-        unset(THREAD_LS_ON CACHE)
-    endif()
-endforeach()
+        if(THREAD_LS_ON)
+            list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_THREAD_LS")
+            break()
+        else()
+            # THREAD_LS_ON is cached after each call to
+            # check_c_source_compiles, and the function
+            # won't run subsequent times if the variable
+            # is in the cache. To make it run again, we
+            # need to remove the variable from the cache.
+            unset(THREAD_LS_ON CACHE)
+        endif()
+    endforeach()
+endif()
 
 # TODO: AX_PTHREAD does a lot. Need to implement the
 #       rest of its logic.
@@ -198,13 +207,20 @@ find_package(Threads)
 # Example for map file and custom linker script
 #set(CMAKE_EXE_LINKER_FLAGS " -Xlinker -Map=output.map -T\"${CMAKE_CURRENT_SOURCE_DIR}/linker.ld\"")
 
+message(STATUS "C Compiler ID: ${CMAKE_C_COMPILER_ID}")
+
 if(DEFINED WARNING_C_FLAGS)
-set(CMAKE_C_FLAGS "${WARNING_C_FLAGS} ${CMAKE_C_FLAGS}")
+    set(CMAKE_C_FLAGS "${WARNING_C_FLAGS} ${CMAKE_C_FLAGS}")
+endif()
+
+if(CMAKE_C_COMPILER_ID STREQUAL "OpenWatcom")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -wx -wcd=202")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_HAVE_MIN -DWOLFSSL_HAVE_MAX -DNO_WRITEV")
 elseif(WIN32)
-# Windows cl.exe does not support the -Wextra, -Wno-unused and -Werror flags.
-set(CMAKE_C_FLAGS "-Wall ${CMAKE_C_FLAGS}")
+    # Windows cl.exe does not support the -Wextra, -Wno-unused and -Werror flags.
+    set(CMAKE_C_FLAGS "-Wall ${CMAKE_C_FLAGS}")
 else()
-set(CMAKE_C_FLAGS "-Wall -Wextra -Wno-unused -Werror ${CMAKE_C_FLAGS}")
+    set(CMAKE_C_FLAGS "-Wall -Wextra -Wno-unused -Werror ${CMAKE_C_FLAGS}")
 endif()
 
 ####################################################
@@ -281,9 +297,7 @@ if(NOT WOLFSSL_SINGLE_THREADED)
     if(CMAKE_USE_PTHREADS_INIT)
         list(APPEND WOLFSSL_LINK_LIBS Threads::Threads)
         set(HAVE_PTHREAD 1)
-        list(APPEND WOLFSSL_DEFINITIONS
-            "-DHAVE_PTHREAD"
-            "-D_POSIX_THREADS")
+        list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_PTHREAD")
     endif()
 else()
     list(APPEND WOLFSSL_DEFINITIONS "-DSINGLE_THREADED")
@@ -558,9 +572,18 @@ add_option(WOLFSSL_OQS
     "Enable integration with the OQS (Open Quantum Safe) liboqs library (default: disabled)"
     "no" "yes;no")
 
-# Kyber
-add_option(WOLFSSL_KYBER
-    "Enable the wolfSSL PQ Kyber library (default: disabled)"
+# ML-KEM/Kyber
+add_option(WOLFSSL_MLKEM
+    "Enable the wolfSSL PQ ML-KEM library (default: disabled)"
+    "no" "yes;no")
+
+# LMS
+add_option(WOLFSSL_LMS
+    "Enable the PQ LMS Stateful Hash-based Signature Scheme (default: disabled)"
+    "no" "yes;no")
+
+add_option(WOLFSSL_LMSSHA256192
+    "Enable the LMS SHA_256_192 truncated variant (default: disabled)"
     "no" "yes;no")
 
 # Experimental features
@@ -576,7 +599,7 @@ if (WOLFSSL_EXPERIMENTAL)
     # check if any experimental features are also enabled:
     set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 0)
 
-    set_wolfssl_definitions("WOLFSSL_EXPERIMENTAL_SETTINGS" RESUlT)
+    set_wolfssl_definitions("WOLFSSL_EXPERIMENTAL_SETTINGS" RESULT)
 
     # Checking for experimental feature: OQS
     message(STATUS "Looking for WOLFSSL_OQS")
@@ -591,9 +614,9 @@ if (WOLFSSL_EXPERIMENTAL)
             list(APPEND WOLFSSL_LINK_LIBS ${OQS_LIBRARY})
             list(APPEND WOLFSSL_INCLUDE_DIRS ${OQS_INCLUDE_DIR})
 
-            set_wolfssl_definitions("HAVE_LIBOQS"          RESUlT)
-            set_wolfssl_definitions("HAVE_TLS_EXTENSIONS"  RESUlT)
-            set_wolfssl_definitions("OPENSSL_EXTRA"        RESUlT)
+            set_wolfssl_definitions("HAVE_LIBOQS"          RESULT)
+            set_wolfssl_definitions("HAVE_TLS_EXTENSIONS"  RESULT)
+            set_wolfssl_definitions("OPENSSL_EXTRA"        RESULT)
 
         else()
             message(STATUS "Checking OQS - not found")
@@ -603,20 +626,52 @@ if (WOLFSSL_EXPERIMENTAL)
         message(STATUS "Looking for WOLFSSL_OQS - not found")
     endif()
 
-    # Checking for experimental feature: Kyber
-    message(STATUS "Looking for WOLFSSL_KYBER")
-    if (WOLFSSL_KYBER)
+    # Checking for experimental feature: WOLFSSL_MLKEM
+    message(STATUS "Looking for WOLFSSL_MLKEM")
+    if (WOLFSSL_MLKEM)
         set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
 
-        message(STATUS "Automatically set related requirements for Kyber:")
-        set_wolfssl_definitions("WOLFSSL_HAVE_KYBER" RESUlT)
-        set_wolfssl_definitions("WOLFSSL_WC_KYBER"   RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"       RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESUlT)
-        message(STATUS "Looking for WOLFSSL_KYBER - found")
+        message(STATUS "Automatically set related requirements for ML-KEM:")
+        add_definitions("-DWOLFSSL_HAVE_MLKEM")
+        add_definitions("-DWOLFSSL_WC_MLKEM")
+        add_definitions("-DWOLFSSL_SHA3")
+        add_definitions("-DWOLFSSL_SHAKE128")
+        add_definitions("-DWOLFSSL_SHAKE256")
+
+        set_wolfssl_definitions("WOLFSSL_HAVE_MLKEM" RESULT)
+        set_wolfssl_definitions("WOLFSSL_WC_MLKEM"   RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHA3"       RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
+        message(STATUS "Looking for WOLFSSL_MLKEM - found")
     else()
-        message(STATUS "Looking for WOLFSSL_KYBER - not found")
+        message(STATUS "Looking for WOLFSSL_MLKEM - not found")
+    endif()
+
+    # Checking for experimental feature: WOLFSSL_LMS
+    message(STATUS "Looking for WOLFSSL_LMS")
+    if (WOLFSSL_LMS)
+        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 2)
+
+        message(STATUS "Automatically set related requirements for LMS")
+        add_definitions("-DWOLFSSL_HAVE_LMS")
+        add_definitions("-DWOLFSSL_WC_LMS")
+        set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
+        set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
+        message(STATUS "Looking for WOLFSSL_LMS - found")
+        # Checking for experimental feature: WOLFSSL_LMSSHA256192
+        if (WOLFSSL_LMSSHA256192)
+            message(STATUS "Automatically set related requirements for LMS SHA256-192")
+            add_definitions("-DWOLFSSL_LMS_SHA256_192")
+            add_definitions("-DWOLFSSL_NO_LMS_SHA256_256")
+            set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
+            set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
+            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - found")
+        else()
+            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - not found")
+        endif()
+    else()
+        message(STATUS "Looking for WOLFSSL_LMS - not found")
     endif()
 
     # Other experimental feature detection can be added here...
@@ -629,8 +684,8 @@ if (WOLFSSL_EXPERIMENTAL)
     endif()
 
     # Sanity checks
-    if(WOLFSSL_OQS AND WOLFSSL_KYBER)
-        message(FATAL_ERROR "Error: cannot enable both WOLFSSL_OQS and WOLFSSL_KYBER at the same time.")
+    if(WOLFSSL_OQS AND WOLFSSL_MLKEM)
+        message(FATAL_ERROR "Error: cannot enable both WOLFSSL_OQS and WOLFSSL_MLKEM at the same time.")
     endif()
 
 else()
@@ -639,11 +694,21 @@ else()
     if (WOLFSSL_OQS)
         message(FATAL_ERROR "Error: WOLFSSL_OQS requires WOLFSSL_EXPERIMENTAL at this time.")
     endif()
-    if(WOLFSSL_KYBER)
-        message(FATAL_ERROR "Error: WOLFSSL_KYBER requires WOLFSSL_EXPERIMENTAL at this time.")
+    if(WOLFSSL_MLKEM)
+        message(FATAL_ERROR "Error: WOLFSSL_MLKEM requires WOLFSSL_EXPERIMENTAL at this time.")
     endif()
 endif()
 
+# LMS
+add_option(WOLFSSL_LMS
+    "Enable the wolfSSL LMS implementation (default: disabled)"
+    "no" "yes;no")
+
+# XMSS
+add_option(WOLFSSL_XMSS
+    "Enable the wolfSSL XMSS implementation (default: disabled)"
+    "no" "yes;no")
+
 # TODO: - Lean PSK
 #       - Lean TLS
 #       - Low resource
@@ -657,8 +722,6 @@ endif()
 #       - Atomic user record layer
 #       - Public key callbacks
 #       - Microchip/Atmel CryptoAuthLib
-#       - XMSS
-#       - LMS
 #       - dual-certs
 
 # AES-CBC
@@ -733,7 +796,8 @@ add_option("WOLFSSL_AESCTR"
 
 if(WOLFSSL_OPENVPN OR
    WOLFSSL_LIBSSH2 OR
-   WOLFSSL_AESSIV)
+   WOLFSSL_AESSIV OR
+   WOLFSSL_CLU)
     override_cache(WOLFSSL_AESCTR "yes")
 endif()
 
@@ -873,7 +937,7 @@ endif()
 #       - SEP
 
 add_option("WOLFSSL_KEYGEN"
-    "Enable key generation (default: disabled)])"
+    "Enable key generation (default: disabled)"
     "no" "yes;no")
 
 add_option("WOLFSSL_CERTGEN"
@@ -1000,7 +1064,7 @@ add_option("WOLFSSL_ED25519"
     "Enable ED25519 (default: disabled)"
     "no" "yes;no")
 
-if(WOLFSSL_OPENSSH)
+if(WOLFSSL_OPENSSH OR WOLFSSL_CLU)
     override_cache(WOLFSSL_ED25519 "yes")
 endif()
 
@@ -1130,8 +1194,7 @@ if(NOT WOLFSSL_MEMORY)
 else()
     # turn off memory cb if leanpsk or leantls on
     if(WOLFSSL_LEAN_PSK OR WOLFSSL_LEAN_TLS)
-        # but don't turn on NO_WOLFSSL_MEMORY because using own
-        override_cache(WOLFSSL_MEMORY "no")
+        list(APPEND WOLFSSL_DEFINITIONS "-DNO_WOLFSSL_MEMORY")
     endif()
 endif()
 
@@ -1676,6 +1739,9 @@ add_option(WOLFSSL_PKCS7 ${WOLFSSL_PKCS7_HELP_STRING} "no" "yes;no")
 set(WOLFSSL_TPM_HELP_STRING "Enable wolfTPM options (default: disabled)")
 add_option(WOLFSSL_TPM ${WOLFSSL_TPM_HELP_STRING} "no" "yes;no")
 
+set(WOLFSSL_CLU_HELP_STRING "Enable wolfCLU options (default: disabled)")
+add_option(WOLFSSL_CLU ${WOLFSSL_CLU_HELP_STRING} "no" "yes;no")
+
 set(WOLFSSL_AESKEYWRAP_HELP_STRING "Enable AES key wrap support (default: disabled)")
 add_option(WOLFSSL_AESKEYWRAP ${WOLFSSL_AESKEYWRAP_HELP_STRING} "no" "yes;no")
 
@@ -2020,6 +2086,25 @@ if(WOLFSSL_TPM)
     override_cache(WOLFSSL_AESCFB   "yes")
 endif()
 
+if(WOLFSSL_CLU)
+    override_cache(WOLFSSL_CERTGEN  "yes")
+    override_cache(WOLFSSL_CERTREQ  "yes")
+    override_cache(WOLFSSL_CERTEXT  "yes")
+    override_cache(WOLFSSL_MD5      "yes")
+    override_cache(WOLFSSL_AESCTR   "yes")
+    override_cache(WOLFSSL_KEYGEN   "yes")
+    override_cache(WOLFSSL_OPENSSLALL "yes")
+    override_cache(WOLFSSL_ED25519  "yes")
+    override_cache(WOLFSSL_SHA512   "yes")
+    override_cache(WOLFSSL_DES3     "yes")
+    override_cache(WOLFSSL_PKCS7    "yes")
+    list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_OID_ENCODING" "-DWOLFSSL_NO_ASN_STRICT" "-DWOLFSSL_ALT_NAMES")
+    # Add OPENSSL_ALL definition to ensure OpenSSL compatibility functions are available
+    list(APPEND WOLFSSL_DEFINITIONS "-DOPENSSL_ALL")
+    # Remove NO_DES3 from WOLFSSL_DEFINITIONS to ensure DES3 is enabled
+    list(REMOVE_ITEM WOLFSSL_DEFINITIONS "-DNO_DES3")
+endif()
+
 if(WOLFSSL_AESCFB)
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_AES_CFB")
 endif()
@@ -2279,6 +2364,18 @@ if (ENABLE_SCCACHE AND (NOT WOLFSSL_SCCACHE_ALREADY_SET_FLAG))
     endif()
 endif()
 
+add_option("WOLFSSL_KEYLOG_EXPORT"
+    "Enable insecure export of TLS secrets to an NSS keylog file (default: disabled)"
+    "no" "yes;no")
+if(WOLFSSL_KEYLOG_EXPORT)
+    message(WARNING "Keylog export enabled -- Sensitive key data will be stored insecurely.")
+    list(APPEND WOLFSSL_DEFINITIONS
+        "-DSHOW_SECRETS"
+        "-DHAVE_SECRET_CALLBACK"
+        "-DWOLFSSL_SSLKEYLOGFILE"
+        "-DWOLFSSL_KEYLOG_EXPORT_WARNED")
+endif()
+
 
 file(REMOVE ${OPTION_FILE})
 
@@ -2409,17 +2506,24 @@ target_include_directories(wolfssl
 
 target_link_libraries(wolfssl PUBLIC ${WOLFSSL_LINK_LIBS})
 
-if(WIN32)
-    # For Windows link ws2_32
+if(CMAKE_C_COMPILER_ID STREQUAL "OpenWatcom")
+    if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+        target_link_libraries(wolfssl PUBLIC ws2_32 crypt32)
+    endif()
+elseif (WIN32 OR ${CMAKE_SYSTEM_NAME} MATCHES "^MSYS" OR ${CMAKE_SYSTEM_NAME} MATCHES "^MINGW")
+    # For Windows link required libraries
+    message("Building on Windows/MSYS/MINGW")
     target_link_libraries(wolfssl PUBLIC
-        $<$<PLATFORM_ID:Windows>:ws2_32 crypt32>)
+        ws2_32 crypt32 advapi32)
 elseif(APPLE)
+    message("Building on Apple")
     if(WOLFSSL_SYS_CA_CERTS)
         target_link_libraries(wolfssl PUBLIC
             ${CORE_FOUNDATION_FRAMEWORK}
             ${SECURITY_FRAMEWORK})
     endif()
 else()
+    message("Building on Linux (or other)")
     if(WOLFSSL_DH AND NOT WOLFSSL_DH_CONST)
         # DH requires math (m) library
         target_link_libraries(wolfssl
@@ -2476,7 +2580,9 @@ if(WOLFSSL_EXAMPLES)
         add_executable(tls_bench
             ${CMAKE_CURRENT_SOURCE_DIR}/examples/benchmark/tls_bench.c)
         target_link_libraries(tls_bench wolfssl)
-        target_link_libraries(tls_bench Threads::Threads)
+        if(CMAKE_USE_PTHREADS_INIT)
+            target_link_libraries(tls_bench Threads::Threads)
+        endif()
         set_property(TARGET tls_bench
                  PROPERTY RUNTIME_OUTPUT_DIRECTORY
                  ${WOLFSSL_OUTPUT_BASE}/examples/benchmark)
@@ -2485,19 +2591,65 @@ if(WOLFSSL_EXAMPLES)
     # Build unit tests
     add_executable(unit_test
         tests/api.c
-        tests/hash.c
+        tests/api/test_md2.c
+        tests/api/test_md4.c
+        tests/api/test_md5.c
+        tests/api/test_sha.c
+        tests/api/test_sha256.c
+        tests/api/test_sha512.c
+        tests/api/test_sha3.c
+        tests/api/test_blake2.c
+        tests/api/test_sm3.c
+        tests/api/test_ripemd.c
+        tests/api/test_hash.c
+        tests/api/test_hmac.c
+        tests/api/test_cmac.c
+        tests/api/test_des3.c
+        tests/api/test_chacha.c
+        tests/api/test_poly1305.c
+        tests/api/test_chacha20_poly1305.c
+        tests/api/test_camellia.c
+        tests/api/test_arc4.c
+        tests/api/test_rc2.c
+        tests/api/test_aes.c
+        tests/api/test_ascon.c
+        tests/api/test_sm4.c
+        tests/api/test_wc_encrypt.c
+        tests/api/test_random.c
+        tests/api/test_wolfmath.c
+        tests/api/test_rsa.c
+        tests/api/test_dsa.c
+        tests/api/test_dh.c
+        tests/api/test_ecc.c
+        tests/api/test_sm2.c
+        tests/api/test_curve25519.c
+        tests/api/test_ed25519.c
+        tests/api/test_curve448.c
+        tests/api/test_ed448.c
+        tests/api/test_mlkem.c
+        tests/api/test_mldsa.c
+        tests/api/test_signature.c
+        tests/api/test_dtls.c
+        tests/api/test_ocsp.c
+        tests/api/test_evp.c
+        tests/api/test_tls_ext.c
         tests/srp.c
         tests/suites.c
         tests/w64wrapper.c
         tests/unit.c
         tests/quic.c
+        tests/utils.c
+        testsuite/utils.c
         examples/server/server.c
-        examples/client/client.c)
+        examples/client/client.c
+        wolfcrypt/test/test.c)
     target_include_directories(unit_test PRIVATE
         ${CMAKE_CURRENT_BINARY_DIR})
     target_compile_options(unit_test PUBLIC "-DNO_MAIN_DRIVER")
     target_link_libraries(unit_test wolfssl)
-    target_link_libraries(unit_test Threads::Threads)
+    if(CMAKE_USE_PTHREADS_INIT)
+        target_link_libraries(unit_test Threads::Threads)
+    endif()
     set_property(TARGET unit_test
                  PROPERTY RUNTIME_OUTPUT_DIRECTORY
                  ${WOLFSSL_OUTPUT_BASE}/tests/)
@@ -2747,14 +2899,17 @@ if(WOLFSSL_INSTALL)
     set(includedir "\${prefix}/include")
     set(VERSION ${PROJECT_VERSION})
 
