wolfSSL · Frauschi · Jan 26, 2026
diff --git a/.github/workflows/cmake-autoconf.yml b/.github/workflows/cmake-autoconf.yml
@@ -0,0 +1,41 @@
+name: WolfSSL CMake Autoconf Interworking Test
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  build:
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-latest
+
+    steps:
+# pull wolfSSL
+    - uses: actions/checkout@v4
+
+# install cmake and autotools
+    - name: Install cmake
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y cmake autoconf automake libtool
+
+# build and install wolfssl via autotools for CMake consumer test
+    - name: Build wolfssl with autotools
+      run: |
+        ./autogen.sh
+        ./configure --prefix="$GITHUB_WORKSPACE/install-autoconf" --enable-all
+        make -j $(nproc)
+        make install
+
+# CMake consumer test using the autotools install
+    - name: CMake consumer test (autotools install)
+      run: |
+        mkdir -p cmake/consumer/build
+        cd cmake/consumer/build
+        cmake -DCMAKE_PREFIX_PATH="$GITHUB_WORKSPACE/install-autoconf" ..
+        cmake --build .
+        ./wolfssl_consumer
+        cd ..
+        rm -rf build
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -13,32 +13,24 @@ jobs:
 
     steps:
 # pull wolfSSL
-    - uses: actions/checkout@master
+    - uses: actions/checkout@v4
 
 # install cmake
     - name: Install cmake
       run: |
         sudo apt-get update
         sudo apt-get install -y cmake
 
-# pull wolfssl
-    - name: Checkout wolfssl
-      uses: actions/checkout@master
-      with:
-        repository: wolfssl/wolfssl
-        path: wolfssl
-
 # build wolfssl
     - name: Build wolfssl
-      working-directory: ./wolfssl
       run: |
         mkdir build
         cd build
         cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
             -DWOLFSSL_16BIT:BOOL=no -DWOLFSSL_32BIT:BOOL=no -DWOLFSSL_AES:BOOL=yes \
-            -DWOLFSSL_AESCBC:BOOL=yes -DWOLFSSL_AESCCM:BOOL=yes -DWOLFSSL_AESCFB:BOOL=yes \
+            -DWOLFSSL_AESCBC:BOOL=yes -DWOLFSSL_AESCCM:BOOL=yes -DWOLFSSL_AESCFB:BOOL=yes -DWOLFSSL_AESECB:BOOL=yes \
             -DWOLFSSL_AESCTR:BOOL=yes -DWOLFSSL_AESGCM:STRING=yes -DWOLFSSL_AESKEYWRAP:BOOL=yes \
-            -DWOLFSSL_AESOFB:BOOL=yes -DWOLFSSL_AESSIV:BOOL=yes -DWOLFSSL_ALIGN_DATA:BOOL=yes \
+            -DWOLFSSL_AESOFB:BOOL=yes -DWOLFSSL_AESCTS:BOOL=yes -DWOLFSSL_AESSIV:BOOL=yes -DWOLFSSL_ALIGN_DATA:BOOL=yes \
             -DWOLFSSL_ALPN:BOOL=ON -DWOLFSSL_ALT_CERT_CHAINS:BOOL=ON -DWOLFSSL_ARC4:BOOL=yes \
             -DWOLFSSL_ARIA:BOOL=no -DWOLFSSL_ASIO:BOOL=no -DWOLFSSL_ASM:BOOL=yes -DWOLFSSL_ASN:BOOL=yes \
             -DWOLFSSL_ASYNC_THREADS:BOOL=no -DWOLFSSL_BASE64_ENCODE:BOOL=yes -DWOLFSSL_CAAM:BOOL=no \
@@ -51,7 +43,7 @@ jobs:
             -DWOLFSSL_CURVE448:STRING=yes -DWOLFSSL_DEBUG:BOOL=yes -DWOLFSSL_DES3:BOOL=ON \
             -DWOLFSSL_DES3_TLS_SUITES:BOOL=no -DWOLFSSL_DH:STRING=yes -DWOLFSSL_DH_DEFAULT_PARAMS:BOOL=yes \
             -DWOLFSSL_DSA:BOOL=yes -DWOLFSSL_DTLS:BOOL=ON -DWOLFSSL_DTLS13:BOOL=yes \
-            -DWOLFSSL_DTLS_CID:BOOL=yes -DWOLFSSL_ECC:STRING=yes \
+            -DWOLFSSL_DTLS_CID:BOOL=yes -DWOLFSSL_DTLS_CH_FRAG:BOOL=yes -DWOLFSSL_ECC:STRING=yes \
             -DWOLFSSL_ECCCUSTCURVES:STRING=all -DWOLFSSL_ECCSHAMIR:BOOL=yes \
             -DWOLFSSL_ECH:BOOL=yes -DWOLFSSL_ED25519:BOOL=yes -DWOLFSSL_ED448:STRING=yes \
             -DWOLFSSL_ENCKEYS:BOOL=yes -DWOLFSSL_ENC_THEN_MAC:BOOL=yes -DWOLFSSL_ERROR_QUEUE:BOOL=yes \
@@ -80,7 +72,7 @@ jobs:
             -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \
             -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PKCS11:BOOL=yes \
             -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \
-            -DCMAKE_C_FLAGS="-DWOLFSSL_DTLS_CH_FRAG" \
+            -DWOLFSSL_WC_RSA_DIRECT:BOOL=yes -DWOLFSSL_PUBLIC_MP:BOOL=yes \
             ..
         cmake --build .
         ctest -j $(nproc)
@@ -92,7 +84,6 @@ jobs:
 
