Update wolfSSL and networking code

Uses MEM2 for downloads, improves timeout handling and adds proxy support.
2024-11-22 03:09:15 +01:00 · 2020-11-08 21:29:44 +00:00 · 2020-11-08 21:29:44 +00:00 · 1129a26b44
commit 1129a26b44
parent 4440574baa
102 changed files with 3454 additions and 5486 deletions
--- a/Languages/czech.lang
+++ b/Languages/czech.lang
@ -2058,6 +2058,9 @@ msgstr "Synchronizuji ..."
 msgid "System Default"
 msgstr "Puvodní nastavení systému"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Cínsky"
--- a/Languages/danish.lang
+++ b/Languages/danish.lang
@ -2058,6 +2058,9 @@ msgstr "Synkronisere..."
 msgid "System Default"
 msgstr "System-standard"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Kinesisk (trad.)"
--- a/Languages/dutch.lang
+++ b/Languages/dutch.lang
@ -2058,6 +2058,9 @@ msgstr "Synchroniseren..."
 msgid "System Default"
 msgstr "Systeem standaard"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Chinees Trad."
--- a/Languages/english.lang
+++ b/Languages/english.lang
@ -2058,6 +2058,9 @@ msgstr ""
 msgid "System Default"
 msgstr ""
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr ""
--- a/Languages/finnish.lang
+++ b/Languages/finnish.lang
@ -2058,6 +2058,9 @@ msgstr ""
 msgid "System Default"
 msgstr "Wiin oletus"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "TKiina"
--- a/Languages/french.lang
+++ b/Languages/french.lang
@ -2058,6 +2058,9 @@ msgstr "Synchronisation..."
 msgid "System Default"
 msgstr "Console par défaut"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Chinois traditionnel"
--- a/Languages/german.lang
+++ b/Languages/german.lang
@ -2058,6 +2058,9 @@ msgstr "Synchronisiere..."
 msgid "System Default"
 msgstr "Konsolenstandard"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Traditionelles Chinesisch"
--- a/Languages/greek.lang
+++ b/Languages/greek.lang
@ -2058,6 +2058,9 @@ msgstr "Συγχρονισμός..."
 msgid "System Default"
 msgstr "Βασικό-η συστήματος"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Παραδοσιακά κινέζικα"
--- a/Languages/hungarian.lang
+++ b/Languages/hungarian.lang
@ -2058,6 +2058,9 @@ msgstr ""
 msgid "System Default"
 msgstr "Rendszer Alapértelmezett"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Tradicionális Kínai"
--- a/Languages/italian.lang
+++ b/Languages/italian.lang
@ -2058,6 +2058,9 @@ msgstr "Sincronizzando..."
 msgid "System Default"
 msgstr "Predefinita del sistema"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Cinese tradizionale"
--- a/Languages/japanese.lang
+++ b/Languages/japanese.lang
@ -2058,6 +2058,9 @@ msgstr "同期中です..."
 msgid "System Default"
 msgstr "Wiiの初期値"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "繁体中国語"
--- a/Languages/korean.lang
+++ b/Languages/korean.lang
@ -2052,6 +2052,9 @@ msgstr "동기화 중..."
 msgid "System Default"
 msgstr "기본 시스템"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "번체 중국어"
--- a/Languages/norwegian.lang
+++ b/Languages/norwegian.lang
@ -2058,6 +2058,9 @@ msgstr "Synkroniserer..."
 msgid "System Default"
 msgstr "System Standard"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "T.Kinesisk"
--- a/Languages/polish.lang
+++ b/Languages/polish.lang
@ -2058,6 +2058,9 @@ msgstr ""
 msgid "System Default"
 msgstr "Domyslne ustawienia systemowe"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "chinski"
--- a/Languages/portuguese_br.lang
+++ b/Languages/portuguese_br.lang
@ -2058,6 +2058,9 @@ msgstr "Sincronizando..."
 msgid "System Default"
 msgstr "Padrão"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Chinês"
--- a/Languages/portuguese_pt.lang
+++ b/Languages/portuguese_pt.lang
@ -2058,6 +2058,9 @@ msgstr "A sincronizar"
 msgid "System Default"
 msgstr "Predefinição Sistema"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Chinês Tradicional"
--- a/Languages/russian.lang
+++ b/Languages/russian.lang
@ -2058,6 +2058,9 @@ msgstr ""
 msgid "System Default"
 msgstr "По умолчанию"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Традиционный китайский"
--- a/Languages/schinese.lang
+++ b/Languages/schinese.lang
@ -2058,6 +2058,9 @@ msgstr "正在同步 ..."
 msgid "System Default"
 msgstr "系统默认"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "繁体中文"
--- a/Languages/spanish.lang
+++ b/Languages/spanish.lang
@ -2058,6 +2058,9 @@ msgstr "Sincronizando..."
 msgid "System Default"
 msgstr "Consola"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Chino Tradicional"
--- a/Languages/swedish.lang
+++ b/Languages/swedish.lang
@ -2058,6 +2058,9 @@ msgstr ""
 msgid "System Default"
 msgstr "Systemets standard"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "TKinesiska"
--- a/Languages/tchinese.lang
+++ b/Languages/tchinese.lang
@ -2058,6 +2058,9 @@ msgstr "正在同步..."
 msgid "System Default"
 msgstr "系統預設值"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "繁體中文"
--- a/Languages/thai.lang
+++ b/Languages/thai.lang
@ -2058,6 +2058,9 @@ msgstr ""
 msgid "System Default"
 msgstr "ค่าเริ่มต้นของระบบ"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "จีนโบราณ"
--- a/Languages/turkish.lang
+++ b/Languages/turkish.lang
@ -2058,6 +2058,9 @@ msgstr ""
 msgid "System Default"
 msgstr "Sistem Varsayılanı"
 msgid "System Proxy Settings"
 msgstr ""
 msgid "TChinese"
 msgstr "Geleneksel Çince"
--- a/source/language/UpdateLanguage.cpp
+++ b/source/language/UpdateLanguage.cpp
@ -83,7 +83,7 @@ int DownloadAllLanguageFiles(int revision)
 				fclose(pfile);
 				files_downloaded++;
 			}
-			free(file.data);
+			MEM2_free(file.data);
 		}
 	}
@ -151,7 +151,7 @@ int UpdateLanguageFiles()
 				fclose(pfile);
 				done++;
 			}
-			free(file.data);
+			MEM2_free(file.data);
 		}
 	}
--- a/source/libs/libwolfssl/certs_test.h
+++ b/source/libs/libwolfssl/certs_test.h
--- a/source/libs/libwolfssl/error-ssl.h
+++ b/source/libs/libwolfssl/error-ssl.h
@ -167,6 +167,8 @@ enum wolfSSL_ErrorCodes {
    CLIENT_CERT_CB_ERROR         = -436,   /* Client cert callback error */
    SSL_SHUTDOWN_ALREADY_DONE_E  = -437,   /* Shutdown called redundantly */
    TLS13_SECRET_CB_E            = -438,   /* TLS1.3 secret Cb fcn failure */
    DTLS_SIZE_ERROR              = -439,   /* Trying to send too much data */
    NO_CERT_ERROR                = -440,   /* TLS1.3 - no cert set error */
    /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */
--- a/source/libs/libwolfssl/internal.h
+++ b/source/libs/libwolfssl/internal.h
@ -72,6 +72,9 @@
 #ifndef NO_SHA256
    #include <libs/libwolfssl/wolfcrypt/sha256.h>
 #endif
 #if defined(WOLFSSL_SHA384)
    #include <libs/libwolfssl/wolfcrypt/sha512.h>
 #endif
 #ifdef HAVE_OCSP
    #include <libs/libwolfssl/ocsp.h>
 #endif
@ -183,8 +186,15 @@
    /* do nothing */
 #else
    #ifndef SINGLE_THREADED
-        #define WOLFSSL_PTHREADS
+        #if defined(WOLFSSL_LINUXKM)
-        #include <pthread.h>
+            #define WOLFSSL_KTHREADS
            #include <linux/kthread.h>
        #elif defined(WOLFSSL_USER_MUTEX)
            /* do nothing */
        #else
            #define WOLFSSL_PTHREADS
            #include <pthread.h>
        #endif
    #endif
    #if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM)
        #include <unistd.h>      /* for close of BIO */
@ -858,11 +868,13 @@
 #if defined(BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256) || \
    defined(BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) || \
    defined(BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) || \
    defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) || \
    defined(BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256) || \
    defined(BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256) || \
    defined(BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384) || \
    defined(BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384) || \
    defined(BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) || \
    defined(BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) || \
    defined(BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384) || \
    defined(BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384) || \
@ -906,7 +918,7 @@
    #define BUILD_DES3
 #endif
-#if defined(NO_AES) || defined(NO_AES_DECRYPT)
+#if defined(NO_AES) || !defined(HAVE_AES_DECRYPT)
    #define AES_BLOCK_SIZE 16
    #undef  BUILD_AES
 #else
@ -1165,7 +1177,8 @@ enum {
 #ifndef MAX_PSK_ID_LEN
    /* max psk identity/hint supported */
    #if defined(WOLFSSL_TLS13)
-        #define MAX_PSK_ID_LEN 256
+        /* OpenSSL has a 1472 byte sessiont ticket */
        #define MAX_PSK_ID_LEN 1536
    #else
        #define MAX_PSK_ID_LEN 128
    #endif
@ -1207,19 +1220,6 @@ enum Misc {
    TLSv1_2_MINOR   = 3,        /* TLSv1_2 minor version number */
    TLSv1_3_MINOR   = 4,        /* TLSv1_3 minor version number */
    TLS_DRAFT_MAJOR = 0x7f,     /* Draft TLS major version number */
 #ifdef WOLFSSL_TLS13_DRAFT
 #ifdef WOLFSSL_TLS13_DRAFT_18
    TLS_DRAFT_MINOR = 0x12,     /* Minor version number of TLS draft */
 #elif defined(WOLFSSL_TLS13_DRAFT_22)
    TLS_DRAFT_MINOR = 0x16,     /* Minor version number of TLS draft */
 #elif defined(WOLFSSL_TLS13_DRAFT_23)
    TLS_DRAFT_MINOR = 0x17,     /* Minor version number of TLS draft */
 #elif defined(WOLFSSL_TLS13_DRAFT_26)
    TLS_DRAFT_MINOR = 0x1a,     /* Minor version number of TLS draft */
 #else
    TLS_DRAFT_MINOR = 0x1c,     /* Minor version number of TLS draft */
 #endif
 #endif
    OLD_HELLO_ID    = 0x01,     /* SSLv2 Client Hello Indicator */
    INVALID_BYTE    = 0xff,     /* Used to initialize cipher specs values */
    NO_COMPRESSION  =  0,
@ -1355,10 +1355,21 @@ enum Misc {
    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
    MAX_SYM_KEY_SIZE    = AES_256_KEY_SIZE,
 #else
-    MAX_SYM_KEY_SIZE    = WC_MAX_SYM_KEY_SIZE,
+    #if defined(HAVE_NULL_CIPHER) && defined(WOLFSSL_TLS13)
        #if defined(WOLFSSL_SHA384) && WC_MAX_SYM_KEY_SIZE < 48
            MAX_SYM_KEY_SIZE    = WC_SHA384_DIGEST_SIZE,
        #elif !defined(NO_SHA256) && WC_MAX_SYM_KEY_SIZE < 32
            MAX_SYM_KEY_SIZE    = WC_SHA256_DIGEST_SIZE,
        #else
            MAX_SYM_KEY_SIZE    = WC_MAX_SYM_KEY_SIZE,
        #endif
    #else
        MAX_SYM_KEY_SIZE    = WC_MAX_SYM_KEY_SIZE,
    #endif
 #endif
-#ifdef HAVE_SELFTEST
+#if defined(HAVE_SELFTEST) && \
    (!defined(HAVE_SELFTEST_VERSION) || (HAVE_SELFTEST_VERSION < 2))
    #ifndef WOLFSSL_AES_KEY_SIZE_ENUM
    #define WOLFSSL_AES_KEY_SIZE_ENUM
    AES_IV_SIZE         = 16,
@ -1502,7 +1513,7 @@ enum Misc {
 /* number of items in the signature algo list */
 #ifndef WOLFSSL_MAX_SIGALGO
-    #define WOLFSSL_MAX_SIGALGO 32
+    #define WOLFSSL_MAX_SIGALGO 36
 #endif
@ -1590,6 +1601,7 @@ enum states {
    SERVER_HELLO_COMPLETE,
    SERVER_ENCRYPTED_EXTENSIONS_COMPLETE,
    SERVER_CERT_COMPLETE,
    SERVER_CERT_VERIFY_COMPLETE,
    SERVER_KEYEXCHANGE_COMPLETE,
    SERVER_HELLODONE_COMPLETE,
 	SERVER_CHANGECIPHERSPEC_COMPLETE,
@ -1622,14 +1634,14 @@ WOLFSSL_LOCAL ProtocolVersion MakeTLSv1_3(void);
    WOLFSSL_LOCAL ProtocolVersion MakeDTLSv1_2(void);
    #ifdef WOLFSSL_SESSION_EXPORT
-    WOLFSSL_LOCAL int wolfSSL_dtls_import_internal(WOLFSSL* ssl, byte* buf,
+    WOLFSSL_LOCAL int wolfSSL_dtls_import_internal(WOLFSSL* ssl, const byte* buf,
                                                                     word32 sz);
    WOLFSSL_LOCAL int wolfSSL_dtls_export_internal(WOLFSSL* ssl, byte* buf,
                                                                     word32 sz);
    WOLFSSL_LOCAL int wolfSSL_dtls_export_state_internal(WOLFSSL* ssl,
                                                          byte* buf, word32 sz);
    WOLFSSL_LOCAL int wolfSSL_dtls_import_state_internal(WOLFSSL* ssl,
-                                                          byte* buf, word32 sz);
+                                                    const byte* buf, word32 sz);
    WOLFSSL_LOCAL int wolfSSL_send_session(WOLFSSL* ssl);
    #endif
 #endif
@ -1657,6 +1669,10 @@ WOLFSSL_LOCAL int InitSSL_Side(WOLFSSL* ssl, word16 side);
 /* for sniffer */
 WOLFSSL_LOCAL int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                            word32 size, word32 totalSz, int sniff);
 #ifdef WOLFSSL_TLS13
 WOLFSSL_LOCAL int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                           word32 size, word32 totalSz, int sniff);
 #endif
 WOLFSSL_LOCAL int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx);
 /* TLS v1.3 needs these */
 WOLFSSL_LOCAL int  HandleTlsResumption(WOLFSSL* ssl, int bogusID,
@ -1688,16 +1704,15 @@ WOLFSSL_LOCAL void FreeSuites(WOLFSSL* ssl);
 WOLFSSL_LOCAL int  ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, word32 size);
 WOLFSSL_LOCAL int  MatchDomainName(const char* pattern, int len, const char* str);
 #ifndef NO_CERTS
-WOLFSSL_LOCAL int  CheckAltNames(DecodedCert* dCert, char* domain);
+WOLFSSL_LOCAL int  CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN);
-#ifdef OPENSSL_EXTRA
+WOLFSSL_LOCAL int  CheckIPAddr(DecodedCert* dCert, const char* ipasc);
 WOLFSSL_LOCAL int  CheckIPAddr(DecodedCert* dCert, char* ipasc);
 #endif
 #endif
 WOLFSSL_LOCAL int  CreateTicket(WOLFSSL* ssl);
-WOLFSSL_LOCAL int  HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz);
+WOLFSSL_LOCAL int  HashRaw(WOLFSSL* ssl, const byte* output, int sz);
 WOLFSSL_LOCAL int  HashOutput(WOLFSSL* ssl, const byte* output, int sz,
                              int ivSz);
 WOLFSSL_LOCAL int  HashInput(WOLFSSL* ssl, const byte* input, int sz);
 #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 WOLFSSL_LOCAL int SNI_Callback(WOLFSSL* ssl);
 #endif
@ -1840,11 +1855,10 @@ WOLFSSL_LOCAL int  SetCipherList(WOLFSSL_CTX*, Suites*, const char* list);
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
 #define MAX_DESCRIPTION_SZ 255
 #endif
 /* wolfSSL Cipher type just points back to SSL */
 struct WOLFSSL_CIPHER {
    byte cipherSuite0;
    byte cipherSuite;
-    WOLFSSL* ssl;
+    const WOLFSSL* ssl;
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
    char description[MAX_DESCRIPTION_SZ];
    unsigned long offset;
@ -2015,8 +2029,7 @@ WOLFSSL_LOCAL int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
 #ifndef NO_CERTS
-#if !defined NOCERTS &&\
+#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
    (!defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH))
 typedef struct ProcPeerCertArgs {
    buffer*      certs;
 #ifdef WOLFSSL_TLS13
@ -2132,8 +2145,10 @@ typedef struct Keys {
    byte   keyUpdateRespond:1;    /* KeyUpdate is to be responded to. */
 #endif
 #ifdef WOLFSSL_RENESAS_TSIP_TLS
-    byte tsip_client_write_MAC_secret[TSIP_TLS_HMAC_KEY_INDEX_WORDSIZE];
+
-    byte tsip_server_write_MAC_secret[TSIP_TLS_HMAC_KEY_INDEX_WORDSIZE];
+    tsip_hmac_sha_key_index_t tsip_client_write_MAC_secret;
    tsip_hmac_sha_key_index_t tsip_server_write_MAC_secret;
 #endif
 } Keys;
@ -2151,13 +2166,14 @@ typedef enum {
    TLSX_SUPPORTED_GROUPS           = 0x000a, /* a.k.a. Supported Curves */
    TLSX_EC_POINT_FORMATS           = 0x000b,
 #if !defined(WOLFSSL_NO_SIGALG)
-    TLSX_SIGNATURE_ALGORITHMS       = 0x000d,
+    TLSX_SIGNATURE_ALGORITHMS       = 0x000d, /* HELLO_EXT_SIG_ALGO */
 #endif
    TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */
    TLSX_STATUS_REQUEST_V2          = 0x0011, /* a.k.a. OCSP stapling v2 */
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
    TLSX_ENCRYPT_THEN_MAC           = 0x0016, /* RFC 7366 */
 #endif
    TLSX_EXTENDED_MASTER_SECRET     = 0x0017, /* HELLO_EXT_EXTMS */
    TLSX_QUANTUM_SAFE_HYBRID        = 0x0018, /* a.k.a. QSH  */
    TLSX_SESSION_TICKET             = 0x0023,
 #ifdef WOLFSSL_TLS13
@ -2175,12 +2191,8 @@ typedef enum {
    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
    TLSX_POST_HANDSHAKE_AUTH        = 0x0031,
    #endif
    #if defined(WOLFSSL_TLS13_DRAFT_18) || defined(WOLFSSL_TLS13_DRAFT_22)
    TLSX_KEY_SHARE                  = 0x0028,
    #else
    TLSX_SIGNATURE_ALGORITHMS_CERT  = 0x0032,
    TLSX_KEY_SHARE                  = 0x0033,
    #endif
 #endif
    TLSX_RENEGOTIATION_INFO         = 0xff01
 } TLSX_Type;
@ -2522,7 +2534,6 @@ WOLFSSL_LOCAL int TLSX_KeyShare_DeriveSecret(WOLFSSL* ssl);
 #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
 #ifndef WOLFSSL_TLS13_DRAFT_18
 /* Ticket nonce - for deriving PSK.
 * Length allowed to be: 1..255. Only support 4 bytes.
 */
@ -2530,7 +2541,6 @@ typedef struct TicketNonce {
    byte len;
    byte data[MAX_TICKET_NONCE_SZ];
 } TicketNonce;
 #endif
 /* The PreSharedKey extension information - entry in a linked list. */
 typedef struct PreSharedKey {
@ -2586,6 +2596,13 @@ enum DeriveKeyType {
    update_traffic_key
 };
 WOLFSSL_LOCAL int DeriveEarlySecret(WOLFSSL* ssl);
 WOLFSSL_LOCAL int DeriveHandshakeSecret(WOLFSSL* ssl);
 WOLFSSL_LOCAL int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store);
 WOLFSSL_LOCAL int DeriveMasterSecret(WOLFSSL* ssl);
 WOLFSSL_LOCAL int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, byte* secret);
 WOLFSSL_LOCAL int DeriveResumptionSecret(WOLFSSL* ssl, byte* key);
 /* The key update request values for KeyUpdate message. */
 enum KeyUpdateRequest {
    update_not_requested,
@ -2602,6 +2619,14 @@ enum SetCBIO {
 };
 #endif
 #ifdef WOLFSSL_STATIC_EPHEMERAL
 typedef struct {
    int keyAlgo;
    DerBuffer* key;
 } StaticKeyExchangeInfo_t;
 #endif
 /* wolfSSL context type */
 struct WOLFSSL_CTX {
    WOLFSSL_METHOD* method;
@ -2710,9 +2735,7 @@ struct WOLFSSL_CTX {
 #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
    short       minEccKeySz;      /* minimum ECC key size */
 #endif
 #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
    unsigned long     mask;             /* store SSL_OP_ flags */
 #endif
 #ifdef OPENSSL_EXTRA
    byte              sessionCtx[ID_LEN]; /* app session context ID */
    word32            disabledCurves;   /* curves disabled by user */
@ -2755,6 +2778,7 @@ struct WOLFSSL_CTX {
    wc_psk_client_tls13_callback client_psk_tls13_cb;  /* client callback */
    wc_psk_server_tls13_callback server_psk_tls13_cb;  /* server callback */
 #endif
    void*       psk_ctx;
    char        server_hint[MAX_PSK_ID_LEN + NULL_TERM_LEN];
 #endif /* HAVE_SESSION_TICKET || !NO_PSK */
 #ifdef WOLFSSL_TLS13
@ -2771,7 +2795,7 @@ struct WOLFSSL_CTX {
    pem_password_cb* passwd_cb;
    void*            passwd_userdata;
 #endif
-#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
    WOLFSSL_X509_STORE x509_store; /* points to ctx->cm */
    WOLFSSL_X509_STORE* x509_store_pt; /* take ownership of external store */
    byte            readAhead;
@ -2876,16 +2900,19 @@ struct WOLFSSL_CTX {
    #endif /* NO_RSA */
 #endif /* HAVE_PK_CALLBACKS */
 #ifdef HAVE_WOLF_EVENT
-        WOLF_EVENT_QUEUE event_queue;
+    WOLF_EVENT_QUEUE event_queue;
 #endif /* HAVE_WOLF_EVENT */
 #ifdef HAVE_EXT_CACHE
-        WOLFSSL_SESSION*(*get_sess_cb)(WOLFSSL*, unsigned char*, int, int*);
+    WOLFSSL_SESSION*(*get_sess_cb)(WOLFSSL*, unsigned char*, int, int*);
-        int (*new_sess_cb)(WOLFSSL*, WOLFSSL_SESSION*);
+    int (*new_sess_cb)(WOLFSSL*, WOLFSSL_SESSION*);
-        void (*rem_sess_cb)(WOLFSSL_CTX*, WOLFSSL_SESSION*);
+    void (*rem_sess_cb)(WOLFSSL_CTX*, WOLFSSL_SESSION*);
 #endif
 #if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && !defined(NO_SHA256)
-        Srp*  srp;  /* TLS Secure Remote Password Protocol*/
+    Srp*  srp;  /* TLS Secure Remote Password Protocol*/
-        byte* srp_password;
+    byte* srp_password;
 #endif
 #ifdef WOLFSSL_STATIC_EPHEMERAL
    StaticKeyExchangeInfo_t staticKE;
 #endif
 };
@ -2950,7 +2977,6 @@ enum KeyExchangeAlgorithm {
    ecc_static_diffie_hellman_kea       /* for verify suite only */
 };
 /* Supported Authentication Schemes */
 enum SignatureAlgorithm {
    anonymous_sa_algo = 0,
@ -3009,6 +3035,13 @@ enum CipherType { aead };
    #define CIPHER_NONCE
 #endif
 #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
 enum CipherSrc {
    KEYS_NOT_SET = 0,
    KEYS,     /* keys from ssl->keys are loaded */
    SCR       /* keys from ssl->secure_renegotiation->tmp_keys are loaded */
 };
 #endif
 /* cipher for now */
 typedef struct Ciphers {
@ -3048,6 +3081,10 @@ typedef struct Ciphers {
 #endif
    byte    state;
    byte    setup;       /* have we set it up flag for detection */
 #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
    enum CipherSrc src;  /* DTLS uses this to determine which keys
                          * are currently loaded */
 #endif
 } Ciphers;
@ -3149,6 +3186,8 @@ struct WOLFSSL_SESSION {
 #ifdef OPENSSL_EXTRA
    byte               sessionCtxSz;              /* sessionCtx length        */
    byte               sessionCtx[ID_LEN];        /* app specific context id  */
    wolfSSL_Mutex      refMutex;                  /* ref count mutex */
    int                refCount;                  /* reference count */
 #endif
 #ifdef WOLFSSL_TLS13
    word16             namedGroup;
@ -3157,9 +3196,7 @@ struct WOLFSSL_SESSION {
    #ifdef WOLFSSL_TLS13
    word32             ticketSeen;                /* Time ticket seen (ms) */
    word32             ticketAdd;                 /* Added by client */
        #ifndef WOLFSSL_TLS13_DRAFT_18
    TicketNonce        ticketNonce;               /* Nonce used to derive PSK */
        #endif
    #endif
    #ifdef WOLFSSL_EARLY_DATA
    word32             maxEarlyDataSz;
@ -3171,7 +3208,7 @@ struct WOLFSSL_SESSION {
    byte               staticTicket[SESSION_TICKET_LEN];
    byte               isDynamic;
 #endif
-#ifdef HAVE_EXT_CACHE
+#if defined(HAVE_EXT_CACHE) || defined(OPENSSL_EXTRA)
    byte               isAlloced;
 #endif
 #ifdef HAVE_EX_DATA
@ -3185,7 +3222,7 @@ WOLFSSL_SESSION* GetSession(WOLFSSL*, byte*, byte);
 WOLFSSL_LOCAL
 int          SetSession(WOLFSSL*, WOLFSSL_SESSION*);
-typedef int (*hmacfp) (WOLFSSL*, byte*, const byte*, word32, int, int, int);
+typedef int (*hmacfp) (WOLFSSL*, byte*, const byte*, word32, int, int, int, int);
 #ifndef NO_CLIENT_CACHE
    WOLFSSL_SESSION* GetSessionClient(WOLFSSL*, const byte*, int);
@ -3346,8 +3383,9 @@ typedef struct Options {
    wc_psk_client_tls13_callback client_psk_tls13_cb;  /* client callback */
    wc_psk_server_tls13_callback server_psk_tls13_cb;  /* server callback */
 #endif
    void*             psk_ctx;
 #endif /* NO_PSK */
-#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
    unsigned long     mask; /* store SSL_OP_ flags */
 #endif
@ -3587,15 +3625,15 @@ struct WOLFSSL_X509_NAME {
    char  staticName[ASN_NAME_MAX];
 #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
    !defined(NO_ASN)
-    DecodedName fullName;
+    int   entrySz; /* number of entries */
-    WOLFSSL_X509_NAME_ENTRY cnEntry;
+    WOLFSSL_X509_NAME_ENTRY entry[MAX_NAME_ENTRIES]; /* all entries i.e. CN */
    WOLFSSL_X509_NAME_ENTRY extra[MAX_NAME_ENTRIES]; /* extra entries added */
    WOLFSSL_X509*           x509;   /* x509 that struct belongs to */
 #endif /* OPENSSL_EXTRA */
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX)
    byte  raw[ASN_NAME_MAX];
    int   rawLen;
 #endif
    void* heap;
 };
 #ifndef EXTERNAL_SERIAL_SIZE
@ -3626,7 +3664,7 @@ struct WOLFSSL_X509 {
    WOLFSSL_STACK* ext_sk; /* Store X509_EXTENSIONS from wolfSSL_X509_get_ext */
    WOLFSSL_STACK* ext_d2i;/* Store d2i extensions from wolfSSL_X509_get_ext_d2i */
 #endif /* WOLFSSL_QT || OPENSSL_ALL */
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
    WOLFSSL_ASN1_INTEGER* serialNumber; /* Stores SN from wolfSSL_X509_get_serialNumber */
 #endif
    WOLFSSL_ASN1_TIME notBefore;
@ -3741,6 +3779,7 @@ typedef struct DtlsMsg {
    byte*           msg;
    DtlsFrag*       fragList;
    word32          fragSz;    /* Length of fragments received */
    word16          epoch;     /* Epoch that this message belongs to */
    word32          seq;       /* Handshake sequence number    */
    word32          sz;        /* Length of whole message      */
    byte            type;
@ -3810,6 +3849,20 @@ typedef struct HS_Hashes {
 } HS_Hashes;
 #ifndef WOLFSSL_NO_TLS12
 /* Persistable BuildMessage arguments */
 typedef struct BuildMsgArgs {
    word32 digestSz;
    word32 sz;
    word32 pad;
    word32 idx;
    word32 headerSz;
    word16 size;
    word32 ivSz;      /* TLSv1.1  IV */
    byte*  iv;
 } BuildMsgArgs;
 #endif
 #ifdef WOLFSSL_ASYNC_CRYPT
    #define MAX_ASYNC_ARGS 18
    typedef void (*FreeArgsCb)(struct WOLFSSL* ssl, void* pArgs);
@ -3818,6 +3871,7 @@ typedef struct HS_Hashes {
        WC_ASYNC_DEV* dev;
        FreeArgsCb    freeArgs; /* function pointer to cleanup args */
        word32        args[MAX_ASYNC_ARGS]; /* holder for current args */
        BuildMsgArgs  buildArgs; /* holder for current BuildMessage args */
    };
 #endif
@ -3971,11 +4025,9 @@ struct WOLFSSL {
 #endif
    word16          pssAlgo;
 #ifdef WOLFSSL_TLS13
    #if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22)
    word16          certHashSigAlgoSz;  /* SigAlgoCert ext length in bytes */
    byte            certHashSigAlgo[WOLFSSL_MAX_SIGALGO]; /* cert sig/algo to
                                                           * offer */
    #endif /* !WOLFSSL_TLS13_DRAFT_18 && !WOLFSSL_TLS13_DRAFT_22 */
 #endif
 #ifdef HAVE_NTRU
    word16          peerNtruKeyLen;
@ -4115,6 +4167,8 @@ struct WOLFSSL {
 #endif /* HAVE_TLS_EXTENSIONS */
 #ifdef HAVE_OCSP
        void*       ocspIOCtx;
        byte ocspProducedDate[MAX_DATE_SZ];
        int ocspProducedDateFormat;
    #ifdef OPENSSL_EXTRA
        byte*       ocspResp;
        int         ocspRespSz;
@ -4202,6 +4256,9 @@ struct WOLFSSL {
    WOLFSSL_STACK* supportedCiphers; /* Used in wolfSSL_get_ciphers_compat */
    WOLFSSL_STACK* peerCertChain;    /* Used in wolfSSL_get_peer_cert_chain */
 #endif
 #ifdef WOLFSSL_STATIC_EPHEMERAL
    StaticKeyExchangeInfo_t staticKE;
 #endif
 };
@ -4221,10 +4278,8 @@ WOLFSSL_API   void SSL_ResourceFree(WOLFSSL*);   /* Micrium uses */
                                 int type, WOLFSSL* ssl, int userChain,
                                WOLFSSL_CRL* crl, int verify);
-    #ifdef OPENSSL_EXTRA
+    WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, const char *domainName,
    WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, char *domainName,
                                    size_t domainNameLen);
    #endif
 #endif
@ -4333,12 +4388,8 @@ WOLFSSL_LOCAL int SendTicket(WOLFSSL*);
 WOLFSSL_LOCAL int DoClientTicket(WOLFSSL*, const byte*, word32);
 WOLFSSL_LOCAL int SendData(WOLFSSL*, const void*, int);
 #ifdef WOLFSSL_TLS13
 #ifdef WOLFSSL_TLS13_DRAFT_18
 WOLFSSL_LOCAL int SendTls13HelloRetryRequest(WOLFSSL*);
 #else
 WOLFSSL_LOCAL int SendTls13ServerHello(WOLFSSL*, byte);
 #endif
 #endif
 WOLFSSL_LOCAL int SendCertificate(WOLFSSL*);
 WOLFSSL_LOCAL int SendCertificateRequest(WOLFSSL*);
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
@ -4464,7 +4515,7 @@ WOLFSSL_LOCAL  int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength);
    WOLFSSL_LOCAL int  MakeTlsMasterSecret(WOLFSSL*);
 #ifndef WOLFSSL_AEAD_ONLY
    WOLFSSL_LOCAL int  TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in,
-                                word32 sz, int padSz, int content, int verify);
+                                word32 sz, int padSz, int content, int verify, int epochOrder);
 #endif
 #endif
@ -4486,24 +4537,30 @@ WOLFSSL_LOCAL  int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength);
    WOLFSSL_LOCAL DtlsMsg* DtlsMsgNew(word32, void*);
    WOLFSSL_LOCAL void DtlsMsgDelete(DtlsMsg*, void*);
    WOLFSSL_LOCAL void DtlsMsgListDelete(DtlsMsg*, void*);
-    WOLFSSL_LOCAL int  DtlsMsgSet(DtlsMsg*, word32, const byte*, byte,
+    WOLFSSL_LOCAL void DtlsTxMsgListClean(WOLFSSL* ssl);
    WOLFSSL_LOCAL int  DtlsMsgSet(DtlsMsg*, word32, word16, const byte*, byte,
                                                       word32, word32, void*);
-    WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg*, word32);
+    WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg*, word32, word32);
-    WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL*, word32, const byte*, word32,
+    WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL*, word32, word32, const byte*, word32,
                                                byte, word32, word32, void*);
    WOLFSSL_LOCAL DtlsMsg* DtlsMsgInsert(DtlsMsg*, DtlsMsg*);
-    WOLFSSL_LOCAL int  DtlsMsgPoolSave(WOLFSSL*, const byte*, word32);
+    WOLFSSL_LOCAL int  DtlsMsgPoolSave(WOLFSSL*, const byte*, word32, enum HandShakeType);
    WOLFSSL_LOCAL int  DtlsMsgPoolTimeout(WOLFSSL*);
    WOLFSSL_LOCAL int  VerifyForDtlsMsgPoolSend(WOLFSSL*, byte, word32);
    WOLFSSL_LOCAL int  VerifyForTxDtlsMsgDelete(WOLFSSL* ssl, DtlsMsg* head);
    WOLFSSL_LOCAL void DtlsMsgPoolReset(WOLFSSL*);
    WOLFSSL_LOCAL int  DtlsMsgPoolSend(WOLFSSL*, int);
 #endif /* WOLFSSL_DTLS */
-#ifndef NO_TLS
+#if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS)
    WOLFSSL_LOCAL int DtlsSCRKeysSet(WOLFSSL* ssl);
    WOLFSSL_LOCAL int IsDtlsMsgSCRKeys(WOLFSSL* ssl);
    WOLFSSL_LOCAL int DtlsUseSCRKeys(WOLFSSL* ssl);
    WOLFSSL_LOCAL int DtlsCheckOrder(WOLFSSL* ssl, int order);
 #endif
-
+    WOLFSSL_LOCAL void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out);
 #endif /* NO_TLS */
 #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
    WOLFSSL_LOCAL word32 TimeNowInMilliseconds(void);
@ -4511,8 +4568,8 @@ WOLFSSL_LOCAL  int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength);
 WOLFSSL_LOCAL word32  LowResTimer(void);
 #ifndef NO_CERTS
-    WOLFSSL_LOCAL void InitX509Name(WOLFSSL_X509_NAME*, int);
+    WOLFSSL_LOCAL void InitX509Name(WOLFSSL_X509_NAME*, int, void*);
-    WOLFSSL_LOCAL void FreeX509Name(WOLFSSL_X509_NAME* name, void* heap);
+    WOLFSSL_LOCAL void FreeX509Name(WOLFSSL_X509_NAME* name);
    WOLFSSL_LOCAL void InitX509(WOLFSSL_X509*, int, void* heap);
    WOLFSSL_LOCAL void FreeX509(WOLFSSL_X509*);
    WOLFSSL_LOCAL int  CopyDecodedToX509(WOLFSSL_X509*, DecodedCert*);
@ -4598,9 +4655,13 @@ WOLFSSL_LOCAL int SetDhExternal(WOLFSSL_DH *dh);
