cppcheck: fixes from reviewing report

IDE/Espressif/ESP-IDF/examples/wolfssl_benchmark/main/helper.c

@@ -118,7 +118,7 @@ int construct_argv()
 
     __argv[cnt] = malloc(10);
     sprintf(__argv[cnt], "benchmark");
-    __argv[9] = '\0';
+    __argv[cnt][9] = '\0';
     cnt = 1;
 
     while (*ch != '\0')

IDE/MDK-ARM/MDK-ARM/wolfSSL/wolfssl_MDK_ARM.c

@@ -197,6 +197,7 @@ FILE * wolfSSL_fopen(const char *name, const char *openmode)
     #define PATHSIZE 100
     char path[PATHSIZE] ; char *p ;
 
+    if (name == NULL) return NULL;
     if(strlen(name) > PATHSIZE)return(NULL) ;
 
     for(i = 0; i<= strlen(name); i++) {

IDE/zephyr/wolfssl_tls_sock/src/tls_sock.c

@@ -323,9 +323,7 @@ int wolfssl_server_accept_tcp(WOLFSSL* ssl, SOCKET_T* fd, SOCKET_T* acceptfd)
     if (ret == 0) {
         *acceptfd = clientfd;
         tcp_set_nonblocking(&clientfd);
-    }
 
-    if (ret == 0) {
         printf("Server has client\n");
         if (wolfSSL_set_fd(ssl, clientfd) != WOLFSSL_SUCCESS)
             ret = -1;

examples/echoclient/echoclient.c

@@ -89,7 +89,7 @@ void echoclient_test(void* args)
     int argc    = 0;
     char** argv = 0;
 #endif
-    word16 port = yasslPort;
+    word16 port;
     char buffer[CYASSL_MAX_ERROR_SZ];
 
     ((func_args*)args)->return_code = -1; /* error state */
@@ -126,6 +126,8 @@ void echoclient_test(void* args)
 
 #if defined(NO_MAIN_DRIVER) && !defined(USE_WINDOWS_API) && !defined(WOLFSSL_MDK_SHELL)
     port = ((func_args*)args)->signal->port;
+#else
+    port = yasslPort;
 #endif
 
 #if defined(CYASSL_DTLS)

mcapi/mcapi_test.c

@@ -238,7 +238,7 @@ static int check_md5(void)
         return -1;
     }
 
-    if (ret == 0 && memcmp(mcDigest, defDigest, CRYPT_MD5_DIGEST_SIZE) != 0) {
+    if (memcmp(mcDigest, defDigest, CRYPT_MD5_DIGEST_SIZE) != 0) {
         printf("md5 final memcmp failed\n");
         return -1;
     }

src/bio.c

@@ -230,15 +230,15 @@ int wolfSSL_BIO_read(WOLFSSL_BIO* bio, void* buf, int len)
                 if (bio->ptr) {
                     ret = (int)XFREAD(buf, 1, len, (XFILE)bio->ptr);
                 }
+                else {
                 #if !defined(USE_WINDOWS_API) && !defined(NO_WOLFSSL_DIR) && \
                     !defined(WOLFSSL_NUCLEUS) && !defined(WOLFSSL_NUCLEUS_1_2)
-                else {
                     ret = (int)XREAD(bio->num, buf, len);
-                }
                 #else
-                WOLFSSL_MSG("No file pointer and XREAD not enabled");
-                ret = NOT_COMPILED_IN;
+                    WOLFSSL_MSG("No file pointer and XREAD not enabled");
+                    ret = NOT_COMPILED_IN;
                 #endif
+                }
             #else
                 WOLFSSL_MSG("WOLFSSL_BIO_FILE used with NO_FILESYSTEM");
                 ret = NOT_COMPILED_IN;
@@ -541,9 +541,11 @@ static int wolfSSL_BIO_MD_write(WOLFSSL_BIO* bio, const void* data, int len)
 int wolfSSL_BIO_write(WOLFSSL_BIO* bio, const void* data, int len)
 {
     int ret = 0;
+#ifdef WOLFSSL_BASE64_ENCODE
     /* Use extra return var as we want to return how much of input we have
      * written, not how big the base64 encoding ended up being */
     int retB64 = 0;
+#endif
     WOLFSSL_BIO* front = bio;
     void* frmt = NULL;
     word32 frmtSz = 0;
@@ -594,15 +596,15 @@ int wolfSSL_BIO_write(WOLFSSL_BIO* bio, const void* data, int len)
                 if (bio->ptr) {
                     ret = (int)XFWRITE(data, 1, len, (XFILE)bio->ptr);
                 }
+                else {
                 #if !defined(USE_WINDOWS_API) && !defined(NO_WOLFSSL_DIR) && \
                     !defined(WOLFSSL_NUCLEUS) && !defined(WOLFSSL_NUCLEUS_1_2)
-                else {
                     ret = (int)XWRITE(bio->num, data, len);
-                }
                 #else
-                WOLFSSL_MSG("No file pointer and XWRITE not enabled");
-                ret = NOT_COMPILED_IN;
+                    WOLFSSL_MSG("No file pointer and XWRITE not enabled");
+                    ret = NOT_COMPILED_IN;
                 #endif
+                }
             #else
                 WOLFSSL_MSG("WOLFSSL_BIO_FILE used with NO_FILESYSTEM");
                 ret = NOT_COMPILED_IN;
@@ -659,9 +661,11 @@ exit_chain:
         XFREE(frmt, front->heap, DYNAMIC_TYPE_TMP_BUFFER);
     }
 
+#ifdef WOLFSSL_BASE64_ENCODE
     if (retB64 > 0 && ret > 0)
         return retB64;
     else
+#endif
         return ret;
 }
 

src/internal.c

@@ -1715,9 +1715,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
     ctx->minEccKeySz  = MIN_ECCKEY_SZ;
     ctx->eccTempKeySz = ECDHE_SIZE;
 #endif
-#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
     ctx->verifyDepth = MAX_CHAIN_DEPTH;
-#endif
 #ifdef OPENSSL_EXTRA
     ctx->cbioFlag = WOLFSSL_CBIO_NONE;
 #endif
@@ -1866,11 +1864,6 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
     ctx->ticketHint = SESSION_TICKET_HINT_DEFAULT;
 #endif
 
-#ifdef HAVE_WOLF_EVENT
-    if (ret == 0)
-        ret = wolfEventQueue_Init(&ctx->event_queue);
-#endif /* HAVE_WOLF_EVENT */
-
 #ifdef WOLFSSL_EARLY_DATA
     ctx->maxEarlyDataSz = MAX_EARLY_DATA_SZ;
 #endif
@@ -1880,7 +1873,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
 #endif
 
     ctx->heap = heap; /* wolfSSL_CTX_load_static_memory sets */
-    ctx->verifyDepth = MAX_CHAIN_DEPTH;
+
+#ifdef HAVE_WOLF_EVENT
+    ret = wolfEventQueue_Init(&ctx->event_queue);
+#endif /* HAVE_WOLF_EVENT */
 
     return ret;
 }
@@ -5832,9 +5828,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
     ssl->wfd = -1;
     ssl->devId = ctx->devId; /* device for async HW (from wolfAsync_DevOpen) */
 
-    ssl->IOCB_ReadCtx  = &ssl->rfd;  /* prevent invalid pointer access if not */
-    ssl->IOCB_WriteCtx = &ssl->wfd;  /* correctly set */
-
 #ifdef HAVE_NETX
     ssl->IOCB_ReadCtx  = &ssl->nxCtx;  /* default NetX IO ctx, same for read */
     ssl->IOCB_WriteCtx = &ssl->nxCtx;  /* and write */
@@ -5848,7 +5841,11 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 #elif defined (WOLFSSL_GNRC)
     ssl->IOCB_ReadCtx = ssl->gnrcCtx;
     ssl->IOCB_WriteCtx = ssl->gnrcCtx;
+#else
+    ssl->IOCB_ReadCtx  = &ssl->rfd;  /* prevent invalid pointer access if not */
+    ssl->IOCB_WriteCtx = &ssl->wfd;  /* correctly set */
 #endif
+
     /* initialize states */
     ssl->options.serverState = NULL_STATE;
     ssl->options.clientState = NULL_STATE;
@@ -6256,10 +6253,6 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
             return BAD_FUNC_ARG;
     }
 
-    if (sz == 0) {
-        return NOT_COMPILED_IN;
-    }
-
     /* Allocate memory for key */
     *pKey = (void *)XMALLOC(sz, ssl->heap, type);
     if (*pKey == NULL) {
@@ -8557,10 +8550,8 @@ static WC_INLINE int GrowOutputBuffer(WOLFSSL* ssl, int size)
        the header, if the user wants encrypted alignment they need
        to define their alignment requirement */
 
