Add --enable-tinytls13 TLS 1.3-only footprint profile

.github/workflows/tinytls13.yml

@@ -0,0 +1,154 @@
+name: Tiny TLS 1.3 Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'release/**' ]
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches: [ '*' ]
+  schedule:
+    - cron: '42 10 * * 1-5'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+permissions:
+  contents: read
+
+jobs:
+  # Build + make check every --enable-tinytls13 spelling on one runner via
+  # .github/scripts/parallel-make-check.py (see psk.yml for the pattern).
+  make_check:
+    name: make check
+    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v5
+        name: Checkout wolfSSL
+
+      - name: Install dependencies
+        uses: ./.github/actions/install-apt-deps
+        with:
+          packages: autoconf automake libtool build-essential bubblewrap
+          ghcr-debs-tag: ubuntu-24.04-minimal
+
+      - name: Set up ccache
+        uses: ./.github/actions/ccache-setup
+        with:
+          workflow-id: tinytls13
+          read-only: ${{ github.event_name == 'pull_request' }}
+          max-size: 100M
+
+      - name: Allow unprivileged user namespaces (for bwrap)
+        run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
+
+      # Every tiny TLS 1.3 profile/adder spelling, so each is proven to build
+      # and pass make check (which runs the TLS handshake test suite) out of
+      # the box. Server is enabled where a config needs the server-side tests.
+      # The psk-p256 and cert-rsaverify configs strip to combinations
+      # (ECDHE-only ECC without certs, RSA verify only) that the OpenSSL-compat
+      # API unit suite (coupled to examples via BUILD_TESTS) does not gate for.
+      # Rather than carry test-harness edits for those, they build static with
+      # --disable-examples, skip make check ("check": false), and instead run
+      # wolfcrypt/test/testwolfcrypt plus examples/configs/tinytls13_smoke.c
+      # (a self-contained in-memory TLS 1.3 handshake) for real crypto and
+      # handshake verification.
+      - name: Build and test all tinytls13 configs
+        run: |
+          cat > "$RUNNER_TEMP/tinytls13-configs.json" <<'EOF'
+          [
+          {"name": "tinytls13-psk-x25519", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server", "--disable-mlkem"]},
+          {"name": "tinytls13-psk-p256", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=psk,p256,server", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
+                   ["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke"]]},
+          {"name": "tinytls13-psk-staticmem", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server,staticmem", "--disable-mlkem"]},
+          {"name": "tinytls13-psk-mldsa", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server,mldsa", "--disable-mlkem"]},
+          {"name": "tinytls13-psk-sha384", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server,sha384", "--disable-mlkem"]},
+          {"name": "tinytls13-cert", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-sha384", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server,sha384", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-mutualauth", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,mutualauth,server", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-rsaverify", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server,rsaverify", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
+                   ["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke"]]},
+          {"name": "tinytls13-cert-mldsa", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server,mldsa", "--enable-static", "--disable-mlkem"],
+           "run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke"]]},
+          {"name": "tinytls13-psk-client-only", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-client-only", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert", "--disable-mlkem"]},
+          {"name": "tinytls13-psk-asm", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server,asm", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-asm", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server,asm", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-chacha", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "cflags": "-DHAVE_CHACHA -DHAVE_POLY1305",
+           "run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke", "TLS13-CHACHA20-POLY1305-SHA256"]]},
+          {"name": "tinytls13-cert-aes256", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server,sha384", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "cflags": "-DWOLFSSL_AES_256",
+           "run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke", "TLS13-AES256-GCM-SHA384"]]},
+          {"name": "tinytls13-psk-mlkem", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server", "--enable-static"],
+           "run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke", "-", "mlkem"]]},
+          {"name": "tinytls13-cert-staticmem", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server,staticmem", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
+                   ["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke"]]},
+          {"name": "tinytls13-nomalloc", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=psk,server,staticmem", "--enable-static", "--disable-shared", "--disable-examples", "--disable-crypttests", "--disable-mlkem"],
+           "cflags": "-DWOLFSSL_NO_MALLOC"},
+          {"name": "tinytls13-combo-cert-mutualauth-sha384", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,mutualauth,server,sha384", "--disable-mlkem"]},
+          {"name": "tinytls13-combo-cert-mldsa-sha384", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server,mldsa,sha384", "--enable-static", "--disable-mlkem"],
+           "run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke"]]},
+          {"name": "tinytls13-bare", "minutes": 1,
+           "configure": ["--enable-tinytls13", "--disable-mlkem"]},
+          {"name": "tinytls13-usersettings", "minutes": 1, "check": false,
+           "user_settings": "examples/configs/user_settings_tinytls13.h",
+           "configure": ["--enable-usersettings", "--enable-static", "--disable-shared", "--disable-examples", "--disable-crypttests"]}
+          ]
+          EOF
+          .github/scripts/parallel-make-check.py \
+            ${{ github.event_name == 'schedule' && '--build-only' || '' }} \
+            --private-dir=certs \
+            "$RUNNER_TEMP/tinytls13-configs.json"
+
+      - name: ccache stats
+        if: always()
+        run: ccache -s || true
+
+      - name: Upload logs on failure
+        if: failure()
+        uses: actions/upload-artifact@v6
+        with:
+          retention-days: 7
+          name: tinytls13-logs
+          path: |
+            build-*/make-check.log
+            build-*/test-suite.log
+            build-*/config.log
+          if-no-files-found: ignore

