Fix and expand tinytls13 footprint profile across CI configs

Make every --enable-tinytls13 spelling build and pass locally, and grow the
CI matrix to cover them. These are fixes found while testing the configs the
CI workflow had not actually exercised.

- internal.h, internal.c, ssl_load.c: include ML-DSA and Falcon in the
  pkCurveOID member and producer guards so the PSK plus ML-DSA build compiles.
- tls13.c: gate the DoTls13CertificateVerify definition on NO_CERTS to match
  its call site.
- settings.h: let the AES-256 adder survive the floor, default the
  user_settings path to the SHA-256 floor, make WOLFSSL_NO_MALLOC opt-in so
  the test suite still runs, and keep ML-DSA ASN.1 for the cert profile.
- configure.ac: drive ENABLED_ASM and emit WOLFSSL_NO_ASM for the small C
  floor, restrict SP math to P-256, strip ML-DSA ASN.1 only on the PSK floor,
  and print a notice for the reduced security cert verify.
- examples: guard the cert loading paths for NO_CERTS and treat NO_CERTS as
  PSK mode in echoserver and echoclient.
- Add examples/configs/tinytls13_smoke.c, an in memory TLS 1.3 handshake test
  that drives PSK, ECDSA, ML-DSA-65 and RSA-PSS chain verify, plus forced
  cipher suites, for builds with no example or unit test harness.
- certs: add ECDSA leaves signed by the ML-DSA-65 and RSA-PSS CAs so the cert
  profiles drive a real PQC and PSS chain verify in CI.
- .github/workflows/tinytls13.yml: cover every profile and adder, run the
  smoke handshake on the build verified configs, and least privilege the
  workflow token.

Author: aidangarske

.github/workflows/tinytls13.yml

@@ -15,6 +15,9 @@ concurrency:
   cancel-in-progress: true
 # END OF COMMON SECTION
 