-    if (align) {
-       while (align < hdrSz)
-           align *= 2;
-    }
+    while (align < hdrSz)
+        align *= 2;
 #endif
 
     tmp = (byte*)XMALLOC(size + ssl->buffers.outputBuffer.length + align,
@@ -11771,8 +11762,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     /* Check peer's certificate version number. TLS 1.2 / 1.3
                      * requires the clients certificate be version 3 unless a
                      * different version has been negotiated using RFC 7250 */
-                    if ((ret == 0) &&
-                            (ssl->options.side == WOLFSSL_SERVER_END)) {
+                    if (ssl->options.side == WOLFSSL_SERVER_END) {
                         if (args->dCert->version != WOLFSSL_X509_V3) {
                             WOLFSSL_MSG("Peers certificate was not version 3!");
                             args->lastErr = ASN_VERSION_E;
@@ -17048,7 +17038,7 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
              int epochOrder)
 {
 #ifndef WOLFSSL_NO_TLS12
-    int ret = 0;
+    int ret;
     BuildMsgArgs* args;
     BuildMsgArgs  lcl_args;
 #ifdef WOLFSSL_ASYNC_CRYPT
@@ -17075,8 +17065,8 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
     }
 #endif
 
-    ret = WC_NOT_PENDING_E;
 #ifdef WOLFSSL_ASYNC_CRYPT
+    ret = WC_NOT_PENDING_E;
     if (asyncOkay) {
         ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
         if (ret != WC_NOT_PENDING_E) {
@@ -17092,7 +17082,10 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
     }
 
     /* Reset state */
-    if (ret == WC_NOT_PENDING_E) {
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (ret == WC_NOT_PENDING_E)
+#endif
+    {
         ret = 0;
         ssl->options.buildMsgState = BUILD_MSG_BEGIN;
         XMEMSET(args, 0, sizeof(BuildMsgArgs));
@@ -18584,7 +18577,9 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
     int sent = 0,  /* plainText size */
         sendSz,
         ret;
+#if defined(WOLFSSL_EARLY_DATA) && defined(WOLFSSL_EARLY_DATA_GROUP)
     int groupMsgs = 0;
+#endif
 
     if (ssl->error == WANT_WRITE
     #ifdef WOLFSSL_ASYNC_CRYPT
@@ -18635,7 +18630,11 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
     }
 
     /* last time system socket output buffer was full, try again to send */
-    if (!groupMsgs && ssl->buffers.outputBuffer.length > 0) {
+    if (ssl->buffers.outputBuffer.length > 0
+    #if defined(WOLFSSL_EARLY_DATA) && defined(WOLFSSL_EARLY_DATA_GROUP)
+        && !groupMsgs
+    #endif
+        ) {
         WOLFSSL_MSG("output buffer was full, trying to send again");
         if ( (ssl->error = SendBuffered(ssl)) < 0) {
             WOLFSSL_ERROR(ssl->error);
@@ -21972,19 +21971,20 @@ exit_dpk:
     /* Make sure client setup is valid for this suite, true on success */
     int VerifyClientSuite(WOLFSSL* ssl)
     {
-        int  havePSK = 0;
+    #ifndef NO_PSK
+        int  havePSK = ssl->options.havePSK;
+    #endif
         byte first   = ssl->options.cipherSuite0;
         byte second  = ssl->options.cipherSuite;
 
         WOLFSSL_ENTER("VerifyClientSuite");
 
-        #ifndef NO_PSK
-            havePSK = ssl->options.havePSK;
-        #endif
-
         if (CipherRequires(first, second, REQUIRES_PSK)) {
             WOLFSSL_MSG("Requires PSK");
-            if (havePSK == 0) {
+        #ifndef NO_PSK
+            if (havePSK == 0)
+        #endif
+            {
                 WOLFSSL_MSG("Don't have PSK");
                 return 0;
             }
@@ -24191,7 +24191,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
         case TLS_ASYNC_BUILD:
         {
             args->encSz = MAX_ENCRYPT_SZ;
-            args->encSecret = (byte*)XMALLOC(args->encSz, ssl->heap,
+            args->encSecret = (byte*)XMALLOC(MAX_ENCRYPT_SZ, ssl->heap,
                                                     DYNAMIC_TYPE_SECRET);
             if (args->encSecret == NULL) {
                 ERROR_OUT(MEMORY_E, exit_scke);
@@ -25275,7 +25275,7 @@ int SendCertificateVerify(WOLFSSL* ssl)
 
             /* build encoded signature buffer */
             ssl->buffers.sig.length = MAX_ENCODED_SIG_SZ;
-            ssl->buffers.sig.buffer = (byte*)XMALLOC(ssl->buffers.sig.length,
+            ssl->buffers.sig.buffer = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ,
                                         ssl->heap, DYNAMIC_TYPE_SIGNATURE);
             if (ssl->buffers.sig.buffer == NULL) {
                 ERROR_OUT(MEMORY_E, exit_scv);
@@ -25325,9 +25325,10 @@ int SendCertificateVerify(WOLFSSL* ssl)
             }
         #ifndef NO_OLD_TLS
             else {
-                /* if old TLS load MD5 and SHA hash as value to sign */
+                /* if old TLS load MD5 and SHA hash as value to sign
+                 * MD5 and SHA must be first two buffers in stucture */
                 XMEMCPY(ssl->buffers.sig.buffer,
-                    (byte*)ssl->hsHashes->certHashes.md5, FINISHED_SZ);
+                                (byte*)&ssl->hsHashes->certHashes, FINISHED_SZ);
             }
         #endif
 
@@ -25817,7 +25818,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
         int    sendSz;
         byte   sessIdSz = ID_LEN;
+    #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SESSION_TICKET)
         byte   echoId   = 0;  /* ticket echo id flag */
+    #endif
         byte   cacheOff = 0;  /* session cache off flag */
 
         WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND);
@@ -25862,7 +25865,11 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
         /* if no session cache don't send a session ID unless we're echoing
          * an ID as part of session tickets */
-        if (echoId == 0 && cacheOff == 1) {
+        if (cacheOff == 1
+        #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SESSION_TICKET)
+            && echoId == 0
+        #endif
+            ) {
             length -= ID_LEN;    /* adjust ID_LEN assumption */
             sessIdSz = 0;
         }
@@ -26547,7 +26554,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
                         args->length = ENUM_LEN + CURVE_LEN + ENUM_LEN;
 
                         args->exportSz = MAX_EXPORT_ECC_SZ;
-                        args->exportBuf = (byte*)XMALLOC(args->exportSz,
+                        args->exportBuf = (byte*)XMALLOC(MAX_EXPORT_ECC_SZ,
                                             ssl->heap, DYNAMIC_TYPE_DER);
                         if (args->exportBuf == NULL) {
                             ERROR_OUT(MEMORY_E, exit_sske);
@@ -26656,7 +26663,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
                         /* Export temp ECC key and add to length */
                         args->exportSz = MAX_EXPORT_ECC_SZ;
-                        args->exportBuf = (byte*)XMALLOC(args->exportSz,
+                        args->exportBuf = (byte*)XMALLOC(MAX_EXPORT_ECC_SZ,
                                             ssl->heap, DYNAMIC_TYPE_DER);
                         if (args->exportBuf == NULL) {
                             ERROR_OUT(MEMORY_E, exit_sske);
@@ -27635,7 +27642,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     static int VerifyServerSuite(WOLFSSL* ssl, word16 idx)
     {
         int  haveRSA = !ssl->options.haveStaticECC;
-        int  havePSK = 0;
+    #ifndef NO_PSK
+        int  havePSK = ssl->options.havePSK;
+    #endif
         byte first;
         byte second;
 
@@ -27649,10 +27658,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         first   = ssl->suites->suites[idx];
         second  = ssl->suites->suites[idx+1];
 
-        #ifndef NO_PSK
-            havePSK = ssl->options.havePSK;
-        #endif
-
         if (ssl->options.haveNTRU)
             haveRSA = 0;
 
@@ -27690,7 +27695,10 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
         if (CipherRequires(first, second, REQUIRES_PSK)) {
             WOLFSSL_MSG("Requires PSK");
-            if (havePSK == 0) {
+        #ifndef NO_PSK
+            if (havePSK == 0)
+        #endif
+            {
                 WOLFSSL_MSG("Don't have PSK");
                 return 0;
             }

src/ssl.c

@@ -2123,6 +2123,9 @@ int wolfSSL_read(WOLFSSL* ssl, void* data, int sz)
     WOLFSSL_ENTER("wolfSSL_read()");
 
     #ifdef OPENSSL_EXTRA
+    if (ssl == NULL) {
+        return BAD_FUNC_ARG;
+    }
     if (ssl->CBIS != NULL) {
         ssl->CBIS(ssl, SSL_CB_READ, WOLFSSL_SUCCESS);
         ssl->cbmode = SSL_CB_READ;
@@ -2837,7 +2840,9 @@ int wolfSSL_Rehandshake(WOLFSSL* ssl)
         #endif
     }
 
