pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2026Q2] pkgsrc/security/wolfssl



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sun Jun 28 18:49:58 UTC 2026

Modified Files:
        pkgsrc/security/wolfssl [pkgsrc-2026Q2]: Makefile PLIST distinfo

Log Message:
Pullup ticket #7149 - requested by taca
security/wolfssl: security fix

Revisions pulled up:
- security/wolfssl/Makefile                                     1.32
- security/wolfssl/PLIST                                        1.19
- security/wolfssl/distinfo                                     1.33

---
   Module Name: pkgsrc
   Committed By:        fox
   Date:                Sat Jun 27 08:23:26 UTC 2026

   Modified Files:
        pkgsrc/security/wolfssl: Makefile PLIST distinfo

   Log Message:
   security/wolfssl: Update to 5.9.2

   Changes since 5.9.1:

   To download the release bundle of wolfSSL visit the download page at
   www.wolfssl.com/download/

   PR stands for Pull Request, and PR references a GitHub pull request
   number where the code change was added.

   NOTE: The pre-standardization Dilithium API has been renamed to its
   FIPS 204 ML-DSA name; the legacy dilithium.h header and
   wc_dilithium_* names remain available through a temporary
   compatibility shim.
   NOTE: The SLH-DSA Hash sign/verify APIs now require a caller-supplied
   pre-hashed digest rather than the raw message (see Enhancements
   below).
   NOTE: liboqs integrations for ML-KEM, ML-DSA, and SLH-DSA (SPHINCS+)
   have been removed in favor of the native implementations; the
   deprecated liblms and libxmss integrations have also been removed.
   NOTE (BREAKING RFC 6960 4.2.2.2): OCSP responder authorization is
   now strictly enforced. Removes the non-compliant
   CheckOcspResponderChain() fallback, which authorized any OCSP
   responder cert issued by an ancestor of the target's issuer; RFC 6960
   4.2.2.2 requires direct issuance by the CA identified in the request.
   Also removes the now-unused WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK macro
   and the vp parameter from CheckOcspResponder().

