wolfSSL · Roy-Carter · Apr 8, 2026 · Apr 8, 2026 · Apr 9, 2026 · julek-wolfssl
diff --git a/src/ssl.c b/src/ssl.c
@@ -12050,12 +12050,96 @@ const char* wolfSSL_alert_type_string_long(int alertID)
     return AlertTypeToString(alertID);
 }
 
+const char* wolfSSL_alert_type_string(int alertID)
+{
+    WOLFSSL_ENTER("wolfSSL_alert_type_string");
+
+    switch (alertID) {
+        case alert_warning:
+            return "W";
+        case alert_fatal:
+            return "F";
+        default:
+            return "U";
+    }
+}
+
 const char* wolfSSL_alert_desc_string_long(int alertID)
 {
     WOLFSSL_ENTER("wolfSSL_alert_desc_string_long");
 
     return AlertTypeToString(alertID);
 }
+
+const char* wolfSSL_alert_desc_string(int alertID)
+{
+    WOLFSSL_ENTER("wolfSSL_alert_desc_string");
+
+    switch (alertID) {
+        case close_notify:
+            return "CN";
+        case unexpected_message:
+            return "UM";
+        case bad_record_mac:
+            return "BM";
+        case record_overflow:
+            return "RO";
+        case decompression_failure:
+            return "DF";
+        case handshake_failure:
+            return "HF";
+        case no_certificate:
+            return "NC";
+        case bad_certificate:
+            return "BC";
+        case unsupported_certificate:
+            return "UC";
+        case certificate_revoked:
+            return "CR";
+        case certificate_expired:
+            return "CE";
+        case certificate_unknown:
+            return "CU";
+        case illegal_parameter:
+            return "IP";
+        case unknown_ca:
+            return "CA";
+        case access_denied:
+            return "AD";
+        case decode_error:
+            return "DE";
+        case decrypt_error:
+            return "DC";
+        case wolfssl_alert_protocol_version:
+            return "PV";
+        case insufficient_security:
+            return "IS";
+        case internal_error:
+            return "IE";
+        case inappropriate_fallback:
+            return "IF";
+        case user_canceled:
+            return "US";
+        case no_renegotiation:
+            return "NR";
+        case missing_extension:
+            return "ME";
+        case unsupported_extension:
+            return "XE";
-        case unsupported_extension:
-            return "XE";
+        case unsupported_extension:
+            return "UE";
-        case unsupported_extension:
-            return "XE";
+        case unsupported_extension:
+            return "UE";
+        case unrecognized_name:
+            return "UN";
+        case bad_certificate_status_response:
+            return "BR";
+        case unknown_psk_identity:
+            return "UP";
+        case certificate_required:
+            return "CQ";
+        case no_application_protocol:
+            return "AP";
+        default:
+            return "UK";
+    }
+}
 #endif /* !NO_TLS */
 
 #define STATE_STRINGS_PROTO(s) \

diff --git a/tests/api/test_evp_pkey.c b/tests/api/test_evp_pkey.c
@@ -1997,6 +1997,121 @@ int test_wolfSSL_EVP_MD_ecc_signing(void)
 }
 
