From 3ac05dea09487b3631bf4341450b0084eda0edb1 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Wed, 16 Apr 2025 21:46:48 +1000
Subject: [PATCH 1/2] Regression test fixes
dtls13.c: LowResTimer() not available when NO_ASN_TIME is defined.
api.c: Add certificate and key to use for when only Ed25519 or Ed448.
asn.c: Casts needed for g++ compile.
mem_track.c: Casts needed for g++ compile.
---
 src/dtls13.c | 4 ++++
 tests/api.c | 6 ++++++
 wolfcrypt/src/asn.c | 5 +++--
 wolfssl/wolfcrypt/mem_track.h | 4 ++--
 4 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/src/dtls13.c b/src/dtls13.c
index cc2c02fa4..d4f8b9b1e 100644
--- a/src/dtls13.c
+++ b/src/dtls13.c
@@ -1545,11 +1545,14 @@ static int Dtls13RtxSendBuffered(WOLFSSL* ssl)
 byte* output;
 int isLast;
 int sendSz;
+#ifndef NO_ASN_TIME
 word32 now;
+#endif
 int ret;
 WOLFSSL_ENTER("Dtls13RtxSendBuffered");
+#ifndef NO_ASN_TIME
 now = LowResTimer();
 if (now - ssl->dtls13Rtx.lastRtx < DTLS13_MIN_RTX_INTERVAL) {
 #ifdef WOLFSSL_DEBUG_TLS
@@ -1559,6 +1562,7 @@ static int Dtls13RtxSendBuffered(WOLFSSL* ssl)
 }
 ssl->dtls13Rtx.lastRtx = now;
+#endif
 r = ssl->dtls13Rtx.rtxRecords;
 prevNext = &ssl->dtls13Rtx.rtxRecords;
diff --git a/tests/api.c b/tests/api.c
index bdf4c1bbe..d7840a46c 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -47887,6 +47887,12 @@ static int test_tls13_apis(void)
 #elif defined(HAVE_ECC)
 const char* ourCert = eccCertFile;
 const char* ourKey = eccKeyFile;
+#elif defined(HAVE_ED25519)
+ const char* ourCert = edCertFile;
+ const char* ourKey = edKeyFile;
+#elif defined(HAVE_ED448)
+ const char* ourCert = ed448CertFile;
+ const char* ourKey = ed448KeyFile;
 #endif
 #endif
 #endif
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 8148a2cba..600be978a 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
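Review bot: With NO_ASN_TIME defined, the `#ifndef NO_ASN_TIME` guards in Dtls13RtxSendBuffered compile out the whole `DTLS13_MIN_RTX_INTERVAL` check, so retransmission of buffered records is no longer rate limited in that configuration, and nothing in the code says so. If this function can be reached in response to peer traffic (not visible in these hunks), such a build loses its throttle against repeated retransmissions. I would at least document it at the second guard, e.g. `/* No LowResTimer() with NO_ASN_TIME: retransmit rate limiting is disabled. */`, and consider whether these builds need another time source. The guard is closed by the `+#endif` in the following hunk (@@ -1559), and the function body continues outside both hunks.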
@@ -38392,7 +38392,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 if (DecodeCerts(source, &idx, resp, size) < 0)
 return ASN_PARSE_E;
- ret = OcspCheckCert(resp, noVerify, noVerifySignature, cm, heap);
+ ret = OcspCheckCert(resp, noVerify, noVerifySignature,
+ (WOLFSSL_CERT_MANAGER*)cm, heap);
 if (ret == 0) {
 sigValid = 1;
 }
@@ -38407,7 +38408,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 if (!noVerifySignature && !sigValid) {
 Signer* ca;
 SignatureCtx sigCtx;
- ca = OcspFindSigner(resp, cm);
+ ca = OcspFindSigner(resp, (WOLFSSL_CERT_MANAGER*)cm);
 if (ca == NULL)
 return ASN_NO_SIGNER_E;
diff --git a/wolfssl/wolfcrypt/mem_track.h b/wolfssl/wolfcrypt/mem_track.h
index 4e867a81d..205ec570b 100644
--- a/wolfssl/wolfcrypt/mem_track.h
+++ b/wolfssl/wolfcrypt/mem_track.h
@@ -596,7 +596,7 @@ static WC_INLINE int StackSizeCheck(struct func_args* args, thread_func tf)
 #endif
 #ifdef PTHREAD_STACK_MIN
- if (stackSize < PTHREAD_STACK_MIN)
+ if (stackSize < (size_t)PTHREAD_STACK_MIN)
 stackSize = PTHREAD_STACK_MIN;
 #endif
@@ -677,7 +677,7 @@ static WC_INLINE int StackSizeCheck_launch(struct func_args* args,
 struct stack_size_debug_context* shim_args;
 #ifdef PTHREAD_STACK_MIN
- if (stackSize < PTHREAD_STACK_MIN)
+ if (stackSize < (size_t)PTHREAD_STACK_MIN)
 stackSize = PTHREAD_STACK_MIN;
 #endif
From 4f3ce188b6babf99e20e216f07b7380e5e7de902 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Thu, 17 Apr 2025 10:53:49 +1000
Subject: [PATCH 2/2] Memory Zero checks: add check call
Must check memory is zeroed after Tls13DeriveKey() call.
---
 src/dtls13.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/dtls13.c b/src/dtls13.c
index d4f8b9b1e..91eb2b20d 100644
--- a/src/dtls13.c
+++ b/src/dtls13.c
@@ -1959,6 +1959,9 @@ int Dtls13DeriveSnKeys(WOLFSSL* ssl, int provision)
 end:
 ForceZero(key_dig, MAX_PRF_DIG);
+#ifdef WOLFSSL_CHECK_MEM_ZERO
+ wc_MemZero_Check(key_dig, sizeof(key_dig));
+#endif
 return ret;
 }
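Review bot: The `(WOLFSSL_CERT_MANAGER*)cm` cast is repeated at both call sites in DecodeBasicOcspResponse (here and in the @@ -38407 hunk), and a C-style cast silences the compiler for any pointer type, not only `void*`. The declaration of `cm` is outside the hunks; if it is a `void*` parameter, converting once into a typed local, `WOLFSSL_CERT_MANAGER* certMgr = (WOLFSSL_CERT_MANAGER*)cm;`, and passing `certMgr` to `OcspCheckCert` and `OcspFindSigner` keeps the unchecked conversion in one place on the OCSP verification path. A short comment that the cast exists for C++ builds would also help the next reader.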
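Review bot: Only the comparison is cast; the assignment on the next line, `stackSize = PTHREAD_STACK_MIN;`, still relies on an implicit conversion, in both StackSizeCheck and StackSizeCheck_launch (@@ -677). For consistency under g++ I would write `stackSize = (size_t)PTHREAD_STACK_MIN;`. Where PTHREAD_STACK_MIN expands to a signed run-time expression rather than a constant, the cast would turn a negative value into a very large stack size, so a positivity check before the cast may be worth adding; whether that applies to the targeted platforms is not visible here.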
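Review bot: The wipe and the check at the `end:` label use different length expressions, `ForceZero(key_dig, MAX_PRF_DIG)` versus `wc_MemZero_Check(key_dig, sizeof(key_dig))`. They agree only while `key_dig` is an array of exactly MAX_PRF_DIG bytes; its declaration is outside the hunk, and if it ever became a pointer or changed size the check would cover a different range than was zeroed. Use one expression for both, e.g. `ForceZero(key_dig, sizeof(key_dig));`, or pass `MAX_PRF_DIG` to the check. The check presumably also depends on the buffer having been registered for zero-tracking earlier (the commit message points to Tls13DeriveKey()), so a one-line comment naming where that happens would make the pairing auditable.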