+permissions:
+  contents: read
+
 jobs:
   # Build + make check every --enable-tinytls13 spelling on one runner via
   # .github/scripts/parallel-make-check.py (see psk.yml for the pattern).
@@ -46,14 +49,25 @@ jobs:
       # Every tiny TLS 1.3 profile/adder spelling, so each is proven to build
       # and pass make check (which runs the TLS handshake test suite) out of
       # the box. Server is enabled where a config needs the server-side tests.
-      - name: Build and make check all tinytls13 configs
+      # The psk-p256 and cert-rsaverify configs strip to combinations
+      # (ECDHE-only ECC without certs, RSA verify only) that the OpenSSL-compat
+      # API unit suite (coupled to examples via BUILD_TESTS) does not gate for.
+      # Rather than carry test-harness edits for those, they build static with
+      # --disable-examples, skip make check ("check": false), and instead run
+      # wolfcrypt/test/testwolfcrypt plus examples/configs/tinytls13_smoke.c
+      # (a self-contained in-memory TLS 1.3 handshake) for real crypto and
+      # handshake verification.
+      - name: Build and test all tinytls13 configs
         run: |
           cat > "$RUNNER_TEMP/tinytls13-configs.json" <<'EOF'
           [
           {"name": "tinytls13-psk-x25519", "minutes": 1,
            "configure": ["--enable-tinytls13=psk,server", "--disable-mlkem"]},
-          {"name": "tinytls13-psk-p256", "minutes": 1,
-           "configure": ["--enable-tinytls13=psk,p256,server", "--disable-mlkem"]},
+          {"name": "tinytls13-psk-p256", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=psk,p256,server", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
+                   ["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke"]]},
           {"name": "tinytls13-psk-staticmem", "minutes": 1,
            "configure": ["--enable-tinytls13=psk,server,staticmem", "--disable-mlkem"]},
           {"name": "tinytls13-psk-mldsa", "minutes": 1,
@@ -66,10 +80,56 @@ jobs:
            "configure": ["--enable-tinytls13=cert,server,sha384", "--disable-mlkem"]},
           {"name": "tinytls13-cert-mutualauth", "minutes": 1,
            "configure": ["--enable-tinytls13=cert,mutualauth,server", "--disable-mlkem"]},
-          {"name": "tinytls13-cert-rsaverify", "minutes": 1,
-           "configure": ["--enable-tinytls13=cert,server,rsaverify", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-rsaverify", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server,rsaverify", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
+                   ["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke"]]},
           {"name": "tinytls13-cert-mldsa", "minutes": 1,
-           "configure": ["--enable-tinytls13=cert,server,mldsa", "--disable-mlkem"]}
+           "configure": ["--enable-tinytls13=cert,server,mldsa", "--enable-static", "--disable-mlkem"],
+           "run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke"]]},
+          {"name": "tinytls13-psk-client-only", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-client-only", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert", "--disable-mlkem"]},
+          {"name": "tinytls13-psk-asm", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server,asm", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-asm", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server,asm", "--disable-mlkem"]},
+          {"name": "tinytls13-cert-chacha", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "cflags": "-DHAVE_CHACHA -DHAVE_POLY1305",
+           "run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke", "TLS13-CHACHA20-POLY1305-SHA256"]]},
+          {"name": "tinytls13-cert-aes256", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server,sha384", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "cflags": "-DWOLFSSL_AES_256",
+           "run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke", "TLS13-AES256-GCM-SHA384"]]},
+          {"name": "tinytls13-psk-mlkem", "minutes": 1,
+           "configure": ["--enable-tinytls13=psk,server", "--enable-static"],
+           "run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke", "-", "mlkem"]]},
+          {"name": "tinytls13-cert-staticmem", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=cert,server,staticmem", "--enable-static", "--disable-shared", "--disable-examples", "--disable-mlkem"],
+           "run": [["make", "wolfcrypt/test/testwolfcrypt"], ["./wolfcrypt/test/testwolfcrypt"],
+                   ["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke"]]},
+          {"name": "tinytls13-nomalloc", "minutes": 1, "check": false,
+           "configure": ["--enable-tinytls13=psk,server,staticmem", "--enable-static", "--disable-shared", "--disable-examples", "--disable-crypttests", "--disable-mlkem"],
+           "cflags": "-DWOLFSSL_NO_MALLOC"},
+          {"name": "tinytls13-combo-cert-mutualauth-sha384", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,mutualauth,server,sha384", "--disable-mlkem"]},
+          {"name": "tinytls13-combo-cert-mldsa-sha384", "minutes": 1,
+           "configure": ["--enable-tinytls13=cert,server,mldsa,sha384", "--enable-static", "--disable-mlkem"],
+           "run": [["cc", "-I.", "-I..", "../examples/configs/tinytls13_smoke.c", "src/.libs/libwolfssl.a", "-lm", "-o", "tinytls13_smoke"],
+                   ["./tinytls13_smoke"]]},
+          {"name": "tinytls13-bare", "minutes": 1,
+           "configure": ["--enable-tinytls13", "--disable-mlkem"]},
+          {"name": "tinytls13-usersettings", "minutes": 1, "check": false,
+           "user_settings": "examples/configs/user_settings_tinytls13.h",
+           "configure": ["--enable-usersettings", "--enable-static", "--disable-shared", "--disable-examples", "--disable-crypttests"]}
           ]
           EOF
           .github/scripts/parallel-make-check.py \

