PRAGMA_GCC_*: refactor macros to properly push a context, and refactor their use in src/tls13.c:DeriveKey() to deal with gcc context quirks that otherwise disabled the warning mask when defined(HAVE_FIPS); add a missing #ifndef NO_MD5 in ssl.c:wolfSSL_LH_strhash().

src/ssl.c

@@ -15785,10 +15785,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
                 idx += (int)iov[i].iov_len;
             }
 
-           /* myBuffer may not initialized fully, but the sending length will be */
-            PRAGMA_GCC_IGNORE("GCC diagnostic ignored \"-Wmaybe-uninitialized\"");
+           /* myBuffer may not be initialized fully, but the span up to the
+            * sending length will be.
+            */
+            PRAGMA_GCC_DIAG_PUSH;
+            PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"");
             ret = wolfSSL_write(ssl, myBuffer, sending);
-            PRAGMA_GCC_POP;
+            PRAGMA_GCC_DIAG_POP;
 
             if (dynamic)
                 XFREE(myBuffer, ssl->heap, DYNAMIC_TYPE_WRITEV);
@@ -56166,8 +56169,10 @@ static int wolfssl_conf_value_cmp(const WOLFSSL_CONF_VALUE *a,
 unsigned long wolfSSL_LH_strhash(const char *str)
 {
     unsigned long ret = 0;
+#ifndef NO_MD5
     int strLen;
     byte digest[WC_MD5_DIGEST_SIZE];
+#endif
     WOLFSSL_ENTER("wolfSSL_LH_strhash");
 
     if (!str)

src/tls13.c

@@ -308,12 +308,21 @@ static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
     if (includeMsgs)
         hashOutSz = hashSz;
 
-    /* myBuffer may not initialized fully, but the sending length will be */
-    PRAGMA_GCC_IGNORE("GCC diagnostic ignored \"-Wmaybe-uninitialized\"");
+    /* hash buffer may not be fully initialized, but the sending length won't
+     * extend beyond the initialized span.
+     */
+    PRAGMA_GCC_DIAG_PUSH;
+    PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"");
+    #if defined(HAVE_FIPS) && defined(wc_Tls13_HKDF_Expand_Label)
+    return wc_Tls13_HKDF_Expand_Label_fips(output, outputLen, secret, hashSz,
+                             protocol, protocolLen, label, labelLen,
+                             hash, hashOutSz, digestAlg);
+    #else
     return wc_Tls13_HKDF_Expand_Label(output, outputLen, secret, hashSz,
                              protocol, protocolLen, label, labelLen,
                              hash, hashOutSz, digestAlg);
-    PRAGMA_GCC_POP;
+    #endif
+    PRAGMA_GCC_DIAG_POP;
 }
 
 /* Convert TLS mac ID to a hash algorithm ID

wolfssl/wolfcrypt/types.h

@@ -1136,11 +1136,13 @@ decouple library dependencies with standard string, memory and so on.
     #endif
 
     #if defined(__GNUC__) && __GNUC__ > 5
-        #define PRAGMA_GCC_IGNORE(str) _Pragma(str);
-        #define PRAGMA_GCC_POP         _Pragma("GCC diagnostic pop");
+        #define PRAGMA_GCC_DIAG_PUSH _Pragma("GCC diagnostic push")
+        #define PRAGMA_GCC(str) _Pragma(str)
+        #define PRAGMA_GCC_DIAG_POP _Pragma("GCC diagnostic pop")
     #else
-        #define PRAGMA_GCC_IGNORE(str)
-        #define PRAGMA_GCC_POP
+        #define PRAGMA_GCC_DIAG_PUSH
+        #define PRAGMA_GCC(str)
+        #define PRAGMA_GCC_DIAG_POP
     #endif
 
     #ifdef __clang__