+#ifdef HAVE_SESSION_TICKET
     if (ret == WOLFSSL_SUCCESS)
+#endif
         ret = _Rehandshake(ssl);
 
     return ret;
@@ -8287,7 +8292,7 @@ int wolfSSL_check_private_key(const WOLFSSL* ssl)
         if (ret == 0 && der.keyOID == RSAk) {
             ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, der.publicKey,
                                               der.pubKeySize);
-            if (ret == 0 && ret != CRYPTOCB_UNAVAILABLE)
+            if (ret == 0)
                 ret = WOLFSSL_SUCCESS;
             wc_FreeRsaKey((RsaKey*)pkey);
         }
@@ -8296,7 +8301,7 @@ int wolfSSL_check_private_key(const WOLFSSL* ssl)
         if (ret == 0 && der.keyOID == ECDSAk) {
             ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey, der.publicKey,
                                               der.pubKeySize);
-            if (ret == 0 && ret != CRYPTOCB_UNAVAILABLE)
+            if (ret == 0)
                 ret = WOLFSSL_SUCCESS;
             wc_ecc_free((ecc_key*)pkey);
         }
@@ -13792,7 +13797,7 @@ static int GetDeepCopySession(WOLFSSL* ssl, WOLFSSL_SESSION* copyFrom)
 
 int SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session)
 {
-    if (ssl->options.sessionCacheOff)
+    if (ssl == NULL || ssl->options.sessionCacheOff)
         return WOLFSSL_FAILURE;
 
 #ifdef OPENSSL_EXTRA
@@ -16746,10 +16751,12 @@ int wolfSSL_get_server_tmp_key(const WOLFSSL* ssl, WOLFSSL_EVP_PKEY** pkey)
 #endif
 
     *pkey = ret;
-    if (ret == NULL)
-        return WOLFSSL_FAILURE;
-    else
+#ifdef HAVE_ECC
+    if (ret != NULL)
         return WOLFSSL_SUCCESS;
+    else
+#endif
+        return WOLFSSL_FAILURE;
 }
 
 #endif /* !NO_WOLFSSL_SERVER */
@@ -18854,7 +18861,9 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl)
  * don't */
 static void ExternalFreeX509(WOLFSSL_X509* x509)
 {
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
     int doFree = 0;
+#endif
 
     WOLFSSL_ENTER("ExternalFreeX509");
     if (x509) {
@@ -18871,11 +18880,12 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
             if (x509->refCount == 0)
                 doFree = 1;
             wc_UnLockMutex(&x509->refMutex);
-        #else
-            doFree = 1;
-        #endif /* OPENSSL_EXTRA */
+        #endif /* OPENSSL_EXTRA || OPENSSL_ALL */
 
-            if (doFree) {
+        #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
+            if (doFree)
+        #endif /* OPENSSL_EXTRA || OPENSSL_ALL */
+            {
                 FreeX509(x509);
                 XFREE(x509, x509->heap, DYNAMIC_TYPE_X509);
             }
@@ -22943,7 +22953,8 @@ int wolfSSL_X509_NAME_get_text_by_NID(WOLFSSL_X509_NAME* name,
         return textSz;
     }
 
-    if (buf != NULL && text != NULL) {
+    /* buf is not NULL from above */
+    if (text != NULL) {
         textSz = min(textSz + 1, len); /* + 1 to account for null char */
         if (textSz > 0) {
             XMEMCPY(buf, text, textSz - 1);
@@ -32173,8 +32184,13 @@ WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng)
     !defined(HAVE_FAST_RSA) && defined(WC_RSA_BLINDING)
     rng = ((RsaKey*)rsa->internal)->rng;
 #endif
-    if (rng == NULL && tmpRNG) {
-        if (!*tmpRNG) {
+    if (tmpRNG != NULL
+    #if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && \
+        !defined(HAVE_FAST_RSA) && defined(WC_RSA_BLINDING)
+        && rng == NULL
+    #endif
+        ) {
+        if (*tmpRNG == NULL) {
 #ifdef WOLFSSL_SMALL_STACK
             *tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_TMP_BUFFER);
             if (*tmpRNG == NULL)
@@ -32434,35 +32450,28 @@ int wolfSSL_RAND_egd(const char* nm)
     #endif
         return WOLFSSL_FATAL_ERROR;
     }
-    if (ret == WOLFSSL_SUCCESS) {
-        rem.sun_family = AF_UNIX;
-        XSTRNCPY(rem.sun_path, nm, sizeof(rem.sun_path) - 1);
-        rem.sun_path[sizeof(rem.sun_path)-1] = '\0';
-    }
+    rem.sun_family = AF_UNIX;
+    XSTRNCPY(rem.sun_path, nm, sizeof(rem.sun_path) - 1);
+    rem.sun_path[sizeof(rem.sun_path)-1] = '\0';
 
     /* connect to egd server */
-    if (ret == WOLFSSL_SUCCESS) {
-        if (connect(fd, (struct sockaddr*)&rem, sizeof(struct sockaddr_un))
-                == -1) {
-            WOLFSSL_MSG("error connecting to egd server");
-            ret = WOLFSSL_FATAL_ERROR;
-        }
+    if (connect(fd, (struct sockaddr*)&rem, sizeof(struct sockaddr_un)) == -1) {
+        WOLFSSL_MSG("error connecting to egd server");
+        ret = WOLFSSL_FATAL_ERROR;
     }
 
     while (ret == WOLFSSL_SUCCESS && bytes < 255 && idx + 2 < 256) {
-        if (ret == WOLFSSL_SUCCESS) {
-            buf[idx]     = WOLFSSL_EGD_NBLOCK;
-            buf[idx + 1] = 255 - bytes; /* request 255 bytes from server */
-            ret = (int)write(fd, buf + idx, 2);
-            if (ret <= 0 || ret != 2) {
-                if (errno == EAGAIN) {
-                    ret = WOLFSSL_SUCCESS;
-                    continue;
-                }
-                WOLFSSL_MSG("error requesting entropy from egd server");
-                ret = WOLFSSL_FATAL_ERROR;
-                break;
+        buf[idx]     = WOLFSSL_EGD_NBLOCK;
+        buf[idx + 1] = 255 - bytes; /* request 255 bytes from server */
+        ret = (int)write(fd, buf + idx, 2);
+        if (ret != 2) {
+            if (errno == EAGAIN) {
+                ret = WOLFSSL_SUCCESS;
+                continue;
             }
+            WOLFSSL_MSG("error requesting entropy from egd server");
+            ret = WOLFSSL_FATAL_ERROR;
+            break;
         }
 
         /* attempting to read */
@@ -43367,7 +43376,9 @@ err:
         const char* headerEnd = NULL;
         const char* footer = NULL;
         const char* footerEnd = NULL;
+    #ifdef HAVE_CRL
         DerBuffer* der = NULL;
+    #endif
 
         (void)cb;
 
@@ -43397,9 +43408,10 @@ err:
         /* Read the header and footer */
         while (wolfSSL_BIO_read(bio, &pem[i], 1) == 1) {
             i++;
-            if (!header)
+            if (!header) {
                 header = XSTRNSTR(pem, "-----BEGIN ", (unsigned int)i);
-            else if (header) {
+            }
+            else {
                 if (!headerEnd) {
                     headerEnd = XSTRNSTR(header + XSTR_SIZEOF("-----BEGIN "),
                             "-----",
@@ -43463,7 +43475,7 @@ err:
                     goto err;
                 }
             }
-#ifdef HAVE_CRL
+    #ifdef HAVE_CRL
             else if (headerEnd - header ==
                     XSTR_SIZEOF("-----BEGIN X509 CRL-----") &&
                     XMEMCMP(header, "-----BEGIN X509 CRL-----",
@@ -43481,7 +43493,7 @@ err:
                     goto err;
                 }
             }
-#endif
+    #endif
             else {
                 /* TODO support WOLFSSL_X509_PKEY as well */
                 WOLFSSL_MSG("Unsupported PEM structure");
@@ -43490,14 +43502,18 @@ err:
         }
 
         XFREE(pem, 0, DYNAMIC_TYPE_PEM);
+    #ifdef HAVE_CRL
         if (der)
             FreeDer(&der);
+    #endif
         return WOLFSSL_SUCCESS;
 err:
         if (pem)
             XFREE(pem, 0, DYNAMIC_TYPE_PEM);
+    #ifdef HAVE_CRL
         if (der)
             FreeDer(&der);
+    #endif
         return WOLFSSL_FAILURE;
 #endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */
     }
@@ -54855,7 +54871,10 @@ int wolfSSL_PEM_write_bio_PKCS8PrivateKey(WOLFSSL_BIO* bio,
             oidSz = 0;
         }
 
