Not all RISC-V chips allow unaligned reads and writes with basic
assembly instructions like lw/sw.
Add alternative assembly that is turned on with:
WOLFSSL_RISCV_ASM_NO_UNALIGNED.
Add defense-in-depth checks to wc_ed{25519,448}_check_key() and
ed{25519,448}_verify_msg_final_with_sha() that reject the identity
point and other small-order public keys. Honest EdDSA key generation
never produces such keys, but wolfSSL previously accepted them on
import and verification. The guard runs at both entry points so it
holds even when a key is imported with trusted=1. New tests are gated
on !HAVE_FIPS || FIPS_VERSION3_GE(7,0,0).
TLS_EMPTY_RENEGOTIATION_INFO_SCSV appears in GetCipherNames() when
HAVE_RENEGOTIATION_INDICATION is set. It is a signaling value, not a
real suite; set_cipher_list accepts it but the handshake rejects it
with UNSUPPORTED_SUITE. Add it to record_size_skip_cipher's deny list.
wolfssl_local_GetRecordSize() runs BuildMessage(sizeOnly=1) on every
wolfSSL_write hot path. For AEAD ciphers the overhead is constant per
connection framing state, so cache (recordSz - payloadSz) on WOLFSSL
and invalidate in SetKeysSide(), at cidInfo->tx assignment, and in
wolfSSL_clear(). BuildMessage stays the single source of truth.
Add test_record_size_matches_build_message (cross-checks every built
cipher over TLS/DTLS +/- CID against BuildMessage) and
test_record_size_cache_invalidated_on_renegotiation.
Move out DTLS 1.3 specific tests into test_dtls13.c. (Also move out from
test_dtls.c)
Move out DTLS tests into test_dtls.c.
Move out LMS and XMSS tests into test_lms_xmss.c.
Move out SSL session tests into test_session.c.
Move out remaining ML-DSA/Dilithium tests in api.c into test_mldsa.c.
test_dtls13_oversized_cert_chain (added upstream in 1653ecd07) loaded a >9-cert chain to exercise SendTls13Certificate's word16 overflow guard. This PR now rejects over-MAX_CHAIN_DEPTH chains at load in ProcessUserChain, so the chain never reaches the send path; the load-time rejection is covered by test_wolfSSL_CTX_use_certificate_chain_buffer_max_depth. The word16 send guard remains as defense-in-depth (now only reachable via large PQC chains).
Enforce MAX_CHAIN_DEPTH limits in OCSP chain processing
(SendCertificateStatus, ProcessChainOCSPRequest), certificate loading
(ProcessUserChain), and TLS 1.3 certificate sending
(SendTls13Certificate). Add idx bounds checks to chain accessors
in ssl.c.
Harden SNI extension parser (TLSX_SNI_GetFromBuffer) with length
checks preventing buffer overreads on malformed ClientHello.
Fix off-by-one in TLSX_CSR_Free where <= should be < since
csr->requests is a count, not a max index.
Add remaining-buffer bounds checks to PKCS7 decoders:
DecodeEnvelopedData, DecodeAuthEnvelopedData (encryptedContentSz
and authTagSz), DecodeEncryptedData, SignedData null signature tag,
and PwriKek_KeyUnWrap cekLen validation.
Remove outdated RFC, refactor into single error case, guard against negative/0 len and NULL *data pointer, don't set ownStatus until status is confirmed non-NULL.
Enable all-zero shared secret check for Curve448/25519 by default. Ensure post_handshake_auth extension was sent before accepting post-handshake CertificateRequest message.
Add `*pp == NULL` checks to three d2i wrappers to prevent NULL deref
on public OpenSSL-compat APIs:
- d2i_evp_pkey (reachable via wolfSSL_d2i_PublicKey/PrivateKey)
- wolfSSL_d2i_OCSP_RESPONSE
- wolfSSL_d2i_ECDSA_SIG (template-ASN crash)
Also add regression tests for the existing PR fixes: ProcessBuffer
negative-size, PemToDer family negative-pemSz, GetCRLInfo negative-sz,
wc_Set*Buffer derSz<0, and d2i_ECDSA_SIG negative-length / *pp==NULL.