Merge pull request #8238 from anhu/dsa_win

build dsa in visual studio

.codespellexcludelines

@@ -0,0 +1,18 @@
+###############################################################################
+# In this file, you should add the line of the file that needs to be ignored.
+# The line should be exactly as it appears in the file.
+###############################################################################
+        0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */
+        0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, /* fo@wolfs */
+        0x0a, 0x8b, 0x98, 0xf3, 0xe3, 0xff, 0x4e, 0x44, /* ......ND */
+ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd\n\
+static const byte plaintext[] = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras lacus odio, pretium vel sagittis ac, facilisis quis diam. Vivamus condimentum velit sed dolor consequat interdum. Etiam eleifend ornare felis, eleifend egestas odio vulputate eu. Sed nec orci nunc. Etiam quis mi augue. Donec ullamcorper suscipit lorem, vel luctus augue cursus fermentum. Etiam a porta arcu, in convallis sem. Integer efficitur elementum diam, vel scelerisque felis posuere placerat. Donec vestibulum sit amet leo sit amet tincidunt. Etiam et vehicula turpis. Phasellus quis finibus sapien. Sed et tristique turpis. Nullam vitae sagittis tortor, et aliquet lorem. Cras a leo scelerisque, convallis lacus ut, fermentum urna. Mauris quis urna diam. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Nam aliquam vehicula orci id pulvinar. Proin mollis, libero sollicitudin tempor ultrices, massa augue tincidunt turpis, sit amet aliquam neque nibh nec dui. Fusce finibus massa quis rutrum suscipit cras amet";
+rsource "Kconfig.tls-generic"
+        /* Loop over authenticated associated data AD1..ADn */
+  /* no easy answer [c'est la vie].  Just division */
+    const uint8_t* hashIn, int hashSz)
+    XMEMCPY(hash + (curveSz - hashSz), hashIn, hashSz);
+        0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, /* creen would be i */
+\pagenumbering{alph}
+    DES3_KEY_SIZE       = 24,  /* 3 des ede               */
+/* functions added to support above needed, removed TOOM and KARATSUBA */

.cyignore

@@ -0,0 +1,40 @@
+# wolfSSL folders
+$(SEARCH_wolfssl)/IDE
+$(SEARCH_wolfssl)/examples
+$(SEARCH_wolfssl)/linuxkm
+$(SEARCH_wolfssl)/mcapi
+$(SEARCH_wolfssl)/mplabx
+$(SEARCH_wolfssl)/mqx
+$(SEARCH_wolfssl)/tirtos
+$(SEARCH_wolfssl)/tests
+$(SEARCH_wolfssl)/testsuite
+$(SEARCH_wolfssl)/wolfcrypt/src/port/autosar
+$(SEARCH_wolfssl)/zephyr
+
+# wolfSSL files
+$(SEARCH_wolfssl)/wolfcrypt/src/aes_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/aes_xts_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/aes_gcm_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/aes_gcm_x86_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/chacha_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/fe_x25519_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/poly1305_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sha256_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sha512_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sha3_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sm3_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sp_x86_64_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/sp_sm2_x86_64_asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/wc_kyber_asm.S
+
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-aes-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-curve25519.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-sha256-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-32-sha512-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-curve25519.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-sha3-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/armv8-sha512-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-aes-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-curve25519.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-sha256-asm.S
+$(SEARCH_wolfssl)/wolfcrypt/src/port/arm/thumb2-sha512-asm.S

.github/workflows/async.yml

@@ -1,7 +1,16 @@
 name: Async Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   make_check:
@@ -14,6 +23,7 @@ jobs:
           '--enable-ocsp CFLAGS="-DTEST_NONBLOCK_CERTS"',
         ]
     name: make check
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 6
@@ -27,7 +37,7 @@ jobs:
           ./configure ${{ matrix.config }}
           make check
 
-      - name: Print errors 
+      - name: Print errors
         if: ${{ failure() }}
         run: |
           if [ -f test-suite.log ] ; then

.github/workflows/codespell.yml

@@ -0,0 +1,30 @@
+name: Codespell test
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  codespell:
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - uses: codespell-project/actions-codespell@v2.1
+      with:
+        check_filenames: true
+        check_hidden: true
+          # Add comma separated list of words that occur multiple times that should be ignored (sorted alphabetically, case sensitive)
+        ignore_words_list: adin,aNULL,carryIn,chainG,ciph,cLen,cliKs,dout,haveA,inCreated,inOut,inout,larg,LEAPYEAR,Merget,optionA,parm,parms,repid,rIn,userA,ser,siz,te,Te
+          # The exclude_file contains lines of code that should be ignored. This is useful for individual lines which have non-words that can safely be ignored.
+        exclude_file: '.codespellexcludelines'
+          # To skip files entirely from being processed, add it to the following list:
+        skip: '*.cproject,*.der,*.mtpj,*.pem,*.vcxproj,.git,*.launch,*.scfg'

.github/workflows/coverity-scan-fixes.yml

@@ -0,0 +1,53 @@
+name: Coverity Scan master branch
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 1-5'
+    - cron: '0 0 * * 0'
+    - cron: '0 12 * * 0'
+
+jobs:
+  coverity:
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        ref: master
+
+    - name: Configure wolfSSL with enable-all M-F
+      if: github.event.schedule == '0 0 * * 1-5'
+      run: |
+        ./autogen.sh
+        ./configure --enable-all
+
+    - name: Configure wolfSSL with enable-all enable-smallstack Sun at 00:00
+      if: github.event.schedule == '0 0 * * 0'
+      run: |
+        ./autogen.sh
+        ./configure --enable-all --enable-smallstack
+
+    - name: Configure wolfSSL with bigendian Sun at 12:00
+      if: github.event.schedule == '0 12 * * 0'
+      run: |
+        ./autogen.sh
+        ./configure --enable-all CFLAGS="-DBIG_ENDIAN_ORDER"
+
+    - name: Check secrets
+      env:
+        token_var: ${{ secrets.COVERITY_SCAN_TOKEN }}
+        email_var: ${{ secrets.COVERITY_SCAN_EMAIL }}
+      run: |
+        token_len=${#token_var}
+        echo "$token_len"
+        email_len=${#email_var}
+        echo "$email_len"
+
+    - uses: vapier/coverity-scan-action@v1
+      with:
+        build_language: 'cxx'
+        project: "wolfSSL/wolfssl"
+        token: ${{ secrets.COVERITY_SCAN_TOKEN }}
+        email: ${{ secrets.COVERITY_SCAN_EMAIL }}
+        command: "make"

.github/workflows/curl.yml

@@ -1,11 +1,21 @@
 name: curl Test
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   build_wolfssl:
     name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
@@ -17,15 +27,19 @@ jobs:
           configure: --enable-curl
           install: true
 
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
       - name: Upload built lib
         uses: actions/upload-artifact@v4
         with:
           name: wolf-install-curl
-          path: build-dir
+          path: build-dir.tgz
           retention-days: 5
 
   test_curl:
     name: ${{ matrix.curl_ref }}
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 15
@@ -38,14 +52,15 @@ jobs:
     - name: Install test dependencies
       run: |
         sudo apt-get update
-        sudo apt-get install nghttp2 libpsl5 libpsl-dev
-        sudo pip install impacket
+        sudo apt-get install nghttp2 libpsl5 libpsl-dev python3-impacket
 
     - name: Download lib
       uses: actions/download-artifact@v4
       with:
         name: wolf-install-curl
-        path: build-dir
+
+    - name: untar build-dir
+      run: tar -xf build-dir.tgz
 
     - name: Build curl
       uses: wolfSSL/actions-build-autotools-project@v1
@@ -58,4 +73,4 @@ jobs:
 
     - name: Test curl
       working-directory: curl
-      run: make -j test-ci
+      run: make -j $(nproc) test-ci

.github/workflows/cyrus-sasl.yml

@@ -0,0 +1,105 @@
+name: cyrus-sasl Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all
+          install: true
+          # Don't run tests as this config is tested in many other places
+          check: false
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-sasl
+          path: build-dir.tgz
+          retention-days: 5
+
+  sasl_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        # List of releases to test
+        ref: [ 2.1.28 ]
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    needs: build_wolfssl
+    steps:
+      - name: Install dependencies
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          sudo apt-get install krb5-kdc krb5-otp libkrb5-dev \
+            libsocket-wrapper libnss-wrapper krb5-admin-server libdb5.3-dev
+
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-sasl
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout sasl
+        uses: actions/checkout@v4
+        with:
+          repository: cyrusimap/cyrus-sasl
+          ref: cyrus-sasl-${{ matrix.ref }}
+          path: sasl
+
+      - name: Build cyrus-sasl
+        working-directory: sasl
+        run: |
+          patch -p1 < $GITHUB_WORKSPACE/osp/cyrus-sasl/${{ matrix.ref }}/${{ matrix.ref }}.patch
+          autoreconf -ivf
+          ./configure --with-openssl=no --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-dblib=berkeley --disable-shared
+          # Need to run 'make' twice with '--disable-shared' for some reason
+          make -j || make -j
+
+      - name: Run testsuite
+        working-directory: sasl
+        run: |
+          make -j -C utils testsuite saslpasswd2
+          # Retry up to five times
+          for i in {1..5}; do
+             TEST_RES=0
+             $GITHUB_WORKSPACE/osp/cyrus-sasl/${{ matrix.ref }}/run-tests.sh || TEST_RES=$?
+             if [ "$TEST_RES" -eq "0" ]; then
+                break
+             fi
+          done

.github/workflows/disabled/haproxy.yml

@@ -1,7 +1,16 @@
 name: HaProxy Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   haproxy_check:
@@ -11,6 +20,7 @@ jobs:
         # List of refs to test
         ref: [ master ]
     name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     steps:
       - name: Build wolfSSL
@@ -48,4 +58,3 @@ jobs:
       - name: Test HaProxy
         working-directory: haproxy
         run: make reg-tests reg-tests/ssl VTEST_PROGRAM=$GITHUB_WORKSPACE/VTest/vtest
- 

.github/workflows/disabled/hostap.yml

@@ -1,7 +1,16 @@
 name: hostap and wpa-supplicant Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   build_wolfssl:
@@ -13,6 +22,7 @@ jobs:
           - build_id: hostap-build2
             wolf_extra_config: --enable-brainpool --enable-wpas-dpp
     name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
     runs-on: ubuntu-20.04
     # This should be a safe limit for the tests to run.
@@ -62,7 +72,7 @@ jobs:
         config: [
           {
             hostap_ref: hostap_2_10,
-            hostap_cherry_pick: 5679ec5c3dda25a0547a5f66407fd9b0b55fd04a,
+            hostap_cherry_pick: 36fcbb1a4ee4aa604f15079eae2ffa4fe7f44680,
             remove_teap: true,
             # TLS 1.3 does not work for this version
             build_id: hostap-build1,
@@ -70,7 +80,7 @@ jobs:
           # Test the dpp patch
           {
             hostap_ref: b607d2723e927a3446d89aed813f1aa6068186bb,
-            hostap_cherry_pick: 5679ec5c3dda25a0547a5f66407fd9b0b55fd04a,
+            hostap_cherry_pick: 36fcbb1a4ee4aa604f15079eae2ffa4fe7f44680,
             osp_ref: ad5b52a49b3cc2a5bfb47ccc1d6a5137132e9446,
             build_id: hostap-build2
           },
@@ -90,6 +100,7 @@ jobs:
               build_id: hostap-build2
             }
     name: hwsim test
+    if: github.repository_owner == 'wolfssl'
     # For openssl 1.1
     runs-on: ubuntu-20.04
     # This should be a safe limit for the tests to run.
@@ -172,7 +183,7 @@ jobs:
       - name: Checkout hostap
         uses: actions/checkout@v4
         with:
-          repository: julek-wolfssl/hostap-mirror 
+          repository: julek-wolfssl/hostap-mirror
           path: hostap
           ref: ${{ matrix.config.hostap_ref }}
           # necessary for cherry pick step
@@ -201,7 +212,7 @@ jobs:
           done
 
       - if: ${{ matrix.hostapd }}
-        name: Setup hostapd config file 
+        name: Setup hostapd config file
         run: |
           cp wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/hostapd.config \
              hostap/hostapd/.config
@@ -211,7 +222,7 @@ jobs:
           EOF
 
       - if: ${{ matrix.wpa_supplicant }}
-        name: Setup wpa_supplicant config file 
+        name: Setup wpa_supplicant config file
         run: |
           cp wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/wpa_supplicant.config \
              hostap/wpa_supplicant/.config

.github/workflows/docker-Espressif.yml

@@ -1,10 +1,20 @@
 name: Espressif examples tests
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   espressif_latest:
     name: latest Docker container
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 12
@@ -13,22 +23,24 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Initialize Espressif IDE and build examples
-        run: . /opt/esp/idf/export.sh; IDE/Espressif/ESP-IDF/compileAllExamples.sh
+        run: cd /opt/esp/idf && . ./export.sh && cd $GITHUB_WORKSPACE; IDE/Espressif/ESP-IDF/compileAllExamples.sh
   espressif_v4_4:
     name: v4.4 Docker container
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     container:
       image: espressif/idf:release-v4.4
     steps:
       - uses: actions/checkout@v4
       - name: Initialize Espressif IDE and build examples
-        run: . /opt/esp/idf/export.sh; IDE/Espressif/ESP-IDF/compileAllExamples.sh
+        run: cd /opt/esp/idf && . ./export.sh && cd $GITHUB_WORKSPACE; IDE/Espressif/ESP-IDF/compileAllExamples.sh
   espressif_v5_0:
     name: v5.0 Docker container
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     container:
       image: espressif/idf:release-v5.0
     steps:
       - uses: actions/checkout@v4
       - name: Initialize Espressif IDE and build examples
-        run: . /opt/esp/idf/export.sh; IDE/Espressif/ESP-IDF/compileAllExamples.sh
+        run: cd /opt/esp/idf && . ./export.sh && cd $GITHUB_WORKSPACE; IDE/Espressif/ESP-IDF/compileAllExamples.sh

.github/workflows/docker-OpenWrt.yml

@@ -2,12 +2,22 @@
 # there aren't any compatibility issues. Take a look at Docker/OpenWrt/README.md
 name: OpenWrt test
 
+# START OF COMMON SECTION
 on:
-    workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
     build_library:
         name: Compile libwolfssl.so
+        if: github.repository_owner == 'wolfssl'
         runs-on: ubuntu-latest
         # This should be a safe limit for the tests to run.
         timeout-minutes: 4
@@ -19,14 +29,19 @@ jobs:
             - uses: actions/checkout@v4
             - name: Compile libwolfssl.so
               run: ./autogen.sh && ./configure --enable-all && make
+              # 2024-08-05 - Something broke in the actions. They are no longer following links.
+            - name: tar libwolfssl.so
+              working-directory: src/.libs
+              run: tar -zcf libwolfssl.tgz libwolfssl.so*
             - name: Upload libwolfssl.so
               uses: actions/upload-artifact@v4
               with:
                 name: openwrt-libwolfssl.so
-                path: src/.libs/libwolfssl.so
+                path: src/.libs/libwolfssl.tgz
                 retention-days: 5
     compile_container:
         name: Compile container
+        if: github.repository_owner == 'wolfssl'
         runs-on: ubuntu-latest
         # This should be a safe limit for the tests to run.
         timeout-minutes: 2
@@ -41,7 +56,9 @@ jobs:
             - uses: actions/download-artifact@v4
               with:
                 name: openwrt-libwolfssl.so
-                path: Docker/OpenWrt/.
+                path: .
+            - name: untar libwolfssl.so
+              run: tar -xf libwolfssl.tgz -C Docker/OpenWrt
             - name: Build but dont push
               uses: docker/build-push-action@v5
               with:

.github/workflows/grpc.yml

@@ -0,0 +1,108 @@
+name: grpc Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 10
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all 'CPPFLAGS=-DWOLFSSL_RSA_KEY_CHECK -DHAVE_EX_DATA_CLEANUP_HOOKS'
+          install: true
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-grpc
+          path: build-dir.tgz
+          retention-days: 5
+
+  grpc_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - ref: v1.60.0
+            tests: >-
+              bad_ssl_alpn_test bad_ssl_cert_test client_ssl_test
+              crl_ssl_transport_security_test server_ssl_test
+              ssl_transport_security_test ssl_transport_security_utils_test
+              test_core_security_ssl_credentials_test test_cpp_end2end_ssl_credentials_test
+              h2_ssl_cert_test h2_ssl_session_reuse_test
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 30
+    needs: build_wolfssl
+    steps:
+      - name: Confirm IPv4 and IPv6 support
+        run: |
+          ip addr list lo | grep 'inet '
+          ip addr list lo | grep 'inet6 '
+
+      - name: Install prereqs
+        run:
+          sudo apt-get install build-essential autoconf libtool pkg-config cmake clang libc++-dev
+
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-grpc
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout grpc
+        uses: actions/checkout@v4
+        with:
+          repository: grpc/grpc
+          path: grpc
+          ref: ${{ matrix.ref }}
+
+      - name: Build grpc
+        working-directory: ./grpc
+        run: |
+          patch -p1 < ../osp/grpc/grpc-${{ matrix.ref }}.patch
+          git submodule update --init
+          mkdir cmake/build
+          cd cmake/build
+          cmake -DgRPC_BUILD_TESTS=ON -DgRPC_SSL_PROVIDER=wolfssl \
+            -DWOLFSSL_INSTALL_DIR=$GITHUB_WORKSPACE/build-dir ../..
+          make -j $(nproc) ${{ matrix.tests }}
+
+      - name: Run grpc tests
+        working-directory: ./grpc
+        run: |
+          export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
+          ./tools/run_tests/start_port_server.py
+          for t in ${{ matrix.tests }} ; do
+            ./cmake/build/$t
+          done

.github/workflows/hitch.yml

@@ -1,11 +1,21 @@
 name: hitch Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   build_wolfssl:
     name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
@@ -18,11 +28,14 @@ jobs:
           configure: --enable-hitch
           install: true
 
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
       - name: Upload built lib
         uses: actions/upload-artifact@v4
         with:
           name: wolf-install-hitch
-          path: build-dir
+          path: build-dir.tgz
           retention-days: 5
 
   hitch_check:
@@ -35,6 +48,7 @@ jobs:
             ignore-tests: >-
               test13-r82.sh test15-proxy-v2-npn.sh test39-client-cert-proxy.sh
     name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
@@ -44,7 +58,9 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: wolf-install-hitch
-          path: build-dir
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
 
       - name: Checkout OSP
         uses: actions/checkout@v4
@@ -91,4 +107,4 @@ jobs:
         working-directory: ./hitch
         run: |
           export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
-          make check
+          make check

.github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/hostapd.config

@@ -0,0 +1,122 @@
+#CC=ccache gcc
+
+CONFIG_DRIVER_NONE=y
+CONFIG_DRIVER_NL80211=y
+CONFIG_RSN_PREAUTH=y
+
+#CONFIG_TLS=internal
+#CONFIG_INTERNAL_LIBTOMMATH=y
+#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+#CONFIG_TLS=openssl
+CONFIG_TLS=wolfssl
+
+CONFIG_EAP=y
+CONFIG_ERP=y
+CONFIG_EAP_MD5=y
+CONFIG_EAP_TLS=y
+CONFIG_EAP_MSCHAPV2=y
+CONFIG_EAP_PEAP=y
+CONFIG_EAP_GTC=y
+CONFIG_EAP_TTLS=y
+CONFIG_EAP_SIM=y
+CONFIG_EAP_AKA=y
+CONFIG_EAP_AKA_PRIME=y
+CONFIG_EAP_GPSK=y
+CONFIG_EAP_GPSK_SHA256=y
+CONFIG_EAP_SAKE=y
+CONFIG_EAP_PAX=y
+CONFIG_EAP_PSK=y
+CONFIG_EAP_VENDOR_TEST=y
+CONFIG_EAP_FAST=y
+CONFIG_EAP_TEAP=y
+CONFIG_EAP_IKEV2=y
+CONFIG_EAP_TNC=y
+CFLAGS += -DTNC_CONFIG_FILE=\"tnc/tnc_config\"
+LIBS += -rdynamic
+CONFIG_EAP_UNAUTH_TLS=y
+ifeq ($(CONFIG_TLS), openssl)
+CONFIG_EAP_PWD=y
+endif
+ifeq ($(CONFIG_TLS), wolfssl)
+CONFIG_EAP_PWD=y
+endif
+CONFIG_EAP_EKE=y
+CONFIG_PKCS12=y
+CONFIG_RADIUS_SERVER=y
+CONFIG_IPV6=y
+CONFIG_TLSV11=y
+CONFIG_TLSV12=y
+
+CONFIG_FULL_DYNAMIC_VLAN=y
+CONFIG_VLAN_NETLINK=y
+CONFIG_LIBNL32=y
+CONFIG_LIBNL3_ROUTE=y
+CONFIG_IEEE80211R=y
+CONFIG_IEEE80211AC=y
+CONFIG_IEEE80211AX=y
+
+CONFIG_OCV=y
+
+CONFIG_WPS=y
+CONFIG_WPS_UPNP=y
+CONFIG_WPS_NFC=y
+#CONFIG_WPS_STRICT=y
+CONFIG_WPA_TRACE=y
+CONFIG_WPA_TRACE_BFD=y
+
+CONFIG_P2P_MANAGER=y
+CONFIG_DEBUG_FILE=y
+CONFIG_DEBUG_LINUX_TRACING=y
+CONFIG_WPA_CLI_EDIT=y
+CONFIG_ACS=y
+CONFIG_NO_RANDOM_POOL=y
+CONFIG_WNM=y
+CONFIG_INTERWORKING=y
+CONFIG_HS20=y
+CONFIG_SQLITE=y
+CONFIG_SAE=y
+CONFIG_SAE_PK=y
+CFLAGS += -DALL_DH_GROUPS
+
+CONFIG_FST=y
+CONFIG_FST_TEST=y
+
+CONFIG_TESTING_OPTIONS=y
+CFLAGS += -DCONFIG_RADIUS_TEST
+CONFIG_MODULE_TESTS=y
+
+CONFIG_SUITEB=y
+CONFIG_SUITEB192=y
+
+# AddressSanitizer (ASan) can be enabled by uncommenting the following lines.
+# This can be used as a more efficient memory error detector than valgrind
+# (though, with still some CPU and memory cost, so VM cases will need more
+# memory allocated for the guest).
+#CFLAGS += -fsanitize=address -O1 -fno-omit-frame-pointer -g
+#LIBS += -fsanitize=address -fno-omit-frame-pointer -g
+#LIBS_h += -fsanitize=address -fno-omit-frame-pointer -g
+#LIBS_n += -fsanitize=address -fno-omit-frame-pointer -g
+#LIBS_c += -fsanitize=address -fno-omit-frame-pointer -g
+
+# Undefined Behavior Sanitizer (UBSan) can be enabled by uncommenting the
+# following lines.
+#CFLAGS += -Wno-format-nonliteral
+#CFLAGS += -fsanitize=undefined
+##CFLAGS += -fno-sanitize-recover
+#LIBS += -fsanitize=undefined
+##LIBS += -fno-sanitize-recover
+#LIBS_h += -fsanitize=undefined
+#LIBS_n += -fsanitize=undefined
+#LIBS_c += -fsanitize=undefined
+CONFIG_MBO=y
+
+CONFIG_TAXONOMY=y
+CONFIG_FILS=y
+CONFIG_FILS_SK_PFS=y
+CONFIG_OWE=y
+CONFIG_DPP=y
+CONFIG_DPP2=y
+CONFIG_WEP=y
+CONFIG_PASN=y
+CONFIG_AIRTIME_POLICY=y
+CONFIG_IEEE80211BE=y

.github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/wpa_supplicant.config

@@ -0,0 +1,164 @@
+#CC=ccache gcc
+
+#CONFIG_TLS=openssl
+CONFIG_TLS=wolfssl
+#CONFIG_TLS=internal
+#CONFIG_INTERNAL_LIBTOMMATH=y
+#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+
+CONFIG_IEEE8021X_EAPOL=y
+
+CONFIG_ERP=y
+CONFIG_EAP_MD5=y
+CONFIG_MSCHAPV2=y
+CONFIG_EAP_TLS=y
+CONFIG_EAP_PEAP=y
+CONFIG_EAP_TTLS=y
+CONFIG_EAP_GTC=y
+CONFIG_EAP_OTP=y
+CONFIG_EAP_PSK=y
+CONFIG_EAP_PAX=y
+CONFIG_EAP_LEAP=y
+CONFIG_EAP_SIM=y
+CONFIG_EAP_AKA=y
+CONFIG_EAP_AKA_PRIME=y
+CONFIG_EAP_VENDOR_TEST=y
+CONFIG_EAP_TLV=y
+CONFIG_EAP_SAKE=y
+CONFIG_EAP_GPSK=y
+CONFIG_EAP_GPSK_SHA256=y
+CONFIG_EAP_EKE=y
+CONFIG_EAP_TNC=y
+CFLAGS += -DTNC_CONFIG_FILE=\"tnc/tnc_config\"
+LIBS += -rdynamic
+CONFIG_EAP_FAST=y
+CONFIG_EAP_TEAP=y
+CONFIG_EAP_IKEV2=y
+
+ifeq ($(CONFIG_TLS), openssl)
+CONFIG_EAP_PWD=y
+endif
+ifeq ($(CONFIG_TLS), wolfssl)
+CONFIG_EAP_PWD=y
+endif
+
+CONFIG_USIM_SIMULATOR=y
+CONFIG_SIM_SIMULATOR=y
+
+#CONFIG_PCSC=y
+CONFIG_IPV6=y
+CONFIG_DRIVER_NONE=y
+CONFIG_PKCS12=y
+CONFIG_CTRL_IFACE=unix
+
+CONFIG_WPA_CLI_EDIT=y
+
+CONFIG_OCSP=y
+
+#CONFIG_ELOOP_POLL=y
+
+CONFIG_CTRL_IFACE_DBUS_NEW=y
+CONFIG_CTRL_IFACE_DBUS_INTRO=y
+
+CONFIG_IEEE80211R=y
+CONFIG_IEEE80211AC=y
+CONFIG_IEEE80211AX=y
+
+CONFIG_OCV=y
+
+CONFIG_DEBUG_FILE=y
+
+CONFIG_WPS=y
+#CONFIG_WPS_STRICT=y
+CONFIG_WPS_UPNP=y
+CONFIG_WPS_NFC=y
+CONFIG_WPS_ER=y
+#CONFIG_WPS_REG_DISABLE_OPEN=y
+
+CONFIG_DRIVER_WEXT=y
+
+CONFIG_DRIVER_NL80211=y
+CFLAGS += -I/usr/include/libnl3
+CONFIG_LIBNL32=y
+
+CONFIG_IBSS_RSN=y
+
+CONFIG_AP=y
+CONFIG_MESH=y
+CONFIG_P2P=y
+CONFIG_WIFI_DISPLAY=y
+
+CONFIG_ACS=y
+
+CONFIG_BGSCAN_SIMPLE=y
+CONFIG_BGSCAN_LEARN=y
+
+CONFIG_WPA_TRACE=y
+CONFIG_WPA_TRACE_BFD=y
+
+CONFIG_TDLS=y
+CONFIG_TDLS_TESTING=y
+CONFIG_NO_RANDOM_POOL=y
+
+CONFIG_TLSV11=y
+CONFIG_TLSV12=y
+
+CONFIG_HT_OVERRIDES=y
+CONFIG_VHT_OVERRIDES=y
+CONFIG_HE_OVERRIDES=y
+
+CONFIG_DEBUG_LINUX_TRACING=y
+
+CONFIG_INTERWORKING=y
+CONFIG_HS20=y
+
+CONFIG_AUTOSCAN_EXPONENTIAL=y
+CONFIG_AUTOSCAN_PERIODIC=y
+
+CONFIG_EXT_PASSWORD_TEST=y
+CONFIG_EXT_PASSWORD_FILE=y
+
+CONFIG_EAP_UNAUTH_TLS=y
+
+CONFIG_SAE=y
+CONFIG_SAE_PK=y
+CFLAGS += -DALL_DH_GROUPS
+
+CONFIG_WNM=y
+
+CONFIG_FST=y
+CONFIG_FST_TEST=y
+
+CONFIG_TESTING_OPTIONS=y
+CONFIG_MODULE_TESTS=y
+
+CONFIG_SUITEB=y
+CONFIG_SUITEB192=y
+
+# AddressSanitizer (ASan) can be enabled by uncommenting the following lines.
+# This can be used as a more efficient memory error detector than valgrind
+# (though, with still some CPU and memory cost, so VM cases will need more
+# memory allocated for the guest).
+#CFLAGS += -fsanitize=address -O1 -fno-omit-frame-pointer -g
+#LIBS += -fsanitize=address -fno-omit-frame-pointer -g
+#LIBS_c += -fsanitize=address -fno-omit-frame-pointer -g
+#LIBS_p += -fsanitize=address -fno-omit-frame-pointer -g
+
+# Undefined Behavior Sanitizer (UBSan) can be enabled by uncommenting the
+# following lines.
+#CFLAGS += -Wno-format-nonliteral
+#CFLAGS += -fsanitize=undefined
+##CFLAGS += -fno-sanitize-recover
+#LIBS += -fsanitize=undefined
+##LIBS += -fno-sanitize-recover
+#LIBS_c += -fsanitize=undefined
+#LIBS_p += -fsanitize=undefined
+CONFIG_MBO=y
+CONFIG_FILS=y
+CONFIG_FILS_SK_PFS=y
+CONFIG_PMKSA_CACHE_EXTERNAL=y
+CONFIG_OWE=y
+CONFIG_DPP=y
+CONFIG_DPP2=y
+CONFIG_WEP=y
+CONFIG_PASN=y

.github/workflows/hostap-files/configs/b607d2723e927a3446d89aed813f1aa6068186bb/tests

@@ -191,13 +191,7 @@ ap_wpa2_psk_supp_proto_no_gtk_in_group_msg
 ap_wpa2_psk_supp_proto_too_long_gtk_in_group_msg
 ap_wpa2_psk_supp_proto_too_long_gtk_kde
 ap_wpa2_psk_supp_proto_gtk_not_encrypted
-ap_wpa2_psk_supp_proto_no_igtk
-ap_wpa2_psk_supp_proto_igtk_ok
-ap_wpa2_psk_supp_proto_igtk_keyid_swap
-ap_wpa2_psk_supp_proto_igtk_keyid_too_large
-ap_wpa2_psk_supp_proto_igtk_keyid_unexpected
 ap_wpa2_psk_wep
-ap_wpa2_psk_ifdown
 ap_wpa2_psk_drop_first_msg_4
 ap_wpa2_psk_disable_enable
 ap_wpa2_psk_incorrect_passphrase
@@ -210,10 +204,7 @@ ap_wpa2_disable_eapol_retry
 ap_wpa2_disable_eapol_retry_group
 ap_wpa2_psk_mic_0
 ap_wpa2_psk_local_error
-ap_wpa2_psk_inject_assoc
-ap_wpa2_psk_no_control_port
 ap_wpa2_psk_ap_control_port
-ap_wpa2_psk_ap_control_port_disabled
 ap_wpa2_psk_rsne_mismatch_ap
 ap_wpa2_psk_rsne_mismatch_ap2
 ap_wpa2_psk_rsne_mismatch_ap3
@@ -253,10 +244,8 @@ ap_wpa2_eap_aka_sql
 ap_wpa2_eap_aka_config
 ap_wpa2_eap_aka_ext
 ap_wpa2_eap_aka_ext_auth_fail
-ap_wpa2_eap_aka_prime
 ap_wpa2_eap_aka_prime_imsi_identity
 ap_wpa2_eap_aka_prime_imsi_privacy_key
-ap_wpa2_eap_aka_prime_sql
 ap_wpa2_eap_aka_prime_ext_auth_fail
 ap_wpa2_eap_aka_prime_ext
 ap_wpa2_eap_ttls_pap
@@ -416,19 +405,6 @@ ap_wpa2_radius_server_get_id
 ap_wpa2_eap_tls_tod
 ap_wpa2_eap_tls_tod_tofu
 ap_wpa2_eap_sake_no_control_port
-ap_wpa2_tdls
-ap_wpa2_tdls_concurrent_init
-ap_wpa2_tdls_concurrent_init2
-ap_wpa2_tdls_decline_resp
-ap_wpa2_tdls_long_lifetime
-ap_wpa2_tdls_long_frame
-ap_wpa2_tdls_reneg
-ap_wpa2_tdls_wrong_lifetime_resp
-ap_wpa2_tdls_diff_rsnie
-ap_wpa2_tdls_wrong_tpk_m2_mic
-ap_wpa2_tdls_wrong_tpk_m3_mic
-ap_wpa2_tdls_double_tpk_m2
-ap_wpa2_tdls_responder_teardown
 dpp_network_intro_version
 dpp_network_intro_version_change
 dpp_network_intro_version_missing_req
@@ -459,12 +435,9 @@ dpp_qr_code_curves
 dpp_qr_code_curves_brainpool
 dpp_qr_code_unsupported_curve
 dpp_qr_code_keygen_fail
-dpp_qr_code_curve_select
 dpp_qr_code_auth_broadcast
-dpp_configurator_enrollee
 dpp_configurator_enrollee_prime256v1
 dpp_configurator_enrollee_secp384r1
-dpp_configurator_enrollee_secp521r1
 dpp_configurator_enrollee_brainpoolP256r1
 dpp_configurator_enrollee_brainpoolP384r1
 dpp_configurator_enrollee_brainpoolP512r1
@@ -477,7 +450,6 @@ dpp_qr_code_curve_brainpoolP384r1
 dpp_qr_code_curve_brainpoolP512r1
 dpp_qr_code_set_key
 dpp_qr_code_auth_mutual
-dpp_qr_code_auth_mutual2
 dpp_qr_code_auth_mutual_p_256
 dpp_qr_code_auth_mutual_p_384
 dpp_qr_code_auth_mutual_p_521
@@ -514,13 +486,11 @@ dpp_config_no_signed_connector
 dpp_config_unexpected_signed_connector_char
 dpp_config_root_not_an_object
 dpp_config_no_wi_fi_tech
-dpp_config_unsupported_wi_fi_tech
 dpp_config_no_discovery
 dpp_config_no_discovery_ssid
 dpp_config_too_long_discovery_ssid
 dpp_config_no_cred
 dpp_config_no_cred_akm
-dpp_config_unsupported_cred_akm
 dpp_config_error_legacy_no_pass
 dpp_config_error_legacy_too_long_pass
 dpp_config_error_legacy_psk_with_sae
@@ -531,13 +501,10 @@ dpp_config_connector_error_ext_sign
 dpp_config_connector_error_too_short_timestamp
 dpp_config_connector_error_invalid_timestamp
 dpp_config_connector_error_invalid_timestamp_date
-dpp_config_connector_error_invalid_time_zone
-dpp_config_connector_error_invalid_time_zone_2
 dpp_config_connector_error_expired_1
 dpp_config_connector_error_expired_2
 dpp_config_connector_error_expired_3
 dpp_config_connector_error_expired_4
-dpp_config_connector_error_expired_5
 dpp_config_connector_error_expired_6
 dpp_config_connector_error_no_groups
 dpp_config_connector_error_empty_groups
@@ -565,13 +532,6 @@ dpp_ap_config_p256_bp256
 dpp_ap_config_bp256_p256
 dpp_ap_config_p521_bp512
 dpp_ap_config_reconfig_configurator
-dpp_auto_connect_1
-dpp_auto_connect_2
-dpp_auto_connect_2_connect_cmd
-dpp_auto_connect_2_sta_ver1
-dpp_auto_connect_2_ap_ver1
-dpp_auto_connect_2_ver1
-dpp_auto_connect_2_conf_ver1
 dpp_auto_connect_legacy
 dpp_auto_connect_legacy_ssid_charset
 dpp_auto_connect_legacy_sae_1
@@ -580,13 +540,6 @@ dpp_auto_connect_legacy_psk_sae_1
 dpp_auto_connect_legacy_psk_sae_2
 dpp_auto_connect_legacy_psk_sae_3
 dpp_auto_connect_legacy_pmf_required
-dpp_qr_code_auth_responder_configurator
-dpp_qr_code_auth_responder_configurator_group_id
-dpp_qr_code_auth_enrollee_init_netrole
-dpp_qr_code_hostapd_init
-dpp_qr_code_hostapd_init_offchannel
-dpp_qr_code_hostapd_init_offchannel_neg_freq
-dpp_qr_code_hostapd_ignore_mismatch
 dpp_test_vector_p_256
 dpp_test_vector_p_256_b
 dpp_test_vector_p_521
@@ -603,7 +556,6 @@ dpp_pkex_no_identifier
 dpp_pkex_identifier_mismatch
 dpp_pkex_identifier_mismatch2
 dpp_pkex_identifier_mismatch3
-dpp_pkex_5ghz
 dpp_pkex_test_vector
 dpp_pkex_code_mismatch
 dpp_pkex_code_mismatch_limit
@@ -625,7 +577,6 @@ dpp_pkex_hostapd_errors
 dpp_pkex_nak_curve_change
 dpp_pkex_nak_curve_change2
 dpp_hostapd_configurator
-dpp_hostapd_configurator_enrollee_v1
 dpp_hostapd_configurator_responder
 dpp_hostapd_configurator_fragmentation
 dpp_hostapd_enrollee_fragmentation
@@ -650,7 +601,6 @@ dpp_proto_stop_at_pkex_cr_req
 dpp_proto_stop_at_pkex_cr_resp
 dpp_proto_network_introduction
 dpp_hostapd_auth_conf_timeout
-dpp_hostapd_auth_resp_retries
 dpp_tcp
 dpp_tcp_port
 dpp_tcp_mutual
@@ -702,6 +652,5 @@ dpp_qr_code_config_event_initiator_failure
 dpp_qr_code_config_event_initiator_no_response
 dpp_qr_code_config_event_initiator_both
 dpp_tcp_qr_code_config_event_initiator
-dpp_qr_code_config_event_responder
 dpp_discard_public_action
 

.github/workflows/hostap-files/configs/hostap_2_10/extra.patch

@@ -0,0 +1,47 @@
+From a53a6a67dc121b45d611318e2a37815cc209839c Mon Sep 17 00:00:00 2001
+From: Juliusz Sosinowicz <juliusz@wolfssl.com>
+Date: Fri, 19 Apr 2024 16:41:38 +0200
+Subject: [PATCH] Fixes for running tests under UML
+
+- Apply commit ID fix from more recent commit
+- priv_sz and pub_sz are checked and fail on UML. Probably because stack is zeroed out.
+---
+ src/crypto/crypto_wolfssl.c | 2 +-
+ tests/hwsim/run-all.sh      | 8 +++++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
+index 00ecf61352..a57fa50697 100644
+--- a/src/crypto/crypto_wolfssl.c
++++ b/src/crypto/crypto_wolfssl.c
+@@ -785,7 +785,7 @@ int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
+ 	int ret = -1;
+ 	WC_RNG rng;
+ 	DhKey *dh = NULL;
+-	word32 priv_sz, pub_sz;
++	word32 priv_sz = prime_len, pub_sz = prime_len;
+ 
+ 	if (TEST_FAIL())
+ 		return -1;
+diff --git a/tests/hwsim/run-all.sh b/tests/hwsim/run-all.sh
+index ee48cd0581..75c3a58b52 100755
+--- a/tests/hwsim/run-all.sh
++++ b/tests/hwsim/run-all.sh
+@@ -15,7 +15,13 @@ export LOGDIR
+ if [ -z "$DBFILE" ]; then
+     DB=""
+ else
+-    DB="-S $DBFILE --commit $(git rev-parse HEAD)"
++    DB="-S $DBFILE"
++    if [ -z "$COMMITID" ]; then
++	COMMITID="$(git rev-parse HEAD)"
++    fi
++    if [ -n "$COMMITID" ]; then
++	DB="$DB --commit $COMMITID"
++    fi
+     if [ -n "$BUILD" ]; then
+ 	DB="$DB -b $BUILD"
+     fi
+-- 
+2.34.1
+