-        if (ret >= 0) {
+    #ifdef HAVE_ECC
+        if (ret >= 0)
+    #endif
+        {
             ret = wc_CreatePKCS8Key(key, &keySz, (byte*)pkey->pkey.ptr,
                                          pkey->pkey_sz, algId, curveOid, oidSz);
             keySz = ret;
@@ -55233,7 +55252,7 @@ int wolfSSL_X509_set_serialNumber(WOLFSSL_X509* x509, WOLFSSL_ASN1_INTEGER* s)
 int wolfSSL_X509_set_pubkey(WOLFSSL_X509 *cert, WOLFSSL_EVP_PKEY *pkey)
 {
     byte* p = NULL;
-    int derSz;
+    int derSz = 0;
     WOLFSSL_ENTER("wolfSSL_X509_set_pubkey");
 
     if (cert == NULL || pkey == NULL)

src/tls.c

@@ -5135,8 +5135,10 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, const byte* input,
                 WOLFSSL_MSG("Process client ticket rejected, bad TLS version");
                 ssl->options.rejectTicket = 1;
                 ret = 0;  /* not fatal */
-            } else if (ret == WOLFSSL_TICKET_RET_FATAL || ret < 0) {
+            } else if (ret == WOLFSSL_TICKET_RET_FATAL) {
                 WOLFSSL_MSG("Process client ticket fatal error, not using");
+            } else if (ret < 0) {
+                WOLFSSL_MSG("Process client ticket unknown error, not using");
             }
         }
     }
@@ -10242,6 +10244,9 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
                 }
             }
         }
+        if (ret != 0) {
+            return ret;
+        }
 #endif
 
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)

src/tls13.c

@@ -2303,7 +2303,7 @@ static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs)
 int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
                 int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay)
 {
-    int ret = 0;
+    int ret;
     BuildMsg13Args* args;
     BuildMsg13Args  lcl_args;
 #ifdef WOLFSSL_ASYNC_CRYPT
@@ -2314,8 +2314,8 @@ int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
 
     WOLFSSL_ENTER("BuildTls13Message");
 
-    ret = WC_NOT_PENDING_E;
 #ifdef WOLFSSL_ASYNC_CRYPT
+    ret = WC_NOT_PENDING_E;
     if (asyncOkay) {
         ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
         if (ret != WC_NOT_PENDING_E) {
@@ -2331,7 +2331,10 @@ int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
     }
 
     /* Reset state */
-    if (ret == WC_NOT_PENDING_E) {
+#ifdef WOLFSSL_ASYNC_CRYPT
+    if (ret == WC_NOT_PENDING_E)
+#endif
+    {
         ret = 0;
         ssl->options.buildMsgState = BUILD_MSG_BEGIN;
         XMEMSET(args, 0, sizeof(BuildMsg13Args));
@@ -3292,8 +3295,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         return INVALID_PARAMETER;
     }
 
-#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
     if (*extMsgType == server_hello) {
+#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
         ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
         if (ext != NULL)
             psk = (PreSharedKey*)ext->data;
@@ -3306,10 +3309,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         }
         else if ((ret = SetupPskKey(ssl, psk)) != 0)
             return ret;
-    }
 #endif
 
-    if (*extMsgType == server_hello) {
         ssl->keys.encryptionOn = 1;
         ssl->options.serverState = SERVER_HELLO_COMPLETE;
     }
@@ -3356,7 +3357,7 @@ static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input,
 #endif
 
     /* Length field of extension data. */
-    if (totalSz < i - begin + OPAQUE16_LEN)
+    if (totalSz < OPAQUE16_LEN)
         return BUFFER_ERROR;
     ato16(&input[i], &totalExtSz);
     i += OPAQUE16_LEN;
@@ -3433,7 +3434,7 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
     if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
 #endif
 
-    if ((*inOutIdx - begin) + OPAQUE8_LEN > size)
+    if (OPAQUE8_LEN > size)
         return BUFFER_ERROR;
 
     /* Length of the request context. */
@@ -3733,6 +3734,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
             continue;
         }
 
+    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
         ssl->options.sendVerify = 0;
 
         /* Derive the Finished message secret. */
@@ -3755,6 +3757,7 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
         current->chosen = 1;
         ext->resp = 1;
         break;
+    #endif
     }
 
     /* Hash the rest of the ClientHello. */
@@ -3762,7 +3765,10 @@ static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
     if (ret != 0)
         return ret;
 
-    if (current == NULL) {
+#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
+    if (current == NULL)
+#endif
+    {
 #ifdef WOLFSSL_PSK_ID_PROTECTION
     #ifndef NO_CERTS
         if (ssl->buffers.certChainCnt != 0)
@@ -4098,9 +4104,12 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     word32          i = *inOutIdx;
     word32          begin = i;
     word16          totalExtSz = 0;
-    int             usingPSK = 0;
     byte            sessIdSz = 0;
     int             wantDowngrade = 0;
+#if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
+                                                    defined(HAVE_TLS_EXTENSIONS)
+    int             usingPSK = 0;
+#endif
 
     WOLFSSL_START(WC_FUNC_CLIENT_HELLO_DO);
     WOLFSSL_ENTER("DoTls13ClientHello");
@@ -4114,7 +4123,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 #endif
 
     /* protocol version, random and session id length check */
-    if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
+    if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
         return BUFFER_ERROR;
 
     /* Protocol version */
@@ -4298,7 +4307,11 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
     }
 
-    if (!usingPSK) {
+#if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
+                                                    defined(HAVE_TLS_EXTENSIONS)
+    if (!usingPSK)
+#endif
+    {
         /* Not using PSK so don't require no KE. */
         ssl->options.noPskDheKe = 0;
 
@@ -5119,7 +5132,9 @@ static int SendTls13Certificate(WOLFSSL* ssl)
     word32 offset = OPAQUE16_LEN;
     byte*  p = NULL;
     byte   certReqCtxLen = 0;
+#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
     byte*  certReqCtx = NULL;
+#endif
 
 #ifdef OPENSSL_EXTRA
     WOLFSSL_X509* x509 = NULL;
@@ -5249,10 +5264,12 @@ static int SendTls13Certificate(WOLFSSL* ssl)
 
             /* Request context. */
             output[i++] = certReqCtxLen;
+        #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
             if (certReqCtxLen > 0) {
                 XMEMCPY(output + i, certReqCtx, certReqCtxLen);
                 i += certReqCtxLen;
             }
+        #endif
             length -= OPAQUE8_LEN + certReqCtxLen;
             fragSz -= OPAQUE8_LEN + certReqCtxLen;
             /* Certificate list length. */
@@ -8426,17 +8443,18 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
  */
 int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
 {
+#if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
     word16 havePSK = 0;
+#endif
     WOLFSSL_ENTER("SSL_accept_TLSv13()");
 
 #ifdef HAVE_ERRNO_H
     errno = 0;
 #endif
 
-#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
+#if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
     havePSK = ssl->options.havePSK;
 #endif
-    (void)havePSK;
 
     if (ssl->options.side != WOLFSSL_SERVER_END) {
         WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
@@ -8457,7 +8475,10 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
 
 #ifndef NO_CERTS
     /* allow no private key if using PK callbacks and CB is set */
-    if (!havePSK) {
+#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
+    if (!havePSK)
+#endif
+    {
         if (!ssl->buffers.certificate ||
             !ssl->buffers.certificate->buffer) {
 