   Vulnerabilities

     * [High CVE-2026-11310] X.509 trust-chain bypass in the OpenSSL
       compatibility certificate verifier (wolfSSL_X509_verify_cert()).
       This affects only builds with --enable-opensslextra
       (OPENSSL_EXTRA) and whose application validates certificates by
       calling X509_verify_cert() (OpenSSL compatibility layer function)
       with caller-supplied untrusted intermediate certificates; for
       those users it is critical, otherwise the library is unaffected.
       In particular, native wolfSSL TLS/DTLS usage is not impacted.
       wolfSSL's X509_verify_cert() temporarily loads each
       caller-supplied untrusted intermediate into the certificate
       manager but failed to drop them before the trusted-store check,
       so an untrusted intermediate could anchor the path itself. An
       attacker can present a chain that never reaches a configured
       trust anchor and have it accepted, resulting in acceptance of an
       attacker-controlled certificate. This is certificate verification
       independent of TLS (e.g. S/MIME/CMS, code/firmware signing,
       JWT/JWS x5c), is not specific to any key type or algorithm, and
       a single untrusted intermediate suffices. The default wolfSSL TLS
       handshake (WOLFSSL_VERIFY_PEER) is not affected; only TLS
       applications doing manual or deferred peer verification through
       this API are, which also requires --enable-sessioncerts.
       Affected: v5.8.4, v5.9.0 and v5.9.1 (introduced by commit
       025dbc34); v5.8.2 and earlier are not. Thanks to Corban Villa,
       Sohee Kim and Austin Chu (UC Berkeley, Sky Lab). Fixed in
       PR 10674.
     * [High CVE-2026-11999] X.509 trust-chain bypass (path-depth
       exhaustion) in the OpenSSL compatibility certificate verifier
       (wolfSSL_X509_verify_cert()). This affects only builds with
       --enable-opensslextra whose application calls X509_verify_cert()
       with caller-supplied untrusted intermediates; for those users it
       is critical, otherwise the library is unaffected. Native wolfSSL
       TLS/DTLS usage is not impacted. X509_verify_cert() returned
       success based only on the last verified link rather than on
       reaching a trust anchor: when the supplied chain is deeper than
       the verifier's maximum path depth (default 100), path building
       runs out of depth while still walking untrusted intermediates and
       the chain is accepted even though it never reaches a configured
       trust anchor, allowing acceptance of an attacker-controlled
       certificate. The default TLS handshake (WOLFSSL_VERIFY_PEER) is
       not affected; only applications doing manual or deferred
       verification through this API are. Affected versions: v5.7.4
       through v5.9.1, introduced in commit 17c9e92b7 (first released in
       v5.7.4); v5.7.2 and earlier are not affected. Thanks to Corban
       Villa, Sohee Kim and Austin Chu (UC Berkeley, Sky Lab). Fixed in
       PR 10674.
     * [High CVE-2026-6679] A heap buffer overflow could occur in the
       DTLS 1.3 ACK serialization path before the connecting peer is
       authenticated. The buffer overflow was due to an integer
       truncation when computing the length of the ACK record-number
       list, causing an undersized buffer to be allocated and then
       overrun. This affects builds using DTLS 1.3 and wolfSSL version
       5.9.0 and earlier. A fix was added to the 5.9.1 release. Thanks
       to Nicholas Carlini from Anthropic for the report. Fixed in
       PR 10116.
     * [High CVE-2026-55958] Out-of-bounds write in the Renesas TSIP
       TLS 1.3 transcript buffer. In tsip_StoreMessage() the capacity
       check guarding the fixed message bag (MSGBAG_SIZE) sets an error
       code but fails to return, so execution falls through to an
       XMEMCPY that writes past the end of the buffer once the
       accumulated TLS 1.3 handshake transcript exceeds MSGBAG_SIZE
       (8 KB), corrupting adjacent heap state and potentially causing a
       remote denial of service crash. The bag is sized to hold a normal
       handshake, so this is reached only by an unusually large but
       valid certificate chain, or by a malicious or man-in-the-middle
       server sending an oversized handshake message to a client that
       does not strictly verify the chain. This only affects builds
       using the Renesas TSIP TLS port (WOLFSSL_RENESAS_TSIP_TLS) as a
       TLS 1.3 client on Renesas MCUs with TSIP hardware enabled, and
       is rated High within those builds. All other configurations are
       unaffected. Thanks to NVIDIA Project Vanessa for the report.
       Fixed in PR 10705.
     * [High CVE-2026-55960] Un-negotiated Raw Public Key (RFC 7250)
       accepted in place of an X.509 certificate, bypassing chain
       validation. A raw public key has no chain, so
       ParseCertRelative() accepts it without performing any trust
       verification; it must therefore only be accepted when RPK was
       actually negotiated for that peer. The check now defaults the
       expected type to X.509 (per RFC 7250/8446) when no type was
       negotiated, comparing against the received server certificate
       type on the client and the selected client certificate type on
       the server, and rejects any mismatch, including an un-negotiated
       raw public key, with UNSUPPORTED_CERTIFICATE. Only affects builds
       with Raw Public Key support (HAVE_RPK) enabled - disabled by
       default in a standalone build, but included in --enable-all.
       Thanks to NVIDIA Project Vanessa for the report. Fixed in
       PR 10702.
     * [High CVE-2026-55961] wolfSSL_PKCS7_verify() returning success
       for a degenerate (certs-only) PKCS#7 object that contains no
       signer. Such an object has empty signerInfos, so the underlying
       signed-data verification succeeds without authenticating any
       content. The compatibility-layer verify path now rejects the
       object when no signer signature has actually been verified, so a
       PKCS#7 carrying no valid signature is no longer reported as
       verified. This is enforced regardless of the PKCS7_NOVERIFY
       flag, which only suppresses signer certificate chain validation
       and was never intended to waive the requirement that a signature
       exist. Only affects OpenSSL compatibility builds that call the
       PKCS7_verify() compatibility API on potentially degenerate PKCS#7
       bundles. Thanks to NVIDIA Project Vanessa for the report. Fixed
       in PR 10702.
     * [Med CVE-2026-6731] X.509 name constraint bypass via the Subject
       Common Name when treated as a DNS-type name. A certificate whose
       Subject CN violates an issuing CA's DNS name constraints could be
       accepted. Thanks to d0sf3t (Aradex) for the report. Fixed in
       PR 10223.
     * [Med CVE-2026-6091] Partial-chain certificate verification may
       accept chains that terminate at a peer-supplied, untrusted
       intermediate certificate rather than a trusted anchor. An
       attacker could present a chain that ends at an intermediate they
       control and have it accepted as valid. Thanks to Dikai Zou for
       the report. Fixed in PR 10170.
     * [Med CVE-2026-6094] Heap buffer overread in
       wc_PKCS7_DecodeEnvelopedData when parsing crafted PKCS7
       EnvelopedData. This could theoretically be triggered by
       attacker-supplied data delivered via S/MIME or CMS. Thanks to
       Dikai Zou for the report. Fixed in PR 10128.
     * [Med CVE-2026-6329] PKCS#12 MAC verification uses an
       attacker-controlled comparison length, weakening the integrity
       check on the MAC and allowing a mismatched MAC to be accepted.
       Thanks to Nicholas Carlini from Anthropic for the report. Fixed
       in PR 10192.
     * [Med CVE-2026-6330] The ML-KEM ARM64 NEON ciphertext comparison
       only compares half of the input, breaking the Fujisaki-Okamoto
       transform's implicit rejection and weakening IND-CCA2 security
       on that code path. Thanks to Nicholas Carlini from Anthropic for
       the report. Fixed in PR 10192.
     * [Med CVE-2026-8720] wc_Blake2bHmacFinal and wc_Blake2sHmacFinal
       discard the message when the key length exceeds the block size,
       producing a MAC that is independent of the input. This bug is
       specific to the HMAC-BLAKE2 API's that were added in wolfSSL
       version 5.9.0. Fixed in PR 10447.
     * [Med CVE-2026-10097] ML-KEM-1024 x64 AVX2 implicit rejection
       failure in the Fujisaki-Okamoto transform breaks IND-CCA2
       security, allowing decapsulation to deviate from the
       implicit-rejection behavior required by the standard. Thanks to
       007bsd for the report. Fixed in PR 10430.
     * [Med CVE-2026-10098] OCSP CertID serial-number
       length-confusion in wolfSSL_OCSP_resp_find_status allows a
       same-issuer SingleResponse whose serial is a prefix of the
       target serial to be reported as the revocation status of a
       different certificate. Thanks to Kim Youngjoon (Team-Atlanta and
       Georgia Institute of Technology) for the report. Fixed in
       PR 10554.
     * [Med CVE-2026-10592] Certificates with wildcard DNS SANs
       (e.g. *.example.com) bypassed CA name-constraint checks. Thanks
       to tonghuaroot for the report. Fixed in PR 10549.
     * [Med CVE-2026-7532] iPAddress name constraints bypass when
       WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints
       are not enforced in that configuration, allowing a certificate to
       bypass an issuing CA's IP address constraints. Thanks to Ankur
       Tyagi of Cisco Talos (TALOS-2026-2409) for the report. Fixed in
       PR 10354.
     * [Med CVE-2026-6291] Bleichenbacher padding oracle in PKCS#7
       KTRI decryption. When decrypting PKCS#7 EnvelopedData using RSA
       PKCS#1 v1.5 key transport, wolfSSL returned distinguishable error
       codes depending on whether RSA padding validation failed versus
       whether the decrypted content was malformed. An attacker able to
       submit crafted EnvelopedData messages and observe error responses
       could use this as a padding oracle to incrementally recover the
       encrypted Content Encryption Key (CEK). The fix generates a
       deterministic pseudo-random fake CEK on padding failure (via
       HMAC-SHA256) and proceeds with decryption identically, using
       constant-time operations throughout, so that all failure paths
       produce the same error regardless of padding validity. Found with
       internal wolfSSL review. Fixed in PR 10203.
     * [Med CVE-2026-7511] PKCS7_verify signer confusion allows forged
       signatures, where the signer associated with a signature is not
       correctly bound, permitting a forged signature to be accepted.
       Thanks to Nicholas Carlini from Anthropic for the report. Fixed
       in PR 10203.
     * [Med CVE-2026-11703] Fixed missing SNI/ALPN binding on stateful
       (session-ID) resumption, which previously skipped the binding
       check performed for ticket-based resumption. A cached session
       could be resumed under a different SNI/ALPN than originally
       negotiated and, where client-authentication policy differs across
       virtual hosts, carry the cached peer-authentication state into a
       context it was not established for. Resumption now verifies the
       SNI/ALPN binding for all paths and declines (falling back to a
       full handshake) on mismatch. Thanks to Dikai Zou for the report.
       Fixed in PR 10489.
     * [Med CVE-2026-55962] TLS 1.3 post-handshake authentication
       (PHA) issue where a server could accept a client's Finished
       message without the client having sent a Certificate and
       CertificateVerify. The post-handshake-auth exemption that allows
       an empty/absent peer certificate was only intended for the
       initial handshake, but it was also being applied while a
       post-handshake CertificateRequest was still outstanding. The
       check is now scoped to the initial handshake only: on the server,
       once a post-handshake CertificateRequest has been sent
       (certReqCtx is set), a peer certificate and a valid
       CertificateVerify are required again before the Finished is
       accepted, with empty-certificate handling following the
       configured verify mode (FAIL_IF_NO_PEER_CERT) just as during
       first-handshake client authentication. Only affects TLS 1.3
       servers built with post-handshake authentication support
       (WOLFSSL_POST_HANDSHAKE_AUTH / --enable-postauth, included in
       --enable-all) that enable WOLFSSL_VERIFY_POST_HANDSHAKE and
       request a client certificate after the handshake via
       wolfSSL_request_certificate(). Clients, and servers that do not
       use post-handshake authentication, are unaffected. Thanks to
       NVIDIA Project Vanessa for the report. Fixed in PR 10702.
     * [Med CVE-2026-55964] Chain intermediate CA:TRUE without
       keyCertSign accepted as a signing CA. Intermediate CA
       certificates are required to have the keyCertSign key usage when
       a Key Usage extension is present, but chain-supplied temporary
       CAs (WOLFSSL_TEMP_CA) added while building a certificate path
       were previously exempted from this check, so an intermediate
       asserting CA:TRUE but lacking keyCertSign was accepted as a
       signing CA. The check now applies to chain-supplied temporary CAs
       as well; only operator-loaded root certificates (WOLFSSL_USER_CA)
       and self-signed roots remain exempt. Per RFC 5280 an absent Key
       Usage extension implies all usages, so the requirement is
       enforced only when the extension is actually present
       (extKeyUsageSet). Affects the OpenSSL-compatibility
       certificate-path-building path (X509_verify_cert / X509_STORE,
       OPENSSL_EXTRA/OPENSSL_ALL), where untrusted chain intermediates
       are added as temporary CAs; native (non-OpenSSL-compat)
       certificate verification does not create temporary CAs and is
       unaffected. Within those builds, the check applies unless
       ALLOW_INVALID_CERTSIGN is defined. Thanks to NVIDIA Project
       Vanessa for the report. Fixed in PR 10702.
     * [Low CVE-2026-6092] When HAVE_ENCRYPT_THEN_MAC is configured,
       the implementation could fall back to MAC-then-Encrypt rather
       than enforcing Encrypt-then-MAC. Thanks to Marcin Olejnik
       (Rockwell Automation) for the report. Fixed in PR 10167.
     * [Low CVE-2026-6331] HMAC zero-length tag forgery in
       EVP_DigestVerifyFinal, where a zero-length tag could be accepted
       as valid during HMAC verification. Thanks to Nicholas Carlini
       from Anthropic for the report. Fixed in PR 10192.
     * [Low CVE-2026-6681] The PKCS#7 decode path ignores the
       caller-supplied output buffer size (outputSz), allowing decoded
       content to be written past the bounds of the provided buffer.
       This affects wolfSSL 5.9.0 and earlier and was fixed in the
       5.9.1 release. Thanks to Nicholas Carlini from Anthropic for the
       report. Fixed in PR 10116.
     * [Low CVE-2026-10512] The X25519 x86_64 assembly implementation
       fails to clear the most significant bit during the final modular
       reduction, so the computed result may not be fully reduced modulo
       the field prime 2^255 - 19. This can leave the field element in
       a non-canonical form, producing an incorrect result from the
       scalar multiplication and potentially a wrong shared secret.
       Thanks to Haruki Oyama for the report. Fixed in PR 10536.
     * [Low CVE-2026-6678] Integer underflow in wc_PKCS7_DecryptOri
       when handling crafted Other Recipient Info, leading to incorrect
       length handling during decryption. Thanks to Dikai Zou for the
       report. Fixed in PR 10203.
     * [Low CVE-2026-7531] Use-after-free in PQC hybrid key-share
       handling. This is an incomplete-fix follow-up to CVE-2026-5460
       (released in 5.9.1): a malicious TLS 1.3 server sending a
       truncated PQC hybrid KeyShare can still trigger the error cleanup
       path to operate on freed memory. Thanks to Thai Duong
       (Calif.io / Anthropic) for the report. Fixed in PR 10327.
     * [Low CVE-2026-6325] Out-of-bounds write in
       SetSuitesHashSigAlgo when processing an oversized signature
       algorithms list, allowing a write past the bounds of the
       destination buffer. Thanks to Muhammad Arya Arjuna Habibullah
       (Pelioro) for the report. Fixed in PR 10204.
     * [Low CVE-2026-6412] Certificate policy and RFC 8446 compliance
       concerns regarding the continued acceptance of SHA-1/MD5 in
       certificate processing. Thanks to Xiangdong Li (Student, Beijing
       University of Posts and Telecommunications [BUPT]) for the
       report. Fixed in PR 10222.
     * [Low CVE-2026-6450] A CRL critical extension bypass exists in
       ParseCRL_Extensions where critical extensions are not properly
       enforced, allowing a crafted CRL with an unhandled critical
       extension to be accepted. This only affects builds with CRL
       support enabled and where a crafted CRL had a trusted signature
       when parsed. Thanks to Oleh Konko (@1seal) for the report.
       Fixed in PR 10239.
     * [Low CVE-2026-12340] Out-of-bounds heap read during SM2/SM3
       certificate signature verification. When parsing a certificate
       with an SM3wSM2 signature, the Subject Key Identifier computation
       reads the trailing 65 bytes of the public key without checking
       that the key is at least that long. A public key shorter than
       65 bytes results in an out-of-bounds heap read, leading to a
       potential crash (denial of service); there is no out-of-bounds
       write. Note this only affects builds with SM2 support
       (--enable-sm2 or --enable-all). Thanks to David Pokora, Trail of
       Bits (in collaboration with Anthropic). Fixed in PR 10641.
     * [Low CVE-2026-55967] AES-GCM encryption/decryption with
       extremely large cumulative single message sizes (>64 GiB) were
       not properly rejected by the streaming APIs, allowing counter
       wrap, keystream reuse, and consequent plaintext recovery. Thanks
       to NVIDIA Project Vanessa for the report. Fixed in PR 10709.