.github/workflows/hostap-files/configs/hostap_2_10/tests

@@ -163,7 +163,6 @@ ap_wpa2_disable_eapol_retry_group
 ap_wpa2_psk_mic_0
 ap_wpa2_psk_local_error
 ap_wpa2_psk_inject_assoc
-ap_wpa2_psk_no_control_port
 ap_wpa2_psk_ap_control_port
 ap_wpa2_psk_ap_control_port_disabled
 ap_wpa2_psk_rsne_mismatch_ap
@@ -269,16 +268,3 @@ ap_wpa2_eap_psk_mac_addr_change
 ap_wpa2_eap_server_get_id
 ap_wpa2_radius_server_get_id
 ap_wpa2_eap_sake_no_control_port
-ap_wpa2_tdls
-ap_wpa2_tdls_concurrent_init
-ap_wpa2_tdls_concurrent_init2
-ap_wpa2_tdls_decline_resp
-ap_wpa2_tdls_long_lifetime
-ap_wpa2_tdls_long_frame
-ap_wpa2_tdls_reneg
-ap_wpa2_tdls_wrong_lifetime_resp
-ap_wpa2_tdls_diff_rsnie
-ap_wpa2_tdls_wrong_tpk_m2_mic
-ap_wpa2_tdls_wrong_tpk_m3_mic
-ap_wpa2_tdls_double_tpk_m2
-ap_wpa2_tdls_responder_teardown

.github/workflows/hostap-vm.yml

@@ -0,0 +1,320 @@
+name: hostap and wpa-supplicant Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+env:
+  LINUX_REF: v6.6
+
+jobs:
+  build_wolfssl:
+    strategy:
+      matrix:
+        include:
+          - build_id: hostap-vm-build1
+            wolf_extra_config: --disable-tls13
+          - build_id: hostap-vm-build2
+            wolf_extra_config: >-
+              --enable-wpas-dpp --enable-brainpool --with-eccminsz=192
+              --enable-tlsv10 --enable-oldtls
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 10
+    steps:
+        # No way to view the full strategy in the browser (really weird)
+      - name: Print strategy
+        run: |
+          cat <<EOF
+          ${{ toJSON(matrix) }}
+          EOF
+
+      - if: ${{ runner.debug }}
+        name: Enable wolfSSL debug logging
+        run: |
+          echo "wolf_debug_flags=--enable-debug" >> $GITHUB_ENV
+
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: >-
+            --enable-wpas CPPFLAGS=-DWOLFSSL_STATIC_RSA
+            ${{ env.wolf_debug_flags }} ${{ matrix.wolf_extra_config }}
+          install: true
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.build_id }}
+          path: build-dir.tgz
+          retention-days: 5
+
+  build_uml_linux:
+    name: Build UML (UserMode Linux)
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 10
+    steps:
+      - name: Checking if we have kernel in cache
+        uses: actions/cache@v4
+        id: cache
+        with:
+          path: linux/linux
+          key: ${{ env.LINUX_REF }}
+          lookup-only: true
+
+      - name: Checkout hostap
+        if: steps.cache.outputs.cache-hit != 'true'
+        uses: actions/checkout@v4
+        with:
+          repository: julek-wolfssl/hostap-mirror
+          path: hostap
+
+      - name: Checkout linux
+        if: steps.cache.outputs.cache-hit != 'true'
+        uses: actions/checkout@v4
+        with:
+          repository: torvalds/linux
+          path: linux
+
+      - name: Compile linux
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: |
+          cp hostap/tests/hwsim/vm/kernel-config.uml linux/.config
+          cd linux
+          yes "" | ARCH=um make -j $(nproc)
+
+  hostap_test:
+    strategy:
+      fail-fast: false
+      matrix:
+        # should hostapd be compiled with wolfssl
+        hostapd: [true, false]
+        # should wpa_supplicant be compiled with wolfssl
+        wpa_supplicant: [true, false]
+        # Fix the versions of hostap and osp to not break testing when a new
+        # patch is added in to osp. Tests are read from the corresponding
+        # configs/hostap_ref/tests file.
+        config: [
+          {
+            hostap_ref: hostap_2_10,
+            remove_teap: true,
+            # TLS 1.3 does not work for this version
+            build_id: hostap-vm-build1,
+          },
+          # Test the dpp patch
+          {
+            hostap_ref: b607d2723e927a3446d89aed813f1aa6068186bb,
+            osp_ref: ad5b52a49b3cc2a5bfb47ccc1d6a5137132e9446,
+            build_id: hostap-vm-build2
+          },
+          {
+            hostap_ref: 07c9f183ea744ac04585fb6dd10220c75a5e2e74,
+            osp_ref: e1876fbbf298ee442bc7ab8561331ebc7de17528,
+            build_id: hostap-vm-build2
+          },
+        ]
+        exclude:
+          # don't test openssl on both sides
+          - hostapd: false
+            wpa_supplicant: false
+          # no hostapd support for dpp yet
+          - hostapd: true
+            config: {
+              hostap_ref: b607d2723e927a3446d89aed813f1aa6068186bb,
+              osp_ref: ad5b52a49b3cc2a5bfb47ccc1d6a5137132e9446,
+              build_id: hostap-vm-build2
+            }
+    name: hwsim test
+    # For openssl 1.1
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 45
+    needs: [build_wolfssl, build_uml_linux]
+    steps:
+      - name: Checking if we have kernel in cache
+        uses: actions/cache/restore@v4
+        id: cache
+        with:
+          path: linux/linux
+          key: ${{ env.LINUX_REF }}
+          fail-on-cache-miss: true
+
+      - name: show file structure
+        run: tree
+
+        # No way to view the full strategy in the browser (really weird)
+      - name: Print strategy
+        run: |
+          cat <<EOF
+          ${{ toJSON(matrix) }}
+          EOF
+
+      - name: Print computed job run ID
+        run: |
+          SHA_SUM=$(sha256sum << 'END_OF_HEREDOC' | cut -d " " -f 1
+          ${{ toJSON(github) }}
+          END_OF_HEREDOC
+          )
+          echo "our_job_run_id=$SHA_SUM" >> $GITHUB_ENV
+          echo Our job run ID is $SHA_SUM
+
+      - name: Checkout wolfSSL
+        uses: actions/checkout@v4
+        with:
+          path: wolfssl
+
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ matrix.config.build_id }}
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Install dependencies
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          # hostap dependencies
+          sudo apt-get install -y libpcap0.8 libpcap-dev curl libcurl4-openssl-dev \
+            libnl-3-dev binutils-dev libssl-dev libiberty-dev libnl-genl-3-dev \
+            libnl-route-3-dev libdbus-1-dev bridge-utils tshark python3-pycryptodome
+
+      - name: Checkout hostap
+        uses: actions/checkout@v4
+        with:
+          repository: julek-wolfssl/hostap-mirror
+          path: hostap
+          ref: ${{ matrix.config.hostap_ref }}
+
+      - name: Update certs
+        working-directory: hostap/tests/hwsim/auth_serv
+        run: ./update.sh
+
+      - if: ${{ matrix.config.osp_ref }}
+        name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+          ref: ${{ matrix.config.osp_ref }}
+
+      - if: ${{ matrix.config.osp_ref }}
+        name: Apply patch files
+        working-directory: hostap
+        run: |
+          for f in $GITHUB_WORKSPACE/osp/hostap-patches/pending/*
+          do
+            patch -p1 < $f
+          done
+
+      - name: Apply extra patches
+        working-directory: hostap
+        run: |
+          FILE=$GITHUB_WORKSPACE/wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/extra.patch
+          if [ -f "$FILE" ]; then
+            patch -p1 < $FILE
+          fi
+
+      - if: ${{ matrix.hostapd }}
+        name: Setup hostapd config file
+        run: |
+          cp wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/hostapd.config \
+             hostap/hostapd/.config
+          cat <<EOF >> hostap/hostapd/.config
+            CFLAGS += -I$GITHUB_WORKSPACE/build-dir/include -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib
+            LIBS += -L$GITHUB_WORKSPACE/build-dir/lib -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib
+          EOF
+
+      - if: ${{ matrix.wpa_supplicant }}
+        name: Setup wpa_supplicant config file
+        run: |
+          cp wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/wpa_supplicant.config \
+             hostap/wpa_supplicant/.config
+          cat <<EOF >> hostap/wpa_supplicant/.config
+            CFLAGS += -I$GITHUB_WORKSPACE/build-dir/include -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib
+            LIBS += -L$GITHUB_WORKSPACE/build-dir/lib -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib
+          EOF
+
+      - name: Build hostap and wpa_supplicant
+        working-directory: hostap/tests/hwsim/
+        run: ./build.sh
+
+      - if: ${{ matrix.hostapd }}
+        name: Confirm hostapd linking with wolfSSL
+        run: ldd hostap/hostapd/hostapd | grep wolfssl
+
+      - if: ${{ matrix.wpa_supplicant }}
+        name: Confirm wpa_supplicant linking with wolfSSL
+        run: ldd hostap/wpa_supplicant/wpa_supplicant | grep wolfssl
+
+      - if: ${{ matrix.config.remove_teap }}
+        name: Remove EAP-TEAP from test configuration
+        working-directory: hostap/tests/hwsim/auth_serv
+        run: |
+          sed -e 's/"erp-teap@example.com"\tTEAP//' -i eap_user.conf
+          sed -e 's/"erp-teap@example.com"\tMSCHAPV2\t"password"\t\[2\]//' -i eap_user.conf
+          sed -e 's/"TEAP"\t\tTEAP//' -i eap_user.conf
+          sed -e 's/TEAP,//' -i eap_user.conf
+
+      - if: ${{ runner.debug }}
+        name: Enable hostap debug logging
+        run: |
+          echo "hostap_debug_flags=--debug" >> $GITHUB_ENV
+
+      - name: Run tests
+        id: testing
+        working-directory: hostap/tests/hwsim/
+        run: |
+          cat <<EOF >> vm/vm-config
+            KERNELDIR=$GITHUB_WORKSPACE/linux
+            KVMARGS="-cpu host"
+          EOF
+          # Run tests in increments of 200 to not stall out the parallel-vm script
+          while mapfile -t -n 200 ary && ((${#ary[@]})); do
+            TESTS=$(printf '%s\n' "${ary[@]}" | tr '\n' ' ')
+            HWSIM_RES=0 # Not set when command succeeds
+            ./vm/parallel-vm.py ${{ env.hostap_debug_flags }} --nocurses $(nproc) $TESTS  || HWSIM_RES=$?
+            if [ "$HWSIM_RES" -ne "0" ]; then
+              # Let's re-run the failing tests. We gather the failed tests from the log file.
+              FAILED_TESTS=$(grep 'failed tests' /tmp/hwsim-test-logs/*-parallel.log | sed 's/failed tests: //' | tr ' ' '\n' | sort | uniq | tr '\n' ' ')
+              printf 'failed tests: %s\n' "$FAILED_TESTS"
+              ./vm/parallel-vm.py ${{ env.hostap_debug_flags }} --nocurses $(nproc) $FAILED_TESTS
+            fi
+            rm -r /tmp/hwsim-test-logs
+          done < $GITHUB_WORKSPACE/wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/tests
+
+      # The logs are quite big. It hasn't been useful so far so let's not waste
+      # precious gh space.
+      #- name: zip logs
+      #  if: ${{ failure() && steps.testing.outcome == 'failure' }}
+      #  working-directory: hostap/tests/hwsim/
+      #  run: |
+      #    rm /tmp/hwsim-test-logs/latest
+      #    zip -9 -r logs.zip /tmp/hwsim-test-logs
+      #
+      #- name: Upload failure logs
+      #  if: ${{ failure() && steps.testing.outcome == 'failure' }}
+      #  uses: actions/upload-artifact@v4
+      #  with:
+      #    name: hostap-logs-${{ env.our_job_run_id }}
+      #    path: hostap/tests/hwsim/logs.zip
+      #    retention-days: 5

.github/workflows/ipmitool.yml

@@ -0,0 +1,85 @@
+name: ipmitool Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'wolfssl'
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all
+          install: true
+          # Don't run tests as this config is tested in many other places
+          check: false
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-ipmitool
+          path: build-dir.tgz
+          retention-days: 5
+
+  build_ipmitool:
+    strategy:
+      fail-fast: false
+      matrix:
+        git_ref: [ c3939dac2c060651361fc71516806f9ab8c38901 ]
+    name: ${{ matrix.git_ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    needs: build_wolfssl
+    steps:
+      - name: Install dependencies
+        run: export DEBIAN_FRONTEND=noninteractive && sudo apt-get update && sudo apt-get install -y libreadline8
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-ipmitool
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Build ipmitool
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: ipmitool/ipmitool
+          ref: ${{ matrix.git_ref }}
+          path: ipmitool
+          patch-file: $GITHUB_WORKSPACE/osp/ipmitool/*-${{ matrix.git_ref }}.patch
+          configure: --with-wolfssl=$GITHUB_WORKSPACE/build-dir
+          # No checks included and not running since it depends on hardware
+          check: false
+
+      - name: Confirm built with wolfSSL
+        working-directory: ipmitool
+        run: |
+          ldd src/ipmitool | grep wolfssl
+          ldd src/ipmievd | grep wolfssl

.github/workflows/jwt-cpp.yml

@@ -0,0 +1,96 @@
+name: jwt-cpp Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    # Just to keep it the same as the testing target
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all
+          install: true
+          # Don't run tests as this config is tested in many other places
+          check: false
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-jwt-cpp
+          path: build-dir.tgz
+          retention-days: 5
+
+  build_pam-ipmi:
+    if: github.repository_owner == 'wolfssl'
+    strategy:
+      fail-fast: false
+      matrix:
+        config:
+          - ref: 0.7.0
+            runner: ubuntu-latest
+          - ref: 0.6.0
+            runner: ubuntu-22.04
+    name: ${{ matrix.config.ref }}
+    runs-on: ${{ matrix.config.runner }}
+    needs: build_wolfssl
+    steps:
+      - name: Install dependencies
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          sudo apt-get install libgtest-dev
+
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-jwt-cpp
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout jwt-cpp
+        uses: actions/checkout@v4
+        with:
+          repository: Thalhammer/jwt-cpp
+          path: jwt-cpp
+          ref: v${{ matrix.config.ref }}
+
+      - name: Build pam-ipmi
+        working-directory: jwt-cpp
+        run: |
+          patch -p1 < ../osp/jwt-cpp/${{ matrix.config.ref }}.patch
+          PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
+            cmake -B build -DJWT_SSL_LIBRARY:STRING=wolfSSL -DJWT_BUILD_TESTS=ON .
+          make -j -C build
+          ldd ./build/tests/jwt-cpp-test | grep wolfssl
+
+      - name: Run jwt-cpp tests
+        working-directory: jwt-cpp
+        run: ./build/tests/jwt-cpp-test

.github/workflows/krb5.yml

@@ -1,12 +1,22 @@
 name: Kerberos 5 Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   build_wolfssl:
     name: Build wolfSSL
     # Just to keep it the same as the testing target
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 5
@@ -22,11 +32,14 @@ jobs:
           configure: --enable-krb CC='gcc -fsanitize=address'
           install: true
 
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
       - name: Upload built lib
         uses: actions/upload-artifact@v4
         with:
           name: wolf-install-krb5
-          path: build-dir
+          path: build-dir.tgz
           retention-days: 5
 
   krb5_check:
@@ -36,6 +49,7 @@ jobs:
         # List of releases to test
         ref: [ 1.21.1 ]
     name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 8
@@ -45,7 +59,9 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: wolf-install-krb5
-          path: build-dir
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
 
       - name: Checkout OSP
         uses: actions/checkout@v4

.github/workflows/libssh2.yml

@@ -1,12 +1,22 @@
 name: libssh2 Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   build_wolfssl:
     name: Build wolfSSL
     # Just to keep it the same as the testing target
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
@@ -19,11 +29,14 @@ jobs:
           check: false # config is already tested in many other PRB's
           install: true
 
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
       - name: Upload built lib
         uses: actions/upload-artifact@v4
         with:
           name: wolf-install-libssh2
-          path: build-dir
+          path: build-dir.tgz
           retention-days: 5
 
   libssh2_check:
@@ -33,6 +46,7 @@ jobs:
         # List of releases to test
         ref: [ 1.11.0 ]
     name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 8
@@ -42,7 +56,9 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: wolf-install-libssh2
-          path: build-dir
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
 
       - name: Build and test libssh2
         uses: wolfSSL/actions-build-autotools-project@v1

.github/workflows/libvncserver.yml

@@ -0,0 +1,86 @@
+name: libvncserver Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    # Just to keep it the same as the testing target
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all
+          install: true
+          # Don't run tests as this config is tested in many other places
+          check: false
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-libvncserver
+          path: build-dir.tgz
+          retention-days: 5
+
+  build_libvncserver:
+    strategy:
+      fail-fast: false
+      matrix:
+        ref: [ 0.9.13 ]
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    needs: build_wolfssl
+    steps:
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-libvncserver
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout libvncserver
+        uses: actions/checkout@v4
+        with:
+          repository: LibVNC/libvncserver
+          path: libvncserver
+          ref: LibVNCServer-${{ matrix.ref }}
+
+      - name: Build libvncserver
+        working-directory: libvncserver
+        run: |
+          patch -p1 < ../osp/libvncserver/${{ matrix.ref }}.patch
+          PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
+            cmake -B build -DWITH_GNUTLS=OFF -DWITH_OPENSSL=OFF -DWITH_GCRYPT=OFF -DWITH_WOLFSSL=ON .
+          make -j -C build VERBOSE=1
+          ldd build/libvncclient.so | grep wolfssl
+          ldd build/libvncserver.so | grep wolfssl
+
+      - name: Run libvncserver tests
+        working-directory: libvncserver
+        run: make -C build test

.github/workflows/main.yml

@@ -1,52 +0,0 @@
-name: CI
-concurrency:
-  group: ${{ github.ref }}
-  cancel-in-progress: true
-
-on:
-  push:
-    branches: [ 'master', 'main', 'release/**' ]
-  pull_request:
-    branches: [ '*' ]
-
-jobs:
-    espressif:
-        uses: ./.github/workflows/docker-Espressif.yml
-    multi-compiler:
-        uses: ./.github/workflows/multi-compiler.yml
-    multi-arch:
-        uses: ./.github/workflows/multi-arch.yml
-    openwrt:
-        uses: ./.github/workflows/docker-OpenWrt.yml
-    os-check:
-        uses: ./.github/workflows/os-check.yml
-    async:
-        uses: ./.github/workflows/async.yml
-    stunnel:
-        uses: ./.github/workflows/stunnel.yml
-    openvpn:
-        uses: ./.github/workflows/openvpn.yml
-    hostap:
-        uses: ./.github/workflows/hostap.yml
-    nginx:
-        uses: ./.github/workflows/nginx.yml
-    zephyr:
-        uses: ./.github/workflows/zephyr.yml
-    hitch:
-        uses: ./.github/workflows/hitch.yml
-    curl:
-        uses: ./.github/workflows/curl.yml
-    krb5:
-        uses: ./.github/workflows/krb5.yml
-    packaging:
-        uses: ./.github/workflows/packaging.yml
-    memcached:
-        uses: ./.github/workflows/memcached.yml
-# TODO: Currently this test fails. Enable it once it becomes passing.        
-#    libssh2:
-#        uses: ./.github/workflows/libssh2.yml
-    openssh:
-        uses: ./.github/workflows/openssh.yml
-# TODO: Currently this test fails. Enable it once it becomes passing.        
-#    haproxy:
-#        uses: ./.github/workflows/haproxy.yml

.github/workflows/memcached.yml

@@ -1,12 +1,22 @@
 name: memcached Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   build_wolfssl:
     name: Build wolfSSL
     # Just to keep it the same as the testing target
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     steps:
       - name: Build wolfSSL
@@ -19,11 +29,14 @@ jobs:
       - name: Bundle Docker entry point
         run: cp wolfssl/.github/workflows/memcached.sh build-dir/bin
 
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
       - name: Upload built lib
         uses: actions/upload-artifact@v4
         with:
           name: wolf-install-memcached
-          path: build-dir
+          path: build-dir.tgz
           retention-days: 5
 
   memcached_check:
@@ -34,6 +47,7 @@ jobs:
         include:
           - ref: 1.6.22
     name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     needs: build_wolfssl
     steps:
@@ -41,7 +55,9 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: wolf-install-memcached
-          path: build-dir
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
 
       - name: Checkout OSP
         uses: actions/checkout@v4

.github/workflows/mosquitto.yml

@@ -0,0 +1,99 @@
+name: mosquitto Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    # Just to keep it the same as the testing target
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-mosquitto CFLAGS="-DALLOW_INVALID_CERTSIGN"
+          install: true
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-mosquitto
+          path: build-dir.tgz
+          retention-days: 5
+
+  mosquitto_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        ref: [ 2.0.18 ]
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    needs: build_wolfssl
+    steps:
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-mosquitto
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Install dependencies
+        run: |
+            export DEBIAN_FRONTEND=noninteractive
+            sudo apt-get update
+            sudo apt-get install -y build-essential libev-dev libssl-dev automake python3-docutils libcunit1 libcunit1-doc libcunit1-dev pkg-config make python3-psutil
+
+      - name: Checkout mosquitto
+        uses: actions/checkout@v4
+        with:
+          repository: eclipse/mosquitto
+          ref: v${{ matrix.ref }}
+          path: mosquitto
+
+      - name: Configure and build mosquitto
+        run: |
+            cd $GITHUB_WORKSPACE/mosquitto/
+            patch -p1 < $GITHUB_WORKSPACE/osp/mosquitto/${{ matrix.ref }}.patch
+            make WITH_TLS=wolfssl WITH_CJSON=no WITH_DOCS=no WOLFSSLDIR=$GITHUB_WORKSPACE/build-dir
+
+      - name: Run mosquitto tests
+        working-directory: ./mosquitto
+        run: |
+          # Retry up to five times
+          for i in {1..5}; do
+            TEST_RES=0
+            make WITH_TLS=wolfssl WITH_CJSON=no WITH_DOCS=no WOLFSSLDIR=$GITHUB_WORKSPACE/build-dir ptest || TEST_RES=$?
+            if [ "$TEST_RES" -eq "0" ]; then
+              break
+            fi
+          done
+          if [ "$TEST_RES" -ne "0" ]; then
+            exit $TEST_RES
+          fi

.github/workflows/multi-arch.yml

@@ -1,7 +1,16 @@
 name: Multiple architectures
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   my_matrix:
@@ -27,6 +36,7 @@ jobs:
             CFLAGS: -marm -DWOLFSSL_SP_ARM_ARCH=6
             ARCH: armel
             EXTRA_OPTS: --enable-sp-asm
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 10
@@ -42,7 +52,7 @@ jobs:
             CFLAGS: ${{ matrix.CFLAGS }}
             QEMU_LD_PREFIX: /usr/${{ matrix.HOST }}
         run: ./autogen.sh && ./configure --host=${{ matrix.HOST }} --enable-all --disable-examples ${{ matrix.EXTRA_OPTS }} && make
-      - name: Print errors 
+      - name: Print errors
         if: ${{ failure() }}
         run: |
           if [ -f config.log ] ; then

.github/workflows/multi-compiler.yml

@@ -1,7 +1,16 @@
 name: Multiple compilers and versions
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   my_matrix:
@@ -37,10 +46,13 @@ jobs:
           - CC: clang-14
             CXX: clang++-14
             OS: ubuntu-latest
+    if: github.repository_owner == 'wolfssl'
     runs-on: ${{ matrix.OS }}
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
     steps:
+      - name: Install dependencies
+        run: export DEBIAN_FRONTEND=noninteractive && sudo apt-get update && sudo apt-get install -y ${{ matrix.CC }}
       - uses: actions/checkout@v4
       - name: Build
         env:

.github/workflows/net-snmp.yml

@@ -0,0 +1,84 @@
+name: net-snmp Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-net-snmp
+          install: true
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-net-snmp
+          path: build-dir.tgz
+          retention-days: 5
+
+  net-snmp_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        # List of releases to test
+        include:
+          - ref: 5.9.3
+            test_opts: -e 'agentxperl'
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    needs: build_wolfssl
+    steps:
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-net-snmp
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Build net-snmp
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: net-snmp/net-snmp
+          ref: v${{ matrix.ref }}
+          path: net-snmp
+          patch-file: $GITHUB_WORKSPACE/osp/net-snmp/${{ matrix.ref }}.patch
+          configure: --disable-shared --with-wolfssl=$GITHUB_WORKSPACE/build-dir
+          check: false
+
+      - name: Run net-snmp tests
+        working-directory: net-snmp
+        run: |
+          autoconf --version | grep -P '2\.\d\d' -o > dist/autoconf-version
+          make -j test TESTOPTS="${{ matrix.test_opts }}"

.github/workflows/nginx.yml

@@ -1,11 +1,21 @@
 name: nginx Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   build_wolfssl:
     name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
@@ -24,11 +34,14 @@ jobs:
           configure: --enable-nginx ${{ env.wolf_debug_flags }}
           install: true
 
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
       - name: Upload built lib
         uses: actions/upload-artifact@v4
         with:
           name: wolf-install-nginx
-          path: build-dir
+          path: build-dir.tgz
           retention-days: 5
 
   nginx_check:
@@ -84,7 +97,7 @@ jobs:
               stream_ssl_preread.t stream_ssl_realip.t stream_ssl_session_reuse.t stream_ssl.t
               stream_ssl_variables.t stream_ssl_verify_client.t stream_upstream_zone_ssl.t
               upstream_zone_ssl.t uwsgi_ssl_certificate.t uwsgi_ssl_certificate_vars.t
-              uwsgi_ssl.t uwsgi_ssl_verify.t 
+              uwsgi_ssl.t uwsgi_ssl_verify.t
             # Following tests do not pass with sanitizer on (with OpenSSL too)
             sanitize-not-ok: >-
               grpc_ssl.t h2_proxy_request_buffering_ssl.t h2_proxy_ssl.t
@@ -93,6 +106,7 @@ jobs:
               stream_proxy_protocol_ssl.t stream_proxy_ssl_conf_command.t stream_proxy_ssl.t
               stream_proxy_ssl_verify.t
     name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 6
@@ -102,7 +116,9 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: wolf-install-nginx
-          path: build-dir
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
 
       - name: Install dependencies
         run: |
@@ -207,4 +223,4 @@ jobs:
           LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib \
             TMPDIR=$GITHUB_WORKSPACE TEST_NGINX_BINARY=../nginx/objs/nginx \
             prove ${{ matrix.sanitize-ok }}
- 
+

.github/workflows/no-malloc.yml

@@ -0,0 +1,44 @@
+name: No Malloc Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  make_check:
+    strategy:
+      matrix:
+        config: [
+          # Add new configs here
+          '--enable-rsa --enable-keygen --disable-dh CFLAGS="-DWOLFSSL_NO_MALLOC -DRSA_MIN_SIZE=1024"',
+        ]
+    name: make check
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test wolfSSL
+        run: |
+          ./autogen.sh
+          ./configure ${{ matrix.config }}
+          make
+          ./wolfcrypt/test/testwolfcrypt
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          if [ -f test-suite.log ] ; then
+            cat test-suite.log
+          fi

.github/workflows/ntp.yml

@@ -0,0 +1,93 @@
+name: ntp Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all
+          install: true
+          check: false
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-ntp
+          path: build-dir.tgz
+          retention-days: 5
+
+  ntp_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        # List of releases to test
+        ref: [ 4.2.8p15 ]
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 10
+    needs: build_wolfssl
+    steps:
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-ntp
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      # Avoid DoS'ing ntp site so cache the tar.gz
+      - name: Check if we have ntp
+        uses: actions/cache@v4
+        id: cache
+        with:
+          path: ntp-${{ matrix.ref }}.tar.gz
+          key: ntp-${{ matrix.ref }}.tar.gz
+
+      - name: Download ntp
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: |
+          wget https://downloads.nwtime.org/ntp/4.2.8/ntp-${{ matrix.ref }}.tar.gz
+
+      - name: Extract ntp
+        run: |
+          tar -xf ntp-${{ matrix.ref }}.tar.gz
+
+      - name: Build and test ntp
+        working-directory: ntp-${{ matrix.ref }}
+        run: |
+          patch -p1 < $GITHUB_WORKSPACE/osp/ntp/${{ matrix.ref }}/ntp-${{ matrix.ref }}.patch
+          ./bootstrap
+          ./configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir
+          make -j
+          make -j check

.github/workflows/ocsp.yml

@@ -0,0 +1,38 @@
+name: OCSP Test
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  ocsp_stapling:
+    name: ocsp stapling
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout wolfSSL
+        uses: actions/checkout@v4
+
+      - name: Build wolfSSL
+        run: autoreconf -ivf && ./configure --enable-ocsp --enable-ocspstapling && make
+
+      - name: Start OCSP responder 1
+        run: openssl ocsp -port 22221 -ndays 1000 -index certs/ocsp/index-intermediate1-ca-issued-certs.txt -rsigner certs/ocsp/ocsp-responder-cert.pem -rkey certs/ocsp/ocsp-responder-key.pem -CA certs/ocsp/intermediate1-ca-cert.pem &
+
+      - name: Start OCSP responder 2
+        run: openssl ocsp -port 22220 -ndays 1000 -index certs/ocsp/index-ca-and-intermediate-cas.txt -rsigner certs/ocsp/ocsp-responder-cert.pem -rkey certs/ocsp/ocsp-responder-key.pem -CA certs/ocsp/root-ca-cert.pem &
+
+      - name: Start TLS server
+        run: ./examples/server/server -p 11111 -c ./certs/ocsp/server1-cert.pem -k ./certs/ocsp/server1-key.pem -d &
+
+      - name: Test Look Up
+        run: ./examples/client/client -A ./certs/ocsp/root-ca-cert.pem -o

.github/workflows/openldap.yml

@@ -0,0 +1,89 @@
+name: openldap Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-openldap CPPFLAGS=-DWOLFSSL_NO_ASN_STRICT
+          install: true
+          check: true
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-openldap
+          path: build-dir.tgz
+          retention-days: 5
+
+  openldap_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # List of releases to test
+          - osp_ref: 2.5.13
+            git_ref: OPENLDAP_REL_ENG_2_5_13
+    name: ${{ matrix.osp_ref }}
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 20
+    needs: build_wolfssl
+    steps:
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-openldap
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout openldap
+        uses: actions/checkout@v4
+        with:
+          repository: openldap/openldap
+          path: openldap
+          ref: ${{ matrix.git_ref }}
+
+      - name: Build and test OpenLDAP
+        working-directory: openldap
+        run: |
+          export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
+          patch -p1 < $GITHUB_WORKSPACE/osp/openldap/${{ matrix.osp_ref }}/openldap-${{ matrix.osp_ref }}.patch
+          rm aclocal.m4
+          autoreconf -ivf
+          ./configure --with-tls=wolfssl --disable-bdb --disable-hdb \
+            CFLAGS="-I$GITHUB_WORKSPACE/build-dir/include \
+              -I$GITHUB_WORKSPACE/build-dir/include/wolfssl \
+              -L$GITHUB_WORKSPACE/build-dir/lib"
+          make -j depend
+          make -j
+          make -j check

.github/workflows/openssh.yml

@@ -1,11 +1,21 @@
 name: openssh Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   build_wolfssl:
     name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
@@ -17,14 +27,17 @@ jobs:
           path: wolfssl
           configure: >-
             --enable-openssh --enable-dsa --with-max-rsa-bits=8192
-            --enable-intelasm --enable-sp-asm
+            --enable-intelasm --enable-sp-asm CFLAGS="-DRSA_MIN_SIZE=1024"
           install: true
 
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
       - name: Upload built lib
         uses: actions/upload-artifact@v4
         with:
           name: wolf-install-openssh
-          path: build-dir
+          path: build-dir.tgz
           retention-days: 5
 
   openssh_check:
@@ -35,6 +48,7 @@ jobs:
           - git_ref: 'V_9_6_P1'
             osp_ver: '9.6'
     name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     needs: build_wolfssl
     steps:
@@ -42,7 +56,9 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: wolf-install-openssh
-          path: build-dir
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
 
       - name: Checkout OSP
         uses: actions/checkout@v4
@@ -60,7 +76,7 @@ jobs:
           configure: --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-rpath=-Wl,-rpath=
           check: false
 
-      # make tests take >20 minutes. Consider limiting? 
+      # make tests take >20 minutes. Consider limiting?
       - name: Run tests
         working-directory: ./openssh
         run: |

.github/workflows/openvpn.yml

@@ -1,11 +1,21 @@
 name: OpenVPN Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   build_wolfssl:
     name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
@@ -18,11 +28,14 @@ jobs:
           configure: --enable-openvpn
           install: true
 
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
       - name: Upload built lib
         uses: actions/upload-artifact@v4
         with:
           name: wolf-install-openvpn
-          path: build-dir
+          path: build-dir.tgz
           retention-days: 5
 
   openvpn_check:
@@ -30,18 +43,21 @@ jobs:
       fail-fast: false
       matrix:
         # List of refs to test
-        ref: [ release/2.6, v2.6.0, master ]
+        ref: [ release/2.6, master ]
     name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
-    timeout-minutes: 6
+    timeout-minutes: 10
     needs: build_wolfssl
     steps:
       - name: Download lib
         uses: actions/download-artifact@v4
         with:
           name: wolf-install-openvpn
-          path: build-dir
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
 
       - name: Install dependencies
         run: |

.github/workflows/os-check.yml

@@ -1,7 +1,16 @@
 name: Ubuntu-Macos-Windows Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   make_check:
@@ -16,16 +25,24 @@ jobs:
           '--enable-all --enable-asn=original',
           '--enable-harden-tls',
           '--enable-tls13 --enable-session-ticket --enable-dtls --enable-dtls13
-             --enable-opensslextra --enable-sessioncerts 
-             CPPFLAGS=''-DWOLFSSL_DTLS_NO_HVR_ON_RESUME -DHAVE_EXT_CACHE 
+             --enable-opensslextra --enable-sessioncerts
+             CPPFLAGS=''-DWOLFSSL_DTLS_NO_HVR_ON_RESUME -DHAVE_EXT_CACHE
              -DWOLFSSL_TICKET_HAVE_ID -DHAVE_EX_DATA -DSESSION_CACHE_DYNAMIC_MEM'' ',
           '--enable-all --enable-secure-renegotiation',
           '--enable-all --enable-haproxy --enable-quic',
-          '--enable-dtls --enable-dtls13 --enable-earlydata 
-             --enable-session-ticket --enable-psk 
+          '--enable-dtls --enable-dtls13 --enable-earlydata
+             --enable-session-ticket --enable-psk
              CPPFLAGS=''-DWOLFSSL_DTLS13_NO_HRR_ON_RESUME'' ',
+          '--enable-experimental --enable-kyber --enable-dtls --enable-dtls13
+             --enable-dtls-frag-ch',
+          '--enable-all --enable-dtls13 --enable-dtls-frag-ch',
+          '--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
+           --enable-dtls-mtu',
+          '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
+            --enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA',
         ]
     name: make check
+    if: github.repository_owner == 'wolfssl'
     runs-on: ${{ matrix.os }}
     # This should be a safe limit for the tests to run.
     timeout-minutes: 14
@@ -46,6 +63,7 @@ jobs:
           'examples/configs/user_settings_all.h',
         ]
     name: make user_setting.h
+    if: github.repository_owner == 'wolfssl'
     runs-on: ${{ matrix.os }}
     # This should be a safe limit for the tests to run.
     timeout-minutes: 14
@@ -67,9 +85,11 @@ jobs:
           'examples/configs/user_settings_min_ecc.h',
           'examples/configs/user_settings_wolfboot_keytools.h',
           'examples/configs/user_settings_wolftpm.h',
+          'examples/configs/user_settings_wolfssh.h',
           'examples/configs/user_settings_tls12.h',
         ]
     name: make user_setting.h (testwolfcrypt only)
+    if: github.repository_owner == 'wolfssl'
     runs-on: ${{ matrix.os }}
     # This should be a safe limit for the tests to run.
     timeout-minutes: 14
@@ -91,6 +111,7 @@ jobs:
       matrix:
         os: [ ubuntu-latest, macos-latest ]
     name: make user_setting.h (with sed)
+    if: github.repository_owner == 'wolfssl'
     runs-on: ${{ matrix.os }}
     # This should be a safe limit for the tests to run.
     timeout-minutes: 14
@@ -109,7 +130,12 @@ jobs:
 
   windows_build:
     name: Windows Build Test
+    if: github.repository_owner == 'wolfssl'
     runs-on: windows-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [ x64, Win32, ARM64 ]
     # This should be a safe limit for the tests to run.
     timeout-minutes: 6
     env:
@@ -120,7 +146,6 @@ jobs:
       # You can convert this to a build matrix if you need coverage of multiple configuration types.
       # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
       BUILD_CONFIGURATION: Release
-      BUILD_PLATFORM: x64
     steps:
     - uses: actions/checkout@v4
 
@@ -135,8 +160,9 @@ jobs:
       working-directory: ${{env.GITHUB_WORKSPACE}}
       # Add additional options to the MSBuild command line here (like platform or verbosity level).
       # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
-      run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{env.BUILD_PLATFORM}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
+      run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{matrix.arch}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
 
-    - name: Run Test
+    - if: ${{ matrix.arch != 'ARM64' }}
+      name: Run Test
       working-directory: ${{env.GITHUB_WORKSPACE}}
-      run: Release/x64/testsuite.exe
+      run: Release/${{matrix.arch}}/testsuite.exe

.github/workflows/packaging.yml

@@ -1,11 +1,21 @@
 name: Packaging Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   build_wolfssl:
     name: Package wolfSSL
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 10
@@ -28,8 +38,9 @@ jobs:
       - name: Build wolfSSL .deb
         run: make deb-docker
 
-      - name: Build wolfSSL .rpm
-        run: make rpm-docker
+# disabled 20240919 -- broken target.
+#      - name: Build wolfSSL .rpm
+#        run: make rpm-docker
 
       - name: Confirm packages built
         run: |
@@ -38,8 +49,9 @@ jobs:
             echo Did not find exactly two deb packages!!!
             exit 1
           fi
-          RPM_COUNT=$(find -name 'wolfssl*.rpm' | wc -l)
-          if [ "$RPM_COUNT" != "4" ]; then
-            echo Did not find exactly four rpm packages!!!
-            exit 1
-          fi
+# disabled 20240919 -- broken target.
+#          RPM_COUNT=$(find -name 'wolfssl*.rpm' | wc -l)
+#          if [ "$RPM_COUNT" != "4" ]; then
+#            echo Did not find exactly four rpm packages!!!
+#            exit 1
+#          fi

