wolfcrypt/src/wc_slhdsa.c:
* refactor SAVE_VECTOR_REGISTERS2() in slhdsakey_fors_sign() as
CAN_SAVE_VECTOR_REGISTERS(), with local save-restore wrappers around the
rest of the vector calls deeper in the call stack, to avoid failing
GFP_ATOMIC allocations and long spans with interrupts disabled.
* fix numerous bugprone-macro-parentheses and bugprone-signed-char-misuses.
* use readUnalignedWord64() in SHAKE256_SET_SEED_HA_X4_*() and
slhdsakey_shake256_set_seed_ha_x4() to avoid benign unaligned access warnings
from sanitizers.
wolfcrypt/test/test.c:
* in TestDumpData(), use WOLFSSL_DEBUG_PRINTF(), not fprintf(stderr, ...), for
portability.
* in slhdsa_test_param() and slhdsa_test(), use WC_DECLARE_VAR() and friends
for SlhDsaKey allocations, and use ERROR_OUT() and single-return-point
refactors to fix error path memory leaks.
### `wolfssl/internal.h`
- **`InternalTicket` struct gains a flexible array member**: A new `peerCert[]` field (with a preceding `peerCertLen[2]`) is added to `InternalTicket`. This allows the peer's DER-encoded certificate to be stored directly inside the session ticket.
- **`ExternalTicket` struct becomes variable-length**: The `enc_ticket` field is changed from a fixed-size array to a flexible array member (`byte enc_ticket[]`). The `mac` field is removed from the struct — the MAC is now placed dynamically after the encrypted data in `enc_ticket`.
### `src/internal.c`
- The `GetRecordHeader` function now only adds `MAX_COMP_EXTRA` to the maximum allowed record size when `ssl->options.usingCompression` is true, tightening the length validation. The max fragment length extension check is now much stricter.
- **Peer certificate is serialized into the ticket**: During ticket creation, the code attempts to find the peer certificate from `ssl->peerCert` or from `ssl->session->chain` (fallback). If found and within `MAX_TICKET_PEER_CERT_SZ`, it's copied into `it->peerCert`. DTLS is explicitly excluded (peer cert length set to 0) to keep ticket size small for MTU constraints. If `HAVE_MAX_FRAGMENT` is defined and max fragment is not `MAX_RECORD_SIZE` for TLS 1.3, the cert is also skipped since `SendTls13NewSessionTicket` doesn't support fragmentation yet.
- **Peer certificate restoration from ticket**: On successful ticket decryption, if the ticket contains a peer certificate (`peerCertLen > 0`), it is decoded back into `ssl->peerCert` via `ParseCertRelative`/`CopyDecodedToX509`, and also added to `ssl->session->chain` via `AddSessionCertToChain`.
- The `CLEAR_ASN_NO_PEM_HEADER_ERROR` macro was rewritten to loop and remove all consecutive PEM no-start-line errors (not just the last one), wrapped in a `do { ... } while(0)` for safety.
- The `SendTicket` function is simplified to use `SendHandshakeMsg` to support fragmenting the larger ticket.
---
### `src/x509.c`
- `loadX509orX509REQFromPemBio` now accepts `TRUSTED_CERT_TYPE` in addition to `CERT_TYPE` and `CERTREQ_TYPE`.
- **Streaming BIO support**: When `wolfSSL_BIO_get_len()` returns ≤ 0 (e.g., pipes/FIFOs), the function no longer returns an error. Instead, it sets an initial buffer of `MAX_X509_SIZE` and dynamically grows (doubling) up to `MAX_BIO_READ_BUFFER` (`MAX_X509_SIZE * 16`) as data is read byte-by-byte.
- **Alternate footer detection**: For `TRUSTED_CERT_TYPE`, the PEM reader also checks for the regular `CERT_TYPE` footer (`-----END CERTIFICATE-----`) in addition to the trusted cert footer (`-----END TRUSTED CERTIFICATE-----`), so it can parse either format.
- Removed two lines that set `cert->srcIdx` to `SIGALGO_SEQ` offset. This makes `cert->srcIdx` reflect the end of parsed certificate data. This is used by `loadX509orX509REQFromBuffer` to detect where auxiliary trust data begins in trusted certificates.
---
### `src/ssl_sk.c`
- Added a `STACK_TYPE_X509_CRL` case to `wolfssl_sk_dup_data` that calls `wolfSSL_X509_CRL_dup` for deep-copying CRL stack elements. Previously, `STACK_TYPE_X509_CRL` fell through to the unsupported default case.