 # build "lean-tls" wolfssl
     - name: Build wolfssl with lean-tls
-      working-directory: ./wolfssl
       run: |
         mkdir build
         cd build
@@ -108,7 +99,6 @@ jobs:
 
 # CMake build with user_settings.h
     - name: Build wolfssl with user_settings.h
-      working-directory: ./wolfssl
       run: |
         mkdir build
         cp examples/configs/user_settings_all.h ./build/user_settings.h

diff --git a/.gitignore b/.gitignore
@@ -41,6 +41,9 @@ tags
 .tags*
 cyassl-config
 wolfssl-config
+cmake/wolfssl-config.cmake
+cmake/wolfssl-config-version.cmake
+cmake/wolfssl-targets.cmake
 cyassl.sublime*
 fips.h
 fips.c

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -427,6 +427,18 @@ if(WOLFSSL_DTLS_CID)
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CID")
 endif()
 
+# DTLS 1.3 Fragment ClientHello
+add_option("WOLFSSL_DTLS_CH_FRAG"
+    "Enable wolfSSL DTLS 1.3 Fragment ClientHello (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_DTLS_CH_FRAG)
+    if(NOT WOLFSSL_DTLS13)
+        message(FATAL_ERROR "DTLS 1.3 Fragment ClientHello is supported only for DTLSv1.3")
+    endif()
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_DTLS_CH_FRAG")
+endif()
+
 # RNG
 add_option("WOLFSSL_RNG"
     "Enable compiling and using RNG (default: enabled)"
@@ -511,9 +523,6 @@ if(WOLFSSL_WOLFSSH)
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_WOLFSSH")
 endif()
 
-if(WOLFSSL_WOLFSSH OR WOLFSSL_WPAS)
-    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_PUBLIC_MP")
-endif()
 
 # TODO: - DTLS-SCTP
 #       - DTLS multicast
@@ -881,6 +890,27 @@ add_option("WOLFSSL_AESOFB"
     "Enable wolfSSL AES-OFB support (default: disabled)"
     "no" "yes;no")
 
+# AES-ECB
+add_option("WOLFSSL_AESECB"
+    "Enable wolfSSL AES-ECB support (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_AESECB)
+    list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_AES_ECB")
+endif()
+
+# AES-CTS
+add_option("WOLFSSL_AESCTS"
+    "Enable wolfSSL AES-CTS support (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_AESCTS)
+    if(NOT WOLFSSL_AESCBC)
+        message(FATAL_ERROR "AES-CTS requires AES-CBC.")
+    endif()
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_AES_CTS")
+endif()
+
 # TODO: - AES-GCM stream
 #       - AES-ARM
 #       - Xilinx hardened crypto
@@ -1080,7 +1110,7 @@ if(WOLFSSL_ECCSI)
         message(FATAL_ERROR "cannot enable ECCSI without enabling ECC.")
     endif()
 