 
+int test_wolfSSL_EVP_DigestSign(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048)
+    WOLFSSL_EVP_PKEY* privKey = NULL;
+    WOLFSSL_EVP_PKEY* pubKey = NULL;
+    const unsigned char testData[] = "Hi There";
+    WOLFSSL_EVP_MD_CTX mdCtx;
+    int ret;
+    const unsigned char* cp;
+    const unsigned char* p;
+    unsigned char sig[2048/8];
+    size_t sigSz;
+
+    cp = client_key_der_2048;
+    ExpectNotNull((privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL, &cp,
+                                                  sizeof_client_key_der_2048)));
+    p = client_keypub_der_2048;
+    ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p,
+                                               sizeof_client_keypub_der_2048)));
+
+    /* One-shot sign: query size first */
+    wolfSSL_EVP_MD_CTX_init(&mdCtx);
+    ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(),
+                                                             NULL, privKey), 1);
+    sigSz = 0;
+    ExpectIntEQ(wolfSSL_EVP_DigestSign(&mdCtx, NULL, &sigSz, testData,
+                                       (unsigned int)XSTRLEN((const char*)testData)), 1);
+    ExpectIntGT((int)sigSz, 0);
+    ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx);
+    ExpectIntEQ(ret, 1);
+
+    /* One-shot sign: actually produce the signature */
+    wolfSSL_EVP_MD_CTX_init(&mdCtx);
+    ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(),
+                                                             NULL, privKey), 1);
+    sigSz = sizeof(sig);
+    ExpectIntEQ(wolfSSL_EVP_DigestSign(&mdCtx, sig, &sigSz, testData,
+                                       (unsigned int)XSTRLEN((const char*)testData)), 1);
+    ExpectIntGT((int)sigSz, 0);
+    ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx);
+    ExpectIntEQ(ret, 1);
+
+    /* One-shot verify */
+    wolfSSL_EVP_MD_CTX_init(&mdCtx);
+    ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL,
+                wolfSSL_EVP_sha256(), NULL, pubKey), 1);
+    ExpectIntEQ(wolfSSL_EVP_DigestVerify(&mdCtx, sig, sigSz, testData,
+                                         (unsigned int)XSTRLEN((const char*)testData)), 1);
+    ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx);
+    ExpectIntEQ(ret, 1);
+
+    /* One-shot sign + verify with NULL ctx should fail */
+    ExpectIntEQ(wolfSSL_EVP_DigestSign(NULL, sig, &sigSz, testData,
+                                       (unsigned int)XSTRLEN((const char*)testData)),
+                WOLFSSL_FAILURE);
+    ExpectIntEQ(wolfSSL_EVP_DigestVerify(NULL, sig, sigSz, testData,
+                                         (unsigned int)XSTRLEN((const char*)testData)),
+                WOLFSSL_FAILURE);
+
+    wolfSSL_EVP_PKEY_free(pubKey);
+    wolfSSL_EVP_PKEY_free(privKey);
+#endif
+    return EXPECT_RESULT();
+}
+
+
+int test_wolfSSL_EVP_DigestSign_ecc(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)
+    WOLFSSL_EVP_PKEY* privKey = NULL;
+    WOLFSSL_EVP_PKEY* pubKey = NULL;
+    const unsigned char testData[] = "ECC one-shot test";
+    WOLFSSL_EVP_MD_CTX mdCtx;
+    int ret;
+    const unsigned char* cp;
+    const unsigned char* p;
+    unsigned char sig[256];
+    size_t sigSz;
+
+    cp = ecc_clikey_der_256;
+    ExpectNotNull(privKey = wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, NULL, &cp,
+                                                   sizeof_ecc_clikey_der_256));
+    p = ecc_clikeypub_der_256;
+    ExpectNotNull((pubKey = wolfSSL_d2i_PUBKEY(NULL, &p,
+                                                sizeof_ecc_clikeypub_der_256)));
+
+    /* One-shot sign */
+    wolfSSL_EVP_MD_CTX_init(&mdCtx);
+    ExpectIntEQ(wolfSSL_EVP_DigestSignInit(&mdCtx, NULL, wolfSSL_EVP_sha256(),
+                                                             NULL, privKey), 1);
+    sigSz = sizeof(sig);
+    ExpectIntEQ(wolfSSL_EVP_DigestSign(&mdCtx, sig, &sigSz, testData,
+                                       (unsigned int)XSTRLEN((const char*)testData)), 1);
+    ExpectIntGT((int)sigSz, 0);
+    ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx);
+    ExpectIntEQ(ret, 1);
+
+    /* One-shot verify */
+    wolfSSL_EVP_MD_CTX_init(&mdCtx);
+    ExpectIntEQ(wolfSSL_EVP_DigestVerifyInit(&mdCtx, NULL,
+                wolfSSL_EVP_sha256(), NULL, pubKey), 1);
+    ExpectIntEQ(wolfSSL_EVP_DigestVerify(&mdCtx, sig, sigSz, testData,
+                                         (unsigned int)XSTRLEN((const char*)testData)), 1);
+    ret = wolfSSL_EVP_MD_CTX_cleanup(&mdCtx);
+    ExpectIntEQ(ret, 1);
+
+    wolfSSL_EVP_PKEY_free(pubKey);
+    wolfSSL_EVP_PKEY_free(privKey);
+#endif
+    return EXPECT_RESULT();
+}
+
+
 int test_wolfSSL_EVP_PKEY_encrypt(void)
 {
     EXPECT_DECLS;

