Fail loudly if clock_gettime() ever fails instead of computing
throughput from uninitialized stack, and warn when -z is combined with
-s since the sink-send only applies to the client.
The PeekSEQ-written explicit nonce is overwritten by the encrypt paths
before transmission (cipher-generated counter, or aead_exp_IV on legacy
FIPS/selftest builds) and the AAD sequence is written separately; the
optimization is the removal of the per-record RNG draw.
Under WOLFSSL_RW_THREADED the read and write threads could both perform
the lazy isDGramSock() first-time cache write concurrently; the cached
bit-fields share a storage unit with other dtlsCtx flags, making this a
data race.
Instead of caching from inside the I/O callbacks, run the
getsockopt(SO_TYPE) probe where dtlsCtx.rfd/wfd is assigned and store
the result per descriptor (rfd and wfd may be different sockets of
different types). fd assignment happens during single-threaded setup,
so no thread-specific handling is needed, and the I/O callbacks reduce
to reading a struct member, so isDGramSock() is dropped in favor of
reading the flags directly. The stateless-hash test no longer needs to
mask the fields: the I/O callbacks no longer write to the WOLFSSL
object.
dtls_bench.c is built whenever DTLS and the example servers are enabled,
including the cross-mingw-all-crypto multi-test scenario, which cross-
compiles for Windows. It directly includes POSIX-only headers
(<sys/socket.h>, <arpa/inet.h>, <netdb.h>, <net/if.h>) that mingw does
not ship, so the build failed there.
Gate the networking includes and the whole benchmark body behind a
DTLS_BENCH_ENABLED check (WOLFSSL_DTLS, not USE_WINDOWS_API, not
WOLFSSL_NO_SOCK). When the platform lacks POSIX BSD sockets, compile a
small stub main() that reports the tool is unsupported, so the source
tree still builds.
Add examples/benchmark/dtls_bench, a DTLS throughput benchmark that
completes a handshake and then measures bulk-send throughput. It
supports DTLS 1.2 and 1.3, selectable cipher suites, an end-to-end
mode, and a -z sink mode that discards records on the server after the
handshake to isolate the sender's record-layer cost. The socket is set
up with wolfSSL_set_dtls_fd_connected.
Optimize the send path exercised by the benchmark:
- wolfio (EmbedSendTo): cache the per-descriptor socket-type probe
(getsockopt SO_TYPE) in WOLFSSL_DTLS_CTX instead of running it on
every send, removing a syscall from the record send path. The cache
is invalidated whenever rfd/wfd is reassigned.
- internal (BuildMessage): for AEAD suites whose explicit nonce is the
8-byte record sequence number, write the sequence number directly as
nonce_explicit instead of drawing it from the RNG. This covers
AES-GCM (RFC 5288 sec 3), AES-CCM (RFC 6655 sec 3), SM4-GCM/CCM
(RFC 8998 sec 3), and Camellia-/ARIA-GCM which inherit the RFC 5288
construction; ChaCha20 uses an implicit nonce and is excluded. A new
read-only PeekSEQ() helper reads the sequence number without advancing
the per-direction counter, leaving the single mandated increment to
writeAeadAuthData().
Also ignore the built dtls_bench binary in .gitignore.
wolfcrypt/src/wc_port.c: fix several missed refactors to WC_ATOMIC_[U]INT_ARG.
wolfssl/wolfcrypt/wc_port.h:
* harmonize the return type of WOLFSSL_ATOMIC_STORE() (always void).
* fix MSVC WOLFSSL_ATOMIC_LOAD() and _STORE() with correct atomic semantics, and add gating on USE_WINDOWS_API.
Extend test_tls13_apis with negative-count assertions for
wolfSSL_CTX_set_groups and wolfSSL_set_groups, and NULL-groups
assertions for wolfSSL_CTX_set1_groups and wolfSSL_set1_groups
(tests/api/test_tls13.c).
