
* Fixed some build configuration variations.
* Fixed `PEM_BUFSIZE` macro redefined when building with coexist.
* Updated the `user_settings_all.h` and `user_settings_wolfboot_keytools.h` to include latest options.
* Improved API unit test error case checking where `TEST_RES_CHECK` is not used.
* Changed `TEST_SKIPPED` to unique value.
* Added CI tests for enable-all, small stack, and user setting templates.

David Garske 1 year ago
parent
commit
023db01aca

+ 1 - 1
.github/SECURITY.md

@@ -6,7 +6,7 @@ If you discover a vulnerability, please report it to support@wolfssl.com
 
  1. Include a detailed description
  2. Include method to reproduce and/or method of discovery
- 3. We will evaulate the report promptly and respond to you with findings.
+ 3. We will evaluate the report promptly and respond to you with findings.
  4. We will credit you with the report if you would like.
 
 **Please keep the vulnerability private** until a fix has been released.

+ 107 - 20
.github/workflows/os-check.yml

@@ -1,4 +1,4 @@
-name: Test MacOS/Ubuntu/Windows compilation
+name: GitHub Action Tests
 concurrency:
   group: ${{ github.ref }}
 
@@ -13,35 +13,122 @@ jobs:
     name: macOS Build Test
     runs-on: macos-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
+
     - name: brew
       run: brew install automake libtool
+
     - name: autogen
       run: ./autogen.sh
-    - name: configure
-      run: ./configure
-    - name: make
-      run: make
-    - name: make check
-      run: make check
-    - name: make distcheck
-      run: make distcheck
+
+    - name: configure make check
+      run: |
+        ./configure
+        make
+        make check
+        make distcheck
+
+    - name: configure all make check
+      run: |
+        ./configure --enable-all
+        make
+        make check
+        make distcheck
+
+    - name: configure all ASN template
+      run: |
+        ./configure --enable-all --enable-asn=template
+        make
+        make check
+        make distcheck
+
+    - name: make user_settings_all.h
+      run: |
+        cp ./examples/configs/user_settings_all.h user_settings.h
+        ./configure --enable-usersettings
+        make
+        make check
+
+    - name: user_settings_all.h with compatibility layer
+      run: |
+        cp ./examples/configs/user_settings_all.h user_settings.h
+        sed -i -e "s/if 0/if 1/" user_settings.h
+        ./configure --enable-usersettings
+        make
+        make check
+
+    - name: user_settings_min_ecc.h
+      run: |
+        cp ./examples/configs/user_settings_min_ecc.h user_settings.h
+        ./configure --enable-usersettings --disable-examples
+        make
+        ./wolfcrypt/test/testwolfcrypt
+
+    - name: user_settings_wolfboot_keytools.h
+      run: |
+        cp ./examples/configs/user_settings_wolfboot_keytools.h user_settings.h
+        ./configure --enable-usersettings --disable-examples
+        make
+        ./wolfcrypt/test/testwolfcrypt
 
   ubuntu_build:
     name: Ubuntu Build Test
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
+
     - name: autogen
       run: ./autogen.sh
-    - name: configure
-      run: ./configure
-    - name: make
-      run: make
-    - name: make check
-      run: make check
-    - name: make distcheck
-      run: make distcheck
+
+    - name: configure make check
+      run: |
+        ./configure
+        make
+        make check
+        make distcheck
+
+    - name: configure all make check
+      run: |
+        ./configure --enable-all
+        make
+        make check
+        make distcheck
+
+    - name: configure all ASN template
+      run: |
+        ./configure --enable-all --enable-asn=template
+        make
+        make check
+        make distcheck
+
+    - name: make user_settings_all.h
+      run: |
+        cp ./examples/configs/user_settings_all.h user_settings.h
+        ./configure --enable-usersettings
+        make
+        make check
+
+    - name: user_settings_all.h with compatibility layer
+      run: |
+        cp ./examples/configs/user_settings_all.h user_settings.h
+        sed -i -e "s/if 0/if 1/" user_settings.h
+        ./configure --enable-usersettings
+        make
+        make check
+
+    - name: user_settings_min_ecc.h
+      run: |
+        cp ./examples/configs/user_settings_min_ecc.h user_settings.h
+        ./configure --enable-usersettings --disable-examples
+        make
+        ./wolfcrypt/test/testwolfcrypt
+
+    - name: user_settings_wolfboot_keytools.h
+      run: |
+        cp ./examples/configs/user_settings_wolfboot_keytools.h user_settings.h
+        ./configure --enable-usersettings --disable-examples
+        make
+        ./wolfcrypt/test/testwolfcrypt
 
   windows_build:
     name: Windows Build Test
@@ -56,7 +143,7 @@ jobs:
       BUILD_CONFIGURATION: Release
       BUILD_PLATFORM: x64
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     - name: Add MSBuild to PATH
       uses: microsoft/setup-msbuild@v1
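Review bot: The `sed -i -e "s/if 0/if 1/" user_settings.h` step (lines 89 and 157) is fragile in two ways: on the macOS runner BSD sed takes `-e` as the mandatory backup suffix for `-i`, so the edit works but leaves a stray `user_settings.h-e` in the tree, and the pattern flips every `#if 0` in the header rather than only the OpenSSL-compatibility block it is meant to enable (only one `#if 0` is visible in this commit's hunks, so this may be benign today but will not stay so). Anchoring on that block's own marker, `sed -i.bak -e "s|^#if 0 /\* DG Disabled|#if 1 /* DG Disabled|" user_settings.h`, is portable and cannot switch on an unrelated block. Separately, the action references are tag-pinned (`actions/checkout@v3`, `microsoft/setup-msbuild@v1`); pinning to a full commit SHA with the tag in a trailing comment (`actions/checkout@<commit-sha> # v3`) is the usual supply-chain hardening for a workflow that runs on every push. The macOS and Ubuntu step lists are now identical twins, so a `strategy.matrix` over the runner OS would remove the duplication.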

+ 2 - 2
configure.ac

@@ -8447,10 +8447,10 @@ AM_CONDITIONAL([BUILD_HMAC],[test "x$ENABLED_HMAC" = "xyes"])
 AM_CONDITIONAL([BUILD_ERROR_STRINGS],[test "x$ENABLED_ERROR_STRINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_DO178],[test "x$ENABLED_DO178" = "xyes"])
 AM_CONDITIONAL([BUILD_PSA],[test "x$ENABLED_PSA" = "xyes"])
-AM_CONDITIONAL([BUILD_DTLS13],[test "x$ENABLED_DTLS13" = "xyes"])
+AM_CONDITIONAL([BUILD_DTLS13],[test "x$ENABLED_DTLS13" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_QUIC],[test "x$ENABLED_QUIC" = "xyes"])
 AM_CONDITIONAL([BUILD_DTLS_CID],[test "x$ENABLED_DTLS_CID" = "xyes"])
-AM_CONDITIONAL([BUILD_DTLS],[test "x$ENABLED_DTLS" = "xyes"])
+AM_CONDITIONAL([BUILD_DTLS],[test "x$ENABLED_DTLS" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_MAXQ10XX],[test "x$ENABLED_MAXQ10XX" = "xyes"])
 
 if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" &&
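Review bot: The two `|| test "x$ENABLED_USERSETTINGS" = "xyes"` additions at lines 196 and 200 presumably make the DTLS and DTLS 1.3 sources compile for every `--enable-usersettings` build, leaving the preprocessor guards inside those files to decide what is emitted; nothing in the hunk says why, and none of the neighbouring `AM_CONDITIONAL`s follow that pattern, so the next reader may well "simplify" it back. A one-line comment above the pair would prevent that, e.g. `# With --enable-usersettings the feature macros come from user_settings.h, so always compile the DTLS sources and let their #ifdefs decide`. If other feature conditionals (QUIC and DTLS_CID on lines 197-198, for instance) are also meant to be driven by user_settings.h they would need the same treatment; that is outside what this hunk shows.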

+ 5 - 3
examples/client/client.c

@@ -3662,7 +3662,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         }
     }
 
-#ifdef HAVE_CRL
+#if defined(HAVE_CRL) && !defined(NO_FILESYSTEM)
     if (disableCRL == 0 && !useVerifyCb) {
     #if defined(HAVE_IO_TIMEOUT) && defined(HAVE_HTTP_CLIENT)
         wolfIO_SetTimeout(DEFAULT_TIMEOUT_SEC);
@@ -4273,7 +4273,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
         }
 #endif
 
-#if defined(OPENSSL_EXTRA) && defined(HAVE_EXT_CACHE)
+#if !defined(NO_SESSION_CACHE) && (defined(OPENSSL_EXTRA) || \
+        defined(HAVE_EXT_CACHE))
         if (flatSession) {
             const byte* constFlatSession = flatSession;
             session = wolfSSL_d2i_SSL_SESSION(NULL,
@@ -4283,7 +4284,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
         wolfSSL_set_session(sslResume, session);
 
-#if defined(OPENSSL_EXTRA) && defined(HAVE_EXT_CACHE)
+#if !defined(NO_SESSION_CACHE) && (defined(OPENSSL_EXTRA) || \
+        defined(HAVE_EXT_CACHE))
         if (flatSession) {
             XFREE(flatSession, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         }
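Review bot: The two new guards at lines 222-223 and 232-233 gate the `wolfSSL_d2i_SSL_SESSION` call and the `XFREE(flatSession, ...)` with `!defined(NO_SESSION_CACHE) && (defined(OPENSSL_EXTRA) || defined(HAVE_EXT_CACHE))`, but the place where `flatSession` is declared and filled is outside these hunks; if that site still uses the old `OPENSSL_EXTRA && HAVE_EXT_CACHE` condition, a build with only one of the two macros would fill the buffer and never reach the free, and a `NO_SESSION_CACHE` build would leave it unused. It is worth confirming all three sites use one expression, ideally defined once near the declaration, e.g. `#define CLIENT_FLAT_SESSION (!defined(NO_SESSION_CACHE) && (defined(OPENSSL_EXTRA) || defined(HAVE_EXT_CACHE)))` hmm — since `defined` cannot be used inside a macro portably, a plain `#if ... #define HAVE_FLAT_SESSION #endif` block near the declaration is the safe form. The `HAVE_CRL && !NO_FILESYSTEM` guard at line 213 (and the matching one at server.c line 624) means that whatever sets `disableCRL` (not visible here, presumably a command-line option) still runs in a `NO_FILESYSTEM` build but now has no effect; a short comment at that guard, or a warning in the option parser, would make the silent no-op visible. `client_test` begins well before these hunks.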

+ 149 - 8
examples/configs/user_settings_all.h

@@ -50,22 +50,30 @@ extern "C" {
 #define HAVE_NULL_CIPHER /* Enable use of TLS cipher suites without cipher (clear text / no encryption) */
 #define WOLFSSL_HAVE_CERT_SERVICE
 #define WOLFSSL_JNI
-#define WOLFSSL_SEP
+#define WOLFSSL_SEP /* certificate policy set extension */
 #define WOLFCRYPT_HAVE_SRP
 #define WOLFSSL_HAVE_WOLFSCEP
 #define WOLFSSL_ENCRYPTED_KEYS /* Support for encrypted keys PKCS8 */
 #define HAVE_PKCS7
-#define WOLFSSL_MULTI_ATTRIB
-#define WOLFSSL_DER_LOAD
-#define ASN_BER_TO_DER /* BER to DER support */
 #define WOLFSSL_SIGNER_DER_CERT
+#define WOLFSSL_TRUST_PEER_CERT
+#define WOLFSSL_SYS_CA_CERTS /* Enable ability to load CA certs from OS */
+#define WOLFSSL_WOLFSSH
+#define WC_NO_ASYNC_THREADING
 //#define HAVE_THREAD_LS /* DG Commented: Thread local storage - may not be portable */
 //#define WOLFSSL_AEAD_ONLY /* automatically set if TLS v1.3 only, but can be enabled for TLS v1.2 manually */
 
 /* TLS Features */
-#define WOLFSSL_DTLS
 #define WOLFSSL_TLS13
 #define WOLFSSL_EITHER_SIDE /* allow generic server/client method for WOLFSSL_CTX new */
+#define WOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE
+
+/* DTLS */
+#define WOLFSSL_DTLS
+#define WOLFSSL_MULTICAST
+
+/* DTLS v1.3 is not yet included with enable-all */
+//#define WOLFSSL_DTLS13
 
 /* DG Disabled SSLv3 and TLSv1.0 - should avoid using */
 //#define WOLFSSL_ALLOW_SSLV3
@@ -80,9 +88,17 @@ extern "C" {
 #define HAVE_MAX_FRAGMENT
 #define HAVE_TRUNCATED_HMAC
 #define HAVE_SESSION_TICKET
+#define WOLFSSL_TICKET_HAVE_ID
+#define WOLFSSL_FORCE_CACHE_ON_TICKET
 #define HAVE_EXTENDED_MASTER
 #define HAVE_TRUSTED_CA
 #define HAVE_ENCRYPT_THEN_MAC
+#define WOLFSSL_POST_HANDSHAKE_AUTH
+#define WOLFSSL_SEND_HRR_COOKIE /* Used by DTLS v1.3 */
+#define HAVE_ANON /* anon cipher suites */
+#define HAVE_FALLBACK_SCSV /* TLS_FALLBACK_SCSV */
+#define WOLFSSL_EARLY_DATA
+#define HAVE_SERVER_RENEGOTIATION_INFO
 
 /* TLS Session Cache */
 #define SESSION_CERTS
@@ -94,6 +110,22 @@ extern "C" {
 #define WOLFSSL_CERT_GEN
 #define WOLFSSL_CERT_REQ
 #define WOLFSSL_CERT_EXT
+#define WOLFSSL_MULTI_ATTRIB
+#define HAVE_SMIME
+#define WOLFSSL_DER_LOAD
+#define ASN_BER_TO_DER /* BER to DER support */
+#define WOLFSSL_HAVE_ISSUER_NAMES /* Store pointers to issuer name components and their lengths and encodings */
+#define WOLFSSL_SUBJ_DIR_ATTR /* Enable support for SubjectDirectoryAttributes extension */
+#define WOLFSSL_SUBJ_INFO_ACC /* Enable support for SubjectInfoAccess extension */
+#define WOLFSSL_CERT_NAME_ALL /* Adds more certificate name capability at the cost of taking up more memory. Adds initials, givenname, dnQualifer for example */
+#define WOLFSSL_FPKI /* Enable support for FPKI (Federal PKI) extensions */
+#define WOLFSSL_AKID_NAME /* Enable support for full AuthorityKeyIdentifier extension. Only supports copying full AKID from an existing certificate */
+#define HAVE_CTS /* Ciphertext stealing interface */
+#define WOLFSSL_PEM_TO_DER
+#define WOLFSSL_DER_TO_PEM
+#define WOLFSSL_CUSTOM_OID
+#define HAVE_OID_ENCODING
+//#define WOLFSSL_ASN_TEMPLATE /* Not enabled yet by default */
 
 /* Certificate Revocation */
 #define HAVE_OCSP
@@ -105,11 +137,21 @@ extern "C" {
 //#define HAVE_CRL_MONITOR /* DG Disabled (Monitors CRL files on filesystem) - not portable feature */
 
 
-/* Fast math key size 4096-bit max */
-#define USE_FAST_MATH
-#define FP_MAX_BITS 8192
+#if 1
+    /* sp_int.c */
+    #define WOLFSSL_SP_MATH_ALL
+#else
+    /* Fast math key size 4096-bit max */
+    #define USE_FAST_MATH
+#endif
 //#define HAVE___UINT128_T 1 /* DG commented: May not be portable */
 
+/* Max Sizes */
+#define RSA_MAX_SIZE 4096
+#define FP_MAX_BITS 8192
+#define SP_INT_BITS 4096
+
+
 /* Timing Resistance */
 #define TFM_TIMING_RESISTANT
 #define ECC_TIMING_RESISTANT
@@ -118,6 +160,8 @@ extern "C" {
 /* DH Key Sizes */
 #define HAVE_FFDHE_2048
 #define HAVE_FFDHE_3072
+#define WOLFSSL_DH_EXTRA /* Enable additional DH key import/export */
+#define HAVE_DH_DEFAULT_PARAMS
 
 /* ECC Features */
 #define HAVE_ECC
@@ -132,9 +176,14 @@ extern "C" {
 #define HAVE_COMP_KEY /* Compressed key support */
 #define FP_ECC /* Fixed point caching - speed repeated operations against same key */
 #define HAVE_ECC_ENCRYPT
+#define WOLFCRYPT_HAVE_ECCSI
+#define WOLFCRYPT_HAVE_SAKKE
+#define WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT
 
 /* RSA */
 #define WC_RSA_PSS
+#define WOLFSSL_PSS_LONG_SALT
+#define WC_RSA_NO_PADDING
 
 /* AES */
 #define HAVE_AES_DECRYPT
@@ -142,11 +191,16 @@ extern "C" {
 #define WOLFSSL_AES_DIRECT
 #define WOLFSSL_AES_COUNTER
 #define HAVE_AESGCM
+#define GCM_TABLE_4BIT
+#define WOLFSSL_AESGCM_STREAM
 #define HAVE_AESCCM
 #define WOLFSSL_AES_OFB
 #define WOLFSSL_AES_CFB
 #define WOLFSSL_AES_XTS
 #define HAVE_AES_KEYWRAP
+#define WOLFSSL_AES_CBC_LENGTH_CHECKS
+#define WOLFSSL_USE_ALIGN
+#define WOLFSSL_AES_SIV
 
 /* Hashing */
 #define WOLFSSL_SHA224
@@ -155,29 +209,44 @@ extern "C" {
 #define WOLFSSL_SHAKE256
 #define WOLFSSL_SHA3
 #define WOLFSSL_HASH_FLAGS /* enable hash flag API's */
+#define WOLFSSL_SHAKE256
 
 /* Additional Algorithms */
 #define HAVE_HASHDRBG
 #define HAVE_CURVE25519
 #define HAVE_ED25519
+#define WOLFSSL_ED25519_STREAMING_VERIFY
 #define CURVED25519_SMALL
+#define HAVE_ED448
+#define WOLFSSL_ED448_STREAMING_VERIFY
 #define HAVE_CURVE448
 #define HAVE_POLY1305
 #define HAVE_CHACHA
+#define HAVE_XCHACHA
 #define HAVE_HKDF
 #define HAVE_X963_KDF
 #define WOLFSSL_CMAC
 #define WOLFSSL_DES_ECB
+#define HAVE_BLAKE2
+#define HAVE_BLAKE2B
+#define HAVE_BLAKE2S
+#define WOLFSSL_SIPHASH
+#define HAVE_KEYING_MATERIAL
+#define WOLFSSL_HAVE_PRF
+
 
 /* Non-Standard Algorithms (DG disabled) */
 //#define HAVE_CAMELLIA
 //#define WOLFSSL_RIPEMD
 //#define HAVE_SCRYPT
+//#define WOLFSSL_MD2
+//#define WOLFSSL_ALLOW_RC4
 
 /* Encoding */
 #define WOLFSSL_BASE16
 #define WOLFSSL_BASE64_ENCODE
 
+
 /* Openssl compatibility */
 #if 0 /* DG Disabled */
     /* Openssl compatibility API's */
@@ -192,6 +261,13 @@ extern "C" {
     #define NO_OLD_WC_NAMES
     #define NO_OLD_SSL_NAMES
     #define NO_OLD_SHA_NAMES
+    #define NO_OLD_MD5_NAME
+    #define OPENSSL_NO_EC /* macro to enable ECC in openssl */
+    #define WOLFSSL_VERBOSE_ERRORS
+    #define ERROR_QUEUE_PER_THREAD
+    #define WOLFSSL_ERROR_CODE_OPENSSL
+    #define HAVE_WOLFSSL_SSL_H 1
+    #define OPENSSL_COMPATIBLE_DEFAULTS
 
     /* Openssl compatibility application specific */
     #define WOLFSSL_LIBWEBSOCKETS
@@ -206,6 +282,9 @@ extern "C" {
     #define WOLFSSL_ASIO
     #define ASIO_USE_WOLFSSL
     #define BOOST_ASIO_USE_WOLFSSL
+    #define WOLFSSL_OPENVPN
+
+    #define NO_WOLFSSL_STUB
 #endif
 
 /* TLS static cipher support - off by default */
@@ -222,6 +301,68 @@ extern "C" {
 #endif
 
 
+/* Used to manually test disable edge cases */
+#ifdef TEST_DISABLES
+    #define NO_SESSION_CACHE
+
+    //#define NO_ECC256
+    //#define NO_ECC_KEY_EXPORT
+    //#define NO_ECC_DHE
+    //#define NO_ECC_SIGN
+    //#define NO_ECC_VERIFY
+
+    //#define NO_RSA
+    #define NO_DH
+    #define NO_DSA
+
+    #define NO_SHA
+    #define NO_SHA256
+    #ifdef NO_SHA256
+        #undef WOLFSSL_SHA224
+    #endif
+    #define NO_SHA512
+    #ifdef NO_SHA512
+        #undef WOLFSSL_SHA384
+        #undef WOLFSSL_SHA512
+        #undef HAVE_ED25519
+    #endif
+    #define NO_MD4
+    #define NO_MD5
+    //#define NO_KDF
+    //#define NO_HMAC
+
+    #define NO_RC4
+    #define NO_DES3
+    //#define NO_AES
+    #define NO_AES_CBC
+    #define WOLFSSL_NO_SHAKE128
+
+    #define NO_PSK
+    #define NO_PWDBASED
+    #define NO_OLD_TLS
+    //#define WOLFSSL_NO_TLS12
+
+    //#define NO_64BIT
+    #define WOLFSSL_SP_NO_MALLOC
+    #define NO_FILESYSTEM
+    #define NO_WRITEV
+
+    #define NO_ERROR_STRINGS
+    //#define NO_WOLFSSL_CLIENT
+    //#define NO_WOLFSSL_SERVER
+
+    #define NO_MULTIBYTE_PRINT
+    //#define NO_ASN_TIME
+    //#define NO_ASN_CRYPT
+    //#define NO_CODING
+    #define NO_SIG_WRAPPER
+    //#define NO_HASH_WRAPPER
+    //#define WC_NO_HARDEN
+
+    //#define NO_CERTS
+    //#define NO_ASN
+#endif
+
 #ifdef __cplusplus
 }
 #endif
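Review bot: Several of the newly enabled options weaken the TLS configuration if this template is copied as-is — `HAVE_ANON` (line 288, anonymous suites with no peer authentication), `WC_RSA_NO_PADDING` (line 363, raw RSA) and `WOLFSSL_EARLY_DATA` (line 290, 0-RTT data that can be replayed) — yet, unlike `HAVE_NULL_CIPHER` on line 242 or the SSLv3/TLS1.0 block at line 275, they carry no note that they exist for build coverage only. A short comment on each, e.g. `/* build coverage only: anon suites provide no peer authentication */` after `HAVE_ANON`, and a similar one on the other two, would keep this file from being read as a recommended production set. `WOLFSSL_SHAKE256` is now defined twice (context line 385 and the new line 388); the second define is redundant and can be dropped. The comment on `OPENSSL_NO_EC` at line 434 (`/* macro to enable ECC in openssl */`) reads as the opposite of the macro name; it may be correct for this compatibility layer but is worth confirming and rewording so the intent is unambiguous.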

+ 22 - 8
examples/configs/user_settings_wolfboot_keytools.h

@@ -26,7 +26,7 @@
 #ifndef H_USER_SETTINGS_
 #define H_USER_SETTINGS_
 
-#include <stdint.h>
+/* #include <stdint.h> */ /* DG: Removed, not needed for testing */
 
 /* System */
 #define WOLFSSL_GENERAL_ALIGNMENT 4
@@ -35,8 +35,6 @@
 #define SIZEOF_LONG_LONG 8
 
 /* Math */
-#define WOLFSSL_SP
-#define WOLFSSL_SP_NO_3072
 #define USE_FAST_MATH
 #define FP_MAX_BITS (4096 * 2)
 #define TFM_TIMING_RESISTANT
@@ -45,10 +43,18 @@
 #define HAVE_ECC
 #define WOLFSSL_HAVE_SP_ECC
 #define ECC_TIMING_RESISTANT
+#define HAVE_ECC256
+#define HAVE_ECC384
+#define HAVE_ECC521
 
 /* ED25519 */
 #define HAVE_ED25519
-#define CURVED25519_SMALL
+/* DG: Added, since --enable-usersettings expects small version to be used */
+#define ED25519_SMALL
+
+/* ED448 */
+#define HAVE_ED448
+#define WOLFSSL_SHAKE256
 
 /* RSA */
 #define HAVE_RSA
@@ -58,14 +64,18 @@
 
 /* Hashing */
 #define WOLFSSL_SHA512 /* Required for ED25519 */
+#define WOLFSSL_SHA384
 #define WOLFSSL_SHA3
 #undef  NO_SHA256
 
 /* Chacha stream cipher */
 #define HAVE_CHACHA
 
+/* AES */
+#define WOLFSSL_AES_COUNTER
+#define WOLFSSL_AES_DIRECT
+
 /* Disables */
-#define NO_AES
 #define NO_CMAC
 #define NO_HMAC
 #define NO_RC4
@@ -73,15 +83,16 @@
 #define NO_DH
 #define NO_DSA
 #define NO_MD4
+#define NO_RABBIT
 #define NO_MD5
 #define NO_SIG_WRAPPER
 #define NO_CERT
 #define NO_SESSION_CACHE
+#define NO_HC128
 #define NO_DES3
 #define NO_PWDBASED
 #define NO_WRITEV
 #define NO_FILESYSTEM
-//#define NO_MAIN_DRIVER
 #define NO_OLD_RNGNAME
 #define NO_WOLFSSL_DIR
 #define WOLFSSL_NO_SOCK
@@ -89,7 +100,10 @@
 #define NO_ERROR_STRINGS
 
 #define BENCH_EMBEDDED
-#define NO_CRYPT_TEST
-#define NO_CRYPT_BENCHMARK
+
+/* DG: Removed since we need it here for testing */
+/* #define NO_MAIN_DRIVER */
+/* #define NO_CRYPT_TEST */
+/* #define NO_CRYPT_BENCHMARK */
 
 #endif /* !H_USER_SETTINGS_ */
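Review bot: The new comments at lines 531, 555 and 609 are written as personal working notes (`/* DG: Removed, not needed for testing */`, `/* DG: Added, since ... */`), but this header is a shipped template under examples/configs that users copy, so stating the reason impersonally would age better, e.g. `/* <stdint.h> is not needed by this configuration */` and `/* --enable-usersettings expects the small Ed25519 implementation */`. The replacement of `CURVED25519_SMALL` by `ED25519_SMALL` at line 556 narrows the selection to Ed25519 only; no `HAVE_CURVE25519` is visible in this file so that is presumably intended, but if the keytools also use X25519 the curve side would no longer get the small implementation — worth confirming. Removing `NO_AES` (line 580) while adding only `WOLFSSL_AES_COUNTER` and `WOLFSSL_AES_DIRECT` presumably pulls in whatever AES modes the library enables by default; if the goal is only what wolfBoot needs, the unused modes could be disabled explicitly so the footprint stays predictable.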

+ 4 - 3
examples/server/server.c

@@ -2995,7 +2995,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #ifndef NO_HANDSHAKE_DONE_CB
         wolfSSL_SetHsDoneCb(ssl, myHsDoneCb, NULL);
 #endif
-#ifdef HAVE_CRL
+#if defined(HAVE_CRL) && !defined(NO_FILESYSTEM)
     if (!disableCRL) {
 #ifdef HAVE_CRL_MONITOR
         crlFlags = WOLFSSL_CRL_MONITOR | WOLFSSL_CRL_START_MON;
@@ -3021,8 +3021,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
         }
 #ifndef NO_RSA
     /* All the OCSP Stapling test certs are RSA. */
-#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
-    || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+#if !defined(NO_FILESYSTEM) && (\
+       defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+    || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2))
         { /* scope start */
             const char* ca1 = "certs/ocsp/intermediate1-ca-cert.pem";
             const char* ca2 = "certs/ocsp/intermediate2-ca-cert.pem";

+ 3 - 3
scripts/ocsp.test

@@ -77,8 +77,8 @@ if test -n "$WOLFSSL_OCSP_TEST"; then
         printf '%s\n' "Test Passed!"
         exit 0
     elif [ $GL_UNREACHABLE -eq 1 ] && [ $GR_RESULT -eq 0 ]; then
-         printf '%s\n' "Global Sign is currently unreachable. Logging it but if"
-         printf '%s\n' "this continues to occur should be investigated"
+        printf '%s\n' "Global Sign is currently unreachable. Logging it but if"
+        printf '%s\n' "this continues to occur should be investigated"
         exit 0
     else
         # Unlike other environment variables the intent of WOLFSSL_OCSP_TEST
@@ -96,7 +96,7 @@ else
     if [ $GL_RESULT -ne 0 ] && [ $GR_RESULT -ne 0 ]; then
         printf '\n\n%s\n' "Both OCSP connection to globalsign and google failed"
         printf '%s\n' "Test Failed!"
-        exit 1
+        exit 77
     else
         printf '\n\n%s\n' "WOLFSSL_OCSP_TEST NOT set, and 1 of the tests passed"
         printf '%s\n' "Test Passed!"
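Review bot: Line 660 now exits with 77, which automake treats as SKIP, but the two `printf` lines just above it (657-658) still announce `"Test Failed!"`, so the log and the exit status disagree. Change the message to match the new status, e.g. `printf '%s\n' "Test Skipped: both OCSP responders were unreachable"`. Note that this branch only runs when `WOLFSSL_OCSP_TEST` is unset, so a failure of both lookups for any reason now reports as a skip rather than a failure; that is probably the intent for CI hosts without network, but a comment above line 656 saying so (the enclosing `else` branch starts before this hunk) would make it deliberate.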

+ 81 - 81
src/ssl.c

@@ -2727,8 +2727,8 @@ int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
 
 #ifdef HAVE_TRUSTED_CA
 
-WOLFSSL_API int wolfSSL_UseTrustedCA(WOLFSSL* ssl, byte type,
-            const byte* certId, word32 certIdSz)
+int wolfSSL_UseTrustedCA(WOLFSSL* ssl, byte type,
+    const byte* certId, word32 certIdSz)
 {
     if (ssl == NULL)
         return BAD_FUNC_ARG;
@@ -3467,8 +3467,7 @@ int wolfSSL_CTX_UseSessionTicket(WOLFSSL_CTX* ctx)
     return TLSX_UseSessionTicket(&ctx->extensions, NULL, ctx->heap);
 }
 
-WOLFSSL_API int wolfSSL_get_SessionTicket(WOLFSSL* ssl,
-                                          byte* buf, word32* bufSz)
+int wolfSSL_get_SessionTicket(WOLFSSL* ssl, byte* buf, word32* bufSz)
 {
     if (ssl == NULL || buf == NULL || bufSz == NULL || *bufSz == 0)
         return BAD_FUNC_ARG;
@@ -3483,7 +3482,7 @@ WOLFSSL_API int wolfSSL_get_SessionTicket(WOLFSSL* ssl,
     return WOLFSSL_SUCCESS;
 }
 
-WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf,
+int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf,
                                           word32 bufSz)
 {
     if (ssl == NULL || (buf == NULL && bufSz > 0))
@@ -3523,8 +3522,8 @@ WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf,
 }
 
 
-WOLFSSL_API int wolfSSL_set_SessionTicket_cb(WOLFSSL* ssl,
-                                            CallbackSessionTicket cb, void* ctx)
+int wolfSSL_set_SessionTicket_cb(WOLFSSL* ssl,
+                                 CallbackSessionTicket cb, void* ctx)
 {
     if (ssl == NULL)
         return BAD_FUNC_ARG;
@@ -7573,9 +7572,9 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
     return ret == 0 ? WOLFSSL_SUCCESS : ret;
 }
 
-WOLFSSL_API int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm,
-                                                    byte *response, int responseSz, buffer *responseBuffer,
-                                                    CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest)
+int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm,
+    byte *response, int responseSz, buffer *responseBuffer,
+    CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest)
 {
     int ret;
 
@@ -11112,6 +11111,43 @@ long wolfSSL_CTX_set_session_cache_mode(WOLFSSL_CTX* ctx, long mode)
     return WOLFSSL_SUCCESS;
 }
 
+#ifdef OPENSSL_EXTRA
+/* Get the session cache mode for CTX
+ *
+ * ctx  WOLFSSL_CTX struct to get cache mode from
+ *
+ * Returns a bit mask that has the session cache mode */
+long wolfSSL_CTX_get_session_cache_mode(WOLFSSL_CTX* ctx)
+{
+    long m = 0;
+
+    WOLFSSL_ENTER("SSL_CTX_set_session_cache_mode");
+
+    if (ctx == NULL) {
+        return m;
+    }
+
+    if (ctx->sessionCacheOff != 1) {
+        m |= WOLFSSL_SESS_CACHE_SERVER;
+    }
+
+    if (ctx->sessionCacheFlushOff == 1) {
+        m |= WOLFSSL_SESS_CACHE_NO_AUTO_CLEAR;
+    }
+
+#ifdef HAVE_EXT_CACHE
+    if (ctx->internalCacheOff == 1) {
+        m |= WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE;
+    }
+    if (ctx->internalCacheLookupOff == 1) {
+        m |= WOLFSSL_SESS_CACHE_NO_INTERNAL_LOOKUP;
+    }
+#endif
+
+    return m;
+}
+#endif /* OPENSSL_EXTRA */
+
 #endif /* NO_SESSION_CACHE */
 
 
@@ -14279,7 +14315,7 @@ ClientSession* AddSessionToClientCache(int side, int row, int idx, byte* serverI
     else
         return NULL;
 }
-#endif
+#endif /* !NO_CLIENT_CACHE */
 
 /**
  * For backwards compatibility, this API needs to be used in *ALL* functions
@@ -17654,7 +17690,7 @@ static int GetMinProtoVersion(int minDowngrade)
     return ret;
 }
 
-WOLFSSL_API int wolfSSL_CTX_get_min_proto_version(WOLFSSL_CTX* ctx)
+int wolfSSL_CTX_get_min_proto_version(WOLFSSL_CTX* ctx)
 {
     int ret = 0;
 
@@ -23573,7 +23609,7 @@ const unsigned char *SSL_SESSION_get0_id_context(const WOLFSSL_SESSION *sess, un
 
 /*** TBD ***/
 #ifndef NO_WOLFSSL_STUB
-WOLFSSL_API int wolfSSL_sk_SSL_COMP_zero(WOLFSSL_STACK* st)
+int wolfSSL_sk_SSL_COMP_zero(WOLFSSL_STACK* st)
 {
     (void)st;
     WOLFSSL_STUB("wolfSSL_sk_SSL_COMP_zero");
@@ -23615,7 +23651,7 @@ long wolfSSL_get_tlsext_status_type(WOLFSSL *s)
 #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
 
 #ifndef NO_WOLFSSL_STUB
-WOLFSSL_API long wolfSSL_get_tlsext_status_exts(WOLFSSL *s, void *arg)
+long wolfSSL_get_tlsext_status_exts(WOLFSSL *s, void *arg)
 {
     (void)s;
     (void)arg;
@@ -23626,7 +23662,7 @@ WOLFSSL_API long wolfSSL_get_tlsext_status_exts(WOLFSSL *s, void *arg)
 
 /*** TBD ***/
 #ifndef NO_WOLFSSL_STUB
-WOLFSSL_API long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg)
+long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg)
 {
     (void)s;
     (void)arg;
@@ -23637,7 +23673,7 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg)
 
 /*** TBD ***/
 #ifndef NO_WOLFSSL_STUB
-WOLFSSL_API long wolfSSL_get_tlsext_status_ids(WOLFSSL *s, void *arg)
+long wolfSSL_get_tlsext_status_ids(WOLFSSL *s, void *arg)
 {
     (void)s;
     (void)arg;
@@ -23648,7 +23684,7 @@ WOLFSSL_API long wolfSSL_get_tlsext_status_ids(WOLFSSL *s, void *arg)
 
 /*** TBD ***/
 #ifndef NO_WOLFSSL_STUB
-WOLFSSL_API long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg)
+long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg)
 {
     (void)s;
     (void)arg;
@@ -23659,7 +23695,8 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg)
 
 /*** TBD ***/
 #ifndef NO_WOLFSSL_STUB
-WOLFSSL_API int SSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, unsigned int sid_len)
+int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid,
+    unsigned int sid_len)
 {
     (void)s;
     (void)sid;
@@ -23671,7 +23708,8 @@ WOLFSSL_API int SSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid
 
 #ifndef NO_WOLFSSL_STUB
 /*** TBD ***/
-WOLFSSL_API int SSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len)
+int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s,
+    const unsigned char *sid_ctx, unsigned int sid_ctx_len)
 {
     (void)s;
     (void)sid_ctx;
@@ -23782,7 +23820,7 @@ void wolfSSL_ASN1_TYPE_free(WOLFSSL_ASN1_TYPE* at)
 
 #ifndef NO_WOLFSSL_STUB
 /*** TBD ***/
-WOLFSSL_API WOLFSSL_EVP_PKEY *wolfSSL_get_privatekey(const WOLFSSL *ssl)
+WOLFSSL_EVP_PKEY *wolfSSL_get_privatekey(const WOLFSSL *ssl)
 {
     (void)ssl;
     WOLFSSL_STUB("SSL_get_privatekey");
@@ -23801,8 +23839,7 @@ WOLFSSL_API WOLFSSL_EVP_PKEY *wolfSSL_get_privatekey(const WOLFSSL *ssl)
  *
  * return the string length written on success, WOLFSSL_FAILURE on failure.
  */
-WOLFSSL_API int wolfSSL_i2t_ASN1_OBJECT(char *buf, int buf_len,
-                                                WOLFSSL_ASN1_OBJECT *a)
+int wolfSSL_i2t_ASN1_OBJECT(char *buf, int buf_len, WOLFSSL_ASN1_OBJECT *a)
 {
     WOLFSSL_ENTER("wolfSSL_i2t_ASN1_OBJECT");
     return wolfSSL_OBJ_obj2txt(buf, buf_len, a, 0);
@@ -23931,8 +23968,7 @@ WOLFSSL_ASN1_OBJECT *wolfSSL_c2i_ASN1_OBJECT(WOLFSSL_ASN1_OBJECT **a,
 
 #ifndef NO_BIO
 /* Return number of bytes written to BIO on success. 0 on failure. */
-WOLFSSL_API int wolfSSL_i2a_ASN1_OBJECT(WOLFSSL_BIO *bp,
-                                        WOLFSSL_ASN1_OBJECT *a)
+int wolfSSL_i2a_ASN1_OBJECT(WOLFSSL_BIO *bp, WOLFSSL_ASN1_OBJECT *a)
 {
     int length = 0;
     word32 idx = 0;
@@ -24009,7 +24045,8 @@ int wolfSSL_i2d_ASN1_OBJECT(WOLFSSL_ASN1_OBJECT *a, unsigned char **pp)
 
 #ifndef NO_WOLFSSL_STUB
 /*** TBD ***/
-WOLFSSL_API void SSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx, WOLFSSL_DH *(*dh) (WOLFSSL *ssl, int is_export, int keylength))
+void SSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx,
+    WOLFSSL_DH *(*dh) (WOLFSSL *ssl, int is_export, int keylength))
 {
     (void)ctx;
     (void)dh;
@@ -24019,7 +24056,7 @@ WOLFSSL_API void SSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx, WOLFSSL_DH *(*dh)
 
 #ifndef NO_WOLFSSL_STUB
 /*** TBD ***/
-WOLFSSL_API WOLF_STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
+WOLF_STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
 {
     WOLFSSL_STUB("SSL_COMP_get_compression_methods");
     return NULL;
@@ -24036,21 +24073,21 @@ int wolfSSL_sk_SSL_CIPHER_num(const WOLF_STACK_OF(WOLFSSL_CIPHER)* p)
     return (int)p->num;
 }
 
-WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(WOLFSSL_STACK* sk, int i)
+WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(WOLFSSL_STACK* sk, int i)
 {
     WOLFSSL_ENTER("wolfSSL_sk_SSL_CIPHER_value");
     return (WOLFSSL_CIPHER*)wolfSSL_sk_value(sk, i);
 }
 
 #if !defined(NETOS)
-WOLFSSL_API void ERR_load_SSL_strings(void)
+void ERR_load_SSL_strings(void)
 {
 
 }
 #endif
 
 #ifdef HAVE_OCSP
-WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp)
+long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp)
 {
     if (s == NULL || resp == NULL)
         return 0;
@@ -24059,7 +24096,8 @@ WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *
     return s->ocspRespSz;
 }
 
-WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, int len)
+long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp,
+    int len)
 {
     if (s == NULL)
         return WOLFSSL_FAILURE;
@@ -24079,8 +24117,8 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *
  * @param mode maximum fragment length mode
  * @return 1 on success, otherwise 0 or negative error code
  */
-WOLFSSL_API int wolfSSL_CTX_set_tlsext_max_fragment_length(WOLFSSL_CTX *c,
-                                                            unsigned char mode)
+int wolfSSL_CTX_set_tlsext_max_fragment_length(WOLFSSL_CTX *c,
+                                               unsigned char mode)
 {
     if (c == NULL || (mode < WOLFSSL_MFL_2_9 || mode > WOLFSSL_MFL_2_12 ))
         return BAD_FUNC_ARG;
@@ -24093,8 +24131,7 @@ WOLFSSL_API int wolfSSL_CTX_set_tlsext_max_fragment_length(WOLFSSL_CTX *c,
  * @param mode maximum fragment length mode
  * @return 1 on success, otherwise 0 or negative error code
  */
-WOLFSSL_API int wolfSSL_set_tlsext_max_fragment_length(WOLFSSL *s,
-                                                            unsigned char mode)
+int wolfSSL_set_tlsext_max_fragment_length(WOLFSSL *s, unsigned char mode)
 {
     if (s == NULL || (mode < WOLFSSL_MFL_2_9 || mode > WOLFSSL_MFL_2_12 ))
         return BAD_FUNC_ARG;
@@ -24107,7 +24144,7 @@ WOLFSSL_API int wolfSSL_set_tlsext_max_fragment_length(WOLFSSL *s,
 #endif /* OPENSSL_EXTRA */
 
 #ifdef WOLFSSL_HAVE_TLS_UNIQUE
-WOLFSSL_API size_t wolfSSL_get_finished(const WOLFSSL *ssl, void *buf, size_t count)
+size_t wolfSSL_get_finished(const WOLFSSL *ssl, void *buf, size_t count)
 {
     byte len = 0;
 
@@ -24129,7 +24166,7 @@ WOLFSSL_API size_t wolfSSL_get_finished(const WOLFSSL *ssl, void *buf, size_t co
     return len;
 }
 
-WOLFSSL_API size_t wolfSSL_get_peer_finished(const WOLFSSL *ssl, void *buf, size_t count)
+size_t wolfSSL_get_peer_finished(const WOLFSSL *ssl, void *buf, size_t count)
 {
     byte len = 0;
     WOLFSSL_ENTER("SSL_get_peer_finished");
@@ -24400,44 +24437,7 @@ long wolfSSL_CTX_set_tlsext_status_arg(WOLFSSL_CTX* ctx, void* arg)
     return WOLFSSL_SUCCESS;
 }
 
-#endif /* NO_CERTS */
-
-
-/* Get the session cache mode for CTX
- *
- * ctx  WOLFSSL_CTX struct to get cache mode from
- *
- * Returns a bit mask that has the session cache mode */
-WOLFSSL_API long wolfSSL_CTX_get_session_cache_mode(WOLFSSL_CTX* ctx)
-{
-    long m = 0;
-
-    WOLFSSL_ENTER("SSL_CTX_set_session_cache_mode");
-
-    if (ctx == NULL) {
-        return m;
-    }
-
-    if (ctx->sessionCacheOff != 1) {
-        m |= SSL_SESS_CACHE_SERVER;
-    }
-
-    if (ctx->sessionCacheFlushOff == 1) {
-        m |= SSL_SESS_CACHE_NO_AUTO_CLEAR;
-    }
-
-#ifdef HAVE_EXT_CACHE
-    if (ctx->internalCacheOff == 1) {
-        m |= SSL_SESS_CACHE_NO_INTERNAL_STORE;
-    }
-    if (ctx->internalCacheLookupOff == 1) {
-        m |= SSL_SESS_CACHE_NO_INTERNAL_LOOKUP;
-    }
-#endif
-
-    return m;
-}
-
+#endif /* !NO_CERTS */
 
 int wolfSSL_get_read_ahead(const WOLFSSL* ssl)
 {
@@ -25201,7 +25201,7 @@ int wolfSSL_ASN1_TIME_check(const WOLFSSL_ASN1_TIME* a)
 /*
  * Convert time to Unix time (GMT).
  */
-static long long TimeToUnixTime(int sec, int minute, int hour, int mday, 
+static long long TimeToUnixTime(int sec, int minute, int hour, int mday,
                                 int mon, int year)
 {
     /* Number of cumulative days from the previous months, starting from
@@ -25218,7 +25218,7 @@ static long long TimeToUnixTime(int sec, int minute, int hour, int mday,
                1969 / 100 - 1969 / 400;
 
     return ((((long long) (year - 1970) * 365 + leapDays +
-           monthDaysCumulative[mon] + mday - 1) * 24 + hour) * 60 + minute) * 
+           monthDaysCumulative[mon] + mday - 1) * 24 + hour) * 60 + minute) *
            60 + sec;
 }
 
@@ -35612,7 +35612,7 @@ int wolfSSL_BN_sub(WOLFSSL_BIGNUM* r, const WOLFSSL_BIGNUM* a,
     return 0;
 }
 
-WOLFSSL_API int wolfSSL_BN_mul(WOLFSSL_BIGNUM *r, WOLFSSL_BIGNUM *a, WOLFSSL_BIGNUM *b,
+int wolfSSL_BN_mul(WOLFSSL_BIGNUM *r, WOLFSSL_BIGNUM *a, WOLFSSL_BIGNUM *b,
     WOLFSSL_BN_CTX *ctx)
 {
     int ret = WOLFSSL_SUCCESS;
@@ -35827,7 +35827,7 @@ int wolfSSL_BN_is_negative(const WOLFSSL_BIGNUM* bn)
     return mp_isneg((mp_int*)bn->internal);
 }
 
-WOLFSSL_API void wolfSSL_BN_zero(WOLFSSL_BIGNUM* bn)
+void wolfSSL_BN_zero(WOLFSSL_BIGNUM* bn)
 {
     if (bn == NULL || bn->internal == NULL) {
         return;
@@ -35836,7 +35836,7 @@ WOLFSSL_API void wolfSSL_BN_zero(WOLFSSL_BIGNUM* bn)
     mp_zero((mp_int*)bn->internal);
 }
 
-WOLFSSL_API int wolfSSL_BN_one(WOLFSSL_BIGNUM* bn)
+int wolfSSL_BN_one(WOLFSSL_BIGNUM* bn)
 {
     int ret = WOLFSSL_SUCCESS;
 
@@ -36633,7 +36633,7 @@ int wolfSSL_BN_add_word(WOLFSSL_BIGNUM *bn, WOLFSSL_BN_ULONG w)
 /* return code compliant with OpenSSL :
  *   1 if success, 0 else
  */
-WOLFSSL_API int wolfSSL_BN_sub_word(WOLFSSL_BIGNUM* bn, WOLFSSL_BN_ULONG w)
+int wolfSSL_BN_sub_word(WOLFSSL_BIGNUM* bn, WOLFSSL_BN_ULONG w)
 {
     int ret;
 
@@ -40554,7 +40554,7 @@ error:
 * RETURNS:
 * returns pointer to a PKCS7 structure on success, otherwise returns NULL
 */
-WOLFSSL_API PKCS7* wolfSSL_SMIME_read_PKCS7(WOLFSSL_BIO* in,
+PKCS7* wolfSSL_SMIME_read_PKCS7(WOLFSSL_BIO* in,
         WOLFSSL_BIO** bcont)
 {
     MimeHdr* allHdrs = NULL;

+ 21 - 19
src/tls.c

@@ -10058,7 +10058,7 @@ int TLSX_EarlyData_Use(WOLFSSL* ssl, word32 maxSz, int is_response)
 
     extension->resp = is_response;
     /* In QUIC, earlydata size is either 0 or 0xffffffff.
-     * Override any size between, possibly left from our intial value */
+     * Override any size between, possibly left from our initial value */
     extension->val  = (WOLFSSL_IS_QUIC(ssl) && is_response && maxSz > 0) ?
                        WOLFSSL_MAX_32BIT : maxSz;
 
@@ -11407,7 +11407,7 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word16* pLength)
         #endif
         }
     #endif
-#endif
+#endif /* WOLFSSL_TLS13 */
     #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
      || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
         if (!SSL_CM(ssl)->ocspStaplingEnabled) {
@@ -11480,8 +11480,9 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset)
             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
 #endif
 #ifdef WOLFSSL_TLS13
-        if (!IsAtLeastTLSv1_2(ssl))
+        if (!IsAtLeastTLSv1_2(ssl)) {
             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
+        }
     #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
         if (!IsAtLeastTLSv1_3(ssl->version)) {
             TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
@@ -11506,7 +11507,7 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word16* pOffset)
          */
         TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
     #endif
-#endif
+#endif /* WOLFSSL_TLS13 */
     #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
      || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
          /* mark already sent, so it won't send it */
@@ -11591,33 +11592,34 @@ int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
 #ifndef NO_WOLFSSL_SERVER
         case server_hello:
             PF_VALIDATE_RESPONSE(ssl, semaphore);
-    #ifdef WOLFSSL_TLS13
+        #ifdef WOLFSSL_TLS13
                 if (IsAtLeastTLSv1_3(ssl->version)) {
                     XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
                     TURN_OFF(semaphore,
                                      TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
-            #ifdef HAVE_SUPPORTED_CURVES
-                    if (!ssl->options.noPskDheKe)
+                #ifdef HAVE_SUPPORTED_CURVES
+                    if (!ssl->options.noPskDheKe) {
                         TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
-            #endif
-        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
+                    }
+                #endif
+                #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                     TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
-        #endif
-        #ifdef WOLFSSL_DTLS_CID
+                #endif
+                #ifdef WOLFSSL_DTLS_CID
                     TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID));
-        #endif /* WOLFSSL_DTLS_CID */
+                #endif
                 }
-        #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
+            #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
                 else {
-            #ifdef HAVE_SUPPORTED_CURVES
+                #ifdef HAVE_SUPPORTED_CURVES
                     TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
-            #endif
-            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
+                #endif
+                #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                     TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
-            #endif
+                #endif
                 }
-        #endif
-    #endif
+            #endif
+        #endif /* WOLFSSL_TLS13 */
             break;
 
     #ifdef WOLFSSL_TLS13

+ 37 - 18
tests/api.c

@@ -402,7 +402,7 @@ typedef struct testVector {
 /* Test failed. */
 #define TEST_FAIL       (0)
 /* Test skipped - not run. */
-#define TEST_SKIPPED    (-1)
+#define TEST_SKIPPED    (-7777)
 
 /* Returns the result based on whether check is true.
  *
@@ -2897,8 +2897,11 @@ static int test_wolfSSL_CertRsaPss(void)
     XFILE f;
     const char* rsaPssSha256Cert = "./certs/rsapss/ca-rsapss.der";
     const char* rsaPssRootSha256Cert = "./certs/rsapss/root-rsapss.pem";
-#if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072
+#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_PSS_LONG_SALT) && \
+    RSA_MAX_SIZE >= 3072
     const char* rsaPssSha384Cert = "./certs/rsapss/ca-3072-rsapss.der";
+#endif
+#if defined(WOLFSSL_SHA384) && RSA_MAX_SIZE >= 3072
     const char* rsaPssRootSha384Cert = "./certs/rsapss/root-3072-rsapss.pem";
 #endif
     DecodedCert cert;
@@ -3290,7 +3293,7 @@ static int test_wolfSSL_CTX_SetMinMaxDhKey_Sz(void)
 static int test_wolfSSL_CTX_der_load_verify_locations(void)
 {
     int res = TEST_SKIPPED;
-#if defined(WOLFSSL_DER_LOAD) && \
+#if !defined(NO_FILESYSTEM) && defined(WOLFSSL_DER_LOAD) && \
     (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
     WOLFSSL_CTX* ctx = NULL;
     const char* derCert = "./certs/server-cert.der";
@@ -7326,9 +7329,11 @@ static void test_wolfSSL_CTX_add_session_ctx_ready(WOLFSSL_CTX* ctx)
     /* Don't store sessions. Lookup is still enabled. */
     AssertIntEQ(wolfSSL_CTX_set_session_cache_mode(ctx,
             WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE), WOLFSSL_SUCCESS);
+#ifdef OPENSSL_EXTRA
     AssertIntEQ(wolfSSL_CTX_get_session_cache_mode(ctx) &
             WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE,
             WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE);
+#endif
     /* Require both peers to provide certs */
     wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
 }
@@ -7391,9 +7396,11 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
         AssertNotNull(peer);
         wolfSSL_X509_free(peer);
         AssertNotNull(wolfSSL_SESSION_get_peer_chain(*sess));
-        AssertNotNull(wolfSSL_SESSION_get0_peer(*sess));
+    #ifdef OPENSSL_EXTRA
+        AssertNotNull(SSL_SESSION_get0_peer(*sess));
+    #endif
     }
-#endif
+#endif /* SESSION_CERTS */
 }
 
 static void test_wolfSSL_CTX_add_session_ssl_ready(WOLFSSL* ssl)
@@ -9229,7 +9236,8 @@ static int test_wolfSSL_wolfSSL_UseSecureRenegotiation(void)
     return res;
 }
 
-#if !defined(NO_WOLFSSL_SERVER) && (!defined(NO_RSA) || defined(HAVE_ECC))
+#if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_SERVER) && \
+    (!defined(NO_RSA) || defined(HAVE_ECC))
 /* Called when writing. */
 static int DummySend(WOLFSSL* ssl, char* buf, int sz, void* ctx)
 {
@@ -9269,7 +9277,8 @@ static int BufferInfoRecv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
 static int test_tls_ext_duplicate(void)
 {
     int res = TEST_SKIPPED;
-#if !defined(NO_WOLFSSL_SERVER) && (!defined(NO_RSA) || defined(HAVE_ECC))
+#if !defined(NO_WOLFSSL_SERVER) && (!defined(NO_RSA) || defined(HAVE_ECC)) && \
+    !defined(NO_FILESYSTEM)
     const unsigned char clientHelloDupTlsExt[] = {
         0x16, 0x03, 0x03, 0x00, 0x6a, 0x01, 0x00, 0x00,
         0x66, 0x03, 0x03, 0xf4, 0x65, 0xbd, 0x22, 0xfe,
@@ -27326,7 +27335,7 @@ static int test_wc_Ed448PrivateKeyToDer(void)
 static int test_wc_SetSubjectBuffer(void)
 {
     int res = TEST_SKIPPED;
-#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA)
+#if defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
     Cert    cert;
     FILE*   file;
     byte*   der;
@@ -28291,7 +28300,7 @@ static int test_wc_PKCS7_EncodeSignedData_ex(void)
 } /* END test_wc_PKCS7_EncodeSignedData_ex */
 
 
-#if defined(HAVE_PKCS7)
+#if defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM)
 
 /**
  * Loads certs/keys from files or buffers into the argument buffers,
@@ -28590,7 +28599,7 @@ static int CreatePKCS7SignedData(unsigned char* output, int outputSz,
 static int test_wc_PKCS7_VerifySignedData(void)
 {
     int res = TEST_SKIPPED;
-#if defined(HAVE_PKCS7)
+#if defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM)
     PKCS7* pkcs7;
     byte   output[6000]; /* Large size needed for bundles with int CA certs */
     word32 outputSz = sizeof(output);
@@ -29009,9 +29018,11 @@ static int test_wc_PKCS7_EncodeDecodeEnvelopedData(void)
     #endif /* USE_CERT_BUFFERS_256 */
 #endif /* END HAVE_ECC */
 
+#ifndef NO_FILESYSTEM
     /* Silence. */
     (void)keyFile;
     (void)certFile;
+#endif
 
     {
     const pkcs7EnvelopedVector testVectors[] = {
@@ -31310,12 +31321,12 @@ static int test_wc_GetPubKeyDerFromCert(void)
     byte keyDer[TWOK_BUF];  /* large enough for up to RSA 2048 */
     word32 keyDerSz = (word32)sizeof(keyDer);
     DecodedCert decoded;
-#if !defined(NO_RSA) && defined(WOLFSSL_CERT_REQ)
+#if !defined(NO_RSA) && defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM)
     byte certBuf[6000]; /* for PEM and CSR, client-cert.pem is 5-6kB */
     word32 certBufSz = sizeof(certBuf);
 #endif
 #if ((!defined(USE_CERT_BUFFERS_2048) && !defined(USE_CERT_BUFFERS_1024)) || \
-     defined(WOLFSSL_CERT_REQ)) && !defined(NO_RSA)
+     defined(WOLFSSL_CERT_REQ)) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
     XFILE fp;
 #endif
 #ifndef NO_RSA
@@ -31390,7 +31401,7 @@ static int test_wc_GetPubKeyDerFromCert(void)
     wc_FreeDecodedCert(&decoded);
 
     /* Certificate Request Tests */
-    #ifdef WOLFSSL_CERT_REQ
+    #if defined(WOLFSSL_CERT_REQ) && !defined(NO_FILESYSTEM)
     {
         XMEMSET(certBuf, 0, sizeof(certBuf));
         fp = XFOPEN("./certs/csr.signed.der", "rb");
@@ -37597,9 +37608,10 @@ static int test_wolfSSL_X509_get_ext_count(void)
 static int test_wolfSSL_X509_sign2(void)
 {
     int res = TEST_SKIPPED;
+    /* test requires WOLFSSL_AKID_NAME to match expected output */
 #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) && \
     defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_ALT_NAMES) && \
-    defined(WOLFSSL_CERT_EXT) && \
+    defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_AKID_NAME) && \
     (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME))
     WOLFSSL_X509 *x509, *ca;
     const unsigned char *der;
@@ -55731,7 +55743,7 @@ static int test_ENGINE_cleanup(void)
 static int test_wolfSSL_CTX_LoadCRL(void)
 {
     int res = TEST_SKIPPED;
-#if defined(HAVE_CRL) && !defined(NO_RSA)
+#if defined(HAVE_CRL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM)
     WOLFSSL_CTX* ctx = NULL;
     WOLFSSL* ssl = NULL;
     const char* badPath = "dummypath";
@@ -59088,7 +59100,10 @@ static int test_wolfSSL_DTLS_fragment_buckets(void)
 }
 
 #endif
-#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) &&                     \
+
+
+#if !defined(NO_FILESYSTEM) && \
+     defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) &&                    \
     !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
 
 static int test_wolfSSL_dtls_stateless2(void)
@@ -60537,7 +60552,8 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_wolfSSL_DtlsUpdateWindow),
     TEST_DECL(test_wolfSSL_DTLS_fragment_buckets),
 #endif
-#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) &&                     \
+#if !defined(NO_FILESYSTEM) &&                                                 \
+     defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) &&                    \
     !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)
 #ifdef WOLFSSL_DTLS_NO_HVR_ON_RESUME
     TEST_DECL(test_wolfSSL_dtls_stateless_resume),
@@ -60713,7 +60729,10 @@ void ApiTest(void)
             printf(" %s\n", apitest_res_string(ret));
         }
         fflush(stdout);
-        AssertIntNE(ret, TEST_FAIL);
+        /* if return code is < 0 and not skipped then assert error */
+        Assert((ret > 0 || ret == TEST_SKIPPED),
+            ("Test failed\n"),
+            ("ret %d", ret));
 
         TestCleanup();
     }
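Review bot: The comment added at line 1364 says "< 0", but with `TEST_FAIL` defined as 0 (line 1178) the assertion `ret > 0 || ret == TEST_SKIPPED` also rejects 0, so the comment understates what is checked; `/* TEST_FAIL (0) and raw negative error codes fail; only a positive result or TEST_SKIPPED passes */` would match the code. Because any positive value passes, a test that returns a library success code instead of TEST_SUCCESS still counts as passing; if TEST_SUCCESS is the only positive result the harness defines, `Assert((ret == TEST_SUCCESS || ret == TEST_SKIPPED), ("Test failed\n"), ("ret %d", ret));` is the tighter form. The new `TEST_SKIPPED` value in the first hunk (line 1181) carries no explanation; a comment such as `/* Test skipped - not run. Deliberately outside the library error-code range so a raw error return is never mistaken for a skip. */` records the rationale — I infer it from the commit summary, so confirm it. ApiTest begins and ends outside the hunk.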

+ 9 - 8
wolfcrypt/src/asn.c

@@ -13195,7 +13195,8 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
                         cert->subjectEmail = (char*)&input[srcIdx];
                         cert->subjectEmailLen = strLen;
                     }
-                #if defined(WOLFSSL_HAVE_ISSUER_NAMES)
+                #if defined(WOLFSSL_HAVE_ISSUER_NAMES) && \
+                    (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT))
                     else if (nameType == ISSUER) {
                         cert->issuerEmail = (char*)&input[srcIdx];
                         cert->issuerEmailLen = strLen;
@@ -15059,7 +15060,7 @@ void FreeSignatureCtx(SignatureCtx* sigCtx)
     sigCtx->state = SIG_STATE_BEGIN;
 }
 
-#ifndef NO_ASN_CRYPT
+#if !defined(NO_ASN_CRYPT) && !defined(NO_HASH_WRAPPER)
 static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID,
                             byte* digest, int* typeH, int* digestSz, int verify)
 {
@@ -15226,7 +15227,7 @@ static int HashForSignature(const byte* buf, word32 bufSz, word32 sigOID,
 
     return ret;
 }
-#endif /* !NO_ASN_CRYPT */
+#endif /* !NO_ASN_CRYPT && !NO_HASH_WRAPPER */
 
 /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */
 static int ConfirmSignature(SignatureCtx* sigCtx,
@@ -15926,7 +15927,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx,
                     break;
                 }
             #endif /* !NO_DSA && !HAVE_SELFTEST */
-            #if defined(HAVE_ECC)
+            #if defined(HAVE_ECC) && defined(HAVE_ECC_VERIFY)
                 case ECDSAk:
                 {
                 #if defined(HAVE_PK_CALLBACKS)
@@ -22343,6 +22344,7 @@ wcchar END_PUB_KEY          = "-----END PUBLIC KEY-----";
 const int pem_struct_min_sz = XSTR_SIZEOF("-----BEGIN X509 CRL-----"
                                              "-----END X509 CRL-----");
 
+#ifdef WOLFSSL_PEM_TO_DER
 static WC_INLINE const char* SkipEndOfLineChars(const char* line,
                                                 const char* endOfLine)
 {
@@ -22353,6 +22355,7 @@ static WC_INLINE const char* SkipEndOfLineChars(const char* line,
     }
     return line;
 }
+#endif
 
 int wc_PemGetHeaderFooter(int type, const char** header, const char** footer)
 {
@@ -27735,7 +27738,7 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, int sz,
         }
     #endif /* !NO_RSA */
 
-    #ifdef HAVE_ECC
+    #if defined(HAVE_ECC) && defined(HAVE_ECC_SIGN)
         if (!rsaKey && eccKey) {
             word32 outSz = sigSz;
 
@@ -27744,7 +27747,7 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, int sz,
             if (ret == 0)
                 ret = outSz;
         }
-    #endif /* HAVE_ECC */
+    #endif /* HAVE_ECC && HAVE_ECC_SIGN */
 
     #if defined(HAVE_ED25519) && defined(HAVE_ED25519_SIGN)
         if (!rsaKey && !eccKey && ed25519Key) {
@@ -35166,9 +35169,7 @@ static int GetRevoked(RevokedCert* rcert, const byte* buff, word32* idx,
                       DecodedCRL* dcrl, int maxIdx)
 {
 #ifndef WOLFSSL_ASN_TEMPLATE
-#ifndef NO_ASN_TIME
     int ret;
-#endif
     int len;
     word32 end;
     RevokedCert* rc;
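Review bot: Compiling out the `ECDSAk` case when HAVE_ECC_VERIFY is not defined (line 1408) means a certificate carrying an ECDSA signature now reaches the switch's default path, which is outside this hunk; that path must leave `ret` as an error (ASN_SIG_CONFIRM_E or an unsupported-algorithm code — I cannot see it here) so the signature is rejected rather than reported as confirmed. The same question applies to `MakeSignature` at line 1433, where dropping the `eccKey` branch under HAVE_ECC_SIGN leaves an ECC key passed in with no signer, so confirm `ret` is not left at a success value there. A trailing comment on the new guard would help the next reader, e.g. `#if defined(HAVE_ECC) && defined(HAVE_ECC_VERIFY) /* without ECC verify, ECDSAk is handled by the default case */` — wording to be confirmed against that default. ConfirmSignature and MakeSignature both begin and end outside their hunks.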

+ 7 - 6
wolfcrypt/src/ecc.c

@@ -225,7 +225,8 @@ ECC Curve Sizes:
 /* forward declarations */
 static int  wc_ecc_new_point_ex(ecc_point** point, void* heap);
 static void wc_ecc_del_point_ex(ecc_point* p, void* heap);
-#if defined(WOLFSSL_ECDSA_DETERMINISTIC_K) || defined(WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT)
+#if defined(HAVE_ECC_SIGN) && (defined(WOLFSSL_ECDSA_DETERMINISTIC_K) || \
+    defined(WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT))
 static int deterministic_sign_helper(const byte* in, word32 inlen, ecc_key* key);
 #endif
 
@@ -1257,7 +1258,7 @@ const size_t ecc_sets_count = ECC_SET_COUNT - 1;
 #endif
 
 
-#ifdef HAVE_COMP_KEY
+#if defined(HAVE_COMP_KEY) && defined(HAVE_ECC_KEY_EXPORT)
 static int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen);
 #endif
 
@@ -14373,7 +14374,7 @@ int mp_sqrtmod_prime(mp_int* n, mp_int* prime, mp_int* ret)
 #endif /* !WOLFSSL_SP_MATH */
 #endif /* !WOLFSSL_ATECC508A && !WOLFSSL_ATECC608A && !WOLFSSL_CRYPTOCELL */
 
-
+#ifdef HAVE_ECC_KEY_EXPORT
 /* export public ECC key in ANSI X9.63 format compressed */
 static int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen)
 {
@@ -14414,7 +14415,7 @@ static int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen
 
    return ret;
 }
-
+#endif /* HAVE_ECC_KEY_EXPORT */
 #endif /* HAVE_COMP_KEY */
 
 
@@ -14479,7 +14480,7 @@ int wc_ecc_set_custom_curve(ecc_key* key, const ecc_set_type* dp)
 }
 #endif /* WOLFSSL_CUSTOM_CURVES */
 
-#ifdef HAVE_X963_KDF
+#if defined(HAVE_X963_KDF) && !defined(NO_HASH_WRAPPER)
 
 static WC_INLINE void IncrementX963KdfCounter(byte* inOutCtr)
 {
@@ -14581,7 +14582,7 @@ int wc_X963_KDF(enum wc_HashType type, const byte* secret, word32 secretSz,
 
     return ret;
 }
-#endif /* HAVE_X963_KDF */
+#endif /* HAVE_X963_KDF && !NO_HASH_WRAPPER */
 
 #ifdef WOLFSSL_SE050
 /* Use specified hardware key ID with ecc_key operations. Unlike devId,

+ 2 - 2
wolfcrypt/src/kdf.c

@@ -54,7 +54,7 @@
 #include <wolfssl/wolfcrypt/kdf.h>
 
 
-#ifdef WOLFSSL_HAVE_PRF
+#if defined(WOLFSSL_HAVE_PRF) && !defined(NO_HMAC)
 
 #ifdef WOLFSSL_SHA512
     #define P_HASH_MAX_SIZE WC_SHA512_DIGEST_SIZE
@@ -335,7 +335,7 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen,
 
     return ret;
 }
-#endif /* WOLFSSL_HAVE_PRF */
+#endif /* WOLFSSL_HAVE_PRF && !NO_HMAC */
 
 
 #if defined(HAVE_HKDF) && !defined(NO_HMAC)

+ 4 - 3
wolfcrypt/src/misc.c

@@ -834,8 +834,8 @@ WC_STATIC WC_INLINE word32 MakeWordFromHash(const byte* hashID)
 #endif /* HAVE_SESSION_TICKET || !NO_CERTS || !NO_SESSION_CACHE */
 
 
-#if !defined(WOLFCRYPT_ONLY) && (!defined(NO_SESSION_CACHE) || \
-    defined(HAVE_SESSION_TICKET))
+#if !defined(WOLFCRYPT_ONLY) && !defined(NO_HASH_WRAPPER) && \
+    (!defined(NO_SESSION_CACHE) || defined(HAVE_SESSION_TICKET))
 
 #include <wolfssl/wolfcrypt/hash.h>
 
@@ -856,7 +856,8 @@ WC_STATIC WC_INLINE word32 HashObject(const byte* o, word32 len, int* error)
 
     return *error == 0 ? MakeWordFromHash(digest) : 0; /* 0 on failure */
 }
-#endif /* WOLFCRYPT_ONLY && (!NO_SESSION_CACHE || HAVE_SESSION_TICKET) */
+#endif /* WOLFCRYPT_ONLY && !NO_HASH_WRAPPER &&
+        * (!NO_SESSION_CACHE || HAVE_SESSION_TICKET) */
 
 #undef WC_STATIC
 
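Review bot: The trailing comment on the rewritten `#endif` at line 1557 reads `WOLFCRYPT_ONLY && !NO_HASH_WRAPPER && ...`, but the guard it closes (line 1547) is `!defined(WOLFCRYPT_ONLY) && ...`, so the polarity of the first term is wrong; the old comment had the same slip, but since the line is rewritten here it is the place to fix it: `#endif /* !WOLFCRYPT_ONLY && !NO_HASH_WRAPPER && (!NO_SESSION_CACHE || HAVE_SESSION_TICKET) */` (split over two lines as now). Nothing else in the hunk changes behaviour beyond the added NO_HASH_WRAPPER term, and `HashObject` begins outside the hunk.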

+ 2 - 2
wolfcrypt/src/rsa.c

@@ -1611,7 +1611,7 @@ int wc_RsaPad_ex(const byte* input, word32 inputLen, byte* pkcsBlock,
 
 
 /* UnPadding */
-#ifndef WC_NO_RSA_OAEP
+#if !defined(WC_NO_RSA_OAEP) && !defined(NO_HASH_WRAPPER)
 /* UnPad plaintext, set start to *output, return length of plaintext,
  * < 0 on error */
 static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
@@ -1724,7 +1724,7 @@ static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
     *output = (byte*)(pkcsBlock + idx);
     return pkcsBlockLen - idx;
 }
-#endif /* WC_NO_RSA_OAEP */
+#endif /* !WC_NO_RSA_OAEP */
 
 #ifdef WC_RSA_PSS
 /* 0x00 .. 0x00 0x01 | Salt | Gen Hash | 0xbc
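Review bot: The closing comment at line 1580 was corrected to `!WC_NO_RSA_OAEP` but does not mention the new `!NO_HASH_WRAPPER` term added at line 1571, unlike the matching `#endif` comments elsewhere in this commit (kdf.c line 1533, ecc.c line 1511); `#endif /* !WC_NO_RSA_OAEP && !NO_HASH_WRAPPER */` keeps them consistent. With NO_HASH_WRAPPER set, `RsaUnPad_OAEP` no longer exists, so the unpad dispatch that selects OAEP (outside this hunk) needs the same guard or the build breaks; if it does compile, confirm that an OAEP unpad request returns an error rather than falling through to a different padding mode. `RsaUnPad_OAEP` begins outside the hunk.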

+ 10 - 11
wolfcrypt/test/test.c

@@ -13149,7 +13149,7 @@ WOLFSSL_TEST_SUBROUTINE int memory_test(void)
         static const char* certEccRsaDerFile = CERT_WRITE_TEMP_DIR "certeccrsa.der";
     #endif
     #if defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) && \
-        !defined(WOLF_CRYPTO_CB_ONLY_ECC)
+        !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(NO_ASN_CRYPT)
         static const char* eccCaKeyPemFile  = CERT_WRITE_TEMP_DIR "ecc-key.pem";
         static const char* eccPubKeyDerFile = CERT_WRITE_TEMP_DIR "ecc-public-key.der";
         static const char* eccCaKeyTempFile = CERT_WRITE_TEMP_DIR "ecc-key.der";
@@ -22624,6 +22624,7 @@ static int ecc_test_vector_item(const eccVector* vector)
     }
 #endif
 
+#ifdef HAVE_ECC_VERIFY
     do {
     #if defined(WOLFSSL_ASYNC_CRYPT)
         ret = wc_AsyncWait(ret, &userA->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
@@ -22638,6 +22639,7 @@ static int ecc_test_vector_item(const eccVector* vector)
 
     if (verify != 1)
         ret = -9812;
+#endif
 
 done:
 
@@ -23349,7 +23351,7 @@ done:
 }
 #endif
 
-#ifdef HAVE_ECC_CDH
+#if defined(HAVE_ECC_CDH) && defined(HAVE_ECC_DHE)
 static int ecc_test_cdh_vectors(WC_RNG* rng)
 {
     int ret;
@@ -23449,7 +23451,7 @@ done:
 
     return ret;
 }
-#endif /* HAVE_ECC_CDH */
+#endif /* HAVE_ECC_CDH && HAVE_ECC_DHE */
 #endif /* HAVE_ECC_VECTOR_TEST */
 
 #ifdef HAVE_ECC_KEY_IMPORT
@@ -23933,20 +23935,17 @@ done:
 static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount,
     int curve_id, const ecc_set_type* dp)
 {
-#if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG) && \
+#if defined(HAVE_ECC_DHE) && !defined(WC_NO_RNG) && \
     !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
     WC_DECLARE_VAR(sharedA, byte, ECC_SHARED_SIZE, HEAP_HINT);
     WC_DECLARE_VAR(sharedB, byte, ECC_SHARED_SIZE, HEAP_HINT);
+    word32  y;
 #endif
 #ifdef HAVE_ECC_KEY_EXPORT
     #define ECC_KEY_EXPORT_BUF_SIZE (MAX_ECC_BYTES * 2 + 32)
     WC_DECLARE_VAR(exportBuf, byte, ECC_KEY_EXPORT_BUF_SIZE, HEAP_HINT);
 #endif
     word32  x = 0;
-#if (defined(HAVE_ECC_DHE) || defined(HAVE_ECC_CDH)) && !defined(WC_NO_RNG) && \
-    !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A)
-    word32  y;
-#endif
 #if defined(HAVE_ECC_SIGN) && !defined(WOLFSSL_KCAPI_ECC)
     WC_DECLARE_VAR(sig, byte, ECC_SIG_SIZE, HEAP_HINT);
     WC_DECLARE_VAR(digest, byte, ECC_DIGEST_SIZE, HEAP_HINT);
@@ -24108,7 +24107,6 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount,
     if (XMEMCMP(sharedA, sharedB, x))
         ERROR_OUT(-9920, done);
     TEST_SLEEP();
-#endif /* HAVE_ECC_DHE */
 
 #ifdef HAVE_ECC_CDH
     /* add cofactor flag */
@@ -24149,6 +24147,7 @@ static int ecc_test_curve_size(WC_RNG* rng, int keySize, int testVerifyCount,
     wc_ecc_set_flags(userA, 0);
     wc_ecc_set_flags(userB, 0);
 #endif /* HAVE_ECC_CDH */
+#endif /* HAVE_ECC_DHE */
 #endif /* !WOLFSSL_ATECC508A && WOLFSSL_ATECC608A */
 
 #ifdef HAVE_ECC_KEY_EXPORT
@@ -26273,7 +26272,7 @@ WOLFSSL_TEST_SUBROUTINE int ecc_test(void)
         goto done;
     }
 #endif
-#ifdef HAVE_ECC_CDH
+#if defined(HAVE_ECC_CDH) && defined(HAVE_ECC_DHE)
     ret = ecc_test_cdh_vectors(&rng);
     if (ret != 0) {
         printf("ecc_test_cdh_vectors failed! %d\n", ret);
@@ -44262,6 +44261,6 @@ WOLFSSL_TEST_SUBROUTINE int aes_siv_test(void)
 
 #else
     #ifndef NO_MAIN_DRIVER
-        int main() { return 0; }
+        int main(void) { return 0; }
     #endif
 #endif /* NO_CRYPT_TEST */

+ 1 - 1
wolfssl/internal.h

@@ -3651,7 +3651,7 @@ typedef struct Ciphers {
 #ifdef HAVE_CHACHA
     ChaCha*   chacha;
 #endif
-#if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER)
+#if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER) && !defined(NO_HMAC)
     Hmac* hmac;
 #endif
 #ifdef WOLFSSL_CIPHER_TEXT_CHECK

+ 2 - 0
wolfssl/openssl/pem.h

@@ -218,6 +218,8 @@ WOLFSSL_API
 int wolfSSL_PEM_write_DHparams(XFILE fp, WOLFSSL_DH* dh);
 #endif /* NO_FILESYSTEM */
 
+#define PEM_BUFSIZE WOLF_PEM_BUFSIZE
+
 #define PEM_read                        wolfSSL_PEM_read
 #define PEM_read_bio                    wolfSSL_PEM_read_bio
 #define PEM_write                       wolfSSL_PEM_write

+ 3 - 0
wolfssl/openssl/ssl.h

@@ -362,6 +362,9 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define SSL_SESSION_set_cipher          wolfSSL_SESSION_set_cipher
 #define SSL_is_init_finished            wolfSSL_is_init_finished
 
+#define SSL_SESSION_set1_id             wolfSSL_SESSION_set1_id
+#define SSL_SESSION_set1_id_context     wolfSSL_SESSION_set1_id_context
+
 #define SSL_get_version                 wolfSSL_get_version
 #define SSL_get_current_cipher          wolfSSL_get_current_cipher
 

+ 2 - 4
wolfssl/ssl.h

@@ -2516,8 +2516,6 @@ WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio);
     #define SSL_R_TLSV1_ALERT_UNKNOWN_CA WOLFSSL_R_TLSV1_ALERT_UNKNOWN_CA
     #define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN WOLFSSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN
     #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE WOLFSSL_R_SSLV3_ALERT_BAD_CERTIFICATE
-
-    #define PEM_BUFSIZE WOLF_PEM_BUFSIZE
 #endif
 
 enum { /* ssl Constants */
@@ -5009,8 +5007,8 @@ WOLFSSL_API const unsigned char *SSL_SESSION_get0_id_context(
 #endif
 
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-WOLFSSL_API int SSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, unsigned int sid_len);
-WOLFSSL_API int SSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len);
+WOLFSSL_API int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, unsigned int sid_len);
+WOLFSSL_API int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len);
 WOLFSSL_API WOLFSSL_X509_ALGOR* wolfSSL_X509_ALGOR_new(void);
 WOLFSSL_API void wolfSSL_X509_ALGOR_free(WOLFSSL_X509_ALGOR *alg);
 WOLFSSL_API const WOLFSSL_X509_ALGOR* wolfSSL_X509_get0_tbs_sigalg(const WOLFSSL_X509 *x);
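Review bot: Renaming the exported declarations at lines 1746–1747 from `SSL_SESSION_set1_id`/`SSL_SESSION_set1_id_context` to the `wolfSSL_` prefixed names changes the library's exported symbol names under OPENSSL_EXTRA, which is an ABI change for anything that linked against the old names; the new compat macros in wolfssl/openssl/ssl.h restore source compatibility only for code that includes that header. The corresponding definitions in src/ssl.c are not in the visible part of this diff, so confirm they were renamed in step. A line in the release notes naming the renamed symbols would help downstream packagers.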

+ 8 - 6
wolfssl/test.h

@@ -3681,7 +3681,7 @@ static WC_INLINE int myEccSharedSecret(WOLFSSL* ssl, ecc_key* otherKey,
 
 #endif /* HAVE_ECC */
 
-#ifdef HAVE_HKDF
+#if defined(HAVE_HKDF) && !defined(NO_HMAC)
 static WC_INLINE int myHkdfExtract(byte* prk, const byte* salt, word32 saltLen,
        byte* ikm, word32 ikmLen, int digest, void* ctx)
 {
@@ -3722,7 +3722,7 @@ static WC_INLINE int myHkdfExtract(byte* prk, const byte* salt, word32 saltLen,
             ikmLen);
     return ret;
 }
-#endif /* HAVE_HKDF */
+#endif /* HAVE_HKDF && !NO_HMAC */
 
 #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
 #ifdef HAVE_ED25519_SIGN
@@ -4590,9 +4590,9 @@ static WC_INLINE void SetupPkCallbacks(WOLFSSL_CTX* ctx)
         wolfSSL_CTX_SetEccVerifyCb(ctx, myEccVerify);
         wolfSSL_CTX_SetEccSharedSecretCb(ctx, myEccSharedSecret);
     #endif /* HAVE_ECC */
-    #ifdef HAVE_HKDF
+    #if defined(HAVE_HKDF) && !defined(NO_HMAC)
         wolfSSL_CTX_SetHKDFExtractCb(ctx, myHkdfExtract);
-    #endif /* HAVE_HKDF */
+    #endif /* HAVE_HKDF && !NO_HMAC */
     #ifndef NO_DH
         wolfSSL_CTX_SetDhAgreeCb(ctx, myDhCallback);
     #endif
@@ -5131,12 +5131,14 @@ void DEBUG_WRITE_DER(const byte* der, int derSz, const char* fileName);
 
 #define DTLS_CID_BUFFER_SIZE 256
 
-#if defined(WOLFSSL_TICKET_NONCE_MALLOC) && defined(HAVE_SESSION_TICKET)       \
+#if !defined(NO_FILESYSTEM) && (                                               \
+    defined(WOLFSSL_TICKET_NONCE_MALLOC) && defined(HAVE_SESSION_TICKET)       \
     && defined(WOLFSSL_TLS13) &&                                               \
     (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))\
     ||                                                                         \
     (defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) &&                    \
-     !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER))
+     !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER)))
+
 #define TEST_MEMIO_BUF_SZ (64 * 1024)
 struct test_memio_ctx
 {
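Review bot: The new outer `!defined(NO_FILESYSTEM) && ( … )` at line 1790 wraps a guard whose matching `#endif` lies outside the hunk; if that `#endif` carries a trailing comment it now needs the NO_FILESYSTEM term as well. Why a memory-I/O helper (`test_memio_ctx`) depends on a filesystem is not obvious from the code — presumably the tests built on it load certificate files — so a one-line comment above the `#if`, such as `/* memio tests load certs/keys from files, so they are unavailable without a filesystem */`, would save the next reader the search; confirm that is the actual reason. The DTLS arm of this condition is repeated in tests/api.c (lines 1344–1346 and 1354–1356), so the three copies must be kept in step.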