diff --git a/tests/api/test_evp_pkey.h b/tests/api/test_evp_pkey.h
@@ -58,6 +58,8 @@ int test_wolfSSL_EVP_PKEY_sign_verify_ec(void);
 int test_wolfSSL_EVP_MD_rsa_signing(void);
 int test_wc_RsaPSS_DigitalSignVerify(void);
 int test_wolfSSL_EVP_MD_ecc_signing(void);
+int test_wolfSSL_EVP_DigestSign(void);
+int test_wolfSSL_EVP_DigestSign_ecc(void);
 int test_wolfSSL_EVP_PKEY_encrypt(void);
 int test_wolfSSL_EVP_PKEY_derive(void);
 int test_wolfSSL_EVP_PKEY_print_public(void);
@@ -98,6 +100,8 @@ int test_wolfSSL_EVP_PKEY_print_public(void);
     TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_MD_rsa_signing),              \
     TEST_DECL_GROUP("evp_pkey", test_wc_RsaPSS_DigitalSignVerify),             \
     TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_MD_ecc_signing),              \
+    TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_DigestSign),                  \
+    TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_DigestSign_ecc),              \
     TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_encrypt),                \
     TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_derive),                 \
     TEST_DECL_GROUP("evp_pkey", test_wolfSSL_EVP_PKEY_print_public)

diff --git a/tests/api/test_tls.c b/tests/api/test_tls.c
@@ -31,6 +31,7 @@
 #include <tests/utils.h>
 #include <tests/api/test_tls.h>
 #include <wolfssl/internal.h>
+#include <wolfssl/ssl.h>
 
 
 int test_utils_memio_move_message(void)
@@ -857,3 +858,58 @@ int test_tls_set_curves_list_ecc_fallback(void)
     return EXPECT_RESULT();
 }
 
+
+int test_wolfSSL_alert_type_string(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_TLS) && defined(OPENSSL_EXTRA)
+    ExpectStrEQ(wolfSSL_alert_type_string(alert_warning), "W");
+    ExpectStrEQ(wolfSSL_alert_type_string(alert_fatal), "F");
+    ExpectStrEQ(wolfSSL_alert_type_string(0), "U");
+    ExpectStrEQ(wolfSSL_alert_type_string(-1), "U");
+    ExpectStrEQ(wolfSSL_alert_type_string(99), "U");
+#endif
+    return EXPECT_RESULT();
+}
+
+
+int test_wolfSSL_alert_desc_string(void)
+{
+    EXPECT_DECLS;
+#if !defined(NO_TLS) && defined(OPENSSL_EXTRA)
+    ExpectStrEQ(wolfSSL_alert_desc_string(close_notify), "CN");
+    ExpectStrEQ(wolfSSL_alert_desc_string(unexpected_message), "UM");
+    ExpectStrEQ(wolfSSL_alert_desc_string(bad_record_mac), "BM");
+    ExpectStrEQ(wolfSSL_alert_desc_string(record_overflow), "RO");
+    ExpectStrEQ(wolfSSL_alert_desc_string(decompression_failure), "DF");
+    ExpectStrEQ(wolfSSL_alert_desc_string(handshake_failure), "HF");
+    ExpectStrEQ(wolfSSL_alert_desc_string(no_certificate), "NC");
+    ExpectStrEQ(wolfSSL_alert_desc_string(bad_certificate), "BC");
+    ExpectStrEQ(wolfSSL_alert_desc_string(unsupported_certificate), "UC");
+    ExpectStrEQ(wolfSSL_alert_desc_string(certificate_revoked), "CR");
+    ExpectStrEQ(wolfSSL_alert_desc_string(certificate_expired), "CE");
+    ExpectStrEQ(wolfSSL_alert_desc_string(certificate_unknown), "CU");
+    ExpectStrEQ(wolfSSL_alert_desc_string(illegal_parameter), "IP");
+    ExpectStrEQ(wolfSSL_alert_desc_string(unknown_ca), "CA");
+    ExpectStrEQ(wolfSSL_alert_desc_string(access_denied), "AD");
+    ExpectStrEQ(wolfSSL_alert_desc_string(decode_error), "DE");
+    ExpectStrEQ(wolfSSL_alert_desc_string(decrypt_error), "DC");
+    ExpectStrEQ(wolfSSL_alert_desc_string(wolfssl_alert_protocol_version), "PV");
+    ExpectStrEQ(wolfSSL_alert_desc_string(insufficient_security), "IS");
+    ExpectStrEQ(wolfSSL_alert_desc_string(internal_error), "IE");
+    ExpectStrEQ(wolfSSL_alert_desc_string(inappropriate_fallback), "IF");
+    ExpectStrEQ(wolfSSL_alert_desc_string(user_canceled), "US");
+    ExpectStrEQ(wolfSSL_alert_desc_string(no_renegotiation), "NR");
+    ExpectStrEQ(wolfSSL_alert_desc_string(missing_extension), "ME");
+    ExpectStrEQ(wolfSSL_alert_desc_string(unsupported_extension), "XE");
+    ExpectStrEQ(wolfSSL_alert_desc_string(unrecognized_name), "UN");
+    ExpectStrEQ(wolfSSL_alert_desc_string(bad_certificate_status_response), "BR");
+    ExpectStrEQ(wolfSSL_alert_desc_string(unknown_psk_identity), "UP");
+    ExpectStrEQ(wolfSSL_alert_desc_string(certificate_required), "CQ");
+    ExpectStrEQ(wolfSSL_alert_desc_string(no_application_protocol), "AP");
+    /* Unknown alert description returns "UK" */
+    ExpectStrEQ(wolfSSL_alert_desc_string(255), "UK");
+#endif
+    return EXPECT_RESULT();
+}
+
diff --git a/tests/api/test_tls.h b/tests/api/test_tls.h
@@ -32,6 +32,8 @@ int test_tls12_bad_cv_sig_alg(void);
 int test_tls12_no_null_compression(void);
 int test_tls12_etm_failed_resumption(void);
 int test_tls_set_curves_list_ecc_fallback(void);
+int test_wolfSSL_alert_type_string(void);
+int test_wolfSSL_alert_desc_string(void);
 