-    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFCRYPT_HAVE_ECCSI -DWOLFSSL_PUBLIC_MP")
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFCRYPT_HAVE_ECCSI")
 endif()
 
 # SAKKE
@@ -1105,6 +1135,18 @@ if(WOLFSSL_SIPHASH)
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SIPHASH")
 endif()
 
+add_option("WOLFSSL_PUBLIC_MP"
+    "Enable public MP API (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_WOLFSSH OR WOLFSSL_WPAS OR WOLFSSL_ECCSI)
+    override_cache(WOLFSSL_PUBLIC_MP "yes")
+endif()
+
+if(WOLFSSL_PUBLIC_MP)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_PUBLIC_MP")
+endif()
+
 # TODO: - Compressed key
 #       - FP ECC, fixed point cache ECC
 #       - ECC encrypt
@@ -1310,6 +1352,15 @@ else()
     endif()
 endif()
 
+# RSA Direct
+add_option("WOLFSSL_WC_RSA_DIRECT"
+    "Enable RSA Direct (default: disabled)"
+    "no" "yes;no")
+
+if(WOLFSSL_RSA AND WOLFSSL_WC_RSA_DIRECT)
+    list(APPEND WOLFSSL_DEFINITIONS "-DWC_RSA_DIRECT")
+endif()
+
 # OAEP
 add_option("WOLFSSL_OAEP"
     "Enable RSA OAEP (default: enabled)"
@@ -1435,6 +1486,12 @@ if(NOT WOLFSSL_AES)
     if(WOLFSSL_AESCTR)
         message(FATAL_ERROR "AESCTR requires AES.")
     endif()
+    if(WOLFSSL_AESECB)
+        message(FATAL_ERROR "AES-ECB requires AES.")
+    endif()
+    if(WOLFSSL_AESCTS)
+        message(FATAL_ERROR "AES-CTS requires AES.")
+    endif()
 else()
     if(WOLFSSL_LEAN_PSK)
         list(APPEND WOLFSSL_DEFINITIONS "-DNO_AES")
@@ -2196,13 +2253,14 @@ if(WOLFSSL_AESOFB)
 endif()
 
 if(WOLFSSL_TPM)
-    override_cache(WOLFSSL_KEYGEN   "yes")
-    override_cache(WOLFSSL_CERTGEN  "yes")
-    override_cache(WOLFSSL_CRYPTOCB "yes")
-    override_cache(WOLFSSL_CERTREQ  "yes")
-    override_cache(WOLFSSL_CERTEXT  "yes")
-    override_cache(WOLFSSL_PKCS7    "yes")
-    override_cache(WOLFSSL_AESCFB   "yes")
+    override_cache(WOLFSSL_KEYGEN    "yes")
+    override_cache(WOLFSSL_CERTGEN   "yes")
+    override_cache(WOLFSSL_CRYPTOCB  "yes")
+    override_cache(WOLFSSL_CERTREQ   "yes")
+    override_cache(WOLFSSL_CERTEXT   "yes")
+    override_cache(WOLFSSL_PKCS7     "yes")
+    override_cache(WOLFSSL_AESCFB    "yes")
+    override_cache(WOLFSSL_PUBLIC_MP "yes")
     list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_ALLOW_ENCODING_CA_FALSE")
 endif()
 
@@ -2600,7 +2658,7 @@ target_compile_definitions(wolfssl PRIVATE "BUILDING_WOLFSSL")
 if(${BUILD_SHARED_LIBS})
     target_compile_definitions(wolfssl PUBLIC "WOLFSSL_DLL")
 endif()
-target_compile_definitions(wolfssl PUBLIC ${WOLFSSL_DEFINITIONS})
+target_compile_definitions(wolfssl PRIVATE ${WOLFSSL_DEFINITIONS})
 
