wolfSSL · julek-wolfssl · Feb 23, 2026 · Feb 26, 2026 · Feb 27, 2026 · Feb 27, 2026
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -0,0 +1,142 @@
+name: Python Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 10
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: >-
+            --enable-all --enable-tlsv10
+            'CPPFLAGS=-DHAVE_SECRET_CALLBACK -DWOLFSSL_PYTHON'
+          check: false
+          install: true
+
+      - name: tar build-dir
+        run: tar -zcf build-dir.tgz build-dir
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-python
+          path: build-dir.tgz
+          retention-days: 5
+
+  python_check:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+            - python_ver: 3.12.11
+              tests: >-
+                test_ssl
+                test.test_asyncio.test_ssl
+                test.test_asyncio.test_sslproto
+                test_hashlib
+                test_hmac
+                test_secrets
+                test_ftplib
+                test_imaplib
+                test_poplib
+                test_smtplib
+                test_httplib
+                test_urllib2_localnet
+                test_xmlrpc
+                test_docxmlrpc
+            - python_ver: 3.13.4
+              tests: >-
+                test_ssl
+                test.test_asyncio.test_ssl
+                test.test_asyncio.test_sslproto
+                test_hashlib
+                test_hmac
+                test_secrets
+                test_ftplib
+                test_imaplib
+                test_poplib
+                test_smtplib
+                test_httplib
+                test_urllib2_localnet
+                test_xmlrpc
+                test_docxmlrpc
+            - python_ver: 3.13.7
+              tests: >-
+                test_ssl
+                test.test_asyncio.test_ssl
+                test.test_asyncio.test_sslproto
+                test_hashlib
+                test_hmac
+                test_secrets
+                test_ftplib
+                test_imaplib
+                test_poplib
+                test_smtplib
+                test_httplib
+                test_urllib2_localnet
+                test_xmlrpc
+                test_docxmlrpc
+    name: Python ${{ matrix.python_ver }}
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    needs: build_wolfssl
+    steps:
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            build-essential autoconf automake autoconf-archive pkgconf \
+            libffi-dev libbz2-dev libreadline-dev libsqlite3-dev \
+            zlib1g-dev libncursesw5-dev libgdbm-dev libnss3-dev \
+            liblzma-dev uuid-dev pkg-config
+
+      - name: Download wolfSSL
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-python
+
+      - name: Untar wolfSSL build
+        run: tar -xf build-dir.tgz
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout CPython
+        uses: actions/checkout@v4
+        with:
+          repository: python/cpython
+          ref: v${{ matrix.python_ver }}
+          path: cpython
+
+      - name: Apply wolfSSL patch
+        working-directory: cpython
+        run: patch -p1 < $GITHUB_WORKSPACE/osp/Python/wolfssl-python-${{ matrix.python_ver }}.patch
+
+      - name: Build CPython and run SSL and crypto tests
+        working-directory: cpython
+        run: |
+          export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH
+          rm -f aclocal.m4
+          autoreconf -if
+          ./configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir
+          make -j test TESTOPTS="-v ${{ matrix.tests }}"
diff --git a/.github/workflows/softhsm.yml b/.github/workflows/softhsm.yml
@@ -25,7 +25,7 @@ jobs:
         uses: wolfSSL/actions-build-autotools-project@v1
         with:
           path: wolfssl
-          configure: --enable-all CFLAGS=-DRSA_MIN_SIZE=1024
+          configure: --enable-all --disable-oldnames CFLAGS=-DRSA_MIN_SIZE=1024
           install: true
           check: false
 

diff --git a/configure.ac b/configure.ac
@@ -1300,9 +1300,6 @@ then
             test "$enable_openvpn" = "" && enable_openvpn=yes
             test "$enable_asio" = "" && enable_asio=yes
             test "$enable_libwebsockets" = "" && enable_libwebsockets=yes
-            if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then
-                test "$enable_qt" = "" && enable_qt=yes
-            fi
         fi
     fi
 

diff --git a/src/internal.c b/src/internal.c
@@ -26281,15 +26281,20 @@ int SendData(WOLFSSL* ssl, const void* data, size_t sz)
 
         if (sent == (word32)sz) break;
 
-        buffSz = (word32)sz - sent;
-        outputSz = wolfssl_local_GetRecordSize(ssl, (word32)buffSz, 1);
+        buffSz = (int)((word32)sz - sent);
+        if (buffSz <= 0) {
+            WOLFSSL_MSG("error: sent size exceeds input size");
+            ssl->error = BAD_FUNC_ARG;
+            return WOLFSSL_FATAL_ERROR;
+        }
 #if defined(WOLFSSL_DTLS)
         if (ssl->options.dtls) {
 #if defined(WOLFSSL_DTLS_MTU)
             int mtu = ssl->dtlsMtuSz;
 #else
             int mtu = MAX_MTU;
 #endif
+            outputSz = wolfssl_local_GetRecordSize(ssl, (word32)buffSz, 1);
             if (outputSz > mtu) {
 #if defined(WOLFSSL_NO_DTLS_SIZE_CHECK)
                 /* split instead of error out */
@@ -26303,7 +26308,14 @@ int SendData(WOLFSSL* ssl, const void* data, size_t sz)
 #endif /* WOLFSSL_NO_DTLS_SIZE_CHECK */
             }
         }
+        else
 #endif /* WOLFSSL_DTLS */
+        {
+            int maxFrag = wolfSSL_GetMaxFragSize(ssl);
+            if (maxFrag > 0)
+                buffSz = min((word32)buffSz, (word32)maxFrag);
+            outputSz = wolfssl_local_GetRecordSize(ssl, (word32)buffSz, 1);
+        }
 