@@ -8478,7 +8499,7 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
             return WOLFSSL_FATAL_ERROR;
         }
     }
-#endif
+#endif /* NO_CERTS */
 
     if (ssl->buffers.outputBuffer.length > 0
     #ifdef WOLFSSL_ASYNC_CRYPT

tests/api.c

@@ -19110,7 +19110,7 @@ static int test_wc_curve25519_make_key (void)
 /*
  * Testing wc_curve25519_shared_secret_ex
  */
-static int test_wc_curve25519_shared_secret_ex (void)
+static int test_wc_curve25519_shared_secret_ex(void)
 {
     int ret = 0;
 #if defined(HAVE_CURVE25519)
@@ -19126,9 +19126,9 @@ static int test_wc_curve25519_shared_secret_ex (void)
     ret = wc_curve25519_init(&private_key);
     if (ret == 0) {
         ret = wc_InitRng(&rng);
-        if (ret == 0) {
-            ret = wc_curve25519_make_key(&rng, CURVE25519_KEYSIZE, &private_key);
-        }
+    }
+    if (ret == 0) {
+        ret = wc_curve25519_make_key(&rng, CURVE25519_KEYSIZE, &private_key);
     }
     if (ret == 0) {
         ret = wc_curve25519_make_key(&rng, CURVE25519_KEYSIZE, &public_key);
@@ -19142,6 +19142,9 @@ static int test_wc_curve25519_shared_secret_ex (void)
     if (ret == 0) {
         ret = wc_curve25519_shared_secret_ex(NULL, NULL, NULL,
                                               0, endian);
+        if (ret == 0) {
+            ret = -1;
+        }
         if (ret == BAD_FUNC_ARG) {
             ret = 0;
         }
@@ -19149,28 +19152,40 @@ static int test_wc_curve25519_shared_secret_ex (void)
     if (ret == 0) {
         ret = wc_curve25519_shared_secret_ex(NULL, &public_key, out,
                                              &outLen, endian);
-        if (ret == BAD_FUNC_ARG) {
+        if (ret == 0) {
+            ret = -1;
+        }
+        else if (ret == BAD_FUNC_ARG) {
             ret = 0;
         }
     }
     if (ret == 0) {
         ret = wc_curve25519_shared_secret_ex(&private_key, NULL, out,
                                               &outLen, endian);
-        if (ret == BAD_FUNC_ARG) {
+        if (ret == 0) {
+            ret = -1;
+        }
+        else if (ret == BAD_FUNC_ARG) {
             ret = 0;
         }
     }
     if (ret == 0) {
         ret = wc_curve25519_shared_secret_ex(&private_key, &public_key, NULL,
                                               &outLen, endian);
-        if (ret == BAD_FUNC_ARG) {
+        if (ret == 0) {
+            ret = -1;
+        }
+        else if (ret == BAD_FUNC_ARG) {
             ret = 0;
         }
     }
     if (ret == 0) {
         ret = wc_curve25519_shared_secret_ex(&private_key, &public_key, out,
                                               NULL, endian);
-        if (ret == BAD_FUNC_ARG) {
+        if (ret == 0) {
+            ret = -1;
+        }
+        else if (ret == BAD_FUNC_ARG) {
             ret = 0;
         }
     }
@@ -19181,7 +19196,10 @@ static int test_wc_curve25519_shared_secret_ex (void)
         public_key.p.point[CURVE25519_KEYSIZE-1] = 0x8F;
         ret = wc_curve25519_shared_secret_ex(&private_key, &public_key, out,
                                               &outLen, endian);
-        if (ret == ECC_BAD_ARG_E) {
+        if (ret == 0) {
+            ret = -1;
+        }
+        else if (ret == ECC_BAD_ARG_E) {
            ret = 0;
         }
     }
@@ -19190,7 +19208,10 @@ static int test_wc_curve25519_shared_secret_ex (void)
     if (ret == 0) {
         ret = wc_curve25519_shared_secret_ex(&private_key, &public_key, out,
                                               &outLen, endian);
-        if (ret == BAD_FUNC_ARG) {
+        if (ret == 0) {
+            ret = -1;
+        }
+        else if (ret == BAD_FUNC_ARG) {
             ret = 0;
         }
     }
@@ -23293,6 +23314,9 @@ static int test_wc_SetSubjectBuffer (void)
             derSz = (word32)XFREAD(der, 1, FOURK_BUF, file);
             XFCLOSE(file);
         }
+        else {
+            ret = -1;
+        }
     }
     if (ret == 0) {
         ret = wc_InitCert(&cert);
@@ -23350,7 +23374,7 @@ static int test_wc_SetSubjectKeyIdFromPublicKey_ex (void)
     if (ret == 0) { /*ED25519*/
         ret = wc_ed25519_init(&ed25519Key);
         if (ret == 0) {
-            wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &ed25519Key);
+            ret = wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &ed25519Key);
         }
         if (ret == 0) {
             ret = wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ED25519_TYPE,
@@ -23375,7 +23399,7 @@ static int test_wc_SetSubjectKeyIdFromPublicKey_ex (void)
     if (ret == 0) { /*ECC*/
         ret = wc_ecc_init(&eccKey);
         if (ret == 0) {
-            wc_ecc_make_key(&rng, KEY14, &eccKey);
+            ret = wc_ecc_make_key(&rng, KEY14, &eccKey);
         }
         if (ret == 0) {
             ret = wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ECC_TYPE, &eccKey);
@@ -23389,7 +23413,7 @@ static int test_wc_SetSubjectKeyIdFromPublicKey_ex (void)
     if (ret == 0) { /*ED448*/
         ret = wc_ed448_init(&ed448Key);
         if (ret == 0) {
-            wc_ed448_make_key(&rng, ED448_KEY_SIZE, &ed448Key);
+            ret = wc_ed448_make_key(&rng, ED448_KEY_SIZE, &ed448Key);
         }
         if (ret == 0) {
             ret = wc_SetSubjectKeyIdFromPublicKey_ex(&cert, ED448_TYPE,
@@ -23441,7 +23465,7 @@ static int test_wc_SetAuthKeyIdFromPublicKey_ex (void)
     if (ret == 0) { /*ED25519*/
         ret = wc_ed25519_init(&ed25519Key);
         if (ret == 0) {
-            wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &ed25519Key);
+            ret = wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &ed25519Key);
         }
         if (ret == 0) {
             ret = wc_SetAuthKeyIdFromPublicKey_ex(&cert, ED25519_TYPE,
@@ -23466,7 +23490,7 @@ static int test_wc_SetAuthKeyIdFromPublicKey_ex (void)
     if (ret == 0) { /*ECC*/
         ret = wc_ecc_init(&eccKey);
         if (ret == 0) {
-            wc_ecc_make_key(&rng, KEY14, &eccKey);
+            ret = wc_ecc_make_key(&rng, KEY14, &eccKey);
         }
         if (ret == 0) {
             ret = wc_SetAuthKeyIdFromPublicKey_ex(&cert, ECC_TYPE, &eccKey);
@@ -23480,7 +23504,7 @@ static int test_wc_SetAuthKeyIdFromPublicKey_ex (void)
     if (ret == 0) { /*ED448*/
         ret = wc_ed448_init(&ed448Key);
         if (ret == 0) {
-            wc_ed448_make_key(&rng, ED448_KEY_SIZE, &ed448Key);
+            ret = wc_ed448_make_key(&rng, ED448_KEY_SIZE, &ed448Key);
         }
         if (ret == 0) {
             ret = wc_SetAuthKeyIdFromPublicKey_ex(&cert, ED448_TYPE,
@@ -25971,22 +25995,26 @@ static int test_wc_HashSetFlags(void)
     }
     /* For loop to test not supported cases */
     int notSupportedLen = (sizeof(notSupported)/sizeof(enum wc_HashType));
-    for (j = 0; j < notSupportedLen; j++){
+    for (j = 0; ret == 0 && j < notSupportedLen; j++){
+        ret = wc_HashInit(&hash, notSupported[j]);
         if (ret == 0) {
-            ret = wc_HashInit(&hash, notSupported[j]);
-            if (ret == BAD_FUNC_ARG){
+            ret = -1;
+        }
+        else if (ret == BAD_FUNC_ARG){
+            ret = wc_HashSetFlags(&hash, notSupported[j], flags);
+            if (ret == 0) {
+                ret = -1;
+            }
+            else if (ret == BAD_FUNC_ARG) {
                 ret = 0;
-                if (ret == 0){
-                    ret = wc_HashSetFlags(&hash, notSupported[j], flags);
-                    if (ret == BAD_FUNC_ARG) {
-                        ret = 0;
-                    }
-                }
             }
         }
         if (ret == 0) {
             ret = wc_HashFree(&hash, notSupported[j]);
-            if (ret ==  BAD_FUNC_ARG) {
+            if (ret == 0) {
+                ret = -1;
+            }
+            else if (ret == BAD_FUNC_ARG) {
                 ret = 0;
             }
         }
@@ -26068,22 +26096,26 @@ static int test_wc_HashGetFlags(void)
     }
     /* For loop to test not supported cases */
     int notSupportedLen = (sizeof(notSupported)/sizeof(enum wc_HashType));
-    for (j = 0; j < notSupportedLen; j++){
+    for (j = 0; ret == 0 && j < notSupportedLen; j++){
+        ret = wc_HashInit(&hash, notSupported[j]);
         if (ret == 0) {
-            ret = wc_HashInit(&hash, notSupported[j]);
-            if (ret == BAD_FUNC_ARG){
+            ret = -1;
+        }
+        else if (ret == BAD_FUNC_ARG){
+            ret = wc_HashGetFlags(&hash, notSupported[j], &flags);
+            if (ret == 0) {
+                ret = -1;
+            }
+            else if (ret == BAD_FUNC_ARG) {
                 ret = 0;
-                if (ret == 0){
-                    ret = wc_HashGetFlags(&hash, notSupported[j], &flags);
-                    if (ret == BAD_FUNC_ARG) {
-                        ret = 0;
-                    }
-                }
             }
         }
         if (ret == 0) {
             ret = wc_HashFree(&hash, notSupported[j]);
-            if (ret ==  BAD_FUNC_ARG) {
+            if (ret == 0) {
+                ret = -1;
+            }
+            if (ret == BAD_FUNC_ARG) {
                 ret = 0;
             }
         }
@@ -36550,6 +36582,9 @@ static void test_wolfSSL_EVP_PKEY_assign(void)
     AssertIntEQ(wolfSSL_EVP_PKEY_assign(pkey,type,ecKey), WOLFSSL_SUCCESS);
     wolfSSL_EVP_PKEY_free(pkey);
 #endif /* HAVE_ECC */
+
+    (void)type;
+
     printf(resultFmt, passed);
 #endif /* OPENSSL_ALL */
 }
@@ -42890,6 +42925,7 @@ static int test_wolfSSL_THREADID_hash(void)
     AssertTrue(1);
     res = CRYPTO_THREADID_hash(NULL);
     AssertTrue( res == 0UL);
+    XMEMSET(&id, 0, sizeof(id));
     res = CRYPTO_THREADID_hash(&id);
     AssertTrue( res == 0UL);
     printf(resultFmt, passed);
@@ -42918,6 +42954,8 @@ static void test_wolfSSL_CTX_get_min_proto_version(void)
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
     WOLFSSL_CTX *ctx;
 