.github/workflows/pam-ipmi.yml

@@ -0,0 +1,92 @@
+name: pam-ipmi Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all
+          install: true
+          # Don't run tests as this config is tested in many other places
+          check: false
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-pam-ipmi
+          path: build-dir.tgz
+          retention-days: 5
+
+  build_pam-ipmi:
+    strategy:
+      fail-fast: false
+      matrix:
+        git_ref: [ e4b13e6725abb178f62ee897fe1c0e81b06a9431 ]
+    name: ${{ matrix.git_ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    needs: build_wolfssl
+    steps:
+      - name: Install dependencies
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          sudo apt-get install libpam-dev ninja-build meson
+
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-pam-ipmi
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout pam-ipmi
+        uses: actions/checkout@v4
+        with:
+          repository: openbmc/pam-ipmi
+          path: pam-ipmi
+          ref: ${{ matrix.git_ref }}
+
+      - name: Build pam-ipmi
+        working-directory: pam-ipmi
+        run: |
+          patch -p1 < ../osp/pam-ipmi/*-${{ matrix.git_ref }}.patch
+          PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig meson setup build
+          ninja -C build
+
+      - name: Confirm built with wolfSSL
+        working-directory: pam-ipmi
+        run: |
+          ldd ./build/src/pam_ipmisave/pam_ipmisave.so | grep wolfssl

.github/workflows/rng-tools.yml

@@ -0,0 +1,116 @@
+name: rng-tools Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all
+          install: true
+          check: false
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-rng-tools
+          path: build-dir.tgz
+          retention-days: 5
+
+  rng-tools_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        # List of releases to test
+        ref: [ 6.16 ]
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    needs: build_wolfssl
+    steps:
+      - name: Install dependencies
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          sudo apt-get install -y libcurl4-openssl-dev libjansson-dev libp11-dev librtlsdr-dev libcap-dev
+
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-rng-tools
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout jitterentropy-library
+        uses: actions/checkout@v4
+        with:
+          repository: smuellerDD/jitterentropy-library
+          path: jitterentropy-library
+          ref: v3.5.0
+
+      - name: Build jitterentropy-library
+        working-directory: jitterentropy-library
+        run: make -j
+
+      - name: Build rng-tools
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: nhorman/rng-tools
+          ref: v${{ matrix.ref }}
+          path: rng-tools
+          patch-file: $GITHUB_WORKSPACE/osp/rng-tools/${{ matrix.ref }}.patch
+          configure: --without-pkcs11 --enable-jitterentropy=$GITHUB_WORKSPACE/jitterentropy-library --with-wolfssl=$GITHUB_WORKSPACE/build-dir
+          check: false
+
+      - name: Testing rng-tools
+        id: testing
+        working-directory: rng-tools
+        run: |
+          # Retry up to five times
+          for i in {1..5}; do
+            TEST_RES=0
+            LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$GITHUB_WORKSPACE/build-dir/lib make check || TEST_RES=$?
+            if [ "$TEST_RES" -eq "0" ]; then
+               break
+            fi
+          done
+          if [ "$TEST_RES" -ne "0" ]; then
+            exit $TEST_RES
+          fi
+
+      - name: Print logs
+        if: ${{ failure() && steps.testing.outcome == 'failure' }}
+        working-directory: rng-tools/tests
+        run: cat test-suite.log

.github/workflows/socat.yml

@@ -0,0 +1,81 @@
+name: socat Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-maxfragment --enable-opensslall --enable-opensslextra --enable-dtls --enable-oldtls --enable-tlsv10 --enable-ipv6 'CPPFLAGS=-DWOLFSSL_NO_DTLS_SIZE_CHECK -DOPENSSL_COMPATIBLE_DEFAULTS'
+          install: true
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-socat
+          path: build-dir.tgz
+          retention-days: 5
+
+
+  socat_check:
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 30
+    needs: build_wolfssl
+    steps:
+      - name: Install prereqs
+        run:
+          sudo apt-get install build-essential autoconf libtool pkg-config clang libc++-dev
+
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-socat
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Download socat
+        run: curl -O http://www.dest-unreach.org/socat/download/socat-1.8.0.0.tar.gz && tar xvf socat-1.8.0.0.tar.gz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Build socat
+        working-directory: ./socat-1.8.0.0
+        run: |
+          patch -p1 < ../osp/socat/1.8.0.0/socat-1.8.0.0.patch
+          autoreconf -vfi
+          ./configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --enable-default-ipv=4
+          make
+
+      - name: Run socat tests
+        working-directory: ./socat-1.8.0.0
+        run: |
+          export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
+          export SHELL=/bin/bash
+          SOCAT=$GITHUB_WORKSPACE/socat-1.8.0.0/socat ./test.sh -t 0.5 --expect-fail 36,64,146,214,216,217,309,310,386,399,402,403,459,460,467,468,478,492,528,530

.github/workflows/softhsm.yml

@@ -0,0 +1,94 @@
+name: SoftHSMv2 Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 10
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all CFLAGS=-DRSA_MIN_SIZE=1024
+          install: true
+          check: false
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-softhsm
+          path: build-dir.tgz
+          retention-days: 5
+
+  softhsm_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        # List of releases to test
+        ref: [ 2.6.1 ]
+    name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 20
+    needs: build_wolfssl
+    steps:
+      - name: Install dependencies
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          sudo apt-get install -y libcppunit-dev
+
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-softhsm
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout SoftHSMv2
+        uses: actions/checkout@v4
+        with:
+          repository: opendnssec/SoftHSMv2
+          path: softhsm
+          ref: ${{ matrix.ref }}
+
+      # Not using wolfSSL/actions-build-autotools-project@v1 because autogen.sh doesn't work
+      - name: Build softhsm
+        working-directory: softhsm
+        run: |
+          patch -p1 < $GITHUB_WORKSPACE/osp/softhsm/${{ matrix.ref }}.patch
+          autoreconf -if
+          ./configure --with-crypto-backend=wolfssl WOLFSSL_INSTALL_DIR=$GITHUB_WORKSPACE/build-dir
+          make -j
+
+      - name: Test softhsm
+        working-directory: softhsm
+        run: make -j check

.github/workflows/sssd.yml

@@ -0,0 +1,99 @@
+name: sssd Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    if: github.repository_owner == 'wolfssl'
+    name: Build wolfSSL
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all CFLAGS=-DWOLFSSL_NO_ASN_STRICT
+          install: true
+          check: false
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-sssd
+          path: build-dir.tgz
+          retention-days: 5
+
+  sssd_check:
+    if: github.repository_owner == 'wolfssl'
+    strategy:
+      fail-fast: false
+      matrix:
+        # List of releases to test
+        ref: [ 2.9.1 ]
+    name: ${{ matrix.ref }}
+    runs-on: ubuntu-latest
+    container:
+      image: quay.io/sssd/ci-client-devel:ubuntu-latest
+      env:
+        LD_LIBRARY_PATH: /usr/local/lib
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 20
+    needs: build_wolfssl
+    steps:
+      - name: Install dependencies
+        run: |
+          # Don't prompt for anything
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          sudo apt-get install -y build-essential autoconf libldb-dev libldb2 python3-ldb bc
+
+      - name: Setup env
+        run: |
+          ln -s samba-4.0/ldb.h /usr/include/ldb.h
+          ln -s samba-4.0/ldb_errors.h /usr/include/ldb_errors.h
+          ln -s samba-4.0/ldb_handlers.h /usr/include/ldb_handlers.h
+          ln -s samba-4.0/ldb_module.h /usr/include/ldb_module.h
+          ln -s samba-4.0/ldb_version.h /usr/include/ldb_version.h
+
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-sssd
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Build and test sssd
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          repository: SSSD/sssd
+          ref: ${{ matrix.ref }}
+          path: sssd
+          patch-file: $GITHUB_WORKSPACE/osp/sssd/${{ matrix.ref }}.patch
+          configure: >-
+            --without-samba --without-nfsv4-idmapd-plugin --with-oidc-child=no
+            --without-manpages WOLFSSL_INSTALL_DIR=$GITHUB_WORKSPACE/build-dir
+          check: true
+

.github/workflows/stunnel.yml

@@ -1,11 +1,21 @@
 name: stunnel Tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   build_wolfssl:
     name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
     # Just to keep it the same as the testing target
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
@@ -18,11 +28,14 @@ jobs:
           configure: --enable-stunnel
           install: true
 
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
       - name: Upload built lib
         uses: actions/upload-artifact@v4
         with:
           name: wolf-install-stunnel
-          path: build-dir
+          path: build-dir.tgz
           retention-days: 5
 
   stunnel_check:
@@ -32,6 +45,7 @@ jobs:
         # List of releases to test
         ref: [ 5.67 ]
     name: ${{ matrix.ref }}
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
     timeout-minutes: 4
@@ -41,8 +55,10 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: wolf-install-stunnel
-          path: build-dir
-    
+
+      - name: untar build-dir
+        run: tar -xf build-dir.tgz
+
       - name: Checkout OSP
         uses: actions/checkout@v4
         with:

.github/workflows/win-csharp-test.yml

@@ -0,0 +1,58 @@
+name: Windows CSharp Build Test
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  build:
+
+    if: github.repository_owner == 'wolfssl'
+    runs-on: windows-latest
+
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+
+    env:
+      # Path to the solution file relative to the root of the project.
+      SOLUTION_FILE_PATH: wolfssl\wrapper\CSharp\wolfSSL_CSharp.sln
+
+      # Configuration type to build.
+      # You can convert this to a build matrix if you need coverage of multiple configuration types.
+      # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
+      BUILD_CONFIGURATION: Debug
+      BUILD_PLATFORM: x64
+
+    steps:
+        - name: Pull wolfssl
+          uses: actions/checkout@master
+          with:
+            repository: wolfssl/wolfssl
+            path: wolfssl
+
+        - name: Create FIPS stub files (autogen)
+          working-directory: wolfssl
+          run: |
+            echo $null >> wolfcrypt\src\fips.c
+            echo $null >> wolfcrypt\src\fips_test.c
+            echo $null >> wolfcrypt\src\wolfcrypt_first.c
+            echo $null >> wolfcrypt\src\wolfcrypt_last.c
+
+        - name: Add MSBuild to PATH
+          uses: microsoft/setup-msbuild@v1
+
+        - name: Build
+          working-directory: ${{env.GITHUB_WORKSPACE}}
+          # Add additional options to the MSBuild command line here (like platform or verbosity level).
+          # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
+          run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{env.BUILD_PLATFORM}} /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
+
+        - name: Run wolfCrypt test
+          working-directory: ${{env.GITHUB_WORKSPACE}}wolfssl\wrapper\CSharp\Debug\x64\
+          run: ./wolfCrypt-test.exe
+
+        - name: Run wolfSSL client/server example
+          working-directory: ${{env.GITHUB_WORKSPACE}}wolfssl\wrapper\CSharp\Debug\x64\
+          run: ./wolfSSL-TLS-Server.exe && sleep 1 & ./wolfSSL-TLS-Client.exe

.github/workflows/zephyr.yml

@@ -1,7 +1,16 @@
 name: Zephyr tests
 
+# START OF COMMON SECTION
 on:
-  workflow_call:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
 
 jobs:
   run_test:
@@ -14,9 +23,12 @@ jobs:
             zephyr-sdk: 0.16.1
           - zephyr-ref: v3.5.0
             zephyr-sdk: 0.16.3
+          - zephyr-ref: v2.7.4
+            zephyr-sdk: 0.16.3
+    if: github.repository_owner == 'wolfssl'
     runs-on: ubuntu-latest
     # This should be a safe limit for the tests to run.
-    timeout-minutes: 15
+    timeout-minutes: 25
     steps:
       - name: Install dependencies
         run: |
@@ -34,7 +46,7 @@ jobs:
             libglib2.0-dev libgtk2.0-0 liblocale-gettext-perl libncurses5-dev libpcap-dev \
             libpopt0 libsdl1.2-dev libsdl2-dev libssl-dev libtool libtool-bin locales make \
             net-tools ninja-build openssh-client parallel pkg-config python3-dev python3-pip \
-            python3-ply python3-setuptools python-is-python3 qemu rsync socat srecord sudo \
+            python3-ply python3-setuptools python-is-python3 qemu-kvm rsync socat srecord sudo \
             texinfo unzip wget ovmf xz-utils
 
       - name: Install west
@@ -69,25 +81,38 @@ jobs:
           cd zephyr-sdk-${{ matrix.config.zephyr-sdk }}
           ./setup.sh -h -c -t x86_64-zephyr-elf
 
+      - name: Fix options for 2.7.4
+        if: ${{ matrix.config.zephyr-ref == 'v2.7.4' }}
+        working-directory: zephyr/modules/crypto/wolfssl
+        run: |
+          sed -i -e 's/CONFIG_COMMON_LIBC_MALLOC_ARENA_SIZE/CONFIG_MINIMAL_LIBC_MALLOC_ARENA_SIZE/g' $(find -name prj.conf)
+
       - name: Run wolfssl test
         id: wolfssl-test
         working-directory: zephyr
         run: |
-          ./zephyr/scripts/twister --testsuite-root modules/crypto/wolfssl --test zephyr/samples/wolfssl_test/sample.crypto.wolfssl_test -vvv
+          ./zephyr/scripts/twister -T modules/crypto/wolfssl --test zephyr/samples/wolfssl_test/sample.crypto.wolfssl_test -vvv
+          rm -rf zephyr/twister-out
+          ./zephyr/scripts/twister -T modules/crypto/wolfssl --test zephyr/samples/wolfssl_test/sample.crypto.wolfssl_test_no_malloc -vvv
           rm -rf zephyr/twister-out
 
       - name: Run wolfssl TLS sock test
+        # Results in a page fault that I can't trace
+        if: ${{ matrix.config.zephyr-ref != 'v2.7.4' }}
         id: wolfssl-tls-sock
         working-directory: zephyr
         run: |
-          ./zephyr/scripts/twister --testsuite-root modules/crypto/wolfssl --test zephyr/samples/wolfssl_tls_sock/sample.crypto.wolfssl_tls_sock -vvv
+          ./zephyr/scripts/twister -T modules/crypto/wolfssl --test zephyr/samples/wolfssl_tls_sock/sample.crypto.wolfssl_tls_sock -vvv
+          rm -rf zephyr/twister-out
+          ./zephyr/scripts/twister -T modules/crypto/wolfssl --test zephyr/samples/wolfssl_tls_sock/sample.crypto.wolfssl_tls_sock_no_malloc -vvv
           rm -rf zephyr/twister-out
 
       - name: Run wolfssl TLS thread test
+        if: ${{ matrix.config.zephyr-ref != 'v2.7.4' }}
         id: wolfssl-tls-thread
         working-directory: zephyr
         run: |
-          ./zephyr/scripts/twister --testsuite-root modules/crypto/wolfssl --test zephyr/samples/wolfssl_tls_thread/sample.crypto.wolfssl_tls_thread -vvv
+          ./zephyr/scripts/twister -T modules/crypto/wolfssl --test zephyr/samples/wolfssl_tls_thread/sample.crypto.wolfssl_tls_thread -vvv
           rm -rf zephyr/twister-out
 
       - name: Zip failure logs

.gitignore

@@ -10,6 +10,7 @@ ctaocrypt/src/src/
 *.cache
 .dirstamp
 *.user
+!*-VS2022.vcxproj.user
 configure
 config.*
 !cmake/config.in
@@ -245,6 +246,7 @@ linuxkm/libwolfssl.mod.c
 linuxkm/libwolfssl.lds
 linuxkm/module_exports.c
 linuxkm/linuxkm/get_thread_size
+*.nds
 
 # autotools generated
 scripts/unit.test
@@ -413,6 +415,14 @@ user_settings_asm.h
 /IDE/Espressif/**/sdkconfig
 /IDE/Espressif/**/sdkconfig.old
 
+# ESP8266 RTOS SDK has a slightly different sdkconfig filename to exclude:
+/IDE/Espressif/**/sdkconfig.debug
+/IDE/Espressif/**/sdkconfig.release
+
+# Always include Espressif makefiles (typically only used for ESP8266)
+!/IDE/Espressif/**/Makefile
+!/IDE/Espressif/**/component.mk
+
 # MPLAB
 /IDE/MPLABX16/wolfssl.X/dist/default/
 /IDE/MPLABX16/wolfssl.X/.generated_files
@@ -433,3 +443,21 @@ MagicCrypto
 debian/changelog
 debian/control
 *.deb
+
+# Ada/Alire files
+wrapper/Ada/alire/
+wrapper/Ada/config/
+wrapper/Ada/lib/
+wrapper/Ada/obj/
+
+# PlatformIO
+/**/.pio
+/**/.vscode/.browse.c_cpp.db*
+/**/.vscode/c_cpp_properties.json
+/**/.vscode/launch.json
+/**/.vscode/ipch
+/**/sdkconfig.esp32dev
+
+# Autogenerated debug trace headers
+wolfssl/debug-trace-error-codes.h
+wolfssl/debug-untrace-error-codes.h

.wolfssl_known_macro_extras

@@ -0,0 +1,982 @@
+AES_GCM_GMULT_NCT
+AFX_RESOURCE_DLL
+AFX_TARG_ENU
+ALLOW_BINARY_MISMATCH_INTROSPECTION
+ALLOW_V1_EXTENSIONS
+ANDROID
+APP_ESP_HTTP_CLIENT
+APP_ESP_HTTP_CLIENT_EXAMPLE
+APSTUDIO_INVOKED
+ARCH_sim
+ARDUINO
+ARDUINO_ARCH_RP2040
+ARDUINO_SAMD_NANO_33_IOT
+ARDUINO_SAM_DUE
+ASN_DUMP_OID
+ASN_TEMPLATE_SKIP_ISCA_CHECK
+ATCAPRINTF
+ATCA_ENABLE_DEPRECATED
+AVR
+BASE64_NO_TABLE
+BLAKE2B_SELFTEST
+BLAKE2S_SELFTEST
+BLOCKING
+BSP_DEFAULT_IO_CHANNEL_DEFINED
+BSP_LED_0
+BSP_LED_1
+BSP_SDCARD_ESDHC_CHANNEL
+BSP_SDCARD_SDHC_CHANNEL
+BSP_SDCARD_SPI_CHANNEL
+CAAM_OUT_INVALIDATE
+CIOCASYMFEAT
+CIOCGSESSINFO
+CMSIS_OS2_H_
+COMPONENT_WOLFSSL
+CONFIG_ARCH_CHIP_STM32F746ZG
+CONFIG_ARCH_CHIP_STM32H743ZI
+CONFIG_ARCH_CHIP_STM32L552ZE
+CONFIG_ARCH_POSIX
+CONFIG_ARM
+CONFIG_ARM64
+CONFIG_BOARD_NATIVE_POSIX
+CONFIG_COMPILER_OPTIMIZATION_DEFAULT
+CONFIG_COMPILER_OPTIMIZATION_NONE
+CONFIG_COMPILER_OPTIMIZATION_PERF
+CONFIG_COMPILER_OPTIMIZATION_SIZE
+CONFIG_CRYPTO_FIPS
+CONFIG_CRYPTO_MANAGER
+CONFIG_CSPRNG_ENABLED
+CONFIG_ESP32C2_DEFAULT_CPU_FREQ_MHZ
+CONFIG_ESP32C3_DEFAULT_CPU_FREQ_MHZ
+CONFIG_ESP32H2_DEFAULT_CPU_FREQ_MHZ
+CONFIG_ESP32S2_DEFAULT_CPU_FREQ_MHZ
+CONFIG_ESP32S3_DEFAULT_CPU_FREQ_MHZ
+CONFIG_ESP32_DEFAULT_CPU_FREQ_MHZ
+CONFIG_ESP8266_XTAL_FREQ_26
+CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_160
+CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240
+CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_80
+CONFIG_ESP_ENABLE_WOLFSSH
+CONFIG_ESP_MAIN_TASK_STACK_SIZE
+CONFIG_ESP_TLS_USING_WOLFSSL
+CONFIG_ESP_WIFI_PASSWORD
+CONFIG_ESP_WIFI_SSID
+CONFIG_ESP_WOLFSSL_ENABLE_KYBER
+CONFIG_ESP_WOLFSSL_ENABLE_WOLFSSH
+CONFIG_ESP_WOLFSSL_NO_ESP32_CRYPT
+CONFIG_ESP_WOLFSSL_NO_HW_AES
+CONFIG_ESP_WOLFSSL_NO_HW_HASH
+CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI
+CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD
+CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_MP_MUL
+CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD
+CONFIG_FREERTOS_HZ
+CONFIG_FREERTOS_UNICORE
+CONFIG_IDF_TARGET
+CONFIG_IDF_TARGET_ARCH_RISCV
+CONFIG_IDF_TARGET_ARCH_XTENSA
+CONFIG_IDF_TARGET_ESP32
+CONFIG_IDF_TARGET_ESP32C2
+CONFIG_IDF_TARGET_ESP32C3
+CONFIG_IDF_TARGET_ESP32C6
+CONFIG_IDF_TARGET_ESP32H2
+CONFIG_IDF_TARGET_ESP32S2
+CONFIG_IDF_TARGET_ESP32S3
+CONFIG_IDF_TARGET_ESP8266
+CONFIG_IDF_TARGET_ESP8684
+CONFIG_MAIN_TASK_STACK_SIZE
+CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+CONFIG_MBEDTLS_PSA_CRYPTO_C
+CONFIG_MIPS
+CONFIG_MODULE_SIG
+CONFIG_NET_SOCKETS_SOCKOPT_TLS
+CONFIG_NEWLIB_LIBC
+CONFIG_NEWLIB_NANO_FORMAT
+CONFIG_PICOLIBC
+CONFIG_POSIX_API
+CONFIG_POSIX_THREADS
+CONFIG_PREEMPT_COUNT
+CONFIG_PTHREAD_IPC
+CONFIG_SMP
+CONFIG_SNTP_TIME_SYNC_METHOD_SMOOTH
+CONFIG_TIMER_TASK_STACK_DEPTH
+CONFIG_TIMER_TASK_STACK_SIZE
+CONFIG_TLS_STACK_WOLFSSL
+CONFIG_USE_WOLFSSL_ESP_SDK_TIME
+CONFIG_USE_WOLFSSL_ESP_SDK_WIFI
+CONFIG_WOLFCRYPT_ARMASM
+CONFIG_WOLFCRYPT_FIPS
+CONFIG_WOLFCRYPT_INTELASM
+CONFIG_WOLFSSL
+CONFIG_WOLFSSL_ALLOW_TLS13
+CONFIG_WOLFSSL_ALPN
+CONFIG_WOLFSSL_ALT_CERT_CHAINS
+CONFIG_WOLFSSL_APPLE_HOMEKIT
+CONFIG_WOLFSSL_ASN_ALLOW_0_SERIAL
+CONFIG_WOLFSSL_CERTIFICATE_BUNDLE
+CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE
+CONFIG_WOLFSSL_DTLS
+CONFIG_WOLFSSL_ENABLE_KYBER
+CONFIG_WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
+CONFIG_WOLFSSL_EXAMPLE_NAME_ESP8266_SSH_SERVER
+CONFIG_WOLFSSL_EXAMPLE_NAME_NONE
+CONFIG_WOLFSSL_EXAMPLE_NAME_TEMPLATE
+CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT
+CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_SERVER
+CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFMQTT_AWS_IOT_MQTT
+CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFMQTT_TEMPLATE
+CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
+CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE
+CONFIG_WOLFSSL_HKDF
+CONFIG_WOLFSSL_MAX_FRAGMENT_LEN
+CONFIG_WOLFSSL_NO_ASN_STRICT
+CONFIG_WOLFSSL_PSK
+CONFIG_WOLFSSL_RSA_PSS
+CONFIG_WOLFSSL_TARGET_HOST
+CONFIG_WOLFSSL_TARGET_PORT
+CONFIG_WOLFSSL_TLS13_ENABLED
+CONFIG_WOLFSSL_TLS_VERSION_1_2
+CONFIG_WOLFSSL_TLS_VERSION_1_3
+CONFIG_WOLFTPM_EXAMPLE_NAME_ESPRESSIF
+CONFIG_X86
+CONV_WITH_DIV
+CPA_CY_API_VERSION_NUM_MAJOR
+CPU_MIMXRT1176DVMAA_cm7
+CPU_MK82FN256VLL15
+CRLDP_VALIDATE_DATA
+CRL_REPORT_LOAD_ERRORS
+CRL_STATIC_REVOKED_LIST
+CRYPTOCELL_KEY_SIZE
+CRYP_HEADERWIDTHUNIT_BYTE
+CRYP_KEYIVCONFIG_ONCE
+CRYP_KEYSIZE_192B
+CSM_UNSUPPORTED_ALGS
+CTYPE_USER
+CURVED448_SMALL
+CY_USING_HAL
+DCP_USE_DCACHE
+DILITHIUM_MUL_11_SLOW
+DILITHIUM_MUL_44_SLOW
+DILITHIUM_MUL_QINV_SLOW
+DILITHIUM_MUL_Q_SLOW
+DILITHIUM_MUL_SLOW
+DILITHIUM_USE_HINT_CT
+DTLS_RECEIVEFROM_NO_TIMEOUT_ON_INVALID_PEER
+ECCSI_ORDER_MORE_BITS_THAN_PRIME
+ECC_DUMP_OID
+ECDHE_SIZE
+ENABLE_SECURE_SOCKETS_LOGS
+ESP32
+ESP8266
+ESP_ENABLE_WOLFSSH
+ESP_IDF_VERSION_MAJOR
+ESP_IDF_VERSION_MINOR
+ESP_PLATFORM
+ESP_TASK_MAIN_STACK
+EV_TRIGGER
+FP_ECC_CONTROL
+FREERTOS_TCP_WINSIM
+FREESCALE
+FREESCALE_RNGB
+FREESCALE_USE_MMCAU_CLASSIC
+FSL_FEATURE_HAS_L1CACHE
+FSL_FEATURE_LTC_HAS_DES
+FSL_FEATURE_LTC_HAS_GCM
+FSL_FEATURE_LTC_HAS_PKHA
+FSL_FEATURE_LTC_HAS_SHA
+FSL_FEATURE_SOC_LTC_COUNT
+FSL_FEATURE_SOC_MMCAU_COUNT
+FSL_FEATURE_SOC_RNG_COUNT
+FSL_FEATURE_SOC_TRNG_COUNT
+FUSION_RTOS
+GENERATE_MACHINE_PARSEABLE_REPORT
+GE_P3_TOBYTES_IMPL
+GOAHEAD_WS
+HAL_RTC_MODULE_ENABLED
+HARDWARE_CACHE_COHERENCY
+HASH_AlgoMode_HASH
+HASH_BYTE_SWAP
+HASH_CR_LKEY
+HASH_DIGEST
+HASH_DataType_8b
+HASH_IMR_DCIE
+HASH_IMR_DINIE
+HAVE_AESGCM_DECRYPT
+HAVE_BYTEREVERSE64
+HAVE_CERTIFICATE_STATUS_V2
+HAVE_COLDFIRE_SEC
+HAVE_CRL_UPDATE_CB
+HAVE_CSHARP
+HAVE_CURL
+HAVE_CURVE22519
+HAVE_DANE
+HAVE_ECC239
+HAVE_ECC320
+HAVE_ECC512
+HAVE_ECC_CDH_CAST
+HAVE_ECC_SM2
+HAVE_ESP_CLK
+HAVE_EX_DATA_CRYPTO
+HAVE_EX_DATA_CLEANUP_HOOKS
+HAVE_FACON
+HAVE_FIPS_VERSION_PORT
+HAVE_FUZZER
+HAVE_INTEL_MULX
+HAVE_INTEL_QAT_SYNC
+HAVE_INTEL_SPEEDUP
+HAVE_MDK_RTX
+HAVE_NETX_BSD
+HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK
+HAVE_POCO_LIB
+HAVE_RTP_SYS
+HAVE_SECURE_GETENV
+HAVE_STACK_SIZE_VERBOSE_LOG
+HAVE_THREADX
+HAVE_TM_TYPE
+HAVE_VALIDATE_DATE
+HAVE_VA_COPY
+HAVE_X448
+HONOR_MATH_USED_LENGTH
+HSM_KEY_TYPE_HMAC_224
+HSM_KEY_TYPE_HMAC_256
+HSM_KEY_TYPE_HMAC_384
+HSM_KEY_TYPE_HMAC_512
+HSM_OP_KEY_GENERATION_FLAGS_CREATE
+HSM_OP_KEY_GENERATION_FLAGS_UPDATE
+HSM_SVC_KEY_STORE_FLAGS_UPDATE
+IDIRECT_DEV_RANDOM
+IDIRECT_DEV_TIME
+ID_TRNG
+IGNORE_KEY_EXTENSIONS
+IGNORE_NETSCAPE_CERT_TYPE
+INCLUDE_uxTaskGetStackHighWaterMark
+INTEGRITY
+INTIMEVER
+IOTSAFE_NO_GETDATA
+IOTSAFE_SIG_8BIT_LENGTH
+KCAPI_USE_XMALLOC
+KYBER_NONDETERMINISTIC
+K_SERIES
+LIBWOLFSSL_VERSION_GIT_BRANCH
+LIBWOLFSSL_VERSION_GIT_HASH
+LIBWOLFSSL_VERSION_GIT_HASH_DATE
+LIBWOLFSSL_VERSION_GIT_ORIGIN
+LIBWOLFSSL_VERSION_GIT_SHORT_HASH
+LIBWOLFSSL_VERSION_GIT_TAG
+LINUXKM_FPU_STATES_FOLLOW_THREADS
+LINUXKM_LKCAPI_PRIORITY_ALLOW_MASKING
+LINUX_CYCLE_COUNT
+LINUX_RUSAGE_UTIME
+LP64
+MAX3266X_AESGCM
+MAX3266X_RSA
+MAXQ10XX_PRODUCTION_KEY
+MAXQ_EXPORT_TLS_KEYS
+MAXQ_SHA1
+MAXSEG_64K
+MAX_WOLFSSL_FILE_SIZE
+MDK_CONF_BARE_METAL
+MDK_CONF_FS
+MDK_CONF_RTX_TCP_FS
+MDK_CONF_TCP_FS
+MDK_WOLFLIB
+MICRIUM_MALLOC
+MICROCHIP_MPLAB_HARMONY
+MICROCHIP_MPLAB_HARMONY_3
+MICRO_SESSION_CACHEx
+MODULE_SOCK_TCP
+MP_31BIT
+MP_8BIT
+MQX_USE_IO_OLD
+MULTI_VALUE_STATISTICS
+MUTEX_DURING_INIT
+NEED_THREADX_TYPES
+NETX_DUO
+NET_SECURE_MODULE_EN
+NOTE_TRIGGER
+NO_AES_DECRYPT
+NO_ARDUINO_DEFAULT
+NO_ASM
+NO_ASN_OLD_TYPE_NAMES
+NO_CAMELLIA_CBC
+NO_CERT
+NO_CIPHER_SUITE_ALIASES
+NO_CLIENT_CACHE
+NO_CLOCK_SPEEDUP
+NO_CURVE25519_KEY_EXPORT
+NO_CURVE25519_KEY_IMPORT
+NO_CURVE25519_SHARED_SECRET
+NO_CURVE448_KEY_EXPORT
+NO_CURVE448_KEY_IMPORT
+NO_CURVE448_SHARED_SECRET
+NO_DEV_URANDOM
+NO_ECC384
+NO_ECC521
+NO_ECC_CACHE_CURVE
+NO_ECC_CHECK_KEY
+NO_ECC_KEY_IMPORT
+NO_ECC_MAKE_PUB
+NO_ED25519_CLIENT_AUTH
+NO_ED25519_KEY_EXPORT
+NO_ED25519_KEY_IMPORT
+NO_ED25519_MAKE_KEY
+NO_ED25519_SIGN
+NO_ED25519_VERIFY
+NO_ED448_CLIENT_AUTH
+NO_ED448_KEY_EXPORT
+NO_ED448_KEY_IMPORT
+NO_ED448_SIGN
+NO_ED448_VERIFY
+NO_ESP_MP_MUL_EVEN_ALT_CALC
+NO_FORCE_SCR_SAME_SUITE
+NO_GCM_ENCRYPT_EXTRA
+NO_GETENV
+NO_HANDSHAKE_DONE_CB
+NO_IMX6_CAAM_AES
+NO_IMX6_CAAM_HASH
+NO_OLD_NAMES
+NO_OLD_POLY1305
+NO_OLD_TIMEVAL_NAME
+NO_PBKDF1
+NO_PIC32MZ_CRYPT
+NO_PIC32MZ_HASH
+NO_PIC32MZ_RNG
+NO_PKCS11_AES
+NO_PKCS11_AESCBC
+NO_PKCS11_AESGCM
+NO_PKCS11_ECC
+NO_PKCS11_ECDH
+NO_PKCS11_EC_KEYGEN
+NO_PKCS11_HMAC
+NO_PKCS11_RNG
+NO_PKCS11_RSA
+NO_PKCS11_RSA_PKCS
+NO_PKCS7
+NO_PKCS7_COMPRESSED_DATA
+NO_PKCS7_ENCRYPTED_DATA
+NO_PKCS7_STREAM
+NO_POLY1305_ASM
+NO_PUBLIC_CCM_SET_NONCE
+NO_PUBLIC_GCM_SET_IV
+NO_RESUME_SUITE_CHECK
+NO_RNG
+NO_RNG_MUTEX
+NO_SESSION_CACHE_ROW_LOCK
+NO_SKID
+NO_SKIP_PREVIEW
+NO_STDIO_FGETS_REMAP
+NO_TKERNEL_MEM_POOL
+NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
+NO_VERIFY_OID
+NO_WC_SSIZE_TYPE
+NO_WOLFSSL_ALLOC_ALIGN
+NO_WOLFSSL_AUTOSAR_CRYIF
+NO_WOLFSSL_AUTOSAR_CRYPTO
+NO_WOLFSSL_AUTOSAR_CSM
+NO_WOLFSSL_BASE64_DECODE
+NO_WOLFSSL_MSG_EX
+NO_WOLFSSL_RENESAS_FSPSM_AES
+NO_WOLFSSL_RENESAS_FSPSM_HASH
+NO_WOLFSSL_RENESAS_TSIP_CRYPT_AES
+NO_WOLFSSL_SHA256
+NO_WOLFSSL_SHA256_INTERLEAVE
+NO_WOLFSSL_SHA512_INTERLEAVE
+NO_WOLFSSL_SKIP_TRAILING_PAD
+NO_WOLFSSL_SMALL_STACK_STATIC
+NO_WOLFSSL_XILINX_TAG_MALLOC
+NRF52
+NRF52_SERIES
+NRF_ERROR_MODULE_ALREADY_INITIALIZED
+OLD_HELLO_ALLOWED
+OPENSSL_EXTRA_BSD
+OPENSSL_EXTRA_NO_ASN1
+OPENSSL_EXTRA_NO_BN
+OPENSSL_NO_PK
+OS_WINDOWS
+OTHERBOARD
+OTHER_BOARD
+PEER_INFO
+PKA_ECC_SCALAR_MUL_IN_B_COEFF
+PLATFORMIO
+PLUTON_CRYPTO_ECC
+PRINT_SESSION_STATS
+PTHREAD_STACK_MIN
+QAT_ENABLE_HASH
+QAT_ENABLE_RNG
+QAT_USE_POLLING_CHECK
+RC_NO_RNG
+REDIRECTION_IN3_KEYELMID
+REDIRECTION_IN3_KEYID
+REDIRECTION_OUT1_KEYELMID
+REDIRECTION_OUT1_KEYID
+REDIRECTION_OUT2_KEYELMID
+REDIRECTION_OUT2_KEYID
+RENESAS_T4_USE
+RTC_ALARMSUBSECONDMASK_ALL
+RTE_CMSIS_RTOS_RTX
+RTOS_MODULE_NET_AVAIL
+RTPLATFORM
+SA_INTERRUPT
+SCEKEY_INSTALLED
+SHA256_MANY_REGISTERS
+SHA3_BY_SPEC
+SHOW_CERTS
+SHOW_GEN
+SHOW_SIZES
+SHOW_SSID_AND_PASSWORD
+SIM_SCGC3_RNGA_MASK
+SIM_SCGC5_PORTC_MASK
+SIM_SCGC5_PORTD_MASK
+SIM_SCGC5_PORTE_MASK
+SIM_SCGC6_RNGA_MASK
+SL_SE_KEY_TYPE_ECC_P384
+SL_SE_KEY_TYPE_ECC_P521
+SL_SE_KEY_TYPE_ECC_X25519
+SL_SE_KEY_TYPE_ECC_X448
+SL_SE_PRF_HMAC_SHA1
+SOFTDEVICE_PRESENT
+SO_NOSIGPIPE
+SO_REUSEPORT
+SP_INT_NO_ASM
+SP_MATH_NEED_ADD_OFF
+SP_USE_DIVTI3
+SQRTMOD_USE_MOD_EXP
+SSL_SNIFFER_EXPORTS
+SSN_BUILDING_LIBYASSL
+STATIC_CHUNKS_ONLY
+STM32F107xC
+STM32F207xx
+STM32F217xx
+STM32F401xE
+STM32F407xx
+STM32F437xx
+STM32F756xx
+STM32F777xx
+STM32G071xx
+STM32G491xx
+STM32H563xx
+STM32H723xx
+STM32H725xx
+STM32H743xx
+STM32H753xx
+STM32L475xx
+STM32L4A6xx
+STM32L552xx
+STM32L562xx
+STM32MP135Fxx
+STM32U575xx
+STM32U585xx
+STM32U5A9xx
+STM32WB55xx
+STM32WL55xx
+STM32_AESGCM_PARTIAL
+STM32_HW_CLOCK_AUTO
+STM32_NUTTX_RNG
+TASK_EXTRA_STACK_SIZE
+TCP_NODELAY
+TFM_ALREADY_SET
+TFM_SMALL_MONT_SET
+THREADED_SNIFFTEST
+TIME_T_NOT_LONG
+TI_DUMMY_BUILD
+TLS13_RSA_PSS_SIGN_CB_NO_PREHASH
+UNICODE
+USER_CA_CB
+USER_CUSTOM_SNIFFX
+USER_MATH_LIB
+USE_ALT_MPRIME
+USE_ANY_ADDR
+USE_CERT_BUFFERS_25519
+USE_CERT_BUFFERS_3072
+USE_ECDSA_KEYSZ_HASH_ALGO
+USE_FULL_ASSERT
+USE_HAL_DRIVER
+USE_NXP_LTC
+USE_NXP_MMCAU
+USE_QAE_THREAD_LS
+USE_SECRET_CALLBACK
+USE_STSAFE_RNG_SEED
+USE_STSAFE_VERBOSE
+USE_TLSV13
+USE_WOLF_STRNSTR
+USS_API
+WC_AESXTS_STREAM_NO_REQUEST_ACCOUNTING
+WC_AES_BS_WORD_SIZE
+WC_AES_GCM_DEC_AUTH_EARLY
+WC_ASN_HASH_SHA256
+WC_ASYNC_ENABLE_3DES
+WC_ASYNC_ENABLE_AES
+WC_ASYNC_ENABLE_ARC4
+WC_ASYNC_ENABLE_DH
+WC_ASYNC_ENABLE_ECC
+WC_ASYNC_ENABLE_ECC_KEYGEN
+WC_ASYNC_ENABLE_HMAC
+WC_ASYNC_ENABLE_MD5
+WC_ASYNC_ENABLE_RSA
+WC_ASYNC_ENABLE_RSA_KEYGEN
+WC_ASYNC_ENABLE_SHA
+WC_ASYNC_ENABLE_SHA224
+WC_ASYNC_ENABLE_SHA256
+WC_ASYNC_ENABLE_SHA3
+WC_ASYNC_ENABLE_SHA384
+WC_ASYNC_ENABLE_SHA512
+WC_ASYNC_NO_CRYPT
+WC_ASYNC_NO_HASH
+WC_DILITHIUM_CACHE_PRIV_VECTORS
+WC_DILITHIUM_CACHE_PUB_VECTORS
+WC_DILITHIUM_FIXED_ARRAY
+WC_DISABLE_RADIX_ZERO_PAD
+WC_ECC_NONBLOCK_ONLY
+WC_KDF_NIST_SP_800_56C
+WC_LMS_FULL_HASH
+WC_NO_RNG_SIMPLE
+WC_NO_STATIC_ASSERT
+WC_PKCS11_FIND_WITH_ID_ONLY
+WC_PROTECT_ENCRYPTED_MEM
+WC_RNG_BLOCKING
+WC_RSA_DIRECT
+WC_RSA_NONBLOCK
+WC_RSA_NONBLOCK_TIME
+WC_RSA_NO_FERMAT_CHECK
+WC_SHA384
+WC_SHA384_DIGEST_SIZE
+WC_SHA512
+WC_SHA512_DIGEST_SIZE
+WC_SSIZE_TYPE
+WC_STRICT_SIG
+WC_XMSS_FULL_HASH
+WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
+WOLFSENTRY_H
+WOLFSENTRY_NO_JSON
+WOLFSSL_32BIT_MILLI_TIME
+WOLFSSL_AESNI_BY4
+WOLFSSL_AESNI_BY6
+WOLFSSL_AFTER_DATE_CLOCK_SKEW
+WOLFSSL_ALGO_HW_MUTEX
+WOLFSSL_ALLOW_CRIT_AIA
+WOLFSSL_ALLOW_CRIT_AKID
+WOLFSSL_ALLOW_CRIT_SKID
+WOLFSSL_ALLOW_ENCODING_CA_FALSE
+WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST
+WOLFSSL_ALLOW_NO_CN_IN_SAN
+WOLFSSL_ALLOW_NO_SUITES
+WOLFSSL_ALLOW_SERVER_SC_EXT
+WOLFSSL_ALLOW_TLS_SHA1
+WOLFSSL_ALTERNATIVE_DOWNGRADE
+WOLFSSL_ALT_NAMES_NO_REV
+WOLFSSL_ARM_ARCH_NEON_64BIT
+WOLFSSL_ASNC_CRYPT
+WOLFSSL_ASN_EXTRA
+WOLFSSL_ASN_INT_LEAD_0_ANY
+WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
+WOLFSSL_ASN_TEMPLATE_TYPE_CHECK
+WOLFSSL_ATECC508
+WOLFSSL_ATECC508A_NOIDLE
+WOLFSSL_ATECC508A_NOSOFTECC
+WOLFSSL_ATECC508A_TLS
+WOLFSSL_ATECC_ECDH_IOENC
+WOLFSSL_ATECC_NO_ECDH_ENC
+WOLFSSL_ATECC_RNG
+WOLFSSL_ATECC_TFLXTLS
+WOLFSSL_ATECC_TNGTLS
+WOLFSSL_ATMEL
+WOLFSSL_ATMEL_TIME
+WOLFSSL_BEFORE_DATE_CLOCK_SKEW
+WOLFSSL_BIGINT_TYPES
+WOLFSSL_BIO_NO_FLOW_STATS
+WOLFSSL_BLAKE2B_INIT_EACH_FIELD
+WOLFSSL_BLAKE2S_INIT_EACH_FIELD
+WOLFSSL_BLIND_PRIVATE_KEY
+WOLFSSL_BYTESWAP32_ASM
+WOLFSSL_CAAM_BLACK_KEY_AESCCM
+WOLFSSL_CAAM_BLACK_KEY_SM
+WOLFSSL_CAAM_NO_BLACK_KEY
+WOLFSSL_CALLBACKS
+WOLFSSL_CHECK_DESKEY
+WOLFSSL_CHECK_MEM_ZERO
+WOLFSSL_CHIBIOS
+WOLFSSL_CLANG_TIDY
+WOLFSSL_COMMERCIAL_LICENSE
+WOLFSSL_CONTIKI
+WOLFSSL_CRL_ALLOW_MISSING_CDP
+WOLFSSL_DILITHIUM_ASSIGN_KEY
+WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM
+WOLFSSL_DILITHIUM_NO_ASN1
+WOLFSSL_DILITHIUM_NO_CHECK_KEY
+WOLFSSL_DILITHIUM_NO_LARGE_CODE
+WOLFSSL_DILITHIUM_NO_MAKE
+WOLFSSL_DILITHIUM_REVERSE_HASH_OID
+WOLFSSL_DILITHIUM_SIGN_CHECK_W0
+WOLFSSL_DILITHIUM_SIGN_CHECK_Y
+WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC
+WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A
+WOLFSSL_DILITHIUM_SMALL_MEM_POLY64
+WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC
+WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM
+WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
+WOLFSSL_DTLS_DISALLOW_FUTURE
+WOLFSSL_DTLS_DROP_STATS
+WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT
+WOLFSSL_DUMP_MEMIO_STREAM
+WOLFSSL_DUP_CERTPOL
+WOLFSSL_ECC_BLIND_K
+WOLFSSL_ECC_GEN_REJECT_SAMPLING
+WOLFSSL_ECC_NO_SMALL_STACK
+WOLFSSL_ECC_SIGALG_PARAMS_NULL_ALLOWED
+WOLFSSL_ECDHX_SHARED_NOT_ZERO
+WOLFSSL_ECDSA_MATCH_HASH
+WOLFSSL_ECDSA_SET_K_ONE_LOOP
+WOLFSSL_EC_POINT_CMP_JACOBIAN
+WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
+WOLFSSL_EMNET
+WOLFSSL_ESPWROOM32
+WOLFSSL_EVP_PRINT
+WOLFSSL_EXPORT_INT
+WOLFSSL_EXPORT_SPC_SZ
+WOLFSSL_EXTRA
+WOLFSSL_FORCE_OCSP_NONCE_CHECK
+WOLFSSL_FRDM_K64
+WOLFSSL_FRDM_K64_JENKINS
+WOLFSSL_FUNC_TIME
+WOLFSSL_FUNC_TIME_LOG
+WOLFSSL_GEN_CERT
+WOLFSSL_GETRANDOM
+WOLFSSL_GNRC
+WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES
+WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS
+WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC
+WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK
+WOLFSSL_HARDEN_TLS_NO_SCR_CHECK
+WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
+WOLFSSL_I2D_ECDSA_SIG_ALLOC
+WOLFSSL_IAR_ARM_TIME
+WOLFSSL_IGNORE_BAD_CERT_PATH
+WOLFSSL_IMX6
+WOLFSSL_IMX6_CAAM
+WOLFSSL_IMX6_CAAM_BLOB
+WOLFSSL_IMX6_CAAM_RNG
+WOLFSSL_IMXRT_DCP
+WOLFSSL_ISOTP
+WOLFSSL_KEIL
+WOLFSSL_KEIL_NET
+WOLFSSL_KYBER_INVNTT_UNROLL
+WOLFSSL_KYBER_NO_LARGE_CODE
+WOLFSSL_KYBER_NTT_UNROLL
+WOLFSSL_LIB
+WOLFSSL_LMS_CACHE_BITS
+WOLFSSL_LMS_FULL_HASH
+WOLFSSL_LMS_LARGE_CACHES
+WOLFSSL_LMS_MAX_HEIGHT
+WOLFSSL_LMS_MAX_LEVELS
+WOLFSSL_LMS_NO_SIG_CACHE
+WOLFSSL_LMS_ROOT_LEVELS
+WOLFSSL_LPC43xx
+WOLFSSL_MAKE_SYSTEM_NAME_LINUX
+WOLFSSL_MAKE_SYSTEM_NAME_WSL
+WOLFSSL_MDK5
+WOLFSSL_MEM_FAIL_COUNT
+WOLFSSL_MONT_RED_CT
+WOLFSSL_MP_COND_COPY
+WOLFSSL_MP_INVMOD_CONSTANT_TIME
+WOLFSSL_MULTICIRCULATE_ALTNAMELIST
+WOLFSSL_NONBLOCK_OCSP
+WOLFSSL_NOSHA3_384
+WOLFSSL_NOT_WINDOWS_API
+WOLFSSL_NO_BIO_ADDR_IN
+WOLFSSL_NO_CLIENT
+WOLFSSL_NO_CLIENT_CERT_ERROR
+WOLFSSL_NO_COPY_CERT
+WOLFSSL_NO_COPY_KEY
+WOLFSSL_NO_CRL_DATE_CHECK
+WOLFSSL_NO_CRL_NEXT_DATE
+WOLFSSL_NO_DECODE_EXTRA
+WOLFSSL_NO_DER_TO_PEM
+WOLFSSL_NO_DH186
+WOLFSSL_NO_DTLS_SIZE_CHECK
+WOLFSSL_NO_ETM_ALERT
+WOLFSSL_NO_FENCE
+WOLFSSL_NO_FSEEK
+WOLFSSL_NO_INIT_CTX_KEY
+WOLFSSL_NO_ISSUERHASH_TDPEER
+WOLFSSL_NO_KCAPI_AES_CBC
+WOLFSSL_NO_KCAPI_HMAC_SHA1
+WOLFSSL_NO_KCAPI_HMAC_SHA224
+WOLFSSL_NO_KCAPI_HMAC_SHA256
+WOLFSSL_NO_KCAPI_HMAC_SHA384
+WOLFSSL_NO_KCAPI_HMAC_SHA512
+WOLFSSL_NO_KCAPI_SHA224
+WOLFSSL_NO_OCSP_DATE_CHECK
+WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
+WOLFSSL_NO_OCSP_OPTIONAL_CERTS
+WOLFSSL_NO_PUBLIC_FFDHE
+WOLFSSL_NO_RSA_KEY_CHECK
+WOLFSSL_NO_SERVER_GROUPS_EXT
+WOLFSSL_NO_SESSION_STATS
+WOLFSSL_NO_SIGALG
+WOLFSSL_NO_SOCKADDR_UN
+WOLFSSL_NO_SPHINCS
+WOLFSSL_NO_STRICT_CIPHER_SUITE
+WOLFSSL_NO_TICKET_EXPIRE
+WOLFSSL_NO_TRUSTED_CERTS_VERIFY
+WOLFSSL_NO_XOR_OPS
+WOLFSSL_NRF51_AES
+WOLFSSL_OLDTLS_AEAD_CIPHERSUITES
+WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
+WOLFSSL_OLD_SET_CURVES_LIST
+WOLFSSL_OLD_UNSUPPORTED_EXTENSION
+WOLFSSL_OPTIONS_IGNORE_SYS
+WOLFSSL_PASSTHRU_ERR
+WOLFSSL_PB
+WOLFSSL_PEER_ADDRESS_CHANGES
+WOLFSSL_PKCS11_RW_TOKENS
+WOLFSSL_PRCONNECT_PRO
+WOLFSSL_PREFIX
+WOLFSSL_PSA_NO_AES
+WOLFSSL_PSA_NO_HASH
+WOLFSSL_PSA_NO_PKCB
+WOLFSSL_PSA_NO_PKCBS
+WOLFSSL_PSA_NO_RNG
+WOLFSSL_PSK_IDENTITY_ALERT
+WOLFSSL_PSK_ID_PROTECTION
+WOLFSSL_PSK_MULTI_ID_PER_CS
+WOLFSSL_PSK_TLS13_CB
+WOLFSSL_PSOC6_CRYPTO
+WOLFSSL_PYTHON
+WOLFSSL_RENESAS_FSPSM_CRYPT_ONLY
+WOLFSSL_RENESAS_RA6M3
+WOLFSSL_RENESAS_RA6M3G
+WOLFSSL_RENESAS_RSIP
+WOLFSSL_RENESAS_RZN2L
+WOLFSSL_RENESAS_TLS
+WOLFSSL_RENESAS_TSIP_CRYPTONLY
+WOLFSSL_RENESAS_TSIP_IAREWRX
+WOLFSSL_RSA_CHECK_D_ON_DECRYPT
+WOLFSSL_RSA_DECRYPT_TO_0_LEN
+WOLFSSL_RW_THREADED
+WOLFSSL_SAKKE_SMALL
+WOLFSSL_SAKKE_SMALL_MODEXP
+WOLFSSL_SE050_CRYPT
+WOLFSSL_SE050_HASH
+WOLFSSL_SE050_INIT
+WOLFSSL_SE050_NO_TRNG
+WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
+WOLFSSL_SETTINGS_FILE
+WOLFSSL_SH224
+WOLFSSL_SHA256_ALT_CH_MAJ
+WOLFSSL_SHUTDOWNONCE
+WOLFSSL_SILABS_TRNG
+WOLFSSL_SM4_EBC
+WOLFSSL_SNIFFER_NO_RECOVERY
+WOLFSSL_SP_ARM32_UDIV
+WOLFSSL_SP_DH
+WOLFSSL_SP_FAST_NCT_EXPTMOD
+WOLFSSL_SP_INT_SQR_VOLATILE
+WOLFSSL_STACK_CHECK
+WOLFSSL_STM32F427_RNG
+WOLFSSL_STM32_RNG_NOLIB
+WOLFSSL_STRONGEST_HASH_SIG
+WOLFSSL_STSAFE_TAKES_SLOT
+WOLFSSL_TELIT_M2MB
+WOLFSSL_THREADED_CRYPT
+WOLFSSL_TICKET_DECRYPT_NO_CREATE
+WOLFSSL_TICKET_ENC_AES128_GCM
+WOLFSSL_TICKET_ENC_AES256_CBC
+WOLFSSL_TICKET_ENC_AES256_GCM
+WOLFSSL_TICKET_ENC_CBC_HMAC
+WOLFSSL_TICKET_ENC_CHACHA20_POLY1305
+WOLFSSL_TICKET_ENC_HMAC_SHA384
+WOLFSSL_TICKET_ENC_HMAC_SHA512
+WOLFSSL_TI_CURRTIME
+WOLFSSL_TLS13_DRAFT
+WOLFSSL_TLS13_IGNORE_AEAD_LIMITS
+WOLFSSL_TLS13_MIDDLEBOX_COMPAT
+WOLFSSL_TLS13_SHA512
+WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
+WOLFSSL_TRACK_MEMORY_FULL
+WOLFSSL_TRAP_MALLOC_SZ
+WOLFSSL_UNALIGNED_64BIT_ACCESS
+WOLFSSL_USER_FILESYSTEM
+WOLFSSL_USER_LOG
+WOLFSSL_USER_MUTEX
+WOLFSSL_USER_THREADING
+WOLFSSL_USE_ESP32C3_CRYPT_HASH_HW
+WOLFSSL_USE_FLASHMEM
+WOLFSSL_USE_OPTIONS_H
+WOLFSSL_USE_POPEN_HOST
+WOLFSSL_VALIDATE_DH_KEYGEN
+WOLFSSL_WC_XMSS_NO_SHA256
+WOLFSSL_WC_XMSS_NO_SHAKE256
+WOLFSSL_WICED_PSEUDO_UNIX_EPOCH_TIME
+WOLFSSL_X509_STORE_CERTS
+WOLFSSL_X509_TRUSTED_CERTIFICATE_CALLBACK
+WOLFSSL_XFREE_NO_NULLNESS_CHECK
+WOLFSSL_XILINX_CRYPTO_OLD
+WOLFSSL_XILINX_PATCH
+WOLFSSL_XIL_MSG_NO_SLEEP
+WOLFSSL_XMSS_LARGE_SECRET_KEY
+WOLFSSL_ZEPHYR
+WOLFSS_SP_MATH_ALL
+WOLF_ALLOW_BUILTIN
+WOLF_CONF_IO
+WOLF_CONF_KYBER
+WOLF_CONF_PK
+WOLF_CONF_RESUMPTION
+WOLF_CONF_TPM
+WOLF_CRYPTO_CB_CMD
+WOLF_CRYPTO_CB_FIND
+WOLF_CRYPTO_CB_ONLY_ECC
+WOLF_CRYPTO_CB_ONLY_RSA
+WOLF_CRYPTO_CB_RSA_PAD
+WOLF_CRYPTO_DEV
+WOLF_NO_TRAILING_ENUM_COMMAS
+WOLSSL_OLD_TIMINGPADVERIFY
+XGETPASSWD
+XMSS_CALL_PRF_KEYGEN
+XPAR_VERSAL_CIPS_0_PSPMC_0_PSV_CORTEXA72_0_TIMESTAMP_CLK_FREQ
+XSECURE_CACHE_DISABLE
+_ABI64
+_ABIO64
+_ARCH_PPC64
+_COMPILER_VERSION
+_INTPTR_T_DECLARED
+_LP64
+_MSC_VER
+_MSVC_LANG
+_M_ARM64
+_M_X64
+_NETOS
+_POSIX_C_SOURCE
+_SDCC_VERSION_PATCHLEVEL
+_SH3
+_SILICON_LABS_SECURITY_FEATURE
+_SOCKLEN_T
+_SYS_DEVCON_LOCAL_H
+_TIME_HELPER_H
+_UINTPTR_T_DECLARED
+_WIN32
+_WIN32_WCE
+_WIN64
+__32MZ2048ECH144__
+__32MZ2048ECM144__
+__32MZ2048EFM144__
+__ANDROID__
+__APPLE__
+__ARCH_STRCASECMP_NO_REDIRECT
+__ARCH_STRCMP_NO_REDIRECT
+__ARCH_STRNCASECMP_NO_REDIRECT
+__ARCH_STRNCAT_NO_REDIRECT
+__ARCH_STRNCMP_NO_REDIRECT
+__ARCH_STRNCPY_NO_REDIRECT
+__ARCH_STRSTR_NO_REDIRECT
+__ARM_ARCH_7M__
+__ARM_FEATURE_CRYPTO
+__ASSEMBLER__
+__ATOMIC_RELAXED
+__AVR__
+__BCPLUSPLUS__
+__BIG_ENDIAN__
+__BORLANDC__
+__CCRX__
+__COMPILER_VER__
+__CYGWIN__
+__DATE__
+__DCACHE_PRESENT
+__DCC__
+__DECC_VER
+__ELF__
+__EMSCRIPTEN__
+__FPU_PRESENT
+__FreeBSD__
+__GLIBC__
+__GNUC_MINOR__
+__GNUC__
+__HP_cc
+__IAR_SYSTEMS_ICC__
+__ICCARM__
+__ILP32__
+__INCLUDE_NUTTX_CONFIG_H
+__INTEGRITY
+__INTEL_COMPILER
+__KEIL__
+__KEY_DATA_H__
+__LP64
+__LP64__
+__MACH__
+__MICROBLAZE__
+__MINGW32__
+__MINGW64_VERSION_MAJOR
+__MINGW64__
+__MWERKS__
+__PIE__
+__POWERPC__
+__PPC__
+__PPU
+__QNXNTO__
+__QNX__
+__ROPI__
+__SAM3A4C__
+__SAM3A8C__
+__SAM3A8H__
+__SAM3X4C__
+__SAM3X4E__
+__SAM3X8C__
+__SAM3X8E__
+__SANITIZE_ADDRESS__
+__SDCC_VERSION_MAJOR
+__SDCC_VERSION_MINOR
+__SDCC_VERSION_PATCH
+__SIZEOF_INT128__
+__SIZEOF_LONG_LONG__
+__STDC_VERSION__
+__STDC__
+__STM32__
+__STRICT_ANSI__
+__SUNPRO_C
+__SUNPRO_CC
+__SVR4
+__TI_COMPILER_VERSION__
+__TURBOC__
+__USE_GNU
+__USE_MISC
+__USE_XOPEN2K
+__WATCOMC__
+__WATCOM_INT64__
+__XC32
+__XTENSA__
+__aarch64__
+__alpha__
+__arch64__
+__arm__
+__clang__
+__clang_major__
+__cplusplus
+__ghc__
+__ghs__
+__hpux__
+__i386
+__i386__
+__ia64__
+__linux__
+__llvm__
+__mips
+__mips64
+__must_check
+__ppc64__
+__ppc__
+__riscv
+__riscv_xlen
+__s390x__
+__sparc64__
+__sun
+__svr4__
+__thumb__
+__ti__
+__x86_64__
+byte
+configTICK_RATE_HZ
+fallthrough
+noinline
+ssize_t
+sun
+versal
+wc_Tls13_HKDF_Expand_Label

