configure.ac:

  if ENABLED_LINUXKM_PIE, add -DWOLFSSL_NO_OCSP_ISSUER_CHECK to gate out backward dependency in asn.c;

  if ENABLE_LINUXKM, don't error on FIPS without thread_ls_on;

  for --enable-curl, set ENABLED_MD4="yes", and move --enable-md4 AC_ARG_ENABLE() clause up to a position adjacent to des3 handling;

scripts/sniffer-gen.sh: fix illegal exit code (SC2242);

src/internal.c: fix clang-analyzer-core.NonNullParamChecker in CreateTicket();

src/ocsp.c: fix readability-redundant-preprocessor;

src/tls.c: fix empty-body in TLSX_PskKeModes_Parse() and clang-diagnostic-unreachable-code-break in ALPN_Select();

tests/api.c: fix several clang-analyzer-core.NullDereference related to Expect*() refactor;

wolfcrypt/src/asn.c:

  fix -Wconversions in DecodeAuthKeyId() and ParseCertRelative();

  fix readability-redundant-declaration re GetCA() and GetCAByName();

  gate inclusion of wolfssl/internal.h on !defined(WOLFCRYPT_ONLY);

wolfssl/internal.h: add macro-detection gating around GetCA() and GetCAByName() prototypes matching gates in wolfcrypt/src/asn.c;

tests/utils.c: in create_tmp_dir(), use one-arg variant of mkdir() if defined(__CYGWIN__) || defined(__MINGW32__).

configure.ac

@@ -508,6 +508,9 @@ AC_SUBST([ENABLED_LINUXKM_BENCHMARKS])
 if test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
 then
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_CONST -DWOLFSSL_SP_MOD_WORD_RP -DWOLFSSL_SP_DIV_64 -DWOLFSSL_SP_DIV_WORD_HALF -DWOLFSSL_SMALL_STACK_STATIC -DWOLFSSL_TEST_SUBROUTINE=static"
+    if test "$ENABLED_LINUXKM_PIE" = "yes"; then
+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_OCSP_ISSUER_CHECK"
+    fi
     if test "$ENABLED_FIPS" = "no"; then
         AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OLD_PRIME_CHECK"
     fi
@@ -4391,6 +4394,14 @@ then
 fi
 
 
+# MD4
+AC_ARG_ENABLE([md4],
+    [AS_HELP_STRING([--enable-md4],[Enable MD4 (default: disabled)])],
+    [ ENABLED_MD4=$enableval ],
+    [ ENABLED_MD4=no ]
+    )
+
+
 # DES3
 AC_ARG_ENABLE([des3],
     [AS_HELP_STRING([--enable-des3],[Enable DES3 (default: disabled)])],
@@ -4701,7 +4712,7 @@ AS_CASE([$FIPS_VERSION],
         AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"])
     ])
 
-AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno"],
+AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno" && test "$ENABLE_LINUXKM" = "no"],
     [AC_MSG_ERROR([FIPS requires Thread Local Storage])])
 
 
@@ -6299,6 +6310,11 @@ AC_ARG_ENABLE([curl],
 # curl support requires all the features enabled within this conditional.
 if test "$ENABLED_CURL" = "yes"
 then
+    if test "$ENABLED_MD4" = "no"
+    then
+        ENABLED_MD4="yes"
+    fi
+
     if test "x$ENABLED_DES3" = "xno"
     then
         ENABLED_DES3="yes"
@@ -6513,14 +6529,6 @@ then
     fi
 fi
 
-# MD4
-AC_ARG_ENABLE([md4],
-    [AS_HELP_STRING([--enable-md4],[Enable MD4 (default: disabled)])],
-    [ ENABLED_MD4=$enableval ],
-    [ ENABLED_MD4=no ]
-    )
-
-
 if test "$ENABLED_MD4" = "no"
 then
     #turn on MD4 if using stunnel
@@ -8933,14 +8941,10 @@ fi
 
 if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes"
 then
-    ESCAPED_ARGS="$ac_configure_args"
-    ESCAPED_ARGS=$(echo "$ESCAPED_ARGS" | sed 's/\\/\\\\/g')
-    ESCAPED_ARGS=$(echo "$ESCAPED_ARGS" | sed 's/\"/\\\"/g')
-    ESCAPED_GLOBAL_ARGS="$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS"
-    ESCAPED_GLOBAL_ARGS=$(echo "$ESCAPED_GLOBAL_ARGS" | sed 's/\\/\\\\/g')
-    ESCAPED_GLOBAL_ARGS=$(echo "$ESCAPED_GLOBAL_ARGS" | sed 's/\"/\\\"/g')
+    ESCAPED_ARGS=$(echo "$ac_configure_args" | sed 's/\\/\\\\/g;s/\"/\\\"/g')
+    ESCAPED_GLOBAL_CFLAGS=$(echo "$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS" | sed 's/\\/\\\\/g;s/\"/\\\"/g')
     echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ESCAPED_ARGS\"" > "${output_objdir}/.build_params" &&
-        echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$ESCAPED_GLOBAL_ARGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> "${output_objdir}/.build_params" ||
+        echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$ESCAPED_GLOBAL_CFLAGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> "${output_objdir}/.build_params" ||
         AC_MSG_ERROR([Couldn't create ${output_objdir}/.build_params.])
 else
     rm -f "${output_objdir}/.build_params"

