Fixes from regression testing

[SparkiDev]

Description

CRL APIs not usable when NO_ASN_TIME defined.
WOLFSSL_TLS13 needs to be defined with HAVE_ECH.
When session ticket encrypted with CBC, must be a multiple of block size. Fix test define protection.
Fix ML-DSA protection of reduction functions.
Need !NO_RSA with WC_RSA_PSS.
Connection ID is not a DTLS 1.3 only extension.

Testing

Regression testing.

[SparkiDev]

retest this please

FIPS Windows:
wolfssl\wolfcrypt\settings.h(2764,14): fatal error C1083: Cannot open include file: 'BaseTsd.h': No such file or directory

[SparkiDev]

retest this please

[Copilot]

Pull request overview

Addresses multiple regressions found during test runs by tightening feature guards and fixing build/behavior issues across session tickets, CRL generation, TLS extensions, and PQC code paths.

Changes:

• Adjust preprocessor guards to ensure features/APIs are only compiled when their dependencies are enabled (e.g., CRL generation vs NO_ASN_TIME, ECH vs TLS 1.3, RSA-PSS vs NO_RSA).
• Fix session ticket sizing for CBC-encrypted tickets by rounding internal ticket plaintext size to the AES block size.
• Correct DTLS CID extension availability (not DTLS 1.3-only) and refine tests/build protections for TLS 1.3 and ML-DSA/Dilithium variants.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
wolfssl/internal.h	Moves TLSX_CONNECTION_ID to be available independently of TLS 1.3 so DTLS CID isn’t treated as DTLS 1.3-only.
wolfcrypt/src/pkcs7.c	Ensures RSA-PSS encoding logic is excluded when RSA is disabled.
wolfcrypt/src/dilithium.c	Fixes/expands compile-time protection for reduction/mod-reduction helpers used by ML-DSA/Dilithium across small/make-key/verify variants.
tests/api/test_tls13.c	Tightens build guards for a TLS 1.3 mismatch test to avoid unsupported SP-math curve configurations.
tests/api.c	Gates tests appropriately when NO_SESSION_CACHE/NO_ASN_TIME configurations make APIs unavailable.
src/internal.c	Adds unused-parameter suppression for edge builds, fixes ECH cleanup guard, and aligns CBC ticket plaintext size to block boundaries.
src/crl.c	Compiles out OpenSSL-extra CRL generation APIs when NO_ASN_TIME is set.

Comments suppressed due to low confidence (1)

src/crl.c:2336

• wolfSSL_X509_CRL_new() (and related CRL generation APIs in this block) are now compiled out when NO_ASN_TIME is defined, but the public declarations/macros for these functions still appear to be available under HAVE_CRL && OPENSSL_EXTRA in the headers. This can lead to link-time undefined references for consumers that build with OPENSSL_EXTRA + HAVE_CRL + NO_ASN_TIME. Either update the corresponding header guards to also require !defined(NO_ASN_TIME), or provide #else stub implementations that return NOT_COMPILED_IN/BAD_FUNC_ARG so the symbols are always present.

#if defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME)
/* Create a new empty CRL object for generation.
 * Version is set to 2 by default. Use wolfSSL_X509_CRL_set_version() to
 * change it.
 * lastUpdate set to current time, nextUpdate set to 500 days from now.
 * Returns a new CRL or NULL on failure.
 */
WOLFSSL_X509_CRL* wolfSSL_X509_CRL_new(void)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.