CMakeLists.txt

@@ -1,6 +1,6 @@
-# CMakeList.txt
+# CMakeLists.txt
 #
-# Copyright (C) 2006-2023 wolfSSL Inc.
+# Copyright (C) 2006-2024 wolfSSL Inc.
 #
 # This file is part of wolfSSL. (formerly known as CyaSSL)
 #
@@ -21,6 +21,12 @@
 
 cmake_minimum_required(VERSION 3.16)
 
+if(${CMAKE_VERSION} VERSION_LESS "3.22")
+    message(STATUS "This project recommends using CMake version 3.22 or higher. You are using ${CMAKE_VERSION}.")
+else()
+    cmake_policy(SET CMP0128 NEW)
+endif()
+
 if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
     message(FATAL_ERROR "In-source builds are not allowed.\
      Run cmake from a separate directory from where CMakeLists.txt lives.\
@@ -28,7 +34,7 @@ if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
      You must delete them, or cmake will refuse to work.")
 endif()
 
-project(wolfssl VERSION 5.7.0 LANGUAGES C ASM)
+project(wolfssl VERSION 5.7.4 LANGUAGES C ASM)
 
 # Set WOLFSSL_ROOT if not already defined
 if ("${WOLFSSL_ROOT}" STREQUAL "")
@@ -47,7 +53,7 @@ set(WOLFSSL_LIBRARY_VERSION_FIRST 42)
 
 # increment if interfaces have been added
 # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented
-set(WOLFSSL_LIBRARY_VERSION_SECOND 1)
+set(WOLFSSL_LIBRARY_VERSION_SECOND 3)
 
 # increment if source code has changed
 # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented or
@@ -125,6 +131,7 @@ check_type_size("__uint128_t" __UINT128_T)
 check_type_size("long long" SIZEOF_LONG_LONG)
 check_type_size("long" SIZEOF_LONG)
 check_type_size("time_t" SIZEOF_TIME_T)
+check_type_size("uintptr_t" HAVE_UINTPTR_T)
 
 # By default, HAVE___UINT128_T gets defined as TRUE,
 # but we want it as 1.
@@ -278,6 +285,8 @@ if(NOT WOLFSSL_SINGLE_THREADED)
             "-DHAVE_PTHREAD"
             "-D_POSIX_THREADS")
     endif()
+else()
+    list(APPEND WOLFSSL_DEFINITIONS "-DSINGLE_THREADED")
 endif()
 
 # DTLS-SRTP
@@ -411,16 +420,17 @@ if(WOLFSSL_CURL)
     set(WOLFSSL_MD4 "yes")
     set(WOLFSSL_DES3 "yes")
     set(WOLFSSL_ALPN "yes")
+    set(WOLFSSL_WOLFSSH "yes")
     set(WOLFSSL_OPENSSLEXTRA "yes")
     set(WOLFSSL_CRL "yes")
     set(WOLFSSL_OCSP "yes")
     set(WOLFSSL_OCSPSTAPLING "yes")
     set(WOLFSSL_OCSPSTAPLING_V2 "yes")
+    # Note: OCSP sets requisite HAVE_TLS_EXTENSIONS and HAVE_CERTIFICATE_STATUS_REQUEST(_V2)
     set(WOLFSSL_SNI "yes")
     set(WOLFSSL_ALT_CERT_CHAINS "yes")
     set(WOLFSSL_IP_ALT_NAME "yes")
     set(WOLFSSL_SESSION_TICKET "yes")
-    set(WOLFSSL_WOLFSSH "yes")
     list(APPEND WOLFSSL_DEFINITIONS
         "-DNO_SESSION_CACHE_REF" "-DWOLFSSL_DES_ECB")
 endif()
@@ -431,7 +441,7 @@ add_option(WOLFSSL_ALPN
     "no" "yes;no")
 
 if(WOLFSSL_ALPN)
-        list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ALPN" "-DHAVE_TLS_EXTENSIONS")
+    list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ALPN" "-DHAVE_TLS_EXTENSIONS")
 endif()
 
 # altcertchains
@@ -530,6 +540,15 @@ if (WOLFSSL_OPENSSLALL)
       "-DWOLFSSL_ERROR_CODE_OPENSSL" "-DWOLFSSL_CERT_NAME_ALL")
 endif()
 
+add_option(WOLFSSL_NO_STUB
+    "Removes OpenSSL compatibility stub functions (default: disabled)"
+    "no" "yes;no")
+
+if (WOLFSSL_NO_STUB)
+    list(APPEND WOLFSSL_DEFINITIONS
+      "-DNO_WOLFSSL_STUB")
+endif()
+
 # TODO: - IPv6 test apps
 
 set(WOLFSSL_SLOW_MATH "yes")
@@ -539,16 +558,89 @@ add_option(WOLFSSL_OQS
     "Enable integration with the OQS (Open Quantum Safe) liboqs library (default: disabled)"
     "no" "yes;no")
 
-if (WOLFSSL_OQS)
-    find_package(OQS)
+# Kyber
+add_option(WOLFSSL_KYBER
+    "Enable the wolfSSL PQ Kyber library (default: disabled)"
+    "no" "yes;no")
 
-    if (OQS_FOUND)
-        list(APPEND WOLFSSL_LINK_LIBS ${OQS_LIBRARY})
-        list(APPEND WOLFSSL_INCLUDE_DIRS ${OQS_INCLUDE_DIR})
-        set(HAVE_LIBOQS 1)
-        list(APPEND WOLFSSL_DEFINITIONS
-          "-DHAVE_TLS_EXTENSIONS"
-          "-DHAVE_LIBOQS")
+# Experimental features
+add_option(WOLFSSL_EXPERIMENTAL
+    "Enable experimental features (default: disabled)"
+    "no" "yes;no")
+
+message(STATUS "Looking for WOLFSSL_EXPERIMENTAL")
+if (WOLFSSL_EXPERIMENTAL)
+    message(STATUS "Looking for WOLFSSL_EXPERIMENTAL - found")
+
+    # We've enabled the experimental environment, but let's
+    # check if any experimental features are also enabled:
+    set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 0)
+
+    set_wolfssl_definitions("WOLFSSL_EXPERIMENTAL_SETTINGS" RESUlT)
+
+    # Checking for experimental feature: OQS
+    message(STATUS "Looking for WOLFSSL_OQS")
+    if (WOLFSSL_OQS)
+        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
+        message(STATUS "Looking for WOLFSSL_OQS - found")
+
+        message(STATUS "Checking OQS")
+        find_package(OQS)
+        if (OQS_FOUND)
+            message(STATUS "Checking OQS - found")
+            list(APPEND WOLFSSL_LINK_LIBS ${OQS_LIBRARY})
+            list(APPEND WOLFSSL_INCLUDE_DIRS ${OQS_INCLUDE_DIR})
+
+            set_wolfssl_definitions("HAVE_LIBOQS"          RESUlT)
+            set_wolfssl_definitions("HAVE_TLS_EXTENSIONS"  RESUlT)
+            set_wolfssl_definitions("OPENSSL_EXTRA"        RESUlT)
+
+        else()
+            message(STATUS "Checking OQS - not found")
+            message(STATUS "WARNING: WOLFSSL_OQS enabled but not found: OQS_LIBRARY=${OQS_LIBRARY}, OQS_INCLUDE_DIR=${OQS_INCLUDE_DIR} ")
+        endif()
+    else()
+        message(STATUS "Looking for WOLFSSL_OQS - not found")
+    endif()
+
+    # Checking for experimental feature: Kyber
+    message(STATUS "Looking for WOLFSSL_KYBER")
+    if (WOLFSSL_KYBER)
+        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
+
+        message(STATUS "Automatically set related requirements for Kyber:")
+        set_wolfssl_definitions("WOLFSSL_HAVE_KYBER" RESUlT)
+        set_wolfssl_definitions("WOLFSSL_WC_KYBER"   RESUlT)
+        set_wolfssl_definitions("WOLFSSL_SHA3"       RESUlT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESUlT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESUlT)
+        message(STATUS "Looking for WOLFSSL_KYBER - found")
+    else()
+        message(STATUS "Looking for WOLFSSL_KYBER - not found")
+    endif()
+
+    # Other experimental feature detection can be added here...
+
+    # Were any experimental features found? Display a message.
+    if(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE)
+        message(STATUS "WOLFSSL_EXPERIMENTAL enabled, experimental features enabled.")
+    else()
+        message(STATUS "Warning: WOLFSSL_EXPERIMENTAL enabled, but no experimental features enabled.")
+    endif()
+
+    # Sanity checks
+    if(WOLFSSL_OQS AND WOLFSSL_KYBER)
+        message(FATAL_ERROR "Error: cannot enable both WOLFSSL_OQS and WOLFSSL_KYBER at the same time.")
+    endif()
+
+else()
+    # Experimental mode not enabled, but were any experimental features enabled? Error out if so:
+    message(STATUS "Looking for WOLFSSL_EXPERIMENTAL - not found")
+    if (WOLFSSL_OQS)
+        message(FATAL_ERROR "Error: WOLFSSL_OQS requires WOLFSSL_EXPERIMENTAL at this time.")
+    endif()
+    if(WOLFSSL_KYBER)
+        message(FATAL_ERROR "Error: WOLFSSL_KYBER requires WOLFSSL_EXPERIMENTAL at this time.")
     endif()
 endif()
 
@@ -565,6 +657,9 @@ endif()
 #       - Atomic user record layer
 #       - Public key callbacks
 #       - Microchip/Atmel CryptoAuthLib
+#       - XMSS
+#       - LMS
+#       - dual-certs
 
 # AES-CBC
 add_option("WOLFSSL_AESCBC"
@@ -852,13 +947,29 @@ if(WOLFSSL_ECC)
     endif()
 endif()
 
-# TODO: - ECC custom curves
-#       - Compressed key
+# TODO: - Compressed key
 #       - FP ECC, fixed point cache ECC
 #       - ECC encrypt
 #       - PSK
 #       - Single PSK identity
 
+# ECC custom curves
+add_option("WOLFSSL_ECCCUSTCURVES"
+    "Enable ECC Custom Curves (default: disabled)"
+    "no" "yes;no;all")
+
+if(WOLFSSL_ECCCUSTCURVES)
+    if("${WOLFSSL_ECCCUSTCURVES}" STREQUAL "all")
+        list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ECC_SECPR2")
+        list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ECC_SECPR3")
+        list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ECC_BRAINPOOL")
+        list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ECC_KOBLITZ")
+        list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ECC_CDH")
+    endif()
+
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_CUSTOM_CURVES")
+endif()
+
 # CURVE25519
 set(WOLFSSL_CURVE25519_SMALL "no")
 add_option("WOLFSSL_CURVE25519"
@@ -1216,6 +1327,14 @@ if(WOLFSSL_OPENSSH OR
     override_cache(WOLFSSL_DES3 "yes")
 endif()
 
+# DES3 TLS Suites
+set(WOLFSSL_DES3_TLS_SUITES_STRING "Enable DES3 TLS cipher suites (default: disabled)")
+add_option("WOLFSSL_DES3_TLS_SUITES" ${WOLFSSL_DES3_TLS_SUITES_STRING} "no" "yes;no")
+
+if(NOT WOLFSSL_DES3_TLS_SUITES)
+    list(APPEND WOLFSSL_DEFINITIONS "-DNO_DES3_TLS_SUITES")
+endif()
+
 # ARC4
 set(WOLFSSL_ARC4_HELP_STRING "Enable ARC4 (default: disabled)")
 add_option("WOLFSSL_ARC4" ${WOLFSSL_ARC4_HELP_STRING} "no" "yes;no")
@@ -1443,6 +1562,15 @@ add_option(WOLFSSL_SNI ${WOLFSSL_SNI_HELP_STRING} ${SNI_DEFAULT} "yes;no")
 set(WOLFSSL_TLSX_HELP_STRING "Enable all TLS Extensions (default: disabled)")
 add_option(WOLFSSL_TLSX ${WOLFSSL_TLSX_HELP_STRING} "no" "yes;no")
 
+add_option(WOLFSSL_EX_DATA
+    "Enable app data (default: disabled)"
+    "no" "yes;no")
+
+if (WOLFSSL_EX_DATA)
+    list(APPEND WOLFSSL_DEFINITIONS
+      "-DHAVE_EX_DATA")
+endif()
+
 # Supported elliptic curves extensions
 add_option("WOLFSSL_SUPPORTED_CURVES"
     "Enable Supported Elliptic Curves (default: enabled)"
@@ -1767,6 +1895,10 @@ add_option("WOLFSSL_CRYPTOCB"
     "Enable crypto callbacks (default: disabled)"
     "no" "yes;no")
 
+add_option("WOLFSSL_CRYPTOCB_NO_SW_TEST"
+    "Disable crypto callback SW testing (default: disabled)"
+    "no" "yes;no")
+
 add_option("WOLFSSL_PKCALLBACKS"
     "Enable public key callbacks (default: disabled)"
     "no" "yes;no")
@@ -1970,6 +2102,10 @@ if(WOLFSSL_CRYPTOCB)
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLF_CRYPTO_CB")
 endif()
 
+if(WOLFSSL_CRYPTOCB_NO_SW_TEST)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWC_TEST_NO_CRYPTOCB_SW_TEST")
+endif()
+
 # Public Key Callbacks
 if(WOLFSSL_PKCALLBACKS)
     list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_PK_CALLBACKS")
@@ -2106,34 +2242,46 @@ else()
 endif()
 set(OPTION_FILE "${WOLFSSL_OUTPUT_BASE}/wolfssl/options.h")
 
+# sccache
+add_option("ENABLE_SCCACHE"
+        "Enable sccache (default: disabled)"
+        "no" "yes;no")
+
+if (ENABLE_SCCACHE AND (NOT WOLFSSL_SCCACHE_ALREADY_SET_FLAG))
+    find_program(SCCACHE sccache REQUIRED)
+    if(SCCACHE)
+        message(STATUS "Enable sccache")
+
+        if(CMAKE_C_COMPILER_LAUNCHER)
+            set(CMAKE_C_COMPILER_LAUNCHER "${CMAKE_C_COMPILER_LAUNCHER}" "${SCCACHE}")
+        else()
+            set(CMAKE_C_COMPILER_LAUNCHER "${SCCACHE}")
+        endif()
+        if(CMAKE_CXX_COMPILER_LAUNCHER)
+            set(CMAKE_CXX_COMPILER_LAUNCHER "${CMAKE_CXX_COMPILER_LAUNCHER}" "${SCCACHE}")
+        else()
+            set(CMAKE_CXX_COMPILER_LAUNCHER "${SCCACHE}")
+        endif()
+
+        if (MSVC)
+            if(CMAKE_BUILD_TYPE STREQUAL "Debug")
+                string(REPLACE "/Zi" "/Z7" CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG}")
+                string(REPLACE "/Zi" "/Z7" CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG}")
+            elseif(CMAKE_BUILD_TYPE STREQUAL "Release")
+                string(REPLACE "/Zi" "/Z7" CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE}")
+                string(REPLACE "/Zi" "/Z7" CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE}")
+            elseif(CMAKE_BUILD_TYPE STREQUAL "RelWithDebInfo")
+                string(REPLACE "/Zi" "/Z7" CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELWITHDEBINFO}")
+                string(REPLACE "/Zi" "/Z7" CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELWITHDEBINFO}")
+            endif()
+        endif()
+        set(WOLFSSL_SCCACHE_ALREADY_SET_FLAG ON)
+    endif()
+endif()
+
+
 file(REMOVE ${OPTION_FILE})
 
-file(APPEND ${OPTION_FILE} "/* wolfssl options.h\n")
-file(APPEND ${OPTION_FILE} " * generated from configure options\n")
-file(APPEND ${OPTION_FILE} " *\n")
-file(APPEND ${OPTION_FILE} " * Copyright (C) 2006-2023 wolfSSL Inc.\n")
-file(APPEND ${OPTION_FILE} " *\n")
-file(APPEND ${OPTION_FILE} " * This file is part of wolfSSL. (formerly known as CyaSSL)\n")
-file(APPEND ${OPTION_FILE} " *\n")
-file(APPEND ${OPTION_FILE} " */\n\n")
-file(APPEND ${OPTION_FILE} "#ifndef WOLFSSL_OPTIONS_H\n")
-file(APPEND ${OPTION_FILE} "#define WOLFSSL_OPTIONS_H\n\n\n")
-file(APPEND ${OPTION_FILE} "#ifdef __cplusplus\n")
-file(APPEND ${OPTION_FILE} "extern \"C\" {\n")
-file(APPEND ${OPTION_FILE} "#endif\n\n")
-
-add_to_options_file("${WOLFSSL_DEFINITIONS}" "${OPTION_FILE}")
-# CMAKE_C_FLAGS is just a string of space-separated flags to pass to the C
-# compiler. We need to replace those spaces with semicolons in order to treat it
-# as a CMake list.
-string(REPLACE " " ";" CMAKE_C_FLAGS_LIST "${CMAKE_C_FLAGS}")
-add_to_options_file("${CMAKE_C_FLAGS_LIST}" "${OPTION_FILE}")
-
-file(APPEND ${OPTION_FILE} "\n#ifdef __cplusplus\n")
-file(APPEND ${OPTION_FILE} "}\n")
-file(APPEND ${OPTION_FILE} "#endif\n\n\n")
-file(APPEND ${OPTION_FILE} "#endif /* WOLFSSL_OPTIONS_H */\n\n")
-
 ####################################################
 # Library Target
 ####################################################
@@ -2211,6 +2359,20 @@ if(WOLFSSL_ARIA)
     message(STATUS "ARIA Check: WOLFSSL_LINK_LIBS    = ${WOLFSSL_LINK_LIBS}")
 endif()
 
+foreach(DEF IN LISTS WOLFSSL_DEFINITIONS)
+    string(REGEX MATCH "^(-D)?([^=]+)(=(.*))?$" DEF_MATCH ${DEF})
+    if (NOT "${CMAKE_MATCH_4}" STREQUAL "")
+        set(${CMAKE_MATCH_2} ${CMAKE_MATCH_4})
+        # message("set(${CMAKE_MATCH_2} ${CMAKE_MATCH_4})")
+    else()
+        set(${CMAKE_MATCH_2} 1)
+        # message("set(${CMAKE_MATCH_2} 1)")
+    endif()
+endforeach()
+
+# If new build options are added please update the cmake/options.h.in
+configure_file(${CMAKE_CURRENT_SOURCE_DIR}/cmake/options.h.in ${OPTION_FILE})
+
 set_target_properties(wolfssl
     PROPERTIES
         SOVERSION ${WOLFSSL_LIBRARY_VERSION_FIRST}
@@ -2309,7 +2471,7 @@ if(WOLFSSL_EXAMPLES)
                  PROPERTY RUNTIME_OUTPUT_DIRECTORY
                  ${WOLFSSL_OUTPUT_BASE}/examples/echoserver)
 
