Three fixes for guard-context correctness in the ASN.1 code split:
1. Strip WOLFSSL_ASN_ORIG_INCLUDED from forward declaration wrappers.
The file-guard was being applied to fwd decls in asn.c, but at the
fwd-decl site that macro is not yet defined, so #ifndef ... #else
inverted the condition and hid all declarations.
2. Add outer feature guard tracking. Large feature sections (HAVE_OCSP,
HAVE_CRL, WOLFSSL_CERT_GEN, etc.) that span many functions in asn.c
are now tracked and re-emitted around the corresponding blocks in
asn_orig.c, fixing 'unknown type name' errors in minimal builds.
3. Collect multi-line #if continuations in the outer guard map so that
full guard conditions (e.g. #if !defined(NO_RSA) && \ continued
across lines) are stored and compared as complete strings, preventing
duplicate guard emission.
Both modes build and pass tests (5 PASS, 0 FAIL each):
./configure --enable-asn=original && make check
./configure && make check
Add settings.h include before the compile guard in asn_orig.c so
WOLFSSL_IGNORE_FILE_WARN is available when compiled separately.
Add -Wno-pedantic for asn_orig.c in async examples Makefile to
suppress empty translation unit warning.
- Copy TLS 1.3 traffic secrets and DTLS 1.3 epoch/cipher state to the
write-dup side in DupSSL so key updates can be performed.
- Delegate KeyUpdate responses from the read side to the write side via
the shared WriteDup struct, for both peer-initiated and local key
updates.
- Delegate DTLS 1.3 ACK sending from the read side to the write side.
- Track DTLS 1.3 KeyUpdate ACKs: write side records the in-flight
KeyUpdate epoch/seq, read side sets keyUpdateAcked when the matching
ACK arrives.
- Delegate post-handshake certificate authentication (CertificateRequest
processing) from the read side to the write side, transferring
transcript hashes, cert context, and signature parameters.
- Reset prevSent/plainSz to prevent stale values from SendData to think
that data was already sent.
- Refactor FreeHandshakeHashes into Free_HS_Hashes for reuse.
- Move DTLS 1.3 epoch initialization earlier in InitSSL so the
write-dup early-return path has valid epoch state.
- Add tests for write dup with all protocol versions, key update,
post-handshake auth, and WANT_WRITE recovery.
- Add --enable-all --enable-writedup to CI os-check matrix.
wolfssl/ssl.h, examples/client/client.c, examples/server/server.c, src/bio.c, tests/api.c: add error tracing for WOLFSSL_SHUTDOWN_NOT_DONE.
tests/api.c: in test_wolfSSL_read_write_ex(), use WOLFSSL_SUCCESS rather than 1 for expected-success wolfSSL_shutdown()s, and add note that the wrong value is being returned (the test currently always fails, which is masked by an always-success retval).
* don't default-enable ML-KEM if SHA3/SHAKE are explicitly disabled at user request, or if FIPS <7.
* move ML-KEM flag setup after FIPS setup (like SHA3 and SHAKE flag setup) to allow FIPS overrides.
* remove the unused and misleading "v6-ready" FIPS flavor, and fix v6-dev to get the v6 version triplet.