 WOLFSSL_LOCAL int InitHandshakeHashes(WOLFSSL* ssl);
 WOLFSSL_LOCAL void FreeHandshakeHashes(WOLFSSL* ssl);
 #ifndef WOLFSSL_NO_TLS12
 WOLFSSL_LOCAL void FreeBuildMsgArgs(WOLFSSL* ssl, BuildMsgArgs* args);
 #endif
 WOLFSSL_LOCAL int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
                        const byte* input, int inSz, int type, int hashOutput,
-                        int sizeOnly, int asyncOkay);
+                        int sizeOnly, int asyncOkay, int epochOrder);
 #ifdef WOLFSSL_TLS13
 int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
--- a/source/libs/libwolfssl/libwolfssl.a
+++ b/source/libs/libwolfssl/libwolfssl.a
--- a/source/libs/libwolfssl/openssl/asn1.h
+++ b/source/libs/libwolfssl/openssl/asn1.h
@ -69,6 +69,7 @@
 #define V_ASN1_OBJECT                   6
 #define V_ASN1_UTCTIME                  23
 #define V_ASN1_GENERALIZEDTIME          24
 #define V_ASN1_PRINTABLESTRING          19
 #define ASN1_STRING_FLAG_BITS_LEFT       0x008
 #define ASN1_STRING_FLAG_NDEF            0x010
@ -107,7 +108,7 @@ typedef enum {
 } WOLFSSL_ASN1_TYPES;
 #define ASN1_SEQUENCE(type) \
-    static const type __##type##_dummy_struct;\
+    static type __##type##_dummy_struct;\
    static const WOLFSSL_ASN1_TEMPLATE type##_member_data[]
 #define ASN1_SIMPLE(type, member, member_type) \
--- a/source/libs/libwolfssl/openssl/bio.h
+++ b/source/libs/libwolfssl/openssl/bio.h
@ -33,11 +33,11 @@
 #endif
-#define BIO_FLAG_BASE64_NO_NL WOLFSSL_BIO_FLAG_BASE64_NO_NL
+#define BIO_FLAGS_BASE64_NO_NL WOLFSSL_BIO_FLAG_BASE64_NO_NL
-#define BIO_FLAG_READ         WOLFSSL_BIO_FLAG_READ
+#define BIO_FLAGS_READ         WOLFSSL_BIO_FLAG_READ
-#define BIO_FLAG_WRITE        WOLFSSL_BIO_FLAG_WRITE
+#define BIO_FLAGS_WRITE        WOLFSSL_BIO_FLAG_WRITE
-#define BIO_FLAG_IO_SPECIAL   WOLFSSL_BIO_FLAG_IO_SPECIAL
+#define BIO_FLAGS_IO_SPECIAL   WOLFSSL_BIO_FLAG_IO_SPECIAL
-#define BIO_FLAG_RETRY        WOLFSSL_BIO_FLAG_RETRY
+#define BIO_FLAGS_SHOULD_RETRY WOLFSSL_BIO_FLAG_RETRY
 #define BIO_new_fp                      wolfSSL_BIO_new_fp
 #define BIO_new_file                    wolfSSL_BIO_new_file
--- a/source/libs/libwolfssl/openssl/dsa.h
+++ b/source/libs/libwolfssl/openssl/dsa.h
@ -80,6 +80,8 @@ WOLFSSL_API int wolfSSL_DSA_do_verify(const unsigned char* d,
                                      unsigned char* sig,
                                      WOLFSSL_DSA* dsa, int *dsacheck);
 WOLFSSL_API int wolfSSL_DSA_bits(const WOLFSSL_DSA *d);
 WOLFSSL_API WOLFSSL_DSA_SIG* wolfSSL_DSA_SIG_new(void);
 WOLFSSL_API void wolfSSL_DSA_SIG_free(WOLFSSL_DSA_SIG *sig);
 WOLFSSL_API WOLFSSL_DSA_SIG* wolfSSL_DSA_do_sign_ex(const unsigned char* digest,
--- a/source/libs/libwolfssl/openssl/ec.h
+++ b/source/libs/libwolfssl/openssl/ec.h
@ -148,12 +148,21 @@ int wolfSSL_EC_POINT_oct2point(const WOLFSSL_EC_GROUP *group,
 WOLFSSL_API
 int wolfSSL_i2o_ECPublicKey(const WOLFSSL_EC_KEY *in, unsigned char **out);
 WOLFSSL_API
 WOLFSSL_EC_KEY *wolfSSL_d2i_ECPrivateKey(WOLFSSL_EC_KEY **key, const unsigned char **in,
                                         long len);
 WOLFSSL_API
 int wolfSSL_i2d_ECPrivateKey(const WOLFSSL_EC_KEY *in, unsigned char **out);
 WOLFSSL_API
 void wolfSSL_EC_KEY_set_conv_form(WOLFSSL_EC_KEY *eckey, char form);
 WOLFSSL_API
 WOLFSSL_BIGNUM *wolfSSL_EC_POINT_point2bn(const WOLFSSL_EC_GROUP *group,
                                          const WOLFSSL_EC_POINT *p,
                                          char form,
                                          WOLFSSL_BIGNUM *in, WOLFSSL_BN_CTX *ctx);
 WOLFSSL_API
 int wolfSSL_EC_POINT_is_on_curve(const WOLFSSL_EC_GROUP *group,
                                 const WOLFSSL_EC_POINT *point,
                                 WOLFSSL_BN_CTX *ctx);
 WOLFSSL_API
 int wolfSSL_EC_KEY_LoadDer(WOLFSSL_EC_KEY* key,
@ -198,6 +207,8 @@ WOLFSSL_API
 int wolfSSL_EC_GROUP_cmp(const WOLFSSL_EC_GROUP *a, const WOLFSSL_EC_GROUP *b,
                         WOLFSSL_BN_CTX *ctx);
 WOLFSSL_API
 WOLFSSL_EC_GROUP *wolfSSL_EC_GROUP_dup(const WOLFSSL_EC_GROUP *src);
 WOLFSSL_API
 int wolfSSL_EC_GROUP_get_curve_name(const WOLFSSL_EC_GROUP *group);
 WOLFSSL_API
 int wolfSSL_EC_GROUP_get_degree(const WOLFSSL_EC_GROUP *group);
@ -228,11 +239,18 @@ int wolfSSL_EC_POINT_set_affine_coordinates_GFp(const WOLFSSL_EC_GROUP *group,
                                                const WOLFSSL_BIGNUM *y,
                                                WOLFSSL_BN_CTX *ctx);
 WOLFSSL_API
 int wolfSSL_EC_POINT_add(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r,
                         const WOLFSSL_EC_POINT *p1,
                         const WOLFSSL_EC_POINT *p2, WOLFSSL_BN_CTX *ctx);
 WOLFSSL_API
 int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r,
                         const WOLFSSL_BIGNUM *n,
                         const WOLFSSL_EC_POINT *q, const WOLFSSL_BIGNUM *m,
                         WOLFSSL_BN_CTX *ctx);
 WOLFSSL_API
 int wolfSSL_EC_POINT_invert(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *a,
                            WOLFSSL_BN_CTX *ctx);
 WOLFSSL_API
 void wolfSSL_EC_POINT_clear_free(WOLFSSL_EC_POINT *point);
 WOLFSSL_API
 int wolfSSL_EC_POINT_cmp(const WOLFSSL_EC_GROUP *group,
@ -277,6 +295,7 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group,
 #define EC_GROUP_set_asn1_flag          wolfSSL_EC_GROUP_set_asn1_flag
 #define EC_GROUP_new_by_curve_name      wolfSSL_EC_GROUP_new_by_curve_name
 #define EC_GROUP_cmp                    wolfSSL_EC_GROUP_cmp
 #define EC_GROUP_dup                    wolfSSL_EC_GROUP_dup
 #define EC_GROUP_get_curve_name         wolfSSL_EC_GROUP_get_curve_name
 #define EC_GROUP_get_degree             wolfSSL_EC_GROUP_get_degree
 #define EC_GROUP_get_order              wolfSSL_EC_GROUP_get_order
@ -291,7 +310,9 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group,
                                     wolfSSL_EC_POINT_get_affine_coordinates_GFp
 #define EC_POINT_set_affine_coordinates_GFp \
                                     wolfSSL_EC_POINT_set_affine_coordinates_GFp
 #define EC_POINT_add                    wolfSSL_EC_POINT_add
 #define EC_POINT_mul                    wolfSSL_EC_POINT_mul
 #define EC_POINT_invert                 wolfSSL_EC_POINT_invert
 #define EC_POINT_clear_free             wolfSSL_EC_POINT_clear_free
 #define EC_POINT_cmp                    wolfSSL_EC_POINT_cmp
 #define EC_POINT_copy                   wolfSSL_EC_POINT_copy
@ -304,7 +325,11 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group,
 #define EC_POINT_point2oct              wolfSSL_EC_POINT_point2oct
 #define EC_POINT_oct2point              wolfSSL_EC_POINT_oct2point
 #define EC_POINT_point2bn               wolfSSL_EC_POINT_point2bn
 #define EC_POINT_is_on_curve            wolfSSL_EC_POINT_is_on_curve
 #define i2o_ECPublicKey                 wolfSSL_i2o_ECPublicKey
 #define i2d_EC_PUBKEY                   wolfSSL_i2o_ECPublicKey
 #define d2i_ECPrivateKey                wolfSSL_d2i_ECPrivateKey
 #define i2d_ECPrivateKey                wolfSSL_i2d_ECPrivateKey
 #define EC_KEY_set_conv_form            wolfSSL_EC_KEY_set_conv_form
 #ifndef HAVE_SELFTEST
--- a/source/libs/libwolfssl/openssl/evp.h
+++ b/source/libs/libwolfssl/openssl/evp.h
@ -354,11 +354,13 @@ struct WOLFSSL_EVP_CIPHER_CTX {
 #define HAVE_WOLFSSL_EVP_CIPHER_CTX_IV
    int    ivSz;
 #ifdef HAVE_AESGCM
-    byte*   gcmDecryptBuffer;
+    byte*   gcmBuffer;
-    int     gcmDecryptBufferLen;
+    int     gcmBufferLen;
 #endif
    ALIGN16 unsigned char authTag[AES_BLOCK_SIZE];
    int     authTagSz;
    byte*   gcmAuthIn;
    int     gcmAuthInSz;
 #endif
 #endif
 };
@ -521,6 +523,7 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_assign_EC_KEY(WOLFSSL_EVP_PKEY* pkey,
 WOLFSSL_API int wolfSSL_EVP_PKEY_assign_DSA(EVP_PKEY* pkey, WOLFSSL_DSA* key);
 WOLFSSL_API int wolfSSL_EVP_PKEY_assign_DH(EVP_PKEY* pkey, WOLFSSL_DH* key);
 WOLFSSL_API WOLFSSL_RSA* wolfSSL_EVP_PKEY_get0_RSA(struct WOLFSSL_EVP_PKEY *pkey);
 WOLFSSL_API WOLFSSL_DSA* wolfSSL_EVP_PKEY_get0_DSA(struct WOLFSSL_EVP_PKEY *pkey);
 WOLFSSL_API WOLFSSL_RSA* wolfSSL_EVP_PKEY_get1_RSA(WOLFSSL_EVP_PKEY*);
 WOLFSSL_API WOLFSSL_DSA* wolfSSL_EVP_PKEY_get1_DSA(WOLFSSL_EVP_PKEY*);
 WOLFSSL_API WOLFSSL_EC_KEY *wolfSSL_EVP_PKEY_get0_EC_KEY(WOLFSSL_EVP_PKEY *pkey);
--- a/source/libs/libwolfssl/openssl/hmac.h
+++ b/source/libs/libwolfssl/openssl/hmac.h
@ -72,6 +72,7 @@ WOLFSSL_API int wolfSSL_HMAC_Update(WOLFSSL_HMAC_CTX* ctx,
 WOLFSSL_API int wolfSSL_HMAC_Final(WOLFSSL_HMAC_CTX* ctx, unsigned char* hash,
                                  unsigned int* len);
 WOLFSSL_API int wolfSSL_HMAC_cleanup(WOLFSSL_HMAC_CTX* ctx);
 WOLFSSL_API void wolfSSL_HMAC_CTX_cleanup(WOLFSSL_HMAC_CTX* ctx);
 WOLFSSL_API void wolfSSL_HMAC_CTX_free(WOLFSSL_HMAC_CTX* ctx);
 WOLFSSL_API size_t wolfSSL_HMAC_size(const WOLFSSL_HMAC_CTX *ctx);
@ -83,6 +84,7 @@ typedef struct WOLFSSL_HMAC_CTX HMAC_CTX;
 #define HMAC_CTX_init wolfSSL_HMAC_CTX_Init
 #define HMAC_CTX_copy wolfSSL_HMAC_CTX_copy
 #define HMAC_CTX_free wolfSSL_HMAC_CTX_free
 #define HMAC_CTX_cleanup wolfSSL_HMAC_CTX_cleanup
 #define HMAC_CTX_reset wolfSSL_HMAC_cleanup
 #define HMAC_Init_ex  wolfSSL_HMAC_Init_ex
 #define HMAC_Init     wolfSSL_HMAC_Init
--- a/source/libs/libwolfssl/openssl/ssl.h
+++ b/source/libs/libwolfssl/openssl/ssl.h
@ -79,6 +79,7 @@ typedef WOLFSSL_X509_NAME  X509_NAME;
 typedef WOLFSSL_X509_INFO  X509_INFO;
 typedef WOLFSSL_X509_CHAIN X509_CHAIN;
 /* STACK_OF(ASN1_OBJECT) */
 typedef WOLFSSL_STACK      EXTENDED_KEY_USAGE;
@ -151,6 +152,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define CRYPTO_cleanup_all_ex_data      wolfSSL_cleanup_all_ex_data
 #define set_ex_data                     wolfSSL_CRYPTO_set_ex_data
 #define get_ex_data                     wolfSSL_CRYPTO_get_ex_data
 #define CRYPTO_memcmp                   wolfSSL_CRYPTO_memcmp
 /* this function was used to set the default malloc, free, and realloc */
 #define CRYPTO_malloc_init() 0 /* CRYPTO_malloc_init is not needed */
@ -174,14 +176,15 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define SSL_use_certificate_ASN1        wolfSSL_use_certificate_ASN1
 #define d2i_PKCS8_PRIV_KEY_INFO_bio     wolfSSL_d2i_PKCS8_PKEY_bio
 #define d2i_PKCS8PrivateKey_bio         wolfSSL_d2i_PKCS8PrivateKey_bio
 #define i2d_PKCS8PrivateKey_bio         wolfSSL_PEM_write_bio_PKCS8PrivateKey
 #define PKCS8_PRIV_KEY_INFO_free        wolfSSL_EVP_PKEY_free
 #define d2i_PKCS12_fp                   wolfSSL_d2i_PKCS12_fp
 #define i2d_PUBKEY                      wolfSSL_i2d_PUBKEY
 #define d2i_PUBKEY                      wolfSSL_d2i_PUBKEY
 #define d2i_PUBKEY_bio                  wolfSSL_d2i_PUBKEY_bio
 #define d2i_PrivateKey                  wolfSSL_d2i_PrivateKey
 #define d2i_AutoPrivateKey              wolfSSL_d2i_AutoPrivateKey
 #define i2d_PrivateKey                  wolfSSL_i2d_PrivateKey
 #define SSL_use_PrivateKey              wolfSSL_use_PrivateKey
 #define SSL_use_PrivateKey_ASN1         wolfSSL_use_PrivateKey_ASN1
 #define SSL_use_RSAPrivateKey_ASN1      wolfSSL_use_RSAPrivateKey_ASN1
@ -301,6 +304,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define SSL_set_connect_state           wolfSSL_set_connect_state
 #define SSL_set_accept_state            wolfSSL_set_accept_state
 #define SSL_session_reused              wolfSSL_session_reused
 #define SSL_SESSION_up_ref              wolfSSL_SESSION_up_ref
 #define SSL_SESSION_dup                 wolfSSL_SESSION_dup
 #define SSL_SESSION_free                wolfSSL_SESSION_free
 #define SSL_is_init_finished            wolfSSL_is_init_finished
@ -340,8 +344,8 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define DSA_dup_DH                      wolfSSL_DSA_dup_DH
 /* wolfSSL does not support DSA as the cert public key */
-#define EVP_PKEY_get0_DSA(...)          NULL
+#define EVP_PKEY_get0_DSA               wolfSSL_EVP_PKEY_get0_DSA
-#define DSA_bits(...)                   0
+#define DSA_bits                        wolfSSL_DSA_bits
 #define i2d_X509_bio                    wolfSSL_i2d_X509_bio
 #define d2i_X509_bio                    wolfSSL_d2i_X509_bio
@ -374,14 +378,19 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define X509_digest                     wolfSSL_X509_digest
 #define X509_get_ext_count              wolfSSL_X509_get_ext_count
 #define X509_get_ext_d2i                wolfSSL_X509_get_ext_d2i
 #define X509V3_EXT_i2d                  wolfSSL_X509V3_EXT_i2d
 #define X509_get_ext                    wolfSSL_X509_get_ext
 #define X509_get_ext_by_NID             wolfSSL_X509_get_ext_by_NID
 #define X509_get_issuer_name            wolfSSL_X509_get_issuer_name
 #define X509_issuer_name_hash           wolfSSL_X509_issuer_name_hash
 #define X509_get_subject_name           wolfSSL_X509_get_subject_name
 #define X509_subject_name_hash          wolfSSL_X509_subject_name_hash
 #define X509_get_pubkey                 wolfSSL_X509_get_pubkey
 #define X509_get0_pubkey                wolfSSL_X509_get_pubkey
 #define X509_get_notBefore              wolfSSL_X509_get_notBefore
 #define X509_get0_notBefore             wolfSSL_X509_get_notBefore
 #define X509_get_notAfter               wolfSSL_X509_get_notAfter
 #define X509_get0_notAfter              wolfSSL_X509_get_notAfter
 #define X509_get_serialNumber           wolfSSL_X509_get_serialNumber
 #define X509_get0_pubkey_bitstr         wolfSSL_X509_get0_pubkey_bitstr
 #define X509_get_ex_new_index           wolfSSL_X509_get_ex_new_index
@ -407,9 +416,11 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define X509_check_private_key          wolfSSL_X509_check_private_key
 #define X509_check_ca                   wolfSSL_X509_check_ca
 #define X509_check_host                 wolfSSL_X509_check_host
 #define X509_check_ip_asc               wolfSSL_X509_check_ip_asc
 #define X509_email_free                 wolfSSL_X509_email_free
 #define X509_check_issued               wolfSSL_X509_check_issued
 #define X509_dup                        wolfSSL_X509_dup
 #define X509_add_ext                    wolfSSL_X509_add_ext
 #define X509_EXTENSION_get_object       wolfSSL_X509_EXTENSION_get_object
 #define X509_EXTENSION_get_data         wolfSSL_X509_EXTENSION_get_data
@ -422,7 +433,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define sk_X509_push                    wolfSSL_sk_X509_push
 #define sk_X509_pop                     wolfSSL_sk_X509_pop
 #define sk_X509_pop_free                wolfSSL_sk_X509_pop_free
-#define sk_X509_dup                     wolfSSL_sk_X509_dup
+#define sk_X509_dup                     wolfSSL_sk_dup
 #define sk_X509_free                    wolfSSL_sk_X509_free
 #define sk_X509_EXTENSION_num           wolfSSL_sk_X509_EXTENSION_num
@ -430,7 +441,6 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define sk_X509_EXTENSION_new_null      wolfSSL_sk_X509_EXTENSION_new_null
 #define sk_X509_EXTENSION_pop_free      wolfSSL_sk_X509_EXTENSION_pop_free
 #define sk_X509_EXTENSION_push          wolfSSL_sk_X509_EXTENSION_push
 #define X509_EXTENSION_free             wolfSSL_X509_EXTENSION_free
 #define X509_INFO_new                   wolfSSL_X509_INFO_new
 #define X509_INFO_free                  wolfSSL_X509_INFO_free
@ -444,6 +454,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define sk_X509_INFO_free               wolfSSL_sk_X509_INFO_free
 #define i2d_X509_NAME                   wolfSSL_i2d_X509_NAME
 #define d2i_X509_NAME                   wolfSSL_d2i_X509_NAME
 #define X509_NAME_new                   wolfSSL_X509_NAME_new
 #define X509_NAME_free                  wolfSSL_X509_NAME_free
 #define X509_NAME_dup                   wolfSSL_X509_NAME_dup
@ -568,7 +579,6 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define sk_X509_REVOKED_value           wolfSSL_sk_X509_REVOKED_value
 #define X509_OBJECT_free_contents       wolfSSL_X509_OBJECT_free_contents
 #define X509_subject_name_hash          wolfSSL_X509_subject_name_hash
 #define X509_check_purpose(...)         0
@ -661,6 +671,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define ASN1_INTEGER_to_BN              wolfSSL_ASN1_INTEGER_to_BN
 #define i2a_ASN1_OBJECT                 wolfSSL_i2a_ASN1_OBJECT
 #define i2d_ASN1_OBJECT                 wolfSSL_i2d_ASN1_OBJECT
 #define ASN1_STRING_data                wolfSSL_ASN1_STRING_data
 #define ASN1_STRING_get0_data           wolfSSL_ASN1_STRING_data
@ -850,7 +861,6 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 /*#if OPENSSL_API_COMPAT < 0x10100000L*/
 #define CONF_modules_free()
 #define ENGINE_cleanup()
 #define HMAC_CTX_cleanup                wolfSSL_HMAC_cleanup
 #define SSL_CTX_need_tmp_RSA(ctx)       0
 #define SSL_CTX_set_tmp_rsa(ctx,rsa)    1
 #define SSL_need_tmp_RSA(ssl)           0
@ -887,14 +897,6 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define sk_X509_NAME_find               wolfSSL_sk_X509_NAME_find
 enum {
    GEN_DNS   = 0x02, /* ASN_DNS_TYPE */
    GEN_EMAIL = 0x01, /* ASN_RFC822_TYPE */
    GEN_URI   = 0x06, /* ASN_URI_TYPE */
    GEN_IPADD = 0x07,
    GEN_RID   = 0x08, /* Registered ID, not supported */
 };
 #define PEM_read_bio_DHparams           wolfSSL_PEM_read_bio_DHparams
 #define PEM_read_bio_DSAparams          wolfSSL_PEM_read_bio_DSAparams
@ -910,7 +912,7 @@ enum {
 #define sk_SSL_COMP_zero                wolfSSL_sk_SSL_COMP_zero
 #define sk_SSL_CIPHER_value             wolfSSL_sk_SSL_CIPHER_value
 #endif /* OPENSSL_ALL || WOLFSSL_HAPROXY */
-#define sk_SSL_CIPHER_dup               wolfSSL_sk_SSL_CIPHER_dup
+#define sk_SSL_CIPHER_dup               wolfSSL_sk_dup
 #define sk_SSL_CIPHER_free              wolfSSL_sk_SSL_CIPHER_free
 #define sk_SSL_CIPHER_find              wolfSSL_sk_SSL_CIPHER_find
@ -919,7 +921,6 @@ enum {
 #include <libs/libwolfssl/openssl/pem.h>
 #define SSL_CTRL_CHAIN       88
 #define GEN_IPADD            7
 #define ERR_LIB_SSL          20
 #define SSL_R_SHORT_READ     10
 #define ERR_R_PEM_LIB        9
@ -959,6 +960,7 @@ enum {
 #define SSL_num_renegotiations          wolfSSL_num_renegotiations
 #define SSL_renegotiate                 wolfSSL_Rehandshake
 #define SSL_get_secure_renegotiation_support wolfSSL_SSL_get_secure_renegotiation_support
 #define SSL_renegotiate_pending         wolfSSL_SSL_renegotiate_pending
 #define SSL_set_tlsext_debug_arg        wolfSSL_set_tlsext_debug_arg
 #define SSL_set_tlsext_status_type      wolfSSL_set_tlsext_status_type
 #define SSL_set_tlsext_status_exts      wolfSSL_set_tlsext_status_exts
@ -1227,7 +1229,7 @@ enum {
 #define X509_OBJECT_free                wolfSSL_X509_OBJECT_free
 #define X509_OBJECT_get_type(x)         0
-#define OpenSSL_version(x)              wolfSSL_lib_version()
+#define OpenSSL_version(x)              wolfSSL_OpenSSL_version()
 #ifdef __cplusplus
    } /* extern "C" */
--- a/source/libs/libwolfssl/openssl/stack.h
+++ b/source/libs/libwolfssl/openssl/stack.h
@ -28,6 +28,8 @@
    extern "C" {
 #endif
 #include <libs/libwolfssl/openssl/conf.h>
 typedef void (*wolfSSL_sk_freefunc)(void *);
 WOLFSSL_API void wolfSSL_sk_GENERIC_pop_free(WOLFSSL_STACK* sk, wolfSSL_sk_freefunc);
--- a/source/libs/libwolfssl/openssl/x509v3.h
+++ b/source/libs/libwolfssl/openssl/x509v3.h
@ -40,6 +40,7 @@
 /* Forward reference */
 typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long);
 typedef int (*X509V3_EXT_I2D) (void *, unsigned char **);
 typedef STACK_OF(CONF_VALUE) *(*X509V3_EXT_I2V) (
                                struct WOLFSSL_v3_ext_method *method,
                                void *ext, STACK_OF(CONF_VALUE) *extlist);
@ -53,6 +54,7 @@ struct WOLFSSL_v3_ext_method {
    int ext_flags;
    void *usr_data;
    X509V3_EXT_D2I d2i;
    X509V3_EXT_I2D i2d;
    X509V3_EXT_I2V i2v;
    X509V3_EXT_I2S i2s;
    X509V3_EXT_I2R i2r;
@ -61,7 +63,7 @@ struct WOLFSSL_v3_ext_method {
 struct WOLFSSL_X509_EXTENSION {
    WOLFSSL_ASN1_OBJECT *obj;
    WOLFSSL_ASN1_BOOLEAN crit;
-    WOLFSSL_ASN1_STRING value;
+    ASN1_OCTET_STRING value; /* DER format of extension */
    WOLFSSL_v3_ext_method ext_method;
    WOLFSSL_STACK* ext_sk; /* For extension specific data */
 };
@ -86,7 +88,9 @@ typedef struct WOLFSSL_BASIC_CONSTRAINTS BASIC_CONSTRAINTS;
 typedef struct WOLFSSL_ACCESS_DESCRIPTION ACCESS_DESCRIPTION;
 typedef WOLF_STACK_OF(WOLFSSL_ACCESS_DESCRIPTION) WOLFSSL_AUTHORITY_INFO_ACCESS;
 WOLFSSL_API WOLFSSL_BASIC_CONSTRAINTS* wolfSSL_BASIC_CONSTRAINTS_new(void);
 WOLFSSL_API void wolfSSL_BASIC_CONSTRAINTS_free(WOLFSSL_BASIC_CONSTRAINTS *bc);
 WOLFSSL_API WOLFSSL_AUTHORITY_KEYID* wolfSSL_AUTHORITY_KEYID_new(void);
 WOLFSSL_API void wolfSSL_AUTHORITY_KEYID_free(WOLFSSL_AUTHORITY_KEYID *id);
 WOLFSSL_API const WOLFSSL_v3_ext_method* wolfSSL_X509V3_EXT_get(
                                                    WOLFSSL_X509_EXTENSION* ex);
--- a/source/libs/libwolfssl/sniffer.h
+++ b/source/libs/libwolfssl/sniffer.h
@ -49,12 +49,49 @@ SSL_SNIFFER_API int ssl_SetPrivateKey(const char* address, int port,
                                      const char* keyFile, int typeK,
                                      const char* password, char* error);
 WOLFSSL_API
 SSL_SNIFFER_API int ssl_SetPrivateKeyBuffer(const char* address, int port,
                                            const char* keyBuf, int keySz, 
                                            int typeK, const char* password, 
                                            char* error);
 WOLFSSL_API
 SSL_SNIFFER_API int ssl_SetNamedPrivateKey(const char* name,
                                           const char* address, int port,
                                           const char* keyFile, int typeK,
                                           const char* password, char* error);
 WOLFSSL_API
 SSL_SNIFFER_API int ssl_SetNamedPrivateKeyBuffer(const char* name,
                                                 const char* address, int port,
                                                 const char* keyBuf, int keySz, 
                                                 int typeK, const char* password, 
                                                 char* error);
 WOLFSSL_API 
 SSL_SNIFFER_API int ssl_SetEphemeralKey(const char* address, int port, 
                                        const char* keyFile, int typeKey, 
                                        const char* password, char* error);
 WOLFSSL_API 
 SSL_SNIFFER_API int ssl_SetEphemeralKeyBuffer(const char* address, int port, 
                                              const char* keyBuf, int keySz, int typeKey, 
                                              const char* password, char* error);
 WOLFSSL_API 
 SSL_SNIFFER_API int ssl_SetNamedEphemeralKey(const char* name,
                                             const char* address, int port,
                                             const char* keyFile, int typeKey,
                                             const char* password, char* error);
 WOLFSSL_API 
 SSL_SNIFFER_API int ssl_SetNamedEphemeralKeyBuffer(const char* name,
                                                   const char* address, int port,
                                                   const char* keyBuf, int keySz, int typeKey, 
                                                   const char* password, char* error);
 WOLFSSL_API
 SSL_SNIFFER_API int ssl_DecodePacket(const unsigned char* packet, int length,
                                     unsigned char** data, char* error);
--- a/source/libs/libwolfssl/sniffer_error.h
+++ b/source/libs/libwolfssl/sniffer_error.h
@ -130,6 +130,7 @@
 #define NO_DATA_DEST_STR 91
 #define STORE_DATA_FAIL_STR 92
 #define CHAIN_INPUT_STR 93
 #define GOT_ENC_EXT_STR 94
 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */
--- a/source/libs/libwolfssl/ssl.h
+++ b/source/libs/libwolfssl/ssl.h
@ -191,7 +191,7 @@ typedef struct WOLFSSL_AUTHORITY_KEYID  WOLFSSL_AUTHORITY_KEYID;
 typedef struct WOLFSSL_BASIC_CONSTRAINTS WOLFSSL_BASIC_CONSTRAINTS;
 typedef struct WOLFSSL_ACCESS_DESCRIPTION WOLFSSL_ACCESS_DESCRIPTION;
-#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)
+#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 struct WOLFSSL_AUTHORITY_KEYID {
    WOLFSSL_ASN1_STRING *keyid;
@ -274,7 +274,8 @@ struct WOLFSSL_ASN1_OBJECT {
    int ca;
    WOLFSSL_ASN1_INTEGER *pathlen;
 #endif
-    unsigned char dynamic; /* if 1 then obj was dynamically created, 0 otherwise */
+    unsigned char dynamic; /* Use WOLFSSL_ASN1_DYNAMIC and WOLFSSL_ASN1_DYNAMIC_DATA
                            * to determine what needs to be freed. */
 #if defined(WOLFSSL_APACHE_HTTPD)
    WOLFSSL_GENERAL_NAME* gn;
@ -506,7 +507,7 @@ struct WOLFSSL_X509_STORE {
    int                   cache;          /* stunnel dereference */
    WOLFSSL_CERT_MANAGER* cm;
    WOLFSSL_X509_LOOKUP   lookup;
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
    int                   isDynamic;
    WOLFSSL_X509_VERIFY_PARAM* param;    /* certificate validation parameter */
 #endif
@ -516,15 +517,15 @@ struct WOLFSSL_X509_STORE {
 #ifdef HAVE_EX_DATA
    WOLFSSL_CRYPTO_EX_DATA ex_data;
 #endif
-#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL)
+#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)) && defined(HAVE_CRL)
-    WOLFSSL_X509_CRL *crl;
+    WOLFSSL_X509_CRL *crl; /* points to cm->crl */
 #endif
 };
-#ifdef OPENSSL_EXTRA
+#define WOLFSSL_NO_WILDCARDS   0x4
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 #define WOLFSSL_USE_CHECK_TIME 0x2
 #define WOLFSSL_NO_CHECK_TIME  0x200000
 #define WOLFSSL_NO_WILDCARDS   0x4
 #define WOLFSSL_HOST_NAME_MAX  256
 #define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */
 struct WOLFSSL_X509_VERIFY_PARAM {
@ -534,7 +535,7 @@ struct WOLFSSL_X509_VERIFY_PARAM {
    unsigned int  hostFlags;
    char ipasc[WOLFSSL_MAX_IPSTR];
 };
-#endif
+#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 typedef struct WOLFSSL_ALERT {
    int code;
@ -709,11 +710,11 @@ WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_1_method(void);
 WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_1_server_method(void);
 WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_1_client_method(void);
 WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_2_method(void);
-WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_2_server_method(void);
+WOLFSSL_ABI WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_2_server_method(void);
 WOLFSSL_ABI WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_2_client_method(void);
 #ifdef WOLFSSL_TLS13
    WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_3_method(void);
-    WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_3_server_method(void);
+    WOLFSSL_ABI WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_3_server_method(void);
    WOLFSSL_ABI WOLFSSL_API WOLFSSL_METHOD *wolfTLSv1_3_client_method(void);
 #endif
@ -742,7 +743,7 @@ typedef int (*wc_dtls_export)(WOLFSSL* ssl,
 #define WOLFSSL_DTLS_EXPORT_TYPES
 #endif /* WOLFSSL_DTLS_EXPORT_TYPES */
-WOLFSSL_API int wolfSSL_dtls_import(WOLFSSL* ssl, unsigned char* buf,
+WOLFSSL_API int wolfSSL_dtls_import(WOLFSSL* ssl, const unsigned char* buf,
                                                               unsigned int sz);
 WOLFSSL_API int wolfSSL_CTX_dtls_set_export(WOLFSSL_CTX* ctx,
                                                           wc_dtls_export func);
@ -861,7 +862,7 @@ WOLFSSL_ABI WOLFSSL_API int  wolfSSL_connect(WOLFSSL*);
 WOLFSSL_ABI WOLFSSL_API int  wolfSSL_write(WOLFSSL*, const void*, int);
 WOLFSSL_ABI WOLFSSL_API int  wolfSSL_read(WOLFSSL*, void*, int);
 WOLFSSL_API int  wolfSSL_peek(WOLFSSL*, void*, int);
-WOLFSSL_API int  wolfSSL_accept(WOLFSSL*);
+WOLFSSL_ABI WOLFSSL_API int  wolfSSL_accept(WOLFSSL*);
 WOLFSSL_API int  wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req);
 WOLFSSL_API int  wolfSSL_mutual_auth(WOLFSSL* ssl, int req);
 #ifdef WOLFSSL_TLS13
@ -891,10 +892,12 @@ WOLFSSL_API int  wolfSSL_accept_TLSv13(WOLFSSL*);
 WOLFSSL_API int  wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx,
                                                unsigned int sz);
 WOLFSSL_API int  wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz);
-WOLFSSL_API int  wolfSSL_write_early_data(WOLFSSL*, const void*, int, int*);
+WOLFSSL_API int  wolfSSL_write_early_data(WOLFSSL* ssl, const void* data,
-WOLFSSL_API int  wolfSSL_read_early_data(WOLFSSL*, void*, int, int*);
+                                          int sz, int* outSz);
-#endif
+WOLFSSL_API int  wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz,
-#endif
+                                         int* outSz);
 #endif /* WOLFSSL_EARLY_DATA */
 #endif /* WOLFSSL_TLS13 */
 WOLFSSL_ABI WOLFSSL_API void wolfSSL_CTX_free(WOLFSSL_CTX*);
 WOLFSSL_ABI WOLFSSL_API void wolfSSL_free(WOLFSSL*);
 WOLFSSL_ABI WOLFSSL_API int  wolfSSL_shutdown(WOLFSSL*);
@ -918,9 +921,11 @@ WOLFSSL_API int  wolfSSL_SetServerID(WOLFSSL*, const unsigned char*, int, int);
 WOLFSSL_API int  wolfSSL_BIO_new_bio_pair(WOLFSSL_BIO**, size_t,
                     WOLFSSL_BIO**, size_t);
-WOLFSSL_API int wolfSSL_RSA_padding_add_PKCS1_PSS(WOLFSSL_RSA *rsa, unsigned char *EM,
+WOLFSSL_API int wolfSSL_RSA_padding_add_PKCS1_PSS(WOLFSSL_RSA *rsa,
                                                  unsigned char *EM,
                                                  const unsigned char *mHash,
-                                                  const WOLFSSL_EVP_MD *Hash, int saltLen);
+                                                  const WOLFSSL_EVP_MD *hashAlg,
                                                  int saltLen);
 WOLFSSL_API int wolfSSL_RSA_verify_PKCS1_PSS(WOLFSSL_RSA *rsa, const unsigned char *mHash,
                                          const WOLFSSL_EVP_MD *hashAlg,
                                          const unsigned char *EM, int saltLen);
@ -1082,6 +1087,7 @@ typedef int WOLFSSL_LHASH;
 WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_new_node(void* heap);
 WOLFSSL_API void wolfSSL_sk_free(WOLFSSL_STACK* sk);