scripts/sniffer-gen.sh

@@ -65,7 +65,7 @@ run_sequence() {
         run_test "" "-v 4 -g" "-v 4 -J"
     else
         echo "Invalid test"
-        exit -1
+        exit 1
     fi
 }
 

src/internal.c

@@ -35791,6 +35791,11 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     #endif
 
         if (!ssl->options.tls1_3) {
+            if (ssl->arrays == NULL) {
+                WOLFSSL_MSG("CreateTicket called with null arrays");
+                ret = BAD_FUNC_ARG;
+                goto error;
+            }
             XMEMCPY(it->msecret, ssl->arrays->masterSecret, SECRET_LEN);
 #ifndef NO_ASN_TIME
             c32toa(LowResTimer(), it->timestamp);

src/ocsp.c

@@ -549,8 +549,6 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
     return ret;
 }
 
-#ifdef HAVE_OCSP
-
 #ifndef WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
 static int CheckOcspResponderChain(OcspEntry* single, DecodedCert *cert,
         void* vp) {
@@ -646,7 +644,6 @@ int CheckOcspResponder(OcspResponse *bs, DecodedCert *cert, void* vp)
     }
     return ret;
 }
-#endif /* HAVE_OCSP */
 
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
     defined(WOLFSSL_APACHE_HTTPD) || defined(HAVE_LIGHTY)

src/tls.c

@@ -1693,7 +1693,6 @@ int ALPN_Select(WOLFSSL *ssl)
                 SendAlert(ssl, alert_fatal, no_application_protocol);
                 WOLFSSL_ERROR_VERBOSE(UNKNOWN_ALPN_PROTOCOL_NAME_E);
                 return UNKNOWN_ALPN_PROTOCOL_NAME_E;
-                break;
         }
     }
     else
@@ -10290,8 +10289,10 @@ static int TLSX_PskKeModes_Parse(WOLFSSL* ssl, const byte* input, word16 length,
     if (ret == 0)
         ret = TLSX_PskKeyModes_Use(ssl, modes);
 
-    if (ret != 0)
+    if (ret != 0) {
         WOLFSSL_ERROR_VERBOSE(ret);
+    }
+
     return ret;
 }
 

tests/api.c

@@ -40233,12 +40233,15 @@ static int test_wolfSSL_BIO_gets(void)
     ExpectNotNull(emp_bm = BUF_MEM_new());
     ExpectNotNull(msg_bm = BUF_MEM_new());
     ExpectIntEQ(BUF_MEM_grow(msg_bm, sizeof(msg)), sizeof(msg));
-    XFREE(msg_bm->data, NULL, DYNAMIC_TYPE_OPENSSL);
+    if (EXPECT_SUCCESS())
+        XFREE(msg_bm->data, NULL, DYNAMIC_TYPE_OPENSSL);
     /* emp size is 1 for terminator */
     ExpectIntEQ(BUF_MEM_grow(emp_bm, sizeof(emp)), sizeof(emp));
-    XFREE(emp_bm->data, NULL, DYNAMIC_TYPE_OPENSSL);
-    emp_bm->data = emp;
-    msg_bm->data = msg;
+    if (EXPECT_SUCCESS()) {
+        XFREE(emp_bm->data, NULL, DYNAMIC_TYPE_OPENSSL);
+        emp_bm->data = emp;
+        msg_bm->data = msg;
+    }
     ExpectIntEQ(BIO_set_mem_buf(bio, emp_bm, BIO_CLOSE), WOLFSSL_SUCCESS);
 
     /* check reading an empty string */
@@ -40256,9 +40259,11 @@ static int test_wolfSSL_BIO_gets(void)
     ExpectIntEQ(BIO_gets(bio, bio_buffer, bufferSz), 8);
     ExpectIntEQ(BIO_gets(bio, bio_buffer, -1), 0);
 