         /* check for available size, it does also DTLS MTU checks */
         if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
@@ -34083,7 +34095,15 @@ int SendClientKeyExchange(WOLFSSL* ssl)
         #endif
 
             if (IsEncryptionOn(ssl, 1)) {
-                args->sendSz += MAX_MSG_EXTRA;
+            #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_MTU)
+                /* Use exact cipher overhead for the MTU pre-flight check.
+                 * MAX_MSG_EXTRA is an upper bound that can exceed a small MTU,
+                 * while the actual message fits within it. */
+                if (ssl->options.dtls)
+                    args->sendSz += cipherExtraData(ssl);
+                else
+            #endif
+                    args->sendSz += MAX_MSG_EXTRA;
             }
 
             /* check for available size */

diff --git a/src/ssl.c b/src/ssl.c
@@ -10457,8 +10457,7 @@ const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher)
         return NULL;
     }
 
-    #if !defined(WOLFSSL_CIPHER_INTERNALNAME) && !defined(NO_ERROR_STRINGS) && \
-        !defined(WOLFSSL_QT)
+    #if !defined(WOLFSSL_CIPHER_INTERNALNAME) && !defined(NO_ERROR_STRINGS)
         return GetCipherNameIana(cipher->cipherSuite0, cipher->cipherSuite);
     #else
         return wolfSSL_get_cipher_name_from_suite(cipher->cipherSuite0,
@@ -16022,9 +16021,8 @@ static WC_INLINE int sslCipherMinMaxCheck(const WOLFSSL *ssl, byte suite0,
  */
 WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl)
 {
-    WOLF_STACK_OF(WOLFSSL_CIPHER)* ret = NULL;
     const Suites* suites;
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
+#if defined(OPENSSL_ALL)
     const CipherSuiteInfo* cipher_names = GetCipherNames();
     int cipherSz = GetCipherNamesSize();
 #endif
@@ -16040,15 +16038,20 @@ WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl)
     /* check if stack needs populated */
     if (ssl->suitesStack == NULL) {
         int i;
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
-        int j;
+
+        ((WOLFSSL*)ssl)->suitesStack =
+                wolfssl_sk_new_type_ex(STACK_TYPE_CIPHER, ssl->heap);
+        if (ssl->suitesStack == NULL)
+            return NULL;
 
         /* higher priority of cipher suite will be on top of stack */
-        for (i = suites->suiteSz - 2; i >=0; i-=2) {
+#if defined(OPENSSL_ALL)
+        for (i = suites->suiteSz - 2; i >=0; i-=2)
 #else
-        for (i = 0; i < suites->suiteSz; i+=2) {
+        for (i = 0; i < suites->suiteSz; i+=2)
 #endif
-            WOLFSSL_STACK* add;
+        {
+            struct WOLFSSL_CIPHER cipher;
 
             /* A couple of suites are placeholders for special options,
              * skip those. */
@@ -16058,39 +16061,30 @@ WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl)
                 continue;
             }
 
-            add = wolfSSL_sk_new_node(ssl->heap);
-            if (add != NULL) {
-                add->type = STACK_TYPE_CIPHER;
-                add->data.cipher.cipherSuite0 = suites->suites[i];
-                add->data.cipher.cipherSuite  = suites->suites[i+1];
-                add->data.cipher.ssl          = ssl;
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
+            XMEMSET(&cipher, 0, sizeof(cipher));
+            cipher.cipherSuite0 = suites->suites[i];
+            cipher.cipherSuite  = suites->suites[i+1];
+            cipher.ssl          = ssl;
+#if defined(OPENSSL_ALL)
+            cipher.in_stack     = 1;
+            {
+                int j;
                 for (j = 0; j < cipherSz; j++) {
-                    if (cipher_names[j].cipherSuite0 ==
-                            add->data.cipher.cipherSuite0 &&
-                            cipher_names[j].cipherSuite ==
-                                    add->data.cipher.cipherSuite) {
-                        add->data.cipher.offset = (unsigned long)j;
+                    if (cipher_names[j].cipherSuite0 == cipher.cipherSuite0 &&
+                            cipher_names[j].cipherSuite == cipher.cipherSuite) {
+                        cipher.offset = (unsigned long)j;
                         break;
                     }
                 }
+            }
 #endif
-                #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
-                /* in_stack is checked in wolfSSL_CIPHER_description */
-                add->data.cipher.in_stack     = 1;
-                #endif
-
-                add->next = ret;
-                if (ret != NULL) {
-                    add->num = ret->num + 1;
-                }
-                else {
-                    add->num = 1;
-                }
-                ret = add;
+            if (wolfSSL_sk_insert(ssl->suitesStack, &cipher, 0) <= 0) {
+                WOLFSSL_MSG("Error inserting cipher onto stack");
+                wolfSSL_sk_CIPHER_free(ssl->suitesStack);
+                ((WOLFSSL*)ssl)->suitesStack = NULL;
+                break;
             }
         }
-        ((WOLFSSL*)ssl)->suitesStack = ret;
     }
     return ssl->suitesStack;
 }