   Enhancements

     * BREAKING (FIPS 205 SLH-DSA): wc_SlhDsaKey_SignHash,
       wc_SlhDsaKey_SignHashDeterministic,
       wc_SlhDsaKey_SignHashWithRandom, and wc_SlhDsaKey_VerifyHash now
       take the caller-pre-hashed message digest via hash/hashSz
       parameters (renamed from msg/msgSz), aligned with ML-DSA's
       wc_dilithium_sign_ctx_hash / wc_dilithium_verify_ctx_hash
       semantics, and NIST ACVP signatureInterface=external /
       preHash=preHash test vectors. hashSz must equal
       wc_HashGetDigestSize(hashType) (32 bytes for SHAKE128, 64 bytes
       for SHAKE256 per FIPS 205 Section 10.2.2); otherwise
       BAD_LENGTH_E is returned. Migration: hash the message yourself
       before the call (callers using positional arguments are
       source-compatible; only the parameter names changed). Caveat:
       callers who today pass a raw message whose length happens to
       equal the digest size for the chosen hashType (e.g., signing a
       32-byte handle/IV/seed with WC_HASH_TYPE_SHA256) will not trip
       BAD_LENGTH_E; the resulting signature is syntactically valid but
       is over the wrong bytes. The pre-existing
       wc_SlhDsaKey_SignMsgDeterministic and
       wc_SlhDsaKey_SignMsgWithRandom retain their M'-supplied-directly
       contract (FIPS 205 internal interface, Algorithm 19); their input
       validation is hardened with the same NULL/length/MISSING_KEY
       checks as the *Hash* family. wc_SlhDsaKey_VerifyMsg is
       unchanged. All three gain doxygen coverage. (PR 10450, PR 10465)
     * Behavioral change (RSA-PSS trailerField enforcement):
       DecodeRsaPssParams (and its public wrapper wc_DecodeRsaPssParams)
       now enforces RFC 8017 A.2.3, which mandates trailerField ==
       trailerFieldBC(1). In the default build (i.e., without
       WOLFSSL_NO_ASN_STRICT), any certificate or CMS/PKCS#7 structure
       whose RSA-PSS parameters contain a trailerField value other than
       1 is now rejected with ASN_PARSE_E. Previously, any positive
       integer value was silently accepted. This affects all call paths
       that decode RSA-PSS algorithm parameters, including X.509
       certificate parsing and PKCS#7 signature verification. Users who
       need to interoperate with non-conformant peers can define
       WOLFSSL_NO_ASN_STRICT to restore the previous permissive
       behavior. (PR 10595)
     * Renamed the post-quantum signature implementation from its
       pre-standardization name Dilithium to its NIST-standardized name
       ML-DSA (FIPS 204), mirroring the earlier Kyber -> ML-KEM rename
       in wc_mlkem.{h,c}. The legacy <wolfssl/wolfcrypt/dilithium.h>
       header, dilithium_key type, wc_dilithium_* / wc_Dilithium_*
       functions, and HAVE_DILITHIUM / WOLFSSL_DILITHIUM_* /
       WC_DILITHIUM_* build gates remain available through a temporary
       compatibility shim, so application code keeps compiling
       unchanged. See doc/dilithium-to-mldsa-migration.md for the full
       list of renamed symbols, the new WOLFSSL_MLDSA cmake option /
       --enable-mldsa configure switch, and the migration steps for
       moving consumer code to the canonical API. (PR 10436, PR 10497,
       PR 10516)
     * TLS 1.3: zero traffic key staging buffers in SetKeysSide() once
       a CryptoCB callback has imported the AES key into a Secure
       Element (aes->devCtx != NULL). Clears
       keys->{client,server}_write_key on the provisioned side(s) after
       cipher init succeeds. The static IV buffers
       (keys->{client,server}_write_IV, keys->aead_{enc,dec}_imp_IV)
       are intentionally left intact because BuildTls13Nonce() reads
       them on every AEAD record to construct the per-record nonce.
       Scoped to TLS 1.3, non-DTLS, non-QUIC; requires WOLF_CRYPTO_CB
       and WOLF_CRYPTO_CB_AES_SETKEY. (PR 10246)
     * The wc_AesCmacVerify/_ex API were hardened to more closely
       conform to NIST SP 800-38B MAC length guidance, and these verify
       functions will now correctly enforce bounds on tag length checks.
       As a result, Cmac verification that previously were erroneously
       passing will now return MAC_CMP_FAILED_E or BAD_FUNC_ARG.
       (PR 10462)