certs/mldsa/ecc-leaf-mldsa65.pem

@@ -0,0 +1,79 @@
+-----BEGIN CERTIFICATE-----
+MIIOXDCCAVmgAwIBAgIUHkXMjMS80gZRjcfzBuyuhnlS9yEwCwYJYIZIAWUDBAMS
+MFoxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
+bWFuMRAwDgYDVQQKDAd3b2xmU1NMMRUwEwYDVQQDDAxUZXN0IG1sZHNhNjUwHhcN
+MjYwNjIyMTgyNjQwWhcNMzYwNjE5MTgyNjQwWjAUMRIwEAYDVQQDDAlsb2NhbGhv
+c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS7M6xMJ1BKxkqlBMM83p8223It
+zpTqK/rLIAk5LBboYQLpr03TApOaMVuXkiF/8M8Y2pERAjSG6CBYMwuANInYo0Iw
+QDAdBgNVHQ4EFgQUXV0m76x+NvmbdhUrSiUCI++yiTAwHwYDVR0jBBgwFoAU0X7s
+9Um6d4uq1MDByuLMZZkKhxIwCwYJYIZIAWUDBAMSA4IM7gA9PW9GacDhmkuLlT+C
+a7WbLvUQDQh1o7x2+gkqNN9aYFnWM3FgafeDHJGfJOmGk7RWNh7RHCnT6MmUJFXL
+qlnC6Q0p7rQpIE/RmkfGcuLRvZyZkLhhgHMKQRhStjzzUYVUW74JKNhc7mp7nD2i
+xCGeO77hy2VP65AoioniSyg71x83eqnEvUAjjtaWYwc3SoDEoSYSf0E6emIjYvvh
+KMUXlnLxah5X3mw6ZQXp1FspKY8VY1UkXakz/rSamEd4gmv7/cow6eObAQilHrRX
+OSiVL4E/uv6qfCjTlWBvpjCDGQP6PTJKYGX3RgzVDptXtlFgRw5QCzBVRQdrUdxR
+nZjbbtQUn7bXyKEEQtDQ32aMqlvOkdrHpDg6Nto0MTdUv0YDfA+iM4KEKItoCvNm
+fyO9AMQj7+BrK8hgXSAooACq2cDdELpE0PqUAdVboLFcCOu69D2cZjM8G5IhEqZG
+aeCTchyGD6dOtpGP7uRdYj+b+4rF1gWUNLxvkwBM7DdeSGV//00zIfiVOpZNs8BG
+0TAe5mVIgE4WEnp9Z0n/zesh5HLhW6d8V8rpqAikcZMOBslzEcpZS4KZIID1A5It
+NnNGd5u69LyE3vbjjNpif0/75ns/P+z73iO2FJQ8PnRSlPwwhd8BEpSl6lrk5/ZY
+L7XjyROaFZz3Iwt/mvtZrYcFaUHcMmZY/y3SKfsuyueld38XP87vRmpDk98VsUgL
+dBr9+QgqZLKscADMQq3f6W66ziVQY5/gzTbRt/xSCf3hazi9/TTLqQvaUpckAdqD
+HHr4/mTQ/zXxmXNAXwan4OKQBqy26zgIjMbATincEwDSWvFNJwDcHyYt0Pg/+tqK
+fXAbkvaSF0BO64nW/EGtxHa2b8EkG9n9ivvYyzVLc8D6OF+wBuxTegF8tYTavKCP
+UzW11/fEh+xEnIgMQ2EzK6ElxiggvJvH/AH3GAJR4C34u+IjKHm7915hCti1C6yv
+6NmIfvwWRHMC+2XdyLe9mmVcw8uNsAV1OpbgyNGIP+nghBhunZ23Kk8jv/LjADkA
+5SCOZZuM8/PEMAA98kN4CcUcSyGh1+ZcG6ArtCWIeUzlECEZ8jq0TRoj/M+pJZ8J
+Ll50p+wGB+maJeiFD05gKmtfAlKqgHH+TxqnTr8q+pVOlEnCMrEL6tNqWTkRwQ16
+t0EHstwfOjGuu+JA/1ENlfLDTHKYcmVFQv64MPHFGWknS5arj7A2Z63sxln1eCHH
+zzgN/eY+G5zjyYvSesCWc5MDz1JpHu8QUfO93PEVxovH/KBWcpPWI+9tNkfwPgZM
+dlJMalwyhvsPz45XMbpqP4UcIQlzLztk6J7KMfSYvbAUCR4aDo5HqLflHuM6MiS6
+saigxzmXNjomMOCM10HyHmfUSpVB5CLa9xG4ImGAFSz5eP2XTmxXQquGxf1dQlON
+6hfT9JW2KTNmhyjSbAmddRCXHCpUpa23GxJtw5zWelotzOYD3fN8OsSsv3Za3Exa
+zI6NzQ3qwZoz/7rpOAxENcZ6zA7qDs36ieqKVviaEO4Pb0ReudyE1WHoTlcUNbYK
+VnnFSnw8wewKxVbVCa2ic1F/x7wiDBh0BqC4biHTtJcC6iUPjKvO5JNITokuFeC9
+lTfRJg4Q2LWTEgfLh0wEMBhsUxRzA9MghDxfzA5BZa70//pm9pGCy6FDdVStbIxe
+FgGaVqHLtV47XHT2P8cHn6UszRGET4odF1S3J/Lqe9rk9p2JJECt6WhLRHUryie2
+hB+SfG00xmfP4eGyJEndd6ElqQ7grinVWikv9bq0MqVH3uvb8ZMLdK98gF7yZMyx
+xFXIOogdu0fn5qm43yrizuCLRiw1DXroS2X131ggTLJpObqauYx+gvReqma8fPX/
+LImlDAfgrUEGAMka3DaULRGWNNF5z5PyaIGyOokIWGvvN20ArM4J7DMzBQMzUZdz