.wolfssl_known_macro_extras

@@ -816,7 +816,6 @@ WOLFSSL_MANUALLY_SELECT_DEVICE_CONFIG
 WOLFSSL_MDK5
 WOLFSSL_MEM_FAIL_COUNT
 WOLFSSL_MICROCHIP_AESGCM
-WOLFSSL_MLKEM_DYNAMIC_KEYS
 WOLFSSL_MLKEM_INVNTT_UNROLL
 WOLFSSL_MLKEM_NO_MALLOC
 WOLFSSL_MLKEM_NTT_UNROLL
@@ -948,6 +947,7 @@ WOLFSSL_TICKET_ENC_CBC_HMAC
 WOLFSSL_TICKET_ENC_CHACHA20_POLY1305
 WOLFSSL_TICKET_ENC_HMAC_SHA384
 WOLFSSL_TICKET_ENC_HMAC_SHA512
+WOLFSSL_TINY_TLS13_NO_DEFAULT_CURVE
 WOLFSSL_TI_CURRTIME
 WOLFSSL_TLS13_DRAFT
 WOLFSSL_TLS13_IGNORE_AEAD_LIMITS

certs/mldsa/ecc-leaf-mldsa44.pem

@@ -0,0 +1,61 @@
+-----BEGIN CERTIFICATE-----
+MIIK4zCCAVmgAwIBAgIURMREBesDbhFE7MTpbJAhFuwlmNgwCwYJYIZIAWUDBAMR
+MFoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRAwDgYDVQQKDAd3b2xmU1NMMRUwEwYDVQQDDAxUZXN0IG1sZHNhNDQwHhcN
+MjYwNjI0MTkyODM5WhcNMzYwNjIxMTkyODM5WjAUMRIwEAYDVQQDDAlsb2NhbGhv
+c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7M6xMJ1BKxkqlBMM83p8223It
+zpTqK/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo0Iw
+QDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwHwYDVR0jBBgwFoAUswU7
+xg6AYh+iTpNtmT4TaDnG/DIwCwYJYIZIAWUDBAMRA4IJdQBp2TdyejDOdGyPgB2n
+c4X+/TQ1EhPeHNs4dZ3gxtmRmYtilgonNPtuEm31DNp0RrcB4BXK6PKhJP27fTAR
+wuwtfdoU7SnC8tsGr1eX3IKGq3+GCMzunJJgMN0zz6mDi25K3c025AxWFxdHOhhQ
+QguUxoZ/GWJsH/e2LJL5qTyeJvHNi/30cNjImsZXFeatQlv87/f1vcwCK4T5/ajd
+GWn4g1ktgRxzvtozBhg7Hw0CbOj0jXFIA+3k/GDCw9RxckBJ8Yn/ddMZNbljduZk
+zLykzjZsrX9badyy8pFgJaGsptgo/SOcxBhHIpjjGu9rTmi1QxAl1yliNoJXBxJR
+RmZijJ619Vmq6w00PSJnM4hP8O7DN8WZ/dZ9f78/WJsNXsv6s036QFwcpj5wo7ex
+OB6ZJSEXkIM9w4mPNpPUyAXfl9GauLGiXANFyqPmm/31CV5nL5INAON5Ft2vbOG8
+RGQySPVV4Cb9WuTtn0iMYgwqdYMxZJbgFUD4RvXiAl5fsLE8N7AHf7Cuua/k+mgZ
+PfH04f2Harzt100Y5J365x5b2ia7QpqRgYeubbCuW8Zd8nVT7+Imo3mgVwNWM9c8
+nskP0uHq51y5qrY3s0DSb8FKcZnZD7zQ70l8EVnlTD2G3QeiE8Id0XqubtrEO+DT
+vyZuMwU4x5NQKGyPUL6tHeUkt7hEWom9sCvIFkeOa4OadGuktxOdDc3f3w2VgG5/
+4nzlP/Y0PSziTw5RuV/G+f4V3VpWlSPCn2CfoTxjoVak/abCiWrijZ8lR3c4ERAl
+AevDEIxpvq5jIlv506vXw2CZeq6195KtsPGhrNkaax7ThZJQPFH/NR5Tu0Y2EBJG
+0lth79qhKKgQDmhf5VNkomblrqW2R6Dm8CvYRuHwmGSk+FfH4ULavv/fuVXaW+h4
+MYjTV8wq4Jdl9qi9G+rfncUzZc2L8/zKisGjuzK0AoWVhs5UgS+/3xjCbsuWkYHG
+siJ2kuZvl7KWR7Oc5OWfaRvAokNtglYWCtUzpD86V08X4l3U77Xi5UFJMjGcVVW6
+2F/WRyhq653vxvclDtkVyBaYDCcnHND7jGpqBcbJDTJyFE/Z3/GPFiYr1mYkVL/v