-    # Setting libm in Libs.private of wolfssl.pc.
-    # See "Link Libraries" in above about `m` insertion to LINK_LIBRARIES
-    get_target_property(_wolfssl_dep_libs wolfssl LINK_LIBRARIES)
-    list(FIND _wolfssl_dep_libs m _dep_libm)
-    if ("${_dep_libm}" GREATER -1)
-      set(LIBM -lm)
+    if(CMAKE_C_COMPILER_ID STREQUAL "OpenWatcom")
     else()
-      set(LIBM)
+        # Setting libm in Libs.private of wolfssl.pc.
+        # See "Link Libraries" in above about `m` insertion to LINK_LIBRARIES
+        get_target_property(_wolfssl_dep_libs wolfssl LINK_LIBRARIES)
+        list(FIND _wolfssl_dep_libs m _dep_libm)
+        if ("${_dep_libm}" GREATER -1)
+            set(LIBM -lm)
+        else()
+            set(LIBM)
+        endif()
     endif()
 
     configure_file(support/wolfssl.pc.in ${CMAKE_CURRENT_BINARY_DIR}/support/wolfssl.pc @ONLY)

ChangeLog.md

@@ -1,3 +1,339 @@
+# wolfSSL Release 5.8.0 (Apr 24, 2025)
+
+Release 5.8.0 has been developed according to wolfSSL's development and QA
+process (see link below) and successfully passed the quality criteria.
+https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
+
+NOTE: * --enable-heapmath is deprecated
+
+PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request
+ number where the code change was added.
+
+
+## New Feature Additions
+* Algorithm registration in the Linux kernel module for all supported FIPS AES,
+ SHA, HMAC, ECDSA, ECDH, and RSA modes, key sizes, and digest sizes.
+* Implemented various fixes to support building for Open Watcom including OS/2
+ support and Open Watcom 1.9 compatibility (PR 8505, 8484)
+* Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488)
+* Added support for STM32WBA (PR 8550)
+* Added Extended Master Secret Generation Callback to the --enable-pkcallbacks
+ build (PR 8303)
+* Implement AES-CTS (configure flag --enable-aescts) in wolfCrypt (PR 8594)
+* Added support for libimobiledevice commit 860ffb (PR 8373)
+* Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD
+ (PR 8307)
+* Added blinding option when using a Curve25519 private key by defining the
+ macro WOLFSSL_CURVE25519_BLINDING (PR 8392)
+
+
+## Linux Kernel Module
+* Production-ready LKCAPI registration for cbc(aes), cfb(aes), gcm(aes),
+ rfc4106 (gcm(aes)), ctr(aes), ofb(aes), and ecb(aes), ECDSA with P192, P256,
+ P384, and P521 curves, ECDH with P192, P256, and P384 curves, and RSA with
+ bare and PKCS1 padding
+* Various fixes for LKCAPI wrapper for AES-CBC and AES-CFB (PR 8534, 8552)
+* Adds support for the legacy one-shot AES-GCM back end (PR 8614, 8567) for
+ compatibility with FIPS 140-3 Cert #4718.
+* On kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override
+ macro (PR 8654)
+* Update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit
+ 7450ebd29c (merged for Linux 6.15) (PR 8667)
+* Inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (PR 8673)
+* Fix for uninitialized build error with fedora (PR 8569)
+* Register ecdsa, ecdh, and rsa for use with linux kernel crypto (PR 8637, 8663,
+ 8646)
+* Added force zero shared secret buffer, and clear of old key with ecdh
+ (PR 8685)
+* Update fips-check.sh script to pickup XTS streaming support on aarch64 and
+ disable XTS-384 as an allowed use in FIPS mode (PR 8509, 8546)
+
+
+## Enhancements and Optimizations
+
+### Security & Cryptography
+* Add constant-time implementation improvements for encoding functions. We thank
+ Zhiyuan and Gilles for sharing a new constant-time analysis tool (CT-LLVM) and
+ reporting several non-constant-time implementations. (PR 8396, 8617)
+* Additional support for PKCS7 verify and decode with indefinite lengths
+ (PR 8520, 834, 8645)
+* Add more PQC hybrid key exchange algorithms such as support for combinations
+ with X25519 and X448 enabling compatibility with the PQC key exchange support
+ in Chromium browsers and Mozilla Firefox (PR 7821)
+* Add short-circuit comparisons to DH key validation for RFC 7919 parameters
+ (PR 8335)
+* Improve FIPS compatibility with various build configurations for more resource
+ constrained builds (PR 8370)
+* Added option to disable ECC public key order checking (PR 8581)
+* Allow critical alt and basic constraints extensions (PR 8542)
+* New codepoint for MLDSA to help with interoperability (PR 8393)
+* Add support for parsing trusted PEM certs having the header
+ “BEGIN_TRUSTED_CERT” (PR 8400)
+* Add support for parsing only of DoD certificate policy and Comodo Ltd PKI OIDs
+ (PR 8599, 8686)
+* Update ssl code in `src/*.c` to be consistent with wolfcrypt/src/asn.c
+ handling of ML_DSA vs Dilithium and add dual alg. test (PR 8360, 8425)
+
+### Build System, Configuration, CI & Protocols
+* Internal refactor for include of config.h and when building with
+ BUILDING_WOLFSSL macro. This refactor will give a warning of “deprecated
+ function” when trying to improperly use an internal API of wolfSSL in an
+ external application. (PR 8640, 8647, 8660, 8662, 8664)
+* Add WOLFSSL_CLU option to CMakeLists.txt (PR 8548)
+* Add CMake and Zephyr support for XMSS and LMS (PR 8494)
+* Added GitHub CI for CMake builds (PR 8439)
+* Added necessary macros when building wolfTPM Zephyr with wolfSSL (PR 8382)
+* Add MSYS2 build continuous integration test (PR 8504)
+* Update DevKitPro doc to list calico dependency with build commands (PR 8607)
+* Conversion compiler warning fixes and additional continuous integration test
+ added (PR 8538)
+* Enable DTLS 1.3 by default in --enable-jni builds (PR 8481)
+* Enabled TLS 1.3 middlebox compatibility by default for --enable-jni builds
+ (PR 8526)
+
+### Performance Improvements
+* Performance improvements AES-GCM and HMAC (in/out hash copy) (PR 8429)
+* LMS fixes and improvements adding API to get Key ID from raw private key,
+ change to identifiers to match standard, and fix for when
+ WOLFSSL_LMS_MAX_LEVELS is 1 (PR 8390, 8684, 8613, 8623)
+* ML-KEM/Kyber improvements and fixes; no malloc builds, small memory usage,
+ performance improvement, fix for big-endian (PR 8397, 8412, 8436, 8467, 8619,
+ 8622, 8588)
+* Performance improvements for AES-GCM and when doing multiple HMAC operations
+ (PR 8445)
+
+### Assembly and Platform-Specific Enhancements
+* Poly1305 arm assembly changes adding ARM32 NEON implementation and fix for
+ Aarch64 use (PR 8344, 8561, 8671)
+* Aarch64 assembly enhancement to use more CPU features, fix for FreeBSD/OpenBSD
+ (PR 8325, 8348)
+* Only perform ARM assembly CPUID checks if support was enabled at build time
+ (PR 8566)
+* Optimizations for ARM32 assembly instructions on platforms less than ARMv7
+ (PR 8395)
+* Improve MSVC feature detection for static assert macros (PR 8440)
+* Improve Espressif make and CMake for ESP8266 and ESP32 series (PR 8402)
+* Espressif updates for Kconfig, ESP32P4 and adding a sample user_settings.h
+ (PR 8422, PR 8641)
+
+### OpenSSL Compatibility Layer
+* Modification to the push/pop to/from in OpenSSL compatibility layer. This is
+ a pretty major API change in the OpenSSL compatibility stack functions.
+ Previously the API would push/pop from the beginning of the list but now they
+ operate on the tail of the list. This matters when using the sk_value with
+ index values. (PR 8616)
+* OpenSSL Compat Layer: OCSP response improvements (PR 8408, 8498)
+* Expand the OpenSSL compatibility layer to include an implementation of
+ BN_CTX_get (PR 8388)
+
+### API Additions and Modifications
+* Refactor Hpke to allow multiple uses of a context instead of just one shot
+ mode (PR 6805)
+* Add support for PSK client callback with Ada and use with Alire (thanks
+ @mgrojo, PR 8332, 8606)
+* Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs and add
+ functions wolfSSL_CTX_SetEchConfigs and wolfSSL_CTX_SetEchConfigsBase64 to
+ rotate the server's echConfigs (PR 8556)
+* Added the public API wc_PkcsPad to do PKCS padding (PR 8502)
+* Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate (PR 8518)
+* Update Kyber APIs to ML-KEM APIs (PR 8536)
+* Add option to disallow automatic use of "default" devId using the macro
+ WC_NO_DEFAULT_DEVID (PR 8555)
+* Detect unknown key format on ProcessBufferTryDecode() and handle RSA-PSSk
+ format (PR 8630)
+
+### Porting and Language Support
+* Update Python port to support version 3.12.6 (PR 8345)
+* New additions for MAXQ with wolfPKCS11 (PR 8343)
+* Port to ntp 4.2.8p17 additions (PR 8324)
+* Add version 0.9.14 to tested libvncserver builds (PR 8337)
+
+### General Improvements and Cleanups
+* Cleanups for STM32 AES GCM (PR 8584)
+* Improvements to isascii() and the CMake key log option (PR 8596)
+* Arduino documentation updates, comments and spelling corrections (PR 8381,
+ 8384, 8514)
+* Expanding builds with WOLFSSL_NO_REALLOC for use with --enable-opensslall and
+ --enable-all builds (PR 8369, 8371)
+
+
+## Fixes
+* Fix a use after free caused by an early free on error in the X509 store
+ (PR 8449)
+* Fix to account for existing PKCS8 header with
+ wolfSSL_PEM_write_PKCS8PrivateKey (PR 8612)
+* Fixed failing CMake build issue when standard threads support is not found in
+ the system (PR 8485)
+* Fix segmentation fault in SHA-512 implementation for AVX512 targets built with
+ gcc -march=native -O2 (PR 8329)
+* Fix Windows socket API compatibility warning with mingw32 build (PR 8424)
+* Fix potential null pointer increments in cipher list parsing (PR 8420)
+* Fix for possible stack buffer overflow read with wolfSSL_SMIME_write_PKCS7.
+ Thanks to the team at Code Intelligence for the report. (PR 8466)
+* Fix AES ECB implementation for Aarch64 ARM assembly (PR 8379)
+* Fixed building with VS2008 and .NET 3.5 (PR 8621)
+* Fixed possible error case memory leaks in CRL and EVP_Sign_Final (PR 8447)
+* Fixed SSL_set_mtu compatibility function return code (PR 8330)
+* Fixed Renesas RX TSIP (PR 8595)
+* Fixed ECC non-blocking tests (PR 8533)
+* Fixed CMake on MINGW and MSYS (PR 8377)
+* Fixed Watcom compiler and added new CI test (PR 8391)
+* Fixed STM32 PKA ECC 521-bit support (PR 8450)
+* Fixed STM32 PKA with P521 and shared secret (PR 8601)
+* Fixed crypto callback macro guards with `DEBUG_CRYPTOCB` (PR 8602)
+* Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
+ (PR 8575)
+* Additional sanity check on r and s lengths in DecodeECC_DSA_Sig_Bin (PR 8350)
+* Fix compat. layer ASN1_TIME_diff to accept NULL output params (PR 8407)
+* Fix CMake lean_tls build (PR 8460)
+* Fix for QUIC callback failure (PR 8475)
+* Fix missing alert types in AlertTypeToString for print out with debugging
+ enabled (PR 8572)
+* Fixes for MSVS build issues with PQC configure (PR 8568)
+* Fix for SE050 port and minor improvements (PR 8431, 8437)
+* Fix for missing rewind function in zephyr and add missing files for compiling
+ with assembly optimizations (PR 8531, 8541)
+* Fix for quic_record_append to return the correct code (PR 8340, 8358)
+* Fixes for Bind 9.18.28 port (PR 8331)
+* Fix to adhere more closely with RFC8446 Appendix D and set haveEMS when
+ negotiating TLS 1.3 (PR 8487)
+* Fix to properly check for signature_algorithms from the client in a TLS 1.3
+ server (PR 8356)
+* Fix for when BIO data is less than seq buffer size. Thanks to the team at Code
+ Intelligence for the report (PR 8426)
+* ARM32/Thumb2 fixes for WOLFSSL_NO_VAR_ASSIGN_REG and td4 variable declarations
+ (PR 8590, 8635)
+* Fix for Intel AVX1/SSE2 assembly to not use vzeroupper instructions unless ymm
+ or zmm registers are used (PR 8479)
+* Entropy MemUse fix for when block size less than update bits (PR 8675)
+
+
+# wolfSSL Release 5.7.6 (Dec 31, 2024)
+
+Release 5.7.6 has been developed according to wolfSSL's development and QA
+process (see link below) and successfully passed the quality criteria.
+https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
+
+NOTE:
+ * --enable-heapmath is deprecated.
+ * In this release, the default cipher suite preference is updated to prioritize
+ TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 when enabled.
+ * This release adds a sanity check for including wolfssl/options.h or
+ user_settings.h.
+
+
+PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request
+ number where the code change was added.
+
+
+## Vulnerabilities
+* [Med] An OCSP (non stapling) issue was introduced in wolfSSL version 5.7.4
+ when performing OCSP requests for intermediate certificates in a certificate
+ chain. This affects only TLS 1.3 connections on the server side. It would not
+ impact other TLS protocol versions or connections that are not using the
+ traditional OCSP implementation. (Fix in pull request 8115)
+
+
+## New Feature Additions
+* Add support for RP2350 and improve RP2040 support, both with RNG optimizations
+ (PR 8153)
+* Add support for STM32MP135F, including STM32CubeIDE support and HAL support
+ for SHA2/SHA3/AES/RNG/ECC optimizations. (PR 8223, 8231, 8241)
+* Implement Renesas TSIP RSA Public Enc/Private support (PR 8122)
+* Add support for Fedora/RedHat system-wide crypto-policies (PR 8205)
+* Curve25519 generic keyparsing API added with  wc_Curve25519KeyToDer and
+ wc_Curve25519KeyDecode (PR 8129)
+* CRL improvements and update callback, added the functions
+ wolfSSL_CertManagerGetCRLInfo and wolfSSL_CertManagerSetCRLUpdate_Cb (PR 8006)
+* For DTLS, add server-side stateless and CID quality-of-life API. (PR 8224)
+
+
+## Enhancements and Optimizations
+* Add a CMake dependency check for pthreads when required. (PR 8162)
+* Update OS_Seed declarations for legacy compilers and FIPS modules (boundary
+ not affected). (PR 8170)
+* Enable WOLFSSL_ALWAYS_KEEP_SNI by default when using --enable-jni. (PR 8283)
+* Change the default cipher suite preference, prioritizing
+ TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256. (PR 7771)
+* Add SRTP-KDF (FIPS module v6.0.0) to checkout script for release bundling
+ (PR 8215)
+* Make library build when no hardware crypto available for Aarch64 (PR 8293)
+* Update assembly code to avoid `uint*_t` types for better compatibility with
+ older C standards. (PR 8133)
+* Add initial documentation for writing ASN template code to decode BER/DER.
+ (PR 8120)
+* Perform full reduction in sc_muladd for EdDSA with Curve448 (PR 8276)
+* Allow SHA-3 hardware cryptography instructions to be explicitly not used in
+ MacOS builds (PR 8282)
+* Make Kyber and ML-KEM available individually and together. (PR 8143)
+* Update configuration options to include Kyber/ML-KEM and fix defines used in
+ wolfSSL_get_curve_name. (PR 8183)
+* Make GetShortInt available with WOLFSSL_ASN_EXTRA (PR 8149)
+* Improved test coverage and minor improvements of X509 (PR 8176)
+* Add sanity checks for configuration methods, ensuring the inclusion of
+ wolfssl/options.h or user_settings.h. (PR 8262)
+* Enable support for building without TLS (NO_TLS). Provides reduced code size
+ option for non-TLS users who want features like the certificate manager or
+ compatibility layer. (PR 8273)
+* Exposed get_verify functions with OPENSSL_EXTRA. (PR 8258)
+* ML-DSA/Dilithium: obtain security level from DER when decoding (PR 8177)
+* Implementation for using PKCS11 to retrieve certificate for SSL CTX (PR 8267)
+* Add support for the RFC822 Mailbox attribute (PR 8280)
+* Initialize variables and adjust types resolve warnings with Visual Studio in
+ Windows builds. (PR 8181)
+* Refactors and expansion of opensslcoexist build (PR 8132, 8216, 8230)
+* Add DTLS 1.3 interoperability, libspdm and DTLS CID interoperability tests
+ (PR 8261, 8255, 8245)
+* Remove trailing error exit code in wolfSSL install setup script (PR 8189)
+* Update Arduino files for wolfssl 5.7.4 (PR 8219)
+* Improve Espressif SHA HW/SW mutex messages (PR 8225)
+* Apply post-5.7.4 release updates for Espressif Managed Component examples
+ (PR 8251)
+* Expansion of c89 conformance (PR 8164)
+* Added configure option for additional sanity checks with --enable-faultharden
+ (PR 8289)
+* Aarch64 ASM additions to check CPU features before hardware crypto instruction
+ use (PR 8314)
+
+
+## Fixes
+* Fix a memory issue when using the compatibility layer with
+ WOLFSSL_GENERAL_NAME and handling registered ID types. (PR 8155)
+* Fix a build issue with signature fault hardening when using public key
+ callbacks (HAVE_PK_CALLBACKS). (PR 8287)
+* Fix for handling heap hint pointer properly when managing multiple WOLFSSL_CTX
+ objects and free’ing one of them (PR 8180)
+* Fix potential memory leak in error case with Aria. (PR 8268)
+* Fix Set_Verify flag behaviour on Ada wrapper. (PR 8256)
+* Fix a compilation error with the NO_WOLFSSL_DIR flag. (PR 8294)
+* Resolve a corner case for Poly1305 assembly code on Aarch64. (PR 8275)
+* Fix incorrect version setting in CSRs. (PR 8136)
+* Correct debugging output for cryptodev. (PR 8202)
+* Fix for benchmark application use with /dev/crypto GMAC auth error due to size
+ of AAD (PR 8210)
+* Add missing checks for the initialization of sp_int/mp_int with DSA to free
+ memory properly in error cases. (PR 8209)
+* Fix return value of wolfSSL_CTX_set_tlsext_use_srtp (8252)
+* Check Root CA by Renesas TSIP before adding it to ca-table (PR 8101)
+* Prevent adding a certificate to the CA cache for Renesas builds if it does not
+ set CA:TRUE in basic constraints. (PR 8060)
+* Fix attribute certificate holder entityName parsing. (PR 8166)
+* Resolve build issues for configurations without any wolfSSL/openssl
+ compatibility layer headers. (PR 8182)
+* Fix for building SP RSA small and RSA public only (PR 8235)
+* Fix for Renesas RX TSIP RSA Sign/Verify with wolfCrypt only (PR 8206)
+* Fix to ensure all files have settings.h included (like wc_lms.c) and guards
+ for building all `*.c` files (PR 8257 and PR 8140)
+* Fix x86 target build issues in Visual Studio for non-Windows operating
+ systems. (PR 8098)
+* Fix wolfSSL_X509_STORE_get0_objects to handle no CA (PR 8226)
+* Properly handle reference counting when adding to the X509 store. (PR 8233)
+* Fix for various typos and improper size used with FreeRTOS_bind in the Renesas
+ example. Thanks to Hongbo for the report on example issues. (PR 7537)
+* Fix for potential heap use after free with wolfSSL_PEM_read_bio_PrivateKey.
+ Thanks to Peter for the issue reported. (PR 8139)
+
+
 # wolfSSL Release 5.7.4 (Oct 24, 2024)
 
 Release 5.7.4 has been developed according to wolfSSL's development and QA

IDE/ARDUINO/Arduino_README_prepend.md

@@ -4,16 +4,46 @@ This library is restructured from [wolfSSL](https://github.com/wolfSSL/wolfssl/)
 
 The Official wolfSSL Arduino Library is found in [The Library Manager index](http://downloads.arduino.cc/libraries/library_index.json).
 
