Add defense-in-depth checks to wc_ed{25519,448}_check_key() and
ed{25519,448}_verify_msg_final_with_sha() that reject the identity
point and other small-order public keys. Honest EdDSA key generation
never produces such keys, but wolfSSL previously accepted them on
import and verification. The guard runs at both entry points so it
holds even when a key is imported with trusted=1. New tests are gated
on !HAVE_FIPS || FIPS_VERSION3_GE(7,0,0).
TLS_EMPTY_RENEGOTIATION_INFO_SCSV appears in GetCipherNames() when
HAVE_RENEGOTIATION_INDICATION is set. It is a signaling value, not a
real suite; set_cipher_list accepts it but the handshake rejects it
with UNSUPPORTED_SUITE. Add it to record_size_skip_cipher's deny list.
wolfssl_local_GetRecordSize() runs BuildMessage(sizeOnly=1) on every
wolfSSL_write hot path. For AEAD ciphers the overhead is constant per
connection framing state, so cache (recordSz - payloadSz) on WOLFSSL
and invalidate in SetKeysSide(), at cidInfo->tx assignment, and in
wolfSSL_clear(). BuildMessage stays the single source of truth.
Add test_record_size_matches_build_message (cross-checks every built
cipher over TLS/DTLS +/- CID against BuildMessage) and
test_record_size_cache_invalidated_on_renegotiation.
Move out DTLS 1.3 specific tests into test_dtls13.c. (Also move out from
test_dtls.c)
Move out DTLS tests into test_dtls.c.
Move out LMS and XMSS tests into test_lms_xmss.c.
Move out SSL session tests into test_session.c.
Move out remaining ML-DSA/Dilithium tests in api.c into test_mldsa.c.
test_dtls13_oversized_cert_chain (added upstream in 1653ecd07) loaded a >9-cert chain to exercise SendTls13Certificate's word16 overflow guard. This PR now rejects over-MAX_CHAIN_DEPTH chains at load in ProcessUserChain, so the chain never reaches the send path; the load-time rejection is covered by test_wolfSSL_CTX_use_certificate_chain_buffer_max_depth. The word16 send guard remains as defense-in-depth (now only reachable via large PQC chains).
Enable all-zero shared secret check for Curve448/25519 by default. Ensure post_handshake_auth extension was sent before accepting post-handshake CertificateRequest message.
Add `*pp == NULL` checks to three d2i wrappers to prevent NULL deref
on public OpenSSL-compat APIs:
- d2i_evp_pkey (reachable via wolfSSL_d2i_PublicKey/PrivateKey)
- wolfSSL_d2i_OCSP_RESPONSE
- wolfSSL_d2i_ECDSA_SIG (template-ASN crash)
Also add regression tests for the existing PR fixes: ProcessBuffer
negative-size, PemToDer family negative-pemSz, GetCRLInfo negative-sz,
wc_Set*Buffer derSz<0, and d2i_ECDSA_SIG negative-length / *pp==NULL.
wolfssl/wolfcrypt/wc_mldsa.h: move WOLFSSL_MLDSA_NO_CTX setup to precede legacy dilithium.h header, so that the _NO_CTX remap macros are properly gated in.
When building with --enable-opensslextra=x509small, only OPENSSL_EXTRA_X509_SMALL is defined, not OPENSSL_EXTRA, so these functions are not compiled into the library