 WOLFSSL_API void wolfSSL_sk_free_node(WOLFSSL_STACK* in);
 WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk);
 WOLFSSL_API int wolfSSL_sk_push_node(WOLFSSL_STACK** stack, WOLFSSL_STACK* in);
 WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_get_node(WOLFSSL_STACK* sk, int idx);
 WOLFSSL_API int wolfSSL_sk_push(WOLFSSL_STACK *st, const void *data);
@ -1102,12 +1108,13 @@ typedef WOLF_STACK_OF(WOLFSSL_GENERAL_NAME) WOLFSSL_GENERAL_NAMES;
 WOLFSSL_API int wolfSSL_sk_X509_push(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk,
                                                            WOLFSSL_X509* x509);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_sk_X509_pop(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk);
 WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_X509_dup(WOLFSSL_STACK* sk);
 WOLFSSL_API void wolfSSL_sk_X509_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk);
 WOLFSSL_API WOLFSSL_GENERAL_NAME* wolfSSL_GENERAL_NAME_new(void);
 WOLFSSL_API void wolfSSL_GENERAL_NAME_free(WOLFSSL_GENERAL_NAME* gn);
-WOLFSSL_API int wolfSSL_sk_GENERAL_NAME_push(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)* sk,
+WOLFSSL_API WOLFSSL_GENERAL_NAMES* wolfSSL_GENERAL_NAMES_dup(
-                                                      WOLFSSL_GENERAL_NAME* gn);
+                                             WOLFSSL_GENERAL_NAMES* gns);
 WOLFSSL_API int wolfSSL_sk_GENERAL_NAME_push(WOLFSSL_GENERAL_NAMES* sk,
                                             WOLFSSL_GENERAL_NAME* gn);
 WOLFSSL_API WOLFSSL_GENERAL_NAME* wolfSSL_sk_GENERAL_NAME_value(
        WOLFSSL_STACK* sk, int i);
 WOLFSSL_API int wolfSSL_sk_GENERAL_NAME_num(WOLFSSL_STACK* sk);
@ -1129,6 +1136,7 @@ WOLFSSL_API void wolfSSL_sk_X509_EXTENSION_pop_free(
        void (*f) (WOLFSSL_X509_EXTENSION*));
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* wolfSSL_sk_X509_EXTENSION_new_null(void);
 WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_new(void);
 WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_dup(WOLFSSL_ASN1_OBJECT* obj);
 WOLFSSL_API void wolfSSL_ASN1_OBJECT_free(WOLFSSL_ASN1_OBJECT* obj);
 WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_new_asn1_obj(void);
 WOLFSSL_API int wolfSSL_sk_ASN1_OBJECT_push(WOLF_STACK_OF(WOLFSSL_ASN1_OBJEXT)* sk,
@ -1153,11 +1161,13 @@ WOLFSSL_API int  wolfSSL_set_session_id_context(WOLFSSL*, const unsigned char*,
 WOLFSSL_API void wolfSSL_set_connect_state(WOLFSSL*);
 WOLFSSL_API void wolfSSL_set_accept_state(WOLFSSL*);
 WOLFSSL_API int  wolfSSL_session_reused(WOLFSSL*);
 WOLFSSL_API int wolfSSL_SESSION_up_ref(WOLFSSL_SESSION* session);
 WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session);
 WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_new(void);
 WOLFSSL_API void wolfSSL_SESSION_free(WOLFSSL_SESSION* session);
 WOLFSSL_API int  wolfSSL_is_init_finished(WOLFSSL*);
-WOLFSSL_API const char*  wolfSSL_get_version(WOLFSSL*);
+WOLFSSL_API const char*  wolfSSL_get_version(const WOLFSSL*);
 WOLFSSL_API int  wolfSSL_get_current_cipher_suite(WOLFSSL* ssl);
 WOLFSSL_API WOLFSSL_CIPHER*  wolfSSL_get_current_cipher(WOLFSSL*);
 WOLFSSL_API char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER*, char*, int);
@ -1312,6 +1322,8 @@ WOLFSSL_API void wolfSSL_X509_STORE_set_verify_cb(WOLFSSL_X509_STORE *st,
                                 WOLFSSL_X509_STORE_CTX_verify_cb verify_cb);
 WOLFSSL_API int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* n,
                                                           unsigned char** out);
 WOLFSSL_API WOLFSSL_X509_NAME *wolfSSL_d2i_X509_NAME(WOLFSSL_X509_NAME **name,
                                              unsigned char **in, long length);
 #ifndef NO_RSA
 WOLFSSL_API int wolfSSL_RSA_print(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa, int offset);
 #endif
@ -1325,8 +1337,10 @@ WOLFSSL_API char* wolfSSL_X509_get_name_oneline(WOLFSSL_X509_NAME*, char*, int);
 #endif
 WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name(
                                                                 WOLFSSL_X509*);
 WOLFSSL_API unsigned long  wolfSSL_X509_issuer_name_hash(const WOLFSSL_X509* x509);
 WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(
                                                                 WOLFSSL_X509*);
 WOLFSSL_API unsigned long  wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509);
 WOLFSSL_API int  wolfSSL_X509_ext_isSet_by_NID(WOLFSSL_X509*, int);
 WOLFSSL_API int  wolfSSL_X509_ext_get_critical_by_NID(WOLFSSL_X509*, int);
 WOLFSSL_API int  wolfSSL_X509_get_isCA(WOLFSSL_X509*);
@ -1365,6 +1379,7 @@ WOLFSSL_API int wolfSSL_X509_NAME_get_index_by_NID(
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_X509_NAME_ENTRY_get_data(WOLFSSL_X509_NAME_ENTRY*);
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_new(void);
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_dup(WOLFSSL_ASN1_STRING* asn1);
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_type_new(int type);
 WOLFSSL_API int wolfSSL_ASN1_STRING_type(const WOLFSSL_ASN1_STRING* asn1);
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_d2i_DISPLAYTEXT(WOLFSSL_ASN1_STRING **asn, const unsigned char **in, long len);
@ -1421,11 +1436,12 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PUBKEY_bio(WOLFSSL_BIO* bio,
                                         WOLFSSL_EVP_PKEY** out);
 WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PUBKEY(WOLFSSL_EVP_PKEY** key,
        const unsigned char** in, long inSz);
 WOLFSSL_API int wolfSSL_i2d_PUBKEY(const WOLFSSL_EVP_PKEY *key, unsigned char **der);
 WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type,
        WOLFSSL_EVP_PKEY** out, const unsigned char **in, long inSz);
 WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_EVP(WOLFSSL_EVP_PKEY** key,
        unsigned char** in, long inSz);
-WOLFSSL_API int wolfSSL_i2d_PrivateKey(WOLFSSL_EVP_PKEY* key,
+WOLFSSL_API int wolfSSL_i2d_PrivateKey(const WOLFSSL_EVP_PKEY* key,
        unsigned char** der);
 WOLFSSL_API int       wolfSSL_X509_cmp_current_time(const WOLFSSL_ASN1_TIME*);
 #ifdef OPENSSL_EXTRA
@ -1571,6 +1587,7 @@ WOLFSSL_API long wolfSSL_clear_options(WOLFSSL *s,  long op);
 WOLFSSL_API long wolfSSL_clear_num_renegotiations(WOLFSSL *s);
 WOLFSSL_API long wolfSSL_total_renegotiations(WOLFSSL *s);
 WOLFSSL_API long wolfSSL_num_renegotiations(WOLFSSL* s);
 WOLFSSL_API int  wolfSSL_SSL_renegotiate_pending(WOLFSSL *s);
 WOLFSSL_API long wolfSSL_set_tmp_dh(WOLFSSL *s, WOLFSSL_DH *dh);
 WOLFSSL_API long wolfSSL_set_tlsext_debug_arg(WOLFSSL *s, void *arg);
 WOLFSSL_API long wolfSSL_set_tlsext_status_type(WOLFSSL *s, int type);
@ -1597,8 +1614,6 @@ enum {
    WOLFSSL_CRL_CHECK    = 2,
 };
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
    defined(HAVE_WEBSERVER)
 /* Separated out from other enums because of size */
 enum {
    SSL_OP_MICROSOFT_SESS_ID_BUG                  = 0x00000001,
@ -1645,6 +1660,8 @@ enum {
                  | SSL_OP_TLS_ROLLBACK_BUG),
 };
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
    defined(HAVE_WEBSERVER)
 /* for compatibility these must be macros */
 #define SSL_OP_NO_SSLv2   WOLFSSL_OP_NO_SSLv2
 #define SSL_OP_NO_SSLv3   WOLFSSL_OP_NO_SSLv3
@ -1950,6 +1967,11 @@ enum { /* ssl Constants */
    WOLFSSL_API void wolfSSL_set_psk_server_tls13_callback(WOLFSSL*,
                                                  wc_psk_server_tls13_callback);
 #endif
    WOLFSSL_API void* wolfSSL_get_psk_callback_ctx(WOLFSSL*);
    WOLFSSL_API int   wolfSSL_set_psk_callback_ctx(WOLFSSL*, void*);
    WOLFSSL_API void* wolfSSL_CTX_get_psk_callback_ctx(WOLFSSL_CTX*);
    WOLFSSL_API int   wolfSSL_CTX_set_psk_callback_ctx(WOLFSSL_CTX*, void*);
    #define PSK_TYPES_DEFINED
 #endif /* NO_PSK */
@ -1992,10 +2014,9 @@ WOLFSSL_API long wolfSSL_CTX_set_options(WOLFSSL_CTX*, long);
 WOLFSSL_API long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx);
 WOLFSSL_API long wolfSSL_CTX_clear_options(WOLFSSL_CTX*, long);
-#ifndef NO_CERTS
+#if !defined(NO_FILESYSTEM) && !defined(NO_CHECK_PRIVATE_KEY)
  WOLFSSL_API int  wolfSSL_CTX_check_private_key(const WOLFSSL_CTX*);
-#endif /* !NO_CERTS */
+#endif
 WOLFSSL_API void wolfSSL_ERR_free_strings(void);
 WOLFSSL_API void wolfSSL_ERR_remove_state(unsigned long);
 WOLFSSL_API int  wolfSSL_clear(WOLFSSL* ssl);
@ -2045,7 +2066,8 @@ WOLFSSL_API WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_set(WOLFSSL_ASN1_TIME *s, time_
 WOLFSSL_API int wolfSSL_sk_num(WOLFSSL_STACK* sk);
 WOLFSSL_API void* wolfSSL_sk_value(WOLFSSL_STACK* sk, int i);
-#if defined(HAVE_EX_DATA) || defined(FORTRESS)
+#if (defined(HAVE_EX_DATA) || defined(FORTRESS)) && \
    (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL))
 WOLFSSL_API void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data,
                                            int idx);
 WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx,
@ -2087,6 +2109,7 @@ WOLFSSL_ABI WOLFSSL_API int wolfSSL_Cleanup(void);
 /* which library version do we have */
 WOLFSSL_API const char* wolfSSL_lib_version(void);
 WOLFSSL_API const char* wolfSSL_OpenSSL_version(void);
 /* which library version do we have in hex */
 WOLFSSL_API word32 wolfSSL_lib_version_hex(void);
@ -2134,6 +2157,7 @@ WOLFSSL_API int wolfSSL_X509_version(WOLFSSL_X509*);
 WOLFSSL_API int wolfSSL_cmp_peer_cert_to_file(WOLFSSL*, const char*);
 WOLFSSL_ABI WOLFSSL_API char* wolfSSL_X509_get_next_altname(WOLFSSL_X509*);
 WOLFSSL_API int wolfSSL_X509_add_altname_ex(WOLFSSL_X509*, const char*, word32, int);
 WOLFSSL_API int wolfSSL_X509_add_altname(WOLFSSL_X509*, const char*, int);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509(WOLFSSL_X509** x509,
@ -2143,7 +2167,7 @@ WOLFSSL_API WOLFSSL_X509*
 WOLFSSL_API int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out);
 WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL **crl,
                                                   const unsigned char *in, int len);
-#ifndef NO_FILESYSTEM
+#if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)
 WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE file, WOLFSSL_X509_CRL **crl);
 #endif
 WOLFSSL_API void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl);
@ -2178,7 +2202,7 @@ typedef struct WC_PKCS12 WC_PKCS12;
 WOLFSSL_API WC_PKCS12* wolfSSL_d2i_PKCS12_bio(WOLFSSL_BIO* bio,
                                       WC_PKCS12** pkcs12);
 WOLFSSL_API int wolfSSL_i2d_PKCS12_bio(WOLFSSL_BIO *bio, WC_PKCS12 *pkcs12);
-#ifndef NO_FILESYSTEM
+#if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)
 WOLFSSL_API WOLFSSL_X509_PKCS12* wolfSSL_d2i_PKCS12_fp(XFILE fp,
                                       WOLFSSL_X509_PKCS12** pkcs12);
 #endif
@ -2424,6 +2448,7 @@ WOLFSSL_API void  wolfSSL_SetVerifyDecryptCtx(WOLFSSL* ssl, void *ctx);
 WOLFSSL_API void* wolfSSL_GetVerifyDecryptCtx(WOLFSSL* ssl);
 WOLFSSL_API const unsigned char* wolfSSL_GetMacSecret(WOLFSSL*, int);
 WOLFSSL_API const unsigned char* wolfSSL_GetDtlsMacSecret(WOLFSSL*, int, int);
 WOLFSSL_API const unsigned char* wolfSSL_GetClientWriteKey(WOLFSSL*);
 WOLFSSL_API const unsigned char* wolfSSL_GetClientWriteIV(WOLFSSL*);
 WOLFSSL_API const unsigned char* wolfSSL_GetServerWriteKey(WOLFSSL*);
@ -2527,7 +2552,7 @@ struct DhKey;
 typedef int (*CallbackDhAgree)(WOLFSSL* ssl, struct DhKey* key,
        const unsigned char* priv, unsigned int privSz,
        const unsigned char* otherPubKeyDer, unsigned int otherPubKeySz,
-        unsigned char* out, unsigned int* outlen,
+        unsigned char* out, word32* outlen,
        void* ctx);
 WOLFSSL_API void  wolfSSL_CTX_SetDhAgreeCb(WOLFSSL_CTX*, CallbackDhAgree);
 WOLFSSL_API void  wolfSSL_SetDhAgreeCtx(WOLFSSL* ssl, void *ctx);
@ -2625,7 +2650,7 @@ WOLFSSL_API void* wolfSSL_GetX448SharedSecretCtx(WOLFSSL* ssl);
 #ifndef NO_RSA
 typedef int (*CallbackRsaSign)(WOLFSSL* ssl,
       const unsigned char* in, unsigned int inSz,
-       unsigned char* out, unsigned int* outSz,
+       unsigned char* out, word32* outSz,
       const unsigned char* keyDer, unsigned int keySz,
       void* ctx);
 WOLFSSL_API void  wolfSSL_CTX_SetRsaSignCb(WOLFSSL_CTX*, CallbackRsaSign);
@ -2670,7 +2695,7 @@ WOLFSSL_API void* wolfSSL_GetRsaPssVerifyCtx(WOLFSSL* ssl);
 /* RSA Public Encrypt cb */
 typedef int (*CallbackRsaEnc)(WOLFSSL* ssl,
       const unsigned char* in, unsigned int inSz,
-       unsigned char* out, unsigned int* outSz,
+       unsigned char* out, word32* outSz,
       const unsigned char* keyDer, unsigned int keySz,
       void* ctx);
 WOLFSSL_API void  wolfSSL_CTX_SetRsaEncCb(WOLFSSL_CTX*, CallbackRsaEnc);
@ -3031,6 +3056,7 @@ enum {
    WOLFSSL_ECC_BRAINPOOLP512R1 = 28,
    WOLFSSL_ECC_X25519    = 29,
    WOLFSSL_ECC_X448      = 30,
    WOLFSSL_ECC_MAX       = 30,
    WOLFSSL_FFDHE_2048    = 256,
    WOLFSSL_FFDHE_3072    = 257,
@ -3208,7 +3234,6 @@ WOLFSSL_API int wolfSSL_accept_ex(WOLFSSL*, HandShakeCallBack, TimeoutCallBack,
 #include <libs/libwolfssl/openssl/asn1.h>
 struct WOLFSSL_X509_NAME_ENTRY {
    WOLFSSL_ASN1_OBJECT  object;  /* static object just for keeping grp, type */
    WOLFSSL_ASN1_STRING  data;
    WOLFSSL_ASN1_STRING* value;  /* points to data, for lighttpd port */
    int nid; /* i.e. ASN_COMMON_NAME */
    int set;
@ -3219,11 +3244,8 @@ WOLFSSL_API int wolfSSL_X509_NAME_get_index_by_OBJ(WOLFSSL_X509_NAME *name,
                                                   const WOLFSSL_ASN1_OBJECT *obj,
                                                   int idx);
 #endif /* OPENSSL_ALL || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
 enum {
    WOLFSSL_SYS_ACCEPT = 0,
    WOLFSSL_SYS_BIND,
@ -3293,12 +3315,28 @@ WOLFSSL_API int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME* x,
 WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_NAME_new(void);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509*);
 WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_NAME_dup(WOLFSSL_X509_NAME*);
 WOLFSSL_API int wolfSSL_X509_NAME_copy(WOLFSSL_X509_NAME*, WOLFSSL_X509_NAME*);
 WOLFSSL_API int wolfSSL_check_private_key(const WOLFSSL* ssl);
 #endif /* !NO_CERTS */
 #endif /* OPENSSL_ALL || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 #ifdef WOLFSSL_WPAS_SMALL
    /* WPA Supplicant requires GEN_ values */
    #include <libs/libwolfssl/openssl/x509v3.h>
 #endif
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 WOLFSSL_API void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509,
                                                     int nid, int* c, int* idx);
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
 #ifndef NO_CERTS
 WOLFSSL_API int wolfSSL_X509_get_ext_count(const WOLFSSL_X509* passedCert);
 WOLFSSL_API int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509 *x, int nid, int lastpos);
 WOLFSSL_API int wolfSSL_X509_add_ext(WOLFSSL_X509 *x, WOLFSSL_X509_EXTENSION *ex, int loc);
 WOLFSSL_API WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit,
                                                           void *data);
 WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_X509V3_EXT_conf_nid(
        WOLF_LHASH_OF(CONF_VALUE)* conf, WOLFSSL_X509V3_CTX* ctx, int nid,
        char* value);
@ -3335,7 +3373,7 @@ WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_new_x509_ext(void);
 WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_X509_EXTENSION_get_object(WOLFSSL_X509_EXTENSION* ext);
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_X509_EXTENSION_get_data(WOLFSSL_X509_EXTENSION* ext);
-#endif /* NO_CERTS */
+#endif /* !NO_CERTS */
 WOLFSSL_API WOLFSSL_DH *wolfSSL_DSA_dup_DH(const WOLFSSL_DSA *r);
@ -3343,8 +3381,6 @@ WOLFSSL_API int wolfSSL_SESSION_get_master_key(const WOLFSSL_SESSION* ses,
        unsigned char* out, int outSz);
 WOLFSSL_API int wolfSSL_SESSION_get_master_key_length(const WOLFSSL_SESSION* ses);
 WOLFSSL_API void wolfSSL_CTX_set_cert_store(WOLFSSL_CTX* ctx,
                                                       WOLFSSL_X509_STORE* str);
 WOLFSSL_API int wolfSSL_i2d_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509* x509);
 #if !defined(NO_FILESYSTEM)
 WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509_fp(XFILE fp,
@ -3353,20 +3389,27 @@ WOLFSSL_API WOLFSSL_STACK* wolfSSL_X509_STORE_GetCerts(WOLFSSL_X509_STORE_CTX* s
 #endif
 WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509_bio(WOLFSSL_BIO* bio,
                                               WOLFSSL_X509** x509);
-WOLFSSL_API WOLFSSL_X509_STORE* wolfSSL_CTX_get_cert_store(WOLFSSL_CTX* ctx);
+#endif /* OPENSSL_EXTRA || OPENSSL_ALL */
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 WOLFSSL_API void wolfSSL_CTX_set_cert_store(WOLFSSL_CTX* ctx,
                                                       WOLFSSL_X509_STORE* str);
 WOLFSSL_API WOLFSSL_X509_STORE* wolfSSL_CTX_get_cert_store(WOLFSSL_CTX* ctx);
 WOLFSSL_API size_t wolfSSL_get_server_random(const WOLFSSL *ssl,
                                             unsigned char *out, size_t outlen);
 WOLFSSL_API size_t wolfSSL_get_client_random(const WOLFSSL* ssl,
                                              unsigned char* out, size_t outSz);
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
 WOLFSSL_API size_t wolfSSL_BIO_wpending(const WOLFSSL_BIO *bio);
 WOLFSSL_API size_t wolfSSL_BIO_ctrl_pending(WOLFSSL_BIO *b);
 WOLFSSL_API size_t wolfSSL_get_server_random(const WOLFSSL *ssl,
                                             unsigned char *out, size_t outlen);
 WOLFSSL_API int wolfSSL_get_server_tmp_key(const WOLFSSL*, WOLFSSL_EVP_PKEY**);
 WOLFSSL_API int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX*, int);
 WOLFSSL_API int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX*, int);
 WOLFSSL_API size_t wolfSSL_get_client_random(const WOLFSSL* ssl,
                                              unsigned char* out, size_t outSz);
 WOLFSSL_API int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey);
 WOLFSSL_API WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, pem_password_cb *cb, void *u);
 WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_PEM_read_bio_X509_CRL(WOLFSSL_BIO *bp,
@ -3385,9 +3428,12 @@ WOLFSSL_API int wolfSSL_PEM_get_EVP_CIPHER_INFO(char* header,
 WOLFSSL_API int wolfSSL_PEM_do_header(EncryptedInfo* cipher,
                                      unsigned char* data, long* len,
                                      pem_password_cb* callback, void* ctx);
 #endif /* OPENSSL_EXTRA || OPENSSL_ALL */
 /*lighttp compatibility */
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \
    defined(OPENSSL_EXTRA_X509_SMALL)
 struct WOLFSSL_ASN1_BIT_STRING {
    int length;
    int type;
@ -3395,6 +3441,11 @@ struct WOLFSSL_ASN1_BIT_STRING {
    long flags;
 };
 WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NAME *name, int loc);
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)|| \
    defined(OPENSSL_EXTRA_X509_SMALL)
 #if    defined(OPENSSL_EXTRA) \
    || defined(OPENSSL_ALL) \
@ -3402,7 +3453,8 @@ struct WOLFSSL_ASN1_BIT_STRING {
    || defined(WOLFSSL_MYSQL_COMPATIBLE) \
    || defined(HAVE_STUNNEL) \
    || defined(WOLFSSL_NGINX) \
-    || defined(WOLFSSL_HAPROXY)
+    || defined(WOLFSSL_HAPROXY) \
    || defined(OPENSSL_EXTRA_X509_SMALL)
 WOLFSSL_API void wolfSSL_X509_NAME_ENTRY_free(WOLFSSL_X509_NAME_ENTRY* ne);
 WOLFSSL_API WOLFSSL_X509_NAME_ENTRY* wolfSSL_X509_NAME_ENTRY_new(void);
 WOLFSSL_API void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME* name);
@ -3414,7 +3466,6 @@ WOLFSSL_API void wolfSSL_set_verify_depth(WOLFSSL *ssl,int depth);
 WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl);
 WOLFSSL_API int wolfSSL_set_app_data(WOLFSSL *ssl, void *arg);
 WOLFSSL_API WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne);
 WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NAME *name, int loc);
 WOLFSSL_API unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md);
 WOLFSSL_API unsigned char *wolfSSL_SHA256(const unsigned char *d, size_t n, unsigned char *md);
 WOLFSSL_API unsigned char *wolfSSL_SHA384(const unsigned char *d, size_t n, unsigned char *md);
@ -3468,12 +3519,8 @@ WOLFSSL_API int wolfSSL_X509_REQ_set_pubkey(WOLFSSL_X509 *req,
 #endif
-#if defined(OPENSSL_ALL) \
+#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \
-    || defined(HAVE_STUNNEL) \
+    || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
    || defined(WOLFSSL_NGINX) \
    || defined(WOLFSSL_HAPROXY) \
    || defined(OPENSSL_EXTRA) \
    || defined(HAVE_LIGHTY)
 #include <libs/libwolfssl/openssl/crypto.h>
@ -3485,6 +3532,8 @@ WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const ch
 WOLFSSL_API void wolfSSL_CRYPTO_cleanup_all_ex_data(void);
 WOLFSSL_API int wolfSSL_CRYPTO_memcmp(const void *a, const void *b, size_t size);
 WOLFSSL_API WOLFSSL_BIGNUM* wolfSSL_DH_768_prime(WOLFSSL_BIGNUM* bn);
 WOLFSSL_API WOLFSSL_BIGNUM* wolfSSL_DH_1024_prime(WOLFSSL_BIGNUM* bn);
 WOLFSSL_API WOLFSSL_BIGNUM* wolfSSL_DH_1536_prime(WOLFSSL_BIGNUM* bn);
@ -3550,7 +3599,9 @@ WOLFSSL_API int wolfSSL_sk_X509_OBJECT_num(const WOLF_STACK_OF(WOLFSSL_X509_OBJE
 WOLFSSL_API int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO*,WOLFSSL_X509_NAME*,int,
        unsigned long);
 #endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || HAVE_LIGHTY */
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 WOLFSSL_API WOLFSSL_ASN1_BIT_STRING* wolfSSL_ASN1_BIT_STRING_new(void);
 WOLFSSL_API void wolfSSL_ASN1_BIT_STRING_free(WOLFSSL_ASN1_BIT_STRING*);
 WOLFSSL_API WOLFSSL_ASN1_BIT_STRING* wolfSSL_X509_get0_pubkey_bitstr(
@ -3559,6 +3610,10 @@ WOLFSSL_API int wolfSSL_ASN1_BIT_STRING_get_bit(
                            const WOLFSSL_ASN1_BIT_STRING*, int);
 WOLFSSL_API int wolfSSL_ASN1_BIT_STRING_set_bit(
                            WOLFSSL_ASN1_BIT_STRING*, int, int);
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \
    || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
 WOLFSSL_API int        wolfSSL_CTX_add_session(WOLFSSL_CTX*, WOLFSSL_SESSION*);
@ -3571,17 +3626,22 @@ WOLFSSL_API WOLFSSL_X509* wolfSSL_sk_X509_value(WOLF_STACK_OF(WOLFSSL_X509)*, in
 WOLFSSL_API WOLFSSL_X509* wolfSSL_sk_X509_shift(WOLF_STACK_OF(WOLFSSL_X509)*);
 WOLFSSL_API void* wolfSSL_sk_X509_OBJECT_value(WOLF_STACK_OF(WOLFSSL_X509_OBJECT)*, int);
 #endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || HAVE_LIGHTY */
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 WOLFSSL_API void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION*, int);
 WOLFSSL_API int   wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION*, int, void*);
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \
    || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
 WOLFSSL_API int wolfSSL_SESSION_get_ex_new_index(long,void*,void*,void*,
        CRYPTO_free_func*);
 WOLFSSL_API int wolfSSL_X509_NAME_get_sz(WOLFSSL_X509_NAME*);
 WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(WOLFSSL_SESSION*,
        unsigned int*);
@ -3624,10 +3684,13 @@ WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_OBJECT)*
 WOLFSSL_API WOLFSSL_X509_OBJECT*
        wolfSSL_sk_X509_OBJECT_delete(WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* sk, int i);
 WOLFSSL_API void wolfSSL_X509_OBJECT_free(WOLFSSL_X509_OBJECT *a);
 WOLFSSL_API void wolfSSL_sk_X509_pop_free(WOLF_STACK_OF(WOLFSSL_X509)* sk, void (*f) (WOLFSSL_X509*));
 #endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || HAVE_LIGHTY */
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 #include <libs/libwolfssl/openssl/stack.h>
 WOLFSSL_API void wolfSSL_sk_X509_pop_free(WOLF_STACK_OF(WOLFSSL_X509)* sk, void (*f) (WOLFSSL_X509*));
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
 WOLFSSL_API int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names);
 WOLFSSL_API int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names);
@ -3672,6 +3735,16 @@ WOLFSSL_API void *wolfSSL_OPENSSL_memdup(const void *data,
 WOLFSSL_API void wolfSSL_ERR_load_BIO_strings(void);
 #endif
 #if defined(HAVE_OCSP) && !defined(NO_ASN_TIME)
    WOLFSSL_API int wolfSSL_get_ocsp_producedDate(
        WOLFSSL *ssl,
        byte *producedDate,
        size_t producedDate_space,
        int *producedDateFormat);
    WOLFSSL_API int wolfSSL_get_ocsp_producedDate_tm(WOLFSSL *ssl,
        struct tm *produced_tm);
 #endif
 #if defined(OPENSSL_ALL) \
    || defined(WOLFSSL_NGINX) \
    || defined(WOLFSSL_HAPROXY) \
@ -3688,14 +3761,17 @@ WOLFSSL_LOCAL char* wolfSSL_get_ocsp_url(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url);
 #endif
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx);
 WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx,
    void *data);
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \
    || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl);
 WOLFSSL_API int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a,
    void *b, void *c);
 WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx);
 WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx,
    void *data);
 WOLFSSL_API int wolfSSL_X509_NAME_digest(const WOLFSSL_X509_NAME *data,
    const WOLFSSL_EVP_MD *type, unsigned char *md, unsigned int *len);
@ -3715,8 +3791,6 @@ WOLFSSL_API int wolfSSL_SSL_in_connect_init(WOLFSSL*);
 #ifndef NO_SESSION_CACHE
    WOLFSSL_API WOLFSSL_SESSION *wolfSSL_SSL_get0_session(const WOLFSSL *s);
 #endif
 WOLFSSL_API int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk,
    size_t chklen, unsigned int flags, char **peername);
 WOLFSSL_API int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp,
    const WOLFSSL_ASN1_INTEGER *a);
@ -3745,13 +3819,13 @@ WOLFSSL_API int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer,
 WOLFSSL_API char* wolfSSL_sk_WOLFSSL_STRING_value(
    WOLF_STACK_OF(WOLFSSL_STRING)* strings, int idx);
-#endif /* HAVE_OCSP */
+#endif /* HAVE_OCSP || OPENSSL_EXTRA || OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */
 WOLFSSL_API int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bio,
    WOLFSSL_X509 *cert);
 #endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY ||
-    OPENSSL_EXTRA || HAVE_LIGHTY*/
+    OPENSSL_EXTRA || HAVE_LIGHTY */
 WOLFSSL_API void wolfSSL_get0_alpn_selected(const WOLFSSL *ssl,
        const unsigned char **data, unsigned int *len);
@ -3782,8 +3856,14 @@ WOLFSSL_API void wolfSSL_CTX_set_next_proto_select_cb(WOLFSSL_CTX *s,
 WOLFSSL_API void wolfSSL_get0_next_proto_negotiated(const WOLFSSL *s, const unsigned char **data,
        unsigned *len);
 #ifndef NO_ASN
 WOLFSSL_API int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk,
    size_t chklen, unsigned int flags, char **peername);
 WOLFSSL_API int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc,
        unsigned int flags);
 #endif
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 WOLFSSL_API const unsigned char *SSL_SESSION_get0_id_context(
        const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length);
@ -3808,6 +3888,7 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_X509_PUBKEY_get(WOLFSSL_X509_PUBKEY* key);
 WOLFSSL_API int wolfSSL_X509_PUBKEY_set(WOLFSSL_X509_PUBKEY **x, WOLFSSL_EVP_PKEY *key);
 WOLFSSL_API int i2t_ASN1_OBJECT(char *buf, int buf_len, WOLFSSL_ASN1_OBJECT *a);
 WOLFSSL_API int wolfSSL_i2a_ASN1_OBJECT(WOLFSSL_BIO *bp, WOLFSSL_ASN1_OBJECT *a);
 WOLFSSL_API int wolfSSL_i2d_ASN1_OBJECT(WOLFSSL_ASN1_OBJECT *a, unsigned char **pp);
 WOLFSSL_API void SSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx, WOLFSSL_DH *(*dh) (WOLFSSL *ssl, int is_export, int keylength));
 WOLFSSL_API WOLF_STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
 WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, const char *file, const char *dir);
@ -3815,8 +3896,6 @@ WOLFSSL_API int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *ctx, WOLFSSL_X509
 WOLFSSL_API int wolfSSL_sk_SSL_CIPHER_num(const WOLF_STACK_OF(WOLFSSL_CIPHER)* p);
 WOLFSSL_API int wolfSSL_sk_SSL_CIPHER_find(
        WOLF_STACK_OF(WOLFSSL_CIPHER)* sk, const WOLFSSL_CIPHER* toFind);
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_CIPHER)* wolfSSL_sk_SSL_CIPHER_dup(
        WOLF_STACK_OF(WOLFSSL_CIPHER)* in);
 WOLFSSL_API void wolfSSL_sk_SSL_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk);
 WOLFSSL_API int wolfSSL_sk_SSL_COMP_zero(WOLFSSL_STACK* st);
 WOLFSSL_API int wolfSSL_sk_SSL_COMP_num(WOLF_STACK_OF(WOLFSSL_COMP)* sk);
@ -3843,10 +3922,9 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PKCS8PrivateKey_bio(WOLFSSL_BIO* bio,
    WOLFSSL_EVP_PKEY** pkey, pem_password_cb* cb, void* u);
 WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_AutoPrivateKey(
    WOLFSSL_EVP_PKEY** pkey, const unsigned char** data, long length);
 WOLFSSL_API unsigned long  wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509);
-#endif /* OPENSSL_EXTRA */
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 #ifdef HAVE_PK_CALLBACKS
 WOLFSSL_API int wolfSSL_IsPrivatePkSet(WOLFSSL* ssl);
@ -3858,6 +3936,15 @@ WOLFSSL_API int wolfSSL_CTX_AllowEncryptThenMac(WOLFSSL_CTX *, int);
 WOLFSSL_API int wolfSSL_AllowEncryptThenMac(WOLFSSL *s, int);
 #endif
 /* This feature is used to set a fixed ephemeral key and is for testing only */
 /* Currently allows ECDHE and DHE only */
 #ifdef WOLFSSL_STATIC_EPHEMERAL
 WOLFSSL_API int wolfSSL_CTX_set_ephemeral_key(WOLFSSL_CTX* ctx, int keyAlgo,
    const char* key, unsigned int keySz, int format);
 WOLFSSL_API int wolfSSL_set_ephemeral_key(WOLFSSL* ssl, int keyAlgo,
    const char* key, unsigned int keySz, int format);
 #endif
 #ifdef __cplusplus
    }  /* extern "C" */
 #endif
--- a/source/libs/libwolfssl/test.h
+++ b/source/libs/libwolfssl/test.h
--- a/source/libs/libwolfssl/version.h
+++ b/source/libs/libwolfssl/version.h
@ -28,8 +28,8 @@
 extern "C" {
 #endif
-#define LIBWOLFSSL_VERSION_STRING "4.4.0"
+#define LIBWOLFSSL_VERSION_STRING "4.5.0"
-#define LIBWOLFSSL_VERSION_HEX 0x04004000
+#define LIBWOLFSSL_VERSION_HEX 0x04005000
 #ifdef __cplusplus
 }
--- a/source/libs/libwolfssl/wolfcrypt/aes.h
+++ b/source/libs/libwolfssl/wolfcrypt/aes.h
@ -22,8 +22,15 @@
 /*!