-    if(NOT WIN32)
+    if(NOT WIN32 AND NOT WOLFSSL_SINGLE_THREADED)
         # Build TLS benchmark example
         add_executable(tls_bench
             ${CMAKE_CURRENT_SOURCE_DIR}/examples/benchmark/tls_bench.c)

ChangeLog.md

@@ -1,3 +1,304 @@
+# wolfSSL Release 5.7.4 (Oct 24, 2024)
+
+Release 5.7.4 has been developed according to wolfSSL's development and QA
+process (see link below) and successfully passed the quality criteria.
+https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
+
+NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024
+
+PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request
+ number where the code change was added.
+
+
+## Vulnerabilities
+* [Low] When the OpenSSL compatibility layer is enabled, certificate
+ verification behaved differently in wolfSSL than OpenSSL, in the
+ X509_STORE_add_cert() and X509_STORE_load_locations() implementations.
+ Previously, in cases where an application explicitly loaded an intermediate
+ certificate, wolfSSL was verifying only up to that intermediate certificate,
+ rather than verifying up to the root CA. This only affects use cases where the
+ API is called directly, and does not affect TLS connections. Users that call
+ the API X509_STORE_add_cert() or X509_STORE_load_locations() directly in their
+ applications are recommended to update the version of wolfSSL used or to have
+ additional sanity checks on certificates loaded into the X509_STORE when
+ verifying a certificate. (https://github.com/wolfSSL/wolfssl/pull/8087)
+
+
+## PQC TLS Experimental Build Fix
+* When using TLS with post quantum algorithms enabled, the connection uses a
+ smaller EC curve than agreed on. Users building with --enable-experimental and
+ enabling PQC cipher suites with TLS connections are recommended to update the
+ version of wolfSSL used. Thanks to Daniel Correa for the report.
+ (https://github.com/wolfSSL/wolfssl/pull/8084)
+
+
+## New Feature Additions
+* RISC-V 64 new assembly optimizations added for SHA-256, SHA-512, ChaCha20,
+ Poly1305, and SHA-3 (PR 7758,7833,7818,7873,7916)
+* Implement support for Connection ID (CID) with DTLS 1.2 (PR 7995)
+* Add support for (DevkitPro)libnds (PR 7990)
+* Add port for Mosquitto OSP (Open Source Project) (PR 6460)
+* Add port for init sssd (PR 7781)
+* Add port for eXosip2 (PR 7648)
+* Add support for STM32G4 (PR 7997)
+* Add support for MAX32665 and MAX32666 TPU HW and ARM ASM Crypto Callback
+ Support (PR 7777)
+* Add support for building wolfSSL to be used in libspdm (PR 7869)
+* Add port for use with Nucleus Plus 2.3 (PR 7732)
+* Initial support for RFC5755 x509 attribute certificates (acerts). Enabled with
+ --enable-acert (PR 7926)
+* PKCS#11 RSA Padding offload allows tokens to perform CKM_RSA_PKCS
+ (sign/encrypt), CKM_RSA_PKCS_PSS (sign), and CKM_RSA_PKCS_OAEP (encrypt).
+ (PR 7750)
+* Added “new” and “delete” style functions for heap/pool allocation and freeing
+ of low level crypto structures (PR 3166 and 8089)
+
+
+## Enhancements and Optimizations
+* Increase default max alt. names from 128 to 1024 (PR 7762)
+* Added new constant time DH agree function wc_DhAgree_ct (PR 7802)
+* Expanded compatibility layer with the API EVP_PKEY_is_a (PR 7804)
+* Add option to disable cryptocb test software test using
+ --disable-cryptocb-sw-test (PR 7862)
+* Add a call to certificate verify callback before checking certificate dates
+ (PR 7895)
+* Expanded algorithms supported with the wolfCrypt CSharp wrapper. Adding
+ support for RNG, ECC(ECIES and ECDHE), RSA, ED25519/Curve25519, AES-GCM, and
+ Hashing (PR 3166)
+* Expand MMCAU support for use with DES ECB (PR 7960)
+* Update AES SIV to handle multiple associated data inputs (PR 7911)
+* Remove HAVE_NULL_CIPHER from --enable-openssh (PR 7811)
+* Removed duplicate if(NULL) checks when calling XFREE (macro does) (PR 7839)
+* Set RSA_MIN_SIZE default to 2048 bits (PR 7923)
+* Added support for wolfSSL to be used as the default TLS in the zephyr kernel
+ (PR 7731)
+* Add enable provider build using --enable-wolfprovider with autotools (PR 7550)
+* Renesas RX TSIP ECDSA support (PR 7685)
+* Support DTLS1.3 downgrade when the server supports CID (PR 7841)
+* Server-side checks OCSP even if it uses v2 multi (PR 7828)
+* Add handling of absent hash params in PKCS7 bundle parsing and creation
+ (PR 7845)
+* Add the use of w64wrapper for Poly1305, enabling Poly1305 to be used in
+ environments that do not have a word64 type (PR 7759)
+* Update to the maxq10xx support (PR 7824)
+* Add support for parsing over optional PKCS8 attributes (PR 7944)
+* Add support for either side method with DTLS 1.3 (PR 8012)
+* Added PKCS7 PEM support for parsing PEM data with BEGIN/END PKCS7 (PR 7704)
+* Add CMake support for WOLFSSL_CUSTOM_CURVES (PR 7962)
+* Add left-most wildcard matching support to X509_check_host() (PR 7966)
+* Add option to set custom SKID with PKCS7 bundle creation (PR 7954)
+* Building wolfSSL as a library with Ada and corrections to Alire manifest
+ (PR 7303,7940)
+* Renesas RX72N support updated (PR 7849)
+* New option WOLFSSL_COPY_KEY added to always copy the key to the SSL object
+ (PR 8005)
+* Add the new option WOLFSSL_COPY_CERT to always copy the cert buffer for each
+ SSL object (PR 7867)
+* Add an option to use AES-CBC with HMAC for default session ticket enc/dec.
+ Defaults to AES-128-CBC with HMAC-SHA256 (PR 7703)
+* Memory usage improvements in wc_PRF, sha256 (for small code when many
+ registers are available) and sp_int objects (PR 7901)
+* Change in the configure script to work around ">>" with no command. In older
+ /bin/sh it can be ambiguous, as used in OS’s such as FreeBSD 9.2 (PR 7876)
+* Don't attempt to include system headers when not required (PR 7813)
+* Certificates: DER encoding of ECC signature algorithm parameter is now
+ allowed to be NULL with a define (PR 7903)
+* SP x86_64 asm: check for AVX2 support for VMs (PR 7979)
+* Update rx64n support on gr-rose (PR 7889)
+* Update FSP version to v5.4.0 for RA6M4 (PR 7994)
+* Update TSIP driver version to v1.21 for RX65N RSK (PR 7993)
+* Add a new crypto callback for RSA with padding (PR 7907)
+* Replaced the use of pqm4 with wolfSSL implementations of Kyber/MLDSA
+ (PR 7924)
+* Modernized memory fence support for C11 and clang (PR 7938)
+* Add a CRL error override callback (PR 7986)
+* Extend the X509 unknown extension callback for use with a user context
+ (PR 7730)
+* Additional debug error tracing added with TLS (PR 7917)
+* Added runtime support for library call stack traces with
+ –enable-debug-trace-errcodes=backtrace, using libbacktrace (PR 7846)
+* Expanded C89 conformance (PR 8077)
+* Expanded support for WOLFSSL_NO_MALLOC (PR 8065)
+* Added support for cross-compilation of Linux kernel module (PR 7746)
+* Updated Linux kernel module with support for kernel 6.11 and 6.12 (PR 7826)
+* Introduce WOLFSSL_ASN_ALLOW_0_SERIAL to allow parsing of certificates with a
+ serial number of 0 (PR 7893)
+* Add conditional repository_owner to all wolfSSL GitHub workflows (PR 7871)
+
+### Espressif / Arduino Updates
+* Update wolfcrypt settings.h for Espressif ESP-IDF, template update (PR 7953)
+* Update Espressif sha, util, mem, time helpers (PR 7955)
+* Espressif _thread_local_start and _thread_local_end fix (PR 8030)
+* Improve benchmark for Espressif devices (PR 8037)
+* Introduce Espressif common CONFIG_WOLFSSL_EXAMPLE_NAME, Kconfig (PR 7866)
+* Add wolfSSL esp-tls and Certificate Bundle Support for Espressif ESP-IDF
+ (PR 7936)
+* Update wolfssl Release for Arduino (PR 7775)
+
+### Post Quantum Crypto Updates
+* Dilithium: support fixed size arrays in dilithium_key (PR 7727)
+* Dilithium: add option to use precalc with small sign (PR 7744)
+* Allow Kyber to be built with FIPS (PR 7788)
+* Allow Kyber asm to be used in the Linux kernel module (PR 7872)
+* Dilithium, Kyber: Update to final specification (PR 7877)
+* Dilithium: Support FIPS 204 Draft and Final Draft (PR 7909,8016)
+
+### ARM Assembly Optimizations
+* ARM32 assembly optimizations added for ChaCha20 and Poly1305 (PR 8020)
+* Poly1305 assembly optimizations improvements for Aarch64 (PR 7859)
+* Poly1305 assembly optimizations added for Thumb-2 (PR 7939)
+* Adding ARM ASM build option to STM32CubePack (PR 7747)
+* Add ARM64 to Visual Studio Project (PR 8010)
+* Kyber assembly optimizations for ARM32 and Aarch64 (PR 8040,7998)
+* Kyber assembly optimizations for ARMv7E-M/ARMv7-M (PR 7706)
+
+
+## Fixes
+* ECC key load: fixes for certificates with parameters that are not default for
+ size (PR 7751)
+* Fixes for building x86 in Visual Studio for non-windows OS (PR 7884)
+* Fix for TLS v1.2 secret callback, incorrectly detecting bad master secret
+ (PR 7812)
+* Fixes for PowerPC assembly use with Darwin and SP math all (PR 7931)
+* Fix for detecting older versions of Mac OS when trying to link with
+ libdispatch (PR 7932)
+* Fix for DTLS1.3 downgrade to DTLS1.2 when the server sends multiple handshake
+ packets combined into a single transmission. (PR 7840)
+* Fix for OCSP to save the request if it was stored in ssl->ctx->certOcspRequest
+ (PR 7779)
+* Fix to OCSP for searching for CA by key hash instead of ext. key id (PR 7934)
+* Fix for staticmemory and singlethreaded build (PR 7737)
+* Fix to not allow Shake128/256 with Xilinx AFALG (PR 7708)
+* Fix to support PKCS11 without RSA key generation (PR 7738)
+* Fix not calling the signing callback when using PK callbacks + TLS 1.3
+ (PR 7761)
+* Cortex-M/Thumb2 ASM fix label for IAR compiler (PR 7753)
+* Fix with PKCS11 to iterate correctly over slotId (PR 7736)
+* Stop stripping out the sequence header on the AltSigAlg extension (PR 7710)
+* Fix ParseCRL_AuthKeyIdExt with ASN template to set extAuthKeyIdSet value
+ (PR 7742)
+* Use max key length for PSK encrypt buffer size (PR 7707)
+* DTLS 1.3 fix for size check to include headers and CID fixes (PR 7912,7951)
+* Fix STM32 Hash FIFO and add support for STM32U5A9xx (PR 7787)
+* Fix CMake build error for curl builds (PR 8021)
+* SP Maths: PowerPC ASM fix to use XOR instead of LI (PR 8038)
+* SSL loading of keys/certs: testing and fixes (PR 7789)
+* Misc. fixes for Dilithium and Kyber (PR 7721,7765,7803,8027,7904)
+* Fixes for building wolfBoot sources for PQ LMS/XMSS (PR 7868)
+* Fixes for building with Kyber enabled using CMake and zephyr port (PR 7773)
+* Fix for edge cases with session resumption with TLS 1.2 (PR 8097)
+* Fix issue with ARM ASM with AES CFB/OFB not initializing the "left" member
+ (PR 8099)
+
+
+# wolfSSL Release 5.7.2 (July 08, 2024)
+
+Release 5.7.2 has been developed according to wolfSSL's development and QA
+process (see link below) and successfully passed the quality criteria.
+https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
+
+NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024
+
+## Vulnerabilities
+* [Medium] CVE-2024-1544
+Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls. Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Analyzing the division through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. Thanks to Luca Wilke, Florian Sieck and Thomas Eisenbarth (University of Lübeck) for reporting the vulnerability. Details will appear in the proceedings of CCS 24.
+Fixed https://github.com/wolfSSL/wolfssl/pull/7020
+
+
+* [Medium] CVE-2024-5288
+A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations. If performing ECC private key operations in an environment where a malicious user could gain fine control over the device and perform row hammer style attacks it is recommended to update the version of wolfSSL used and to build with WOLFSSL_BLIND_PRIVATE_KEY defined. Thanks to Kemal Derya, M. Caner Tol, Berk Sunar for the report (Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute)
+Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7416
+
+
+* [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS. There are existing sanity checks during a TLS handshake with wolfSSL which mitigate this issue. Thanks to Bing Shi for the report.
+Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7597
+
+* [Low] CVE-2024-5991
+In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the Openssl compatibility function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. While calling without a NULL terminated string is very uncommon, it is still technically allowed. If a caller was attempting to do a name check on a non*NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.
+Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7604
+
+* [Medium] CVE-2024-5814
+A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello when downgrading from TLS 1.3.
+Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7619
+
+* [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received. Found with internal testing.
+Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7702
+
+* [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt. A revoked CA certificate could incorrectly be loaded into the trusted signers list and used in a repeat connection attempt. Found with internal testing.
+Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7702
+
+
+## New Feature Additions
+* Added Dilithium/ML-DSA: Implementation of ML-DSA-44/65/87 (PR 7622)
+* AES RISC-V 64-bit ASM: ECB/CBC/CTR/GCM/CCM (PR 7569)
+* Added CUDA support for AES encryption (PR 7436)
+* Added support for gRPC (PR 7445)
+* Added function wc_RsaPrivateKeyDecodeRaw to import raw RSA private keys (PR 7608)
+* Added crypto callback for SHA-3 (PR 7670)
+* Support for Infineon Modus Toolbox with wolfSSL (PR 7369)
+* Allow user to send a user_canceled alert by calling wolfSSL_SendUserCanceled (PR 7590)
+* C# wrapper SNI support added (PR 7610)
+* Quantum-safe algorithm support added to the Linux kernel module (PR 7574)
+* Support for NIST 800-56C Option 1 KDF, using the macro WC_KDF_NIST_SP_800_56C added (PR 7589)
+* AES-XTS streaming mode added, along with hardware acceleration and kernel module use (PR 7522, 7560, 7424)
+* PlatformIO FreeRTOS with ESP build and addition of benchmark and test example applications (PR 7528, 7413, 7559, 7542)
+
+
+## Enhancements and Optimizations
+* Expanded STM32 AES hardware acceleration support for use with STM32H5 (PR 7578)
+* Adjusted wc_xmss and wc_lms settings to support use with wolfBoot (PR 7393)
+* Added the --enable-rpk option to autotools build for using raw public key support (PR 7379)
+* SHA-3 Thumb2, ARM32 assembly implementation added (PR 7667)
+* Improvements to RSA padding to expose Pad/Unpad APIs (PR 7612)
+* Updates and API additions for supporting socat version 1.8.0.0 (PR 7594)
+* cmake build improvements, expanding build options with SINGLE_THREADED and post-quantum algorithms, adjusting the generation of options.h file and using “yes;no” boolean instead of strings (PR 7611, 7546, 7479, 7480, 7380)
+* Improvements for Renesas RZ support (PR 7474)
+* Improvements to dual algorithm certificates for post-quantum keys (PR 7286)
+* Added wolfSSL_SessionIsSetup so the user can check if a session ticket has been sent by the server (PR 7430)
+* hostap updates: Implement PACs for EAP-FAST and filter cipher list on TLS version change (PR 7446)
+* Changed subject name comparison to match different upper and lower cases (PR 7420)
+* Support for DTLS 1.3 downgrade when using PSK (PR 7367)
+* Update to static memory build for more generic memory pools used (PR 7418)
+* Improved performance of Kyber C implementation (PR 7654)
+* Support for ECC_CACHE_CURVE with no malloc (PR 7490)
+* Added the configure option --enable-debug-trace-errcodes (macro WOLFSSL_DEBUG_TRACE_ERROR_CODES) which enables more debug tracking of error code values (PR 7634)
+* Enhanced wc_MakeRsaKey and wc_RsaKeyToDer to work with WOLFSSL_NO_MALLOC (PR 7362)
+* Improvements to assembly implementations of ChaCha20 and Poly1305 ASM for use with MSVC (PR 7319)
+* Cortex-M inline assembly labels with unique number appended (PR 7649)
+* Added secret logging callback to TLS <= 1.2, enabled with the macro HAVE_SECRET_CALLBACK (PR 7372)
+* Made wc_RNG_DRBG_Reseed() a public wolfCrypt API (PR 7386)
+* Enabled DES3 support without the DES3 ciphers. To re-enable DES3 cipher suites, use the configure flag --enable-des3-tls-suites (PR 7315)
+* Added stubs required for latest nginx (1.25.5) (PR 7449)
+* Added option for using a custom salt with the function wc_ecc_ctx_set_own_salt (PR 7552)
+* Added PQ files for Windows (PR 7419)
+* Enhancements to static memory feature, adding the option for a global heap hint (PR 7478) and build options for a lean or debug setting, enabled with --enable-staticmemory=small or --enable-staticmemory=debug (PR 7597)
+* Updated --enable-jni to define SESSION_CERTS for wolfJSSE (PR 7557)
+* Exposed DTLS in Ada wrapper and updated examples (PR 7397)
+* Added additional minimum TLS extension size sanity checks (PR 7602)
+* ESP improvements: updating the examples and libraries, updates for Apple HomeKit SHA/SRP, and fix for endianness with SHA512 software fallback (PR 7607, 7392, 7505, 7535)
+* Made the wc_CheckCertSigPubKey API publicly available with the define of the macro WOLFSSL_SMALL_CERT_VERIFY (PR 7599)
+* Added an alpha/preview of additional FIPS 140-3 full submission, bringing additional algorithms such as SRTP-KDF, AES-XTS, GCM streaming, AES-CFB, ED25519, and ED448 into the FIPS module boundary (PR 7295)
+* XCODE support for v5.2.3 of the FIPS module (PR 7140)
+* Expanded OpenSSL compatibility layer and added EC_POINT_hex2point (PR 7191)
+
+## Fixes
+* Fixed Kyber control-flow timing leak. Thanks to Antoon Purnal from PQShield for the report
+* Fixed the NXP MMCAU HW acceleration for SHA-256 (PR 7389)
+* Fixed AES-CFB1 encrypt/decrypt on size (8*x-1) bits (PR 7431)
+* Fixed use of %rip with SHA-256 x64 assembly (PR 7409)
+* Fixed OCSP response message build for DTLS (PR 7671)
+* Handled edge case in wc_ecc_mulmod() with zero (PR 7532)
+* Fixed RPK (Raw Public Key) to follow certificate use correctly (PR 7375)
+* Added sanity check on record header with QUIC use (PR 7638)
+* Added sanity check for empty directory strings in X.509 when parsing (PR 7669)
+* Added sanity check on non-conforming serial number of 0 in certificates being parsed (PR 7625)
+* Fixed wolfSSL_CTX_set1_sigalgs_list() to make the TLS connection conform to the selected sig hash algorithm (PR 7693)
+* Various fixes for dual algorithm certificates including small stack use and support for Certificate Signing Requests (PR 7577)
+* Added sanity check for critical policy extension when wolfSSL is built without policy extension support enabled (PR 7388)
+* Added sanity check that the ed25519 signature is smaller than the order (PR 7513)
+* Fixed Segger emNet to handle non-blocking want read/want write (PR 7581)
+
+
 # wolfSSL Release 5.7.0 (Mar 20, 2024)
 
 Release 5.7.0 has been developed according to wolfSSL's development and QA
@@ -112,7 +413,7 @@ fixed this omission in several PRs for this release.
 
 * [Low] CVE-2023-6936: A potential heap overflow read is possible in servers connecting over TLS 1.3 when the optional `WOLFSSL_CALLBACKS` has been defined. The out of bounds read can occur when a server receives a malicious malformed ClientHello. Users should either discontinue use of `WOLFSSL_CALLBACKS` on the server side or update versions of wolfSSL to 5.6.6. Thanks to the tlspuffin fuzzer team for the report which was designed and developed by; Lucca Hirschi (Inria, LORIA), Steve Kremer (Inria, LORIA), and Max Ammann (Trail of Bits). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6949.
 
-* [Low] A side channel vulnerability with AES T-Tables is possible in a very controlled environment where precision sub-cache-line inspection can happen, such as inside an Intel SGX enclave. This can lead to recovery of the AES key. To prevent this type of attack, wolfSSL added an AES bitsliced implementation which can be enabled with the “`--enable-aes-bitsliced`” configure option. Thanks to Florian Sieck, Zhiyuan Zhang, Sebastian Berndt, Chitchanok Chuengsatiansup, Thomas Eisenbarth, and Yuval Yarom for the report (Universities of Lübeck, Melbourne, Adelaide and Bochum). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6854.
+* [Low] CVE-2024-1543: A side channel vulnerability with AES T-Tables is possible in a very controlled environment where precision sub-cache-line inspection can happen, such as inside an Intel SGX enclave. This can lead to recovery of the AES key. To prevent this type of attack, wolfSSL added an AES bitsliced implementation which can be enabled with the “`--enable-aes-bitsliced`” configure option. Thanks to Florian Sieck, Zhiyuan Zhang, Sebastian Berndt, Chitchanok Chuengsatiansup, Thomas Eisenbarth, and Yuval Yarom for the report (Universities of Lübeck, Melbourne, Adelaide and Bochum). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/6854.
 
 * [Low] CVE-2023-6937: wolfSSL prior to 5.6.6 did not check that messages in a single (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating. Thanks to Johannes Wilson for the report (Sectra Communications and Linköping University). The fix for this issue is located in the following GitHub Pull Request: https://github.com/wolfSSL/wolfssl/pull/7029.
 
@@ -766,9 +1067,9 @@ Release 5.5.1 of wolfSSL embedded TLS has bug fixes and new features including:
 
 ## Enhancements
 * DTLSv1.3: Do HRR Cookie exchange by default
-* Add wolfSSL_EVP_PKEY_new_CMAC_key to OpenSSL compatible API 
-* Update ide win10 build files to add missing sp source files 
-* Improve Workbench docs 
+* Add wolfSSL_EVP_PKEY_new_CMAC_key to OpenSSL compatible API
+* Update ide win10 build files to add missing sp source files
+* Improve Workbench docs
 * Improve EVP support for CHACHA20_POLY1305
 * Improve `wc_SetCustomExtension` documentation
 * RSA-PSS with OCSP and add simple OCSP response DER verify test case
@@ -776,23 +1077,23 @@ Release 5.5.1 of wolfSSL embedded TLS has bug fixes and new features including:
 * Don't over-allocate memory for DTLS fragments
 * Add WOLFSSL_ATECC_TFLXTLS for Atmel port
 * SHA-3 performance improvements with x86_64 assembly
-* Add code to fallback to S/W if TSIP cannot handle 
+* Add code to fallback to S/W if TSIP cannot handle
 * Improves entropy with VxWorks
 * Make time in milliseconds 64-bits for longer session ticket lives
 * Support for setting cipher list with bytes
 * wolfSSL_set1_curves_list(), wolfSSL_CTX_set1_curves_list() improvements
 * Add to RSAES-OAEP key parsing for pkcs7
 * Add missing DN nid to work with PrintName()
-* SP int: default to 16 bit word size when NO_64BIT defined 
+* SP int: default to 16 bit word size when NO_64BIT defined
 * Limit the amount of fragments we store per a DTLS connection and error out when max limit is reached
 * Detect when certificate's RSA public key size is too big and fail on loading of certificate
 
 ## Fixes
 * Fix for async with OCSP non-blocking in `ProcessPeerCerts`
 * Fixes for building with 32-bit and socket size sign/unsigned mismatch
-* Fix Windows CMakeList compiler options 
-* TLS 1.3 Middle-Box compat: fix missing brace 
-* Configuration consistency fixes for RSA keys and way to force disable of private keys 
+* Fix Windows CMakeList compiler options
+* TLS 1.3 Middle-Box compat: fix missing brace
+* Configuration consistency fixes for RSA keys and way to force disable of private keys
 * Fix for Aarch64 Mac M1 SP use
 * Fix build errors and warnings for MSVC with DTLS 1.3
 * Fix HMAC compat layer function for SHA-1
@@ -800,9 +1101,9 @@ Release 5.5.1 of wolfSSL embedded TLS has bug fixes and new features including:
 * Check return from call to wc_Time
 * SP math: fix build configuration with opensslall
 * Fix for async session tickets
-* SP int mp_init_size fixes when SP_WORD_SIZE == 8 
+* SP int mp_init_size fixes when SP_WORD_SIZE == 8
 * Ed. function to make public key now checks for if the private key flag is set
-* Fix HashRaw WC_SHA256_DIGEST_SIZE for wc_Sha256GetHash 
+* Fix HashRaw WC_SHA256_DIGEST_SIZE for wc_Sha256GetHash
 * Fix for building with PSK only
 * Set correct types in wolfSSL_sk_*_new functions
 * Sanity check that size passed to mp_init_size() is no more than SP_INT_DIGITS
@@ -916,7 +1217,7 @@ CVE-2020-12966 https://www.amd.com/en/corporate/product-security/bulletin/amd-sb
 * Update SP math all to not use sp_int_word when SQR_MUL_ASM is available
 ### SP Math Fixes
 * Fixes for constant time with div function
-* Fix casting warnings for Windows builds and assembly changes to support XMM6-15 being non-volatile 
+* Fix casting warnings for Windows builds and assembly changes to support XMM6-15 being non-volatile
 * Fix for div_word when not using div function
 * Fixes for user settings with SP ASM and ED/Curve25519 small
 * Additional Wycheproof tests ran and fixes
@@ -1096,7 +1397,7 @@ Release 5.3.0 of wolfSSL embedded TLS has bug fixes and new features including:
 ### Math Library Fixes
 * Sanity check with SP math that ECC points ordinates are not greater than modulus length
 * Additional sanity checks that _sp_add_d does not error due to overflow
-* Wycheproof fixes, testing integration, and fixes for AVX / AArch64 ASM edge case tests 
+* Wycheproof fixes, testing integration, and fixes for AVX / AArch64 ASM edge case tests
 * TFM fp_div_2_ct rework to avoid potential overflow
 
 ### Misc.
@@ -1337,7 +1638,7 @@ Release 5.1.0 of wolfSSL embedded TLS has bug fixes and new features including:
 ###### PORT Fixes
 * Building with Android wpa_supplicant and KeyStore
 * Setting initial value of CA certificate with TSIP enabled
-* Cryptocell ECC build fix and fix with RSA disabled 
+* Cryptocell ECC build fix and fix with RSA disabled
 * IoT-SAFE improvement for Key/File slot ID size, fix for C++ compile, and fixes for retrieving the public key after key generation
 
 ###### Math Library Fixes
@@ -1476,7 +1777,7 @@ Release 5.0.0 of wolfSSL embedded TLS has bug fixes and new features including:
     - SSL_SESSION_has_ticket()
     - SSL_SESSION_get_ticket_lifetime_hint()
     - DIST_POINT_new
-    - DIST_POINT_free 
+    - DIST_POINT_free
     - DIST_POINTS_free
     - CRL_DIST_POINTS_free
     - sk_DIST_POINT_push
@@ -1639,7 +1940,7 @@ Release 4.8.0 of wolfSSL embedded TLS has bug fixes and new features including:
 
 ### Vulnerabilities
 * [Low] CVE-2021-37155: OCSP request/response verification issue. In the case that the serial number in the OCSP request differs from the serial number in the OCSP response the error from the comparison was not resulting in a failed verification. We recommend users that have wolfSSL version 4.6.0 and 4.7.0 with OCSP enabled update their version of wolfSSL. Version 4.5.0 and earlier are not affected by this report. Thanks to Rainer Mueller-Amersdorffer, Roee Yankelevsky, Barak Gutman, Hila Cohen and Shoshi Berko (from CYMOTIVE Technologies and CARIAD) for the report.
-* [Low] CVE-2021-24116: Side-Channel cache look up vulnerability in base64 PEM decoding for versions of wolfSSL 4.5.0 and earlier. Versions 4.6.0 and up contain a fix and do not need to be updated for this report. If decoding a PEM format private key using version 4.5.0 and older of wolfSSL then we recommend updating the version of wolfSSL used. Thanks to Florian Sieck, Jan Wichelmann, Sebastian Berndt and Thomas Eisenbarth for the report. 
+* [Low] CVE-2021-24116: Side-Channel cache look up vulnerability in base64 PEM decoding for versions of wolfSSL 4.5.0 and earlier. Versions 4.6.0 and up contain a fix and do not need to be updated for this report. If decoding a PEM format private key using version 4.5.0 and older of wolfSSL then we recommend updating the version of wolfSSL used. Thanks to Florian Sieck, Jan Wichelmann, Sebastian Berndt and Thomas Eisenbarth for the report.
 
 ### New Feature Additions
 ###### New Product

Docker/Dockerfile

@@ -6,11 +6,11 @@ USER root
 # Set timezone to UTC
 RUN ln -snf /usr/share/zoneinfo/UTC /etc/localtime && echo UTC > /etc/timezone
 
-ARG DEPS_WOLFSSL="build-essential autoconf libtool clang clang-tools zlib1g-dev libuv1-dev libpam0g-dev valgrind git linux-headers-generic gcc-multilib g++-multilib libpcap-dev bubblewrap gdb iputils-ping lldb bsdmainutils netcat binutils-arm-linux-gnueabi binutils-aarch64-linux-gnu"
+ARG DEPS_WOLFSSL="build-essential autoconf libtool clang clang-tools zlib1g-dev libuv1-dev libpam0g-dev valgrind git linux-headers-generic gcc-multilib g++-multilib libpcap-dev bubblewrap gdb iputils-ping lldb bsdmainutils netcat-traditional binutils-arm-linux-gnueabi binutils-aarch64-linux-gnu"
 ARG DEPS_LIBOQS="astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml valgrind git"
 ARG DEPS_UDP_PROXY="wget libevent-dev"
-ARG DEPS_TESTS="abi-dumper libcurl4-openssl-dev tcpdump libpsl-dev python3-pandas python3-tabulate libnl-genl-3-dev libcap-ng-dev"
-ARG DEPS_TOOLS="ccache"
+ARG DEPS_TESTS="abi-dumper libcurl4-openssl-dev tcpdump libpsl-dev python3-pandas python3-tabulate libnl-genl-3-dev libcap-ng-dev python3-virtualenv curl jq"
+ARG DEPS_TOOLS="ccache clang-tidy maven libfile-util-perl android-tools-adb usbutils shellcheck"
 RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y apt-utils \
                     && apt install -y ${DEPS_WOLFSSL} ${DEPS_LIBOQS} ${DEPS_UDP_PROXY} ${DEPS_TESTS} ${DEPS_TOOLS} \
                     && apt clean -y && rm -rf /var/lib/apt/lists/*
@@ -40,10 +40,12 @@ RUN cd /opt/sources && git clone --single-branch https://github.com/cisco/hash-s
 
 # Install pkixssh to /opt/pkixssh for X509 interop testing with wolfSSH
 RUN mkdir /var/empty
-RUN cd /opt/sources && wget -q -O- https://roumenpetrov.info/secsh/src/pkixssh-14.1.1.tar.gz | tar xzf - && cd pkixssh-14.1.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
+RUN cd /opt/sources && wget -q -O- https://roumenpetrov.info/secsh/src/pkixssh-15.1.tar.gz | tar xzf - && cd pkixssh-15.1 && ./configure --prefix=/opt/pkixssh/ --exec-prefix=/opt/pkixssh/ && make install
 
 # Install udp/tcp-proxy
 RUN cd /opt/sources && git clone --depth=1 --single-branch --branch=main http://github.com/wolfssl/udp-proxy && cd udp-proxy && make && cp tcp_proxy udp_proxy /bin/.
+# Install libbacktrace
+RUN cd /opt/sources && git clone --depth=1 --single-branch https://github.com/ianlancetaylor/libbacktrace.git && cd libbacktrace && mkdir build && cd build && ../configure && make && make install
 
 # Allow non-root to use tcpdump (will need NET_RAW and NET_ADMIN capability when running the container)
 RUN setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/tcpdump

Docker/Dockerfile.cross-compiler

@@ -3,7 +3,7 @@ FROM $DOCKER_BASE_IMAGE
 
 USER root
 
-ARG DEPS_TESTING="gcc-arm-linux-gnueabi gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu"
+ARG DEPS_TESTING="gcc-arm-linux-gnueabi gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu gcc-powerpc-linux-gnu gcc-powerpc64-linux-gnu gcc-arm-none-eabi"
 RUN DEBIAN_FRONTEND=noninteractive apt update \
                     && apt install -y ${DEPS_TESTING} \
                     && apt clean -y && rm -rf /var/lib/apt/lists/*

Docker/buildAndPush.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 # Assume we're in wolfssl/Docker
 WOLFSSL_DIR=$(builtin cd ${BASH_SOURCE%/*}/..; pwd)
@@ -18,18 +18,37 @@ docker build -t wolfssl/wolfssl-builder:${CUR_DATE} ${DOCKER_BUILD_OPTIONS} "${W
     docker tag wolfssl/testing-cross-compiler:${CUR_DATE} wolfssl/testing-cross-compiler:latest
 
 if [ $? -eq 0 ]; then
-    echo "Pushing containers to DockerHub"
-    docker push wolfssl/wolfssl-builder:${CUR_DATE} && docker push wolfssl/wolfssl-builder:latest && \
-        docker push wolfssl/testing-cross-compiler:${CUR_DATE} && docker push wolfssl/testing-cross-compiler:latest
+    echo "Push containers to DockerHub [y/N]? "
+    read val
+    if [ "$val" = "y" ]; then
+        docker push wolfssl/wolfssl-builder:${CUR_DATE} && docker push wolfssl/wolfssl-builder:latest && \
+            docker push wolfssl/testing-cross-compiler:${CUR_DATE} && docker push wolfssl/testing-cross-compiler:latest
+        if [ $? -ne 0 ]; then
+            echo "Warning: push failed. Continuing"
+            ((NUM_FAILURES++))
+        fi
+    fi
 else
     echo "Warning: Build wolfssl/wolfssl-builder failed. Continuing"
     ((NUM_FAILURES++))
 fi
 
 echo "Building wolfssl/wolfCLU:${CUR_DATE}"
-docker buildx build --pull --push --build-arg DUMMY=${CUR_DATE} -t wolfssl/wolfclu:${CUR_DATE} --platform=linux/amd64,linux/arm64,linux/arm/v7 "${WOLFSSL_DIR}/Docker/wolfCLU" && \
-docker buildx build --pull --push --build-arg DUMMY=${CUR_DATE} -t wolfssl/wolfclu:latest      --platform=linux/amd64,linux/arm64,linux/arm/v7 "${WOLFSSL_DIR}/Docker/wolfCLU"
-if [ $? -ne 0 ]; then
+DOCKER_ARGS="--pull --build-arg DUMMY=${CUR_DATE} --platform=linux/amd64,linux/arm64,linux/arm/v7 ${WOLFSSL_DIR}/Docker/wolfCLU"
+docker buildx build -t wolfssl/wolfclu:${CUR_DATE} ${DOCKER_ARGS} && \
+    docker buildx build -t wolfssl/wolfclu:latest ${DOCKER_ARGS}
+if [ $? -eq 0 ]; then
+    echo "Push containers to DockerHub [y/N]? "
+    read val
+    if [ "$val" = "y" ]; then
+        docker buildx build ${DOCKER_ARGS} --push -t wolfssl/wolfclu:${CUR_DATE} && \
+            docker buildx build ${DOCKER_ARGS} --push -t wolfssl/wolfclu:latest
+        if [ $? -ne 0 ]; then
+            echo "Warning: push failed. Continuing"
+            ((NUM_FAILURES++))
+        fi
+    fi
+else
     echo "Warning: Build wolfssl/wolfclu failed. Continuing"
     ((NUM_FAILURES++))
 fi

Docker/run.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 echo "Running with \"${*}\"..."
 

Docker/wolfCLU/Dockerfile

@@ -1,9 +1,9 @@
 ARG DOCKER_BASE_IMAGE=ubuntu
-FROM ubuntu as BUILDER
+FROM ubuntu AS builder
 
-ARG DEPS_WOLFSSL="build-essential autoconf libtool zlib1g-dev libuv1-dev libpam0g-dev git libpcap-dev libcurl4-openssl-dev bsdmainutils netcat iputils-ping bubblewrap"
+ARG DEPS_WOLFSSL="build-essential autoconf libtool zlib1g-dev libuv1-dev libpam0g-dev git libpcap-dev libcurl4-openssl-dev bsdmainutils netcat-traditional iputils-ping bubblewrap"
 RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y apt-utils \
-                    && apt install -y ${DEPS_WOLFSSL} ${DEPS_LIBOQS} \
+                    && apt install -y ${DEPS_WOLFSSL} \
                     && apt clean -y && rm -rf /var/lib/apt/lists/*
 
 ARG NUM_CPU=16
@@ -18,8 +18,8 @@ RUN git clone --depth=1 --single-branch --branch=main http://github.com/wolfssl/
 
 FROM ${DOCKER_BASE_IMAGE}
 USER root
-COPY --from=BUILDER /usr/local/lib/libwolfssl.so /usr/local/lib/
-COPY --from=BUILDER /usr/local/bin/wolfssl* /usr/local/bin/
+COPY --from=builder /usr/local/lib/libwolfssl.so /usr/local/lib/
+COPY --from=builder /usr/local/bin/wolfssl* /usr/local/bin/
 RUN ldconfig
 ENTRYPOINT ["/usr/local/bin/wolfssl"]
 LABEL org.opencontainers.image.source=https://github.com/wolfssl/wolfssl

Docker/wolfCLU/README.md

@@ -1,6 +1,6 @@
 This is a small container that has wolfCLU installed for quick access. To build your own run the following:
 ```
-docker build --pull --build-arg DUMMY=$(date +%s) -t wolfclu . 
+docker build --pull --build-arg DUMMY=$(date +%s) -t wolfclu .
 ```
 
 To run the container, you can use:

Docker/yocto/Dockerfile

@@ -19,7 +19,9 @@ WORKDIR /opt/poky
 ARG YOCTO_VERSION=kirkstone
 RUN git checkout -t origin/${YOCTO_VERSION} -b ${YOCTO_VERSION} && git pull
 
-RUN git clone --single-branch --branch=${YOCTO_VERSION} https://github.com/wolfSSL/meta-wolfssl.git && \
+# This arg is to be able to force a rebuild starting from this line
+ARG DUMMY=date
+RUN DUMMY=${DUMMY} git clone --single-branch --branch=master https://github.com/wolfssl/meta-wolfssl.git && \
     /bin/bash -c "source oe-init-build-env" && \
     echo 'IMAGE_INSTALL:append = " wolfssl wolfclu wolfssh wolfmqtt wolftpm wolfclu "' >> /opt/poky/build/conf/local.conf && \
     sed -i '/\/opt\/poky\/meta-poky \\/a \\t/opt/poky/meta-wolfssl \\' /opt/poky/build/conf/bblayers.conf

Docker/yocto/buildAndPush.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 # Assume we're in wolfssl/Docker/yocto
 WOLFSSL_DIR=$(builtin cd ${BASH_SOURCE%/*}/../..; pwd)
@@ -11,9 +11,9 @@ fi
 NUM_FAILURES=0
 
 CUR_DATE=$(date -u +%F)
-for ver in kirkstone dunfell; do
+for ver in kirkstone langdale scarthgap; do
     echo "Building wolfssl/yocto:${ver}-${CUR_DATE} as ${DOCKER_BUILD_OPTIONS}"
-    docker build -t wolfssl/yocto:${ver}-${CUR_DATE} --build-arg YOCTO_VERSION=${ver} -f Dockerfile "${WOLFSSL_DIR}/Docker/yocto" && \
+    docker build -t wolfssl/yocto:${ver}-${CUR_DATE} --build-arg YOCTO_VERSION=${ver} --build-arg BUILD_DATE=${CUR_DATE} -f Dockerfile "${WOLFSSL_DIR}/Docker/yocto" && \
         docker tag wolfssl/yocto:${ver}-${CUR_DATE} wolfssl/yocto:${ver}-latest
     if [ $? -eq 0 ]; then
         echo "Pushing containers to DockerHub"

IDE/ARDUINO/Arduino_README_prepend.md

@@ -8,6 +8,12 @@ See the [Arduino-wolfSSL logs](https://downloads.arduino.cc/libraries/logs/githu
 
 ## Arduino Releases
 
-The first Official wolfSSL Arduino Library is `5.6.6-Arduino.1`: a slightly modified, post [release 5.6.6](https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.6-stable) version update.
+This release of wolfSSL is version [5.7.4](https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.4-stable).
+
+Version [5.7.2](https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable) of the Arduino wolfSSL was published August 3, 2024.
+
+The next Official wolfSSL Arduino Library was [5.7.0](https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable)
+
+The first Official wolfSSL Arduino Library was `5.6.6-Arduino.1`: a slightly modified, post [release 5.6.6](https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.6-stable) version update.
 