   New Features

     * Added wolfCrypt SRAM PUF (Physically Unclonable Function)
       support, deriving device-unique keys from SRAM power-on state
       using a BCH fuzzy extractor and HKDF
       (wc_PufInit/wc_PufEnroll/wc_PufReconstruct). by @dgarske
       (PR 10066)
     * Added SHE (Secure Hardware Extension) support to wolfCrypt with
       software CMD_LOAD_KEY message generation/verification (M1-M5)
       and optional crypto callback hardware offload. by @night1rider
       (PR 10009)
     * Added WOLF_CRYPTO_CB_SETKEY and WOLF_CRYPTO_CB_EXPORT_KEY
       generic crypto callbacks to bridge raw key bytes to and from
       hardware key stores. by @night1rider (PR 9851)
     * Added key id/label constructors
       (wc_InitCmac_Id/_Label, wc_AesNew_Id/_Label,
       wc_NewRsaKey_Id/_Label) so algorithms can forward a hardware
       key-slot identifier. by @night1rider (PR 10072)
     * Added RFC 8773(bis) cert_with_extern_psk support for TLS 1.3,
       with API and handshake tests. by @Frauschi (PR 10085)
     * Added native TLS-ALPN-01 ACME challenge certificate support via
       the RFC 8737 id-pe-acmeIdentifier extension. by @lealem47
       (PR 10334)
     * Extended WOLFSSL_SP_NONBLOCK to RSA and Diffie-Hellman for the
       C/Small 2048/3072/4096 backends so handshakes never block for
       long on a single big-integer operation. by @dgarske (PR 10394)
     * Added ML-KEM and ML-DSA support to the C# wrapper. by @dgarske
       (PR 10191)
     * Added an HPKE (RFC 9180) C# wrapper. by @dgarske (PR 10171)
     * Added --enable-wolfzfs support for the wolfCrypt OpenZFS patch
       in both kernel-space and user-space builds. by @philljj
       (PR 10397)
     * Added a minimal DTLS 1.3 client-only build via WOLFSSL_DTLS_ONLY
       and an --enable-dtls13 autoconf cascade. by @julek-wolfssl
       (PR 10353)
     * Raised the --enable-context-extra-user-data ex_data index limit
       to 9999 and increased external cookie/extra-user-data maximum
       sizes for large-scale deployments. by @Roy-Carter (PR 10236)
     * Published wolfSSL's external Security Policy and a structured
       Vulnerability Report Template
       (SECURITY-POLICY.md, SECURITY-REPORT-TEMPLATE.md).
       by @ColtonWilley (PR 10284)
     * Extended the OpenSSL compatibility layer for libevent
       integration, adding struct-tag compatibility defines,
       BIO_get_init, and short-form alert string helpers.
       by @Roy-Carter (PR 10158, PR 10160)
     * Add support for WOLF_CRYPTO_CB_ONLY_SHA512. by @rizlik (PR 10550)
     * Support RFC 9802 LMS and XMSS in X.509 certificate and CSR
       generation. by @Frauschi (PR 10572)

   Post-Quantum Cryptography (PQC)

     * Added a SHA-512 DRBG and FIPS module-boundary wrappers for
       ML-KEM, ML-DSA, LMS, XMSS, and SLH-DSA as part of the upcoming
       post-quantum FIPS submission. by @kaleb-himes (PR 9843)
     * Replaced the liboqs-based pre-standardization SPHINCS+ with the
       native FIPS 205 SLH-DSA implementation throughout the
       certificate/ASN.1/X.509 layers. by @Frauschi (PR 10261)
     * Removed the liboqs integrations for ML-KEM and ML-DSA in favor
       of the native implementations. by @Frauschi (PR 10293)
     * Removed the deprecated liblms and libxmss integrations now that
       wolfCrypt has its own LMS/XMSS implementations. by @Frauschi
       (PR 10292)
     * Wired RFC 9802 HSS/LMS and XMSS/XMSS^MT stateful hash-based
       signatures into X.509 certificate verification. by @Frauschi
       (PR 10406)
     * Added crypto callbacks (MakeKey/Sign/Verify/SigsLeft) and
       id/label support for LMS and XMSS. by @padelsbach (PR 10380)
     * Added CryptoCb support for SLH-DSA. by @Frauschi (PR 10466)
     * Added dynamic key allocation for ML-KEM
       (WOLFSSL_MLKEM_DYNAMIC_KEYS) to right-size key buffers and
       reduce handshake memory use on constrained systems. by @Frauschi
       (PR 10179, PR 10206)
     * Added dynamic key allocation for ML-DSA
       (WOLFSSL_DILITHIUM_DYNAMIC_KEYS). by @Frauschi (PR 10180)
     * Added ML-KEM support for PKCS#11 via the PKCS#11 3.2
       encapsulate/decapsulate interface. by @Frauschi (PR 10077)
     * Added ML-DSA to X509_get_pubkey and EVP_PKEY_base_id.
       by @kojo1 (PR 9965)
     * Added ML-DSA SPKI/PKCS#8 DER support to
       d2i_PUBKEY/d2i_PrivateKey, EVP_PKCS82PKEY, and
       X509_check_private_key. by @cconlon (PR 10310, PR 10483)
     * Added Ed25519/Ed448 support to the EVP_PKEY layer and fixed a
       d2i key-probe bug affecting RSA/ECC/DH. by @lealem47 (PR 10135)
     * Fixed PQC key exchange when a ClientHello offers multiple KEM
       key shares. by @Frauschi (PR 10299)
     * Fixed ML-DSA signing when WC_DILITHIUM_CACHE_MATRIX_A is
       enabled. by @embhorn (PR 10400)
     * Fixed ML-KEM AVX2 assembly (5-bit decompression and final-block
       ciphertext comparison). by @SparkiDev (PR 10430)
     * Various ML-KEM correctness and key-state validation
       improvements. by @SparkiDev (PR 10405)
     * Reduced the ML-DSA verify-only key object size and allowed
       SHAKE-only builds without the SHA-3 APIs. by @SparkiDev
       (PR 10420)
     * LMS fixes and improvements including a 32-bit signature length,
       hash-algorithm parameter accessors, and empty-message signing.
       by @SparkiDev (PR 10448)
     * Migrate internal ML-KEM consumers to canonical wc_MlKemKey API.
       by @Frauschi (PR 10571)
     * Add PQ documentation for LMS, ML-DSA, ML-KEM, XMSS.
       by @kaleb-himes (PR 10514)
     * Various leak / alloc and zeroization fixes for SLH-DSA.
       by @Frauschi (PR 10698)