    \file wolfssl/wolfcrypt/aes.h
 */
 /*
 DESCRIPTION
 This library provides the interfaces to the Advanced Encryption Standard (AES)
 for encrypting and decrypting data. AES is the standard known for a symmetric
 block cipher mechanism that uses n-bit binary string parameter key with 128-bits,
 192-bits, and 256-bits of key sizes.
 */
 #ifndef WOLF_CRYPT_AES_H
 #define WOLF_CRYPT_AES_H
@ -55,14 +62,9 @@
    #include <libs/libwolfssl/wolfcrypt/port/st/stm32.h>
 #endif
-#ifdef WOLFSSL_AESNI
+#ifdef WOLFSSL_IMXRT_DCP
-
+    #include "fsl_dcp.h"
-#include <wmmintrin.h>
+#endif
 #include <emmintrin.h>
 #include <smmintrin.h>
 #endif /* WOLFSSL_AESNI */
 #ifdef WOLFSSL_XILINX_CRYPT
 #include "xsecure_aes.h"
@ -226,6 +228,9 @@ struct Aes {
 #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
    defined(WOLFSSL_RENESAS_TSIP_TLS_AES_CRYPT)
    TSIP_AES_CTX ctx;
 #endif
 #if defined(WOLFSSL_IMXRT_DCP)
    dcp_handle_t handle;
 #endif
    void*  heap; /* memory hint to use */
 };
--- a/source/libs/libwolfssl/wolfcrypt/asn.h
+++ b/source/libs/libwolfssl/wolfcrypt/asn.h
@ -23,6 +23,14 @@
    \file wolfssl/wolfcrypt/asn.h
 */
 /*
 DESCRIPTION
 This library provides the interface to Abstract Syntax Notation One (ASN.1) objects.
 ASN.1 is a standard interface description language for defining data structures
 that can be serialized and deserialized in a cross-platform way.
 */
 #ifndef WOLF_CRYPT_ASN_H
 #define WOLF_CRYPT_ASN_H
@ -233,6 +241,7 @@ enum
    NID_jurisdictionStateOrProvinceName = 0xd,
    NID_businessCategory = ASN_BUS_CAT,
    NID_domainComponent = ASN_DOMAIN_COMPONENT,
    NID_userId = 458,
    NID_emailAddress = 0x30,           /* emailAddress */
    NID_id_on_dnsSRV = 82,             /* 1.3.6.1.5.5.7.8.7 */
    NID_ms_upn = 265,                  /* 1.3.6.1.4.1.311.20.2.3 */
@ -341,7 +350,8 @@ enum Misc_ASN {
    #endif
                                   /* Max total extensions, id + len + others */
 #endif
-#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
+#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \
        defined(HAVE_PKCS7) || defined(OPENSSL_EXTRA_X509_SMALL)
    MAX_OID_SZ          = 32,      /* Max DER length of OID*/
    MAX_OID_STRING_SZ   = 64,      /* Max string length representation of OID*/
 #endif
@ -356,7 +366,6 @@ enum Misc_ASN {
    MAX_CERTPOL_SZ      = CTC_MAX_CERTPOL_SZ,
 #endif
    MAX_AIA_SZ          = 2,       /* Max Authority Info Access extension size*/
    MAX_NAME_ENTRIES    = 5,       /* extra entries added to x509 name struct */
    OCSP_NONCE_EXT_SZ   = 35,      /* OCSP Nonce Extension size */
    MAX_OCSP_EXT_SZ     = 58,      /* Max OCSP Extension length */
    MAX_OCSP_NONCE_SZ   = 16,      /* OCSP Nonce size           */
@ -371,6 +380,8 @@ enum Misc_ASN {
    TRAILING_ZERO       = 1,       /* Used for size of zero pad */
    ASN_TAG_SZ          = 1,       /* single byte ASN.1 tag */
    MIN_VERSION_SZ      = 3,       /* Min bytes needed for GetMyVersion */
    MAX_X509_VERSION    = 3,       /* Max X509 version allowed */
    MIN_X509_VERSION    = 0,       /* Min X509 version allowed */
 #if defined(OPENSSL_ALL)  || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
    defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
    defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
@ -383,6 +394,12 @@ enum Misc_ASN {
    PEM_LINE_LEN       = PEM_LINE_SZ + 12, /* PEM line max + fudge */
 };
 #ifndef WC_MAX_NAME_ENTRIES
    /* entries added to x509 name struct */
    #define WC_MAX_NAME_ENTRIES 13
 #endif
 #define MAX_NAME_ENTRIES WC_MAX_NAME_ENTRIES
 enum Oid_Types {
    oidHashType         = 0,
@ -521,7 +538,9 @@ enum Extensions_Sum {
    POLICY_CONST_OID          = 150,
    ISSUE_ALT_NAMES_OID       = 132,
    TLS_FEATURE_OID           = 92,  /* id-pe 24 */
-    NETSCAPE_CT_OID           = 753  /* 2.16.840.1.113730.1.1 */
+    NETSCAPE_CT_OID           = 753, /* 2.16.840.1.113730.1.1 */
    OCSP_NOCHECK_OID          = 121  /* 1.3.6.1.5.5.7.48.1.5
                                         id-pkix-ocsp-nocheck */
 };
 enum CertificatePolicy_Sum {
@ -609,64 +628,6 @@ struct Base_entry {
    byte        type;   /* Name base type (DNS or RFC822) */
 };
 #define DOMAIN_COMPONENT_MAX 10
 #define DN_NAMES_MAX 9
 struct DecodedName {
    char*   fullName;
    int     fullNameLen;
    int     entryCount;
    int     cnIdx;
    int     cnLen;
    int     cnNid;
    int     snIdx;
    int     snLen;
    int     snNid;
    int     cIdx;
    int     cLen;
    int     cNid;
    int     lIdx;
    int     lLen;
    int     lNid;
    int     stIdx;
    int     stLen;
    int     stNid;
    int     oIdx;
    int     oLen;
    int     oNid;
    int     ouIdx;
    int     ouLen;
 #ifdef WOLFSSL_CERT_EXT
    int     bcIdx;
    int     bcLen;
    int     jcIdx;
    int     jcLen;
    int     jsIdx;
    int     jsLen;
 #endif
    int     ouNid;
    int     emailIdx;
    int     emailLen;
    int     emailNid;
    int     uidIdx;
    int     uidLen;
    int     uidNid;
    int     serialIdx;
    int     serialLen;
    int     serialNid;
    int     dcIdx[DOMAIN_COMPONENT_MAX];
    int     dcLen[DOMAIN_COMPONENT_MAX];
    int     dcNum;
    int     dcMode;
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
    /* hold the location / order with which each of the DN tags was found
     *
     * example of ASN_DOMAIN_COMPONENT at index 0 if first found and so on.
     */
    int     loc[DOMAIN_COMPONENT_MAX + DN_NAMES_MAX];
    int     locSz;
 #endif
 };
 enum SignatureState {
    SIG_STATE_BEGIN,
@ -784,7 +745,6 @@ struct CertSignCtx {
 #endif
 typedef struct DecodedCert DecodedCert;
 typedef struct DecodedName DecodedName;
 typedef struct Signer      Signer;
 #ifdef WOLFSSL_TRUST_PEER_CERT
 typedef struct TrustedPeerCert TrustedPeerCert;
@ -911,8 +871,9 @@ struct DecodedCert {
    int     subjectEmailLen;
 #endif /* WOLFSSL_CERT_GEN */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-    DecodedName issuerName;
+    /* WOLFSSL_X509_NAME structures (used void* to avoid including ssl.h) */
-    DecodedName subjectName;
+    void* issuerName;
    void* subjectName;
 #endif /* OPENSSL_EXTRA */
 #ifdef WOLFSSL_SEP
    int     deviceTypeSz;
@ -950,6 +911,9 @@ struct DecodedCert {
    byte weOwnAltNames : 1;        /* altNames haven't been given to copy */
    byte extKeyUsageSet : 1;
    byte extExtKeyUsageSet : 1;    /* Extended Key Usage set */
 #ifdef HAVE_OCSP
    byte ocspNoCheckSet : 1;       /* id-pkix-ocsp-nocheck set */
 #endif
    byte extCRLdistSet : 1;
    byte extAuthInfoSet : 1;
    byte extBasicConstSet : 1;
@ -1052,6 +1016,7 @@ struct TrustedPeerCert {
 #endif
 WOLFSSL_LOCAL int CalcHashId(const byte* data, word32 len, byte* hash);
 WOLFSSL_LOCAL int GetName(DecodedCert* cert, int nameType, int maxIdx);
 WOLFSSL_ASN_API int wc_BerToDer(const byte* ber, word32 berSz, byte* der,
                                word32* derSz);
@ -1118,12 +1083,14 @@ WOLFSSL_LOCAL int GetAsnTimeString(void* currTime, byte* buf, word32 len);
 WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format,
                                                 wolfssl_tm* certTime, int* idx);
 WOLFSSL_LOCAL int DateGreaterThan(const struct tm* a, const struct tm* b);
-WOLFSSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);
+WOLFSSL_LOCAL int wc_ValidateDate(const byte* date, byte format, int dateType);
 WOLFSSL_LOCAL int wc_OBJ_sn2nid(const char *sn);
 /* ASN.1 helper functions */
 #ifdef WOLFSSL_CERT_GEN
 WOLFSSL_ASN_API int SetName(byte* output, word32 outputSz, CertName* name);
 WOLFSSL_LOCAL const char* GetOneCertName(CertName* name, int idx);
 WOLFSSL_LOCAL byte GetCertNameId(int idx);
 #endif
 WOLFSSL_LOCAL int GetShortInt(const byte* input, word32* inOutIdx, int* number,
                              word32 maxIdx);
--- a/source/libs/libwolfssl/wolfcrypt/asn_public.h
+++ b/source/libs/libwolfssl/wolfcrypt/asn_public.h
@ -23,6 +23,11 @@
    \file wolfssl/wolfcrypt/asn_public.h
 */
 /*
 DESCRIPTION
 This library defines the interface APIs for X509 certificates.
 */
 #ifndef WOLF_CRYPT_ASN_PUBLIC_H
 #define WOLF_CRYPT_ASN_PUBLIC_H
@ -325,6 +330,8 @@ typedef struct Cert {
 #endif
    char    certPolicies[CTC_MAX_CERTPOL_NB][CTC_MAX_CERTPOL_SZ];
    word16  certPoliciesNb;              /* Number of Cert Policy */
 #endif
 #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA)
    byte     issRaw[sizeof(CertName)];   /* raw issuer info */
    byte     sbjRaw[sizeof(CertName)];   /* raw subject info */
 #endif
--- a/source/libs/libwolfssl/wolfcrypt/blake2-int.h
+++ b/source/libs/libwolfssl/wolfcrypt/blake2-int.h
@ -39,16 +39,6 @@
 #include <libs/libwolfssl/wolfcrypt/types.h>
 #if defined(_MSC_VER)
    #define ALIGN(x) __declspec(align(x))
 #elif defined(__IAR_SYSTEMS_ICC__) || defined(__GNUC__)
    #define ALIGN(x) __attribute__((aligned(x)))
 #else
    #define ALIGN(x)
 #endif
 #if defined(__cplusplus)
    extern "C" {
 #endif
@ -87,7 +77,7 @@
    byte  personal[BLAKE2S_PERSONALBYTES];  /* 32 */
  } blake2s_param;
-  ALIGN( 32 ) typedef struct __blake2s_state
+  ALIGN32 typedef struct __blake2s_state
  {
    word32 h[8];
    word32 t[2];
@ -112,7 +102,7 @@
    byte  personal[BLAKE2B_PERSONALBYTES];  /* 64 */
  } blake2b_param;
-  ALIGN( 64 ) typedef struct __blake2b_state
+  ALIGN64 typedef struct __blake2b_state
  {
    word64 h[8];
    word64 t[2];
--- a/source/libs/libwolfssl/wolfcrypt/blake2.h
+++ b/source/libs/libwolfssl/wolfcrypt/blake2.h
@ -76,12 +76,14 @@ typedef struct Blake2s {
 #ifdef HAVE_BLAKE2B
 WOLFSSL_API int wc_InitBlake2b(Blake2b*, word32);
 WOLFSSL_API int wc_InitBlake2b_WithKey(Blake2b*, word32, const byte *, word32);
 WOLFSSL_API int wc_Blake2bUpdate(Blake2b*, const byte*, word32);
 WOLFSSL_API int wc_Blake2bFinal(Blake2b*, byte*, word32);
 #endif
 #ifdef HAVE_BLAKE2S
 WOLFSSL_API int wc_InitBlake2s(Blake2s*, word32);
 WOLFSSL_API int wc_InitBlake2s_WithKey(Blake2s*, word32, const byte *, word32);
 WOLFSSL_API int wc_Blake2sUpdate(Blake2s*, const byte*, word32);
 WOLFSSL_API int wc_Blake2sFinal(Blake2s*, byte*, word32);
 #endif
--- a/source/libs/libwolfssl/wolfcrypt/chacha.h
+++ b/source/libs/libwolfssl/wolfcrypt/chacha.h
@ -18,7 +18,12 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 /*
 DESCRIPTION
 This library contains implementation for the ChaCha20 stream cipher.
 */
 /*!
    \file wolfssl/wolfcrypt/chacha.h
 */
@ -35,9 +40,21 @@
    extern "C" {
 #endif
 /*
 Initialization vector starts at 13 with zero being the index origin of a matrix.
 Block counter is located at index 12.
  0   1   2   3
  4   5   6   7
  8   9   10  11
  12  13  14  15
 */
 #define CHACHA_MATRIX_CNT_IV 12
 /* Size of the IV */
 #define CHACHA_IV_WORDS    3
-#define CHACHA_IV_BYTES    (CHACHA_IV_WORDS * sizeof(word32))
+
 /* Size of IV in bytes*/
 #define CHACHA_IV_BYTES 12
 /* Size of ChaCha chunks */
 #define CHACHA_CHUNK_WORDS 16
@ -57,10 +74,13 @@ enum {
 typedef struct ChaCha {
    word32 X[CHACHA_CHUNK_WORDS];           /* state of cipher */
    word32 left;                            /* number of bytes leftover */
 #ifdef HAVE_INTEL_AVX1
    /* vpshufd reads 16 bytes but we only use bottom 4. */
    byte extra[12];
 #endif
    word32 left;                            /* number of bytes leftover */
 #if defined(USE_INTEL_CHACHA_SPEEDUP) || defined(WOLFSSL_ARMASM)
    word32 over[CHACHA_CHUNK_WORDS];
 #endif
 } ChaCha;
--- a/source/libs/libwolfssl/wolfcrypt/chacha20_poly1305.h
+++ b/source/libs/libwolfssl/wolfcrypt/chacha20_poly1305.h
@ -18,12 +18,14 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 /*
 DESCRIPTION
 This library contains implementation for the ChaCha20 stream cipher and
 the Poly1305 authenticator, both as as combined-mode,
 or Authenticated Encryption with Additional Data (AEAD) algorithm.
-/* This implementation of the ChaCha20-Poly1305 AEAD is based on "ChaCha20
+*/
 * and Poly1305 for IETF protocols" (draft-irtf-cfrg-chacha20-poly1305-10):
 * https://tools.ietf.org/html/draft-irtf-cfrg-chacha20-poly1305-10
 */
 /*!
    \file wolfssl/wolfcrypt/chacha20_poly1305.h
@ -45,6 +47,7 @@
 #define CHACHA20_POLY1305_AEAD_KEYSIZE      32
 #define CHACHA20_POLY1305_AEAD_IV_SIZE      12
 #define CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE 16
 #define CHACHA20_POLY1305_MAX               4294967295U
 enum {
    CHACHA20_POLY_1305_ENC_TYPE = 8,    /* cipher unique type */
--- a/source/libs/libwolfssl/wolfcrypt/cpuid.h
+++ b/source/libs/libwolfssl/wolfcrypt/cpuid.h
@ -54,6 +54,11 @@
    void cpuid_set_flags(void);
    word32 cpuid_get_flags(void);
    /* Public APIs to modify flags. */
    WOLFSSL_API void cpuid_select_flags(word32 flags);
    WOLFSSL_API void cpuid_set_flag(word32 flag);
    WOLFSSL_API void cpuid_clear_flag(word32 flag);
 #endif
 #ifdef __cplusplus
--- a/source/libs/libwolfssl/wolfcrypt/cryptocb.h
+++ b/source/libs/libwolfssl/wolfcrypt/cryptocb.h
@ -6,7 +6,7 @@
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
+ * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
--- a/source/libs/libwolfssl/wolfcrypt/curve25519.h
+++ b/source/libs/libwolfssl/wolfcrypt/curve25519.h
@ -86,6 +86,18 @@ enum {
    EC25519_BIG_ENDIAN=1
 };
 WOLFSSL_API
 int wc_curve25519_make_pub(int public_size, byte* pub, int private_size,
                           const byte* priv);
 WOLFSSL_API
 int wc_curve25519_generic(int public_size, byte* pub,
                          int private_size, const byte* priv,
                          int basepoint_size, const byte* basepoint);
 WOLFSSL_API
 int wc_curve25519_make_priv(WC_RNG* rng, int keysize, byte* priv);
 WOLFSSL_API
 int wc_curve25519_make_key(WC_RNG* rng, int keysize, curve25519_key* key);
--- a/source/libs/libwolfssl/wolfcrypt/dh.h
+++ b/source/libs/libwolfssl/wolfcrypt/dh.h
@ -45,11 +45,19 @@
 #ifdef WOLFSSL_ASYNC_CRYPT
    #include <libs/libwolfssl/wolfcrypt/async.h>
 #endif
 /* Optional support extended DH public / private keys */
 #if !defined(WOLFSSL_DH_EXTRA) && (defined(WOLFSSL_QT) || \
        defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH) || \
        defined(WOLFSSL_STATIC_EPHEMERAL))
    #define WOLFSSL_DH_EXTRA
 #endif
 typedef struct DhParams {
-    #ifdef HAVE_FFDHE_Q
+#ifdef HAVE_FFDHE_Q
    const byte* q;
    word32      q_len;
-    #endif /* HAVE_FFDHE_Q */
+#endif /* HAVE_FFDHE_Q */
    const byte* p;
    word32      p_len;
    const byte* g;
@ -58,8 +66,8 @@ typedef struct DhParams {
 /* Diffie-Hellman Key */
 struct DhKey {
-    mp_int p, g, q;                         /* group parameters  */
+    mp_int p, g, q; /* group parameters */
-#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH)
+#ifdef WOLFSSL_DH_EXTRA
    mp_int pub;
    mp_int priv;
 #endif
@ -101,15 +109,20 @@ WOLFSSL_API int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz,
                       word32 pubSz);
 WOLFSSL_API int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key,
-                           word32);
+                           word32); /* wc_DhKeyDecode is in asn.c */
 WOLFSSL_API int wc_DhSetKey(DhKey* key, const byte* p, word32 pSz, const byte* g,
                        word32 gSz);
 WOLFSSL_API int wc_DhSetKey_ex(DhKey* key, const byte* p, word32 pSz,
                        const byte* g, word32 gSz, const byte* q, word32 qSz);
-#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
+
-WOLFSSL_LOCAL int wc_DhSetFullKeys(DhKey* key,const byte* priv_key,word32 privSz,
+#ifdef WOLFSSL_DH_EXTRA
-                                   const byte* pub_key, word32 pubSz);
+WOLFSSL_API int wc_DhImportKeyPair(DhKey* key, const byte* priv, word32 privSz,
-#endif
+                                   const byte* pub, word32 pubSz);
 WOLFSSL_API int wc_DhExportKeyPair(DhKey* key, byte* priv, word32* pPrivSz, 
                                   byte* pub, word32* pPubSz);
 #endif /* WOLFSSL_DH_EXTRA */
 WOLFSSL_API int wc_DhSetCheckKey(DhKey* key, const byte* p, word32 pSz,
                        const byte* g, word32 gSz, const byte* q, word32 qSz,
                        int trusted, WC_RNG* rng);
@ -136,4 +149,3 @@ WOLFSSL_API int wc_DhExportParamsRaw(DhKey* dh, byte* p, word32* pSz,
 #endif /* NO_DH */
 #endif /* WOLF_CRYPT_DH_H */
--- a/source/libs/libwolfssl/wolfcrypt/ecc.h
+++ b/source/libs/libwolfssl/wolfcrypt/ecc.h
@ -50,7 +50,7 @@
    #endif
 #endif
-#ifdef WOLFSSL_ATECC508A
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
    #include <libs/libwolfssl/wolfcrypt/port/atmel/atmel.h>
 #endif /* WOLFSSL_ATECC508A */
@ -58,6 +58,11 @@
    #include <libs/libwolfssl/wolfcrypt/port/arm/cryptoCell.h>
 #endif
 #ifdef WOLFSSL_HAVE_SP_ECC
    #include <libs/libwolfssl/wolfcrypt/sp_int.h>
 #endif
 #ifdef __cplusplus
    extern "C" {
 #endif
@ -127,7 +132,7 @@ enum {
    ECC_MAX_SIG_SIZE= ((MAX_ECC_BYTES * 2) + ECC_MAX_PAD_SZ + SIG_HEADER_SZ),
    /* max crypto hardware size */
-#ifdef WOLFSSL_ATECC508A
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
    ECC_MAX_CRYPTO_HW_SIZE = ATECC_KEY_SIZE, /* from port/atmel/atmel.h */
    ECC_MAX_CRYPTO_HW_PUBKEY_SIZE = (ATECC_KEY_SIZE*2),
 #elif defined(PLUTON_CRYPTO_ECC)
@ -278,14 +283,15 @@ typedef struct ecc_set_type {
 * mp_ints for the components of the point. With ALT_ECC_SIZE, the components
 * of the point are pointers that are set to each of a three item array of
 * alt_fp_ints. While an mp_int will have 4096 bits of digit inside the
- * structure, the alt_fp_int will only have 528 bits. A size value was added
+ * structure, the alt_fp_int will only have 512 bits for ECC 256-bit and 
- * in the ALT case, as well, and is set by mp_init() and alt_fp_init(). The
+ * 1056-bits for ECC 521-bit. A size value was added in the ALT case, as well, 
- * functions fp_zero() and fp_copy() use the size parameter. An int needs to
+ * and is set by mp_init() and alt_fp_init(). The functions fp_zero() and 
- * be initialized before using it instead of just fp_zeroing it, the init will
+ * fp_copy() use the size parameter. An int needs to be initialized before 
- * call zero. FP_MAX_BITS_ECC defaults to 528, but can be set to change the
+ * using it instead of just fp_zeroing it, the init will call zero. The 
- * number of bits used in the alternate FP_INT.
+ * FP_MAX_BITS_ECC defaults to calculating based on MAX_ECC_BITS, but 
 * can be set to change the number of bits used in the alternate FP_INT.
 *
- * Do not enable ALT_ECC_SIZE and disable fast math in the configuration.
+ * The ALT_ECC_SIZE option only applies to stack based fast math USE_FAST_MATH.
 */
 #ifndef USE_FAST_MATH
@ -294,19 +300,18 @@ typedef struct ecc_set_type {
 /* determine max bits required for ECC math */
 #ifndef FP_MAX_BITS_ECC
-    /* check alignment */
+    /* max bits rounded up by 8 then doubled */
-    #if ((MAX_ECC_BITS * 2) % DIGIT_BIT) == 0
+    /* (ROUND8(MAX_ECC_BITS) * 2) */
-        /* max bits is double */
+    #define FP_MAX_BITS_ECC (2 * \
-        #define FP_MAX_BITS_ECC     (MAX_ECC_BITS * 2)
+        ((MAX_ECC_BITS + DIGIT_BIT - 1) / DIGIT_BIT) * DIGIT_BIT)
-    #else
+
-        /* max bits is doubled, plus one digit of fudge */
+    /* Note: For ECC verify only FP_MAX_BITS_ECC can be reduced to:
-        #define FP_MAX_BITS_ECC     ((MAX_ECC_BITS * 2) + DIGIT_BIT)
+             ROUND8(MAX_ECC_BITS) + ROUND8(DIGIT_BIT) */
-    #endif
+#endif
-#else
+
-    /* verify alignment */
+/* verify alignment */
-    #if FP_MAX_BITS_ECC % CHAR_BIT
+#if FP_MAX_BITS_ECC % CHAR_BIT
-       #error FP_MAX_BITS_ECC must be a multiple of CHAR_BIT
+    #error FP_MAX_BITS_ECC must be a multiple of CHAR_BIT
    #endif
 #endif
 /* determine buffer size */
@ -347,12 +352,26 @@ typedef struct {
 /* ECC Flags */
 enum {
-    WC_ECC_FLAG_NONE = 0x00,
+    WC_ECC_FLAG_NONE     = 0x00,
 #ifdef HAVE_ECC_CDH
    WC_ECC_FLAG_COFACTOR = 0x01,
 #endif
    WC_ECC_FLAG_DEC_SIGN = 0x02,
 };
 /* ECC non-blocking */
 #ifdef WC_ECC_NONBLOCK
    typedef struct ecc_nb_ctx {
    #if defined(WOLFSSL_HAVE_SP_ECC) && defined(WOLFSSL_SP_NONBLOCK)
        sp_ecc_ctx_t sp_ctx;
    #else
        /* build configuration not supported */
        #error ECC non-blocking only supports SP (--enable-sp=nonblock)
    #endif
    } ecc_nb_ctx_t;
 #endif /* WC_ECC_NONBLOCK */
 /* An ECC Key */
 struct ecc_key {
    int type;           /* Public or Private */
@ -369,7 +388,7 @@ struct ecc_key {
    void* heap;         /* heap hint */
    ecc_point pubkey;   /* public key */
    mp_int    k;        /* private key */
-#ifdef WOLFSSL_ATECC508A
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
    int  slot;        /* Key Slot Number (-1 unknown) */
    byte pubkey_raw[ECC_MAX_CRYPTO_HW_PUBKEY_SIZE];
 #endif
@ -413,6 +432,12 @@ struct ecc_key {
 #ifdef WOLFSSL_DSP
    remote_handle64 handle;
 #endif
 #ifdef ECC_TIMING_RESISTANT
    WC_RNG* rng;
 #endif
 #ifdef WC_ECC_NONBLOCK
    ecc_nb_ctx_t* nb_ctx;
 #endif
 };
@ -427,7 +452,7 @@ extern const size_t ecc_sets_count;
 WOLFSSL_API
 const char* wc_ecc_get_name(int curve_id);
-#ifndef WOLFSSL_ATECC508A
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
 #ifdef WOLFSSL_PUBLIC_ECC_ADD_DBL
    #define ECC_API    WOLFSSL_API
@ -446,6 +471,10 @@ ECC_API int ecc_projective_add_point(ecc_point* P, ecc_point* Q, ecc_point* R,
 ECC_API int ecc_projective_dbl_point(ecc_point* P, ecc_point* R, mp_int* a,
                                     mp_int* modulus, mp_digit mp);
 WOLFSSL_LOCAL
 int ecc_projective_add_point_safe(ecc_point* A, ecc_point* B, ecc_point* R,
    mp_int* a, mp_int* modulus, mp_digit mp, int* infinity);
 #endif
 WOLFSSL_API
@ -453,8 +482,13 @@ int wc_ecc_make_key(WC_RNG* rng, int keysize, ecc_key* key);
 WOLFSSL_ABI WOLFSSL_API
 int wc_ecc_make_key_ex(WC_RNG* rng, int keysize, ecc_key* key, int curve_id);
 WOLFSSL_API
 int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id,
                        int flags);
 WOLFSSL_API
 int wc_ecc_make_pub(ecc_key* key, ecc_point* pubOut);
 WOLFSSL_API
 int wc_ecc_make_pub_ex(ecc_key* key, ecc_point* pubOut, WC_RNG* rng);
 WOLFSSL_API
 int wc_ecc_check_key(ecc_key* key);
 WOLFSSL_API
 int wc_ecc_is_point(ecc_point* ecp, mp_int* a, mp_int* b, mp_int* prime);
@ -472,7 +506,8 @@ WOLFSSL_API
 int wc_ecc_shared_secret_ex(ecc_key* private_key, ecc_point* point,
                             byte* out, word32 *outlen);
-#if defined(WOLFSSL_ATECC508A) || defined(PLUTON_CRYPTO_ECC) || defined(WOLFSSL_CRYPTOCELL)
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
    defined(PLUTON_CRYPTO_ECC) || defined(WOLFSSL_CRYPTOCELL)
 #define wc_ecc_shared_secret_ssh wc_ecc_shared_secret
 #else
 #define wc_ecc_shared_secret_ssh wc_ecc_shared_secret_ex /* For backwards compat */
@ -521,6 +556,12 @@ WOLFSSL_API
 int wc_ecc_set_flags(ecc_key* key, word32 flags);
 WOLFSSL_API
 void wc_ecc_fp_free(void);
 WOLFSSL_LOCAL
 void wc_ecc_fp_init(void);
 #ifdef ECC_TIMING_RESISTANT
 WOLFSSL_API
 int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
 #endif
 WOLFSSL_API
 int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);
@ -568,14 +609,20 @@ WOLFSSL_API
 int wc_ecc_cmp_point(ecc_point* a, ecc_point *b);
 WOLFSSL_API
 int wc_ecc_point_is_at_infinity(ecc_point *p);
 WOLFSSL_API
 int wc_ecc_point_is_on_curve(ecc_point *p, int curve_idx);
-#ifndef WOLFSSL_ATECC508A
+#if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
 WOLFSSL_API
 int wc_ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R,
                  mp_int* a, mp_int* modulus, int map);
 WOLFSSL_LOCAL
 int wc_ecc_mulmod_ex(mp_int* k, ecc_point *G, ecc_point *R,
                  mp_int* a, mp_int* modulus, int map, void* heap);
 WOLFSSL_LOCAL
 int wc_ecc_mulmod_ex2(mp_int* k, ecc_point *G, ecc_point *R, mp_int* a,
                      mp_int* modulus, mp_int* order, WC_RNG* rng, int map,
                      void* heap);
 #endif /* !WOLFSSL_ATECC508A */
@ -754,6 +801,10 @@ int sp_dsp_ecc_verify_256(remote_handle64 handle, const byte* hash, word32 hashL
    mp_int* pY, mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap);
 #endif
 #ifdef WC_ECC_NONBLOCK
    WOLFSSL_API int wc_ecc_set_nonblock(ecc_key *key, ecc_nb_ctx_t* ctx);
 #endif
 #ifdef __cplusplus
    }    /* extern "C" */
 #endif
--- a/source/libs/libwolfssl/wolfcrypt/error-crypt.h
+++ b/source/libs/libwolfssl/wolfcrypt/error-crypt.h
@ -22,6 +22,11 @@
 /*!
    \file wolfssl/wolfcrypt/error-crypt.h
 */
 /*
 DESCRIPTION
 This library defines error codes and contians routines for setting and examining
 the error status.
 */
 #ifndef WOLF_CRYPT_ERROR_H
 #define WOLF_CRYPT_ERROR_H
@ -227,10 +232,10 @@ enum {
    CRYPTOCB_UNAVAILABLE= -271,  /* Crypto callback unavailable */
    PKCS7_SIGNEEDS_CHECK= -272,  /* signature needs verified by caller */
    PSS_SALTLEN_RECOVER_E=-273,  /* PSS slat length not recoverable */
    CHACHA_POLY_OVERFLOW =-274,  /* ChaCha20Poly1305 limit overflow */
    ASN_SELF_SIGNED_E   = -275,  /* ASN self-signed certificate error */
-    ASN_SELF_SIGNED_E   = -274, /* ASN self-signed certificate error */
+    WC_LAST_E           = -275,  /* Update this to indicate last error */
    WC_LAST_E           = -274,  /* Update this to indicate last error */
    MIN_CODE_E          = -300   /* errors -101 - -299 */
    /* add new companion error id strings for any new error codes
--- a/source/libs/libwolfssl/wolfcrypt/fe_448.h
+++ b/source/libs/libwolfssl/wolfcrypt/fe_448.h
@ -27,7 +27,9 @@
 #if defined(HAVE_CURVE448) || defined(HAVE_ED448)
 #ifndef WOLFSSL_LINUXKM
 #include <stdint.h>
 #endif
 #include <libs/libwolfssl/wolfcrypt/types.h>
@ -40,7 +42,7 @@
 #endif
 /* default to be faster but take more memory */
-#if !defined(CURVE448_SMALL) || !defined(ED448_SMALL)
+#if !defined(CURVE448_SMALL) && !defined(ED448_SMALL)
 #if defined(CURVED448_128BIT)
    typedef int64_t fe448;
--- a/source/libs/libwolfssl/wolfcrypt/fe_operations.h
+++ b/source/libs/libwolfssl/wolfcrypt/fe_operations.h
@ -28,8 +28,10 @@
 #if defined(HAVE_CURVE25519) || defined(HAVE_ED25519)
 #if !defined(CURVE25519_SMALL) || !defined(ED25519_SMALL)
 #ifndef WOLFSSL_LINUXKM
    #include <stdint.h>
 #endif
 #endif
 #include <libs/libwolfssl/wolfcrypt/types.h>
@ -79,7 +81,7 @@ Bounds on each t[i] vary depending on context.