-See the [Arduino-wolfSSL logs](https://downloads.arduino.cc/libraries/logs/github.com/wolfSSL/Arduino-wolfSSL/).
+See the [Arduino-wolfSSL logs](https://downloads.arduino.cc/libraries/logs/github.com/wolfSSL/Arduino-wolfSSL/) for publishing status.
+
+Instructions for installing and using libraries can be found in the [Arduino docs](https://docs.arduino.cc/software/ide-v1/tutorials/installing-libraries/).
+
+## wolfSSL Configuration
+
+As described in the [Getting Started with wolfSSL on Arduino](https://www.wolfssl.com/getting-started-with-wolfssl-on-arduino/), wolfSSL features are enabled and disabled in the `user_settings.h` file.
+
+The `user_settings.h` file is found in the `<Arduino>/libraries/wolfssl/src` directory.
+
+For Windows this is typically `C:\Users\%USERNAME%\Documents\Arduino\libraries\wolfssl\src`
+
+For Mac: `~/Documents/Arduino/libraries/wolfssl/src`
+
+For Linux: `~/Arduino/libraries/wolfssl/src`
+
+Tips for success:
+
+- The `WOLFSSL_USER_SETTINGS` macro must be defined project-wide. (see [wolfssl.h](https://github.com/wolfSSL/wolfssl/blob/master/IDE/ARDUINO/wolfssl.h))
+- Apply any customizations only to `user_settings.h`;  Do not edit wolfSSL `settings.h` or `configh.h` files.
+- Do not explicitly include `user_settings.h` in any source file.
+- For every source file that uses wolfssl, include `wolfssl/wolfcrypt/settings.h` before any other wolfSSL include, typically via `#include "wolfssl.h"`.
+- See the [wolfSSL docs](https://www.wolfssl.com/documentation/manuals/wolfssl/chapter02.html) for details on build configuration macros.
+
+## wolfSSL Examples
+
+Additional wolfSSL examples can be found at:
+
+- https://github.com/wolfSSL/wolfssl/tree/master/IDE/ARDUINO
+
+- https://github.com/wolfSSL/wolfssl/tree/master/examples
+
+- https://github.com/wolfSSL/wolfssl-examples/
 
 ## Arduino Releases
 
-This release of wolfSSL is version [5.7.4](https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.4-stable).
+This release of wolfSSL is version [5.7.6](https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.6-stable).
 
-Version [5.7.2](https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable) of the Arduino wolfSSL was published August 3, 2024.
-
-The next Official wolfSSL Arduino Library was [5.7.0](https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable)
+See GitHub for [all Arduino wolfSSL releases](https://github.com/wolfSSL/Arduino-wolfSSL/releases).
 
 The first Official wolfSSL Arduino Library was `5.6.6-Arduino.1`: a slightly modified, post [release 5.6.6](https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.6-stable) version update.
 
-See other [wolfSSL releases versions](https://github.com/wolfSSL/wolfssl/releases). The `./wolfssl-arduino.sh INSTALL` [script](https://github.com/wolfSSL/wolfssl/tree/master/IDE/ARDUINO) can be used to install specific GitHub versions as needed.
+The `./wolfssl-arduino.sh INSTALL` [script](https://github.com/wolfSSL/wolfssl/tree/master/IDE/ARDUINO) can be used to install specific GitHub versions as needed.

IDE/ARDUINO/README.md

@@ -2,18 +2,49 @@
 
 See the [example sketches](./sketches/README.md):
 
-- [sketches/wolfssl_server](./sketches/wolfssl_server/README.md)
-- [sketches/wolfssl_client](./sketches/wolfssl_client/README.md)
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+Bare-bones templates:
+
+- [sketches/wolfssl_version](./sketches/wolfssl_version/README.md) single file.
+- [sketches/template](./sketches/template/README.md) multiple file example.
+
+Functional examples:
+- [sketches/wolfssl_AES_CTR](./sketches/wolfssl_AES_CTR/README.md) AES CTR Encrypt / decrypt.
+- [sketches/wolfssl_client](./sketches/wolfssl_client/README.md) TLS Client.
+- [sketches/wolfssl_server](./sketches/wolfssl_server/README.md) TLS Server.
+
+Both the `template` and `wolfssl_AES_CTR` examples include VisualGDB project files.
 
 When publishing a new version to the Arduino Registry, be sure to edit `WOLFSSL_VERSION_ARUINO_SUFFIX` in the `wolfssl-arduino.sh` script.
 
+## Getting Started
+
+See [Getting Started with wolfSSL on Arduino](https://www.wolfssl.com/getting-started-with-wolfssl-on-arduino/), wolfSSL features are enabled and disabled in the `user_settings.h` file.
+
+The `user_settings.h` file is found in the `<Arduino>/libraries/wolfssl/src` directory.
+
+For Windows this is typically `C:\Users\%USERNAME%\Documents\Arduino\libraries\wolfssl\src`
+
+For Mac: `~/Documents/Arduino/libraries/wolfssl/src`
+
+For Linux: `~/Arduino/libraries/wolfssl/src`
+
+Tips for success:
+
+- The `WOLFSSL_USER_SETTINGS` macro must be defined project-wide. (see [wolfssl.h](https://github.com/wolfSSL/wolfssl/blob/master/IDE/ARDUINO/wolfssl.h))
+- Apply any customizations only to `user_settings.h`;  Do not edit wolfSSL `settings.h` or `configh.h` files.
+- Do not explicitly include `user_settings.h` in any source file.
+- For every source file that uses wolfssl, include `wolfssl/wolfcrypt/settings.h` before any other wolfSSL include, typically via `#include "wolfssl.h"`.
+- See the [wolfSSL docs](https://www.wolfssl.com/documentation/manuals/wolfssl/chapter02.html) for details on build configuration macros.
+
 ## Boards
 
 Many of the supported boards are natively built-in to the [Arduino IDE Board Manager](https://docs.arduino.cc/software/ide-v2/tutorials/ide-v2-board-manager/)
 and by adding [additional cores](https://docs.arduino.cc/learn/starting-guide/cores/) as needed.
 
