More configuration fixes

Author: danielinux

tests/api.c

@@ -4265,8 +4265,16 @@ static int test_wolfSSL_crl_ocsp_object_api(void)
     ExpectIntEQ(wolfSSL_EnableOCSP(clientSsl, WOLFSSL_OCSP_NO_NONCE),
         WOLFSSL_SUCCESS);
     ExpectIntEQ(wolfSSL_DisableOCSP(clientSsl), WOLFSSL_SUCCESS);
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
+    defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
     ExpectIntEQ(wolfSSL_EnableOCSPStapling(clientSsl), WOLFSSL_SUCCESS);
     ExpectIntEQ(wolfSSL_DisableOCSPStapling(clientSsl), WOLFSSL_SUCCESS);
+#else
+    ExpectIntEQ(wolfSSL_EnableOCSPStapling(clientSsl),
+        WC_NO_ERR_TRACE(NOT_COMPILED_IN));
+    ExpectIntEQ(wolfSSL_DisableOCSPStapling(clientSsl),
+        WC_NO_ERR_TRACE(NOT_COMPILED_IN));
+#endif
     ExpectIntEQ(wolfSSL_SetOCSP_OverrideURL(clientSsl, "http://dummy.test"),
         WOLFSSL_SUCCESS);
     ExpectIntEQ(wolfSSL_SetOCSP_OverrideURL(clientSsl, ""), WOLFSSL_SUCCESS);

tests/api/test_asn.c

@@ -2323,7 +2323,10 @@ int test_wc_AsnPkcs8Coverage(void)
                 ret == WC_NO_ERR_TRACE(ASN_INPUT_E));
             /* One byte too small triggers BAD_FUNC_ARG. */
             if (encSz > 0) {
-                byte* tooSmall = (byte*)XMALLOC(encSz - 1, NULL,
+                /* Allocate full encSz bytes so the buffer is not overrun;
+                 * pass smallSz = encSz-1 so the library's bounds check fires
+                 * before any write occurs. */
+                byte* tooSmall = (byte*)XMALLOC(encSz, NULL,
                     DYNAMIC_TYPE_TMP_BUFFER);
                 word32 smallSz = encSz - 1;
                 ExpectNotNull(tooSmall);
@@ -2367,7 +2370,9 @@ int test_wc_AsnPkcs8Coverage(void)
                     /* Too-small buffer after knowing real size. */
                     {
                         word32 smallSz = sz - 1;
-                        byte*  small2 = (byte*)XMALLOC(smallSz, NULL,
+                        /* Allocate full sz bytes to avoid buffer overrun;
+                         * smallSz < sz triggers the library's bounds check. */
+                        byte*  small2 = (byte*)XMALLOC(sz, NULL,
                             DYNAMIC_TYPE_TMP_BUFFER);
                         if (small2 != NULL) {
                             int ret = wc_EncryptPKCS8Key(pkcs8Buf, pkcs8Sz,

tests/api/test_ecc.c

@@ -3498,19 +3498,24 @@ int test_wc_EccBadArgCoverage7(void)
         sigLen = (word32)sizeof(sig);
         ExpectIntEQ(wc_ecc_rs_to_sig(validR, validS, sig, &sigLen), 0);
 
-        /* r is negative: mp_isneg(rtmp)==MP_YES → MP_READ_E.
-         * The s is non-zero (validS), so mp_iszero check passes first.
-         * This makes the first OR-operand at L11487 true. */
-        sigLen = (word32)sizeof(sig);
-        ExpectIntEQ(wc_ecc_rs_to_sig(negHex, validS, sig, &sigLen),
-            WC_NO_ERR_TRACE(MP_READ_E));
-
-        /* s is negative: mp_isneg(stmp)==MP_YES → MP_READ_E.
-         * r is validR (positive non-zero), so the first operand is false
-         * and we isolate the second operand of the OR. */
-        sigLen = (word32)sizeof(sig);
-        ExpectIntEQ(wc_ecc_rs_to_sig(validR, negHex, sig, &sigLen),
-            WC_NO_ERR_TRACE(MP_READ_E));
+        /* r is negative: the library rejects the negative value. In
+         * integer/heap math this happens via the explicit mp_isneg check
+         * inside wc_ecc_rs_to_sig (→ MP_READ_E). In sp_int the leading '-'
+         * is rejected earlier by sp_read_radix (→ MP_VAL). Either fail
+         * result is acceptable. */
+        {
+            int r;
+            sigLen = (word32)sizeof(sig);
+            r = wc_ecc_rs_to_sig(negHex, validS, sig, &sigLen);
+            ExpectTrue(r == WC_NO_ERR_TRACE(MP_READ_E) ||
+                       r == WC_NO_ERR_TRACE(MP_VAL));
+
+            /* s is negative: same reasoning applies to the second operand. */
+            sigLen = (word32)sizeof(sig);
+            r = wc_ecc_rs_to_sig(validR, negHex, sig, &sigLen);
+            ExpectTrue(r == WC_NO_ERR_TRACE(MP_READ_E) ||
+                       r == WC_NO_ERR_TRACE(MP_VAL));
+        }
     }
 