 #if !defined(FREESCALE_LTC_ECC)
 WOLFSSL_LOCAL void fe_init(void);
-WOLFSSL_LOCAL int  curve25519(byte * q, byte * n, byte * p);
+WOLFSSL_LOCAL int  curve25519(byte * q, const byte * n, const byte * p);
 #endif
 /* default to be faster but take more memory */
--- a/source/libs/libwolfssl/wolfcrypt/hmac.h
+++ b/source/libs/libwolfssl/wolfcrypt/hmac.h
@ -131,11 +131,11 @@ typedef union {
 #ifdef WOLFSSL_SHA3
    wc_Sha3 sha3;
 #endif
-} Hash;
+} wc_Hmac_Hash;
 /* Hmac digest */
 struct Hmac {
-    Hash    hash;
+    wc_Hmac_Hash    hash;
    word32  ipad[WC_HMAC_BLOCK_SIZE  / sizeof(word32)];  /* same block size all*/
    word32  opad[WC_HMAC_BLOCK_SIZE  / sizeof(word32)];
    word32  innerHash[WC_MAX_DIGEST_SIZE / sizeof(word32)];
--- a/source/libs/libwolfssl/wolfcrypt/integer.h
+++ b/source/libs/libwolfssl/wolfcrypt/integer.h
@ -42,7 +42,11 @@
 #include <libs/libwolfssl/wolfcrypt/random.h>
 #ifndef CHAR_BIT
-    #include <limits.h>
+    #if defined(WOLFSSL_LINUXKM)
        #include <linux/limits.h>
    #else
        #include <limits.h>
    #endif
 #endif
 #include <libs/libwolfssl/wolfcrypt/mpi_class.h>
@ -301,6 +305,7 @@ MP_API int  mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d);
 MP_API void mp_zero (mp_int * a);
 MP_API void mp_clamp (mp_int * a);
 MP_API void mp_exch (mp_int * a, mp_int * b);
 MP_API int  mp_cond_swap_ct (mp_int * a, mp_int * b, int c, int m);
 MP_API void mp_rshd (mp_int * a, int b);
 MP_API void mp_rshb (mp_int * a, int b);
 MP_API int  mp_mod_2d (mp_int * a, int b, mp_int * c);
@ -318,6 +323,7 @@ MP_API int  mp_is_bit_set (mp_int * a, mp_digit b);
 MP_API int  mp_mod (mp_int * a, mp_int * b, mp_int * c);
 MP_API int  mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d);
 MP_API int  mp_div_2(mp_int * a, mp_int * b);
 MP_API int  mp_div_2_mod_ct (mp_int* a, mp_int* b, mp_int* c);
 MP_API int  mp_add (mp_int * a, mp_int * b, mp_int * c);
 int  s_mp_add (mp_int * a, mp_int * b, mp_int * c);
 int  s_mp_sub (mp_int * a, mp_int * b, mp_int * c);
@ -332,6 +338,7 @@ MP_API int  mp_exptmod_base_2 (mp_int * X, mp_int * P, mp_int * Y);
 MP_API int  mp_montgomery_setup (mp_int * n, mp_digit * rho);
 int  fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho);
 MP_API int  mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho);
 #define mp_montgomery_reduce_ex(x, n, rho, ct) mp_montgomery_reduce (x, n, rho)
 MP_API void mp_dr_setup(mp_int *a, mp_digit *d);
 MP_API int  mp_dr_reduce (mp_int * x, mp_int * n, mp_digit k);
 MP_API int  mp_reduce_2k(mp_int *a, mp_int *n, mp_digit d);
@ -355,6 +362,8 @@ MP_API int  mp_sqr (mp_int * a, mp_int * b);
 MP_API int  mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d);
 MP_API int  mp_submod (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_addmod (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_submod_ct (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_addmod_ct (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_mul_d (mp_int * a, mp_digit b, mp_int * c);
 MP_API int  mp_2expt (mp_int * a, int b);
 MP_API int  mp_set_bit (mp_int * a, int b);
--- a/source/libs/libwolfssl/wolfcrypt/memory.h
+++ b/source/libs/libwolfssl/wolfcrypt/memory.h
@ -29,7 +29,7 @@
 #ifndef WOLFSSL_MEMORY_H
 #define WOLFSSL_MEMORY_H
-#ifndef STRING_USER
+#if !defined(STRING_USER) && !defined(WOLFSSL_LINUXKM)
 #include <stdlib.h>
 #endif
 #include <libs/libwolfssl/wolfcrypt/types.h>
@ -110,7 +110,11 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb*,
        #elif defined (OPENSSL_EXTRA)
            /* extra storage in structs for multiple attributes and order */
            #ifndef LARGEST_MEM_BUCKET
-                #define LARGEST_MEM_BUCKET 25600
+                #ifdef WOLFSSL_TLS13
                    #define LARGEST_MEM_BUCKET 30400
                #else
                    #define LARGEST_MEM_BUCKET 25600
                #endif
            #endif
            #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3360,4480,\
                                    LARGEST_MEM_BUCKET
--- a/source/libs/libwolfssl/wolfcrypt/misc.h
+++ b/source/libs/libwolfssl/wolfcrypt/misc.h
@ -18,9 +18,13 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 /*
 DESCRIPTION
 This module implements the arithmetic-shift right, left, byte swapping, XOR,
 masking and clearing memory logic.
-
+*/
 #ifndef WOLF_CRYPT_MISC_H
 #define WOLF_CRYPT_MISC_H
--- a/source/libs/libwolfssl/wolfcrypt/pkcs11.h
+++ b/source/libs/libwolfssl/wolfcrypt/pkcs11.h
@ -6,7 +6,7 @@
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
+ * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
--- a/source/libs/libwolfssl/wolfcrypt/pkcs7.h
+++ b/source/libs/libwolfssl/wolfcrypt/pkcs7.h
@ -154,8 +154,9 @@ enum Pkcs7_Misc {
                            MAX_SEQ_SZ + ASN_NAME_MAX + MAX_SN_SZ +
                            MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ,
 #if (defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && \
-     (HAVE_FIPS_VERSION >= 2)) || defined(HAVE_SELFTEST)
+     (HAVE_FIPS_VERSION >= 2)) || (defined(HAVE_SELFTEST) && \
-    /* In the event of fips cert 3389 or CAVP selftest build, these enums are
+     (!defined(HAVE_SELFTEST_VERSION) || HAVE_SELFTEST_VERSION < 2))
    /* In the event of fips cert 3389 or CAVP selftest v1 build, these enums are
     * not in aes.h for use with pkcs7 so enumerate it here outside the fips
     * boundary */
    GCM_NONCE_MID_SZ = 12, /* The usual default nonce size for AES-GCM. */
--- a/source/libs/libwolfssl/wolfcrypt/poly1305.h
+++ b/source/libs/libwolfssl/wolfcrypt/poly1305.h
@ -119,9 +119,12 @@ WOLFSSL_API int wc_Poly1305_EncodeSizes(Poly1305* ctx, word32 aadSz, word32 data
 WOLFSSL_API int wc_Poly1305_MAC(Poly1305* ctx, byte* additional, word32 addSz,
                               byte* input, word32 sz, byte* tag, word32 tagSz);
-void poly1305_block(Poly1305* ctx, const unsigned char *m);
+#if defined(__aarch64__ ) && defined(WOLFSSL_ARMASM)
 void poly1305_blocks(Poly1305* ctx, const unsigned char *m,
                            size_t bytes);
 void poly1305_block(Poly1305* ctx, const unsigned char *m);
 #endif
 #ifdef __cplusplus
    } /* extern "C" */
 #endif
--- a/source/libs/libwolfssl/wolfcrypt/port/Espressif/esp32-crypt.h
+++ b/source/libs/libwolfssl/wolfcrypt/port/Espressif/esp32-crypt.h
@ -39,7 +39,7 @@
 #include "soc/hwcrypto_reg.h"
 #include "soc/cpu.h"
 #include "driver/periph_ctrl.h"
-#if ESP_IDF_VERSION_MAJOR >= 4 && ESP_IDF_VERSION_MINOR >= 1
+#if ESP_IDF_VERSION_MAJOR >= 4
 #include <esp32/rom/ets_sys.h>
 #else
 #include <rom/ets_sys.h>
@ -55,7 +55,7 @@ int esp_CryptHwMutexUnLock(wolfSSL_Mutex* mutex);
 #ifndef NO_AES
-#if ESP_IDF_VERSION_MAJOR >= 4 && ESP_IDF_VERSION_MINOR >= 1
+#if ESP_IDF_VERSION_MAJOR >= 4
 #include "esp32/rom/aes.h"
 #else
 #include "rom/aes.h"
@ -89,7 +89,7 @@ uint64_t  wc_esp32elapsedTime();
 /* RAW hash function APIs are not implemented with esp32 hardware acceleration*/
 #define WOLFSSL_NO_HASH_RAW
-#if ESP_IDF_VERSION_MAJOR >= 4 && ESP_IDF_VERSION_MINOR >= 1
+#if ESP_IDF_VERSION_MAJOR >= 4
 #include "esp32/rom/sha.h"
 #else
 #include "rom/sha.h"
--- a/source/libs/libwolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h
+++ b/source/libs/libwolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h
@ -35,6 +35,13 @@
 extern "C" {
 #endif
 #define TSIP_SESSIONKEY_NONCE_SIZE      8
 typedef enum {
    WOLFSSL_TSIP_NOERROR = 0,
    WOLFSSL_TSIP_ILLEGAL_CIPHERSUITE = 0xffffffff,
 }wolfssl_tsip_error_number;
 typedef enum {
    tsip_Key_SESSION = 1,
    tsip_Key_AES128  = 2,
@ -52,6 +59,34 @@ enum {
    l_TLS_RSA_WITH_AES_256_CBC_SHA256  = 0x3d,
 };
 #if defined(WOLFSSL_RENESAS_TSIP_TLS) && (WOLFSSL_RENESAS_TSIP_VER >=109) 
 typedef struct
 {
    uint8_t                          *encrypted_provisioning_key;
    uint8_t                          *iv;
    uint8_t                          *encrypted_user_tls_key;
    uint32_t                          encrypted_user_tls_key_type;
    tsip_tls_ca_certification_public_key_index_t  user_rsa2048_tls_pubindex;
 } tsip_key_data;
 void tsip_inform_user_keys_ex(
        byte*       provisioning_key,   /* key got from DLM server */
        byte*       iv,                 /* iv used for public key  */
        byte*       encrypted_public_key,/*RSA2048 or ECDSAp256 public key*/
        word32      public_key_type);   /* 0: RSA-2048 2:ECDSA P-256 */    
 int tsip_generateMasterSecretEx(
        byte        cipherSuiteFirst,
        byte        cipherSuite,
        const byte* pr,                 /* pre-master    */
        const byte* cr,                 /* client random */
        const byte* sr,                 /* server random */
        byte*       ms);
 #elif defined(WOLFSSL_RENESAS_TSIP_TLS) && (WOLFSSL_RENESAS_TSIP_VER >=106)
 typedef struct
 {
    uint8_t                          *encrypted_session_key;
@ -60,45 +95,81 @@ typedef struct
    tsip_tls_ca_certification_public_key_index_t  user_rsa2048_tls_pubindex;
 } tsip_key_data;
 struct WOLFSSL;
 int  tsip_Open( );
 void tsip_Close( );
 int tsip_hw_lock();
 void tsip_hw_unlock( void );
 int tsip_usable(const struct WOLFSSL *ssl);
 void tsip_inform_sflash_signedcacert(const byte *ps_flash, 
    const byte *psigned_ca_cert, word32 len);
 void tsip_inform_cert_sign(const byte *sign);
 /* set / get key */
 void tsip_inform_user_keys(byte *encrypted_session_key, byte *iv,
                           byte *encrypted_user_tls_key);
 byte tsip_rootCAverified( );
 byte tsip_checkCA(word32 cmIdx);
 int tsip_tls_RootCertVerify(const byte *cert  , word32 cert_len,
                            word32 key_n_start, word32 key_n_len,
                            word32 key_e_start, word32 key_e_len,
                            word32 cm_row);
 int tsip_tls_CertVerify(const byte *cert, word32 certSz,
                        const byte *signature, word32 sigSz,
                        word32 key_n_start, word32 key_n_len,
                        word32 key_e_start, word32 key_e_len,
                        byte *tsip_encRsaKeyIdx);
 void tsip_inform_key_position(const word32 key_n_start, const word32 key_n_len,
                              const word32 key_e_start, const word32 key_e_len);
 int tsip_generatePremasterSecret(byte *premaster, word32 preSz);
 int tsip_generateEncryptPreMasterSecret(struct WOLFSSL *ssl, byte *out, 
                                        word32 *outSz);
 int tsip_generateMasterSecret(const byte *pre, const byte *cr,const byte *sr,
                              byte *ms);
-int tsip_generateSeesionKey(struct WOLFSSL *ssl);
+#endif
-int tsip_Sha256Hmac(const struct WOLFSSL *ssl, const byte *myInner, 
+
-            word32 innerSz, const byte *in, word32 sz, byte *digest, 
+struct WOLFSSL;
-            word32 verify);
+
-int tsip_Sha1Hmac(const struct WOLFSSL *ssl, const byte *myInner, 
+int     tsip_Open();
-            word32 innerSz, const byte *in, word32 sz, byte *digest, 
+
-            word32 verify);
+void    tsip_Close();
 int     tsip_hw_lock();
 void    tsip_hw_unlock( void );
 int     tsip_usable(const struct WOLFSSL *ssl);
 void    tsip_inform_sflash_signedcacert(
            const byte* ps_flash, 
            const byte* psigned_ca_cert,
            word32      len);
 void    tsip_inform_cert_sign(const byte *sign);                           
 byte    tsip_rootCAverified();
 byte    tsip_checkCA(word32 cmIdx);
 int     tsip_tls_RootCertVerify(
            const   byte* cert,         word32 cert_len,
            word32  key_n_start,        word32 key_n_len,
            word32  key_e_start,        word32 key_e_len,
            word32  cm_row);
 int     tsip_tls_CertVerify(
            const   byte* cert,         word32 certSz,
            const   byte* signature,    word32 sigSz,
            word32  key_n_start,        word32 key_n_len,
            word32  key_e_start,        word32 key_e_len,
            byte*   tsip_encRsaKeyIdx);
 void    tsip_inform_key_position(
            const word32 key_n_start,
            const word32 key_n_len,
            const word32 key_e_start,
            const word32 key_e_len);
 int     tsip_generatePremasterSecret(
            byte*   premaster,
            word32  preSz);
 int     tsip_generateEncryptPreMasterSecret(
            struct WOLFSSL* ssl, 
            byte*           out, 
            word32*         outSz);
 int     tsip_generateSeesionKey(struct WOLFSSL *ssl);
 int     tsip_Sha256Hmac(
            const struct WOLFSSL *ssl,
            const byte* myInner, 
            word32      innerSz,
            const byte* in,
            word32      sz,
            byte*       digest, 
            word32      verify);
 int     tsip_Sha1Hmac(
            const struct WOLFSSL *ssl,
            const byte* myInner, 
            word32      innerSz,
            const byte* in,
            word32      sz, 
            byte*       digest, 
            word32      verify);
 #if (!defined(NO_SHA) || !defined(NO_SHA256)) && \
    !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)
@ -128,10 +199,10 @@ typedef wolfssl_TSIP_Hash wc_Sha;
 #endif /* NO_SHA */
 #if defined(WOLFSSL_RENESAS_TSIP_TLS_AES_CRYPT)
-typedef struct {
+    typedef struct {
-    tsip_aes_key_index_t tsip_keyIdx;
+        tsip_aes_key_index_t tsip_keyIdx;
-    word32               keySize;
+        word32               keySize;
-} TSIP_AES_CTX;
+    } TSIP_AES_CTX;
    struct Aes;
    int wc_tsip_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in,
--- a/source/libs/libwolfssl/wolfcrypt/port/atmel/atmel.h
+++ b/source/libs/libwolfssl/wolfcrypt/port/atmel/atmel.h
@ -27,14 +27,15 @@
 #include <libs/libwolfssl/wolfcrypt/settings.h>
 #include <libs/libwolfssl/wolfcrypt/error-crypt.h>
-#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC_PKCB)
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) || \
    defined(WOLFSSL_ATECC_PKCB)
    #undef  SHA_BLOCK_SIZE
    #define SHA_BLOCK_SIZE  SHA_BLOCK_SIZE_REMAP
    #include <cryptoauthlib.h>
    #undef SHA_BLOCK_SIZE
 #endif
-/* ATECC508A only supports ECC P-256 */
+/* ATECC508A/608A only supports ECC P-256 */
 #define ATECC_KEY_SIZE      (32)
 #define ATECC_PUBKEY_SIZE   (ATECC_KEY_SIZE*2) /* X and Y */
 #define ATECC_SIG_SIZE      (ATECC_KEY_SIZE*2) /* R and S */
@ -53,11 +54,19 @@
 #endif
 /* Symmetric encryption key */
 #ifndef ATECC_SLOT_I2C_ENC
-#define ATECC_SLOT_I2C_ENC        (0x04)
+    #ifdef WOLFSSL_ATECC_TNGTLS
        #define ATECC_SLOT_I2C_ENC        (0x06)
    #else
        #define ATECC_SLOT_I2C_ENC        (0x04)
    #endif
 #endif
 /* Parent encryption key */
 #ifndef ATECC_SLOT_ENC_PARENT
-#define ATECC_SLOT_ENC_PARENT     (0x7)
+    #ifdef WOLFSSL_ATECC_TNGTLS
        #define ATECC_SLOT_ENC_PARENT     (0x6)
    #else
        #define ATECC_SLOT_ENC_PARENT     (0x7)
    #endif
 #endif
 /* ATECC_KEY_SIZE required for ecc.h */
@ -78,7 +87,7 @@ int  atmel_get_random_number(uint32_t count, uint8_t* rand_out);
 #endif
 long atmel_get_curr_time_and_date(long* tm);
-#ifdef WOLFSSL_ATECC508A
+#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
 enum atmelSlotType {
    ATMEL_SLOT_ANY,
@ -100,6 +109,8 @@ int  atmel_ecc_translate_err(int status);
 int  atmel_get_rev_info(word32* revision);
 void atmel_show_rev_info(void);
 WOLFSSL_API int wolfCrypt_ATECC_SetConfig(ATCAIfaceCfg* cfg);
 /* The macro ATECC_GET_ENC_KEY can be set to override the default
   encryption key with your own at build-time */
 #ifndef ATECC_GET_ENC_KEY
--- a/source/libs/libwolfssl/wolfcrypt/port/cypress/psoc6_crypto.h
+++ b/source/libs/libwolfssl/wolfcrypt/port/cypress/psoc6_crypto.h
@ -0,0 +1,74 @@
 /* psoc6_crypto.h
 *
 * Copyright (C) 2006-2020 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 #ifndef _PSOC6_CRYPTO_PORT_H_
 #define _PSOC6_CRYPTO_PORT_H_
 #include <libs/libwolfssl/wolfcrypt/settings.h>
 #ifdef USE_FAST_MATH
    #include <libs/libwolfssl/wolfcrypt/tfm.h>
 #elif defined WOLFSSL_SP_MATH
    #include <libs/libwolfssl/wolfcrypt/sp_int.h>
 #else
    #include <libs/libwolfssl/wolfcrypt/integer.h>
 #endif
 #include "cy_crypto_core_sha.h"
 #include "cy_device_headers.h"
 #include "psoc6_02_config.h"
 #include "cy_crypto_common.h"
 #include "cy_crypto_core.h"
 #ifdef WOLFSSL_SHA512
 typedef struct wc_Sha512 {
    cy_stc_crypto_sha_state_t hash_state;
    cy_en_crypto_sha_mode_t sha_mode;
    cy_stc_crypto_v2_sha512_buffers_t sha_buffers;
 } wc_Sha512;
 #define WC_SHA512_TYPE_DEFINED
 #include <libs/libwolfssl/wolfcrypt/sha512.h>
 #endif
 #ifndef NO_SHA256
 typedef struct wc_Sha256 {
    cy_stc_crypto_sha_state_t hash_state;
    cy_en_crypto_sha_mode_t sha_mode;
    cy_stc_crypto_v2_sha256_buffers_t sha_buffers;
 } wc_Sha256;
 #include <libs/libwolfssl/wolfcrypt/sha.h>
 #include <libs/libwolfssl/wolfcrypt/sha256.h>
 #endif /* !def NO_SHA256 */
 #ifdef HAVE_ECC
 #include <libs/libwolfssl/wolfcrypt/ecc.h>
 int psoc6_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
                    word32 hashlen, int* verif_res, ecc_key* key);
 #endif /* HAVE_ECC */
 #define PSOC6_CRYPTO_BASE ((CRYPTO_Type*) CRYPTO_BASE)
 /* Crypto HW engine initialization */
 int psoc6_crypto_port_init(void);
 #endif /* _PSOC6_CRYPTO_PORT_H_ */
--- a/source/libs/libwolfssl/wolfcrypt/port/nxp/dcp_port.h
+++ b/source/libs/libwolfssl/wolfcrypt/port/nxp/dcp_port.h
@ -0,0 +1,77 @@
 /* dcp_port.h
 *
 * Copyright (C) 2006-2020 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 #ifndef _DCP_PORT_H_
 #define _DCP_PORT_H_
 #include <libs/libwolfssl/wolfcrypt/settings.h>
 #ifdef USE_FAST_MATH
    #include <libs/libwolfssl/wolfcrypt/tfm.h>
 #elif defined WOLFSSL_SP_MATH
    #include <libs/libwolfssl/wolfcrypt/sp_int.h>
 #else
    #include <libs/libwolfssl/wolfcrypt/integer.h>
 #endif
 #include <libs/libwolfssl/wolfcrypt/aes.h>
 #include <libs/libwolfssl/wolfcrypt/error-crypt.h>
 #include "fsl_device_registers.h"
 #include "fsl_debug_console.h"
 #include "fsl_dcp.h"
 int wc_dcp_init(void);
 #ifndef NO_AES
 int  DCPAesInit(Aes* aes);
 void DCPAesFree(Aes *aes);
 int  DCPAesSetKey(Aes* aes, const byte* key, word32 len, const byte* iv,
                          int dir);
 int  DCPAesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz);
 int  DCPAesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz);
 #endif
 #ifdef HAVE_AES_ECB
 int  DCPAesEcbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz);
 int  DCPAesEcbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz);
 #endif
 #ifndef NO_SHA256
 typedef struct wc_Sha256_DCP {
    dcp_handle_t handle;
    dcp_hash_ctx_t ctx;
 } wc_Sha256;
 #define WC_SHA256_TYPE_DEFINED
 void DCPSha256Free(wc_Sha256 *sha256);
 #endif
 #ifndef NO_SHA
 typedef struct wc_Sha_DCP {
    dcp_handle_t handle;
    dcp_hash_ctx_t ctx;
 } wc_Sha;
 #define WC_SHA_TYPE_DEFINED
 void DCPShaFree(wc_Sha *sha);
 #endif
 #endif
--- a/source/libs/libwolfssl/wolfcrypt/port/nxp/ksdk_port.h
+++ b/source/libs/libwolfssl/wolfcrypt/port/nxp/ksdk_port.h
@ -65,8 +65,8 @@ int ksdk_port_init(void);
 	int wc_ecc_point_add(ecc_point *mG, ecc_point *mQ, ecc_point *mR, mp_int *m);
 	#ifdef HAVE_CURVE25519
-		int wc_curve25519(ECPoint *q, byte *n, const ECPoint *p, fsl_ltc_ecc_coordinate_system_t type);
+		int nxp_ltc_curve25519(ECPoint *q, const byte *n, const ECPoint *p, fsl_ltc_ecc_coordinate_system_t type);
-		const ECPoint *wc_curve25519_GetBasePoint(void);
+		const ECPoint *nxp_ltc_curve25519_GetBasePoint(void);
 		status_t LTC_PKHA_Curve25519ToWeierstrass(const ltc_pkha_ecc_point_t *ltcPointIn, ltc_pkha_ecc_point_t *ltcPointOut);
 		status_t LTC_PKHA_WeierstrassToCurve25519(const ltc_pkha_ecc_point_t *ltcPointIn, ltc_pkha_ecc_point_t *ltcPointOut);
 		status_t LTC_PKHA_Curve25519ComputeY(ltc_pkha_ecc_point_t *ltcPoint);
--- a/source/libs/libwolfssl/wolfcrypt/port/st/stm32.h
+++ b/source/libs/libwolfssl/wolfcrypt/port/st/stm32.h
@ -28,11 +28,6 @@
 #include <libs/libwolfssl/wolfcrypt/settings.h>
 #include <libs/libwolfssl/wolfcrypt/types.h>
 #if defined(WOLFSSL_STM32_PKA) && defined(HAVE_ECC)
    #include <libs/libwolfssl/wolfcrypt/integer.h>
    #include <libs/libwolfssl/wolfcrypt/ecc.h>
 #endif
 #ifdef STM32_HASH
 #define WOLFSSL_NO_HASH_RAW
@ -54,6 +49,9 @@
 #if !defined(HASH_DATATYPE_8B) && defined(HASH_DataType_8b)
    #define HASH_DATATYPE_8B HASH_DataType_8b
 #endif
 #ifndef HASH_STR_NBW
 	#define HASH_STR_NBW HASH_STR_NBLW
 #endif
 #ifndef STM32_HASH_TIMEOUT
    #define STM32_HASH_TIMEOUT 0xFFFF
@ -93,19 +91,30 @@ int  wc_Stm32_Hash_Final(STM32_HASH_Context* stmCtx, word32 algo,
 #ifndef NO_AES
    #if !defined(STM32_CRYPTO_AES_GCM) && (defined(WOLFSSL_STM32F4) || \
-            defined(WOLFSSL_STM32F7) || defined(WOLFSSL_STM32L4))
+            defined(WOLFSSL_STM32F7) || defined(WOLFSSL_STM32L4) || \
 			defined(WOLFSSL_STM32L5) || defined(WOLFSSL_STM32H7))
        /* Hardware supports AES GCM acceleration */
        #define STM32_CRYPTO_AES_GCM
    #endif
-    #ifdef WOLFSSL_STM32L4
+    #if defined(WOLFSSL_STM32WB)
        #define STM32_CRYPTO_AES_ONLY /* crypto engine only supports AES */
        #define CRYP AES1
        #define STM32_HAL_V2
    #endif
    #if defined(WOLFSSL_STM32L4) || defined(WOLFSSL_STM32L5)
 		#ifdef WOLFSSL_STM32L4
        	#define STM32_CRYPTO_AES_ONLY /* crypto engine only supports AES */
 		#endif
        #define CRYP AES
 		#ifndef CRYP_AES_GCM
 			#define CRYP_AES_GCM CRYP_AES_GCM_GMAC
 		#endif
    #endif
    /* Detect newer CubeMX crypto HAL (HAL_CRYP_Encrypt / HAL_CRYP_Decrypt) */
-    #if !defined(STM32_HAL_V2) && \
+    #if !defined(STM32_HAL_V2) && defined(CRYP_AES_GCM) && \
-        defined(WOLFSSL_STM32F7) && defined(CRYP_AES_GCM)
+        (defined(WOLFSSL_STM32F7) || defined(WOLFSSL_STM32L5) || defined(WOLFSSL_STM32H7))
        #define STM32_HAL_V2
    #endif
@ -122,7 +131,7 @@ int  wc_Stm32_Hash_Final(STM32_HASH_Context* stmCtx, word32 algo,
    struct Aes;
    #ifdef WOLFSSL_STM32_CUBEMX
        int wc_Stm32_Aes_Init(struct Aes* aes, CRYP_HandleTypeDef* hcryp);
-    #else /* STD_PERI_LIB */
+    #else /* Standard Peripheral Library */
        int wc_Stm32_Aes_Init(struct Aes* aes, CRYP_InitTypeDef* cryptInit,
            CRYP_KeyInitTypeDef* keyInit);
    #endif /* WOLFSSL_STM32_CUBEMX */
@ -131,12 +140,25 @@ int  wc_Stm32_Hash_Final(STM32_HASH_Context* stmCtx, word32 algo,
 #endif /* STM32_CRYPTO */
 #if defined(WOLFSSL_STM32_PKA) && defined(HAVE_ECC)
-int stm32_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
+#ifdef WOLFSSL_SP_MATH
-                    word32 hashlen, int* res, ecc_key* key);
+    struct sp_int;
-
+    #define MATH_INT_T struct sp_int
-int stm32_ecc_sign_hash_ex(const byte* hash, word32 hashlen, WC_RNG* rng,
+#elif defined(USE_FAST_MATH)
-                     ecc_key* key, mp_int *r, mp_int *s);
+    struct fp_int;
    #define MATH_INT_T struct fp_int
 #else
    struct mp_int;
 	#define MATH_INT_T struct mp_int
 #endif
 struct ecc_key;
 struct WC_RNG;
 int stm32_ecc_verify_hash_ex(MATH_INT_T *r, MATH_INT_T *s, const byte* hash,
                    word32 hashlen, int* res, struct ecc_key* key);
 int stm32_ecc_sign_hash_ex(const byte* hash, word32 hashlen, struct WC_RNG* rng,
                     struct ecc_key* key, MATH_INT_T *r, MATH_INT_T *s);
 #endif /* WOLFSSL_STM32_PKA && HAVE_ECC */
 #endif /* _WOLFPORT_STM32_H_ */
--- a/source/libs/libwolfssl/wolfcrypt/random.h
+++ b/source/libs/libwolfssl/wolfcrypt/random.h
@ -149,6 +149,23 @@ typedef struct OS_Seed {
    #define WC_RNG_TYPE_DEFINED
 #endif
 #ifdef HAVE_HASHDRBG
 struct DRBG_internal {
    word32 reseedCtr;
    word32 lastBlock;
    byte V[DRBG_SEED_LEN];
    byte C[DRBG_SEED_LEN];
 #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
    void* heap;
    int devId;
 #endif
    byte   matchCount;
 #ifdef WOLFSSL_SMALL_STACK_CACHE
    wc_Sha256 sha256;
 #endif
 };
 #endif
 /* RNG context */
 struct WC_RNG {
    OS_Seed seed;
@ -157,18 +174,7 @@ struct WC_RNG {
    /* Hash-based Deterministic Random Bit Generator */
    struct DRBG* drbg;
 #if defined(WOLFSSL_NO_MALLOC) && !defined(WOLFSSL_STATIC_MEMORY)
-    #define DRBG_STRUCT_SZ ((sizeof(word32)*3) + (DRBG_SEED_LEN*2))
+    struct DRBG_internal drbg_data;
    #ifdef WOLFSSL_SMALL_STACK_CACHE
        #define DRBG_STRUCT_SZ_SHA256 (sizeof(wc_Sha256))
    #else
        #define DRBG_STRUCT_SZ_SHA256 0
    #endif
    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
        #define DRBG_STRUCT_SZ_ASYNC (sizeof(void*) + sizeof(int))
    #else
        #define DRBG_STRUCT_SZ_ASYNC 0
    #endif
    byte drbg_data[DRBG_STRUCT_SZ + DRBG_STRUCT_SZ_SHA256 + DRBG_STRUCT_SZ_ASYNC];
 #endif
    byte status;
 #endif
@ -219,7 +225,7 @@ WOLFSSL_API int  wc_FreeRng(WC_RNG*);
 #define wc_InitRng_ex(rng, h, d) NOT_COMPILED_IN
 #define wc_InitRngNonce(rng, n, s) NOT_COMPILED_IN
 #define wc_InitRngNonce_ex(rng, n, s, h, d) NOT_COMPILED_IN
-#define wc_RNG_GenerateBlock(rng, b, s) NOT_COMPILED_IN
+#define wc_RNG_GenerateBlock(rng, b, s) ({(void)rng; (void)b; (void)s; NOT_COMPILED_IN;})
 #define wc_RNG_GenerateByte(rng, b) NOT_COMPILED_IN
 #define wc_FreeRng(rng) (void)NOT_COMPILED_IN
 #endif
--- a/source/libs/libwolfssl/wolfcrypt/rsa.h
+++ b/source/libs/libwolfssl/wolfcrypt/rsa.h
@ -23,7 +23,13 @@
    \file wolfssl/wolfcrypt/rsa.h
 */
 /*
 DESCRIPTION
 This library provides the interface to the RSA.
 RSA keys can be used to encrypt, decrypt, sign and verify data.