+IgugrVwxzGlAW3By14S3talrdywbpdbrH/wMi7j6H/VHqyw3bx4cLydQlbjxb1d3
+B3wm2NgOKYIfvsqw9mHOh16XInqamwCys9LhoRiqR5DwFGyEElWuFZJq9uKQvoyo
+Vx1P++TDoGP6f4ycmF1kkZaKNDK7Awj+ugmGMVu95Ij74x533kfNgvUDK7ChcJfX
+1a3VwmBGvB51AZWzaDqqa7d6OWQkoE0NE3gPnDgbNo+vZ6+ElMSK2P9G53kBA50H
+UbU+T/++QF6m69d02hq7yyiSgaXpVeLtAGEHTswmx3HWzxEE1o3PIsa322xizUsJ
+JHmHdIpFVDvaYz4A7Per42qRfXahHAqzp0UrqERQQROuzfJAWltp35LBbJIr2BXk
+l1JYDvjP5plOJgeDGvl1lY+cblsuV1OzSCuXAi//ziFXTpvhrQ0r5zE96NwNl6Fm
+L09mVZfd0Ic+sBaB9Mw6fN9QpSGHj2P/F9+UePU981qv93PqZv2ZGKrbbRMQg9Hh
+DsXNddZZduhR91xS6gVXN2IMsRKTRh/zD06oVOZxq9ZCO+NtCYYtMwzgi1By4Wx6
+R+UBg/t/rqXuui4cFEwUgS2R66VGXKzenhq5fQl1xYJPTRn0fMZBa77QLs90D1Bw
+qIY0BggeSxJ0u1hR3D2opXq1bjJ/mkjki6xwzVVI/cnWB3BwKdzmVcQJesDzhCkc
++kghJygggyyk2T6qYc/nIGf+2fe1vu8DuL969SVcW3WOzOgzzCEVCiGdD/3wMWL8
+2CLXUS6XBOTzEiahVB2u4ljuTe3pymRP8G3JLNNBvlpGAYxml/BbaKwJKJloO7Xy
+M1JZ7tno/yTCsvtY2OIMmlfkgaPQhOVwSSlXEZeHxGZZ9pe0QLYsKdBQCfoAFXpq
+YXdXtzaC3virEUKLkAp4vUGez6bMMjw1LfL8Lp6eW3szPmFrwzU3fMCGQPq7Clsw
+E2ZzrgM6Tdt4YsXp0ZLmaNbGtTi0WuQikSor4QZjr1zH2jWFs9kVW9T+1iKkKGUC
+AVwV+PbVtQsyp0gCA9mGFDdrZBH+U8KVn9wGF6I8+UwToWPnDNTYM2jVRpl8DWui
+xSBq1TxArIZD7T2xX2988zevcYDKs4w1AHj+27j6kmGZW2NGDVvdmHj/xxRuw9WV
+4tZAlLzavkGEo6/ngGJkdmPW1OAyGhKhpvGqjABMM1HfppvFNHxfyXQfLVroEog3
+/q+U1RsEs5mfHfWc1wNdL0FBYqTvgkarxUwKZzm48yeGVdO5GE4bTXgCxHLGi3Av
+aIzMEYJ5qNBIOhp629i2AV14CgPhQjaTZq+OkI3Gr7gKkTDZrJiU/THEUZs08KpJ
+8FUnWTzkZ0fZoMx8jnx2QXGmii/79S1PnzGzvxN5f8rM5xG/br9g3qEpJ23Yi9PH
+QqCtm7GVeKEcx1WLd7gZ4UMu4MpXhOmrDKG6du245KVq20AdzEckVWOq5ObGmBV7
+IYrhrfjojculsXuYse/+q3+vzlSevsz9f/N42pEITGGeAkaUdL6aQrxqjsLW7gNY
+82H9BbpCqw2UEGX44+sAMViszTrpy34Px16+svZfzdbhsUJdCpoi49Yuf7IdH4iY
+DJMVN9TNrTEUOZCB6trzbK8I0NDWYOvEBVHl5D0qB1LDqdN9Sc0Fj1dVgaC2Ihx9
+6c3+9m43zJTIstS+YTQbyZ67ADFnCxY8/eRN0ZDRymWnlTnR7r+ceNvzprUaF3XN
+ihpVNN3fGsWaejbCWND8YHDj+F5hLTXJLZ5sqzk/CU0doHbkhnai8WHUFdKYVZRl
+6PDML7snxqobWGv690ECgixrqQkdBtiEKIAOGk0wwJfDIyzyhB1lFRT8bafOnKCX
+DiHFSfDjVIg0rLANtivOXUCXctv07JoL+jCqpC0WOHe5ch5BNRDnruXhErbu4ZJw
+xZxrafS7+79U0MQAum2SSTCYnJE96VzNUzDdZg9z1ZKEVjhp9eAEfzQdZf0JwmQs
+gZvaPyOdJ+i1bndol4NOstjx3QHsiPimvkInYlPwaaRvaUDwmucIRAIWAk0X3ZkU
+X6iC7zLeLPiGUNpsI2FJHVD5eG1bivhsWFLRvHC6pHfCMSfCcw8wLTsbx0rwrQaA
+YntZeGqc45E7f+Ef6d+6Yg80O73F9iZBHrCwVg4E4wMxzDw91xoKtbMdOoWIRTn4
+BGR9+HjGK8tH7lpj5vP2EAoNFW+m25vu6tvCebUdZyWuGgnFQc7WyvLiCiNoCo5K
+DJb+XcYkOSb0YGt1HCcZCkZ0jjUN9qH1YQfCAoOI98/YhUiL4z9FAVfdM3OhUopT
+MZGUffqI1C+OZeSvGE4GZDdIUxznJ6JURSxS93X/BUyD89U1I86Jn5wAkRH4sjKO
+lipqwbk8EY1UkfszCSFkQJTXjDxciY7CDBpYaXHG5fJCYpPX2NoEUFR+hKy0uCxM
+bYCvvMX5/h8xU1Rof5WptbzH6wAAAAAAAAAFDRMbJDA=
+-----END CERTIFICATE-----

