Files
Aidan Garske 41fad5f307 Fix and expand tinytls13 footprint profile across CI configs
Make every --enable-tinytls13 spelling build and pass locally, and grow the
CI matrix to cover them. These are fixes found while testing the configs the
CI workflow had not actually exercised.

- internal.h, internal.c, ssl_load.c: include ML-DSA and Falcon in the
  pkCurveOID member and producer guards so the PSK plus ML-DSA build compiles.
- tls13.c: gate the DoTls13CertificateVerify definition on NO_CERTS to match
  its call site.
- settings.h: let the AES-256 adder survive the floor, default the
  user_settings path to the SHA-256 floor, make WOLFSSL_NO_MALLOC opt-in so
  the test suite still runs, and keep ML-DSA ASN.1 for the cert profile.
- configure.ac: drive ENABLED_ASM and emit WOLFSSL_NO_ASM for the small C
  floor, restrict SP math to P-256, strip ML-DSA ASN.1 only on the PSK floor,
  and print a notice for the reduced security cert verify.
- examples: guard the cert loading paths for NO_CERTS and treat NO_CERTS as
  PSK mode in echoserver and echoclient.
- Add examples/configs/tinytls13_smoke.c, an in memory TLS 1.3 handshake test
  that drives PSK, ECDSA, ML-DSA-65 and RSA-PSS chain verify, plus forced
  cipher suites, for builds with no example or unit test harness.
- certs: add ECDSA leaves signed by the ML-DSA-65 and RSA-PSS CAs so the cert
  profiles drive a real PQC and PSS chain verify in CI.
- .github/workflows/tinytls13.yml: cover every profile and adder, run the
  smoke handshake on the build verified configs, and least privilege the
  workflow token.
2026-06-22 12:08:58 -07:00

62 lines
2.5 KiB
Plaintext

# vim:ft=automake
# All paths should be given relative to the root
#
EXTRA_DIST += \
certs/rsapss/ecc-leaf-rsapss.pem \
certs/rsapss/ca-rsapss.der \
certs/rsapss/ca-rsapss.pem \
certs/rsapss/ca-rsapss-key.der \
certs/rsapss/ca-rsapss-key.pem \
certs/rsapss/ca-rsapss-priv.der \
certs/rsapss/ca-rsapss-priv.pem \
certs/rsapss/client-rsapss.der \
certs/rsapss/client-rsapss.pem \
certs/rsapss/client-rsapss-key.der \
certs/rsapss/client-rsapss-key.pem \
certs/rsapss/client-rsapss-priv.der \
certs/rsapss/client-rsapss-priv.pem \
certs/rsapss/root-rsapss.der \
certs/rsapss/root-rsapss.pem \
certs/rsapss/root-rsapss-key.der \
certs/rsapss/root-rsapss-key.pem \
certs/rsapss/root-rsapss-priv.der \
certs/rsapss/root-rsapss-priv.pem \
certs/rsapss/server-rsapss.der \
certs/rsapss/server-rsapss.pem \
certs/rsapss/server-rsapss-cert.pem \
certs/rsapss/server-rsapss-key.der \
certs/rsapss/server-rsapss-key.pem \
certs/rsapss/server-rsapss-priv.der \
certs/rsapss/server-rsapss-priv.pem \
certs/rsapss/ca-3072-rsapss.der \
certs/rsapss/ca-3072-rsapss.pem \
certs/rsapss/ca-3072-rsapss-key.der \
certs/rsapss/ca-3072-rsapss-key.pem \
certs/rsapss/ca-3072-rsapss-priv.der \
certs/rsapss/ca-3072-rsapss-priv.pem \
certs/rsapss/client-3072-rsapss.der \
certs/rsapss/client-3072-rsapss.pem \
certs/rsapss/client-3072-rsapss-key.der \
certs/rsapss/client-3072-rsapss-key.pem \
certs/rsapss/client-3072-rsapss-priv.der \
certs/rsapss/client-3072-rsapss-priv.pem \
certs/rsapss/root-3072-rsapss.der \
certs/rsapss/root-3072-rsapss.pem \
certs/rsapss/root-3072-rsapss-key.der \
certs/rsapss/root-3072-rsapss-key.pem \
certs/rsapss/root-3072-rsapss-priv.der \
certs/rsapss/root-3072-rsapss-priv.pem \
certs/rsapss/server-3072-rsapss.der \
certs/rsapss/server-3072-rsapss.pem \
certs/rsapss/server-3072-rsapss-cert.pem \
certs/rsapss/server-3072-rsapss-key.der \
certs/rsapss/server-3072-rsapss-key.pem \
certs/rsapss/server-3072-rsapss-priv.der \
certs/rsapss/server-3072-rsapss-priv.pem \
certs/rsapss/server-mix-rsapss-cert.pem
EXTRA_DIST += \
certs/rsapss/renew-rsapss-certs.sh \
certs/rsapss/gen-rsapss-keys.sh