Merge pull request #8829 from gojimmypi/pr-espressif-time-correction

Correct Espressif default time setting
2025-06-02 17:03:06 -06:00 · 2025-06-02 15:04:49 -07:00 · 2025-06-02 10:39:23 -06:00 · 2025-05-31 09:23:59 -07:00 · 2025-05-31 00:23:32 -05:00 · 2025-05-30 18:05:25 -05:00
560 changed files with 118520 additions and 59351 deletions
--- a/.github/workflows/ada.yml
+++ b/.github/workflows/ada.yml
@ -0,0 +1,33 @@
+name: WolfSSL Ada Build Tests
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@master
+
+    - name: Install gnat
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y gnat gprbuild
+
+    - name: Checkout wolfssl
+      uses: actions/checkout@master
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    - name: Build wolfssl Ada
+      working-directory: ./wolfssl/wrapper/Ada
+      run: |
+        mkdir obj
+        gprbuild default.gpr
+        gprbuild examples.gpr
--- a/.github/workflows/async.yml
+++ b/.github/workflows/async.yml
@ -18,9 +18,9 @@ jobs:
      matrix:
        config: [
          # Add new configs here
-          '--enable-asynccrypt --enable-all --enable-dtls13',
-          '--enable-asynccrypt-sw --enable-ocspstapling --enable-ocspstapling2',
-          '--enable-ocsp CFLAGS="-DTEST_NONBLOCK_CERTS"',
+          '--enable-asynccrypt --enable-all --enable-dtls13 CFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFCRYPT_TEST_LINT"',
+          '--enable-asynccrypt-sw --enable-ocspstapling --enable-ocspstapling2 CFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-ocsp CFLAGS="-DTEST_NONBLOCK_CERTS -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
        ]
    name: make check
    if: github.repository_owner == 'wolfssl'
--- a/.github/workflows/cmake.yml
+++ b/.github/workflows/cmake.yml
@ -75,13 +75,35 @@ jobs:
            -DWOLFSSL_SNI:BOOL=yes -DWOLFSSL_SP_MATH_ALL:BOOL=yes -DWOLFSSL_SRTP:BOOL=yes \
            -DWOLFSSL_STUNNEL:BOOL=yes -DWOLFSSL_SUPPORTED_CURVES:BOOL=yes -DWOLFSSL_SYS_CA_CERTS:BOOL=yes \
            -DWOLFSSL_TICKET_NONCE_MALLOC:BOOL=yes -DWOLFSSL_TLS13:BOOL=yes -DWOLFSSL_TLSV12:BOOL=yes \
-            -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
+            -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \
            -DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \
+            -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
            -DWOLFSSL_X963KDF:BOOL=yes \
            -DCMAKE_C_FLAGS="-DWOLFSSL_DTLS_CH_FRAG" \
            ..
        cmake --build .
+        ctest -j $(nproc)
        cmake --install .

+        # clean up
+        cd ..
+        rm -rf build
+
        # Kyber Cmake broken
        # -DWOLFSSL_KYBER:BOOL=yes
+
+# build "lean-tls" wolfssl
+    - name: Build wolfssl with lean-tls
+      working-directory: ./wolfssl
+      run: |
+        mkdir build
+        cd build
+        cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
+            -DWOLFSSL_LEAN_TLS:BOOL=yes \
+            ..
+        cmake --build .
+        cmake --install .
+
+        # clean up
+        cd ..
+        rm -rf build
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@ -23,8 +23,8 @@ jobs:
        check_filenames: true
        check_hidden: true
          # Add comma separated list of words that occur multiple times that should be ignored (sorted alphabetically, case sensitive)
-        ignore_words_list: adin,aNULL,brunch,carryIn,chainG,ciph,cLen,cliKs,dout,haveA,inCreated,inOut,inout,larg,LEAPYEAR,Merget,optionA,parm,parms,repid,rIn,userA,ser,siz,te,Te
+        ignore_words_list: adin,aNULL,brunch,carryIn,chainG,ciph,cLen,cliKs,dout,haveA,inCreated,inOut,inout,larg,LEAPYEAR,Merget,optionA,parm,parms,repid,rIn,userA,ser,siz,te,Te,
          # The exclude_file contains lines of code that should be ignored. This is useful for individual lines which have non-words that can safely be ignored.
        exclude_file: '.codespellexcludelines'
          # To skip files entirely from being processed, add it to the following list:
-        skip: '*.cproject,*.der,*.mtpj,*.pem,*.vcxproj,.git,*.launch,*.scfg,*.revoked'
+        skip: '*.cproject,*.der,*.mtpj,*.pem,*.vcxproj,.git,*.launch,*.scfg,*.revoked,./examples/asn1/dumpasn1.cfg,./examples/asn1/oid_names.h'
--- a/.github/workflows/grpc.yml
+++ b/.github/workflows/grpc.yml
@ -71,6 +71,11 @@ jobs:
        with:
          name: wolf-install-grpc

+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
      - name: untar build-dir
        run: tar -xf build-dir.tgz

@ -94,7 +99,7 @@ jobs:
          git submodule update --init
          mkdir cmake/build
          cd cmake/build
-          cmake -DgRPC_BUILD_TESTS=ON -DgRPC_SSL_PROVIDER=wolfssl \
+          cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.1 -DgRPC_BUILD_TESTS=ON -DgRPC_SSL_PROVIDER=wolfssl \
            -DWOLFSSL_INSTALL_DIR=$GITHUB_WORKSPACE/build-dir ../..
          make -j $(nproc) ${{ matrix.tests }}

--- a/.github/workflows/hostap-vm.yml
+++ b/.github/workflows/hostap-vm.yml
@ -217,6 +217,7 @@ jobs:
          sudo apt-get install -y libpcap0.8 libpcap-dev curl libcurl4-openssl-dev \
            libnl-3-dev binutils-dev libssl-dev libiberty-dev libnl-genl-3-dev \
            libnl-route-3-dev libdbus-1-dev bridge-utils tshark python3-pycryptodome
+          sudo pip install pycryptodome

      - name: Checking if we have hostap in cache
        uses: actions/cache/restore@v4
@ -312,6 +313,7 @@ jobs:
            KERNELDIR=$GITHUB_WORKSPACE/linux
            KVMARGS="-cpu host"
          EOF
+          git config --global --add safe.directory $GITHUB_WORKSPACE/hostap
          # Run tests in increments of 200 to not stall out the parallel-vm script
          while mapfile -t -n 200 ary && ((${#ary[@]})); do
            TESTS=$(printf '%s\n' "${ary[@]}" | tr '\n' ' ')
--- a/.github/workflows/intelasm-c-fallback.yml
+++ b/.github/workflows/intelasm-c-fallback.yml
@ -18,7 +18,7 @@ jobs:
      matrix:
        config: [
          # Add new configs here
-          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWC_AES_C_DYNAMIC_FALLBACK -DWC_C_DYNAMIC_FALLBACK -DDEBUG_VECTOR_REGISTER_ACCESS -DDEBUG_VECTOR_REGISTER_ACCESS_FUZZING -DWC_DEBUG_CIPHER_LIFECYCLE"'
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWC_C_DYNAMIC_FALLBACK -DDEBUG_VECTOR_REGISTER_ACCESS -DDEBUG_VECTOR_REGISTER_ACCESS_FUZZING -DWC_DEBUG_CIPHER_LIFECYCLE"'
        ]
    name: make check
    if: github.repository_owner == 'wolfssl'
--- a/.github/workflows/jwt-cpp.yml
+++ b/.github/workflows/jwt-cpp.yml
@ -66,6 +66,11 @@ jobs:
        with:
          name: wolf-install-jwt-cpp

+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
      - name: untar build-dir
        run: tar -xf build-dir.tgz

@ -87,7 +92,7 @@ jobs:
        run: |
          patch -p1 < ../osp/jwt-cpp/${{ matrix.config.ref }}.patch
          PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
-            cmake -B build -DJWT_SSL_LIBRARY:STRING=wolfSSL -DJWT_BUILD_TESTS=ON .
+            cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.5 -B build -DJWT_SSL_LIBRARY:STRING=wolfSSL -DJWT_BUILD_TESTS=ON .
          make -j -C build
          ldd ./build/tests/jwt-cpp-test | grep wolfssl

--- a/.github/workflows/libssh2.yml
+++ b/.github/workflows/libssh2.yml
@ -60,14 +60,27 @@ jobs:
      - name: untar build-dir
        run: tar -xf build-dir.tgz

-      - name: Build and test libssh2
-        uses: wolfSSL/actions-build-autotools-project@v1
+      - name: Clone libssh2
+        uses: actions/checkout@v4
        with:
          repository: libssh2/libssh2
          ref: libssh2-${{ matrix.ref }}
          path: libssh2
-          configure: --with-crypto=wolfssl --with-libwolfssl-prefix=$GITHUB_WORKSPACE/build-dir
-          check: true
+
+      - name: Build libssh2
+        working-directory: libssh2
+        run: |
+          autoreconf -fi
+          ./configure --with-crypto=wolfssl --with-libwolfssl-prefix=$GITHUB_WORKSPACE/build-dir
+
+      - name: Update libssh2 test to use a stable version of debian
+        working-directory: libssh2
+        run: |
+            sed -i 's/testing-slim/stable-slim/' tests/openssh_server/Dockerfile
+
+      - name: Run libssh2 tests
+        working-directory: libssh2
+        run: make check

      - name: Confirm libssh2 built with wolfSSL
        run: ldd libssh2/src/.libs/libssh2.so | grep wolfssl
--- a/.github/workflows/libvncserver.yml
+++ b/.github/workflows/libvncserver.yml
@ -55,6 +55,11 @@ jobs:
        with:
          name: wolf-install-libvncserver

+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
      - name: untar build-dir
        run: tar -xf build-dir.tgz

@ -76,7 +81,7 @@ jobs:
        run: |
          patch -p1 < ../osp/libvncserver/${{ matrix.ref }}.patch
          PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
-            cmake -B build -DWITH_GNUTLS=OFF -DWITH_OPENSSL=OFF -DWITH_GCRYPT=OFF -DWITH_WOLFSSL=ON .
+            cmake -DCMAKE_POLICY_VERSION_MINIMUM=3.5 -B build -DWITH_GNUTLS=OFF -DWITH_OPENSSL=OFF -DWITH_GCRYPT=OFF -DWITH_WOLFSSL=ON .
          make -j -C build VERBOSE=1
          ldd build/libvncclient.so | grep wolfssl
          ldd build/libvncserver.so | grep wolfssl
--- a/.github/workflows/mosquitto.yml
+++ b/.github/workflows/mosquitto.yml
@ -77,6 +77,12 @@ jobs:
          ref: v${{ matrix.ref }}
          path: mosquitto

+      - name: Update certs
+        run: |
+            cd $GITHUB_WORKSPACE/mosquitto/test/ssl
+            ./gen.sh
+            cat all-ca.crt >> server.crt
+
      - name: Configure and build mosquitto
        run: |
            cd $GITHUB_WORKSPACE/mosquitto/
--- a/.github/workflows/msys2.yml
+++ b/.github/workflows/msys2.yml
@ -0,0 +1,36 @@
+name: MSYS2 Build Test
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  msys2:
+    runs-on: windows-latest
+    defaults:
+      run:
+        shell: msys2 {0}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: msys2/setup-msys2@v2
+        with:
+          msystem: msys
+          update: true
+          install: git gcc autotools base-devel autoconf netcat
+      - name: configure wolfSSL
+        run: ./autogen.sh && ./configure CFLAGS="-DUSE_CERT_BUFFERS_2048 -DUSE_CERT_BUFFERS_256 -DNO_WRITE_TEMP_FILES"
+      - name: build wolfSSL
+        run: make
+      - name: run tests
+        run: make check
+      - name: Display log
+        if: always()
+        run: cat test-suite.log
--- a/.github/workflows/multi-arch.yml
+++ b/.github/workflows/multi-arch.yml
@ -30,6 +30,7 @@ jobs:
          - HOST: riscv64-linux-gnu
            CC: riscv64-linux-gnu-gcc
            ARCH: riscv64
+            EXTRA_OPTS: --enable-riscv-asm
          # Config to ensure CPUs without Thumb instructions compiles
          - HOST: arm-linux-gnueabi
            CC: arm-linux-gnueabi-gcc
@ -51,7 +52,7 @@ jobs:
            CC: ${{ matrix.CC }}
            CFLAGS: ${{ matrix.CFLAGS }}
            QEMU_LD_PREFIX: /usr/${{ matrix.HOST }}
-        run: ./autogen.sh && ./configure --host=${{ matrix.HOST }} --enable-all --disable-examples ${{ matrix.EXTRA_OPTS }} && make
+        run: ./autogen.sh && ./configure --host=${{ matrix.HOST }} --enable-all --disable-examples CPPFLAGS="-pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFCRYPT_TEST_LINT" ${{ matrix.EXTRA_OPTS }} && make
      - name: Print errors
        if: ${{ failure() }}
        run: |
--- a/.github/workflows/multi-compiler.yml
+++ b/.github/workflows/multi-compiler.yml
@ -21,31 +21,28 @@ jobs:
        include:
          - CC: gcc-9
            CXX: g++-9
-            OS: ubuntu-22.04
+            OS: ubuntu-24.04
          - CC: gcc-10
            CXX: g++-10
-            OS: ubuntu-22.04
+            OS: ubuntu-24.04
          - CC: gcc-11
            CXX: g++-11
-            OS: ubuntu-22.04
+            OS: ubuntu-24.04
          - CC: gcc-12
            CXX: g++-12
-            OS: ubuntu-22.04
-          - CC: clang-10
-            CXX: clang++-10
-            OS: ubuntu-20.04
+            OS: ubuntu-24.04
          - CC: clang-11
            CXX: clang++-11
-            OS: ubuntu-20.04
+            OS: ubuntu-22.04
          - CC: clang-12
            CXX: clang++-12
-            OS: ubuntu-20.04
+            OS: ubuntu-22.04
          - CC: clang-13
            CXX: clang++-13
            OS: ubuntu-22.04
          - CC: clang-14
            CXX: clang++-14
-            OS: ubuntu-22.04
+            OS: ubuntu-24.04
    if: github.repository_owner == 'wolfssl'
    runs-on: ${{ matrix.OS }}
    # This should be a safe limit for the tests to run.
@ -58,7 +55,7 @@ jobs:
        env:
            CC: ${{ matrix.CC }}
            CXX: ${{ matrix.CXX }}
-        run: ./autogen.sh && ./configure && make && make dist
+        run: ./autogen.sh && ./configure CFLAGS="-pedantic -Wdeclaration-after-statement" && make && make dist
      - name: Show log on errors
        if: ${{ failure() }}
        run: |
--- a/.github/workflows/no-malloc.yml
+++ b/.github/workflows/no-malloc.yml
@ -18,7 +18,7 @@ jobs:
      matrix:
        config: [
          # Add new configs here
-          '--enable-rsa --enable-keygen --disable-dh CFLAGS="-DWOLFSSL_NO_MALLOC -DRSA_MIN_SIZE=1024"',
+          '--enable-rsa --enable-keygen --disable-dh CFLAGS="-DWOLFSSL_NO_MALLOC -DRSA_MIN_SIZE=1024 -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
        ]
    name: make check
    if: github.repository_owner == 'wolfssl'
--- a/.github/workflows/opensslcoexist.yml
+++ b/.github/workflows/opensslcoexist.yml
@ -0,0 +1,50 @@
+name: OPENSSL_COEXIST and TEST_OPENSSL_COEXIST
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  make_check:
+    strategy:
+      matrix:
+        config: [
+          # Add new configs here
+          '--verbose --enable-all --disable-all-osp --disable-opensslall --enable-opensslcoexist CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -pedantic -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--verbose --enable-all --disable-all-osp --disable-opensslall --enable-opensslcoexist CPPFLAGS="-DNO_WOLFSSL_CIPHER_SUITE_TEST -pedantic -DTEST_OPENSSL_COEXIST -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"'
+        ]
+    name: make check
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Test --enable-opensslcoexist and TEST_OPENSSL_COEXIST
+        run: |
+          ./autogen.sh || $(exit 2)
+          ./configure ${{ matrix.config }} || $(exit 3)
+          make -j 4 || $(exit 4)
+          make check
+
+      - name: Print errors
+        if: ${{ failure() }}
+        run: |
+          for file in config.log scripts/*.log
+          do
+              if [ -f "$file" ]; then
+                  echo "${file}:"
+                  cat "$file"
+                  echo "========================================================================"
+              fi
+          done
--- a/.github/workflows/os-check.yml
+++ b/.github/workflows/os-check.yml
@ -23,6 +23,8 @@ jobs:
          '',
          '--enable-all --enable-asn=template',
          '--enable-all --enable-asn=original',
+          '--enable-all --enable-asn=template CPPFLAGS=-DWOLFSSL_OLD_OID_SUM',
+          '--enable-all --enable-asn=original CPPFLAGS=-DWOLFSSL_OLD_OID_SUM',
          '--enable-harden-tls',
          '--enable-tls13 --enable-session-ticket --enable-dtls --enable-dtls13
             --enable-opensslextra --enable-sessioncerts
@ -42,6 +44,10 @@ jobs:
            --enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA',
          '--enable-ascon --enable-experimental',
          '--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental',
+          '--enable-all CPPFLAGS=''-DNO_AES_192 -DNO_AES_256'' ',
+          '--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys CFLAGS=-DWOLFSSL_DH_EXTRA',
+          '--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
+            --enable-dtls-mtu CPPFLAGS=-DWOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS',
        ]
    name: make check
    if: github.repository_owner == 'wolfssl'
@ -52,7 +58,7 @@ jobs:
      - name: Build and test wolfSSL
        uses: wolfSSL/actions-build-autotools-project@v1
        with:
-          configure: ${{ matrix.config }}
+          configure: CFLAGS="-pedantic -Wno-overlength-strings -Wdeclaration-after-statement -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" ${{ matrix.config }}
          check: true

  make_user_settings:
@ -84,6 +90,7 @@ jobs:
        os: [ ubuntu-22.04, macos-latest ]
        user-settings: [
          # Add new user_settings.h here
+          'examples/configs/user_settings_eccnonblock.h',
          'examples/configs/user_settings_min_ecc.h',
          'examples/configs/user_settings_wolfboot_keytools.h',
          'examples/configs/user_settings_wolftpm.h',
--- a/.github/workflows/pq-all.yml
+++ b/.github/workflows/pq-all.yml
@ -18,7 +18,8 @@ jobs:
      matrix:
        config: [
          # Add new configs here
-          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=all,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST"'
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"',
+          '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" CC=c++'
        ]
    name: make check
    if: github.repository_owner == 'wolfssl'
--- a/.github/workflows/smallStackSize.yml
+++ b/.github/workflows/smallStackSize.yml
@ -0,0 +1,53 @@
+name: Stack Size warnings
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_library:
+    strategy:
+      matrix:
+        config: [
+          # defaults, noasm
+          '--disable-asm',
+
+          # defaults + native PQ, no asm
+          '--disable-asm --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium',
+
+          # all-crypto + native PQ, no asm
+          '--disable-asm --enable-all-crypto --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium',
+
+          # defaults, intelasm + sp-asm
+          '--enable-intelasm --enable-sp-asm',
+
+          # defaults + native PQ, intelasm + sp-asm
+          '--enable-intelasm --enable-sp-asm --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium',
+
+          # all-crypto + native PQ, intelasm + sp-asm
+          '--enable-intelasm --enable-sp-asm --enable-all-crypto --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium'
+        ]
+    name: build library
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: Build wolfCrypt with smallstack and stack depth warnings, and run testwolfcrypt
+        run: |
+          ./autogen.sh || $(exit 2)
+          echo "running ./configure ... ${{ matrix.config }}"
+          ./configure --enable-cryptonly --disable-cryptocb --disable-testcert --enable-smallstack --enable-smallstackcache --enable-crypttests --disable-benchmark --disable-examples --with-max-rsa-bits=16384 --enable-stacksize=verbose CFLAGS="-Wframe-larger-than=2048 -Wstack-usage=4096 -DWOLFSSL_TEST_MAX_RELATIVE_STACK_BYTES=8192 -DTEST_ALWAYS_RUN_TO_END" ${{ matrix.config }} || $(exit 3)
+          make -j 4 || $(exit 4)
+          ./wolfcrypt/test/testwolfcrypt
--- a/.github/workflows/wolfCrypt-Wconversion.yml
+++ b/.github/workflows/wolfCrypt-Wconversion.yml
@ -0,0 +1,48 @@
+name: wolfCrypt conversion warnings
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_library:
+    strategy:
+      matrix:
+        config: [
+          # Add new configs here
+          '--disable-asm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
+          '--enable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
+          '--enable-smallstack --disable-asm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
+          '--enable-smallstack --enable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"',
+          '--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -DNO_INT128"',
+          '--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests CPPFLAGS="-Wdeclaration-after-statement -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion" --enable-32bit CFLAGS=-m32'
+        ]
+    name: build library
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-22.04
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 6
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout wolfSSL
+
+      - name: install_multilib
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          sudo apt-get update
+          sudo apt-get install -y gcc-multilib
+
+      - name: Build wolfCrypt with extra type conversion warnings
+        run: |
+          ./autogen.sh || $(exit 2)
+          echo "running ./configure ${{ matrix.config }}"
+          ./configure ${{ matrix.config }} || $(exit 3)
+          make -j 4 || $(exit 4)
--- a/.github/workflows/zephyr.yml
+++ b/.github/workflows/zephyr.yml
@ -49,6 +49,11 @@ jobs:
            python3-ply python3-setuptools python-is-python3 qemu-kvm rsync socat srecord sudo \
            texinfo unzip wget ovmf xz-utils

+      - name: Setup cmake version
+        uses: jwlawson/actions-setup-cmake@v2
+        with:
+          cmake-version: '3.25.x'
+
      - name: Install west
        run: sudo pip install west

--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@ -9,9 +9,17 @@ APP_ESP_HTTP_CLIENT_EXAMPLE
 APSTUDIO_INVOKED
 ARCH_sim
 ARDUINO
+ARDUINO_ARCH_ESP32
+ARDUINO_ARCH_ESP8266
+ARDUINO_ARCH_MBED
+ARDUINO_ARCH_NRF52
 ARDUINO_ARCH_RP2040
+ARDUINO_ARCH_SAMD
+ARDUINO_ARCH_STM32
 ARDUINO_SAMD_NANO_33_IOT
 ARDUINO_SAM_DUE
+ARDUINO_SEEED_XIAO
+ARDUINO_TEENSY41
 ASN_DUMP_OID
 ASN_TEMPLATE_SKIP_ISCA_CHECK
 ATCAPRINTF
@ -44,8 +52,24 @@ CONFIG_COMPILER_OPTIMIZATION_DEFAULT
 CONFIG_COMPILER_OPTIMIZATION_NONE
 CONFIG_COMPILER_OPTIMIZATION_PERF
 CONFIG_COMPILER_OPTIMIZATION_SIZE
+CONFIG_CRYPTO_AES
+CONFIG_CRYPTO_CBC
+CONFIG_CRYPTO_CTR
+CONFIG_CRYPTO_DH
+CONFIG_CRYPTO_DH_RFC7919_GROUPS
+CONFIG_CRYPTO_ECB
+CONFIG_CRYPTO_ECDH
+CONFIG_CRYPTO_ECDSA
 CONFIG_CRYPTO_FIPS
+CONFIG_CRYPTO_GCM
+CONFIG_CRYPTO_HMAC
 CONFIG_CRYPTO_MANAGER
+CONFIG_CRYPTO_RSA
+CONFIG_CRYPTO_SHA1
+CONFIG_CRYPTO_SHA256
+CONFIG_CRYPTO_SHA3
+CONFIG_CRYPTO_SHA512
+CONFIG_CRYPTO_XTS
 CONFIG_CSPRNG_ENABLED
 CONFIG_ESP32C2_DEFAULT_CPU_FREQ_MHZ
 CONFIG_ESP32C3_DEFAULT_CPU_FREQ_MHZ
@ -81,10 +105,12 @@ CONFIG_IDF_TARGET_ESP32C2
 CONFIG_IDF_TARGET_ESP32C3
 CONFIG_IDF_TARGET_ESP32C6
 CONFIG_IDF_TARGET_ESP32H2
+CONFIG_IDF_TARGET_ESP32P4
 CONFIG_IDF_TARGET_ESP32S2
 CONFIG_IDF_TARGET_ESP32S3
 CONFIG_IDF_TARGET_ESP8266
 CONFIG_IDF_TARGET_ESP8684
+CONFIG_KASAN
 CONFIG_MAIN_TASK_STACK_SIZE
 CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
 CONFIG_MBEDTLS_PSA_CRYPTO_C
@ -138,8 +164,8 @@ CONFIG_WOLFSSL_TARGET_PORT
 CONFIG_WOLFSSL_TLS13_ENABLED
 CONFIG_WOLFSSL_TLS_VERSION_1_2
 CONFIG_WOLFSSL_TLS_VERSION_1_3
-CONFIG_WOLFTPM_EXAMPLE_NAME_ESPRESSIF
 CONFIG_WOLFTPM
+CONFIG_WOLFTPM_EXAMPLE_NAME_ESPRESSIF
 CONFIG_X86
 CONV_WITH_DIV
 CPA_CY_API_VERSION_NUM_MAJOR
@ -155,6 +181,7 @@ CRYP_KEYSIZE_192B
 CSM_UNSUPPORTED_ALGS
 CTYPE_USER
 CURVED448_SMALL
+CUSTOM_ENTROPY_TIMEHIRES
 CY_USING_HAL
 DCP_USE_DCACHE
 DILITHIUM_MUL_11_SLOW
@ -175,6 +202,7 @@ ESP_IDF_VERSION_MAJOR
 ESP_IDF_VERSION_MINOR
 ESP_PLATFORM
 ESP_TASK_MAIN_STACK
+ETHERNET_AVAILABLE
 EV_TRIGGER
 FP_ECC_CONTROL
 FREERTOS_TCP_WINSIM
@ -244,6 +272,7 @@ HSM_KEY_TYPE_HMAC_512
 HSM_OP_KEY_GENERATION_FLAGS_CREATE
 HSM_OP_KEY_GENERATION_FLAGS_UPDATE
 HSM_SVC_KEY_STORE_FLAGS_UPDATE
+HWCAP_ASIMDRDM
 IDIRECT_DEV_RANDOM
 IDIRECT_DEV_TIME
 ID_TRNG
@ -255,7 +284,6 @@ INTIMEVER
 IOTSAFE_NO_GETDATA
 IOTSAFE_SIG_8BIT_LENGTH
 KCAPI_USE_XMALLOC
-KYBER_NONDETERMINISTIC
 K_SERIES
 LIBWOLFSSL_VERSION_GIT_BRANCH
 LIBWOLFSSL_VERSION_GIT_HASH
@ -284,6 +312,7 @@ MICRIUM_MALLOC
 MICROCHIP_MPLAB_HARMONY
 MICROCHIP_MPLAB_HARMONY_3
 MICRO_SESSION_CACHEx
+MLKEM_NONDETERMINISTIC
 MODULE_SOCK_TCP
 MP_31BIT
 MP_8BIT
@ -314,6 +343,7 @@ NO_ECC384
 NO_ECC521
 NO_ECC_CACHE_CURVE
 NO_ECC_CHECK_KEY
+NO_ECC_CHECK_PUBKEY_ORDER
 NO_ECC_KEY_IMPORT
 NO_ECC_MAKE_PUB
 NO_ED25519_CLIENT_AUTH
@ -435,6 +465,7 @@ SL_SE_KEY_TYPE_ECC_P521
 SL_SE_KEY_TYPE_ECC_X25519
 SL_SE_KEY_TYPE_ECC_X448
 SL_SE_PRF_HMAC_SHA1
+SNIFFER_SINGLE_SESSION_CACHE
 SOFTDEVICE_PRESENT
 SO_NOSIGPIPE
 SO_REUSEPORT
@ -460,6 +491,7 @@ STM32H723xx
 STM32H725xx
 STM32H743xx
 STM32H753xx
+STM32H7S3xx
 STM32L475xx
 STM32L4A6xx
 STM32L552xx
@ -469,6 +501,7 @@ STM32U575xx
 STM32U585xx
 STM32U5A9xx
 STM32WB55xx
+STM32WBA52xx
 STM32WL55xx
 STM32_AESGCM_PARTIAL
 STM32_HW_CLOCK_AUTO
@ -478,9 +511,12 @@ TCP_NODELAY
 TFM_ALREADY_SET
 TFM_SMALL_MONT_SET
 THREADED_SNIFFTEST
+TIF_NEED_FPU_LOAD
 TIME_T_NOT_LONG
 TI_DUMMY_BUILD
 TLS13_RSA_PSS_SIGN_CB_NO_PREHASH
+TSIP_RSAES_1024
+TSIP_RSAES_2048
 UNICODE
 USER_CA_CB
 USER_CUSTOM_SNIFFX
@ -523,6 +559,7 @@ WC_ASYNC_ENABLE_SHA384
 WC_ASYNC_ENABLE_SHA512
 WC_ASYNC_NO_CRYPT
 WC_ASYNC_NO_HASH
+WC_CACHE_RESISTANT_BASE64_TABLE
 WC_DILITHIUM_CACHE_PRIV_VECTORS
 WC_DILITHIUM_CACHE_PUB_VECTORS
 WC_DILITHIUM_FIXED_ARRAY
@ -544,7 +581,10 @@ WC_SHA384_DIGEST_SIZE
 WC_SHA512
 WC_SSIZE_TYPE
 WC_STRICT_SIG
+WC_WANT_FLAG_DONT_USE_AESNI
 WC_XMSS_FULL_HASH
+WIFI_AVAILABLE
+WIN_REUSE_CRYPT_HANDLE
 WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE
 WOLFSENTRY_H
 WOLFSENTRY_NO_JSON
@ -552,6 +592,7 @@ WOLFSSL_32BIT_MILLI_TIME
 WOLFSSL_AARCH64_PRIVILEGE_MODE
 WOLFSSL_AESNI_BY4
 WOLFSSL_AESNI_BY6
+WOLFSSL_AES_CTR_EXAMPLE
 WOLFSSL_AFTER_DATE_CLOCK_SKEW
 WOLFSSL_ALGO_HW_MUTEX
 WOLFSSL_ALLOW_CRIT_AIA
@ -569,7 +610,6 @@ WOLFSSL_ARM_ARCH_NEON_64BIT
 WOLFSSL_ASCON_UNROLL
 WOLFSSL_ASNC_CRYPT
 WOLFSSL_ASN_EXTRA
-WOLFSSL_ASN_INT_LEAD_0_ANY
 WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32
 WOLFSSL_ASN_TEMPLATE_TYPE_CHECK
 WOLFSSL_ATECC508
@ -598,10 +638,10 @@ WOLFSSL_CHECK_DESKEY
 WOLFSSL_CHECK_MEM_ZERO
 WOLFSSL_CHIBIOS
 WOLFSSL_CLANG_TIDY
+WOLFSSL_CLIENT_EXAMPLE
 WOLFSSL_COMMERCIAL_LICENSE
 WOLFSSL_CONTIKI
 WOLFSSL_CRL_ALLOW_MISSING_CDP
-WOLFSSL_CURVE25519_BLINDING
 WOLFSSL_CUSTOM_CONFIG
 WOLFSSL_DILITHIUM_ASSIGN_KEY
 WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM
@ -615,11 +655,10 @@ WOLFSSL_DILITHIUM_SIGN_CHECK_Y
 WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC
 WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A
 WOLFSSL_DILITHIUM_SMALL_MEM_POLY64
-WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC
 WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM
 WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
 WOLFSSL_DTLS_DISALLOW_FUTURE
-WOLFSSL_DTLS_DROP_STATS
+WOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS
 WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT
 WOLFSSL_DUMP_MEMIO_STREAM
 WOLFSSL_DUP_CERTPOL
@ -651,7 +690,6 @@ WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS
 WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC
 WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK
 WOLFSSL_HARDEN_TLS_NO_SCR_CHECK
-WOLFSSL_HMAC_COPY_HASH
 WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
 WOLFSSL_I2D_ECDSA_SIG_ALLOC
 WOLFSSL_IAR_ARM_TIME
@ -664,9 +702,9 @@ WOLFSSL_IMXRT_DCP
 WOLFSSL_ISOTP
 WOLFSSL_KEIL
 WOLFSSL_KEIL_NET
-WOLFSSL_KYBER_INVNTT_UNROLL
-WOLFSSL_KYBER_NO_LARGE_CODE
-WOLFSSL_KYBER_NTT_UNROLL
+WOLFSSL_KYBER_NO_DECAPSULATE
+WOLFSSL_KYBER_NO_ENCAPSULATE
+WOLFSSL_KYBER_NO_MAKE_KEY
 WOLFSSL_LIB
 WOLFSSL_LMS_CACHE_BITS
 WOLFSSL_LMS_FULL_HASH
@ -681,7 +719,11 @@ WOLFSSL_MAKE_SYSTEM_NAME_WSL
 WOLFSSL_MDK5
 WOLFSSL_MEM_FAIL_COUNT
 WOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM
+WOLFSSL_MLKEM_INVNTT_UNROLL
 WOLFSSL_MLKEM_MAKEKEY_SMALL_MEM
+WOLFSSL_MLKEM_NO_LARGE_CODE
+WOLFSSL_MLKEM_NO_MALLOC
+WOLFSSL_MLKEM_NTT_UNROLL
 WOLFSSL_MONT_RED_CT
 WOLFSSL_MP_COND_COPY
 WOLFSSL_MP_INVMOD_CONSTANT_TIME
@ -699,10 +741,10 @@ WOLFSSL_NO_CRL_NEXT_DATE
 WOLFSSL_NO_DECODE_EXTRA
 WOLFSSL_NO_DER_TO_PEM
 WOLFSSL_NO_DH186
+WOLFSSL_NO_DH_GEN_PUB
 WOLFSSL_NO_DTLS_SIZE_CHECK
 WOLFSSL_NO_ETM_ALERT
 WOLFSSL_NO_FENCE
-WOLFSSL_NO_FSEEK
 WOLFSSL_NO_INIT_CTX_KEY
 WOLFSSL_NO_ISSUERHASH_TDPEER
 WOLFSSL_NO_KCAPI_AES_CBC
@ -757,6 +799,7 @@ WOLFSSL_RENESAS_RSIP
 WOLFSSL_RENESAS_RZN2L
 WOLFSSL_RENESAS_TLS
 WOLFSSL_RENESAS_TSIP_IAREWRX
+WOLFSSL_REQUIRE_TCA
 WOLFSSL_RSA_CHECK_D_ON_DECRYPT
 WOLFSSL_RSA_DECRYPT_TO_0_LEN
 WOLFSSL_RW_THREADED
@ -769,6 +812,7 @@ WOLFSSL_SE050_INIT
 WOLFSSL_SE050_NO_RSA
 WOLFSSL_SE050_NO_TRNG
 WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
+WOLFSSL_SERVER_EXAMPLE
 WOLFSSL_SETTINGS_FILE
 WOLFSSL_SH224
 WOLFSSL_SHA256_ALT_CH_MAJ
@ -777,7 +821,6 @@ WOLFSSL_SILABS_TRNG
 WOLFSSL_SM4_EBC
 WOLFSSL_SNIFFER_NO_RECOVERY
 WOLFSSL_SP_ARM32_UDIV
-WOLFSSL_SP_DH
 WOLFSSL_SP_FAST_NCT_EXPTMOD
 WOLFSSL_SP_INT_SQR_VOLATILE
 WOLFSSL_STACK_CHECK
@ -786,6 +829,7 @@ WOLFSSL_STM32_RNG_NOLIB
 WOLFSSL_STRONGEST_HASH_SIG
 WOLFSSL_STSAFE_TAKES_SLOT
 WOLFSSL_TELIT_M2MB
+WOLFSSL_TEMPLATE_EXAMPLE
 WOLFSSL_THREADED_CRYPT
 WOLFSSL_TICKET_DECRYPT_NO_CREATE
 WOLFSSL_TICKET_ENC_AES128_GCM
@ -798,9 +842,9 @@ WOLFSSL_TICKET_ENC_HMAC_SHA512
 WOLFSSL_TI_CURRTIME
 WOLFSSL_TLS13_DRAFT
 WOLFSSL_TLS13_IGNORE_AEAD_LIMITS
-WOLFSSL_TLS13_MIDDLEBOX_COMPAT
 WOLFSSL_TLS13_SHA512
 WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
+WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY
 WOLFSSL_TRACK_MEMORY_FULL
 WOLFSSL_TRAP_MALLOC_SZ
 WOLFSSL_UNALIGNED_64BIT_ACCESS
@ -825,17 +869,13 @@ WOLFSSL_XIL_MSG_NO_SLEEP
 WOLFSSL_XMSS_LARGE_SECRET_KEY
 WOLFSSL_ZEPHYR
 WOLF_ALLOW_BUILTIN
-WOLF_CONF_IO
-WOLF_CONF_KYBER
-WOLF_CONF_PK
-WOLF_CONF_RESUMPTION
-WOLF_CONF_TPM
 WOLF_CRYPTO_CB_CMD
 WOLF_CRYPTO_CB_FIND
 WOLF_CRYPTO_CB_ONLY_ECC
 WOLF_CRYPTO_CB_ONLY_RSA
 WOLF_CRYPTO_DEV
 WOLF_NO_TRAILING_ENUM_COMMAS
+WindowsCE
 XGETPASSWD
 XMSS_CALL_PRF_KEYGEN
 XPAR_VERSAL_CIPS_0_PSPMC_0_PSV_CORTEXA72_0_TIMESTAMP_CLK_FREQ
@ -845,6 +885,8 @@ _ABIO64
 _ARCH_PPC64
 _COMPILER_VERSION
 _INTPTR_T_DECLARED
+_LINUX_REFCOUNT_H
+_LINUX_REFCOUNT_TYPES_H
 _LP64
 _MSC_VER
 _MSVC_LANG
@ -885,6 +927,7 @@ __BIG_ENDIAN__
 __BORLANDC__
 __CCRX__
 __COMPILER_VER__
+__COUNTER__
 __CYGWIN__
 __DATE__
 __DCACHE_PRESENT
@ -916,8 +959,8 @@ __MINGW64_VERSION_MAJOR
 __MINGW64__
 __MWERKS__
 __NT__
-__OpenBSD__
 __OS2__
+__OpenBSD__
 __PIE__
 __POWERPC__
 __PPC__
@ -947,6 +990,7 @@ __SUNPRO_CC
 __SVR4
 __TI_COMPILER_VERSION__
 __TURBOC__
+__UNIX__
 __USE_GNU
 __USE_MISC
 __USE_XOPEN2K
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -34,7 +34,7 @@ if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}")
     You must delete them, or cmake will refuse to work.")
 endif()

-project(wolfssl VERSION 5.7.6 LANGUAGES C ASM)
+project(wolfssl VERSION 5.8.0 LANGUAGES C ASM)

 # Set WOLFSSL_ROOT if not already defined
 if ("${WOLFSSL_ROOT}" STREQUAL "")
@ -53,7 +53,7 @@ set(WOLFSSL_LIBRARY_VERSION_FIRST 43)

 # increment if interfaces have been added
 # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented
-set(WOLFSSL_LIBRARY_VERSION_SECOND 0)
+set(WOLFSSL_LIBRARY_VERSION_SECOND 1)

 # increment if source code has changed
 # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented or
@ -125,6 +125,9 @@ check_function_exists("socket" HAVE_SOCKET)
 check_function_exists("strftime" HAVE_STRFTIME)
 check_function_exists("__atomic_fetch_add" HAVE_C___ATOMIC)

+include(CheckSymbolExists)
+check_symbol_exists(isascii "ctype.h" HAVE_ISASCII)
+
 include(CheckTypeSize)

 check_type_size("__uint128_t" __UINT128_T)
@ -569,9 +572,18 @@ add_option(WOLFSSL_OQS
    "Enable integration with the OQS (Open Quantum Safe) liboqs library (default: disabled)"
    "no" "yes;no")

-# Kyber
-add_option(WOLFSSL_KYBER
-    "Enable the wolfSSL PQ Kyber library (default: disabled)"
+# ML-KEM/Kyber
+add_option(WOLFSSL_MLKEM
+    "Enable the wolfSSL PQ ML-KEM library (default: disabled)"
+    "no" "yes;no")
+
+# LMS
+add_option(WOLFSSL_LMS
+    "Enable the PQ LMS Stateful Hash-based Signature Scheme (default: disabled)"
+    "no" "yes;no")
+
+add_option(WOLFSSL_LMSSHA256192
+    "Enable the LMS SHA_256_192 truncated variant (default: disabled)"
    "no" "yes;no")

 # Experimental features
@ -587,7 +599,7 @@ if (WOLFSSL_EXPERIMENTAL)
    # check if any experimental features are also enabled:
    set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 0)

-    set_wolfssl_definitions("WOLFSSL_EXPERIMENTAL_SETTINGS" RESUlT)
+    set_wolfssl_definitions("WOLFSSL_EXPERIMENTAL_SETTINGS" RESULT)

    # Checking for experimental feature: OQS
    message(STATUS "Looking for WOLFSSL_OQS")
@ -602,9 +614,9 @@ if (WOLFSSL_EXPERIMENTAL)
            list(APPEND WOLFSSL_LINK_LIBS ${OQS_LIBRARY})
            list(APPEND WOLFSSL_INCLUDE_DIRS ${OQS_INCLUDE_DIR})

-            set_wolfssl_definitions("HAVE_LIBOQS"          RESUlT)
-            set_wolfssl_definitions("HAVE_TLS_EXTENSIONS"  RESUlT)
-            set_wolfssl_definitions("OPENSSL_EXTRA"        RESUlT)
+            set_wolfssl_definitions("HAVE_LIBOQS"          RESULT)
+            set_wolfssl_definitions("HAVE_TLS_EXTENSIONS"  RESULT)
+            set_wolfssl_definitions("OPENSSL_EXTRA"        RESULT)

        else()
            message(STATUS "Checking OQS - not found")
@ -614,20 +626,52 @@ if (WOLFSSL_EXPERIMENTAL)
        message(STATUS "Looking for WOLFSSL_OQS - not found")
    endif()

-    # Checking for experimental feature: Kyber
-    message(STATUS "Looking for WOLFSSL_KYBER")
-    if (WOLFSSL_KYBER)
+    # Checking for experimental feature: WOLFSSL_MLKEM
+    message(STATUS "Looking for WOLFSSL_MLKEM")
+    if (WOLFSSL_MLKEM)
        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)

-        message(STATUS "Automatically set related requirements for Kyber:")
-        set_wolfssl_definitions("WOLFSSL_HAVE_KYBER" RESUlT)
-        set_wolfssl_definitions("WOLFSSL_WC_KYBER"   RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHA3"       RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESUlT)
-        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESUlT)
-        message(STATUS "Looking for WOLFSSL_KYBER - found")
+        message(STATUS "Automatically set related requirements for ML-KEM:")
+        add_definitions("-DWOLFSSL_HAVE_MLKEM")
+        add_definitions("-DWOLFSSL_WC_MLKEM")
+        add_definitions("-DWOLFSSL_SHA3")
+        add_definitions("-DWOLFSSL_SHAKE128")
+        add_definitions("-DWOLFSSL_SHAKE256")
+
+        set_wolfssl_definitions("WOLFSSL_HAVE_MLKEM" RESULT)
+        set_wolfssl_definitions("WOLFSSL_WC_MLKEM"   RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHA3"       RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE128"   RESULT)
+        set_wolfssl_definitions("WOLFSSL_SHAKE256"   RESULT)
+        message(STATUS "Looking for WOLFSSL_MLKEM - found")
    else()
-        message(STATUS "Looking for WOLFSSL_KYBER - not found")
+        message(STATUS "Looking for WOLFSSL_MLKEM - not found")
+    endif()
+
+    # Checking for experimental feature: WOLFSSL_LMS
+    message(STATUS "Looking for WOLFSSL_LMS")
+    if (WOLFSSL_LMS)
+        set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 2)
+
+        message(STATUS "Automatically set related requirements for LMS")
+        add_definitions("-DWOLFSSL_HAVE_LMS")
+        add_definitions("-DWOLFSSL_WC_LMS")
+        set_wolfssl_definitions("WOLFSSL_HAVE_LMS" RESULT)
+        set_wolfssl_definitions("WOLFSSL_WC_LMS"   RESULT)
+        message(STATUS "Looking for WOLFSSL_LMS - found")
+        # Checking for experimental feature: WOLFSSL_LMSSHA256192
+        if (WOLFSSL_LMSSHA256192)
+            message(STATUS "Automatically set related requirements for LMS SHA256-192")
+            add_definitions("-DWOLFSSL_LMS_SHA256_192")
+            add_definitions("-DWOLFSSL_NO_LMS_SHA256_256")
+            set_wolfssl_definitions("WOLFSSL_LMS_SHA256_192"    RESULT)
+            set_wolfssl_definitions("WOLFSSL_NO_LMS_SHA256_256" RESULT)
+            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - found")
+        else()
+            message(STATUS "Looking for WOLFSSL_LMSSHA256192 - not found")
+        endif()
+    else()
+        message(STATUS "Looking for WOLFSSL_LMS - not found")
    endif()

    # Other experimental feature detection can be added here...
@ -640,8 +684,8 @@ if (WOLFSSL_EXPERIMENTAL)
    endif()

    # Sanity checks
-    if(WOLFSSL_OQS AND WOLFSSL_KYBER)
-        message(FATAL_ERROR "Error: cannot enable both WOLFSSL_OQS and WOLFSSL_KYBER at the same time.")
+    if(WOLFSSL_OQS AND WOLFSSL_MLKEM)
+        message(FATAL_ERROR "Error: cannot enable both WOLFSSL_OQS and WOLFSSL_MLKEM at the same time.")
    endif()

 else()
@ -650,11 +694,21 @@ else()
    if (WOLFSSL_OQS)
        message(FATAL_ERROR "Error: WOLFSSL_OQS requires WOLFSSL_EXPERIMENTAL at this time.")
    endif()
-    if(WOLFSSL_KYBER)
-        message(FATAL_ERROR "Error: WOLFSSL_KYBER requires WOLFSSL_EXPERIMENTAL at this time.")
+    if(WOLFSSL_MLKEM)
+        message(FATAL_ERROR "Error: WOLFSSL_MLKEM requires WOLFSSL_EXPERIMENTAL at this time.")
    endif()
 endif()

+# LMS
+add_option(WOLFSSL_LMS
+    "Enable the wolfSSL LMS implementation (default: disabled)"
+    "no" "yes;no")
+
+# XMSS
+add_option(WOLFSSL_XMSS
+    "Enable the wolfSSL XMSS implementation (default: disabled)"
+    "no" "yes;no")
+
 # TODO: - Lean PSK
 #       - Lean TLS
 #       - Low resource
@ -668,8 +722,6 @@ endif()
 #       - Atomic user record layer
 #       - Public key callbacks
 #       - Microchip/Atmel CryptoAuthLib
-#       - XMSS
-#       - LMS
 #       - dual-certs

 # AES-CBC
@ -744,7 +796,8 @@ add_option("WOLFSSL_AESCTR"

 if(WOLFSSL_OPENVPN OR
   WOLFSSL_LIBSSH2 OR
-   WOLFSSL_AESSIV)
+   WOLFSSL_AESSIV OR
+   WOLFSSL_CLU)
    override_cache(WOLFSSL_AESCTR "yes")
 endif()

@ -884,7 +937,7 @@ endif()
 #       - SEP

 add_option("WOLFSSL_KEYGEN"
-    "Enable key generation (default: disabled)])"
+    "Enable key generation (default: disabled)"
    "no" "yes;no")

 add_option("WOLFSSL_CERTGEN"
@ -1011,7 +1064,7 @@ add_option("WOLFSSL_ED25519"
    "Enable ED25519 (default: disabled)"
    "no" "yes;no")

-if(WOLFSSL_OPENSSH)
+if(WOLFSSL_OPENSSH OR WOLFSSL_CLU)
    override_cache(WOLFSSL_ED25519 "yes")
 endif()