+jPZ9qklFeWPXCKRVAHESMfFPozMNvdOpWqW0nxZ4P4rjcSKDfXX5wsQC4tW53pK/
+0fpqGrNVY5xsIu8zV6OYpvbaPoaDxHS+clvDB9PrJlvjZUFBWPAiCzjYJNgcVFqU
+39/aAKWj24dbDarp5QEM8rReQiLvCjzD8ARb1zVAnaeyhaMaxCgwp5v/IEcSShH6
+mNX2dcsht10lic5DxJ8Up9ZFNTZhDSD+1E0tX4Vt0DPR8ZVYbW56rnXHTdYiwKhm
+4lXia11zR2f4pl3JD23yYRvSfPJTilWkUO+wAazmP5vRPELyodO4vvqDL+lOkwff
+7IV6JFCLdOV22RpwMHlO7YZkWpoauocljvfZBLLTOqlmcxKGN+T1na9D39jly5oi
+9Aqb4dK6AFaFw5k78kcei3OLNdCDD8dssY1sReMeLM7ENuj4T7XjJh3PVDBDhRS7
+0WPjztBAsVkqOvIRxINjoXTIRvTL0u8P/NUWKhduSDKe+NIvHChuF5VycgAS6G2p
+C3ZqsVM0D3D4s2AvalPJfyhhBN6c9dVeUfjBCNPWk8z7v+d38VHSAPkq5C4Sp5W3
+dD2Wm4ohgkDe1AkvcTtCHSK5tyo8mV0NyObbuMw5YnYyJ5h2CS/PaEfRME+VOsTI
+FLhgy0EZwRfxV+3Q6pTRA3DC0NR50F3teF50HbcmuXxae4FL3F/4qGjErubs6tbD
+M8QzgBLjALl82UrbtFItELLfTjQC7HtOZgwIGqOwd00Eoy6pqwe2AWzYz63A4F1z
+1PPYPAsjfWtfkQmjFeMcljAYaY0YUGox8139lcL8m/7l+2fLhv62m940rRrg41D1
+DTiCIqJTe070lq20iJZ/zWUnrWM/Vhn5PVnc4mgQ7d0uIAJ9j8wxgqw5UYNGYKRw
+Vf3IqsAyYxPsBo9iibBUy4qPMtPA/wN25B22gorjda2Cp0pQWdBjGSRrFjaO8Bx1
+oFJ8nOuzPbG5Q5VJbwGrCxDt7kSueh1ernEAsNAXCWf0L9v+dgJBsYreytCFO7hO
+N+29BKEUh0qXwXmO45gc5Lzw0l19NiBbkm2vYBpW/xh6QHzk22WvPTzMilasDOZK
+aNDiIOXFqKBi4JcmVpJK04BPCiY69pbSL/OpJS+4oR2tKqYo2+U3z89AHNaiLvuB
+v+37j1Z8jMjyZNm+Ex+cKh6PaVTv+sk72goCTfx6hex0WrSDMiU+A9nHho002/oj
+jH3cokwIrpUWd0UpEpMvoNPlCaX9j3s2mL1RxGSy4nd+oabobtGuRRcPDxMK6eRY
+nd3Bksk05pAVqOnAYZNLIYc3ZypXu6ayK4fOL69Ke41OfbWWHZz+or3htceDwZet
+4sAuvL86l1LjFF3kq/G9Z/OxwITrWjocLJemWC32spgelsmOcKV0p6K70JkVFQY6
+c9wl2I360F2oP09wVKd+U7cPvHIMUsQyl0xXR3+bqTVdG4fDqRMksD1nkAQEJvyb
+Tiinf9pUV9raJN/h6fYKu9tis9GRcdy7XPS0t/uLsVHhmhQv+drlCvaigJadpGUN
+79I5WKsFtxXjTLuCxQ9mQspNm9QX8aMnvZLUM7v1oLVxywyWucWSsHBvRM5LP4Kk
+ZrReaVsxyrNHZlfZ0UZoVpoE79FzpYOHj9jh081rY6frEM2a1wYNZFb/hKoN/6FM
+VVKB19glO7oh1AknhueGaDcbAUuVYhHCEpOZVWbD+uQt4FiI1NNjAJSVzsd2Y6Gw
+2/BbAyrdf7lAOopyY4bzJPQsuNCM+kdWNUBrkceWl7d+r3nJUN+g94sMtPIUVQRq
+HWweWk8ZZK167I+/3jPE32H73Dp/8GRuzF8UquAZ0TtBepzaP8BRn2LMUiycqXU9
+Buq9TC2XpyEBGWN3/ferZ8bBURKKSOJk8GRcElIsXc7e8XgAVCCT8D11ZQgKhAjM
+dq6UyK8ufg6jpfx19QvCxduGNZb1KhRSfuGUQXJZMJ6/iOhLqvGSTxCE7sPIk91v
+SAIuxvNEjgFeVFaKn3ETUt51lgANHykqPUJOUWNqgZOaq67HyNHa8PQKFhwnOUZM
+Zm2Fhqby9PgUNz0/U1aCj5G91OIMDSEoSnF0gITBAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAFiUxOw==
+-----END CERTIFICATE-----