 STM32 Support can be added by including this link in the "Additional Boards Managers URLs" field
-from [stm32duino/Arduino_Core_STM32](https://github.com/stm32duino/Arduino_Core_STM32?tab=readme-ov-file#getting-started)   .
+from [stm32duino/Arduino_Core_STM32](https://github.com/stm32duino/Arduino_Core_STM32?tab=readme-ov-file#getting-started).
 
 ```
 https://github.com/stm32duino/BoardManagerFiles/raw/main/package_stmicroelectronics_index.json
@@ -42,7 +73,7 @@ from within the `wolfssl/IDE/ARDUINO` directory:
 
 1. `./wolfssl-arduino.sh`
     - Creates an Arduino Library directory structure in the local `wolfSSL` directory of `IDE/ARDUINO`.
-    - You can add your own `user_settings.h`, or copy/rename the [default](../../examples/configs/user_settings_arduino.h).
+    - You can add your own `user_settings.h`, or copy/rename the [default](https://github.com/wolfSSL/wolfssl/blob/master/examples/configs/user_settings_arduino.h).
 
 2. `./wolfssl-arduino.sh INSTALL` (The most common option)
     - Creates an Arduino Library in the local `wolfSSL` directory

IDE/ARDUINO/include.am

@@ -2,16 +2,32 @@
 # included from Top Level Makefile.am
 # All paths should be given relative to the root
 
+# Library files:
 EXTRA_DIST+= IDE/ARDUINO/README.md
+
+# There's an Arduino-specific Arduino_README_prepend.md that will be prepended to wolfSSL README.md
+# Not to be confused with the interim PREPENDED_README.md that is created by script.
 EXTRA_DIST+= IDE/ARDUINO/Arduino_README_prepend.md
+
+# Core library files
+EXTRA_DIST+= IDE/ARDUINO/wolfssl.h
+EXTRA_DIST+= IDE/ARDUINO/wolfssl.h
+EXTRA_DIST+= IDE/ARDUINO/wolfssl-arduino.cpp
+
 EXTRA_DIST+= IDE/ARDUINO/keywords.txt
 EXTRA_DIST+= IDE/ARDUINO/library.properties.template
+
+# Sketch Examples
 EXTRA_DIST+= IDE/ARDUINO/sketches/README.md
+
+# wolfssl_client example sketch
 EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_client/README.md
-EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino
+
+# wolfssl_server example sketch
 EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_server/README.md
-EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_server/wolfssl_server.ino
+
+# wolfssl_version example sketch
 EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_version/README.md
-EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_version/wolfssl_version.ino
-EXTRA_DIST+= IDE/ARDUINO/wolfssl.h
+
+# Publishing script, either local install or to github.com/wolfSSL/Arduino-wolfSSL clone directory.
 EXTRA_DIST+= IDE/ARDUINO/wolfssl-arduino.sh

IDE/ARDUINO/sketches/README.md

@@ -1,12 +1,75 @@
 # wolfSSL Arduino Examples
 
-There are currently two example Arduino sketches:
+There are currently five example Arduino sketches:
 
-* [wolfssl_client](./wolfssl_client/README.md): Basic TLS listening client.
-* [wolfssl_server](./wolfssl_server/README.md): Basic TLS server.
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+* `template`: Reference template wolfSSL example, including optional VisualGDB project files.
+* `wolfssl_AES_CTR`: Basic AES CTR Encryption / Decryption example.
+* `wolfssl_client`: Basic TLS listening client.
+* `wolfssl_server`: Basic TLS server.
+* `wolfssl_version`: Bare-bones wolfSSL example.
 
 Examples have been most recently confirmed operational on the
 [Arduino IDE](https://www.arduino.cc/en/software) 2.2.1.
 
 For examples on other platforms, see the [IDE directory](https://github.com/wolfssl/wolfssl/tree/master/IDE).
-Additional examples can be found on [wolfSSL/wolfssl-examples](https://github.com/wolfSSL/wolfssl-examples/).
+Additional wolfssl examples can be found at [wolfSSL/wolfssl-examples](https://github.com/wolfSSL/wolfssl-examples/).
+
+## Using wolfSSL
+
+The typical include will look something like this:
+
+```
+#include <Arduino.h>
+
+ /* wolfSSL user_settings.h must be included from settings.h
+  * Make all configurations changes in user_settings.h
+  * Do not edit wolfSSL `settings.h` or `config.h` files.
+  * Do not explicitly include user_settings.h in any source code.
+  * Each Arduino sketch that uses wolfSSL must have: #include "wolfssl.h"
+  * C/C++ source files can use: #include <wolfssl/wolfcrypt/settings.h>
+  * The wolfSSL "settings.h" must be included in each source file using wolfSSL.
+  * The wolfSSL "settings.h" must appear before any other wolfSSL include.
+  */
+#include <wolfssl.h>
+
+/* settings.h is typically included in wolfssl.h, but here as a reminder: */
+#include <wolfssl/wolfcrypt/settings.h>
+
+/* Any other wolfSSL includes follow:*
+#include <wolfssl/version.h>
+```
+
+## Configuring wolfSSL
+
+See the `user_settings.h` in the Arduino library `wolfssl/src` directory. For Windows users this is typically:
+
+```
+C:\Users\%USERNAME%\Documents\Arduino\libraries\wolfssl\src
+```
+
+WARNING: Changes to the library `user_settings.h` file will be lost when upgrading wolfSSL using the Arduino IDE.
+
+## Troubleshooting
+
+If compile problems are encountered, for example:
+
+```
+ctags: cannot open temporary file : File exists
+exit status 1
+
+Compilation error: exit status 1
+```
+
+Try deleting the Arduino cache directory:
+
+```
+C:\Users\%USERNAME%\AppData\Local\arduino\sketches
+```
+
+For VisualGDB users, delete the project `.vs`, `Output`, and `TraceReports` directories.
+
+## More Information
+
+For more details, see [IDE/ARDUINO/README.md](https://github.com/wolfSSL/wolfssl/blob/master/IDE/ARDUINO/README.md)

IDE/ARDUINO/sketches/wolfssl_client/README.md

@@ -1,6 +1,14 @@
 # Arduino Basic TLS Listening Client
 
-Open the [wolfssl_client.ino](./wolfssl_client.ino) file in the Arduino IDE.
+Open the `wolfssl_client.ino` file in the Arduino IDE.
+
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+If using WiFi, be sure to set `ssid` and `password` values.
+
+May need "Ethernet by Various" library to be installed. Tested with v2.0.2 and v2.8.1.
+
+See the `#define WOLFSSL_TLS_SERVER_HOST` to set your own server address.
 
 Other IDE products are also supported, such as:
 

IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino

@@ -1,894 +0,0 @@
-/* wolfssl_client.ino
- *
- * Copyright (C) 2006-2024 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
-
-/*
-Tested with:
-
-1) Intel Galileo acting as the Client, with a laptop acting as a server using
-   the server example provided in examples/server.
-   Legacy Arduino v1.86 was used to compile and program the Galileo
-
-2) Espressif ESP32 WiFi
-
-3) Arduino Due, Nano33 IoT, Nano RP-2040
-*/
-
-/*
- * Note to code editors: the Arduino client and server examples are edited in
- * parallel for side-by-side comparison between examples.
- */
-
-/* If you have a private include, define it here, otherwise edit WiFi params */
-#define MY_PRIVATE_CONFIG "/workspace/my_private_config.h"
-
-/* set REPEAT_CONNECTION to a non-zero value to continually run the example. */
-#define REPEAT_CONNECTION 0
-
-/* Edit this with your other TLS host server address to connect to: */
-#define WOLFSSL_TLS_SERVER_HOST "192.168.1.39"
-
-/* wolfssl TLS examples communicate on port 11111 */
-#define WOLFSSL_PORT 11111
-
-/* Choose a monitor serial baud rate: 9600, 14400, 19200, 57600, 74880, etc. */
-#define SERIAL_BAUD 115200
-
-/* We'll wait up to 2000 milliseconds to properly shut down connection */
-#define SHUTDOWN_DELAY_MS 2000
-
-/* Number of times to retry connection.  */
-#define RECONNECT_ATTEMPTS 20
-
-/* Optional stress test. Define to consume memory until exhausted: */
-/* #define MEMORY_STRESS_TEST */
-
-/* Choose client or server example, not both. */
-#define WOLFSSL_CLIENT_EXAMPLE
-/* #define WOLFSSL_SERVER_EXAMPLE */
-
-#if defined(MY_PRIVATE_CONFIG)
-    /* the /workspace directory may contain a private config
-     * excluded from GitHub with items such as WiFi passwords */
-    #include MY_PRIVATE_CONFIG
-    static const char* ssid PROGMEM = MY_ARDUINO_WIFI_SSID;
-    static const char* password PROGMEM = MY_ARDUINO_WIFI_PASSWORD;
-#else
-    /* when using WiFi capable boards: */
-    static const char* ssid PROGMEM  = "your_SSID";
-    static const char* password PROGMEM = "your_PASSWORD";
-#endif
-
-#define BROADCAST_ADDRESS "255.255.255.255"
-
-/* There's an optional 3rd party NTPClient library by Fabrice Weinberg.
- * If it is installed, uncomment define USE_NTP_LIB here: */
-/* #define USE_NTP_LIB */
-#ifdef USE_NTP_LIB
-    #include <NTPClient.h>
-#endif
-
-#include <wolfssl.h>
-/* Important: make sure settings.h appears before any other wolfSSL headers */
-#include <wolfssl/wolfcrypt/settings.h>
-/* Reminder: settings.h includes user_settings.h
- * For ALL project wolfSSL settings, see:
- * [your path]/Arduino\libraries\wolfSSL\src\user_settings.h   */
-#include <wolfssl/ssl.h>
-#include <wolfssl/certs_test.h>
-#include <wolfssl/wolfcrypt/error-crypt.h>
-
-/* Define DEBUG_WOLFSSL in user_settings.h for more verbose logging. */
-#if defined(DEBUG_WOLFSSL)
-    #define PROGRESS_DOT F("")
-#else
-    #define PROGRESS_DOT F(".")
-#endif
-
-/* Convert a macro to a string */
-#define xstr(x) str(x)
-#define str(x) #x
-
-/* optional board-specific networking includes */
-#if defined(ESP32)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    /* Ensure the F() flash macro is defined */
-    #ifndef F
-        #define F
-    #endif
-    WiFiClient client;
-
-#elif defined(ESP8266)
-    #define USING_WIFI
-    #include <ESP8266WiFi.h>
-    WiFiClient client;
-
-#elif defined(ARDUINO_SAM_DUE)
-    #include <SPI.h>
-    /* There's no WiFi/Ethernet on the Due. Requires Ethernet Shield.
-    /* Needs "Ethernet by Various" library to be installed. Tested with V2.0.2 */
-    #include <Ethernet.h>
-    EthernetClient client;
-
-#elif defined(ARDUINO_SAMD_NANO_33_IOT)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h> /* Needs Arduino WiFiNINA library installed manually */
-    WiFiClient client;
-
-#elif defined(ARDUINO_ARCH_RP2040)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h>
-    WiFiClient client;
-
-#elif defined(USING_WIFI)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    WiFiClient client;
-
-/* TODO
-#elif defined(OTHER_BOARD)
-*/
-#else
-    #define USING_WIFI
-    WiFiClient client;
-
-#endif
-
-/* Only for syntax highlighters to show interesting options enabled: */
-#if defined(HAVE_SNI)                           \
-   || defined(HAVE_MAX_FRAGMENT)                  \
-   || defined(HAVE_TRUSTED_CA)                    \
-   || defined(HAVE_TRUNCATED_HMAC)                \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST)    \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \
-   || defined(HAVE_SUPPORTED_CURVES)              \
-   || defined(HAVE_ALPN)                          \
-   || defined(HAVE_SESSION_TICKET)                \
-   || defined(HAVE_SECURE_RENEGOTIATION)          \
-   || defined(HAVE_SERVER_RENEGOTIATION_INFO)
-#endif
-
-static const char host[] PROGMEM = WOLFSSL_TLS_SERVER_HOST; /* server to connect to */
-static const int port PROGMEM = WOLFSSL_PORT; /* port on server to connect to */
-
-static WOLFSSL_CTX* ctx = NULL;
-static WOLFSSL* ssl = NULL;
-static char* wc_error_message = (char*)malloc(80 + 1);
-static char errBuf[80];
-
-#if defined(MEMORY_STRESS_TEST)
-    #define MEMORY_STRESS_ITERATIONS 100
-    #define MEMORY_STRESS_BLOCK_SIZE 1024
-    #define MEMORY_STRESS_INITIAL (4*1024)
-    static char* memory_stress[MEMORY_STRESS_ITERATIONS]; /* typically 1K per item */
-    static int mem_ctr        = 0;
-#endif
-
-static int EthernetSend(WOLFSSL* ssl, char* msg, int sz, void* ctx);
-static int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx);
-static int reconnect = RECONNECT_ATTEMPTS;
-static int lng_index PROGMEM = 0; /* 0 = English */
-
-#if defined(__arm__)
-    #include <malloc.h>
-    extern char _end;
-    extern "C" char *sbrk(int i);
-    static char *ramstart=(char *)0x20070000;
-    static char *ramend=(char *)0x20088000;
-#endif
-
-/*****************************************************************************/
-/* fail_wait - in case of unrecoverable error                                */
-/*****************************************************************************/
-int fail_wait(void) {
-    show_memory();
-
-    Serial.println(F("Failed. Halt."));
-    while (1) {
-        delay(1000);
-    }
-    return 0;
-}
-
-/*****************************************************************************/
-/* show_memory() to optionally view during debugging.                         */
-/*****************************************************************************/
-int show_memory(void)
-{
-#if defined(__arm__)
-    struct mallinfo mi = mallinfo();
-
-    char *heapend=sbrk(0);
-    register char * stack_ptr asm("sp");
-    #if defined(DEBUG_WOLFSSL_VERBOSE)
-        Serial.print("    arena=");
-        Serial.println(mi.arena);
-        Serial.print("  ordblks=");
-        Serial.println(mi.ordblks);
-        Serial.print(" uordblks=");
-        Serial.println(mi.uordblks);
-        Serial.print(" fordblks=");
-        Serial.println(mi.fordblks);
-        Serial.print(" keepcost=");
-        Serial.println(mi.keepcost);
-    #endif
-
-    #if defined(DEBUG_WOLFSSL) || defined(MEMORY_STRESS_TEST)
-        Serial.print("Estimated free memory: ");
-        Serial.print(stack_ptr - heapend + mi.fordblks);
-        Serial.println(F(" bytes"));
-    #endif
-
-    #if (0)
-        /* Experimental: not supported on all devices: */
-        Serial.print("RAM Start %lx\n", (unsigned long)ramstart);
-        Serial.print("Data/Bss end %lx\n", (unsigned long)&_end);
-        Serial.print("Heap End %lx\n", (unsigned long)heapend);
-        Serial.print("Stack Ptr %lx\n",(unsigned long)stack_ptr);
-        Serial.print("RAM End %lx\n", (unsigned long)ramend);
-
-        Serial.print("Heap RAM Used: ",mi.uordblks);
-        Serial.print("Program RAM Used ",&_end - ramstart);
-        Serial.print("Stack RAM Used ",ramend - stack_ptr);
-
-        Serial.print("Estimated Free RAM: %d\n\n",stack_ptr - heapend + mi.fordblks);
-    #endif
-#else
-    Serial.println(F("show_memory() not implemented for this platform"));
-#endif
-    return 0;
-}
-
-/*****************************************************************************/
-/* EthernetSend() to send a message string.                                  */
-/*****************************************************************************/
-int EthernetSend(WOLFSSL* ssl, char* message, int sz, void* ctx) {
-    int sent = 0;
-    (void)ssl;
-    (void)ctx;
-
-    sent = client.write((byte*)message, sz);
-    return sent;
-}
-
-/*****************************************************************************/
-/* EthernetReceive() to receive a reply string.                              */
-/*****************************************************************************/
-int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx) {
-    int ret = 0;
-    (void)ssl;
-    (void)ctx;
-
-    while (client.available() > 0 && ret < sz) {
-        reply[ret++] = client.read();
-    }
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_hardware()                                                  */
-/*****************************************************************************/
-int setup_hardware(void) {
-    int ret = 0;
-
-#if defined(ARDUINO_SAMD_NANO_33_IOT)
-    Serial.println(F("Detected known tested and working Arduino Nano 33 IoT"));
-#elif defined(ARDUINO_ARCH_RP2040)
-    Serial.println(F("Detected known tested and working Arduino RP-2040"));
-#elif defined(__arm__) && defined(ID_TRNG) && defined(TRNG)
-    /* need to manually turn on random number generator on Arduino Due, etc. */
-    pmc_enable_periph_clk(ID_TRNG);
-    trng_enable(TRNG);
-    Serial.println(F("Enabled ARM TRNG"));
-#endif
-
-    show_memory();
-    randomSeed(analogRead(0));
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_datetime()                                                  */
-/*   The device needs to have a valid date within the valid range of certs.  */
-/*****************************************************************************/
-int setup_datetime(void) {
-    int ret = 0;
-    int ntp_tries = 20;
-
-    /* we need a date in the range of cert expiration */
-#ifdef USE_NTP_LIB
-    #if defined(ESP32)
-        NTPClient timeClient(ntpUDP, "pool.ntp.org");
-
-        timeClient.begin();
-        timeClient.update();
-        delay(1000);
-        while (!timeClient.isTimeSet() && (ntp_tries > 0)) {
-            timeClient.forceUpdate();
-            Serial.println(F("Waiting for NTP update"));
-            delay(2000);
-            ntp_tries--;
-        }
-        if (ntp_tries <= 0) {
-            Serial.println(F("Warning: gave up waiting on NTP"));
-        }
-        Serial.println(timeClient.getFormattedTime());
-        Serial.println(timeClient.getEpochTime());
-    #endif
-#endif
-
-#if defined(ESP32)
-    /* see esp32-hal-time.c */
-    ntp_tries = 5;
-    /* Replace "pool.ntp.org" with your preferred NTP server */
-    configTime(0, 0, "pool.ntp.org");
-
-    /* Wait for time to be set */
-    while ((time(nullptr) <= 100000) && ntp_tries > 0) {
-        Serial.println(F("Waiting for time to be set..."));
-        delay(2000);
-        ntp_tries--;
-    }
-#endif
-
-    return ret;
-} /* setup_datetime */
-
-/*****************************************************************************/
-/* Arduino setup_network()                                                   */
-/*****************************************************************************/
-int setup_network(void) {
-    int ret = 0;
-
-#if defined(USING_WIFI)
-    int status = WL_IDLE_STATUS;
-
-    /* The ESP8266 & ESP32 support both AP and STA. We'll use STA: */
-    #if defined(ESP8266) || defined(ESP32)
-        WiFi.mode(WIFI_STA);
-    #else
-        String fv;
-        if (WiFi.status() == WL_NO_MODULE) {
-            Serial.println("Communication with WiFi module failed!");
-            /* don't continue if no network */
-            while (true) ;
-        }
-
-        fv = WiFi.firmwareVersion();
-        if (fv < WIFI_FIRMWARE_LATEST_VERSION) {
-            Serial.println("Please upgrade the firmware");
-        }
-    #endif
-
-    Serial.print(F("Connecting to WiFi "));
-    Serial.print(ssid);
-    status = WiFi.begin(ssid, password);
-    while (status != WL_CONNECTED) {
-        delay(1000);
-        Serial.print(F("."));
-        Serial.print(status);
-        status = WiFi.status();
-    }
-
-    Serial.println(F(" Connected!"));
-#else
-    /* Newer Ethernet shields have a
-     * MAC address printed on a sticker on the shield */
-    byte mac[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };
-    IPAddress ip(192, 168, 1, 42);
-    IPAddress myDns(192, 168, 1, 1);
-    Ethernet.init(10); /* Most Arduino shields */
-    /* Ethernet.init(5);   * MKR ETH Shield */
-    /* Ethernet.init(0);   * Teensy 2.0 */
-    /* Ethernet.init(20);  * Teensy++ 2.0 */
-    /* Ethernet.init(15);  * ESP8266 with Adafruit FeatherWing Ethernet */
-    /* Ethernet.init(33);  * ESP32 with Adafruit FeatherWing Ethernet */
-    Serial.println(F("Initialize Ethernet with DHCP:"));
-    if (Ethernet.begin(mac) == 0) {
-        Serial.println(F("Failed to configure Ethernet using DHCP"));
-        /* Check for Ethernet hardware present */
-        if (Ethernet.hardwareStatus() == EthernetNoHardware) {
-            Serial.println(F("Ethernet shield was not found."));
-            while (true) {
-                delay(1); /* do nothing */
-            }
-        }
-        if (Ethernet.linkStatus() == LinkOFF) {
-            Serial.println(F("Ethernet cable is not connected."));
-        }
-        /* try to configure using IP address instead of DHCP : */
-        Ethernet.begin(mac, ip, myDns);
-    }
-    else {
-        Serial.print(F("  DHCP assigned IP "));
-        Serial.println(Ethernet.localIP());
-    }
-    /* We'll assume the Ethernet connection is ready to go. */
-#endif
-
-    Serial.println(F("********************************************************"));
-    Serial.print(F("      wolfSSL Example Client IP = "));
-#if defined(USING_WIFI)
-    Serial.println(WiFi.localIP());
-#else
-    Serial.println(Ethernet.localIP());
-#endif
-    Serial.print(F("   Configured Server Host to connect to: "));
-    Serial.println(host);
-    Serial.println(F("********************************************************"));
-    Serial.println(F("Setup network complete."));
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_wolfssl()                                                   */
-/*****************************************************************************/
-int setup_wolfssl(void) {
-    int ret = 0;
-    WOLFSSL_METHOD* method;
-
-    /* Show a revision of wolfssl user_settings.h file in use when available: */
-#if defined(WOLFSSL_USER_SETTINGS_ID)
-    Serial.print(F("WOLFSSL_USER_SETTINGS_ID: "));
-    Serial.println(F(WOLFSSL_USER_SETTINGS_ID));
-#else
-    Serial.println(F("No WOLFSSL_USER_SETTINGS_ID found."));
-#endif
-
-#if defined(NO_WOLFSSL_SERVER)
-    Serial.println(F("wolfSSL server code disabled to save space."));