@ -1141,8 +1194,7 @@ if(NOT WOLFSSL_MEMORY)
 else()
    # turn off memory cb if leanpsk or leantls on
    if(WOLFSSL_LEAN_PSK OR WOLFSSL_LEAN_TLS)
-        # but don't turn on NO_WOLFSSL_MEMORY because using own
-        override_cache(WOLFSSL_MEMORY "no")
+        list(APPEND WOLFSSL_DEFINITIONS "-DNO_WOLFSSL_MEMORY")
    endif()
 endif()

@ -1687,6 +1739,9 @@ add_option(WOLFSSL_PKCS7 ${WOLFSSL_PKCS7_HELP_STRING} "no" "yes;no")
 set(WOLFSSL_TPM_HELP_STRING "Enable wolfTPM options (default: disabled)")
 add_option(WOLFSSL_TPM ${WOLFSSL_TPM_HELP_STRING} "no" "yes;no")

+set(WOLFSSL_CLU_HELP_STRING "Enable wolfCLU options (default: disabled)")
+add_option(WOLFSSL_CLU ${WOLFSSL_CLU_HELP_STRING} "no" "yes;no")
+
 set(WOLFSSL_AESKEYWRAP_HELP_STRING "Enable AES key wrap support (default: disabled)")
 add_option(WOLFSSL_AESKEYWRAP ${WOLFSSL_AESKEYWRAP_HELP_STRING} "no" "yes;no")

@ -2031,6 +2086,25 @@ if(WOLFSSL_TPM)
    override_cache(WOLFSSL_AESCFB   "yes")
 endif()

+if(WOLFSSL_CLU)
+    override_cache(WOLFSSL_CERTGEN  "yes")
+    override_cache(WOLFSSL_CERTREQ  "yes")
+    override_cache(WOLFSSL_CERTEXT  "yes")
+    override_cache(WOLFSSL_MD5      "yes")
+    override_cache(WOLFSSL_AESCTR   "yes")
+    override_cache(WOLFSSL_KEYGEN   "yes")
+    override_cache(WOLFSSL_OPENSSLALL "yes")
+    override_cache(WOLFSSL_ED25519  "yes")
+    override_cache(WOLFSSL_SHA512   "yes")
+    override_cache(WOLFSSL_DES3     "yes")
+    override_cache(WOLFSSL_PKCS7    "yes")
+    list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_OID_ENCODING" "-DWOLFSSL_NO_ASN_STRICT" "-DWOLFSSL_ALT_NAMES")
+    # Add OPENSSL_ALL definition to ensure OpenSSL compatibility functions are available
+    list(APPEND WOLFSSL_DEFINITIONS "-DOPENSSL_ALL")
+    # Remove NO_DES3 from WOLFSSL_DEFINITIONS to ensure DES3 is enabled
+    list(REMOVE_ITEM WOLFSSL_DEFINITIONS "-DNO_DES3")
+endif()
+
 if(WOLFSSL_AESCFB)
    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_AES_CFB")
 endif()
@ -2290,6 +2364,18 @@ if (ENABLE_SCCACHE AND (NOT WOLFSSL_SCCACHE_ALREADY_SET_FLAG))
    endif()
 endif()

+add_option("WOLFSSL_KEYLOG_EXPORT"
+    "Enable insecure export of TLS secrets to an NSS keylog file (default: disabled)"
+    "no" "yes;no")
+if(WOLFSSL_KEYLOG_EXPORT)
+    message(WARNING "Keylog export enabled -- Sensitive key data will be stored insecurely.")
+    list(APPEND WOLFSSL_DEFINITIONS
+        "-DSHOW_SECRETS"
+        "-DHAVE_SECRET_CALLBACK"
+        "-DWOLFSSL_SSLKEYLOGFILE"
+        "-DWOLFSSL_KEYLOG_EXPORT_WARNED")
+endif()
+

 file(REMOVE ${OPTION_FILE})

@ -2420,12 +2506,15 @@ target_include_directories(wolfssl

 target_link_libraries(wolfssl PUBLIC ${WOLFSSL_LINK_LIBS})

-if (WIN32 OR ${CMAKE_SYSTEM_NAME} MATCHES "^MSYS" OR ${CMAKE_SYSTEM_NAME} MATCHES "^MINGW")
+if(CMAKE_C_COMPILER_ID STREQUAL "OpenWatcom")
+    if(CMAKE_SYSTEM_NAME STREQUAL "Windows")
+        target_link_libraries(wolfssl PUBLIC ws2_32 crypt32)
+    endif()
+elseif (WIN32 OR ${CMAKE_SYSTEM_NAME} MATCHES "^MSYS" OR ${CMAKE_SYSTEM_NAME} MATCHES "^MINGW")
    # For Windows link required libraries
    message("Building on Windows/MSYS/MINGW")
    target_link_libraries(wolfssl PUBLIC
        ws2_32 crypt32 advapi32)
-elseif(CMAKE_C_COMPILER_ID STREQUAL "OpenWatcom")
 elseif(APPLE)
    message("Building on Apple")
    if(WOLFSSL_SYS_CA_CERTS)
@ -2491,7 +2580,9 @@ if(WOLFSSL_EXAMPLES)
        add_executable(tls_bench
            ${CMAKE_CURRENT_SOURCE_DIR}/examples/benchmark/tls_bench.c)
        target_link_libraries(tls_bench wolfssl)
-        target_link_libraries(tls_bench Threads::Threads)
+        if(CMAKE_USE_PTHREADS_INIT)
+            target_link_libraries(tls_bench Threads::Threads)
+        endif()
        set_property(TARGET tls_bench
                 PROPERTY RUNTIME_OUTPUT_DIRECTORY
                 ${WOLFSSL_OUTPUT_BASE}/examples/benchmark)
@ -2500,6 +2591,8 @@ if(WOLFSSL_EXAMPLES)
    # Build unit tests
    add_executable(unit_test
        tests/api.c
+        tests/api/test_md2.c
+        tests/api/test_md4.c
        tests/api/test_md5.c
        tests/api/test_sha.c
        tests/api/test_sha256.c
@ -2509,20 +2602,55 @@ if(WOLFSSL_EXAMPLES)
        tests/api/test_sm3.c
        tests/api/test_ripemd.c
        tests/api/test_hash.c
+        tests/api/test_hmac.c
+        tests/api/test_cmac.c
+        tests/api/test_des3.c
+        tests/api/test_chacha.c
+        tests/api/test_poly1305.c
+        tests/api/test_chacha20_poly1305.c
+        tests/api/test_camellia.c
+        tests/api/test_arc4.c
+        tests/api/test_rc2.c
+        tests/api/test_aes.c
        tests/api/test_ascon.c
-        tests/hash.c
+        tests/api/test_sm4.c
+        tests/api/test_wc_encrypt.c
+        tests/api/test_random.c
+        tests/api/test_wolfmath.c
+        tests/api/test_rsa.c
+        tests/api/test_dsa.c
+        tests/api/test_dh.c
+        tests/api/test_ecc.c
+        tests/api/test_sm2.c
+        tests/api/test_curve25519.c
+        tests/api/test_ed25519.c
+        tests/api/test_curve448.c
+        tests/api/test_ed448.c
+        tests/api/test_mlkem.c
+        tests/api/test_mldsa.c
+        tests/api/test_signature.c
+        tests/api/test_dtls.c
+        tests/api/test_ocsp.c
+        tests/api/test_evp.c
+        tests/api/test_tls_ext.c
+        tests/api/test_tls.c
        tests/srp.c
        tests/suites.c
        tests/w64wrapper.c
        tests/unit.c
        tests/quic.c
+        tests/utils.c
+        testsuite/utils.c
        examples/server/server.c
-        examples/client/client.c)
+        examples/client/client.c
+        wolfcrypt/test/test.c)
    target_include_directories(unit_test PRIVATE
        ${CMAKE_CURRENT_BINARY_DIR})
    target_compile_options(unit_test PUBLIC "-DNO_MAIN_DRIVER")
    target_link_libraries(unit_test wolfssl)
-    target_link_libraries(unit_test Threads::Threads)
+    if(CMAKE_USE_PTHREADS_INIT)
+        target_link_libraries(unit_test Threads::Threads)
+    endif()
    set_property(TARGET unit_test
                 PROPERTY RUNTIME_OUTPUT_DIRECTORY
                 ${WOLFSSL_OUTPUT_BASE}/tests/)
--- a/ChangeLog.md
+++ b/ChangeLog.md
@ -1,3 +1,213 @@
+# wolfSSL Release 5.8.0 (Apr 24, 2025)
+
+Release 5.8.0 has been developed according to wolfSSL's development and QA
+process (see link below) and successfully passed the quality criteria.
+https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance
+
+NOTE: * --enable-heapmath is deprecated
+
+PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request
+ number where the code change was added.
+
+
+## New Feature Additions
+* Algorithm registration in the Linux kernel module for all supported FIPS AES,
+ SHA, HMAC, ECDSA, ECDH, and RSA modes, key sizes, and digest sizes.
+* Implemented various fixes to support building for Open Watcom including OS/2
+ support and Open Watcom 1.9 compatibility (PR 8505, 8484)
+* Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488)
+* Added support for STM32WBA (PR 8550)
+* Added Extended Master Secret Generation Callback to the --enable-pkcallbacks
+ build (PR 8303)
+* Implement AES-CTS (configure flag --enable-aescts) in wolfCrypt (PR 8594)
+* Added support for libimobiledevice commit 860ffb (PR 8373)
+* Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD
+ (PR 8307)
+* Added blinding option when using a Curve25519 private key by defining the
+ macro WOLFSSL_CURVE25519_BLINDING (PR 8392)
+
+
+## Linux Kernel Module
+* Production-ready LKCAPI registration for cbc(aes), cfb(aes), gcm(aes),
+ rfc4106 (gcm(aes)), ctr(aes), ofb(aes), and ecb(aes), ECDSA with P192, P256,
+ P384, and P521 curves, ECDH with P192, P256, and P384 curves, and RSA with
+ bare and PKCS1 padding
+* Various fixes for LKCAPI wrapper for AES-CBC and AES-CFB (PR 8534, 8552)
+* Adds support for the legacy one-shot AES-GCM back end (PR 8614, 8567) for
+ compatibility with FIPS 140-3 Cert #4718.
+* On kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override
+ macro (PR 8654)
+* Update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit
+ 7450ebd29c (merged for Linux 6.15) (PR 8667)
+* Inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (PR 8673)
+* Fix for uninitialized build error with fedora (PR 8569)
+* Register ecdsa, ecdh, and rsa for use with linux kernel crypto (PR 8637, 8663,
+ 8646)
+* Added force zero shared secret buffer, and clear of old key with ecdh
+ (PR 8685)
+* Update fips-check.sh script to pickup XTS streaming support on aarch64 and
+ disable XTS-384 as an allowed use in FIPS mode (PR 8509, 8546)
+
+
+## Enhancements and Optimizations
+
+### Security & Cryptography
+* Add constant-time implementation improvements for encoding functions. We thank
+ Zhiyuan and Gilles for sharing a new constant-time analysis tool (CT-LLVM) and
+ reporting several non-constant-time implementations. (PR 8396, 8617)
+* Additional support for PKCS7 verify and decode with indefinite lengths
+ (PR 8520, 834, 8645)
+* Add more PQC hybrid key exchange algorithms such as support for combinations
+ with X25519 and X448 enabling compatibility with the PQC key exchange support
+ in Chromium browsers and Mozilla Firefox (PR 7821)
+* Add short-circuit comparisons to DH key validation for RFC 7919 parameters
+ (PR 8335)
+* Improve FIPS compatibility with various build configurations for more resource
+ constrained builds (PR 8370)
+* Added option to disable ECC public key order checking (PR 8581)
+* Allow critical alt and basic constraints extensions (PR 8542)
+* New codepoint for MLDSA to help with interoperability (PR 8393)
+* Add support for parsing trusted PEM certs having the header
+ “BEGIN_TRUSTED_CERT” (PR 8400)
+* Add support for parsing only of DoD certificate policy and Comodo Ltd PKI OIDs
+ (PR 8599, 8686)
+* Update ssl code in `src/*.c` to be consistent with wolfcrypt/src/asn.c
+ handling of ML_DSA vs Dilithium and add dual alg. test (PR 8360, 8425)
+
+### Build System, Configuration, CI & Protocols
+* Internal refactor for include of config.h and when building with
+ BUILDING_WOLFSSL macro. This refactor will give a warning of “deprecated
+ function” when trying to improperly use an internal API of wolfSSL in an
+ external application. (PR 8640, 8647, 8660, 8662, 8664)
+* Add WOLFSSL_CLU option to CMakeLists.txt (PR 8548)
+* Add CMake and Zephyr support for XMSS and LMS (PR 8494)
+* Added GitHub CI for CMake builds (PR 8439)
+* Added necessary macros when building wolfTPM Zephyr with wolfSSL (PR 8382)
+* Add MSYS2 build continuous integration test (PR 8504)
+* Update DevKitPro doc to list calico dependency with build commands (PR 8607)
+* Conversion compiler warning fixes and additional continuous integration test
+ added (PR 8538)
+* Enable DTLS 1.3 by default in --enable-jni builds (PR 8481)
+* Enabled TLS 1.3 middlebox compatibility by default for --enable-jni builds
+ (PR 8526)
+
+### Performance Improvements
+* Performance improvements AES-GCM and HMAC (in/out hash copy) (PR 8429)
+* LMS fixes and improvements adding API to get Key ID from raw private key,
+ change to identifiers to match standard, and fix for when
+ WOLFSSL_LMS_MAX_LEVELS is 1 (PR 8390, 8684, 8613, 8623)
+* ML-KEM/Kyber improvements and fixes; no malloc builds, small memory usage,
+ performance improvement, fix for big-endian (PR 8397, 8412, 8436, 8467, 8619,
+ 8622, 8588)
+* Performance improvements for AES-GCM and when doing multiple HMAC operations
+ (PR 8445)
+
+### Assembly and Platform-Specific Enhancements
+* Poly1305 arm assembly changes adding ARM32 NEON implementation and fix for
+ Aarch64 use (PR 8344, 8561, 8671)
+* Aarch64 assembly enhancement to use more CPU features, fix for FreeBSD/OpenBSD
+ (PR 8325, 8348)
+* Only perform ARM assembly CPUID checks if support was enabled at build time
+ (PR 8566)
+* Optimizations for ARM32 assembly instructions on platforms less than ARMv7
+ (PR 8395)
+* Improve MSVC feature detection for static assert macros (PR 8440)
+* Improve Espressif make and CMake for ESP8266 and ESP32 series (PR 8402)
+* Espressif updates for Kconfig, ESP32P4 and adding a sample user_settings.h
+ (PR 8422, PR 8641)
+
+### OpenSSL Compatibility Layer
+* Modification to the push/pop to/from in OpenSSL compatibility layer. This is
+ a pretty major API change in the OpenSSL compatibility stack functions.
+ Previously the API would push/pop from the beginning of the list but now they
+ operate on the tail of the list. This matters when using the sk_value with
+ index values. (PR 8616)
+* OpenSSL Compat Layer: OCSP response improvements (PR 8408, 8498)
+* Expand the OpenSSL compatibility layer to include an implementation of
+ BN_CTX_get (PR 8388)
+
+### API Additions and Modifications
+* Refactor Hpke to allow multiple uses of a context instead of just one shot
+ mode (PR 6805)
+* Add support for PSK client callback with Ada and use with Alire (thanks
+ @mgrojo, PR 8332, 8606)
+* Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs and add
+ functions wolfSSL_CTX_SetEchConfigs and wolfSSL_CTX_SetEchConfigsBase64 to
+ rotate the server's echConfigs (PR 8556)
+* Added the public API wc_PkcsPad to do PKCS padding (PR 8502)
+* Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate (PR 8518)
+* Update Kyber APIs to ML-KEM APIs (PR 8536)
+* Add option to disallow automatic use of "default" devId using the macro
+ WC_NO_DEFAULT_DEVID (PR 8555)
+* Detect unknown key format on ProcessBufferTryDecode() and handle RSA-PSSk
+ format (PR 8630)
+
+### Porting and Language Support
+* Update Python port to support version 3.12.6 (PR 8345)
+* New additions for MAXQ with wolfPKCS11 (PR 8343)
+* Port to ntp 4.2.8p17 additions (PR 8324)
+* Add version 0.9.14 to tested libvncserver builds (PR 8337)
+
+### General Improvements and Cleanups
+* Cleanups for STM32 AES GCM (PR 8584)
+* Improvements to isascii() and the CMake key log option (PR 8596)
+* Arduino documentation updates, comments and spelling corrections (PR 8381,
+ 8384, 8514)
+* Expanding builds with WOLFSSL_NO_REALLOC for use with --enable-opensslall and
+ --enable-all builds (PR 8369, 8371)
+
+
+## Fixes
+* Fix a use after free caused by an early free on error in the X509 store
+ (PR 8449)
+* Fix to account for existing PKCS8 header with
+ wolfSSL_PEM_write_PKCS8PrivateKey (PR 8612)
+* Fixed failing CMake build issue when standard threads support is not found in
+ the system (PR 8485)
+* Fix segmentation fault in SHA-512 implementation for AVX512 targets built with
+ gcc -march=native -O2 (PR 8329)
+* Fix Windows socket API compatibility warning with mingw32 build (PR 8424)
+* Fix potential null pointer increments in cipher list parsing (PR 8420)
+* Fix for possible stack buffer overflow read with wolfSSL_SMIME_write_PKCS7.
+ Thanks to the team at Code Intelligence for the report. (PR 8466)
+* Fix AES ECB implementation for Aarch64 ARM assembly (PR 8379)
+* Fixed building with VS2008 and .NET 3.5 (PR 8621)
+* Fixed possible error case memory leaks in CRL and EVP_Sign_Final (PR 8447)
+* Fixed SSL_set_mtu compatibility function return code (PR 8330)
+* Fixed Renesas RX TSIP (PR 8595)
+* Fixed ECC non-blocking tests (PR 8533)
+* Fixed CMake on MINGW and MSYS (PR 8377)
+* Fixed Watcom compiler and added new CI test (PR 8391)
+* Fixed STM32 PKA ECC 521-bit support (PR 8450)
+* Fixed STM32 PKA with P521 and shared secret (PR 8601)
+* Fixed crypto callback macro guards with `DEBUG_CRYPTOCB` (PR 8602)
+* Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
+ (PR 8575)
+* Additional sanity check on r and s lengths in DecodeECC_DSA_Sig_Bin (PR 8350)
+* Fix compat. layer ASN1_TIME_diff to accept NULL output params (PR 8407)
+* Fix CMake lean_tls build (PR 8460)
+* Fix for QUIC callback failure (PR 8475)
+* Fix missing alert types in AlertTypeToString for print out with debugging
+ enabled (PR 8572)
+* Fixes for MSVS build issues with PQC configure (PR 8568)
+* Fix for SE050 port and minor improvements (PR 8431, 8437)
+* Fix for missing rewind function in zephyr and add missing files for compiling
+ with assembly optimizations (PR 8531, 8541)
+* Fix for quic_record_append to return the correct code (PR 8340, 8358)
+* Fixes for Bind 9.18.28 port (PR 8331)
+* Fix to adhere more closely with RFC8446 Appendix D and set haveEMS when
+ negotiating TLS 1.3 (PR 8487)
+* Fix to properly check for signature_algorithms from the client in a TLS 1.3
+ server (PR 8356)
+* Fix for when BIO data is less than seq buffer size. Thanks to the team at Code
+ Intelligence for the report (PR 8426)
+* ARM32/Thumb2 fixes for WOLFSSL_NO_VAR_ASSIGN_REG and td4 variable declarations
+ (PR 8590, 8635)
+* Fix for Intel AVX1/SSE2 assembly to not use vzeroupper instructions unless ymm
+ or zmm registers are used (PR 8479)
+* Entropy MemUse fix for when block size less than update bits (PR 8675)
+
+
 # wolfSSL Release 5.7.6 (Dec 31, 2024)

 Release 5.7.6 has been developed according to wolfSSL's development and QA
--- a/IDE/ARDUINO/README.md
+++ b/IDE/ARDUINO/README.md
@ -2,8 +2,19 @@

 See the [example sketches](./sketches/README.md):

- [sketches/wolfssl_server](./sketches/wolfssl_server/README.md)
- [sketches/wolfssl_client](./sketches/wolfssl_client/README.md)
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+Bare-bones templates:
+
+- [sketches/wolfssl_version](./sketches/wolfssl_version/README.md) single file.
+- [sketches/template](./sketches/template/README.md) multiple file example.
+
+Functional examples:
+- [sketches/wolfssl_AES_CTR](./sketches/wolfssl_AES_CTR/README.md) AES CTR Encrypt / decrypt.
+- [sketches/wolfssl_client](./sketches/wolfssl_client/README.md) TLS Client.
+- [sketches/wolfssl_server](./sketches/wolfssl_server/README.md) TLS Server.
+
+Both the `template` and `wolfssl_AES_CTR` examples include VisualGDB project files.

 When publishing a new version to the Arduino Registry, be sure to edit `WOLFSSL_VERSION_ARUINO_SUFFIX` in the `wolfssl-arduino.sh` script.

@ -62,7 +73,7 @@ from within the `wolfssl/IDE/ARDUINO` directory:

 1. `./wolfssl-arduino.sh`
    - Creates an Arduino Library directory structure in the local `wolfSSL` directory of `IDE/ARDUINO`.
-    - You can add your own `user_settings.h`, or copy/rename the [default](../../examples/configs/user_settings_arduino.h).
+    - You can add your own `user_settings.h`, or copy/rename the [default](https://github.com/wolfSSL/wolfssl/blob/master/examples/configs/user_settings_arduino.h).

 2. `./wolfssl-arduino.sh INSTALL` (The most common option)
    - Creates an Arduino Library in the local `wolfSSL` directory
--- a/IDE/ARDUINO/include.am
+++ b/IDE/ARDUINO/include.am
@ -2,16 +2,32 @@
 # included from Top Level Makefile.am
 # All paths should be given relative to the root

+# Library files:
 EXTRA_DIST+= IDE/ARDUINO/README.md
+
+# There's an Arduino-specific Arduino_README_prepend.md that will be prepended to wolfSSL README.md
+# Not to be confused with the interim PREPENDED_README.md that is created by script.
 EXTRA_DIST+= IDE/ARDUINO/Arduino_README_prepend.md
+
+# Core library files
+EXTRA_DIST+= IDE/ARDUINO/wolfssl.h
+EXTRA_DIST+= IDE/ARDUINO/wolfssl.h
+EXTRA_DIST+= IDE/ARDUINO/wolfssl-arduino.cpp
+
 EXTRA_DIST+= IDE/ARDUINO/keywords.txt
 EXTRA_DIST+= IDE/ARDUINO/library.properties.template
+
+# Sketch Examples
 EXTRA_DIST+= IDE/ARDUINO/sketches/README.md
+
+# wolfssl_client example sketch
 EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_client/README.md
-EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino
+
+# wolfssl_server example sketch
 EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_server/README.md
-EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_server/wolfssl_server.ino
+
+# wolfssl_version example sketch
 EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_version/README.md
-EXTRA_DIST+= IDE/ARDUINO/sketches/wolfssl_version/wolfssl_version.ino
-EXTRA_DIST+= IDE/ARDUINO/wolfssl.h
+
+# Publishing script, either local install or to github.com/wolfSSL/Arduino-wolfSSL clone directory.
 EXTRA_DIST+= IDE/ARDUINO/wolfssl-arduino.sh
--- a/IDE/ARDUINO/sketches/README.md
+++ b/IDE/ARDUINO/sketches/README.md
@ -1,15 +1,20 @@
 # wolfSSL Arduino Examples

-There are currently two example Arduino sketches:
+There are currently five example Arduino sketches:

-* [wolfssl_client](./wolfssl_client/README.md): Basic TLS listening client.
-* [wolfssl_server](./wolfssl_server/README.md): Basic TLS server.
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+* `template`: Reference template wolfSSL example, including optional VisualGDB project files.
+* `wolfssl_AES_CTR`: Basic AES CTR Encryption / Decryption example.
+* `wolfssl_client`: Basic TLS listening client.
+* `wolfssl_server`: Basic TLS server.
+* `wolfssl_version`: Bare-bones wolfSSL example.

 Examples have been most recently confirmed operational on the
 [Arduino IDE](https://www.arduino.cc/en/software) 2.2.1.

 For examples on other platforms, see the [IDE directory](https://github.com/wolfssl/wolfssl/tree/master/IDE).
-Additional examples can be found on [wolfSSL/wolfssl-examples](https://github.com/wolfSSL/wolfssl-examples/).
+Additional wolfssl examples can be found at [wolfSSL/wolfssl-examples](https://github.com/wolfSSL/wolfssl-examples/).

 ## Using wolfSSL

@ -20,7 +25,7 @@ The typical include will look something like this:

 /* wolfSSL user_settings.h must be included from settings.h
  * Make all configurations changes in user_settings.h
-  * Do not edit wolfSSL `settings.h` or `configh.h` files.
+  * Do not edit wolfSSL `settings.h` or `config.h` files.
  * Do not explicitly include user_settings.h in any source code.
  * Each Arduino sketch that uses wolfSSL must have: #include "wolfssl.h"
  * C/C++ source files can use: #include <wolfssl/wolfcrypt/settings.h>
@ -28,7 +33,43 @@ The typical include will look something like this:
  * The wolfSSL "settings.h" must appear before any other wolfSSL include.
  */
 #include <wolfssl.h>
+
+/* settings.h is typically included in wolfssl.h, but here as a reminder: */
+#include <wolfssl/wolfcrypt/settings.h>
+
+/* Any other wolfSSL includes follow:*
 #include <wolfssl/version.h>
 ```

+## Configuring wolfSSL
+
+See the `user_settings.h` in the Arduino library `wolfssl/src` directory. For Windows users this is typically:
+
+```
+C:\Users\%USERNAME%\Documents\Arduino\libraries\wolfssl\src
+```
+
+WARNING: Changes to the library `user_settings.h` file will be lost when upgrading wolfSSL using the Arduino IDE.
+
+## Troubleshooting
+
+If compile problems are encountered, for example:
+
+```
+ctags: cannot open temporary file : File exists
+exit status 1
+
+Compilation error: exit status 1
+```
+
+Try deleting the Arduino cache directory:
+
+```
+C:\Users\%USERNAME%\AppData\Local\arduino\sketches
+```
+
+For VisualGDB users, delete the project `.vs`, `Output`, and `TraceReports` directories.
+
+## More Information
+
 For more details, see [IDE/ARDUINO/README.md](https://github.com/wolfSSL/wolfssl/blob/master/IDE/ARDUINO/README.md)
--- a/IDE/ARDUINO/sketches/wolfssl_client/README.md
+++ b/IDE/ARDUINO/sketches/wolfssl_client/README.md
@ -1,6 +1,14 @@
 # Arduino Basic TLS Listening Client

-Open the [wolfssl_client.ino](./wolfssl_client.ino) file in the Arduino IDE.
+Open the `wolfssl_client.ino` file in the Arduino IDE.
+
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+If using WiFi, be sure to set `ssid` and `password` values.
+
+May need "Ethernet by Various" library to be installed. Tested with v2.0.2 and v2.8.1.
+
+See the `#define WOLFSSL_TLS_SERVER_HOST` to set your own server address.

 Other IDE products are also supported, such as:

--- a/IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino
+++ b/IDE/ARDUINO/sketches/wolfssl_client/wolfssl_client.ino
@ -1,903 +0,0 @@
-/* wolfssl_client.ino
- *
- * Copyright (C) 2006-2025 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
-
-/*
-Tested with:
-
-1) Intel Galileo acting as the Client, with a laptop acting as a server using
-   the server example provided in examples/server.
-   Legacy Arduino v1.86 was used to compile and program the Galileo
-
-2) Espressif ESP32 WiFi
-
-3) Arduino Due, Nano33 IoT, Nano RP-2040
-*/
-
-/*
- * Note to code editors: the Arduino client and server examples are edited in
- * parallel for side-by-side comparison between examples.
- */
-
-/* If you have a private include, define it here, otherwise edit WiFi params */
-#define MY_PRIVATE_CONFIG "/workspace/my_private_config.h"
-
-/* set REPEAT_CONNECTION to a non-zero value to continually run the example. */
-#define REPEAT_CONNECTION 0
-
-/* Edit this with your other TLS host server address to connect to: */
-#define WOLFSSL_TLS_SERVER_HOST "192.168.1.39"
-
-/* wolfssl TLS examples communicate on port 11111 */
-#define WOLFSSL_PORT 11111
-
-/* Choose a monitor serial baud rate: 9600, 14400, 19200, 57600, 74880, etc. */
-#define SERIAL_BAUD 115200
-
-/* We'll wait up to 2000 milliseconds to properly shut down connection */
-#define SHUTDOWN_DELAY_MS 2000
-
-/* Number of times to retry connection.  */
-#define RECONNECT_ATTEMPTS 20
-
-/* Optional stress test. Define to consume memory until exhausted: */
-/* #define MEMORY_STRESS_TEST */
-
-/* Choose client or server example, not both. */
-#define WOLFSSL_CLIENT_EXAMPLE
-/* #define WOLFSSL_SERVER_EXAMPLE */
-
-#if defined(MY_PRIVATE_CONFIG)
-    /* the /workspace directory may contain a private config
-     * excluded from GitHub with items such as WiFi passwords */
-    #include MY_PRIVATE_CONFIG
-    static const char* ssid PROGMEM = MY_ARDUINO_WIFI_SSID;
-    static const char* password PROGMEM = MY_ARDUINO_WIFI_PASSWORD;
-#else
-    /* when using WiFi capable boards: */
-    static const char* ssid PROGMEM  = "your_SSID";
-    static const char* password PROGMEM = "your_PASSWORD";
-#endif
-
-#define BROADCAST_ADDRESS "255.255.255.255"
-
-/* There's an optional 3rd party NTPClient library by Fabrice Weinberg.
- * If it is installed, uncomment define USE_NTP_LIB here: */
-/* #define USE_NTP_LIB */
-#ifdef USE_NTP_LIB
-    #include <NTPClient.h>
-#endif
-
-/* wolfSSL user_settings.h must be included from settings.h
- * Make all configurations changes in user_settings.h
- * Do not edit wolfSSL `settings.h` or `config.h` files.
- * Do not explicitly include user_settings.h in any source code.
- * Each Arduino sketch that uses wolfSSL must have: #include "wolfssl.h"
- * C/C++ source files can use: #include <wolfssl/wolfcrypt/settings.h>
- * The wolfSSL "settings.h" must be included in each source file using wolfSSL.
- * The wolfSSL "settings.h" must appear before any other wolfSSL include.
- */
-#include <wolfssl.h>
-/* Important: make sure settings.h appears before any other wolfSSL headers */
-#include <wolfssl/wolfcrypt/settings.h>
-/* Reminder: settings.h includes user_settings.h
- * For ALL project wolfSSL settings, see:
- * [your path]/Arduino\libraries\wolfSSL\src\user_settings.h   */
-#include <wolfssl/ssl.h>
-#include <wolfssl/certs_test.h>
-#include <wolfssl/wolfcrypt/error-crypt.h>
-
-/* Define DEBUG_WOLFSSL in user_settings.h for more verbose logging. */
-#if defined(DEBUG_WOLFSSL)
-    #define PROGRESS_DOT F("")
-#else
-    #define PROGRESS_DOT F(".")
-#endif
-
-/* Convert a macro to a string */
-#define xstr(x) str(x)
-#define str(x) #x
-
-/* optional board-specific networking includes */
-#if defined(ESP32)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    /* Ensure the F() flash macro is defined */
-    #ifndef F
-        #define F
-    #endif
-    WiFiClient client;
-
-#elif defined(ESP8266)
-    #define USING_WIFI
-    #include <ESP8266WiFi.h>
-    WiFiClient client;
-
-#elif defined(ARDUINO_SAM_DUE)
-    #include <SPI.h>
-    /* There's no WiFi/Ethernet on the Due. Requires Ethernet Shield.
-    /* Needs "Ethernet by Various" library to be installed. Tested with V2.0.2 */
-    #include <Ethernet.h>
-    EthernetClient client;
-
-#elif defined(ARDUINO_SAMD_NANO_33_IOT)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h> /* Needs Arduino WiFiNINA library installed manually */
-    WiFiClient client;
-
-#elif defined(ARDUINO_ARCH_RP2040)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h>
-    WiFiClient client;
-
-#elif defined(USING_WIFI)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    WiFiClient client;
-
-/* TODO
-#elif defined(OTHER_BOARD)
-*/
-#else
-    #define USING_WIFI
-    WiFiClient client;
-
-#endif
-
-/* Only for syntax highlighters to show interesting options enabled: */
-#if defined(HAVE_SNI)                           \
-   || defined(HAVE_MAX_FRAGMENT)                  \
-   || defined(HAVE_TRUSTED_CA)                    \
-   || defined(HAVE_TRUNCATED_HMAC)                \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST)    \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \
-   || defined(HAVE_SUPPORTED_CURVES)              \
-   || defined(HAVE_ALPN)                          \
-   || defined(HAVE_SESSION_TICKET)                \
-   || defined(HAVE_SECURE_RENEGOTIATION)          \
-   || defined(HAVE_SERVER_RENEGOTIATION_INFO)
-#endif
-
-static const char host[] PROGMEM = WOLFSSL_TLS_SERVER_HOST; /* server to connect to */
-static const int port PROGMEM = WOLFSSL_PORT; /* port on server to connect to */
-
-static WOLFSSL_CTX* ctx = NULL;
-static WOLFSSL* ssl = NULL;
-static char* wc_error_message = (char*)malloc(80 + 1);
-static char errBuf[80];
-
-#if defined(MEMORY_STRESS_TEST)
-    #define MEMORY_STRESS_ITERATIONS 100
-    #define MEMORY_STRESS_BLOCK_SIZE 1024
-    #define MEMORY_STRESS_INITIAL (4*1024)
-    static char* memory_stress[MEMORY_STRESS_ITERATIONS]; /* typically 1K per item */
-    static int mem_ctr        = 0;
-#endif
-
-static int EthernetSend(WOLFSSL* ssl, char* msg, int sz, void* ctx);
-static int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx);
-static int reconnect = RECONNECT_ATTEMPTS;
-static int lng_index PROGMEM = 0; /* 0 = English */
-
-#if defined(__arm__)
-    #include <malloc.h>
-    extern char _end;
-    extern "C" char *sbrk(int i);
-    static char *ramstart=(char *)0x20070000;
-    static char *ramend=(char *)0x20088000;
-#endif
-
-/*****************************************************************************/
-/* fail_wait - in case of unrecoverable error                                */
-/*****************************************************************************/
-int fail_wait(void) {
-    show_memory();
-
-    Serial.println(F("Failed. Halt."));
-    while (1) {
-        delay(1000);
-    }
-    return 0;
-}
-
-/*****************************************************************************/
-/* show_memory() to optionally view during debugging.                         */
-/*****************************************************************************/
-int show_memory(void)
-{
-#if defined(__arm__)
-    struct mallinfo mi = mallinfo();
-
-    char *heapend=sbrk(0);
-    register char * stack_ptr asm("sp");
-    #if defined(DEBUG_WOLFSSL_VERBOSE)
-        Serial.print("    arena=");
-        Serial.println(mi.arena);
-        Serial.print("  ordblks=");
-        Serial.println(mi.ordblks);
-        Serial.print(" uordblks=");
-        Serial.println(mi.uordblks);
-        Serial.print(" fordblks=");
-        Serial.println(mi.fordblks);
-        Serial.print(" keepcost=");
-        Serial.println(mi.keepcost);
-    #endif
-
-    #if defined(DEBUG_WOLFSSL) || defined(MEMORY_STRESS_TEST)
-        Serial.print("Estimated free memory: ");
-        Serial.print(stack_ptr - heapend + mi.fordblks);
-        Serial.println(F(" bytes"));
-    #endif
-
-    #if (0)
-        /* Experimental: not supported on all devices: */
-        Serial.print("RAM Start %lx\n", (unsigned long)ramstart);
-        Serial.print("Data/Bss end %lx\n", (unsigned long)&_end);
-        Serial.print("Heap End %lx\n", (unsigned long)heapend);
-        Serial.print("Stack Ptr %lx\n",(unsigned long)stack_ptr);
-        Serial.print("RAM End %lx\n", (unsigned long)ramend);
-
-        Serial.print("Heap RAM Used: ",mi.uordblks);
-        Serial.print("Program RAM Used ",&_end - ramstart);
-        Serial.print("Stack RAM Used ",ramend - stack_ptr);
-
-        Serial.print("Estimated Free RAM: %d\n\n",stack_ptr - heapend + mi.fordblks);
-    #endif
-#else
-    Serial.println(F("show_memory() not implemented for this platform"));
-#endif
-    return 0;
-}
-
-/*****************************************************************************/
-/* EthernetSend() to send a message string.                                  */
-/*****************************************************************************/
-int EthernetSend(WOLFSSL* ssl, char* message, int sz, void* ctx) {
-    int sent = 0;
-    (void)ssl;
-    (void)ctx;
-
-    sent = client.write((byte*)message, sz);
-    return sent;
-}
-
-/*****************************************************************************/
-/* EthernetReceive() to receive a reply string.                              */
-/*****************************************************************************/
-int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx) {
-    int ret = 0;
-    (void)ssl;
-    (void)ctx;
-
-    while (client.available() > 0 && ret < sz) {
-        reply[ret++] = client.read();
-    }
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_hardware()                                                  */
-/*****************************************************************************/
-int setup_hardware(void) {
-    int ret = 0;
-
-#if defined(ARDUINO_SAMD_NANO_33_IOT)
-    Serial.println(F("Detected known tested and working Arduino Nano 33 IoT"));
-#elif defined(ARDUINO_ARCH_RP2040)
-    Serial.println(F("Detected known tested and working Arduino RP-2040"));
-#elif defined(__arm__) && defined(ID_TRNG) && defined(TRNG)
-    /* need to manually turn on random number generator on Arduino Due, etc. */
-    pmc_enable_periph_clk(ID_TRNG);
-    trng_enable(TRNG);
-    Serial.println(F("Enabled ARM TRNG"));
-#endif
-
-    show_memory();
-    randomSeed(analogRead(0));
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_datetime()                                                  */
-/*   The device needs to have a valid date within the valid range of certs.  */
-/*****************************************************************************/
-int setup_datetime(void) {
-    int ret = 0;
-    int ntp_tries = 20;
-
-    /* we need a date in the range of cert expiration */
-#ifdef USE_NTP_LIB
-    #if defined(ESP32)
-        NTPClient timeClient(ntpUDP, "pool.ntp.org");
-
-        timeClient.begin();
-        timeClient.update();
-        delay(1000);
-        while (!timeClient.isTimeSet() && (ntp_tries > 0)) {
-            timeClient.forceUpdate();
-            Serial.println(F("Waiting for NTP update"));
-            delay(2000);
-            ntp_tries--;
-        }
-        if (ntp_tries <= 0) {
-            Serial.println(F("Warning: gave up waiting on NTP"));
-        }
-        Serial.println(timeClient.getFormattedTime());
-        Serial.println(timeClient.getEpochTime());
-    #endif
-#endif
-
-#if defined(ESP32)
-    /* see esp32-hal-time.c */
-    ntp_tries = 5;
-    /* Replace "pool.ntp.org" with your preferred NTP server */
-    configTime(0, 0, "pool.ntp.org");
-
-    /* Wait for time to be set */
-    while ((time(nullptr) <= 100000) && ntp_tries > 0) {
-        Serial.println(F("Waiting for time to be set..."));
-        delay(2000);
-        ntp_tries--;
-    }
-#endif
-
-    return ret;
-} /* setup_datetime */
-
-/*****************************************************************************/
-/* Arduino setup_network()                                                   */
-/*****************************************************************************/
-int setup_network(void) {
-    int ret = 0;
-
-#if defined(USING_WIFI)
-    int status = WL_IDLE_STATUS;
-
-    /* The ESP8266 & ESP32 support both AP and STA. We'll use STA: */
-    #if defined(ESP8266) || defined(ESP32)
-        WiFi.mode(WIFI_STA);
-    #else
-        String fv;
-        if (WiFi.status() == WL_NO_MODULE) {
-            Serial.println("Communication with WiFi module failed!");
-            /* don't continue if no network */
-            while (true) ;
-        }
-
-        fv = WiFi.firmwareVersion();
-        if (fv < WIFI_FIRMWARE_LATEST_VERSION) {
-            Serial.println("Please upgrade the firmware");
-        }
-    #endif
-
-    Serial.print(F("Connecting to WiFi "));
-    Serial.print(ssid);
-    status = WiFi.begin(ssid, password);
-    while (status != WL_CONNECTED) {
-        delay(1000);
-        Serial.print(F("."));
-        Serial.print(status);
-        status = WiFi.status();
-    }
-
-    Serial.println(F(" Connected!"));
-#else
-    /* Newer Ethernet shields have a
-     * MAC address printed on a sticker on the shield */
-    byte mac[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };
-    IPAddress ip(192, 168, 1, 42);
-    IPAddress myDns(192, 168, 1, 1);
-    Ethernet.init(10); /* Most Arduino shields */
-    /* Ethernet.init(5);   * MKR ETH Shield */
-    /* Ethernet.init(0);   * Teensy 2.0 */
-    /* Ethernet.init(20);  * Teensy++ 2.0 */
-    /* Ethernet.init(15);  * ESP8266 with Adafruit FeatherWing Ethernet */
-    /* Ethernet.init(33);  * ESP32 with Adafruit FeatherWing Ethernet */
-    Serial.println(F("Initialize Ethernet with DHCP:"));
-    if (Ethernet.begin(mac) == 0) {
-        Serial.println(F("Failed to configure Ethernet using DHCP"));
-        /* Check for Ethernet hardware present */
-        if (Ethernet.hardwareStatus() == EthernetNoHardware) {
-            Serial.println(F("Ethernet shield was not found."));
-            while (true) {
-                delay(1); /* do nothing */
-            }
-        }
-        if (Ethernet.linkStatus() == LinkOFF) {
-            Serial.println(F("Ethernet cable is not connected."));
-        }
-        /* try to configure using IP address instead of DHCP : */
-        Ethernet.begin(mac, ip, myDns);
-    }
-    else {
-        Serial.print(F("  DHCP assigned IP "));
-        Serial.println(Ethernet.localIP());
-    }
-    /* We'll assume the Ethernet connection is ready to go. */
-#endif
-
-    Serial.println(F("********************************************************"));
-    Serial.print(F("      wolfSSL Example Client IP = "));
-#if defined(USING_WIFI)
-    Serial.println(WiFi.localIP());
-#else
-    Serial.println(Ethernet.localIP());
-#endif
-    Serial.print(F("   Configured Server Host to connect to: "));
-    Serial.println(host);
-    Serial.println(F("********************************************************"));
-    Serial.println(F("Setup network complete."));
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_wolfssl()                                                   */
-/*****************************************************************************/
-int setup_wolfssl(void) {
-    int ret = 0;
-    WOLFSSL_METHOD* method;
-
-    /* Show a revision of wolfssl user_settings.h file in use when available: */
-#if defined(WOLFSSL_USER_SETTINGS_ID)
-    Serial.print(F("WOLFSSL_USER_SETTINGS_ID: "));
-    Serial.println(F(WOLFSSL_USER_SETTINGS_ID));
-#else
-    Serial.println(F("No WOLFSSL_USER_SETTINGS_ID found."));
-#endif
-
-#if defined(NO_WOLFSSL_SERVER)
-    Serial.println(F("wolfSSL server code disabled to save space."));
-#endif
-#if defined(NO_WOLFSSL_CLIENT)
-    Serial.println(F("wolfSSL client code disabled to save space."));
-#endif
-
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-    Serial.println(F("wolfSSL Debugging is On!"));
-#else
-    Serial.println(F("wolfSSL Debugging is Off! (enable with DEBUG_WOLFSSL)"));
-#endif
-
-    /* See ssl.c for TLS cache settings. Larger cache = use more RAM. */
-#if defined(NO_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS NO_SESSION_CACHE"));
-#elif defined(MICRO_SESSION_CACHEx)
-    Serial.println(F("wolfSSL TLS MICRO_SESSION_CACHE"));
-#elif defined(SMALL_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS SMALL_SESSION_CACHE"));
-#elif defined(MEDIUM_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS MEDIUM_SESSION_CACHE"));
-#elif defined(BIG_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS BIG_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#else
-    Serial.println(F("WARNING: Unknown or no TLS session cache setting."));
-    /* See wolfssl/src/ssl.c for amount of memory used.
-     * It is best on embedded devices to choose a TLS session cache size. */
-#endif
-
-    ret = wolfSSL_Init();
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.println("Successfully called wolfSSL_Init");
-    }
-    else {
-        Serial.println("ERROR: wolfSSL_Init failed");
-    }
-
-    /* See companion server example with wolfSSLv23_server_method here.
-     * method = wolfSSLv23_client_method());   SSL 3.0 - TLS 1.3.
-     * method = wolfTLSv1_2_client_method();   only TLS 1.2
-     * method = wolfTLSv1_3_client_method();   only TLS 1.3
-     *
-     * see Arduino\libraries\wolfssl\src\user_settings.h */
-
-    Serial.println("Here we go!");
-
-    method = wolfSSLv23_client_method();
-    if (method == NULL) {
-        Serial.println(F("unable to get wolfssl client method"));
-        fail_wait();
-    }
-    ctx = wolfSSL_CTX_new(method);
-    if (ctx == NULL) {
-        Serial.println(F("unable to get ctx"));
-        fail_wait();
-    }
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_certificates()                                              */
-/*****************************************************************************/
-int setup_certificates(void) {
-    int ret = 0;
-
-    Serial.println(F("Initializing certificates..."));
-    show_memory();
-
-    /* Use built-in validation, No verification callback function: */
-    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
-
-    /* Certificate */
-    Serial.println("Initializing certificates...");
-    ret = wolfSSL_CTX_use_certificate_buffer(ctx,
-                                             CTX_CLIENT_CERT,
-                                             CTX_CLIENT_CERT_SIZE,
-                                             CTX_CLIENT_CERT_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use certificate: ");
-        Serial.println(xstr(CTX_SERVER_CERT));
-    }
-    else {
-        Serial.println(F("Error: wolfSSL_CTX_use_certificate_buffer failed: "));
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    /* Setup private client key */
-    ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
-                                            CTX_CLIENT_KEY,
-                                            CTX_CLIENT_KEY_SIZE,
-                                            CTX_CLIENT_KEY_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use private key buffer: ");
-        Serial.println(xstr(CTX_SERVER_KEY));
-    }
-    else {
-        Serial.println(F("Error: wolfSSL_CTX_use_PrivateKey_buffer failed: "));
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    ret = wolfSSL_CTX_load_verify_buffer(ctx,
-                                         CTX_CA_CERT,
-                                         CTX_CA_CERT_SIZE,
-                                         CTX_CA_CERT_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.println(F("Success: load_verify CTX_CA_CERT"));
-    }
-    else {
-        Serial.println(F("Error: wolfSSL_CTX_load_verify_buffer failed: "));
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-
-
-    return ret;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino setup()                                                           */
-/*****************************************************************************/
-/*****************************************************************************/
-void setup(void) {
-    int i = 0;
-    Serial.begin(SERIAL_BAUD);
-    while (!Serial && (i < 10)) {
-        /* wait for serial port to connect. Needed for native USB port only */
-        delay(1000);
-        i++;
-    }
-    Serial.println(F(""));
-    Serial.println(F(""));
-    Serial.println(F("wolfSSL TLS Client Example Startup."));
-
-    /* define DEBUG_WOLFSSL in wolfSSL user_settings.h for diagnostics */
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-#endif
-
-    /* Optionally pre-allocate a large block of memory for testing */
-#if defined(MEMORY_STRESS_TEST)
-    Serial.println(F("WARNING: Memory Stress Test Active!"));
-    Serial.print(F("Allocating extra memory: "));
-    Serial.print(MEMORY_STRESS_INITIAL);
-    Serial.println(F(" bytes..."));
-    memory_stress[mem_ctr] = (char*)malloc(MEMORY_STRESS_INITIAL);
-    show_memory();
-#endif
-
-    setup_hardware();
-
-    setup_network();
-
-    setup_datetime();
-
-    setup_wolfssl();
-
-    setup_certificates();
-
-    /* Initialize wolfSSL using callback functions. */
-    wolfSSL_SetIOSend(ctx, EthernetSend);
-    wolfSSL_SetIORecv(ctx, EthernetReceive);
-
-    Serial.println(F("Completed Arduino setup!"));
-    /* See companion wolfssl_server.ino code; server begins listening here
-     * https://github.com/wolfSSL/wolfssl/tree/master/IDE/ARDUINO/sketches/wolfssl_server
-     * Any other server will work. See also:
-     * https://github.com/wolfSSL/wolfssl/tree/master/examples/client
-     */
-    /* See companion wolfssl_server.ino code */
-    return;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/* wolfSSL error_check()                                                     */
-/*****************************************************************************/
-int error_check(int this_ret, bool halt_on_error,
-                      const __FlashStringHelper* message) {
-    int ret = 0;
-    if (this_ret == WOLFSSL_SUCCESS) {
-        Serial.print(F("Success: "));
-        Serial.println(message);
-    }
-    else {
-        Serial.print(F("ERROR: return = "));
-        Serial.print(this_ret);
-        Serial.print(F(": "));
-        Serial.println(message);
-        Serial.println(wc_GetErrorString(this_ret));
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    show_memory();
-
-    return ret;
-} /* error_check */
-
-/*****************************************************************************/
-/* wolfSSL error_check_ssl                                                   */
-/*   Parameters:                                                             */
-/*     ssl           is the current WOLFSSL object pointer                   */
-/*     halt_on_error set to true to suspend operations for critical error    */
-/*     message       is expected to be a memory-efficient F("") macro string */
-/*****************************************************************************/
-int error_check_ssl(WOLFSSL* ssl, int this_ret, bool halt_on_error,
-                           const __FlashStringHelper* message) {
-    int err = 0;
-
-    if (ssl == NULL) {
-        Serial.println(F("ssl is Null; Unable to allocate SSL object?"));
-#ifndef DEBUG_WOLFSSL
-        Serial.println(F("Define DEBUG_WOLFSSL in user_settings.h for more."));
-#else
-        Serial.println(F("See wolfssl/wolfcrypt/error-crypt.h for codes."));
-#endif
-        Serial.print(F("ERROR: "));
-        Serial.println(message);
-        show_memory();
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    else {
-        err = wolfSSL_get_error(ssl, this_ret);
-        if (err == WOLFSSL_SUCCESS) {
-            Serial.print(F("Success m: "));
-            Serial.println(message);
-        }
-        else {
-            if (err < 0) {
-                wolfSSL_ERR_error_string(err, errBuf);
-                Serial.print(F("WOLFSSL Error: "));
-                Serial.print(err);
-                Serial.print(F("; "));
-                Serial.println(errBuf);
-            }
-            else {
-                Serial.println(F("Success: ssl object."));
-            }
-        }
-    }
-
-    return err;
-}
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino loop()                                                            */
-/*****************************************************************************/
-/*****************************************************************************/
-void loop() {
-    char reply[80];
-    char msg[32]       = "hello wolfssl!";
-    const char* cipherName;
-    int retry_shutdown = SHUTDOWN_DELAY_MS; /* max try, once per millisecond */
-    int total_input    = 0;
-    int msgSz          = 0;
-    int input          = 0;
-    int ret            = 0;
-    int err            = 0;
-    msgSz = (int)strlen(msg);
-    Serial.println(F(""));
-    Serial.println(F("Starting Arduino loop() ..."));
-
-    if (reconnect) {
-        reconnect--;
-        /* WiFi client returns true if connection succeeds, false if not.  */
-        /* Wired client returns int (1,-1,-2,-3,-4) for connection status. */
-        Serial.print(F("Connecting to "));
-        Serial.print(host);
-        Serial.print(F(":"));
-        Serial.println(port);
-        /* can also use: IPAddress server(192,168,1,37); */
-        Serial.println(F("Here we go..."));
-        ret = client.connect(host, port);
-        Serial.println(F("Ok, checking..."));
-        if (ret > 0) {
-            Serial.println(F("Connected!"));
-
-            /* initialize wolfSSL */
-            ret = wolfSSL_Init();
-            error_check(ret, false, F("calling wolfSSL_Init") );
-
-            /* create secure connection object. see setup for ctx certs. */
-            Serial.println(F("Calling ssl = wolfSSL_new(ctx)"));
-            ssl = wolfSSL_new(ctx);
-            error_check_ssl(ssl, 0, true, F("Create WOLFSSL object from ctx"));
-
-            Serial.print(F("Connecting to wolfSSL TLS Secure Server..."));
-            do {
-                err = 0; /* reset error */
-                Serial.println(F("wolfSSL_connect ..."));
-                ret = wolfSSL_connect(ssl);
-                Serial.print("wolfSSL_connect return result =");
-                Serial.println(ret);
-                if ((ret != WOLFSSL_SUCCESS) && (ret != WC_PENDING_E)) {
-                    Serial.println(F("Failed connection, checking error."));
-                    err = error_check_ssl(ssl, ret, true,
-                                    F("Create WOLFSSL object from ctx"));
-                    Serial.print("err =");
-                    Serial.println(err);
-                }
-                else {
-                   Serial.print(PROGRESS_DOT);
-                }
-            } while (err == WC_PENDING_E);
-
-            Serial.println();
-            Serial.println(F("Connected!"));
-            Serial.print(F("SSL version is "));
-            Serial.println(wolfSSL_get_version(ssl));
-
-            cipherName = wolfSSL_get_cipher(ssl);
-            Serial.print(F("SSL cipher suite is "));
-            Serial.println(cipherName);
-
-            /* see test.h
-             * TODO: test.h needs a little bit of Arduino work for these:
-            showPeerEx(ssl, lng_index);
-            showPeerPEM(ssl);
-            */
-
-            Serial.print(F("Sending secure message to server: "));
-            Serial.println(msg);
-            ret = wolfSSL_write(ssl, msg, msgSz);
-            if (ret == msgSz) {
-                Serial.print(F("Waiting for Server response..."));
-
-                while (!client.available()) {
-                    /* wait for data */
-                    delay(1); /* 1 ms delay */
-                }
-
-                Serial.print(F("Reading response.."));
-                /* read data */
-                do {
-                    ret = wolfSSL_read(ssl, reply, sizeof(reply) - 1);
-                    if (ret < 0) {
-                        error_check_ssl(ssl, ret, false,
-                                        F("during TLS Read"));
-                    }
-                    else {
-                        Serial.print(PROGRESS_DOT);
-                    }
-                } while (err == WC_PENDING_E);
-                Serial.println();
-
-                Serial.println();
-                Serial.println(reply); /* typically: I hear you fa shizzle! */
-                Serial.println();
-
-            } /* wolfSSL_write message size matched */
-            else {
-                error_check_ssl(ssl, ret, false,
-                    F("during TLS Write"));
-            }  /* any wolfSSL_write message size mismatch is an error */
-
-            Serial.print(F("Shutting down.."));
-            do {
-                delay(1);
-                Serial.print(PROGRESS_DOT);
-                retry_shutdown--;
-                ret = wolfSSL_shutdown(ssl);
-            } while (   (ret == WOLFSSL_SHUTDOWN_NOT_DONE)
-                     && (retry_shutdown > 0)
-                    ); /* There may be pending data, so wait until done. */
-            Serial.println();
-
-            if (retry_shutdown <= 0) {
-                /* if wolfSSL_free is called before properly shutting down the
-                 * ssl object, undesired results may occur. */
-                Serial.println(F("Warning! Shutdown did not properly complete."));
-            }
-
-            wolfSSL_free(ssl);
-            client.stop();
-            Serial.println(F("Connection complete."));
-            if (REPEAT_CONNECTION) {
-                reconnect = RECONNECT_ATTEMPTS;
-            }
-            else {
-                reconnect = 0;
-            }
-        } /* client.connect(host, port) */
-        else {
-            Serial.println(F("Problem sending message. Trying to reconnect..."));
-        }
-    }
-    delay(1000);
-    if ((reconnect > 0) && (REPEAT_CONNECTION)) {
-        Serial.println(F("Arduino loop repeating..."));
-        Serial.println();
-    }
-    else {
-        printf("wow");
-        Serial.println(F("Done!"));
-        while(1) {
-            /* wait forever */
-        }
-    }
-
-#if defined(MEMORY_STRESS_TEST)
-    if (mem_ctr < MEMORY_STRESS_ITERATIONS) {
-        /* reminder: mem_ctr == 0 is MEMORY_STRESS_INITIAL allocation */
-        mem_ctr++;
-        Serial.print(F("Memory stress increment: "));
-        Serial.print(mem_ctr);
-        Serial.print(F(". Allocating addition memory (bytes): "));
-        Serial.println(MEMORY_STRESS_BLOCK_SIZE);
-        memory_stress[mem_ctr] = (char*)malloc(MEMORY_STRESS_BLOCK_SIZE);
-        show_memory();
-    }
-#endif
-} /* Arduino loop repeats */
--- a/IDE/ARDUINO/sketches/wolfssl_server/README.md
+++ b/IDE/ARDUINO/sketches/wolfssl_server/README.md
@ -1,6 +1,14 @@
 # Arduino Basic TLS Server

-Open the [wolfssl_server.ino](./wolfssl_server.ino) file in the Arduino IDE.
+Open the `wolfssl_server.ino` file in the Arduino IDE.
+
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
+
+If using WiFi, be sure to set `ssid` and `password` values.
+
+May need "Ethernet by Various" library to be installed. Tested with v2.0.2 and v2.8.1.
+
+See the `#define WOLFSSL_TLS_SERVER_HOST` to set your own server address.

 Other IDE products are also supported, such as:

--- a/IDE/ARDUINO/sketches/wolfssl_server/wolfssl_server.ino
+++ b/IDE/ARDUINO/sketches/wolfssl_server/wolfssl_server.ino
@ -1,847 +0,0 @@
-/* wolfssl_server.ino
- *
- * Copyright (C) 2006-2025 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
-
-/*
-Tested with:
-
-1) Intel Galileo acting as the Client, with a laptop acting as a server using
-   the server example provided in examples/server.
-   Legacy Arduino v1.86 was used to compile and program the Galileo
-
-2) Espressif ESP32 WiFi
-
-3) Arduino Due, Nano33 IoT, Nano RP-2040
-*/
-
-/*
- * Note to code editors: the Arduino client and server examples are edited in
- * parallel for side-by-side comparison between examples.
- */
-
-/* If you have a private include, define it here, otherwise edit WiFi params */
-#define MY_PRIVATE_CONFIG "/workspace/my_private_config.h"
-
-/* set REPEAT_CONNECTION to a non-zero value to continually run the example. */
-#define REPEAT_CONNECTION 1
-
-/* Edit this with your other TLS host server address to connect to: */
-/* #define WOLFSSL_TLS_SERVER_HOST "192.168.1.34" */
-
-/* wolfssl TLS examples communicate on port 11111 */
-#define WOLFSSL_PORT 11111
-
-/* Choose a monitor serial baud rate: 9600, 14400, 19200, 57600, 74880, etc. */
-#define SERIAL_BAUD 115200
-
-/* We'll wait up to 2000 milliseconds to properly shut down connection */
-#define SHUTDOWN_DELAY_MS 2000
-
-/* Number of times to retry connection.  */
-#define RECONNECT_ATTEMPTS 20
-
-/* Optional stress test. Define to consume memory until exhausted: */
-/* #define MEMORY_STRESS_TEST */
-
-/* Choose client or server example, not both. */
-/* #define WOLFSSL_CLIENT_EXAMPLE */
-#define WOLFSSL_SERVER_EXAMPLE
-
-#if defined(MY_PRIVATE_CONFIG)
-    /* the /workspace directory may contain a private config
-     * excluded from GitHub with items such as WiFi passwords */
-    #include MY_PRIVATE_CONFIG
-    static const char* ssid PROGMEM = MY_ARDUINO_WIFI_SSID;
-    static const char* password PROGMEM = MY_ARDUINO_WIFI_PASSWORD;
-#else
-    /* when using WiFi capable boards: */
-    static const char* ssid PROGMEM  = "your_SSID";
-    static const char* password PROGMEM = "your_PASSWORD";
-#endif
-
-#define BROADCAST_ADDRESS "255.255.255.255"
-
-/* There's an optional 3rd party NTPClient library by Fabrice Weinberg.
- * If it is installed, uncomment define USE_NTP_LIB here: */
-/* #define USE_NTP_LIB */
-#ifdef USE_NTP_LIB
-    #include <NTPClient.h>
-#endif
-
-/* wolfSSL user_settings.h must be included from settings.h
- * Make all configurations changes in user_settings.h
- * Do not edit wolfSSL `settings.h` or `config.h` files.
- * Do not explicitly include user_settings.h in any source code.
- * Each Arduino sketch that uses wolfSSL must have: #include "wolfssl.h"
- * C/C++ source files can use: #include <wolfssl/wolfcrypt/settings.h>
- * The wolfSSL "settings.h" must be included in each source file using wolfSSL.
- * The wolfSSL "settings.h" must appear before any other wolfSSL include.
- */
-#include <wolfssl.h>
-/* Important: make sure settings.h appears before any other wolfSSL headers */
-#include <wolfssl/wolfcrypt/settings.h>
-/* Reminder: settings.h includes user_settings.h
- * For ALL project wolfSSL settings, see:
- * [your path]/Arduino\libraries\wolfSSL\src\user_settings.h   */
-#include <wolfssl/ssl.h>
-#include <wolfssl/certs_test.h>
-#include <wolfssl/wolfcrypt/error-crypt.h>
-
-/* Define DEBUG_WOLFSSL in user_settings.h for more verbose logging. */
-#if defined(DEBUG_WOLFSSL)
-    #define PROGRESS_DOT F("")
-#else
-    #define PROGRESS_DOT F(".")
-#endif
-
-/* Convert a macro to a string */
-#define xstr(x) str(x)
-#define str(x) #x
-
-/* optional board-specific networking includes */
-#if defined(ESP32)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    /* Ensure the F() flash macro is defined */
-    #ifndef F
-        #define F
-    #endif
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(ESP8266)
-    #define USING_WIFI
-    #include <ESP8266WiFi.h>
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(ARDUINO_SAM_DUE)
-    #include <SPI.h>
-    /* There's no WiFi/Ethernet on the Due. Requires Ethernet Shield.
-    /* Needs "Ethernet by Various" library to be installed. Tested with V2.0.2 */
-    #include <Ethernet.h>
-    EthernetClient client;
-    EthernetClient server(WOLFSSL_PORT);
-#elif defined(ARDUINO_SAMD_NANO_33_IOT)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h> /* Needs Arduino WiFiNINA library installed manually */
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(ARDUINO_ARCH_RP2040)
-    #define USING_WIFI
-    #include <SPI.h>
-    #include <WiFiNINA.h>
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#elif defined(USING_WIFI)
-    #define USING_WIFI
-    #include <WiFi.h>
-    #include <WiFiUdp.h>
-    #ifdef USE_NTP_LIB
-        WiFiUDP ntpUDP;
-    #endif
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-/* TODO
-#elif defined(OTHER_BOARD)
-*/
-#else
-    #define USING_WIFI
-    WiFiClient client;
-    WiFiServer server(WOLFSSL_PORT);
-#endif
-
-/* Only for syntax highlighters to show interesting options enabled: */
-#if defined(HAVE_SNI)                           \
-   || defined(HAVE_MAX_FRAGMENT)                  \
-   || defined(HAVE_TRUSTED_CA)                    \
-   || defined(HAVE_TRUNCATED_HMAC)                \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST)    \
-   || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \
-   || defined(HAVE_SUPPORTED_CURVES)              \
-   || defined(HAVE_ALPN)                          \
-   || defined(HAVE_SESSION_TICKET)                \
-   || defined(HAVE_SECURE_RENEGOTIATION)          \
-   || defined(HAVE_SERVER_RENEGOTIATION_INFO)
-#endif
-
-
-/* we expect our IP address from DHCP */
-
-static WOLFSSL_CTX* ctx = NULL;
-static WOLFSSL* ssl = NULL;
-static char* wc_error_message = (char*)malloc(80 + 1);
-static char errBuf[80];
-
-#if defined(MEMORY_STRESS_TEST)
-    #define MEMORY_STRESS_ITERATIONS 100
-    #define MEMORY_STRESS_BLOCK_SIZE 1024
-    #define MEMORY_STRESS_INITIAL (4*1024)
-    static char* memory_stress[MEMORY_STRESS_ITERATIONS]; /* typically 1K per item */
-    static int mem_ctr        = 0;
-#endif
-
-static int EthernetSend(WOLFSSL* ssl, char* msg, int sz, void* ctx);
-static int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx);
-static int reconnect = RECONNECT_ATTEMPTS;
-static int lng_index PROGMEM = 0; /* 0 = English */
-
-#if defined(__arm__)
-    #include <malloc.h>
-    extern char _end;
-    extern "C" char *sbrk(int i);
-    static char *ramstart=(char *)0x20070000;
-    static char *ramend=(char *)0x20088000;
-#endif
-
-/*****************************************************************************/
-/* fail_wait - in case of unrecoverable error                                */
-/*****************************************************************************/
-int fail_wait(void) {
-    show_memory();
-
-    Serial.println(F("Failed. Halt."));
-    while (1) {
-        delay(1000);
-    }
-    return 0;
-}
-
-/*****************************************************************************/
-/* show_memory() to optionally view during debugging.                         */
-/*****************************************************************************/
-int show_memory(void)
-{
-#if defined(__arm__)
-    struct mallinfo mi = mallinfo();
-
-    char *heapend=sbrk(0);
-    register char * stack_ptr asm("sp");
-    #if defined(DEBUG_WOLFSSL_VERBOSE)
-        Serial.print("    arena=");
-        Serial.println(mi.arena);
-        Serial.print("  ordblks=");
-        Serial.println(mi.ordblks);
-        Serial.print(" uordblks=");
-        Serial.println(mi.uordblks);
-        Serial.print(" fordblks=");
-        Serial.println(mi.fordblks);
-        Serial.print(" keepcost=");
-        Serial.println(mi.keepcost);
-    #endif
-
-    #if defined(DEBUG_WOLFSSL) || defined(MEMORY_STRESS_TEST)
-        Serial.print("Estimated free memory: ");
-        Serial.print(stack_ptr - heapend + mi.fordblks);
-        Serial.println(F(" bytes"));
-    #endif
-
-    #if (0)
-        /* Experimental: not supported on all devices: */
-        Serial.print("RAM Start %lx\n", (unsigned long)ramstart);
-        Serial.print("Data/Bss end %lx\n", (unsigned long)&_end);
-        Serial.print("Heap End %lx\n", (unsigned long)heapend);
-        Serial.print("Stack Ptr %lx\n",(unsigned long)stack_ptr);
-        Serial.print("RAM End %lx\n", (unsigned long)ramend);
-
-        Serial.print("Heap RAM Used: ",mi.uordblks);
-        Serial.print("Program RAM Used ",&_end - ramstart);
-        Serial.print("Stack RAM Used ",ramend - stack_ptr);
-
-        Serial.print("Estimated Free RAM: %d\n\n",stack_ptr - heapend + mi.fordblks);
-    #endif
-#else
-    Serial.println(F("show_memory() not implemented for this platform"));
-#endif
-    return 0;
-}
-
-/*****************************************************************************/
-/* EthernetSend() to send a message string.                                  */
-/*****************************************************************************/
-int EthernetSend(WOLFSSL* ssl, char* message, int sz, void* ctx) {
-    int sent = 0;
-    (void)ssl;
-    (void)ctx;
-
-    sent = client.write((byte*)message, sz);
-    return sent;
-}
-
-/*****************************************************************************/
-/* EthernetReceive() to receive a reply string.                              */
-/*****************************************************************************/
-int EthernetReceive(WOLFSSL* ssl, char* reply, int sz, void* ctx) {
-    int ret = 0;
-    (void)ssl;
-    (void)ctx;
-
-    while (client.available() > 0 && ret < sz) {
-        reply[ret++] = client.read();
-    }
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_hardware()                                                  */
-/*****************************************************************************/
-int setup_hardware(void) {
-    int ret = 0;
-
-#if defined(ARDUINO_SAMD_NANO_33_IOT)
-    Serial.println(F("Detected known tested and working Arduino Nano 33 IoT"));
-#elif defined(ARDUINO_ARCH_RP2040)
-    Serial.println(F("Detected known tested and working Arduino RP-2040"));
-#elif defined(__arm__) && defined(ID_TRNG) && defined(TRNG)
-    /* need to manually turn on random number generator on Arduino Due, etc. */
-    pmc_enable_periph_clk(ID_TRNG);
-    trng_enable(TRNG);
-    Serial.println(F("Enabled ARM TRNG"));
-#endif
-
-    show_memory();
-    randomSeed(analogRead(0));
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_datetime()                                                  */
-/*   The device needs to have a valid date within the valid range of certs.  */
-/*****************************************************************************/
-int setup_datetime(void) {
-    int ret = 0;
-    int ntp_tries = 20;
-
-    /* we need a date in the range of cert expiration */
-#ifdef USE_NTP_LIB
-    #if defined(ESP32)
-        NTPClient timeClient(ntpUDP, "pool.ntp.org");
-
-        timeClient.begin();
-        timeClient.update();
-        delay(1000);
-        while (!timeClient.isTimeSet() && (ntp_tries > 0)) {
-            timeClient.forceUpdate();
-            Serial.println(F("Waiting for NTP update"));
-            delay(2000);
-            ntp_tries--;
-        }
-        if (ntp_tries <= 0) {
-            Serial.println(F("Warning: gave up waiting on NTP"));
-        }
-        Serial.println(timeClient.getFormattedTime());
-        Serial.println(timeClient.getEpochTime());
-    #endif
-#endif
-
-#if defined(ESP32)
-    /* see esp32-hal-time.c */
-    ntp_tries = 5;
-    /* Replace "pool.ntp.org" with your preferred NTP server */
-    configTime(0, 0, "pool.ntp.org");
-
-    /* Wait for time to be set */
-    while ((time(nullptr) <= 100000) && ntp_tries > 0) {
-        Serial.println(F("Waiting for time to be set..."));
-        delay(2000);
-        ntp_tries--;
-    }
-#endif
-
-    return ret;
-} /* setup_datetime */
-
-/*****************************************************************************/
-/* Arduino setup_network()                                                   */
-/*****************************************************************************/
-int setup_network(void) {
-    int ret = 0;
-
-#if defined(USING_WIFI)
-    int status = WL_IDLE_STATUS;
-
-    /* The ESP8266 & ESP32 support both AP and STA. We'll use STA: */
-    #if defined(ESP8266) || defined(ESP32)
-        WiFi.mode(WIFI_STA);
-    #else
-        String fv;
-        if (WiFi.status() == WL_NO_MODULE) {
-            Serial.println("Communication with WiFi module failed!");
-            /* don't continue if no network */
-            while (true) ;
-        }
-
-        fv = WiFi.firmwareVersion();
-        if (fv < WIFI_FIRMWARE_LATEST_VERSION) {
-            Serial.println("Please upgrade the firmware");
-        }
-    #endif
-
-    Serial.print(F("Connecting to WiFi "));
-    Serial.print(ssid);
-    status = WiFi.begin(ssid, password);
-    while (status != WL_CONNECTED) {
-        delay(1000);
-        Serial.print(F("."));
-        Serial.print(status);
-        status = WiFi.status();
-    }
-
-    Serial.println(F(" Connected!"));
-#else
-    /* Newer Ethernet shields have a
-     * MAC address printed on a sticker on the shield */
-    byte mac[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };
-    IPAddress ip(192, 168, 1, 42);
-    IPAddress myDns(192, 168, 1, 1);
-    Ethernet.init(10); /* Most Arduino shields */
-    /* Ethernet.init(5);   * MKR ETH Shield */
-    /* Ethernet.init(0);   * Teensy 2.0 */
-    /* Ethernet.init(20);  * Teensy++ 2.0 */
-    /* Ethernet.init(15);  * ESP8266 with Adafruit FeatherWing Ethernet */
-    /* Ethernet.init(33);  * ESP32 with Adafruit FeatherWing Ethernet */
-    Serial.println(F("Initialize Ethernet with DHCP:"));
-    if (Ethernet.begin(mac) == 0) {
-        Serial.println(F("Failed to configure Ethernet using DHCP"));
-        /* Check for Ethernet hardware present */
-        if (Ethernet.hardwareStatus() == EthernetNoHardware) {
-            Serial.println(F("Ethernet shield was not found."));
-            while (true) {
-                delay(1); /* do nothing */
-            }
-        }
-        if (Ethernet.linkStatus() == LinkOFF) {
-            Serial.println(F("Ethernet cable is not connected."));
-        }
-        /* try to configure using IP address instead of DHCP : */
-        Ethernet.begin(mac, ip, myDns);
-    }
-    else {
-        Serial.print(F("  DHCP assigned IP "));
-        Serial.println(Ethernet.localIP());
-    }
-    /* We'll assume the Ethernet connection is ready to go. */
-#endif
-
-    Serial.println(F("********************************************************"));
-    Serial.print(F("      wolfSSL Example Server IP = "));
-#if defined(USING_WIFI)
-    Serial.println(WiFi.localIP());
-#else
-    Serial.println(Ethernet.localIP());
-#endif
-    /* In server mode, there's no host definition. */
-    /* See companion example: wolfssl_client.ino */
-    Serial.println(F("********************************************************"));
-    Serial.println(F("Setup network complete."));
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_wolfssl()                                                   */
-/*****************************************************************************/
-int setup_wolfssl(void) {
-    int ret = 0;
-    WOLFSSL_METHOD* method;
-
-    /* Show a revision of wolfssl user_settings.h file in use when available: */
-#if defined(WOLFSSL_USER_SETTINGS_ID)
-    Serial.print(F("WOLFSSL_USER_SETTINGS_ID: "));
-    Serial.println(F(WOLFSSL_USER_SETTINGS_ID));
-#else
-    Serial.println(F("No WOLFSSL_USER_SETTINGS_ID found."));
-#endif
-
-#if defined(NO_WOLFSSL_SERVER)
-    Serial.println(F("wolfSSL server code disabled to save space."));
-#endif
-#if defined(NO_WOLFSSL_CLIENT)
-    Serial.println(F("wolfSSL client code disabled to save space."));
-#endif
-
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-    Serial.println(F("wolfSSL Debugging is On!"));
-#else
-    Serial.println(F("wolfSSL Debugging is Off! (enable with DEBUG_WOLFSSL)"));
-#endif
-
-    /* See ssl.c for TLS cache settings. Larger cache = use more RAM. */
-#if defined(NO_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS NO_SESSION_CACHE"));
-#elif defined(MICRO_SESSION_CACHEx)
-    Serial.println(F("wolfSSL TLS MICRO_SESSION_CACHE"));
-#elif defined(SMALL_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS SMALL_SESSION_CACHE"));
-#elif defined(MEDIUM_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS MEDIUM_SESSION_CACHE"));
-#elif defined(BIG_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS BIG_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#elif defined(HUGE_SESSION_CACHE)
-    Serial.println(F("wolfSSL TLS HUGE_SESSION_CACHE"));
-#else
-    Serial.println(F("WARNING: Unknown or no TLS session cache setting."));
-    /* See wolfssl/src/ssl.c for amount of memory used.
-     * It is best on embedded devices to choose a TLS session cache size. */
-#endif
-
-    ret = wolfSSL_Init();
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.println("Successfully called wolfSSL_Init");
-    }
-    else {
-        Serial.println("ERROR: wolfSSL_Init failed");
-    }
-
-    /* See companion server example with wolfSSLv23_server_method here.
-     * method = wolfSSLv23_client_method());   SSL 3.0 - TLS 1.3.
-     * method = wolfTLSv1_2_client_method();   only TLS 1.2
-     * method = wolfTLSv1_3_client_method();   only TLS 1.3
-     *
-     * see Arduino\libraries\wolfssl\src\user_settings.h */
-
-    Serial.println("Here we go!");
-
-    method = wolfSSLv23_server_method();
-    if (method == NULL) {
-        Serial.println(F("unable to get wolfssl server method"));
-        fail_wait();
-    }
-    ctx = wolfSSL_CTX_new(method);
-    if (ctx == NULL) {
-        Serial.println(F("unable to get ctx"));
-        fail_wait();
-    }
-
-    return ret;
-}
-
-/*****************************************************************************/
-/* Arduino setup_certificates()                                              */
-/*****************************************************************************/
-int setup_certificates(void) {
-    int ret = 0;
-
-    Serial.println(F("Initializing certificates..."));
-    show_memory();
-
-    /* Use built-in validation, No verification callback function: */
-    wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
-
-    /* Certificate */
-    Serial.println("Initializing certificates...");
-    ret = wolfSSL_CTX_use_certificate_buffer(ctx,
-                                             CTX_SERVER_CERT,
-                                             CTX_SERVER_CERT_SIZE,
-                                             CTX_CA_CERT_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use certificate: ");
-        Serial.println(xstr(CTX_SERVER_CERT));
-    }
-    else {
-        Serial.print("Error: wolfSSL_CTX_use_certificate_buffer failed: ");
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    /* Setup private server key */
-    ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
-                                            CTX_SERVER_KEY,
-                                            CTX_SERVER_KEY_SIZE,
-                                            CTX_SERVER_KEY_TYPE);
-    if (ret == WOLFSSL_SUCCESS) {
-        Serial.print("Success: use private key buffer: ");
-        Serial.println(xstr(CTX_SERVER_KEY));
-    }
-    else {
-        Serial.print("Error: wolfSSL_CTX_use_PrivateKey_buffer failed: ");
-        wc_ErrorString(ret, wc_error_message);
-        Serial.println(wc_error_message);
-        fail_wait();
-    }
-
-    return ret;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino setup()                                                           */
-/*****************************************************************************/
-/*****************************************************************************/
-void setup(void) {
-    int i = 0;
-    Serial.begin(SERIAL_BAUD);
-    while (!Serial && (i < 10)) {
-        /* wait for serial port to connect. Needed for native USB port only */
-        delay(1000);
-        i++;
-    }
-
-    Serial.println(F(""));
-    Serial.println(F(""));
-    Serial.println(F("wolfSSL TLS Server Example Startup."));
-
-    /* define DEBUG_WOLFSSL in wolfSSL user_settings.h for diagnostics */
-#if defined(DEBUG_WOLFSSL)
-    wolfSSL_Debugging_ON();
-#endif
-
-    /* Optionally pre-allocate a large block of memory for testing */
-#if defined(MEMORY_STRESS_TEST)
-    Serial.println(F("WARNING: Memory Stress Test Active!"));
-    Serial.print(F("Allocating extra memory: "));
-    Serial.print(MEMORY_STRESS_INITIAL);
-    Serial.println(F(" bytes..."));
-    memory_stress[mem_ctr] = (char*)malloc(MEMORY_STRESS_INITIAL);
-    show_memory();
-#endif
-
-    setup_hardware();
-
-    setup_network();
-
-    setup_datetime();
-
-    setup_wolfssl();
-
-    setup_certificates();
-
-    /* Initialize wolfSSL using callback functions. */
-    wolfSSL_SetIOSend(ctx, EthernetSend);
-    wolfSSL_SetIORecv(ctx, EthernetReceive);
-
-#if defined THIS_USER_SETTINGS_VERSION
-    Serial.print(F("This user_settings.h version:"))
-    Serial.println(THIS_USER_SETTINGS_VERSION)
-#endif
-
-    /* Start the server
-     * See https://www.arduino.cc/reference/en/libraries/ethernet/server.begin/
-     */
-
-    Serial.println(F("Completed Arduino setup()"));
-
-    server.begin();
-    Serial.println("Begin Server... (waiting for remote client to connect)");
-
-    /* See companion wolfssl_client.ino code */
-    return;
-} /* Arduino setup */
-
-/*****************************************************************************/
-/* wolfSSL error_check()                                                     */
-/*****************************************************************************/
-int error_check(int this_ret, bool halt_on_error,
-                      const __FlashStringHelper* message) {
-    int ret = 0;
-    if (this_ret == WOLFSSL_SUCCESS) {
-        Serial.print(F("Success: "));
-        Serial.println(message);
-    }
-    else {
-        Serial.print(F("ERROR: return = "));
-        Serial.print(this_ret);
-        Serial.print(F(": "));
-        Serial.println(message);
-        Serial.println(wc_GetErrorString(this_ret));
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    show_memory();
-
-    return ret;
-} /* error_check */
-
-/*****************************************************************************/
-/* wolfSSL error_check_ssl                                                   */
-/*   Parameters:                                                             */
-/*     ssl           is the current WOLFSSL object pointer                   */
-/*     halt_on_error set to true to suspend operations for critical error    */
-/*     message       is expected to be a memory-efficient F("") macro string */
-/*****************************************************************************/
-int error_check_ssl(WOLFSSL* ssl, int this_ret, bool halt_on_error,
-                           const __FlashStringHelper* message) {
-    int err = 0;
-
-    if (ssl == NULL) {
-        Serial.println(F("ssl is Null; Unable to allocate SSL object?"));
-#ifndef DEBUG_WOLFSSL
-        Serial.println(F("Define DEBUG_WOLFSSL in user_settings.h for more."));
-#else
-        Serial.println(F("See wolfssl/wolfcrypt/error-crypt.h for codes."));
-#endif
-        Serial.print(F("ERROR: "));
-        Serial.println(message);
-        show_memory();
-        if (halt_on_error) {
-            fail_wait();
-        }
-    }
-    else {
-        err = wolfSSL_get_error(ssl, this_ret);
-        if (err == WOLFSSL_SUCCESS) {
-            Serial.print(F("Success m: "));
-            Serial.println(message);
-        }
-        else {
-            if (err < 0) {
-                wolfSSL_ERR_error_string(err, errBuf);
-                Serial.print(F("WOLFSSL Error: "));
-                Serial.print(err);
-                Serial.print(F("; "));
-                Serial.println(errBuf);
-            }
-            else {
-                Serial.println(F("Success: ssl object."));
-            }
-        }
-    }
-
-    return err;
-}
-
-/*****************************************************************************/
-/*****************************************************************************/
-/* Arduino loop()                                                            */
-/*****************************************************************************/
-/*****************************************************************************/
-void loop() {
-    char errBuf[80]    = "(no error";
-    char reply[80]     = "(no reply)";
-    const char msg[]   = "I hear you fa shizzle!";
-    const char* cipherName;
-    int input          = 0;
-    int replySz        = 0;
-    int retry_shutdown = SHUTDOWN_DELAY_MS; /* max try, once per millisecond */
-    int ret            = 0;
-    IPAddress broadcast_address(255, 255, 255, 255);
-
-    /* Listen for incoming client requests. */
-    client = server.available();
-    if (client)  {
-       Serial.println("Have Client");
-       while (!client.connected()) {
-           /* wait for the client to actually connect */
-           delay(10);
-       }
-        Serial.print("Client connected from remote IP: ");
-        Serial.println(client.remoteIP());
-
-        ssl = wolfSSL_new(ctx);
-        if (ssl == NULL) {
-            Serial.println("Unable to allocate SSL object");
-            fail_wait();
-        }
-
-        ret = wolfSSL_accept(ssl);
-        if (ret != WOLFSSL_SUCCESS) {
-            ret = wolfSSL_get_error(ssl, 0);
-            wolfSSL_ERR_error_string(ret, errBuf);
-            Serial.print("TLS Accept Error: ");
-            Serial.println(errBuf);
-        }
-
-        cipherName = wolfSSL_get_cipher(ssl);
-        Serial.print("SSL cipher suite is ");
-        Serial.println(cipherName);
-
-        Serial.print("Server Read: ");
-        while (!client.available()) {
-            /* wait for data */
-        }
-
-        /* read data */
-        while (wolfSSL_pending(ssl)) {
-            input = wolfSSL_read(ssl, reply, sizeof(reply) - 1);
-            if (input < 0) {
-                ret = wolfSSL_get_error(ssl, 0);
-                wolfSSL_ERR_error_string(ret, errBuf);
-                Serial.print("TLS Read Error: ");
-                Serial.println(errBuf);
-                break;
-            }
-            else if (input > 0) {
-                replySz = input;
-                reply[input] = '\0';
-                Serial.print(reply);
-            }
-            else {
-                Serial.println("<end of reply, input == 0>");
-            }
-        }
-
-        /* Write our message into reply buffer to send */
-        memset(reply, 0, sizeof(reply));
-        memcpy(reply, msg, sizeof(msg));
-        replySz = strnlen(reply, sizeof(reply));
-
-        Serial.println("Sending reply...");
-        if ((wolfSSL_write(ssl, reply, replySz)) != replySz) {
-            ret = wolfSSL_get_error(ssl, 0);
-            wolfSSL_ERR_error_string(ret, errBuf);
-            Serial.print("TLS Write Error: ");
-            Serial.println(errBuf);
-        }
-        else {
-            Serial.println("Reply sent!");
-        }
-
-        Serial.println("Shutdown!");
-        do {
-            delay(1);
-            retry_shutdown--;
-            ret = wolfSSL_shutdown(ssl);
-        } while ((ret == WOLFSSL_SHUTDOWN_NOT_DONE) && (retry_shutdown > 0));
-
-        if (retry_shutdown <= 0) {
-            /* if wolfSSL_free is called before properly shutting down the
-             * ssl object, undesired results may occur. */
-            Serial.println("Warning! Shutdown did not properly complete.");
-        }
-
-        wolfSSL_free(ssl);
-        Serial.println("Connection complete.");
-        if (REPEAT_CONNECTION) {
-            Serial.println();
-            Serial.println("Waiting for next connection.");
-        }
-        else {
-            client.stop();
-            Serial.println("Done!");
-            while (1) {
-                /* wait forever if not repeating */
-                delay(100);
-            }
-        }
-    }
-    else {
-        /* Serial.println("Client not connected. Trying again..."); */
-    }
-
-    delay(100);
-} /* Arduino loop repeats */
--- a/IDE/ARDUINO/sketches/wolfssl_version/README.md
+++ b/IDE/ARDUINO/sketches/wolfssl_version/README.md
@ -1,3 +1,5 @@
 # Arduino Basic Hello World

 This example simply compiles in wolfSSL and shows the current version number.
+
+NOTE: Moving; See https://github.com/wolfSSL/wolfssl-examples/pull/499
--- a/IDE/ARDUINO/sketches/wolfssl_version/wolfssl_version.ino
+++ b/IDE/ARDUINO/sketches/wolfssl_version/wolfssl_version.ino
@ -1,55 +0,0 @@
-/* wolfssl_server.ino
- *
- * Copyright (C) 2006-2025 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
-
-#include <Arduino.h>
-
- /* wolfSSL user_settings.h must be included from settings.h
-  * Make all configurations changes in user_settings.h
-  * Do not edit wolfSSL `settings.h` or `config.h` files.
-  * Do not explicitly include user_settings.h in any source code.
-  * Each Arduino sketch that uses wolfSSL must have: #include "wolfssl.h"
-  * C/C++ source files can use: #include <wolfssl/wolfcrypt/settings.h>
-  * The wolfSSL "settings.h" must be included in each source file using wolfSSL.
-  * The wolfSSL "settings.h" must appear before any other wolfSSL include.
-  */
-#include <wolfssl.h>
-#include <wolfssl/version.h>
-
-/* Choose a monitor serial baud rate: 9600, 14400, 19200, 57600, 74880, etc. */
-#define SERIAL_BAUD 115200
-
-/* Arduino setup */
-void setup() {
-    Serial.begin(SERIAL_BAUD);
-    while (!Serial) {
-        /* wait for serial port to connect. Needed for native USB port only */
-    }
-    Serial.println(F(""));
-    Serial.println(F(""));
-    Serial.println(F("wolfSSL setup complete!"));
-}
-
-/* Arduino main application loop. */
-void loop() {
-    Serial.print("wolfSSL Version: ");
-    Serial.println(LIBWOLFSSL_VERSION_STRING);
-    delay(60000);
-}
--- a/IDE/ARDUINO/wolfssl-arduino.cpp
+++ b/IDE/ARDUINO/wolfssl-arduino.cpp
@ -0,0 +1,57 @@
+/* wolfssl-arduino.cpp
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#include <Arduino.h>
+#include "wolfssl.h"
+
+/* Function to allow wolfcrypt to use Arduino Serial.print for debug messages.
+ * See wolfssl/wolfcrypt/logging.c */
+
+#if defined(__AVR__)
+#include <avr/pgmspace.h>  /* Required for PROGMEM handling on AVR */
+#endif
+
+int wolfSSL_Arduino_Serial_Print(const char* const s)
+{
+    /* Reminder: Serial.print is only available in C++ */
+    int is_progmem = 0;
+
+#if defined(__AVR__)
+    const char* t;
+    t = s;
+
+    /* Safely check if `s` is in PROGMEM, 0x8000 is typical for AVR flash */
+    if (reinterpret_cast<uint16_t>(t) >= 0x8000) {
+        while (pgm_read_byte(t)) {
+            Serial.write(pgm_read_byte(t++));
+        }
+        Serial.println();
+        is_progmem = 1;
+    }
+#endif
+
+    /* Print normally for non-AVR boards or RAM-stored strings */
+    if (!is_progmem) {
+        Serial.println(s);
+    }
+
+    return 0;
+};
--- a/IDE/ARDUINO/wolfssl-arduino.sh
+++ b/IDE/ARDUINO/wolfssl-arduino.sh
@ -70,6 +70,9 @@ if [ "$ROOT_DIR" = "" ]; then
    exit 1
 fi

+
+ARDUINO_ROOT="$HOME/Arduino/libraries"
+
 # Check environment
 if [ -n "$WSL_DISTRO_NAME" ]; then
    # we found a non-blank WSL environment distro name
@ -78,8 +81,6 @@ if [ -n "$WSL_DISTRO_NAME" ]; then
    if echo "$current_path" | grep -Eq "^$pattern"; then
        # if we are in WSL and shared Windows file system, 'ln' does not work.
        ARDUINO_ROOT="/mnt/c/Users/$USER/Documents/Arduino/libraries"
-    else
-        ARDUINO_ROOT="$HOME/Arduino/libraries"
    fi
 fi
 echo "The Arduino library root is: $ARDUINO_ROOT"
@ -116,11 +117,21 @@ if [ $# -gt 0 ]; then
        echo "Error: not a valid operation: $THIS_OPERATION"
        exit 1
    fi
+else
+    echo "INSTALL parameter not specified. Installing to ROOT_DIR=$ROOT_DIR"
 fi


 ROOT_SRC_DIR="${ROOT_DIR}/src"
 EXAMPLES_DIR="${ROOT_DIR}/examples"
+
+if [ -n "$WOLFSSL_EXAMPLES_ROOT" ]; then
+    EXTRA_EXAMPLES_DIR="${WOLFSSL_EXAMPLES_ROOT}/Arduino"
+    echo "EXTRA_EXAMPLES_DIR=$EXTRA_EXAMPLES_DIR"
+else
+    echo "There are additional examples at https://github.com/wolfSSL/wolfssl-examples"
+    echo "Set WOLFSSL_EXAMPLES_ROOT to your local directory to include those examples."
+fi
 WOLFSSL_SRC="${ROOT_SRC_DIR}/src"
 WOLFSSL_HEADERS="${ROOT_SRC_DIR}/wolfssl"
 WOLFCRYPT_ROOT="${ROOT_SRC_DIR}/wolfcrypt"
@ -141,8 +152,16 @@ OPENSSL_DIR_TOP="${WOLFSSL_HEADERS_TOP}/openssl"

 WOLFSSL_VERSION=$(grep -i "LIBWOLFSSL_VERSION_STRING" ${TOP_DIR}/wolfssl/version.h | cut -d '"' -f 2)
 if [ "$WOLFSSL_VERSION" = "" ]; then
-    echo "ERROR: Could not find wolfSSL Version in ${TOP_DIR}/wolfssl/version.h"
-    exit 1
+    echo "Current user: [$USER]"
+    if [ "$USER" = "" ] || [ "$USER" = "runner" ]; then
+        # Typically when there's no user, it is a GitHub workflow. It is not guaranteed to be "runner"
+        echo "No USER found, no version.h found. Setting Version text to [GitHub] for assumed workflow."
+        WOLFSSL_VERSION="GitHub"
+    else
+        echo "ERROR: Could not find wolfSSL Version in ${TOP_DIR}/wolfssl/version.h"
+        echo "Check autogen.sh and configure"
+        exit 1
+    fi
 else
    echo "Found wolfSSL version $WOLFSSL_VERSION"
    echo "# WOLFSSL_VERSION_ARUINO_SUFFIX $WOLFSSL_VERSION_ARUINO_SUFFIX"
@ -235,26 +254,54 @@ if [ "$THIS_DIR" = "ARDUINO" ]; then
    $CP_CMD "${OPENSSL_DIR_TOP}"/* ."${OPENSSL_DIR}"                                          || exit 1

    # Finally, copy the Arduino-specific wolfssl library files into place: [lib]/src
-    $CP_CMD ./wolfssl.h ".${ROOT_SRC_DIR}"/wolfssl.h
+    $CP_CMD ./wolfssl.h           ".${ROOT_SRC_DIR}"/wolfssl.h           || exit 1
+    $CP_CMD ./wolfssl-arduino.cpp ".${ROOT_SRC_DIR}"/wolfssl-arduino.cpp || exit 1

+    unset NO_ARDUINO_EXAMPLES
    echo "Copy examples...."
    # Copy examples
    mkdir -p ".${ROOT_SRC_DIR}"/examples

-    echo "Copy wolfssl_client example...."
-    mkdir -p ".${EXAMPLES_DIR}"/wolfssl_client
-    $CP_CMD ./sketches/wolfssl_client/wolfssl_client.ino ".${EXAMPLES_DIR}"/wolfssl_client/wolfssl_client.ino || exit 1
-    $CP_CMD ./sketches/wolfssl_client/README.md          ".${EXAMPLES_DIR}"/wolfssl_client/README.md          || exit 1
+    EXAMPLES_DIR_REAL_PATH=$(realpath ".${EXAMPLES_DIR}")
+    echo "Source WOLFSSL_EXAMPLES_ROOT=$WOLFSSL_EXAMPLES_ROOT"
+    echo "Destination EXAMPLES_DIR=.${EXAMPLES_DIR}"
+    echo "EXAMPLES_DIR_REAL_PATH=${EXAMPLES_DIR_REAL_PATH}"

-    echo "Copy wolfssl_server example...."
-    mkdir -p .${EXAMPLES_DIR}/wolfssl_server
-    $CP_CMD ./sketches/wolfssl_server/wolfssl_server.ino ".${EXAMPLES_DIR}"/wolfssl_server/wolfssl_server.ino || exit 1
-    $CP_CMD ./sketches/wolfssl_server/README.md          ".${EXAMPLES_DIR}"/wolfssl_server/README.md          || exit 1
+    if [ -n "$WOLFSSL_EXAMPLES_ROOT" ]; then
+        echo "Copy template example...."
+        mkdir -p ".${EXAMPLES_DIR}"/template/wolfssl_library/src
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/template.ino                             ".${EXAMPLES_DIR}"/template/template.ino                             || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/README.md                                ".${EXAMPLES_DIR}"/template/README.md                                || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_helper.c                         ".${EXAMPLES_DIR}"/template/wolfssl_helper.c                         || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_helper.h                         ".${EXAMPLES_DIR}"/template/wolfssl_helper.h                         || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_library/wolfssl_library.h        ".${EXAMPLES_DIR}"/template/wolfssl_library/wolfssl_library.h        || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/template/wolfssl_library/src/wolfssl_library.cpp  ".${EXAMPLES_DIR}"/template/wolfssl_library/src/wolfssl_library.cpp  || exit 1

-    echo "Copy wolfssl_server example...."
-    mkdir -p .${EXAMPLES_DIR}/wolfssl_version
-    $CP_CMD ./sketches/wolfssl_version/wolfssl_version.ino ".${EXAMPLES_DIR}"/wolfssl_version/wolfssl_version.ino || exit 1
-    $CP_CMD ./sketches/wolfssl_version/README.md           ".${EXAMPLES_DIR}"/wolfssl_version/README.md           || exit 1
+        echo "Copy wolfssl_AES_CTR example...."
+        mkdir -p ".${EXAMPLES_DIR}"/wolfssl_AES_CTR
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_AES_CTR/wolfssl_AES_CTR.ino ".${EXAMPLES_DIR}"/wolfssl_AES_CTR/wolfssl_AES_CTR.ino || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_AES_CTR/README.md           ".${EXAMPLES_DIR}"/wolfssl_AES_CTR/README.md           || exit 1
+
+        echo "Copy wolfssl_client example...."
+        mkdir -p ".${EXAMPLES_DIR}"/wolfssl_client
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_client/wolfssl_client.ino   ".${EXAMPLES_DIR}"/wolfssl_client/wolfssl_client.ino   || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_client/README.md            ".${EXAMPLES_DIR}"/wolfssl_client/README.md            || exit 1
+
+        echo "Copy wolfssl_server example...."
+        mkdir -p .${EXAMPLES_DIR}/wolfssl_server
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_server/wolfssl_server.ino   ".${EXAMPLES_DIR}"/wolfssl_server/wolfssl_server.ino   || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_server/README.md            ".${EXAMPLES_DIR}"/wolfssl_server/README.md            || exit 1
+
+        echo "Copy wolfssl_version example...."
+        mkdir -p .${EXAMPLES_DIR}/wolfssl_version
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_version/wolfssl_version.ino ".${EXAMPLES_DIR}"/wolfssl_version/wolfssl_version.ino || exit 1
+        $CP_CMD "$WOLFSSL_EXAMPLES_ROOT"/Arduino/sketches/wolfssl_version/README.md           ".${EXAMPLES_DIR}"/wolfssl_version/README.md           || exit 1
+    else
+        NO_ARDUINO_EXAMPLES=1
+    fi
+    echo "Examples copied to .${EXAMPLES_DIR}"
+    echo "ls ${EXAMPLES_DIR_REAL_PATH}"
+    ls "${EXAMPLES_DIR_REAL_PATH}"
 else
    echo "ERROR: You must be in the IDE/ARDUINO directory to run this script"
    exit 1
@ -273,6 +320,8 @@ fi
 # as an Arduino-specific README.md file.
 VERSION_PLACEHOLDER="\${WOLFSSL_VERSION}"
 ARDUINO_VERSION_SUFFIX_PLACEHOLDER="\${WOLFSSL_VERSION_ARUINO_SUFFIX}"
+
+# This is the SOURCE to prepend. Note the OUTPUT is PREPENDED_README.md later copied to README.md
 PREPEND_FILE="Arduino_README_prepend.md"
 PROPERTIES_FILE_TEMPLATE="library.properties.template"
 sed s/"$VERSION_PLACEHOLDER"/"$WOLFSSL_VERSION"/ "$PREPEND_FILE" > "$PREPEND_FILE.tmp"
@ -340,4 +389,9 @@ if [ "$THIS_OPERATION" = "INSTALL" ]; then
    fi
 fi

+if [ -n "$NO_ARDUINO_EXAMPLES" ]; then
+    echo ""
+    echo "WARNING: No examples copied. Set WOLFSSL_EXAMPLES_ROOT as appropriate."
+    echo ""
+fi
 echo "Done!"
--- a/IDE/ARDUINO/wolfssl.h
+++ b/IDE/ARDUINO/wolfssl.h
@ -22,6 +22,7 @@
 /* Edit with caution. This is an Arduino-library specific header for wolfSSL */

 #ifndef WOLFSSL_USER_SETTINGS
+    /* Should already be defined in settings.h for #if defined(ARDUINO) */
    #define WOLFSSL_USER_SETTINGS
 #endif

@ -39,9 +40,10 @@
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/ssl.h>

-int wolfSSL_Arduino_Serial_Print(const char *const s)
-{
-    /* See wolfssl/wolfcrypt/logging.c */
-    Serial.println(F(s));
-    return 0;
-};
+#ifndef WOLFSSL_ARDUINO_H
+#define WOLFSSL_ARDUINO_H
+
+/* Declare a helper function to be used in wolfssl/wolfcrypt/logging.c */
+int wolfSSL_Arduino_Serial_Print(const char* const s);
+
+#endif /* WOLFSSL_ARDUINO_H */
--- a/IDE/Espressif/ESP-IDF/examples/template/CMakeLists.txt
+++ b/IDE/Espressif/ESP-IDF/examples/template/CMakeLists.txt
@ -14,7 +14,6 @@ else()
    add_compile_definitions(WOLFSSL_ESP_NO_WATCHDOG=1)
 endif()

-
 # The wolfSSL CMake file should be able to find the source code.
 # Otherwise, assign an environment variable or set it here:
 #
@ -129,7 +128,7 @@ endif()
 # an unintuitive error about  Unknown CMake command "esptool_py_flash_project_args".

 if(0)
-	message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
    # This example uses an extra component for common functions such as Wi-Fi and Ethernet connection.
    set (PROTOCOL_EXAMPLES_DIR $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)

@ -140,7 +139,7 @@ if(0)
    else()
        message(STATUS "NOT FOUND: PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
    endif()
-	message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
 endif()

 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
--- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/component.mk
+++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/component.mk
@ -203,7 +203,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_mlkem.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
@ -266,8 +266,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem_poly.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
--- a/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/include/user_settings.h
@ -110,7 +110,7 @@
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
    /* #define USE_WOLFSSL_ESP_SDK_WIFI */
    #define TEST_ESPIDF_ALL_WOLFSSL
-
+    #define HAVE_HKDF
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
    /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@ -213,8 +213,8 @@
 #ifdef CONFIG_WOLFSSL_ENABLE_KYBER
    /* Kyber typically needs a minimum 10K stack */
    #define WOLFSSL_EXPERIMENTAL_SETTINGS
-    #define WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_WC_KYBER
+    #define WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_WC_MLKEM
    #define WOLFSSL_SHA3
    #if defined(CONFIG_IDF_TARGET_ESP8266)
        /* With limited RAM, we'll disable some of the Kyber sizes: */
@ -784,6 +784,15 @@
    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
    /***** END CONFIG_IDF_TARGET_ESP32H2 *****/

+#elif defined(CONFIG_IDF_TARGET_ESP32P4)
+    #define WOLFSSL_ESP32
+    /*  wolfSSL Hardware Acceleration not yet implemented */
+    #define NO_ESP32_CRYPT
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH
+    #define NO_WOLFSSL_ESP32_CRYPT_AES
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+    /***** END CONFIG_IDF_TARGET_ESP32P4 *****/
+
 #elif defined(CONFIG_IDF_TARGET_ESP8266)
    #define WOLFSSL_ESP8266

--- a/IDE/Espressif/ESP-IDF/examples/template/main/Kconfig.projbuild
+++ b/IDE/Espressif/ESP-IDF/examples/template/main/Kconfig.projbuild
@ -65,11 +65,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfssh on GitHub.

-    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
-        bool "SSH Echo Server"
-        help
-            See wolfSSL/wolfssh on GitHub.
-
    config WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
        bool "SSH to UART Server for the ESP32"
        help
@ -95,12 +90,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfTPM on GitHub.

-    config WOLFSSL_APPLE_HOMEKIT
-        bool "Apple HomeKit for the ESP32"
-        help
-            See AchimPieters/esp32-homekit-demo on GitHub.
-
-
    config WOLFSSL_EXAMPLE_NAME_NONE
        bool "Other"
        help
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/component.mk
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/component.mk
@ -203,7 +203,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_mlkem.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
@ -266,8 +266,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem_poly.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/components/wolfssl/include/user_settings.h
@ -110,7 +110,7 @@
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
    /* #define USE_WOLFSSL_ESP_SDK_WIFI */
    #define TEST_ESPIDF_ALL_WOLFSSL
-
+    #define HAVE_HKDF
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
    /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@ -213,8 +213,8 @@
 #ifdef CONFIG_WOLFSSL_ENABLE_KYBER
    /* Kyber typically needs a minimum 10K stack */
    #define WOLFSSL_EXPERIMENTAL_SETTINGS
-    #define WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_WC_KYBER
+    #define WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_WC_MLKEM
    #define WOLFSSL_SHA3
    #if defined(CONFIG_IDF_TARGET_ESP8266)
        /* With limited RAM, we'll disable some of the Kyber sizes: */
@ -784,6 +784,15 @@
    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
    /***** END CONFIG_IDF_TARGET_ESP32H2 *****/

+#elif defined(CONFIG_IDF_TARGET_ESP32P4)
+    #define WOLFSSL_ESP32
+    /*  wolfSSL Hardware Acceleration not yet implemented */
+    #define NO_ESP32_CRYPT
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH
+    #define NO_WOLFSSL_ESP32_CRYPT_AES
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+    /***** END CONFIG_IDF_TARGET_ESP32P4 *****/
+
 #elif defined(CONFIG_IDF_TARGET_ESP8266)
    #define WOLFSSL_ESP8266

--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/Kconfig.projbuild
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/Kconfig.projbuild
@ -1,5 +1,102 @@
+# Kconfig main
+#
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+#
+
+# Kconfig File Version 5.7.2.001 for wolfssl_template
+
 menu "Example Configuration"

+choice WOLFSSL_EXAMPLE_CHOOSE
+    prompt "Choose Example (See wolfssl/include/user_settings.h)"
+    default WOLFSSL_EXAMPLE_NAME_NONE
+    help
+        The user settings file can be adjusted to specific wolfSSL examples.
+
+    config WOLFSSL_EXAMPLE_NAME_TEMPLATE
+        bool "wolfSSL Template"
+        help
+            The sample template app compiles in wolfSSL and prints the current wolfSSL Version. Nothing more.
+
+    config WOLFSSL_EXAMPLE_NAME_TEST
+        bool "wolfSSL Test"
+        help
+            This app tests all cryptographic functions currently enabled. See also Benchmark performance app.
+
+    config WOLFSSL_EXAMPLE_NAME_BENCHMARK
+        bool "wolfSSL Benchmark"
+        help
+            Benchmark performance app. See also cryptographic test.
+
+    config WOLFSSL_EXAMPLE_NAME_TLS_CLIENT
+        bool "TLS Client"
+        help
+            TLS Client Example app. Needs WiFi and a listening server on port 11111.
+
+    config WOLFSSL_EXAMPLE_NAME_TLS_SERVER
+        bool "TLS Server"
+        help
+            TLS Server Example app. Needs WiFi. More interesting with a TLS client using port 11111.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE
+        bool "SSH Template App"
+        help
+            Bare-bones Hello World app that only compiles in wolfSSL and wolfSSH.
+            See wolfSSL/wolfssh on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
+        bool "SSH Echo Server"
+        help
+            See wolfSSL/wolfssh on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
+        bool "SSH to UART Server for the ESP32"
+        help
+            See wolfSSL/wolfssh-examples on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_ESP8266_SSH_SERVER
+        bool "SSH to UART Server for the ESP8266"
+        help
+            See wolfSSL/wolfssh-examples on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFMQTT_TEMPLATE
+        bool "MQTT Template"
+        help
+            See wolfSSL/wolfmqtt on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFMQTT_AWS_IOT_MQTT
+        bool "MQTT AWS IoT"
+        help
+            See wolfSSL/wolfmqtt on GitHub.
+
+    config WOLFTPM_EXAMPLE_NAME_ESPRESSIF
+        bool "TPM Test Example for the ESP32"
+        help
+            See wolfSSL/wolfTPM on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_NONE
+        bool "Other"
+        help
+            A specific example app is not defined.
+
+endchoice
+
 config BENCH_ARGV
    string "Arguments for benchmark test"
    default "-lng 0"
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/sdkconfig.defaults
@ -1,5 +1,5 @@
 # Set the known example app config to template example (see user_settings.h)
-CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSL_BENCHMARK=y
+CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK=y

 # CONFIG_EXAMPLE_WIFI_SSID="myssid"
 # CONFIG_EXAMPLE_WIFI_PASSWORD="mypassword"
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/CMakeLists.txt
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/CMakeLists.txt
@ -14,7 +14,6 @@ else()
    add_compile_definitions(WOLFSSL_ESP_NO_WATCHDOG=1)
 endif()

-
 # The wolfSSL CMake file should be able to find the source code.
 # Otherwise, assign an environment variable or set it here:
 #
@ -129,7 +128,7 @@ endif()
 # an unintuitive error about  Unknown CMake command "esptool_py_flash_project_args".

 if(0)
-	message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
    # This example uses an extra component for common functions such as Wi-Fi and Ethernet connection.
    set (PROTOCOL_EXAMPLES_DIR $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)

@ -140,7 +139,7 @@ if(0)
    else()
        message(STATUS "NOT FOUND: PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
    endif()
-	message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
 endif()

 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/component.mk
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/component.mk
@ -203,7 +203,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_mlkem.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
@ -266,8 +266,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem_poly.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/components/wolfssl/include/user_settings.h
@ -110,7 +110,7 @@
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
    /* #define USE_WOLFSSL_ESP_SDK_WIFI */
    #define TEST_ESPIDF_ALL_WOLFSSL
-
+    #define HAVE_HKDF
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
    /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@ -213,8 +213,8 @@
 #ifdef CONFIG_WOLFSSL_ENABLE_KYBER
    /* Kyber typically needs a minimum 10K stack */
    #define WOLFSSL_EXPERIMENTAL_SETTINGS
-    #define WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_WC_KYBER
+    #define WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_WC_MLKEM
    #define WOLFSSL_SHA3
    #if defined(CONFIG_IDF_TARGET_ESP8266)
        /* With limited RAM, we'll disable some of the Kyber sizes: */
@ -784,6 +784,15 @@
    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
    /***** END CONFIG_IDF_TARGET_ESP32H2 *****/

+#elif defined(CONFIG_IDF_TARGET_ESP32P4)
+    #define WOLFSSL_ESP32
+    /*  wolfSSL Hardware Acceleration not yet implemented */
+    #define NO_ESP32_CRYPT
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH
+    #define NO_WOLFSSL_ESP32_CRYPT_AES
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+    /***** END CONFIG_IDF_TARGET_ESP32P4 *****/
+
 #elif defined(CONFIG_IDF_TARGET_ESP8266)
    #define WOLFSSL_ESP8266

--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/Kconfig.projbuild
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/Kconfig.projbuild
@ -65,11 +65,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfssh on GitHub.

-    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
-        bool "SSH Echo Server"
-        help
-            See wolfSSL/wolfssh on GitHub.
-
    config WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
        bool "SSH to UART Server for the ESP32"
        help
@ -95,12 +90,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfTPM on GitHub.

-    config WOLFSSL_APPLE_HOMEKIT
-        bool "Apple HomeKit for the ESP32"
-        help
-            See AchimPieters/esp32-homekit-demo on GitHub.
-
-
    config WOLFSSL_EXAMPLE_NAME_NONE
        bool "Other"
        help
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/client-tls.c
@ -41,9 +41,9 @@
 #undef USE_WOLFSSL_ESP_SDK_WIFI
 #include <wolfssl/ssl.h>

-#if defined(WOLFSSL_WC_KYBER)
-    #include <wolfssl/wolfcrypt/kyber.h>
-    #include <wolfssl/wolfcrypt/wc_kyber.h>
+#if defined(WOLFSSL_WC_MLKEM)
+    #include <wolfssl/wolfcrypt/mlkem.h>
+    #include <wolfssl/wolfcrypt/wc_mlkem.h>
 #endif
 #if defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024)
    #include <wolfssl/certs_test.h>
@ -397,22 +397,22 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args)
        ESP_LOGI(TAG, "tls_smp_client_task heap @ %p = %d",
                      &this_heap, this_heap);
 #endif
-#if defined(WOLFSSL_HAVE_KYBER)
+#if defined(WOLFSSL_HAVE_MLKEM)
    #if defined(WOLFSSL_KYBER1024)
-        ESP_LOGI(TAG, "WOLFSSL_HAVE_KYBER is enabled, setting key share: "
+        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
                                        "WOLFSSL_P256_KYBER_LEVEL5");
        ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_KYBER_LEVEL5);
    #elif defined(WOLFSSL_KYBER768)
-        ESP_LOGI(TAG, "WOLFSSL_HAVE_KYBER is enabled, setting key share: "
+        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
                                        "WOLFSSL_P256_KYBER_LEVEL3");
        ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P256_KYBER_LEVEL3);
    #elif defined(WOLFSSL_KYBER512)
        /* This will typically be a low memory situation, such as ESP8266 */
-        ESP_LOGI(TAG, "WOLFSSL_HAVE_KYBER is enabled, setting key share: "
+        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is enabled, setting key share: "
                                        "WOLFSSL_P256_KYBER_LEVEL1");
        ret_i = wolfSSL_UseKeyShare(ssl, WOLFSSL_P256_KYBER_LEVEL1);
    #else
-        ESP_LOGW(TAG, "WOLFSSL_HAVE_KYBER enabled but no key size available.");
+        ESP_LOGW(TAG, "WOLFSSL_HAVE_MLKEM enabled but no key size available.");
        ret_i = ESP_FAIL;
    #endif
        if (ret_i == WOLFSSL_SUCCESS) {
@ -422,7 +422,7 @@ WOLFSSL_ESP_TASK tls_smp_client_task(void* args)
            ESP_LOGE(TAG, "UseKeyShare Kyber failed");
        }
 #else
-    ESP_LOGI(TAG, "WOLFSSL_HAVE_KYBER is not enabled");
+    ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is not enabled");
 #endif
    }

--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/client-tls.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_client/main/include/client-tls.h
@ -44,7 +44,7 @@

 /* Reminder: Vanilla FreeRTOS is words, Espressif is bytes. */
 #if defined(WOLFSSL_ESP8266)
-    #if defined(WOLFSSL_HAVE_KYBER)
+    #if defined(WOLFSSL_HAVE_MLKEM)
        /* Minimum ESP8266 stack size = 10K with Kyber.
         * Note there's a maximum not far away as Kyber needs heap
         * and the total DRAM is typically only 80KB total. */
@ -54,7 +54,7 @@
        #define TLS_SMP_CLIENT_TASK_BYTES (6 * 1024)
    #endif
 #else
-    #if defined(WOLFSSL_HAVE_KYBER)
+    #if defined(WOLFSSL_HAVE_MLKEM)
        /* Minimum ESP32 stack size = 12K with Kyber enabled. */
        #define TLS_SMP_CLIENT_TASK_BYTES (12 * 1024)
    #else
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/CMakeLists.txt
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/CMakeLists.txt
@ -14,7 +14,6 @@ else()
    add_compile_definitions(WOLFSSL_ESP_NO_WATCHDOG=1)
 endif()

-
 # The wolfSSL CMake file should be able to find the source code.
 # Otherwise, assign an environment variable or set it here:
 #
@ -129,7 +128,7 @@ endif()
 # an unintuitive error about  Unknown CMake command "esptool_py_flash_project_args".

 if(0)
-	message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
    # This example uses an extra component for common functions such as Wi-Fi and Ethernet connection.
    set (PROTOCOL_EXAMPLES_DIR $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)

@ -140,7 +139,7 @@ if(0)
    else()
        message(STATUS "NOT FOUND: PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
    endif()
-	message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
 endif()

 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/component.mk
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/component.mk
@ -203,7 +203,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_mlkem.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
@ -266,8 +266,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem_poly.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/components/wolfssl/include/user_settings.h
@ -110,7 +110,7 @@
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
    /* #define USE_WOLFSSL_ESP_SDK_WIFI */
    #define TEST_ESPIDF_ALL_WOLFSSL
-
+    #define HAVE_HKDF
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
    /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@ -213,8 +213,8 @@
 #ifdef CONFIG_WOLFSSL_ENABLE_KYBER
    /* Kyber typically needs a minimum 10K stack */
    #define WOLFSSL_EXPERIMENTAL_SETTINGS
-    #define WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_WC_KYBER
+    #define WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_WC_MLKEM
    #define WOLFSSL_SHA3
    #if defined(CONFIG_IDF_TARGET_ESP8266)
        /* With limited RAM, we'll disable some of the Kyber sizes: */
@ -784,6 +784,15 @@
    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
    /***** END CONFIG_IDF_TARGET_ESP32H2 *****/

+#elif defined(CONFIG_IDF_TARGET_ESP32P4)
+    #define WOLFSSL_ESP32
+    /*  wolfSSL Hardware Acceleration not yet implemented */
+    #define NO_ESP32_CRYPT
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH
+    #define NO_WOLFSSL_ESP32_CRYPT_AES
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+    /***** END CONFIG_IDF_TARGET_ESP32P4 *****/
+
 #elif defined(CONFIG_IDF_TARGET_ESP8266)
    #define WOLFSSL_ESP8266

--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/Kconfig.projbuild
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/Kconfig.projbuild
@ -65,11 +65,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfssh on GitHub.

-    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
-        bool "SSH Echo Server"
-        help
-            See wolfSSL/wolfssh on GitHub.
-
    config WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
        bool "SSH to UART Server for the ESP32"
        help
@ -95,12 +90,6 @@ choice WOLFSSL_EXAMPLE_CHOOSE
        help
            See wolfSSL/wolfTPM on GitHub.

-    config WOLFSSL_APPLE_HOMEKIT
-        bool "Apple HomeKit for the ESP32"
-        help
-            See AchimPieters/esp32-homekit-demo on GitHub.
-
-
    config WOLFSSL_EXAMPLE_NAME_NONE
        bool "Other"
        help
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_server/main/server-tls.c
@ -54,9 +54,9 @@
    #error "Missing WOLFSSL_USER_SETTINGS in CMakeLists or Makefile:\
    CFLAGS +=-DWOLFSSL_USER_SETTINGS"
 #endif
-#if defined(WOLFSSL_WC_KYBER)
-    #include <wolfssl/wolfcrypt/kyber.h>
-    #include <wolfssl/wolfcrypt/wc_kyber.h>
+#if defined(WOLFSSL_WC_MLKEM)
+    #include <wolfssl/wolfcrypt/mlkem.h>
+    #include <wolfssl/wolfcrypt/wc_mlkem.h>
 #endif
 #if defined(USE_CERT_BUFFERS_2048) || defined(USE_CERT_BUFFERS_1024)
    #include <wolfssl/certs_test.h>
@ -329,7 +329,7 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args)
        if ((ssl = wolfSSL_new(ctx)) == NULL) {
            ESP_LOGE(TAG, "ERROR: failed to create WOLFSSL object");
        }
-#if defined(WOLFSSL_HAVE_KYBER)
+#if defined(WOLFSSL_HAVE_MLKEM)
        else {
            /* If success creating CTX and Kyber enabled, set key share: */
            ret = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_KYBER_LEVEL5);
@ -341,7 +341,7 @@ WOLFSSL_ESP_TASK tls_smp_server_task(void *args)
            }
        }
 #else
-        ESP_LOGI(TAG, "WOLFSSL_HAVE_KYBER is not enabled, not using PQ.");
+        ESP_LOGI(TAG, "WOLFSSL_HAVE_MLKEM is not enabled, not using PQ.");
 #endif
        /* show what cipher connected for this WOLFSSL* object */
        ShowCiphers(ssl);
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/CMakeLists.txt
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/CMakeLists.txt
@ -14,7 +14,6 @@ else()
    add_compile_definitions(WOLFSSL_ESP_NO_WATCHDOG=1)
 endif()

-
 # The wolfSSL CMake file should be able to find the source code.
 # Otherwise, assign an environment variable or set it here:
 #
@ -129,7 +128,7 @@ endif()
 # an unintuitive error about  Unknown CMake command "esptool_py_flash_project_args".

 if(0)
-	message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "Begin optional PROTOCOL_EXAMPLES_DIR include")
    # This example uses an extra component for common functions such as Wi-Fi and Ethernet connection.
    set (PROTOCOL_EXAMPLES_DIR $ENV{IDF_PATH}/examples/common_components/protocol_examples_common)

@ -140,7 +139,7 @@ if(0)
    else()
        message(STATUS "NOT FOUND: PROTOCOL_EXAMPLES_DIR=${PROTOCOL_EXAMPLES_DIR}")
    endif()
-	message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
+    message(STATUS "End optional PROTOCOL_EXAMPLES_DIR include")
 endif()

 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/component.mk
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/component.mk
@ -203,7 +203,7 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed25519.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ed448.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/error.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/evp.o
-# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_kyber.o
+# COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_mlkem.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/ext_xmss.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/falcon.o
@ -266,8 +266,8 @@ COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/srp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/tfm.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_dsp.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_encrypt.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber.o
-COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_kyber_poly.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem.o
+COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_mlkem_poly.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_lms.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_pkcs11.o
 COMPONENT_OBJS += $(WOLFSSL_ROOT)/wolfcrypt/src/wc_port.o
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/components/wolfssl/include/user_settings.h
@ -110,7 +110,7 @@
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
    /* #define USE_WOLFSSL_ESP_SDK_WIFI */
    #define TEST_ESPIDF_ALL_WOLFSSL
-
+    #define HAVE_HKDF
 #elif defined(CONFIG_WOLFSSL_EXAMPLE_NAME_BENCHMARK)
    /* See https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark */
    /* We don't use WiFi, so don't compile in the esp-sdk-lib WiFi helpers: */
@ -213,8 +213,8 @@
 #ifdef CONFIG_WOLFSSL_ENABLE_KYBER
    /* Kyber typically needs a minimum 10K stack */
    #define WOLFSSL_EXPERIMENTAL_SETTINGS
-    #define WOLFSSL_HAVE_KYBER
-    #define WOLFSSL_WC_KYBER
+    #define WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_WC_MLKEM
    #define WOLFSSL_SHA3
    #if defined(CONFIG_IDF_TARGET_ESP8266)
        /* With limited RAM, we'll disable some of the Kyber sizes: */
@ -560,9 +560,6 @@
    defined(WOLFSSL_SP_RISCV32)
 #endif

-#define WOLFSSL_SMALL_STACK
-
-
 #define HAVE_VERSION_EXTENDED_INFO
 /* #define HAVE_WC_INTROSPECTION */

@ -784,6 +781,15 @@
    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
    /***** END CONFIG_IDF_TARGET_ESP32H2 *****/

+#elif defined(CONFIG_IDF_TARGET_ESP32P4)
+    #define WOLFSSL_ESP32
+    /*  wolfSSL Hardware Acceleration not yet implemented */
+    #define NO_ESP32_CRYPT
+    #define NO_WOLFSSL_ESP32_CRYPT_HASH
+    #define NO_WOLFSSL_ESP32_CRYPT_AES
+    #define NO_WOLFSSL_ESP32_CRYPT_RSA_PRI
+    /***** END CONFIG_IDF_TARGET_ESP32P4 *****/
+
 #elif defined(CONFIG_IDF_TARGET_ESP8266)
    #define WOLFSSL_ESP8266

--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/Kconfig.projbuild
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/Kconfig.projbuild
@ -1,29 +1,112 @@
-menu "Example Configuration"
+# Kconfig main
+#
+# Copyright (C) 2006-2025 wolfSSL Inc.
+#
+# This file is part of wolfSSL.
+#
+# wolfSSL is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# wolfSSL is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+#

-config BENCH_ARGV
-    string "Arguments for benchmark test"
-    default "-lng 0"
+# Kconfig File Version 5.7.2.001 for wolfssl_template
+
+menu "Example wolfSSL Configuration"
+
+choice WOLFSSL_EXAMPLE_CHOOSE
+    prompt "Choose Example (See wolfssl/include/user_settings.h)"
+    default WOLFSSL_EXAMPLE_NAME_NONE
    help
-        -? <num>    Help, print this usage
-                     0: English, 1: Japanese
-        -csv        Print terminal output in csv format
-        -base10     Display bytes as power of 10 (eg 1 kB = 1000 Bytes)
-        -no_aad     No additional authentication data passed.
-        -dgst_full  Full digest operation performed.
-        -rsa_sign   Measure RSA sign/verify instead of encrypt/decrypt.
-        -<alg>      Algorithm to benchmark. Available algorithms include:
-                    cipher aes-cbc aes-gcm chacha20 chacha20-poly1305
-                    digest md5 poly1305 sha sha2 sha224 sha256 sha384 sha512 sha3
-                    sha3-224 sha3-256 sha3-384 sha3-512
-                    mac hmac hmac-md5 hmac-sha hmac-sha224 hmac-sha256 hmac-sha384
-                    hmac-sha512
-                    asym rsa rsa-sz dh ecc-kg ecc
-                    other rng
-        -lng <num>  Display benchmark result by specified language.
-                    0: English, 1: Japanese
-        <num>       Size of block in bytes
+        The user settings file can be adjusted to specific wolfSSL examples.

-        e.g -lng 1
-        e.g sha
+    config WOLFSSL_EXAMPLE_NAME_TEMPLATE
+        bool "wolfSSL Template"
+        help
+            The sample template app compiles in wolfSSL and prints the current wolfSSL Version. Nothing more.
+
+    config WOLFSSL_EXAMPLE_NAME_TEST
+        bool "wolfSSL Test"
+        help
+            This app tests all cryptographic functions currently enabled. See also Benchmark performance app.
+
+    config WOLFSSL_EXAMPLE_NAME_BENCHMARK
+        bool "wolfSSL Benchmark"
+        help
+            Benchmark performance app. See also cryptographic test.
+
+    config WOLFSSL_EXAMPLE_NAME_TLS_CLIENT
+        bool "TLS Client"
+        help
+            TLS Client Example app. Needs WiFi and a listening server on port 11111.
+
+    config WOLFSSL_EXAMPLE_NAME_TLS_SERVER
+        bool "TLS Server"
+        help
+            TLS Server Example app. Needs WiFi. More interesting with a TLS client using port 11111.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE
+        bool "SSH Template App"
+        help
+            Bare-bones Hello World app that only compiles in wolfSSL and wolfSSH.
+            See wolfSSL/wolfssh on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER
+        bool "SSH Echo Server"
+        help
+            See wolfSSL/wolfssh on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER
+        bool "SSH to UART Server for the ESP32"
+        help
+            See wolfSSL/wolfssh-examples on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_ESP8266_SSH_SERVER
+        bool "SSH to UART Server for the ESP8266"
+        help
+            See wolfSSL/wolfssh-examples on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFMQTT_TEMPLATE
+        bool "MQTT Template"
+        help
+            See wolfSSL/wolfmqtt on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_WOLFMQTT_AWS_IOT_MQTT
+        bool "MQTT AWS IoT"
+        help
+            See wolfSSL/wolfmqtt on GitHub.
+
+    config WOLFTPM_EXAMPLE_NAME_ESPRESSIF
+        bool "TPM Test Example for the ESP32"
+        help
+            See wolfSSL/wolfTPM on GitHub.
+
+    config WOLFSSL_EXAMPLE_NAME_NONE
+        bool "Other"
+        help
+            A specific example app is not defined.
+
+endchoice
+
+config WOLFSSL_TARGET_HOST
+    string "Target host"
+    default "127.0.0.1"
+    help
+        host address for the example to connect
+
+config WOLFSSL_TARGET_PORT
+    int "Target port"
+    default 11111
+    help
+        host port for the example to connect

 endmenu
--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/main.c
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/main/main.c
@ -164,6 +164,8 @@ void app_main(void)
        .stop_bits = UART_STOP_BITS_1,
    };
    int stack_start = 0;
+    int heap_start = 0;
+    int heap_current = 0;
    int loops = 0;
    esp_err_t ret = 0;

@ -245,8 +247,12 @@ void app_main(void)
    ** note it is still always called in wolf_test_task.
    */
    stack_start = uxTaskGetStackHighWaterMark(NULL);
+    heap_start = heap_caps_get_free_size(MALLOC_CAP_8BIT);

    do {
+        heap_current = heap_caps_get_free_size(MALLOC_CAP_8BIT);
+        ESP_LOGI(TAG, "Free heap memory: %d bytes; Start %d",
+                                         heap_current, heap_start);
        ESP_LOGI(TAG, "Stack HWM: %d\n", uxTaskGetStackHighWaterMark(NULL));

        ret = wolf_test_task();
@ -272,7 +278,7 @@ void app_main(void)
    ESP_LOGI(TAG, "Stack HWM: %d\n", uxTaskGetStackHighWaterMark(NULL));
 #endif

-#if defined(DEBUG_WOLFSSL) && defined(WOLFSSL_ESP32_CRYPT_RSA_PRI)
+#if defined(WOLFSSL_HW_METRICS) && defined(WOLFSSL_ESP32_CRYPT_RSA_PRI)
    esp_hw_show_mp_metrics();
 #endif

--- a/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults
+++ b/IDE/Espressif/ESP-IDF/examples/wolfssl_test/sdkconfig.defaults
@ -1,5 +1,5 @@
 # Set the known example app config to template example (see user_settings.h)
-CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSL_TEST=y
+CONFIG_WOLFSSL_EXAMPLE_NAME_TEST=y

 # CONFIG_EXAMPLE_WIFI_SSID="myssid"
 # CONFIG_EXAMPLE_WIFI_PASSWORD="mypassword"
--- a/IDE/MCUEXPRESSO/RT1170/wolfssl_cm7/.cproject
+++ b/IDE/MCUEXPRESSO/RT1170/wolfssl_cm7/.cproject
@ -241,7 +241,7 @@
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="drivers"/>
 						<entry excluding="freertos_kernel/portable/MemMang/heap_1.c|freertos_kernel/portable/MemMang/heap_2.c|freertos_kernel/portable/MemMang/heap_3.c|freertos_kernel/portable/MemMang/heap_5.c" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="freertos"/>
 						<entry excluding="src/netif/ppp/polarssl/arc4.c|src/netif/ppp/polarssl/des.c|src/netif/ppp/polarssl/md4.c|src/netif/ppp/polarssl/md5.c|src/netif/ppp/polarssl/sha1.c" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="lwip"/>
-						<entry excluding="wolfcrypt/src/misc.c|src/x509.c|src/x509_str.c|wolfcrypt/src/evp.c|src/conf.c|src/pk.c|src/bio.c|wolfcrypt/src/wc_kyber_asm.S|wolfcrypt/src/sp_x86_64_asm.S|wolfcrypt/src/sp_x86_64_asm.asm|wolfcrypt/src/sha512_asm.S|wolfcrypt/src/sha3_asm.S|wolfcrypt/src/sha256_asm.S|wolfcrypt/src/poly1305_asm.S|wolfcrypt/src/fe_x25519_asm.S|wolfcrypt/src/port|wolfcrypt/src/chacha_asm.S|wolfcrypt/src/aes_gcm_x86_asm.S|wolfcrypt/src/aes_gcm_asm.S|wolfcrypt/src/aes_asm.S|wolfcrypt/src/aes_asm.asm|wolfcrypt/user-crypto|wolfcrypt/test|wolfcrypt/benchmark" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source"/>
+						<entry excluding="wolfcrypt/src/misc.c|src/x509.c|src/x509_str.c|wolfcrypt/src/evp.c|src/conf.c|src/pk.c|src/bio.c|wolfcrypt/src/wc_mlkem_asm.S|wolfcrypt/src/sp_x86_64_asm.S|wolfcrypt/src/sp_x86_64_asm.asm|wolfcrypt/src/sha512_asm.S|wolfcrypt/src/sha3_asm.S|wolfcrypt/src/sha256_asm.S|wolfcrypt/src/poly1305_asm.S|wolfcrypt/src/fe_x25519_asm.S|wolfcrypt/src/port|wolfcrypt/src/chacha_asm.S|wolfcrypt/src/aes_gcm_x86_asm.S|wolfcrypt/src/aes_gcm_asm.S|wolfcrypt/src/aes_asm.S|wolfcrypt/src/aes_asm.asm|wolfcrypt/user-crypto|wolfcrypt/test|wolfcrypt/benchmark" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source"/>
 						<entry flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source/wolfcrypt/src/port/caam"/>
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="startup"/>
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="utilities"/>
@ -489,7 +489,7 @@
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="drivers"/>
 						<entry excluding="freertos_kernel/portable/MemMang/heap_1.c|freertos_kernel/portable/MemMang/heap_2.c|freertos_kernel/portable/MemMang/heap_3.c|freertos_kernel/portable/MemMang/heap_5.c" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="freertos"/>
 						<entry excluding="src/netif/ppp/polarssl/arc4.c|src/netif/ppp/polarssl/des.c|src/netif/ppp/polarssl/md4.c|src/netif/ppp/polarssl/md5.c|src/netif/ppp/polarssl/sha1.c" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="lwip"/>
-						<entry excluding="wolfcrypt/src/misc.c|src/x509.c|src/x509_str.c|wolfcrypt/src/evp.c|src/conf.c|src/pk.c|src/bio.c|wolfcrypt/src/wc_kyber_asm.S|wolfcrypt/src/sp_x86_64_asm.S|wolfcrypt/src/sp_x86_64_asm.asm|wolfcrypt/src/sha512_asm.S|wolfcrypt/src/sha3_asm.S|wolfcrypt/src/sha256_asm.S|wolfcrypt/src/poly1305_asm.S|wolfcrypt/src/fe_x25519_asm.S|wolfcrypt/src/port|wolfcrypt/src/chacha_asm.S|wolfcrypt/src/aes_gcm_x86_asm.S|wolfcrypt/src/aes_gcm_asm.S|wolfcrypt/src/aes_asm.S|wolfcrypt/src/aes_asm.asm|wolfcrypt/user-crypto|wolfcrypt/test|wolfcrypt/benchmark" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source"/>
+						<entry excluding="wolfcrypt/src/misc.c|src/x509.c|src/x509_str.c|wolfcrypt/src/evp.c|src/conf.c|src/pk.c|src/bio.c|wolfcrypt/src/wc_mlkem_asm.S|wolfcrypt/src/sp_x86_64_asm.S|wolfcrypt/src/sp_x86_64_asm.asm|wolfcrypt/src/sha512_asm.S|wolfcrypt/src/sha3_asm.S|wolfcrypt/src/sha256_asm.S|wolfcrypt/src/poly1305_asm.S|wolfcrypt/src/fe_x25519_asm.S|wolfcrypt/src/port|wolfcrypt/src/chacha_asm.S|wolfcrypt/src/aes_gcm_x86_asm.S|wolfcrypt/src/aes_gcm_asm.S|wolfcrypt/src/aes_asm.S|wolfcrypt/src/aes_asm.asm|wolfcrypt/user-crypto|wolfcrypt/test|wolfcrypt/benchmark" flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source"/>
 						<entry flags="VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="source/wolfcrypt/src/port/caam"/>
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="startup"/>
 						<entry flags="LOCAL|VALUE_WORKSPACE_PATH|RESOLVED" kind="sourcePath" name="utilities"/>
@ -565,4 +565,4 @@
 	</storageModule>
 	<storageModule moduleId="org.eclipse.cdt.make.core.buildtargets"/>
 	<storageModule moduleId="refreshScope"/>
-</cproject>
+</cproject>
--- a/IDE/NDS/README.md
+++ b/IDE/NDS/README.md
@ -15,13 +15,16 @@ $ ./configure \
    AR=$DEVKITARM/bin/arm-none-eabi-ar \
    STRIP=$DEVKITARM/bin/arm-none-eabi-strip \
    RANLIB=$DEVKITARM/bin/arm-none-eabi-ranlib \
-    LIBS="-lfat -lnds9" \
-    LDFLAGS="-L/opt/devkitpro/libnds/lib" \
+    LIBS="-lfat -lnds9 -lcalico_ds9" \
+    LDFLAGS="-L$DEVKITPRO/libnds/lib \
+        -L$DEVKITPRO/calico/lib" \
    --prefix=$DEVKITPRO/portlibs/nds \
    CFLAGS="-march=armv5te -mtune=arm946e-s \
-        --specs=ds_arm9.specs -DARM9 -DWOLFSSL_NDS \
+        -specs=$DEVKITPRO/calico/share/ds9.specs \
+        -D__NDS__ -DARM9 -D__thumb__=0 \
        -DWOLFSSL_MELONDS \
-        -DWOLFSSL_USER_IO \
+        -DWOLFSSL_NDS -DWOLFSSL_USER_IO \
+        -I$DEVKITPRO/calico/include \
        -I$DEVKITPRO/libnds/include" \
    --enable-fastmath --disable-benchmark \
    --disable-shared --disable-examples --disable-ecc
@ -37,12 +40,15 @@ $ ./configure \
    AR=$DEVKITARM/bin/arm-none-eabi-ar \
    STRIP=$DEVKITARM/bin/arm-none-eabi-strip \
    RANLIB=$DEVKITARM/bin/arm-none-eabi-ranlib \
-    LIBS="-lfat -lnds9" \
-    LDFLAGS="-L/opt/devkitpro/libnds/lib" \
+    LIBS="-lfat -lnds9 -lcalico_ds9" \
+    LDFLAGS="-L$DEVKITPRO/libnds/lib \
+        -L$DEVKITPRO/calico/lib" \
    --prefix=$DEVKITPRO/portlibs/nds \
    CFLAGS="-march=armv5te -mtune=arm946e-s \
-        --specs=ds_arm9.specs -DARM9 -DWOLFSSL_NDS \
-        -DWOLFSSL_USER_IO \
+        -specs=$DEVKITPRO/calico/share/ds9.specs \
+        -D__NDS__ -DARM9 -D__thumb__=0 \
+        -DWOLFSSL_NDS -DWOLFSSL_USER_IO \
+        -I$DEVKITPRO/calico/include \
        -I$DEVKITPRO/libnds/include" \
    --enable-fastmath --disable-benchmark \
    --disable-shared --disable-examples --disable-ecc
--- a/IDE/NETOS/Makefile.wolfcrypt.inc
+++ b/IDE/NETOS/Makefile.wolfcrypt.inc
@ -1,11 +1,11 @@
-WOLFSSL_ROOT=wolfCrypt_v4_5_2
+WOLFSSL_ROOT=wolfssl-5.7.2-commercial-fips-linuxv5.2.1
 APP_WOLFCRYPTOBJS = $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/wolfcrypt_first.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/aes.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/cmac.o\
-            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/des3.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/dh.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/ecc.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/hmac.o\
+            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/kdf.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/random.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/rsa.o\
            $(NETOS_DIR)/src/$(WOLFSSL_ROOT)/objs/ns9210/32b/gnu/sha.o\
--- a/IDE/NETOS/include.am
+++ b/IDE/NETOS/include.am
@ -4,6 +4,7 @@

 EXTRA_DIST+= IDE/NETOS/Makefile.wolfcrypt.inc
 EXTRA_DIST+= IDE/NETOS/user_settings.h
+EXTRA_DIST+= IDE/NETOS/user_settings.h-cert3389
 EXTRA_DIST+= IDE/NETOS/user_settings.h-cert2425
 EXTRA_DIST+= IDE/NETOS/wolfssl_netos_custom.c
 EXTRA_DIST+= IDE/NETOS/README.md
--- a/IDE/NETOS/user_settings.h
+++ b/IDE/NETOS/user_settings.h
@ -1,5 +1,5 @@
 /* user_settings.h
-*
+ *
 * Copyright (C) 2006-2025 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
@ -19,7 +19,6 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

-/* Custom wolfSSL user settings for GCC ARM */

 #ifndef WOLFSSL_USER_SETTINGS_H
 #define WOLFSSL_USER_SETTINGS_H
@ -28,11 +27,39 @@
 extern "C" {
 #endif

+#undef  HAVE_FIPS
+#if 1
+
+    #define HAVE_FIPS
+
+    #undef  HAVE_FIPS_VERSION
+    #define HAVE_FIPS_VERSION 5
+
+    #undef HAVE_FIPS_VERSION_MAJOR
+    #define HAVE_FIPS_VERSION_MAJOR 5
+
+    #undef HAVE_FIPS_VERSION_MINOR
+    #define HAVE_FIPS_VERSION_MINOR 2
+
+    #undef WOLFSSL_WOLFSSH
+    #define WOLFSSL_WOLFSSH
+
+    #undef WC_RNG_SEED_CB
+    #define WC_RNG_SEED_CB
+
+    #if 1
+        #undef NO_ATTRIBUTE_CONSTRUCTOR
+        #define NO_ATTRIBUTE_CONSTRUCTOR
+    #endif
+
+#endif
+
+
 /* ------------------------------------------------------------------------- */
 /* Platform */
 /* ------------------------------------------------------------------------- */
-#undef WOLFSSL_GENERAL_ALIGNMENT
-#define WOLFSSL_GENERAL_ALIGNMENT 4
+#undef  WOLFSSL_GENERAL_ALIGNMENT
+#define WOLFSSL_GENERAL_ALIGNMENT   4

 #undef THREADX
 #define THREADX
@ -47,85 +74,99 @@ extern "C" {
 #undef BIG_ENDIAN_ORDER
 #define BIG_ENDIAN_ORDER

-#undef WOLFSSL_SMALL_STACK
-//#define WOLFSSL_SMALL_STACK
+#undef WOLFSSL_USE_ALIGN
+#define WOLFSSL_USE_ALIGN

-#undef WOLFSSL_USER_IO
-//#define WOLFSSL_USER_IO
-
-#undef NO_THREAD_LS
+#undef  NO_THREAD_LS
 #define NO_THREAD_LS

 /* ------------------------------------------------------------------------- */
 /* Math Configuration */
 /* ------------------------------------------------------------------------- */
-#undef SIZEOF_LONG_LONG
+
+    #define WOLFCRYPT_FIPS_CORE_HASH_VALUE \
+            F0E3A7F32D8FDE71DA017855072247B27D8C0F5A74CACE89AED272A7CF5EAC0E
+#if 0
+    #define WOLFSSL_SP_MATH_ALL
+    #define WOLFSSL_SP_RSA
+    #define WOLFSSL_SP_DH
+    #define WOLFSSL_SP_ECC
+    #define WOLFSSL_SP_4096
+    #define WOLFSSL_SP_384
+    #define WOLFSSL_SP_521
+    #define WOLFSSL_SP_SMALL
+    #define WOLFSSL_SP_NO_MALLOC
+    #define SP_INT_BITS 8192
+#endif
+#if 1
+    #undef  USE_FAST_MATH
+    #define USE_FAST_MATH
+    #if 1
+        #define WOLFSSL_SP_RSA
+        #define WOLFSSL_SP_DH
+        #define WOLFSSL_SP_ECC
+        #define WOLFSSL_SP_4096
+        #define WOLFSSL_SP_384
+        #define WOLFSSL_SP_521
+        #define WOLFSSL_SP_SMALL
+        #define SP_INT_BITS 8192
+    #endif
+#endif
+#if 0
+    #undef USE_INTEGER_HEAP_MATH
+    #define USE_INTEGER_HEAP_MATH
+
+    #undef WOLFSSL_SMALL_STACK
+    #define WOLFSSL_SMALL_STACK
+#endif
+
+#undef  SIZEOF_LONG_LONG
 #define SIZEOF_LONG_LONG 8

-#undef SIZEOF_LONG
-#define SIZEOF_LONG 4
-
-#undef USE_FAST_MATH
-#if 1
-    #define USE_FAST_MATH
-
-    #undef TFM_TIMING_RESISTANT
+#ifdef USE_FAST_MATH
+    #undef  TFM_TIMING_RESISTANT
    #define TFM_TIMING_RESISTANT

-    /* Optimizations */
-    #define TFM_ARM
+    #undef  FP_MAX_BITS
+    #define FP_MAX_BITS 16384
+
+    #define TFM_NO_ASM
+
+    /* Optimizations (on M0 UMULL is not supported, need another assembly
+     * solution) */
+    //#define TFM_ARM
 #endif

-/* ------------------------------------------------------------------------- */
-/* FIPS - Requires eval or license from wolfSSL */
-/* ------------------------------------------------------------------------- */
-#undef HAVE_FIPS
-#if 1
-    #define HAVE_FIPS
-
-    #undef HAVE_FIPS_VERSION
-    #define HAVE_FIPS_VERSION 2
-
-    #ifdef SINGLE_THREADED
-        #undef NO_THREAD_LS
-        #define NO_THREAD_LS
-    #endif
-
-    #if 1
-        #undef NO_ATTRIBUTE_CONSTRUCTOR
-        #define NO_ATTRIBUTE_CONSTRUCTOR
-    #endif
-#endif
-
-
 /* ------------------------------------------------------------------------- */
 /* Crypto */
 /* ------------------------------------------------------------------------- */
 /* RSA */
 #undef NO_RSA
 #if 1
-    #ifdef USE_FAST_MATH
-        /* Maximum math bits (Max RSA key bits * 2) */
-        #undef FP_MAX_BITS
-        #define FP_MAX_BITS 8192
-    #endif

    /* half as much memory but twice as slow */
-    #undef RSA_LOW_MEM
+    #undef  RSA_LOW_MEM
    //#define RSA_LOW_MEM

    /* Enables blinding mode, to prevent timing attacks */
    #if 0
-        #undef WC_RSA_BLINDING
+        #undef  WC_RSA_BLINDING
        #define WC_RSA_BLINDING
    #else
-        #undef WC_NO_HARDEN
+        #undef  WC_NO_HARDEN
        #define WC_NO_HARDEN
    #endif

    /* RSA PSS Support */
    #if 1
+        #undef WC_RSA_PSS
        #define WC_RSA_PSS
+
+        #undef WOLFSSL_PSS_LONG_SALT
+        #define WOLFSSL_PSS_LONG_SALT
+
+        #undef WOLFSSL_PSS_SALT_LEN_DISCOVER
+        #define WOLFSSL_PSS_SALT_LEN_DISCOVER
    #endif

    #if 1
@ -141,86 +182,86 @@ extern "C" {
    #define HAVE_ECC

    /* Manually define enabled curves */
-    #undef ECC_USER_CURVES
-    //#define ECC_USER_CURVES
+    #undef  ECC_USER_CURVES
+    #define ECC_USER_CURVES

    #ifdef ECC_USER_CURVES
-    /* Manual Curve Selection */
-    //#define HAVE_ECC192
-    //#define HAVE_ECC224
-    #undef NO_ECC256
-    //#define HAVE_ECC384
-    //#define HAVE_ECC521
+        /* Manual Curve Selection */
+        #define HAVE_ECC192
+        #define HAVE_ECC224
+        #undef NO_ECC256
+        #define HAVE_ECC256
+        #define HAVE_ECC384
+        #define HAVE_ECC521
    #endif

-    /* Fixed point cache (speeds repeated operations against same private key) */
-    #undef FP_ECC
+    /* Fixed point cache (speeds repeated operations against same private key)
+     */
+    #undef  FP_ECC
    //#define FP_ECC
    #ifdef FP_ECC
        /* Bits / Entries */
-        #undef FP_ENTRIES
-        #define FP_ENTRIES 2
-        #undef FP_LUT
-        #define FP_LUT 4
+        #undef  FP_ENTRIES
+        #define FP_ENTRIES  2
+        #undef  FP_LUT
+        #define FP_LUT      4
    #endif

    /* Optional ECC calculation method */
    /* Note: doubles heap usage, but slightly faster */
-    #undef ECC_SHAMIR
+    #undef  ECC_SHAMIR
    #define ECC_SHAMIR

    /* Reduces heap usage, but slower */
-    #undef ECC_TIMING_RESISTANT
+    #undef  ECC_TIMING_RESISTANT
    #define ECC_TIMING_RESISTANT

    #ifdef HAVE_FIPS
-        #undef HAVE_ECC_CDH
+        #undef  HAVE_ECC_CDH
        #define HAVE_ECC_CDH /* Enable cofactor support */

        #undef NO_STRICT_ECDSA_LEN
        #define NO_STRICT_ECDSA_LEN /* Do not force fixed len w/ FIPS */

-        #undef WOLFSSL_VALIDATE_ECC_IMPORT
+        #undef  WOLFSSL_VALIDATE_ECC_IMPORT
        #define WOLFSSL_VALIDATE_ECC_IMPORT /* Validate import */
-    #endif

-    /* Compressed Key Support */
-    #undef HAVE_COMP_KEY
-    //#define HAVE_COMP_KEY
+        #undef WOLFSSL_VALIDATE_ECC_KEYGEN
+        #define WOLFSSL_VALIDATE_ECC_KEYGEN /* Validate generated keys */
+
+        #undef WOLFSSL_ECDSA_SET_K
+        #define WOLFSSL_ECDSA_SET_K
+
+        //#define WOLFCRYPT_HAVE_SAKKE
+
+    #endif

    /* Use alternate ECC size for ECC math */
    #ifdef USE_FAST_MATH
-        /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */
-        #ifdef NO_RSA
-            /* Custom fastmath size if not using RSA */
-            #undef FP_MAX_BITS
-            #define FP_MAX_BITS (256 * 2)
-        #else
-            #undef ALT_ECC_SIZE
-            #define ALT_ECC_SIZE
-            /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overridden */
-            //#undef FP_MAX_BITS_ECC
-            //#define FP_MAX_BITS_ECC (256 * 2)
-        #endif
+        #undef  ALT_ECC_SIZE
+        #define ALT_ECC_SIZE

        /* Speedups specific to curve */
        #ifndef NO_ECC256
-            #undef TFM_ECC256
+            #undef  TFM_ECC256
            #define TFM_ECC256
        #endif
    #endif
 #endif

 /* DH */
-#undef NO_DH
+#undef  NO_DH
 #if 1
+    #define HAVE_DH
    /* Use table for DH instead of -lm (math) lib dependency */
    #if 1
+        #define HAVE_DH_DEFAULT_PARAMS
        #define WOLFSSL_DH_CONST
        #define HAVE_FFDHE_2048
+        #define HAVE_FFDHE_3072
        #define HAVE_FFDHE_4096
-        //#define HAVE_FFDHE_6144
-        //#define HAVE_FFDHE_8192
+        #define HAVE_FFDHE_6144
+        #define HAVE_FFDHE_8192
    #endif

    #ifdef HAVE_FIPS
@ -235,28 +276,31 @@ extern "C" {
 /* AES */
 #undef NO_AES
 #if 1
-    #undef HAVE_AES_CBC
+    #undef  HAVE_AES_CBC
    #define HAVE_AES_CBC

-    #undef HAVE_AESGCM
+    #undef  HAVE_AESGCM
    #define HAVE_AESGCM

-    /* GCM Method: GCM_SMALL, GCM_WORD32 or GCM_TABLE */
-    // #define GCM_SMALL
-    // #define GCM_WORD32
-    #define GCM_TABLE
+    /* GCM Method (slowest to fastest): GCM_SMALL, GCM_WORD32, GCM_TABLE or
+     *                                  GCM_TABLE_4BIT */
+    #define GCM_TABLE_4BIT

-    #undef WOLFSSL_AES_DIRECT
+    #undef  WOLFSSL_AES_DIRECT
    #define WOLFSSL_AES_DIRECT

-    #undef HAVE_AES_ECB
+    #undef  HAVE_AES_ECB
    #define HAVE_AES_ECB

-    #undef WOLFSSL_AES_COUNTER
+    #undef  WOLFSSL_AES_COUNTER
    #define WOLFSSL_AES_COUNTER

-    #undef HAVE_AESCCM
+    #undef  HAVE_AESCCM
    #define HAVE_AESCCM
+
+    #undef WOLFSSL_AES_OFB
+    #define WOLFSSL_AES_OFB
+
 #else
    #define NO_AES
 #endif
@ -264,8 +308,11 @@ extern "C" {

 /* DES3 */
 #undef NO_DES3
-#if 1
-    /* No change */
+#if 0
+    #if 1
+        #undef WOLFSSL_DES_ECB
+        #define WOLFSSL_DES_ECB
+    #endif
 #else
    #define NO_DES3
 #endif
@ -278,20 +325,29 @@ extern "C" {
    #define HAVE_POLY1305

    /* Needed for Poly1305 */
-    #undef HAVE_ONE_TIME_AUTH
+    #undef  HAVE_ONE_TIME_AUTH
    #define HAVE_ONE_TIME_AUTH
 #endif

-/* Ed25519 / Curve25519 */
+/* Curve25519 */
 #undef HAVE_CURVE25519
-#undef HAVE_ED25519
 #if 0
    #define HAVE_CURVE25519
+
+    /* Optionally use small math (less flash usage, but much slower) */
+    #if 1
+        #define CURVE25519_SMALL
+    #endif
+#endif
+
+/* Ed25519 */
+#undef HAVE_ED25519
+#if 0
    #define HAVE_ED25519 /* ED25519 Requires SHA512 */

    /* Optionally use small math (less flash usage, but much slower) */
    #if 1
-        #define CURVED25519_SMALL
+        #define ED25519_SMALL
    #endif
 #endif

@ -303,7 +359,7 @@ extern "C" {
 #undef NO_SHA
 #if 1
    /* 1k smaller, but 25% slower */
-    //#define USE_SLOW_SHA
+    #define USE_SLOW_SHA
 #else
    #define NO_SHA
 #endif
@ -312,7 +368,7 @@ extern "C" {
 #undef NO_SHA256
 #if 1
    /* not unrolled - ~2k smaller and ~25% slower */
-    //#define USE_SLOW_SHA256
+    #define USE_SLOW_SHA256

    /* Sha224 */
    #if 1
@ -327,14 +383,17 @@ extern "C" {
 #if 1
    #define WOLFSSL_SHA512

+    #define  WOLFSSL_NOSHA512_224 /* Not in FIPS mode */
+    #define  WOLFSSL_NOSHA512_256 /* Not in FIPS mode */
+
    /* Sha384 */
-    #undef WOLFSSL_SHA384
+    #undef  WOLFSSL_SHA384
    #if 1
        #define WOLFSSL_SHA384
    #endif

    /* over twice as small, but 50% slower */
-    //#define USE_SLOW_SHA512
+    #define USE_SLOW_SHA512
 #endif

 /* Sha3 */
@ -344,17 +403,18 @@ extern "C" {
 #endif

 /* MD5 */
-#undef NO_MD5
+#undef  NO_MD5
 #if 1
-    /* No change */
+
 #else
    #define NO_MD5
 #endif

-/* HKDF */
+/* HKDF / PRF */
 #undef HAVE_HKDF
 #if 1
    #define HAVE_HKDF
+    #define WOLFSSL_HAVE_PRF
 #endif

 /* CMAC */
@ -363,101 +423,49 @@ extern "C" {
    #define WOLFSSL_CMAC
 #endif

-
-/* ------------------------------------------------------------------------- */
-/* Benchmark / Test */
-/* ------------------------------------------------------------------------- */
-/* Use reduced benchmark / test sizes */
-#undef BENCH_EMBEDDED
-#define BENCH_EMBEDDED
-
-#undef USE_CERT_BUFFERS_2048
-#define USE_CERT_BUFFERS_2048
-
-#undef USE_CERT_BUFFERS_1024
-//#define USE_CERT_BUFFERS_1024
-
-#undef USE_CERT_BUFFERS_256
-#define USE_CERT_BUFFERS_256
-
-#undef FORCE_BUFFER_TEST
-#define FORCE_BUFFER_TEST
-
-
 /* ------------------------------------------------------------------------- */
 /* Debugging */
 /* ------------------------------------------------------------------------- */

-#undef DEBUG_WOLFSSL
-#undef NO_ERROR_STRINGS
+#undef  DEBUG_WOLFSSL
+#define DEBUG_WOLFSSL
+
+/* Use this to measure / print heap usage */
 #if 0
-    #define DEBUG_WOLFSSL
-#else
-    #if 0
-        #define NO_ERROR_STRINGS
-    #endif
-#endif
-
-
-/* ------------------------------------------------------------------------- */
-/* Memory */
-/* ------------------------------------------------------------------------- */
-
-/* Override Memory API's */
-#if 0
-    #undef XMALLOC_OVERRIDE
-    #define XMALLOC_OVERRIDE
-
-    /* prototypes for user heap override functions */
-    /* Note: Realloc only required for normal math */
-    /* Note2: XFREE(NULL) must be properly handled */
-    #include <stddef.h> /* for size_t */
-    extern void *myMalloc(size_t n, void* heap, int type);
-    extern void myFree(void *p, void* heap, int type);
-    extern void *myRealloc(void *p, size_t n, void* heap, int type);
-
-    #define XMALLOC(n, h, t) myMalloc(n, h, t)
-    #define XFREE(p, h, t) myFree(p, h, t)
-    #define XREALLOC(p, n, h, t) myRealloc(p, n, h, t)
-#endif
-
-#if 0
-    /* Static memory requires fast math */
-    #define WOLFSSL_STATIC_MEMORY
-
-    /* Disable fallback malloc/free */
-    #define WOLFSSL_NO_MALLOC
-    #if 1
-    #define WOLFSSL_MALLOC_CHECK /* trap malloc failure */
-    #endif
-#endif
-
-/* Memory callbacks */
-#if 1
-    #undef USE_WOLFSSL_MEMORY
+    #undef  USE_WOLFSSL_MEMORY
    #define USE_WOLFSSL_MEMORY

-    /* Use this to measure / print heap usage */
-    #if 0
-        #undef WOLFSSL_TRACK_MEMORY
-        // #define WOLFSSL_TRACK_MEMORY
+    #undef  WOLFSSL_TRACK_MEMORY
+    //#define WOLFSSL_TRACK_MEMORY

-        #undef WOLFSSL_DEBUG_MEMORY
-        //#define WOLFSSL_DEBUG_MEMORY
-
-        #undef WOLFSSL_DEBUG_MEMORY_PRINT
-        //#define WOLFSSL_DEBUG_MEMORY_PRINT
-    #endif
+    #undef  WOLFSSL_DEBUG_MEMORY
+    //#define WOLFSSL_DEBUG_MEMORY
 #else
-    #ifndef WOLFSSL_STATIC_MEMORY
-        #define NO_WOLFSSL_MEMORY
-        /* Otherwise we will use stdlib malloc, free and realloc */
-    #endif
+    #undef  NO_WOLFSSL_MEMORY
+    #define NO_WOLFSSL_MEMORY
 #endif

+#ifndef DEBUG_WOLFSSL
+    #undef  NO_ERROR_STRINGS
+    #define NO_ERROR_STRINGS
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Port */
+/* ------------------------------------------------------------------------- */
+
+/* Override Current Time */
+/* Allows custom "custom_time()" function to be used for benchmark */
+//#define WOLFSSL_USER_CURRTIME
+//#define XTIME time
+
+
 /* ------------------------------------------------------------------------- */
 /* RNG */
 /* ------------------------------------------------------------------------- */
+/* Size of returned HW RNG value */
+//#define CUSTOM_RAND_TYPE      unsigned int

 /* Seed Source */
 #if 1
@ -473,152 +481,194 @@ extern "C" {
    #define CUSTOM_RAND_TYPE      unsigned char
 #endif

+//#define WOLFSSL_GENSEED_FORTEST
 /* Choose RNG method */
 #if 1
    /* Use built-in P-RNG (SHA256 based) with HW RNG */
    /* P-RNG + HW RNG (P-RNG is ~8K) */
-    //#define WOLFSSL_GENSEED_FORTEST
-    #undef HAVE_HASHDRBG
+    #undef  HAVE_HASHDRBG
    #define HAVE_HASHDRBG
 #else
-    #undef WC_NO_HASHDRBG
+    #undef  WC_NO_HASHDRBG
    #define WC_NO_HASHDRBG

    /* Bypass P-RNG and use only HW RNG */
-    extern int my_rng_gen_block(unsigned char* output, unsigned int sz);
-    #undef CUSTOM_RAND_GENERATE_BLOCK
-    #define CUSTOM_RAND_GENERATE_BLOCK my_rng_gen_block
+    extern int custom_rand_generate_block(unsigned char* output,
+                                          unsigned int sz);
+    #undef  CUSTOM_RAND_GENERATE_BLOCK
+    #define CUSTOM_RAND_GENERATE_BLOCK  custom_rand_generate_block
 #endif

 /* ------------------------------------------------------------------------- */
 /* Enable Features */
 /* ------------------------------------------------------------------------- */
-#undef WOLFSSL_TLS13
 #if 0
+    #undef WOLFSSL_TLS13
    #define WOLFSSL_TLS13
 #endif

-#undef WOLFSSL_KEY_GEN
-#if 1
-    #define WOLFSSL_KEY_GEN
-#endif
+#undef  WOLFSSL_KEY_GEN
+#define WOLFSSL_KEY_GEN

-#if defined(HAVE_FIPS) && !defined(WOLFSSL_KEY_GEN)
-    #define WOLFSSL_OLD_PRIME_CHECK
-#endif
-
-#undef KEEP_PEER_CERT
+#undef  KEEP_PEER_CERT
 //#define KEEP_PEER_CERT

-#undef HAVE_COMP_KEY
+#undef  HAVE_COMP_KEY
 //#define HAVE_COMP_KEY

-#undef HAVE_TLS_EXTENSIONS
+#undef  HAVE_TLS_EXTENSIONS
 #define HAVE_TLS_EXTENSIONS

-#undef HAVE_SUPPORTED_CURVES
+#undef  HAVE_SUPPORTED_CURVES
 #define HAVE_SUPPORTED_CURVES

-#undef WOLFSSL_BASE64_ENCODE
+#undef  WOLFSSL_BASE64_ENCODE
 #define WOLFSSL_BASE64_ENCODE

+#undef WOLFSSL_BASE16
+#define WOLFSSL_BASE16
+
 /* TLS Session Cache */
-#if 0
+#if 1
    #define SMALL_SESSION_CACHE
 #else
    #define NO_SESSION_CACHE
 #endif

+#define BENCH_EMBEDDED

 /* ------------------------------------------------------------------------- */
 /* Disable Features */
 /* ------------------------------------------------------------------------- */
-#undef NO_WOLFSSL_SERVER
+#undef  NO_WOLFSSL_SERVER
 //#define NO_WOLFSSL_SERVER

-#undef NO_WOLFSSL_CLIENT
+#undef  NO_WOLFSSL_CLIENT
 //#define NO_WOLFSSL_CLIENT

-#undef NO_CRYPT_TEST
+#undef  NO_CRYPT_TEST
 //#define NO_CRYPT_TEST

-#undef NO_CRYPT_BENCHMARK
+#undef  NO_CRYPT_BENCHMARK
 //#define NO_CRYPT_BENCHMARK

-#undef WOLFCRYPT_ONLY
+#undef  WOLFCRYPT_ONLY
 //#define WOLFCRYPT_ONLY

 /* In-lining of misc.c functions */
 /* If defined, must include wolfcrypt/src/misc.c in build */
 /* Slower, but about 1k smaller */
-#undef NO_INLINE
+#undef  NO_INLINE
 //#define NO_INLINE

-#undef NO_FILESYSTEM
+#undef  NO_FILESYSTEM
 #define NO_FILESYSTEM

 #undef NO_WOLFSSL_DIR
 #define NO_WOLFSSL_DIR

-#undef NO_WRITEV
+#undef  NO_WRITEV
 #define NO_WRITEV

-#undef NO_MAIN_DRIVER
+#undef  NO_MAIN_DRIVER
 #define NO_MAIN_DRIVER

-#undef NO_DEV_RANDOM
+#undef  NO_DEV_RANDOM
 #define NO_DEV_RANDOM

-#undef NO_DSA
+#undef  NO_DSA
 #define NO_DSA

-#undef NO_RC4
+#undef  NO_DES3
+#define NO_DES3
+
+#undef  NO_RC4
 #define NO_RC4

-#undef NO_OLD_TLS
+#undef  NO_OLD_TLS
 #define NO_OLD_TLS

-#undef NO_PSK
+#undef  NO_PSK
 #define NO_PSK

-#undef NO_MD4
+#undef  NO_MD4
 #define NO_MD4

-#undef NO_PWDBASED
+#undef  NO_PWDBASED
 //#define NO_PWDBASED

-#undef NO_CODING
+#undef  NO_CODING
 //#define NO_CODING

-#undef NO_ASN_TIME
+#undef  NO_ASN_TIME
 //#define NO_ASN_TIME

-#undef NO_CERTS
+#undef  NO_CERTS
 //#define NO_CERTS

-#undef NO_SIG_WRAPPER
+#undef  NO_SIG_WRAPPER
 //#define NO_SIG_WRAPPER

-/* ACVP Testing ONLY specific settings */
+/* FIPS optesting for wolfSSL Engineering only, disable in production */
 #if 0
-    #undef USE_NORMAL_PRINTF
-    #define USE_NORMAL_PRINTF
-
-    #undef USE_UART_READ_LINE
+    #define DEBUG_FIPS_VERBOSE
+    #define NO_CAVP_TDES
    #define USE_UART_READ_LINE
-
-    #undef USE_SMALL_MONTE
-    #define USE_SMALL_MONTE
-
-    #undef WOLFSSL_PUBLIC_MP
+    #define USE_NORMAL_PRINTF
    #define WOLFSSL_PUBLIC_MP

-    #undef HAVE_FORCE_FIPS_FAILURE
+    #define NO_MAIN_OPTEST_DRIVER
+    #define OPTEST_LOGGING_ENABLED
+    #define DEBUG_FIPS_VERBOSE
+    #define OPTEST_INVALID_LOGGING_ENABLED
+    #define OPTEST_RUNNING_ORGANIC
    #define HAVE_FORCE_FIPS_FAILURE
-#endif

+    #define USE_CERT_BUFFERS_2048
+    #define USE_CERT_BUFFERS_256
+    #define FORCE_BUFFER_TEST
+    #define NO_MAIN_OPTEST_DRIVER
+    #define DEEPLY_EMBEDDED
+
+#endif
+/* End optesting only section */
+
+/* START Customer specified options */
+#if 1
+    #undef  HAVE_SECRET_CALLBACK
+    #define HAVE_SECRET_CALLBACK
+
+    #undef  ATOMIC_USER
+    #define ATOMIC_USER
+
+    #undef  HAVE_EX_DATA
+    #define HAVE_EX_DATA
+
+    #undef  NO_WOLFSSL_STUB
+    #define NO_WOLFSSL_STUB
+
+    #undef  OPENSSL_EXTRA
+    #define OPENSSL_EXTRA
+
+    #undef  OPENSSL_ALL
+    #define OPENSSL_ALL
+
+    #undef  HAVE_EXTENDED_MASTER
+    #define HAVE_EXTENDED_MASTER
+
+    #undef  WC_NO_ASYNC_THREADING
+    #define WC_NO_ASYNC_THREADING
+
+    #undef  NO_TESTSUITE_MAIN_DRIVER
+    #define NO_TESTSUITE_MAIN_DRIVER
+
+    #undef WOLFSSL_NO_ASN_STRICT
+    #define WOLFSSL_NO_ASN_STRICT
+#endif
+/* END Customer specified options */
 #ifdef __cplusplus
 }
 #endif

 #endif /* WOLFSSL_USER_SETTINGS_H */
+
--- a/IDE/NETOS/user_settings.h-cert2425
+++ b/IDE/NETOS/user_settings.h-cert2425
@ -1,3 +1,25 @@
+/* user_settings.h
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
 #ifndef _NETOS_USER_SETTINGS_H_
 #define _NETOS_USER_SETTINGS_H_

--- a/IDE/NETOS/user_settings.h-cert3389
+++ b/IDE/NETOS/user_settings.h-cert3389
@ -0,0 +1,623 @@
+/* user_settings.h
+ *
+ * Copyright (C) 2006-2024 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Custom wolfSSL user settings for GCC ARM */
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* Platform */
+/* ------------------------------------------------------------------------- */
+#undef WOLFSSL_GENERAL_ALIGNMENT
+#define WOLFSSL_GENERAL_ALIGNMENT 4
+
+#undef THREADX
+#define THREADX
+
+#ifndef TX_TIMER_TICKS_PER_SECOND
+    #define TX_TIMER_TICKS_PER_SECOND 100
+#endif
+
+#undef NETOS
+#define NETOS
+
+#undef BIG_ENDIAN_ORDER
+#define BIG_ENDIAN_ORDER
+
+#undef WOLFSSL_SMALL_STACK
+//#define WOLFSSL_SMALL_STACK
+
+#undef WOLFSSL_USER_IO
+//#define WOLFSSL_USER_IO
+
+#undef NO_THREAD_LS
+#define NO_THREAD_LS
+
+/* ------------------------------------------------------------------------- */
+/* Math Configuration */
+/* ------------------------------------------------------------------------- */
+#undef SIZEOF_LONG_LONG
+#define SIZEOF_LONG_LONG 8
+
+#undef SIZEOF_LONG
+#define SIZEOF_LONG 4
+
+#undef USE_FAST_MATH
+#if 1
+    #define USE_FAST_MATH
+
+    #undef TFM_TIMING_RESISTANT
+    #define TFM_TIMING_RESISTANT
+
+    /* Optimizations */
+    #define TFM_ARM
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* FIPS - Requires eval or license from wolfSSL */
+/* ------------------------------------------------------------------------- */
+#undef HAVE_FIPS
+#if 1
+    #define HAVE_FIPS
+
+    #undef HAVE_FIPS_VERSION
+    #define HAVE_FIPS_VERSION 2
+
+    #ifdef SINGLE_THREADED
+        #undef NO_THREAD_LS
+        #define NO_THREAD_LS
+    #endif
+
+    #if 1
+        #undef NO_ATTRIBUTE_CONSTRUCTOR
+        #define NO_ATTRIBUTE_CONSTRUCTOR
+    #endif
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Crypto */
+/* ------------------------------------------------------------------------- */
+/* RSA */
+#undef NO_RSA
+#if 1
+    #ifdef USE_FAST_MATH
+        /* Maximum math bits (Max RSA key bits * 2) */
+        #undef FP_MAX_BITS
+        #define FP_MAX_BITS 8192
+    #endif
+
+    /* half as much memory but twice as slow */
+    #undef RSA_LOW_MEM
+    //#define RSA_LOW_MEM
+
+    /* Enables blinding mode, to prevent timing attacks */
+    #if 0
+        #undef WC_RSA_BLINDING
+        #define WC_RSA_BLINDING
+    #else
+        #undef WC_NO_HARDEN
+        #define WC_NO_HARDEN
+    #endif
+
+    /* RSA PSS Support */
+    #if 1
+        #define WC_RSA_PSS
+    #endif
+
+    #if 1
+        #define WC_RSA_NO_PADDING
+    #endif
+#else
+    #define NO_RSA
+#endif
+
+/* ECC */
+#undef HAVE_ECC
+#if 1
+    #define HAVE_ECC
+
+    /* Manually define enabled curves */
+    #undef ECC_USER_CURVES
+    //#define ECC_USER_CURVES
+
+    #ifdef ECC_USER_CURVES
+    /* Manual Curve Selection */
+    //#define HAVE_ECC192
+    //#define HAVE_ECC224
+    #undef NO_ECC256
+    //#define HAVE_ECC384
+    //#define HAVE_ECC521
+    #endif
+
+    /* Fixed point cache (speeds repeated operations against same private key) */
+    #undef FP_ECC
+    //#define FP_ECC
+    #ifdef FP_ECC
+        /* Bits / Entries */
+        #undef FP_ENTRIES
+        #define FP_ENTRIES 2
+        #undef FP_LUT
+        #define FP_LUT 4
+    #endif
+
+    /* Optional ECC calculation method */
+    /* Note: doubles heap usage, but slightly faster */
+    #undef ECC_SHAMIR
+    #define ECC_SHAMIR
+
+    /* Reduces heap usage, but slower */
+    #undef ECC_TIMING_RESISTANT
+    #define ECC_TIMING_RESISTANT
+
+    #ifdef HAVE_FIPS
+        #undef HAVE_ECC_CDH
+        #define HAVE_ECC_CDH /* Enable cofactor support */
+
+        #undef NO_STRICT_ECDSA_LEN
+        #define NO_STRICT_ECDSA_LEN /* Do not force fixed len w/ FIPS */
+
+        #undef WOLFSSL_VALIDATE_ECC_IMPORT
+        #define WOLFSSL_VALIDATE_ECC_IMPORT /* Validate import */
+    #endif
+
+    /* Compressed Key Support */
+    #undef HAVE_COMP_KEY
+    //#define HAVE_COMP_KEY
+
+    /* Use alternate ECC size for ECC math */
+    #ifdef USE_FAST_MATH
+        /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */
+        #ifdef NO_RSA
+            /* Custom fastmath size if not using RSA */
+            #undef FP_MAX_BITS
+            #define FP_MAX_BITS (256 * 2)
+        #else
+            #undef ALT_ECC_SIZE
+            #define ALT_ECC_SIZE
+            /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overridden */
+            //#undef FP_MAX_BITS_ECC
+            //#define FP_MAX_BITS_ECC (256 * 2)
+        #endif
+
+        /* Speedups specific to curve */
+        #ifndef NO_ECC256
+            #undef TFM_ECC256
+            #define TFM_ECC256
+        #endif
+    #endif
+#endif
+
+/* DH */
+#undef NO_DH
+#if 1
+    /* Use table for DH instead of -lm (math) lib dependency */
+    #if 1
+        #define WOLFSSL_DH_CONST
+        #define HAVE_FFDHE_2048
+        #define HAVE_FFDHE_4096
+        //#define HAVE_FFDHE_6144
+        //#define HAVE_FFDHE_8192
+    #endif
+
+    #ifdef HAVE_FIPS
+        #define WOLFSSL_VALIDATE_FFC_IMPORT
+        #define HAVE_FFDHE_Q
+    #endif
+#else
+    #define NO_DH
+#endif
+
+
+/* AES */
+#undef NO_AES
+#if 1
+    #undef HAVE_AES_CBC
+    #define HAVE_AES_CBC
+
+    #undef HAVE_AESGCM
+    #define HAVE_AESGCM
+
+    /* GCM Method: GCM_SMALL, GCM_WORD32 or GCM_TABLE */
+    // #define GCM_SMALL
+    // #define GCM_WORD32
+    #define GCM_TABLE
+
+    #undef WOLFSSL_AES_DIRECT
+    #define WOLFSSL_AES_DIRECT
+
+    #undef HAVE_AES_ECB
+    #define HAVE_AES_ECB
+
+    #undef WOLFSSL_AES_COUNTER
+    #define WOLFSSL_AES_COUNTER
+
+    #undef HAVE_AESCCM
+    #define HAVE_AESCCM
+#else
+    #define NO_AES
+#endif
+
+
+/* DES3 */
+#undef NO_DES3
+#if 1
+    /* No change */
+#else
+    #define NO_DES3
+#endif
+
+/* ChaCha20 / Poly1305 */
+#undef HAVE_CHACHA
+#undef HAVE_POLY1305
+#if 0
+    #define HAVE_CHACHA
+    #define HAVE_POLY1305
+
+    /* Needed for Poly1305 */
+    #undef HAVE_ONE_TIME_AUTH
+    #define HAVE_ONE_TIME_AUTH
+#endif
+
+/* Ed25519 / Curve25519 */
+#undef HAVE_CURVE25519
+#undef HAVE_ED25519
+#if 0
+    #define HAVE_CURVE25519
+    #define HAVE_ED25519 /* ED25519 Requires SHA512 */
+
+    /* Optionally use small math (less flash usage, but much slower) */
+    #if 1
+        #define CURVED25519_SMALL
+    #endif
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------------------------------- */
+/* Sha */
+#undef NO_SHA
+#if 1
+    /* 1k smaller, but 25% slower */
+    //#define USE_SLOW_SHA
+#else
+    #define NO_SHA
+#endif
+
+/* Sha256 */
+#undef NO_SHA256
+#if 1
+    /* not unrolled - ~2k smaller and ~25% slower */
+    //#define USE_SLOW_SHA256
+
+    /* Sha224 */
+    #if 1
+        #define WOLFSSL_SHA224
+    #endif
+#else
+    #define NO_SHA256
+#endif
+
+/* Sha512 */
+#undef WOLFSSL_SHA512
+#if 1
+    #define WOLFSSL_SHA512
+
+    /* Sha384 */
+    #undef WOLFSSL_SHA384
+    #if 1
+        #define WOLFSSL_SHA384
+    #endif
+
+    /* over twice as small, but 50% slower */
+    //#define USE_SLOW_SHA512
+#endif
+
+/* Sha3 */
+#undef WOLFSSL_SHA3
+#if 1
+    #define WOLFSSL_SHA3
+#endif
+
+/* MD5 */
+#undef NO_MD5
+#if 1
+    /* No change */
+#else
+    #define NO_MD5
+#endif
+
+/* HKDF */
+#undef HAVE_HKDF
+#if 1
+    #define HAVE_HKDF
+#endif
+
+/* CMAC */
+#undef WOLFSSL_CMAC
+#if 1
+    #define WOLFSSL_CMAC
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Benchmark / Test */
+/* ------------------------------------------------------------------------- */
+/* Use reduced benchmark / test sizes */
+#undef BENCH_EMBEDDED
+#define BENCH_EMBEDDED
+
+#undef USE_CERT_BUFFERS_2048
+#define USE_CERT_BUFFERS_2048
+
+#undef USE_CERT_BUFFERS_1024
+//#define USE_CERT_BUFFERS_1024
+
+#undef USE_CERT_BUFFERS_256
+#define USE_CERT_BUFFERS_256
+
+#undef FORCE_BUFFER_TEST
+#define FORCE_BUFFER_TEST
+
+
+/* ------------------------------------------------------------------------- */
+/* Debugging */
+/* ------------------------------------------------------------------------- */
+
+#undef DEBUG_WOLFSSL
+#undef NO_ERROR_STRINGS
+#if 0
+    #define DEBUG_WOLFSSL
+#else
+    #if 0
+        #define NO_ERROR_STRINGS
+    #endif
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Memory */
+/* ------------------------------------------------------------------------- */
+
+/* Override Memory API's */
+#if 0
+    #undef XMALLOC_OVERRIDE
+    #define XMALLOC_OVERRIDE
+
+    /* prototypes for user heap override functions */
+    /* Note: Realloc only required for normal math */
+    #include <stddef.h> /* for size_t */
+    extern void *myMalloc(size_t n, void* heap, int type);
+    extern void myFree(void *p, void* heap, int type);
+    extern void *myRealloc(void *p, size_t n, void* heap, int type);
+
+    #define XMALLOC(n, h, t) myMalloc(n, h, t)
+    #define XFREE(p, h, t) myFree(p, h, t)
+    #define XREALLOC(p, n, h, t) myRealloc(p, n, h, t)
+#endif
+
+#if 0
+    /* Static memory requires fast math */
+    #define WOLFSSL_STATIC_MEMORY
+
+    /* Disable fallback malloc/free */
+    #define WOLFSSL_NO_MALLOC
+    #if 1
+    #define WOLFSSL_MALLOC_CHECK /* trap malloc failure */
+    #endif
+#endif
+
+/* Memory callbacks */
+#if 1
+    #undef USE_WOLFSSL_MEMORY
+    #define USE_WOLFSSL_MEMORY
+
+    /* Use this to measure / print heap usage */
+    #if 0
+        #undef WOLFSSL_TRACK_MEMORY
+        // #define WOLFSSL_TRACK_MEMORY
+
+        #undef WOLFSSL_DEBUG_MEMORY
+        //#define WOLFSSL_DEBUG_MEMORY
+
+        #undef WOLFSSL_DEBUG_MEMORY_PRINT
+        //#define WOLFSSL_DEBUG_MEMORY_PRINT
+    #endif
+#else
+    #ifndef WOLFSSL_STATIC_MEMORY
+        #define NO_WOLFSSL_MEMORY
+        /* Otherwise we will use stdlib malloc, free and realloc */
+    #endif
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* RNG */
+/* ------------------------------------------------------------------------- */
+
+/* Seed Source */
+#if 1
+    extern int my_rng_generate_seed(unsigned char* output, int sz);
+    #undef CUSTOM_RAND_GENERATE_SEED
+    #define CUSTOM_RAND_GENERATE_SEED my_rng_generate_seed
+#endif
+
+/* NETOS */
+#if 0
+    extern unsigned char get_byte_from_pool(void);
+    #define CUSTOM_RAND_GENERATE  get_byte_from_pool
+    #define CUSTOM_RAND_TYPE      unsigned char
+#endif
+
+/* Choose RNG method */
+#if 1
+    /* Use built-in P-RNG (SHA256 based) with HW RNG */
+    /* P-RNG + HW RNG (P-RNG is ~8K) */
+    //#define WOLFSSL_GENSEED_FORTEST
+    #undef HAVE_HASHDRBG
+    #define HAVE_HASHDRBG
+#else
+    #undef WC_NO_HASHDRBG
+    #define WC_NO_HASHDRBG
+
+    /* Bypass P-RNG and use only HW RNG */
+    extern int my_rng_gen_block(unsigned char* output, unsigned int sz);
+    #undef CUSTOM_RAND_GENERATE_BLOCK
+    #define CUSTOM_RAND_GENERATE_BLOCK my_rng_gen_block
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* Enable Features */
+/* ------------------------------------------------------------------------- */
+#undef WOLFSSL_TLS13
+#if 0
+    #define WOLFSSL_TLS13
+#endif
+
+#undef WOLFSSL_KEY_GEN
+#if 1
+    #define WOLFSSL_KEY_GEN
+#endif
+
+#if defined(HAVE_FIPS) && !defined(WOLFSSL_KEY_GEN)
+    #define WOLFSSL_OLD_PRIME_CHECK
+#endif
+
+#undef KEEP_PEER_CERT
+//#define KEEP_PEER_CERT
+
+#undef HAVE_COMP_KEY
+//#define HAVE_COMP_KEY
+
+#undef HAVE_TLS_EXTENSIONS
+#define HAVE_TLS_EXTENSIONS
+
+#undef HAVE_SUPPORTED_CURVES
+#define HAVE_SUPPORTED_CURVES
+
+#undef WOLFSSL_BASE64_ENCODE
+#define WOLFSSL_BASE64_ENCODE
+
+/* TLS Session Cache */
+#if 0
+    #define SMALL_SESSION_CACHE
+#else
+    #define NO_SESSION_CACHE
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Disable Features */
+/* ------------------------------------------------------------------------- */
+#undef NO_WOLFSSL_SERVER
+//#define NO_WOLFSSL_SERVER
+
+#undef NO_WOLFSSL_CLIENT
+//#define NO_WOLFSSL_CLIENT
+
+#undef NO_CRYPT_TEST
+//#define NO_CRYPT_TEST
+
+#undef NO_CRYPT_BENCHMARK
+//#define NO_CRYPT_BENCHMARK
+
+#undef WOLFCRYPT_ONLY
+//#define WOLFCRYPT_ONLY
+
+/* In-lining of misc.c functions */
+/* If defined, must include wolfcrypt/src/misc.c in build */
+/* Slower, but about 1k smaller */
+#undef NO_INLINE
+//#define NO_INLINE
+
+#undef NO_FILESYSTEM
+#define NO_FILESYSTEM
+
+#undef NO_WOLFSSL_DIR
+#define NO_WOLFSSL_DIR
+
+#undef NO_WRITEV
+#define NO_WRITEV
+
+#undef NO_MAIN_DRIVER
+#define NO_MAIN_DRIVER
+
+#undef NO_DEV_RANDOM
+#define NO_DEV_RANDOM
+
+#undef NO_DSA
+#define NO_DSA
+
+#undef NO_RC4
+#define NO_RC4
+
+#undef NO_OLD_TLS
+#define NO_OLD_TLS
+
+#undef NO_PSK
+#define NO_PSK
+
+#undef NO_MD4
+#define NO_MD4
+
+#undef NO_PWDBASED
+//#define NO_PWDBASED
+
+#undef NO_CODING
+//#define NO_CODING
+
+#undef NO_ASN_TIME
+//#define NO_ASN_TIME
+
+#undef NO_CERTS
+//#define NO_CERTS
+
+#undef NO_SIG_WRAPPER
+//#define NO_SIG_WRAPPER
+
+/* ACVP Testing ONLY specific settings */
+#if 0
+    #undef USE_NORMAL_PRINTF
+    #define USE_NORMAL_PRINTF
+
+    #undef USE_UART_READ_LINE
+    #define USE_UART_READ_LINE
+
+    #undef USE_SMALL_MONTE
+    #define USE_SMALL_MONTE
+
+    #undef WOLFSSL_PUBLIC_MP
+    #define WOLFSSL_PUBLIC_MP
+
+    #undef HAVE_FORCE_FIPS_FAILURE
+    #define HAVE_FORCE_FIPS_FAILURE
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFSSL_USER_SETTINGS_H */
--- a/IDE/NETOS/wolfssl_netos_custom.c
+++ b/IDE/NETOS/wolfssl_netos_custom.c
@ -68,7 +68,7 @@ unsigned char get_byte_from_pool(void)

 int my_rng_generate_seed(unsigned char* output, int sz)
 {
-    word32 i;
+    int i;
    srand(get_byte_from_pool());

    for (i = 0; i < sz; i++) {
--- a/IDE/Renesas/cs+/Projects/README
+++ b/IDE/Renesas/cs+/Projects/README
@ -13,3 +13,6 @@ test:
  - set stack size in "bsp/stacksct.h"
  Build "test" wolfCrypt

+
+Note: It could need to initialize clock for the device. You can refer the link below
+https://www.renesas.com/ja/document/apn/rx65n-group-rx651-group-initial-settings-example-rev211?language=en&r=1054461
--- a/IDE/Renesas/cs+/Projects/common/user_settings.h
+++ b/IDE/Renesas/cs+/Projects/common/user_settings.h
@ -76,4 +76,5 @@

 #define NO_FILESYSTEM

+#define XSTRCASECMP(s1,s2) strcmp((s1),(s2))

--- a/IDE/Renesas/cs+/Projects/common/wolfssl_dummy.c
+++ b/IDE/Renesas/cs+/Projects/common/wolfssl_dummy.c
@ -59,4 +59,9 @@ void abort(void)
    while(1);
 }

+/* dummy return true when char is alphanumeric character */
+int isascii(const char *s)
+{
+    return isalnum(s);
+}

--- a/IDE/STM32Cube/README.md
+++ b/IDE/STM32Cube/README.md
@ -15,30 +15,34 @@ You need both the STM32 IDE and the STM32 initialization code generator (STM32Cu
 * STM32CubeIDE: Integrated Development Environment for STM32 [https://www.st.com/en/development-tools/stm32cubeide.html](https://www.st.com/en/development-tools/stm32cubeide.html)
 * STM32CubeMX: STM32Cube initialization code generator [https://www.st.com/en/development-tools/stm32cubemx.html](https://www.st.com/en/development-tools/stm32cubemx.html)

-## STM32 Cube Pack
+## STM32 Cube Pack Install

-### STM32 Cube Pack Installation
+The STM32 Cube packs are integrated into the STM32CubeIDE and STM32CubeMX tools. You will find packs for wolfSSL, wolfSSH, wolfTPM and wolfMQTT.
+
+If you need to manually install a Cube Pack you can do the following:

 1. Download [wolfSSL Cube Pack](https://www.wolfssl.com/files/ide/I-CUBE-wolfSSL.pack)
-2. Run the “STM32CubeMX” tool.
-3. Under “Manage software installations” pane on the right, click “INSTALL/REMOVE” button. This can be also found by clicking "Help" -> "Managed embedded software packages"
-4. From Local and choose “I-CUBE-wolfSSL.pack”.
+2. Run the "STM32CubeMX" tool.
+3. Under "Manage software installations" pane on the right, click "INSTALL/REMOVE" button. This can be also found by clicking "Help" -> "Managed embedded software packages"
+4. From Local and choose "I-CUBE-wolfSSL.pack".
 5. Accept the GPLv2 license. Contact wolfSSL at sales@wolfssl.com for a commercial license and support/maintenance.

 ### STM32 Cube Pack Usage

 1. Create or open a Cube Project based on your hardware. See the sections below for creating a project and finding the example projects.
-2. Under “Software Packs” choose “Select Components”.
+2. Under "Software Packs" choose "Select Components".
 3. Find and check all components for the wolfSSL.wolfSSL packs (wolfSSL / Core, wolfCrypt / Core and wolfCrypt / Test). Close
-4. Under the “Software Packs” section click on “wolfSSL.wolfSSL” and configure the parameters.
-5. For Cortex-M recommend “Math Configuration” -> “Single Precision Cortex-M Math” for the fastest option. If seeing `error: r7 cannot be used in 'asm` add `-fomit-frame-pointer` to the CFLAGS. This only happens in debug builds, because r7 is used for debug.
+4. Under the "Software Packs" section click on "wolfSSL.wolfSSL" and configure the parameters.
+5. For Cortex-M recommend "Math Configuration" -> "Single Precision Cortex-M Math" for the fastest option.
+  - If seeing `error: r7 cannot be used in 'asm` add `-fomit-frame-pointer` to the CFLAGS. This only happens in debug builds, because `r7` is used for debug.
 6. Hit the "Generate Code" button
 7. Open the project in STM32CubeIDE
 8. The Benchmark example uses float. To enable go to "Project Properties" -> "C/C++ Build" -> "Settings" -> "Tool Settings" -> "MCU Settings" -> Check "Use float with printf".
 9. To enable printf make the `main.c` changes below in the [STM32 Printf](#stm32-printf) section.

-
-**Note:** The STM32MP13 will likely require you to use DDR RAM, as well as enabling MMU and caches for optimum performance. Please see the `STM32MP13.md` file in `wolfcrypt/src/port/st` for more information on how to do this.
+**Notes:**
+* The STM32MP13 will likely require you to use DDR RAM, as well as enabling MMU and caches for optimum performance. Please see the `STM32MP13.md` file in `wolfcrypt/src/port/st` for more information on how to do this.
+* The STM32H7S only has 64KB of onboard flash. Customers typically use an external SPI NOR flash with XIP. The `Template_XIP_Boot` project is flashed to onboard and it starts up the SPI Flash with XIP and loads the application. To use this you need to make sure the option byte `XSPI2_HSLB` is set to enable XSPIM_P2 high speed support, otherwise the MX_EXTMEM_MANAGER_Init() will timeout and fail.

 ### Creating your own STM32CubeMX configuration

@ -89,7 +93,9 @@ The section for "Hardware platform" may need to be adjusted depending on your pr
 * To enable STM32L4 support define `WOLFSSL_STM32L4`.
 * To enable STM32L5 support define `WOLFSSL_STM32L5`.
 * To enable STM32H7 support define `WOLFSSL_STM32H7`.
+* To enable STM32H7S support define `WOLFSSL_STM32H7S`.
 * To enable STM32WB support define `WOLFSSL_STM32WB`.
+* To enable STM32WBA support define `WOLFSSL_STM32WBA`.
 * To enable STM32WL support define `WOLFSSL_STM32WL`.
 * To enable STM32U5 support define `WOLFSSL_STM32U5`.
 * To enable STM32H5 support define `WOLFSSL_STM32H5`.
@ -110,6 +116,10 @@ To enable the latest Cube HAL support please define `STM32_HAL_V2`.

 If you'd like to use the older Standard Peripheral library undefine `WOLFSSL_STM32_CUBEMX`.

+## Workarounds
+
+### STM32F7 AES GCM with pack v1.17.0 or older
+
 With STM32 Cube HAL v2 some AES GCM hardware has a limitation for the AAD header, which must be a multiple of 4 bytes. If your HAL does not support `CRYP_HEADERWIDTHUNIT_BYTE` then consider adding `STM32_AESGCM_PARTIAL` if you are getting AES GCM authentication failures. This bug existed in v1.16.0 or later.

 The STM32F7 v1.17.0 pack has a bug in the AES GCM code for handling of additional authentication data when not a multiple of 4 bytes. To patch see `stm32f7xx_hal_cryp.c` -> `CRYP_GCMCCM_SetHeaderPhase`:
--- a/IDE/STM32Cube/STM32_Benchmarks.md
+++ b/IDE/STM32Cube/STM32_Benchmarks.md
@ -1,16 +1,17 @@
 # STM Benchmarks

-* [STM32H753ZI](#stm32h753zi)
-* [STM32WB55](#stm32wb55)
-* [STM32WL55](#stm32wl55)
 * [STM32F437](#stm32f437)
+* [STM32F777](#stm32f777)
+* [STM32G071RB](#stm32g071rb)
+* [STM32H563ZI](#stm32h563zi)
+* [STM32H753ZI](#stm32h753zi)
+* [STM32H7S3](#stm32h7s3)
 * [STM32L4A6Z](#stm32l4a6z)
 * [STM32L562E](#stm32l562e)
-* [STM32F777](#stm32f777)
 * [STM32U585](#stm32u585)
-* [STM32H563ZI](#stm32h563zi)
-* [STM32G071RB](#stm32g071rb)
-
+* [STM32WB55](#stm32wb55)
+* [STM32WBA52](#stm32wba52)
+* [STM32WL55](#stm32wl55)

 ## STM32H753ZI

@ -172,6 +173,179 @@ Benchmark Test: Return code 0
 ```


+## STM32H7S3
+
+Supports RNG, PKA ECC P-256, AES-GCM/CCM/CTR/CBC and SHA-1/2 acceleration.
+
+Board: NUCLEO-H7S3L8
+CPU: Cortex-M7 at 600 MHz
+IDE: STM32CubeIDE
+RTOS: Bare-metal
+
+Notes:
+* The STM32H7S only has 64KB of onboard flash. Customers typically use an external SPI NOR flash with XIP. The `Template_XIP_Boot` project is flashed to onboard and it starts up the SPI Flash with XIP and loads the application. To use this you need to make sure the option byte `XSPI2_HSLB` is set to enable XSPIM_P2 high speed support, otherwise the MX_EXTMEM_MANAGER_Init() will timeout and fail.
+* These tests were run without the SP Cortex-M assembly speedups due to issues with release optimizations possibly related to execute in place or caching.
+
+### STM32H7S3 (-Os, HW Crypto (AES/HASH/PKA), WOLF_CONF_MATH=3 (sp_c32.c))
+
+```
+------------------------------------------------------------------------------
+ wolfSSL version 5.7.6
+------------------------------------------------------------------------------
+wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
+RNG                          2 MiB took 1.000 seconds,    1.880 MiB/s
+AES-128-CBC-enc             16 MiB took 1.000 seconds,   15.747 MiB/s
+AES-128-CBC-dec             15 MiB took 1.000 seconds,   15.454 MiB/s
+AES-192-CBC-enc             16 MiB took 1.000 seconds,   15.723 MiB/s
+AES-192-CBC-dec             16 MiB took 1.000 seconds,   15.527 MiB/s
+AES-256-CBC-enc             16 MiB took 1.000 seconds,   15.723 MiB/s
+AES-256-CBC-dec             15 MiB took 1.000 seconds,   15.356 MiB/s
+AES-128-GCM-enc             10 MiB took 1.000 seconds,   10.132 MiB/s
+AES-128-GCM-dec             10 MiB took 1.000 seconds,   10.083 MiB/s
+AES-192-GCM-enc             10 MiB took 1.000 seconds,   10.156 MiB/s
+AES-192-GCM-dec             10 MiB took 1.000 seconds,   10.083 MiB/s
+AES-256-GCM-enc             10 MiB took 1.000 seconds,   10.156 MiB/s
+AES-256-GCM-dec             10 MiB took 1.000 seconds,   10.107 MiB/s
+AES-128-GCM-enc-no_AAD      10 MiB took 1.000 seconds,   10.229 MiB/s
+AES-128-GCM-dec-no_AAD      10 MiB took 1.000 seconds,   10.132 MiB/s
+AES-192-GCM-enc-no_AAD      10 MiB took 1.000 seconds,   10.181 MiB/s
+AES-192-GCM-dec-no_AAD      10 MiB took 1.000 seconds,   10.107 MiB/s
+AES-256-GCM-enc-no_AAD      10 MiB took 1.000 seconds,   10.181 MiB/s
+AES-256-GCM-dec-no_AAD      10 MiB took 1.000 seconds,   10.132 MiB/s
+GMAC Table 4-bit            46 MiB took 1.000 seconds,   45.835 MiB/s
+CHACHA                      32 MiB took 1.000 seconds,   31.519 MiB/s
+CHA-POLY                    15 MiB took 1.000 seconds,   15.259 MiB/s
+POLY1305                    57 MiB took 1.000 seconds,   56.934 MiB/s
+SHA-256                     90 MiB took 1.000 seconds,   90.381 MiB/s
+SHA-384                     98 MiB took 1.000 seconds,   97.925 MiB/s
+SHA-512                     98 MiB took 1.000 seconds,   97.925 MiB/s
+SHA-512/224                 98 MiB took 1.000 seconds,   98.120 MiB/s
+SHA-512/256                 98 MiB took 1.000 seconds,   98.096 MiB/s
+HMAC-SHA256                 71 MiB took 1.000 seconds,   71.265 MiB/s
+HMAC-SHA384                 89 MiB took 1.000 seconds,   88.599 MiB/s
+HMAC-SHA512                 89 MiB took 1.000 seconds,   88.843 MiB/s
+RSA     2048   public       352 ops took 1.000 sec, avg 2.841 ms, 352.000 ops/sec
+RSA     2048  private         6 ops took 1.008 sec, avg 168.000 ms, 5.952 ops/sec
+DH      2048  key gen        15 ops took 1.027 sec, avg 68.467 ms, 14.606 ops/sec
+DH      2048    agree        16 ops took 1.094 sec, avg 68.375 ms, 14.625 ops/sec
+ECC   [      SECP256R1]   256  key gen        60 ops took 1.016 sec, avg 16.933 ms, 59.055 ops/sec
+ECDHE [      SECP256R1]   256    agree        60 ops took 1.011 sec, avg 16.850 ms, 59.347 ops/sec
+ECDSA [      SECP256R1]   256     sign       106 ops took 1.008 sec, avg 9.509 ms, 105.159 ops/sec
+ECDSA [      SECP256R1]   256   verify       102 ops took 1.004 sec, avg 9.843 ms, 101.594 ops/sec
+CURVE  25519  key gen        14 ops took 1.011 sec, avg 72.214 ms, 13.848 ops/sec
+CURVE  25519    agree        18 ops took 1.079 sec, avg 59.944 ms, 16.682 ops/sec
+ED     25519  key gen        11 ops took 1.063 sec, avg 96.636 ms, 10.348 ops/sec
+ED     25519     sign        12 ops took 1.173 sec, avg 97.750 ms, 10.230 ops/sec
+ED     25519   verify         6 ops took 1.015 sec, avg 169.167 ms, 5.911 ops/sec
+```
+
+### STM32H7S3 (-O2, No HW Crypto, WOLF_CONF_ARMASM=1, WOLF_CONF_MATH=4 (sp_cortexm.c))
+
+```
+------------------------------------------------------------------------------
+ wolfSSL version 5.7.6
+------------------------------------------------------------------------------
+wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
+RNG                          4 MiB took 1.004 seconds,    4.231 MiB/s
+AES-128-CBC-enc            425 KiB took 1.027 seconds,  413.827 KiB/s
+AES-128-CBC-dec            425 KiB took 1.020 seconds,  416.667 KiB/s
+AES-192-CBC-enc            350 KiB took 1.011 seconds,  346.192 KiB/s
+AES-192-CBC-dec            350 KiB took 1.012 seconds,  345.850 KiB/s
+AES-256-CBC-enc            300 KiB took 1.012 seconds,  296.443 KiB/s
+AES-256-CBC-dec            300 KiB took 1.012 seconds,  296.443 KiB/s
+AES-128-GCM-enc            350 KiB took 1.000 seconds,  350.000 KiB/s
+AES-128-GCM-dec            375 KiB took 1.067 seconds,  351.453 KiB/s
+AES-192-GCM-enc            300 KiB took 1.004 seconds,  298.805 KiB/s
+AES-192-GCM-dec            300 KiB took 1.004 seconds,  298.805 KiB/s
+AES-256-GCM-enc            275 KiB took 1.051 seconds,  261.656 KiB/s
+AES-256-GCM-dec            275 KiB took 1.047 seconds,  262.655 KiB/s
+AES-128-GCM-enc-no_AAD     350 KiB took 1.000 seconds,  350.000 KiB/s
+AES-128-GCM-dec-no_AAD     350 KiB took 1.000 seconds,  350.000 KiB/s
+AES-192-GCM-enc-no_AAD     300 KiB took 1.003 seconds,  299.103 KiB/s
+AES-192-GCM-dec-no_AAD     300 KiB took 1.004 seconds,  298.805 KiB/s
+AES-256-GCM-enc-no_AAD     275 KiB took 1.051 seconds,  261.656 KiB/s
+AES-256-GCM-dec-no_AAD     275 KiB took 1.047 seconds,  262.655 KiB/s
+GMAC Table 4-bit             9 MiB took 1.000 seconds,    8.525 MiB/s
+CHACHA                      52 MiB took 1.000 seconds,   51.636 MiB/s
+CHA-POLY                    28 MiB took 1.000 seconds,   28.052 MiB/s
+POLY1305                   164 MiB took 1.000 seconds,  164.258 MiB/s
+SHA-256                     16 MiB took 1.000 seconds,   16.064 MiB/s
+SHA-384                      8 MiB took 1.000 seconds,    8.398 MiB/s
+SHA-512                      8 MiB took 1.000 seconds,    8.398 MiB/s
+SHA-512/224                  8 MiB took 1.000 seconds,    8.398 MiB/s
+SHA-512/256                  8 MiB took 1.000 seconds,    8.374 MiB/s
+HMAC-SHA256                 16 MiB took 1.000 seconds,   15.894 MiB/s
+HMAC-SHA384                  8 MiB took 1.000 seconds,    8.252 MiB/s
+HMAC-SHA512                  8 MiB took 1.000 seconds,    8.276 MiB/s
+RSA     2048   public       598 ops took 1.000 sec, avg 1.672 ms, 598.000 ops/sec
+RSA     2048  private        18 ops took 1.074 sec, avg 59.667 ms, 16.760 ops/sec
+DH      2048  key gen        37 ops took 1.024 sec, avg 27.676 ms, 36.133 ops/sec
+DH      2048    agree        38 ops took 1.051 sec, avg 27.658 ms, 36.156 ops/sec
+ECC   [      SECP256R1]   256  key gen       906 ops took 1.000 sec, avg 1.104 ms, 906.000 ops/sec
+ECDHE [      SECP256R1]   256    agree       562 ops took 1.000 sec, avg 1.779 ms, 562.000 ops/sec
+ECDSA [      SECP256R1]   256     sign       304 ops took 1.004 sec, avg 3.303 ms, 302.789 ops/sec
+ECDSA [      SECP256R1]   256   verify       232 ops took 1.004 sec, avg 4.328 ms, 231.076 ops/sec
+CURVE  25519  key gen        16 ops took 1.008 sec, avg 63.000 ms, 15.873 ops/sec
+CURVE  25519    agree        20 ops took 1.023 sec, avg 51.150 ms, 19.550 ops/sec
+ED     25519  key gen        12 ops took 1.016 sec, avg 84.667 ms, 11.811 ops/sec
+ED     25519     sign        12 ops took 1.028 sec, avg 85.667 ms, 11.673 ops/sec
+ED     25519   verify         8 ops took 1.176 sec, avg 147.000 ms, 6.803 ops/sec
+```
+
+### STM32H7S3 (-O2, No HW Crypto, WOLF_CONF_ARMASM=0, WOLF_CONF_MATH=6 (sp_int.c))
+
+```
+------------------------------------------------------------------------------
+ wolfSSL version 5.7.6
+------------------------------------------------------------------------------
+wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
+RNG                          2 MiB took 1.004 seconds,    2.189 MiB/s
+AES-128-CBC-enc            425 KiB took 1.044 seconds,  407.088 KiB/s
+AES-128-CBC-dec            350 KiB took 1.032 seconds,  339.147 KiB/s
+AES-192-CBC-enc            350 KiB took 1.031 seconds,  339.476 KiB/s
+AES-192-CBC-dec            300 KiB took 1.059 seconds,  283.286 KiB/s
+AES-256-CBC-enc            300 KiB took 1.027 seconds,  292.113 KiB/s
+AES-256-CBC-dec            250 KiB took 1.027 seconds,  243.427 KiB/s
+AES-128-GCM-enc            350 KiB took 1.055 seconds,  331.754 KiB/s
+AES-128-GCM-dec            350 KiB took 1.055 seconds,  331.754 KiB/s
+AES-192-GCM-enc            300 KiB took 1.059 seconds,  283.286 KiB/s
+AES-192-GCM-dec            300 KiB took 1.059 seconds,  283.286 KiB/s
+AES-256-GCM-enc            250 KiB took 1.008 seconds,  248.016 KiB/s
+AES-256-GCM-dec            250 KiB took 1.008 seconds,  248.016 KiB/s
+AES-128-GCM-enc-no_AAD     350 KiB took 1.051 seconds,  333.016 KiB/s
+AES-128-GCM-dec-no_AAD     350 KiB took 1.071 seconds,  326.797 KiB/s
+AES-192-GCM-enc-no_AAD     300 KiB took 1.055 seconds,  284.360 KiB/s
+AES-192-GCM-dec-no_AAD     300 KiB took 1.055 seconds,  284.360 KiB/s
+AES-256-GCM-enc-no_AAD     250 KiB took 1.004 seconds,  249.004 KiB/s
+AES-256-GCM-dec-no_AAD     250 KiB took 1.004 seconds,  249.004 KiB/s
+GMAC Table 4-bit             2 MiB took 1.000 seconds,    1.690 MiB/s
+CHACHA                      36 MiB took 1.000 seconds,   35.522 MiB/s
+CHA-POLY                    14 MiB took 1.000 seconds,   14.185 MiB/s
+POLY1305                    78 MiB took 1.000 seconds,   77.686 MiB/s
+SHA-256                      6 MiB took 1.000 seconds,    5.591 MiB/s
+SHA-384                      6 MiB took 1.000 seconds,    6.470 MiB/s
+SHA-512                      6 MiB took 1.000 seconds,    6.348 MiB/s
+SHA-512/224                  6 MiB took 1.000 seconds,    6.348 MiB/s
+SHA-512/256                  6 MiB took 1.000 seconds,    6.348 MiB/s
+HMAC-SHA256                  6 MiB took 1.000 seconds,    5.542 MiB/s
+HMAC-SHA384                  6 MiB took 1.000 seconds,    6.250 MiB/s
+HMAC-SHA512                  6 MiB took 1.000 seconds,    6.299 MiB/s
+RSA     2048   public       382 ops took 1.000 sec, avg 2.618 ms, 382.000 ops/sec
+RSA     2048  private         8 ops took 1.196 sec, avg 149.500 ms, 6.689 ops/sec
+DH      2048  key gen        17 ops took 1.039 sec, avg 61.118 ms, 16.362 ops/sec
+DH      2048    agree        18 ops took 1.098 sec, avg 61.000 ms, 16.393 ops/sec
+ECC   [      SECP256R1]   256  key gen        64 ops took 1.020 sec, avg 15.937 ms, 62.745 ops/sec
+ECDHE [      SECP256R1]   256    agree        64 ops took 1.016 sec, avg 15.875 ms, 62.992 ops/sec
+ECDSA [      SECP256R1]   256     sign        52 ops took 1.035 sec, avg 19.904 ms, 50.242 ops/sec
+ECDSA [      SECP256R1]   256   verify        30 ops took 1.035 sec, avg 34.500 ms, 28.986 ops/sec
+CURVE  25519  key gen        16 ops took 1.008 sec, avg 63.000 ms, 15.873 ops/sec
+CURVE  25519    agree        20 ops took 1.020 sec, avg 51.000 ms, 19.608 ops/sec
+ED     25519  key gen        13 ops took 1.094 sec, avg 84.154 ms, 11.883 ops/sec
+ED     25519     sign        12 ops took 1.004 sec, avg 83.667 ms, 11.952 ops/sec
+ED     25519   verify         8 ops took 1.149 sec, avg 143.625 ms, 6.963 ops/sec
+```
+
+
 ## STM32WB55

 Supports RNG, ECC P-256, AES-CBC and SHA-256 acceleration.
@ -290,6 +464,57 @@ Benchmark Test: Return code 0
 ```


+## STM32WBA52
+
+Supports RNG, ECC P-256, AES-CBC and SHA-256 acceleration.
+
+Board: NUCLEO-WBA52CG
+CPU: Cortex-M33 at 96MHz
+IDE: STM32CubeIDE
+RTOS: Bare-metal
+
+### STM32WBA52 (STM AES/Hash/PKA ECC Acceleration, -Os, SP-C32)
+
+```
+------------------------------------------------------------------------------
+ wolfSSL version 5.7.6
+------------------------------------------------------------------------------
+Running wolfCrypt Benchmarks...
+wolfCrypt Benchmark (block bytes 1024, min 1.0 sec each)
+RNG                        275 KiB took 1.020 seconds,  269.608 KiB/s
+AES-128-CBC-enc              4 MiB took 1.000 seconds,    4.395 MiB/s
+AES-128-CBC-dec              4 MiB took 1.000 seconds,    4.370 MiB/s
+AES-256-CBC-enc              4 MiB took 1.000 seconds,    4.102 MiB/s
+AES-256-CBC-dec              4 MiB took 1.000 seconds,    4.077 MiB/s
+AES-128-GCM-enc            575 KiB took 1.031 seconds,  557.711 KiB/s
+AES-128-GCM-dec            575 KiB took 1.032 seconds,  557.171 KiB/s
+AES-256-GCM-enc            550 KiB took 1.000 seconds,  550.000 KiB/s
+AES-256-GCM-dec            550 KiB took 1.000 seconds,  550.000 KiB/s
+AES-128-GCM-enc-no_AAD     575 KiB took 1.024 seconds,  561.523 KiB/s
+AES-128-GCM-dec-no_AAD     575 KiB took 1.023 seconds,  562.072 KiB/s
+AES-256-GCM-enc-no_AAD     575 KiB took 1.039 seconds,  553.417 KiB/s
+AES-256-GCM-dec-no_AAD     575 KiB took 1.039 seconds,  553.417 KiB/s
+GMAC Table 4-bit             1 MiB took 1.000 seconds,    1.266 MiB/s
+CHACHA                       3 MiB took 1.004 seconds,    2.942 MiB/s
+CHA-POLY                     2 MiB took 1.008 seconds,    1.865 MiB/s
+POLY1305                     7 MiB took 1.000 seconds,    7.251 MiB/s
+SHA-256                      7 MiB took 1.000 seconds,    7.495 MiB/s
+SHA-384                    600 KiB took 1.039 seconds,  577.478 KiB/s
+HMAC-SHA256                  7 MiB took 1.000 seconds,    7.275 MiB/s
+HMAC-SHA384                575 KiB took 1.012 seconds,  568.182 KiB/s
+RSA     2048   public        62 ops took 1.019 sec, avg 16.435 ms, 60.844 ops/sec
+RSA     2048  private         2 ops took 1.102 sec, avg 551.000 ms, 1.815 ops/sec
+DH      2048  key gen         4 ops took 1.086 sec, avg 271.500 ms, 3.683 ops/sec
+DH      2048    agree         4 ops took 1.086 sec, avg 271.500 ms, 3.683 ops/sec
+ECC   [      SECP256R1]   256  key gen       114 ops took 1.000 sec, avg 8.772 ms, 114.000 ops/sec
+ECDHE [      SECP256R1]   256    agree        54 ops took 1.024 sec, avg 18.963 ms, 52.734 ops/sec
+ECDSA [      SECP256R1]   256     sign        36 ops took 1.047 sec, avg 29.083 ms, 34.384 ops/sec
+ECDSA [      SECP256R1]   256   verify        34 ops took 1.019 sec, avg 29.971 ms, 33.366 ops/sec
+Benchmark complete
+Benchmark Test: Return code 0
+```
+
+
 ## STM32WL55

 Supports RNG, ECC P-256 and AES-CBC acceleration.
--- a/IDE/STM32Cube/default_conf.ftl
+++ b/IDE/STM32Cube/default_conf.ftl
@ -76,6 +76,13 @@ extern ${variable.value} ${variable.name};
    #define WOLFSSL_STM32_PKA
    #undef  NO_STM32_CRYPTO
    #define HAL_CONSOLE_UART huart1
+#elif defined(STM32WBA52xx)
+    #define WOLFSSL_STM32WBA
+    #define WOLFSSL_STM32_PKA
+    #undef  NO_STM32_HASH
+    #undef  NO_STM32_CRYPTO
+    /* NUCLEO-WBA52CG USART1 (TX=PB12 / RX=PA8) */
+    #define HAL_CONSOLE_UART huart1
 #elif defined(STM32WL55xx)
    #define WOLFSSL_STM32WL
    #define WOLFSSL_STM32_PKA
@ -102,6 +109,12 @@ extern ${variable.value} ${variable.name};
    #undef  NO_STM32_CRYPTO
    #define STM32_HAL_V2
    #define HAL_CONSOLE_UART huart3
+#elif defined(STM32H7S3xx)
+    #define WOLFSSL_STM32H7S
+    #undef  NO_STM32_HASH
+    #undef  NO_STM32_CRYPTO
+    #define WOLFSSL_STM32_PKA
+    #define HAL_CONSOLE_UART huart3
 #elif defined(STM32H753xx)
    #define WOLFSSL_STM32H7
    #undef  NO_STM32_HASH
@ -326,6 +339,10 @@ extern ${variable.value} ${variable.name};
 #if defined(WOLF_CONF_DTLS) && WOLF_CONF_DTLS == 1
    #define WOLFSSL_DTLS
 #endif
+#if defined(WOLF_CONF_DTLS13) && WOLF_CONF_DTLS13 == 1
+    #define WOLFSSL_DTLS13
+    #define WOLFSSL_SEND_HRR_COOKIE
+#endif
 #if defined(WOLF_CONF_PSK) && WOLF_CONF_PSK == 0
    #define NO_PSK
 #endif
@ -575,25 +592,25 @@ extern ${variable.value} ${variable.name};
 /* NOTE: this is after the hashing section to override the potential SHA3 undef
 * above. */
 #if defined(WOLF_CONF_KYBER) && WOLF_CONF_KYBER == 1
-#undef  WOLFSSL_EXPERIMENTAL_SETTINGS
-#define WOLFSSL_EXPERIMENTAL_SETTINGS
+    #undef  WOLFSSL_EXPERIMENTAL_SETTINGS
+    #define WOLFSSL_EXPERIMENTAL_SETTINGS

-#undef  WOLFSSL_HAVE_KYBER
-#define WOLFSSL_HAVE_KYBER
+    #undef  WOLFSSL_HAVE_MLKEM
+    #define WOLFSSL_HAVE_MLKEM

-#undef  WOLFSSL_WC_KYBER
-#define WOLFSSL_WC_KYBER
+    #undef  WOLFSSL_WC_MLKEM
+    #define WOLFSSL_WC_MLKEM

-#undef  WOLFSSL_NO_SHAKE128
-#undef  WOLFSSL_SHAKE128
-#define WOLFSSL_SHAKE128
+    #undef  WOLFSSL_NO_SHAKE128
+    #undef  WOLFSSL_SHAKE128
+    #define WOLFSSL_SHAKE128

-#undef  WOLFSSL_NO_SHAKE256
-#undef  WOLFSSL_SHAKE256
-#define WOLFSSL_SHAKE256
+    #undef  WOLFSSL_NO_SHAKE256
+    #undef  WOLFSSL_SHAKE256
+    #define WOLFSSL_SHAKE256

-#undef  WOLFSSL_SHA3
-#define WOLFSSL_SHA3
+    #undef  WOLFSSL_SHA3
+    #define WOLFSSL_SHA3
 #endif /* WOLF_CONF_KYBER */

 /* ------------------------------------------------------------------------- */
@ -608,6 +625,7 @@ extern ${variable.value} ${variable.name};
    #define WOLFSSL_ARMASM_INLINE
    #define WOLFSSL_ARMASM_NO_HW_CRYPTO
    #define WOLFSSL_ARMASM_NO_NEON
+    #define WOLFSSL_ARMASM_THUMB2
    #define WOLFSSL_ARM_ARCH 7
    /* Disable H/W offloading if accelerating S/W crypto */
    #undef  NO_STM32_HASH
@ -694,8 +712,14 @@ extern ${variable.value} ${variable.name};
 #define NO_RC4
 #define NO_MD4
 #define NO_DES3
+
+#ifndef WOLFSSL_SHAKE128
 #define WOLFSSL_NO_SHAKE128
+#endif
+
+#ifndef WOLFSSL_SHAKE256
 #define WOLFSSL_NO_SHAKE256
+#endif

 /* In-lining of misc.c functions */
 /* If defined, must include wolfcrypt/src/misc.c in build */
--- a/IDE/STM32Cube/wolfssl_example.c
+++ b/IDE/STM32Cube/wolfssl_example.c
@ -1750,7 +1750,7 @@ static int tls13_uart_client(void)

    wolfSSL_SetIOReadCtx(ssl, tbuf);

-#ifdef WOLFSSL_HAVE_KYBER
+#ifdef WOLFSSL_HAVE_MLKEM
 #ifndef WOLFSSL_NO_ML_KEM
    if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ML_KEM_512) != WOLFSSL_SUCCESS) {
        printf("wolfSSL_UseKeyShare Error!!");
--- a/IDE/WIN-SRTP-KDF-140-3/user_settings.h
+++ b/IDE/WIN-SRTP-KDF-140-3/user_settings.h
@ -80,24 +80,15 @@
        #define WOLFSSL_VALIDATE_ECC_IMPORT
        #define WOLFSSL_VALIDATE_FFC_IMPORT
        #define HAVE_FFDHE_Q
-        #define HAVE_PUBLIC_FFDHE
    #ifdef _WIN64
        #define WOLFSSL_AESNI
-        #define HAVE_INTEL_RDSEED
    #endif
-        #define FORCE_FAILURE_RDSEED
    #endif /* FIPS v2 */
    #if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5)
-        #undef WOLFSSL_AESNI /* Comment out if using PAA */
-        #undef HAVE_INTEL_RDSEED
-        #undef FORCE_FAILURE_RDSEED
-        #undef HAVE_PUBLIC_FFDHE
-
        #define NO_DES
        #define NO_DES3
        #define NO_MD5
        #define NO_OLD_TLS
-
        #define WOLFSSL_TLS13
        #define HAVE_TLS_EXTENSIONS
        #define HAVE_SUPPORTED_CURVES
@ -124,17 +115,28 @@
        #define FP_MAX_BITS 16384
    #endif /* FIPS v5 */
    #if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 6)
+        #undef WOLFSSL_AESNI /* Comment out if using PAA */
        #define HAVE_ED25519
+        #define HAVE_CURVE25519
+        #define WOLFSSL_ED25519_STREAMING_VERIFY
+        #define HAVE_ED25519_KEY_IMPORT
        #define HAVE_ED448
+        #define HAVE_CURVE448
+        #define HAVE_ED448_KEY_IMPORT
+        #define WOLFSSL_ED448_STREAMING_VERIFY
+        #undef  WOLFSSL_NO_SHAKE256
        #define WOLFSSL_SHAKE256
        #define WOLFSSL_SHAKE128
        #define WOLFSSL_AES_CFB
        #define WOLFSSL_AES_XTS
+        #define WOLFSSL_AESXTS_STREAM
+        #define WOLFSSL_AESGCM_STREAM
        #define HAVE_AES_KEYWRAP
        #define WC_SRTP_KDF
        #define HAVE_PBKDF2
        #define WOLFCRYPT_FIPS_CORE_HASH_VALUE \
-                AA9F70F147FAB898A76F587873AC4E9C7050D6E1F5828046BE871C54EDF2BF1C
+      AE8F969C072FB4A87B5C594F96162002F3CCEB6026BDB2553C8621AE197F7059 //woPAA
+      //E257E8C21764333E4710316D208A90D4ECA0682D6F40DC3F4A6E259D4752E306 //wPAA
        #define WOLFSSL_NOSHA512_224
        #define WOLFSSL_NOSHA512_256

@ -174,4 +176,24 @@
    #endif
 #endif /* HAVE_FIPS */

+/* For optesting and code review and harness/vector processing */
+#if 0
+    #undef USE_CERT_BUFFERS_2048
+    #define USE_CERT_BUFFERS_2048
+
+    #undef USE_CERT_BUFFERS_256
+    #define USE_CERT_BUFFERS_256
+
+    #define NO_MAIN_DRIVER
+    #define HAVE_FORCE_FIPS_FAILURE
+    #define OPTEST_LOGGING_ENABLED
+    #define OPTEST_INVALID_LOGGING_ENABLED
+    #define DEBUG_FIPS_VERBOSE
+    #define OPTEST_RUNNING_ORGANIC
+    #define DEBUG_WOLFSSL
+    #define OPTEST_LOG_TE_MAPPING
+    #define DEEPLY_EMBEDDED
+    #define WORKING_WITH_AEGISOLVE
+#endif /* 1 || 0 */
+
 #endif /* _WIN_USER_SETTINGS_H_ */
--- a/IDE/WIN-SRTP-KDF-140-3/wolfssl-fips.rc
+++ b/IDE/WIN-SRTP-KDF-140-3/wolfssl-fips.rc
@ -60,7 +60,7 @@ VS_VERSION_INFO VERSIONINFO
 FILEFLAGS 0x0L
 #endif
 FILEOS 0x40004L
- FILETYPE 0x7L
+ FILETYPE VFT_DLL
 FILESUBTYPE 0x0L
 BEGIN
    BLOCK "StringFileInfo"
--- a/IDE/WIN-SRTP-KDF-140-3/wolfssl-fips.vcxproj
+++ b/IDE/WIN-SRTP-KDF-140-3/wolfssl-fips.vcxproj
@ -42,46 +42,46 @@
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <ConfigurationType>StaticLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
    <WholeProgramOptimization>true</WholeProgramOptimization>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release|Win32'" Label="Configuration">
    <ConfigurationType>DynamicLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
    <WholeProgramOptimization>true</WholeProgramOptimization>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <ConfigurationType>StaticLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
    <WholeProgramOptimization>true</WholeProgramOptimization>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release|x64'" Label="Configuration">
    <ConfigurationType>DynamicLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
    <WholeProgramOptimization>true</WholeProgramOptimization>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
    <ConfigurationType>StaticLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|Win32'" Label="Configuration">
    <ConfigurationType>DynamicLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
    <ConfigurationType>StaticLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|x64'" Label="Configuration">
    <ConfigurationType>DynamicLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
    <CharacterSet>Unicode</CharacterSet>
    <WholeProgramOptimization>true</WholeProgramOptimization>
  </PropertyGroup>
@ -132,7 +132,7 @@
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
      <Optimization>Disabled</Optimization>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
@ -144,7 +144,7 @@
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|Win32'">
    <ClCompile>
      <Optimization>Disabled</Optimization>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>BUILDING_WOLFSSL;WOLFSSL_DLL;WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <MinimalRebuild>true</MinimalRebuild>
      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -164,7 +164,7 @@
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
      <Optimization>Disabled</Optimization>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
@ -176,7 +176,7 @@
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|x64'">
    <ClCompile>
      <Optimization>Disabled</Optimization>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>BUILDING_WOLFSSL;WOLFSSL_DLL;WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <MinimalRebuild>true</MinimalRebuild>
      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@ -197,7 +197,7 @@
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
      <FunctionLevelLinking>true</FunctionLevelLinking>
@ -210,7 +210,7 @@
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>BUILDING_WOLFSSL;WOLFSSL_DLL;WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
      <FunctionLevelLinking>true</FunctionLevelLinking>
@ -228,7 +228,7 @@
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
      <FunctionLevelLinking>true</FunctionLevelLinking>
@ -241,7 +241,7 @@
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>BUILDING_WOLFSSL;WOLFSSL_DLL;WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
      <FunctionLevelLinking>true</FunctionLevelLinking>
@ -266,7 +266,9 @@
    <ClCompile Include="..\..\wolfcrypt\src\dsa.c" />
    <ClCompile Include="..\..\wolfcrypt\src\ecc.c" />
    <ClCompile Include="..\..\wolfcrypt\src\ed25519.c" />
+	<ClCompile Include="..\..\wolfcrypt\src\curve25519.c" />
    <ClCompile Include="..\..\wolfcrypt\src\ed448.c" />
+	<ClCompile Include="..\..\wolfcrypt\src\curve448.c" />
    <ClCompile Include="..\..\wolfcrypt\src\error.c" />
    <ClCompile Include="..\..\wolfcrypt\src\fe_448.c" />
    <ClCompile Include="..\..\wolfcrypt\src\fe_low_mem.c" />
@ -389,4 +391,4 @@
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
-</Project>
+</Project>
--- a/IDE/WIN10/wolfssl-fips.rc
+++ b/IDE/WIN10/wolfssl-fips.rc
@ -51,8 +51,8 @@ END
 //

 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 5,7,6,0
- PRODUCTVERSION 5,7,6,0
+ FILEVERSION 5,8,0,0
+ PRODUCTVERSION 5,8,0,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@ -60,7 +60,7 @@ VS_VERSION_INFO VERSIONINFO
 FILEFLAGS 0x0L
 #endif
 FILEOS 0x40004L
- FILETYPE 0x7L
+ FILETYPE VFT_DLL
 FILESUBTYPE 0x0L
 BEGIN
    BLOCK "StringFileInfo"
@ -69,12 +69,12 @@ BEGIN
        BEGIN
            VALUE "CompanyName", "wolfSSL Inc."
            VALUE "FileDescription", "The wolfSSL FIPS embedded SSL library is a lightweight, portable, C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments primarily because of its size, speed, and feature set."
-            VALUE "FileVersion", "5.7.6.0"
+            VALUE "FileVersion", "5.8.0.0"
            VALUE "InternalName", "wolfssl-fips"
-            VALUE "LegalCopyright", "Copyright (C) 2024"
+            VALUE "LegalCopyright", "Copyright (C) 2025"
            VALUE "OriginalFilename", "wolfssl-fips.dll"
            VALUE "ProductName", "wolfSSL FIPS"
-            VALUE "ProductVersion", "5.7.6.0"
+            VALUE "ProductVersion", "5.8.0.0"
        END
    END
    BLOCK "VarFileInfo"
--- a/IDE/XCODE-FIPSv6/README
+++ b/IDE/XCODE-FIPSv6/README
@ -0,0 +1,7 @@
+- The user_settings.h in this directory is intended for use with the FIPS 140-3
+submission candidate for upcoming SRTP-KDF submission. As such it is subject to
+change between now and when the CMVP issues the wolfCrypt FIPS 140-3
+certificate.
+
+- Last updated: 28 Feb 2025
+
--- a/IDE/XCODE-FIPSv6/include.am
+++ b/IDE/XCODE-FIPSv6/include.am
@ -0,0 +1,9 @@
+# vim:ft=automake
+# included from Top Level Makefile.am
+# All paths should be given relative to the root
+
+# NOTE: The app will be stored in wolfssl/fips repository and copied
+#       into the proper release bundles when packaging the release.
+
+EXTRA_DIST+= IDE/XCODE-FIPSv6/user_settings.h
+EXTRA_DIST+= IDE/XCODE-FIPSv6/README
--- a/IDE/XCODE-FIPSv6/user_settings.h
+++ b/IDE/XCODE-FIPSv6/user_settings.h
@ -0,0 +1,949 @@
+/* user_settings.h
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+/* Custom wolfSSL user settings for GCC ARM */
+
+#ifndef WOLFSSL_USER_SETTINGS_H
+#define WOLFSSL_USER_SETTINGS_H
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* Platform */
+/* ------------------------------------------------------------------------- */
+#undef  WOLFSSL_GENERAL_ALIGNMENT
+#define WOLFSSL_GENERAL_ALIGNMENT   4
+
+#undef  SINGLE_THREADED
+//#define SINGLE_THREADED
+
+#undef  WOLFSSL_SMALL_STACK
+//#define WOLFSSL_SMALL_STACK
+
+#undef  WOLFSSL_USER_IO
+//#define WOLFSSL_USER_IO
+
+#undef ANDROID_V454
+/* #define ANDROID_V454 */ /* application specific stuff in benchmark and harness from 140-2 days, carry
+                      * over to 140-3 work also */
+
+#undef NO_WRITE_TEMP_FILES
+#define NO_WRITE_TEMP_FILES
+
+#ifdef ANDROID_V454
+    #define MAX_FIPS_DATA_SZ 50000000
+    #define MAX_FIPS_CODE_SZ 50000000
+    #if 0
+       /* To have all printouts go to the app view on the device use: */
+       extern int appendToTextView(const char* fmt, ...);
+       #undef printf
+       #define printf(format, ...) appendToTextView(format, ## __VA_ARGS__)
+    #else
+       #include <stdio.h>
+       #include <android/log.h>
+       #include <unistd.h>
+       /* Inline function for WOLFLOGV */
+       static inline int wolf_logv(const char* fmt, ...) {
+           usleep(500); /* Sleep for 0.5 millisecond */
+           va_list args;
+           va_start(args, fmt);
+           int n = __android_log_vprint(ANDROID_LOG_VERBOSE,
+                                        "wolfCrypt_android", fmt, args);
+           va_end(args);
+           usleep(500); /* Sleep for 0.5 millisecond */
+           return n;
+       }
+
+       #define WOLFLOGV(...) wolf_logv(__VA_ARGS__)
+       #undef printf
+       #define printf WOLFLOGV
+    #endif
+#endif
+
+/* Uncomment for iOS devices with PAA */
+#undef IPHONE
+#define IPHONE
+
+/* ------------------------------------------------------------------------- */
+/* Math Configuration */
+/* ------------------------------------------------------------------------- */
+#undef  SIZEOF_LONG_LONG
+#define SIZEOF_LONG_LONG 8
+
+/* Maximum math bits (Max RSA key bits * 2) */
+#undef  FP_MAX_BITS
+#define FP_MAX_BITS 16384
+
+/* Maximum math bits (largest supported key bits) */
+#undef SP_INT_BITS
+#define SP_INT_BITS 8192
+
+#undef USE_FAST_MATH
+#if 0 /* Flip to 1 for PAA with single precision */
+    #define WOLFSSL_SP_MATH_ALL
+    #define WOLFSSL_SP_INT_NEGATIVE
+#else
+    #define USE_FAST_MATH
+
+    #undef  TFM_TIMING_RESISTANT
+    #define TFM_TIMING_RESISTANT
+
+    #define WOLFCRYPT_HAVE_SAKKE /* Note: Sakke can be enabled with 1024-bit support */
+
+    #undef TFM_NO_ASM
+    //#define TFM_NO_ASM
+
+    #if 0 /* Flip to 1 for PAA with tfm */
+        /* Optimizations */
+        #define TFM_ARM
+    #endif
+#endif
+
+/* Wolf Single Precision Math */
+#undef WOLFSSL_SP
+#if 0 /* SP Assembly Speedups (wPAA) */  /* Flip to 1 for PAA with tfm or single precision */
+    #define WOLFSSL_SP
+    //#define WOLFSSL_SP_SMALL      /* use smaller version of code */
+    #define WOLFSSL_SP_1024
+    #undef WOLFCRYPT_HAVE_SAKKE
+    #define WOLFCRYPT_HAVE_SAKKE /* Note: Sakke can be enabled with 1024-bit support */
+    #define WOLFSSL_SP_4096 /* Explicitly enable 4096-bit support (2048/3072 on by default) */
+    #define WOLFSSL_SP_384 /* Explicitly enable 384-bit support (others on by default) */
+    #define WOLFSSL_SP_521 /* Explicitly enable 521-bit support (others on by default) */
+    #define WOLFSSL_HAVE_SP_RSA
+    #define WOLFSSL_HAVE_SP_DH
+    #define WOLFSSL_HAVE_SP_ECC
+    /* Customer indicated no desire for PAA, leave out */
+    #if 0 /* Flip to 1 for PAA with single precision */
+        #define WOLFSSL_ARMASM
+        #define WOLFSSL_SP_ARM64
+        #define WOLFSSL_SP_ARM64_ASM
+        #define WOLFSSL_ARMASM_INLINE
+    #endif
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* FIPS - Requires eval or license from wolfSSL */
+/* ------------------------------------------------------------------------- */
+#undef  HAVE_FIPS
+#if 1
+
+    #define WOLFCRYPT_FIPS_CORE_HASH_VALUE \
+1EF567FF471CFF983D21DA74623BDD14CCBCD0B14DADA8E4A9A79A47DEE82F3C
+    #define HAVE_FIPS
+
+    #undef  HAVE_FIPS_VERSION
+    #define HAVE_FIPS_VERSION 6
+
+    #undef HAVE_FIPS_VERSION_MAJOR
+    #define HAVE_FIPS_VERSION_MAJOR HAVE_FIPS_VERSION
+
+    #undef HAVE_FIPS_VERSION_MINOR
+    #define HAVE_FIPS_VERSION_MINOR 0
+
+    #undef HAVE_FIPS_VERSION_PATCH
+    #define HAVE_FIPS_VERSION_PATCH 0
+
+    #undef WOLFSSL_WOLFSSH
+    #define WOLFSSL_WOLFSSH
+
+    #undef WOLFSSL_ECDSA_SET_K
+    #define WOLFSSL_ECDSA_SET_K
+
+    #undef WC_RNG_SEED_CB
+    #define WC_RNG_SEED_CB
+
+    #ifdef SINGLE_THREADED
+        #undef  NO_THREAD_LS
+        #define NO_THREAD_LS
+    #endif
+
+    #if 0
+        #undef NO_ATTRIBUTE_CONSTRUCTOR
+        #define NO_ATTRIBUTE_CONSTRUCTOR
+    #endif
+
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Crypto */
+/* ------------------------------------------------------------------------- */
+/* RSA */
+#undef NO_RSA
+#if 1
+
+    /* half as much memory but twice as slow */
+    #undef  RSA_LOW_MEM
+    //#define RSA_LOW_MEM
+
+    /* Enables blinding mode, to prevent timing attacks */
+    #if 1
+        #undef  WC_RSA_BLINDING
+        #define WC_RSA_BLINDING
+    #else
+        #undef  WC_NO_HARDEN
+        #define WC_NO_HARDEN
+    #endif
+
+    /* RSA PSS Support */
+    #if 1
+        #undef WC_RSA_PSS
+        #define WC_RSA_PSS
+
+        #undef WOLFSSL_PSS_LONG_SALT
+        #define WOLFSSL_PSS_LONG_SALT
+
+        #undef WOLFSSL_PSS_SALT_LEN_DISCOVER /* ? */
+        #define WOLFSSL_PSS_SALT_LEN_DISCOVER /* ? */
+    #endif
+
+    #if 1
+        #define WC_RSA_NO_PADDING
+    #endif
+#else
+    #define NO_RSA
+#endif
+
+/* ECC */
+#undef HAVE_ECC
+#if 1
+    #define HAVE_ECC
+
+    /* Manually define enabled curves */
+    #undef  ECC_USER_CURVES
+    #define ECC_USER_CURVES
+
+    #ifdef ECC_USER_CURVES
+        /* Manual Curve Selection */
+        #define HAVE_ECC192
+        #define HAVE_ECC224
+        #undef NO_ECC256
+        #define HAVE_ECC256
+        #define HAVE_ECC384
+        #define HAVE_ECC521
+    #endif
+
+    /* Fixed point cache (speeds repeated operations against same private key) */
+    #undef  FP_ECC
+    //#define FP_ECC
+    #ifdef FP_ECC
+        /* Bits / Entries */
+        #undef  FP_ENTRIES
+        #define FP_ENTRIES  2
+        #undef  FP_LUT
+        #define FP_LUT      4
+    #endif
+
+    /* Optional ECC calculation method */
+    /* Note: doubles heap usage, but slightly faster */
+    #undef  ECC_SHAMIR
+    #define ECC_SHAMIR
+
+    /* Reduces heap usage, but slower */
+    #undef  ECC_TIMING_RESISTANT
+    #define ECC_TIMING_RESISTANT
+
+    #ifdef HAVE_FIPS
+        #undef  HAVE_ECC_CDH
+        #define HAVE_ECC_CDH /* Enable cofactor support */
+
+        #undef NO_STRICT_ECDSA_LEN
+        #define NO_STRICT_ECDSA_LEN /* Do not force fixed len w/ FIPS */
+
+        #undef  WOLFSSL_VALIDATE_ECC_IMPORT
+        #define WOLFSSL_VALIDATE_ECC_IMPORT /* Validate import */
+
+        #undef WOLFSSL_VALIDATE_ECC_KEYGEN
+        #define WOLFSSL_VALIDATE_ECC_KEYGEN /* Validate generated keys */
+
+    #endif
+
+    /* Compressed Key Support */
+    #undef  HAVE_COMP_KEY
+    //#define HAVE_COMP_KEY
+
+    /* Use alternate ECC size for ECC math */
+    #ifdef USE_FAST_MATH
+        /* MAX ECC BITS = ROUND8(MAX ECC) * 2 */
+        #ifdef NO_RSA
+            /* Custom fastmath size if not using RSA */
+            #undef  FP_MAX_BITS
+            #define FP_MAX_BITS     (256 * 2)
+        #else
+            #undef  ALT_ECC_SIZE
+            #define ALT_ECC_SIZE
+            /* wolfSSL will compute the FP_MAX_BITS_ECC, but it can be overridden */
+            //#undef  FP_MAX_BITS_ECC
+            //#define FP_MAX_BITS_ECC (256 * 2)
+        #endif
+
+        /* Speedups specific to curve */
+        #ifndef NO_ECC256
+            #undef  TFM_ECC256
+            #define TFM_ECC256
+        #endif
+    #endif
+#endif
+
+/* DH */
+#undef  NO_DH
+#if 1
+    /* Use table for DH instead of -lm (math) lib dependency */
+    #if 1
+        #define HAVE_DH_DEFAULT_PARAMS
+        #define WOLFSSL_DH_CONST
+        #define HAVE_FFDHE_2048
+        #define HAVE_FFDHE_3072
+        #define HAVE_FFDHE_4096
+        #define HAVE_FFDHE_6144
+        #define HAVE_FFDHE_8192
+    #endif
+
+    #ifdef HAVE_FIPS
+        #define WOLFSSL_VALIDATE_FFC_IMPORT
+        #define HAVE_FFDHE_Q
+    #endif
+#else
+    #define NO_DH
+#endif
+
+
+/* AES */
+#undef NO_AES
+#if 1
+    #undef  HAVE_AES_CBC
+    #define HAVE_AES_CBC
+
+    #undef  HAVE_AESGCM
+    #define HAVE_AESGCM
+
+    /* GCM Method (slowest to fastest): GCM_SMALL, GCM_WORD32, GCM_TABLE or
+     *                                  GCM_TABLE_4BIT */
+    #define GCM_TABLE_4BIT
+
+    #undef  WOLFSSL_AES_DIRECT
+    #define WOLFSSL_AES_DIRECT
+
+    #undef  HAVE_AES_ECB
+    #define HAVE_AES_ECB
+
+    #undef  WOLFSSL_AES_COUNTER
+    #define WOLFSSL_AES_COUNTER
+
+    #undef  HAVE_AESCCM
+    #define HAVE_AESCCM
+
+    #undef WOLFSSL_AES_OFB
+    #define WOLFSSL_AES_OFB
+
+    /* Required for module v6.0.0 */
+    #undef WOLFSSL_AES_CFB
+    #define WOLFSSL_AES_CFB
+
+    #undef WOLFSSL_AES_XTS
+    #define WOLFSSL_AES_XTS
+
+    #undef WOLFSSL_AESXTS_STREAM
+    #define WOLFSSL_AESXTS_STREAM
+
+    #undef WOLFSSL_AES_128
+    #define WOLFSSL_AES_128
+
+    #undef WOLFSSL_AES_256
+    #define WOLFSSL_AES_256
+
+    #undef WOLFSSL_AESGCM_STREAM
+    #define WOLFSSL_AESGCM_STREAM
+
+    #undef HAVE_AES_KEYWRAP
+    #define HAVE_AES_KEYWRAP
+#else
+    #define NO_AES
+#endif
+
+
+/* DES3 */
+#undef NO_DES3
+#if 0
+    #if 1
+        #undef WOLFSSL_DES_ECB
+        #define WOLFSSL_DES_ECB
+    #endif
+#else
+    #define NO_DES3
+#endif
+
+/* ChaCha20 / Poly1305 */
+#undef HAVE_CHACHA
+#undef HAVE_POLY1305
+#if 0
+    #define HAVE_CHACHA
+    #define HAVE_POLY1305
+
+    /* Needed for Poly1305 */
+    #undef  HAVE_ONE_TIME_AUTH
+    #define HAVE_ONE_TIME_AUTH
+#endif
+
+/* Ed25519 / Curve25519 */
+#undef HAVE_CURVE25519
+#undef HAVE_ED25519
+/* Required for module v6.0.0 */
+#if 1
+    #define HAVE_CURVE25519
+    #define HAVE_ED25519 /* ED25519 Requires SHA512 */
+    #define WOLFSSL_ED25519_STREAMING_VERIFY
+    #define HAVE_ED25519_KEY_IMPORT
+
+    /* Optionally use small math (less flash usage, but much slower) */
+    #if 0
+        #define CURVED25519_SMALL
+    #endif
+#endif
+
+/* Ed448 / Curve448 */
+/* Required for module v6.0.0 */
+#if 1
+    #define HAVE_CURVE448
+    #define HAVE_ED448
+    #define WOLFSSL_ED448_STREAMING_VERIFY
+    #define HAVE_ED448_KEY_IMPORT
+#endif
+
+/* ------------------------------------------------------------------------- */
+/* Hashing */
+/* ------------------------------------------------------------------------- */
+/* Sha */
+#undef NO_SHA
+#if 1
+    /* 1k smaller, but 25% slower */
+    //#define USE_SLOW_SHA
+#else
+    #define NO_SHA
+#endif
+
+/* Sha256 */
+#undef NO_SHA256
+#if 1
+    /* not unrolled - ~2k smaller and ~25% slower */
+    //#define USE_SLOW_SHA256
+
+    /* Sha224 */
+    #if 1
+        #define WOLFSSL_SHA224
+    #endif
+#else
+    #define NO_SHA256
+#endif
+
+/* Sha512 */
+#undef WOLFSSL_SHA512
+#if 1
+    #define WOLFSSL_SHA512
+
+    #define  WOLFSSL_NOSHA512_224 /* Not in FIPS mode */
+    #define  WOLFSSL_NOSHA512_256 /* Not in FIPS mode */
+
+
+    /* Sha384 */
+    #undef  WOLFSSL_SHA384
+    #if 1
+        #define WOLFSSL_SHA384
+    #endif
+
+    /* over twice as small, but 50% slower */
+    //#define USE_SLOW_SHA512
+#endif
+
+/* Sha3 */
+#undef WOLFSSL_SHA3
+#if 1
+    #define WOLFSSL_SHA3
+    /* Required to not be disabled for module v6.0.0 */
+    #if 0
+        #undef WOLFSSL_NO_SHAKE128
+        #define WOLFSSL_NO_SHAKE128
+
+        #undef WOLFSSL_NO_SHAKE256
+        #define WOLFSSL_NO_SHAKE256
+    #else
+        #define WOLFSSL_SHAKE256
+        #define WOLFSSL_SHAKE128
+    #endif
+#endif
+
+/* MD5 */
+#undef  NO_MD5
+#if 0
+
+#else
+    #define NO_MD5
+#endif
+
+/* HKDF / PRF */
+#undef HAVE_HKDF
+#if 1
+    #define HAVE_HKDF
+    #define WOLFSSL_HAVE_PRF
+
+    /* Required for module v6.0.0 */
+    #define WC_SRTP_KDF
+    #define HAVE_PBKDF2
+#endif
+
+/* CMAC */
+#undef WOLFSSL_CMAC
+#if 1
+    #define WOLFSSL_CMAC
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Benchmark / Test */
+/* ------------------------------------------------------------------------- */
+/* Use reduced benchmark / test sizes */
+#undef  BENCH_EMBEDDED
+#define BENCH_EMBEDDED
+
+#undef  USE_CERT_BUFFERS_2048
+#define USE_CERT_BUFFERS_2048
+
+#undef  USE_CERT_BUFFERS_1024
+//#define USE_CERT_BUFFERS_1024
+
+#undef  USE_CERT_BUFFERS_256
+#define USE_CERT_BUFFERS_256
+
+
+/* ------------------------------------------------------------------------- */
+/* Debugging */
+/* ------------------------------------------------------------------------- */
+
+#undef DEBUG_WOLFSSL
+#undef NO_ERROR_STRINGS
+#if 1
+    //#define DEBUG_WOLFSSL
+#else
+    #if 0
+        #define NO_ERROR_STRINGS
+    #endif
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Memory */
+/* ------------------------------------------------------------------------- */
+
+/* Override Memory API's */
+#if 0
+    #undef  XMALLOC_OVERRIDE
+    #define XMALLOC_OVERRIDE
+
+    /* prototypes for user heap override functions */
+    /* Note: Realloc only required for normal math */
+    #include <stddef.h>  /* for size_t */
+    extern void *myMalloc(size_t n, void* heap, int type);
+    extern void myFree(void *p, void* heap, int type);
+    extern void *myRealloc(void *p, size_t n, void* heap, int type);
+
+    #define XMALLOC(n, h, t)     myMalloc(n, h, t)
+    #define XFREE(p, h, t)       myFree(p, h, t)
+    #define XREALLOC(p, n, h, t) myRealloc(p, n, h, t)
+#endif
+
+#if 0
+    /* Static memory requires fast math */
+    #define WOLFSSL_STATIC_MEMORY
+
+    /* Disable fallback malloc/free */
+    #define WOLFSSL_NO_MALLOC
+    #if 1
+        #define WOLFSSL_MALLOC_CHECK /* trap malloc failure */
+    #endif
+#endif
+
+/* Memory callbacks */
+#if 1
+    #undef  USE_WOLFSSL_MEMORY
+    #define USE_WOLFSSL_MEMORY
+
+    /* Use this to measure / print heap usage */
+    #if 0
+        #undef  WOLFSSL_TRACK_MEMORY
+//        #define WOLFSSL_TRACK_MEMORY
+
+        #undef  WOLFSSL_DEBUG_MEMORY
+        //#define WOLFSSL_DEBUG_MEMORY
+
+        #undef WOLFSSL_DEBUG_MEMORY_PRINT
+        //#define WOLFSSL_DEBUG_MEMORY_PRINT
+    #endif
+#else
+    #ifndef WOLFSSL_STATIC_MEMORY
+        #define NO_WOLFSSL_MEMORY
+        /* Otherwise we will use stdlib malloc, free and realloc */
+    #endif
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Port */
+/* ------------------------------------------------------------------------- */
+
+/* Override Current Time */
+/* Allows custom "custom_time()" function to be used for benchmark */
+//#define WOLFSSL_USER_CURRTIME
+//#define WOLFSSL_GMTIME
+//#define USER_TICKS
+//extern unsigned long my_time(unsigned long* timer);
+//#define XTIME my_time
+
+
+/* ------------------------------------------------------------------------- */
+/* RNG */
+/* ------------------------------------------------------------------------- */
+
+/* Seed Source */
+ /* Seed Source */
+// extern int my_rng_generate_seed(unsigned char* output, int sz);
+// #undef  CUSTOM_RAND_GENERATE_SEED
+// #define CUSTOM_RAND_GENERATE_SEED  my_rng_generate_seed
+
+/* Choose RNG method */
+#if 1
+    /* Use built-in P-RNG (SHA256 based) with HW RNG */
+    /* P-RNG + HW RNG (P-RNG is ~8K) */
+    //#define WOLFSSL_GENSEED_FORTEST
+    #undef  HAVE_HASHDRBG
+    #define HAVE_HASHDRBG
+#else
+    #undef  WC_NO_HASHDRBG
+    #define WC_NO_HASHDRBG
+
+    /* Bypass P-RNG and use only HW RNG */
+    extern int my_rng_gen_block(unsigned char* output, unsigned int sz);
+    #undef  CUSTOM_RAND_GENERATE_BLOCK
+    #define CUSTOM_RAND_GENERATE_BLOCK  my_rng_gen_block
+#endif
+
+
+/* ------------------------------------------------------------------------- */
+/* Custom Standard Lib */
+/* ------------------------------------------------------------------------- */
+/* Allows override of all standard library functions */
+#undef STRING_USER
+#if 0
+    #define STRING_USER
+
+    #include <string.h>
+
+    #undef  USE_WOLF_STRSEP
+    #define USE_WOLF_STRSEP
+    #define XSTRSEP(s1,d)     wc_strsep((s1),(d))
+
+    #undef  USE_WOLF_STRTOK
+    #define USE_WOLF_STRTOK
+    #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))
+
+    #define XSTRNSTR(s1,s2,n) mystrnstr((s1),(s2),(n))
+
+    #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
+    #define XMEMSET(b,c,l)    memset((b),(c),(l))
+    #define XMEMCMP(s1,s2,n)  memcmp((s1),(s2),(n))
+    #define XMEMMOVE(d,s,l)   memmove((d),(s),(l))
+
+    #define XSTRLEN(s1)       strlen((s1))
+    #define XSTRNCPY(s1,s2,n) strncpy((s1),(s2),(n))
+    #define XSTRSTR(s1,s2)    strstr((s1),(s2))
+
+    #define XSTRNCMP(s1,s2,n)     strncmp((s1),(s2),(n))
+    #define XSTRNCAT(s1,s2,n)     strncat((s1),(s2),(n))
+    #define XSTRNCASECMP(s1,s2,n) strncasecmp((s1),(s2),(n))
+
+    #define XSNPRINTF snprintf
+#endif
+
+
+
+/* ------------------------------------------------------------------------- */
+/* Enable Features */
+/* ------------------------------------------------------------------------- */
+#undef WOLFSSL_ASN_TEMPLATE
+#define WOLFSSL_ASN_TEMPLATE
+
+#undef WOLFSSL_ASN_PRINT
+#define WOLFSSL_ASN_PRINT
+
+#undef WOLFSSL_TLS13
+#if 1
+    #define WOLFSSL_TLS13
+#endif
+
+#undef WOLFSSL_KEY_GEN
+#if 1
+    #define WOLFSSL_KEY_GEN
+#endif
+
+#if defined(HAVE_FIPS) && !defined(WOLFSSL_KEY_GEN)
+    #define WOLFSSL_OLD_PRIME_CHECK
+#endif
+
+#undef  KEEP_PEER_CERT
+//#define KEEP_PEER_CERT
+
+#undef  HAVE_COMP_KEY
+//#define HAVE_COMP_KEY
+
+#undef  HAVE_TLS_EXTENSIONS
+#define HAVE_TLS_EXTENSIONS
+
+#undef HAVE_EXTENDED_MASTER
+#define HAVE_EXTENDED_MASTER
+
+#undef  HAVE_SUPPORTED_CURVES
+#define HAVE_SUPPORTED_CURVES
+
+#undef  WOLFSSL_BASE64_ENCODE
+#define WOLFSSL_BASE64_ENCODE
+
+/* TLS Session Cache */
+#if 0
+    #define SMALL_SESSION_CACHE
+#else
+    #define NO_SESSION_CACHE
+#endif
+
+#undef OPENSSL_EXTRA
+#define OPENSSL_EXTRA
+
+#undef WOLFSSL_DER_LOAD
+#define WOLFSSL_DER_LOAD
+
+#undef HAVE_SESSION_TICKET
+#define HAVE_SESSION_TICKET
+
+#undef HAVE_EX_DATA
+#define HAVE_EX_DATA
+
+#undef HAVE_ENCRYPT_THEN_MAC
+#define HAVE_ENCRYPT_THEN_MAC
+
+#undef WOLFSSL_CERT_GEN
+#define WOLFSSL_CERT_GEN
+
+#undef ATOMIC_USER
+#define ATOMIC_USER
+
+#undef HAVE_SECRET_CALLBACK
+#define HAVE_SECRET_CALLBACK
+
+/* wolfEngine */
+#if 0
+    #define OPENSSL_COEXIST
+
+    /* HKDF for engine */
+    #undef HAVE_HKDF
+    #if 1
+        #define HAVE_HKDF
+        #define HAVE_X963_KDF
+    #endif
+
+    #undef WOLFSSL_PUBLIC_MP
+    #define WOLFSSL_PUBLIC_MP
+
+    #undef NO_OLD_RNGNAME
+    #define NO_OLD_RNGNAME
+
+    #undef NO_OLD_WC_NAMES
+    #define NO_OLD_WC_NAMES
+
+    #undef NO_OLD_SSL_NAMES
+    #define NO_OLD_SSL_NAMES
+
+    #undef NO_OLD_SHA_NAMES
+    #define NO_OLD_SHA_NAMES
+
+    #undef NO_OLD_MD5_NAME
+    #define NO_OLD_MD5_NAME
+
+    #undef NO_OLD_SHA256_NAMES
+    #define NO_OLD_SHA256_NAMES
+#endif
+
+#undef WOLFSSL_SYS_CA_CERTS
+//#define WOLFSSL_SYS_CA_CERTS
+
+#undef LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS
+#define LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS
+
+#undef HAVE_SERVER_RENEGOTIATION_INFO
+#define HAVE_SERVER_RENEGOTIATION_INFO
+
+#undef WOLFSSL_PEM_TO_DER
+#define WOLFSSL_PEM_TO_DER
+
+#undef WOLFSSL_PUB_PEM_TO_DER
+#define WOLFSSL_PUB_PEM_TO_DER
+
+/* ------------------------------------------------------------------------- */
+/* Disable Features */
+/* ------------------------------------------------------------------------- */
+#undef  NO_WOLFSSL_SERVER
+//#define NO_WOLFSSL_SERVER
+
+#undef  NO_WOLFSSL_CLIENT
+//#define NO_WOLFSSL_CLIENT
+
+#undef  NO_CRYPT_TEST
+//#define NO_CRYPT_TEST
+
+#undef  NO_CRYPT_BENCHMARK
+//#define NO_CRYPT_BENCHMARK
+
+#undef  WOLFCRYPT_ONLY
+#define WOLFCRYPT_ONLY
+
+/* In-lining of misc.c functions */
+/* If defined, must include wolfcrypt/src/misc.c in build */
+/* Slower, but about 1k smaller */
+#undef  NO_INLINE
+//#define NO_INLINE
+
+#undef  NO_FILESYSTEM
+//#define NO_FILESYSTEM
+
+#undef  NO_WRITEV
+//#define NO_WRITEV
+
+#undef  NO_MAIN_DRIVER
+#define NO_MAIN_DRIVER
+
+#undef  NO_DEV_RANDOM
+//#define NO_DEV_RANDOM
+
+#undef  NO_DSA
+#define NO_DSA
+
+#undef  NO_RC4
+#define NO_RC4
+
+#undef  NO_OLD_TLS
+#define NO_OLD_TLS
+
+#undef  NO_PSK
+#define NO_PSK
+
+#undef  NO_MD4
+#define NO_MD4
+
+#undef  NO_PWDBASED
+//#define NO_PWDBASED
+
+#undef  NO_CODING
+//#define NO_CODING
+
+#undef  NO_ASN_TIME
+//#define NO_ASN_TIME
+
+#undef  NO_CERTS
+//#define NO_CERTS
+
+#undef  NO_SIG_WRAPPER
+//#define NO_SIG_WRAPPER
+
+#undef NO_DO178
+#define NO_DO178
+
+/* wolfSSL engineering ACVP algo and operational testing only (Default: Off) */
+#if 1
+    #ifndef WOLFSSL_PUBLIC_MP
+        #define WOLFSSL_PUBLIC_MP
+    #endif
+    #define OPTEST_LOGGING_ENABLED
+    #define DEBUG_FIPS_VERBOSE
+    #ifndef DEBUG_WOLFSSL
+        //#define DEBUG_WOLFSSL
+    #endif
+    #define OPTEST_RUNNING_ORGANIC
+    #define OPTEST_INVALID_LOGGING_ENABLED
+    #define HAVE_FORCE_FIPS_FAILURE
+    #define DEEPLY_EMBEDDED
+    #define OPTEST_LOG_TE_MAPPING
+    #define NO_MAIN_OPTEST_DRIVER
+    #define NO_MAIN_DRIVER
+    #define NO_MAIN_HARNESS_DRIVER
+
+    #ifdef BENCH_EMBEDDED
+    /* NOTE: Can not be on for operational testing */
+        #undef BENCH_EMBEDDED
+    #endif
+
+    #define NO_WRITE_TEMP_FILES
+#endif
+
+/* Customer Specific Section */
+/* #define CUSTOMER_1_IOS */
+#ifdef CUSTOMER_1_IOS
+
+    /* not certified, disable for full FIPS compliance, will attempt to include
+     * in UPDT submission and/or next FS submission */
+    #undef HAVE_PKCS7
+    #define HAVE_PKCS7
+
+    #undef HAVE_SNI
+    #define HAVE_SNI
+
+    #undef HAVE_THREAD_LS
+    #define HAVE_THREAD_LS
+
+    /* Not certifiable but external to module boundary and out of scope */
+    #undef WOLFCRYPT_HAVE_ECCSI
+    #define WOLFCRYPT_HAVE_ECCSI
+
+    #undef WOLFSSL_DTLS
+    #define WOLFSSL_DTLS
+
+    #undef WOLFSSL_DTLS_MTU
+    #define WOLFSSL_DTLS_MTU
+
+    /* OpenSSL Compatibility (NOTE: Incompatible with wolfEngine and
+       OPENSSL_COEXIST) */
+    #ifndef OPENSSL_COEXIST
+        #undef OPENSSL_EXTRA
+        #if 1
+            #define OPENSSL_EXTRA
+            /* Larger footprint but enable ALL compatibility not just a subset */
+            #if 1
+                #define OPENSSL_ALL
+            #endif
+        #endif
+    #endif
+#endif /* CUSTOMER_1_IOS */
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif /* WOLFSSL_USER_SETTINGS_H */
+
--- a/IDE/XCODE/wolfssl-FIPS.xcodeproj/project.pbxproj
+++ b/IDE/XCODE/wolfssl-FIPS.xcodeproj/project.pbxproj
@ -125,7 +125,7 @@
 		700F0CF52A2FC11300755BA7 /* eccsi.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CDB2A2FC0D500755BA7 /* eccsi.h */; };
 		700F0CF62A2FC11300755BA7 /* ed448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD22A2FC0D500755BA7 /* ed448.h */; };
 		700F0CF72A2FC11300755BA7 /* ed25519.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CE12A2FC0D500755BA7 /* ed25519.h */; };
-		700F0CF82A2FC11300755BA7 /* ext_kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD52A2FC0D500755BA7 /* ext_kyber.h */; };
+		700F0CF82A2FC11300755BA7 /* ext_mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD52A2FC0D500755BA7 /* ext_mlkem.h */; };
 		700F0CF92A2FC11300755BA7 /* falcon.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CDD2A2FC0D500755BA7 /* falcon.h */; };
 		700F0CFA2A2FC11300755BA7 /* fe_448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CDE2A2FC0D500755BA7 /* fe_448.h */; };
 		700F0CFB2A2FC11300755BA7 /* fe_operations.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CC72A2FC0D400755BA7 /* fe_operations.h */; };
@ -133,7 +133,7 @@
 		700F0CFD2A2FC11300755BA7 /* ge_448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CE22A2FC0D500755BA7 /* ge_448.h */; };
 		700F0CFE2A2FC11300755BA7 /* ge_operations.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CCA2A2FC0D500755BA7 /* ge_operations.h */; };
 		700F0CFF2A2FC11300755BA7 /* hpke.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CCD2A2FC0D500755BA7 /* hpke.h */; };
-		700F0D002A2FC11300755BA7 /* kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CCC2A2FC0D500755BA7 /* kyber.h */; };
+		700F0D002A2FC11300755BA7 /* mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CCC2A2FC0D500755BA7 /* mlkem.h */; };
 		700F0D012A2FC11300755BA7 /* mem_track.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CDA2A2FC0D500755BA7 /* mem_track.h */; };
 		700F0D022A2FC11300755BA7 /* pkcs11.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD92A2FC0D500755BA7 /* pkcs11.h */; };
 		700F0D032A2FC11300755BA7 /* pkcs12.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CE42A2FC0D500755BA7 /* pkcs12.h */; };
@ -147,7 +147,7 @@
 		700F0D0B2A2FC11300755BA7 /* sp.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD12A2FC0D500755BA7 /* sp.h */; };
 		700F0D0C2A2FC11300755BA7 /* sphincs.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CEC2A2FC0D500755BA7 /* sphincs.h */; };
 		700F0D0D2A2FC11300755BA7 /* srp.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CDC2A2FC0D500755BA7 /* srp.h */; };
-		700F0D0E2A2FC11300755BA7 /* wc_kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD82A2FC0D500755BA7 /* wc_kyber.h */; };
+		700F0D0E2A2FC11300755BA7 /* wc_mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD82A2FC0D500755BA7 /* wc_mlkem.h */; };
 		700F0D0F2A2FC11300755BA7 /* wc_pkcs11.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CE82A2FC0D500755BA7 /* wc_pkcs11.h */; };
 		700F0D102A2FC11300755BA7 /* wolfevent.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD62A2FC0D500755BA7 /* wolfevent.h */; };
 		700F0D112A2FC11300755BA7 /* wolfmath.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CEB2A2FC0D500755BA7 /* wolfmath.h */; };
@ -285,7 +285,7 @@
 				700F0CF52A2FC11300755BA7 /* eccsi.h in CopyFiles */,
 				700F0CF62A2FC11300755BA7 /* ed448.h in CopyFiles */,
 				700F0CF72A2FC11300755BA7 /* ed25519.h in CopyFiles */,
-				700F0CF82A2FC11300755BA7 /* ext_kyber.h in CopyFiles */,
+				700F0CF82A2FC11300755BA7 /* ext_mlkem.h in CopyFiles */,
 				700F0CF92A2FC11300755BA7 /* falcon.h in CopyFiles */,
 				700F0CFA2A2FC11300755BA7 /* fe_448.h in CopyFiles */,
 				700F0CFB2A2FC11300755BA7 /* fe_operations.h in CopyFiles */,
@ -293,7 +293,7 @@
 				700F0CFD2A2FC11300755BA7 /* ge_448.h in CopyFiles */,
 				700F0CFE2A2FC11300755BA7 /* ge_operations.h in CopyFiles */,
 				700F0CFF2A2FC11300755BA7 /* hpke.h in CopyFiles */,
-				700F0D002A2FC11300755BA7 /* kyber.h in CopyFiles */,
+				700F0D002A2FC11300755BA7 /* mlkem.h in CopyFiles */,
 				700F0D012A2FC11300755BA7 /* mem_track.h in CopyFiles */,
 				700F0D022A2FC11300755BA7 /* pkcs11.h in CopyFiles */,
 				700F0D032A2FC11300755BA7 /* pkcs12.h in CopyFiles */,
@ -307,7 +307,7 @@
 				700F0D0B2A2FC11300755BA7 /* sp.h in CopyFiles */,
 				700F0D0C2A2FC11300755BA7 /* sphincs.h in CopyFiles */,
 				700F0D0D2A2FC11300755BA7 /* srp.h in CopyFiles */,
-				700F0D0E2A2FC11300755BA7 /* wc_kyber.h in CopyFiles */,
+				700F0D0E2A2FC11300755BA7 /* wc_mlkem.h in CopyFiles */,
 				700F0D0F2A2FC11300755BA7 /* wc_pkcs11.h in CopyFiles */,
 				700F0D102A2FC11300755BA7 /* wolfevent.h in CopyFiles */,
 				700F0D112A2FC11300755BA7 /* wolfmath.h in CopyFiles */,
@ -563,7 +563,7 @@
 		700F0CC92A2FC0D500755BA7 /* selftest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = selftest.h; path = ../../wolfssl/wolfcrypt/selftest.h; sourceTree = "<group>"; };
 		700F0CCA2A2FC0D500755BA7 /* ge_operations.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ge_operations.h; path = ../../wolfssl/wolfcrypt/ge_operations.h; sourceTree = "<group>"; };
 		700F0CCB2A2FC0D500755BA7 /* async.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = async.h; path = ../../wolfssl/wolfcrypt/async.h; sourceTree = "<group>"; };
-		700F0CCC2A2FC0D500755BA7 /* kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = kyber.h; path = ../../wolfssl/wolfcrypt/kyber.h; sourceTree = "<group>"; };
+		700F0CCC2A2FC0D500755BA7 /* mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mlkem.h; path = ../../wolfssl/wolfcrypt/mlkem.h; sourceTree = "<group>"; };
 		700F0CCD2A2FC0D500755BA7 /* hpke.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = hpke.h; path = ../../wolfssl/wolfcrypt/hpke.h; sourceTree = "<group>"; };
 		700F0CCE2A2FC0D500755BA7 /* cpuid.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cpuid.h; path = ../../wolfssl/wolfcrypt/cpuid.h; sourceTree = "<group>"; };
 		700F0CCF2A2FC0D500755BA7 /* fips.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = fips.h; path = ../../wolfssl/wolfcrypt/fips.h; sourceTree = "<group>"; };
@ -572,10 +572,10 @@
 		700F0CD22A2FC0D500755BA7 /* ed448.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ed448.h; path = ../../wolfssl/wolfcrypt/ed448.h; sourceTree = "<group>"; };
 		700F0CD32A2FC0D500755BA7 /* curve448.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = curve448.h; path = ../../wolfssl/wolfcrypt/curve448.h; sourceTree = "<group>"; };
 		700F0CD42A2FC0D500755BA7 /* siphash.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = siphash.h; path = ../../wolfssl/wolfcrypt/siphash.h; sourceTree = "<group>"; };
-		700F0CD52A2FC0D500755BA7 /* ext_kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ext_kyber.h; path = ../../wolfssl/wolfcrypt/ext_kyber.h; sourceTree = "<group>"; };
+		700F0CD52A2FC0D500755BA7 /* ext_mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ext_mlkem.h; path = ../../wolfssl/wolfcrypt/ext_mlkem.h; sourceTree = "<group>"; };
 		700F0CD62A2FC0D500755BA7 /* wolfevent.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wolfevent.h; path = ../../wolfssl/wolfcrypt/wolfevent.h; sourceTree = "<group>"; };
 		700F0CD72A2FC0D500755BA7 /* cmac.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cmac.h; path = ../../wolfssl/wolfcrypt/cmac.h; sourceTree = "<group>"; };
-		700F0CD82A2FC0D500755BA7 /* wc_kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wc_kyber.h; path = ../../wolfssl/wolfcrypt/wc_kyber.h; sourceTree = "<group>"; };
+		700F0CD82A2FC0D500755BA7 /* wc_mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wc_mlkem.h; path = ../../wolfssl/wolfcrypt/wc_mlkem.h; sourceTree = "<group>"; };
 		700F0CD92A2FC0D500755BA7 /* pkcs11.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = pkcs11.h; path = ../../wolfssl/wolfcrypt/pkcs11.h; sourceTree = "<group>"; };
 		700F0CDA2A2FC0D500755BA7 /* mem_track.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mem_track.h; path = ../../wolfssl/wolfcrypt/mem_track.h; sourceTree = "<group>"; };
 		700F0CDB2A2FC0D500755BA7 /* eccsi.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = eccsi.h; path = ../../wolfssl/wolfcrypt/eccsi.h; sourceTree = "<group>"; };
@ -643,7 +643,7 @@
 				700F0CDB2A2FC0D500755BA7 /* eccsi.h */,
 				700F0CD22A2FC0D500755BA7 /* ed448.h */,
 				700F0CE12A2FC0D500755BA7 /* ed25519.h */,
-				700F0CD52A2FC0D500755BA7 /* ext_kyber.h */,
+				700F0CD52A2FC0D500755BA7 /* ext_mlkem.h */,
 				700F0CDD2A2FC0D500755BA7 /* falcon.h */,
 				700F0CDE2A2FC0D500755BA7 /* fe_448.h */,
 				700F0CC72A2FC0D400755BA7 /* fe_operations.h */,
@ -651,7 +651,7 @@
 				700F0CE22A2FC0D500755BA7 /* ge_448.h */,
 				700F0CCA2A2FC0D500755BA7 /* ge_operations.h */,
 				700F0CCD2A2FC0D500755BA7 /* hpke.h */,
-				700F0CCC2A2FC0D500755BA7 /* kyber.h */,
+				700F0CCC2A2FC0D500755BA7 /* mlkem.h */,
 				700F0CDA2A2FC0D500755BA7 /* mem_track.h */,
 				700F0CD92A2FC0D500755BA7 /* pkcs11.h */,
 				700F0CE42A2FC0D500755BA7 /* pkcs12.h */,
@ -665,7 +665,7 @@
 				700F0CD12A2FC0D500755BA7 /* sp.h */,
 				700F0CEC2A2FC0D500755BA7 /* sphincs.h */,
 				700F0CDC2A2FC0D500755BA7 /* srp.h */,
-				700F0CD82A2FC0D500755BA7 /* wc_kyber.h */,
+				700F0CD82A2FC0D500755BA7 /* wc_mlkem.h */,
 				700F0CE82A2FC0D500755BA7 /* wc_pkcs11.h */,
 				700F0CD62A2FC0D500755BA7 /* wolfevent.h */,
 				700F0CEB2A2FC0D500755BA7 /* wolfmath.h */,
--- a/IDE/XCODE/wolfssl.xcodeproj/project.pbxproj
+++ b/IDE/XCODE/wolfssl.xcodeproj/project.pbxproj
@ -256,7 +256,7 @@
 		700F0C0D2A2FBC5100755BA7 /* eccsi.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF72A2FBC1600755BA7 /* eccsi.h */; };
 		700F0C0E2A2FBC5100755BA7 /* ed448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF82A2FBC1600755BA7 /* ed448.h */; };
 		700F0C0F2A2FBC5100755BA7 /* ed25519.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF42A2FBC1600755BA7 /* ed25519.h */; };
-		700F0C102A2FBC5100755BA7 /* ext_kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF92A2FBC1600755BA7 /* ext_kyber.h */; };
+		700F0C102A2FBC5100755BA7 /* ext_mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF92A2FBC1600755BA7 /* ext_mlkem.h */; };
 		700F0C112A2FBC5100755BA7 /* falcon.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0C022A2FBC1600755BA7 /* falcon.h */; };
 		700F0C122A2FBC5100755BA7 /* fe_448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BEB2A2FBC1500755BA7 /* fe_448.h */; };
 		700F0C132A2FBC5100755BA7 /* fe_operations.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF62A2FBC1600755BA7 /* fe_operations.h */; };
@ -264,7 +264,7 @@
 		700F0C152A2FBC5100755BA7 /* ge_448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE72A2FBC1500755BA7 /* ge_448.h */; };
 		700F0C162A2FBC5100755BA7 /* ge_operations.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0C012A2FBC1600755BA7 /* ge_operations.h */; };
 		700F0C172A2FBC5100755BA7 /* hpke.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE12A2FBC1500755BA7 /* hpke.h */; };
-		700F0C182A2FBC5100755BA7 /* kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BEA2A2FBC1500755BA7 /* kyber.h */; };
+		700F0C182A2FBC5100755BA7 /* mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BEA2A2FBC1500755BA7 /* mlkem.h */; };
 		700F0C192A2FBC5100755BA7 /* pkcs11.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BFD2A2FBC1600755BA7 /* pkcs11.h */; };
 		700F0C1A2A2FBC5100755BA7 /* pkcs12.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BEC2A2FBC1500755BA7 /* pkcs12.h */; };
 		700F0C1B2A2FBC5100755BA7 /* rc2.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE02A2FBC1500755BA7 /* rc2.h */; };
@ -277,7 +277,7 @@
 		700F0C222A2FBC5100755BA7 /* sp.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE92A2FBC1500755BA7 /* sp.h */; };
 		700F0C232A2FBC5100755BA7 /* sphincs.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE22A2FBC1500755BA7 /* sphincs.h */; };
 		700F0C242A2FBC5100755BA7 /* srp.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF32A2FBC1600755BA7 /* srp.h */; };
-		700F0C252A2FBC5100755BA7 /* wc_kyber.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BFF2A2FBC1600755BA7 /* wc_kyber.h */; };
+		700F0C252A2FBC5100755BA7 /* wc_mlkem.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BFF2A2FBC1600755BA7 /* wc_mlkem.h */; };
 		700F0C262A2FBC5100755BA7 /* wc_pkcs11.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF52A2FBC1600755BA7 /* wc_pkcs11.h */; };
 		700F0C272A2FBC5100755BA7 /* wolfevent.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE62A2FBC1500755BA7 /* wolfevent.h */; };
 		700F0C282A2FBC5100755BA7 /* kdf.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 6AC8513B272CB04F00F2B32A /* kdf.h */; };
@ -625,7 +625,7 @@
 				700F0C0D2A2FBC5100755BA7 /* eccsi.h in CopyFiles */,
 				700F0C0E2A2FBC5100755BA7 /* ed448.h in CopyFiles */,
 				700F0C0F2A2FBC5100755BA7 /* ed25519.h in CopyFiles */,
-				700F0C102A2FBC5100755BA7 /* ext_kyber.h in CopyFiles */,
+				700F0C102A2FBC5100755BA7 /* ext_mlkem.h in CopyFiles */,
 				700F0C112A2FBC5100755BA7 /* falcon.h in CopyFiles */,
 				700F0C122A2FBC5100755BA7 /* fe_448.h in CopyFiles */,
 				700F0C132A2FBC5100755BA7 /* fe_operations.h in CopyFiles */,
@ -633,7 +633,7 @@
 				700F0C152A2FBC5100755BA7 /* ge_448.h in CopyFiles */,
 				700F0C162A2FBC5100755BA7 /* ge_operations.h in CopyFiles */,
 				700F0C172A2FBC5100755BA7 /* hpke.h in CopyFiles */,
-				700F0C182A2FBC5100755BA7 /* kyber.h in CopyFiles */,
+				700F0C182A2FBC5100755BA7 /* mlkem.h in CopyFiles */,
 				700F0C192A2FBC5100755BA7 /* pkcs11.h in CopyFiles */,
 				700F0C1A2A2FBC5100755BA7 /* pkcs12.h in CopyFiles */,
 				700F0C1B2A2FBC5100755BA7 /* rc2.h in CopyFiles */,
@ -646,7 +646,7 @@
 				700F0C222A2FBC5100755BA7 /* sp.h in CopyFiles */,
 				700F0C232A2FBC5100755BA7 /* sphincs.h in CopyFiles */,
 				700F0C242A2FBC5100755BA7 /* srp.h in CopyFiles */,
-				700F0C252A2FBC5100755BA7 /* wc_kyber.h in CopyFiles */,
+				700F0C252A2FBC5100755BA7 /* wc_mlkem.h in CopyFiles */,
 				700F0C262A2FBC5100755BA7 /* wc_pkcs11.h in CopyFiles */,
 				700F0C272A2FBC5100755BA7 /* wolfevent.h in CopyFiles */,
 				700F0C282A2FBC5100755BA7 /* kdf.h in CopyFiles */,
@ -985,7 +985,7 @@
 		700F0BE72A2FBC1500755BA7 /* ge_448.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ge_448.h; path = ../../wolfssl/wolfcrypt/ge_448.h; sourceTree = "<group>"; };
 		700F0BE82A2FBC1500755BA7 /* sp_int.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sp_int.h; path = ../../wolfssl/wolfcrypt/sp_int.h; sourceTree = "<group>"; };
 		700F0BE92A2FBC1500755BA7 /* sp.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sp.h; path = ../../wolfssl/wolfcrypt/sp.h; sourceTree = "<group>"; };
-		700F0BEA2A2FBC1500755BA7 /* kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = kyber.h; path = ../../wolfssl/wolfcrypt/kyber.h; sourceTree = "<group>"; };
+		700F0BEA2A2FBC1500755BA7 /* mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mlkem.h; path = ../../wolfssl/wolfcrypt/mlkem.h; sourceTree = "<group>"; };
 		700F0BEB2A2FBC1500755BA7 /* fe_448.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = fe_448.h; path = ../../wolfssl/wolfcrypt/fe_448.h; sourceTree = "<group>"; };
 		700F0BEC2A2FBC1500755BA7 /* pkcs12.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = pkcs12.h; path = ../../wolfssl/wolfcrypt/pkcs12.h; sourceTree = "<group>"; };
 		700F0BED2A2FBC1500755BA7 /* chacha20_poly1305.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = chacha20_poly1305.h; path = ../../wolfssl/wolfcrypt/chacha20_poly1305.h; sourceTree = "<group>"; };
@ -1000,13 +1000,13 @@
 		700F0BF62A2FBC1600755BA7 /* fe_operations.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = fe_operations.h; path = ../../wolfssl/wolfcrypt/fe_operations.h; sourceTree = "<group>"; };
 		700F0BF72A2FBC1600755BA7 /* eccsi.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = eccsi.h; path = ../../wolfssl/wolfcrypt/eccsi.h; sourceTree = "<group>"; };
 		700F0BF82A2FBC1600755BA7 /* ed448.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ed448.h; path = ../../wolfssl/wolfcrypt/ed448.h; sourceTree = "<group>"; };
-		700F0BF92A2FBC1600755BA7 /* ext_kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ext_kyber.h; path = ../../wolfssl/wolfcrypt/ext_kyber.h; sourceTree = "<group>"; };
+		700F0BF92A2FBC1600755BA7 /* ext_mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ext_mlkem.h; path = ../../wolfssl/wolfcrypt/ext_mlkem.h; sourceTree = "<group>"; };
 		700F0BFA2A2FBC1600755BA7 /* sha3.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sha3.h; path = ../../wolfssl/wolfcrypt/sha3.h; sourceTree = "<group>"; };
 		700F0BFB2A2FBC1600755BA7 /* signature.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = signature.h; path = ../../wolfssl/wolfcrypt/signature.h; sourceTree = "<group>"; };
 		700F0BFC2A2FBC1600755BA7 /* cmac.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cmac.h; path = ../../wolfssl/wolfcrypt/cmac.h; sourceTree = "<group>"; };
 		700F0BFD2A2FBC1600755BA7 /* pkcs11.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = pkcs11.h; path = ../../wolfssl/wolfcrypt/pkcs11.h; sourceTree = "<group>"; };
 		700F0BFE2A2FBC1600755BA7 /* siphash.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = siphash.h; path = ../../wolfssl/wolfcrypt/siphash.h; sourceTree = "<group>"; };
-		700F0BFF2A2FBC1600755BA7 /* wc_kyber.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wc_kyber.h; path = ../../wolfssl/wolfcrypt/wc_kyber.h; sourceTree = "<group>"; };
+		700F0BFF2A2FBC1600755BA7 /* wc_mlkem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wc_mlkem.h; path = ../../wolfssl/wolfcrypt/wc_mlkem.h; sourceTree = "<group>"; };
 		700F0C002A2FBC1600755BA7 /* fips.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = fips.h; path = ../../wolfssl/wolfcrypt/fips.h; sourceTree = "<group>"; };
 		700F0C012A2FBC1600755BA7 /* ge_operations.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ge_operations.h; path = ../../wolfssl/wolfcrypt/ge_operations.h; sourceTree = "<group>"; };
 		700F0C022A2FBC1600755BA7 /* falcon.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = falcon.h; path = ../../wolfssl/wolfcrypt/falcon.h; sourceTree = "<group>"; };
@ -1157,7 +1157,7 @@
 				700F0BF72A2FBC1600755BA7 /* eccsi.h */,
 				700F0BF82A2FBC1600755BA7 /* ed448.h */,
 				700F0BF42A2FBC1600755BA7 /* ed25519.h */,
-				700F0BF92A2FBC1600755BA7 /* ext_kyber.h */,
+				700F0BF92A2FBC1600755BA7 /* ext_mlkem.h */,
 				700F0C022A2FBC1600755BA7 /* falcon.h */,
 				700F0BEB2A2FBC1500755BA7 /* fe_448.h */,
 				700F0BF62A2FBC1600755BA7 /* fe_operations.h */,
@ -1165,7 +1165,7 @@
 				700F0BE72A2FBC1500755BA7 /* ge_448.h */,
 				700F0C012A2FBC1600755BA7 /* ge_operations.h */,
 				700F0BE12A2FBC1500755BA7 /* hpke.h */,
-				700F0BEA2A2FBC1500755BA7 /* kyber.h */,
+				700F0BEA2A2FBC1500755BA7 /* mlkem.h */,
 				700F0BFD2A2FBC1600755BA7 /* pkcs11.h */,
 				700F0BEC2A2FBC1500755BA7 /* pkcs12.h */,
 				700F0BE02A2FBC1500755BA7 /* rc2.h */,
@ -1178,7 +1178,7 @@
 				700F0BE92A2FBC1500755BA7 /* sp.h */,
 				700F0BE22A2FBC1500755BA7 /* sphincs.h */,
 				700F0BF32A2FBC1600755BA7 /* srp.h */,
-				700F0BFF2A2FBC1600755BA7 /* wc_kyber.h */,
+				700F0BFF2A2FBC1600755BA7 /* wc_mlkem.h */,
 				700F0BF52A2FBC1600755BA7 /* wc_pkcs11.h */,
 				700F0BE62A2FBC1500755BA7 /* wolfevent.h */,
 				5216465E1A8993770062516A /* aes.h */,
--- a/IDE/include.am
+++ b/IDE/include.am
@ -61,6 +61,7 @@ include IDE/WINCE/include.am
 include IDE/WORKBENCH/include.am
 include IDE/XCODE-FIPSv2/include.am
 include IDE/XCODE-FIPSv5/include.am
+include IDE/XCODE-FIPSv6/include.am
 include IDE/XCODE/include.am
 include IDE/XilinxSDK/include.am
 include IDE/zephyr/include.am
--- a/Makefile.am
+++ b/Makefile.am
@ -213,7 +213,8 @@ if BUILD_LINUXKM
        EXTRA_CFLAGS EXTRA_CPPFLAGS EXTRA_CCASFLAGS EXTRA_LDFLAGS \
 	AM_CPPFLAGS CPPFLAGS AM_CFLAGS CFLAGS \
        AM_CCASFLAGS CCASFLAGS \
-        src_libwolfssl_la_OBJECTS ENABLED_CRYPT_TESTS ENABLED_LINUXKM_PIE ENABLED_ASM \
+        src_libwolfssl_la_OBJECTS ENABLED_CRYPT_TESTS ENABLED_LINUXKM_LKCAPI_REGISTER \
+        ENABLED_LINUXKM_PIE ENABLED_ASM \
        CFLAGS_FPU_DISABLE CFLAGS_FPU_ENABLE CFLAGS_SIMD_DISABLE CFLAGS_SIMD_ENABLE \
        CFLAGS_AUTO_VECTORIZE_DISABLE CFLAGS_AUTO_VECTORIZE_ENABLE \
        ASFLAGS_FPU_DISABLE_SIMD_ENABLE ASFLAGS_FPU_ENABLE_SIMD_DISABLE \
--- a/300
+++ b/300
@ -70,130 +70,214 @@ should be used for the enum name.

 *** end Notes ***

-# wolfSSL Release 5.7.6 (Dec 31, 2024)
+# wolfSSL Release 5.8.0 (Apr 24, 2025)

-Release 5.7.6 has been developed according to wolfSSL's development and QA
+Release 5.8.0 has been developed according to wolfSSL's development and QA
 process (see link below) and successfully passed the quality criteria.
 https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

-NOTE:
- * --enable-heapmath is deprecated.
- * In this release, the default cipher suite preference is updated to prioritize
- TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 when enabled.
- * This release adds a sanity check for including wolfssl/options.h or
- user_settings.h.
-
+NOTE: * --enable-heapmath is deprecated

 PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request
 number where the code change was added.


-## Vulnerabilities
-* [Med] An OCSP (non stapling) issue was introduced in wolfSSL version 5.7.4
- when performing OCSP requests for intermediate certificates in a certificate
- chain. This affects only TLS 1.3 connections on the server side. It would not
- impact other TLS protocol versions or connections that are not using the
- traditional OCSP implementation. (Fix in pull request 8115)
-
-
 ## New Feature Additions
-* Add support for RP2350 and improve RP2040 support, both with RNG optimizations
- (PR 8153)
-* Add support for STM32MP135F, including STM32CubeIDE support and HAL support
- for SHA2/SHA3/AES/RNG/ECC optimizations. (PR 8223, 8231, 8241)
-* Implement Renesas TSIP RSA Public Enc/Private support (PR 8122)
-* Add support for Fedora/RedHat system-wide crypto-policies (PR 8205)
-* Curve25519 generic keyparsing API added with  wc_Curve25519KeyToDer and
- wc_Curve25519KeyDecode (PR 8129)
-* CRL improvements and update callback, added the functions
- wolfSSL_CertManagerGetCRLInfo and wolfSSL_CertManagerSetCRLUpdate_Cb (PR 8006)
-* For DTLS, add server-side stateless and CID quality-of-life API. (PR 8224)
+* Algorithm registration in the Linux kernel module for all supported FIPS AES,
+ SHA, HMAC, ECDSA, ECDH, and RSA modes, key sizes, and digest sizes.
+* Implemented various fixes to support building for Open Watcom including OS/2
+ support and Open Watcom 1.9 compatibility (PR 8505, 8484)
+* Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488)
+* Added support for STM32WBA (PR 8550)
+* Added Extended Master Secret Generation Callback to the --enable-pkcallbacks
+ build (PR 8303)
+* Implement AES-CTS (configure flag --enable-aescts) in wolfCrypt (PR 8594)
+* Added support for libimobiledevice commit 860ffb (PR 8373)
+* Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD
+ (PR 8307)
+* Added blinding option when using a Curve25519 private key by defining the
+ macro WOLFSSL_CURVE25519_BLINDING (PR 8392)
+
+
+## Linux Kernel Module
+* Production-ready LKCAPI registration for cbc(aes), cfb(aes), gcm(aes),
+ rfc4106 (gcm(aes)), ctr(aes), ofb(aes), and ecb(aes), ECDSA with P192, P256,
+ P384, and P521 curves, ECDH with P192, P256, and P384 curves, and RSA with
+ bare and PKCS1 padding
+* Various fixes for LKCAPI wrapper for AES-CBC and AES-CFB (PR 8534, 8552)
+* Adds support for the legacy one-shot AES-GCM back end (PR 8614, 8567) for
+ compatibility with FIPS 140-3 Cert #4718.
+* On kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override
+ macro (PR 8654)
+* Update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit
+ 7450ebd29c (merged for Linux 6.15) (PR 8667)
+* Inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (PR 8673)
+* Fix for uninitialized build error with fedora (PR 8569)
+* Register ecdsa, ecdh, and rsa for use with linux kernel crypto (PR 8637, 8663,
+ 8646)
+* Added force zero shared secret buffer, and clear of old key with ecdh
+ (PR 8685)
+* Update fips-check.sh script to pickup XTS streaming support on aarch64 and
+ disable XTS-384 as an allowed use in FIPS mode (PR 8509, 8546)


 ## Enhancements and Optimizations
-* Add a CMake dependency check for pthreads when required. (PR 8162)
-* Update OS_Seed declarations for legacy compilers and FIPS modules (boundary
- not affected). (PR 8170)
-* Enable WOLFSSL_ALWAYS_KEEP_SNI by default when using --enable-jni. (PR 8283)
-* Change the default cipher suite preference, prioritizing
- TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256. (PR 7771)
-* Add SRTP-KDF (FIPS module v6.0.0) to checkout script for release bundling
- (PR 8215)
-* Make library build when no hardware crypto available for Aarch64 (PR 8293)
-* Update assembly code to avoid `uint*_t` types for better compatibility with
- older C standards. (PR 8133)
-* Add initial documentation for writing ASN template code to decode BER/DER.
- (PR 8120)
-* Perform full reduction in sc_muladd for EdDSA with Curve448 (PR 8276)
-* Allow SHA-3 hardware cryptography instructions to be explicitly not used in
- MacOS builds (PR 8282)
-* Make Kyber and ML-KEM available individually and together. (PR 8143)
-* Update configuration options to include Kyber/ML-KEM and fix defines used in
- wolfSSL_get_curve_name. (PR 8183)
-* Make GetShortInt available with WOLFSSL_ASN_EXTRA (PR 8149)
-* Improved test coverage and minor improvements of X509 (PR 8176)
-* Add sanity checks for configuration methods, ensuring the inclusion of
- wolfssl/options.h or user_settings.h. (PR 8262)
-* Enable support for building without TLS (NO_TLS). Provides reduced code size
- option for non-TLS users who want features like the certificate manager or
- compatibility layer. (PR 8273)
-* Exposed get_verify functions with OPENSSL_EXTRA. (PR 8258)
-* ML-DSA/Dilithium: obtain security level from DER when decoding (PR 8177)
-* Implementation for using PKCS11 to retrieve certificate for SSL CTX (PR 8267)
-* Add support for the RFC822 Mailbox attribute (PR 8280)
-* Initialize variables and adjust types resolve warnings with Visual Studio in
- Windows builds. (PR 8181)
-* Refactors and expansion of opensslcoexist build (PR 8132, 8216, 8230)
-* Add DTLS 1.3 interoperability, libspdm and DTLS CID interoperability tests
- (PR 8261, 8255, 8245)
-* Remove trailing error exit code in wolfSSL install setup script (PR 8189)
-* Update Arduino files for wolfssl 5.7.4 (PR 8219)
-* Improve Espressif SHA HW/SW mutex messages (PR 8225)
-* Apply post-5.7.4 release updates for Espressif Managed Component examples
- (PR 8251)
-* Expansion of c89 conformance (PR 8164)
-* Added configure option for additional sanity checks with --enable-faultharden
- (PR 8289)
-* Aarch64 ASM additions to check CPU features before hardware crypto instruction
- use (PR 8314)
+
+### Security & Cryptography
+* Add constant-time implementation improvements for encoding functions. We thank
+ Zhiyuan and Gilles for sharing a new constant-time analysis tool (CT-LLVM) and
+ reporting several non-constant-time implementations. (PR 8396, 8617)
+* Additional support for PKCS7 verify and decode with indefinite lengths
+ (PR 8520, 834, 8645)
+* Add more PQC hybrid key exchange algorithms such as support for combinations
+ with X25519 and X448 enabling compatibility with the PQC key exchange support
+ in Chromium browsers and Mozilla Firefox (PR 7821)
+* Add short-circuit comparisons to DH key validation for RFC 7919 parameters
+ (PR 8335)
+* Improve FIPS compatibility with various build configurations for more resource
+ constrained builds (PR 8370)
+* Added option to disable ECC public key order checking (PR 8581)
+* Allow critical alt and basic constraints extensions (PR 8542)
+* New codepoint for MLDSA to help with interoperability (PR 8393)
+* Add support for parsing trusted PEM certs having the header
+ “BEGIN_TRUSTED_CERT” (PR 8400)
+* Add support for parsing only of DoD certificate policy and Comodo Ltd PKI OIDs
+ (PR 8599, 8686)
+* Update ssl code in `src/*.c` to be consistent with wolfcrypt/src/asn.c
+ handling of ML_DSA vs Dilithium and add dual alg. test (PR 8360, 8425)
+
+### Build System, Configuration, CI & Protocols
+* Internal refactor for include of config.h and when building with
+ BUILDING_WOLFSSL macro. This refactor will give a warning of “deprecated
+ function” when trying to improperly use an internal API of wolfSSL in an
+ external application. (PR 8640, 8647, 8660, 8662, 8664)
+* Add WOLFSSL_CLU option to CMakeLists.txt (PR 8548)
+* Add CMake and Zephyr support for XMSS and LMS (PR 8494)
+* Added GitHub CI for CMake builds (PR 8439)
+* Added necessary macros when building wolfTPM Zephyr with wolfSSL (PR 8382)
+* Add MSYS2 build continuous integration test (PR 8504)
+* Update DevKitPro doc to list calico dependency with build commands (PR 8607)
+* Conversion compiler warning fixes and additional continuous integration test
+ added (PR 8538)
+* Enable DTLS 1.3 by default in --enable-jni builds (PR 8481)
+* Enabled TLS 1.3 middlebox compatibility by default for --enable-jni builds
+ (PR 8526)
+
+### Performance Improvements
+* Performance improvements AES-GCM and HMAC (in/out hash copy) (PR 8429)
+* LMS fixes and improvements adding API to get Key ID from raw private key,
+ change to identifiers to match standard, and fix for when
+ WOLFSSL_LMS_MAX_LEVELS is 1 (PR 8390, 8684, 8613, 8623)
+* ML-KEM/Kyber improvements and fixes; no malloc builds, small memory usage,
+ performance improvement, fix for big-endian (PR 8397, 8412, 8436, 8467, 8619,
+ 8622, 8588)
+* Performance improvements for AES-GCM and when doing multiple HMAC operations
+ (PR 8445)
+
+### Assembly and Platform-Specific Enhancements
+* Poly1305 arm assembly changes adding ARM32 NEON implementation and fix for
+ Aarch64 use (PR 8344, 8561, 8671)
+* Aarch64 assembly enhancement to use more CPU features, fix for FreeBSD/OpenBSD
+ (PR 8325, 8348)
+* Only perform ARM assembly CPUID checks if support was enabled at build time
+ (PR 8566)
+* Optimizations for ARM32 assembly instructions on platforms less than ARMv7
+ (PR 8395)
+* Improve MSVC feature detection for static assert macros (PR 8440)
+* Improve Espressif make and CMake for ESP8266 and ESP32 series (PR 8402)
+* Espressif updates for Kconfig, ESP32P4 and adding a sample user_settings.h
+ (PR 8422, PR 8641)
+
+### OpenSSL Compatibility Layer
+* Modification to the push/pop to/from in OpenSSL compatibility layer. This is
+ a pretty major API change in the OpenSSL compatibility stack functions.
+ Previously the API would push/pop from the beginning of the list but now they
+ operate on the tail of the list. This matters when using the sk_value with
+ index values. (PR 8616)
+* OpenSSL Compat Layer: OCSP response improvements (PR 8408, 8498)
+* Expand the OpenSSL compatibility layer to include an implementation of
+ BN_CTX_get (PR 8388)
+
+### API Additions and Modifications
+* Refactor Hpke to allow multiple uses of a context instead of just one shot
+ mode (PR 6805)
+* Add support for PSK client callback with Ada and use with Alire (thanks
+ @mgrojo, PR 8332, 8606)
+* Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs and add
+ functions wolfSSL_CTX_SetEchConfigs and wolfSSL_CTX_SetEchConfigsBase64 to
+ rotate the server's echConfigs (PR 8556)
+* Added the public API wc_PkcsPad to do PKCS padding (PR 8502)
+* Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate (PR 8518)
+* Update Kyber APIs to ML-KEM APIs (PR 8536)
+* Add option to disallow automatic use of "default" devId using the macro
+ WC_NO_DEFAULT_DEVID (PR 8555)
+* Detect unknown key format on ProcessBufferTryDecode() and handle RSA-PSSk
+ format (PR 8630)
+
+### Porting and Language Support
+* Update Python port to support version 3.12.6 (PR 8345)
+* New additions for MAXQ with wolfPKCS11 (PR 8343)
+* Port to ntp 4.2.8p17 additions (PR 8324)
+* Add version 0.9.14 to tested libvncserver builds (PR 8337)
+
+### General Improvements and Cleanups
+* Cleanups for STM32 AES GCM (PR 8584)
+* Improvements to isascii() and the CMake key log option (PR 8596)
+* Arduino documentation updates, comments and spelling corrections (PR 8381,
+ 8384, 8514)
+* Expanding builds with WOLFSSL_NO_REALLOC for use with --enable-opensslall and
+ --enable-all builds (PR 8369, 8371)


 ## Fixes
-* Fix a memory issue when using the compatibility layer with
- WOLFSSL_GENERAL_NAME and handling registered ID types. (PR 8155)
-* Fix a build issue with signature fault hardening when using public key
- callbacks (HAVE_PK_CALLBACKS). (PR 8287)
-* Fix for handling heap hint pointer properly when managing multiple WOLFSSL_CTX
- objects and free’ing one of them (PR 8180)
-* Fix potential memory leak in error case with Aria. (PR 8268)
-* Fix Set_Verify flag behaviour on Ada wrapper. (PR 8256)
-* Fix a compilation error with the NO_WOLFSSL_DIR flag. (PR 8294)
-* Resolve a corner case for Poly1305 assembly code on Aarch64. (PR 8275)
-* Fix incorrect version setting in CSRs. (PR 8136)
-* Correct debugging output for cryptodev. (PR 8202)
-* Fix for benchmark application use with /dev/crypto GMAC auth error due to size
- of AAD (PR 8210)
-* Add missing checks for the initialization of sp_int/mp_int with DSA to free
- memory properly in error cases. (PR 8209)
-* Fix return value of wolfSSL_CTX_set_tlsext_use_srtp (8252)
-* Check Root CA by Renesas TSIP before adding it to ca-table (PR 8101)
-* Prevent adding a certificate to the CA cache for Renesas builds if it does not
- set CA:TRUE in basic constraints. (PR 8060)
-* Fix attribute certificate holder entityName parsing. (PR 8166)
-* Resolve build issues for configurations without any wolfSSL/openssl
- compatibility layer headers. (PR 8182)
-* Fix for building SP RSA small and RSA public only (PR 8235)
-* Fix for Renesas RX TSIP RSA Sign/Verify with wolfCrypt only (PR 8206)
-* Fix to ensure all files have settings.h included (like wc_lms.c) and guards
- for building all `*.c` files (PR 8257 and PR 8140)
-* Fix x86 target build issues in Visual Studio for non-Windows operating
- systems. (PR 8098)
-* Fix wolfSSL_X509_STORE_get0_objects to handle no CA (PR 8226)
-* Properly handle reference counting when adding to the X509 store. (PR 8233)
-* Fix for various typos and improper size used with FreeRTOS_bind in the Renesas
- example. Thanks to Hongbo for the report on example issues. (PR 7537)
-* Fix for potential heap use after free with wolfSSL_PEM_read_bio_PrivateKey.
- Thanks to Peter for the issue reported. (PR 8139)
+* Fix a use after free caused by an early free on error in the X509 store
+ (PR 8449)
+* Fix to account for existing PKCS8 header with
+ wolfSSL_PEM_write_PKCS8PrivateKey (PR 8612)
+* Fixed failing CMake build issue when standard threads support is not found in
+ the system (PR 8485)
+* Fix segmentation fault in SHA-512 implementation for AVX512 targets built with
+ gcc -march=native -O2 (PR 8329)
+* Fix Windows socket API compatibility warning with mingw32 build (PR 8424)
+* Fix potential null pointer increments in cipher list parsing (PR 8420)
+* Fix for possible stack buffer overflow read with wolfSSL_SMIME_write_PKCS7.
+ Thanks to the team at Code Intelligence for the report. (PR 8466)
+* Fix AES ECB implementation for Aarch64 ARM assembly (PR 8379)
+* Fixed building with VS2008 and .NET 3.5 (PR 8621)
+* Fixed possible error case memory leaks in CRL and EVP_Sign_Final (PR 8447)
+* Fixed SSL_set_mtu compatibility function return code (PR 8330)
+* Fixed Renesas RX TSIP (PR 8595)
+* Fixed ECC non-blocking tests (PR 8533)
+* Fixed CMake on MINGW and MSYS (PR 8377)
+* Fixed Watcom compiler and added new CI test (PR 8391)
+* Fixed STM32 PKA ECC 521-bit support (PR 8450)
+* Fixed STM32 PKA with P521 and shared secret (PR 8601)
+* Fixed crypto callback macro guards with `DEBUG_CRYPTOCB` (PR 8602)
+* Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
+ (PR 8575)
+* Additional sanity check on r and s lengths in DecodeECC_DSA_Sig_Bin (PR 8350)
+* Fix compat. layer ASN1_TIME_diff to accept NULL output params (PR 8407)
+* Fix CMake lean_tls build (PR 8460)
+* Fix for QUIC callback failure (PR 8475)
+* Fix missing alert types in AlertTypeToString for print out with debugging
+ enabled (PR 8572)
+* Fixes for MSVS build issues with PQC configure (PR 8568)
+* Fix for SE050 port and minor improvements (PR 8431, 8437)
+* Fix for missing rewind function in zephyr and add missing files for compiling
+ with assembly optimizations (PR 8531, 8541)
+* Fix for quic_record_append to return the correct code (PR 8340, 8358)
+* Fixes for Bind 9.18.28 port (PR 8331)
+* Fix to adhere more closely with RFC8446 Appendix D and set haveEMS when
+ negotiating TLS 1.3 (PR 8487)
+* Fix to properly check for signature_algorithms from the client in a TLS 1.3
+ server (PR 8356)
+* Fix for when BIO data is less than seq buffer size. Thanks to the team at Code
+ Intelligence for the report (PR 8426)
+* ARM32/Thumb2 fixes for WOLFSSL_NO_VAR_ASSIGN_REG and td4 variable declarations
+ (PR 8590, 8635)
+* Fix for Intel AVX1/SSE2 assembly to not use vzeroupper instructions unless ymm
+ or zmm registers are used (PR 8479)
+* Entropy MemUse fix for when block size less than update bits (PR 8675)


 For additional vulnerability information visit the vulnerability page at:
--- a/README.md
+++ b/README.md
@ -14,7 +14,7 @@ OpenSSL.

 wolfSSL is powered by the wolfCrypt cryptography library. Two versions of
 wolfCrypt have been FIPS 140-2 validated (Certificate #2425 and
-certificate #3389). FIPS 140-3 validation is in progress. For additional
+certificate #3389). FIPS 140-3 validated (Certificate #4718). For additional
 information, visit the [wolfCrypt FIPS FAQ](https://www.wolfssl.com/license/fips/)
 or contact fips@wolfssl.com.

@ -75,131 +75,214 @@ single call hash function. Instead the name `WC_SHA`, `WC_SHA256`, `WC_SHA384` a
 `WC_SHA512` should be used for the enum name.


-# wolfSSL Release 5.7.6 (Dec 31, 2024)
+# wolfSSL Release 5.8.0 (Apr 24, 2025)

-Release 5.7.6 has been developed according to wolfSSL's development and QA
+Release 5.8.0 has been developed according to wolfSSL's development and QA
 process (see link below) and successfully passed the quality criteria.
 https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance

-NOTE:
- * --enable-heapmath is deprecated.
- * In this release, the default cipher suite preference is updated to prioritize
- TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256 when enabled.
- * This release adds a sanity check for including wolfssl/options.h or
- user_settings.h.
-
+NOTE: * --enable-heapmath is deprecated

 PR stands for Pull Request, and PR <NUMBER> references a GitHub pull request
 number where the code change was added.


-## Vulnerabilities
-* [Med] An OCSP (non stapling) issue was introduced in wolfSSL version 5.7.4
- when performing OCSP requests for intermediate certificates in a certificate
- chain. This affects only TLS 1.3 connections on the server side. It would not
- impact other TLS protocol versions or connections that are not using the
- traditional OCSP implementation. (Fix in pull request 8115)
-
-
 ## New Feature Additions
-* Add support for RP2350 and improve RP2040 support, both with RNG optimizations
- (PR 8153)
-* Add support for STM32MP135F, including STM32CubeIDE support and HAL support
- for SHA2/SHA3/AES/RNG/ECC optimizations. (PR 8223, 8231, 8241)
-* Implement Renesas TSIP RSA Public Enc/Private support (PR 8122)
-* Add support for Fedora/RedHat system-wide crypto-policies (PR 8205)
-* Curve25519 generic keyparsing API added with  wc_Curve25519KeyToDer and
- wc_Curve25519KeyDecode (PR 8129)
-* CRL improvements and update callback, added the functions
- wolfSSL_CertManagerGetCRLInfo and wolfSSL_CertManagerSetCRLUpdate_Cb (PR 8006)
-* For DTLS, add server-side stateless and CID quality-of-life API. (PR 8224)
+* Algorithm registration in the Linux kernel module for all supported FIPS AES,
+ SHA, HMAC, ECDSA, ECDH, and RSA modes, key sizes, and digest sizes.
+* Implemented various fixes to support building for Open Watcom including OS/2
+ support and Open Watcom 1.9 compatibility (PR 8505, 8484)
+* Added support for STM32H7S (tested on NUCLEO-H7S3L8) (PR 8488)
+* Added support for STM32WBA (PR 8550)
+* Added Extended Master Secret Generation Callback to the --enable-pkcallbacks
+ build (PR 8303)
+* Implement AES-CTS (configure flag --enable-aescts) in wolfCrypt (PR 8594)
+* Added support for libimobiledevice commit 860ffb (PR 8373)
+* Initial ASCON hash256 and AEAD128 support based on NIST SP 800-232 IPD
+ (PR 8307)
+* Added blinding option when using a Curve25519 private key by defining the
+ macro WOLFSSL_CURVE25519_BLINDING (PR 8392)
+
+
+## Linux Kernel Module
+* Production-ready LKCAPI registration for cbc(aes), cfb(aes), gcm(aes),
+ rfc4106 (gcm(aes)), ctr(aes), ofb(aes), and ecb(aes), ECDSA with P192, P256,
+ P384, and P521 curves, ECDH with P192, P256, and P384 curves, and RSA with
+ bare and PKCS1 padding
+* Various fixes for LKCAPI wrapper for AES-CBC and AES-CFB (PR 8534, 8552)
+* Adds support for the legacy one-shot AES-GCM back end (PR 8614, 8567) for
+ compatibility with FIPS 140-3 Cert #4718.
+* On kernel >=6.8, for CONFIG_FORTIFY_SOURCE, use 5-arg fortify_panic() override
+ macro (PR 8654)
+* Update calls to scatterwalk_map() and scatterwalk_unmap() for linux commit
+ 7450ebd29c (merged for Linux 6.15) (PR 8667)
+* Inhibit LINUXKM_LKCAPI_REGISTER_ECDH on kernel <5.13 (PR 8673)
+* Fix for uninitialized build error with fedora (PR 8569)
+* Register ecdsa, ecdh, and rsa for use with linux kernel crypto (PR 8637, 8663,
+ 8646)
+* Added force zero shared secret buffer, and clear of old key with ecdh
+ (PR 8685)
+* Update fips-check.sh script to pickup XTS streaming support on aarch64 and
+ disable XTS-384 as an allowed use in FIPS mode (PR 8509, 8546)


 ## Enhancements and Optimizations
-* Add a CMake dependency check for pthreads when required. (PR 8162)
-* Update OS_Seed declarations for legacy compilers and FIPS modules (boundary
- not affected). (PR 8170)
-* Enable WOLFSSL_ALWAYS_KEEP_SNI by default when using --enable-jni. (PR 8283)
-* Change the default cipher suite preference, prioritizing
- TLS_AES_256_GCM_SHA384 over TLS_AES_128_GCM_SHA256. (PR 7771)
-* Add SRTP-KDF (FIPS module v6.0.0) to checkout script for release bundling
- (PR 8215)
-* Make library build when no hardware crypto available for Aarch64 (PR 8293)
-* Update assembly code to avoid `uint*_t` types for better compatibility with
- older C standards. (PR 8133)
-* Add initial documentation for writing ASN template code to decode BER/DER.
- (PR 8120)
-* Perform full reduction in sc_muladd for EdDSA with Curve448 (PR 8276)
-* Allow SHA-3 hardware cryptography instructions to be explicitly not used in
- MacOS builds (PR 8282)
-* Make Kyber and ML-KEM available individually and together. (PR 8143)
-* Update configuration options to include Kyber/ML-KEM and fix defines used in
- wolfSSL_get_curve_name. (PR 8183)
-* Make GetShortInt available with WOLFSSL_ASN_EXTRA (PR 8149)
-* Improved test coverage and minor improvements of X509 (PR 8176)
-* Add sanity checks for configuration methods, ensuring the inclusion of
- wolfssl/options.h or user_settings.h. (PR 8262)
-* Enable support for building without TLS (NO_TLS). Provides reduced code size
- option for non-TLS users who want features like the certificate manager or
- compatibility layer. (PR 8273)
-* Exposed get_verify functions with OPENSSL_EXTRA. (PR 8258)
-* ML-DSA/Dilithium: obtain security level from DER when decoding (PR 8177)
-* Implementation for using PKCS11 to retrieve certificate for SSL CTX (PR 8267)
-* Add support for the RFC822 Mailbox attribute (PR 8280)
-* Initialize variables and adjust types resolve warnings with Visual Studio in
- Windows builds. (PR 8181)
-* Refactors and expansion of opensslcoexist build (PR 8132, 8216, 8230)
-* Add DTLS 1.3 interoperability, libspdm and DTLS CID interoperability tests
- (PR 8261, 8255, 8245)
-* Remove trailing error exit code in wolfSSL install setup script (PR 8189)
-* Update Arduino files for wolfssl 5.7.4 (PR 8219)
-* Improve Espressif SHA HW/SW mutex messages (PR 8225)
-* Apply post-5.7.4 release updates for Espressif Managed Component examples
- (PR 8251)
-* Expansion of c89 conformance (PR 8164)
-* Added configure option for additional sanity checks with --enable-faultharden
- (PR 8289)
-* Aarch64 ASM additions to check CPU features before hardware crypto instruction
- use (PR 8314)
+
+### Security & Cryptography
+* Add constant-time implementation improvements for encoding functions. We thank
+ Zhiyuan and Gilles for sharing a new constant-time analysis tool (CT-LLVM) and
+ reporting several non-constant-time implementations. (PR 8396, 8617)
+* Additional support for PKCS7 verify and decode with indefinite lengths
+ (PR 8520, 834, 8645)
+* Add more PQC hybrid key exchange algorithms such as support for combinations
+ with X25519 and X448 enabling compatibility with the PQC key exchange support
+ in Chromium browsers and Mozilla Firefox (PR 7821)
+* Add short-circuit comparisons to DH key validation for RFC 7919 parameters
+ (PR 8335)
+* Improve FIPS compatibility with various build configurations for more resource
+ constrained builds (PR 8370)
+* Added option to disable ECC public key order checking (PR 8581)
+* Allow critical alt and basic constraints extensions (PR 8542)
+* New codepoint for MLDSA to help with interoperability (PR 8393)
+* Add support for parsing trusted PEM certs having the header
+ “BEGIN_TRUSTED_CERT” (PR 8400)
+* Add support for parsing only of DoD certificate policy and Comodo Ltd PKI OIDs
+ (PR 8599, 8686)
+* Update ssl code in `src/*.c` to be consistent with wolfcrypt/src/asn.c
+ handling of ML_DSA vs Dilithium and add dual alg. test (PR 8360, 8425)
+
+### Build System, Configuration, CI & Protocols
+* Internal refactor for include of config.h and when building with
+ BUILDING_WOLFSSL macro. This refactor will give a warning of “deprecated
+ function” when trying to improperly use an internal API of wolfSSL in an
+ external application. (PR 8640, 8647, 8660, 8662, 8664)
+* Add WOLFSSL_CLU option to CMakeLists.txt (PR 8548)
+* Add CMake and Zephyr support for XMSS and LMS (PR 8494)
+* Added GitHub CI for CMake builds (PR 8439)
+* Added necessary macros when building wolfTPM Zephyr with wolfSSL (PR 8382)
+* Add MSYS2 build continuous integration test (PR 8504)
+* Update DevKitPro doc to list calico dependency with build commands (PR 8607)
+* Conversion compiler warning fixes and additional continuous integration test
+ added (PR 8538)
+* Enable DTLS 1.3 by default in --enable-jni builds (PR 8481)
+* Enabled TLS 1.3 middlebox compatibility by default for --enable-jni builds
+ (PR 8526)
+
+### Performance Improvements
+* Performance improvements AES-GCM and HMAC (in/out hash copy) (PR 8429)
+* LMS fixes and improvements adding API to get Key ID from raw private key,
+ change to identifiers to match standard, and fix for when
+ WOLFSSL_LMS_MAX_LEVELS is 1 (PR 8390, 8684, 8613, 8623)
+* ML-KEM/Kyber improvements and fixes; no malloc builds, small memory usage,
+ performance improvement, fix for big-endian (PR 8397, 8412, 8436, 8467, 8619,
+ 8622, 8588)
+* Performance improvements for AES-GCM and when doing multiple HMAC operations
+ (PR 8445)
+
+### Assembly and Platform-Specific Enhancements
+* Poly1305 arm assembly changes adding ARM32 NEON implementation and fix for
+ Aarch64 use (PR 8344, 8561, 8671)
+* Aarch64 assembly enhancement to use more CPU features, fix for FreeBSD/OpenBSD
+ (PR 8325, 8348)
+* Only perform ARM assembly CPUID checks if support was enabled at build time
+ (PR 8566)
+* Optimizations for ARM32 assembly instructions on platforms less than ARMv7
+ (PR 8395)
+* Improve MSVC feature detection for static assert macros (PR 8440)
+* Improve Espressif make and CMake for ESP8266 and ESP32 series (PR 8402)
+* Espressif updates for Kconfig, ESP32P4 and adding a sample user_settings.h
+ (PR 8422, PR 8641)
+
+### OpenSSL Compatibility Layer
+* Modification to the push/pop to/from in OpenSSL compatibility layer. This is
+ a pretty major API change in the OpenSSL compatibility stack functions.
+ Previously the API would push/pop from the beginning of the list but now they
+ operate on the tail of the list. This matters when using the sk_value with
+ index values. (PR 8616)
+* OpenSSL Compat Layer: OCSP response improvements (PR 8408, 8498)
+* Expand the OpenSSL compatibility layer to include an implementation of
+ BN_CTX_get (PR 8388)
+
+### API Additions and Modifications
+* Refactor Hpke to allow multiple uses of a context instead of just one shot
+ mode (PR 6805)
+* Add support for PSK client callback with Ada and use with Alire (thanks
+ @mgrojo, PR 8332, 8606)
+* Change wolfSSL_CTX_GenerateEchConfig to generate multiple configs and add
+ functions wolfSSL_CTX_SetEchConfigs and wolfSSL_CTX_SetEchConfigsBase64 to
+ rotate the server's echConfigs (PR 8556)
+* Added the public API wc_PkcsPad to do PKCS padding (PR 8502)
+* Add NULL_CIPHER_TYPE support to wolfSSL_EVP_CipherUpdate (PR 8518)
+* Update Kyber APIs to ML-KEM APIs (PR 8536)
+* Add option to disallow automatic use of "default" devId using the macro
+ WC_NO_DEFAULT_DEVID (PR 8555)
+* Detect unknown key format on ProcessBufferTryDecode() and handle RSA-PSSk
+ format (PR 8630)
+
+### Porting and Language Support
+* Update Python port to support version 3.12.6 (PR 8345)
+* New additions for MAXQ with wolfPKCS11 (PR 8343)
+* Port to ntp 4.2.8p17 additions (PR 8324)
+* Add version 0.9.14 to tested libvncserver builds (PR 8337)
+
+### General Improvements and Cleanups
+* Cleanups for STM32 AES GCM (PR 8584)
+* Improvements to isascii() and the CMake key log option (PR 8596)
+* Arduino documentation updates, comments and spelling corrections (PR 8381,
+ 8384, 8514)
+* Expanding builds with WOLFSSL_NO_REALLOC for use with --enable-opensslall and
+ --enable-all builds (PR 8369, 8371)


 ## Fixes
-* Fix a memory issue when using the compatibility layer with
- WOLFSSL_GENERAL_NAME and handling registered ID types. (PR 8155)
-* Fix a build issue with signature fault hardening when using public key
- callbacks (HAVE_PK_CALLBACKS). (PR 8287)
-* Fix for handling heap hint pointer properly when managing multiple WOLFSSL_CTX
- objects and free’ing one of them (PR 8180)
-* Fix potential memory leak in error case with Aria. (PR 8268)
-* Fix Set_Verify flag behaviour on Ada wrapper. (PR 8256)
-* Fix a compilation error with the NO_WOLFSSL_DIR flag. (PR 8294)
-* Resolve a corner case for Poly1305 assembly code on Aarch64. (PR 8275)
-* Fix incorrect version setting in CSRs. (PR 8136)
-* Correct debugging output for cryptodev. (PR 8202)
-* Fix for benchmark application use with /dev/crypto GMAC auth error due to size
- of AAD (PR 8210)
-* Add missing checks for the initialization of sp_int/mp_int with DSA to free
- memory properly in error cases. (PR 8209)
-* Fix return value of wolfSSL_CTX_set_tlsext_use_srtp (8252)
-* Check Root CA by Renesas TSIP before adding it to ca-table (PR 8101)
-* Prevent adding a certificate to the CA cache for Renesas builds if it does not
- set CA:TRUE in basic constraints. (PR 8060)
-* Fix attribute certificate holder entityName parsing. (PR 8166)
-* Resolve build issues for configurations without any wolfSSL/openssl
- compatibility layer headers. (PR 8182)
-* Fix for building SP RSA small and RSA public only (PR 8235)
-* Fix for Renesas RX TSIP RSA Sign/Verify with wolfCrypt only (PR 8206)
-* Fix to ensure all files have settings.h included (like wc_lms.c) and guards
- for building all `*.c` files (PR 8257 and PR 8140)
-* Fix x86 target build issues in Visual Studio for non-Windows operating
- systems. (PR 8098)
-* Fix wolfSSL_X509_STORE_get0_objects to handle no CA (PR 8226)
-* Properly handle reference counting when adding to the X509 store. (PR 8233)
-* Fix for various typos and improper size used with FreeRTOS_bind in the Renesas
- example. Thanks to Hongbo for the report on example issues. (PR 7537)
-* Fix for potential heap use after free with wolfSSL_PEM_read_bio_PrivateKey.
- Thanks to Peter for the issue reported. (PR 8139)
-
+* Fix a use after free caused by an early free on error in the X509 store
+ (PR 8449)
+* Fix to account for existing PKCS8 header with
+ wolfSSL_PEM_write_PKCS8PrivateKey (PR 8612)
+* Fixed failing CMake build issue when standard threads support is not found in
+ the system (PR 8485)
+* Fix segmentation fault in SHA-512 implementation for AVX512 targets built with
+ gcc -march=native -O2 (PR 8329)
+* Fix Windows socket API compatibility warning with mingw32 build (PR 8424)
+* Fix potential null pointer increments in cipher list parsing (PR 8420)
+* Fix for possible stack buffer overflow read with wolfSSL_SMIME_write_PKCS7.
+ Thanks to the team at Code Intelligence for the report. (PR 8466)
+* Fix AES ECB implementation for Aarch64 ARM assembly (PR 8379)
+* Fixed building with VS2008 and .NET 3.5 (PR 8621)
+* Fixed possible error case memory leaks in CRL and EVP_Sign_Final (PR 8447)
+* Fixed SSL_set_mtu compatibility function return code (PR 8330)
+* Fixed Renesas RX TSIP (PR 8595)
+* Fixed ECC non-blocking tests (PR 8533)
+* Fixed CMake on MINGW and MSYS (PR 8377)
+* Fixed Watcom compiler and added new CI test (PR 8391)
+* Fixed STM32 PKA ECC 521-bit support (PR 8450)
+* Fixed STM32 PKA with P521 and shared secret (PR 8601)
+* Fixed crypto callback macro guards with `DEBUG_CRYPTOCB` (PR 8602)
+* Fix outlen return for RSA private decrypt with WOLF_CRYPTO_CB_RSA_PAD
+ (PR 8575)
+* Additional sanity check on r and s lengths in DecodeECC_DSA_Sig_Bin (PR 8350)
+* Fix compat. layer ASN1_TIME_diff to accept NULL output params (PR 8407)
+* Fix CMake lean_tls build (PR 8460)
+* Fix for QUIC callback failure (PR 8475)
+* Fix missing alert types in AlertTypeToString for print out with debugging
+ enabled (PR 8572)
+* Fixes for MSVS build issues with PQC configure (PR 8568)
+* Fix for SE050 port and minor improvements (PR 8431, 8437)
+* Fix for missing rewind function in zephyr and add missing files for compiling
+ with assembly optimizations (PR 8531, 8541)
+* Fix for quic_record_append to return the correct code (PR 8340, 8358)
+* Fixes for Bind 9.18.28 port (PR 8331)
+* Fix to adhere more closely with RFC8446 Appendix D and set haveEMS when
+ negotiating TLS 1.3 (PR 8487)
+* Fix to properly check for signature_algorithms from the client in a TLS 1.3
+ server (PR 8356)
+* Fix for when BIO data is less than seq buffer size. Thanks to the team at Code
+ Intelligence for the report (PR 8426)
+* ARM32/Thumb2 fixes for WOLFSSL_NO_VAR_ASSIGN_REG and td4 variable declarations
+ (PR 8590, 8635)
+* Fix for Intel AVX1/SSE2 assembly to not use vzeroupper instructions unless ymm
+ or zmm registers are used (PR 8479)
+* Entropy MemUse fix for when block size less than update bits (PR 8675)

 For additional vulnerability information visit the vulnerability page at:
 https://www.wolfssl.com/docs/security-vulnerabilities/
--- a/certs/external/baltimore-cybertrust-root.pem
+++ b/certs/external/baltimore-cybertrust-root.pem
@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----
--- a/certs/external/ca_collection.pem
+++ b/certs/external/ca_collection.pem
@ -1,80 +1,3 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 33554617 (0x20000b9)
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
-        Validity
-            Not Before: May 12 18:46:00 2000 GMT
-            Not After : May 12 23:59:00 2025 GMT
-        Subject: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:a3:04:bb:22:ab:98:3d:57:e8:26:72:9a:b5:79:
-                    d4:29:e2:e1:e8:95:80:b1:b0:e3:5b:8e:2b:29:9a:
-                    64:df:a1:5d:ed:b0:09:05:6d:db:28:2e:ce:62:a2:
-                    62:fe:b4:88:da:12:eb:38:eb:21:9d:c0:41:2b:01:
-                    52:7b:88:77:d3:1c:8f:c7:ba:b9:88:b5:6a:09:e7:
-                    73:e8:11:40:a7:d1:cc:ca:62:8d:2d:e5:8f:0b:a6:
-                    50:d2:a8:50:c3:28:ea:f5:ab:25:87:8a:9a:96:1c:
-                    a9:67:b8:3f:0c:d5:f7:f9:52:13:2f:c2:1b:d5:70:
-                    70:f0:8f:c0:12:ca:06:cb:9a:e1:d9:ca:33:7a:77:
-                    d6:f8:ec:b9:f1:68:44:42:48:13:d2:c0:c2:a4:ae:
-                    5e:60:fe:b6:a6:05:fc:b4:dd:07:59:02:d4:59:18:
-                    98:63:f5:a5:63:e0:90:0c:7d:5d:b2:06:7a:f3:85:
-                    ea:eb:d4:03:ae:5e:84:3e:5f:ff:15:ed:69:bc:f9:
-                    39:36:72:75:cf:77:52:4d:f3:c9:90:2c:b9:3d:e5:
-                    c9:23:53:3f:1f:24:98:21:5c:07:99:29:bd:c6:3a:
-                    ec:e7:6e:86:3a:6b:97:74:63:33:bd:68:18:31:f0:
-                    78:8d:76:bf:fc:9e:8e:5d:2a:86:a7:4d:90:dc:27:
-                    1a:39
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Subject Key Identifier: 
-                E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:3
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-    Signature Algorithm: sha1WithRSAEncryption
-         85:0c:5d:8e:e4:6f:51:68:42:05:a0:dd:bb:4f:27:25:84:03:
-         bd:f7:64:fd:2d:d7:30:e3:a4:10:17:eb:da:29:29:b6:79:3f:
-         76:f6:19:13:23:b8:10:0a:f9:58:a4:d4:61:70:bd:04:61:6a:
-         12:8a:17:d5:0a:bd:c5:bc:30:7c:d6:e9:0c:25:8d:86:40:4f:
-         ec:cc:a3:7e:38:c6:37:11:4f:ed:dd:68:31:8e:4c:d2:b3:01:
-         74:ee:be:75:5e:07:48:1a:7f:70:ff:16:5c:84:c0:79:85:b8:
-         05:fd:7f:be:65:11:a3:0f:c0:02:b4:f8:52:37:39:04:d5:a9:
-         31:7a:18:bf:a0:2a:f4:12:99:f7:a3:45:82:e3:3c:5e:f5:9d:
-         9e:b5:c8:9e:7c:2e:c8:a4:9e:4e:08:14:4b:6d:fd:70:6d:6b:
-         1a:63:bd:64:e6:1f:b7:ce:f0:f2:9f:2e:bb:1b:b7:f2:50:88:
-         73:92:c2:e2:e3:16:8d:9a:32:02:ab:8e:18:dd:e9:10:11:ee:
-         7e:35:ab:90:af:3e:30:94:7a:d0:33:3d:a7:65:0f:f5:fc:8e:
-         9e:62:cf:47:44:2c:01:5d:bb:1d:b5:32:d2:47:d2:38:2e:d0:
-         fe:81:dc:32:6a:1e:b5:ee:3c:d5:fc:e7:81:1d:19:c3:24:42:
-         ea:63:39:a9
-----BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----
 Certificate:
    Data:
        Version: 3 (0x2)
--- a/certs/external/include.am
+++ b/certs/external/include.am
@ -6,7 +6,6 @@ EXTRA_DIST += \
 	     certs/external/ca-globalsign-root.pem \
 	     certs/external/ca-google-root.pem \
 	     certs/external/ca-digicert-ev.pem \
-	     certs/external/baltimore-cybertrust-root.pem \
 	     certs/external/README.txt \
 	     certs/external/DigiCertGlobalRootCA.pem \
 	     certs/external/ca_collection.pem
--- a/certs/fpki-certpol-cert.der
+++ b/certs/fpki-certpol-cert.der
--- a/certs/include.am
+++ b/certs/include.am
@ -53,6 +53,7 @@ EXTRA_DIST += \
             certs/wolfssl-website-ca.pem \
             certs/test-degenerate.p7b \
             certs/test-stream-sign.p7b \
+             certs/test-stream-dec.p7b \
             certs/test-ber-exp02-05-2022.p7b \
             certs/test-servercert.p12 \
             certs/test-servercert-rc2.p12 \
@ -74,6 +75,7 @@ EXTRA_DIST += \
             certs/x942dh2048.der \
             certs/x942dh2048.pem \
             certs/fpki-cert.der \
+             certs/fpki-certpol-cert.der \
             certs/rid-cert.der \
             certs/dh-priv-2048.der \
             certs/dh-priv-2048.pem \
--- a/certs/ocsp/include.am
+++ b/certs/ocsp/include.am
@ -36,4 +36,5 @@ EXTRA_DIST += \
        certs/ocsp/test-response.der \
        certs/ocsp/test-response-rsapss.der \
        certs/ocsp/test-response-nointern.der \
-        certs/ocsp/test-multi-response.der
+        certs/ocsp/test-multi-response.der \
+        certs/ocsp/test-leaf-response.der
--- a/certs/ocsp/renewcerts.sh
+++ b/certs/ocsp/renewcerts.sh
@ -100,6 +100,16 @@ openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -cert
 kill $PID
 wait $PID

+# Create a response DER buffer for testing leaf certificate
+openssl ocsp -port 22221 -ndays 1000 -index \
+./index-intermediate1-ca-issued-certs.txt -rsigner ocsp-responder-cert.pem \
+-rkey ocsp-responder-key.pem -CA intermediate1-ca-cert.pem -partial_chain &
+PID=$!
+sleep 1 # Make sure server is ready
+
+openssl ocsp -issuer ./intermediate1-ca-cert.pem -cert ./server1-cert.pem -url http://localhost:22221/ -respout test-leaf-response.der -noverify
+kill $PID
+wait $PID

 # now start up a responder that signs using rsa-pss
 openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss &
--- a/certs/ocsp/test-leaf-response.der
+++ b/certs/ocsp/test-leaf-response.der
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@ -29,6 +29,7 @@
 #                       client-crl-dist.pem
 #                       entity-no-ca-bool-cert.pem
 #                       fpki-cert.der
+#                       fpki-certpol-cert.der
 #                       rid-cert.der
 # updates the following crls:
 #                       crl/cliCrl.pem
@ -373,6 +374,20 @@ run_renewcerts(){
    echo "End of section"
    echo "---------------------------------------------------------------------"
    ###########################################################
+    ########## update and sign fpki-certpol-cert.der ################
+    ###########################################################
+    echo "Updating fpki-certpol-cert.der"
+    echo ""
+    #pipe the following arguments to openssl req...
+    echo -e "US\\nMontana\\nBozeman\\nwolfSSL\\nFPKI\\nwww.wolfssl.com\\ninfo@wolfssl.com\\n.\\n.\\n" | openssl req -new -key server-key.pem -config ./wolfssl.cnf -nodes > fpki-certpol-req.pem
+    check_result $? "Step 1"
+
+    openssl x509 -req -in fpki-certpol-req.pem -extfile wolfssl.cnf -extensions fpki_ext_certpol -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out fpki-certpol-cert.der -outform DER
+    check_result $? "Step 2"
+    rm fpki-certpol-req.pem
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+    ###########################################################
    ########## update and sign rid-cert.der ################
    ###########################################################
    echo "Updating rid-cert.der"
@ -858,6 +873,11 @@ run_renewcerts(){
    openssl smime -sign -in ./ca-cert.pem -out test-stream-sign.p7b -signer ./ca-cert.pem -nodetach -nocerts -binary -outform DER -stream -inkey ./ca-key.pem
    check_result $? ""

+    echo "Creating test-stream-dec.p7b..."
+    echo ""
+    openssl cms -encrypt -in ca-cert.pem -recip client-cert.pem -out test-stream-dec.p7b -outform DER -stream
+    check_result $? ""
+
    echo "End of section"
    echo "---------------------------------------------------------------------"

--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@ -355,6 +355,18 @@ subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
 policyConstraints = requireExplicitPolicy:0
 2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt

+[fpki_ext_certpol]
+basicConstraints = CA:FALSE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, clientAuth, 1.3.6.1.4.1.311.20.2.2, 1.3.6.1.5.2.3.4, 1.3.6.1.5.5.7.3.21
+subjectAltName = @FASC_UUID_altname
+certificatePolicies = 1.3.6.1.4.1.6449.1.2.1.3.4, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.40, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.2.1.11.5, 2.16.840.1.101.2.1.11.9, 2.16.840.1.101.2.1.11.10, 2.16.840.1.101.2.1.11.17, 2.16.840.1.101.2.1.11.18, 2.16.840.1.101.2.1.11.19, 2.16.840.1.101.2.1.11.20, 2.16.840.1.101.2.1.11.31, 2.16.840.1.101.2.1.11.36, 2.16.840.1.101.2.1.11.37, 2.16.840.1.101.2.1.11.38, 2.16.840.1.101.2.1.11.39, 2.16.840.1.101.2.1.11.40, 2.16.840.1.101.2.1.11.41, 2.16.840.1.101.2.1.11.42, 2.16.840.1.101.2.1.11.43, 2.16.840.1.101.2.1.11.44, 2.16.840.1.101.2.1.11.59, 2.16.840.1.101.2.1.11.60, 2.16.840.1.101.2.1.11.61, 2.16.840.1.101.2.1.11.62, 2.16.840.1.101.3.2.1.12.1, 2.16.840.1.101.3.2.1.12.2, 2.16.840.1.101.3.2.1.12.3, 2.16.840.1.101.3.2.1.12.4, 2.16.840.1.101.3.2.1.12.5, 2.16.840.1.101.3.2.1.12.6, 2.16.840.1.101.3.2.1.12.8, 2.16.840.1.101.3.2.1.12.9, 2.16.840.1.101.3.2.1.12.10, 2.16.840.1.101.3.2.1.3.4, 2.16.840.1.101.3.2.1.3.7, 2.16.840.1.101.3.2.1.3.12, 2.16.840.1.101.3.2.1.3.13, 2.16.840.1.101.3.2.1.3.16, 2.16.840.1.101.3.2.1.3.18, 2.16.840.1.101.3.2.1.3.20, 2.16.840.1.101.3.2.1.3.36, 2.16.840.1.101.3.2.1.3.38, 2.16.840.1.101.3.2.1.3.39, 2.16.840.1.101.3.2.1.3.41, 2.16.840.1.101.3.2.1.3.45, 2.16.840.1.101.3.2.1.3.47, 2.16.840.1.101.3.2.1.6.1, 2.16.840.1.101.3.2.1.6.2, 2.16.840.1.101.3.2.1.6.3, 2.16.840.1.101.3.2.1.6.4, 2.16.840.1.101.3.2.1.6.12, 2.16.840.1.101.3.2.1.6.38, 2.16.840.1.101.3.2.1.5.4, 2.16.840.1.101.3.2.1.5.5, 2.16.840.1.101.3.2.1.5.10, 2.16.840.1.101.3.2.1.5.12, 1.3.6.1.4.1.73.15.3.1.12, 1.3.6.1.4.1.73.15.3.1.17, 1.3.6.1.4.1.45606.3.1.12, 1.3.6.1.4.1.45606.3.1.20, 1.3.6.1.4.1.45606.3.1.22, 1.3.6.1.4.1.25054.3.1.12, 1.3.6.1.4.1.25054.3.1.14, 1.3.6.1.4.1.25054.3.1.20, 1.3.6.1.4.1.25054.3.1.22, 1.3.6.1.4.1.24019.1.1.1.2, 1.3.6.1.4.1.24019.1.1.1.3, 1.3.6.1.4.1.24019.1.1.1.7, 1.3.6.1.4.1.24019.1.1.1.9, 1.3.6.1.4.1.24019.1.1.1.18, 1.3.6.1.4.1.24019.1.1.1.19, 1.3.6.1.4.1.38099.1.1.1.2, 1.3.6.1.4.1.38099.1.1.1.5, 1.3.6.1.4.1.38099.1.1.1.7, 2.16.840.1.113733.1.7.23.3.1.7, 2.16.840.1.113733.1.7.23.3.1.13, 2.16.840.1.113733.1.7.23.3.1.18, 2.16.840.1.113733.1.7.23.3.1.20, 2.16.840.1.113733.1.7.23.3.1.36, 2.16.840.1.114027.200.3.10.7.2, 2.16.840.1.114027.200.3.10.7.4, 2.16.840.1.114027.200.3.10.7.6, 2.16.840.1.114027.200.3.10.7.9, 2.16.840.1.114027.200.3.10.7.16, 1.3.6.1.4.1.13948.1.1.1.6, 2.16.840.1.113839.0.100.12.1, 2.16.840.1.113839.0.100.12.2, 2.16.840.1.113839.0.100.18.0, 2.16.840.1.113839.0.100.18.1, 2.16.840.1.113839.0.100.18.2, 2.16.840.1.113839.0.100.20.1, 1.3.6.1.4.1.103.100.1.1.3.3, 1.3.6.1.4.1.16334.509.2.8, 1.3.6.1.4.1.16334.509.2.9, 1.3.6.1.4.1.16334.509.2.11, 1.3.6.1.4.1.16334.509.2.14, 1.3.6.1.4.1.1569.10.1.12, 1.3.6.1.4.1.1569.10.1.18, 1.3.6.1.4.1.26769.10.1.12, 1.3.6.1.4.1.26769.10.1.18, 1.3.6.1.4.1.3922.1.1.1.12, 1.3.6.1.4.1.3922.1.1.1.18, 1.3.6.1.4.1.3922.1.1.1.20, 1.3.6.1.4.1.3922.1.1.1.38, 1.2.36.1.334.1.2.1.2, 1.2.36.1.334.1.2.1.3, 1.2.36.1.334.1.2.2.2, 2.16.528.1.1003.1.2.5.1, 2.16.528.1.1003.1.2.5.2, 2.16.528.1.1003.1.2.5.3, 2.16.840.1.101.3.2.1.48.11, 2.16.840.1.101.3.2.1.48.13, 2.16.840.1.101.3.2.1.48.86, 2.16.840.1.101.3.2.1.48.109, 2.16.840.1.101.3.2.1.48.110
+subjectDirectoryAttributes = ASN1:SEQUENCE:SubjDirAttr
+policyConstraints = requireExplicitPolicy:0
+2.16.840.1.101.3.6.10.1 = ASN1:SEQUENCE:PIVCertExt
+
 # using example UUID from RFC4122
 [FASC_UUID_altname]
 otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:facts@wolfssl.com
--- a/certs/test-stream-dec.p7b
+++ b/certs/test-stream-dec.p7b
--- a/Show More
+++ b/Show More