 See other [wolfSSL releases versions](https://github.com/wolfSSL/wolfssl/releases). The `./wolfssl-arduino.sh INSTALL` [script](https://github.com/wolfSSL/wolfssl/tree/master/IDE/ARDUINO) can be used to install specific GitHub versions as needed.

IDE/ARDUINO/README.md

@@ -27,7 +27,7 @@ This option will allow wolfSSL to be installed directly using the native Arduino
 
 ## Manually Reformatting wolfSSL as a Compatible Arduino Library
 
-Use [this](./wolfssl-arduino.sh) shell script that will re-organize the wolfSSL library to be 
+Use [this](./wolfssl-arduino.sh) shell script that will re-organize the wolfSSL library to be
 compatible with [Arduino Library Specification](https://arduino.github.io/arduino-cli/0.35/library-specification/)
 for projects that use Arduino IDE 1.5.0 or newer.
 
@@ -55,8 +55,8 @@ from within the `wolfssl/IDE/ARDUINO` directory:
 3. `./wolfssl-arduino.sh INSTALL /path/to/repository` (Used to update [arduino-wolfSSL](https://github.com/wolfSSL/arduino-wolfSSL))
     - Creates an Arduino Library in `wolfSSL` directory
     - Copies that directory contents to the specified `/path/to/repository`
-    - Adds the [default](../../examples/configs/user_settings_arduino.h) as `user_settings.h`. 
-     
+    - Adds the [default](../../examples/configs/user_settings_arduino.h) as `user_settings.h`.
+
 4. `./wolfssl-arduino.sh INSTALL /path/to/any/other/directory`
     - Creates an Arduino Library in `wolfSSL` directory
     - Copies that directory contents to the specified `/path/to/any/other/directory`

IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino

@@ -1,6 +1,6 @@
 /* wolfssl_client.ino
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ARDUINO/sketches/wolfssl_server/README.md

@@ -13,7 +13,7 @@ Additional examples can be found on [wolfSSL/wolfssl-examples](https://github.co
 
 ## Connect with an Arduino Sketch
 
-See the companion [Arduino Sketch Client](../wolfssl_client/wolfssl_client.ino). 
+See the companion [Arduino Sketch Client](../wolfssl_client/wolfssl_client.ino).
 
 ## Connect with Linux Client
 
@@ -35,7 +35,7 @@ press the reset button or power cycle the Arduino before making a connection.
 Here's one possible script to test the server from a command-line client:
 
 ```bash
-#!/bin/bash
+#!/usr/bin/env bash
 echo "client log " > client_log.txt
 counter=1
 THIS_ERR=0

IDE/ARDUINO/sketches/wolfssl_server/wolfssl_server.ino

@@ -1,6 +1,6 @@
 /* wolfssl_server.ino
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ARDUINO/wolfssl-arduino.sh

@@ -20,7 +20,7 @@
 # Reminder there's typically no $USER for GitHub actions, but:
 # ROOT_DIR="/mnt/c/Users/$USER/Documents/Arduino/libraries"
 #
-# The company name is "wolfSSL Inc."; There’s a space, no comma, and a period after "Inc."
+# The company name is "wolfSSL Inc."; There's a space, no comma, and a period after "Inc."
 # The Arduino library name is "wolfssl" (all lower case)
 # The Arduino library directory name is "wolfssl" (all lower case)
 # The Arduino library include file is "wolfssl.h" (all lower case)
@@ -29,7 +29,7 @@
 ROOT_DIR="/wolfssl"
 
 # The Arduino Version will initially have a suffix appended during fine tuning stage.
-WOLFSSL_VERSION_ARUINO_SUFFIX="-Arduino.3"
+WOLFSSL_VERSION_ARUINO_SUFFIX=""
 
 # For verbose copy, set CP_CMD="-v", otherwise clear it: CP_CMD="cp"
 # Do not set to empty string, as copy will fail with this: CP_CMD=""
@@ -65,6 +65,11 @@ if ! [ "$CP_CMD" = "cp " ]; then
     fi
 fi
 
+if [ "$ROOT_DIR" = "" ]; then
+    echo "ERROR: ROOT_DIR cannot be blank"
+    exit 1
+fi
+
 # Check environment
 if [ -n "$WSL_DISTRO_NAME" ]; then
     # we found a non-blank WSL environment distro name
@@ -84,6 +89,11 @@ if [ $# -gt 0 ]; then
     if [ "$THIS_OPERATION" = "INSTALL" ]; then
         THIS_INSTALL_DIR=$2
 
+        if [ "$THIS_INSTALL_DIR" = "/" ]; then
+            echo "ERROR: THIS_INSTALL_DIR cannot be /"
+            exit 1
+        fi
+
         echo "Install is active."
 
         if [ "$THIS_INSTALL_DIR" = "" ]; then
@@ -96,10 +106,10 @@ if [ $# -gt 0 ]; then
         else
             echo "Installing to $THIS_INSTALL_DIR"
             if [ -d "$THIS_INSTALL_DIR/.git" ];then
-                echo "Target is a GitHub repository."
+                echo "Target is a GitHub root repository."
                 THIS_INSTALL_IS_GITHUB="true"
             else
-                echo "Target is NOT a GitHub repository."
+                echo "Target is NOT a GitHub root directory repository. (e.g. not wolfssl/Arduino-wolfssl)"
             fi
         fi
     else
@@ -300,24 +310,33 @@ echo ""
 # Note we should have exited above if a problem was encountered,
 # as we'll never want to install a bad library.
 if [ "$THIS_OPERATION" = "INSTALL" ]; then
+    echo "Config:"
+    echo "cp ../../examples/configs/user_settings_arduino.h  ".${ROOT_SRC_DIR}"/user_settings.h"
+    # Nearly an ordinary copy, but we remove any lines with ">>" (typically edit with caution warning in comments)
+    grep -v '>>' ../../examples/configs/user_settings_arduino.h > ".${ROOT_SRC_DIR}"/user_settings.h || exit 1
+
+    # Show the user_settings.h revision string:
+    grep "WOLFSSL_USER_SETTINGS_ID" ."${ROOT_SRC_DIR}/user_settings.h"
+    echo ""
+
     if [ "$THIS_INSTALL_IS_GITHUB" = "true" ]; then
         echo "Installing to GitHub directory: $THIS_INSTALL_DIR"
         cp -r ."$ROOT_DIR"/* "$THIS_INSTALL_DIR" || exit 1
+        echo "Removing workspace library directory: .$ROOT_DIR"
+        rm -rf ".$ROOT_DIR"
     else
-        echo "Config:"
-        echo "cp ../../examples/configs/user_settings_arduino.h  ".${ROOT_SRC_DIR}"/user_settings.h"
-        # Nearly an ordinary copy, but we remove any lines with ">>" (typically edit with caution warning in comments)
-        grep -v '>>' ../../examples/configs/user_settings_arduino.h > ".${ROOT_SRC_DIR}"/user_settings.h || exit 1
 
-        # Show the user_settings.h revision string:
-        grep "WOLFSSL_USER_SETTINGS_ID" ."${ROOT_SRC_DIR}/user_settings.h"
-        echo ""
+        echo "Installing to local directory:"
+        if [ "$THIS_INSTALL_DIR" = "" ]; then
+            echo "mv .$ROOT_DIR $ARDUINO_ROOT"
+            mv  ."$ROOT_DIR" "$ARDUINO_ROOT" || exit 1
 
-        echo "Install:"
-        echo "mv .$ROOT_DIR $ARDUINO_ROOT"
-        mv  ."$ROOT_DIR" "$ARDUINO_ROOT" || exit 1
-
-        echo "Arduino wolfSSL Version: $WOLFSSL_VERSION$WOLFSSL_VERSION_ARUINO_SUFFIX"
+            echo "Arduino wolfSSL Version: $WOLFSSL_VERSION$WOLFSSL_VERSION_ARUINO_SUFFIX"
+        else
+            echo "cp -r .\"$ROOT_DIR\"/* \"$THIS_INSTALL_DIR\""
+            mkdir -p "$THIS_INSTALL_DIR" || exit 1
+            cp -r ."$ROOT_DIR"/* "$THIS_INSTALL_DIR" || exit 1
+        fi
     fi
 fi
 

IDE/AURIX/Cpu0_Main.c

@@ -1,6 +1,6 @@
 /* Cpu0_Main.c
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *
@@ -63,7 +63,7 @@ int fputc(int ch, FILE *f)
     if (ch == (int)'\n') {
         int chcr = (int)'\r';
         count = 1;
-        IfxAsclin_Asc_write(&g_asc, &chcr, &count, TIME_INFINITE);    
+        IfxAsclin_Asc_write(&g_asc, &chcr, &count, TIME_INFINITE);
     }
     count = 1;
     IfxAsclin_Asc_write(&g_asc, &ch, &count, TIME_INFINITE);

IDE/AURIX/README.md

@@ -9,7 +9,7 @@ Tested Platform:
 
 ## Running wolfCrypt on TriCore
 
-1) Add the wolfSSL source and headers to `Libraries/wolfssl`. 
+1) Add the wolfSSL source and headers to `Libraries/wolfssl`.
   - Only the following folders are required: `src`, `wolfcrypt` and `wolfssl`.
   - See script to help with producing bundle here: https://github.com/wolfSSL/wolfssl/blob/master/scripts/makedistsmall.sh
 2) Add `WOLFSSL_USER_SETTINGS` to the Preprocessing symbols list. C/C++ Build -> Settings -> TASKING C/C++ Compiler -> Preprocessing.

IDE/AURIX/user_settings.h

@@ -1,6 +1,6 @@
 /* user_settings.h
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/AURIX/wolf_main.c

@@ -1,6 +1,6 @@
 /* wolf_main.c
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/CRYPTOCELL/main.c

@@ -1,6 +1,6 @@
 /* main.c
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *
@@ -18,8 +18,8 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
-
-
+
+
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfcrypt/test/test.h>
 #include <wolfcrypt/benchmark/benchmark.h>
@@ -63,4 +63,3 @@ int main(void)
 
     return 0;
 }
-

IDE/CRYPTOCELL/user_settings.h

@@ -1,6 +1,6 @@
 /* user_settings.h
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *
@@ -401,6 +401,7 @@ extern "C" {
 
     /* prototypes for user heap override functions */
     /* Note: Realloc only required for normal math */
+    /* Note2: XFREE(NULL) must be properly handled */
     #include <stddef.h>  /* for size_t */
     extern void *myMalloc(size_t n, void* heap, int type);
     extern void myFree(void *p, void* heap, int type);

IDE/ECLIPSE/DEOS/deos_malloc.c

@@ -1,6 +1,6 @@
 /* deos_malloc.c
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/DEOS/deos_wolfssl/.project

@@ -240,9 +240,9 @@
 			<locationURI>WOLFSSL_ROOT/wolfcrypt/src/fe_operations.c</locationURI>
 		</link>
 		<link>
-			<name>wolfcrypt/src/fe_x25519_128.i</name>
+			<name>wolfcrypt/src/fe_x25519_128.h</name>
 			<type>1</type>
-			<locationURI>WOLFSSL_ROOT/wolfcrypt/src/fe_x25519_128.i</locationURI>
+			<locationURI>WOLFSSL_ROOT/wolfcrypt/src/fe_x25519_128.h</locationURI>
 		</link>
 		<link>
 			<name>wolfcrypt/src/fp_mont_small.i</name>

IDE/ECLIPSE/DEOS/tls_wolfssl.c

@@ -1,6 +1,6 @@
 /* tls_wolfssl.c
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/DEOS/tls_wolfssl.h

@@ -1,6 +1,6 @@
 /* tls_wolfssl.h
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/DEOS/user_settings.h

@@ -1,6 +1,6 @@
 /* user_setting.h
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/README.md

@@ -40,7 +40,7 @@ The folder hierarchy is the same as the wolfSSL folders with an exception of the
 
 4. Right click on each folders, add or link all the source code in the corresponding folder in wolfSSL.
 
-5. Remove non-C platform dependent files from your build. At the moment, only aes_asm.asm, aes_gcm_asm.asm and aes_asm.s must be removed from your wolfssl/wolfcrypt/src folder.
+5. Remove non-C platform dependent files from your build. At the moment, only aes_asm.asm, aes_gcm_asm.asm, aes_xts_asm.asm and aes_asm.s must be removed from your wolfssl/wolfcrypt/src folder.
 
 6. In your C/C++ compiler preprocessor settings, add the wolfSSL directories to your include paths.
 Here's an example of the paths that must be added.

IDE/ECLIPSE/MICRIUM/client_wolfssl.c

@@ -1,6 +1,6 @@
 /* client_wolfssl.c
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/client_wolfssl.h

@@ -1,6 +1,6 @@
 /* client_wolfssl.h
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/server_wolfssl.c

@@ -1,6 +1,6 @@
 /* server_wolfssl.c
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/server_wolfssl.h

@@ -1,6 +1,6 @@
 /* server_wolfssl.h
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/user_settings.h

@@ -1,6 +1,6 @@
 /* user_setting.h
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/MICRIUM/wolfsslRunTests.c

@@ -1,6 +1,6 @@
 /* wolfsslRunTests.c
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/RTTHREAD/user_settings.h

@@ -1,6 +1,6 @@
 /* user_setting.h
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/RTTHREAD/wolfssl_test.c

@@ -1,6 +1,6 @@
 /* wolfsslRunTests.c
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/ECLIPSE/SIFIVE/README.md

@@ -1 +1 @@
-This folder has moved to `IDE/RISCV/SIFIVE-HIFIVE1`.
+This folder has moved to `IDE/RISCV/SIFIVE-HIFIVE1`.

IDE/Espressif/ESP-IDF/README.md

@@ -1,11 +1,12 @@
 # ESP-IDF Port
 
-These Espressif examples have been created and tested with the latest stable release branch of 
-[ESP-IDF V5.1](https://docs.espressif.com/projects/esp-idf/en/release-v5.1/esp32/get-started/index.html).
-The prior version 4.4 ESP-IDF is still supported, however version 5.1 or greater is recommended.
-Espressif has [a list of all ESP-IDF versions](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/versions.html).
+These Espressif examples have been created and tested with the latest stable release branch of
+ESP-IDF v5.2, v5.3 and the master branch
 
-See the latest [Espressif Migration Guides](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/migration-guides/index.html).
+The prior version 4.4 ESP-IDF is still supported, however version 5.2 or greater is recommended.
+Espressif has [a list of all ESP-IDF versions](Espressifversions.html).
+
+See the latest Espressif Migration Guides.
 
 ## Examples
 
@@ -34,7 +35,7 @@ looks for the wolfSSL `user_settings.h` in the project as described below.
 ### File: `sdkconfig.h`
 
 The Espressif `sdkconfig.h`, generated automatically from your `sdkconfig`
-file at [build](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html)
+file at [build](Espressif api-guides/build-system.html)
 time, should be included before any other files.
 
 ### File: `user_settings.h`
@@ -44,6 +45,28 @@ default configuration items in the wolfssl `settings.h`. With the latest version
 wolfSSL, some of these defaults can be disabled with `NO_ESPIDF_DEFAULT` and customized
 in your project `user_settings.h` as desired.
 
+The `user_settings.h` include file should not be explicitly included in an project source files. Be
+sure to include `settings.h` (which pulls in `user_settings.h`) before any other wolfSSL include files.
+
+A new project should also include a compiler option suc as `CFLAGS +=-DWOLFSSL_USER_SETTINGS"` to ensure
+the `user_settings.h` is included properly. See the [template example](https://github.com/wolfSSL/wolfssl/blob/master/IDE/Espressif/ESP-IDF/examples/template/main/main.c).
+
+```
+#ifdef WOLFSSL_USER_SETTINGS
+    #include <wolfssl/wolfcrypt/settings.h>
+    #ifndef WOLFSSL_ESPIDF
+        #warning "Problem with wolfSSL user_settings."
+        #warning "Check components/wolfssl/include"
+    #endif
+    #include <wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h>
+#else
+    /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include   */
+    /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */
+    #error "Missing WOLFSSL_USER_SETTINGS in CMakeLists or Makefile:\
+    CFLAGS +=-DWOLFSSL_USER_SETTINGS"
+#endif
+```
+
 See the respective project directory:
 
   `[project-dir]/components/wolfssl/user_settings.h`
@@ -79,7 +102,7 @@ of your source code, particularly before the `#include <wolfssl/wolfcrypt/settin
 
 ## Requirements
 
- 1. [ESP-IDF development framework](https://docs.espressif.com/projects/esp-idf/en/latest/get-started/)
+ 1. [ESP-IDF development framework](https://github.com/espressif/esp-idf)
 
 ## wolfSSL as an Espressif component
 
@@ -91,7 +114,7 @@ There are various methods available for using wolfSSL as a component:
 
 ## Espressif Managed Components
 
-Visit https://components.espressif.com/components/wolfssl/wolfssl and see the instructions. Typically:
+Visit https://www.wolfssl.com/wolfssl-now-available-in-espressif-component-registry/ and see the instructions. Typically:
 
 ```
 idf.py add-dependency "wolfssl/wolfssl^5.6.0-stable"
@@ -116,15 +139,23 @@ See the specific examples for additional details.
 
 ## Setup for Linux (wolfSSL local copy)
 
-This is a legacy method for installation. It is recommended to use the new `CMakeLists.txt` to point to wolfSSL source code.
+This is an alternate method for installation. It is recommended to use the new `CMakeLists.txt` to point to wolfSSL source code.
 
- 1. Run `setup.sh` at _/path/to_`/wolfssl/IDE/Espressif/ESP-IDF/` to deploy files into ESP-IDF tree  
+ 1. Run `setup.sh` at _/path/to_`/wolfssl/IDE/Espressif/ESP-IDF/` to deploy files into ESP-IDF tree
  2. Find Wolfssl files at _/path/to/esp_`/esp-idf/components/wolfssl/`
  3. Find [Example Programs](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples) under _/path/to/esp_`/esp-idf/examples/protocols/wolfssl_xxx` (where xxx is the project name)
 
+
+```
+WRK_IDF_PATH=/mnt/c/SysGCC/esp32/esp-idf/v5.2
+. $WRK_IDF_PATH/export.sh
+
+./setup.sh
+```
+
 ## Setup for Windows
 
-This is a legacy method for installation. It is recommended to use the new `CMakeLists.txt` to point to wolfSSL source code.
+This is an alternate method for installation. It is recommended to use the new `CMakeLists.txt` to point to wolfSSL source code.
 
  1. Run ESP-IDF Command Prompt (cmd.exe) or Run ESP-IDF PowerShell Environment
  2. Run `setup_win.bat` at `.\IDE\Espressif\ESP-IDF\`
@@ -147,7 +178,7 @@ C:\SysGCC\esp32\esp-idf>git clone -b v5.0.2 --recursive https://github.com/espre
 
 ## Configuration
 
- 1. The `user_settings.h` can be found in `[project]/components/wolfssl/include/user_settings.h`. 
+ 1. The `user_settings.h` can be found in `[project]/components/wolfssl/include/user_settings.h`.
 
 ## Configuration (Legacy IDF install)
 
@@ -161,13 +192,13 @@ C:\SysGCC\esp32\esp-idf>git clone -b v5.0.2 --recursive https://github.com/espre
 
  For question please email [support@wolfssl.com]
 
- Note: This is tested with :  
+ Note: This is tested with :
    - OS: Ubuntu 20.04.3 LTS
    - Microsoft Windows 10 Pro 10.0.19041 / Windows 11 Pro 22H2 22621.2715
    - Visual Studio 2022 17.7.6 with VisualGDB 5.6R9 (build 4777)
    - WSL 1 Ubuntu 22.04.3 LTS
-   - ESP-IDF: ESP-IDF v5.1
-   - SoC Module : all those supported in ESP-IDF v5.1
+   - ESP-IDF: ESP-IDF v5.2
+   - SoC Module : all those supported in ESP-IDF v5.2
 
 ## JTAG Debugging Notes
 
@@ -204,3 +235,15 @@ ftdi layout_signal nSRST -data 0x0020
 reset_config srst_push_pull trst_push_pull
 
 ```
+
+## Windows long paths
+
+Check "Long Paths Enabled" in Windows registry.
+
+Please set registry HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled to 1.
+
+The operation requires Administrator privileges. Command:
+
+```powershell
+powershell -Command "&{ Start-Process -FilePath reg 'ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f' -Verb runAs}"
+```

IDE/Espressif/ESP-IDF/README_32se.md

@@ -10,7 +10,7 @@ Including the following examples:
  The `user_settings.h` file enables some of the hardened settings.
 
 ## Requirements
-1. ESP-IDF development framework: https://docs.espressif.com/projects/esp-idf/en/latest/get-started/
+1. ESP-IDF development framework: https://github.com/espressif/esp-idf
 
 2. Microchip CryptoAuthentication Library: https://github.com/MicrochipTech/cryptoauthlib
 

IDE/Espressif/ESP-IDF/compileAllExamples.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 #
 # testing script: compileAllExamples
 #

IDE/Espressif/ESP-IDF/dummy_config_h

@@ -1,6 +1,6 @@
 /* config.h - dummy
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/Espressif/ESP-IDF/dummy_test_paths.h

@@ -1,6 +1,6 @@
 /* wolfcrypt/test/test_paths.h
  *
- * Copyright (C) 2006-2023 wolfSSL Inc.
+ * Copyright (C) 2006-2024 wolfSSL Inc.
  *
  * This file is part of wolfSSL.
  *

IDE/Espressif/ESP-IDF/examples/README.md

@@ -10,9 +10,9 @@ These are the core examples for wolfSSL:
 
 - [Test](./wolfssl_test/README.md)
 
-- [TLS Client](./wolfssl_client/README.md)
+- [TLS Client](./wolfssl_client/README.md). See also [CLI Client](https://github.com/wolfSSL/wolfssl/tree/master/examples/client) and [more TLS examples](https://github.com/wolfSSL/wolfssl-examples/tree/master/tls).
 
-- [TLS Server](./wolfssl_server/README.md)
+- [TLS Server](./wolfssl_server/README.md). See also [CLI Server](https://github.com/wolfSSL/wolfssl/tree/master/examples/server)
 
 ## Other Espressif wolfSSL Examples
 
@@ -44,7 +44,7 @@ TLS1.3 Linux Client to Linux Server: `TLS_AES_128_GCM_SHA256` (default)
 ./examples/client/client -v 4 -h 127.0.0.1 -p 11111 -A ./certs/ca-cert.pem
 ```
 
-TLS1.2 Linux Server 
+TLS1.2 Linux Server
 ```
 ./examples/server/server -v 3 -b -d -p 11111 -c ./certs/server-cert.pem -k ./certs/server-key.pem
 ```
@@ -71,14 +71,14 @@ There's an additional example that uses wolfSSL installed as a component to the
 
 ## Installing wolfSSL for Espressif projects
 
-[Core examples](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples) 
-have a local `components/wolfssl` directory with a special CMakeFile.txt that does not require 
+[Core examples](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples)
+have a local `components/wolfssl` directory with a special CMakeFile.txt that does not require
 wolfSSL to be installed.
 
-If you want to install wolfSSL, see the setup for [wolfSSL](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF#setup-for-linux) 
+If you want to install wolfSSL, see the setup for [wolfSSL](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF#setup-for-linux)
 and [wolfSSH](https://github.com/wolfSSL/wolfssh/tree/master/ide/Espressif#setup-for-linux).
 
-The [Espressif Managed Component for wolfSSL](https://components.espressif.com/components/wolfssl/wolfssl)
+The [Espressif Managed Component for wolfSSL](https://www.wolfssl.com/wolfssl-now-available-in-espressif-component-registry/)
 also installs source code locally, instead of pointing to a source repository.
 
 ## VisualGDB
@@ -114,7 +114,4 @@ It may be helpful to also delete the `sdkconfig` file. (Save a backup if you've
 
 - esp32.com: [GPIO6,GPIO7,GPIO8,and GPIO9 changed for ESP32-WROOM-32E](https://esp32.com/viewtopic.php?t=29058)
 
-See also [this ESP-FAQ Handbook](https://docs.espressif.com/projects/esp-faq/en/latest/esp-faq-en-master.pdf).
-
-
-
+See also the `ESP-FAQ Handbook`.

IDE/Espressif/ESP-IDF/examples/template/CMakeLists.txt

@@ -1,10 +1,13 @@
 # wolfSSL Espressif Example Project CMakeLists.txt
-#   v1.0
+#   v1.3
 #
 # The following lines of boilerplate have to be in your project's
 # CMakeLists in this exact order for cmake to work correctly
 cmake_minimum_required(VERSION 3.16)
 
+# Optional no watchdog typically used for test & benchmark
+add_compile_options(-DWOLFSSL_ESP_NO_WATCHDOG=1)
+
 # The wolfSSL CMake file should be able to find the source code.
 # Otherwise, assign an environment variable or set it here:
 #
@@ -68,6 +71,12 @@ else()
     message(STATUS "No conflicting wolfSSL components found.")
 endif()
 
+# Ensure the this wolfSSL component directory is included
+set(WOLFSSL_PATH "${CMAKE_HOME_DIRECTORY}/components/wolfssl")
+list(APPEND EXTRA_COMPONENT_DIRS ${WOLFSSL_PATH})
+
+# Not only is a project-level "set(COMPONENTS" not needed here, this will cause
+# an unintuitive error about  Unknown CMake command "esptool_py_flash_project_args".
 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 
 project(wolfssl_template)

IDE/Espressif/ESP-IDF/examples/template/README.md

@@ -7,11 +7,11 @@ For general information on [wolfSSL examples for Espressif](../README.md), see t
 
 ### Prerequisites
 
-It is assumed the [ESP-IDF environment](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/get-started/) has been installed.
+It is assumed the [ESP-IDF environment](Espressifget-started/) has been installed.
 
 ### Files Included
 
-- [main.c](./main/main.c) with a simple call to an Espressif library (`ESP_LOGI`) and a call to a wolfSSL library (`esp_ShowExtendedSystemInfo`) . 
+- [main.c](./main/main.c) with a simple call to an Espressif library (`ESP_LOGI`) and a call to a wolfSSL library (`esp_ShowExtendedSystemInfo`) .
 
 - See [components/wolfssl/include](./components/wolfssl/include/user_settings.h) directory to edit the wolfSSL `user_settings.h`.
 
@@ -19,7 +19,7 @@ It is assumed the [ESP-IDF environment](https://docs.espressif.com/projects/esp-
 
 - The [components/wolfssl/CMakeLists.txt](./components/wolfssl/CMakeLists.txt) typically does not need to be changed.
 
-- Optional [VisualGDB Project](./VisualGDB/wolfssl_template_IDF_v5.1_ESP32.vgdbproj) for Visual Studio using ESP32 and ESP-IDF v5.1.
+- Optional [VisualGDB Project](./VisualGDB/README.md) for Visual Studio using ESP32 and ESP-IDF v5.2. See also [template](../template/VisualGDB/README.md) for other devices.
 
 - Edit the project [CMakeLists.txt](./CMakeLists.txt) to optionally point this project's wolfSSL component source code at a different directory:
 
@@ -30,12 +30,12 @@ set(WOLFSSL_ROOT "~/workspace/wolfssl-other-source")
 
 ## Getting Started:
 
-Here's an example using the command-line [idf.py](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/tools/idf-py.html).
+Here's an example using the command-line [idf.py](Espressifapi-guides/tools/idf-py.html).
 
 Edit your `WRK_IDF_PATH`to point to your ESP-IDF install directory.
 
 ```
-WRK_IDF_PATH=/mnt/c/SysGCC/esp32/esp-idf/v5.1
+WRK_IDF_PATH=/mnt/c/SysGCC/esp32/esp-idf/v5.2
 
 echo "Run export.sh from ${WRK_IDF_PATH}"
 . ${WRK_IDF_PATH}/export.sh
@@ -53,7 +53,7 @@ idf.py flash -p /dev/ttyS19 -b 115200
 idf.py flash -p /dev/ttyS19 -b 115200 monitor
 ```
 
-Press `Ctrl+]` to exit `idf.py monitor`. See [additional monitor keyboard commands](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/tools/idf-monitor.html).
+Press `Ctrl+]` to exit `idf.py monitor`. See [additional monitor keyboard commands](Espressifapi-guides/tools/idf-monitor.html).
 
 ## Other Examples:
 

IDE/Espressif/ESP-IDF/examples/template/VisualGDB/wolfssl_template_IDF_v5.1_ESP32.vgdbproj

@@ -18,7 +18,7 @@
     <ToolchainID>
       <ID>com.visualgdb.xtensa-esp32-elf</ID>
       <Version>
-        <GCC>12.2.0</GCC>
+        <GCC>13.2.0</GCC>
         <GDB>12.1</GDB>
         <Revision>1</Revision>
       </Version>
@@ -67,8 +67,8 @@
       <EnableFastUpToDateCheck>true</EnableFastUpToDateCheck>
       <ESPIDFExtension>
         <IDFCheckout>
-          <Version>release/v5.1</Version>
-          <Subdirectory>esp-idf/v5.1</Subdirectory>
+          <Version>release/v5.2</Version>
+          <Subdirectory>esp-idf/v5.2</Subdirectory>
           <Type>ESPIDF</Type>
         </IDFCheckout>
         <COMPort>COM37</COMPort>

IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/CMakeLists.txt

@@ -1,34 +1,163 @@
 #
-#  Copyright (C) 2006-2023 wolfSSL Inc.
+# Copyright (C) 2006-2024 wolfSSL Inc.
 #
-#  This file is part of wolfSSL.
+# This file is part of wolfSSL.
 #
-#  wolfSSL is free software; you can redistribute it and/or modify
-#  it under the terms of the GNU General Public License as published by
-#  the Free Software Foundation; either version 2 of the License, or
-#  (at your option) any later version.
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
 #
-#  wolfSSL is distributed in the hope that it will be useful,
-#  but WITHOUT ANY WARRANTY; without even the implied warranty of
-#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#  GNU General Public License for more details.
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
 #
-#  You should have received a copy of the GNU General Public License
-#  along with this program; if not, write to the Free Software
-#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 #
 # cmake for wolfssl Espressif projects
 #
-# Version 5.6.0.011 for detect test/benchmark
+# Version 5.7.2 Espressif ESP-IDF integration
 #
 # See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/build-system.html
 #
-
+message(STATUS "Begin wolfssl ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}")
 cmake_minimum_required(VERSION 3.16)
+
+set(VERBOSE_COMPONENT_MESSAGES 1)
+
+# Optional requires include:
+# set(THIS_ESP_TLS "esp-tls")
+set(THIS_ESP_TLS "")
+
+# function: IS_ESP_IDF_COMPONENT
+#  output:    RESULT = 1 (true) if this component is located in the ESP-IDF components
+#             otherwise 0 (false)
+function( IS_ESP_IDF_COMPONENT  RESULT )
+    # NOTE: Component location is based on the location of the CMakeList.txt
+    # and *not* the location of the wolfSSL source code. (which may be anywhere)
+
+    # Normalize the paths to remove any trailing slashes
+    get_filename_component(NORMALIZED_IDF_PATH  "${IDF_PATH}"      REALPATH)
+    get_filename_component(NORMALIZED_TEST_PATH "${COMPONENT_DIR}" REALPATH)
+
+    # Check if the test path starts with the IDF_PATH
+    string(FIND "${NORMALIZED_TEST_PATH}" "${NORMALIZED_IDF_PATH}" pos)
+
+    if(${pos} EQUAL 0)
+        message(STATUS "${COMPONENT_DIR} is within IDF_PATH.")
+        set(${RESULT} 1 PARENT_SCOPE)
+    else()
+        message(STATUS "${COMPONENT_DIR} is not within IDF_PATH.")
+        set(${RESULT} 0 PARENT_SCOPE)
+    endif()
+endfunction()
+
+# Determine if this cmake file is located in the ESP-IDF component directory or not,
+# and if so, if it is being ignored (allowing the use of a local project one, instead).
+IS_ESP_IDF_COMPONENT( IS_WOLSSL_ESP_IDF_COMPONENT )
+if( IS_WOLSSL_ESP_IDF_COMPONENT )
+    message(STATUS "This wolfSSL is a component in ESP-IDF.")
+    if ( CONFIG_IGNORE_ESP_IDF_WOLFSSL_COMPONENT )
+        idf_component_register()
+        message(STATUS "Warning: wolfSSL component in ESP-IDF is being ignored.")
+        return()
+    endif()
+endif()
+
+
+if( "${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}" STREQUAL "" )
+    # nothing to do
+else()
+    # Only forward slashes, or double backslashes are supported.
+    # By the time we get here the sdkconfig file has a value for wolfSSL source code root.
+    string(REPLACE "\\" "/" CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT})
+    message(STATUS "Cleaned wolfssl path: ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}")
+endif()
+
+# The scope of this CMAKE_C_FLAGS is just this component:
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DWOLFSSL_USER_SETTINGS")
+
 set(CMAKE_CURRENT_SOURCE_DIR ".")
-set(COMPONENT_REQUIRES lwip) # we typically don't need lwip directly in wolfssl component
-set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" )
+# set(COMPONENT_REQUIRES lwip) # we typically don't need lwip directly in wolfssl component
+
+# Optionally set your source to wolfSSL in your project CMakeLists.txt like this:
+# set(WOLFSSL_ROOT "c:/test/my_wolfssl" )
+
+if ( "${WOLFSSL_ROOT}" STREQUAL "")
+    set(WOLFSSL_ROOT "$ENV{WOLFSSL_ROOT}" )
+endif()
+
+if(  "$ENV{IDF_PATH}" STREQUAL "" )
+    message(FATAL_ERROR "IDF_PATH Environment variable not set!")
+else()
+    string(REPLACE "\\" "/" THIS_IDF_PATH "$ENV{IDF_PATH}")
+endif()
+
+# Optional compiler definitions to help with system name detection (typically printed by app diagnostics)
+if(VERBOSE_COMPONENT_MESSAGES)
+    if(WIN32)
+        # Windows-specific configuration here
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WINDOWS")
+        message("Detected Windows")
+    endif()
+    if(CMAKE_HOST_UNIX)
+        message("Detected UNIX")
+    endif()
+    if(APPLE)
+        message("Detected APPLE")
+    endif()
+    if(CMAKE_HOST_UNIX AND (NOT APPLE) AND EXISTS "/proc/sys/fs/binfmt_misc/WSLInterop")
+        # Windows-specific configuration here
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_WSL")
+        message("Detected WSL")
+    endif()
+    if(CMAKE_HOST_UNIX AND (NOT APPLE) AND (NOT WIN32))
+        # Windows-specific configuration here
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_LINUX")
+        message("Detected Linux")
+    endif()
+    if(APPLE)
+        # Windows-specific configuration here
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_SYSTEM_NAME_APPLE")
+        message("Detected Apple")
+    endif()
+endif() # End optional WOLFSSL_CMAKE_SYSTEM_NAME
+
+message(STATUS "CONFIG_TARGET_PLATFORM = ${CONFIG_TARGET_PLATFORM}")
+
+# Check that there are not conflicting wolfSSL components
+# The ESP Registry Component will be in ./managed_components/wolfssl__wolfssl
+# The local component wolfSSL directory will be in ./components/wolfssl
+if( EXISTS "${CMAKE_HOME_DIRECTORY}/managed_components/wolfssl__wolfssl" AND EXISTS "${CMAKE_HOME_DIRECTORY}/components/wolfssl" )
+    # These exclude statements don't seem to be honored by the $ENV{IDF_PATH}/tools/cmake/project.cmake'
+    # add_subdirectory("${CMAKE_HOME_DIRECTORY}/managed_components/wolfssl__wolfssl" EXCLUDE_FROM_ALL)
+    # add_subdirectory("${CMAKE_HOME_DIRECTORY}/managed_components/wolfssl__wolfssl/include" EXCLUDE_FROM_ALL)
+    # So we'll error out and let the user decide how to proceed:
+    message(WARNING "\nFound wolfSSL components in\n"
+                    "./managed_components/wolfssl__wolfssl\n"
+                    "and\n"
+                    "./components/wolfssl\n"
+                    "in project directory: \n"
+                    "${CMAKE_HOME_DIRECTORY}")
+    message(FATAL_ERROR "\nPlease use either the ESP Registry Managed Component or the wolfSSL component directory but not both.\n"
+                        "If removing the ./managed_components/wolfssl__wolfssl directory, remember to also remove "
+                        "or rename the idf_component.yml file typically found in ./main/")
+else()
+    message(STATUS "No conflicting wolfSSL components found.")
+endif()
+
+
+# Don't include lwip requirement for benchmark and test apps.
+if( ("${CMAKE_PROJECT_NAME}" STREQUAL "wolfssl_benchmark") OR ("${CMAKE_PROJECT_NAME}" STREQUAL "wolfssl_test") )
+    message(STATUS "Not including lwip for ${CMAKE_PROJECT_NAME}")
+else()
+    # benchmark and test do not need wifi, everything else probably does:
+    set(COMPONENT_REQUIRES lwip "${THIS_ESP_TLS}") # we typically don't need lwip directly in wolfssl component
+endif()
 
 # find the user name to search for possible "wolfssl-username"
 message(STATUS "USERNAME = $ENV{USERNAME}")
@@ -45,6 +174,30 @@ else()
 endif()
 message(STATUS "THIS_USER = ${THIS_USER}")
 
