wolfSSL · JacobBarthelmeh · Dec 30, 2025 · Dec 29, 2025 · Dec 29, 2025
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,3 +1,77 @@
+# wolfSSH v1.4.22 (December 31, 2025)
+
+## Vulnerabilities
+
+- [Critical] CVE-2025-14942. wolfSSH’s key exchange state machine can be
+  manipulated to leak the client’s password in the clear, trick the client to
+  send a bogus signature, or trick the client into skipping user
+  authentication. This affects client applications with wolfSSH version 1.4.21
+  and earlier. Users of wolfSSH must update or apply the fix patch and it’s
+  recommended to update credentials used. This fix is also recommended for
+  wolfSSH server applications. While there aren’t any specific attacks, the
+  same defect is present.
+
+## New Features
+
+- Added a complete SFTP client example for the Renesas RX72N platform. (PR
+  847)
+- Enabled TSIP support and provided cleaned-up configuration headers for the
+  RX72N example. (PR 847)
+- Added FIPS-enabled build configurations to the Visual Studio project files.
+  (PR 851)
+- Added documentation describing how to build and use the new FIPS Visual
+  Studio configurations. (PR 851)
+- Introduced regression tests covering SSH agent signing, including error
+  paths and successful operation. (PR 856)
+- Added regression tests that explicitly exercise WANT_READ / WANT_WRITE  paths
+  to guard against deadlocks. (PR 856)
+
+## Improvements
+
+- Refactored SSH string parsing by unifying GetString() and GetStringAlloc()
+  around GetStringRef(), simplifying maintenance and reducing duplication. (PR
+  857)
+- Enhanced SSH message-order validation by introducing explicit
+  expected-message tracking and clearer message ID range macros. (PR 855)
+- Improved server-side out-of-order message checking to align behavior with the
+  stricter client implementation. (PR 855)
+- Improved worker thread behavior under window backpressure by prioritizing
+  receive handling, preventing stalls with small-window SFTP clients. (PR 856)
+- Hardened SSH agent handling logic by validating response types, tracking
+  message IDs, and enforcing strict buffer size limits. (PR 845)
+- Improved SCP path handling by canonicalizing client-supplied base paths
+  before filesystem access. (PR 845)
+- Improved portability by replacing non-standard <sys/errno.h> includes with
+  standard <errno.h>. (PR 852)
+- Reduced logging overhead by defining WLOG as a no-op when debugging is
+  disabled. (PR 839)
+- Updated documentation to better reflect current features, examples, and build
+  options. (PR 851)
+
+## Fixes
+
+- Fixed incorrect handling of zero-length SSH strings in packet parsing. (PR
+  857)
+- Fixed a worker-thread deadlock caused by blocked sends preventing
+  window-adjust processing. (PR 856)
+- Fixed a double-free crash and eliminated a socket-close spin loop under error
+  conditions. (PR 855)
+- Fixed uninitialized authentication data that could lead to undefined behavior
+  during authentication. (PR 854)
+- Fixed SFTP connection interoperability issues discovered through
+  cross-implementation testing. SFTP fix for init to handle channel data which
+  resolves a potential interoperability SFTP connection issue. (PR 846)
+- Fixed SCP receive handling to reject traversal filenames containing path
+  separators or “dot” components. (PR 845)
+- Fixed missing declaration of wc_SSH_KDF that caused build failures under
+  strict compiler warnings. (PR 848)
+- Fixed SSH agent test setup so regression tests exercise the intended code
+  paths. (PR 845)
+- Excluded a standalone regression test from Zephyr builds where it was
+  incompatible with the Zephyr test model. (PR 855)
+
+---
+
 # wolfSSH v1.4.21 (October 20, 2025)
 
 ## Vulnerabilities
@@ -51,6 +125,8 @@
 - Rename wolfssh test certs to avoid conflict with wolfssl test certs (PR 831)
 - Do not treat the shell as interactive until pty-req message request is received. This fixes an interoperability issue with WinSCP (PR 832)
 
+---
+
 # wolfSSH v1.4.20 (Feburary 20, 2025)
 
 ## New Features
@@ -73,6 +149,7 @@
 - Reinstate support for P521 and P384 curves by default when compiled in (PR 762)
 - Fix for wolfSSH client app handling of an empty hostname (PR 768)
 
+---
 
 # wolfSSH v1.4.19 (November 1, 2024)
 
@@ -97,6 +174,7 @@
 - Minor static analysis report fixes (PR 740, 735)
 - Fix for handling SFTP transfer to non-existent folder (PR 743)
 
+---
 
 # wolfSSH v1.4.18 (July 22, 2024)
 

diff --git a/apps/wolfssh/common.c b/apps/wolfssh/common.c
@@ -1,6 +1,6 @@
 /* common.c
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/apps/wolfssh/common.h b/apps/wolfssh/common.h
@@ -1,6 +1,6 @@
 /* common.h
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/apps/wolfssh/wolfssh.c b/apps/wolfssh/wolfssh.c
@@ -1,6 +1,6 @@
 /* wolfssh.c
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/apps/wolfsshd/auth.c b/apps/wolfsshd/auth.c
@@ -1,6 +1,6 @@
 /* auth.c
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/apps/wolfsshd/auth.h b/apps/wolfsshd/auth.h
@@ -1,6 +1,6 @@
 /* auth.h
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/apps/wolfsshd/configuration.c b/apps/wolfsshd/configuration.c
@@ -1,6 +1,6 @@
 /* configuration.c
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/apps/wolfsshd/configuration.h b/apps/wolfsshd/configuration.h
@@ -1,6 +1,6 @@
 /* configuration.h
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/apps/wolfsshd/wolfsshd.c b/apps/wolfsshd/wolfsshd.c
@@ -1,6 +1,6 @@
 /* wolfsshd.c
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/configure.ac b/configure.ac
@@ -1,9 +1,9 @@
 # wolfssh
-# Copyright (C) 2014-2024 wolfSSL Inc.
+# Copyright (C) 2014-2026 wolfSSL Inc.
 # All right reserved.
 