 #endif /* HAVE_ECC && !NO_ECC256 && !NO_ECC_SECP && !WC_NO_RNG &&

tests/api/test_evp_cipher.c

@@ -2971,7 +2971,8 @@ int test_wolfSSL_EvpCipherCtxCtrlAead(void)
     EVP_CIPHER_CTX *ctx    = NULL;
     EVP_CIPHER_CTX *ctx_nb = NULL;  /* non-AEAD context */
     byte  key[16];
-    byte  iv[12];
+    /* Sized for AES-CBC (16 bytes); AES-GCM only reads the first 12. */
+    byte  iv[16];
     byte  tag[16];
     byte  tagbuf[16];
     XMEMSET(key,    0xAB, sizeof(key));
@@ -3707,13 +3708,16 @@ int test_wolfSSL_EvpCipherInitBatch4(void)
     ((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \
      (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
         {
-            byte iv12[12];
-            XMEMSET(iv12, 0x44, sizeof(iv12));
+            /* Sized for AES block (16); wolfSSL_EVP_CipherInit -> wc_AesSetIV
+             * reads a full AES_BLOCK_SIZE even when the logical GCM nonce is
+             * 12 bytes. */
+            byte iv16gcm[16];
+            XMEMSET(iv16gcm, 0x44, sizeof(iv16gcm));
             /* Passing a new cipher type on an already-initialised ctx resets
              * the type (L7215 branch: type != NULL → full re-init).
              * May succeed or fail depending on whether AES GCM low-level was
              * already inited; just drive the branch. */
-            (void)EVP_CipherInit(ctx, EVP_aes_128_gcm(), key128, iv12, 1);
+            (void)EVP_CipherInit(ctx, EVP_aes_128_gcm(), key128, iv16gcm, 1);
         }
 #endif /* HAVE_AESGCM ... */
 

tests/api/test_pkcs7.c

@@ -1228,7 +1228,7 @@ int test_wc_PKCS7_EncodeSignedData_ex(void)
         int            certSz;
         int            keySz;
 
-        ExpectTure((fp = XFOPEN("./certs/1024/client-cert.der", "rb")) !=
+        ExpectTrue((fp = XFOPEN("./certs/1024/client-cert.der", "rb")) !=
             XBADFILE);
         ExpectIntGT(certSz = (int)XFREAD(cert, 1, sizeof(cert), fp), 0);
         if (fp != XBADFILE) {

tests/api/test_tls.c

@@ -39,11 +39,11 @@ int test_utils_memio_move_message(void)
 #if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
 
     XMEMSET(&test_ctx, 0, sizeof(test_ctx));
@@ -193,11 +193,11 @@ int test_tls12_curve_intersection(void) {
     defined(HAVE_CURVE25519)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
     int ret;
     const char* curve_name;
@@ -281,11 +281,11 @@ int test_tls13_curve_intersection(void) {
     defined(WOLFSSL_TLS13) && defined(HAVE_ECC) && defined(HAVE_CURVE25519)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
     const char* curve_name;
     int test1[] ={WOLFSSL_ECC_SECP256R1};
@@ -323,11 +323,11 @@ int test_tls_certreq_order(void)
      */
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
     int i = 0;
     const char* msg = NULL;
@@ -1111,11 +1111,11 @@ int test_tls_tlsx_sni_options_coverage(void)
     !defined(WOLFSSL_NO_TLS12) && defined(HAVE_SNI)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
 
     /* --- Subtest 1: client sends "example.com", server expects "example.com"
@@ -1226,11 +1226,11 @@ int test_tls_tlsx_sc_parse_coverage(void)
     !defined(NO_WOLFSSL_CLIENT)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
 
     /* --- Subtest 1: normal curve intersection (extension != NULL path,
@@ -1323,11 +1323,11 @@ int test_tls_tlsx_sv_parse_coverage(void)
     defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
 
     /* --- Subtest 1: pure TLS 1.3 handshake.
@@ -1454,11 +1454,11 @@ int test_tls_build_handshake_hash_coverage(void)
     !defined(WOLFSSL_NO_TLS12) && !defined(NO_RSA)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
 
     /* --- Subtest 1: TLS 1.2 with AES-128-CBC-SHA256 (sha256_mac).
@@ -1807,11 +1807,11 @@ int test_tls_tlsx_validate_curves_coverage(void)
     !defined(NO_AES) && defined(HAVE_AES_CBC)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
 
     /* --- Subtest 1: ECDHE-RSA cipher + client restricts to SECP256R1,
@@ -1954,11 +1954,11 @@ int test_tls_tlsx_psk_coverage(void)
     !defined(NO_RSA) && defined(HAVE_ECC)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
 
     /* --- Subtest 1: full TLS 1.3 handshake followed by session-ticket
@@ -2185,11 +2185,11 @@ int test_tls_tlsx_keyshare_coverage(void)
     !defined(NO_RSA) && defined(HAVE_ECC)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
 
     /* --- Subtest 1: TLS 1.3 normal handshake, client offers SECP256R1,
@@ -2326,11 +2326,11 @@ int test_tls_tlsx_csr_coverage(void)
     !defined(NO_RSA) && defined(HAVE_ECC)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
 
     /* --- Subtest 1: TLS 1.2: client requests OCSP stapling via
@@ -2425,11 +2425,11 @@ int test_tls_tlsx_write_request_coverage(void)
     !defined(NO_WOLFSSL_SERVER) && !defined(NO_RSA)
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
 
     /* --- Subtest 1: TLS 1.2 client WriteRequest.
@@ -4272,11 +4272,11 @@ int test_tls_build_handshake_hash_batch4(void)
 
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL     *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
     (void)ctx_c;
     (void)ssl_c;
     (void)ctx_s;
     (void)ssl_s;
-    struct test_memio_ctx test_ctx;
     (void)test_ctx;
 
     /* --- Subtest 1: TLS 1.2 with DHE-RSA-AES128-SHA (sha_mac <= sha256_mac).