---
### `wolfssl/openssl/ssl.h`
- `sk_X509_dup` now maps to `wolfSSL_shallow_sk_dup` (was `wolfSSL_sk_dup`/deep copy). This matches OpenSSL's behavior where `sk_X509_dup` does a shallow copy.
- `sk_SSL_CIPHER_dup` similarly changed to `wolfSSL_shallow_sk_dup`.
---
### `src/ssl_api_cert.c`
- When `ssl->ourCert` is `NULL` and the SSL owns its cert, the function now checks if `ssl->ctx->ourCert` points to the same certificate (by comparing DER buffers). If so, it returns the ctx's `X509` pointer directly. This maintains pointer compatibility for applications (like nginx OCSP stapling) that use the `X509*` from `SSL_CTX_use_certificate` as a lookup key.
### `src/bio.c`
- When `wolfssl_file_len` returns `WOLFSSL_BAD_FILETYPE` (now returned for pipes/FIFOs), `wolfSSL_BIO_get_len` treats it as length 0 instead of propagating the error.
---
### `tests/test-maxfrag.conf` and `tests/test-maxfrag-dtls.conf`
- Removed `DHE-RSA-AES256-GCM-SHA384` test entries because the ClientKeyExchange doesn't fit in the selected max fragment length.
Decapsulation needs H, hash of public key, and it is not present if you
have a new key made from a seed.
Code changed to check for and create H in decapsulate.
linuxkm/linuxkm_memory.c:
* fix straddle check in wc_reloc_normalize_text();
* fix seg_map bounds checks in wc_fips_generate_hash();
linuxkm/linuxkm_memory.h: fix initializer for wc_reloc_table_segments.bss_end;
wolfssl/wolfcrypt/settings.h: add WC_BITS_TO_BYTES() and WC_BITS_FULL_BYTES() and deploy opportunistically to wolfssl/internal.h, wolfssl/wolfcrypt/{asn.h,dh.h,rsa.h,types.h}, wolfcrypt/src/sakke.c, and wolfcrypt/test/test.c.
wolfcrypt/test/test.c: fix error-path memory leaks in srtpkdf_test(), and properly gate out incompatible SRTP_KDF_LONG_KEY test on old FIPS (defect introduced in #9733);
.wolfssl_known_macro_extras: get into lexical order and remove unneeded WC_RSA_DIRECT.
## Summary
- Add non-blocking (incremental) Curve25519 key generation and shared secret via `WC_X25519_NONBLOCK`, modeled after the existing ECC non-blocking pattern (`WC_ECC_NONBLOCK`)
- Implement `curve25519_nb()` and `fe_inv__distinct_nb()` in `fe_low_mem.c` as state-machine variants that return `FP_WOULDBLOCK` to yield after each field multiply
- Add `wc_curve25519_set_nonblock()` API to attach/detach non-blocking context to a key
- Integrate X25519 non-blocking with TLS 1.2/1.3 key share generation and shared secret in `tls.c` and `internal.c` (behind `WC_X25519_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW`)
- Add `--enable-curve25519=nonblock` configure option (auto-enables `--enable-asynccrypt` and `--enable-asynccrypt-sw`)
- Add X25519 async software dispatch cases in `async.c` and types in `async.h`
- Fix async guard in `curve25519.c` to require `WOLFSSL_ASYNC_CRYPT_SW` (matching other algorithms)
- Overhaul `examples/async/` client/server: non-blocking I/O via `WOLFSSL_USER_IO`, standalone `Makefile`, X25519/ECC mode selection, CI-friendly ready-file sync
- Add `examples/configs/user_settings_curve25519nonblock.h` and CI coverage in `os-check.yml` and new `async-examples.yml` workflow
- Add wolfcrypt test and API test coverage for X25519 non-blocking
Update ret code to match docs and update docs
Replace magic numbers with appropriate define
Define MAX_ENTROPY_BITS when MEMUSE not enabled
Fix type cast windows detection
Older FIPS modules still need the old check
CodeSpell you're wrong, that is what I want to name my variable
Turn the hostap into a manual dispatch until it gets fixed
Upon closer review we can not skip the test when memuse enabled
Fix whitespace stuff found by multitest
More syntax things
Correct comments based on latest findings
* tweaks to xmss_test() for compatibility with WOLFSSL_NO_MALLOC && NO_WOLFSSL_MEMORY;
* fixes for return codes in dilithium_test().
wolfssl/wolfcrypt/dilithium.h: add !WC_NO_CONSTRUCTORS gate around wc_dilithium_new() and wc_dilithium_delete() prototypes, to match gating in implementation.