+    (void)ctx;
+
     printf(testingFmt, "wolfSSL_CTX_get_min_proto_version()");
 
     #ifndef NO_OLD_TLS
@@ -43027,6 +43065,9 @@ static void test_wolfSSL_SSL_in_init(void)
 #elif defined(HAVE_ECC)
         testCertFile = eccCertFile;
         testKeyFile = eccKeyFile;
+#else
+        testCertFile = NULL;
+        testKeyFile = NULL;
 #endif
         if  (testCertFile != NULL && testKeyFile != NULL) {
             AssertTrue(SSL_CTX_use_certificate_file(ctx, testCertFile,
@@ -43208,6 +43249,9 @@ static void test_wolfSSL_set_psk_use_session_callback(void)
 #elif defined(HAVE_ECC)
         testCertFile = eccCertFile;
         testKeyFile = eccKeyFile;
+#else
+        testCertFile = NULL;
+        testKeyFile = NULL;
 #endif
         if  (testCertFile != NULL && testKeyFile != NULL) {
             AssertTrue(SSL_CTX_use_certificate_file(ctx, testCertFile,

wolfcrypt/src/asn.c

@@ -10064,7 +10064,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
                         cert->ca->keyOID, cert->signature,
                         cert->sigLength, cert->signatureOID,
                         tsip_encRsaKeyIdx)) != 0) {
-                    if (ret != 0 && ret != WC_PENDING_E) {
+                    if (ret != WC_PENDING_E) {
                         WOLFSSL_MSG("Confirm signature failed");
                     }
                     return ret;
@@ -11176,8 +11176,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
                          * then strip this padding before proceeding:
                          * der->length -= padVal;
                          */
-                        if (der->length > 0 &&
-                            der->length > DES_BLOCK_SIZE &&
+                        if (der->length > DES_BLOCK_SIZE &&
                             (der->length % DES_BLOCK_SIZE) != 0) {
                             padVal = der->buffer[der->length-1];
                             if (padVal < DES_BLOCK_SIZE) {
@@ -16525,10 +16524,12 @@ static int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 *inLen,
     totalSz = prvidx + pubidx + curveidx + verSz + seqSz;
     if (output == NULL) {
         *inLen = totalSz;
+    #ifndef WOLFSSL_NO_MALLOC
         XFREE(prv, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
-        if (pubIn) {
+        if (pub) {
             XFREE(pub, key->heap, DYNAMIC_TYPE_TMP_BUFFER);
         }
+    #endif
         return LENGTH_ONLY_E;
     }
     if (inLen != NULL && totalSz > (int)*inLen) {
@@ -18126,7 +18127,10 @@ static int ParseCRL_CertList(DecodedCRL* dcrl, const byte* buf,
         word32* inOutIdx, int sz)
 {
     word32 oid, dateIdx, idx, checkIdx;
-    int version, doNextDate = 1;
+    int version;
+#ifdef WOLFSSL_NO_CRL_NEXT_DATE
+    int doNextDate = 1;
+#endif
     byte tag;
 
     if (dcrl == NULL || inOutIdx == NULL || buf == NULL) {
@@ -18165,7 +18169,10 @@ static int ParseCRL_CertList(DecodedCRL* dcrl, const byte* buf,
 #endif
     }
 
-    if (doNextDate) {
+#ifdef WOLFSSL_NO_CRL_NEXT_DATE
+    if (doNextDate)x
+#endif
+    {
 #ifndef NO_ASN_TIME
         if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
             WOLFSSL_MSG("CRL after date is no longer valid");

wolfcrypt/src/curve25519.c

@@ -112,13 +112,12 @@ int wc_curve25519_generic(int public_size, byte* pub,
                           int private_size, const byte* priv,
                           int basepoint_size, const byte* basepoint)
 {
-    int ret;
-
 #ifdef FREESCALE_LTC_ECC
     /* unsupported with NXP LTC, onlly supports single basepoint with
      * nxp_ltc_curve25519_GetBasePoint() */
     return WC_HW_E;
 #else
+    int ret;
 
     if ((public_size != CURVE25519_KEYSIZE) ||
         (private_size != CURVE25519_KEYSIZE) ||
@@ -147,7 +146,6 @@ int wc_curve25519_generic(int public_size, byte* pub,
     #endif
 
     return ret;
-
 #endif /* FREESCALE_LTC_ECC */
 }
 

wolfcrypt/src/des3.c

@@ -719,9 +719,17 @@
     int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv, int dir)
     {
         int ret = 0;
-        byte* dkey1 = (byte*)des->key[0];
-        byte* dkey2 = (byte*)des->key[1];
-        byte* dkey3 = (byte*)des->key[2];
+        byte* dkey1;
+        byte* dkey2;
+        byte* dkey3;
+
+        if (des == NULL || key == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
+        dkey1 = (byte*)des->key[0];
+        dkey2 = (byte*)des->key[1];
+        dkey3 = (byte*)des->key[2];
 
         XMEMCPY(dkey1, key, 8);         /* set key 1 */
         XMEMCPY(dkey2, key + 8, 8);     /* set key 2 */
@@ -835,9 +843,17 @@
     int wc_Des3_SetKey(Des3* des, const byte* key, const byte* iv, int dir)
     {
         int i = 0, ret = 0;
-        byte* dkey1 = (byte*)des->key[0];
-        byte* dkey2 = (byte*)des->key[1];
-        byte* dkey3 = (byte*)des->key[2];
+        byte* dkey1;
+        byte* dkey2;
+        byte* dkey3;
+
+        if (des == NULL || key == NULL) {
+            return BAD_FUNC_ARG;
+        }
+
+        dkey1 = (byte*)des->key[0];
+        dkey2 = (byte*)des->key[1];
+        dkey3 = (byte*)des->key[2];
 
         XMEMCPY(dkey1, key, 8);         /* set key 1 */
         XMEMCPY(dkey2, key + 8, 8);     /* set key 2 */
@@ -1771,9 +1787,9 @@ int wc_Des3_SetIV(Des3* des, const byte* iv)
     if (des == NULL) {
         return BAD_FUNC_ARG;
     }
-    if (des && iv)
+    if (iv)
         XMEMCPY(des->reg, iv, DES_BLOCK_SIZE);
-    else if (des)
+    else
         XMEMSET(des->reg,  0, DES_BLOCK_SIZE);
 
     return 0;

wolfcrypt/src/ecc.c

@@ -5081,7 +5081,8 @@ static int wc_ecc_sign_hash_hw(const byte* in, word32 inlen,
         }
         hash_mode = cc310_hashModeECC(msgLenInBytes);
         if (hash_mode == CRYS_ECPKI_HASH_OpModeLast) {
-            hash_mode = cc310_hashModeECC(keysize);
+            (void)cc310_hashModeECC(keysize);
+            /* Ignoring returned value */
             hash_mode = CRYS_ECPKI_HASH_SHA256_mode;
 
         }
@@ -8139,22 +8140,24 @@ int wc_ecc_import_x963_ex(const byte* in, word32 inLen, ecc_key* key,
     if (err == MP_OKAY)
         err = mp_set(key->pubkey.z, 1);
 
-#ifdef WOLFSSL_SILABS_SE_ACCEL
-    err = silabs_ecc_import(key, keysize);
-#endif
 #ifdef WOLFSSL_CRYPTOCELL
-    pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(key->dp->id));
+    if (err == MP_OKAY) {
+        pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(key->dp->id));
 
