From a1c8790039b8241a1ddca66d8996cecb91a8b2c4 Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Thu, 6 Nov 2025 12:18:00 +0100
Subject: [PATCH 01/12] wolfssl: preserve early-data handling across WANT_WRITE retries

The early-data logic setups "early" exits in Accept/Connect state machine so that the data exchanged during the handshake can be delivered to the caller. After the caller process the data, it usually calls Accept/Connect again to cotinue the handshake. Under non-blocking I/O there is the chance that these early exits are skipped, this commit fixes that. Server-side accept (TLS 1.3/DTLS 1.3) could skip the early-data shortcut whenever sending the Finished flight first hit WANT_WRITE: when Accept is called again and the data is eventually flushed into the I/O layer the accept state is advanced past TLS13_ACCEPT_FINISHED_SENT, so the next wolfSSL_accept() call skipped the block that marks SERVER_FINISHED_COMPLETE and lets the application drain 0-RTT data. By keeping the FALL_THROUGH into TLS13_ACCEPT_FINISHED_SENT and only returning early while that handshake flag is still unset, we revisit the shortcut immediately after the buffered flight is delivered, preserving the intentional behaviour even under non-blocking I/O. On the client, the same pattern showed up after SendTls13ClientHello() buffered due to WANT_WRITE: after flushing, the connect state is already CLIENT_HELLO_SENT so the early-data exit is no longer executed. We now fall through into the CLIENT_HELLO_SENT case and only short-circuit once per handshake, ensuring the reply-processing loop still executes on the retry.
---
 src/tls13.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/tls13.c b/src/tls13.c
index e4026c8527..d45bbea09c 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -13396,8 +13396,12 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) ssl->options.connectState = CLIENT_HELLO_SENT; WOLFSSL_MSG("TLSv13 connect state: CLIENT_HELLO_SENT"); + FALL_THROUGH; + + case CLIENT_HELLO_SENT: #ifdef WOLFSSL_EARLY_DATA - if (ssl->earlyData != no_early_data) { + if (ssl->earlyData != no_early_data && + ssl->options.handShakeState != CLIENT_HELLO_COMPLETE) { #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) if (!ssl->options.dtls && ssl->options.tls13MiddleBoxCompat) { if ((ssl->error = SendChangeCipher(ssl)) != 0) { @@ -13411,9 +13415,6 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) return WOLFSSL_SUCCESS; } #endif - FALL_THROUGH; - - case CLIENT_HELLO_SENT: /* Get the response/s from the server. */ while (ssl->options.serverState < SERVER_HELLOVERIFYREQUEST_COMPLETE) { @@ -14736,15 +14737,16 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) ssl->options.acceptState = TLS13_ACCEPT_FINISHED_SENT; WOLFSSL_MSG("accept state ACCEPT_FINISHED_SENT"); + FALL_THROUGH; + + case TLS13_ACCEPT_FINISHED_SENT: #ifdef WOLFSSL_EARLY_DATA - if (ssl->earlyData != no_early_data) { + if (ssl->earlyData != no_early_data && + ssl->options.handShakeState != SERVER_FINISHED_COMPLETE) { ssl->options.handShakeState = SERVER_FINISHED_COMPLETE; return WOLFSSL_SUCCESS; } #endif - FALL_THROUGH; - - case TLS13_ACCEPT_FINISHED_SENT : #ifdef HAVE_SESSION_TICKET #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED if (!ssl->options.verifyPeer && !ssl->options.noTicketTls13 && From 093d77727b4bb4028db0fbf554c8ae24cb1b9704 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Tue, 2 Dec 2025 17:58:23 +0100 Subject: [PATCH 02/12] early_data: avoid resetting ssl->earlyData after WANT_WRITE retry --- src/tls13.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/src/tls13.c b/src/tls13.c index d45bbea09c..98409f3a45 100644 --- a/src/tls13.c +++ b/src/tls13.c 
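Review bot: The `SendChangeCipher()` call that now sits under `case CLIENT_HELLO_SENT:` can itself fail with WANT_WRITE, and it is not clear from the hunk that this retry reaches the early-data exit. The description says the flush at function entry moves `connectState` forward once buffered data is delivered; if that also happens after a buffered ChangeCipherSpec, the state would presumably move past `CLIENT_HELLO_SENT`, skipping both the exit and the reply loop, so it is worth running the WANT_WRITE test with `WOLFSSL_TLS13_MIDDLEBOX_COMPAT` enabled. The guard also reuses `handShakeState` as a once-per-handshake latch through a `!=` comparison, and the assignment that closes the latch lies between this hunk and the next one. A comment above the `if`, such as `/* handShakeState latches the early-data exit: return to the caller exactly once, even when a WANT_WRITE retry re-enters this case */`, would make that dependency visible. The same latch is used at `case TLS13_ACCEPT_FINISHED_SENT:` in `wolfSSL_accept_TLSv13`.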
@@ -15066,7 +15066,10 @@ int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz) return SIDE_ERROR; if (ssl->options.handShakeState == NULL_STATE) { - if (ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E)) + /* the server flight can return WANT_WRITE and we re-enter here after + * setting ssl->earlyData = process_early_data, set earlyData to + * expecting_early_data just once */ + if (ssl->earlyData < expecting_early_data) ssl->earlyData = expecting_early_data; /* this used to be: ret = wolfSSL_accept_TLSv13(ssl); * However, wolfSSL_accept_TLSv13() expects a certificate to @@ -15098,6 +15101,20 @@ int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz) #endif /* WOLFSSL_DTLS13 */ } } +#ifdef WOLFSSL_DTLS13 + else if (ssl->buffers.outputBuffer.length > 0 && + ssl->options.dtls && ssl->dtls13SendingAckOrRtx) { + ret = SendBuffered(ssl); + if (ret == 0) { + ssl->dtls13SendingAckOrRtx = 0; + } + else { + ssl->error = ret; + WOLFSSL_ERROR(ssl->error); + return WOLFSSL_FATAL_ERROR; + } + } +#endif /* WOLFSSL_DTLS13 */ else ret = 0; #else From 57282140a99688c3e5384b7b60bd211ae358c17d Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Thu, 4 Dec 2025 11:02:33 +0100 Subject: [PATCH 03/12] WOLFSSL_CHECK_ALERT_ON_ERR: ignore non fatal errors --- src/internal.c | 39 ++++++++++++++++++++++++++++----------- src/ssl.c | 29 ++++++++++++++--------------- src/tls13.c | 6 +++--- wolfssl/internal.h | 4 ++++ 4 files changed, 49 insertions(+), 29 deletions(-) diff --git a/src/internal.c b/src/internal.c index 111eb9ffde..9d482a06a3 100644 --- a/src/internal.c +++ b/src/internal.c 
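Review bot: The new guard `ssl->earlyData < expecting_early_data` depends on the declaration order of the early-data state values, which is not visible in this hunk. If a value is later inserted or reordered around `expecting_early_data`, the server would either stop arming early-data reception or reset the state again on a WANT_WRITE retry, which is the bug this commit fixes. The added comment should state the assumption, for example `/* relies on enum order: any value below expecting_early_data means reception has not been armed yet */`. It would also read better as "the server flight can return WANT_WRITE, so we may re-enter here after earlyData was already advanced; arm it only once". The function body continues outside the hunk.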
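Review bot: The added `else if` branch under `WOLFSSL_DTLS13` flushes the output buffer when `dtls13SendingAckOrRtx` is set, but nothing explains why `wolfSSL_read_early_data()` must do this itself once `handShakeState` is no longer `NULL_STATE`. Any non-zero `SendBuffered()` result returns `WOLFSSL_FATAL_ERROR`, including a repeated WANT_WRITE, so progress relies on the caller checking `wolfSSL_get_error()` and calling again; that contract deserves a line in the comment. Suggested text above the branch: `/* a DTLS 1.3 ACK or retransmission hit WANT_WRITE earlier: flush it before handing more early data to the caller; WANT_WRITE is reported via ssl->error */`.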
@@ -22292,17 +22292,6 @@ static int DoProcessReplyEx(WOLFSSL* ssl, int allowSocketErr) return ssl->error; } - /* If checking alert on error (allowSocketErr == 1) do not try and - * process alerts for async or ocsp non blocking */ -#if defined(WOLFSSL_CHECK_ALERT_ON_ERR) && \ - (defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)) - if (allowSocketErr == 1 && \ - (ssl->error == WC_NO_ERR_TRACE(WC_PENDING_E) || - ssl->error == WC_NO_ERR_TRACE(OCSP_WANT_READ))) { - return ssl->error; - } -#endif - #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_ASYNC_CRYPT) /* process any pending DTLS messages - this flow can happen with async */ if (ssl->dtls_rx_msg_list != NULL) { @@ -42524,6 +42513,34 @@ int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx, #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */ +#if defined(WOLFSSL_CHECK_ALERT_ON_ERR) +/* Do not try to process error for async, non blocking io, and app_read */ +void wolfSSL_maybeCheckAlertOnErr(WOLFSSL* ssl, int err) +{ +#if defined(WOLFSSL_ASYNC_CRYPT) + if (err == WC_NO_ERR_TRACE(WC_PENDING_E)) { + return; + } +#endif +#if defined(WOLFSSL_NONBLOCK_OCSP) + if (err == WC_NO_ERR_TRACE(OCSP_WANT_READ)) { + return; + } +#endif +#if defined(WOLFSSL_EARLY_DATA) + if (err == WC_NO_ERR_TRACE(APP_DATA_READY)) { + return; + } +#endif + if (err == WC_NO_ERR_TRACE(WANT_WRITE) || + err == WC_NO_ERR_TRACE(WANT_READ)) { + return; + } + /* check if an alert was sent */ + ProcessReplyEx(ssl, 1); +} +#endif /* WOLFSSL_CHECK_ALERT_ON_ERR */ + #undef ERROR_OUT #endif /* !WOLFCRYPT_ONLY */ diff --git a/src/ssl.c b/src/ssl.c index 4c1f7b1856..f413efe6b1 100644 --- a/src/ssl.c +++ b/src/ssl.c 
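Review bot: Moving the non-fatal-error filter out of `DoProcessReplyEx()` means it now protects only call sites that go through `wolfSSL_maybeCheckAlertOnErr()`. Any remaining direct `ProcessReplyEx(ssl, 1)` caller loses the `WC_PENDING_E`/`OCSP_WANT_READ` early return that the first hunk in this file deletes. The series converts the ssl.c sites and three in `wolfSSL_connect_TLSv13`; whether other callers exist is not visible here, so a search for `ProcessReplyEx(ssl, 1)` is worth doing before merge. The helper also silently drops the return value; `(void)ProcessReplyEx(ssl, 1);` would make that explicit. The header comment could be extended to `/* Look for a peer alert after a send failure; skipped for retryable conditions (async pending, OCSP want-read, early app data ready, WANT_READ/WANT_WRITE) */`.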
@@ -10592,7 +10592,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificate(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -10613,7 +10613,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (!ssl->options.resuming) { if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif #ifdef WOLFSSL_EXTRA_ALERTS if (ssl->error == WC_NO_ERR_TRACE(NO_PEER_KEY) || @@ -10644,7 +10644,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -10659,7 +10659,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_THIRD : if ( (ssl->error = SendChangeCipher(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -10672,7 +10672,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_FOURTH : if ( (ssl->error = SendFinished(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; 
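Review bot: Each converted call site keeps its own `#ifdef WOLFSSL_CHECK_ALERT_ON_ERR` block and passes `ssl->error`, a value the helper could read from `ssl` itself. A no-op fallback next to the prototype in internal.h, e.g. `#define wolfSSL_maybeCheckAlertOnErr(ssl, err) do {} while (0)` under the `#else`, would let this hunk and the remaining ones in ssl.c and tls13.c drop the per-site conditionals. It would also make it harder for a future error path to forget the filter. This is a readability point; behaviour at these sites is unchanged by it.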
@@ -11052,7 +11052,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, } if ( (ssl->error = SendServerHello(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -11071,7 +11071,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (!ssl->options.resuming) if ( (ssl->error = SendCertificate(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -11086,7 +11086,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (!ssl->options.resuming) if ( (ssl->error = SendCertificateStatus(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -11105,7 +11105,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (!ssl->options.resuming) if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -11120,8 +11120,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (ssl->options.verifyPeer) { if ( (ssl->error = SendCertificateRequest(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - /* See if an alert was sent. */ - ProcessReplyEx(ssl, 1); + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; 
@@ -11141,7 +11140,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (!ssl->options.resuming) if ( (ssl->error = SendServerHelloDone(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -11182,7 +11181,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (ssl->options.createTicket && !ssl->options.noTicketTls12) { if ( (ssl->error = SendTicket(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_MSG("Thought we need ticket but failed"); WOLFSSL_ERROR(ssl->error); @@ -11203,7 +11202,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if ( (ssl->error = SendChangeCipher(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -11215,7 +11214,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case CHANGE_CIPHER_SENT : if ( (ssl->error = SendFinished(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; diff --git a/src/tls13.c b/src/tls13.c index 98409f3a45..8de5dc882a 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -13548,7 +13548,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) ssl->error = SendTls13Certificate(ssl); if (ssl->error != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; 
@@ -13570,7 +13570,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) ssl->error = SendTls13CertificateVerify(ssl); if (ssl->error != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -13586,7 +13586,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) case FIRST_REPLY_FOURTH: if ((ssl->error = SendTls13Finished(ssl)) != 0) { #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - ProcessReplyEx(ssl, 1); /* See if an alert was sent. */ + wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); #endif WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c975865caf..7c253d89f3 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -7240,6 +7240,10 @@ WOLFSSL_LOCAL int pkcs8_encrypt(WOLFSSL_EVP_PKEY* pkey, word32* keySz); #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ +#if defined(WOLFSSL_CHECK_ALERT_ON_ERR) +WOLFSSL_LOCAL void wolfSSL_maybeCheckAlertOnErr(WOLFSSL* ssl, int err); +#endif + #ifdef __cplusplus } /* extern "C" */ #endif From 609e30a69cde757dc85ed815fd86de14840c3a6c Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Tue, 2 Dec 2025 11:02:12 +0100 Subject: [PATCH 04/12] test: tls13_early_data: refactor splitEarlyData test option --- tests/api/test_tls13.c | 256 +++++++++++++++++++++-------------------- 1 file changed, 130 insertions(+), 126 deletions(-) diff --git a/tests/api/test_tls13.c b/tests/api/test_tls13.c index abf0e1e02b..59ad15abe3 100644 --- a/tests/api/test_tls13.c +++ b/tests/api/test_tls13.c 
@@ -2011,164 +2011,168 @@ int test_tls13_early_data(void) method_provider server_meth; const char* tls_version; int isUdp; + int splitEarlyData; } params[] = { #ifdef WOLFSSL_TLS13 { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, - "TLS 1.3", 0 }, + "TLS 1.3", 0, 0 }, + { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, + "TLS 1.3", 0, 1 }, #endif #ifdef WOLFSSL_DTLS13 { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, - "DTLS 1.3", 1 }, + "DTLS 1.3", 1, 0 }, + { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, + "DTLS 1.3", 1, 1 }, #endif }; for (i = 0; i < sizeof(params)/sizeof(*params) && !EXPECT_FAIL(); i++) { - for (splitEarlyData = 0; splitEarlyData < 2; splitEarlyData++) { - struct test_memio_ctx test_ctx; - WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL; - WOLFSSL *ssl_c = NULL, *ssl_s = NULL; - WOLFSSL_SESSION *sess = NULL; - - XMEMSET(&test_ctx, 0, sizeof(test_ctx)); - - fprintf(stderr, "\tEarly data with %s\n", params[i].tls_version); - - ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, - &ssl_s, params[i].client_meth, params[i].server_meth), 0); - - /* Get a ticket so that we can do 0-RTT on the next connection */ - ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); - /* Make sure we read the ticket */ - ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); - ExpectNotNull(sess = wolfSSL_get1_session(ssl_c)); - - wolfSSL_free(ssl_c); - ssl_c = NULL; - wolfSSL_free(ssl_s); - ssl_s = NULL; - XMEMSET(&test_ctx, 0, sizeof(test_ctx)); - ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, + struct test_memio_ctx test_ctx; + WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL; + WOLFSSL *ssl_c = NULL, *ssl_s = NULL; + WOLFSSL_SESSION *sess = NULL; + int splitEarlyData = params[i].splitEarlyData; + + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + + fprintf(stderr, "\tEarly data with %s\n", params[i].tls_version); + + 
ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, params[i].client_meth, params[i].server_meth), 0); - wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS); + + /* Get a ticket so that we can do 0-RTT on the next connection */ + ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); + /* Make sure we read the ticket */ + ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + ExpectNotNull(sess = wolfSSL_get1_session(ssl_c)); + + wolfSSL_free(ssl_c); + ssl_c = NULL; + wolfSSL_free(ssl_s); + ssl_s = NULL; + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, + &ssl_s, params[i].client_meth, params[i].server_meth), 0); + wolfSSL_SetLoggingPrefix("client"); + ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS); #ifdef WOLFSSL_DTLS13 - if (params[i].isUdp) { - wolfSSL_SetLoggingPrefix("server"); + if (params[i].isUdp) { + wolfSSL_SetLoggingPrefix("server"); #ifdef WOLFSSL_DTLS13_NO_HRR_ON_RESUME - ExpectIntEQ(wolfSSL_dtls13_no_hrr_on_resume(ssl_s, 1), - WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_dtls13_no_hrr_on_resume(ssl_s, 1), + WOLFSSL_SUCCESS); #else - /* Let's test this but we generally don't recommend turning off - * the cookie exchange */ - ExpectIntEQ(wolfSSL_disable_hrr_cookie(ssl_s), WOLFSSL_SUCCESS); + /* Let's test this but we generally don't recommend turning off + * the cookie exchange */ + ExpectIntEQ(wolfSSL_disable_hrr_cookie(ssl_s), WOLFSSL_SUCCESS); #endif - } + } #endif - /* Test 0-RTT data */ - wolfSSL_SetLoggingPrefix("client"); + /* Test 0-RTT data */ + wolfSSL_SetLoggingPrefix("client"); + ExpectIntEQ(wolfSSL_write_early_data(ssl_c, msg, sizeof(msg), + &written), sizeof(msg)); + ExpectIntEQ(written, sizeof(msg)); + + if (splitEarlyData) { ExpectIntEQ(wolfSSL_write_early_data(ssl_c, msg, sizeof(msg), &written), sizeof(msg)); 
ExpectIntEQ(written, sizeof(msg)); + } - if (splitEarlyData) { - ExpectIntEQ(wolfSSL_write_early_data(ssl_c, msg, sizeof(msg), - &written), sizeof(msg)); - ExpectIntEQ(written, sizeof(msg)); - } + /* Read first 0-RTT data (if split otherwise entire data) */ + wolfSSL_SetLoggingPrefix("server"); + ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, sizeof(msgBuf), + &read), sizeof(msg)); + ExpectIntEQ(read, sizeof(msg)); + ExpectStrEQ(msg, msgBuf); - /* Read first 0-RTT data (if split otherwise entire data) */ - wolfSSL_SetLoggingPrefix("server"); - ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, sizeof(msgBuf), - &read), sizeof(msg)); + /* Test 0.5-RTT data */ + ExpectIntEQ(wolfSSL_write(ssl_s, msg4, sizeof(msg4)), sizeof(msg4)); + + if (splitEarlyData) { + /* Read second 0-RTT data */ + ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, + sizeof(msgBuf), &read), sizeof(msg)); ExpectIntEQ(read, sizeof(msg)); ExpectStrEQ(msg, msgBuf); + } - /* Test 0.5-RTT data */ - ExpectIntEQ(wolfSSL_write(ssl_s, msg4, sizeof(msg4)), sizeof(msg4)); - - if (splitEarlyData) { - /* Read second 0-RTT data */ - ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, - sizeof(msgBuf), &read), sizeof(msg)); - ExpectIntEQ(read, sizeof(msg)); - ExpectStrEQ(msg, msgBuf); - } + if (params[i].isUdp) { + wolfSSL_SetLoggingPrefix("client"); + ExpectIntEQ(wolfSSL_connect(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), + WC_NO_ERR_TRACE(APP_DATA_READY)); - if (params[i].isUdp) { - wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_connect(ssl_c), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), - WC_NO_ERR_TRACE(APP_DATA_READY)); - - /* Read server 0.5-RTT data */ - ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), - sizeof(msg4)); - ExpectStrEQ(msg4, msgBuf); - - /* Complete handshake */ - ExpectIntEQ(wolfSSL_connect(ssl_c), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), - WOLFSSL_ERROR_WANT_READ); - /* Use wolfSSL_is_init_finished to check if handshake is - * complete. 
Normally a user would loop until it is true but - * here we control both sides so we just assert the expected - * value. wolfSSL_read_early_data does not provide handshake - * status to us with non-blocking IO and we can't use - * wolfSSL_accept as TLS layer may return ZERO_RETURN due to - * early data parsing logic. */ - wolfSSL_SetLoggingPrefix("server"); - ExpectFalse(wolfSSL_is_init_finished(ssl_s)); - ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, - sizeof(msgBuf), &read), 0); - ExpectIntEQ(read, 0); - ExpectTrue(wolfSSL_is_init_finished(ssl_s)); - - wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS); - } - else { - wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS); - - wolfSSL_SetLoggingPrefix("server"); - ExpectFalse(wolfSSL_is_init_finished(ssl_s)); - ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, - sizeof(msgBuf), &read), 0); - ExpectIntEQ(read, 0); - ExpectTrue(wolfSSL_is_init_finished(ssl_s)); - - /* Read server 0.5-RTT data */ - wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), - sizeof(msg4)); - ExpectStrEQ(msg4, msgBuf); - } + /* Read server 0.5-RTT data */ + ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), + sizeof(msg4)); + ExpectStrEQ(msg4, msgBuf); + + /* Complete handshake */ + ExpectIntEQ(wolfSSL_connect(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), + WOLFSSL_ERROR_WANT_READ); + /* Use wolfSSL_is_init_finished to check if handshake is + * complete. Normally a user would loop until it is true but + * here we control both sides so we just assert the expected + * value. wolfSSL_read_early_data does not provide handshake + * status to us with non-blocking IO and we can't use + * wolfSSL_accept as TLS layer may return ZERO_RETURN due to + * early data parsing logic. 
*/ + wolfSSL_SetLoggingPrefix("server"); + ExpectFalse(wolfSSL_is_init_finished(ssl_s)); + ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, + sizeof(msgBuf), &read), 0); + ExpectIntEQ(read, 0); + ExpectTrue(wolfSSL_is_init_finished(ssl_s)); - /* Test bi-directional write */ wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_write(ssl_c, msg2, sizeof(msg2)), sizeof(msg2)); + ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS); + } + else { + wolfSSL_SetLoggingPrefix("client"); + ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS); + wolfSSL_SetLoggingPrefix("server"); - ExpectIntEQ(wolfSSL_read(ssl_s, msgBuf, sizeof(msgBuf)), - sizeof(msg2)); - ExpectStrEQ(msg2, msgBuf); - ExpectIntEQ(wolfSSL_write(ssl_s, msg3, sizeof(msg3)), sizeof(msg3)); + ExpectFalse(wolfSSL_is_init_finished(ssl_s)); + ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, + sizeof(msgBuf), &read), 0); + ExpectIntEQ(read, 0); + ExpectTrue(wolfSSL_is_init_finished(ssl_s)); + + /* Read server 0.5-RTT data */ wolfSSL_SetLoggingPrefix("client"); ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), - sizeof(msg3)); - ExpectStrEQ(msg3, msgBuf); - - wolfSSL_SetLoggingPrefix(NULL); - ExpectTrue(wolfSSL_session_reused(ssl_c)); - ExpectTrue(wolfSSL_session_reused(ssl_s)); - - wolfSSL_SESSION_free(sess); - wolfSSL_free(ssl_c); - wolfSSL_free(ssl_s); - wolfSSL_CTX_free(ctx_c); - wolfSSL_CTX_free(ctx_s); + sizeof(msg4)); + ExpectStrEQ(msg4, msgBuf); } + + /* Test bi-directional write */ + wolfSSL_SetLoggingPrefix("client"); + ExpectIntEQ(wolfSSL_write(ssl_c, msg2, sizeof(msg2)), sizeof(msg2)); + wolfSSL_SetLoggingPrefix("server"); + ExpectIntEQ(wolfSSL_read(ssl_s, msgBuf, sizeof(msgBuf)), + sizeof(msg2)); + ExpectStrEQ(msg2, msgBuf); + ExpectIntEQ(wolfSSL_write(ssl_s, msg3, sizeof(msg3)), sizeof(msg3)); + wolfSSL_SetLoggingPrefix("client"); + ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), + sizeof(msg3)); + ExpectStrEQ(msg3, msgBuf); + + wolfSSL_SetLoggingPrefix(NULL); + 
ExpectTrue(wolfSSL_session_reused(ssl_c)); + ExpectTrue(wolfSSL_session_reused(ssl_s)); + + wolfSSL_SESSION_free(sess); + wolfSSL_free(ssl_c); + wolfSSL_free(ssl_s); + wolfSSL_CTX_free(ctx_c); + wolfSSL_CTX_free(ctx_s); } #endif return EXPECT_RESULT(); From 8de68decd2c3883855e0429117ad126471eed787 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Tue, 2 Dec 2025 11:59:12 +0100 Subject: [PATCH 05/12] test: tls13_early_data: test WANT_WRITE in early data --- tests/api/test_tls13.c | 191 ++++++++++++++++++++++++++++++++++------- 1 file changed, 162 insertions(+), 29 deletions(-) diff --git a/tests/api/test_tls13.c b/tests/api/test_tls13.c index 59ad15abe3..ee9cbcc650 100644 --- a/tests/api/test_tls13.c +++ b/tests/api/test_tls13.c 
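Review bot: The new block-scope `int splitEarlyData = params[i].splitEarlyData;` shadows the function-scope `int splitEarlyData;` that the removed inner `for` loop used. This commit leaves that outer declaration in place; it is deleted only by the next patch in the series. Built on its own, this commit therefore carries an unused, shadowed variable, which breaks bisecting if the project builds tests with `-Wshadow` or unused-variable warnings treated as errors. Deleting the outer `int splitEarlyData;` in this commit rather than the following one keeps every step of the series warning-free.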
@@ -1992,6 +1992,101 @@ int test_tls13_pq_groups(void) return EXPECT_RESULT(); } +#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \ + defined(WOLFSSL_EARLY_DATA) && defined(HAVE_SESSION_TICKET) +static int test_tls13_read_until_write_ok(WOLFSSL* ssl, void* buf, int bufLen) +{ + int ret, err; + int tries = 5; + + err = 0; + do { + ret = wolfSSL_read(ssl, buf, bufLen); + if (ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)) { + err = wolfSSL_get_error(ssl, ret); + } + } while (tries-- && ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR) && + err == WC_NO_ERR_TRACE(WOLFSSL_ERROR_WANT_WRITE)); + return ret; +} +static int test_tls13_connect_until_write_ok(WOLFSSL* ssl) +{ + int ret, err; + int tries = 5; + + err = 0; + do { + ret = wolfSSL_connect(ssl); + if (ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)) { + err = wolfSSL_get_error(ssl, ret); + } + } while (tries-- && ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR) && + err == WC_NO_ERR_TRACE(WOLFSSL_ERROR_WANT_WRITE)); + return ret; +} +static int test_tls13_write_until_write_ok(WOLFSSL* ssl, const void* msg, + int msgLen) +{ + int ret, err; + int tries = 5; + + err = 0; + do { + ret = wolfSSL_write(ssl, msg, msgLen); + if (ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)) { + err = wolfSSL_get_error(ssl, ret); + } + } while (tries-- && ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR) && + err == WC_NO_ERR_TRACE(WOLFSSL_ERROR_WANT_WRITE)); + return ret; +} +static int test_tls13_early_data_read_until_write_ok(WOLFSSL* ssl, void* buf, + int bufLen, int* read) +{ + int ret, err; + int tries = 5; + + err = 0; + do { + ret = wolfSSL_read_early_data(ssl, buf, bufLen, read); + if (ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)) { + err = wolfSSL_get_error(ssl, ret); + } + } while (tries-- && ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR) && + err == WC_NO_ERR_TRACE(WOLFSSL_ERROR_WANT_WRITE)); + return ret; +} +static int test_tls13_early_data_write_until_write_ok(WOLFSSL* ssl, + const void* msg, int msgLen, int* written) +{ + int ret, err; + int 
tries = 5; + + err = 0; + do { + ret = wolfSSL_write_early_data(ssl, msg, msgLen, written); + if (ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)) { + err = wolfSSL_get_error(ssl, ret); + } + } while (tries-- && ret == WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR) && + err == WC_NO_ERR_TRACE(WOLFSSL_ERROR_WANT_WRITE)); + return ret; +} +struct test_tls13_wwrite_ctx { + int want_write; + struct test_memio_ctx *text_ctx; +}; +static int test_tls13_mock_wantwrite_cb(WOLFSSL* ssl, char* data, int sz, + void* ctx) +{ + struct test_tls13_wwrite_ctx *wwctx = (struct test_tls13_wwrite_ctx *)ctx; + wwctx->want_write = !wwctx->want_write; + if (wwctx->want_write) { + return WOLFSSL_CBIO_ERR_WANT_WRITE; + } + return test_memio_write_cb(ssl, data, sz, wwctx->text_ctx); +} +#endif /* HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_EARLY_DATA */ int test_tls13_early_data(void) { EXPECT_DECLS; @@ -2000,7 +2095,6 @@ int test_tls13_early_data(void) int written = 0; int read = 0; size_t i; - int splitEarlyData; char msg[] = "This is early data"; char msg2[] = "This is client data"; char msg3[] = "This is server data"; 
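Review bot: The five `*_until_write_ok` helpers are copies of one retry loop that differ only in the wolfSSL call, and each repeats the bound `tries = 5`. A single named constant would make the retry budget explicit and prevent the copies from drifting apart. The helpers return the last result when the bound is reached and never record whether the mock callback actually returned `WOLFSSL_CBIO_ERR_WANT_WRITE`. Adding a counter to `struct test_tls13_wwrite_ctx` and asserting on it in the `everyWriteWantWrite` cases would prove the retry path under test really ran. Two smaller points: the field `text_ctx` reads like a typo for `test_ctx`, and the closing `#endif` comment omits `HAVE_SESSION_TICKET` from the condition it closes.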
@@ -2012,18 +2106,27 @@ int test_tls13_early_data(void) const char* tls_version; int isUdp; int splitEarlyData; + int everyWriteWantWrite; } params[] = { #ifdef WOLFSSL_TLS13 { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, - "TLS 1.3", 0, 0 }, + "TLS 1.3", 0, 0, 0 }, + { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, + "TLS 1.3", 0, 1, 0 }, + { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, + "TLS 1.3", 0, 0, 1 }, { wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, - "TLS 1.3", 0, 1 }, + "TLS 1.3", 0, 1, 1 }, #endif #ifdef WOLFSSL_DTLS13 { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, - "DTLS 1.3", 1, 0 }, + "DTLS 1.3", 1, 0, 0 }, { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, - "DTLS 1.3", 1, 1 }, + "DTLS 1.3", 1, 1, 0 }, + { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, + "DTLS 1.3", 1, 0, 1 }, + { wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method, + "DTLS 1.3", 1, 1, 1 }, #endif }; @@ -2033,10 +2136,14 @@ int test_tls13_early_data(void) WOLFSSL *ssl_c = NULL, *ssl_s = NULL; WOLFSSL_SESSION *sess = NULL; int splitEarlyData = params[i].splitEarlyData; + int everyWriteWantWrite = params[i].everyWriteWantWrite; + struct test_tls13_wwrite_ctx wwrite_ctx_s, wwrite_ctx_c; XMEMSET(&test_ctx, 0, sizeof(test_ctx)); - fprintf(stderr, "\tEarly data with %s\n", params[i].tls_version); + fprintf(stderr, "\tEarly data with %s%s%s\n", params[i].tls_version, + splitEarlyData ? " (split early data)" : "", + everyWriteWantWrite ? " (every write WANT_WRITE)" : ""); ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, params[i].client_meth, params[i].server_meth), 0); 
@@ -2071,49 +2178,66 @@ int test_tls13_early_data(void) } #endif + if (everyWriteWantWrite) { + XMEMSET(&wwrite_ctx_c, 0, sizeof(wwrite_ctx_c)); + XMEMSET(&wwrite_ctx_s, 0, sizeof(wwrite_ctx_s)); + wwrite_ctx_c.text_ctx = &test_ctx; + wwrite_ctx_s.text_ctx = &test_ctx; + wolfSSL_SetIOWriteCtx(ssl_c, &wwrite_ctx_c); + wolfSSL_SSLSetIOSend(ssl_c, test_tls13_mock_wantwrite_cb); + wolfSSL_SetIOWriteCtx(ssl_s, &wwrite_ctx_s); + wolfSSL_SSLSetIOSend(ssl_s, test_tls13_mock_wantwrite_cb); + } /* Test 0-RTT data */ wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_write_early_data(ssl_c, msg, sizeof(msg), - &written), sizeof(msg)); + + ExpectIntEQ(test_tls13_early_data_write_until_write_ok(ssl_c, msg, + sizeof(msg), &written), + sizeof(msg)); ExpectIntEQ(written, sizeof(msg)); if (splitEarlyData) { - ExpectIntEQ(wolfSSL_write_early_data(ssl_c, msg, sizeof(msg), - &written), sizeof(msg)); + ExpectIntEQ(test_tls13_early_data_write_until_write_ok(ssl_c, msg, + sizeof(msg), &written), + sizeof(msg)); ExpectIntEQ(written, sizeof(msg)); } /* Read first 0-RTT data (if split otherwise entire data) */ wolfSSL_SetLoggingPrefix("server"); - ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, sizeof(msgBuf), - &read), sizeof(msg)); + ExpectIntEQ(test_tls13_early_data_read_until_write_ok(ssl_s, msgBuf, + sizeof(msgBuf), &read), + sizeof(msg)); ExpectIntEQ(read, sizeof(msg)); ExpectStrEQ(msg, msgBuf); /* Test 0.5-RTT data */ - ExpectIntEQ(wolfSSL_write(ssl_s, msg4, sizeof(msg4)), sizeof(msg4)); + ExpectIntEQ(test_tls13_write_until_write_ok(ssl_s, msg4, sizeof(msg4)), + sizeof(msg4)); if (splitEarlyData) { /* Read second 0-RTT data */ - ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, - sizeof(msgBuf), &read), sizeof(msg)); + ExpectIntEQ(test_tls13_early_data_read_until_write_ok(ssl_s, msgBuf, + sizeof(msgBuf), &read), + sizeof(msg)); ExpectIntEQ(read, sizeof(msg)); ExpectStrEQ(msg, msgBuf); } if (params[i].isUdp) { wolfSSL_SetLoggingPrefix("client"); - 
ExpectIntEQ(wolfSSL_connect(ssl_c), -1); + ExpectIntEQ(test_tls13_connect_until_write_ok(ssl_c), -1); ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(APP_DATA_READY)); /* Read server 0.5-RTT data */ - ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), + ExpectIntEQ( + test_tls13_read_until_write_ok(ssl_c, msgBuf, sizeof(msgBuf)), sizeof(msg4)); ExpectStrEQ(msg4, msgBuf); /* Complete handshake */ - ExpectIntEQ(wolfSSL_connect(ssl_c), -1); + ExpectIntEQ(test_tls13_connect_until_write_ok(ssl_c), -1); ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); /* Use wolfSSL_is_init_finished to check if handshake is 
@@ -2125,42 +2249,51 @@ int test_tls13_early_data(void) * early data parsing logic. */ wolfSSL_SetLoggingPrefix("server"); ExpectFalse(wolfSSL_is_init_finished(ssl_s)); - ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, - sizeof(msgBuf), &read), 0); + ExpectIntEQ(test_tls13_early_data_read_until_write_ok(ssl_s, msgBuf, + sizeof(msgBuf), &read), + 0); ExpectIntEQ(read, 0); ExpectTrue(wolfSSL_is_init_finished(ssl_s)); wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS); + ExpectIntEQ(test_tls13_connect_until_write_ok(ssl_c), + WOLFSSL_SUCCESS); } else { wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS); + ExpectIntEQ(test_tls13_connect_until_write_ok(ssl_c), + WOLFSSL_SUCCESS); wolfSSL_SetLoggingPrefix("server"); ExpectFalse(wolfSSL_is_init_finished(ssl_s)); - ExpectIntEQ(wolfSSL_read_early_data(ssl_s, msgBuf, - sizeof(msgBuf), &read), 0); + ExpectIntEQ(test_tls13_early_data_read_until_write_ok(ssl_s, msgBuf, + sizeof(msgBuf), &read), + 0); ExpectIntEQ(read, 0); ExpectTrue(wolfSSL_is_init_finished(ssl_s)); /* Read server 0.5-RTT data */ wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), + ExpectIntEQ( + test_tls13_read_until_write_ok(ssl_c, msgBuf, sizeof(msgBuf)), sizeof(msg4)); ExpectStrEQ(msg4, msgBuf); } /* Test bi-directional write */ wolfSSL_SetLoggingPrefix("client"); - ExpectIntEQ(wolfSSL_write(ssl_c, msg2, sizeof(msg2)), sizeof(msg2)); + ExpectIntEQ(test_tls13_write_until_write_ok(ssl_c, msg2, sizeof(msg2)), + sizeof(msg2)); wolfSSL_SetLoggingPrefix("server"); - ExpectIntEQ(wolfSSL_read(ssl_s, msgBuf, sizeof(msgBuf)), + ExpectIntEQ( + test_tls13_read_until_write_ok(ssl_s, msgBuf, sizeof(msgBuf)), sizeof(msg2)); ExpectStrEQ(msg2, msgBuf); - ExpectIntEQ(wolfSSL_write(ssl_s, msg3, sizeof(msg3)), sizeof(msg3)); + ExpectIntEQ(test_tls13_write_until_write_ok(ssl_s, msg3, sizeof(msg3)), + sizeof(msg3)); wolfSSL_SetLoggingPrefix("client"); - 
ExpectIntEQ(wolfSSL_read(ssl_c, msgBuf, sizeof(msgBuf)), + ExpectIntEQ( + test_tls13_read_until_write_ok(ssl_c, msgBuf, sizeof(msgBuf)), sizeof(msg3)); ExpectStrEQ(msg3, msgBuf); From 950c074c259d76b763edbeb06fd57058cb5fbae4 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Thu, 4 Dec 2025 19:05:03 +0100 Subject: [PATCH 06/12] test: fix typo in structure field --- tests/api/test_tls13.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/api/test_tls13.c b/tests/api/test_tls13.c index ee9cbcc650..1f9728cc90 100644 --- a/tests/api/test_tls13.c +++ b/tests/api/test_tls13.c @@ -2074,7 +2074,7 @@ static int test_tls13_early_data_write_until_write_ok(WOLFSSL* ssl, } struct test_tls13_wwrite_ctx { int want_write; - struct test_memio_ctx *text_ctx; + struct test_memio_ctx *test_ctx; }; static int test_tls13_mock_wantwrite_cb(WOLFSSL* ssl, char* data, int sz, void* ctx) @@ -2084,7 +2084,7 @@ static int test_tls13_mock_wantwrite_cb(WOLFSSL* ssl, char* data, int sz, if (wwctx->want_write) { return WOLFSSL_CBIO_ERR_WANT_WRITE; } - return test_memio_write_cb(ssl, data, sz, wwctx->text_ctx); + return test_memio_write_cb(ssl, data, sz, wwctx->test_ctx); } #endif /* HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_EARLY_DATA */ int test_tls13_early_data(void) @@ -2181,8 +2181,8 @@ int test_tls13_early_data(void) if (everyWriteWantWrite) { XMEMSET(&wwrite_ctx_c, 0, sizeof(wwrite_ctx_c)); XMEMSET(&wwrite_ctx_s, 0, sizeof(wwrite_ctx_s)); - wwrite_ctx_c.text_ctx = &test_ctx; - wwrite_ctx_s.text_ctx = &test_ctx; + wwrite_ctx_c.test_ctx = &test_ctx; + wwrite_ctx_s.test_ctx = &test_ctx; wolfSSL_SetIOWriteCtx(ssl_c, &wwrite_ctx_c); wolfSSL_SSLSetIOSend(ssl_c, test_tls13_mock_wantwrite_cb); wolfSSL_SetIOWriteCtx(ssl_s, &wwrite_ctx_s); From 38d8eb6f0d7ffb14072d7d6a02bdad5a99497f98 Mon Sep 17 00:00:00 2001 
From: Marco Oliverio Date: Wed, 17 Dec 2025 16:28:46 +0100 Subject: [PATCH 07/12] address reviewer's comments --- src/internal.c | 6 ++--- src/ssl.c | 56 +++++++++++------------------------------- src/tls13.c | 25 ++++++++----------- tests/api/test_tls13.c | 4 +-- wolfssl/internal.h | 4 +-- 5 files changed, 30 insertions(+), 65 deletions(-) diff --git a/src/internal.c b/src/internal.c index 9d482a06a3..380fdbc4d3 100644 --- a/src/internal.c +++ b/src/internal.c @@ -42513,10 +42513,10 @@ int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx, #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */ -#if defined(WOLFSSL_CHECK_ALERT_ON_ERR) /* Do not try to process error for async, non blocking io, and app_read */ -void wolfSSL_maybeCheckAlertOnErr(WOLFSSL* ssl, int err) +void wolfSSL_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err) { +#if defined(WOLFSSL_CHECK_ALERT_ON_ERR) #if defined(WOLFSSL_ASYNC_CRYPT) if (err == WC_NO_ERR_TRACE(WC_PENDING_E)) { return; @@ -42538,8 +42538,8 @@ void wolfSSL_maybeCheckAlertOnErr(WOLFSSL* ssl, int err) } /* check if an alert was sent */ ProcessReplyEx(ssl, 1); -} #endif /* WOLFSSL_CHECK_ALERT_ON_ERR */ +} #undef ERROR_OUT diff --git a/src/ssl.c b/src/ssl.c index f413efe6b1..03d321c184 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10591,9 +10591,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificate(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } 
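Review bot: The comment above `wolfSSL_MaybeCheckAlertOnErr` in the `src/internal.c` hunk (`@@ -42513,10 +42513,10 @@`) still lists only the skipped error cases and does not say that the whole body is compiled out unless `WOLFSSL_CHECK_ALERT_ON_ERR` is defined. With the `#ifdef` guards dropped at every call site in `src/ssl.c` and `src/tls13.c`, the calls now read as unconditional, so someone auditing a send-failure path may assume peer records are always processed there. I would extend the comment to something like `/* No-op unless WOLFSSL_CHECK_ALERT_ON_ERR is defined; otherwise, except for async, non-blocking I/O and app_read errors, calls ProcessReplyEx() to check whether the peer sent an alert. */` and mirror a one-line version on the declaration in `wolfssl/internal.h`. The result of `ProcessReplyEx(ssl, 1)` is discarded in the context lines; if that is intentional, a `(void)` cast would make it explicit.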
@@ -10612,9 +10610,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (!ssl->options.resuming) { if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); #ifdef WOLFSSL_EXTRA_ALERTS if (ssl->error == WC_NO_ERR_TRACE(NO_PEER_KEY) || ssl->error == WC_NO_ERR_TRACE(PSK_KEY_ERROR)) { @@ -10643,9 +10639,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH) if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -10658,9 +10652,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_THIRD : if ( (ssl->error = SendChangeCipher(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -10671,9 +10663,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_FOURTH : if ( (ssl->error = SendFinished(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11051,9 +11041,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, return WOLFSSL_FATAL_ERROR; } if ( (ssl->error = SendServerHello(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } 
@@ -11070,9 +11058,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifndef NO_CERTS if (!ssl->options.resuming) if ( (ssl->error = SendCertificate(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11085,9 +11071,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifndef NO_CERTS if (!ssl->options.resuming) if ( (ssl->error = SendCertificateStatus(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11104,9 +11088,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (!ssl->options.resuming) if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11119,9 +11101,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (!ssl->options.resuming) { if (ssl->options.verifyPeer) { if ( (ssl->error = SendCertificateRequest(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11139,9 +11119,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case CERT_REQ_SENT : if (!ssl->options.resuming) if ( (ssl->error = SendServerHelloDone(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } 
@@ -11180,9 +11158,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifdef HAVE_SESSION_TICKET if (ssl->options.createTicket && !ssl->options.noTicketTls12) { if ( (ssl->error = SendTicket(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_MSG("Thought we need ticket but failed"); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -11201,9 +11177,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, } if ( (ssl->error = SendChangeCipher(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11213,9 +11187,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case CHANGE_CIPHER_SENT : if ( (ssl->error = SendFinished(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } diff --git a/src/tls13.c b/src/tls13.c index 8de5dc882a..e281508531 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -13403,13 +13403,14 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) if (ssl->earlyData != no_early_data && ssl->options.handShakeState != CLIENT_HELLO_COMPLETE) { #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) - if (!ssl->options.dtls && ssl->options.tls13MiddleBoxCompat) { - if ((ssl->error = SendChangeCipher(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; + if (!ssl->options.dtls && + ssl->options.tls13MiddleBoxCompat) { + if ((ssl->error = SendChangeCipher(ssl)) != 0) { + WOLFSSL_ERROR(ssl->error); + return WOLFSSL_FATAL_ERROR; + } + ssl->options.sentChangeCipher = 1; } - ssl->options.sentChangeCipher = 1; - } #endif ssl->options.handShakeState = CLIENT_HELLO_COMPLETE; return WOLFSSL_SUCCESS; 
@@ -13547,9 +13548,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) if (!ssl->options.resuming && ssl->options.sendVerify) { ssl->error = SendTls13Certificate(ssl); if (ssl->error != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -13569,9 +13568,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) if (!ssl->options.resuming && ssl->options.sendVerify) { ssl->error = SendTls13CertificateVerify(ssl); if (ssl->error != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -13585,9 +13582,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) case FIRST_REPLY_FOURTH: if ((ssl->error = SendTls13Finished(ssl)) != 0) { - #ifdef WOLFSSL_CHECK_ALERT_ON_ERR - wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error); - #endif + wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } diff --git a/tests/api/test_tls13.c b/tests/api/test_tls13.c index 1f9728cc90..b28faf24f8 100644 --- a/tests/api/test_tls13.c +++ b/tests/api/test_tls13.c @@ -2140,6 +2140,8 @@ int test_tls13_early_data(void) struct test_tls13_wwrite_ctx wwrite_ctx_s, wwrite_ctx_c; XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + XMEMSET(&wwrite_ctx_c, 0, sizeof(wwrite_ctx_c)); + XMEMSET(&wwrite_ctx_s, 0, sizeof(wwrite_ctx_s)); fprintf(stderr, "\tEarly data with %s%s%s\n", params[i].tls_version, splitEarlyData ? " (split early data)" : "", @@ -2179,8 +2181,6 @@ int test_tls13_early_data(void) #endif if (everyWriteWantWrite) { - XMEMSET(&wwrite_ctx_c, 0, sizeof(wwrite_ctx_c)); - XMEMSET(&wwrite_ctx_s, 0, sizeof(wwrite_ctx_s)); wwrite_ctx_c.test_ctx = &test_ctx; wwrite_ctx_s.test_ctx = &test_ctx; wolfSSL_SetIOWriteCtx(ssl_c, &wwrite_ctx_c); 
diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 7c253d89f3..acd53111d6 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -7240,9 +7240,7 @@ WOLFSSL_LOCAL int pkcs8_encrypt(WOLFSSL_EVP_PKEY* pkey, word32* keySz); #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ -#if defined(WOLFSSL_CHECK_ALERT_ON_ERR) -WOLFSSL_LOCAL void wolfSSL_maybeCheckAlertOnErr(WOLFSSL* ssl, int err); -#endif +WOLFSSL_LOCAL void wolfSSL_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err); #ifdef __cplusplus } /* extern "C" */ From f4c48c19c1a184d77756d914ba43bde8e97bf101 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Wed, 17 Dec 2025 16:31:33 +0100 Subject: [PATCH 08/12] fix: abide unused arguments when WOLFSSL_CHECK_ALER_ON_ERR is disabled --- src/internal.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/internal.c b/src/internal.c index 380fdbc4d3..0b102054f3 100644 --- a/src/internal.c +++ b/src/internal.c @@ -42538,6 +42538,9 @@ void wolfSSL_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err) } /* check if an alert was sent */ ProcessReplyEx(ssl, 1); +#else + (void)ssl; + (void)err; #endif /* WOLFSSL_CHECK_ALERT_ON_ERR */ } From 12c2cdafaf92d210967aae2ca5855f90457333cf Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Thu, 18 Dec 2025 16:52:58 +0100 Subject: [PATCH 09/12] rename wolfSSL_MaybeCheckAlertOnErr in wolfMaybeCheckAlertOnErr --- src/internal.c | 2 +- src/ssl.c | 28 ++++++++++++++-------------- src/tls13.c | 6 +++--- wolfssl/internal.h | 2 +- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/src/internal.c b/src/internal.c index 0b102054f3..4a514a4a0c 100644 --- a/src/internal.c +++ b/src/internal.c 
@@ -42514,7 +42514,7 @@ int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx, #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */ /* Do not try to process error for async, non blocking io, and app_read */ -void wolfSSL_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err) +void wolfMaybeCheckAlertOnErr(WOLFSSL* ssl, int err) { #if defined(WOLFSSL_CHECK_ALERT_ON_ERR) #if defined(WOLFSSL_ASYNC_CRYPT) diff --git a/src/ssl.c b/src/ssl.c index 03d321c184..f87086d9b2 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10591,7 +10591,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificate(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -10610,7 +10610,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (!ssl->options.resuming) { if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); #ifdef WOLFSSL_EXTRA_ALERTS if (ssl->error == WC_NO_ERR_TRACE(NO_PEER_KEY) || ssl->error == WC_NO_ERR_TRACE(PSK_KEY_ERROR)) { @@ -10639,7 +10639,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH) if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -10652,7 +10652,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_THIRD : if ( (ssl->error = SendChangeCipher(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } 
@@ -10663,7 +10663,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_FOURTH : if ( (ssl->error = SendFinished(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11041,7 +11041,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, return WOLFSSL_FATAL_ERROR; } if ( (ssl->error = SendServerHello(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11058,7 +11058,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifndef NO_CERTS if (!ssl->options.resuming) if ( (ssl->error = SendCertificate(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11071,7 +11071,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifndef NO_CERTS if (!ssl->options.resuming) if ( (ssl->error = SendCertificateStatus(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11088,7 +11088,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (!ssl->options.resuming) if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11101,7 +11101,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (!ssl->options.resuming) { if (ssl->options.verifyPeer) { if ( (ssl->error = SendCertificateRequest(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } 
@@ -11119,7 +11119,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case CERT_REQ_SENT : if (!ssl->options.resuming) if ( (ssl->error = SendServerHelloDone(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11158,7 +11158,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifdef HAVE_SESSION_TICKET if (ssl->options.createTicket && !ssl->options.noTicketTls12) { if ( (ssl->error = SendTicket(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_MSG("Thought we need ticket but failed"); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -11177,7 +11177,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, } if ( (ssl->error = SendChangeCipher(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11187,7 +11187,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case CHANGE_CIPHER_SENT : if ( (ssl->error = SendFinished(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } diff --git a/src/tls13.c b/src/tls13.c index e281508531..01c8cc13d6 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -13548,7 +13548,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) if (!ssl->options.resuming && ssl->options.sendVerify) { ssl->error = SendTls13Certificate(ssl); if (ssl->error != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } 
@@ -13568,7 +13568,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) if (!ssl->options.resuming && ssl->options.sendVerify) { ssl->error = SendTls13CertificateVerify(ssl); if (ssl->error != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -13582,7 +13582,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) case FIRST_REPLY_FOURTH: if ((ssl->error = SendTls13Finished(ssl)) != 0) { - wolfSSL_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfMaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index acd53111d6..7a77501340 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -7240,7 +7240,7 @@ WOLFSSL_LOCAL int pkcs8_encrypt(WOLFSSL_EVP_PKEY* pkey, word32* keySz); #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ -WOLFSSL_LOCAL void wolfSSL_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err); +WOLFSSL_LOCAL void wolfMaybeCheckAlertOnErr(WOLFSSL* ssl, int err); #ifdef __cplusplus } /* extern "C" */ From 14b124769ab16dfa51094bc19118e86555e36004 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Mon, 22 Dec 2025 10:04:50 +0100 Subject: [PATCH 10/12] use wolfssl internal prefix for MaybeCheckAlertOnErr --- src/internal.c | 2 +- src/ssl.c | 28 ++++++++++++++-------------- src/tls13.c | 6 +++--- wolfssl/internal.h | 2 +- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/src/internal.c b/src/internal.c index 4a514a4a0c..b41973c901 100644 --- a/src/internal.c +++ b/src/internal.c 
@@ -42514,7 +42514,7 @@ int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx, #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */ /* Do not try to process error for async, non blocking io, and app_read */ -void wolfMaybeCheckAlertOnErr(WOLFSSL* ssl, int err) +void wolfssl_i_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err) { #if defined(WOLFSSL_CHECK_ALERT_ON_ERR) #if defined(WOLFSSL_ASYNC_CRYPT) diff --git a/src/ssl.c b/src/ssl.c index f87086d9b2..546aa56add 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10591,7 +10591,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificate(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -10610,7 +10610,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (!ssl->options.resuming) { if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); #ifdef WOLFSSL_EXTRA_ALERTS if (ssl->error == WC_NO_ERR_TRACE(NO_PEER_KEY) || ssl->error == WC_NO_ERR_TRACE(PSK_KEY_ERROR)) { @@ -10639,7 +10639,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH) if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -10652,7 +10652,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_THIRD : if ( (ssl->error = SendChangeCipher(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } 
@@ -10663,7 +10663,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_FOURTH : if ( (ssl->error = SendFinished(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11041,7 +11041,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, return WOLFSSL_FATAL_ERROR; } if ( (ssl->error = SendServerHello(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11058,7 +11058,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifndef NO_CERTS if (!ssl->options.resuming) if ( (ssl->error = SendCertificate(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11071,7 +11071,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifndef NO_CERTS if (!ssl->options.resuming) if ( (ssl->error = SendCertificateStatus(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11088,7 +11088,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (!ssl->options.resuming) if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11101,7 +11101,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (!ssl->options.resuming) { if (ssl->options.verifyPeer) { if ( (ssl->error = SendCertificateRequest(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } 
@@ -11119,7 +11119,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case CERT_REQ_SENT : if (!ssl->options.resuming) if ( (ssl->error = SendServerHelloDone(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11158,7 +11158,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifdef HAVE_SESSION_TICKET if (ssl->options.createTicket && !ssl->options.noTicketTls12) { if ( (ssl->error = SendTicket(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_MSG("Thought we need ticket but failed"); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; @@ -11177,7 +11177,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, } if ( (ssl->error = SendChangeCipher(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11187,7 +11187,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case CHANGE_CIPHER_SENT : if ( (ssl->error = SendFinished(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } diff --git a/src/tls13.c b/src/tls13.c index 01c8cc13d6..9ef675b70d 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -13548,7 +13548,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) if (!ssl->options.resuming && ssl->options.sendVerify) { ssl->error = SendTls13Certificate(ssl); if (ssl->error != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } 
@@ -13568,7 +13568,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) if (!ssl->options.resuming && ssl->options.sendVerify) { ssl->error = SendTls13CertificateVerify(ssl); if (ssl->error != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -13582,7 +13582,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) case FIRST_REPLY_FOURTH: if ((ssl->error = SendTls13Finished(ssl)) != 0) { - wolfMaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 7a77501340..3e8651ee7a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -7240,7 +7240,7 @@ WOLFSSL_LOCAL int pkcs8_encrypt(WOLFSSL_EVP_PKEY* pkey, word32* keySz); #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ -WOLFSSL_LOCAL void wolfMaybeCheckAlertOnErr(WOLFSSL* ssl, int err); +WOLFSSL_LOCAL void wolfssl_i_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err); #ifdef __cplusplus } /* extern "C" */ From 29d8fa7cb68ce5961673baa6a23139aaa72fe510 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Mon, 22 Dec 2025 13:45:34 +0100 Subject: [PATCH 11/12] tls13: fix indentation alignment --- src/tls13.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index 9ef675b70d..2e3a83e2f8 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -13412,8 +13412,8 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) ssl->options.sentChangeCipher = 1; } #endif - ssl->options.handShakeState = CLIENT_HELLO_COMPLETE; - return WOLFSSL_SUCCESS; + ssl->options.handShakeState = CLIENT_HELLO_COMPLETE; + return WOLFSSL_SUCCESS; } #endif /* Get the response/s from the server. */ From bafb8e56d5bf3dbad5fa069e49fc8bcb938d0f2e Mon Sep 17 00:00:00 2001 
From: Marco Oliverio Date: Tue, 23 Dec 2025 23:30:42 +0100 Subject: [PATCH 12/12] use wolfssl_local_ as local functions prefix --- src/internal.c | 2 +- src/ssl.c | 28 ++++++++++++++-------------- src/tls13.c | 6 +++--- wolfssl/internal.h | 2 +- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/src/internal.c b/src/internal.c index b41973c901..c43e9a9ac4 100644 --- a/src/internal.c +++ b/src/internal.c @@ -42514,7 +42514,7 @@ int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx, #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */ /* Do not try to process error for async, non blocking io, and app_read */ -void wolfssl_i_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err) +void wolfssl_local_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err) { #if defined(WOLFSSL_CHECK_ALERT_ON_ERR) #if defined(WOLFSSL_ASYNC_CRYPT) diff --git a/src/ssl.c b/src/ssl.c index 546aa56add..d0983b1a7d 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10591,7 +10591,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificate(ssl)) != 0) { - wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -10610,7 +10610,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif if (!ssl->options.resuming) { if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) { - wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error); #ifdef WOLFSSL_EXTRA_ALERTS if (ssl->error == WC_NO_ERR_TRACE(NO_PEER_KEY) || ssl->error == WC_NO_ERR_TRACE(PSK_KEY_ERROR)) { 
@@ -10639,7 +10639,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH) if (ssl->options.sendVerify) { if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { - wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -10652,7 +10652,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_THIRD : if ( (ssl->error = SendChangeCipher(ssl)) != 0) { - wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -10663,7 +10663,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, case FIRST_REPLY_FOURTH : if ( (ssl->error = SendFinished(ssl)) != 0) { - wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11041,7 +11041,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, return WOLFSSL_FATAL_ERROR; } if ( (ssl->error = SendServerHello(ssl)) != 0) { - wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11058,7 +11058,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifndef NO_CERTS if (!ssl->options.resuming) if ( (ssl->error = SendCertificate(ssl)) != 0) { - wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } @@ -11071,7 +11071,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifndef NO_CERTS if (!ssl->options.resuming) if ( (ssl->error = SendCertificateStatus(ssl)) != 0) { - wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error); + wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error); WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } 
@@ -11088,7 +11088,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
 #endif
 if (!ssl->options.resuming)
 if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) {
- wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error);
+ wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
 WOLFSSL_ERROR(ssl->error);
 return WOLFSSL_FATAL_ERROR;
 }
@@ -11101,7 +11101,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
 if (!ssl->options.resuming) {
 if (ssl->options.verifyPeer) {
 if ( (ssl->error = SendCertificateRequest(ssl)) != 0) {
- wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error);
+ wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
 WOLFSSL_ERROR(ssl->error);
 return WOLFSSL_FATAL_ERROR;
 }
@@ -11119,7 +11119,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
 case CERT_REQ_SENT :
 if (!ssl->options.resuming)
 if ( (ssl->error = SendServerHelloDone(ssl)) != 0) {
- wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error);
+ wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
 WOLFSSL_ERROR(ssl->error);
 return WOLFSSL_FATAL_ERROR;
 }
@@ -11158,7 +11158,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
 #ifdef HAVE_SESSION_TICKET
 if (ssl->options.createTicket && !ssl->options.noTicketTls12) {
 if ( (ssl->error = SendTicket(ssl)) != 0) {
- wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error);
+ wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
 WOLFSSL_MSG("Thought we need ticket but failed");
 WOLFSSL_ERROR(ssl->error);
 return WOLFSSL_FATAL_ERROR;
@@ -11177,7 +11177,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
 }
 if ( (ssl->error = SendChangeCipher(ssl)) != 0) {
- wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error);
+ wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
 WOLFSSL_ERROR(ssl->error);
 return WOLFSSL_FATAL_ERROR;
 }
@@ -11187,7 +11187,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
 case CHANGE_CIPHER_SENT :
 if ( (ssl->error = SendFinished(ssl)) != 0) {
- wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error);
+ wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
 WOLFSSL_ERROR(ssl->error);
 return WOLFSSL_FATAL_ERROR;
 }
diff --git a/src/tls13.c b/src/tls13.c
index 2e3a83e2f8..9726c50b9f 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -13548,7 +13548,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
 if (!ssl->options.resuming && ssl->options.sendVerify) {
 ssl->error = SendTls13Certificate(ssl);
 if (ssl->error != 0) {
- wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error);
+ wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
 WOLFSSL_ERROR(ssl->error);
 return WOLFSSL_FATAL_ERROR;
 }
@@ -13568,7 +13568,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
 if (!ssl->options.resuming && ssl->options.sendVerify) {
 ssl->error = SendTls13CertificateVerify(ssl);
 if (ssl->error != 0) {
- wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error);
+ wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
 WOLFSSL_ERROR(ssl->error);
 return WOLFSSL_FATAL_ERROR;
 }
@@ -13582,7 +13582,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
 case FIRST_REPLY_FOURTH:
 if ((ssl->error = SendTls13Finished(ssl)) != 0) {
- wolfssl_i_MaybeCheckAlertOnErr(ssl, ssl->error);
+ wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
 WOLFSSL_ERROR(ssl->error);
 return WOLFSSL_FATAL_ERROR;
 }
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 3e8651ee7a..9401970ee3 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -7240,7 +7240,7 @@ WOLFSSL_LOCAL int pkcs8_encrypt(WOLFSSL_EVP_PKEY* pkey,
 word32* keySz);
 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
-WOLFSSL_LOCAL void wolfssl_i_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err);
+WOLFSSL_LOCAL void wolfssl_local_MaybeCheckAlertOnErr(WOLFSSL* ssl, int err);
 #ifdef __cplusplus
 } /* extern "C" */