From 08737fab7210e155199855d51aeba6498912744d Mon Sep 17 00:00:00 2001 From: Jeremiah Mackey Date: Thu, 19 Mar 2026 15:39:01 +0000 Subject: [PATCH 1/9] Fix wrap_socket server_side mismatch --- wolfssl/__init__.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/wolfssl/__init__.py b/wolfssl/__init__.py index b4f42f0..aa180c9 100644 --- a/wolfssl/__init__.py +++ b/wolfssl/__init__.py @@ -245,6 +245,9 @@ def wrap_socket(self, sock, server_side=None, "between init and wrap_socket()") if self._server_side is None: + if server_side: + raise ValueError("SSLContext server_side value not consistent " + "between init and wrap_socket()") self._server_side = server_side if server_side is None and self._server_side is not None: From 9a738526785a83b7f81925d1e732b3e9a9f7b2cf Mon Sep 17 00:00:00 2001 From: Jeremiah Mackey Date: Thu, 19 Mar 2026 15:41:42 +0000 Subject: [PATCH 2/9] Check wolfSSL_check_domain_name return --- wolfssl/__init__.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/wolfssl/__init__.py b/wolfssl/__init__.py index aa180c9..ff78ba0 100644 --- a/wolfssl/__init__.py +++ b/wolfssl/__init__.py @@ -463,8 +463,11 @@ def __init__(self, sock=None, keyfile=None, certfile=None, if self._context.check_hostname: sni = _ffi.new("char[]", server_hostname.encode("utf-8")) - _lib.wolfSSL_check_domain_name(self.native_object, - sni) + ret = _lib.wolfSSL_check_domain_name(self.native_object, + sni) + if ret != _SSL_SUCCESS: + raise SSLError("Unable to set domain name check for " + "hostname verification") if connected: try: From ad2f7c6046df346909289346d3bee8fab898ba42 Mon Sep 17 00:00:00 2001 From: Jeremiah Mackey Date: Thu, 19 Mar 2026 15:45:34 +0000 Subject: [PATCH 3/9] Fix wrong alert description function --- wolfssl/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfssl/__init__.py b/wolfssl/__init__.py index ff78ba0..cf2dea9 100644 --- a/wolfssl/__init__.py +++ b/wolfssl/__init__.py @@ -771,7 +771,7 @@ def do_handshake(self, block=False): # pylint: disable=unused-argument if alertRet == _SSL_SUCCESS: alertHistory = alertHistoryPtr[0] code = alertHistory.last_rx.code - alertDesc = _lib.wolfSSL_alert_type_string_long(code) + alertDesc = _lib.wolfSSL_alert_desc_string_long(code) if alertDesc != _ffi.NULL: alertStr = _ffi.string(alertDesc).decode("ascii") else: From c5ed261a4e80b6782c0c36c57724f9a1d9b7a4f6 Mon Sep 17 00:00:00 2001 From: Jeremiah Mackey Date: Thu, 19 Mar 2026 15:46:06 +0000 Subject: [PATCH 4/9] Return None from get_peer_x509 --- wolfssl/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wolfssl/__init__.py b/wolfssl/__init__.py index cf2dea9..c1b1af5 100644 --- a/wolfssl/__init__.py +++ b/wolfssl/__init__.py @@ -850,7 +850,7 @@ def get_peer_x509(self): after making a successful SSL/TLS connection. """ if self.native_object == _ffi.NULL: - return _ffi.NULL + return None return WolfSSLX509(self.native_object) @@ -863,7 +863,7 @@ def getpeercert(self, binary_form=False): x509 = self.get_peer_x509() if not x509: - return x509 + return None if binary_form: return x509.get_der() From 40b35a4e3635661e84aa5322ac1a82d4053309bd Mon Sep 17 00:00:00 2001 From: Jeremiah Mackey Date: Thu, 19 Mar 2026 15:46:53 +0000 Subject: [PATCH 5/9] Free X509 in WolfSSLX509.__del__ --- wolfssl/__init__.