-#endif
-#if defined(NO_WOLFSSL_CLIENT)
-    Serial.println(F("wolfSSL client code disabled to save space."));
-#endif
-
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-    Serial.println(F("wolfSSL Debugging is On!"));
-#else
-    Serial.println(F("wolfSSL Debugging is Off! (enable with DEBUG_WOLFSSL)"));
-#endif
-
-    /* See ssl.c for TLS cache settings. Larger cache = use more RAM. */
-#if defined(NO_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS NO_SESSION_CACHE"));
-#elif defined(MICRO_SESSION_CACHEx)
-    Serial.println(F("wolfSSL TLS MICRO_SESSION_CACHE"));
-#elif defined(SMALL_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS SMALL_SESSION_CACHE"));
-#elif defined(MEDIUM_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS MEDIUM_SESSION_CACHE"));
-#elif defined(BIG_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS BIG_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#else
-    Serial.println(F("WARNING: Unknown or no TLS session cache setting."));
-    /* See wolfssl/src/ssl.c for amount of memory used.
-     * It is best on embedded devices to choose a TLS session cache size. */
-#endif
-
-    ret = wolfSSL_Init();
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.println("Successfully called wolfSSL_Init");
-    }
-    else {
-        Serial.println("ERROR: wolfSSL_Init failed");
-    }
-
-    /* See companion server example with wolfSSLv23_server_method here.
-     * method = wolfSSLv23_client_method());   SSL 3.0 - TLS 1.3.
-     * method = wolfTLSv1_2_client_method();   only TLS 1.2
-     * method = wolfTLSv1_3_client_method();   only TLS 1.3
-     *
-     * see Arduino\libraries\wolfssl\src\user_settings.h */
-
-    Serial.println("Here we go!");
-
-    method = wolfSSLv23_client_method();
-    if (method == NULL) {
-        Serial.println(F("unable to get wolfssl client method"));
-        fail_wait();
-    }
-    ctx = wolfSSL_CTX_new(method);
-    if (ctx == NULL) {
-        Serial.println(F("unable to get ctx"));
-        fail_wait();
-    }
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_certificates()                                              */
-/*****************************************************************************/
-int setup_certificates(void) {
-    int ret = 0;
-
-    Serial.println(F("Initializing certificates..."));
-    show_memory();
-
-    /* Use built-in validation, No verification callback function: */
-    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
-
-    /* Certificate */
-    Serial.println("Initializing certificates...");
-    ret = wolfSSL_CTX_use_certificate_buffer(ctx,
-                                             CTX_CLIENT_CERT,
-                                             CTX_CLIENT_CERT_SIZE,
-                                             CTX_CLIENT_CERT_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use certificate: ");
-        Serial.println(xstr(CTX_SERVER_CERT));
-    }
-    else {
-        Serial.println(F("Error: wolfSSL_CTX_use_certificate_buffer failed: "));
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    /* Setup private client key */
-    ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
-                                            CTX_CLIENT_KEY,
-                                            CTX_CLIENT_KEY_SIZE,
-                                            CTX_CLIENT_KEY_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use private key buffer: ");
-        Serial.println(xstr(CTX_SERVER_KEY));
-    }
-    else {
-        Serial.println(F("Error: wolfSSL_CTX_use_PrivateKey_buffer failed: "));
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    ret = wolfSSL_CTX_load_verify_buffer(ctx,
-                                         CTX_CA_CERT,
-                                         CTX_CA_CERT_SIZE,
-                                         CTX_CA_CERT_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.println(F("Success: load_verify CTX_CA_CERT"));
-    }
-    else {
-        Serial.println(F("Error: wolfSSL_CTX_load_verify_buffer failed: "));
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-
-
-    return ret;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino setup()                                                           */
-/*****************************************************************************/
-/*****************************************************************************/
-void setup(void) {
-    int i = 0;
-    Serial.begin(SERIAL_BAUD);
-    while (!Serial && (i < 10)) {
-        /* wait for serial port to connect. Needed for native USB port only */
-        delay(1000);
-        i++;
-    }
-    Serial.println(F(""));
-    Serial.println(F(""));
-    Serial.println(F("wolfSSL TLS Client Example Startup."));
-
-    /* define DEBUG_WOLFSSL in wolfSSL user_settings.h for diagnostics */
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-#endif
-
-    /* Optionally pre-allocate a large block of memory for testing */
-#if defined(MEMORY_STRESS_TEST)
-    Serial.println(F("WARNING: Memory Stress Test Active!"));
-    Serial.print(F("Allocating extra memory: "));
-    Serial.print(MEMORY_STRESS_INITIAL);
-    Serial.println(F(" bytes..."));
-    memory_stress[mem_ctr] = (char*)malloc(MEMORY_STRESS_INITIAL);
-    show_memory();
-#endif
-
-    setup_hardware();
-
-    setup_network();
-
-    setup_datetime();
-
-    setup_wolfssl();
-
-    setup_certificates();
-
-    /* Initialize wolfSSL using callback functions. */
-    wolfSSL_SetIOSend(ctx, EthernetSend);
-    wolfSSL_SetIORecv(ctx, EthernetReceive);
-
-    Serial.println(F("Completed Arduino setup!"));
-    /* See companion wolfssl_server.ino code; server begins listening here
-     * https://github.com/wolfSSL/wolfssl/tree/master/IDE/ARDUINO/sketches/wolfssl_server
-     * Any other server will work. See also:
-     * https://github.com/wolfSSL/wolfssl/tree/master/examples/client
-     */
-    /* See companion wolfssl_server.ino code */
-    return;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/* wolfSSL error_check()                                                     */
-/*****************************************************************************/
-int error_check(int this_ret, bool halt_on_error,
-                      const __FlashStringHelper* message) {
-    int ret = 0;
-    if (this_ret == WOLFSSL_SUCCESS) {
-        Serial.print(F("Success: "));
-        Serial.println(message);
-    }
-    else {
-        Serial.print(F("ERROR: return = "));
-        Serial.print(this_ret);
-        Serial.print(F(": "));
-        Serial.println(message);
-        Serial.println(wc_GetErrorString(this_ret));
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    show_memory();
-
-    return ret;
-} /* error_check */
-
-/*****************************************************************************/
-/* wolfSSL error_check_ssl                                                   */
-/*   Parameters:                                                             */
-/*     ssl           is the current WOLFSSL object pointer                   */
-/*     halt_on_error set to true to suspend operations for critical error    */
-/*     message       is expected to be a memory-efficient F("") macro string */
-/*****************************************************************************/
-int error_check_ssl(WOLFSSL* ssl, int this_ret, bool halt_on_error,
-                           const __FlashStringHelper* message) {
-    int err = 0;
-
-    if (ssl == NULL) {
-        Serial.println(F("ssl is Null; Unable to allocate SSL object?"));
-#ifndef DEBUG_WOLFSSL
-        Serial.println(F("Define DEBUG_WOLFSSL in user_settings.h for more."));
-#else
-        Serial.println(F("See wolfssl/wolfcrypt/error-crypt.h for codes."));
-#endif
-        Serial.print(F("ERROR: "));
-        Serial.println(message);
-        show_memory();
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    else {
-        err = wolfSSL_get_error(ssl, this_ret);
-        if (err == WOLFSSL_SUCCESS) {
-            Serial.print(F("Success m: "));
-            Serial.println(message);
-        }
-        else {
-            if (err < 0) {
-                wolfSSL_ERR_error_string(err, errBuf);
-                Serial.print(F("WOLFSSL Error: "));
-                Serial.print(err);
-                Serial.print(F("; "));
-                Serial.println(errBuf);
-            }
-            else {
-                Serial.println(F("Success: ssl object."));
-            }
-        }
-    }
-
-    return err;
-}
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino loop()                                                            */
-/*****************************************************************************/
-/*****************************************************************************/
-void loop() {
-    char reply[80];
-    char msg[32]       = "hello wolfssl!";
-    const char* cipherName;
-    int retry_shutdown = SHUTDOWN_DELAY_MS; /* max try, once per millisecond */
-    int total_input    = 0;
-    int msgSz          = 0;
-    int input          = 0;
-    int ret            = 0;
-    int err            = 0;
-    msgSz = (int)strlen(msg);
-    Serial.println(F(""));
-    Serial.println(F("Starting Arduino loop() ..."));
-
-    if (reconnect) {
-        reconnect--;
-        /* WiFi client returns true if connection succeeds, false if not.  */
-        /* Wired client returns int (1,-1,-2,-3,-4) for connection status. */
-        Serial.print(F("Connecting to "));
-        Serial.print(host);
-        Serial.print(F(":"));
-        Serial.println(port);
-        /* can also use: IPAddress server(192,168,1,37); */
-        Serial.println(F("Here we go..."));
-        ret = client.connect(host, port);
-        Serial.println(F("Ok, checking..."));
-        if (ret > 0) {
-            Serial.println(F("Connected!"));
-
-            /* initialize wolfSSL */
-            ret = wolfSSL_Init();
-            error_check(ret, false, F("calling wolfSSL_Init") );
-
-            /* create secure connection object. see setup for ctx certs. */
-            Serial.println(F("Calling ssl = wolfSSL_new(ctx)"));
-            ssl = wolfSSL_new(ctx);
-            error_check_ssl(ssl, 0, true, F("Create WOLFSSL object from ctx"));
-
-            Serial.print(F("Connecting to wolfSSL TLS Secure Server..."));
-            do {
-                err = 0; /* reset error */
-                Serial.println(F("wolfSSL_connect ..."));
-                ret = wolfSSL_connect(ssl);
-                Serial.print("wolfSSL_connect return result =");
-                Serial.println(ret);
-                if ((ret != WOLFSSL_SUCCESS) && (ret != WC_PENDING_E)) {
-                    Serial.println(F("Failed connection, checking error."));
-                    err = error_check_ssl(ssl, ret, true,
-                                    F("Create WOLFSSL object from ctx"));
-                    Serial.print("err =");
-                    Serial.println(err);
-                }
-                else {
-                   Serial.print(PROGRESS_DOT);
-                }
-            } while (err == WC_PENDING_E);
-
-            Serial.println();
-            Serial.println(F("Connected!"));
-            Serial.print(F("SSL version is "));
-            Serial.println(wolfSSL_get_version(ssl));
-
-            cipherName = wolfSSL_get_cipher(ssl);
-            Serial.print(F("SSL cipher suite is "));
-            Serial.println(cipherName);
-
-            /* see test.h
-             * TODO: test.h needs a little bit of Arduino work for these:
-            showPeerEx(ssl, lng_index);
-            showPeerPEM(ssl);
-            */
-
-            Serial.print(F("Sending secure message to server: "));
-            Serial.println(msg);
-            ret = wolfSSL_write(ssl, msg, msgSz);
-            if (ret == msgSz) {
-                Serial.print(F("Waiting for Server response..."));
-
-                while (!client.available()) {
-                    /* wait for data */
-                    delay(1); /* 1 ms delay */
-                }
-
-                Serial.print(F("Reading response.."));
-                /* read data */
-                do {
-                    ret = wolfSSL_read(ssl, reply, sizeof(reply) - 1);
-                    if (ret < 0) {
-                        error_check_ssl(ssl, ret, false,
-                                        F("during TLS Read"));
-                    }
-                    else {
-                        Serial.print(PROGRESS_DOT);
-                    }
-                } while (err == WC_PENDING_E);
-                Serial.println();
-
-                Serial.println();
-                Serial.println(reply); /* typically: I hear you fa shizzle! */
-                Serial.println();
-
-            } /* wolfSSL_write message size matched */
-            else {
-                error_check_ssl(ssl, ret, false,
-                    F("during TLS Write"));
-            }  /* any wolfSSL_write message size mismatch is an error */
-
-            Serial.print(F("Shutting down.."));
-            do {
-                delay(1);
-                Serial.print(PROGRESS_DOT);
-                retry_shutdown--;
-                ret = wolfSSL_shutdown(ssl);
-            } while (   (ret == WOLFSSL_SHUTDOWN_NOT_DONE)
-                     && (retry_shutdown > 0)
-                    ); /* There may be pending data, so wait until done. */
-            Serial.println();
-
-            if (retry_shutdown <= 0) {
-                /* if wolfSSL_free is called before properly shutting down the
-                 * ssl object, undesired results may occur. */
-                Serial.println(F("Warning! Shutdown did not properly complete."));
-            }
-
-            wolfSSL_free(ssl);
-            client.stop();
-            Serial.println(F("Connection complete."));
-            if (REPEAT_CONNECTION) {
-                reconnect = RECONNECT_ATTEMPTS;
-            }
-            else {
-                reconnect = 0;
-            }
-        } /* client.connect(host, port) */
-        else {
-            Serial.println(F("Problem sending message. Trying to reconnect..."));
-        }
-    }
-    delay(1000);
-    if ((reconnect > 0) && (REPEAT_CONNECTION)) {
-        Serial.println(F("Arduino loop repeating..."));
-        Serial.println();
-    }
-    else {
-        printf("wow");
-        Serial.println(F("Done!"));
-        while(1) {
-            /* wait forever */
-        }
-    }
-
-#if defined(MEMORY_STRESS_TEST)
-    if (mem_ctr < MEMORY_STRESS_ITERATIONS) {
-        /* reminder: mem_ctr == 0 is MEMORY_STRESS_INITIAL allocation */
-        mem_ctr++;
-        Serial.print(F("Memory stress increment: "));
-        Serial.print(mem_ctr);
-        Serial.print(F(". Allocating addition memory (bytes): "));
-        Serial.println(MEMORY_STRESS_BLOCK_SIZE);
-        memory_stress[mem_ctr] = (char*)malloc(MEMORY_STRESS_BLOCK_SIZE);
-        show_memory();
-    }
-#endif
-} /* Arduino loop repeats */

IDE/ARDUINO/sketches/wolfssl_server/README.md

@@ -1,6 +1,14 @@
 # Arduino Basic TLS Server
 
-Open the [wolfssl_server.ino](./wolfssl_server.ino) file in the Arduino IDE.
+Open the `wolfssl_server.ino` file in the Arduino IDE.
+
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+If using WiFi, be sure to set `ssid` and `password` values.
+
+May need "Ethernet by Various" library to be installed. Tested with v2.0.2 and v2.8.1.
+
+See the `#define WOLFSSL_TLS_SERVER_HOST` to set your own server address.
 
 Other IDE products are also supported, such as:
 

IDE/ARDUINO/sketches/wolfssl_server/wolfssl_server.ino

@@ -1,838 +0,0 @@
-/* wolfssl_server.ino
- *
- * Copyright (C) 2006-2024 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
-
-/*
-Tested with:
-
-1) Intel Galileo acting as the Client, with a laptop acting as a server using
-   the server example provided in examples/server.
-   Legacy Arduino v1.86 was used to compile and program the Galileo
-
-2) Espressif ESP32 WiFi
-
-3) Arduino Due, Nano33 IoT, Nano RP-2040
-*/
-
-/*
- * Note to code editors: the Arduino client and server examples are edited in
- * parallel for side-by-side comparison between examples.
- */
-
-/* If you have a private include, define it here, otherwise edit WiFi params */
-#define MY_PRIVATE_CONFIG "/workspace/my_private_config.h"
-
-/* set REPEAT_CONNECTION to a non-zero value to continually run the example. */
-#define REPEAT_CONNECTION 1
-
-/* Edit this with your other TLS host server address to connect to: */
-/* #define WOLFSSL_TLS_SERVER_HOST "192.168.1.34" */
-
-/* wolfssl TLS examples communicate on port 11111 */
-#define WOLFSSL_PORT 11111
-
-/* Choose a monitor serial baud rate: 9600, 14400, 19200, 57600, 74880, etc. */
-#define SERIAL_BAUD 115200
-
-/* We'll wait up to 2000 milliseconds to properly shut down connection */
-#define SHUTDOWN_DELAY_MS 2000
-
-/* Number of times to retry connection.  */
-#define RECONNECT_ATTEMPTS 20
-
-/* Optional stress test. Define to consume memory until exhausted: */
-/* #define MEMORY_STRESS_TEST */
-
-/* Choose client or server example, not both. */
-/* #define WOLFSSL_CLIENT_EXAMPLE */
-#define WOLFSSL_SERVER_EXAMPLE
-
-#if defined(MY_PRIVATE_CONFIG)
-    /* the /workspace directory may contain a private config
-     * excluded from GitHub with items such as WiFi passwords */
-    #include MY_PRIVATE_CONFIG
-    static const char* ssid PROGMEM = MY_ARDUINO_WIFI_SSID;
-    static const char* password PROGMEM = MY_ARDUINO_WIFI_PASSWORD;
-#else
-    /* when using WiFi capable boards: */
-    static const char* ssid PROGMEM  = "your_SSID";
-    static const char* password PROGMEM = "your_PASSWORD";
-#endif
-
-#define BROADCAST_ADDRESS "255.255.255.255"
-
-/* There's an optional 3rd party NTPClient library by Fabrice Weinberg.
- * If it is installed, uncomment define USE_NTP_LIB here: */
-/* #define USE_NTP_LIB */
-#ifdef USE_NTP_LIB
-    #include <NTPClient.h>
-#endif
-
-#include <wolfssl.h>
-/* Important: make sure settings.h appears before any other wolfSSL headers */
-#include <wolfssl/wolfcrypt/settings.h>
-/* Reminder: settings.h includes user_settings.h
- * For ALL project wolfSSL settings, see:
- * [your path]/Arduino\libraries\wolfSSL\src\user_settings.h   */
-#include <wolfssl/ssl.h>
-#include <wolfssl/certs_test.h>
-#include <wolfssl/wolfcrypt/error-crypt.h>
-
-/* Define DEBUG_WOLFSSL in user_settings.h for more verbose logging. */
-#if defined(DEBUG_WOLFSSL)
-    #define PROGRESS_DOT F("")
-#else
-    #define PROGRESS_DOT F(".")
-#endif
-
-/* Convert a macro to a string */
-#define xstr(x) str(x)
-#define str(x) #x
-
-/* optional board-specific networking includes */
-#if defined(ESP32)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    /* Ensure the F() flash macro is defined */
-    #ifndef F
-        #define F
-    #endif
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(ESP8266)
-    #define USING_WIFI
-    #include <ESP8266WiFi.h>
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(ARDUINO_SAM_DUE)
-    #include <SPI.h>
-    /* There's no WiFi/Ethernet on the Due. Requires Ethernet Shield.
-    /* Needs "Ethernet by Various" library to be installed. Tested with V2.0.2 */
-    #include <Ethernet.h>
-    EthernetClient client;
-    EthernetClient server(WOLFSSL_PORT);
-#elif defined(ARDUINO_SAMD_NANO_33_IOT)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h> /* Needs Arduino WiFiNINA library installed manually */
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(ARDUINO_ARCH_RP2040)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h>
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(USING_WIFI)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-/* TODO
-#elif defined(OTHER_BOARD)
-*/
-#else
-    #define USING_WIFI
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#endif
-
-/* Only for syntax highlighters to show interesting options enabled: */
-#if defined(HAVE_SNI)                           \
-   || defined(HAVE_MAX_FRAGMENT)                  \
-   || defined(HAVE_TRUSTED_CA)                    \
-   || defined(HAVE_TRUNCATED_HMAC)                \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST)    \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \
-   || defined(HAVE_SUPPORTED_CURVES)              \
-   || defined(HAVE_ALPN)                          \
-   || defined(HAVE_SESSION_TICKET)                \
-   || defined(HAVE_SECURE_RENEGOTIATION)          \
-   || defined(HAVE_SERVER_RENEGOTIATION_INFO)
-#endif
-
-
-/* we expect our IP address from DHCP */
-
-static WOLFSSL_CTX* ctx = NULL;
-static WOLFSSL* ssl = NULL;
-static char* wc_error_message = (char*)malloc(80 + 1);
-static char errBuf[80];
-
-#if defined(MEMORY_STRESS_TEST)
-    #define MEMORY_STRESS_ITERATIONS 100
-    #define MEMORY_STRESS_BLOCK_SIZE 1024
-    #define MEMORY_STRESS_INITIAL (4*1024)
-    static char* memory_stress[MEMORY_STRESS_ITERATIONS]; /* typically 1K per item */
-    static int mem_ctr        = 0;
-#endif
-
-static int EthernetSend(WOLFSSL* ssl, char* msg, int sz, void* ctx);