certs/mldsa/include.am

@@ -31,6 +31,7 @@ EXTRA_DIST += \
 		 certs/mldsa/mldsa65-key.pem \
 		 certs/mldsa/mldsa65-cert.pem \
 		 certs/mldsa/mldsa65-cert.der \
+		 certs/mldsa/ecc-leaf-mldsa65.pem \
 		 certs/mldsa/mldsa87-key.pem \
 		 certs/mldsa/mldsa87-cert.pem \
 		 certs/mldsa/mldsa87-cert.der \

certs/rsapss/ecc-leaf-rsapss.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNDCCAeigAwIBAgIUJdePE8BDNOOIsd+cyrHxNRYrF/0wQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgEgMIGyMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UE
+BwwHQm96ZW1hbjEXMBUGA1UECgwOd29sZlNTTF9SU0FQU1MxEjAQBgNVBAsMCUNB
+LVJTQVBTUzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkB
+FhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0y
+NjA2MjIxODI2NDBaFw0zNjA2MTkxODI2NDBaMBQxEjAQBgNVBAMMCWxvY2FsaG9z
+dDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLszrEwnUErGSqUEwzzenzbbci3O
+lOor+ssgCTksFuhhAumvTdMCk5oxW5eSIX/wzxjakRECNIboIFgzC4A0idijQjBA
+MB0GA1UdDgQWBBRdXSbvrH42+Zt2FStKJQIj77KJMDAfBgNVHSMEGDAWgBSeDODT
+37ZL8xljXMpsk4aiFFORMTBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAQUA
+oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASADggEBAElprEznMP8A
+0b5c12vOMkAWT1jxpXGwDeVNkgZS+RfC82OI7UMN7kzlpjGaHts/JMUIvCTmIyNA
+I47x6JteFsnJklrk40Q4Om1ANOI1Zw8Jf/pX9mqwU4uOkto1PzTP7t0EICBr0UG4
+JV97K/+9GT2HJccS6UEh6hG2BySYHAFnG7SoBgXm6a2tGTR/Cfz9ZUY8+Cy87F3k
+3q9sCB3oqP+REOAM7FN/0Va2eY24nHZkno7sGsl2kDTx3vacBjHkx6u/KaaahB5K
+Snb3aGwrksRALpjRHOnz5wYCEtOkLOde0v1sktaVtroVRNXW2pS6iCXPpNApRJyv
+MFCkuGEo+gc=
+-----END CERTIFICATE-----