-AC_COPYRIGHT([Copyright (C) 2014-2024 wolfSSL Inc.])
-AC_INIT([wolfssh],[1.4.21],[[email protected]],[wolfssh],[https://www.wolfssl.com])
+AC_COPYRIGHT([Copyright (C) 2014-2026 wolfSSL Inc.])
+AC_INIT([wolfssh],[1.4.22],[[email protected]],[wolfssh],[https://www.wolfssl.com])
 AC_PREREQ([2.69])
 AC_CONFIG_AUX_DIR([build-aux])
 
@@ -18,7 +18,7 @@ AC_ARG_PROGRAM
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADERS([config.h])
 
-WOLFSSH_LIBRARY_VERSION=18:0:0
+WOLFSSH_LIBRARY_VERSION=19:0:1
 #                        | | |
 #                  +-----+ | +----+
 #                  |       |      |
@@ -265,6 +265,9 @@ AS_IF([test "x$ENABLED_SSHD" = "xyes"],[
   ])
 ])
 
+AC_CONFIG_LINKS([keys/gretel-key-rsa.pub:keys/gretel-key-rsa.pub
+                 keys/gretel-key-rsa.pem:keys/gretel-key-rsa.pem])
+
 # Set the automake conditionals.
 AM_CONDITIONAL([BUILD_EXAMPLE_SERVERS],[test "x$ENABLED_EXAMPLES" = "xyes"])
 AM_CONDITIONAL([BUILD_EXAMPLE_CLIENTS],[test "x$ENABLED_EXAMPLES" = "xyes"])

diff --git a/examples/client/client.c b/examples/client/client.c
@@ -1,6 +1,6 @@
 /* client.c
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/examples/client/client.h b/examples/client/client.h
@@ -1,6 +1,6 @@
 /* client.h
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/examples/client/common.c b/examples/client/common.c
@@ -1,6 +1,6 @@
 /* common.c
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/examples/client/common.h b/examples/client/common.h
@@ -1,6 +1,6 @@
 /* common.h
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
@@ -1,6 +1,6 @@
 /* echoserver.c
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/examples/echoserver/echoserver.h b/examples/echoserver/echoserver.h
@@ -1,6 +1,6 @@
 /* echoserver.h
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/examples/portfwd/portfwd.c b/examples/portfwd/portfwd.c
@@ -1,6 +1,6 @@
 /* portfwd.c
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/examples/portfwd/wolfssh_portfwd.h b/examples/portfwd/wolfssh_portfwd.h
@@ -1,6 +1,6 @@
 /* wolfssh_portfwd.h
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/examples/scpclient/scpclient.c b/examples/scpclient/scpclient.c
@@ -1,6 +1,6 @@
 /* scpclient.c
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/examples/scpclient/scpclient.h b/examples/scpclient/scpclient.h
@@ -1,6 +1,6 @@
 /* scpclient.h
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/examples/sftpclient/sftpclient.c b/examples/sftpclient/sftpclient.c
@@ -1,6 +1,6 @@
 /* sftpclient.c
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/examples/sftpclient/sftpclient.h b/examples/sftpclient/sftpclient.h
@@ -1,6 +1,6 @@
 /* sftpclient.h
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/default_espressif_options.h b/ide/Espressif/ESP-IDF/default_espressif_options.h
@@ -1,7 +1,7 @@
 /* wolfssl options.h
  * generated from configure options
  *
- * Copyright (C) 2014-2024 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/components/wolfssl/include/user_settings.h b/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/components/wolfssl/include/user_settings.h
@@ -1,6 +1,6 @@
 /* wolfssl-component include/user_settings.h
  *
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/echoserver.c b/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/echoserver.c
@@ -1,6 +1,6 @@
 /* echoserver.c
  *
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/include/echoserver.h b/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/include/echoserver.h
@@ -1,6 +1,6 @@
 /* echoserver.h
  *
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/include/main.h b/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/include/main.h
@@ -1,6 +1,6 @@
 /* template main.h
  *
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/include/time_helper.h b/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/include/time_helper.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/include/wifi_connect.h b/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/include/wifi_connect.h
@@ -1,6 +1,6 @@
 /* wifi_connect.h
  *
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/main.c b/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/main.c
@@ -1,6 +1,6 @@
 /* main.c
  *
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/time_helper.c b/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/time_helper.c
@@ -1,6 +1,6 @@
 /* time_helper.c
  *
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/wifi_connect.c b/ide/Espressif/ESP-IDF/examples/wolfssh_echoserver/main/wifi_connect.c
@@ -1,6 +1,6 @@
 /* wifi_connect.c
  *
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_template/components/wolfssl/include/user_settings.h b/ide/Espressif/ESP-IDF/examples/wolfssh_template/components/wolfssl/include/user_settings.h
@@ -1,6 +1,6 @@
 /* wolfssl-component include/user_settings.h
  *
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_template/main/include/main.h b/ide/Espressif/ESP-IDF/examples/wolfssh_template/main/include/main.h
@@ -1,6 +1,6 @@
 /* template main.h
  *
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *

diff --git a/ide/Espressif/ESP-IDF/examples/wolfssh_template/main/main.c b/ide/Espressif/ESP-IDF/examples/wolfssh_template/main/main.c
@@ -1,6 +1,6 @@
 /* main.c
  *
- * Copyright (C) 2014-2025 wolfSSL Inc.
+ * Copyright (C) 2014-2026 wolfSSL Inc.
  *
  * This file is part of wolfSSH.
  *