   TLS/DTLS

     * Multiple TLS 1.3 Encrypted Client Hello (ECH) compliance fixes
       per RFC 9849, covering rejection handling, ECHConfig parsing,
       and inner ClientHello validation. by @sebastian-carpenter
       (PR 10141)
     * Added client-side ECH ech_outer_extensions encoding to shrink
       the HPKE-sealed inner ClientHello. by @sebastian-carpenter
       (PR 10306)
     * Added maximum_name_length padding for the ECH ClientHelloInner
       and a new wolfSSL_CTX_GenerateEchConfigEx() API.
       by @sebastian-carpenter (PR 10326)
     * Added opt-in ECH trial decryption
       (wolfSSL_CTX_SetEchEnableTrialDecrypt()) and ECH
       connection-status reporting. by @sebastian-carpenter (PR 10469)
     * Evict the session from cache after an accepted 0-RTT resumption
       to prevent early-data replay (RFC 8446 section 8).
       by @julek-wolfssl (PR 10221)
     * Gate 0-RTT acceptance on a cache-backed resumption ticket and
       stop auto-advertising 0-RTT unless the application requests it.
       by @julek-wolfssl (PR 10289)
     * Send a missing_extension alert when the SNI extension is absent
       in TLS 1.3. by @jackctj117 (PR 10332)
     * Reject extensions in a TLS 1.3 Certificate message that were
       not offered in the prior ClientHello/CertificateRequest
       (RFC 8446 section 4.4.2). by @gasbytes (PR 10338)
     * Error out on unknown/unsolicited extensions in TLS 1.3 response
       messages while still tolerating GREASE in NewSessionTicket.
       by @Frauschi (PR 10186)
     * Fixed encrypt-then-mac handling on the non-resumption path.
       by @embhorn (PR 10167)
     * Fixed a TLS 1.3 AEAD/KeyUpdate limit that used 16-bit counters
       where 32-bit values were required. by @SparkiDev (PR 10513)
     * Decoupled the speculative ClientHello key share from
       preferredGroup[0] via WOLFSSL_KEY_SHARE_DEFAULT_GROUP to reduce
       HelloRetryRequests. by @Frauschi (PR 10435)
     * Fixed DTLS 1.3 unnecessary client retransmission after
       HelloRetryRequest and improved server robustness. by @rizlik
       (PR 10349)
     * Free and NULL the DTLS 1.3 cipher slot on init failure.
       by @gasbytes (PR 10360)
     * Added a WOLFSSL_DTLS13_5_9_0_COMPAT compatibility mode for
       interoperating with pre-5.9.0 DTLS 1.3 clients. by @rizlik
       (PR 10492)
     * Added a missing WOLFSSL_QUIC_MAX_RECORD_CAPACITY check on the
       QUIC early-data path. by @gasbytes (PR 10201)
     * Default WOLFSSL_MAX_SIGALGO to 128. by @julek-wolfssl (PR 10528)
     * Added NID_X25519 and NID_X448 support to the EVP layer.
       by @julek-wolfssl (PR 10552)
     * Enabled the all-zero shared-secret check for Curve25519/Curve448
       by default and ensured post_handshake_auth was offered before
       accepting a post-handshake CertificateRequest.
       by @kareem-wolfssl (PR 10374)
     * Fixed a DupSSL (write-dup) issue with Poly1305 authentication.
       by @embhorn (PR 10337)
     * Various X509 enhancements and fixes. by @SparkiDev (PR 10548)
     * Cache AEAD record overhead on WOLFSSL. by @julek-wolfssl
       (PR 10476)
     * Add keylog support for TLS 1.3 ECH. by @sebastian-carpenter
       (PR 10259)
     * Enhance OCSP responder authorization. by @rlm2002 (PR 10532)
     * Allow RSA client certs on ECDHE-ECDSA mutual auth.
       by @julek-wolfssl (PR 10553)
     * Enforce only 1 protocolname in serverhello. by @anhu (PR 10443)
     * Fix tls_bench DTLS mode failures. by @miyazakh (PR 10606)
     * Fix cipher property NIDs for SSL_get_current_cipher and add PSK
       kx mapping. by @julek-wolfssl (PR 10639)

   ASN and Certificate Parsing

     * Allow serial number 0 for self-signed root CA certificates while
       keeping the RFC 5280 check for others. by @jackctj117 (PR 9567)
     * Fixed peer certificate verification with IP address SAN entries.
       by @embhorn (PR 10169)
     * Fixed partial chain verification to only terminate at a
       certificate present in the original trust set. by @embhorn
       (PR 10170)
     * Apply DNS name constraints to the Subject CN when no SAN is
       present. by @rlm2002 (PR 10223)
     * Fixed IDNA wildcard matching. Thanks to Andrew Chin, SSLab at
       Georgia Institute of Technology. by @embhorn (PR 10331)
     * Honor the otherName GeneralName form in name-constraint checks
       and add WOLFSSL_X509_STORE_ALLOW_NON_CA_INTERMEDIATE for
       backward compatibility. by @embhorn (PR 10339)
     * Always parse and store iPAddress and registeredID GeneralNames
       for name-constraint enforcement. by @embhorn (PR 10354) Thanks
       to Ankur Tyagi of Cisco Talos for the report.
     * Hardened X.509 chain validation, session-ticket peer-cert
       binding, and peer-cert restore, and reject embedded NUL in
       dNSName/rfc822Name/URI SAN entries. by @julek-wolfssl (PR 10279)
     * Restrict domain-name pattern matching and case folding to valid
       FQDNs via a new IsValidFQDN() helper. by @douzzer (PR 10183,
       PR 10419)
     * Report a certificate verify failure for MD5-signed certificates
       during chain verification. by @embhorn (PR 10222)
     * Make SHA-1-with-RSA the last-resort signature type, as SHA-1
       signatures are deprecated. by @SparkiDev (PR 10173)
     * Tightened the key length check in wc_SignatureGetSize() from >=
       to exact equality. by @miyazakh (PR 10122)
     * Fixed a malformed AKID extension produced by
       wolfSSL_X509_set_authority_key_id(). by @cconlon (PR 10370)
     * Set the PKCS#8 (RFC 5958) version correctly when a private key
       bundles the optional publicKey field. by @cconlon (PR 10427)
     * Bind OCSP responder authorization to the CertID issuerKeyHash.
       by @julek-wolfssl (PR 10303)
     * Fixed multi-CRL PEM bundles being truncated to the first CRL in
       wolfSSL_PEM_read_bio_X509_CRL. by @julek-wolfssl (PR 10336)
     * Reject CRLs with unrecognized critical extensions and critical
       entry extensions per RFC 5280. by @gasbytes (PR 10239, PR 10274)
     * Validate DSA parameters when verifying a DSA key.
       by @kareem-wolfssl (PR 10381). Thanks to Kr0emer for the report.
     * Validate parameters in wolfSSL_EC_POINT_hex2point. Thanks to
       breakingbad6, Yanzhao Shen, and Yingpei Zeng (Hangzhou Dianzi
       University). by @embhorn (PR 10445)
     * Adjusted the CA pathlen check and added glitch hardening when a
       trust anchor is included in the certificate chain.
       by @JacobBarthelmeh (PR 10296)
     * Added ascii-digit validation in the ASN.1 time decode functions.
       by @padelsbach (PR 10276)
     * Allow a SubjectInfoAccess extension without an
       id-ad-caRepository entry. by @holtrop-wolfssl (PR 10368)
     * Tighten RFC 8017 A.2.3 compliance for RSA-PSS. by @miyazakh
       (PR 10595)