Add test_wolfSSL_get_shared_ciphers covering NULL ssl, NULL buf, and
zero-length inputs (tests/api/test_tls.c).
Add count < 0 validation to wolfSSL_CTX_set_groups and wolfSSL_set_groups
(src/tls.c) to prevent negative count from bypassing the upper-bound check
and corrupting numGroups via byte truncation.
Widen count == 0 to count <= 0 and add NULL groups check in
wolfSSL_CTX_set1_groups and wolfSSL_set1_groups (src/ssl.c).
Add NULL buf and NULL cipher checks in wolfSSL_get_shared_ciphers to
prevent NULL pointer dereference.
* wc_local_InitUp()
* wc_local_InitUpDone()
* wc_local_InitDown()
* wc_local_InitDownDone()
* wc_init_state_t
* WC_DECLARE_INIT_STATE()
* WC_INIT_STATE_*
* union wc_init_state_bitfields
* WC_INIT_STATE_RAISE_BAD_STATE()
* WC_ATOMIC_INT_ARG and WC_ATOMIC_UINT_ARG, pivoting on WC_16BIT_CPU, used to assure operands to atomic operators are 32 bits, and that wc_init_state_t is 32 bits, even on 16 bit targets like Arduino.
fix&refactor thread safety mechanisms in wolfCrypt_Init() and wolfCrypt_Cleanup(), and fix a few preexisting error-handling flubs in wolfCrypt_Init().
The two new tests (test_tls12_ecdhe_ecdsa_rsa_client_cert and
test_tls12_ecdhe_rsa_ecdsa_client_cert) were appended right after
test_wolfSSL_alert_desc_string, the last function in test_tls.c. Another
in-flight branch appends its own new tests at the same anchor, producing
a spurious add/add merge conflict even though the additions are
independent. Move these two functions just above
test_wolfSSL_alert_desc_string so the two branches insert at different
locations and merge cleanly. Pure code movement; no behavior change.
The TLS 1.2 server derived the single advertised ClientCertificateType
and the signature_algorithms list in its CertificateRequest from the
negotiated cipher suite's own signature algorithm. On an ECDHE-ECDSA
suite only ecdsa_sign was offered (and only ECDSA sig algs), so RSA
clients could not authenticate even though the server could happily
verify an RSA certificate. The same was true in reverse for an RSA
server: the CertificateRequest only advertised rsa_sign.
Refactor SendCertificateRequest to advertise certificate_types and
signature_algorithms covering both sig families when both are compiled
in. Three static helpers in internal.c keep the logic in one place
without mutating ssl->suites:
GetServerCertReqCertTypes - certificate_types to emit
GetServerCertReqHashSigAlgo - signature_algorithms to emit
InServerCertReqHashSigAlgo - membership check used for verification
The advertised lists are written to stack buffers in the caller. To
keep DoCertificateVerify in agreement with what we actually sent, the
SupportedHashSigAlgo call site there is replaced with
InServerCertReqHashSigAlgo, which rebuilds the same list locally and
looks up the client's chosen algo.
Replace the magic certTypes buffer size with a new
MAX_CERT_REQ_CERT_TYPE_CNT constant declared next to
ClientCertificateType.
Add two end-to-end mutual-auth tests covering both directions:
test_tls12_ecdhe_ecdsa_rsa_client_cert - ECDSA server, RSA client
test_tls12_ecdhe_rsa_ecdsa_client_cert - RSA server, ECDSA client
Update test_certreq_sighash_algos to permit RSA / RSA-PSS sig algs in
the ECDHE-ECDSA CertificateRequest; the previous assertion locked in
the ECDSA-only behaviour that this change corrects.
TLS 1.3 is unaffected: RFC 8446 removed certificate_types from
CertificateRequest, and TLS 1.3 cipher suites do not bind a signature
algorithm, so the server's hashSigAlgo already covers both sig
families when either has been compiled in.