wolfCLU v0.2.0 (May 28, 2026)

New Features

• Add generating Chimera (dual-algorithm) certificates, enabling conventional
  and post-quantum signatures on a single X.509 cert by @Yu-Ma28051503 (PR 182)
• Implement OCSP client and OCSP responder with both HTTP and SCGI transports,
  allowing the responder to be fronted by nginx in production by @julek-wolfssl
  (PR 200)
• Port shell-based tests to Python (unittest) so the test suite can run on
  Windows in addition to Linux/macOS by @julek-wolfssl (PR 215)
• Support passing an explicit key file to the enc command instead of deriving
  the key from a password by @embhorn (PR 224)

Fixes and Enhancements

• Improve x509-req test coverage by @kojiws (PR 188)
• Fix README examples and setting of the subject name in the req command by
  @Yu-Ma28051503 (PR 191)
• Check that the keystring is present before use to avoid a segfault in the
  pkey command by @anhu (PR 192)
• Fix enc command handling of the legacy algorithm name format
  (e.g. aes-128-cbc) by @lealem47 (PR 193)
• Remove redundant manual null-termination already added by the compiler for
  string literals by @anhu (PR 194)
• Sign/verify with ML-DSA now passes a context for interop with OpenSSL
  signatures by @anhu (PR 195)
• Fix path concatenation in wolfCLU_CertSignAppendOut so generated output paths
  are well-formed by @kojo1 (PR 197)
• Document build prerequisites (autoconf, automake, libtool) in the README by
  @kareem-wolfssl (PR 201)
• Fix out-of-bounds writes when processing argv by @miyazakh (PR 202)
• Fix wrong variable used when storing the RSA exponent by @miyazakh (PR 203)
• Fix potential double-free by @miyazakh (PR 204)
• Fix null pointer check by @miyazakh (PR 205)
• Fix XFWRITE being called with a negative size by @miyazakh (PR 206)
• Fix use-after-free by @miyazakh (PR 207)
• Fix unreachable if condition by @miyazakh (PR 208)
• Update post-quantum groups list to match the latest wolfSSL by @Frauschi
  (PR 209)
• Fixes from static analysis @yosuke-wolfssl (PR 210)
• Fix compile and unit test failures by @miyazakh (PR 211)
• Fix stack buffer overflow in encryption setup by @miyazakh (PR 212)
• Fix shell command injection by @miyazakh (PR 213)
• Fix read of exactly MAX_LEN bytes being treated as an error by
  @miyazakh (PR 214)
• Fix SHA-1 prefix match overwriting SHA-256/384/512 output selection
  by @miyazakh (PR 216)
• Fix issues uncovered by wolfCLU Fenrir fuzz testing by @aidangarske (PR 218)
• Fix wolfCLU_sign_data_ecc and wolfCLU_verify_signature_ecc by @embhorn
  (PR 219)
• Fix potential heap buffer over-read by @miyazakh (PR 220)
• Fix flaky test_encrypt_decrypt_base64 bad-password check by @julek-wolfssl
  (PR 221)
• Additional sanity checks on input arguments based on static analysis results
  by @JacobBarthelmeh (PR 222)
• Fixes for closing file descriptors, sanity checks on init calls, buffer
  scope, and sanity checks on arguments passed in by @JacobBarthelmeh (PR 223)

wolfCLU v0.1.8 (Apr 4, 2025)

• Fix build errors in server.c when linked to wolfssl with --enable-all (PR 170)
• Increase CI tests to include --enable-all build of wolfSSL (PR 171)
• Fix for using old SN style for subject name to account for differences in
  OBJ_sn2nid (PR 172)
• Update the ecc help menu to list -pubin (PR 173)

wolfCLU v0.1.7 (Jan 27, 2025)

• Initial support for XMSS-XMSS^MT gnkey, sign and verify (PR 163)
• Support longer certificate chains (PR 162)
• Fix for setting wrong version in CSRs (PR 154)
• Fix DIlithium pem header and sign-verify without level option (PR 158)
• Fix typo VERIFY_USE_PREVERIFY in src/client/client.c and src/server/server.c
  (PR 160)
• Fix for change to OBJ sn2nid behavior in wolfSSL (PR 166)

wolfCLU v0.1.5 (Dec 22, 2023)

• Fix memory type typo in clu_rsa.c
• Add missing void arg to functions in clu_funcs.c

wolfCLU v0.1.4 (Nov 21, 2023)

• Removed erroneous file generation on ecc keygen
• Added options -req, -signkey, -extfile, -extensions and -md for x509 command
• Use void with func prototype
• Add ability to set more subjectAltName attributes
• Check for defined MAX_FILENAME_SZ before defining it locally
• Handle potential pointer increment in wolfSSL_i2d_X509

wolfCLU v0.1.2 (Mar 31, 2023)

Fixes and Enhancements

• Fix for DH use with FIPS build and cross compile warning
• Fix for configure cross compile QA warning with Yocto builds
• Fix for macro guards on Shake
• Improve VS build to generate .exe for all platforms
• Fix for linking to wolfSSL library built with --enable-ipv6

wolfCLU v0.1.0 (Sep 12, 2022)

Fixes and Enhancements

• Fix for buffer issue with s_client
• Add fsanitize testing with github actions
• Update dhparam to read mod size from different location in arguments
• Fix for x509 encoding modifying the cert
• Fix for supporting more alt names and skipping count
• Add -CAfile and verify_return_error flags for s_client command
• Expand testing with additional unit tests and Jenkins nightly test
• Fix for enc edge cases
• Fix x509 command to use piped input
• Support for building on Windows
• Add -pass flag to enc command
• Add -partial_chain arg for verify command
• Add -modulus flag for x509 command
• Handle additional CSR attribute print outs
• Add -passout flag to req command
• Fix for enc with nosalt
• Update m4 files
• Fix for parsing basic constraint from conf file
• Improve error logging
• IPV6 parsing support for s_client command
• Support for building with FIPS wolfSSL
• Add -text flag for crl command
• Support for building on FreeRTOS
• Add disable filesystem configure
• Support for creating req with attributes

wolfCLU v0.0.8 (Mar 04, 2022)

Commands Added

• Add rand command
• Add PKCS12 parsing support and command
• Add a basic s_client command for simple TLS client connections
• Add support for x509 verify command
• Add initial rsa command support
• Add CRL verify command
• Add ca command
• Add dsaparam command
• Add sha hash commands (sha256, sha384, sha512)
• Add dhparam command

Fixes and Enhancements

• Support for parsing multiple organization names with conf file
• Set the default certificate request version to 3
• Add print out of private key to PKEY command
• Added support for -nosalt option
• Fix for RSA free with dgst command
• Testing with FIPS 140-3 wolfCrypt
• Add -subj support to req command
• Fix for -base64 with enc
• Fix for piping errors to stderr instead of stdout
• Removed testing-certs directory in favor of certs directory
• Fix for handling large file sizes with dgst and hash command
• Expanded req command to handle -text, -noout, -extensions and -verify
• Expanded x509 command to handle -subject, -issuer, -serial, -dates, -email, -fingerprint, -purpose, -hash
• Added -text support to ecparam command
• Added support for -sign with dgst command
• Tied in github actions for continuous integration testing
• Added support for creating encrypted private keys with -newkey