 ####################################################
 # Include Directories
@@ -2663,6 +2721,7 @@ if(WOLFSSL_EXAMPLES)
     add_executable(client
         ${CMAKE_CURRENT_SOURCE_DIR}/examples/client/client.c)
     target_link_libraries(client wolfssl)
+    target_compile_definitions(client PRIVATE ${WOLFSSL_DEFINITIONS})
     set_property(TARGET client
                  PROPERTY RUNTIME_OUTPUT_DIRECTORY
                  ${WOLFSSL_OUTPUT_BASE}/examples/client)
@@ -2671,6 +2730,7 @@ if(WOLFSSL_EXAMPLES)
     add_executable(server
         ${CMAKE_CURRENT_SOURCE_DIR}/examples/server/server.c)
     target_link_libraries(server wolfssl)
+    target_compile_definitions(server PRIVATE ${WOLFSSL_DEFINITIONS})
     set_property(TARGET server
                  PROPERTY RUNTIME_OUTPUT_DIRECTORY
                  ${WOLFSSL_OUTPUT_BASE}/examples/server)
@@ -2681,6 +2741,7 @@ if(WOLFSSL_EXAMPLES)
     target_include_directories(echoclient PRIVATE
         ${CMAKE_CURRENT_BINARY_DIR})
     target_link_libraries(echoclient wolfssl)
+    target_compile_definitions(echoclient PRIVATE ${WOLFSSL_DEFINITIONS})
     set_property(TARGET echoclient
                  PROPERTY RUNTIME_OUTPUT_DIRECTORY
                  ${WOLFSSL_OUTPUT_BASE}/examples/echoclient)
@@ -2691,6 +2752,7 @@ if(WOLFSSL_EXAMPLES)
     target_include_directories(echoserver PRIVATE
         ${CMAKE_CURRENT_BINARY_DIR})
     target_link_libraries(echoserver wolfssl)
+    target_compile_definitions(echoserver PRIVATE ${WOLFSSL_DEFINITIONS})
     set_property(TARGET echoserver
                  PROPERTY RUNTIME_OUTPUT_DIRECTORY
                  ${WOLFSSL_OUTPUT_BASE}/examples/echoserver)
@@ -2700,6 +2762,7 @@ if(WOLFSSL_EXAMPLES)
         add_executable(tls_bench
             ${CMAKE_CURRENT_SOURCE_DIR}/examples/benchmark/tls_bench.c)
         target_link_libraries(tls_bench wolfssl)
+        target_compile_definitions(tls_bench PRIVATE ${WOLFSSL_DEFINITIONS})
         if(CMAKE_USE_PTHREADS_INIT)
             target_link_libraries(tls_bench Threads::Threads)
         endif()
@@ -2804,6 +2867,7 @@ if(WOLFSSL_EXAMPLES)
         ${CMAKE_CURRENT_BINARY_DIR})
     target_compile_options(unit_test PUBLIC "-DNO_MAIN_DRIVER")
     target_link_libraries(unit_test wolfssl)
+    target_compile_definitions(unit_test PRIVATE ${WOLFSSL_DEFINITIONS})
     if(CMAKE_USE_PTHREADS_INIT)
         target_link_libraries(unit_test Threads::Threads)
     endif()
@@ -2829,6 +2893,7 @@ if(WOLFSSL_CRYPT_TESTS)
             ${CMAKE_CURRENT_SOURCE_DIR}/wolfcrypt/test/test.c)
         set_target_properties(wolfcrypttest_lib PROPERTIES OUTPUT_NAME "wolfcrypttest")
         target_link_libraries(wolfcrypttest_lib wolfssl)
+        target_compile_definitions(wolfcrypttest_lib PRIVATE ${WOLFSSL_DEFINITIONS})
         target_compile_options(wolfcrypttest_lib PRIVATE "-DNO_MAIN_DRIVER")
         if(WOLFSSL_CRYPT_TESTS_HELP)
             target_compile_options(wolfcrypttest_lib PRIVATE "-DHAVE_WOLFCRYPT_TEST_OPTIONS")
@@ -2839,13 +2904,15 @@ if(WOLFSSL_CRYPT_TESTS)
             ${CMAKE_CURRENT_SOURCE_DIR}/wolfcrypt/benchmark/benchmark.c)
         set_target_properties(wolfcryptbench_lib PROPERTIES OUTPUT_NAME "wolfcryptbench")
         target_link_libraries(wolfcryptbench_lib wolfssl)
+        target_compile_definitions(wolfcryptbench_lib PRIVATE ${WOLFSSL_DEFINITIONS})
         target_compile_options(wolfcryptbench_lib PRIVATE "-DNO_MAIN_DRIVER")
     endif()
 