 */
 #ifndef WOLF_CRYPT_RSA_H
 #define WOLF_CRYPT_RSA_H
@ -280,8 +286,9 @@ WOLFSSL_API int  wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx,
                                                               RsaKey*, word32);
 WOLFSSL_API int  wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz,
                                        const byte* e, word32 eSz, RsaKey* key);
-WOLFSSL_API int wc_RsaKeyToDer(RsaKey*, byte* output, word32 inLen);
+#ifdef WOLFSSL_KEY_GEN
-
+    WOLFSSL_API int wc_RsaKeyToDer(RsaKey*, byte* output, word32 inLen);
 #endif
 #ifdef WC_RSA_BLINDING
    WOLFSSL_API int wc_RsaSetRNG(RsaKey* key, WC_RNG* rng);
--- a/source/libs/libwolfssl/wolfcrypt/settings.h
+++ b/source/libs/libwolfssl/wolfcrypt/settings.h
@ -62,6 +62,9 @@
 /* Uncomment next line if using Microchip TCP/IP stack, version 6 or later */
 /* #define MICROCHIP_TCPIP */
 /* Uncomment next line if using above Microchip TCP/IP defines with BSD API */
 /* #define MICROCHIP_TCPIP_BSD_API */
 /* Uncomment next line if using PIC32MZ Crypto Engine */
 /* #define WOLFSSL_MICROCHIP_PIC32MZ */
@ -209,10 +212,20 @@
 /* Uncomment next line if using RENESAS RX64N */
 /* #define WOLFSSL_RENESAS_RX65N */
 /* Uncomment next line if using Solaris OS*/
 /* #define WOLFSSL_SOLARIS */
 /* Uncomment next line if building for Linux Kernel Module */
 /* #define WOLFSSL_LINUXKM */
 #include <libs/libwolfssl/wolfcrypt/visibility.h>
 #ifdef WOLFSSL_USER_SETTINGS
    #include "user_settings.h"
 #elif defined(USE_HAL_DRIVER) && !defined(HAVE_CONFIG_H)
    /* STM Configuration File (generated by CubeMX) */
    #include "wolfSSL.wolfSSL_conf.h"
 #endif
@ -292,7 +305,7 @@
    #endif
 #endif
-#if defined(WOLFSSL_RENESAS_RA6M3G)
+#if defined(WOLFSSL_RENESAS_RA6M3G) || defined(WOLFSSL_RENESAS_RA6M3)
    /* settings in user_settings.h */
 #endif
@ -337,7 +350,9 @@
    /* #define WOLFSSL_MICROCHIP_PIC32MZ */
    #define SIZEOF_LONG_LONG 8
    #define SINGLE_THREADED
-    #define WOLFSSL_USER_IO
+    #ifndef MICROCHIP_TCPIP_BSD_API
        #define WOLFSSL_USER_IO
    #endif
    #define NO_WRITEV
    #define NO_DEV_RANDOM
    #define NO_FILESYSTEM
@ -375,6 +390,16 @@
    #endif
 #endif
 #ifdef WOLFSSL_ATECC508A
    /* backwards compatibility */
 #ifndef WOLFSSL_ATECC_NO_ECDH_ENC
    #define WOLFSSL_ATECC_ECDH_ENC
 #endif
    #ifdef WOLFSSL_ATECC508A_DEBUG
        #define WOLFSSL_ATECC_DEBUG
    #endif
 #endif
 #ifdef MBED
    #define WOLFSSL_USER_IO
    #define NO_FILESYSTEM
@ -601,7 +626,6 @@
 #ifdef WOLFSSL_NRF5x
        #define SIZEOF_LONG 4
        #define SIZEOF_LONG_LONG 8
        #define NO_ASN_TIME
        #define NO_DEV_RANDOM
        #define NO_FILESYSTEM
        #define NO_MAIN_DRIVER
@ -609,7 +633,6 @@
        #define SINGLE_THREADED
        #define USE_FAST_MATH
        #define TFM_TIMING_RESISTANT
        #define USE_WOLFSSL_MEMORY
        #define WOLFSSL_NRF51
        #define WOLFSSL_USER_IO
        #define NO_SESSION_CACHE
@ -703,7 +726,7 @@ extern void uITRON4_free(void *p) ;
        https://github.com/wolfSSL/wolfssl-freertos/pull/3/files */
    #if !defined(USE_FAST_MATH) || defined(HAVE_ED25519) || defined(HAVE_ED448)
        #if defined(WOLFSSL_ESPIDF)
-            /*In IDF, realloc(p, n) is equivalent to 
+            /*In IDF, realloc(p, n) is equivalent to
            heap_caps_realloc(p, s, MALLOC_CAP_8BIT) */
            #define XREALLOC(p, n, h, t) realloc((p), (n))
        #else
@ -812,7 +835,9 @@ extern void uITRON4_free(void *p) ;
        #undef SIZEOF_LONG
        #define SIZEOF_LONG_LONG 8
    #else
-        #error settings.h - please implement SIZEOF_LONG and SIZEOF_LONG_LONG
+        #if !defined(SIZEOF_LONG) && !defined(SIZEOF_LONG_LONG)
            #error settings.h - please implement SIZEOF_LONG and SIZEOF_LONG_LONG
        #endif
    #endif
    #define XMALLOC(s, h, type) ((void *)rtp_malloc((s), SSL_PRO_MALLOC))
@ -822,7 +847,9 @@ extern void uITRON4_free(void *p) ;
    #if (WINMSP3)
        #define XSTRNCASECMP(s1,s2,n)  _strnicmp((s1),(s2),(n))
    #else
-        #sslpro: settings.h - please implement XSTRNCASECMP - needed for HAVE_ECC
+        #ifndef XSTRNCASECMP
            #error settings.h - please implement XSTRNCASECMP - needed for HAVE_ECC
        #endif
    #endif
    #define WOLFSSL_HAVE_MAX
@ -900,6 +927,19 @@ extern void uITRON4_free(void *p) ;
    #define TFM_TIMING_RESISTANT
 #endif
 /* To support storing some of the large constant tables in flash memory rather than SRAM.
   Useful for processors that have limited SRAM, such as the AVR family of microtrollers. */
 #ifdef WOLFSSL_USE_FLASHMEM
    /* This is supported on the avr-gcc compiler, for more information see:
         https://gcc.gnu.org/onlinedocs/gcc/Named-Address-Spaces.html */
    #define FLASH_QUALIFIER __flash
    /* Copy data out of flash memory and into SRAM */
    #define XMEMCPY_P(pdest, psrc, size) memcpy_P((pdest), (psrc), (size))
 #else
    #define FLASH_QUALIFIER
 #endif
 #ifdef FREESCALE_MQX_5_0
    /* use normal Freescale MQX port, but with minor changes for 5.0 */
    #define FREESCALE_MQX
@ -1051,7 +1091,9 @@ extern void uITRON4_free(void *p) ;
    /* random seed */
    #define NO_OLD_RNGNAME
-    #if defined(FSL_FEATURE_SOC_TRNG_COUNT) && (FSL_FEATURE_SOC_TRNG_COUNT > 0)
+    #if   defined(FREESCALE_NO_RNG)
        /* nothing to define */
    #elif defined(FSL_FEATURE_SOC_TRNG_COUNT) && (FSL_FEATURE_SOC_TRNG_COUNT > 0)
        #define FREESCALE_KSDK_2_0_TRNG
    #elif defined(FSL_FEATURE_SOC_RNG_COUNT) && (FSL_FEATURE_SOC_RNG_COUNT > 0)
        #ifdef FREESCALE_KSDK_1_3
@ -1187,7 +1229,8 @@ extern void uITRON4_free(void *p) ;
 #if defined(WOLFSSL_STM32F2) || defined(WOLFSSL_STM32F4) || \
    defined(WOLFSSL_STM32F7) || defined(WOLFSSL_STM32F1) || \
-    defined(WOLFSSL_STM32L4)
+    defined(WOLFSSL_STM32L4) || defined(WOLFSSL_STM32L5) || \
    defined(WOLFSSL_STM32WB) || defined(WOLFSSL_STM32H7)
    #define SIZEOF_LONG_LONG 8
    #ifndef CHAR_BIT
@ -1208,7 +1251,8 @@ extern void uITRON4_free(void *p) ;
        #undef  STM32_CRYPTO
        #define STM32_CRYPTO
-        #ifdef WOLFSSL_STM32L4
+        #if defined(WOLFSSL_STM32L4) || defined(WOLFSSL_STM32L5) || \
            defined(WOLFSSL_STM32WB)
            #define NO_AES_192 /* hardware does not support 192-bit */
        #endif
    #endif
@ -1221,8 +1265,12 @@ extern void uITRON4_free(void *p) ;
    #endif
    #define NO_OLD_RNGNAME
    #ifdef WOLFSSL_STM32_CUBEMX
-        #if defined(WOLFSSL_STM32F2)
+        #if defined(WOLFSSL_STM32F1)
            #include "stm32f1xx_hal.h"
        #elif defined(WOLFSSL_STM32F2)
            #include "stm32f2xx_hal.h"
        #elif defined(WOLFSSL_STM32L5)
            #include "stm32l5xx_hal.h"
        #elif defined(WOLFSSL_STM32L4)
            #include "stm32l4xx_hal.h"
        #elif defined(WOLFSSL_STM32F4)
@ -1231,6 +1279,10 @@ extern void uITRON4_free(void *p) ;
            #include "stm32f7xx_hal.h"
        #elif defined(WOLFSSL_STM32F1)
            #include "stm32f1xx_hal.h"
        #elif defined(WOLFSSL_STM32H7)
            #include "stm32h7xx_hal.h"
        #elif defined(WOLFSSL_STM32WB)
            #include "stm32wbxx_hal.h"
        #endif
        #if defined(WOLFSSL_CUBEMX_USE_LL) && defined(WOLFSSL_STM32L4)
            #include "stm32l4xx_ll_rng.h"
@ -1256,6 +1308,14 @@ extern void uITRON4_free(void *p) ;
            #ifdef STM32_HASH
                #include "stm32f4xx_hash.h"
            #endif
        #elif defined(WOLFSSL_STM32L5)
            #include "stm32l5xx.h"
            #ifdef STM32_CRYPTO
                #include "stm32l5xx_cryp.h"
            #endif
            #ifdef STM32_HASH
                #include "stm32l5xx_hash.h"
            #endif
        #elif defined(WOLFSSL_STM32L4)
            #include "stm32l4xx.h"
            #ifdef STM32_CRYPTO
@ -1266,11 +1326,14 @@ extern void uITRON4_free(void *p) ;
            #endif
        #elif defined(WOLFSSL_STM32F7)
            #include "stm32f7xx.h"
        #elif defined(WOLFSSL_STM32H7)
            #include "stm32h7xx.h"
        #elif defined(WOLFSSL_STM32F1)
            #include "stm32f1xx.h"
        #endif
    #endif /* WOLFSSL_STM32_CUBEMX */
-#endif /* WOLFSSL_STM32F2 || WOLFSSL_STM32F4 || WOLFSSL_STM32L4 || WOLFSSL_STM32F7 */
+#endif /* WOLFSSL_STM32F2 || WOLFSSL_STM32F4 || WOLFSSL_STM32L4 || 
          WOLFSSL_STM32L5 || WOLFSSL_STM32F7 || WOLFSSL_STMWB || WOLFSSL_STM32H7 */
 #ifdef WOLFSSL_DEOS
    #include <deos.h>
    #include <timeout.h>
@ -1400,6 +1463,22 @@ extern void uITRON4_free(void *p) ;
    #endif
 #endif /* MICRIUM */
 #if defined(sun) || defined(__sun)
 # if defined(__SVR4) || defined(__svr4__)
    /* Solaris */
    #ifndef WOLFSSL_SOLARIS
        #define WOLFSSL_SOLARIS
    #endif
 # else
    /* SunOS */
 # endif
 #endif
 #ifdef WOLFSSL_SOLARIS
    /* Avoid naming clash with fp_zero from math.h > ieefp.h */
    #define WOLFSSL_DH_CONST
 #endif
 #ifdef WOLFSSL_MCF5441X
    #define BIG_ENDIAN_ORDER
    #ifndef SIZEOF_LONG
@ -1544,6 +1623,12 @@ extern void uITRON4_free(void *p) ;
 #endif
 #endif
 /* If DCP is used without SINGLE_THREADED, enforce WOLFSSL_CRYPT_HW_MUTEX */
 #if defined(WOLFSSL_IMXRT_DCP) && !defined(SINGLE_THREADED)
    #undef WOLFSSL_CRYPT_HW_MUTEX
    #define WOLFSSL_CRYPT_HW_MUTEX 1
 #endif
 #if !defined(XMALLOC_USER) && !defined(MICRIUM_MALLOC) && \
    !defined(WOLFSSL_LEANPSK) && !defined(NO_WOLFSSL_MEMORY) && \
    !defined(XMALLOC_OVERRIDE)
@ -2008,6 +2093,60 @@ extern void uITRON4_free(void *p) ;
 #endif
 #ifdef WOLFSSL_LINUXKM
    #ifndef NO_DEV_RANDOM
        #define NO_DEV_RANDOM
    #endif
    #ifndef NO_WRITEV
        #define NO_WRITEV
    #endif
    #ifndef NO_FILESYSTEM
        #define NO_FILESYSTEM
    #endif
    #ifndef NO_STDIO_FILESYSTEM
        #define NO_STDIO_FILESYSTEM
    #endif
    #ifndef WOLFSSL_NO_SOCK
        #define WOLFSSL_NO_SOCK
    #endif
    #ifndef WOLFSSL_DH_CONST
        #define WOLFSSL_DH_CONST
    #endif
    #ifndef WOLFSSL_USER_IO
        #define WOLFSSL_USER_IO
    #endif
    #ifndef USE_WOLF_STRTOK
        #define USE_WOLF_STRTOK
    #endif
    #ifndef WOLFSSL_SP_MOD_WORD_RP
        #define WOLFSSL_SP_MOD_WORD_RP
    #endif
    #ifndef WOLFSSL_OLD_PRIME_CHECK
        #define WOLFSSL_OLD_PRIME_CHECK
    #endif
    #undef HAVE_STRINGS_H
    #undef HAVE_ERRNO_H
    #undef HAVE_THREAD_LS
    #undef WOLFSSL_HAVE_MIN
    #undef WOLFSSL_HAVE_MAX
    #define SIZEOF_LONG         8
    #define SIZEOF_LONG_LONG    8
    #define CHAR_BIT            8
    #ifndef WOLFSSL_SP_DIV_64
        #define WOLFSSL_SP_DIV_64
    #endif
    #ifndef WOLFSSL_SP_DIV_WORD_HALF
        #define WOLFSSL_SP_DIV_WORD_HALF
    #endif
    #ifndef SP_HALF_SIZE
        #define SP_HALF_SIZE        32
    #endif
    #ifndef SP_HALF_MAX
        #define SP_HALF_MAX         4294967295U
    #endif
 #endif
 /* Place any other flags or defines here */
 #if defined(WOLFSSL_MYSQL_COMPATIBLE) && defined(_WIN32) \
@ -2196,6 +2335,21 @@ extern void uITRON4_free(void *p) ;
    #define WOLFSSL_NO_CONSTCHARCONST
 #endif
 /* FIPS v1 does not support TLS v1.3 (requires RSA PSS and HKDF) */
 #if defined(HAVE_FIPS) && !defined(HAVE_FIPS_VERSION)
    #undef WC_RSA_PSS
    #undef WOLFSSL_TLS13
 #endif
 /* For FIPSv2 make sure the ECDSA encoding allows extra bytes
 * but make sure users consider enabling it */
 #if !defined(NO_STRICT_ECDSA_LEN) && defined(HAVE_FIPS) && \
        defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
    /* ECDSA length checks off by default for CAVP testing
     * consider enabling strict checks in production */
    #define NO_STRICT_ECDSA_LEN
 #endif
 #ifdef __cplusplus
    }   /* extern "C" */
--- a/source/libs/libwolfssl/wolfcrypt/sha.h
+++ b/source/libs/libwolfssl/wolfcrypt/sha.h
@ -72,6 +72,9 @@
 #ifdef WOLFSSL_ESP32WROOM32_CRYPT
    #include <libs/libwolfssl/wolfcrypt/port/Espressif/esp32-crypt.h>
 #endif
 #ifdef WOLFSSL_IMXRT_DCP
    #include <libs/libwolfssl/wolfcrypt/port/nxp/dcp_port.h>
 #endif
 #if !defined(NO_OLD_SHA_NAMES)
    #define SHA             WC_SHA
@ -101,6 +104,8 @@ enum {
 #elif defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \
   !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)
    #include "wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h"
 #elif defined(WOLFSSL_PSOC6_CRYPTO)
    #include "wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h"
 #else
 /* Sha digest */
--- a/source/libs/libwolfssl/wolfcrypt/sha256.h
+++ b/source/libs/libwolfssl/wolfcrypt/sha256.h
@ -126,6 +126,10 @@ enum {
 #elif defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \
   !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)
    #include "wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h"
 #elif defined(WOLFSSL_PSOC6_CRYPTO)
    #include "wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h"
 #elif defined(WOLFSSL_IMXRT_DCP)
    #include <libs/libwolfssl/wolfcrypt/port/nxp/dcp_port.h>
 #else
 /* wc_Sha256 digest */
@ -142,6 +146,7 @@ struct wc_Sha256 {
    word32  loLen;     /* length in bytes   */
    word32  hiLen;     /* length in bytes   */
    void*   heap;
 #endif
 #ifdef WOLFSSL_PIC32MZ_HASH
    hashUpdCache cache; /* cache for updates */
 #endif
@ -150,7 +155,7 @@ struct wc_Sha256 {
 #endif /* WOLFSSL_ASYNC_CRYPT */
 #ifdef WOLFSSL_SMALL_STACK_CACHE
    word32* W;
-#endif
+#endif /* !FREESCALE_LTC_SHA && !STM32_HASH_SHA2 */
 #ifdef WOLFSSL_DEVCRYPTO_HASH
    WC_CRYPTODEV ctx;
    byte*  msg;
@ -168,7 +173,6 @@ struct wc_Sha256 {
    int    devId;
    void*  devCtx; /* generic crypto callback context */
 #endif
 #endif
 #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB)
    word32 flags; /* enum wc_HashFlags in hash.h */
 #endif
--- a/source/libs/libwolfssl/wolfcrypt/sha3.h
+++ b/source/libs/libwolfssl/wolfcrypt/sha3.h
@ -58,7 +58,8 @@ enum {
    WC_SHA3_512_DIGEST_SIZE  = 64,
    WC_SHA3_512_COUNT        =  9,
-#ifndef HAVE_SELFTEST
+#if !defined(HAVE_SELFTEST) || \
    defined(HAVE_SELFTEST_VERSION) && (HAVE_SELFTEST_VERSION >= 2)
    /* These values are used for HMAC, not SHA-3 directly.
     * They come from from FIPS PUB 202. */
    WC_SHA3_224_BLOCK_SIZE = 144,
--- a/source/libs/libwolfssl/wolfcrypt/sha512.h
+++ b/source/libs/libwolfssl/wolfcrypt/sha512.h
@ -31,6 +31,7 @@
 #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)
 #if defined(HAVE_FIPS) && \
    defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)
    #include <libs/libwolfssl/wolfcrypt/fips.h>
@ -111,6 +112,8 @@ enum {
 #ifdef WOLFSSL_IMX6_CAAM
    #include "wolfssl/wolfcrypt/port/caam/wolfcaam_sha.h"
 #elif defined (WOLFSSL_PSOC6_CRYPTO)
    #include "wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h"
 #else
 /* wc_Sha512 digest */
 struct wc_Sha512 {
@ -153,6 +156,7 @@ WOLFSSL_LOCAL void Transform_Sha512_Len(wc_Sha512* sha512, const byte* data,
 #ifdef WOLFSSL_SHA512
 WOLFSSL_API int wc_InitSha512(wc_Sha512*);
 WOLFSSL_API int wc_InitSha512_ex(wc_Sha512*, void*, int);
 WOLFSSL_API int wc_Sha512Update(wc_Sha512*, const byte*, word32);
--- a/source/libs/libwolfssl/wolfcrypt/sp.h
+++ b/source/libs/libwolfssl/wolfcrypt/sp.h
@ -28,16 +28,22 @@
 #if defined(WOLFSSL_HAVE_SP_RSA) || defined(WOLFSSL_HAVE_SP_DH) || \
                                    defined(WOLFSSL_HAVE_SP_ECC)
 #ifndef WOLFSSL_LINUXKM
 #include <stdint.h>
 #endif
 #include <libs/libwolfssl/wolfcrypt/integer.h>
 #include <libs/libwolfssl/wolfcrypt/sp_int.h>
 #include <libs/libwolfssl/wolfcrypt/ecc.h>
-#if defined(_MSC_VER)
+#ifdef noinline
    #define SP_NOINLINE noinline
 #elif defined(_MSC_VER)
    #define SP_NOINLINE __declspec(noinline)
-#elif defined(__IAR_SYSTEMS_ICC__) || defined(__GNUC__) || defined(__KEIL__)
+#elif defined(__ICCARM__) || defined(__IAR_SYSTEMS_ICC__)
    #define SP_NOINLINE _Pragma("inline = never")
 #elif defined(__GNUC__) || defined(__KEIL__)
    #define SP_NOINLINE __attribute__((noinline))
 #else
    #define SP_NOINLINE
@ -141,7 +147,18 @@ int sp_ecc_proj_dbl_point_384(mp_int* pX, mp_int* pY, mp_int* pZ,
 int sp_ecc_map_384(mp_int* pX, mp_int* pY, mp_int* pZ);
 int sp_ecc_uncompress_384(mp_int* xm, int odd, mp_int* ym);
-#endif /*ifdef WOLFSSL_HAVE_SP_ECC */
+#ifdef WOLFSSL_SP_NONBLOCK
 int sp_ecc_sign_256_nb(sp_ecc_ctx_t* ctx, const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
                    mp_int* rm, mp_int* sm, mp_int* km, void* heap);
 int sp_ecc_verify_256_nb(sp_ecc_ctx_t* ctx, const byte* hash, word32 hashLen, mp_int* pX, mp_int* pY,
                      mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap);
 int sp_ecc_sign_384_nb(sp_ecc_ctx_t* ctx, const byte* hash, word32 hashLen, WC_RNG* rng, mp_int* priv,
                    mp_int* rm, mp_int* sm, mp_int* km, void* heap);
 int sp_ecc_verify_384_nb(sp_ecc_ctx_t* ctx, const byte* hash, word32 hashLen, mp_int* pX, mp_int* pY,
                      mp_int* pZ, mp_int* r, mp_int* sm, int* res, void* heap);
 #endif /* WOLFSSL_SP_NONBLOCK */
 #endif /* WOLFSSL_HAVE_SP_ECC */
 #ifdef __cplusplus
--- a/source/libs/libwolfssl/wolfcrypt/sp_int.h
+++ b/source/libs/libwolfssl/wolfcrypt/sp_int.h
@ -19,12 +19,18 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 /*
 DESCRIPTION
 This library provides single precision (SP) integer math functions.
 */
 #ifndef WOLF_CRYPT_SP_INT_H
 #define WOLF_CRYPT_SP_INT_H
 #ifndef WOLFSSL_LINUXKM
 #include <stdint.h>
 #include <limits.h>
 #endif
 /* Make sure WOLFSSL_SP_ASM build option defined when requested */
 #if !defined(WOLFSSL_SP_ASM) && ( \
@ -60,6 +66,7 @@
    typedef int32 sp_digit;
    typedef uint32 sp_int_digit;
    typedef uint64 sp_int_word;
    typedef int64 sp_int_sword;
    #undef SP_WORD_SIZE
    #define SP_WORD_SIZE 32
 #elif !defined(WOLFSSL_SP_ASM)
@ -67,6 +74,7 @@
    typedef int32_t sp_digit;
    typedef uint32_t sp_int_digit;
    typedef uint64_t sp_int_word;
    typedef int64_t sp_int_sword;
  #elif SP_WORD_SIZE == 64
    typedef int64_t sp_digit;
    typedef uint64_t sp_int_digit;
@ -78,14 +86,14 @@
      typedef long int128_t __attribute__ ((mode(TI)));
    #endif
    typedef uint128_t sp_int_word;
-  #else
+    typedef int128_t sp_int_sword;
    #error Word size not defined
  #endif
 #else
  #if SP_WORD_SIZE == 32
    typedef uint32_t sp_digit;
    typedef uint32_t sp_int_digit;
    typedef uint64_t sp_int_word;
    typedef int64_t sp_int_sword;
  #elif SP_WORD_SIZE == 64
    typedef uint64_t sp_digit;
    typedef uint64_t sp_int_digit;
@ -97,12 +105,28 @@
      typedef long int128_t __attribute__ ((mode(TI)));
    #endif
    typedef uint128_t sp_int_word;
-  #else
+    typedef int128_t sp_int_sword;
    #error Word size not defined
  #endif
 #endif
-#define SP_MASK    (sp_digit)(-1)
+#if SP_WORD_SIZE == 32
    #define SP_MASK ((sp_int_digit)0xffffffffU)
 #elif SP_WORD_SIZE == 64
    #define SP_MASK ((sp_int_digit)0xffffffffffffffffUL)
 #else
    #error Word size not defined
 #endif
 #if defined(WOLFSSL_HAVE_SP_ECC) && defined(WOLFSSL_SP_NONBLOCK)
 typedef struct sp_ecc_ctx {
    #ifdef WOLFSSL_SP_384
    byte data[48*80]; /* stack data */
    #else
    byte data[32*80]; /* stack data */
    #endif
 } sp_ecc_ctx_t;
 #endif
 #ifdef WOLFSSL_SP_MATH
 #include <libs/libwolfssl/wolfcrypt/random.h>
@ -169,9 +193,10 @@ typedef sp_int_digit mp_digit;
 MP_API int sp_init(sp_int* a);
 MP_API int sp_init_multi(sp_int* a, sp_int* b, sp_int* c, sp_int* d,
                         sp_int* e, sp_int* f);
 MP_API void sp_free(sp_int* a);
 MP_API void sp_clear(sp_int* a);
 MP_API int sp_unsigned_bin_size(sp_int* a);
-MP_API int sp_read_unsigned_bin(sp_int* a, const byte* in, int inSz);
+MP_API int sp_read_unsigned_bin(sp_int* a, const byte* in, word32 inSz);
 MP_API int sp_read_radix(sp_int* a, const char* in, int radix);
 MP_API int sp_cmp(sp_int* a, sp_int* b);
 MP_API int sp_count_bits(sp_int* a);
@ -211,7 +236,6 @@ MP_API void sp_rshb(sp_int* a, int n, sp_int* r);
 MP_API int sp_mul_d(sp_int* a, sp_int_digit n, sp_int* r);
 #define MP_OKAY    0
 #define MP_NO      0
 #define MP_YES     1
@ -221,15 +245,17 @@ MP_API int sp_mul_d(sp_int* a, sp_int_digit n, sp_int* r);
 #define MP_EQ    0
 #define MP_LT    -1
 #define MP_OKAY   0
 #define MP_MEM   -2
 #define MP_VAL   -3
 #define FP_WOULDBLOCK -4
 #define DIGIT_BIT  SP_WORD_SIZE
 #define MP_MASK    SP_MASK
 #define CheckFastMathSettings() 1
-#define mp_free(a)
+#define mp_free                     sp_free
 #define mp_isodd                    sp_isodd
 #define mp_iseven                   sp_iseven
--- a/source/libs/libwolfssl/wolfcrypt/tfm.h
+++ b/source/libs/libwolfssl/wolfcrypt/tfm.h
@ -432,7 +432,7 @@ MP_API void fp_free(fp_int* a);
 /* set to a small digit */
 void fp_set(fp_int *a, fp_digit b);
-void fp_set_int(fp_int *a, unsigned long b);
+int  fp_set_int(fp_int *a, unsigned long b);
 /* check if a bit is set */
 int fp_is_bit_set(fp_int *a, fp_digit b);
@ -459,7 +459,7 @@ void fp_rshd(fp_int *a, int x);
 void fp_rshb(fp_int *a, int x);
 /* left shift x digits */
-void fp_lshd(fp_int *a, int x);
+int fp_lshd(fp_int *a, int x);
 /* signed comparison */
 int fp_cmp(fp_int *a, fp_int *b);
@ -470,19 +470,22 @@ int fp_cmp_mag(fp_int *a, fp_int *b);
 /* power of 2 operations */
 void fp_div_2d(fp_int *a, int b, fp_int *c, fp_int *d);
 void fp_mod_2d(fp_int *a, int b, fp_int *c);
-void fp_mul_2d(fp_int *a, int b, fp_int *c);
+int  fp_mul_2d(fp_int *a, int b, fp_int *c);
 void fp_2expt (fp_int *a, int b);
-void fp_mul_2(fp_int *a, fp_int *c);
+int  fp_mul_2(fp_int *a, fp_int *c);
 void fp_div_2(fp_int *a, fp_int *c);
 /* c = a / 2 (mod b) - constant time (a < b and positive) */
 int fp_div_2_mod_ct(fp_int *a, fp_int *b, fp_int *c);
 /* Counts the number of lsbs which are zero before the first zero bit */
 int fp_cnt_lsb(fp_int *a);
 /* c = a + b */
-void fp_add(fp_int *a, fp_int *b, fp_int *c);
+int fp_add(fp_int *a, fp_int *b, fp_int *c);
 /* c = a - b */
-void fp_sub(fp_int *a, fp_int *b, fp_int *c);
+int fp_sub(fp_int *a, fp_int *b, fp_int *c);
 /* c = a * b */
 int fp_mul(fp_int *a, fp_int *b, fp_int *c);
@ -500,13 +503,13 @@ int fp_mod(fp_int *a, fp_int *b, fp_int *c);
 int fp_cmp_d(fp_int *a, fp_digit b);
 /* c = a + b */
-void fp_add_d(fp_int *a, fp_digit b, fp_int *c);
+int fp_add_d(fp_int *a, fp_digit b, fp_int *c);
 /* c = a - b */
 int fp_sub_d(fp_int *a, fp_digit b, fp_int *c);
 /* c = a * b */
-void fp_mul_d(fp_int *a, fp_digit b, fp_int *c);
+int fp_mul_d(fp_int *a, fp_digit b, fp_int *c);
 /* a/b => cb + d == a */
 /*int fp_div_d(fp_int *a, fp_digit b, fp_int *c, fp_digit *d);*/
@ -530,6 +533,12 @@ int fp_submod(fp_int *a, fp_int *b, fp_int *c, fp_int *d);
 /* d = a + b (mod c) */
 int fp_addmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d);
 /* d = a - b (mod c) - constant time (a < c and b < c) */
 int fp_submod_ct(fp_int *a, fp_int *b, fp_int *c, fp_int *d);
 /* d = a + b (mod c) - constant time (a < c and b < c) */
 int fp_addmod_ct(fp_int *a, fp_int *b, fp_int *c, fp_int *d);
 /* c = a * a (mod b) */
 int fp_sqrmod(fp_int *a, fp_int *b, fp_int *c);
@ -549,10 +558,11 @@ int fp_montgomery_setup(fp_int *a, fp_digit *mp);
 /* computes a = B**n mod b without division or multiplication useful for
 * normalizing numbers in a Montgomery system.
 */
-void fp_montgomery_calc_normalization(fp_int *a, fp_int *b);
+int fp_montgomery_calc_normalization(fp_int *a, fp_int *b);
 /* computes x/R == x (mod N) via Montgomery Reduction */
 int fp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp);
 int fp_montgomery_reduce_ex(fp_int *a, fp_int *m, fp_digit mp, int ct);
 /* d = a**b (mod c) */
 int fp_exptmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d);
@ -637,7 +647,7 @@ int fp_count_bits(fp_int *a);
 int fp_leading_bit(fp_int *a);
 int fp_unsigned_bin_size(fp_int *a);
-void fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c);
+int fp_read_unsigned_bin(fp_int *a, const unsigned char *b, int c);
 int fp_to_unsigned_bin(fp_int *a, unsigned char *b);
 int fp_to_unsigned_bin_len(fp_int *a, unsigned char *b, int c);
 int fp_to_unsigned_bin_at_pos(int x, fp_int *t, unsigned char *b);
@ -652,7 +662,7 @@ int fp_to_unsigned_bin_at_pos(int x, fp_int *t, unsigned char *b);
 /* VARIOUS LOW LEVEL STUFFS */
-void s_fp_add(fp_int *a, fp_int *b, fp_int *c);
+int  s_fp_add(fp_int *a, fp_int *b, fp_int *c);
 void s_fp_sub(fp_int *a, fp_int *b, fp_int *c);
 void fp_reverse(unsigned char *s, int len);
@ -728,6 +738,7 @@ int  fp_sqr_comba64(fp_int *a, fp_int *b);
 #define mp_tohex(M, S)     mp_toradix((M), (S), MP_RADIX_HEX)
 MP_API int  mp_init (mp_int * a);
 MP_API int  mp_init_copy(fp_int * a, fp_int * b);
 MP_API void mp_clear (mp_int * a);
 MP_API void mp_free (mp_int * a);
 MP_API void mp_forcezero (mp_int * a);
@ -743,6 +754,8 @@ MP_API int  mp_mul_d (mp_int * a, mp_digit b, mp_int * c);
 MP_API int  mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d);
 MP_API int  mp_submod (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_addmod (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_submod_ct (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_addmod_ct (mp_int* a, mp_int* b, mp_int* c, mp_int* d);
 MP_API int  mp_mod(mp_int *a, mp_int *b, mp_int *c);
 MP_API int  mp_invmod(mp_int *a, mp_int *b, mp_int *c);
 MP_API int  mp_invmod_mont_ct(mp_int *a, mp_int *b, mp_int *c, fp_digit mp);
@ -791,9 +804,11 @@ MP_API int mp_radix_size (mp_int * a, int radix, int *size);
 #ifdef HAVE_ECC
    MP_API int mp_sqr(fp_int *a, fp_int *b);
    MP_API int mp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp);
    MP_API int mp_montgomery_reduce_ex(fp_int *a, fp_int *m, fp_digit mp,
                                       int ct);
    MP_API int mp_montgomery_setup(fp_int *a, fp_digit *rho);
    MP_API int mp_div_2(fp_int * a, fp_int * b);
-    MP_API int mp_init_copy(fp_int * a, fp_int * b);
+    MP_API int mp_div_2_mod_ct(mp_int *a, mp_int *b, mp_int *c);
 #endif
 #if defined(HAVE_ECC) || !defined(NO_RSA) || !defined(NO_DSA) || \
@ -817,6 +832,7 @@ MP_API int  mp_lcm(fp_int *a, fp_int *b, fp_int *c);
 MP_API int  mp_rand_prime(mp_int* N, int len, WC_RNG* rng, void* heap);
 MP_API int  mp_exch(mp_int *a, mp_int *b);
 #endif /* WOLFSSL_KEY_GEN */
 MP_API int  mp_cond_swap_ct (mp_int * a, mp_int * b, int c, int m);
 MP_API int  mp_cnt_lsb(fp_int *a);
 MP_API int  mp_div_2d(fp_int *a, int b, fp_int *c, fp_int *d);
--- a/source/libs/libwolfssl/wolfcrypt/types.h
+++ b/source/libs/libwolfssl/wolfcrypt/types.h
@ -22,7 +22,12 @@
 /*!
    \file wolfssl/wolfcrypt/types.h
 */
 /*
 DESCRIPTION
 This library defines the primitive data types and abstraction macros to
 decouple library dependencies with standard string, memory and so on.