-    emp_bm->data = NULL;
+    if (EXPECT_SUCCESS())
+        emp_bm->data = NULL;
     BUF_MEM_free(emp_bm);
-    msg_bm->data = NULL;
+    if (EXPECT_SUCCESS())
+        msg_bm->data = NULL;
     BUF_MEM_free(msg_bm);
 #endif
 

tests/utils.c

@@ -53,6 +53,9 @@ char* create_tmp_dir(char *tmpDir, int len)
 #ifdef _MSC_VER
     if (_mkdir(tmpDir) != 0)
         return NULL;
+#elif defined(__CYGWIN__) || defined(__MINGW32__)
+    if (mkdir(tmpDir) != 0)
+        return NULL;
 #else
     if (mkdir(tmpDir, 0700) != 0)
         return NULL;

wolfcrypt/src/asn.c

@@ -190,7 +190,10 @@ ASN Options:
     #include <wolfssl/wolfcrypt/cryptocb.h>
 #endif
 
-#include <wolfssl/internal.h>
+#ifndef WOLFCRYPT_ONLY
+    #include <wolfssl/internal.h>
+#endif
+
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
     #include <wolfssl/openssl/objects.h>
 #endif
@@ -18867,7 +18870,7 @@ static int DecodeAuthKeyId(const byte* input, word32 sz, DecodedCert* cert)
         /* Get the hash or hash of the hash if wrong size. */
         ret = GetHashId(dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.data,
                     (int)dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.length,
-                    cert->extAuthKeyId, HashIdAlg(cert->signatureOID));
+                    cert->extAuthKeyId, HashIdAlg((int)cert->signatureOID));
     }
 #ifdef WOLFSSL_AKID_NAME
     if (ret == 0 && dataASN[AUTHKEYIDASN_IDX_ISSUER].data.ref.data != NULL) {
@@ -21448,29 +21451,10 @@ int wc_ParseCert(DecodedCert* cert, int type, int verify, void* cm)
     return ParseCert(cert, type, verify, cm);
 }
 
-#if !defined(OPENSSL_EXTRA) && !defined(OPENSSL_EXTRA_X509_SMALL) && \
-    !defined(GetCA)
-/* from SSL proper, for locking can't do find here anymore.
- * brought in from internal.h if built with compat layer.
- * if defined(GetCA), it's a predefined macro and these prototypes
- * would conflict.
- */
-#ifdef __cplusplus
-    extern "C" {
-#endif
-    Signer* GetCA(void* signers, byte* hash);
-    #ifndef NO_SKID
-        Signer* GetCAByName(void* signers, byte* hash);
-    #endif
-#ifdef __cplusplus
-    }
-#endif
-
-#endif /* !OPENSSL_EXTRA && !OPENSSL_EXTRA_X509_SMALL && !GetCA */
-
-#if defined(WOLFCRYPT_ONLY)
+#ifdef WOLFCRYPT_ONLY
 
 /* dummy functions, not using wolfSSL so don't need actual ones */
+Signer* GetCA(void* signers, byte* hash);
 Signer* GetCA(void* signers, byte* hash)
 {
     (void)hash;
@@ -21479,6 +21463,7 @@ Signer* GetCA(void* signers, byte* hash)
 }
 
 #ifndef NO_SKID
+Signer* GetCAByName(void* signers, byte* hash);
 Signer* GetCAByName(void* signers, byte* hash)
 {
     (void)hash;
@@ -21488,6 +21473,8 @@ Signer* GetCAByName(void* signers, byte* hash)
 #endif /* NO_SKID */
 
 #ifdef WOLFSSL_AKID_NAME
+Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz,
+        const byte* serial, word32 serialSz);
 Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz,
         const byte* serial, word32 serialSz)
 {
@@ -22701,7 +22688,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
                     }
                 }
                 else {
-                    cert->maxPathLen = min(cert->ca->maxPathLen - 1,
+                    cert->maxPathLen = (byte)min(cert->ca->maxPathLen - 1,
                                            cert->maxPathLen);
                 }
             }

wolfssl/internal.h

@@ -6128,12 +6128,14 @@ WOLFSSL_LOCAL WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG,
                                                              DecodedCert* cert);
     #endif
 
-    WOLFSSL_LOCAL Signer* GetCA(void* vp, byte* hash);
+    #ifndef GetCA
+        WOLFSSL_LOCAL Signer* GetCA(void* vp, byte* hash);
+    #endif
     #ifdef WOLFSSL_AKID_NAME
         WOLFSSL_LOCAL Signer* GetCAByAKID(void* vp, const byte* issuer,
                 word32 issuerSz, const byte* serial, word32 serialSz);
     #endif
-    #ifndef NO_SKID
+    #if !defined(NO_SKID) && !defined(GetCAByName)
         WOLFSSL_LOCAL Signer* GetCAByName(void* cm, byte* hash);
     #endif
 #endif /* !NO_CERTS */