-static int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx);
-static int reconnect = RECONNECT_ATTEMPTS;
-static int lng_index PROGMEM = 0; /* 0 = English */
-
-#if defined(__arm__)
-    #include <malloc.h>
-    extern char _end;
-    extern "C" char *sbrk(int i);
-    static char *ramstart=(char *)0x20070000;
-    static char *ramend=(char *)0x20088000;
-#endif
-
-/*****************************************************************************/
-/* fail_wait - in case of unrecoverable error                                */
-/*****************************************************************************/
-int fail_wait(void) {
-    show_memory();
-
-    Serial.println(F("Failed. Halt."));
-    while (1) {
-        delay(1000);
-    }
-    return 0;
-}
-
-/*****************************************************************************/
-/* show_memory() to optionally view during debugging.                         */
-/*****************************************************************************/
-int show_memory(void)
-{
-#if defined(__arm__)
-    struct mallinfo mi = mallinfo();
-
-    char *heapend=sbrk(0);
-    register char * stack_ptr asm("sp");
-    #if defined(DEBUG_WOLFSSL_VERBOSE)
-        Serial.print("    arena=");
-        Serial.println(mi.arena);
-        Serial.print("  ordblks=");
-        Serial.println(mi.ordblks);
-        Serial.print(" uordblks=");
-        Serial.println(mi.uordblks);
-        Serial.print(" fordblks=");
-        Serial.println(mi.fordblks);
-        Serial.print(" keepcost=");
-        Serial.println(mi.keepcost);
-    #endif
-
-    #if defined(DEBUG_WOLFSSL) || defined(MEMORY_STRESS_TEST)
-        Serial.print("Estimated free memory: ");
-        Serial.print(stack_ptr - heapend + mi.fordblks);
-        Serial.println(F(" bytes"));
-    #endif
-
-    #if (0)
-        /* Experimental: not supported on all devices: */
-        Serial.print("RAM Start %lx\n", (unsigned long)ramstart);
-        Serial.print("Data/Bss end %lx\n", (unsigned long)&_end);
-        Serial.print("Heap End %lx\n", (unsigned long)heapend);
-        Serial.print("Stack Ptr %lx\n",(unsigned long)stack_ptr);
-        Serial.print("RAM End %lx\n", (unsigned long)ramend);
-
-        Serial.print("Heap RAM Used: ",mi.uordblks);
-        Serial.print("Program RAM Used ",&_end - ramstart);
-        Serial.print("Stack RAM Used ",ramend - stack_ptr);
-
-        Serial.print("Estimated Free RAM: %d\n\n",stack_ptr - heapend + mi.fordblks);
-    #endif
-#else
-    Serial.println(F("show_memory() not implemented for this platform"));
-#endif
-    return 0;
-}
-
-/*****************************************************************************/
-/* EthernetSend() to send a message string.                                  */
-/*****************************************************************************/
-int EthernetSend(WOLFSSL* ssl, char* message, int sz, void* ctx) {
-    int sent = 0;
-    (void)ssl;
-    (void)ctx;
-
-    sent = client.write((byte*)message, sz);
-    return sent;
-}
-
-/*****************************************************************************/
-/* EthernetReceive() to receive a reply string.                              */
-/*****************************************************************************/
-int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx) {
-    int ret = 0;
-    (void)ssl;
-    (void)ctx;
-
-    while (client.available() > 0 && ret < sz) {
-        reply[ret++] = client.read();
-    }
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_hardware()                                                  */
-/*****************************************************************************/
-int setup_hardware(void) {
-    int ret = 0;
-
-#if defined(ARDUINO_SAMD_NANO_33_IOT)
-    Serial.println(F("Detected known tested and working Arduino Nano 33 IoT"));
-#elif defined(ARDUINO_ARCH_RP2040)
-    Serial.println(F("Detected known tested and working Arduino RP-2040"));
-#elif defined(__arm__) && defined(ID_TRNG) && defined(TRNG)
-    /* need to manually turn on random number generator on Arduino Due, etc. */
-    pmc_enable_periph_clk(ID_TRNG);
-    trng_enable(TRNG);
-    Serial.println(F("Enabled ARM TRNG"));
-#endif
-
-    show_memory();
-    randomSeed(analogRead(0));
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_datetime()                                                  */
-/*   The device needs to have a valid date within the valid range of certs.  */
-/*****************************************************************************/
-int setup_datetime(void) {
-    int ret = 0;
-    int ntp_tries = 20;
-
-    /* we need a date in the range of cert expiration */
-#ifdef USE_NTP_LIB
-    #if defined(ESP32)
-        NTPClient timeClient(ntpUDP, "pool.ntp.org");
-
-        timeClient.begin();
-        timeClient.update();
-        delay(1000);
-        while (!timeClient.isTimeSet() && (ntp_tries > 0)) {
-            timeClient.forceUpdate();
-            Serial.println(F("Waiting for NTP update"));
-            delay(2000);
-            ntp_tries--;
-        }
-        if (ntp_tries <= 0) {
-            Serial.println(F("Warning: gave up waiting on NTP"));
-        }
-        Serial.println(timeClient.getFormattedTime());
-        Serial.println(timeClient.getEpochTime());
-    #endif
-#endif
-
-#if defined(ESP32)
-    /* see esp32-hal-time.c */
-    ntp_tries = 5;
-    /* Replace "pool.ntp.org" with your preferred NTP server */
-    configTime(0, 0, "pool.ntp.org");
-
-    /* Wait for time to be set */
-    while ((time(nullptr) <= 100000) && ntp_tries > 0) {
-        Serial.println(F("Waiting for time to be set..."));
-        delay(2000);
-        ntp_tries--;
-    }
-#endif
-
-    return ret;
-} /* setup_datetime */
-
-/*****************************************************************************/
-/* Arduino setup_network()                                                   */
-/*****************************************************************************/
-int setup_network(void) {
-    int ret = 0;
-
-#if defined(USING_WIFI)
-    int status = WL_IDLE_STATUS;
-
-    /* The ESP8266 & ESP32 support both AP and STA. We'll use STA: */
-    #if defined(ESP8266) || defined(ESP32)
-        WiFi.mode(WIFI_STA);
-    #else
-        String fv;
-        if (WiFi.status() == WL_NO_MODULE) {
-            Serial.println("Communication with WiFi module failed!");
-            /* don't continue if no network */
-            while (true) ;
-        }
-
-        fv = WiFi.firmwareVersion();
-        if (fv < WIFI_FIRMWARE_LATEST_VERSION) {
-            Serial.println("Please upgrade the firmware");
-        }
-    #endif
-
-    Serial.print(F("Connecting to WiFi "));
-    Serial.print(ssid);
-    status = WiFi.begin(ssid, password);
-    while (status != WL_CONNECTED) {
-        delay(1000);
-        Serial.print(F("."));
-        Serial.print(status);
-        status = WiFi.status();
-    }
-
-    Serial.println(F(" Connected!"));
-#else
-    /* Newer Ethernet shields have a
-     * MAC address printed on a sticker on the shield */
-    byte mac[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };
-    IPAddress ip(192, 168, 1, 42);
-    IPAddress myDns(192, 168, 1, 1);
-    Ethernet.init(10); /* Most Arduino shields */
-    /* Ethernet.init(5);   * MKR ETH Shield */
-    /* Ethernet.init(0);   * Teensy 2.0 */
-    /* Ethernet.init(20);  * Teensy++ 2.0 */
-    /* Ethernet.init(15);  * ESP8266 with Adafruit FeatherWing Ethernet */
-    /* Ethernet.init(33);  * ESP32 with Adafruit FeatherWing Ethernet */
-    Serial.println(F("Initialize Ethernet with DHCP:"));
-    if (Ethernet.begin(mac) == 0) {
-        Serial.println(F("Failed to configure Ethernet using DHCP"));
-        /* Check for Ethernet hardware present */
-        if (Ethernet.hardwareStatus() == EthernetNoHardware) {
-            Serial.println(F("Ethernet shield was not found."));
-            while (true) {
-                delay(1); /* do nothing */
-            }
-        }
-        if (Ethernet.linkStatus() == LinkOFF) {
-            Serial.println(F("Ethernet cable is not connected."));
-        }
-        /* try to configure using IP address instead of DHCP : */
-        Ethernet.begin(mac, ip, myDns);
-    }
-    else {
-        Serial.print(F("  DHCP assigned IP "));
-        Serial.println(Ethernet.localIP());
-    }
-    /* We'll assume the Ethernet connection is ready to go. */
-#endif
-
-    Serial.println(F("********************************************************"));
-    Serial.print(F("      wolfSSL Example Server IP = "));
-#if defined(USING_WIFI)
-    Serial.println(WiFi.localIP());
-#else
-    Serial.println(Ethernet.localIP());
-#endif
-    /* In server mode, there's no host definition. */
-    /* See companion example: wolfssl_client.ino */
-    Serial.println(F("********************************************************"));
-    Serial.println(F("Setup network complete."));
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_wolfssl()                                                   */
-/*****************************************************************************/
-int setup_wolfssl(void) {
-    int ret = 0;
-    WOLFSSL_METHOD* method;
-
-    /* Show a revision of wolfssl user_settings.h file in use when available: */
-#if defined(WOLFSSL_USER_SETTINGS_ID)
-    Serial.print(F("WOLFSSL_USER_SETTINGS_ID: "));
-    Serial.println(F(WOLFSSL_USER_SETTINGS_ID));
-#else
-    Serial.println(F("No WOLFSSL_USER_SETTINGS_ID found."));
-#endif
-
-#if defined(NO_WOLFSSL_SERVER)
-    Serial.println(F("wolfSSL server code disabled to save space."));
-#endif
-#if defined(NO_WOLFSSL_CLIENT)
-    Serial.println(F("wolfSSL client code disabled to save space."));
-#endif
-
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-    Serial.println(F("wolfSSL Debugging is On!"));
-#else
-    Serial.println(F("wolfSSL Debugging is Off! (enable with DEBUG_WOLFSSL)"));
-#endif
-
-    /* See ssl.c for TLS cache settings. Larger cache = use more RAM. */
-#if defined(NO_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS NO_SESSION_CACHE"));
-#elif defined(MICRO_SESSION_CACHEx)
-    Serial.println(F("wolfSSL TLS MICRO_SESSION_CACHE"));
-#elif defined(SMALL_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS SMALL_SESSION_CACHE"));
-#elif defined(MEDIUM_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS MEDIUM_SESSION_CACHE"));
-#elif defined(BIG_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS BIG_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#else
-    Serial.println(F("WARNING: Unknown or no TLS session cache setting."));
-    /* See wolfssl/src/ssl.c for amount of memory used.
-     * It is best on embedded devices to choose a TLS session cache size. */
-#endif
-
-    ret = wolfSSL_Init();
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.println("Successfully called wolfSSL_Init");
-    }
-    else {
-        Serial.println("ERROR: wolfSSL_Init failed");
-    }
-
-    /* See companion server example with wolfSSLv23_server_method here.
-     * method = wolfSSLv23_client_method());   SSL 3.0 - TLS 1.3.
-     * method = wolfTLSv1_2_client_method();   only TLS 1.2
-     * method = wolfTLSv1_3_client_method();   only TLS 1.3
-     *
-     * see Arduino\libraries\wolfssl\src\user_settings.h */
-
-    Serial.println("Here we go!");
-
-    method = wolfSSLv23_server_method();
-    if (method == NULL) {
-        Serial.println(F("unable to get wolfssl server method"));
-        fail_wait();
-    }
-    ctx = wolfSSL_CTX_new(method);
-    if (ctx == NULL) {
-        Serial.println(F("unable to get ctx"));
-        fail_wait();
-    }
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_certificates()                                              */
-/*****************************************************************************/
-int setup_certificates(void) {
-    int ret = 0;
-
-    Serial.println(F("Initializing certificates..."));
-    show_memory();
-
-    /* Use built-in validation, No verification callback function: */
-    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
-
-    /* Certificate */
-    Serial.println("Initializing certificates...");
-    ret = wolfSSL_CTX_use_certificate_buffer(ctx,
-                                             CTX_SERVER_CERT,
-                                             CTX_SERVER_CERT_SIZE,
-                                             CTX_CA_CERT_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use certificate: ");
-        Serial.println(xstr(CTX_SERVER_CERT));
-    }
-    else {
-        Serial.print("Error: wolfSSL_CTX_use_certificate_buffer failed: ");
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    /* Setup private server key */
-    ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
-                                            CTX_SERVER_KEY,
-                                            CTX_SERVER_KEY_SIZE,
-                                            CTX_SERVER_KEY_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use private key buffer: ");
-        Serial.println(xstr(CTX_SERVER_KEY));
-    }
-    else {
-        Serial.print("Error: wolfSSL_CTX_use_PrivateKey_buffer failed: ");
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    return ret;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino setup()                                                           */
-/*****************************************************************************/
-/*****************************************************************************/
-void setup(void) {
-    int i = 0;
-    Serial.begin(SERIAL_BAUD);
-    while (!Serial && (i < 10)) {
-        /* wait for serial port to connect. Needed for native USB port only */
-        delay(1000);
-        i++;
-    }
-
-    Serial.println(F(""));
-    Serial.println(F(""));
-    Serial.println(F("wolfSSL TLS Server Example Startup."));
-
-    /* define DEBUG_WOLFSSL in wolfSSL user_settings.h for diagnostics */
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-#endif
-
-    /* Optionally pre-allocate a large block of memory for testing */
-#if defined(MEMORY_STRESS_TEST)
-    Serial.println(F("WARNING: Memory Stress Test Active!"));
-    Serial.print(F("Allocating extra memory: "));
-    Serial.print(MEMORY_STRESS_INITIAL);
-    Serial.println(F(" bytes..."));
-    memory_stress[mem_ctr] = (char*)malloc(MEMORY_STRESS_INITIAL);
-    show_memory();
-#endif
-
-    setup_hardware();
-
-    setup_network();
-
-    setup_datetime();
-
-    setup_wolfssl();
-
-    setup_certificates();
-
-    /* Initialize wolfSSL using callback functions. */
-    wolfSSL_SetIOSend(ctx, EthernetSend);
-    wolfSSL_SetIORecv(ctx, EthernetReceive);
-
-#if defined THIS_USER_SETTINGS_VERSION
-    Serial.print(F("This user_settings.h version:"))
-    Serial.println(THIS_USER_SETTINGS_VERSION)
-#endif
-
-    /* Start the server
-     * See https://www.arduino.cc/reference/en/libraries/ethernet/server.begin/
-     */
-
-    Serial.println(F("Completed Arduino setup()"));
-
-    server.begin();
-    Serial.println("Begin Server... (waiting for remote client to connect)");
-
-    /* See companion wolfssl_client.ino code */
-    return;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/* wolfSSL error_check()                                                     */
-/*****************************************************************************/
-int error_check(int this_ret, bool halt_on_error,
-                      const __FlashStringHelper* message) {
-    int ret = 0;
-    if (this_ret == WOLFSSL_SUCCESS) {
-        Serial.print(F("Success: "));
-        Serial.println(message);
-    }
-    else {
-        Serial.print(F("ERROR: return = "));
-        Serial.print(this_ret);
-        Serial.print(F(": "));
-        Serial.println(message);
-        Serial.println(wc_GetErrorString(this_ret));
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    show_memory();
-
-    return ret;
-} /* error_check */
-
-/*****************************************************************************/
-/* wolfSSL error_check_ssl                                                   */
-/*   Parameters:                                                             */
-/*     ssl           is the current WOLFSSL object pointer                   */
-/*     halt_on_error set to true to suspend operations for critical error    */
-/*     message       is expected to be a memory-efficient F("") macro string */
-/*****************************************************************************/
-int error_check_ssl(WOLFSSL* ssl, int this_ret, bool halt_on_error,
-                           const __FlashStringHelper* message) {
-    int err = 0;
-
-    if (ssl == NULL) {
-        Serial.println(F("ssl is Null; Unable to allocate SSL object?"));
-#ifndef DEBUG_WOLFSSL
-        Serial.println(F("Define DEBUG_WOLFSSL in user_settings.h for more."));
-#else
-        Serial.println(F("See wolfssl/wolfcrypt/error-crypt.h for codes."));
-#endif
-        Serial.print(F("ERROR: "));
-        Serial.println(message);
-        show_memory();
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    else {
-        err = wolfSSL_get_error(ssl, this_ret);
-        if (err == WOLFSSL_SUCCESS) {
-            Serial.print(F("Success m: "));
-            Serial.println(message);
-        }
-        else {
-            if (err < 0) {
-                wolfSSL_ERR_error_string(err, errBuf);
-                Serial.print(F("WOLFSSL Error: "));
-                Serial.print(err);
-                Serial.print(F("; "));
-                Serial.println(errBuf);
-            }
-            else {
-                Serial.println(F("Success: ssl object."));
-            }
-        }
-    }
-
-    return err;
-}
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino loop()                                                            */
-/*****************************************************************************/
-/*****************************************************************************/
-void loop() {
-    char errBuf[80]    = "(no error";
-    char reply[80]     = "(no reply)";
-    const char msg[]   = "I hear you fa shizzle!";
-    const char* cipherName;
-    int input          = 0;
-    int replySz        = 0;
-    int retry_shutdown = SHUTDOWN_DELAY_MS; /* max try, once per millisecond */
-    int ret            = 0;
-    IPAddress broadcast_address(255, 255, 255, 255);
-
-    /* Listen for incoming client requests. */
-    client = server.available();
-    if (client)  {
-       Serial.println("Have Client");
-       while (!client.connected()) {
-           /* wait for the client to actually connect */
-           delay(10);
-       }
-        Serial.print("Client connected from remote IP: ");
-        Serial.println(client.remoteIP());
-
-        ssl = wolfSSL_new(ctx);
-        if (ssl == NULL) {
-            Serial.println("Unable to allocate SSL object");
-            fail_wait();
-        }
-
-        ret = wolfSSL_accept(ssl);
-        if (ret != WOLFSSL_SUCCESS) {
-            ret = wolfSSL_get_error(ssl, 0);
-            wolfSSL_ERR_error_string(ret, errBuf);
-            Serial.print("TLS Accept Error: ");
-            Serial.println(errBuf);
-        }
-
-        cipherName = wolfSSL_get_cipher(ssl);
-        Serial.print("SSL cipher suite is ");
-        Serial.println(cipherName);
-
-        Serial.print("Server Read: ");
-        while (!client.available()) {
-            /* wait for data */
-        }
-
-        /* read data */
-        while (wolfSSL_pending(ssl)) {
-            input = wolfSSL_read(ssl, reply, sizeof(reply) - 1);
-            if (input < 0) {
-                ret = wolfSSL_get_error(ssl, 0);
-                wolfSSL_ERR_error_string(ret, errBuf);
-                Serial.print("TLS Read Error: ");
-                Serial.println(errBuf);
-                break;
-            }
-            else if (input > 0) {
-                replySz = input;
-                reply[input] = '\0';
-                Serial.print(reply);
-            }
-            else {
-                Serial.println("<end of reply, input == 0>");
-            }
-        }
-
-        /* Write our message into reply buffer to send */
-        memset(reply, 0, sizeof(reply));
-        memcpy(reply, msg, sizeof(msg));
-        replySz = strnlen(reply, sizeof(reply));
-
-        Serial.println("Sending reply...");
-        if ((wolfSSL_write(ssl, reply, replySz)) != replySz) {
-            ret = wolfSSL_get_error(ssl, 0);
-            wolfSSL_ERR_error_string(ret, errBuf);
-            Serial.print("TLS Write Error: ");
-            Serial.println(errBuf);
-        }
-        else {
-            Serial.println("Reply sent!");
-        }
-
-        Serial.println("Shutdown!");
-        do {
-            delay(1);
-            retry_shutdown--;
-            ret = wolfSSL_shutdown(ssl);
-        } while ((ret == WOLFSSL_SHUTDOWN_NOT_DONE) && (retry_shutdown > 0));
-
-        if (retry_shutdown <= 0) {
-            /* if wolfSSL_free is called before properly shutting down the