   Hardware and Embedded Ports

     * Reworked the Microchip TA-100 port for cryptoauthlib v3.6.0,
       with AES-GCM now working. by @danielinux (PR 9702)
     * Added wolfCrypt hardware crypto support for NXP LPC55S69.
       by @twcook86 (PR 10278)
     * Added STM32U3 hardware crypto support (AES, hash, TRNG).
       by @dgarske (PR 10361)
     * Fixed STM32 AES hardware crypto when WOLFSSL_ARMASM is set.
       by @dgarske (PR 10311)
     * Allow custom time functions on STM32 by not forcing NO_ASN_TIME
       when XTIME is defined. by @lealem47 (PR 10295)
     * Fixed NXP DCP AES multiblock CBC encrypt/decrypt and the
       in-place case. by @padelsbach (PR 10307)
     * Fixed Octeon/Cavium AES-GCM AAD GHASH and non-12-byte IV J0
       derivation bugs. by @ejohnstown (PR 10439) and @JacobBarthelmeh
       (PR 10471)
     * SE050 fixes plus new SE050_RSA_NO_VERIFY/SE050_ECDSA_NO_VERIFY/
       SE050_ECDSA_NO_ECDHE options and simulator CI. by @rizlik
       (PR 10219)
     * Improved MQX/Fusion RTOS compatibility for XINET_PTON (MQX RTCS
       support, IPv6 buffer sizing). by @josepho0918 (PR 10075)
     * Added Zephyr 4.3 default TLS-socket support. by @ColtonWilley
       (PR 10268)
     * Fixed wolfSSL support on the CHERI RISC-V architecture.
       by @wbeasley-thegoodpenguin (PR 10272)
     * Revived and hardened the IoT-Safe memory-TLS example.
       by @danielinux (PR 10457)
     * Fixed the NXP CAAM build when WOLFSSL_HASH_KEEP is not defined.
       by @JacobBarthelmeh (PR 10459)
     * Set hashType in port hash implementations so SHA-512 modes can
       be distinguished. by @padelsbach (PR 10193)
     * Fixed the LMS/XMSS crypto callback software fallback to
       propagate CRYPTOCB_UNAVAILABLE. by @padelsbach (PR 10456)
     * Fixed a PIC32 hardware-acceleration stack-pointer free bug and
       added PIC32MZ emulator tests. by @LinuxJedi (PR 10495)
     * Numerous hardware/embedded port hardening fixes (Xilinx/AMD,
       PSoC6, TROPIC01, devcrypto, RX64, STM32, KCAPI, QAT) from
       Fenrir review. by @JacobBarthelmeh (PR 10467, PR 10470,
       PR 10508) and @dgarske (PR 10496)
     * Implements the SHA accelerator for MAX32666 as bare-metal.
       by @mattia-moffa (PR 10431)

   Rust Wrapper

     * Added rand_core, aead, and cipher crate trait implementations.
       by @holtrop-wolfssl (PR 10070)
     * Added digest and signature crate trait implementations.
       by @holtrop-wolfssl (PR 10248)
     * Added password-hash, kem, and mac crate trait implementations.
       by @holtrop-wolfssl (PR 10305)
     * Added zeroize-on-drop and fixed Fenrir findings across the crate.
       by @holtrop-wolfssl (PR 10205)
     * Ensured memory safety for the C RNG struct and added
       functionality found during boringtun integration.
       by @holtrop-wolfssl (PR 10402)
     * Added buffer-size checks to the ChaCha20-Poly1305 one-shot
       wrappers. by @holtrop-wolfssl (PR 10267)
     * Add scrypt KDF and RSA-OAEP support. by @holtrop-wolfssl
       (PR 10556)

   Build System and Portability

     * Removed unused m4 macros and updated AX_PTHREAD to the latest
       autoconf-archive macro. by @BrianAker (PR 10106)
     * Guard <stddef.h> behind NO_STDDEF_H and userspace
       fcntl/filesystem code behind WOLFSSL_KERNEL_MODE. by @philljj
       (PR 10280, PR 10521)
     * Support building --enable-opensslextra with NO_BIO and
       NO_FILESYSTEM. by @JacobBarthelmeh (PR 10393)
     * Allow --enable-writedup when DTLS is disabled. by @mattia-moffa
       (PR 10527)
     * Set WOLFSSL_USE_ALIGN automatically for ARM user_settings.h
       builds. by @embhorn (PR 10487)
     * Added WC_LINUXKM_USE_HEAP_WRAPPERS heap wrappers and AES-CCM
       LKCAPI shims for the Linux kernel module. by @douzzer (PR 10512,
       PR 10194)
     * linuxkm enhancements for wolfGuard support. by @douzzer
       (PR 10590)
     * Added a software CryptoCb test device and
       WOLF_CRYPTO_CB_ONLY_* test infrastructure (SHA-256, SHA-224,
       AES). by @rizlik (PR 10351, PR 10500)
     * Added configure and CMake options for WOLF_CRYPTO_CB_RSA_PAD.
       by @kareem-wolfssl (PR 10428)
     * Fixed mem_track.h compilation on multi-threaded non-Linux builds.
       by @LinuxJedi (PR 10453)
     * Fixed CUDA builds with WOLFSSL_AES_SMALL_TABLES. by @embhorn
       (PR 10366)
     * Skip testsuite.test for --enable-leantls builds. by @miyazakh
       (PR 10510)
     * RPM packaging fixes for examples/cmake artifacts and RHEL10 LTO
       builds. by @space88man (PR 10270, PR 10356) and @twcook86
       (PR 10275)
     * Fixed the SGX build to not require fcntl.h. by @JacobBarthelmeh
       (PR 10524)
     * Various linuxkm Fenrir fixes. by @douzzer (PR 10688)
     * Various bsdkm fixes and cleanup. by @philljj (PR 10565)