-    /* create public key from external key buffer */
-    err = CRYS_ECPKI_BuildPublKeyFullCheck(pDomain,
-                                           (byte*)in-1, /* re-adjust */
-                                           inLen+1,     /* original input */
-                                           &key->ctx.pubKey,
-                                           &tempBuff);
+        /* create public key from external key buffer */
+        err = CRYS_ECPKI_BuildPublKeyFullCheck(pDomain,
+                                               (byte*)in-1, /* re-adjust */
+                                               inLen+1,     /* original input */
+                                               &key->ctx.pubKey,
+                                               &tempBuff);
 
-    if (err != SA_SILIB_RET_OK){
-        WOLFSSL_MSG("CRYS_ECPKI_BuildPublKeyFullCheck failed");
+        if (err != SA_SILIB_RET_OK){
+            WOLFSSL_MSG("CRYS_ECPKI_BuildPublKeyFullCheck failed");
+        }
     }
+#elif defined(WOLFSSL_SILABS_SE_ACCEL)
+    if (err == MP_OKAY)
+        err = silabs_ecc_import(key, keysize);
 #endif
 #ifdef WOLFSSL_VALIDATE_ECC_IMPORT
     if (err == MP_OKAY)
@@ -8345,8 +8348,8 @@ int wc_ecc_import_private_key_ex(const byte* priv, word32 privSz,
 
 #ifdef WOLFSSL_CRYPTOCELL
     pDomain = CRYS_ECPKI_GetEcDomain(cc310_mapCurve(key->dp->id));
-    /* import private key */
-    if (priv != NULL && priv[0] != '\0') {
+    /* import private key - priv checked for NULL at top */
+    if (priv[0] != '\0') {
 
         /* Create private key from external key buffer*/
         ret = CRYS_ECPKI_BuildPrivKey(pDomain,
@@ -8368,10 +8371,11 @@ int wc_ecc_import_private_key_ex(const byte* priv, word32 privSz,
     if (ret == MP_OKAY) {
         if (pub) {
             ret = silabs_ecc_import(key, key->dp->size);
-        } else
-        {
+        }
+        else {
             ret = silabs_ecc_import_private(key, key->dp->size);
         }
+    }
 #elif defined(WOLFSSL_QNX_CAAM)
     if ((wc_ecc_size(key) + WC_CAAM_MAC_SZ) == (int)privSz) {
         int part = caamFindUnusuedPartition();

wolfcrypt/src/eccsi.c

@@ -543,7 +543,7 @@ static int eccsi_decode_point(ecc_point* point, word32 size, const byte* data,
 {
     int err = 0;
 
-    if ((err == 0) && (sz != size * 2) && (sz != size * 2 + 1)) {
+    if ((sz != size * 2) && (sz != size * 2 + 1)) {
         err = BUFFER_E;
     }
 

wolfcrypt/src/evp.c

@@ -4289,14 +4289,13 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
                         ret = WOLFSSL_FAILURE;
                         break;
                     }
+                    /* arg is 4...(ctx->ivSz - 8) */
+                    XMEMCPY(ctx->iv, ptr, arg);
                     if (wc_InitRng(&rng) != 0) {
                         WOLFSSL_MSG("wc_InitRng failed");
                         ret = WOLFSSL_FAILURE;
                         break;
                     }
-                    if (arg) {
-                        XMEMCPY(ctx->iv, ptr, arg);
-                    }
                     if (wc_RNG_GenerateBlock(&rng, ctx->iv   + arg,
                                                    ctx->ivSz - arg) != 0) {
                         /* rng is freed immediately after if block so no need
@@ -6373,7 +6372,7 @@ int wolfSSL_EVP_PKEY_set1_DH(WOLFSSL_EVP_PKEY *pkey, WOLFSSL_DH *key)
         ret = wc_DhParamsToDer(dhkey,NULL,&derSz);
     }
 
-    if (derSz <= 0 || ret != LENGTH_ONLY_E) {
+    if (derSz == 0 || ret != LENGTH_ONLY_E) {
        WOLFSSL_MSG("Failed to get size of DH Key");
        return WOLFSSL_FAILURE;
     }

wolfcrypt/src/integer.c

@@ -686,7 +686,8 @@ int mp_mod_2d (mp_int * a, int b, mp_int * c)
   /* clear the digit that is not completely outside/inside the modulus */
   x = DIGIT_BIT - (b % DIGIT_BIT);
   if (x != DIGIT_BIT) {
-    c->dp[b / DIGIT_BIT] &= ~((mp_digit)0) >> (x + ((sizeof(mp_digit)*8) - DIGIT_BIT));
+    c->dp[b / DIGIT_BIT] &=
+         ((mp_digit)~((mp_digit)0)) >> (x + ((sizeof(mp_digit)*8) - DIGIT_BIT));
   }
   mp_clamp (c);
   return MP_OKAY;

wolfcrypt/src/pkcs12.c

@@ -58,6 +58,7 @@ enum {
     WC_PKCS12_ENCRYPTED_DATA = 656,
 
     WC_PKCS12_DATA_OBJ_SZ = 11,
+    WC_PKCS12_MAC_SALT_SZ = 8,
 };
 
 static const byte WC_PKCS12_ENCRYPTED_OID[] =
@@ -1442,7 +1443,7 @@ static int wc_PKCS12_shroud_key(WC_PKCS12* pkcs12, WC_RNG* rng,
     word32 sz;
     word32 totalSz = 0;
     int ret;
-
+    byte* pkcs8Key = NULL;
 
     if (outSz == NULL || pkcs12 == NULL || rng == NULL || key == NULL ||
             pass == NULL) {
@@ -1455,6 +1456,7 @@ static int wc_PKCS12_shroud_key(WC_PKCS12* pkcs12, WC_RNG* rng,
     if (out != NULL) {
         tmpIdx += MAX_LENGTH_SZ + 1; /* save room for length and tag (+1) */
         sz = *outSz - tmpIdx;
+        pkcs8Key = out + tmpIdx;
     }
 
     /* case of no encryption */
@@ -1472,8 +1474,8 @@ static int wc_PKCS12_shroud_key(WC_PKCS12* pkcs12, WC_RNG* rng,
         }
 
         /* PKCS#8 wrapping around key */
-        ret = wc_CreatePKCS8Key(out + tmpIdx, &sz, key, keySz, algoID,
-                curveOID, oidSz);
+        ret = wc_CreatePKCS8Key(pkcs8Key, &sz, key, keySz, algoID, curveOID,
+                oidSz);
     }
     else {
         WOLFSSL_MSG("creating PKCS12 Shrouded Key Bag");
@@ -1483,7 +1485,7 @@ static int wc_PKCS12_shroud_key(WC_PKCS12* pkcs12, WC_RNG* rng,
             vAlgo = 10;
         }
 
-        ret = UnTraditionalEnc(key, keySz, out + tmpIdx, &sz, pass, passSz,
+        ret = UnTraditionalEnc(key, keySz, pkcs8Key, &sz, pass, passSz,
                 vPKCS, vAlgo, NULL, 0, itt, rng, heap);
     }
     if (ret == LENGTH_ONLY_E) {
@@ -2354,8 +2356,9 @@ WC_PKCS12* wc_PKCS12_create(char* pass, word32 passSz, char* name,
         mac->itt = macIter;
 
         /* set mac salt */
-        mac->saltSz = 8;
-        mac->salt = (byte*)XMALLOC(mac->saltSz, heap, DYNAMIC_TYPE_PKCS);
+        mac->saltSz = WC_PKCS12_MAC_SALT_SZ;
+        mac->salt = (byte*)XMALLOC(WC_PKCS12_MAC_SALT_SZ, heap,
+                DYNAMIC_TYPE_PKCS);
         if (mac->salt == NULL) {
             wc_PKCS12_free(pkcs12);
             wc_FreeRng(&rng);

wolfcrypt/src/port/ti/ti-hash.c

@@ -107,6 +107,9 @@ static int hashGetHash(wolfssl_TI_Hash *hash, byte* result, word32 algo, word32
 
     XMEMSET(h, 0, sizeof(h));
 #endif
+    if (result == NULL) {
+        return BAD_FUNC_ARG;
+    }
     XMEMCPY(result, h, hsize);
 
     return 0;

wolfcrypt/src/random.c

@@ -363,10 +363,8 @@ static int Hash_df(DRBG_internal* drbg, byte* out, word32 outSz, byte type,
     #endif
         if (ret != 0)
             break;
-
-        if (ret == 0)
 #endif
-            ret = wc_Sha256Update(sha, &ctr, sizeof(ctr));
+        ret = wc_Sha256Update(sha, &ctr, sizeof(ctr));
         if (ret == 0) {
             ctr++;
             ret = wc_Sha256Update(sha, (byte*)&bits, sizeof(bits));

wolfcrypt/src/rsa.c

@@ -1282,11 +1282,10 @@ static int RsaPad_PSS(const byte* input, word32 inputLen, byte* pkcsBlock,
         }
     }
 