     # Build wolfCrypt test executable.
     add_executable(wolfcrypttest
         ${CMAKE_CURRENT_SOURCE_DIR}/wolfcrypt/test/test.c)
     target_link_libraries(wolfcrypttest wolfssl)
+    target_compile_definitions(wolfcrypttest PRIVATE ${WOLFSSL_DEFINITIONS})
     set_property(TARGET wolfcrypttest
                  PROPERTY RUNTIME_OUTPUT_DIRECTORY
                  ${WOLFSSL_OUTPUT_BASE}/wolfcrypt/test)
@@ -2865,6 +2932,7 @@ if(WOLFSSL_CRYPT_TESTS)
     target_include_directories(wolfcryptbench PRIVATE
         ${CMAKE_CURRENT_BINARY_DIR})
     target_link_libraries(wolfcryptbench wolfssl)
+    target_compile_definitions(wolfcryptbench PRIVATE ${WOLFSSL_DEFINITIONS})
     set_property(TARGET wolfcryptbench
                  PROPERTY RUNTIME_OUTPUT_DIRECTORY
                  ${WOLFSSL_OUTPUT_BASE}/wolfcrypt/benchmark)
@@ -3019,9 +3087,9 @@ if(WOLFSSL_INSTALL)
     # Install the library
     install(TARGETS wolfssl
             EXPORT wolfssl-targets
-            LIBRARY DESTINATION lib
-            ARCHIVE DESTINATION lib
-            RUNTIME DESTINATION bin
+            LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}
+            ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
+            RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
             )
     # Install the headers
     install(DIRECTORY ${WOLFSSL_OUTPUT_BASE}/wolfssl/

diff --git a/INSTALL b/INSTALL
@@ -16,6 +16,9 @@
     all the generated build options. This file needs to be included in your application
     before any other wolfSSL headers. Optionally your application can define
     WOLFSSL_USE_OPTIONS_H to do this automatically.
+    Note: Building with configure also installs CMake package files under
+    $(libdir)/cmake/wolfssl to support find_package(wolfssl). You can disable this
+    with ./configure --disable-cmake-install.
 
 2. Building on iOS
 

diff --git a/Makefile.am b/Makefile.am
@@ -78,6 +78,9 @@ CLEANFILES+= ecc-key.der \
              pkcs7encryptedDataDES3.der \
              pkcs7encryptedDataDES.der \
              pkcs7envelopedDataAES256CBC_ECDH.der \
+             cmake/wolfssl-config.cmake \
+             cmake/wolfssl-config-version.cmake \
+             cmake/wolfssl-targets.cmake \
              pkcs7envelopedDataAES128CBC_ECDH_SHA1KDF.der \
              pkcs7envelopedDataAES256CBC_ECDH_SHA256KDF.der \
              pkcs7envelopedDataAES256CBC_ECDH_SHA512KDF.der \

diff --git a/cmake/Config.cmake.in b/cmake/Config.cmake.in
@@ -1,4 +1,9 @@
 @PACKAGE_INIT@
+# Autoconf-generated configs won't define PACKAGE_PREFIX_DIR; fall back to the
+# configured install prefix for non-relocatable packages.
+if (NOT DEFINED PACKAGE_PREFIX_DIR)
+  set(PACKAGE_PREFIX_DIR "@WOLFSSL_PREFIX_ABS@")
+endif()
 
 include(CMakeFindDependencyMacro)
 if (@HAVE_PTHREAD@)