se050: add support for WOLFSSL_SE050_NOECDHE #9853
rizlik wants to merge 52 commits into wolfSSL:master from
Pull request overview
Adds a build-time switch to disable SE050 offloading for ECC key generation and ECDH shared secret operations, letting wolfCrypt software implementations handle those paths instead.
Changes:
- Documented new `WOLFSSL_SE050_NOECDHE` build option for SE050 port.
- Gated SE050 ECDH shared secret and ECC key creation offload behind `!defined(WOLFSSL_SE050_NOECDHE)`.
- Registered the new macro in `.wolfssl_known_macro_extras`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| wolfcrypt/src/port/nxp/README_SE050.md | Documents the new macro and its behavioral impact. |
| wolfcrypt/src/ecc.c | Disables SE050 offload paths for key generation and shared secret when the macro is defined. |
| .wolfssl_known_macro_extras | Adds the macro to the known-macro list. |
| @@ -886,6 +886,7 @@ WOLFSSL_SE050_HASH | |||
| WOLFSSL_SE050_INIT | |||
| WOLFSSL_SE050_NO_RSA | |||
| WOLFSSL_SE050_NO_TRNG | |||
WOLFSSL_SE050_NOECDHE is harder to parse than the surrounding SE050 macros (e.g., WOLFSSL_SE050_NO_RSA, WOLFSSL_SE050_NO_TRNG) which use word separators. Consider renaming to WOLFSSL_SE050_NO_ECDHE for consistency/readability, or providing a compatibility alias so both spellings work.
| WOLFSSL_SE050_NO_TRNG | |
| WOLFSSL_SE050_NO_TRNG | |
| WOLFSSL_SE050_NO_ECDHE |
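Review bot: this suggestion renames the entry to WOLFSSL_SE050_NO_ECDHE only in .wolfssl_known_macro_extras, while the ecc.c guards and the README rows in this PR still use WOLFSSL_SE050_NOECDHE; applied on its own it registers a name the code never tests and leaves the macro that is actually checked unlisted. Either carry the rename through all three files or add the compatibility alias the comment mentions, so the spelling that is registered is the one `!defined(...)` tests in ecc.c.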
| Disables offloading ECDH key generation and shared secret operations to the | ||
| SE050. When defined, `wc_ecc_make_key()` and `wc_ecc_shared_secret()` will | ||
| use wolfCrypt software instead of the SE050. |
This wording is inconsistent with the implementation: the WOLFSSL_SE050_NOECDHE guard disables the SE050 path for wc_ecc_make_key() in general (ECC key creation), not specifically “ECDH key generation”. Please adjust the text to say “ECC/EC key generation” (or “EC key pair generation”) plus shared secret, so the README matches the behavior.
| Disables offloading ECDH key generation and shared secret operations to the | |
| SE050. When defined, `wc_ecc_make_key()` and `wc_ecc_shared_secret()` will | |
| use wolfCrypt software instead of the SE050. | |
| Disables offloading ECC/EC key pair generation and ECDH shared secret | |
| operations to the SE050. When defined, `wc_ecc_make_key()` and | |
| `wc_ecc_shared_secret()` will use wolfCrypt software instead of the SE050. |
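Review bot: the suggested row says what falls back to software but not what that costs: with the macro defined, the private scalar produced by `wc_ecc_make_key()` and the private key consumed by `wc_ecc_shared_secret()` are handled by wolfCrypt in host memory rather than inside the SE050, so secure-element key isolation is lost for those operations. One sentence stating that trade-off would help integrators decide whether the option is acceptable for their threat model.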
…_5, to match v5/v6.
Validate that the received key share data length (keLen) is at least as large as the expected ciphertext size (ctSz) before passing it to wc_KyberKey_Decapsulate. A malicious TLS 1.3 server could send a short ML-KEM key share.
Save key->heap before calling wc_*_free(), which zeros the entire key structure via ForceZero. The saved heap pointer is then passed to XFREE instead of the now-zeroed key->heap.
Add check before word32 addition in dilithium_hash256() that could wrap to zero, bypassing the size check. Also reject absurdly large msgLen (> UINT32_MAX/2) in wc_dilithium_verify_ctx_msg.
…1422) Replace single last-byte padding check with full PKCS#5/PKCS#7 validation: verify padLen is non-zero and within block size. Both wc_PKCS7_DecodeEnvelopedData and wc_PKCS7_DecodeEncryptedData paths are fixed.
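The padding check that commit describes, as an added example that is not wolfSSL's code: the last-byte-only unpadding it replaced beside a full PKCS#5/PKCS#7 validation. BLOCK_SZ, the function names and the sample blocks are assumptions for the demo, not wolfSSL identifiers.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example (not wolfSSL code). Return value for both functions:
 * the unpadded payload length, or -1 when the padding is rejected.
 * BLOCK_SZ is an assumption (AES block size). */
#define BLOCK_SZ 16

/* Weak form: trusts the final byte alone. A 0 byte keeps the whole
 * buffer as payload; a byte larger than the block size underflows. */
int pkcs7_unpad_weak(const uint8_t *buf, size_t len)
{
    if (len == 0)
        return -1;
    return (int)len - (int)buf[len - 1];
}

/* Checked form: padLen must be 1..BLOCK_SZ, the buffer must be a whole
 * number of blocks, and every byte in the padding region must equal
 * padLen. The loop masks instead of breaking so every padding byte is
 * examined whichever one mismatches. */
int pkcs7_unpad_checked(const uint8_t *buf, size_t len)
{
    uint8_t padLen, bad = 0;
    size_t i;

    if (len < BLOCK_SZ || (len % BLOCK_SZ) != 0)
        return -1;
    padLen = buf[len - 1];
    if (padLen == 0 || padLen > BLOCK_SZ)
        return -1;
    for (i = 0; i < BLOCK_SZ; i++) {
        uint8_t in_pad = (uint8_t)(0u - (i < padLen)); /* 0xFF or 0x00 */
        bad |= (uint8_t)(in_pad & (buf[len - 1 - i] ^ padLen));
    }
    return bad ? -1 : (int)(len - padLen);
}

/* Constructed 16-byte sample blocks for the demo; 'x' is payload. */
#define X 'x'
static const uint8_t SAMPLE_OK[16]    = {X,X,X,X,X,X,X,X,X,X,X,X,X,3,3,3};
static const uint8_t SAMPLE_ZERO[16]  = {X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,0};
static const uint8_t SAMPLE_BIG[16]   = {X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,32};
static const uint8_t SAMPLE_MIXED[16] = {X,X,X,X,X,X,X,X,X,X,X,X,X,3,2,3};
static const uint8_t SAMPLE_FULL[16]  = {16,16,16,16,16,16,16,16,
                                         16,16,16,16,16,16,16,16};
```

SAMPLE_ZERO and SAMPLE_BIG pass the weak check with bogus lengths (16 and -16), and SAMPLE_MIXED passes it although only the last byte is well formed; the checked form rejects all three and still accepts a full block of padding.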
Reinitialize pointer fields in WOLFSSL_SESSION after raw XMEMCPY or XFREAD in wolfSSL_memrestore_session_cache and wolfSSL_restore_session_cache. After restore, ticket is reset to staticTicket, ticketLenAlloc to 0, and peer to NULL.
Increase buff size from 8 to 24 bytes in PrintPubKeyRSA and related EVP PKEY print functions.
Get rid of weird character
Fix warning found by CI
Style changes
Addressed 1 and 2.
… macro to local file
OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS is only defined when WC_RSA_PSS is enabled but was used unconditionally in EncodeBasicOcspResponse, causing a build error when WC_RSA_PSS is not defined.
…gned integer access when WC_SHA3_FAULT_HARDEN && !BIG_ENDIAN_ORDER.
This adds caching for apt and should make things a bit more stable and faster.
Remove the unused AX_CHECK_LIBRARY and REQUIRE_CANONICAL macros from m4/, and stop calling AC_CANONICAL_TARGET from configure.ac since this tree no longer needs target canonicalization. Update m4/ax_pthread.m4 to the latest AX_PTHREAD macro from the autoconf archive, which brings the host-based canonicalization checks used by the current upstream macro.
* ensure make -j is called everywhere * shallow clones where possible * set fixed ubuntu version for linux tests
Split make_check into two jobs to reduce CI time:
- make_check: 37 configs that interact with platform-specific features (sys-ca-certs, Apple Security.framework, OpenSSL compat, networking) continue to run on both Ubuntu and macOS.
- make_check_linux: 17 configs testing pure crypto algorithms, preprocessor guards, or features with no macOS-specific code paths now run on Linux only.
Also change make_user_settings_testwolfcrypt to Linux-only since testwolfcrypt runs pure crypto tests with no platform-specific features. Saves ~33 CI jobs with no loss of test coverage.
Add PKCS#11 integration for ML-KEM with key generation, encapsulation and decapsulation support through the crypto callback path. Includes ML-KEM PKCS#11 constants/types, key store handling, token object lifecycle management, and ML-KEM key init helpers for private-key ID/label workflows. Align implementation details with current upstream conventions and review feedback:
- internal wolfCrypt ML-KEM path only for PKCS#11
- inline ML-KEM key-type/flag checks in PKCS#11 code
- proper key template formatting and enum placement
- ensure TLS ML-KEM object storage behavior is compatible with PKCS#11 ephemeral-key decapsulation flow
The WOLF_CRYPTO_CB_FREE path in wc_MlKemKey_Free, wc_dilithium_free, and wc_ecc_free returned early when the crypto callback succeeded, skipping local cleanup: ForceZero on private key material, PRF/hash object frees (ML-KEM), SHAKE free and cached vector frees (ML-DSA), and mp_forcezero on the private scalar and all hardware port frees (ECC). Any non-PKCS#11 callback returning 0 would silently leave key material in memory. The PKCS#11 backend worked around this by returning CRYPTOCB_UNAVAILABLE on success to force the fallthrough — a fragile contract that is not part of the documented callback interface. Fix by always continuing to software cleanup after invoking the callback. Remove the CRYPTOCB_UNAVAILABLE workaround from the three PKCS#11 free dispatchers (ECC, ML-DSA, ML-KEM); they now return the real result of C_DestroyObject.
Add NETWORK_UNSHARE_HELPER/bwrap wrapping to benchmark.test, openssl_srtp.test, and sniffer-gen.sh to isolate network namespaces and prevent port collisions when tests run concurrently. sniffer-gen.sh uses --cap-add ALL (like dtls.test) since it runs tcpdump. ocsp-stapling.test is excluded because it connects to external servers (login.live.com).
- se050_ed25519_verify_msg: initialize *res = 0 at entry so failures don't leak a stale res = 1 from a prior good verify.
- Ed25519 import functions: reset keyIdSet / keyId under WOLFSSL_SE050 in wc_ed25519_import_private_key_ex, wc_ed25519_import_private_only, wc_ed25519_import_public_ex so overwriting host-side key material invalidates any prior SE050 object binding.
- New workflow .github/workflows/se050-sim.yml: builds wolfSSL against the NXP Plug&Trust SDK and runs the wolfCrypt tests against the SE050Sim simulator. Patches the upstream Dockerfile to use the PR's wolfSSL source.
- ed25519_test SE050 adjustments:
  - Cap the RFC 8032 loop at 5 iters — iter 5's 1023 B msg exceeds NXP SDK SE05X_TLV_BUF_SIZE_CMD = 900.
  - rareEd verifies and private-only sign: expect WC_HW_E (SE050 delegates malformed-input rejection to the secure element) instead of BAD_FUNC_ARG / SIG_VERIFY_E.
  - Skip ed25519ctx_test / ed25519ph_test — SE050 port drops the context/prehash params so RFC 8032 ctx/ph vectors can't byte-match.
- se050_rsa_verify: when the function uploads only the public part of the key (keyCreated == 1), erase the transient SE050 object and don't persist keyIdSet = 1. A subsequent sign on the same RsaKey was reusing the public-only SE050 object and failing. Pre-existing bindings (from wc_RsaUseKeyId or a prior sign that uploaded a keypair) are preserved untouched.
- rsa_keygen_test: add WOLFSSL_SE050 to the existing WOLFSSL_CRYPTOCELL guard around the export-then-decode round-trip. SE050-generated keys keep their private components in the secure element, so wc_RsaKeyToDer + wc_RsaPrivateKeyDecode cannot complete. Matching guard on the idx declaration to avoid an unused-variable warning.