From a9299732d95ddbf1f33e7dc9d483f9b65555d7a0 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 6 Jul 2026 18:02:06 +0200 Subject: [PATCH] tests: fix AesKeyExport lifecycle-tag leak and server-only session-cache test The last two red PR jobs, both in the branch's new tests: - intelasm (ASAN): test_wc_AesKeyExportArgMcdc calls wc_AesInit_Id() and wc_AesInit_Label() which succeed (allocating the WC_DEBUG_CIPHER_LIFECYCLE tag) but were never freed -> 8-byte LeakSanitizer leak. Add wc_AesFree() to both blocks. - no-client-no-client-auth (minimal server-only build): test_wolfSSL_session_cache_api_direct's wolfSSL_new() returned NULL because a certless server CTX has no usable cipher suite. Load the test server cert/key (file, with a USE_CERT_BUFFERS_2048 fallback) before wolfSSL_new() in the server-only path; the client path is cert-free as before. Verified: --enable-all + ASAN run of the aes group is leak-free, and CPPFLAGS="-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH" now passes. --- tests/api.c | 14 ++++++++++++++ tests/api/test_aes.c | 2 ++ 2 files changed, 16 insertions(+) diff --git a/tests/api.c b/tests/api.c index d7e82e6f4b..bb259cfa9b 100644 --- a/tests/api.c +++ b/tests/api.c @@ -4608,6 +4608,20 @@ static int test_wolfSSL_session_cache_api_direct(void) ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); #elif !defined(NO_WOLFSSL_SERVER) ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + /* A client CTX yields a usable WOLFSSL* cert-free, but a server needs a + * cert+key or wolfSSL_new() has no usable cipher suite and returns NULL + * (e.g. minimal server-only builds). Load the test server cert/key. */ +#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + ExpectIntEQ(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, + WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); +#elif !defined(NO_CERTS) && !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) + ExpectIntEQ(wolfSSL_CTX_use_certificate_buffer(ctx, server_cert_der_2048, + sizeof_server_cert_der_2048, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, server_key_der_2048, + sizeof_server_key_der_2048, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); +#endif #endif ExpectNotNull(ssl = wolfSSL_new(ctx)); diff --git a/tests/api/test_aes.c b/tests/api/test_aes.c index c56f81fd47..cfd552c8ae 100644 --- a/tests/api/test_aes.c +++ b/tests/api/test_aes.c @@ -9927,6 +9927,7 @@ int test_wc_AesKeyExportArgMcdc(void) WC_NO_ERR_TRACE(BUFFER_E)); ExpectIntEQ(wc_AesInit_Id(&aes, id, AES_MAX_ID_LEN + 1, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(BUFFER_E)); + wc_AesFree(&aes); /* first init succeeded; free its lifecycle tag */ } /* wc_AesInit_Label(): aes/label == NULL OR-chain, plus labelLen == 0 / @@ -9949,6 +9950,7 @@ int test_wc_AesKeyExportArgMcdc(void) WC_NO_ERR_TRACE(BUFFER_E)); ExpectIntEQ(wc_AesInit_Label(&aes, longLabel, NULL, INVALID_DEVID), WC_NO_ERR_TRACE(BUFFER_E)); + wc_AesFree(&aes); /* first init succeeded; free its lifecycle tag */ } #endif /* WOLF_PRIVATE_KEY_ID */