The memLock mutex and #include <pthread.h> in mem_track.h were
declared under #ifdef DO_MEM_LIST (Linux/macOS/Zephyr only), but
referenced under the broader guard
!defined(SINGLE_THREADED) && \
(defined(DO_MEM_LIST) || defined(DO_MEM_STATS))
Since DO_MEM_STATS is defined whenever WOLFSSL_TRACK_MEMORY +
USE_WOLFSSL_MEMORY are set without WOLFSSL_STATIC_MEMORY, any
non-Linux/Mac/Zephyr multi-threaded build failed to compile with
implicit pthread_mutex_lock declarations and undeclared memLock.
Replace the raw pthread mutex with wolfSSL's portable mutex API
(wc_InitMutex / wc_LockMutex / wc_UnLockMutex / wc_FreeMutex) so
locking works on every platform wolfSSL already ports to.
InitMemoryTracker now calls wc_InitMutex before
wolfSSL_SetAllocators installs TrackMalloc, guarded by a
memLockInit flag for idempotency. CleanupMemoryTracker calls
wc_FreeMutex after restoring the default allocators so no
in-flight allocation races a freed mutex. The four mutex guards
in TrackMalloc/TrackFree and the two in InitMemoryTracker/
ShowMemoryTracker are unified on the same condition as the
memLock declaration itself.
ZD #21763
Merging TranslateReturnCode into wolfSSL_LastError dropped the
IP_SOCK_getsockopt(SO_ERROR) lookup emNET integrations need to retrieve
the canonical IP_ERR_* for a failed recv/send, leaving a broken branch
that returned the raw value and mishandled the POSIX-facade convention.
Restore the historic lookup (fixing the optlen pointer-vs-int typo
along the way) and add a CI test that builds wolfSSL with
-DWOLFSSL_EMNET against a clean-room shim providing an emNET-faithful
IP_SOCK_getsockopt (SO_ERROR-then-errno fallback, since Linux does not
stash EAGAIN in SO_ERROR); recv/send fall through to glibc.
The emNET `wolfSSL_LastError` branches were incorrect. The second one
was never hit and would never compile. The first one inverts error codes
that should not be inverted.
This fixes that code and adds a test with a shim layer to test emNET
calls without using emNET.
* configure.ac: --enable-dtls13 auto-enables --enable-dtls and TLS 1.3,
with a targeted error if either is explicitly --disabled, plus a
post-finalization sanity check that errors out if a later
prerequisite test forces ENABLED_TLS13 back to "no" while
ENABLED_DTLS13 is yes.
* src/internal.c, src/wolfio.c, wolfssl/wolfio.h: new WOLFSSL_DTLS_ONLY
compile-time flag elides the EmbedReceive / EmbedSend default
callbacks. The DTLS_MAJOR runtime check stays in SetSSL_CTX so a
TLS-method ctx in a DTLS-only build doesn't get datagram callbacks
by default, and WriteSEQ keeps its ssl->options.dtls branch. A
#error in settings.h refuses WOLFSSL_DTLS_ONLY without WOLFSSL_DTLS.
* wolfcrypt/src/aes.c: add HAVE_AES_DECRYPT to the inv_col_mul
definition gate to match its only caller; without it the function is
emitted dead under WOLFSSL_AES_DIRECT && NO_AES_DECRYPT and
-Werror=unused-function fails the build.
* .github/workflows/os-check.yml: matrix entry for a minimal DTLS 1.3
client-only build.
Increase the timeout for PQC CI tests from 6 to 10 minutes. The new
SLH-DSA tests take more time than the previous tests due to the slow
signing. With the old timeout, some tests sometimes hit the timeout
before finishing successfully.
Reduce the number of tests running on macos in os-check.yml to the
minimum required number to cover all mac os specific features. All other
platform-agnostic configs and setups are only tested on Linux, which is
much faster in GitHub CI.