Add --enable-tinytls13 TLS 1.3-only footprint profile#10751
Open
aidangarske wants to merge 2 commits into
Open
Add --enable-tinytls13 TLS 1.3-only footprint profile#10751aidangarske wants to merge 2 commits into
aidangarske wants to merge 2 commits into
Conversation
…r + minimal X.509)
Make every --enable-tinytls13 spelling build and pass locally, and grow the CI matrix to cover them. These are fixes found while testing the configs the CI workflow had not actually exercised. - internal.h, internal.c, ssl_load.c: include ML-DSA and Falcon in the pkCurveOID member and producer guards so the PSK plus ML-DSA build compiles. - tls13.c: gate the DoTls13CertificateVerify definition on NO_CERTS to match its call site. - settings.h: let the AES-256 adder survive the floor, default the user_settings path to the SHA-256 floor, make WOLFSSL_NO_MALLOC opt-in so the test suite still runs, and keep ML-DSA ASN.1 for the cert profile. - configure.ac: drive ENABLED_ASM and emit WOLFSSL_NO_ASM for the small C floor, restrict SP math to P-256, strip ML-DSA ASN.1 only on the PSK floor, and print a notice for the reduced security cert verify. - examples: guard the cert loading paths for NO_CERTS and treat NO_CERTS as PSK mode in echoserver and echoclient. - Add examples/configs/tinytls13_smoke.c, an in memory TLS 1.3 handshake test that drives PSK, ECDSA, ML-DSA-65 and RSA-PSS chain verify, plus forced cipher suites, for builds with no example or unit test harness. - certs: add ECDSA leaves signed by the ML-DSA-65 and RSA-PSS CAs so the cert profiles drive a real PQC and PSS chain verify in CI. - .github/workflows/tinytls13.yml: cover every profile and adder, run the smoke handshake on the build verified configs, and least privilege the workflow token.
|
retest this please |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds --enable-tinytls13, a TLS 1.3-only footprint profile for embedded and resource-constrained targets. It is a translation layer over
existing wolfSSL macros (the WOLFSSL_TINY_TLS13 umbrella in settings.h), so it adds no new feature flags to the core library. Non-FIPS.
Profiles and adders
a known or pinned CA, not public-internet PKI. Surfaced in the configure output and docs.
example --enable-tinytls13=cert,server,mldsa.
Footprint
Flash of the gc-sectioned linked client (-Os -flto --gc-sections), Cortex-M33:
Testing
The added tinytls13.yml workflow builds and tests every profile and adder on a single runner (parallel-make-check.py, ccache, same setup as
psk.yml). Stripped configs that the broad unit suite cannot gate for are build-verified with testwolfcrypt plus
examples/configs/tinytls13_smoke.c, a self-contained in-memory TLS 1.3 handshake that drives PSK, ECDSA, ML-DSA-65 and RSA-PSS chain
verification, plus forced ChaCha20-Poly1305 / AES-256-GCM / X25519MLKEM768.