- src/x509.c: Guard wolfSSL_X509_get_der against derCert->length > INT_MAX, and reject derSz <= 0 in wolfSSL_i2d_X509.
- tests/api/test_ossl_x509_io.{c,h}: Add API coverage for the X509 DER length guards.
Master's test reorg (c674cec4a) moved test_dtls13_oversized_cert_chain into
the new tests/api/test_dtls13.c. This branch removes that test, so resolve by
taking master's test_dtls.{c,h} and re-applying the removal in test_dtls13.{c,h}.
After the SHA-512/224 and /256 fallback to the generic SHA-512 callback,
restore the variant initial state so the object is reset for reuse, and
exercise the path in cryptocb_test.
1. Side-aware ML-KEM in TLS (tls.c, tls13.c, ssl.c, internal.h):
TLSX_IsGroupSupported/TLSX_UseSupportedCurve take a `side` arg; new
TLSX_IsMlKemGroupSupported + client/server support macros. A build only
capable of one ML-KEM op no longer advertises groups it can't use for
its role.
2. NO_ASN_TIME support (ssl_asn1.c, ssl.h, settings.h): data-only
ASN1_TIME APIs now compile without system time; OCSP responder
auto-disabled under NO_ASN_TIME.
3. SP ECC (sp_*.c, sp_x86_64_asm.asm): curve `b` constants and
sp_ecc_is_point_* always compiled (point-check available in more
configs); asm movsxd -> movsx.
4. configure.ac: BUILD_MEMUSE fixed to trigger on != "xno".
5. Test fixes: HRR-aware TLS 1.3 memio tests (new
test_memio_msg_is_hello_retry_request); tightened build guards
(Ed25519/Ed448 key-import, AES decrypt, XMSS heights, SP sizes,
static-PSK).
* add WOLFSSL_API attribute to wc_linuxkm_sig_ignore_begin(), wc_linuxkm_sig_ignore_end(), wc_linuxkm_check_for_intr_signals(), and wc_linuxkm_relax_long_loop().
* fix WC_CONTAINERIZE_THIS macro wrappers for wc_linuxkm_sig_ignore_begin() and wc_linuxkm_sig_ignore_end() (stray semicolons).
linuxkm/linuxkm_wc_port.h, linuxkm/lkcapi_sha_glue.c, linuxkm/module_hooks.c: add wc_linuxkm_can_block(), and refactor ad hoc `preempt_count() != 0` checks for sleep safety as calls to wc_linuxkm_can_block().
linuxkm/module_hooks.c: fix wc_linuxkm_malloc_usable_size() implementation for kvmalloc() compatibility.
wolfSSL_EVP_PKEY_cmp returned 'not equal' for EC keys that were
serialized to DER and deserialized back, even though the key material
was identical. This happened because keys imported via RFC 5915
(ECPrivateKey) without the optional public key field had type
ECC_PRIVATEKEY_ONLY, meaning the internal ecc_key.pubkey was not
populated. The point comparison then failed against a key that did
have a populated pubkey.
Fix by deriving the public key from the private key via
wc_ecc_make_pub() when the ecc_key type is ECC_PRIVATEKEY_ONLY
before comparing. Also ensure SetECKeyInternal() is called when
the internal representation is not yet synced from external BIGNUMs.
The constant-time path of _DH_compute_key (DH_compute_key_padded) had
the XMEMMOVE source/dest swapped and used (padded_keySz - keySz) as the
length instead of keySz, overwriting the secret with junk when keySz <
padded_keySz. Move key[0..keySz-1] to the high end, matching the idiom
used in tls.c/sniffer.c.
FreeCiphersSide freed cipher->cam with XFREE only, leaving the expanded
key schedule and IV in freed heap memory. Call wc_CamelliaFree (which
ForceZeros the context) before XFREE, matching the ARIA cleanup above.
Dtls13NewEpochSlot never updated oldestNumber after picking a candidate,
so every eligible epoch compared "older" than the sentinel and the last
eligible slot was returned instead of the lowest epoch number. Update
oldestNumber alongside oldest so the true minimum is evicted.
wolfSSL_CTX_set_groups/wolfSSL_set_groups only rejected counts above
WOLFSSL_MAX_GROUP_COUNT; a negative count skipped the copy loop and was
cast to byte (e.g. 255) into numGroups, which InitSSL later trusts for a
fixed-size copy. Reject count <= 0 in both, and in the set1_groups
OpenSSL-compat wrappers.
DoTls13CertificateRequest rejected a non-empty context during the
handshake but did the complementary check for post-handshake auth.
Per RFC 8446 Section 4.3.2 a post-handshake certificate_request_context
must be non-empty and unique; reject a zero-length context and one that
duplicates a still-pending request context with a fatal illegal_parameter
alert.
DoTls13CertificateRequest parsed the extensions but never verified the
mandatory signature_algorithms extension was present. A request with
none left peerSuites.hashSigAlgoSz at zero and was accepted. Per RFC
8446 Section 4.3.2, reject such a request with a fatal missing_extension
alert before selecting a certificate response.