-             * ssl object, undesired results may occur. */
-            Serial.println("Warning! Shutdown did not properly complete.");
-        }
-
-        wolfSSL_free(ssl);
-        Serial.println("Connection complete.");
-        if (REPEAT_CONNECTION) {
-            Serial.println();
-            Serial.println("Waiting for next connection.");
-        }
-        else {
-            client.stop();
-            Serial.println("Done!");
-            while (1) {
-                /* wait forever if not repeating */
-                delay(100);
-            }
-        }
-    }
-    else {
-        /* Serial.println("Client not connected. Trying again..."); */
-    }
-
-    delay(100);
-} /* Arduino loop repeats */

IDE/ARDUINO/sketches/wolfssl_version/README.md

@@ -1,3 +1,5 @@
 # Arduino Basic Hello World
 
 This example simply compiles in wolfSSL and shows the current version number.
+
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499

IDE/ARDUINO/sketches/wolfssl_version/wolfssl_version.ino

@@ -1,24 +0,0 @@
-#include <Arduino.h>
-#include <wolfssl.h>
-#include <wolfssl/version.h>
-
-/* Choose a monitor serial baud rate: 9600, 14400, 19200, 57600, 74880, etc. */
-#define SERIAL_BAUD 115200
-
-/* Arduino setup */
-void setup() {
-    Serial.begin(SERIAL_BAUD);
-    while (!Serial) {
-        /* wait for serial port to connect. Needed for native USB port only */
-    }
-    Serial.println(F(""));
-    Serial.println(F(""));
-    Serial.println(F("wolfSSL setup complete!"));
-}
-
-/* Arduino main application loop. */
-void loop() {
-    Serial.print("wolfSSL Version: ");
-    Serial.println(LIBWOLFSSL_VERSION_STRING);
-    delay(60000);
-}

IDE/ARDUINO/wolfssl-arduino.cpp

@@ -0,0 +1,33 @@
+/* wolfssl-arduino.cpp
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <Arduino.h>
+#include "wolfssl.h"
+
+/* Function to allow wolfcrypt to use Arduino Serial.print for debug messages.
+ * See wolfssl/wolfcrypt/logging.c */
+
+int wolfSSL_Arduino_Serial_Print(const char* const s)
+{
+    /* Reminder: Serial.print is only available in C++ */
+    Serial.println(F(s));
+    return 0;
+};

IDE/ARDUINO/wolfssl-arduino.sh

@@ -70,6 +70,9 @@ if [ "$ROOT_DIR" = "" ]; then
     exit 1
 fi
 
+
+ARDUINO_ROOT="$HOME/Arduino/libraries"
+
 # Check environment
 if [ -n "$WSL_DISTRO_NAME" ]; then
     # we found a non-blank WSL environment distro name
@@ -78,8 +81,6 @@ if [ -n "$WSL_DISTRO_NAME" ]; then
     if echo "$current_path" | grep -Eq "^$pattern"; then
         # if we are in WSL and shared Windows file system, 'ln' does not work.
         ARDUINO_ROOT="/mnt/c/Users/$USER/Documents/Arduino/libraries"
-    else
-        ARDUINO_ROOT="$HOME/Arduino/libraries"
     fi
 fi
 echo "The Arduino library root is: $ARDUINO_ROOT"
@@ -116,11 +117,21 @@ if [ $# -gt 0 ]; then
         echo "Error: not a valid operation: $THIS_OPERATION"
         exit 1
     fi
+else
+    echo "INSTALL parameter not specified. Installing to ROOT_DIR=$ROOT_DIR"
 fi
 
 
 ROOT_SRC_DIR="${ROOT_DIR}/src"
 EXAMPLES_DIR="${ROOT_DIR}/examples"
+
+if [ -n "$WOLFSSL_EXAMPLES_ROOT" ]; then
+    EXTRA_EXAMPLES_DIR="${WOLFSSL_EXAMPLES_ROOT}/Arduino"
+    echo "EXTRA_EXAMPLES_DIR=$EXTRA_EXAMPLES_DIR"
+else
+    echo "There are additional examples at https://github.com/wolfSSL/wolfssl-examples"
+    echo "Set WOLFSSL_EXAMPLES_ROOT to your local directory to include those examples."
+fi
 WOLFSSL_SRC="${ROOT_SRC_DIR}/src"
 WOLFSSL_HEADERS="${ROOT_SRC_DIR}/wolfssl"
 WOLFCRYPT_ROOT="${ROOT_SRC_DIR}/wolfcrypt"
@@ -141,8 +152,16 @@ OPENSSL_DIR_TOP="${WOLFSSL_HEADERS_TOP}/openssl"
 
 WOLFSSL_VERSION=$(grep -i "LIBWOLFSSL_VERSION_STRING" ${TOP_DIR}/wolfssl/version.h | cut -d '"' -f 2)
 if [ "$WOLFSSL_VERSION" = "" ]; then
-    echo "ERROR: Could not find wolfSSL Version in ${TOP_DIR}/wolfssl/version.h"
-    exit 1
+    echo "Current user: [$USER]"
+    if [ "$USER" = "" ] || [ "$USER" = "runner" ]; then
+        # Typically when there's no user, it is a GitHub workflow. It is not guaranteed to be "runner"
+        echo "No USER found, no version.h found. Setting Version text to [GitHub] for assumed workflow."
+        WOLFSSL_VERSION="GitHub"
+    else
+        echo "ERROR: Could not find wolfSSL Version in ${TOP_DIR}/wolfssl/version.h"
+        echo "Check autogen.sh and configure"
+        exit 1
+    fi
 else
     echo "Found wolfSSL version $WOLFSSL_VERSION"
     echo "# WOLFSSL_VERSION_ARUINO_SUFFIX $WOLFSSL_VERSION_ARUINO_SUFFIX"
@@ -235,26 +254,46 @@ if [ "$THIS_DIR" = "ARDUINO" ]; then
     $CP_CMD "${OPENSSL_DIR_TOP}"/* ."${OPENSSL_DIR}"                                          || exit 1
 
     # Finally, copy the Arduino-specific wolfssl library files into place: [lib]/src
-    $CP_CMD ./wolfssl.h ".${ROOT_SRC_DIR}"/wolfssl.h
+    $CP_CMD ./wolfssl.h           ".${ROOT_SRC_DIR}"/wolfssl.h           || exit 1
+    $CP_CMD ./wolfssl-arduino.cpp ".${ROOT_SRC_DIR}"/wolfssl-arduino.cpp || exit 1
 
+    unset NO_ARDUINO_EXAMPLES
     echo "Copy examples...."
     # Copy examples
     mkdir -p ".${ROOT_SRC_DIR}"/examples
 
-    echo "Copy wolfssl_client example...."
-    mkdir -p ".${EXAMPLES_DIR}"/wolfssl_client
-    $CP_CMD ./sketches/wolfssl_client/wolfssl_client.ino ".${EXAMPLES_DIR}"/wolfssl_client/wolfssl_client.ino || exit 1
-    $CP_CMD ./sketches/wolfssl_client/README.md          ".${EXAMPLES_DIR}"/wolfssl_client/README.md          || exit 1
+    if [ -n "$WOLFSSL_EXAMPLES_ROOT" ]; then
+        echo "Copy template example...."
+        mkdir -p ".${EXAMPLES_DIR}"/template/wolfssl_library/src
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/template.ino                             ".${EXAMPLES_DIR}"/template/template.ino                             || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/README.md                                ".${EXAMPLES_DIR}"/template/README.md                                || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_helper.c                         ".${EXAMPLES_DIR}"/template/wolfssl_helper.c                         || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_helper.h                         ".${EXAMPLES_DIR}"/template/wolfssl_helper.h                         || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_library/wolfssl_library.h        ".${EXAMPLES_DIR}"/template/wolfssl_library/wolfssl_library.h        || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_library/src/wolfssl_library.cpp  ".${EXAMPLES_DIR}"/template/wolfssl_library/src/wolfssl_library.cpp  || exit 1
 
-    echo "Copy wolfssl_server example...."
-    mkdir -p .${EXAMPLES_DIR}/wolfssl_server
-    $CP_CMD ./sketches/wolfssl_server/wolfssl_server.ino ".${EXAMPLES_DIR}"/wolfssl_server/wolfssl_server.ino || exit 1
-    $CP_CMD ./sketches/wolfssl_server/README.md          ".${EXAMPLES_DIR}"/wolfssl_server/README.md          || exit 1
+        echo "Copy wolfssl_AES_CTR example...."
+        mkdir -p ".${EXAMPLES_DIR}"/wolfssl_AES_CTR
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_AES_CTR/wolfssl_AES_CTR.ino ".${EXAMPLES_DIR}"/wolfssl_AES_CTR/wolfssl_AES_CTR.ino || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_AES_CTR/README.md           ".${EXAMPLES_DIR}"/wolfssl_AES_CTR/README.md           || exit 1
 
-    echo "Copy wolfssl_server example...."
-    mkdir -p .${EXAMPLES_DIR}/wolfssl_version
-    $CP_CMD ./sketches/wolfssl_version/wolfssl_version.ino ".${EXAMPLES_DIR}"/wolfssl_version/wolfssl_version.ino || exit 1
-    $CP_CMD ./sketches/wolfssl_version/README.md           ".${EXAMPLES_DIR}"/wolfssl_version/README.md           || exit 1
+        echo "Copy wolfssl_client example...."
+        mkdir -p ".${EXAMPLES_DIR}"/wolfssl_client
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_client/wolfssl_client.ino   ".${EXAMPLES_DIR}"/wolfssl_client/wolfssl_client.ino   || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_client/README.md            ".${EXAMPLES_DIR}"/wolfssl_client/README.md            || exit 1
+
+        echo "Copy wolfssl_server example...."
+        mkdir -p .${EXAMPLES_DIR}/wolfssl_server
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_server/wolfssl_server.ino   ".${EXAMPLES_DIR}"/wolfssl_server/wolfssl_server.ino   || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_server/README.md            ".${EXAMPLES_DIR}"/wolfssl_server/README.md            || exit 1
+
+        echo "Copy wolfssl_version example...."
+        mkdir -p .${EXAMPLES_DIR}/wolfssl_version
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_version/wolfssl_version.ino ".${EXAMPLES_DIR}"/wolfssl_version/wolfssl_version.ino || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_version/README.md           ".${EXAMPLES_DIR}"/wolfssl_version/README.md           || exit 1
+    else
+        NO_ARDUINO_EXAMPLES=1
+    fi
 else
     echo "ERROR: You must be in the IDE/ARDUINO directory to run this script"
     exit 1
@@ -273,6 +312,8 @@ fi
 # as an Arduino-specific README.md file.
 VERSION_PLACEHOLDER="\${WOLFSSL_VERSION}"
 ARDUINO_VERSION_SUFFIX_PLACEHOLDER="\${WOLFSSL_VERSION_ARUINO_SUFFIX}"
+
+# This is the SOURCE to prepend. Note the OUTPUT is PREPENDED_README.md later copied to README.md
 PREPEND_FILE="Arduino_README_prepend.md"
 PROPERTIES_FILE_TEMPLATE="library.properties.template"
 sed s/"$VERSION_PLACEHOLDER"/"$WOLFSSL_VERSION"/ "$PREPEND_FILE" > "$PREPEND_FILE.tmp"
@@ -340,4 +381,9 @@ if [ "$THIS_OPERATION" = "INSTALL" ]; then
     fi
 fi
 
+if [ -n "$NO_ARDUINO_EXAMPLES" ]; then
+    echo ""
+    echo "WARNING: No examples copied. Set WOLFSSL_EXAMPLES_ROOT as appropriate."
+    echo ""
+fi
 echo "Done!"

IDE/ARDUINO/wolfssl.h

@@ -1,6 +1,6 @@
 /* wolfssl.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *
@@ -22,18 +22,28 @@
 /* Edit with caution. This is an Arduino-library specific header for wolfSSL */
 
 #ifndef WOLFSSL_USER_SETTINGS
+    /* Should already be defined in settings.h for #if defined(ARDUINO) */
     #define WOLFSSL_USER_SETTINGS
 #endif
 
 #include <Arduino.h>
 
-/* wolfSSL user_settings.h must be included from settings.h */
+/* wolfSSL user_settings.h must be included from settings.h
+ * Make all configurations changes in user_settings.h
+ * Do not edit wolfSSL `settings.h` or `config.h` files.
+ * Do not explicitly include user_settings.h in any source code.
+ * Each Arduino sketch that uses wolfSSL must have: #include "wolfssl.h"
+ * C/C++ source files can use: #include <wolfssl/wolfcrypt/settings.h>
+ * The wolfSSL "settings.h" must be included in each source file using wolfSSL.
+ * The wolfSSL "settings.h" must be listed before any other wolfSSL include.
+ */
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/ssl.h>
 
-int wolfSSL_Arduino_Serial_Print(const char *const s)
-{
-    /* See wolfssl/wolfcrypt/logging.c */
-    Serial.println(F(s));
-    return 0;
-};
+#ifndef WOLFSSL_ARDUINO_H
+#define WOLFSSL_ARDUINO_H
+
+/* Declare a helper function to be used in wolfssl/wolfcrypt/logging.c */
+int wolfSSL_Arduino_Serial_Print(const char* const s);
+
+#endif /* WOLFSSL_ARDUINO_H */

IDE/AURIX/Cpu0_Main.c

@@ -1,6 +1,6 @@
 /* Cpu0_Main.c
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/AURIX/user_settings.h

@@ -1,6 +1,6 @@
 /* user_settings.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/AURIX/wolf_main.c

@@ -1,6 +1,6 @@
 /* wolf_main.c
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/CRYPTOCELL/main.c

@@ -1,6 +1,6 @@
 /* main.c
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/CRYPTOCELL/user_settings.h

@@ -1,6 +1,6 @@
 /* user_settings.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/DEOS/deos_malloc.c

@@ -1,6 +1,6 @@
 /* deos_malloc.c
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/DEOS/tls_wolfssl.c

@@ -1,6 +1,6 @@
 /* tls_wolfssl.c
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/DEOS/tls_wolfssl.h

@@ -1,6 +1,6 @@
 /* tls_wolfssl.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/DEOS/user_settings.h

@@ -1,6 +1,6 @@
 /* user_setting.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/client_wolfssl.c

@@ -1,6 +1,6 @@
 /* client_wolfssl.c
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/client_wolfssl.h

@@ -1,6 +1,6 @@
 /* client_wolfssl.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/server_wolfssl.c

@@ -1,6 +1,6 @@
 /* server_wolfssl.c
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/server_wolfssl.h

@@ -1,6 +1,6 @@
 /* server_wolfssl.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/user_settings.h

@@ -1,6 +1,6 @@
 /* user_setting.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/wolfsslRunTests.c

@@ -1,6 +1,6 @@
 /* wolfsslRunTests.c
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/RTTHREAD/user_settings.h

@@ -1,6 +1,6 @@
 /* user_setting.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/RTTHREAD/wolfssl_test.c

@@ -1,6 +1,6 @@
 /* wolfsslRunTests.c
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/Espressif/ESP-IDF/dummy_config_h

@@ -1,6 +1,6 @@
 /* config.h - dummy
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/Espressif/ESP-IDF/dummy_test_paths.h

@@ -1,6 +1,6 @@
 /* wolfcrypt/test/test_paths.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/Espressif/ESP-IDF/examples/template/CMakeLists.txt

@@ -3,10 +3,16 @@
 #
 # The following lines of boilerplate have to be in your project's
 # CMakeLists in this exact order for cmake to work correctly
+message(STATUS "Begin project ${CMAKE_PROJECT_NAME}")
+
 cmake_minimum_required(VERSION 3.16)
 
 # Optional no watchdog typically used for test & benchmark
-add_compile_options(-DWOLFSSL_ESP_NO_WATCHDOG=1)
+if (idf_target STREQUAL "esp8266" OR IDF_TARGET STREQUAL "esp8266" OR IDF_VERSION_MAJOR VERSION_LESS "5.0")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_ESP_NO_WATCHDOG=1")
+else()
+    add_compile_definitions(WOLFSSL_ESP_NO_WATCHDOG=1)
+endif()
 
 # The wolfSSL CMake file should be able to find the source code.
 # Otherwise, assign an environment variable or set it here:
@@ -25,34 +31,63 @@ add_compile_options(-DWOLFSSL_ESP_NO_WATCHDOG=1)
 if(WIN32)
     # Windows-specific configuration here
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WINDOWS")
-    message("Detected Windows")
+    message(STATUS "Detected Windows")
 endif()
 if(CMAKE_HOST_UNIX)
-    message("Detected UNIX")
+    message(STATUS "Detected UNIX")
 endif()
 if(APPLE)
-    message("Detected APPLE")
+    message(STATUS "Detected APPLE")
 endif()
 if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop")
     # Windows-specific configuration here
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL")
-    message("Detected WSL")
+    message(STATUS "Detected WSL")
 endif()
 if(CMAKE_HOST_UNIX AND (NOT APPLE) AND (NOT WIN32))
     # Windows-specific configuration here
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_LINUX")
-    message("Detected Linux")
+    message(STATUS "Detected Linux")
 endif()
 if(APPLE)
     # Windows-specific configuration here
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_APPLE")
-    message("Detected Apple")
+    message(STATUS "Detected Apple")
 endif()
 # End optional WOLFSSL_CMAKE_SYSTEM_NAME
 
+# This example uses an extra component for common functions such as Wi-Fi and Ethernet connection.
+# set (PROTOCOL_EXAMPLES_DIR $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)
+string(REPLACE "\\" "/" PROTOCOL_EXAMPLES_DIR "$ENV{IDF_PATH}/examples/common_components/protocol_examples_common")
+
+if (EXISTS "${PROTOCOL_EXAMPLES_DIR}")
+    message(STATUS "Found PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
+    set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DFOUND_PROTOCOL_EXAMPLES_DIR")
+else()
+    message(STATUS "NOT FOUND: PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
+endif()
+
+# Find the user name to search for possible "wolfssl-username"
+# Reminder: Windows is  %USERNAME%, Linux is $USER
+message(STATUS "USERNAME = $ENV{USERNAME}")
+if(  "$ENV{USER}" STREQUAL "" ) # the bash user
+    if(  "$ENV{USERNAME}" STREQUAL "" ) # the Windows user
+        message(STATUS "could not find USER or USERNAME")
+    else()
+        # the bash user is not blank, so we'll use it.
+        set(THIS_USER "$ENV{USERNAME}")
+    endif()
+else()
+    # the bash user is not blank, so we'll use it.
+    set(THIS_USER "$ENV{USER}")
+endif()
+message(STATUS "THIS_USER = ${THIS_USER}")
+
 # Check that there are not conflicting wolfSSL components
 # The ESP Registry Component will be in ./managed_components/wolfssl__wolfssl
 # The local component wolfSSL directory will be in ./components/wolfssl
+message(STATUS "Checking for wolfSSL as Managed Component or not... ${CMAKE_HOME_DIRECTORY}")
 if( EXISTS "${CMAKE_HOME_DIRECTORY}/managed_components/wolfssl__wolfssl" AND EXISTS "${CMAKE_HOME_DIRECTORY}/components/wolfssl" )
     # These exclude statements don't seem to be honored by the $ENV{IDF_PATH}/tools/cmake/project.cmake'
     # add_subdirectory("${CMAKE_HOME_DIRECTORY}/managed_components/wolfssl__wolfssl" EXCLUDE_FROM_ALL)
@@ -67,16 +102,47 @@ if( EXISTS "${CMAKE_HOME_DIRECTORY}/managed_components/wolfssl__wolfssl" AND EXI
     message(FATAL_ERROR "\nPlease use either the ESP Registry Managed Component or the wolfSSL component directory but not both.\n"
                         "If removing the ./managed_components/wolfssl__wolfssl directory, remember to also remove "
                         "or rename the idf_component.yml file typically found in ./main/")
-else()
+elseif(EXISTS "${CMAKE_HOME_DIRECTORY}/components/wolfssl")
+    # A standard project component (not a Managed Component)
     message(STATUS "No conflicting wolfSSL components found.")
+    set(WOLFSSL_PATH "${CMAKE_HOME_DIRECTORY}/components/wolfssl")
+elseif(EXISTS "${CMAKE_HOME_DIRECTORY}/managed_components/wolfssl__wolfssl")
+    # The official Managed Component called wolfssl from the wolfssl user.
+    message(STATUS "No conflicting wolfSSL components found as a Managed Component.")
+    set(WOLFSSL_PATH "${CMAKE_HOME_DIRECTORY}/managed_components/wolfssl__wolfssl")
+elseif(EXISTS "${CMAKE_HOME_DIRECTORY}/managed_components/gojimmypi__mywolfssl")
+    # There is a known gojimmypi staging component available for anyone:
+    message(STATUS "No conflicting wolfSSL components found as a gojimmypi staging Managed Component.")
+elseif(EXISTS "${CMAKE_HOME_DIRECTORY}/managed_components/${THIS_USER}__mywolfssl")
+    # Other users with permissions might publish their own mywolfssl staging Managed Component
+    message(STATUS "No conflicting wolfSSL components found as a Managed Component.")
+    set(WOLFSSL_PATH "${CMAKE_HOME_DIRECTORY}/managed_components/${THIS_USER}__mywolfssl")
+else()
+    message(STATUS "WARNING: wolfssl component directory not found.")
 endif()
 
-# Ensure the this wolfSSL component directory is included
-set(WOLFSSL_PATH "${CMAKE_HOME_DIRECTORY}/components/wolfssl")
-list(APPEND EXTRA_COMPONENT_DIRS ${WOLFSSL_PATH})
+# message(STATUS "EXTRA_COMPONENT_DIRS WOLFSSL_PATH: ${WOLFSSL_PATH}")
+# list(APPEND EXTRA_COMPONENT_DIRS ${WOLFSSL_PATH})
 
 # Not only is a project-level "set(COMPONENTS" not needed here, this will cause
 # an unintuitive error about  Unknown CMake command "esptool_py_flash_project_args".
+
+if(0)
+    message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
+    # This example uses an extra component for common functions such as Wi-Fi and Ethernet connection.
+    set (PROTOCOL_EXAMPLES_DIR $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)
+
+    if (EXISTS "${PROTOCOL_EXAMPLES_DIR}")
+        message(STATUS "Found PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
+        set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DFOUND_PROTOCOL_EXAMPLES_DIR")
+    else()
+        message(STATUS "NOT FOUND: PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
+    endif()
+    message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
+endif()
+
 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 
 project(wolfssl_template)
+message(STATUS "end project")

IDE/Espressif/ESP-IDF/examples/template/Makefile

@@ -0,0 +1,14 @@
+#
+# This is a project Makefile. It is assumed the directory this Makefile resides in is a
+# project subdirectory.
+#
+
+CFLAGS += -DWOLFSSL_USER_SETTINGS
+
+# Some of the tests are CPU intenstive, so we'll force the watchdog timer off.
+# There's an espressif NO_WATCHDOG; we don't use it, as it is reset by sdkconfig.
+CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1
+
+PROJECT_NAME := wolfssl_template
+
+include $(IDF_PATH)/make/project.mk

IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/CMakeLists.txt

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2024 wolfSSL Inc.
+# Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfSSL.
 #
@@ -102,28 +102,28 @@ if(VERBOSE_COMPONENT_MESSAGES)
     if(WIN32)
         # Windows-specific configuration here
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WINDOWS")
-        message("Detected Windows")
+        message(STATUS "Detected Windows")
     endif()
     if(CMAKE_HOST_UNIX)
-        message("Detected UNIX")
+        message(STATUS "Detected UNIX")
     endif()
     if(APPLE)
-        message("Detected APPLE")