 */
 #ifndef WOLF_CRYPT_TYPES_H
 #define WOLF_CRYPT_TYPES_H
@ -197,7 +202,11 @@
            #define WC_INLINE
        #endif
    #else
-        #define WC_INLINE
+        #ifdef __GNUC__
            #define WC_INLINE __attribute__((unused))
        #else
            #define WC_INLINE
        #endif
    #endif
    #endif
@ -244,7 +253,11 @@
    #if defined(__GNUC__)
        #if ((__GNUC__ > 7) || ((__GNUC__ == 7) && (__GNUC_MINOR__ >= 1)))
            #undef  FALL_THROUGH
-            #define FALL_THROUGH __attribute__ ((fallthrough));
+            #if defined(WOLFSSL_LINUXKM) && defined(fallthrough)
                #define FALL_THROUGH fallthrough
            #else
                #define FALL_THROUGH __attribute__ ((fallthrough));
            #endif
        #endif
    #endif
    #endif /* FALL_THROUGH */
@ -342,10 +355,17 @@
        #else
        /* just use plain C stdlib stuff if desired */
        #include <stdlib.h>
-        #define XMALLOC(s, h, t)     malloc((s))
+        #define XMALLOC(s, h, t)     malloc((size_t)(s))
        #define XFREE(p, h, t)       {void* xp = (p); if((xp)) free((xp));}
-        #define XREALLOC(p, n, h, t) realloc((p), (n))
+        #define XREALLOC(p, n, h, t) realloc((p), (size_t)(n))
        #endif
    #elif defined(WOLFSSL_LINUXKM)
 	/* the requisite linux/slab.h is included in wc_port.h, with incompatible warnings masked out. */
        #define XMALLOC(s, h, t)     ({(void)(h); (void)(t); kmalloc(s, GFP_KERNEL);})
        #define XFREE(p, h, t)       ({void* _xp; (void)(h); _xp = (p); if(_xp) kfree(_xp);})
        #define XREALLOC(p, n, h, t) ({(void)(h); (void)(t); krealloc((p), (n), GFP_KERNEL);})
    #elif !defined(MICRIUM_MALLOC) && !defined(EBSNET) \
            && !defined(WOLFSSL_SAFERTOS) && !defined(FREESCALE_MQX) \
            && !defined(FREESCALE_KSDK_MQX) && !defined(FREESCALE_FREE_RTOS) \
@ -375,8 +395,9 @@
        #endif /* WOLFSSL_STATIC_MEMORY */
    #endif
-    /* declare/free variable handling for async */
+    /* declare/free variable handling for async and smallstack */
-    #ifdef WOLFSSL_ASYNC_CRYPT
+    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_SMALL_STACK)
        #define DECLARE_VAR_IS_HEAP_ALLOC
        #define DECLARE_VAR(VAR_NAME, VAR_TYPE, VAR_SIZE, HEAP) \
            VAR_TYPE* VAR_NAME = (VAR_TYPE*)XMALLOC(sizeof(VAR_TYPE) * VAR_SIZE, (HEAP), DYNAMIC_TYPE_WOLF_BIGINT);
        #define DECLARE_VAR_INIT(VAR_NAME, VAR_TYPE, VAR_SIZE, INIT_VALUE, HEAP) \
@ -389,9 +410,19 @@
            })
        #define DECLARE_ARRAY(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
            VAR_TYPE* VAR_NAME[VAR_ITEMS]; \
-            int idx##VAR_NAME; \
+            int idx##VAR_NAME, inner_idx_##VAR_NAME; \
            for (idx##VAR_NAME=0; idx##VAR_NAME<VAR_ITEMS; idx##VAR_NAME++) { \
                VAR_NAME[idx##VAR_NAME] = (VAR_TYPE*)XMALLOC(VAR_SIZE, (HEAP), DYNAMIC_TYPE_WOLF_BIGINT); \
                if (VAR_NAME[idx##VAR_NAME] == NULL) { \
                    for (inner_idx_##VAR_NAME = 0; inner_idx_##VAR_NAME < idx##VAR_NAME; inner_idx_##VAR_NAME++) { \
                        XFREE(VAR_NAME[inner_idx_##VAR_NAME], HEAP, DYNAMIC_TYPE_WOLF_BIGINT); \
                        VAR_NAME[inner_idx_##VAR_NAME] = NULL; \
                    } \
                    for (inner_idx_##VAR_NAME = idx##VAR_NAME + 1; inner_idx_##VAR_NAME < VAR_ITEMS; inner_idx_##VAR_NAME++) { \
                        VAR_NAME[inner_idx_##VAR_NAME] = NULL; \
                    } \
                    break; \
                } \
            }
        #define FREE_VAR(VAR_NAME, HEAP) \
            XFREE(VAR_NAME, (HEAP), DYNAMIC_TYPE_WOLF_BIGINT);
@ -406,6 +437,7 @@
        #define FREE_ARRAY_DYNAMIC(VAR_NAME, VAR_ITEMS, HEAP) \
            FREE_ARRAY(VAR_NAME, VAR_ITEMS, HEAP)
    #else
        #undef DECLARE_VAR_IS_HEAP_ALLOC
        #define DECLARE_VAR(VAR_NAME, VAR_TYPE, VAR_SIZE, HEAP) \
            VAR_TYPE VAR_NAME[VAR_SIZE]
        #define DECLARE_VAR_INIT(VAR_NAME, VAR_TYPE, VAR_SIZE, INIT_VALUE, HEAP) \
@ -417,10 +449,20 @@
        #define DECLARE_ARRAY_DYNAMIC_DEC(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
            VAR_TYPE* VAR_NAME[VAR_ITEMS]; \
-            int idx##VAR_NAME;
+            int idx##VAR_NAME, inner_idx_##VAR_NAME;
        #define DECLARE_ARRAY_DYNAMIC_EXE(VAR_NAME, VAR_TYPE, VAR_ITEMS, VAR_SIZE, HEAP) \
            for (idx##VAR_NAME=0; idx##VAR_NAME<VAR_ITEMS; idx##VAR_NAME++) { \
                VAR_NAME[idx##VAR_NAME] = (VAR_TYPE*)XMALLOC(VAR_SIZE, (HEAP), DYNAMIC_TYPE_TMP_BUFFER); \
                if (VAR_NAME[idx##VAR_NAME] == NULL) { \
                    for (inner_idx_##VAR_NAME = 0; inner_idx_##VAR_NAME < idx##VAR_NAME; inner_idx_##VAR_NAME++) { \
                        XFREE(VAR_NAME[inner_idx_##VAR_NAME], HEAP, DYNAMIC_TYPE_TMP_BUFFER); \
                        VAR_NAME[inner_idx_##VAR_NAME] = NULL; \
                    } \
                    for (inner_idx_##VAR_NAME = idx##VAR_NAME + 1; inner_idx_##VAR_NAME < VAR_ITEMS; inner_idx_##VAR_NAME++) { \
                        VAR_NAME[inner_idx_##VAR_NAME] = NULL; \
                    } \
                    break; \
                } \
            }
        #define FREE_ARRAY_DYNAMIC(VAR_NAME, VAR_ITEMS, HEAP) \
            for (idx##VAR_NAME=0; idx##VAR_NAME<VAR_ITEMS; idx##VAR_NAME++) { \
@ -437,12 +479,17 @@
        #define USE_WOLF_STRSEP
    #endif
-    #ifndef STRING_USER
+	#ifndef STRING_USER
-        #include <string.h>
+        #if defined(WOLFSSL_LINUXKM)
-        #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
+            #include <linux/string.h>
-        #define XMEMSET(b,c,l)    memset((b),(c),(l))
+        #else
-        #define XMEMCMP(s1,s2,n)  memcmp((s1),(s2),(n))
+            #include <string.h>
-        #define XMEMMOVE(d,s,l)   memmove((d),(s),(l))
+        #endif
 	    #define XMEMCPY(d,s,l)    memcpy((d),(s),(l))
 	    #define XMEMSET(b,c,l)    memset((b),(c),(l))
 	    #define XMEMCMP(s1,s2,n)  memcmp((s1),(s2),(n))
 	    #define XMEMMOVE(d,s,l)   memmove((d),(s),(l))
        #define XSTRLEN(s1)       strlen((s1))
        #define XSTRNCPY(s1,s2,n) strncpy((s1),(s2),(n))
@ -489,7 +536,37 @@
                   for snprintf */
                #include <stdio.h>
            #endif
-            #define XSNPRINTF snprintf
+            #if defined(WOLFSSL_ESPIDF) && \
                (!defined(NO_ASN_TIME) && defined(HAVE_PKCS7))
                    #include<stdarg.h>
                    /* later gcc than 7.1 introduces -Wformat-truncation    */
                    /* In cases when truncation is expected the caller needs*/
                    /* to check the return value from the function so that  */
                    /* compiler doesn't complain.                           */
                    /* xtensa-esp32-elf v8.2.0 warns trancation at          */
                    /* GetAsnTimeString()                                   */
                    static WC_INLINE
                    int _xsnprintf_(char *s, size_t n, const char *format, ...)
                    {
                        va_list ap;
                        int ret;
                        if ((int)n <= 0) return -1;
                        va_start(ap, format);
                        ret = vsnprintf(s, n, format, ap);
                        if (ret < 0)
                            ret = -1;
                        va_end(ap);
                        return ret;
                    }
                #define XSNPRINTF _xsnprintf_
            #else
                #define XSNPRINTF snprintf
            #endif
            #endif
        #else
            #if defined(_MSC_VER) || defined(__CYGWIN__) || defined(__MINGW32__)
@ -565,9 +642,11 @@
        #endif
    #endif /* OPENSSL_EXTRA */
-    #ifndef CTYPE_USER
+	#ifndef CTYPE_USER
-        #include <ctype.h>
+            #ifndef WOLFSSL_LINUXKM
-        #if defined(HAVE_ECC) || defined(HAVE_OCSP) || \
+                #include <ctype.h>
            #endif
 	    #if defined(HAVE_ECC) || defined(HAVE_OCSP) || \
            defined(WOLFSSL_KEY_GEN) || !defined(NO_DSA)
            #define XTOUPPER(c)     toupper((c))
            #define XISALPHA(c)     isalpha((c))
--- a/source/libs/libwolfssl/wolfcrypt/wc_encrypt.h
+++ b/source/libs/libwolfssl/wolfcrypt/wc_encrypt.h
@ -28,24 +28,33 @@
 #define WOLF_CRYPT_ENCRYPT_H
 #include <libs/libwolfssl/wolfcrypt/types.h>
-#include <libs/libwolfssl/wolfcrypt/aes.h>
+#ifndef NO_AES
-#include <libs/libwolfssl/wolfcrypt/chacha.h>
+    #include <libs/libwolfssl/wolfcrypt/aes.h>
-#include <libs/libwolfssl/wolfcrypt/des3.h>
+#endif
-#include <libs/libwolfssl/wolfcrypt/arc4.h>
+#ifdef HAVE_CHACHA
    #include <libs/libwolfssl/wolfcrypt/chacha.h>
 #endif
 #ifndef NO_DES3
    #include <libs/libwolfssl/wolfcrypt/des3.h>
 #endif
 #ifndef NO_RC4
    #include <libs/libwolfssl/wolfcrypt/arc4.h>
 #endif
 #ifdef __cplusplus
    extern "C" {
 #endif
-/* determine max cipher key size */
+/* determine max cipher key size - cannot use enum values here, must be define,
 * since WC_MAX_SYM_KEY_SIZE is used in if macro logic. */
 #ifndef NO_AES
    #define WC_MAX_SYM_KEY_SIZE     (AES_MAX_KEY_SIZE/8)
 #elif defined(HAVE_CHACHA)
-    #define WC_MAX_SYM_KEY_SIZE     CHACHA_MAX_KEY_SZ
+    #define WC_MAX_SYM_KEY_SIZE     32 /* CHACHA_MAX_KEY_SZ */
 #elif !defined(NO_DES3)
-    #define WC_MAX_SYM_KEY_SIZE     DES3_KEY_SIZE
+    #define WC_MAX_SYM_KEY_SIZE     24 /* DES3_KEY_SIZE */
 #elif !defined(NO_RC4)
-    #define WC_MAX_SYM_KEY_SIZE     RC4_KEY_SIZE
+    #define WC_MAX_SYM_KEY_SIZE     16 /* RC4_KEY_SIZE */
 #else
    #define WC_MAX_SYM_KEY_SIZE     32
 #endif
--- a/source/libs/libwolfssl/wolfcrypt/wc_pkcs11.h
+++ b/source/libs/libwolfssl/wolfcrypt/wc_pkcs11.h
@ -6,7 +6,7 @@
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
+ * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
--- a/source/libs/libwolfssl/wolfcrypt/wc_port.h
+++ b/source/libs/libwolfssl/wolfcrypt/wc_port.h
@ -54,6 +54,115 @@
    #endif
 #endif
 #ifdef WOLFSSL_LINUXKM
    #ifdef HAVE_CONFIG_H
        #ifndef PACKAGE_NAME
            #error wc_port.h included before config.h
        #endif
        /* config.h is autogenerated without gating, and is subject to repeat
         * inclusions, so gate it out here to keep autodetection masking
         * intact:
         */
        #undef HAVE_CONFIG_H
    #endif
    #ifdef BUILDING_WOLFSSL
    _Pragma("GCC diagnostic push");
    /* we include all the needed kernel headers with these masked out. else
     * there are profuse warnings.
     */
    _Pragma("GCC diagnostic ignored \"-Wunused-parameter\"");
    _Pragma("GCC diagnostic ignored \"-Wpointer-arith\"");
    _Pragma("GCC diagnostic ignored \"-Wshadow\"");
    _Pragma("GCC diagnostic ignored \"-Wnested-externs\"");
    _Pragma("GCC diagnostic ignored \"-Wredundant-decls\"");
    _Pragma("GCC diagnostic ignored \"-Wsign-compare\"");
    _Pragma("GCC diagnostic ignored \"-Wpointer-sign\"");
    _Pragma("GCC diagnostic ignored \"-Wbad-function-cast\"");
    #include <linux/kconfig.h>
    #include <linux/kernel.h>
    #include <linux/version.h>
    #include <linux/ctype.h>
    #include <linux/init.h>
    #include <linux/module.h>
    #ifndef SINGLE_THREADED
        #include <linux/kthread.h>
    #endif
    #include <linux/net.h>
    #include <linux/slab.h>
    #if defined(WOLFSSL_AESNI) || defined(USE_INTEL_SPEEDUP)
        #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
            #include <asm/i387.h>
        #else
            #include <asm/simd.h>
        #endif
        #define SAVE_VECTOR_REGISTERS() kernel_fpu_begin()
        #define RESTORE_VECTOR_REGISTERS() kernel_fpu_end()
    #elif defined(WOLFSSL_ARMASM)
        #include <asm/fpsimd.h>
        #define SAVE_VECTOR_REGISTERS() ({ preempt_disable(); fpsimd_preserve_current_state(); })
        #define RESTORE_VECTOR_REGISTERS() ({ fpsimd_restore_current_state(); preempt_enable(); })
    #else
        #define SAVE_VECTOR_REGISTERS() ({})
        #define RESTORE_VECTOR_REGISTERS() ({})
    #endif
    _Pragma("GCC diagnostic pop");
    /* remove this multifariously conflicting macro, picked up from
     * Linux arch/<arch>/include/asm/current.h.
     */
    #undef current
    /* prevent gcc's mm_malloc.h from being included, since it unconditionally
     * includes stdlib.h, which is kernel-incompatible.
     */
    #define _MM_MALLOC_H_INCLUDED
    #define malloc(x) kmalloc(x, GFP_KERNEL)
    #define free(x) kfree(x)
    #define realloc(x,y) krealloc(x, y, GFP_KERNEL)
    /* min() and max() in linux/kernel.h over-aggressively type-check, producing
     * myriad spurious -Werrors throughout the codebase.
     */
    #undef min
    #undef max
    /* work around namespace conflict between wolfssl/internal.h (enum HandShakeType)
     * and linux/key.h (extern int()).
     */
    #define key_update wc_key_update
    #define lkm_printf(format, args...) printk(KERN_INFO "wolfssl: %s(): " format, __func__, ## args)
    #define printf(...) lkm_printf(__VA_ARGS__)
    #endif /* BUILDING_WOLFSSL */
    /* needed to suppress inclusion of stdio.h in wolfssl/wolfcrypt/types.h */
    #define XSNPRINTF snprintf
    /* the rigmarole around kstrtol() here is to accommodate its warn-unused-result attribute. */
    #define XATOI(s) ({                                 \
          long _xatoi_res = 0;                          \
          int _xatoi_ret = kstrtol(s, 10, &_xatoi_res); \
          if (_xatoi_ret != 0) {                        \
            _xatoi_res = 0;                             \
          }                                             \
          (int)_xatoi_res;                              \
        })
 #else /* ! WOLFSSL_LINUXKM */
    #ifdef BUILDING_WOLFSSL
        #define SAVE_VECTOR_REGISTERS() do{}while(0)
        #define RESTORE_VECTOR_REGISTERS() do{}while(0)
    #endif
 #endif /* WOLFSSL_LINUXKM */
 /* THREADING/MUTEX SECTION */
 #ifdef USE_WINDOWS_API
@ -156,8 +265,14 @@
 #else
    #ifndef SINGLE_THREADED
-        #define WOLFSSL_PTHREADS
+        #ifndef WOLFSSL_USER_MUTEX
-        #include <pthread.h>
+            #if defined(WOLFSSL_LINUXKM)
                #define WOLFSSL_KTHREADS
            #else
                #define WOLFSSL_PTHREADS
                #include <pthread.h>
            #endif
        #endif
    #endif
    #if (defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS)) && \
        !defined(NO_FILESYSTEM)
@ -192,6 +307,8 @@
        typedef CRITICAL_SECTION wolfSSL_Mutex;
    #elif defined(WOLFSSL_PTHREADS)
        typedef u32 wolfSSL_Mutex; /* pthread_mutex_t = mutex_t = u32 */
    #elif defined(WOLFSSL_KTHREADS)
        typedef struct mutex wolfSSL_Mutex;
    #elif defined(THREADX)
        typedef TX_MUTEX wolfSSL_Mutex;
    #elif defined(WOLFSSL_DEOS)
@ -238,6 +355,10 @@
        typedef struct k_mutex wolfSSL_Mutex;
    #elif defined(WOLFSSL_TELIT_M2MB)
        typedef M2MB_OS_MTX_HANDLE wolfSSL_Mutex;
    #elif defined(WOLFSSL_USER_MUTEX)
        /* typedef User_Mutex wolfSSL_Mutex; */
    #elif defined(WOLFSSL_LINUXKM)
        typedef struct mutex wolfSSL_Mutex;
    #else
        #error Need a mutex type in multithreaded mode
    #endif /* USE_WINDOWS_API */
@ -245,7 +366,7 @@
 /* Enable crypt HW mutex for Freescale MMCAU, PIC32MZ or STM32 */
 #if defined(FREESCALE_MMCAU) || defined(WOLFSSL_MICROCHIP_PIC32MZ) || \
-    defined(STM32_CRYPTO)
+    defined(STM32_CRYPTO) || defined(STM32_HASH) || defined(STM32_RNG)
    #ifndef WOLFSSL_CRYPT_HW_MUTEX
        #define WOLFSSL_CRYPT_HW_MUTEX  1
    #endif
@ -414,6 +535,23 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
    #define XBADFILE                 -1
    #define XFGETS(b,s,f)            -2 /* Not ported yet */
 #elif defined (WOLFSSL_XILINX)
    #include "xsdps.h"
    #include "ff.h"
    /* workaround to declare variable and provide type */
    #define XFILE                    FIL curFile; FIL*
    #define XFOPEN(NAME, MODE)       ({ FRESULT res; res = f_open(&curFile, (NAME), (FA_OPEN_ALWAYS | FA_WRITE | FA_READ)); (res == FR_OK) ? &curFile : NULL; })
    #define XFSEEK(F, O, W)          f_lseek((F), (O))
    #define XFTELL(F)                f_tell((F))
    #define XREWIND(F)               f_rewind((F))
    #define XFREAD(BUF, SZ, AMT, F)  ({ FRESULT res; UINT br; res = f_read((F), (BUF), (SZ)*(AMT), &br); (void)br; res; })
    #define XFWRITE(BUF, SZ, AMT, F) ({ FRESULT res; UINT written; res = f_write((F), (BUF), (SZ)*(AMT), &written); (void)written; res; })
    #define XFCLOSE(F)               f_close((F))
    #define XSEEK_END                0
    #define XBADFILE                 NULL
    #define XFGETS(b,s,f)            f_gets((b), (s), (f))
 #elif defined(WOLFSSL_USER_FILESYSTEM)
    /* To be defined in user_settings.h */
 #else
@ -451,6 +589,9 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
        #define MAX_PATH 256
    #endif
    WOLFSSL_LOCAL int wc_FileLoad(const char* fname, unsigned char** buf, 
        size_t* bufLen, void* heap);
 #if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_NUCLEUS) && \
    !defined(WOLFSSL_NUCLEUS_1_2)
    typedef struct ReadDirCtx {
@ -528,7 +669,9 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
    #define NEED_TMP_TIME
 #elif defined(WOLFSSL_XILINX)
-    #define USER_TIME
+    #ifndef XTIME
        #define XTIME(t1)       xilinx_time((t1))
    #endif
    #include <time.h>
 #elif defined(HAVE_RTP_SYS)
@ -553,6 +696,7 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
 #elif defined(MICROCHIP_TCPIP_V5) || defined(MICROCHIP_TCPIP)
    #include <time.h>
    extern time_t pic32_time(time_t* timer);
    #define XTIME(t1)       pic32_time((t1))
    #define XGMTIME(c, t)   gmtime((c))
@ -637,6 +781,24 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
    #define WOLFSSL_GMTIME
    #define USE_WOLF_TM
 #elif defined(WOLFSSL_LINUXKM)
    #ifdef BUILDING_WOLFSSL
    /* includes are all above, with incompatible warnings masked out. */
    #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
    typedef __kernel_time_t time_t;
    #else
    typedef __kernel_time64_t time_t;
    #endif
    extern time_t time(time_t * timer);
    #define XTIME time
    #define WOLFSSL_GMTIME
    #define XGMTIME(c, t) gmtime(c)
    #define NO_TIMEVAL 1
    #endif /* BUILDING_WOLFSSL */
 #else
    /* default */
    /* uses complete <time.h> facility */
@ -674,16 +836,17 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
    #endif
 #endif
 #if !defined(XGMTIME) && !defined(TIME_OVERRIDES)
-    #if defined(WOLFSSL_GMTIME) || !defined(HAVE_GMTIME_R) || defined(WOLF_C99)
+    /* Always use gmtime_r if available. */
-        #define XGMTIME(c, t)   gmtime((c))
+    #if defined(HAVE_GMTIME_R)
    #else
        #define XGMTIME(c, t)   gmtime_r((c), (t))
        #define NEED_TMP_TIME
    #else
        #define XGMTIME(c, t)   gmtime((c))
    #endif
 #endif
 #if !defined(XVALIDATE_DATE) && !defined(HAVE_VALIDATE_DATE)
    #define USE_WOLF_VALIDDATE
-    #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
+    #define XVALIDATE_DATE(d, f, t) wc_ValidateDate((d), (f), (t))
 #endif
 /* wolf struct tm and time_t */
@ -742,7 +905,7 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
 #endif
 #ifndef FILE_BUFFER_SIZE
-    #define FILE_BUFFER_SIZE 1024     /* default static file buffer size for input,
+    #define FILE_BUFFER_SIZE 1024     /* default static file buffer size for input, \
                                    will use dynamic buffer if not big enough */
 #endif
--- a/source/libs/libwolfssl/wolfcrypt/wolfmath.h
+++ b/source/libs/libwolfssl/wolfcrypt/wolfmath.h
@ -19,6 +19,11 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */
 /*
 DESCRIPTION
 This library provides big integer math functions.
 */
 #ifndef __WOLFMATH_H__
 #define __WOLFMATH_H__
--- a/source/libs/libwolfssl/wolfio.h
+++ b/source/libs/libwolfssl/wolfio.h
@ -94,6 +94,8 @@
    #elif defined(WOLFSSL_NUCLEUS_1_2)
        #include <externs.h>
        #include <errno.h>
    #elif defined(WOLFSSL_LINUXKM)
        /* the requisite linux/net.h is included in wc_port.h, with incompatible warnings masked out. */
    #elif defined(WOLFSSL_ATMEL)
        #include "socket/include/socket.h"
    #elif defined(INTIME_RTOS)
@ -126,6 +128,8 @@
        #include <errno.h>
    #elif defined(WOLFSSL_ZEPHYR)
        #include <net/socket.h>
    #elif defined(MICROCHIP_PIC32)
        #include <sys/errno.h>
    #elif defined(HAVE_NETX)
        #include "nx_api.h"
        #include "errno.h"
@ -147,7 +151,6 @@
                && !defined(WOLFSSL_CONTIKI) && !defined(WOLFSSL_WICED) \
                && !defined(WOLFSSL_GNRC) && !defined(WOLFSSL_RIOT_OS)
            #include <network.h>
            //#include <sys/socket.h>
            //#include <arpa/inet.h>
            //#include <netinet/in.h>
            //#include <netdb.h>
@ -159,7 +162,7 @@
        #endif
    #endif
-    #if defined(WOLFSSL_RENESAS_RA6M3G) /* Uses FREERTOS_TCP */
+    #if defined(WOLFSSL_RENESAS_RA6M3G) || defined(WOLFSSL_RENESAS_RA6M3) /* Uses FREERTOS_TCP */
        #include <errno.h>
    #endif
@ -294,6 +297,9 @@
    #define SEND_FUNCTION send
    #define RECV_FUNCTION recv
 #elif defined(WOLFSSL_LINUXKM)
    #define SEND_FUNCTION linuxkm_send
    #define RECV_FUNCTION linuxkm_recv
 #else
    #define SEND_FUNCTION send
    #define RECV_FUNCTION recv
--- a/source/network/ImageDownloader.cpp
+++ b/source/network/ImageDownloader.cpp
@ -215,7 +215,7 @@ int ImageDownloader::DownloadProcess(int TotalDownloadCount)
 			fclose(pfile);
 			MissingImagesCount--;
 		}
-		free(file.data);
+		MEM2_free(file.data);
 		gprintf("File saved successfully (%s%s)\n", MissingImages[i].gameID.c_str(), MissingImages[i].fileExt);
 		//! Remove the image from the vector since it's done
@ -298,7 +298,7 @@ void ImageDownloader::DownloadImage(const char *url, const char *gameID, const c
 	if(PAL && strcmp(CheckedRegion, "EN") != 0)
 	{
 		snprintf(downloadURL, sizeof(downloadURL), "%sEN/%s.png", url, gameID);
-		gprintf(" - Not found.\n%s", downloadURL);
+		gprintf(" - Not found.\n%s\n", downloadURL);
 		downloadfile(downloadURL, file);
 		if(VALID_IMAGE(file))
 			return;
@ -311,13 +311,13 @@ void ImageDownloader::DownloadImage(const char *url, const char *gameID, const c
 			lang = "US";
 		snprintf(downloadURL, sizeof(downloadURL), "%s%s/%s.png", url, lang, gameID);
-		gprintf(" - Not found.\n%s", downloadURL);
+		gprintf(" - Not found.\n%s\n", downloadURL);
 		downloadfile(downloadURL, file);
 		if(VALID_IMAGE(file))
 			return;
 		snprintf(downloadURL, sizeof(downloadURL), "%sOTHER/%s.png", url, gameID);
-		gprintf(" - Not found.\n%s", downloadURL);
+		gprintf(" - Not found.\n%s\n", downloadURL);
 		downloadfile(downloadURL, file);
 		if(VALID_IMAGE(file))
 			return;
@ -326,7 +326,7 @@ void ImageDownloader::DownloadImage(const char *url, const char *gameID, const c
 		{
 			lang = "RU";
 			snprintf(downloadURL, sizeof(downloadURL), "%s%s/%s.png", url, lang, gameID);
-			gprintf(" - Not found.\n%s", downloadURL);
+			gprintf(" - Not found.\n%s\n", downloadURL);
 			downloadfile(downloadURL, file);
 			if(VALID_IMAGE(file))
 				return;
@ -336,14 +336,14 @@ void ImageDownloader::DownloadImage(const char *url, const char *gameID, const c
 		{
 			lang = "FI";
 			snprintf(downloadURL, sizeof(downloadURL), "%s%s/%s.png", url, lang, gameID);
-			gprintf(" - Not found.\n%s", downloadURL);
+			gprintf(" - Not found.\n%s\n", downloadURL);
 			downloadfile(downloadURL, file);
 			if(VALID_IMAGE(file))
 				return;
 			lang = "SE";
 			snprintf(downloadURL, sizeof(downloadURL), "%s%s/%s.png", url, lang, gameID);
-			gprintf(" - Not found.\n%s", downloadURL);
+			gprintf(" - Not found.\n%s\n", downloadURL);
 			downloadfile(downloadURL, file);
 			if(VALID_IMAGE(file))
 				return;
--- a/source/network/URL_List.cpp
+++ b/source/network/URL_List.cpp
@ -36,7 +36,7 @@ URL_List::URL_List(const char * url)
 	Links = (Link_Info *) malloc(sizeof(Link_Info));
 	if (!Links)
 	{
-		free(file.data);
+		MEM2_free(file.data);
 		urlcount = -3;
 		return;
 	}
@ -71,7 +71,7 @@ URL_List::URL_List(const char * url)
 				}
 				free(Links);
 				Links = NULL;
-				free(file.data);
+				MEM2_free(file.data);
 				urlcount = -4;
 				break;
 			}
@ -89,7 +89,7 @@ URL_List::URL_List(const char * url)
 				}
 				free(Links);
 				Links = NULL;
-				free(file.data);
+				MEM2_free(file.data);
 				urlcount = -5;
 				break;
 			}
@ -105,7 +105,7 @@ URL_List::URL_List(const char * url)
 		cnt++;
 	}
-	free(file.data);
+	MEM2_free(file.data);
 }
 URL_List::~URL_List()
--- a/source/network/Wiinnertag.cpp
+++ b/source/network/Wiinnertag.cpp
@ -79,7 +79,7 @@ bool Wiinnertag::Send(const char *gameID)
 		replaceString(sendURL, "{KEY}", tagList[i].second.c_str());
 		struct download file = {};
-		file.skip_response = 1;
+		file.skip_response = true;
 		downloadfile(sendURL, &file);
 	}
--- a/source/network/https.c
+++ b/source/network/https.c
@ -2,79 +2,113 @@
    Code by blackb0x @ GBAtemp.net
    This allows the Wii to download from servers that use SNI.