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/wolfssl/__init__.py b/wolfssl/__init__.py index c1b1af5..2c75f16 100644 --- a/wolfssl/__init__.py +++ b/wolfssl/__init__.py @@ -100,6 +100,12 @@ def __init__(self, session): if self.native_object == _ffi.NULL: raise SSLError("Unable to get internal WOLFSSL_X509 from wolfSSL") + def __del__(self): + if getattr(self, 'native_object', None) is not None \ + and self.native_object != _ffi.NULL: + _lib.wolfSSL_X509_free(self.native_object) + self.native_object = _ffi.NULL + def get_subject_cn(self): cnPtr = _lib.wolfSSL_X509_get_subjectCN(self.native_object) if cnPtr == _ffi.NULL: From 5e77b6cbcb015737631ae908df61979ae4491dd8 Mon Sep 17 00:00:00 2001 From: Jeremiah Mackey Date: Thu, 19 Mar 2026 15:51:03 +0000 Subject: [PATCH 6/9] Check wolfSSL_write return value --- wolfssl/__init__.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/wolfssl/__init__.py b/wolfssl/__init__.py index 2c75f16..be54a64 100644 --- a/wolfssl/__init__.py +++ b/wolfssl/__init__.py @@ -572,7 +572,17 @@ def write(self, data): data = t2b(data) - return _lib.wolfSSL_write(self.native_object, data, len(data)) + ret = _lib.wolfSSL_write( + self.native_object, data, len(data)) + if ret <= 0: + err = _lib.wolfSSL_get_error( + self.native_object, 0) + if err == _SSL_ERROR_WANT_WRITE: + raise SSLWantWriteError() + else: + raise SSLError( + "wolfSSL_write error (%d)" % err) + return ret def send(self, data, flags=0): if flags != 0: From e15bf07408b0c25c19b79d06f59ed7aa07d7511c Mon Sep 17 00:00:00 2001 From: Jeremiah Mackey Date: Thu, 19 Mar 2026 15:52:11 +0000 Subject: [PATCH 7/9] Null native_object after CTX_free --- wolfssl/__init__.py | 1 + 1 file changed, 1 insertion(+) diff --git a/wolfssl/__init__.py b/wolfssl/__init__.py index be54a64..204bdcd 100644 --- a/wolfssl/__init__.py +++ b/wolfssl/__init__.py @@ -179,6 +179,7 @@ def __init__(self, protocol, server_side=None): def __del__(self): if getattr(self, 'native_object', None) is not None and self.native_object != _ffi.NULL: _lib.wolfSSL_CTX_free(self.native_object) + self.native_object = _ffi.NULL @property def verify_mode(self): From 63b1ee8d17cf6d7549046749e24301f3fbb426a5 Mon Sep 17 00:00:00 2001 From: Jeremiah Mackey Date: Thu, 19 Mar 2026 16:02:17 +0000 Subject: [PATCH 8/9] Enforce CERT_REQUIRED for check_hostname --- wolfssl/__init__.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/wolfssl/__init__.py b/wolfssl/__init__.py index 204bdcd..7678fb5 100644 --- a/wolfssl/__init__.py +++ b/wolfssl/__init__.py @@ -215,8 +215,11 @@ def check_hostname(self): @check_hostname.setter def check_hostname(self, value): if value is not True and value is not False: - raise ValueError("check_hostname must be either True or False") - + raise ValueError("check_hostname must be either " + "True or False") + if value and self._verify_mode != CERT_REQUIRED: + raise ValueError("check_hostname needs verify_mode " + "set to CERT_REQUIRED") self._check_hostname = value def get_options(self): From a86dac7917239d9d1acca242db893aacbbad9cdb Mon Sep 17 00:00:00 2001 From: Jeremiah Mackey Date: Thu, 19 Mar 2026 16:24:26 +0000 Subject: [PATCH 9/9] Use shlex.split in build call() --- wolfssl/_build_ffi.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/wolfssl/_build_ffi.py b/wolfssl/_build_ffi.py index 9dfba28..dbc624b 100644 --- a/wolfssl/_build_ffi.py +++ b/wolfssl/_build_ffi.py @@ -69,11 +69,14 @@ def wolfssl_lib_path(): def call(cmd): - print("Calling: '{}' from working directory {}".format(cmd, os.getcwd())) + print("Calling: '{}' from working directory {}".format( + cmd, os.getcwd())) old_env = os.environ["PATH"] - os.environ["PATH"] = "{}:{}".format(WOLFSSL_SRC_PATH, old_env) - subprocess.check_call(cmd, shell=True, env=os.environ) + os.environ["PATH"] = "{}:{}".format( + WOLFSSL_SRC_PATH, old_env) + subprocess.check_call( + shlex.split(cmd), env=os.environ) os.environ["PATH"] = old_env