   Bug Fixes

     * AES-CCM encryption/decryption with 13 or 12 byte nonces and
       large messages (>1 MiB and >256 MiB respectively) were not
       properly rejected at argument validation time, allowing counter
       wrap, keystream reuse, and consequent plaintext recovery. Thanks
       to NVIDIA Project Vanessa for the report. (PR 10709)
     * Out-of-bounds write in wolfSSL_get_finished() and
       wolfSSL_get_peer_finished(). The functions validated the caller
       buffer against TLS_FINISHED_SZ (12 bytes) but copied the full
       Finished message, which for TLS 1.3 is the handshake hash size
       (32 or 48 bytes), overrunning a correctly sized 12-byte buffer.
       The output length is now validated before the copy. Thanks to
       Qiushi Wu from IBM Research for the report. (PR 10576)
     * Fix for rejecting the import of a public key that is the
       identity element with Ed448. Use of a public key that is the
       identity element allows for crafting a forged signature that
       verifies with that specific public key. wolfSSL does not generate
       an Ed448 key pair that is the identity element. This
       defense-in-depth hardening for Ed448 and has been available
       since release 5.9.1. Thanks to Nicholas Carlini from Anthropic
       for the report. (PR 10116)
     * Fix for !aNULL after an explicit ADH suite leaving the anon
       suite available. Thanks to NVIDIA Project Vanessa for the
       report. (PR 10714)
     * P-521 ECDH SP-math validates 65 bytes but writes 66 leading to
       a 1-byte heap overflow. Thanks to NVIDIA Project Vanessa for the
       report. (PR 10702)
     * Fix for FreeBSD kernel module to have additional sanity checks
       on IV size when copying. This avoids a stack overflow in
       --enable-freebsdkm-crypto-register builds used for preliminary
       testing. Thanks to NVIDIA Project Vanessa for the report.
       (PR 10695)
     * Added an upper limit to the PBKDF iteration count and changed
       iterations <= 0 to fail closed instead of silently clamping to
       1. by @anhu (PR 10050) and @miyazakh (PR 10504)
     * Added MP integer size bounds checks in SizeASN_Items.
       by @anhu (PR 10051)
     * Ensure certificates are correctly added to the cert manager.
       by @anhu (PR 10073)
     * Use O_CLOEXEC at file creation to harden against multithread
       races. by @embhorn (PR 10162)
     * BIO improvements and fixes, including an out-of-bounds read and
       an inverted ctrl_pending check. by @rizlik (PR 10164)
     * Guard against negative lengths in BIO, I/O callbacks, and
       PKCS12 PBKDF. by @ColtonWilley (PR 10208)
     * Fixed a dangling secure_renegotiation pointer after
       TLSX_FreeAll. by @ColtonWilley (PR 10210)
     * Added missing NULL checks across public API entry points.
       by @ColtonWilley (PR 10216)
     * Fixed NULL dereferences, a DSA SignFinal overflow, and the i2d
       contract across EVP/OCSP/X509. by @ColtonWilley (PR 10217)
     * Enforce the minimum auth tag size in wc_AesGcmDecryptFinal.
       by @yosuke-wolfssl (PR 10175)
     * AES-EAX and AES-SIV lifecycle and NULL-check fixes.
       by @SparkiDev (PR 10174)
     * Added a C implementation for ARM AES-GCM small-table builds
       without NEON. by @SparkiDev (PR 10176)
     * SP integer fixes for negative numbers, zero-used edge cases,
       bounds, and truncation, plus added testing. by @SparkiDev
       (PR 10235, PR 10529) and @embhorn (PR 10478) Thanks to Kr0emer
       for reporting these issues and testing the fixes.
     * Fixed the Curve25519 private-key clamp check to enforce RFC 7748
       rule 3. by @MarkAtwood (PR 10363)
     * Fixed the Blake2 oversized-key path. by @mattia-moffa (PR 10447)
     * Fixed a SAKKE heap buffer overflow and a correctness gap in
       sakke_hash_to_range, plus a wc_export_int size check.
       by @JeremiahM37 (PR 10442) and @philljj (PR 10444)
     * Added checks to PKCS7_VerifySignedData to prevent out-of-bounds
       access. Thanks to Feng Ning / Innora. by @padelsbach (PR 10441)
     * Various PKCS#7 fixes. by @Frauschi (PR 10203) and
       @kareem-wolfssl (PR 10128)
     * Various PKCS#12 fixes including strict-aliasing, zeroization,
       and overflow checks. by @rlm2002 (PR 10378)
     * Fixed an ECC temporary-key leak and undefined behavior, and an
       ECC validation regression. by @Frauschi (PR 10346, PR 10260)
     * Fixed a double free in wolfSSL_X509_set_ext. by @padelsbach
       (PR 10481)
     * Reset the SHA-3 hashType between ML-KEM cryptocb calls.
       by @night1rider (PR 10211)
     * Plumb the caller heap into CMAC before the cryptocb fires.
       by @night1rider (PR 10401)
     * Fixed inverted AllocDer checks in the alt private key id/label
       paths. by @night1rider (PR 10168)
     * TLS extension bounds-checking fixes. Thanks to Suryansh
       Mansharamani (Plainshift AI). by @embhorn (PR 10220)
     * Hardened TLSX_KeyShare_ProcessPqcHybridClient against double
       free and wrong-key NULLing. by @embhorn (PR 10327) and
       @kareem-wolfssl (PR 10493)
     * Various missing bounds and length checks. by @kareem-wolfssl
       (PR 10142, PR 10277)
     * Fixed the NO_VERIFY_OID build in GetOID. Thanks to @cpsource.
       by @JeremiahM37 (PR 10440)
     * Ensure large buffers are heap-allocated under
       WOLFSSL_SMALL_STACK. by @Frauschi (PR 10245)
     * Fixed private key lock issues. by @kaleb-himes (PR 10446)
     * Improved HPKE return codes to use defined error values.
       by @sebastian-carpenter (PR 10455)
     * MD4 and MD2 public APIs now return int instead of void,
       alongside static-analysis fixes for SECO, devcrypto, and ARIA.
       by @JacobBarthelmeh (PR 10460)
     * Extensive wolfCrypt input-validation, key-zeroization, and
       side-channel hardening across RSA, ECC, EdDSA, Curve25519/448,
       DH, SRP, PKCS#7, KDF, LMS, and PQ key handling.
       by @JeremiahM37 (PR 10136, PR 10231, PR 10238, PR 10264,
       PR 10304, PR 10340, PR 10386, PR 10392, PR 10413, PR 10426,
       PR 10468), @julek-wolfssl (PR 10230, PR 10247, PR 10398), and
       @aidangarske (PR 10155)
     * Fixed a word32 size overflow in wc_DeCompressDynamic that could
       under-allocate a buffer and cause a heap overflow on --with-libz
       + PKCS7-compressed builds. by @JeremiahM37 (PR 10413)
     * Resolved numerous Coverity static-analysis findings. by @rlm2002
       (PR 10129, PR 10165, PR 10376, PR 10418, PR 10482)
     * Enforce MAX_ENTROPY_BITS upper bound in wc_Entropy_Get().
       by @miyazakh (PR 10593)
     * Various EVP API bug fixes. by @MarkAtwood (PR 10364, PR 9987)
     * Various ppc and armv8 asm and linuxkm fixes. by @douzzer
       (PR 10600)
     * Fixes for Zephyr secure sockets integration. by @Frauschi
       (PR 10583)
     * Add signed-length validation to d2i, PEM, and buffer-load APIs
       to harden against potential out of bounds case. by @ColtonWilley
       (PR 10207)
     * Reject duplicate certificatePolicies certificate extensions
       (RFC 5280), previously accepted as last-wins. by @Frauschi
       (PR 10714)
     * Strengthen subgroup check in wc_DhAgree by @philljj (PR 10560).
       Thanks to Muhammad Arya Arjuna Habibullah (Pelioro) for the
       report.
     * Fix missing private key zeroization in ML-KEM by @anhu
       (PR 10665). Thanks to Uday Devaraj, SYNE Lab, Syracuse
       University.
     * Force-zero wc_AesSivDecrypt output buffer on authentication
       failure. by @holtrop-wolfssl (PR 10668)
     * Ed448: check for public key presence on export.
       by @holtrop-wolfssl (PR 10656)
     * Hardening fixes in wolfSSL_strnstr and mp_get_digit. Thanks to
       Dominik Blain / COBALT Security for the bug report.
       by @padelsbach (PR 10138)

   Documentation and Maintenance

     * Added documentation for the new OCSP responder and certificate
       accessor APIs. by @julek-wolfssl (PR 10147)
     * Improved API documentation argument descriptions for the
       sigalgs/groups/cipher-list/options setters. by @kojo1 (PR 10382)
     * Added doxygen coverage for the SHE API. by @night1rider (PR 10243)
     * Added the BN_bn2binpad API. by @julek-wolfssl (PR 10148)
     * Added TLS 1.3 decryption fuzz tests, Monte Carlo / unaligned /
       in-place cipher tests, and expanded negative test coverage for
       handshake, AEAD, PKCS7, PSS, DSA, DRBG, and PQ paths.
       by @SparkiDev (PR 10461, PR 10213, PR 10226) and @JeremiahM37
       (PR 10166, PR 10291)
     * Various improvements to CI efficiency and parallelism.
       by @julek-wolfssl (PR 10667, PR 10685, PR 10701, PR 10731)