 #define TEST_TLS_DECLS                                                         \
         TEST_DECL_GROUP("tls", test_utils_memio_move_message),                 \
@@ -43,6 +45,8 @@ int test_tls_set_curves_list_ecc_fallback(void);
         TEST_DECL_GROUP("tls", test_tls12_bad_cv_sig_alg),                     \
         TEST_DECL_GROUP("tls", test_tls12_no_null_compression),                \
         TEST_DECL_GROUP("tls", test_tls12_etm_failed_resumption),              \
-        TEST_DECL_GROUP("tls", test_tls_set_curves_list_ecc_fallback)
+        TEST_DECL_GROUP("tls", test_tls_set_curves_list_ecc_fallback),         \
+        TEST_DECL_GROUP("tls", test_wolfSSL_alert_type_string),                \
+        TEST_DECL_GROUP("tls", test_wolfSSL_alert_desc_string)
 
 #endif /* TESTS_API_TEST_TLS_H */
diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
@@ -4950,6 +4950,25 @@ int wolfSSL_EVP_DigestSignFinal(WOLFSSL_EVP_MD_CTX *ctx, unsigned char *sig,
     return ret;
 }
 
+int wolfSSL_EVP_DigestSign(WOLFSSL_EVP_MD_CTX *ctx, unsigned char *sigret,
+                           size_t *siglen, const unsigned char *tbs,
+                           size_t tbslen)
+{
+    WOLFSSL_ENTER("EVP_DigestSign");
+
+    if (ctx == NULL || siglen == NULL)
+        return WOLFSSL_FAILURE;
+
+    if (sigret != NULL) {
+        if (tbs == NULL || tbslen == 0)
+            return WOLFSSL_FAILURE;
+        if (wolfSSL_EVP_DigestSignUpdate(ctx, tbs, (unsigned int)tbslen)
+                != WOLFSSL_SUCCESS)
+            return WOLFSSL_FAILURE;
+    }
+    return wolfSSL_EVP_DigestSignFinal(ctx, sigret, siglen);
+}
+
 int wolfSSL_EVP_DigestVerifyInit(WOLFSSL_EVP_MD_CTX *ctx,
                                  WOLFSSL_EVP_PKEY_CTX **pctx,
                                  const WOLFSSL_EVP_MD *type,
@@ -5044,6 +5063,21 @@ int wolfSSL_EVP_DigestVerifyFinal(WOLFSSL_EVP_MD_CTX *ctx,
     return WOLFSSL_FAILURE;
 }
 
+int wolfSSL_EVP_DigestVerify(WOLFSSL_EVP_MD_CTX *ctx,
+                             const unsigned char *sigret, size_t siglen,
+                             const unsigned char *tbs, size_t tbslen)
+{
+    WOLFSSL_ENTER("EVP_DigestVerify");
+
+    if (ctx == NULL || sigret == NULL || tbs == NULL)
+        return WOLFSSL_FAILURE;
+
+    if (wolfSSL_EVP_DigestVerifyUpdate(ctx, tbs, tbslen) != WOLFSSL_SUCCESS)
+        return WOLFSSL_FAILURE;
+
+    return wolfSSL_EVP_DigestVerifyFinal(ctx, sigret, siglen);
+}
+
 
 #ifdef WOLFSSL_APACHE_HTTPD
 #if !defined(USE_WINDOWS_API) && !defined(MICROCHIP_PIC32)