 */
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <network.h>
 #include <ogc/lwp_watchdog.h>
 #include <unistd.h>
 #include "https.h"
 #include "gecko.h"
 #include "../svnrev.h"
-#include "picohttpparser.h"
+#include "gecko.h"
 #include "https.h"
 #include "prompts/ProgressWindow.h"
 #include "settings/ProxySettings.h"
 #include "utils/base64.h"
 u8 loop;
 WOLFSSL_SESSION *session;
-int https_write(HTTP_INFO *httpinfo, char *buffer, int len)
+int https_write(HTTP_INFO *httpinfo, char *buffer, int len, bool proxy)
 {
-    int ret, slen = 0;
+    int ret, pos = 0;
-    while (1)
+    int rlen = len > BLOCK_SIZE ? BLOCK_SIZE : len;
    u64 time = gettime();
    while (ticks_to_millisecs(diff_ticks(time, gettime())) < READ_WRITE_TIMEOUT)
    {
-        if (httpinfo->use_https)
+        if (httpinfo->use_https && !proxy)
-            ret = wolfSSL_write(httpinfo->ssl, &buffer[slen], len - slen);
+            ret = wolfSSL_write(httpinfo->ssl, &buffer[pos], rlen);
        else
-            ret = net_write(httpinfo->sock, &buffer[slen], len - slen);
+            ret = net_write(httpinfo->sock, &buffer[pos], rlen);
-
+        if (ret > 0)
-        if (ret == 0)
+        {
-            continue;
+            pos += ret;
-        else if (ret <= 0)
+            rlen = len - pos > BLOCK_SIZE ? BLOCK_SIZE : len - pos;
-            return ret; // Timeout would return -1
+            if (pos >= len)
-
+                return pos;
-        slen += ret;
+            time = gettime();
-        if (slen >= len)
+        }
-            break;
+        usleep(10000);
    }
-    return slen;
+#ifdef DEBUG_NETWORK
    gprintf("The connection timed out (write)\n");
 #endif
    return -ETIMEDOUT;
 }
-int https_read(HTTP_INFO *httpinfo, char *buffer, int len)
+int https_read(HTTP_INFO *httpinfo, char *buffer, int len, bool proxy)
 {
-    struct pollsd fds[1];
+    int ret = -ETIMEDOUT;
-    fds[0].socket = httpinfo->sock;
+    u64 time = gettime();
-    fds[0].events = POLLIN;
+    if (len > BLOCK_SIZE)
-
+        len = BLOCK_SIZE;
-    net_fcntl(httpinfo->sock, F_SETFL, 4);
+    while (ticks_to_millisecs(diff_ticks(time, gettime())) < READ_WRITE_TIMEOUT)
    switch (net_poll(fds, 1, READ_WRITE_TIMEOUT))
    {
-    case -1:
+        if (httpinfo->use_https && !proxy)
-#ifdef DEBUG_NETWORK
+            ret = wolfSSL_read(httpinfo->ssl, buffer, len);
-        gprintf("net_poll error\n");
+        else
-#endif
+            ret = net_read(httpinfo->sock, buffer, len);
-        return -1;
+        if (ret >= 0)
-    case 0:
+            return ret;
-#ifdef DEBUG_NETWORK
+        usleep(10000);
        gprintf("The connection timed out\n");
 #endif
        return -ETIMEDOUT;
    default:
        net_fcntl(httpinfo->sock, F_SETFL, 0);
        if (len > 8192)
            len = 8192; // 16KB is the max on a Wii, but 8KB is safe
        if (httpinfo->use_https)
            return wolfSSL_read(httpinfo->ssl, buffer, len);
        return net_read(httpinfo->sock, buffer, len);
    }
 #ifdef DEBUG_NETWORK
    gprintf("The connection timed out (read)\n");
 #endif
    return -ETIMEDOUT;
 }
 int send_callback(__attribute__((unused)) WOLFSSL *ssl, char *buf, int sz, void *ctx)
 {
    int sent = net_write(*(int *)ctx, buf, sz);
    if (sent < 0)
    {
        if (sent == -EAGAIN)
            return WOLFSSL_CBIO_ERR_WANT_WRITE;
        else if (sent == -ECONNRESET)
            return WOLFSSL_CBIO_ERR_CONN_RST;
        else if (sent == -EINTR)
            return WOLFSSL_CBIO_ERR_ISR;
        else if (sent == -EPIPE)
            return WOLFSSL_CBIO_ERR_CONN_CLOSE;
        else
            return WOLFSSL_CBIO_ERR_GENERAL;
    }
    return sent;
 }
 int recv_callback(__attribute__((unused)) WOLFSSL *ssl, char *buf, int sz, void *ctx)
 {
    int recvd = net_read(*(int *)ctx, buf, sz);
    if (recvd < 0)
    {
        if (recvd == -EAGAIN)
            return WOLFSSL_CBIO_ERR_WANT_READ;
        else if (recvd == -ECONNRESET)
            return WOLFSSL_CBIO_ERR_CONN_RST;
        else if (recvd == -EINTR)
            return WOLFSSL_CBIO_ERR_ISR;
        else if (recvd == -ECONNABORTED)
            return WOLFSSL_CBIO_ERR_CONN_CLOSE;
        else
            return WOLFSSL_CBIO_ERR_GENERAL;
    }
    else if (recvd == 0)
        return WOLFSSL_CBIO_ERR_CONN_CLOSE;
    return recvd;
 }
 void https_close(HTTP_INFO *httpinfo)
 {
    if (httpinfo->use_https)
    {
-        if (wolfSSL_shutdown(httpinfo->ssl) == SSL_SHUTDOWN_NOT_DONE)
+        wolfSSL_shutdown(httpinfo->ssl);
            wolfSSL_shutdown(httpinfo->ssl);
        wolfSSL_free(httpinfo->ssl);
        wolfSSL_CTX_free(httpinfo->ctx);
    }
@ -84,41 +118,42 @@ void https_close(HTTP_INFO *httpinfo)
 #endif
 }
-u8 get_header_value(struct phr_header *headers, size_t num_headers, char *dst, char *header)
+bool get_header_value(struct phr_header *headers, size_t num_headers, char *dst, char *header)
 {
    for (size_t i = 0; i != num_headers; ++i)
    {
        if (strncasecmp(header, headers[i].name, headers[i].name_len) == 0)
        {
            strlcpy(dst, headers[i].value, headers[i].value_len + 1);
-            return 1;
+            return true;
        }
    }
-    return 0;
+    return false;
 }
 u64 get_header_value_int(struct phr_header *headers, size_t num_headers, char *header)
 {
-    char header_value[30] = {};
+    char header_value[30];
    if (!get_header_value(headers, num_headers, header_value, header))
        return 0;
    return strtoull(header_value, NULL, 0);
 }
-u8 is_chunked(struct phr_header *headers, size_t num_headers)
+bool is_chunked(struct phr_header *headers, size_t num_headers)
 {
-    char encoding[10] = {};
+    char encoding[9];
    if (!get_header_value(headers, num_headers, encoding, "transfer-encoding"))
-        return 0;
+        return false;
-    return (strcasecmp(encoding, "chunked") == 0) ? 1 : 0;
+    return (strcasecmp(encoding, "chunked") == 0);
 }
-u8 read_chunked(HTTP_INFO *httpinfo, struct download *buffer, size_t start_pos)
+bool read_chunked(HTTP_INFO *httpinfo, struct download *buffer, size_t start_pos)
 {
-    struct phr_chunked_decoder decoder = {};
+    struct phr_chunked_decoder decoder = {0};
-    size_t capacity = 4096, rsize;
+    size_t rsize, capacity = 4096;
-    ssize_t rret, pret;
+    ssize_t pret;
-    decoder.consume_trailer = 1;
+    int ret;
    decoder.consume_trailer = true;
 #ifdef DEBUG_NETWORK
    gprintf("Data is chunked\n");
 #endif
@ -127,7 +162,7 @@ u8 read_chunked(HTTP_INFO *httpinfo, struct download *buffer, size_t start_pos)
        if (buffer->show_progress)
        {
            if (ProgressCanceled())
-                return 0;
+                return false;
            ShowProgress(start_pos, capacity); // Unknown size for chunked transfers
        }
        if (start_pos == capacity)
@ -136,46 +171,39 @@ u8 read_chunked(HTTP_INFO *httpinfo, struct download *buffer, size_t start_pos)
            gprintf("Increased buffer size\n");
 #endif
            capacity *= 2;
-            buffer->data = realloc(buffer->data, capacity);
+            buffer->data = MEM2_realloc(buffer->data, capacity);
        }
-        while ((rret = https_read(httpinfo, &buffer->data[start_pos], capacity - start_pos)) == -1 && errno == EINTR)
+        if ((ret = https_read(httpinfo, &buffer->data[start_pos], capacity - start_pos, false)) < 1)
-            ;
+            return false;
-        if (rret <= 0)
+        rsize = ret;
        {
 #ifdef DEBUG_NETWORK
            gprintf("IO error\n");
 #endif
            return 0;
        }
        rsize = rret;
        pret = phr_decode_chunked(&decoder, &buffer->data[start_pos], &rsize);
        if (pret == -1)
        {
 #ifdef DEBUG_NETWORK
            gprintf("Parse error\n");
 #endif
-            return 0;
+            return false;
        }
        start_pos += rsize;
    } while (pret == -2);
    buffer->size = start_pos;
-    buffer->data = realloc(buffer->data, buffer->size);
+    buffer->data = MEM2_realloc(buffer->data, buffer->size);
-    return 1;
+    return true;
 }
-u8 read_all(HTTP_INFO *httpinfo, struct download *buffer, size_t start_pos)
+bool read_all(HTTP_INFO *httpinfo, struct download *buffer, size_t start_pos)
 {
    size_t capacity = 4096;
-    ssize_t ret;
+    int ret;
 #ifdef DEBUG_NETWORK
    gprintf("Data is not chunked\n");
 #endif
-    while (1)
+    while (true)
    {
        if (buffer->show_progress)
        {
            if (ProgressCanceled())
-                return 0;
+                return false;
            ShowProgress(start_pos, buffer->content_length);
        }
        if (start_pos == capacity)
@ -184,81 +212,140 @@ u8 read_all(HTTP_INFO *httpinfo, struct download *buffer, size_t start_pos)
            gprintf("Increased buffer size\n");
 #endif
            capacity *= 2;
-            buffer->data = realloc(buffer->data, capacity);
+            buffer->data = MEM2_realloc(buffer->data, capacity);
        }
-        while ((ret = https_read(httpinfo, &buffer->data[start_pos], capacity - start_pos)) == -1 && errno == EINTR)
+        if ((ret = https_read(httpinfo, &buffer->data[start_pos], capacity - start_pos, false)) == 0)
            ;
        if (ret == 0)
            break;
        if (ret < 0)
-            return 0;
+            return false;
        start_pos += ret;
    };
    buffer->size = start_pos;
-    buffer->data = realloc(buffer->data, buffer->size);
+    buffer->data = MEM2_realloc(buffer->data, buffer->size);
-    return 1;
+    return (buffer->content_length > 0 && buffer->content_length == start_pos);
 }
 bool get_response(HTTP_INFO *httpinfo, HTTP_RESPONSE *resp, bool proxy)
 {
    int rret, minor_version;
    size_t msg_len, prevbuflen;
    const char *msg;
    while (true)
    {
        if ((rret = https_read(httpinfo, &resp->data[resp->buflen], 1, proxy)) < 1)
            return false;
        prevbuflen = resp->buflen;
        resp->buflen += rret;
        // Parse the response
        resp->num_headers = sizeof(resp->headers) / sizeof(resp->headers[0]);
        if ((resp->pret = phr_parse_response(resp->data, resp->buflen, &minor_version, &resp->status, &msg, &msg_len,
                                             resp->headers, &resp->num_headers, prevbuflen)) > 0)
            return true;
        else if (resp->pret == -1)
        {
 #ifdef DEBUG_NETWORK
            gprintf("pret error %i\n", resp->pret);
 #endif
            return false;
        }
        if (resp->buflen == sizeof(resp->data))
        {
 #ifdef DEBUG_NETWORK
            gprintf("buflen error %lu\n", (unsigned long)resp->buflen);
 #endif
            return false;
        }
    }
    return false;
 }
 bool check_ip(char *str)
 {
    int partA, partB, partC, partD;
    char extra;
    // We avoid using regex because it increases the file size
    return (sscanf(str, "%d.%d.%d.%d%c", &partA, &partB, &partC, &partD, &extra) == 4);
 }
 bool connect_proxy(HTTP_INFO *httpinfo, char *host, char *username, char *password)
 {
    HTTP_RESPONSE response = {0};
    char request[500];
    char credentials[66];
    char *auth;
    int len;
    if (username && password)
    {
        if (!snprintf(credentials, sizeof(credentials), "%s:%s", username, password))
            return false;
        if (!(auth = base64(credentials, strlen(credentials), &len)))
            return false;
        len = snprintf(request, sizeof(request),
                       "CONNECT %s:%i HTTP/1.1\r\nProxy-Authorization: Basic %s\r\nUser-Agent: curl/7.55.1\r\n\r\n",
                       host, httpinfo->use_https ? 443 : 80, auth);
        MEM2_free(auth);
    }
    else
        len = snprintf(request, sizeof(request),
                       "CONNECT %s:%i HTTP/1.1\r\nUser-Agent: curl/7.55.1\r\n\r\n",
                       host, httpinfo->use_https ? 443 : 80);
    if (len > 0 && https_write(httpinfo, request, len, true) != len)
        return false;
    if (get_response(httpinfo, &response, true))
    {
        if (response.status == 200)
            return true;
    }
    return false;
 }
 int connect(char *host, u16 port)
 {
    struct sockaddr_in sin;
    s32 sock, ret;
-    u64 t;
+    u32 ipaddress;
-
+    u64 time;
-    u32 ipaddress = getipbynamecached(host);
+#ifdef DEBUG_NETWORK
-    if (ipaddress == 0)
+    gprintf("Connecting to %s", host);
-        return -1;
+#endif
-
+    if ((ipaddress = check_ip(host) ? inet_addr(host) : getipbynamecached(host)) == 0)
-    sock = net_socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
+        return -EFAULT;
    if (sock < 0)
        return sock;
    memset(&sin, 0, sizeof(struct sockaddr_in));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = ipaddress;
 #ifdef DEBUG_NETWORK
-    gprintf("Connecting to %s (%s)\n", host, inet_ntoa(sin.sin_addr));
+    if (!check_ip(host))
        gprintf(" (%s)", inet_ntoa(sin.sin_addr));
 #endif
    if ((sock = net_socket(AF_INET, SOCK_STREAM, IPPROTO_IP)) < 0)
        return sock;
    net_fcntl(sock, F_SETFL, 4);
-    t = gettime();
+    time = gettime();
-    while (1)
+    while (ticks_to_millisecs(diff_ticks(time, gettime())) < CONNECT_TIMEOUT)
    {
-        if (ticks_to_millisecs(diff_ticks(t, gettime())) > TCP_CONNECT_TIMEOUT)
+        if ((ret = net_connect(sock, (struct sockaddr *)&sin, sizeof(sin))) < 0)
        {
 #ifdef DEBUG_NETWORK
            gprintf("The connection timed out\n");
 #endif
            net_close(sock);
            return -ETIMEDOUT;
        }
        ret = net_connect(sock, (struct sockaddr *)&sin, sizeof(sin));
        if (ret < 0)
        {
            if (ret == -EISCONN)
-                break;
+                return sock;
            if (ret == -EINPROGRESS || ret == -EALREADY)
            {
-                usleep(20 * 1000);
+                usleep(10000);
                continue;
            }
            net_close(sock);
            return ret;
        }
        break;
    }
-    net_fcntl(sock, F_SETFL, 0);
+    net_close(sock);
-    return sock;
+    return -ETIMEDOUT;
 }
 void downloadfile(const char *url, struct download *buffer)
 {
-    HTTP_INFO httpinfo;
+    HTTP_INFO httpinfo = {0};
    memset(&httpinfo, 0, sizeof(HTTP_INFO));
    // Always reset the size due to the image downloader looping
    buffer->size = 0;
    // Check if we're using HTTPS and set the path
    char *path;
    if (strncmp(url, "https://", 8) == 0)
@ -272,33 +359,53 @@ void downloadfile(const char *url, struct download *buffer)
        path = strchr(url + 7, '/');
    }
    else
-        return; // Prevents uninitialized warning
+        return;
    if (path == NULL)
        return;
    // Get the host
    int domainlength = path - url - 7 - httpinfo.use_https;
    char host[domainlength + 1];
    strlcpy(host, url + 7 + httpinfo.use_https, domainlength + 1);
    // Start connecting
-    if ((httpinfo.sock = connect(host, httpinfo.use_https ? 443 : 80)) < 0)
+    if (getProxyAddress() && getProxyPort() > 0)
        httpinfo.sock = connect(getProxyAddress(), getProxyPort());
    else
        httpinfo.sock = connect(host, httpinfo.use_https ? 443 : 80);
    if (httpinfo.sock < 0)
    {
 #ifdef DEBUG_NETWORK
-        gprintf("Failed to connect to %s\n", host);
+        if (httpinfo.sock == -ETIMEDOUT)
            gprintf("\nFailed to connect (timed out)\n");
        else
            gprintf("\nFailed to connect (%i)\n", httpinfo.sock);
 #endif
        return;
    }
 #ifdef DEBUG_NETWORK
-    else
+    gprintf("\nConnected\n");
        gprintf("Connected\n");
 #endif
-
+    // Connect to a web proxy
    if (getProxyAddress() && getProxyPort() > 0)
    {
        if (!connect_proxy(&httpinfo, host, getProxyUsername(), getProxyPassword()))
        {
 #ifdef DEBUG_NETWORK
            gprintf("Failed to connect to proxy (%s:%i)\n", getProxyAddress(), getProxyPort());
 #endif
            https_close(&httpinfo);
            return;
        }
        session = NULL; // Resume doesn't work with a proxy
 #ifdef DEBUG_NETWORK
        gprintf("Proxy is ready to receive\n");
 #endif
    }
    // Setup for HTTPS if it's necessary
    if (httpinfo.use_https)
    {
        // Create a new SSL context
-        // wolfSSLv23_client_method() works, but resume would require further changes
+        // wolfSSLv23_client_method() works but TLS 1.2 is slightly faster on Wii
        if ((httpinfo.ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())) == NULL)
        {
 #ifdef DEBUG_NETWORK
@ -318,6 +425,9 @@ void downloadfile(const char *url, struct download *buffer)
            https_close(&httpinfo);
            return;
        }
        // Custom I/O is essential due to how libogc handles errors
        wolfSSL_SetIOSend(httpinfo.ctx, send_callback);
        wolfSSL_SetIORecv(httpinfo.ctx, recv_callback);
        // Create a new wolfSSL session
        if ((httpinfo.ssl = wolfSSL_new(httpinfo.ctx)) == NULL)
        {
@ -345,13 +455,20 @@ void downloadfile(const char *url, struct download *buffer)
            session = NULL;
        }
        // Initiate a handshake
-        if (wolfSSL_connect(httpinfo.ssl) != SSL_SUCCESS)
+        u64 time = gettime();
        while (true)
        {
            if (ticks_to_millisecs(diff_ticks(time, gettime())) > CONNECT_TIMEOUT)
            {
 #ifdef DEBUG_NETWORK
-            gprintf("SSL handshake failed\n");
+                gprintf("SSL handshake failed\n");
 #endif
-            https_close(&httpinfo);
+                https_close(&httpinfo);
-            return;
+                return;
            }
            if (wolfSSL_connect(httpinfo.ssl) == SSL_SUCCESS)
                break;
            usleep(10000);
        }
        // Check if we resumed successfully
        if (session != NULL && !wolfSSL_session_reused(httpinfo.ssl))
@ -370,28 +487,21 @@ void downloadfile(const char *url, struct download *buffer)
        gprintf("Using: %s - %s\n", wolfSSL_get_version(httpinfo.ssl), wolfSSL_CIPHER_get_name(cipher));
 #endif
    }
    // Send our request
    char request[2300];
-    char isgecko[36] = "Cookie: challenge=BitMitigate.com\r\n";
+    char method[5] = "HEAD"; // Get the GameTDB timestamp
    char method[5] = "HEAD"; // The only way to get the GameTDB timestamp
    int ret, len;
    if (strcmp(host, "www.geckocodes.org") != 0)
        memset(isgecko, 0, sizeof(isgecko)); // Not geckocodes, so don't set a cookie
    if (!buffer->gametdbcheck)
        strcpy(method, "GET");
-
+    len = snprintf(request, sizeof(request),
    len = snprintf(request, 2300,
                   "%s %s HTTP/1.1\r\n"
                   "Host: %s\r\n"
                   "User-Agent: USBLoaderGX/%s\r\n"
                   "Connection: close\r\n"
                   "%s"
                   "Pragma: no-cache\r\n"
                   "Cache-Control: no-cache\r\n\r\n",
-                   method, path, host, GetRev(), isgecko);
+                   method, path, host, GetRev());
-    if ((ret = https_write(&httpinfo, request, len)) != len)
+    if ((ret = https_write(&httpinfo, request, len, false)) != len)
    {
 #ifdef DEBUG_NETWORK
        gprintf("https_write error: %i\n", ret);
@ -399,7 +509,6 @@ void downloadfile(const char *url, struct download *buffer)
        https_close(&httpinfo);
        return;
    }
    // Check if we want a response
    if (buffer->skip_response)
    {
@ -409,56 +518,15 @@ void downloadfile(const char *url, struct download *buffer)
        https_close(&httpinfo);
        return;
    }
    // Get the response
-    char response[4096];
+    HTTP_RESPONSE response = {0};
-    struct phr_header headers[100];
+    if (!get_response(&httpinfo, &response, false))
    int pret, minor_version, status, dl_valid;
    size_t buflen = 0, prevbuflen = 0, num_headers, msg_len;
    ssize_t rret;
    const char *msg;
    while (1)
    {
-        // Read the response
+        https_close(&httpinfo);
-        while ((rret = https_read(&httpinfo, &response[buflen], 1)) == -1 && errno == EINTR)
+        return;
            ;
        if (rret <= 0)
        {
 #ifdef DEBUG_NETWORK
            gprintf("rret error %i\n", rret);
 #endif
            https_close(&httpinfo);
            return;
        }
        prevbuflen = buflen;
        buflen += rret;
        // Parse the response
        num_headers = sizeof(headers) / sizeof(headers[0]);
        pret = phr_parse_response(response, buflen, &minor_version, &status, &msg, &msg_len, headers, &num_headers, prevbuflen);
        if (pret > 0)
            break; // Successfully parsed the response
        else if (pret == -1)
        {
 #ifdef DEBUG_NETWORK
            gprintf("pret error %i\n", pret);
 #endif
            https_close(&httpinfo);
            return;
        }
        // Response is incomplete so continue the loop
        if (buflen == sizeof(response))
        {
 #ifdef DEBUG_NETWORK
            gprintf("buflen error %i\n", buflen);
 #endif
            https_close(&httpinfo);
            return;
        }
    }
    // The website wants to redirect us
-    if (status == 301 || status == 302)
+    if (response.status == 301 || response.status == 302)
    {
        https_close(&httpinfo);
        if (loop == REDIRECT_LIMIT)
@ -469,8 +537,8 @@ void downloadfile(const char *url, struct download *buffer)
            return;
        }
        loop++;
-        char location[2100] = {};
+        char location[2049];
-        if (!get_header_value(headers, num_headers, location, "location"))
+        if (!get_header_value(response.headers, response.num_headers, location, "location"))
            return;
 #ifdef DEBUG_NETWORK
        gprintf("Redirect #%i - %s\n", loop, location);
@ -483,27 +551,29 @@ void downloadfile(const char *url, struct download *buffer)
    // Exit if it's a GameTDB HEAD request
    if (buffer->gametdbcheck)
    {
-        buffer->gametdbcheck = get_header_value_int(headers, num_headers, "x-gametdb-timestamp");
+        buffer->gametdbcheck = get_header_value_int(response.headers, response.num_headers, "x-gametdb-timestamp");
        https_close(&httpinfo);
        return;
    }
    // We got what we wanted
-    if (status == 200)
+    if (response.status == 200)
    {
-        buffer->data = malloc(4096);
+        buffer->data = MEM2_alloc(4096);
-        memcpy(buffer->data, &response[pret], buflen - pret);
+        memcpy(buffer->data, &response.data[response.pret], response.buflen - response.pret);
        if (buffer->show_progress)
            buffer->content_length = get_header_value_int(headers, num_headers, "content-length");
        // Determine how to read the data
-        if (is_chunked(headers, num_headers))
+        bool dl_valid;
-            dl_valid = read_chunked(&httpinfo, buffer, buflen - pret);
+        if (is_chunked(response.headers, response.num_headers))
            dl_valid = read_chunked(&httpinfo, buffer, response.buflen - response.pret);
        else
-            dl_valid = read_all(&httpinfo, buffer, buflen - pret);
+        {
            buffer->content_length = get_header_value_int(response.headers, response.num_headers, "content-length");
            dl_valid = read_all(&httpinfo, buffer, response.buflen - response.pret);
        }
        // Check if the download is incomplete
-        if (!dl_valid || buffer->size <= 0)
+        if (!dl_valid || buffer->size < 1)
        {
            buffer->size = 0;
-            free(buffer->data);
+            MEM2_free(buffer->data);
 #ifdef DEBUG_NETWORK
            gprintf("Removed incomplete download\n");
 #endif
@ -516,16 +586,18 @@ void downloadfile(const char *url, struct download *buffer)
        // Finished
        https_close(&httpinfo);
 #ifdef DEBUG_NETWORK
-        gprintf("Download size: %llu\n", buffer->size);
+        gprintf("Download size: %llu\n", (long long)buffer->size);
-        gprintf("Headers:\n");
+        gprintf("------------- HEADERS -------------\n");
-        for (size_t i = 0; i != num_headers; ++i)
+        for (size_t i = 0; i != response.num_headers; ++i)
-            gprintf("%.*s: %.*s\n", (int)headers[i].name_len, headers[i].name, (int)headers[i].value_len, headers[i].value);
+            gprintf("%.*s: %.*s\n", (int)response.headers[i].name_len, response.headers[i].name,
                    (int)response.headers[i].value_len, response.headers[i].value);
        gprintf("------------ COMPLETED ------------\n");
 #endif
        return;
    }
    // Close on all other status codes
 #ifdef DEBUG_NETWORK
-    gprintf("Status code: %i - %s\n", status, url);
+    gprintf("Status code: %i - %s\n", response.status, url);
 #endif
    https_close(&httpinfo);
 }
--- a/source/network/https.h
+++ b/source/network/https.h
@ -6,7 +6,10 @@
 #define _HTTPS_H_
 #include <libs/libwolfssl/ssl.h>
 #include "dns.h"
 #include "memory/mem2.h"
 #include "picohttpparser.h"
 #ifdef __cplusplus
 extern "C"
@ -15,19 +18,30 @@ extern "C"
 // #define DEBUG_NETWORK
 #define REDIRECT_LIMIT 3
-#define TCP_CONNECT_TIMEOUT 5000
+#define CONNECT_TIMEOUT 10000
-#define READ_WRITE_TIMEOUT 5000
+#define READ_WRITE_TIMEOUT 20000
 #define BLOCK_SIZE 8192
    struct download
    {
-        u8 skip_response;   // Used by WiinnerTag
+        bool skip_response; // Used by WiinnerTag
-        u8 show_progress;   // Used when downloading wiitdb.zip
+        bool show_progress; // Used when downloading wiitdb.zip
        u64 gametdbcheck;   // Used when checking the GameTDB version
        u64 content_length;
        u64 size;
        char *data;
    };
    typedef struct
    {
        int status;
        int pret;
        size_t num_headers;
        size_t buflen;
        struct phr_header headers[100];
        char data[4096];
    } HTTP_RESPONSE;
    typedef struct
    {
        u8 use_https;
--- a/source/network/networkops.cpp
+++ b/source/network/networkops.cpp
@ -11,6 +11,7 @@
 #include "networkops.h"
 #include "https.h"
 #include "update.h"
 #include "settings/ProxySettings.h"
 #define PORT 4299
@ -52,6 +53,7 @@ void Initialize_Network(int retries)
 	}
 	else
 	{
 		getProxyInfo();
 		wolfSSL_Init();
 		networkinitialized = true;
 		return;
--- a/source/network/picohttpparser.c
+++ b/source/network/picohttpparser.c
@ -241,6 +241,41 @@ static const char *is_complete(const char *buf, const char *buf_end, size_t last
        *valp_ += res_;                                                                                                            \
    } while (0)
 /* returned pointer is always within [buf, buf_end), or null */
 static const char *parse_token(const char *buf, const char *buf_end, const char **token, size_t *token_len, char next_char,
                               int *ret)
 {
    /* We use pcmpestri to detect non-token characters. This instruction can take no more than eight character ranges (8*2*8=128
     * bits that is the size of a SSE register). Due to this restriction, characters `|` and `~` are handled in the slow loop. */
    static const char ALIGNED(16) ranges[] = "\x00 "  /* control chars and up to SP */
                                             "\"\""   /* 0x22 */
                                             "()"     /* 0x28,0x29 */
                                             ",,"     /* 0x2c */
                                             "//"     /* 0x2f */
                                             ":@"     /* 0x3a-0x40 */
                                             "[]"     /* 0x5b-0x5d */
                                             "{\xff"; /* 0x7b-0xff */
    const char *buf_start = buf;
    int found;
    buf = findchar_fast(buf, buf_end, ranges, sizeof(ranges) - 1, &found);
    if (!found) {
        CHECK_EOF();
    }
    while (1) {
        if (*buf == next_char) {
            break;
        } else if (!token_char_map[(unsigned char)*buf]) {
            *ret = -1;
            return NULL;
        }
        ++buf;
        CHECK_EOF();
    }
    *token = buf_start;
    *token_len = buf - buf_start;
    return buf;
 }
 /* returned pointer is always within [buf, buf_end), or null */
 static const char *parse_http_version(const char *buf, const char *buf_end, int *minor_version, int *ret)
 {
@ -280,31 +315,10 @@ static const char *parse_headers(const char *buf, const char *buf_end, struct ph
        if (!(*num_headers != 0 && (*buf == ' ' || *buf == '\t'))) {
            /* parsing name, but do not discard SP before colon, see
             * http://www.mozilla.org/security/announce/2006/mfsa2006-33.html */
-            headers[*num_headers].name = buf;
+            if ((buf = parse_token(buf, buf_end, &headers[*num_headers].name, &headers[*num_headers].name_len, ':', ret)) == NULL) {
-            static const char ALIGNED(16) ranges1[] = "\x00 "  /* control chars and up to SP */
+                return NULL;
                                                      "\"\""   /* 0x22 */
                                                      "()"     /* 0x28,0x29 */
                                                      ",,"     /* 0x2c */
                                                      "//"     /* 0x2f */
                                                      ":@"     /* 0x3a-0x40 */
                                                      "[]"     /* 0x5b-0x5d */
                                                      "{\377"; /* 0x7b-0xff */
            int found;
            buf = findchar_fast(buf, buf_end, ranges1, sizeof(ranges1) - 1, &found);
            if (!found) {
                CHECK_EOF();
            }
-            while (1) {
+            if (headers[*num_headers].name_len == 0) {
                if (*buf == ':') {
                    break;
                } else if (!token_char_map[(unsigned char)*buf]) {
                    *ret = -1;
                    return NULL;
                }
                ++buf;
                CHECK_EOF();
            }
            if ((headers[*num_headers].name_len = buf - headers[*num_headers].name) == 0) {
                *ret = -1;
                return NULL;
            }
@ -352,13 +366,17 @@ static const char *parse_request(const char *buf, const char *buf_end, const cha
    }
    /* parse request line */
-    ADVANCE_TOKEN(*method, *method_len);
+    if ((buf = parse_token(buf, buf_end, method, method_len, ' ', ret)) == NULL) {
        return NULL;
    }
    do {
        ++buf;
        CHECK_EOF();
    } while (*buf == ' ');
    ADVANCE_TOKEN(*path, *path_len);
    do {
        ++buf;
        CHECK_EOF();
    } while (*buf == ' ');
    if (*method_len == 0 || *path_len == 0) {
        *ret = -1;
@ -422,6 +440,7 @@ static const char *parse_response(const char *buf, const char *buf_end, int *min
    }
    do {
        ++buf;
        CHECK_EOF();
    } while (*buf == ' ');
    /* parse status code, we want at least [:digit:][:digit:][:digit:]<other char> to try to parse */
    if (buf_end - buf < 4) {
@ -437,7 +456,8 @@ static const char *parse_response(const char *buf, const char *buf_end, int *min
    if (*msg_len == 0) {
        /* ok */
    } else if (**msg == ' ') {
-        /* remove preceding space */
+        /* Remove preceding space. Successful return from `get_token_to_eol` guarantees that we would hit something other than SP
         * before running past the end of the given buffer. */
        do {
            ++*msg;
            --*msg_len;
--- a/source/network/update.cpp
+++ b/source/network/update.cpp
@ -61,7 +61,7 @@ int DownloadFileToPath(const char *url, const char *dest)
 	StartProgress(tr("Downloading file..."), 0, filename, true, true);
 	struct download file = {};
-	file.show_progress = 1;
+	file.show_progress = true;
 	downloadfile(url, &file);
 	if (file.size > 0)
 	{
@ -73,7 +73,7 @@ int DownloadFileToPath(const char *url, const char *dest)
 		}
 		fwrite(file.data, 1, file.size, savefile);
 		fclose(savefile);
-		free(file.data);
+		MEM2_free(file.data);
 	}
 	ProgressStop();
 	ProgressCancelEnable(false);
@ -84,7 +84,7 @@ static bool CheckNewGameTDBVersion(const char *url)
 {
 	gprintf("Checking GameTDB version...\n");
 	struct download file = {};
-	file.gametdbcheck = 1;
+	file.gametdbcheck = true;
 	downloadfile(url, &file);
 	if (file.gametdbcheck <= 0)
@ -157,7 +157,7 @@ static void UpdateIconPng()
 			fwrite(file.data, 1, file.size, pfile);
 			fclose(pfile);
 		}
-		free(file.data);
+		MEM2_free(file.data);
 	}
 }
@ -175,7 +175,7 @@ static void UpdateMetaXml()
 			fwrite(file.data, 1, file.size, pfile);
 			fclose(pfile);
 		}
-		free(file.data);
+		MEM2_free(file.data);
 	}
 }
@ -197,7 +197,7 @@ int CheckUpdate()
 	if (file.size > 0)
 	{
 		revnumber = atoi((char *)file.data);
-		free(file.data);
+		MEM2_free(file.data);
 	}
 	if (revnumber > currentrev)
@ -233,7 +233,7 @@ static int ApplicationDownload(void)
 			ptr++;
 		}
-		free(file.data);
+		MEM2_free(file.data);
 	}
 	if (newrev <= currentrev)
--- a/source/prompts/PromptWindows.cpp
+++ b/source/prompts/PromptWindows.cpp
@ -1522,12 +1522,12 @@ int CodeDownload(const char *id)
 				else
 					WindowPrompt(tr("Error"), tr("Could not write file."), tr( "OK" ));
 			}
-			free(file.data);
+			MEM2_free(file.data);
 		}
 		else
 		{
 			if (file.size > 0)
-				free(file.data);
+				MEM2_free(file.data);
 			snprintf(codeurl, sizeof(codeurl), "%s.txt%s", id, tr(" could not be downloaded."));
 			WindowPrompt(tr( "Error" ), codeurl, tr( "OK" ));
 		}
--- a/source/settings/CSettings.cpp
+++ b/source/settings/CSettings.cpp
@ -87,6 +87,9 @@ void CSettings::SetDefault()
 	strlcpy(URL_Discs, "https://art.gametdb.com/wii/disc/", sizeof(URL_Discs));
 	strlcpy(URL_DiscsCustom, "https://art.gametdb.com/wii/disccustom/", sizeof(URL_DiscsCustom));
 	strlcpy(URL_GameTDB, "https://www.gametdb.com/wiitdb.zip", sizeof(URL_GameTDB));
 	ProxyUsername[0] = 0;
 	ProxyPassword[0] = 0;
 	ProxyAddress[0] = 0;
 	theme[0] = 0;
 	language_path[0] = 0;
 	ogg_path[0] = 0;
@ -226,6 +229,8 @@ void CSettings::SetDefault()
 	GCInstallCompressed = OFF;
 	GCInstallAligned = OFF;
 	PrivateServer = OFF;
 	ProxyUseSystem = ON;
 	ProxyPort = 0;
 }
 bool CSettings::Load()
@ -499,6 +504,11 @@ bool CSettings::Save()
 	fprintf(file, "URL_Discs = %s\n", URL_Discs);
 	fprintf(file, "URL_DiscsCustom = %s\n", URL_DiscsCustom);
 	fprintf(file, "URL_GameTDB = %s\n", URL_GameTDB);
 	fprintf(file, "ProxyUseSystem = %d\n", ProxyUseSystem);
 	fprintf(file, "ProxyUsername = %s\n", ProxyUsername);
 	fprintf(file, "ProxyPassword = %s\n", ProxyPassword);
 	fprintf(file, "ProxyAddress = %s\n", ProxyAddress);
 	fprintf(file, "ProxyPort = %d\n", ProxyPort);
 	fclose(file);
 	return true;
@ -1326,6 +1336,34 @@ bool CSettings::SetSetting(char *name, char *value)
 			strlcpy(URL_GameTDB, value, sizeof(URL_GameTDB));
 		return true;
 	}
 	else if (strcmp(name, "ProxyUseSystem") == 0)
 	{
 		ProxyUseSystem = atoi(value);
 		return true;
 	}
 	else if (strcmp(name, "ProxyUsername") == 0)
 	{
 		if(strlen(value) > 0)
 			strlcpy(ProxyUsername, value, sizeof(ProxyUsername));
 		return true;
 	}
 	else if (strcmp(name, "ProxyPassword") == 0)
 	{
 		if(strlen(value) > 0)
 			strlcpy(ProxyPassword, value, sizeof(ProxyPassword));
 		return true;
 	}
 	else if (strcmp(name, "ProxyAddress") == 0)
 	{
 		if(strlen(value) > 6)
 			strlcpy(ProxyAddress, value, sizeof(ProxyAddress));
 		return true;
 	}
 	else if(strcmp(name, "ProxyPort") == 0)
 	{
 		ProxyPort = atoi(value);
 		return true;
 	}
 	else if (strcmp(name, "CustomAddress") == 0)
 	{
 		if(strlen(value) > 3)
--- a/source/settings/CSettings.h
+++ b/source/settings/CSettings.h
@ -98,6 +98,11 @@ class CSettings
 		char URL_Discs[300];
 		char URL_DiscsCustom[300];
 		char URL_GameTDB[300];
 		char ProxyUsername[33];
 		char ProxyPassword[33];
 		char ProxyAddress[256];
 		u16 ProxyPort;
 		short ProxyUseSystem;
 		short videomode;
 		short language;
 		short ocarina;
--- a/source/settings/ProxySettings.cpp
+++ b/source/settings/ProxySettings.cpp
@ -0,0 +1,74 @@
 #include <ogcsys.h>
 #include <ogc/isfs.h>
 #include <string.h>
 #include "ProxySettings.h"
 #include "settings/CSettings.h"
 #define ALIGN32(x) (((x) + 31) & ~31)
 bool proxy_enabled;
 bool proxy_creds_enabled;
 char proxy_address[256];
 u16 proxy_port;
 char proxy_username[33];
 char proxy_password[33];
 void getProxyInfo()
 {
    char *buffer;
    int fd = ISFS_Open("/shared2/sys/net/02/config.dat", ISFS_OPEN_READ);
    if (fd >= 0)
    {
        fstats stats ATTRIBUTE_ALIGN(32);
        if (ISFS_GetFileStats(fd, &stats) >= 0)
        {
            if (stats.file_length == 7004)
            {
                buffer = (char *)MEM2_alloc(ALIGN32(stats.file_length));
                if (buffer)
                {
                    if (ISFS_Read(fd, buffer, stats.file_length) == 7004)
                    {
                        proxy_enabled = buffer[44];
                        proxy_creds_enabled = buffer[45];
                        strncpy(proxy_address, buffer + 48, sizeof(proxy_address) - 1);
                        proxy_port = ((buffer[304] & 0xFF) << 8) | (buffer[305] & 0xFF);
                        strncpy(proxy_username, buffer + 306, sizeof(proxy_username) - 1);
                        strncpy(proxy_password, buffer + 338, sizeof(proxy_password) - 1);
                    }
                }
                MEM2_free(buffer);
            }
        }
        ISFS_Close(fd);
    }
 }
 char *getProxyAddress()
 {
    if (Settings.ProxyUseSystem)
        return proxy_enabled ? proxy_address : NULL;
    return (strlen(Settings.ProxyAddress) > 6) ? Settings.ProxyAddress : NULL;
 }
 u16 getProxyPort()
 {
    if (Settings.ProxyUseSystem)
        return proxy_enabled ? proxy_port : 0;
    return Settings.ProxyPort;
 }
 char *getProxyUsername()
 {
    if (Settings.ProxyUseSystem)
        return proxy_enabled && proxy_creds_enabled ? proxy_username : NULL;
    return (strlen(Settings.ProxyUsername) > 0) ? Settings.ProxyUsername : NULL;
 }
 char *getProxyPassword()
 {
    if (Settings.ProxyUseSystem)
        return proxy_enabled && proxy_creds_enabled ? proxy_password : NULL;
    return (strlen(Settings.ProxyPassword) > 0) ? Settings.ProxyPassword : NULL;
 }
--- a/source/settings/ProxySettings.h
+++ b/source/settings/ProxySettings.h
@ -0,0 +1,17 @@
 #ifndef _PROXYSETTINGS_
 #define _PROXYSETTINGS_
 #ifdef __cplusplus
 extern "C"
 {
 #endif
    void getProxyInfo();
    char *getProxyAddress();
    u16 getProxyPort();
    char *getProxyUsername();
    char *getProxyPassword();
 #ifdef __cplusplus
 }
 #endif
 #endif /* _PROXYSETTINGS_ */
--- a/Show More
+++ b/Show More