+if( "$ENV{IDF_PATH}" STREQUAL "" )
+    message(FATAL_ERROR "IDF_PATH Environment variable not set!")
+else()
+    string(REPLACE "\\" "/" THIS_IDF_PATH "$ENV{IDF_PATH}")
+endif()
+
+# ENVIRONMENT_VAR_TO_MACRO
+# Check environment variable name EVARPARAM as [name]
+# If defined, and has a value of EVARVALUE as [value],
+# then assign a compiler definition "-D[name]=[value]"
+function(ENVIRONMENT_VAR_TO_MACRO EVARPARAM EVARVALUE)
+    # If the EVARPARAM environment variable name is set to EVARVALUE,
+    # set the compiler flag definition to enable CSV output.
+    if ( "$ENV{${EVARPARAM}}" STREQUAL "${EVARVALUE}")
+        message(STATUS "Appending compile definition: -D${EVARPARAM}=${EVARVALUE}")
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D${EVARPARAM}=${EVARVALUE}")
+    else()
+        if(DEFINED ENV{${EVARPARAM}})
+            message(STATUS "Environment variable ${EVARPARAM} detected but set to $ENV{${EVARPARAM}}, not appending compile definition.")
+        else()
+            message(STATUS "Environment variable ${EVARPARAM} not detected, not appending compile definition.")
+        endif()
+    endif()
+endfunction()
 
 # COMPONENT_NAME = wolfssl
 # The component name is the directory name. "No feature to change this".
@@ -63,7 +216,8 @@ message(STATUS "THIS_USER = ${THIS_USER}")
 # function: IS_WOLFSSL_SOURCE
 #  parameter: DIRECTORY_PARAMETER - the directory to test
 #  output:    RESULT = contains contents of DIRECTORY_PARAMETER for wolfssl directory, otherwise blank.
-function(IS_WOLFSSL_SOURCE DIRECTORY_PARAMETER RESULT)
+function( IS_WOLFSSL_SOURCE  DIRECTORY_PARAMETER
+          RESULT )
     if (EXISTS "${DIRECTORY_PARAMETER}/wolfcrypt/src")
         set(${RESULT} "${DIRECTORY_PARAMETER}" PARENT_SCOPE)
     else()
@@ -71,27 +225,71 @@ function(IS_WOLFSSL_SOURCE DIRECTORY_PARAMETER RESULT)
     endif()
 endfunction()
 
+# *********************************************************************************************
 # function: FIND_WOLFSSL_DIRECTORY
 #  parameter: OUTPUT_FOUND_WOLFSSL_DIRECTORY contains root of source code, otherwise blank
 #
+# Example usage:
+#   FIND_WOLFSSL_DIRECTORY(WOLFSSL_ROOT)
+# *********************************************************************************************
 function(FIND_WOLFSSL_DIRECTORY OUTPUT_FOUND_WOLFSSL_DIRECTORY)
-    message(STATUS "Starting FIND_WOLFSSL_DIRECTORY")
-    set(CURRENT_SEARCH_DIR "$ENV{WOLFSSL_ROOT}")
-    if( "${CURRENT_SEARCH_DIR}" STREQUAL "" )
-        message(STATUS "The WOLFSSL_ROOT environment variable is not set. Searching...")
+    message(STATUS "Starting FIND_WOLFSSL_DIRECTORY: ${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}")
+
+    if ( "${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}" STREQUAL "" )
+        # The parameter is empty, so we certainly need to search.
+        # First, see if there's an environment variable. This takes highest priority (unless already found as hard-coded, above)
+        set(CURRENT_SEARCH_DIR "$ENV{WOLFSSL_ROOT}")
+        if( "${CURRENT_SEARCH_DIR}" STREQUAL "" )
+            message(STATUS "The WOLFSSL_ROOT environment variable is not set. Searching...")
+            # Next, if not found, see if wolfSSL was selected for ESP-TLS Kconfig
+            if(CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT)
+                set(CURRENT_SEARCH_DIR ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT})
+                get_filename_component(CURRENT_SEARCH_DIR "${CURRENT_SEARCH_DIR}" ABSOLUTE)
+                message(STATUS "WOLFSSL_ROOT found in sdkconfig/KConfig: ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}")
+            else()
+                message(STATUS "wolfSSL not defined in [Component Config] [wolfssl]. Continuing search...")
+                # If not specified as a search hint in OUTPUT_FOUND_WOLFSSL_DIRECTORY:
+                # This wolfSSL component CMakeLists.txt may be found EITHER in:
+                #   1) local project component
+                #   2) ESP-IDF share components
+                # We'll start in the CMAKE_CURRENT_SOURCE_DIR, typically [something]/projectname/components/wolfssl
+                # That option might find wolfSSL source code as a copy in the component directory (e.g. Managed Components)
+                # Unless cmake is in the ESP-IDF, in which case it is unlikely to find wolfSSL source in any parent.
+                message(STATUS "CMAKE_CURRENT_SOURCE_DIR = ${CMAKE_CURRENT_SOURCE_DIR}")
+                get_filename_component(CURRENT_SEARCH_DIR "${CMAKE_CURRENT_SOURCE_DIR}" ABSOLUTE)
+                message(STATUS "CURRENT_SEARCH_DIR = ${CURRENT_SEARCH_DIR}")
+                string(LENGTH ${CURRENT_SEARCH_DIR} CURRENT_SEARCH_DIR_LENGTH)
+            endif() # CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT
+        endif() # check environment var blank
     else()
-        get_filename_component(CURRENT_SEARCH_DIR "$ENV{WOLFSSL_ROOT}" ABSOLUTE)
+        message(STATUS "Parameter found for FIND_WOLFSSL_DIRECTORY")
+        message(STATUS "Setting wolfSSL search directory to: ${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}")
+        set(CURRENT_SEARCH_DIR "${${OUTPUT_FOUND_WOLFSSL_DIRECTORY}}")
+    endif() # parameter empty
+
+    # Check to see if we found a path in environment or config settings, above.
+    if( "${CURRENT_SEARCH_DIR}" STREQUAL "" )
+        message(STATUS "Source for wolfSSL not specified in path nor config settings.")
+        # We'll continue the search by recursing up the directory tree, below.
+    else()
+        # Setting found! Does it contain a valid path?
+        string(REPLACE "\\" "/" CURRENT_SEARCH_DIR ${CURRENT_SEARCH_DIR})
+        get_filename_component(CURRENT_SEARCH_DIR "${CURRENT_SEARCH_DIR}" ABSOLUTE)
         IS_WOLFSSL_SOURCE("${CURRENT_SEARCH_DIR}" FOUND_WOLFSSL)
         if( FOUND_WOLFSSL )
-            message(STATUS "Found WOLFSSL_ROOT via Environment Variable: ${CURRENT_SEARCH_DIR}")
+            message(STATUS "Found wolfSSL source code via setting: ${CURRENT_SEARCH_DIR}")
             set(${OUTPUT_FOUND_WOLFSSL_DIRECTORY} ${CURRENT_SEARCH_DIR} PARENT_SCOPE)
             return()
         else()
-            message(FATAL_ERROR "WOLFSSL_ROOT Environment Variable defined, but path not found:")
-            message(STATUS "$ENV{WOLFSSL_ROOT}")
+            if(WIN32)
+                message(STATUS "When specifying a path for Windows, use forward slahes, or double backslashes.")
+            endif()
+            message(STATUS "CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT sdkconfig setting = ${CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT}")
+            message(STATUS "WOLFSSL_ROOT Variable defined, but source code not found: ${CURRENT_SEARCH_DIR}")
         endif()
     endif()
 
+
     # we'll start in the CMAKE_CURRENT_SOURCE_DIR, typically [something]/projectname/components/wolfssl
     message(STATUS "CMAKE_CURRENT_SOURCE_DIR = ${CMAKE_CURRENT_SOURCE_DIR}")
     get_filename_component(CURRENT_SEARCH_DIR "${CMAKE_CURRENT_SOURCE_DIR}" ABSOLUTE)
@@ -109,16 +307,47 @@ function(FIND_WOLFSSL_DIRECTORY OUTPUT_FOUND_WOLFSSL_DIRECTORY)
             return()
         endif()
 
+        # Maintain CURRENT_SEARCH_DIR, but check various suffixes with CURRENT_SEARCH_DIR_ALT
         if( THIS_USER )
             # Check for "wolfssl-[username]" subdirectory as we recurse up the directory tree
             set(CURRENT_SEARCH_DIR_ALT ${CURRENT_SEARCH_DIR}/wolfssl-${THIS_USER})
-            message(STATUS "Looking in ${CURRENT_SEARCH_DIR}")
+            message(STATUS "Looking in ${CURRENT_SEARCH_DIR_ALT}")
 
-            #if(EXISTS ${CURRENT_SEARCH_DIR_ALT} AND IS_DIRECTORY ${CURRENT_SEARCH_DIR_ALT} AND EXISTS "${CURRENT_SEARCH_DIR_ALT}/wolfcrypt/src")
             IS_WOLFSSL_SOURCE("${CURRENT_SEARCH_DIR_ALT}" FOUND_WOLFSSL )
             if ( FOUND_WOLFSSL )
-               message(STATUS "Found wolfssl in user-suffix CURRENT_SEARCH_DIR_ALT = ${CURRENT_SEARCH_DIR_ALT}")
-                set(${OUTPUT_FOUND_WOLFSSL_DIRECTORY} ${CURRENT_SEARCH_DIR_ALT} PARENT_SCOPE)
+                message(STATUS "Found wolfssl in user-suffix CURRENT_SEARCH_DIR_ALT = ${CURRENT_SEARCH_DIR_ALT}")
+                set(CURRENT_SEARCH_DIR "${CURRENT_SEARCH_DIR_ALT}")
+                set(${OUTPUT_FOUND_WOLFSSL_DIRECTORY} ${CURRENT_SEARCH_DIR} PARENT_SCOPE)
+                return()
+            endif()
+        endif()
+
+        if ( FOUND_WOLFSSL )
+            # if we already found the source, skip attempt of "wolfssl-master"
+        else()
+            set(CURRENT_SEARCH_DIR_ALT ${CURRENT_SEARCH_DIR}/wolfssl-master)
+            message(STATUS "Looking in ${CURRENT_SEARCH_DIR_ALT}")
+
+            IS_WOLFSSL_SOURCE("${CURRENT_SEARCH_DIR_ALT}" FOUND_WOLFSSL )
+            if ( FOUND_WOLFSSL )
+                message(STATUS "Found wolfssl in master-suffix CURRENT_SEARCH_DIR_ALT = ${CURRENT_SEARCH_DIR_ALT}")
+                set(CURRENT_SEARCH_DIR "${CURRENT_SEARCH_DIR_ALT}")
+                set(${OUTPUT_FOUND_WOLFSSL_DIRECTORY} ${CURRENT_SEARCH_DIR} PARENT_SCOPE)
+                return()
+            endif()
+        endif()
+
+        if ( FOUND_WOLFSSL )
+            # if we already found the source, skip attempt of "wolfssl"
+        else()
+            set(CURRENT_SEARCH_DIR_ALT ${CURRENT_SEARCH_DIR}/wolfssl)
+            message(STATUS "Looking in ${CURRENT_SEARCH_DIR_ALT}")
+
+            IS_WOLFSSL_SOURCE("${CURRENT_SEARCH_DIR_ALT}" FOUND_WOLFSSL )
+            if ( FOUND_WOLFSSL )
+                message(STATUS "Found wolfssl in CURRENT_SEARCH_DIR_ALT = ${CURRENT_SEARCH_DIR_ALT}")
+                set(CURRENT_SEARCH_DIR "${CURRENT_SEARCH_DIR_ALT}")
+                set(${OUTPUT_FOUND_WOLFSSL_DIRECTORY} ${CURRENT_SEARCH_DIR} PARENT_SCOPE)
                 return()
             endif()
         endif()
@@ -138,7 +367,8 @@ function(FIND_WOLFSSL_DIRECTORY OUTPUT_FOUND_WOLFSSL_DIRECTORY)
         get_filename_component(CURRENT_SEARCH_DIR "${CURRENT_SEARCH_DIR}" DIRECTORY)
         message(STATUS "Next CURRENT_SEARCH_DIR = ${CURRENT_SEARCH_DIR}")
         if( "${PRIOR_SEARCH_DIR}" STREQUAL "${CURRENT_SEARCH_DIR}" )
-            # when the search directory is empty, we'll give up
+            # When the parent is current directory, cannot go any further. We didn't find wolfssl.
+            # When the search directory is empty, we'll give up.
             set(CURRENT_SEARCH_DIR "")
         endif()
     endwhile()
@@ -149,17 +379,58 @@ endfunction()
 
 
 # Example usage:
+#
+# Simply find the WOLFSSL_DIRECTORY by searching parent directories:
+#   FIND_WOLFSSL_DIRECTORY(WOLFSSL_ROOT)
+#
 
+message(STATUS "CONFIG_TARGET_PLATFORM = ${CONFIG_TARGET_PLATFORM}")
 
+# Check for environment variable that may be assigned to macros
+ENVIRONMENT_VAR_TO_MACRO("GENERATE_MACHINE_PARSEABLE_REPORT" "1")
+ENVIRONMENT_VAR_TO_MACRO("WOLFSSL_BENCHMARK_FIXED_CSV"       "1")
 
+# Optional variable inspection
+if (0)
+    get_cmake_property(_variableNames VARIABLES)
+    list (SORT _variableNames)
+    message(STATUS "")
+    message(STATUS "ALL VARIABLES BEGIN")
+    message(STATUS "")
+    foreach (_variableName ${_variableNames})
+        message(STATUS "${_variableName}=${${_variableName}}")
+    endforeach()
+    message(STATUS "")
+    message(STATUS "ALL VARIABLES END")
+    message(STATUS "")
+endif()
+
+if ( ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") OR ("${IDF_TARGET}" STREQUAL "esp8266") )
+    # There's no esp_timer, no driver components for the ESP8266
+    message(STATUS "Early expansion EXCLUDES esp_timer for esp8266: ${THIS_INCLUDE_TIMER}")
+    message(STATUS "Early expansion EXCLUDES driver for esp8266: ${THIS_INCLUDE_DRIVER}")
+    set(THIS_INCLUDE_TIMER "")
+    set(THIS_INCLUDE_DRIVER "")
+    set(THIS_ESP_TLS "")
+else()
+    message(STATUS "Early expansion includes esp_timer: ${THIS_INCLUDE_TIMER}")
+    message(STATUS "Early expansion includes driver: ${THIS_INCLUDE_DRIVER}")
+    set(THIS_INCLUDE_TIMER "esp_timer")
+    set(THIS_INCLUDE_DRIVER "driver")
+    set(THIS_ESP_TLS "esp-tls")
+    # Let the app know that we've included the esp-tls component requirement.
+    # This is critical for use the the esp-tls component. See wolfssl esp_crt_bundle.c file.
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_REQUIRED_ESP_TLS=1")
+endif()
 
 if(CMAKE_BUILD_EARLY_EXPANSION)
     message(STATUS "wolfssl component CMAKE_BUILD_EARLY_EXPANSION:")
     idf_component_register(
                             REQUIRES "${COMPONENT_REQUIRES}"
                             PRIV_REQUIRES # esp_hw_support
-                                          esp_timer
-                                          driver # this will typically only be needed for wolfSSL benchmark
+                                          "${THIS_ESP_TLS}"
+                                          "${THIS_INCLUDE_TIMER}"
+                                          "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark
                            )
 
 else()
@@ -168,48 +439,99 @@ else()
     message(STATUS "wolfssl component config:")
     message(STATUS "************************************************************************************************")
 
+    if ( "${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266")
+        # There's no esp_timer, no driver components for the ESP8266
+        set(THIS_INCLUDE_TIMER "")
+        set(THIS_INCLUDE_DRIVER "")
+    else()
+        set(THIS_INCLUDE_TIMER "esp_timer")
+        set(THIS_INCLUDE_DRIVER "driver")
+    endif()
+
     # search for wolfSSL
     FIND_WOLFSSL_DIRECTORY(WOLFSSL_ROOT)
     if(WOLFSSL_ROOT)
-        message(STATUS "NEW Found wolfssl directory at: ${WOLFSSL_ROOT}")
+        IS_WOLFSSL_SOURCE("${WOLFSSL_ROOT}" FOUND_WOLFSSL)
+        if(FOUND_WOLFSSL)
+            message(STATUS "Found WOLFSSL_ROOT via CMake specification.")
+        else()
+            # WOLFSSL_ROOT Path specified in CMakeLists.txt is not a valid path
+            message(FATAL_ERROR "WOLFSSL_ROOT CMake Variable defined, but path not found: ${WOLFSSL_ROOT}\n"
+                                "Try correcting WOLFSSL_ROOT in your project CMakeFile.txt or setting environment variable.")
+            # Abort CMake after fatal error.
+        endif()
     else()
-        message(STATUS "NEW wolfssl directory not found.")
+        message(STATUS "Source code for wolfSSL still not found.")
+        message(STATUS "Searching from project home: ${CMAKE_HOME_DIRECTORY} ...")
+        set(WOLFSSL_ROOT "${CMAKE_HOME_DIRECTORY}")
+        FIND_WOLFSSL_DIRECTORY(WOLFSSL_ROOT)
+    endif()
+
+
+    if(WOLFSSL_ROOT)
+        message(STATUS "Confirmed wolfssl directory at: ${WOLFSSL_ROOT}")
+    else()
+        # Try to allow a more intuitive error that the source code was not found in cmake:
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_CMAKE_WARNING_SOURCE_NOT_FOUND")
+
+        message(STATUS "Failed: wolfssl source code directory not found.")
         # Abort. We need wolfssl _somewhere_.
-        message(FATAL_ERROR "Could not find wolfssl in ${WOLFSSL_ROOT}.\n"
-                            "Try setting WOLFSSL_ROOT environment variable or git clone.")
+        message(STATUS "")
+        message(STATUS "")
+        message(STATUS "Could not find wolfssl in any parent directory named wolfssl-${THIS_USER}, wolfssl-master, or wolfssl.\n"
+                       "Try setting WOLFSSL_ROOT environment variable, cmake variable in project, copy source, or use managed components.")
+        message(STATUS "")
+        message(STATUS "")
+        # Abort CMake after fatal error. (or not?)
     endif()
 
     set(INCLUDE_PATH ${WOLFSSL_ROOT})
 
     set(WOLFSSL_EXTRA_PROJECT_DIR "${WOLFSSL_ROOT}/src/")
 
-    if( ${CMAKE_PROJECT_NAME} STREQUAL "wolfssl_benchmark" )
-        set(WOLFSSL_EXTRA_PROJECT_DIR "${WOLFSSL_ROOT}/wolfcrypt/benchmark")
-    endif()
-
-    if( ${CMAKE_PROJECT_NAME} STREQUAL "wolfssl_test" )
-        set(WOLFSSL_EXTRA_PROJECT_DIR "${WOLFSSL_ROOT}/wolfcrypt/test")
+    # During regression tests, optionally copy source locally and use: set(USE_LOCAL_TEST_BENCH 1)
+    set(USE_LOCAL_TEST_BENCH 0)
+    if(NOT USE_LOCAL_TEST_BENCH)
+        if( "${CMAKE_PROJECT_NAME}" STREQUAL "hello-world" )
+            message(STATUS "Include ${WOLFSSL_ROOT}/wolfcrypt/benchmark")
+            set(WOLFSSL_EXTRA_PROJECT_DIR "${WOLFSSL_ROOT}/wolfcrypt/benchmark")
+        endif()
+
+        if( "${CMAKE_PROJECT_NAME}" STREQUAL "wolfssl_benchmark" )
+            message(STATUS "Include ${WOLFSSL_ROOT}/wolfcrypt/benchmark")
+            set(WOLFSSL_EXTRA_PROJECT_DIR "${WOLFSSL_ROOT}/wolfcrypt/benchmark")
+        endif()
+
+        if( "${CMAKE_PROJECT_NAME}" STREQUAL "wolfssl_test" )
+            message(STATUS "Include ${WOLFSSL_ROOT}/wolfcrypt/test")
+            set(WOLFSSL_EXTRA_PROJECT_DIR "${WOLFSSL_ROOT}/wolfcrypt/test")
+        endif()
     endif()
 
+    message(STATUS "WOLFSSL_EXTRA_PROJECT_DIR = ${WOLFSSL_EXTRA_PROJECT_DIR}")
     set(COMPONENT_SRCDIRS "\"${WOLFSSL_ROOT}/src/\""
                           "\"${WOLFSSL_ROOT}/wolfcrypt/src\""
                           "\"${WOLFSSL_ROOT}/wolfcrypt/src/port/Espressif\""
+                          "\"${WOLFSSL_ROOT}/wolfcrypt/src/port/Espressif/esp_crt_bundle\""
                           "\"${WOLFSSL_ROOT}/wolfcrypt/src/port/atmel\""
                           "\"${WOLFSSL_EXTRA_PROJECT_DIR}\""
                          ) # COMPONENT_SRCDIRS
 
     message(STATUS "This COMPONENT_SRCDIRS = ${COMPONENT_SRCDIRS}")
 
+    # wolfSSL user_settings.h may be in the local project.
+    # TODO check if exists and possibly set to ESP-IDF
     set(WOLFSSL_PROJECT_DIR "${CMAKE_HOME_DIRECTORY}/components/wolfssl")
-    add_definitions(-DWOLFSSL_USER_SETTINGS_DIR="${WOLFSSL_PROJECT_DIR}/include/user_settings.h")
-
 
+    string(REPLACE "/" "//" STR_WOLFSSL_PROJECT_DIR "${WOLFSSL_PROJECT_DIR}")
+    add_definitions(-DWOLFSSL_USER_SETTINGS_DIR="${STR_WOLFSSL_PROJECT_DIR}/include/user_settings.h")
+    message(STATUS "Added definition for user_settings.h: -DWOLFSSL_USER_SETTINGS_DIR=\"${STR_WOLFSSL_PROJECT_DIR}//include//user_settings.h\"")
     # Espressif may take several passes through this makefile. Check to see if we found IDF
     string(COMPARE EQUAL "${PROJECT_SOURCE_DIR}" "" WOLFSSL_FOUND_IDF)
 
     # get a list of all wolfcrypt assembly files; we'll exclude them as they don't target Xtensa
     file(GLOB EXCLUDE_ASM *.S)
-    file(GLOB_RECURSE EXCLUDE_ASM ${CMAKE_SOURCE_DIR} "${WOLFSSL_ROOT}/wolfcrypt/src/*.S")
+    file(GLOB EXCLUDE_ASM ${CMAKE_SOURCE_DIR} "${WOLFSSL_ROOT}/wolfcrypt/src/*.S")
 
     message(STATUS "IDF_PATH = $ENV{IDF_PATH}")
     message(STATUS "PROJECT_SOURCE_DIR = ${PROJECT_SOURCE_DIR}")
@@ -232,11 +554,12 @@ else()
         message(STATUS "Remove either the local project component: ${WOLFSSL_PROJECT_DIR} ")
         message(STATUS "or the Espressif shared component installed at: $ENV{IDF_PATH}/components/wolfssl/ ")
         message(STATUS "")
-        message(FATAL_ERROR "Please use wolfSSL in either local project or Espressif components, but not both.")
         message(STATUS "")
         message(STATUS "**************************************************************************************")
         message(STATUS "")
 
+        message(STATUS "Please use wolfSSL in either local project or Espressif components, but not both.")
+
         # Optional: if you change the above FATAL_ERROR to STATUS you can warn at runtime with this macro definition:
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_MULTI_INSTALL_WARNING")
 
@@ -286,6 +609,7 @@ else()
                         message(FATAL_ERROR "Found stray wolfSSL user_settings.h in "
                                             "${WOLFSSL_ROOT}/include/user_settings.h "
                                             " (please move it to ${WOLFSSL_PROJECT_DIR}/include/user_settings.h )")
+                        # Abort CMake after fatal error.
                     else()
                         # we won't overwrite an existing user settings file, just note that we already have one:
                         if( EXISTS "${WOLFSSL_PROJECT_DIR}/include/user_settings.h" )
@@ -342,7 +666,9 @@ else()
     # depending on the environment, we may need to swap backslashes with forward slashes
     string(REPLACE "\\" "/" RTOS_IDF_PATH "$ENV{IDF_PATH}/components/freertos/FreeRTOS-Kernel/include/freertos")
 
-    string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT})
+	if(WOLFSSL_ROOT)
+	    string(REPLACE "\\" "/" WOLFSSL_ROOT ${WOLFSSL_ROOT})
+	endif()
 
     if(IS_DIRECTORY "${RTOS_IDF_PATH}")
         message(STATUS "Found current RTOS path: ${RTOS_IDF_PATH}")
@@ -355,17 +681,22 @@ else()
             message(STATUS "Could not find RTOS path")
         endif()
     endif()
-
-
+    message(STATUS "THIS_IDF_PATH = $THIS_IDF_PATH")
+    # wolfSSL-specific include directories
     set(COMPONENT_ADD_INCLUDEDIRS
-        "./include" # this is the location of wolfssl user_settings.h
+        "./include" # this is the location of local project wolfssl user_settings.h
         "\"${WOLFSSL_ROOT}/\""
         "\"${WOLFSSL_ROOT}/wolfssl/\""
         "\"${WOLFSSL_ROOT}/wolfssl/wolfcrypt/\""
+        "\"${WOLFSSL_ROOT}/wolfssl/wolfcrypt/port/Espressif\""
         "\"${RTOS_IDF_PATH}/\""
+        # wolfSSL release after v5.7 includes WiFi, time, and mem/debug helpers
+        "${THIS_IDF_PATH}/components/esp_event/include"
+        "${THIS_IDF_PATH}/components/esp_netif/include"
+        "${THIS_IDF_PATH}/components/esp_wifi/include"
         )
 
-
+    # Optionally include cryptoauthlib if present
     if(IS_DIRECTORY ${IDF_PATH}/components/cryptoauthlib)
         list(APPEND COMPONENT_ADD_INCLUDEDIRS "../cryptoauthlib/lib")
     endif()
@@ -374,7 +705,7 @@ else()
     list(APPEND COMPONENT_ADD_INCLUDEDIRS "\"${WOLFSSL_ROOT}/wolfssl/wolfcrypt/\"")
 
 
-
+    # Some files are known to be included elsewhere, or not used for Espressif
     set(COMPONENT_SRCEXCLUDE
         "\"${WOLFSSL_ROOT}/src/bio.c\""
         "\"${WOLFSSL_ROOT}/src/conf.c\""
@@ -384,9 +715,14 @@ else()
         "\"${WOLFSSL_ROOT}/src/ssl_bn.c\""      # included by ssl.c
         "\"${WOLFSSL_ROOT}/src/ssl_certman.c\"" # included by ssl.c
         "\"${WOLFSSL_ROOT}/src/ssl_crypto.c\""  # included by ssl.c
+        "\"${WOLFSSL_ROOT}/src/ssl_load.c\""    # included by ssl.c
         "\"${WOLFSSL_ROOT}/src/ssl_misc.c\""    # included by ssl.c
+        "\"${WOLFSSL_ROOT}/src/ssl_p7p12.c\""   # included by ssl.c
+        "\"${WOLFSSL_ROOT}/src/ssl_sess.c\""    # included by ssl.c
         "\"${WOLFSSL_ROOT}/src/x509.c\""
         "\"${WOLFSSL_ROOT}/src/x509_str.c\""
+        "\"${WOLFSSL_ROOT}/wolfcrypt/src/ext_kyber.c\""     # external non-wolfssl Kyber disabled by default
+        "\"${WOLFSSL_ROOT}/wolfssl/wolfcrypt/ext_kyber.h\"" # external non-wolfssl Kyber disabled by default
         "\"${WOLFSSL_ROOT}/wolfcrypt/src/evp.c\""
         "\"${WOLFSSL_ROOT}/wolfcrypt/src/misc.c\""
         "\"${WOLFSSL_ROOT}/wolfcrypt/src/sp_sm2_arm32.c\""
@@ -397,6 +733,7 @@ else()
         "\"${WOLFSSL_ROOT}/wolfcrypt/src/sp_sm2_cortexm.c\""
         "\"${WOLFSSL_ROOT}/wolfcrypt/src/sp_sm2_x86_64.c\""
         "\"${WOLFSSL_ROOT}/wolfcrypt/src/sp_sm2_x86_64_asm.S\""
+        "\"${WOLFSSL_ROOT}/examples\"" # Examples are distributed in Managed Components, but not part of a project.
         "\"${EXCLUDE_ASM}\""
         )
 
@@ -418,22 +755,144 @@ else()
     # see https://docs.espressif.com/projects/esp-idf/en/stable/esp32/migration-guides/release-5.x/build-system.html?highlight=space%20path
     #
     set(EXTRA_COMPONENT_DIRS "${COMPONENT_SRCDIRS}")
-    idf_component_register(
-                            SRC_DIRS "${COMPONENT_SRCDIRS}"
-                            INCLUDE_DIRS "${COMPONENT_ADD_INCLUDEDIRS}"
-                            REQUIRES "${COMPONENT_REQUIRES}"
-                            EXCLUDE_SRCS "${COMPONENT_SRCEXCLUDE}"
-                            PRIV_REQUIRES esp_timer driver # this will typically only be needed for wolfSSL benchmark
-                           )
-    # some optional diagnostics
-    if (1)
+
+    if(WOLFSSL_ROOT)
+        # Only register the component if we found wolfSSL source.
+        # This is important to allow Cmake to finish to completion, otherwise the UI
+        # may not be able to display the Kconfig settings to fix a bad or missing source.
+        idf_component_register(
+                                SRC_DIRS "${COMPONENT_SRCDIRS}"
+                                INCLUDE_DIRS "${COMPONENT_ADD_INCLUDEDIRS}"
+                                REQUIRES "${COMPONENT_REQUIRES}"
+                                EXCLUDE_SRCS "${COMPONENT_SRCEXCLUDE}"
+                                PRIV_REQUIRES
+                                  "${THIS_ESP_TLS}"
+                                  "${THIS_INCLUDE_TIMER}"
+                                  "${THIS_INCLUDE_DRIVER}" # this will typically only be needed for wolfSSL benchmark
+                               )
+    else()
+        # Register the component simply to allow CMake to complete, but there's no wolfSSL source.
+        # Expect many other errors, but the project should at least be loadable and UI can edit Kconfig settings.
+        idf_component_register()
+        message(STATUS "Warning: wolfSSL component not registered as no source code found (WOLFSSL_ROOT is blank)")
+    endif()
+
+# function(WOLFSSL_INIT_CERT_BUNDLE)
+if( CONFIG_WOLFSSL_CERTIFICATE_BUNDLE
+    AND NOT CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE
+    AND NOT ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266")
+  )
+    if (CMAKE_BUILD_EARLY_EXPANSION)
+        message(ERROR "Bundle Cert initialization must occur during CMAKE_BUILD_EARLY_EXPANSION")
+    endif()
+    # reminder: we need a value for wolfSSL root first!
+    if( "${WOLFSSL_ROOT}" STREQUAL "" )
+        message(ERROR "Certificate bundles need a value for WOLFSSL_ROOT")
+    endif()
+    set(WOLFSSL_ESP_CRT_BUNDLE_DIR ${WOLFSSL_ROOT}/wolfcrypt/src/port/Espressif/esp_crt_bundle)
+    message(STATUS "WOLFSSL_ESP_CRT_BUNDLE_DIR=${WOLFSSL_ESP_CRT_BUNDLE_DIR}")
+    if(EXISTS "${WOLFSSL_ESP_CRT_BUNDLE_DIR}")
+        set(bundle_name "x509_crt_bundle_wolfssl")
+
+        # For now the certs are in the same directory
+        set(DEFAULT_CRT_DIR "${WOLFSSL_ESP_CRT_BUNDLE_DIR}")
+
+        # Generate custom certificate bundle using the generate_cert_bundle utility
+        set(GENERATE_CERT_BUNDLEPY ${python} ${WOLFSSL_ESP_CRT_BUNDLE_DIR}/gen_crt_bundle.py)
+
+        if(CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_FULL)
+            list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem ${DEFAULT_CRT_DIR}/cacrt_local.pem)
+        elseif(CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_CMN)
+            list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_all.pem ${DEFAULT_CRT_DIR}/cacrt_local.pem)
+            list(APPEND args --filter ${DEFAULT_CRT_DIR}/cmn_crt_authorities.csv)
+        endif()
+
+        # Add deprecated root certs if enabled. This config is not visible if the default cert
+        # bundle is not selected
+        if(CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEPRECATED_LIST)
+            list(APPEND crt_paths ${DEFAULT_CRT_DIR}/cacrt_deprecated.pem)
+        endif()
+
+        if(CONFIG_WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE)
+            get_filename_component(custom_bundle_path
+              ${CONFIG_WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH} ABSOLUTE BASE_DIR "${project_dir}")
+            list(APPEND crt_paths ${custom_bundle_path})
+            message(STATUS "Using a custom wolfSSL bundle path: ${custom_bundle_path}")
+        else()
+            message(STATUS "Not using a custom wolfSSL bundle path.")
+        endif()
+        list(APPEND args --input ${crt_paths} -q)
+
+        message(STATUS "CMAKE_CURRENT_BINARY_DIR: ${CMAKE_CURRENT_BINARY_DIR}")
+        get_filename_component(crt_bundle
+            ${bundle_name}
+            ABSOLUTE BASE_DIR "${CMAKE_CURRENT_BINARY_DIR}")
+
+        message(STATUS "Setting up bundle generate: ${GENERATE_CERT_BUNDLEPY} ${args}")
+        message(STATUS "Depends on custom bundle path: ${custom_bundle_path}")
+        message(STATUS "crt_bundle ${crt_bundle}")
+        message(STATUS "COMPONENT_LIB ${COMPONENT_LIB}")
+        message(STATUS "GENERATE_CERT_BUNDLEPY ${GENERATE_CERT_BUNDLEPY}")
+        message(STATUS "args ${args}")
+        message(STATUS "cert_bundle ${cert_bundle}")
+
+        # Generate bundle according to config
+        # File is generated at build time, not cmake load
+        add_custom_command(OUTPUT ${crt_bundle}
+            COMMAND ${GENERATE_CERT_BUNDLEPY} ARGS ${args}
+            DEPENDS ${custom_bundle_path}
+            VERBATIM)
+
+        if(EXISTS "${crt_bundle}")
+            message(STATUS "Bundle file exists from prior build: ${crt_bundle}")
+        else()
+            message(STATUS "Bundle file expected during next build: ${crt_bundle}")
+        endif()
+
+        # Reminder the file is generated at build time, not cmake load time.
+        message(STATUS "wolfSSL Cert Bundle File to be created at build time in: ${crt_bundle}")
+
+        add_custom_target(custom_wolfssl_bundle DEPENDS ${cert_bundle})
+
+        # the wolfSSL crtificate bundle is baked into wolfSSL
+        add_dependencies(${COMPONENT_LIB} custom_wolfssl_bundle)
+
+        # COMPONENT_LIB may vary: __idf_wolfssl, __idf_esp_wolfssl, etc
+        # target_add_binary_data(__idf_wolfssl ${crt_bundle} BINARY)
+        target_add_binary_data(${COMPONENT_LIB} ${crt_bundle} BINARY)
+        set_property(DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+                     APPEND PROPERTY ADDITIONAL_CLEAN_FILES
+                     "${crt_bundle}")
+    else()
+        message(STATUS "WARNING: CONFIG_WOLFSSL_CERTIFICATE_BUNDLE enabled but directory not found: ${WOLFSSL_ESP_CRT_BUNDLE_DIR}")
+    endif()
+endif()
+
+# endfunction() # WOLFSSL_INIT_CERT_BUNDLE
+
+    # Some optional diagnostics. Verbose ones are truncated.
+    if (VERBOSE_COMPONENT_MESSAGES)
         get_cmake_property(_variableNames VARIABLES)
         list (SORT _variableNames)
         message(STATUS "")
         message(STATUS "ALL VARIABLES BEGIN")
         message(STATUS "")
         foreach (_variableName ${_variableNames})
-            message(STATUS "${_variableName}=${${_variableName}}")
+            if (      ("${_variableName}" STREQUAL "bootloader_binary_files")
+                    OR ("${_variableName}" STREQUAL "Component paths")
+                    OR ("${_variableName}" STREQUAL "component_targets")
+                    OR ("${_variableName}" STREQUAL "__COMPONENT_TARGETS")
+                    OR ("${_variableName}" STREQUAL "CONFIGS_LIST")
+                    OR ("${_variableName}" STREQUAL "__CONFIG_VARIABLES")
+                    OR ("${_variableName}" STREQUAL "val")
+                    OR ("${_variableName}" MATCHES "^__idf_")
+               )
+                # Truncate the displayed value:
+                string(SUBSTRING "${${_variableName}}" 0 70 truncatedValue)
+                message(STATUS "${_variableName} = ${truncatedValue} ... (truncated)")
+            else()
+                message(STATUS "${_variableName}=${${_variableName}}")
+            endif()
         endforeach()
         message(STATUS "")
         message(STATUS "ALL VARIABLES END")
@@ -441,6 +900,12 @@ else()
     endif()
 
     # target_sources(wolfssl PRIVATE  "\"${WOLFSSL_ROOT}/wolfssl/\""  "\"${WOLFSSL_ROOT}/wolfssl/wolfcrypt\"")
+    message(STATUS "DETECTED_PROJECT_NAME=${CMAKE_PROJECT_NAME}")
+    message(STATUS "COMPONENT_TARGET=${COMPONENT_TARGET}")
+    target_compile_definitions(${COMPONENT_TARGET} PRIVATE DETECTED_PROJECT_NAME="${CMAKE_PROJECT_NAME}")
+    if( "${CMAKE_PROJECT_NAME}" STREQUAL "esp_http_client_example" )
+        target_compile_definitions(${COMPONENT_TARGET} PRIVATE APP_ESP_HTTP_CLIENT_EXAMPLE="y")
+    endif()
 
 endif() # CMAKE_BUILD_EARLY_EXPANSION
 
@@ -496,31 +961,80 @@ endfunction() # LIBWOLFSSL_SAVE_INFO
 
 # create some programmatic #define values that will be used by ShowExtendedSystemInfo().
 # see wolfcrypt\src\port\Espressif\esp32_utl.c
-if(NOT CMAKE_BUILD_EARLY_EXPANSION)
+if(NOT CMAKE_BUILD_EARLY_EXPANSION AND WOLFSSL_ROOT)
     set (git_cmd "git")
     message(STATUS "Adding macro definitions:")
 
     # LIBWOLFSSL_VERSION_GIT_ORIGIN: git config --get remote.origin.url
-    execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "config" "--get" "remote.origin.url" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET  )
+    execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "config" "--get" "remote.origin.url"
+                    OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET  )
     LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_ORIGIN "${TMP_OUT}" "${TMP_RES}")
 
     # LIBWOLFSSL_VERSION_GIT_BRANCH: git rev-parse --abbrev-ref HEAD
-    execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--abbrev-ref" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET  )
+    execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--abbrev-ref" "HEAD"
+                    OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET  )
     LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_BRANCH "${TMP_OUT}" "${TMP_RES}")
 
     # LIBWOLFSSL_VERSION_GIT_HASH: git rev-parse HEAD
-    execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET  )
+    execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "HEAD"
+                    OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET  )
     LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH "${TMP_OUT}" "${TMP_RES}")
 