certs/mldsa/include.am

@@ -28,6 +28,7 @@ EXTRA_DIST += \
 		 certs/mldsa/mldsa44-key.pem \
 		 certs/mldsa/mldsa44-cert.pem \
 		 certs/mldsa/mldsa44-cert.der \
+		 certs/mldsa/ecc-leaf-mldsa44.pem \
 		 certs/mldsa/mldsa65-key.pem \
 		 certs/mldsa/mldsa65-cert.pem \
 		 certs/mldsa/mldsa65-cert.der \

certs/rsapss/ecc-leaf-rsapss.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNDCCAeigAwIBAgIUJdePE8BDNOOIsd+cyrHxNRYrF/0wQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMIGyMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE
+BwwHQm96ZW1hbjEXMBUGA1UECgwOd29sZlNTTF9SU0FQU1MxEjAQBgNVBAsMCUNB
+LVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB
+FhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0y
+NjA2MjIxODI2NDBaFw0zNjA2MTkxODI2NDBaMBQxEjAQBgNVBAMMCWxvY2FsaG9z
+dDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLszrEwnUErGSqUEwzzenzbbci3O
+lOor+ssgCTksFuhhAumvTdMCk5oxW5eSIX/wzxjakRECNIboIFgzC4A0idijQjBA
+MB0GA1UdDgQWBBRdXSbvrH42+Zt2FStKJQIj77KJMDAfBgNVHSMEGDAWgBSeDODT
+37ZL8xljXMpsk4aiFFORMTBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUA
+oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggEBAElprEznMP8A
+0b5c12vOMkAWT1jxpXGwDeVNkgZS+RfC82OI7UMN7kzlpjGaHts/JMUIvCTmIyNA
+I47x6JteFsnJklrk40Q4Om1ANOI1Zw8Jf/pX9mqwU4uOkto1PzTP7t0EICBr0UG4
+JV97K/+9GT2HJccS6UEh6hG2BySYHAFnG7SoBgXm6a2tGTR/Cfz9ZUY8+Cy87F3k
+3q9sCB3oqP+REOAM7FN/0Va2eY24nHZkno7sGsl2kDTx3vacBjHkx6u/KaaahB5K
+Snb3aGwrksRALpjRHOnz5wYCEtOkLOde0v1sktaVtroVRNXW2pS6iCXPpNApRJyv
+MFCkuGEo+gc=
+-----END CERTIFICATE-----

certs/rsapss/include.am

@@ -3,6 +3,7 @@
 #
 
 EXTRA_DIST += \
+         certs/rsapss/ecc-leaf-rsapss.pem \
          certs/rsapss/ca-rsapss.der \
          certs/rsapss/ca-rsapss.pem \
          certs/rsapss/ca-rsapss-key.der \