certs/rsapss/include.am

@@ -3,6 +3,7 @@
 #
 
 EXTRA_DIST += \
+         certs/rsapss/ecc-leaf-rsapss.pem \
          certs/rsapss/ca-rsapss.der \
          certs/rsapss/ca-rsapss.pem \
          certs/rsapss/ca-rsapss-key.der \

configure.ac

@@ -940,13 +940,14 @@ if test "x$enable_tinytls13" != "x" && test "x$enable_tinytls13" != "xno"
 then
     tinytls13_cert=no
     tinytls13_p256=no
+    tinytls13_asm=no
     for v in `echo $enable_tinytls13 | tr ',' ' '`
     do
         case $v in
         cert|mutualauth) tinytls13_cert=yes ;;
         p256)            tinytls13_p256=yes ;;
         rsaverify)       enable_rsa=yes ;;
-        asm)             enable_asm=yes ;;
+        asm)             tinytls13_asm=yes ;;
         mldsa)           enable_mldsa=yes ;;
         sha384)          enable_sha384=yes; enable_sha512=yes ;;
         esac
@@ -957,6 +958,18 @@ then
     test "x$enable_sha384" = "x" && enable_sha384=no
     test "x$enable_sha512" = "x" && enable_sha512=no
 
+    # Small-C floor by default: no platform assembly unless the asm adder is
+    # selected. ENABLED_ASM (resolved above) is the variable the downstream
+    # assembly decisions read; emit the no-asm defines here too, since the
+    # WOLFSSL_NO_ASM emission earlier ran before this block.
+    if test "$tinytls13_asm" = "yes"
+    then
+        ENABLED_ASM=yes
+    else
+        ENABLED_ASM=no
+        AM_CFLAGS="$AM_CFLAGS -DTFM_NO_ASM -DWOLFSSL_NO_ASM"
+    fi
+
     # TLS 1.3 only, no legacy TLS / renegotiation / extras.
     enable_tls13=yes
     enable_oldtls=no
@@ -970,7 +983,9 @@ then
     if test "$tinytls13_cert" = "yes"
     then
         enable_ecc=yes
-        enable_sp=yes
+        # P-256 only SP math to match the documented footprint; bare "yes"
+        # would also pull in P-384/P-521 on 64-bit hosts.
+        enable_sp="yes,256"
         test "x$enable_asn" = "x" && enable_asn=template
         test "x$enable_rsa" = "x" && enable_rsa=no
     else
@@ -979,7 +994,7 @@ then
         if test "$tinytls13_p256" = "yes"
         then
             enable_ecc=yes
-            enable_sp=yes
+            enable_sp="yes,256"
         else
             test "x$enable_ecc" = "x" && enable_ecc=no
             enable_curve25519=yes
@@ -2903,7 +2918,9 @@ AC_ARG_ENABLE([tinytls13],
     [AS_HELP_STRING([--enable-tinytls13@<:@=LIST@:>@],
         [Enable tiny TLS 1.3 footprint build. LIST is comma-separated from:
          psk cert server mutualauth staticmem asm p256 sha384 mldsa rsaverify
-         (default: disabled; bare flag = psk)])],
+         (default: disabled; bare flag = psk). NOTE: the cert profile is a
+         reduced-security verify (no name constraints, relaxed ASN, no CRL)
+         meant for a known or pinned CA, not public-internet PKI.])],
     [ ENABLED_TINYTLS13=$enableval ],
     [ ENABLED_TINYTLS13=no ]
     )
@@ -2918,6 +2935,7 @@ then
     # Feature switches were aligned early (MATH LIBRARY SELECTION section);
     # here we only emit the umbrella + adder macros (settings.h does the rest).
     tinytls13_base=psk
+    tinytls13_mldsa=no
     for v in `echo $ENABLED_TINYTLS13 | tr ',' ' '`
     do
         case $v in
@@ -2931,15 +2949,25 @@ then
         p256)       AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DECC_USER_CURVES" ;;
         rsaverify)  AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TINY_TLS13_RSA_VERIFY" ;;
         sha384)     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA384" ;;
-        mldsa)      AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLDSA -DWOLFSSL_DILITHIUM_VERIFY_ONLY -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_ASN1 -DWOLFSSL_NO_ML_DSA_44 -DWOLFSSL_NO_ML_DSA_87" ;;
+        mldsa)      tinytls13_mldsa=yes
+                    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLDSA -DWOLFSSL_DILITHIUM_VERIFY_ONLY -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_NO_ML_DSA_44 -DWOLFSSL_NO_ML_DSA_87" ;;
         no)         ;;
         *)          AC_MSG_ERROR([Invalid --enable-tinytls13 value: $v. Valid: psk cert server mutualauth staticmem asm p256 sha384 mldsa rsaverify.]) ;;
         esac
     done
 