     # LIBWOLFSSL_VERSION_GIT_SHORT_HASH: git rev-parse --short HEAD
-    execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--short" "HEAD" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET )
+    execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "rev-parse" "--short" "HEAD"
+                    OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES ERROR_QUIET )
     LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_SHORT_HASH "${TMP_OUT}" "${TMP_RES}")
 
     # LIBWOLFSSL_VERSION_GIT_HASH_DATE git show --no-patch --no-notes --pretty=\'\%cd\'
-    execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd} "show" "--no-patch" "--no-notes" "--pretty=\'\%cd\'" OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES  )
+    execute_process(WORKING_DIRECTORY ${WOLFSSL_ROOT} COMMAND ${git_cmd}
+                    "show" "--no-patch" "--no-notes" "--pretty=\'\%cd\'"
+                    OUTPUT_VARIABLE TMP_OUT RESULT_VARIABLE TMP_RES  )
     LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_GIT_HASH_DATE "${TMP_OUT}" "${TMP_RES}")
 
-    message(STATUS "************************************************************************************************")
-    message(STATUS "wolfssl component config complete!")
-    message(STATUS "************************************************************************************************")
+    LIBWOLFSSL_SAVE_INFO(LIBWOLFSSL_VERSION_WOLFSSL_ROOT "${WOLFSSL_ROOT}" "${TMP_RES}")
+
 endif()
+
+# Ensure flag "-DWOLFSSL_ESPIDF" is already in CMAKE_C_FLAGS if not yet found from project
+string(FIND "${CMAKE_C_FLAGS}" "-DWOLFSSL_ESPIDF" FLAG_ALRREADY_FOUND_WOLFSSL_ESPIDF)
+
+if(FLAG_ALRREADY_FOUND_WOLFSSL_ESPIDF EQUAL -1)
+    # Flag not found, append it
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_ESPIDF")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
+endif()
+
+if(WOLFSSL_ROOT)
+    message(STATUS "Using wolfSSL in ${WOLFSSL_ROOT}")
+
+    # PlatformIO does not process script from from the Espressif cmake process.
+    # We need to know where wolfSSL source code was found, so save it in the
+    # PIO_WOLFSSL_ROOT environment variable to later be read by extra_script.py
+
+    set(ENV{PIO_WOLFSSL_ROOT} "${WOLFSSL_ROOT}")
+    message(STATUS "PIO_WOLFSSL_ROOT =  $ENV{PIO_WOLFSSL_ROOT}")
+    message(STATUS "PLATFORMIO_BUILD_DIR = $ENV{PLATFORMIO_BUILD_DIR}")
+    # See esp-tls Kconfig; menu "ESP-TLS", ESP_TLS_LIBRARY_CHOOSE
+    if(CONFIG_ESP_TLS_USING_WOLFSSL)
+        if ( ("${CONFIG_TARGET_PLATFORM}" STREQUAL "esp8266") OR ("${IDF_TARGET}" STREQUAL "esp8266") )
+            message(STATUS "This version of wolfSSL is not supported on the ESP8266 esp-tls at this time. Check ESP-TLS config")
+        else()
+            message(STATUS "wolfSSL will be used for ESP-TLS")
+        endif()
+    else()
+        message(STATUS "WARNING: wolfSSL NOT selected for ESP-TLS. Features and performance will be limited.")
+    endif()
+else()
+    message(STATUS "")
+    message(STATUS "Consider setting WOLFSSL_ROOT environment variable, use Kconfig setting, or set manually in this cmake file, above.")
+    message(STATUS "")
+    message(STATUS "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
+    message(STATUS "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
+    message(STATUS "ERROR: Could not find wolfSSL Source Code")
+    message(STATUS "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
+    message(STATUS "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!")
+endif()
+
+message(STATUS "************************************************************************************************")
+message(STATUS "wolfSSL component config complete!")
+message(STATUS "************************************************************************************************")

IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig

@@ -0,0 +1,523 @@
+# Kconfig template
+#
+# Copyright (C) 2006-2024 wolfSSL Inc.  All rights reserved.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+#
+
+# Kconfig File Version 5.7.2.001 for esp-idf integration
+
+# Kconfig Format Rules
+#
+# See:
+#  https://docs.espressif.com/projects/esp-idf/en/stable/esp32/api-reference/kconfig.html
+#
+# Format rules for Kconfig files are as follows:
+#
+# Option names in any menus should have consistent prefixes. The prefix
+# currently should have at least 3 characters.
+#
+# The unit of indentation should be 4 spaces. All sub-items belonging to a
+# parent item are indented by one level deeper. For example, menu is indented
+# by 0 spaces, config menu by 4 spaces, help in config by 8 spaces, and the
+# text under help by 12 spaces.
+#
+# No trailing spaces are allowed at the end of the lines.
+#
+# The maximum length of options is NOT 50 characters as documented.
+#   kconfcheck will complain that options should be 40 at most.
+#
+# Fix option lengths first. Superfluous errors on other lines may occur.
+#
+# The maximum length of lines is 120 characters.
+#
+# python -m kconfcheck <path_to_kconfig_file>
+#
+# ---------------------------------------------------------------------------------------------------------------------
+# Begin main wolfSSL configuration menu
+# ---------------------------------------------------------------------------------------------------------------------
+#   See ESP-IDF esp-tls component for config TLS_STACK_WOLFSSL
+
+menu "wolfSSL"
+
+    menu "Hardening"
+        config ESP_WOLFSSL_WC_NO_HARDEN
+            bool "Disable wolfSSL hardening"
+            default n
+            help
+                Sets WC_NO_HARDEN
+
+        config ESP_WOLFSSL_TFM_TIMING_RESISTANT
+            bool "Enable TFM Timing Resistant Code"
+            default n
+            help
+                Sets TFM_TIMING_RESISTANT.
+
+    endmenu # Hardening
+
+    config ESP_WOLFSSL_ENABLE_BENCHMARK
+        bool "Enable wolfSSL Benchmark Library"
+        default n
+        help
+            Enables wolfcrypt/benchmark/benchmark.c code for benchmark metrics. Disables NO_CRYPT_BENCHMARK.
+
+
+    menu "Benchmark Debug"
+        config ESP_DEBUG_WOLFSSL_BENCHMARK_TIMING
+            bool "Enable benchmark timing debug"
+            depends on ESP_WOLFSSL_ENABLE_BENCHMARK
+            default n
+            help
+                Enable wolfssl debug for benchmark metric timing (CPU Cycles, RTOS ticks, etc).
+
+        config ESP_WOLFSSL_BENCHMARK_TIMER_DEBUG
+            bool "Enable benchmark timer debug"
+            depends on ESP_WOLFSSL_ENABLE_BENCHMARK
+            default n
+            help
+                Turn on timer debugging (used when CPU cycles not available)
+
+    endmenu # Benchmark Debug
+
+    # -----------------------------------------------------------------------------------------------------------------
+    # wolfCrypt Test
+    # -----------------------------------------------------------------------------------------------------------------
+    config ESP_WOLFSSL_ENABLE_TEST
+        bool "Enable wolfCrypt Test Library"
+        default n
+        help
+            Enables wolfcrypt/test/test.c code for testing. Disables NO_CRYPT_TEST.
+
+    menu "wolfCrypt tests"
+        config WOLFSSL_HAVE_WOLFCRYPT_TEST_OPTIONS
+            bool "Enable wolfCrypt Test Options"
+            depends on ESP_WOLFSSL_ENABLE_TEST
+            default n
+            help
+                Enables HAVE_WOLFCRYPT_TEST_OPTIONS
+
+        config TEST_ESPIDF_ALL_WOLFSSL
+            bool "Enable all features to use in tests"
+            depends on ESP_WOLFSSL_ENABLE_TEST
+            default n
+            help
+                Enables TEST_ESPIDF_ALL_WOLFSSL
+
+    endmenu # wolfCrypt tests
+
+    # -----------------------------------------------------------------------------------------------------------------
+    # Apple HomeKit Options
+    # -----------------------------------------------------------------------------------------------------------------
+    menu "Apple HomeKit"
+        config WOLFSSL_APPLE_HOMEKIT
+            bool "Enable Apple HomeKit options"
+            default n
+            help
+                Enables FP_MAX_BITS (8192 * 2), SRP, ChaCha, Poly1305, Base64 encoding needed for Apple HomeKit.
+    endmenu # Apple HomeKit
+    # -----------------------------------------------------------------------------------------------------------------
+
+    config ESP_WOLFSSL_DISABLE_MY_ECC
+        bool "Disable ECC in my project"
+        default "n"
+        help
+            ECC is enabled by default. Select this option to disable.
+
+    config ESP_WOLFSSL_ENABLE_MY_USE_RSA
+        bool "Enable RSA in my project"
+        default "n"
+        help
+            RSA is disabled by default. Select this option to enable.
+
+    config ESP_WOLFSSL_BENCHMARK
+        bool "Enable wolfSSL Benchmark"
+        default n
+        help
+            Enables user settings relevant to benchmark code
+
+    config ESP_TLS_USING_WOLFSSL_SPECIFIED
+        bool "Use the specified wolfssl for ESP-TLS"
+        default Y
+        help
+            Includes wolfSSL from specified directory (not using esp-wolfssl).
+
+    config ESP_WOLFSSL_NO_USE_FAST_MATH
+        bool "Disable FAST_MATH library and all ESP32 Hardware Acceleration"
+        select ESP_WOLFSSL_NO_HW
+        select ESP_WOLFSSL_NO_HW_AES
+        select ESP_WOLFSSL_NO_HW_HASH
+        select ESP_WOLFSSL_NO_HW_RSA_PRI
+        select ESP_WOLFSSL_NO_HW_RSA_PRI_MP_MUL
+        select ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD
+        select ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD
+        default n
+        help
+            When disabling all hardware acceleration for smaller memory footprint,
+            disabling TFM fast math provides faster wolfSSL software algorithms in an
+            even smaller flash memory footprint.
+
+    menu "Protocol Config"
+        config WOLFSSL_HAVE_ALPN
+            bool "Enable ALPN (Application Layer Protocol Negotiation) in wolfSSL"
+            default y
+
+        config WOLFSSL_ALLOW_TLS13
+            bool "Allow TLS 1.3"
+            default y
+            help
+                Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2.
+                When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted.
+
+        config WOLFSSL_ALLOW_TLS12
+            bool "Allow TLS 1.2"
+            default n
+            help
+                Allow TLS to fallback to TLS1.2. Memory footprint will likely be larger for TLS1.2.
+                When disabled HTTPS and MQTT over TLS connections will fail if TLS1.3 not accepted.
+
+        config WOLFSSL_HAVE_TLS_EXTENSIONS
+            bool "Enable TLS Extensions"
+            default y
+            help
+                Sets HAVE_TLS_EXTENSIONS which is needed for TLS 1.3, SNI, ALPN, and more.
+
+        config WOLFSSL_ALT_CERT_CHAINS
+            bool "Enable Alternate Certificate Chains"
+            default n
+            help
+                The option relaxes the default strict wolfSSL certificate chain processing. This
+                will typically need to be enabled when loading only a CA file. Typically solves
+                the -188 ASN_NO_SIGNER_E error. Use with caution.
+
+        config WOLFSSL_HAVE_OCSP
+            bool "Enable OCSP (Online Certificate Status Protocol) in wolfSSL"
+            default n
+            help
+                Sets HAVE_OCSP
+
+    endmenu # Protocol Config
+    # -----------------------------------------------------------------------------------------------------------------
+
+    # -----------------------------------------------------------------------------------------------------------------
+    config TLS_STACK_WOLFSSL
+        # Invisible option that locks TLS_STACK_WOLFSSL to ESP_TLS_USING_WOLFSSL
+        bool
+        default n
+        select FREERTOS_ENABLE_BACKWARD_COMPATIBILITY
+        help
+            Includes wolfSSL in ESP-TLS so that it can be compiled with wolfSSL as its SSL/TLS library.
+            Enabled when wolfSSL is selected in ESP_TLS_LIBRARY_CHOOSE.
+
+    menu "wolfSSL ESP-TLS"
+        depends on ESP_TLS_USING_WOLFSSL
+
+        menu "Certificate Bundle"
+            depends on ESP_TLS_USING_WOLFSSL
+
+            config WOLFSSL_CERTIFICATE_BUNDLE
+                bool "Enable trusted root certificate bundle"
+                default y if ESP_TLS_USING_WOLFSSL
+                default n
+                depends on ESP_TLS_USING_WOLFSSL
+                help
+                    Enable support for large number of default root certificates
+
+                    When enabled this option allows user to store default as well
+                    as customer specific root certificates in compressed format rather
+                    than storing full certificate. For the root certificates the public key and the subject name
+                    will be stored.
+
+            config WOLFSSL_NO_ASN_STRICT
+                bool "Relax Certificate ASN Strict Checks"
+                default n
+                depends on ESP_TLS_USING_WOLFSSL
+                help
+                    Allows sub-optimal certificate ASN checks. Unless using a bundle with known issues,
+                    it is recommended to NOT enable this.
+
+            config WOLFSSL_ASN_ALLOW_0_SERIAL
+                bool "Allow cert missing an ASN Serial Number"
+                default y
+                depends on ESP_TLS_USING_WOLFSSL
+                help
+                    Although not recommended, there may be certificates in the bundle that are missing
+                    a serial number. This option allows the missing value without having to fully
+                    disable strict ASN checking with WOLFSSL_NO_ASN_STRICT.
+
+            choice WOLFSSL_DEFAULT_CERTIFICATE_BUNDLE
+                bool "Default certificate bundle options"
+                depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL
+                default WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_FULL
+
+                config WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_FULL
+                    bool "Use the full default certificate bundle"
+                config WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_CMN
+                    bool "Use only the most common certificates from the default bundles"
+                    help
+                        Use only the most common certificates from the default bundles, reducing the size with 50%,
+                        while still having around 99% coverage.
+                config WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE
+                    bool "Do not use the default certificate bundle"
+            endchoice
+
+            config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE
+                depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL
+                default n
+                bool "Add custom certificates to the default bundle"
+            config WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE_PATH
+                depends on WOLFSSL_CUSTOM_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL
+                string "Custom certificate bundle path"
+                help
+                    Name of the custom certificate directory or file. This path is evaluated
+                    relative to the project root directory.
+
+            config WOLFSSL_CERTIFICATE_BUNDLE_DEPRECATED_LIST
+                bool "Add deprecated root certificates"
+                depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL && !WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE
+                help
+                    Include the deprecated list of root certificates in the bundle.
+                    This list gets updated when a certificate is removed from the Mozilla's
+                    NSS root certificate store. This config can be enabled if you would like
+                    to ensure that none of the certificates that were deployed in the product
+                    are affected because of the update to bundle. In turn, enabling this
+                    config keeps expired, retracted certificates in the bundle and it may
+                    pose a security risk.
+
+                    - Deprecated cert list may grow based based on sync with upstream bundle
+                    - Deprecated certs would be be removed in ESP-IDF (next) major release
+
+            config WOLFSSL_CERTIFICATE_BUNDLE_MAX_CERTS
+                int "Maximum no of certificates allowed in certificate bundle"
+                default 200
+                depends on WOLFSSL_CERTIFICATE_BUNDLE && ESP_TLS_USING_WOLFSSL
+
+        endmenu
+    endmenu # wolfSSL ESP-TLS
+    # -----------------------------------------------------------------------------------------------------------------
+
+    # -----------------------------------------------------------------------------------------------------------------
+    config ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
+        bool "Modify default hardware acceleration settings"
+        default n
+        help
+            When disabling all hardware acceleration for smaller memory footprint,
+            disabling TFM fast math provides faster wolfSSL software algorithms in an
+            even smaller flash memory footprint.
+            Typically used for debugging, analysis, or optimizations. The default
+            hardware acceleration features can be each manually adjusted.
+
+    menu "wolfSSL Hardware Acceleration"
+
+        config ESP_WOLFSSL_NO_ESP32_CRYPT
+            bool "Disable all ESP32 Hardware Acceleration"
+            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
+            default n
+            select ESP_WOLFSSL_NO_HW_AES
+            select ESP_WOLFSSL_NO_HW_HASH
+            select ESP_WOLFSSL_NO_HW_RSA_PRI
+            select ESP_WOLFSSL_NO_HW_RSA_PRI_MP_MUL
+            select ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD
+            select ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD
+            help
+                Hardware acceleration enabled by default. When selected defines: NO_ESP32_CRYPT.
+                Consider disabling FASTMATH (other libraries are faster in software and smaller)
+
+        config ESP_WOLFSSL_NO_HW_AES
+            bool "Disable all ESP32 AES Hardware Acceleration"
+            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
+            default n
+            help
+                Hardware acceleration enabled by default.When selected defines: NO_HW_AES
+
+        config ESP_WOLFSSL_NO_HW_HASH
+            bool "Disable all ESP32 SHA Hash Hardware Acceleration"
+            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
+            default n
+            help
+                Hardware acceleration enabled by default. When selected defines: NO_HW_HASH
+
+        config ESP_WOLFSSL_NO_HW_RSA_PRI
+            bool "Disable all ESP32 RSA Hardware Acceleration"
+            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
+            default n
+            select ESP_WOLFSSL_NO_HW_PRI_MP_MUL
+            select ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD
+            select ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD
+            help
+                Hardware acceleration enabled by default. When selected defines: NO_HW_RSA_PRI
+
+        config ESP_WOLFSSL_NO_HW_RSA_PRI_MP_MUL
+            bool "Disable all ESP32 Multiplication Hardware Acceleration"
+            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
+            default n
+            help
+                Hardware acceleration enabled by default. When selected defines: NO_HW_RSA_PRI_MP_MUL
+
+        config ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD
+            bool "Disable all ESP32 Modular Multiplication Hardware Acceleration"
+            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
+            default n
+            help
+                Hardware acceleration enabled by default. When selected defines: NO_HW_RSA_PRI_MULMOD
+
+        config ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD
+            bool "Disable all ESP32 RSA Exponential Math Hardware Acceleration"
+            depends on ESP_WOLFSSL_ALT_HARDWARE_ACCELERATION
+            default n
+            help
+                Hardware acceleration enabled by default.
+                Select this option to force disable: NO_HW_RSA_PRI_EXPTMOD
+
+        config ESP_WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
+            bool "Enable debugging of RSA Multiplication operand length"
+            default n
+            help
+                Prints an esp log warning to the default console UART when one of the
+                multiplication operands exceeds the maximum size supported by hardware,
+                requiring fallback to software. This can be helpful to pick key sizes
+                when performance is critical. See also metrics for counting instances.
+
+        config ESP_WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
+            bool "Enable debugging of RSA Modular operand length"
+            default n
+            help
+                Prints an esp log warning to the default console UART when one of the
+                modular math operands exceeds the maximum size supported by hardware,
+                requiring fallback to software. This can be helpful to pick key sizes
+                when performance is critical. See also metrics for counting instances.
+
+    endmenu # wolfSSL Hardware Acceleration
+    # -----------------------------------------------------------------------------------------------------------------
+
+    # -----------------------------------------------------------------------------------------------------------------
+    menu "wolfSSL Experimental Options"
+
+        config ESP_WOLFSSL_EXPERIMENTAL_SETTINGS
+            bool "Enable wolfSSL Experimental Settings"
+            default n
+            help
+                Enables experimental settings for wolfSSL. See documentation.
+
+        config ESP_WOLFSSL_ENABLE_KYBER
+            bool "Enable wolfSSL Kyber"
+            default n
+            help
+                Enable debugging messages for wolfSSL. See user_settings.h for additional debug options.
+
+    endmenu # wolfSSL Experimental Options
+    # -----------------------------------------------------------------------------------------------------------------
+
+    # -----------------------------------------------------------------------------------------------------------------
+    menu "wolfSSL Debug Options"
+        config ESP_WOLFSSL_DEBUG_WOLFSSL
+            bool "Enable wolfSSL Debugging"
+            default n
+            help
+                Enable debugging messages for wolfSSL. See user_settings.h for additional debug options.
+
+        config ESP_WOLFSSL_TEST_LOOP
+            bool "Run test apps in a loop until failure"
+            default y
+            help
+                Enable a loop wrapper for benchmark, http_client, and wolfssl test apps.
+
+    endmenu # wolfSSL Debug Options
+    # -----------------------------------------------------------------------------------------------------------------
+
+    # -----------------------------------------------------------------------------------------------------------------
+    menu "wolfSSL Customization"
+        config CUSTOM_SETTING_WOLFSSL_ROOT
+            string "Enter a path for wolfSSL source code"
+            default "~/workspace/wolfssl"
+            help
+                This option lets you specify a directory for the wolfSSL source code (typically a git clone).
+                Enter the path using forward slashes (e.g., C:/myfolder/mysubfolder) or double backslashes
+                (e.g., C:\\myfolder\\mysubfolder).
+
+    endmenu # wolfSSL Customization
+    # -----------------------------------------------------------------------------------------------------------------
+
+    # -----------------------------------------------------------------------------------------------------------------
+    menu "Component Config"
+        config IGNORE_ESP_IDF_WOLFSSL_COMPONENT
+            bool "Ignore the ESP-IDF component of wolfSSL (if present)"
+            default n
+            help
+                Ignores wolfSSL present in the esp-idf/components directory. Requires wolfssl as a local component.
+
+        config IGNORE_LOCAL_WOLFSSL_COMPONENT
+            bool "Ignore the local component of wolfSSL (if present)"
+            default n
+            help
+                Ignores wolfSSL present in the local project components directory.
+                Requires wolfssl as a ESP-IDF component.
+
+    endmenu # Component Config
+    # -----------------------------------------------------------------------------------------------------------------
+
+    # -----------------------------------------------------------------------------------------------------------------
+    menu "Utility Config"
+        config USE_WOLFSSL_ESP_SDK_TIME
+            bool "Enable wolfSSL time helper functions"
+            default n
+            help
+                Enables use of various time and date setting functions found in the esp-sdk-lib.h file.
+
+        config USE_WOLFSSL_ESP_SDK_WIFI
+            bool "Enable wolfSSL WiFi helper functions"
+            default n
+            help
+                Enables use of various time and date setting functions found in the esp-sdk-lib.h file.
+
+    endmenu # Utility Config
+endmenu # wolfSSL
+# ---------------------------------------------------------------------------------------------------------------------
+
+
+# ---------------------------------------------------------------------------------------------------------------------
+menu "wolfSSH"
+    config ESP_ENABLE_WOLFSSH
+        bool "Enable wolfSSH options"
+        default n
+        help
+            Enables WOLFSSH_TERM, WOLFSSL_KEY_GEN, WOLFSSL_PTHREADS, WOLFSSH_TEST_SERVER, WOLFSSH_TEST_THREADING
+
+    config ESP_WOLFSSL_DEBUG_WOLFSSH
+        bool "Enable wolfSSH debugging"
+        default n
+        help
+            Enable wolfSSH debugging macro. See user_settings.h
+
+endmenu # wolfSSH
+# ---------------------------------------------------------------------------------------------------------------------
+
+# ---------------------------------------------------------------------------------------------------------------------
+menu "wolfMQTT"
+    config ESP_ENABLE_WOLFMQTT
+        bool "Enable wolfMQTT options"
+        default n
+        help
+            Enables WOLFMQTT
+
+    config ESP_WOLFSSL_DEBUG_WOLFMQTT
+        bool "Enable wolfMQTT debugging"
+        default n
+        help
+            Enable wolfMQTT debugging macro. See user_settings.h
+
+endmenu # wolfMQTT
+# ---------------------------------------------------------------------------------------------------------------------

IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/README.md

@@ -0,0 +1,162 @@
+# wolfSSL Espressif Component
+
+This is the directory for wolfSSL as an Espressif ESP-IDF component.
+
+Other options are available, such as installing wolfSSL as a local _project_ component using the [Managed Component](https://www.wolfssl.com/wolfssl-now-available-in-espressif-component-registry/).
+
+Enabling this wolfSSL ESP-IDF component allows other ESP-IDF libraries such as those that depend on [ESP-TLS](https://github.com/espressif/esp-idf/tree/master/components/esp-tls)
+to also use the wolfSSL library. (See [github.com/wolfSSL/wolfssl](https://github.com/wolfSSL/wolfssl))
+
+The wolfSSL source code is not included here. Instead, the `idf.py menuconfig` option can be used to configure the
+`sdkconfig` file setting: `CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT` to point to the desired wolfSSL code.
+
+## Directory Contents
+
+This directory must contain, at a minimum:
+
+- `CMakeLists.txt`
+- `./include/user_settings.h`
+
+The directory should also contain:
+- `Kconfig`
+- `component.mk`
+
+The directory may contain wolfSSL source, for example with a [Managed Component](https://www.wolfssl.com/wolfssl-now-available-in-espressif-component-registry/),
+or if the `setup.sh` script was used from [wolfSSL/IDE/Espressif/ESP-IDF](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF).
+
+
+Under normal circumstances when the wolfSSL source is not included here, the `CMakeLists.txt` will search for it in this order:
+
+- A hard-coded `WOLFSSL_ROOT` cmake variable.
+- `WOLFSSL_ROOT` Environment Variable
+- The `CONFIG_CUSTOM_SETTING_WOLFSSL_ROOT` value in the `sdkconfig` file, from the `Kconfig` option.
+- Any parent directories, up to the root (if this directory is in the ESP-IDF components)
+- Any parent directories, up to the root (if this directory is a project component)
+
+While recursing up the directory tree, the following names of wolfSSL directories will be considered:
+
+- `wolfssl-[current user name]`
+- `wolfssl-master`
+- `wolfssl`
+
+## Getting Started
+
+See the `Espressif Getting Started Guide`.
+
+```
+# Set environment variable to ESP-IDF location
+# For example, VisualGDB in WSL
+WRK_IDF_PATH=/mnt/c/SysGCC/esp32/esp-idf/v5.2
+WRK_IDF_PATH=/mnt/c/SysGCC/esp32-master/esp-idf/v5.3-master
+
+# Or wherever the ESP-IDF is installed:
+WRK_IDF_PATH=~/esp/esp-idf
+
+echo "Run export.sh from ${WRK_IDF_PATH}"
+. ${WRK_IDF_PATH}/export.sh
+
+cd [your project]
+
+idf.py menuconfig
+```
+
+Enable wolfSSL to be used in the ESP-TLS:
+
+```
+Component config  --->
+    ESP-TLS  --->
+        Choose SSL/TLS library for ESP-TLS (See help for more Info)
+            (X) wolfSSL (License info in wolfSSL directory README)
+```
+
+Adjust wolfSSL settings, such as path to source code as needed:
+
+```
+Component config  --->
+    wolfSSL  --->
+        [*] Include wolfSSL in ESP-TLS
+        [*] Use the specified wolfssl for ESP-TLS
+        (~/workspace/wolfssl) Enter a path for wolfSSL source code
+```
+
+## Configuration
+
+All settings for wolfSSL are adjusted in the [include/user_settings.h](./include/user_settings.h) file.
+
+The `user_settings.h` file should not be included directly. Instead, `#include <wolfssl/wolfcrypt/settings.h>`
+before any other wolfSSL headers, like this:
+
+
+```c
+/* ESP-IDF */
+#include <esp_log.h>
+#include "sdkconfig.h"
+
+/* wolfSSL */
+/* Always include wolfcrypt/settings.h before any other wolfSSL file.    */
+/* Reminder: settings.h pulls in user_settings.h; don't include it here. */
+#if defined(WOLFSSL_USER_SETTINGS)
+    #include <wolfssl/wolfcrypt/settings.h>
+    #if defined(WOLFSSL_ESPIDF)
+        #include <wolfssl/version.h>
+        #include <wolfssl/wolfcrypt/types.h>
+        #include <wolfcrypt/test/test.h>
+        #include <wolfssl/wolfcrypt/port/Espressif/esp-sdk-lib.h>
+        #include <wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h>
+    #else
+        #error "Problem with wolfSSL user_settings. "           \
+               "Check components/wolfssl/include "              \
+               "and confirm WOLFSSL_USER_SETTINGS is defined, " \
+               "typically in the component CMakeLists.txt"
+    #endif
+#else
+    /* Define WOLFSSL_USER_SETTINGS project wide for settings.h to include   */
+    /* wolfSSL user settings in ./components/wolfssl/include/user_settings.h */
+    #error "Missing WOLFSSL_USER_SETTINGS in CMakeLists or Makefile:\
+    CFLAGS +=-DWOLFSSL_USER_SETTINGS"
+#endif
+```
+
+## Examples
+
+See the wolfSSL examples:
+
+- [wolfSSL Core Examples](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples)
+- [wolfSSL Additional Examples](https://github.com/wolfSSL/wolfssl-examples/tree/master/ESP32)
+- [wolfSSH Core Examples](https://github.com/wolfSSL/wolfssh/tree/master/ide/Espressif/ESP-IDF/examples)
+- [wolfSSH Additional Examples](https://github.com/wolfSSL/wolfssh-examples/tree/main/Espressif)
+- [wolfMQTT Examples](https://github.com/wolfSSL/wolfMQTT/tree/master/IDE/Espressif/ESP-IDF/examples)
+
+## Platforms
+
+The ESP-IDF wolfSSL is also available for PlatformIO:
+
+- [Release wolfSSL](https://registry.platformio.org/search?q=owner%3Awolfssl)
+- [Staging / Preview wolfSSL](https://registry.platformio.org/search?q=owner%3Awolfssl-staging)
+
+The wolfSSL library can also be used for Espressif with Arduino:
+
+- [arduino.cc/reference/en/libraries/wolfssl](https://www.arduino.cc/reference/en/libraries/wolfssl/)
+- [github.com/wolfSSL/Arduino-wolfSSL](https://github.com/wolfSSL/Arduino-wolfSSL)
+
+
+## Additional Information
+
+- [wolfSSL Documentation](https://www.wolfssl.com/documentation/manuals/wolfssl/index.html) and [docs/espressif](https://www.wolfssl.com/docs/espressif/)
+- [wolfSSL FAQ](https://www.wolfssl.com/docs/frequently-asked-questions-faq/)
+- [wolfSSL Products](https://www.wolfssl.com/products/)
+- [www.wolfssl.com/espressif](https://www.wolfssl.com/espressif/)
+- [More...](https://www.wolfssl.com/?s=espressif)
+
+## Contact
+
+Have a specific request or questions? We'd love to hear from you! Please contact us at support@wolfssl.com or open an issue on GitHub.
+
+## Licensing and Support
+
+wolfSSL (formerly known as CyaSSL) and wolfCrypt are either licensed for use under the GPLv2 (or at your option any later version) or a standard commercial license. For our users who cannot use wolfSSL under GPLv2 (or any later version), a commercial license to wolfSSL and wolfCrypt is available.
+
+See the LICENSE.txt, visit wolfssl.com/license, contact us at licensing@wolfssl.com or call +1 425 245 8247
+
+View Commercial Support Options: [wolfssl.com/products/support-and-maintenance](wolfssl.com/products/support-and-maintenance)
+

IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/component.mk

@@ -0,0 +1,296 @@
+#
+# Copyright (C) 2006-2024 wolfSSL Inc.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+#
+
+$(info ***********  wolfssl component ************)
+
+#
+# Component Makefile
+#
+#
+# The Espressif Managed Components are only for newer versions of the ESP-IDF
+# Typically only for ESP32[-x] targets and only for ESP-IDF v4.3 or later:
+# See https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/tools/idf-component-manager.html
+#     https://components.espressif.com/
+#
+# Usage:
+#
+#   make flash
+#
+#   make flash ESPPORT=/dev/ttyS55
+#
+#   make flash ESPBAUD=9600
+#
+#   make monitor ESPPORT=COM1
+#
+#   make monitor ESPPORT=/dev/ttyS55 MONITORBAUD=115200
+#
+#   export ESPPORT=/dev/ttyS55
+#
+# https://docs.espressif.com/projects/esp8266-rtos-sdk/en/latest/get-started/index.html
+#
+
+# Although the project should define WOLFSSL_USER_SETTINGS, we'll also
+# define it here:
+CFLAGS +=-DWOLFSSL_USER_SETTINGS
+
+# Note that 4 source files created by autogen are excluded here.
+#
+# See these files commented out, below. Adjust as needed for your application:
+#
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/async.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/selftest.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wolfcrypt_first.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wolfcrypt_last.o
+
+
+# NOTICE: the WOLFSSL_ROOT setting MUST be relative!
+# See https://docs.espressif.com/projects/esp8266-rtos-sdk/en/latest/api-guides/build-system.html?highlight=must+relative#optional-component-specific-variables
+# In the wolfSSL GitHub examples for Espressif:
+#   https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples
+# When this wolfssl component.mk makefile is in [project]/components/wolfssl
+# The root is 7 directories up from here (the location of of this component.mk):
+WOLFSSL_ROOT := ../../../../../../..
+
+# To set the location of a different location, it is best to use relative paths.
+#
+# Set WOLFSSL_ROOT to a relative path from the current component directory.
+# For example, if the wolfssl_client is copied from the examples to test:
+#
+# cp -r /IDE/Espressif/ESP-IDF/examples/wolfssl_client/* /mnt/c/test/demo
+#
+# we run make in   /mnt/c/test/demo
+# component is in  /mnt/c/test/demo/components/wolfssl
+# wolfssl is in    /mnt/c/workspace/wolfssl-master
+#
+# "/mnt/c" is 4 directories up:
+#             2 for `./test/demo` from where we run `make`, plus
+#             2 more from the location of `component.mk` located
+#               in `[current directory]/components/wolfssl`.
+#
+# Thus we need 4 parent reference to find the relative path to wolfSSL:
+# WOLFSSL_ROOT := ../../../../workspace/wolfssl-master
+
+# Optional CFLAGS (make works without these; for reference only)
+# CFLAGS += -I$(WOLFSSL_ROOT)/wolfssl
+# CFLAGS += -I$(WOLFSSL_ROOT)/wolfssl/wolfcrypt
+# CFLAGS += -I$(WOLFSSL_ROOT)/wolfssl/wolfcrypt/port/Espressif
+
+abs_WOLFSSL_ROOT := $(shell realpath $(WOLFSSL_ROOT))
+
+# print-wolfssl-path-value:
+#	@echo "WOLFSSL_ROOT defined: $(WOLFSSL_ROOT)"
+#	@echo "WOLFSSL_ROOT actual:  $(abs_WOLFSSL_ROOT)"
+
+$(info WOLFSSL_ROOT defined: $(WOLFSSL_ROOT))
+$(info WOLFSSL_ROOT actual:  $(abs_WOLFSSL_ROOT))
+
+# NOTE: The wolfSSL include directory (e.g. user_settings.h) is
+# located HERE in THIS project, and *not* in the wolfSSL root.
+COMPONENT_ADD_INCLUDEDIRS := .
+COMPONENT_ADD_INCLUDEDIRS += include
+COMPONENT_ADD_INCLUDEDIRS += $(WOLFSSL_ROOT)/.
+COMPONENT_ADD_INCLUDEDIRS += $(WOLFSSL_ROOT)/wolfssl
+COMPONENT_ADD_INCLUDEDIRS += $(WOLFSSL_ROOT)/wolfssl/wolfcrypt
+COMPONENT_ADD_INCLUDEDIRS += $(WOLFSSL_ROOT)/wolfssl/wolfcrypt/port/Espressif
+# COMPONENT_ADD_INCLUDEDIRS += $ENV(IDF_PATH)/components/freertos/include/freertos
+# COMPONENT_ADD_INCLUDEDIRS += "$ENV(IDF_PATH)/soc/esp32s3/include/soc"
+
+# wolfSSL
+COMPONENT_SRCDIRS := $(WOLFSSL_ROOT)/src
+
+# wolfcrypt
+COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/src
+
+# Espressif
+COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/Espressif
+COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/atmel
+
+COMPONENT_OBJEXCLUDE := $(WOLFSSL_ROOT)/wolfcrypt/src/aes_asm.o
+COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
+COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/wolfcrypt/src/misc.o
+COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/wolfcrypt/src/sha512_asm.o
+COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/wolfcrypt/src/fe_x25519_asm.o
+COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/wolfcrypt/src/aes_gcm_x86_asm.o
+COMPONENT_OBJEXCLUDE += $(WOLFSSL_ROOT)/src/bio.o
+
+
+##
+## wolfSSL
+##
+COMPONENT_OBJS := $(WOLFSSL_ROOT)/src/bio.o
+# COMPONENT_OBJS += src/conf.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/crl.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/dtls.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/dtls13.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/internal.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/keys.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/ocsp.o
+# COMPONENT_OBJS += src/pk.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/quic.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/sniffer.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/ssl.o
+# COMPONENT_OBJS += src/ssl_asn1.o
+# COMPONENT_OBJS += src/ssl_bn.o
+# COMPONENT_OBJS += src/ssl_certman.o
+# COMPONENT_OBJS += src/ssl_crypto.o
+# COMPONENT_OBJS += src/ssl_misc.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/tls.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/tls13.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/src/wolfio.o
+# COMPONENT_OBJS += src/x509.o
+# COMPONENT_OBJS += src/x509_str.o
+
+##
+## wolfcrypt
+##
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/aes.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/arc4.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asm.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/asn.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/async.o # autogen exclusion
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/blake2b.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/blake2s.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/camellia.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/chacha.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/chacha20_poly1305.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/cmac.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/coding.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/compress.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/cpuid.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/cryptocb.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/curve25519.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/curve448.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/des3.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/dh.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/dilithium.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/dsa.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ecc.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/eccsi.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ecc_fp.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/fe_448.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/fe_low_mem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/fe_operations.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/fips.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/fips_test.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ge_448.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ge_low_mem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ge_operations.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/hash.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/hmac.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/hpke.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/integer.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/kdf.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/logging.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/md2.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/md4.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/md5.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/memory.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/misc.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/pkcs12.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/pkcs7.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/poly1305.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/pwdbased.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/random.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/rc2.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ripemd.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/rsa.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sakke.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/selftest.o # autogen exclusion
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sha.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sha256.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sha3.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sha512.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/signature.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/siphash.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm2.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm3.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sm4.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sphincs.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm32.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_arm64.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_armthumb.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_c32.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_c64.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_cortexm.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_dsp32.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_int.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_sm2_arm32.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_sm2_arm64.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_sm2_armthumb.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_sm2_c32.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_sm2_c64.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_sm2_cortexm.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_sm2_x86_64.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/sp_x86_64.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_xmss.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wolfcrypt_first.o # autogen exclusion
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wolfcrypt_last.o  # autogen exclusion
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wolfevent.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wolfmath.o
+
+##
+## Espressif
+##
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/Espressif/esp32_aes.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/Espressif/esp32_mp.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/Espressif/esp32_sha.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/Espressif/esp32_util.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/Espressif/esp_sdk_mem_lib.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/Espressif/esp_sdk_time_lib.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/port/Espressif/esp_sdk_wifi_lib.o
+
+##
+## wolfcrypt benchmark  (optional)
+##
+## COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/benchmark/benchmark.o
+## COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/benchmark
+## COMPONENT_ADD_INCLUDEDIRS += $(WOLFSSL_ROOT)/wolfcrypt/benchmark
+
+
+##
+## wolfcrypt test (optional)
+##
+## COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/test/test.o
+## COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/test
+
+##
+## wolfcrypt
+##
+## COMPONENT_PRIV_INCLUDEDIRS += $(PROJECT_PATH)/components/wolfssl/include
+## COMPONENT_SRCDIRS += $(WOLFSSL_ROOT)/wolfcrypt/src
+
+$(info ********** end wolfssl component **********)