-    #if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
-        if (msg != NULL) {
-            XFREE(msg, heap, DYNAMIC_TYPE_RSA_BUFFER);
-        }
-    #endif
+#if !defined(WOLFSSL_NO_MALLOC) || defined(WOLFSSL_STATIC_MEMORY)
+    /* msg is always not NULL as we bail on allocation failure */
+    XFREE(msg, heap, DYNAMIC_TYPE_RSA_BUFFER);
+#endif
     return ret;
 }
 #endif /* WC_RSA_PSS */
@@ -2284,16 +2283,19 @@ static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
     tmp = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_RSA);
     if (tmp == NULL)
         return MEMORY_E;
-#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
 #ifdef WC_RSA_BLINDING
+#if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
     rnd = (mp_int*)XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA);
     if (rnd == NULL) {
         XFREE(tmp, key->heap, DYNAMIC_TYPE_RSA);
         return MEMORY_E;
     }
     rndi = rnd + 1;
-#endif /* WC_RSA_BLINDING */
+#else
+    rnd = NULL;
+    rndi = NULL;
 #endif
+#endif /* WC_RSA_BLINDING */
 #endif /* WOLFSSL_SMALL_STACK */
 
     if (mp_init(tmp) != MP_OKAY)

wolfcrypt/src/sakke.c

@@ -862,7 +862,7 @@ static int sakke_decode_point(ecc_point* point, word32 size, const byte* data,
 {
     int err = 0;
 
-    if ((err == 0) && (sz != size * 2) && (sz != size * 2 + 1)) {
+    if ((sz != size * 2) && (sz != size * 2 + 1)) {
         err = BUFFER_E;
     }
 
@@ -2522,9 +2522,8 @@ static int sakke_modexp_loop(SakkeKey* key, mp_int* b, mp_int* e, mp_proj* r,
     /* Set c[0] to [mont_one, zero] */
     if (err == 0) {
         mp_zero(c[0]->y);
-    }
-    /* Set by is montgomery form of b - base */
-    if (err == 0) {
+
+        /* Set 'by' to montgomery form of 'b' - base */
         err = mp_mulmod(b, c[0]->x, prime, by);
     }
     for (i = mp_count_bits(&key->params.q) - 1; (err == 0) && (i >= 0); i--) {
@@ -6120,7 +6119,7 @@ static int sakke_hash_to_range(SakkeKey* key, enum wc_HashType hashType,
     int err = 0;
     byte h[WC_MAX_DIGEST_SIZE];
     byte v[WC_MAX_DIGEST_SIZE];
-    word32 hashSz = 0;
+    word32 hashSz = 1;
     word32 i;
 
     /* Step 1: A = hashfn( s ), where s = data | extra

wolfcrypt/src/srp.c

@@ -479,7 +479,7 @@ int wc_SrpGetVerifier(Srp* srp, byte* verifier, word32* size)
         return MP_INIT_E;
 
     /* v = g ^ x % N */
-    if (!r) r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &v);
+    r = mp_exptmod(&srp->g, &srp->auth, &srp->N, &v);
     if (!r) r = *size < (word32)mp_unsigned_bin_size(&v) ? BUFFER_E : MP_OKAY;
     if (!r) r = mp_to_unsigned_bin(&v, verifier);
     if (!r) *size = mp_unsigned_bin_size(&v);
@@ -511,7 +511,7 @@ int wc_SrpSetPrivate(Srp* srp, const byte* priv, word32 size)
     r = mp_init(&p);
     if (r != MP_OKAY)
         return MP_INIT_E;
-    if (!r) r = mp_read_unsigned_bin(&p, priv, size);
+    r = mp_read_unsigned_bin(&p, priv, size);
     if (!r) r = mp_mod(&p, &srp->N, &srp->priv);
     if (!r) r = mp_iszero(&srp->priv) == MP_YES ? SRP_BAD_KEY_E : 0;
 

wolfcrypt/src/wc_port.c

@@ -1601,7 +1601,7 @@ int wolfSSL_CryptHwMutexUnLock(void)
 
     void *uITRON4_realloc(void *p, size_t sz) {
       ER ercd;
-      void *newp;
+      void *newp = NULL;
       if(p) {
           ercd = get_mpl(ID_wolfssl_MPOOL, sz, (VP)&newp);
           if (ercd == E_OK) {
@@ -1695,7 +1695,7 @@ int wolfSSL_CryptHwMutexUnLock(void)
 
     void *uTKernel_realloc(void *p, unsigned int sz) {
       ER ercd;
-      void *newp;
+      void *newp = NULL;
       if (p) {
           ercd = tk_get_mpl(ID_wolfssl_MPOOL, sz, (VP)&newp, TMO_FEVR);
           if (ercd == E_OK) {

wolfcrypt/test/test.c

@@ -4639,6 +4639,8 @@ static int rc2_ecb_test(void)
     h.keyLen = 33;
     h.effectiveKeyBits = 129;
 
+    a.iv = b.iv = c.iv = d.iv = e.iv = f.iv = g.iv = h.iv = NULL;
+
     test_rc2[0] = a;
     test_rc2[1] = b;
     test_rc2[2] = c;
@@ -4723,7 +4725,6 @@ static int rc2_cbc_test(void)
     /* key length = 8, effective key bits = 64 */
     c.input  = "\x10\x00\x00\x00\x00\x00\x00\x01"
                "\x10\x00\x00\x00\x00\x00\x00\x01";
-    c.output = "\x30\x64\x9e\xdf\x9b\xe7\xd2\xc2";
     c.output = "\xB5\x70\x14\xA2\x5F\x40\xE3\x6D"
                "\x81\x99\x8D\xE0\xB5\xD5\x3A\x05";
     c.key    = "\x30\x00\x00\x00\x00\x00\x00\x00";
@@ -14769,8 +14770,10 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void)
     !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096) && \
     !defined(NO_FILESYSTEM)
     XFILE   file;
+#ifdef WOLFSSL_TEST_CERT
     XFILE   file2;
 #endif
+#endif
 #ifdef WOLFSSL_TEST_CERT
 #ifdef WOLFSSL_SMALL_STACK
     DecodedCert *cert = (DecodedCert *)XMALLOC(sizeof *cert, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
@@ -15410,6 +15413,13 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void)
         return ret;
 #endif
 
+#if !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_ASN) && \
+    !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \
+    !defined(USE_CERT_BUFFERS_3072) && !defined(USE_CERT_BUFFERS_4096)
+    (void)clientCert;
+#endif
+
+#ifdef WOLFSSL_TEST_CERT
 #if defined(WOLFSSL_MDK_ARM)
     #define sizeof(s) XSTRLEN((char *)(s))
 #endif
@@ -15443,7 +15453,6 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void)
     #undef sizeof
 #endif
 
-#ifdef WOLFSSL_TEST_CERT
     InitDecodedCert(cert, tmp, (word32)bytes, 0);
 
     ret = ParseCert(cert, CERT_TYPE, NO_VERIFY, 0);
@@ -15453,7 +15462,7 @@ WOLFSSL_TEST_SUBROUTINE int rsa_test(void)
     }
 
     FreeDecodedCert(cert);
-#endif
+#endif /* WOLFSSL_TEST_CERT */
 
 #ifdef WOLFSSL_CERT_EXT
 
@@ -18044,8 +18053,9 @@ WOLFSSL_TEST_SUBROUTINE int openssl_test(void)
     ret = EVP_DigestInit(&md_ctx, EVP_md5());
     if (ret == WOLFSSL_SUCCESS) {
         ret = EVP_DigestUpdate(&md_ctx, a.input, (unsigned long)a.inLen);
-        if (ret == WOLFSSL_SUCCESS)
-            ret = EVP_DigestFinal(&md_ctx, hash, 0);
+    }
+    if (ret == WOLFSSL_SUCCESS) {
+        ret = EVP_DigestFinal(&md_ctx, hash, 0);
     }
     EVP_MD_CTX_cleanup(&md_ctx);
     if (ret != WOLFSSL_SUCCESS ||
@@ -23470,6 +23480,8 @@ WOLFSSL_TEST_SUBROUTINE int ecc_test(void)
 #ifndef WC_NO_RNG
     if (ret != 0)
         return -10300;
+#else
+    (void)ret;
 #endif
 
 #if (defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 112

wolfcrypt/user-crypto/src/rsa.c

@@ -1644,7 +1644,7 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
 {
     int sz, pSz, qSz;
     IppStatus ret;
-    word32 outSz = outLen;
+    word32 outSz;
 
     IppsMontState* pMont = NULL;
     IppsMontState* qMont = NULL;