+    # ML-DSA on the PSK floor never parses a certificate, so drop the ASN.1/
+    # X.509 surface for footprint. The cert profile needs it to decode and
+    # verify ML-DSA certificates, so keep ASN.1 there.
+    if test "$tinytls13_mldsa" = "yes" && test "$tinytls13_base" != "cert"
+    then
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_ASN1"
+    fi
+
     if test "$tinytls13_base" = "cert"
     then
         AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TINY_TLS13_CERT"
+        AC_MSG_NOTICE([tiny TLS 1.3 cert profile is a reduced-security verify: no name constraints, relaxed ASN, no CRL. For a known or pinned CA, not public-internet PKI.])
     else
         AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TINY_TLS13"
     fi

examples/configs/README.md

@@ -18,6 +18,7 @@ Example wolfSSL configuration file templates for use when autoconf is not availa
 * `user_settings_stm32.h`: Example configuration file generated from the wolfSSL STM32 Cube pack.
 * `user_settings_tls12.h`: Example for TLS v1.2 client only, ECC only, AES-GCM only, SHA2-256 only.
 * `user_settings_tls13.h`: TLS 1.3 only configuration (no TLS 1.2). Modern cipher suites with X25519/X448 key exchange.
+* `user_settings_tinytls13.h`: Smallest TLS 1.3 only footprint profile. PSK + ECDHE floor (no X.509) with opt-in adders: `cert` (minimal X.509 verify), `server`, `mutualauth`, `staticmem`, `asm`, `p256`, `sha384`, `mldsa`, `rsaverify`. Pairs with `--enable-tinytls13`. See `tinytls13_smoke.c` for the self-contained handshake check used by `--disable-examples` builds.
 * `user_settings_dtls13.h`: DTLS 1.3 for IoT and embedded. Includes connection ID support and smaller MTU options.
 * `user_settings_pq.h`: Post-quantum TLS with ML-KEM (Kyber) key exchange and ML-DSA (Dilithium) certificates.
 * `user_settings_openssl_compat.h`: OpenSSL compatibility layer for drop-in replacement. Enables OPENSSL_ALL and related APIs.

examples/configs/include.am

@@ -24,6 +24,7 @@ EXTRA_DIST += examples/configs/user_settings_template.h
 EXTRA_DIST += examples/configs/user_settings_tls12.h
 EXTRA_DIST += examples/configs/user_settings_tls13.h
 EXTRA_DIST += examples/configs/user_settings_tinytls13.h
+EXTRA_DIST += examples/configs/tinytls13_smoke.c
 EXTRA_DIST += examples/configs/user_settings_wolfboot_keytools.h
 EXTRA_DIST += examples/configs/user_settings_wolfssh.h
 EXTRA_DIST += examples/configs/user_settings_wolftpm.h