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.31.2.1 pkgsrc/security/wolfssl/Makefile
cvs rdiff -u -r1.18 -r1.18.2.1 pkgsrc/security/wolfssl/PLIST
cvs rdiff -u -r1.32 -r1.32.2.1 pkgsrc/security/wolfssl/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/wolfssl/Makefile
diff -u pkgsrc/security/wolfssl/Makefile:1.31 pkgsrc/security/wolfssl/Makefile:1.31.2.1
--- pkgsrc/security/wolfssl/Makefile:1.31       Sun Apr 12 11:25:01 2026
+++ pkgsrc/security/wolfssl/Makefile    Sun Jun 28 18:49:58 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.31 2026/04/12 11:25:01 fox Exp $
+# $NetBSD: Makefile,v 1.31.2.1 2026/06/28 18:49:58 bsiegert Exp $
 
-DISTNAME=      wolfssl-5.9.1
+DISTNAME=      wolfssl-5.9.2
 CATEGORIES=    security
 MASTER_SITES=  https://www.wolfssl.com/
 EXTRACT_SUFX=  .zip

Index: pkgsrc/security/wolfssl/PLIST
diff -u pkgsrc/security/wolfssl/PLIST:1.18 pkgsrc/security/wolfssl/PLIST:1.18.2.1
--- pkgsrc/security/wolfssl/PLIST:1.18  Mon Mar 30 10:22:27 2026
+++ pkgsrc/security/wolfssl/PLIST       Sun Jun 28 18:49:58 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.18 2026/03/30 10:22:27 fox Exp $
+@comment $NetBSD: PLIST,v 1.18.2.1 2026/06/28 18:49:58 bsiegert Exp $
 bin/wolfssl-config
 include/wolfssl/callbacks.h
 include/wolfssl/certs_test.h
@@ -98,9 +98,6 @@ include/wolfssl/wolfcrypt/eccsi.h
 include/wolfssl/wolfcrypt/ed25519.h
 include/wolfssl/wolfcrypt/ed448.h
 include/wolfssl/wolfcrypt/error-crypt.h
-include/wolfssl/wolfcrypt/ext_lms.h
-include/wolfssl/wolfcrypt/ext_mlkem.h
-include/wolfssl/wolfcrypt/ext_xmss.h
 include/wolfssl/wolfcrypt/falcon.h
 include/wolfssl/wolfcrypt/fe_448.h
 include/wolfssl/wolfcrypt/fe_operations.h
@@ -112,7 +109,6 @@ include/wolfssl/wolfcrypt/hmac.h
 include/wolfssl/wolfcrypt/hpke.h
 include/wolfssl/wolfcrypt/integer.h
 include/wolfssl/wolfcrypt/kdf.h
-include/wolfssl/wolfcrypt/lms.h
 include/wolfssl/wolfcrypt/logging.h
 include/wolfssl/wolfcrypt/md2.h
 include/wolfssl/wolfcrypt/md4.h
@@ -120,13 +116,13 @@ include/wolfssl/wolfcrypt/md5.h
 include/wolfssl/wolfcrypt/mem_track.h
 include/wolfssl/wolfcrypt/memory.h
 include/wolfssl/wolfcrypt/misc.h
-include/wolfssl/wolfcrypt/mlkem.h
 include/wolfssl/wolfcrypt/mpi_class.h
 include/wolfssl/wolfcrypt/mpi_superclass.h
 include/wolfssl/wolfcrypt/oid_sum.h
 include/wolfssl/wolfcrypt/pkcs12.h
 include/wolfssl/wolfcrypt/pkcs7.h
 include/wolfssl/wolfcrypt/poly1305.h
+include/wolfssl/wolfcrypt/puf.h
 include/wolfssl/wolfcrypt/pwdbased.h
 include/wolfssl/wolfcrypt/random.h
 include/wolfssl/wolfcrypt/rc2.h
@@ -145,21 +141,21 @@ include/wolfssl/wolfcrypt/sm2.h
 include/wolfssl/wolfcrypt/sm3.h
 include/wolfssl/wolfcrypt/sm4.h
 include/wolfssl/wolfcrypt/sp_int.h
-include/wolfssl/wolfcrypt/sphincs.h
 include/wolfssl/wolfcrypt/srp.h
 include/wolfssl/wolfcrypt/tfm.h
 include/wolfssl/wolfcrypt/types.h
 include/wolfssl/wolfcrypt/visibility.h
 include/wolfssl/wolfcrypt/wc_encrypt.h
 include/wolfssl/wolfcrypt/wc_lms.h
+include/wolfssl/wolfcrypt/wc_mldsa.h
 include/wolfssl/wolfcrypt/wc_mlkem.h
 include/wolfssl/wolfcrypt/wc_port.h
+include/wolfssl/wolfcrypt/wc_she.h
 include/wolfssl/wolfcrypt/wc_slhdsa.h
 include/wolfssl/wolfcrypt/wc_xmss.h
 include/wolfssl/wolfcrypt/wolfentropy.h
 include/wolfssl/wolfcrypt/wolfevent.h
 include/wolfssl/wolfcrypt/wolfmath.h
-include/wolfssl/wolfcrypt/xmss.h
 include/wolfssl/wolfio.h
 lib/cmake/wolfssl/wolfssl-config-version.cmake
 lib/cmake/wolfssl/wolfssl-config.cmake
@@ -168,6 +164,7 @@ lib/libwolfssl.la
 lib/pkgconfig/wolfssl.pc
 share/doc/wolfssl/QUIC.md
 share/doc/wolfssl/README.txt
+share/doc/wolfssl/dilithium-to-mldsa-migration.md
 share/doc/wolfssl/example/client.c
 share/doc/wolfssl/example/echoclient.c
 share/doc/wolfssl/example/echoserver.c

Index: pkgsrc/security/wolfssl/distinfo
diff -u pkgsrc/security/wolfssl/distinfo:1.32 pkgsrc/security/wolfssl/distinfo:1.32.2.1
--- pkgsrc/security/wolfssl/distinfo:1.32       Sun Apr 12 11:25:01 2026
+++ pkgsrc/security/wolfssl/distinfo    Sun Jun 28 18:49:58 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.32 2026/04/12 11:25:01 fox Exp $
+$NetBSD: distinfo,v 1.32.2.1 2026/06/28 18:49:58 bsiegert Exp $
 
-BLAKE2s (wolfssl-5.9.1.zip) = 0f9e10fe46317ddfe4a53f8c83d8eb837de2ff1e47a409a44e41c0706ae987f2
-SHA512 (wolfssl-5.9.1.zip) = 318083dd96e3a4142020d91bcfe05dcf1a3126ac0fea4218c9c65a3de34590736e6a6f244a027c41751f97aa5c1ebbf0569658ee1c103c2febcbab4dd66d6d40
-Size (wolfssl-5.9.1.zip) = 28487279 bytes
+BLAKE2s (wolfssl-5.9.2.zip) = fc4462b870b862026618a9ea8620a94a8b2f0c41934ad538917c3be30f9a663c
+SHA512 (wolfssl-5.9.2.zip) = 8bfdbe026ecb18647a37cc5a55a335a5749a7381d082bdbf8212705e231f8e00212b15b4fc474b536756e63cd9c688617c4e8792cef923c037b8cdf2177ed286
+Size (wolfssl-5.9.2.zip) = 29803913 bytes



Home | Main Index | Thread Index | Old Index