+        message(STATUS "Detected APPLE")
     endif()
     if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop")
         # Windows-specific configuration here
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL")
-        message("Detected WSL")
+        message(STATUS "Detected WSL")
     endif()
     if(CMAKE_HOST_UNIX AND (NOT APPLE) AND (NOT WIN32))
         # Windows-specific configuration here
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_LINUX")
-        message("Detected Linux")
+        message(STATUS "Detected Linux")
     endif()
     if(APPLE)
         # Windows-specific configuration here
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_APPLE")
-        message("Detected Apple")
+        message(STATUS "Detected Apple")
     endif()
 endif() # End optional WOLFSSL_CMAKE_SYSTEM_NAME
 
@@ -159,7 +159,8 @@ else()
     set(COMPONENT_REQUIRES lwip "${THIS_ESP_TLS}") # we typically don't need lwip directly in wolfssl component
 endif()
 
-# find the user name to search for possible "wolfssl-username"
+# Find the user name to search for possible "wolfssl-username"
+# Reminder: Windows is  %USERNAME%, Linux is $USER
 message(STATUS "USERNAME = $ENV{USERNAME}")
 if(  "$ENV{USER}" STREQUAL "" ) # the bash user
     if(  "$ENV{USERNAME}" STREQUAL "" ) # the Windows user
@@ -407,17 +408,22 @@ endif()
 
 if ( ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") OR ("${IDF_TARGET}" STREQUAL "esp8266") )
     # There's no esp_timer, no driver components for the ESP8266
-    message(STATUS "Early expansion EXCLUDES esp_timer for esp8266: ${THIS_INCLUDE_TIMER}")
-    message(STATUS "Early expansion EXCLUDES driver for esp8266: ${THIS_INCLUDE_DRIVER}")
-    set(THIS_INCLUDE_TIMER "")
-    set(THIS_INCLUDE_DRIVER "")
-    set(THIS_ESP_TLS "")
+    message(STATUS "Early expansion EXCLUDES for esp8266:")
+    message(STATUS "THIS_INCLUDE_DRIVER:  '${THIS_INCLUDE_DRIVER}'")
+    message(STATUS "THIS_INCLUDE_TIMER:   '${THIS_INCLUDE_TIMER}'")
+    message(STATUS "Early expansion INCLUDE for esp8266:")
+    message(STATUS "THIS_INCLUDE_PTHREAD: '${THIS_INCLUDE_PTHREAD}'")
+    set(THIS_ESP_TLS         "")
+    set(THIS_INCLUDE_DRIVER  "")
+    set(THIS_INCLUDE_TIMER   "")
+    set(THIS_INCLUDE_PTHREAD "pthread")
 else()
     message(STATUS "Early expansion includes esp_timer: ${THIS_INCLUDE_TIMER}")
     message(STATUS "Early expansion includes driver: ${THIS_INCLUDE_DRIVER}")
-    set(THIS_INCLUDE_TIMER "esp_timer")
+    set(THIS_ESP_TLS        "esp-tls")
     set(THIS_INCLUDE_DRIVER "driver")
-    set(THIS_ESP_TLS "esp-tls")
+    set(THIS_INCLUDE_TIMER  "esp_timer")
+    set(THIS_INCLUDE_PTHREAD "")
     # Let the app know that we've included the esp-tls component requirement.
     # This is critical for use the the esp-tls component. See wolfssl esp_crt_bundle.c file.
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_REQUIRED_ESP_TLS=1")
@@ -429,6 +435,7 @@ if(CMAKE_BUILD_EARLY_EXPANSION)
                             REQUIRES "${COMPONENT_REQUIRES}"
                             PRIV_REQUIRES # esp_hw_support
                                           "${THIS_ESP_TLS}"
+                                          "${THIS_INCLUDE_PTHREAD}"
                                           "${THIS_INCLUDE_TIMER}"
                                           "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark
                            )
@@ -524,7 +531,7 @@ else()
     set(WOLFSSL_PROJECT_DIR "${CMAKE_HOME_DIRECTORY}/components/wolfssl")
 
     string(REPLACE "/" "//" STR_WOLFSSL_PROJECT_DIR "${WOLFSSL_PROJECT_DIR}")
-    add_definitions(-DWOLFSSL_USER_SETTINGS_DIR="${STR_WOLFSSL_PROJECT_DIR}/include/user_settings.h")
+    add_compile_definitions(WOLFSSL_USER_SETTINGS_DIR="${STR_WOLFSSL_PROJECT_DIR}/include/user_settings.h")
     message(STATUS "Added definition for user_settings.h: -DWOLFSSL_USER_SETTINGS_DIR=\"${STR_WOLFSSL_PROJECT_DIR}//include//user_settings.h\"")
     # Espressif may take several passes through this makefile. Check to see if we found IDF
     string(COMPARE EQUAL "${PROJECT_SOURCE_DIR}" "" WOLFSSL_FOUND_IDF)
@@ -951,7 +958,7 @@ function ( LIBWOLFSSL_SAVE_INFO VAR_OUPUT THIS_VAR VAR_RESULT )
         message(STATUS "Found ${VAR_OUPUT}=${VAR_VALUE}")
 
         # the interesting part is defining the VAR_OUPUT name a value to use in the app
-        add_definitions(-D${VAR_OUPUT}=\"${VAR_VALUE}\")
+        add_compile_definitions(${VAR_OUPUT}=\"${VAR_VALUE}\")
     else()
         # if we get here, check the execute_process command and parameters.
         message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT")
@@ -959,9 +966,16 @@ function ( LIBWOLFSSL_SAVE_INFO VAR_OUPUT THIS_VAR VAR_RESULT )
     endif()
 endfunction() # LIBWOLFSSL_SAVE_INFO
 
+execute_process(
+    COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree"
+    OUTPUT_VARIABLE IS_GIT_REPO
+    OUTPUT_STRIP_TRAILING_WHITESPACE
+    ERROR_QUIET
+)
+
 # create some programmatic #define values that will be used by ShowExtendedSystemInfo().
 # see wolfcrypt\src\port\Espressif\esp32_utl.c
-if(NOT CMAKE_BUILD_EARLY_EXPANSION AND WOLFSSL_ROOT)
+if(NOT CMAKE_BUILD_EARLY_EXPANSION AND WOLFSSL_ROOT AND (IS_GIT_REPO STREQUAL "true"))
     set (git_cmd "git")
     message(STATUS "Adding macro definitions:")
 

IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig

@@ -1,6 +1,6 @@
 # Kconfig template
 #
-# Copyright (C) 2006-2024 wolfSSL Inc.  All rights reserved.
+# Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfSSL.
 #

IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/component.mk

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2024 wolfSSL Inc.
+# Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfSSL.
 #
@@ -66,7 +66,19 @@ CFLAGS +=-DWOLFSSL_USER_SETTINGS
 #   https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples
 # When this wolfssl component.mk makefile is in [project]/components/wolfssl
 # The root is 7 directories up from here (the location of of this component.mk):
-WOLFSSL_ROOT := ../../../../../../..
+#
+WOLFSSL_ROOT     ?= ../../../../../../..
+THIS_DIR         := $(shell pwd)
+WOLFSSL_ROOT_OBJ := $(THIS_DIR)
+
+# When running make from commandline or VisualGDB, the current path varies:
+ifeq ("$(VISUALGDB_DIR)","")
+    # current path is typically /mnt/c/workspace/wolfssl-gojimmypi/IDE/Espressif/ESP-IDF/examples/wolfssl_test/build/wolfssl
+    $(info VISUALGDB_DIR build not detected. shell: $(shell echo $$SHELL))
+else
+    # current path is typically /C/workspace/wolfssl-gojimmypi/IDE/Espressif/ESP-IDF/examples/wolfssl_test/build/Debug/wolfssl
+    $(info Detected VisualGDB in: $(VISUALGDB_DIR) shell: $(shell echo $$SHELL))
+endif
 
 # To set the location of a different location, it is best to use relative paths.
 #
@@ -92,14 +104,16 @@ WOLFSSL_ROOT := ../../../../../../..
 # CFLAGS += -I$(WOLFSSL_ROOT)/wolfssl/wolfcrypt
 # CFLAGS += -I$(WOLFSSL_ROOT)/wolfssl/wolfcrypt/port/Espressif
 
-abs_WOLFSSL_ROOT := $(shell realpath $(WOLFSSL_ROOT))
+abs_WOLFSSL_ROOT     := $(shell realpath $(WOLFSSL_ROOT))
 
 # print-wolfssl-path-value:
 #	@echo "WOLFSSL_ROOT defined: $(WOLFSSL_ROOT)"
 #	@echo "WOLFSSL_ROOT actual:  $(abs_WOLFSSL_ROOT)"
 
-$(info WOLFSSL_ROOT defined: $(WOLFSSL_ROOT))
-$(info WOLFSSL_ROOT actual:  $(abs_WOLFSSL_ROOT))
+$(info WOLFSSL_ROOT     defined: $(WOLFSSL_ROOT))
+$(info WOLFSSL_ROOT     actual:  $(abs_WOLFSSL_ROOT))
+$(info THIS_DIR         defined: $(THIS_DIR))
+$(info WOLFSSL_ROOT_OBJ defined: $(WOLFSSL_ROOT_OBJ))
 
 # NOTE: The wolfSSL include directory (e.g. user_settings.h) is
 # located HERE in THIS project, and *not* in the wolfSSL root.
@@ -109,6 +123,7 @@ COMPONENT_ADD_INCLUDEDIRS += $(WOLFSSL_ROOT)/.
 COMPONENT_ADD_INCLUDEDIRS += $(WOLFSSL_ROOT)/wolfssl
 COMPONENT_ADD_INCLUDEDIRS += $(WOLFSSL_ROOT)/wolfssl/wolfcrypt
 COMPONENT_ADD_INCLUDEDIRS += $(WOLFSSL_ROOT)/wolfssl/wolfcrypt/port/Espressif
+
 # COMPONENT_ADD_INCLUDEDIRS += $ENV(IDF_PATH)/components/freertos/include/freertos
 # COMPONENT_ADD_INCLUDEDIRS += "$ENV(IDF_PATH)/soc/esp32s3/include/soc"
 
@@ -122,27 +137,27 @@ COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/src
 COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/Espressif
 COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/atmel
 
-COMPONENT_OBJEXCLUDE := $(WOLFSSL_ROOT)/wolfcrypt/src/aes_asm.o
-COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/wolfcrypt/src/misc.o
-COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/wolfcrypt/src/sha512_asm.o
-COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/wolfcrypt/src/fe_x25519_asm.o
-COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/wolfcrypt/src/aes_gcm_x86_asm.o
-COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/src/bio.o
-
+COMPONENT_OBJEXCLUDE := $(WOLFSSL_ROOT_OBJ)/wolfcrypt/src/aes_asm.o
+COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT_OBJ)/wolfcrypt/src/evp.o
+COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT_OBJ)/wolfcrypt/src/misc.o
+COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT_OBJ)/wolfcrypt/src/sha512_asm.o
+COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT_OBJ)/wolfcrypt/src/fe_x25519_asm.o
+COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT_OBJ)/wolfcrypt/src/aes_gcm_x86_asm.o
 
 ##
 ## wolfSSL
 ##
-COMPONENT_OBJS := $(WOLFSSL_ROOT)/src/bio.o
-# COMPONENT_OBJS += src/conf.o
+## reminder object files may end up in `./build` or `build/debug` or `build/release`, depending on build environment & settings.
+##
+# COMPONENT_OBJS := $(WOLFSSL_ROOT)/src/bio.o  # part of ssl.c, omitted to avoid "does not need to be compiled separately"
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/conf.o # part of ssl.c
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/crl.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/dtls.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/dtls13.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/internal.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/keys.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/ocsp.o
-# COMPONENT_OBJS += src/pk.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/pk.o   # part of ssl.c
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/quic.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/sniffer.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/ssl.o
@@ -154,8 +169,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/ssl.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/tls.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/tls13.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/wolfio.o
-# COMPONENT_OBJS += src/x509.o
-# COMPONENT_OBJS += src/x509_str.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/x509.o     # part of ssl.c
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/x509_str.o # part of ssl.c
 
 ##
 ## wolfcrypt
@@ -188,7 +203,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_mlkem.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
@@ -251,8 +266,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem_poly.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
@@ -276,21 +291,16 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/Espressif/esp_sdk_wifi_lib.
 ##
 ## wolfcrypt benchmark  (optional)
 ##
-## COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/benchmark/benchmark.o
-## COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/benchmark
+## COMPONENT_OBJS            += $(WOLFSSL_ROOT)/wolfcrypt/benchmark/benchmark.o
+## COMPONENT_SRCDIRS         += $(WOLFSSL_ROOT)/wolfcrypt/benchmark
 ## COMPONENT_ADD_INCLUDEDIRS += $(WOLFSSL_ROOT)/wolfcrypt/benchmark
 
 
 ##
 ## wolfcrypt test (optional)
 ##
-## COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/test/test.o
-## COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/test
-
-##
-## wolfcrypt
-##
-## COMPONENT_PRIV_INCLUDEDIRS += $(PROJECT_PATH)/components/wolfssl/include
-## COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/src
+## COMPONENT_OBJS            += $(WOLFSSL_ROOT)/wolfcrypt/test/test.o
+## COMPONENT_SRCDIRS         += $(WOLFSSL_ROOT)/wolfcrypt/test
+## COMPONENT_ADD_INCLUDEDIRS += $(WOLFSSL_ROOT)/wolfcrypt/test/include
 
 $(info ********** end wolfssl component **********)

IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h

@@ -1,6 +1,6 @@
 /* wolfssl-component include/user_settings.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *
@@ -20,6 +20,11 @@
  */
 #define WOLFSSL_ESPIDF_COMPONENT_VERSION 0x01
 
+/* Examples such as test and benchmark are known to cause watchdog timeouts.
+ * Note this is often set in project Makefile:
+ * CFLAGS += -DWOLFSSL_ESP_NO_WATCHDOG=1 */
+#define WOLFSSL_ESP_NO_WATCHDOG 1
+
 /* The Espressif project config file. See also sdkconfig.defaults */
 #include "sdkconfig.h"
 
@@ -105,7 +110,6 @@
     /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
     /* #define USE_WOLFSSL_ESP_SDK_WIFI */
     #define TEST_ESPIDF_ALL_WOLFSSL
-
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
     /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
     /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@@ -208,8 +212,8 @@
 #ifdef CONFIG_WOLFSSL_ENABLE_KYBER
     /* Kyber typically needs a minimum 10K stack */
     #define WOLFSSL_EXPERIMENTAL_SETTINGS
-    #define WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_WC_KYBER
+    #define WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_WC_MLKEM
     #define WOLFSSL_SHA3
     #if defined(CONFIG_IDF_TARGET_ESP8266)
         /* With limited RAM, we'll disable some of the Kyber sizes: */
@@ -219,6 +223,17 @@
     #endif
 #endif
 
+/* Enable AES for all examples */
+#ifdef NO_AES
+    #warning "Found NO_AES, wolfSSL AES Cannot be enabled. Check config."
+#else
+    #define WOLFSSL_AES
+    #define WOLFSSL_AES_COUNTER
+
+    /* Typically only needed for wolfssl_test, see docs. */
+    #define WOLFSSL_AES_DIRECT
+#endif
+
 /* Pick a cert buffer size: */
 /* #define USE_CERT_BUFFERS_2048 */
 /* #define USE_CERT_BUFFERS_1024 */
@@ -273,6 +288,10 @@
 
 /* Optionally enable some wolfSSH settings */
 #if defined(ESP_ENABLE_WOLFSSH) || defined(CONFIG_ESP_ENABLE_WOLFSSH)
+    /* Enable wolfSSH. Espressif examples need a few more settings, below */
+    #undef  WOLFSSL_WOLFSSH
+    #define WOLFSSL_WOLFSSH
+
     /* The default SSH Windows size is massive for an embedded target.
      * Limit it: */
     #define DEFAULT_WINDOW_SZ 2000
@@ -386,7 +405,10 @@
 #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
     defined(CONFIG_IDF_TARGET_ESP8684)
     /* Optionally set smaller size here */
-    #define HAVE_FFDHE_4096
+    #ifdef HAVE_FFDHE_4096
+        /* this size may be problematic on the C2 */
+    #endif
+    #define HAVE_FFDHE_2048
 #else
     #define HAVE_FFDHE_4096
 #endif

IDE/Espressif/ESP-IDF/examples/template/main/CMakeLists.txt

@@ -1,35 +1,43 @@
 # wolfSSL Espressif Example Project/main CMakeLists.txt
-#   v1.1
+#   v1.2
 #
 # wolfssl template
 #
+message(STATUS "Begin wolfSSL main CMakeLists.txt")
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
 
+if (idf_target STREQUAL "esp8266" OR IDF_TARGET STREQUAL "esp8266" OR IDF_VERSION_MAJOR VERSION_LESS "5.0")
+    # `driver` component not available for ESP8266
+    SET(THIS_PRIV_REQUIRES_DRIVER "")
+else()
+    SET(THIS_PRIV_REQUIRES_DRIVER "driver")
+endif()
+
 if(WIN32)
     # Windows-specific configuration here
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WINDOWS")
-    message("Detected Windows")
+    message(STATUS "Detected Windows")
 endif()
 if(CMAKE_HOST_UNIX)
-    message("Detected UNIX")
+    message(STATUS "Detected UNIX")
 endif()
 if(APPLE)
-    message("Detected APPLE")
+    message(STATUS "Detected APPLE")
 endif()
 if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop")
     # Windows-specific configuration here
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL")
-    message("Detected WSL")
+    message(STATUS "Detected WSL")
 endif()
 if(CMAKE_HOST_UNIX AND (NOT APPLE) AND (NOT WIN32))
     # Windows-specific configuration here
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_LINUX")
-    message("Detected Linux")
+    message(STATUS "Detected Linux")
 endif()
 if(APPLE)
     # Windows-specific configuration here
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_APPLE")
-    message("Detected Apple")
+    message(STATUS "Detected Apple")
 endif()
 set (git_cmd "git")
 
@@ -43,10 +51,22 @@ if( EXISTS "${CMAKE_HOME_DIRECTORY}/components/wolfssl/" AND EXISTS "$ENV{IDF_PA
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_MULTI_INSTALL_WARNING")
 endif()
 
+# The wolfSL component name is named "mywolfssl" on the staging site for Managed Components.
+if( NOT EXISTS "../components/wolfssl" AND ("$ENV{IDF_COMPONENT_REGISTRY_URL}" STREQUAL "https://components-staging.espressif.com") )
+    message(STATUS "WARNING: Using a staging instance of wolfssl.")
+    set(MAIN_WOLFSSL_COMPONENT_NAME "mywolfssl")
+else()
+    message(STATUS "Using release wolfssl component.")
+    set(MAIN_WOLFSSL_COMPONENT_NAME "wolfssl")
+endif()
+
 ## register_component()
 idf_component_register(SRCS main.c
                        INCLUDE_DIRS "."
-                                    "./include")
+                            "./include"
+                       PRIV_REQUIRES "${THIS_PRIV_REQUIRES_DRIVER}"
+                                     "${MAIN_WOLFSSL_COMPONENT_NAME}"
+                       )
 
 #
 # LIBWOLFSSL_SAVE_INFO(VAR_OUPUT THIS_VAR VAR_RESULT)
@@ -76,15 +96,24 @@ function ( LIBWOLFSSL_SAVE_INFO VAR_OUPUT THIS_VAR VAR_RESULT )
         message(STATUS "Found ${VAR_OUPUT}=${VAR_VALUE}")
 
         # the interesting part is defining the VAR_OUPUT name a value to use in the app
-        add_definitions(-D${VAR_OUPUT}=\"${VAR_VALUE}\")
+        add_compile_definitions(${VAR_OUPUT}=\"${VAR_VALUE}\")
     else()
         # if we get here, check the execute_process command and parameters.
-        message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT")
+        message(STATUS "LIBWOLFSSL_SAVE_INFO encountered a non-zero VAR_RESULT.")
+        message(STATUS "Setting ${VAR_OUPUT} to \"Unknown\"")
         set(${VAR_OUPUT} "Unknown")
     endif()
 endfunction() # LIBWOLFSSL_SAVE_INFO
 
-if(NOT CMAKE_BUILD_EARLY_EXPANSION)
+execute_process(
+    COMMAND ${git_cmd} "rev-parse" "--is-inside-work-tree"
+    OUTPUT_VARIABLE IS_GIT_REPO
+    OUTPUT_STRIP_TRAILING_WHITESPACE
+    ERROR_QUIET
+)
+
+# Save some project-specific details. Repo may be different than component, or may not even be a repo at all:
+if(NOT CMAKE_BUILD_EARLY_EXPANSION AND (IS_GIT_REPO STREQUAL "true"))
     # LIBWOLFSSL_VERSION_GIT_HASH
     execute_process(COMMAND ${git_cmd} "rev-parse" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET )
     LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH "${TMP_OUT}" "${TMP_RES}")
@@ -100,3 +129,4 @@ endif()
 
 message(STATUS "")
 
+message(STATUS "End wolfSSL main CMakeLists.txt")

IDE/Espressif/ESP-IDF/examples/template/main/Kconfig.projbuild

@@ -1,6 +1,6 @@
 # Kconfig main
 #
-# Copyright (C) 2006-2024 wolfSSL Inc.  All rights reserved.
+# Copyright (C) 2006-2025 wolfSSL Inc.
 #
 # This file is part of wolfSSL.
 #
@@ -65,11 +65,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
         help
             See wolfSSL/wolfssh on GitHub.
 
-    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
-        bool "SSH Echo Server"
-        help
-            See wolfSSL/wolfssh on GitHub.
-
     config WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
         bool "SSH to UART Server for the ESP32"
         help
@@ -95,12 +90,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
         help
             See wolfSSL/wolfTPM on GitHub.
 
-    config WOLFSSL_APPLE_HOMEKIT
-        bool "Apple HomeKit for the ESP32"
-        help
-            See AchimPieters/esp32-homekit-demo on GitHub.
-
-
     config WOLFSSL_EXAMPLE_NAME_NONE
         bool "Other"
         help

IDE/Espressif/ESP-IDF/examples/template/main/component.mk

@@ -0,0 +1,23 @@
+#
+# Main component makefile.
+#
+# This Makefile can be left empty. By default, it will take the sources in the
+# src/ directory, compile them and link them into lib(subdirectory_name).a
+# in the build directory. This behavior is entirely configurable,
+# please read the ESP-IDF documents if you need to do this.
+#
+# (Uses default behavior of compiling all source files in directory, adding 'include' to include path.)
+
+# We'll add the explicit lines only for old SDK requirements (e.h. ESP8266)
+
+ifeq ("$(VISUALGDB_DIR)","")
+    $(info VISUALGDB_DIR build not detected. shell: $(shell echo $$SHELL) )
+else
+    $(info Detected VisualGDB in: $(VISUALGDB_DIR) shell: $(shell echo $$SHELL) )
+    COMPONENT_SRCDIRS := .
+    COMPONENT_ADD_INCLUDEDIRS := .
+    COMPONENT_ADD_INCLUDEDIRS += include
+
+    # Ensure main.c gets compiled
+    COMPONENT_OBJS := main.o
+endif

IDE/Espressif/ESP-IDF/examples/template/main/include/main.h

@@ -1,6 +1,6 @@
 /* template main.h
  *
- * Copyright (C) 2006-2024 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *