path: root/science/geant4/(developers-only)
author: Santhosh Raju <fox@FreeBSD.org> 2026-04-12 11:32:11 +0000
committer: Santhosh Raju <fox@FreeBSD.org> 2026-04-12 11:33:05 +0000
commit: 102850d8287cc2481e23d2e53894603c90ae98c9 (patch)
tree: 367719a85582a46cc3849667787784bc38002817 /science/geant4/(developers-only)
parent: 4c7dd4b780f9a5a56d2ebd23c271b72a1873c7fe (diff)

security/wolfssl: Update to 5.9.1 (HEAD, main)
Changes since 5.9.0:

To download the release bundle of wolfSSL visit the download page at www.wolfssl.com/download/

PR stands for Pull Request, and PR references a GitHub pull request number where the code change was added.

NOTE: --enable-heapmath is deprecated.
NOTE: MD5 is now disabled by default.

Vulnerabilities

* [Critical CVE-2026-5194] Missing hash/digest size and OID checks allow digests smaller than allowed by FIPS 186-4 or 186-5, or smaller than appropriate for the relevant key type, to be accepted by signature verification functions. Affects ECDSA/ECC, DSA, ML-DSA, ED25519, and ED448. Builds with ECC and EdDSA or ML-DSA enabled doing certificate verification should update. Fixed in PR 10131.
* [High CVE-2026-5264] Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message to trigger a heap buffer overflow. Fixed in PR 10076.
* [High CVE-2026-5263] URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification. A malicious sub-CA could issue leaf certificates with URI SAN entries that violate issuing CA nameConstraints. Fixed in PR 10048.
* [High CVE-2026-5295] Stack buffer overflow in PKCS7 ORI OID processing. A crafted ORI OID value in a PKCS7 envelope can trigger a stack-based buffer overflow. Fixed in PR 10116.
* [High CVE-2026-5466] wolfSSL ECCSI signature verifier wc_VerifyEccsiHash decodes r and s scalars with no check that they lie in [1, q-1]. A crafted forged signature could verify against any message for any identity using only public constants. Fixed in PR 10102.
* [High CVE-2026-5477] Potential AES-EAX AEAD and CMAC authentication bypass on messages larger than 4 GiB. An attacker observing one valid (ciphertext, tag) pair for a >4 GiB EAX message can replace the first 4 GiB of ciphertext while the tag still verifies. Fixed in PR 10102.
* [High CVE-2026-5447] Heap buffer overflow in CertFromX509 via AuthorityKeyIdentifier size confusion. Fixed in PR 10112.
* [High CVE-2026-5500] wc_PKCS7_DecodeAuthEnvelopedData() does not sanitize the AES-GCM authentication tag length and has no lower bounds check. A MITM can truncate the mac field from 16 bytes to 1 byte, reducing the tag check from 2^-128 to 2^-8. Fixed in PR 10102.
* [High CVE-2026-5501] wolfSSL_X509_verify_cert() in the OpenSSL compatibility layer accepts a chain where the leaf signature is not checked if an attacker supplies an untrusted intermediate with Basic Constraints CA:FALSE signed by a trusted root. Limited to applications using the OpenSSL compatibility API directly. Fixed in PR 10102.
* [High CVE-2026-5503] In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL, causing TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX. TLSX_EchRestoreSNI then failed to clean it up, causing memcpy 255 bytes past the allocation boundary. Fixed in PR 10102.
* [High CVE-2026-5479] ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal fails to verify the authentication tag before returning plaintext to the caller when using the EVP API. Fixed in PR 10102.
* [Med CVE-2026-5392] Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an OOB read via the indefinite-length end-of-content verification loop. Affects builds with PKCS7 enabled. Fixed in PR 10039.
* [Med CVE-2026-5446] ARIA-GCM nonce reuse in TLS 1.2 record encryption. Only affects builds with --enable-aria. Fixed in PR 10111.
* [Med CVE-2026-5460] Malicious TLS 1.3 server sending a ServerHello with a truncated PQC hybrid KeyShare can trigger a double-free of the KyberKey in the error cleanup path. Fixed in PR 10092.
* [Med CVE-2026-5504] Padding oracle in wolfSSL PKCS7 CBC decryption where interior padding bytes are not validated. Fixed in PR 10088.
* [Med CVE-2026-5507] When restoring a session from cache, a pointer from serialized session data is used in a free operation without validation. Requires ability to inject a crafted session into the cache. Fixed in PR 10088.
* [Low CVE-2026-5187] Heap out-of-bounds write in DecodeObjectId() caused by an off-by-one bounds check and sizeof mismatch. Fixed in PR 10025.
* [Low CVE-2026-5188] Integer underflow in Subject Alternative Name (SAN) extension parsing. Only affects builds using the original ASN.1 parsing implementation (off by default). Fixed in PR 10024.
* [Low CVE-2026-5448] X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore when parsing crafted certificates via the compatibility layer. Fixed in PR 10071.
* [Low CVE-2026-5772] 1-byte stack buffer over-read in MatchDomainName when processing wildcard patterns with LEFT_MOST_WILDCARD_ONLY active. Fixed in PR 10119.
* [Low CVE-2026-5778] Integer underflow in ChaCha20-Poly1305 decryption path when a malformed TLS 1.2 record payload is shorter than the AEAD MAC size. Only affects sniffer builds. Fixed in PR 10125.

Experimental Build Vulnerability

* [Med CVE-2026-5393] CVE-2026-5393 Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs is used when building wolfSSL. Thanks to Sunwoo Lee, Woohyun Choi, and Seunghyun Yoon (Korea Institute of Energy Technology, KENTECH) for testing the fix. Fixed in PR 10079.

New Features

* Enable PQC algorithm ML-KEM (FIPS203) on by default. (PR 9732)
* Add brainpool curve support to wolfSSL_CTX_set1_sigalgs_list. (PR 9993)
* Implement wolfSSL_Atomic_Int_Exchange(). (PR 10036)
* Add GPLv2 license exception for VDE (Virtual Distributed Ethernet). (PR 10107)
* Add DTLS 1.3/TLS 1.3 write-dup (Duplicate SSL) support so the read-side can delegate post-handshake work to the write-side. (PR 10006)

Post-Quantum Cryptography (PQC)

* Fix Dilithium API to use byte type for context length parameters, enforcing the 0-255 byte constraint. (PR 10010)
* Fix benchmarking for ML-DSA with static memory enabled. (PR 9970)
* Add checks to verify the private key is set before performing private key operations in Ed25519, Ed448, ML-DSA, and ML-KEM. (PR 10083)
* Add buffer size and callback validation checks to wc_LmsKey_Sign. (PR 10084)
* Fix out-of-bounds shift in ML-DSA by ensuring cast before large shift operations. (PR 10096)
* Zeroize sensitive memory buffers in the ML-DSA implementation. (PR 10100, 10113)
* Fix undefined behavior in SLH-DSA key initialization by casting to unsigned before left shift. (PR 10104)
* Guard legacy non-context ML-DSA API behind WOLFSSL_DILITHIUM_NO_CTX, making the context-aware FIPS 204 API the default. (PR 10047)

TLS/DTLS

* Fix handling of OCSP_WANT_READ return in TLS 1.3 handshake message type processing. (PR 9995)
* Fix HPKE implementation where KDF digest was incorrectly used for the KEM; refactor HPKE code out of TLS/ECH into dedicated functions. (PR 9999)
* Fix DTLS 1.3 ServerHello to not echo legacy_session_id. (PR 10007)
* Fix TLS 1.3 server accepting mismatched ciphersuite in second ClientHello after HelloRetryRequest. (PR 10034)
* Fix possible memory leak in ECC non-blocking crypto within TLS. (PR 10065)
* Fix multiple correctness issues in DTLS 1.3 and TLS 1.3 including wrong return values, missing bounds checks, PSK identity buffer overread, swapped server/client parameters in finished secret derivation, and NULL dereference in SM3 exporter path. (PR 10117)

ASN and Certificate Parsing

* Add wolfSSL_check_ip_address() for filtering connections based on SAN IP address entries. (PR 9935)
* Add host name verification from verification context when calling wolfSSL_X509_verify_cert. (PR 9952)
* Move non-template (WOLFSSL_ASN_ORIGINAL) code into asn_orig.c. (PR 9920)
* Fix potential null pointer dereferences in ASN parsing code. (PR 9990)
* Remove FIPS-conditional guards from GetASN_BitString length check so validation applies in all builds. (PR 10027)
* Add validation to reject negative ASN.1 integers in CRL number fields during decoding. (PR 10087)

Hardware and Embedded Ports

* Fix SE050 integration: route RSA-PSS sign/verify through software path to prevent double-hashing, release persistent key slots on free, and add missing mutex unlock before early returns. (PR 9912)
* Fix LMS and XMSS compilation when WOLFSSL_NO_HASH_RAW is defined. (PR 9946)
* Fix issues in MAX32666 tests. (PR 10035)
* Fix buffer overflows, key material exposure, mutex leaks, and logic errors across hardware crypto port backends. (PR 10080)

Rust Wrapper

* Release version 1.2.0 of the wolfssl-wolfcrypt Rust crate. (PR 9953)
* Update Rust wrapper build script to support cross-compiling and bare-metal targets including RISC-V. (PR 10031)

Build System and Portability

* Remove default declaration of WC_ALLOC_DO_ON_FAILURE. (PR 9905)
* Refactor wc_Hash* so known wc_HashType values are unconditionally defined in enum wc_HashType and return HASH_TYPE_E if gated out or used improperly. (PR 9937)
* Remove forced enabling of MD5 when building with --enable-jni so MD5 can be explicitly disabled in FIPS builds. (PR 10011)
* Add __extension__ to wc_debug_trace_error_codes_enabled() variant to inhibit false positive -pedantic errors in GCC. (PR 10041)
* Fix IAR compiler warnings about undefined volatile access order by reading volatile values into local copies before use. (PR 10045)
* Automatically enable WOLFSSL_SP_4096 when WOLFSSL_HAVE_SP_DH is defined under --enable-usersettings. (PR 10054)
* Extend WC_MAYBE_UNUSED macro to cover GCC versions greater than 3. (PR 10101)
* Fix compile error when building with --enable-crl and --disable-ecc. (PR 10118)
* Fix -Wcast-qual hygiene in wolfCrypt. (PR 10120)

Bug Fixes

* Fix stack memory tracking for the wolfCrypt benchmark. (PR 9983)
* Fix bug in FillSigner where pubKeyStored and subjectCNStored flags were not cleared after transferring pointers from a DecodedCert to a signer. (PR 10033)
* Fix heap overflow in ssl_DecodePacketInternal caused by silent truncation when summing 64-bit iov_len values into a 32-bit integer. (PR 10017)
* Add bounds check in GetSafeContent to prevent unsigned integer underflow in content size calculation. (PR 10018)
* Fix potential double free in non-blocking async handling within ASN parsing. (PR 10022)
* Fix stack buffer overflow in RSA exponent print via wolfSSL_EVP_PKEY_print_public. (PR 10088)
* Fix sanity check on hashLen provided to wc_dilithium_verify_ctx_hash. (PR 10131)
* Disallow wildcard partial domains in MatchDomainName. (PR 9991)
* Fix buffer underflow when zero-length size is passed to devcrypto AES-CBC. (PR 10005)
* Route BIO_ctrl_pending, BIO_reset, and BIO_get_mem_data through custom method ctrlCb when set. (PR 10004)
* Fix multiple issues in SP integer implementation including negative number handling, missing bounds checks, and re-implement wc_PKCS12_PBKDF() without MP. (PR 10020)
* Fix x86_64 AES-XTS register clobbering and ARM32 multiply/accumulate source register bugs, plus assembly label and mnemonic fixes across AES, ChaCha, SHA-3, SHA-512, ML-KEM, and Curve25519. (PR 10023)
* Fix SP non-blocking ECC mont_inv_order where last bit was not processed during modular inverse computation. (PR 10044)
* Add bounds check to prevent OOB access when parsing end-of-content octets in PKCS7 streaming indefinite-length encoding. (PR 10039)
* Refactor wc_PKCS12_PBKDF_ex() "Increment B by 1" loop to avoid bugprone-inc-dec-in-conditions. (PR 10059)
* Fix OpenSSL compatibility layer ASN1_INTEGER and ASN1_STRING struct compatibility. (PR 10089)
* Fix potential data truncation in wc_XChaCha20Poly1305_crypt_oneshot() by replacing long int casts with size_t. (PR 10091)
* Fix error handling in Linux kernel AES AEAD glue code so scatterwalk_map failures correctly propagate an error. (PR 9996)
* Fix DTLS Fragment Reassembly to not read uninitialized heap contents. (PR 10090)
* Fix DTLS 1.3 word16 truncation on handshake send size. (PR 10103)
* Fix invalid-pointer-pair memory errors reported by clang sanitizer. (PR 10095)
* Harden default builds by enabling ECC curve validation unconditionally, removing dependency on USE_ECC_B_PARAM. (PR 10133)

Documentation and Maintenance

* Add inline Doxygen documentation for previously undocumented macros across TLS, cryptography, and ASN source files; fix spelling errors throughout the codebase. (PR 9992)
* Fix typos in SSL API function argument descriptions. (PR 10021)
* Update documentation to reflect support for both FIPS 140-2 and FIPS 140-3. (PR 10061)
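The CVE-2026-5466 entry in the commit message above describes a signature verifier that accepted r and s scalars without checking that they lie in [1, q-1]. The following is an added example, written for this page and not taken from wolfSSL or the FreeBSD port, of the kind of range check a verifier needs before using decoded scalars. It works on big-endian byte strings of any length, so leading zero bytes and encodings longer or shorter than q are handled; the group order SAMPLE_Q is a constructed two-byte placeholder, not a real curve order.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Compare two big-endian unsigned integers that may have different lengths.
 * Leading zero bytes are skipped so {0x00, 0x05} and {0x05} compare equal.
 * Returns -1 if a < b, 0 if a == b, 1 if a > b. */
static int be_cmp(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    while (alen > 0 && a[0] == 0) { a++; alen--; }
    while (blen > 0 && b[0] == 0) { b++; blen--; }
    if (alen != blen)
        return alen < blen ? -1 : 1;
    if (alen == 0)
        return 0;                       /* both are zero */
    int r = memcmp(a, b, alen);         /* same length: lexicographic == numeric */
    return r < 0 ? -1 : (r > 0 ? 1 : 0);
}

/* Return 1 if the big-endian scalar s satisfies 1 <= s <= q-1, else 0.
 * Rejecting s == 0 and s >= q is the check the changelog entry describes
 * as missing; a zero or out-of-range scalar must never reach the
 * group arithmetic of a verifier. */
int scalar_in_range(const uint8_t *s, size_t slen,
                    const uint8_t *q, size_t qlen)
{
    unsigned nonzero = 0;
    for (size_t i = 0; i < slen; i++)
        nonzero |= s[i];                /* OR all bytes: s >= 1 iff any is set */
    if (nonzero == 0)
        return 0;
    return be_cmp(s, slen, q, qlen) < 0; /* s < q */
}

/* Constructed placeholder group order for illustration: q = 0x0101 = 257.
 * A real verifier would use the order of the curve or group in use. */
static const uint8_t SAMPLE_Q[] = { 0x01, 0x01 };

/* Check both scalars of an (r, s) signature against SAMPLE_Q.
 * Returns 1 only when both are in [1, q-1]. */
int signature_scalars_ok(const uint8_t *r, size_t rlen,
                         const uint8_t *s, size_t slen)
{
    return scalar_in_range(r, rlen, SAMPLE_Q, sizeof SAMPLE_Q)
        && scalar_in_range(s, slen, SAMPLE_Q, sizeof SAMPLE_Q);
}
```

The comparison deliberately normalises lengths before comparing, because signature encodings (DER INTEGERs in particular) may carry a leading 0x00 or be shorter than the group order; a check that only compared fixed-width buffers would either reject valid signatures or, worse, accept a padded out-of-range value.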
Diffstat (limited to 'science/geant4/(developers-only)'): 0 files changed, 0 insertions, 0 deletions