From c048ce5f99057644ecb57b49ce70b8be2827ccd3 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Tue, 15 Dec 2020 23:56:04 +0700
Subject: [PATCH 1/6] build fix for --enable-ip-alt-name

---
 wolfssl/ssl.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index f8585e0b8..876797c5c 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -527,11 +527,15 @@ struct WOLFSSL_X509_STORE {
 };
 
 #define WOLFSSL_NO_WILDCARDS   0x4
+
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
+    #define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */
+#endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
+
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
 #define WOLFSSL_USE_CHECK_TIME 0x2
 #define WOLFSSL_NO_CHECK_TIME  0x200000
 #define WOLFSSL_HOST_NAME_MAX  256
-#define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */
 struct WOLFSSL_X509_VERIFY_PARAM {
     time_t         check_time;
     unsigned long  flags;

From e0b0c329b3b12229f2a5bdab1bc7b81357a2006f Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 15 Dec 2020 10:50:57 -0700
Subject: [PATCH 2/6] build fix for --enable-afalg

---
 tests/api.c                  | 3 ++-
 wolfssl/ssl.h                | 3 ++-
 wolfssl/wolfcrypt/settings.h | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/tests/api.c b/tests/api.c
index fd5cadd29..d6e50b2d8 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -6924,7 +6924,8 @@ static int test_wc_Sha256FinalRaw (void)
 {
     int flag = 0;
 #if !defined(NO_SHA256) && !defined(HAVE_SELFTEST) && !defined(WOLFSSL_DEVCRYPTO) && (!defined(HAVE_FIPS) || \
-    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 3)))
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 3))) && \
+    !defined(WOLFSSL_NO_HASH_RAW)
     wc_Sha256 sha256;
     byte* hash_test[3];
     byte hash1[WC_SHA256_DIGEST_SIZE];
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 876797c5c..bb77ed9c7 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -528,7 +528,8 @@ struct WOLFSSL_X509_STORE {
 
 #define WOLFSSL_NO_WILDCARDS   0x4
 
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
+#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
+    defined(WOLFSSL_WPAS_SMALL) || defined(WOLFSSL_IP_ALT_NAME)
     #define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */
 #endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
 
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 91df8c469..cabe026e4 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2290,8 +2290,8 @@ extern void uITRON4_free(void *p) ;
     #define KEEP_PEER_CERT
 #endif
 
-/* RAW hash function APIs are not implemented with ARMv8 hardware acceleration*/
-#ifdef WOLFSSL_ARMASM
+/* RAW hash function APIs are not implemented */
+#if defined(WOLFSSL_ARMASM) || defined(WOLFSSL_AFALG_HASH)
     #undef  WOLFSSL_NO_HASH_RAW
     #define WOLFSSL_NO_HASH_RAW
 #endif

From f6c3eae1de76a7da3c6a71217251ee48df93fb7c Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Wed, 16 Dec 2020 15:05:33 -0500
Subject: [PATCH 3/6] g++ build fix

---
 src/ssl.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 4e349ada9..d61950c5d 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -7368,14 +7368,14 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
                                   ctx->privateKeyId, ctx->heap,
                                   ctx->privateKeyDevId);
         if (ret == 0 && der->keyOID == RSAk) {
-            ret = wc_CryptoCb_RsaCheckPrivKey(pkey, der->publicKey,
+            ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, der->publicKey,
                                               der->pubKeySize);
-            wc_FreeRsaKey(pkey);
+            wc_FreeRsaKey((RsaKey*)pkey);
         }
         else if (ret == 0 && der->keyOID == ECDSAk) {
-            ret = wc_CryptoCb_EccCheckPrivKey(pkey, der->publicKey,
+            ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey, der->publicKey,
                                               der->pubKeySize);
-            wc_ecc_free(pkey);
+            wc_ecc_free((ecc_key*)pkey);
         }
         if (pkey != NULL) {
             XFREE(pkey, ctx->heap, type);
@@ -7975,18 +7975,18 @@ int wolfSSL_check_private_key(const WOLFSSL* ssl)
                                   ssl->buffers.keyId, ssl->heap,
                                   ssl->buffers.keyDevId);
         if (ret == 0 && der.keyOID == RSAk) {
-            ret = wc_CryptoCb_RsaCheckPrivKey(pkey, der.publicKey,
+            ret = wc_CryptoCb_RsaCheckPrivKey((RsaKey*)pkey, der.publicKey,
                                               der.pubKeySize);
             if (ret == 0)
                 ret = 1;
-            wc_FreeRsaKey(pkey);
+            wc_FreeRsaKey((RsaKey*)pkey);
         }
         else if (ret == 0 && der.keyOID == ECDSAk) {
-            ret = wc_CryptoCb_EccCheckPrivKey(pkey, der.publicKey,
+            ret = wc_CryptoCb_EccCheckPrivKey((ecc_key*)pkey, der.publicKey,
                                               der.pubKeySize);
             if (ret == 0)
                 ret = 1;
-            wc_ecc_free(pkey);
+            wc_ecc_free((ecc_key*)pkey);
         }
         if (pkey != NULL) {
             XFREE(pkey, ssl->heap, type);

From a948066f8695d78632dd57f77dc0736a6c8131b7 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Thu, 17 Dec 2020 01:49:48 +0700
Subject: [PATCH 4/6] some infer fixes

---
 src/ocsp.c                      |  3 +++
 src/ssl.c                       | 38 +++++++++++++++++++++++----------
 src/tls.c                       |  5 +++++
 tests/api.c                     |  8 ++++---
 wolfcrypt/benchmark/benchmark.c |  4 ++--
 wolfcrypt/src/asn.c             |  2 +-
 wolfcrypt/src/ecc.c             |  2 +-
 7 files changed, 44 insertions(+), 18 deletions(-)

diff --git a/src/ocsp.c b/src/ocsp.c
index 8ba3cb5cb..4862cf939 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -987,6 +987,9 @@ int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id, unsigned char** data)
     }
     else {
         *data = (unsigned char*)XMALLOC(id->rawCertIdSize, NULL, DYNAMIC_TYPE_OPENSSL);
+        if (*data == NULL) {
+            return WOLFSSL_FAILURE;
+        }
         XMEMCPY(*data, id->rawCertId, id->rawCertIdSize);
     }
 
diff --git a/src/ssl.c b/src/ssl.c
index d61950c5d..51f4c40b5 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -6293,7 +6293,7 @@ int wolfSSL_CertManagerDisableOCSPStapling(WOLFSSL_CERT_MANAGER* cm)
 /* require OCSP stapling response */
 int wolfSSL_CertManagerEnableOCSPMustStaple(WOLFSSL_CERT_MANAGER* cm)
 {
-    int ret = WOLFSSL_SUCCESS;
+    int ret;
 
     WOLFSSL_ENTER("wolfSSL_CertManagerEnableOCSPMustStaple");
 
@@ -6305,6 +6305,7 @@ int wolfSSL_CertManagerEnableOCSPMustStaple(WOLFSSL_CERT_MANAGER* cm)
     #ifndef NO_WOLFSSL_CLIENT
         cm->ocspMustStaple = 1;
     #endif
+    ret = WOLFSSL_SUCCESS;
 #else
     ret = NOT_COMPILED_IN;
 #endif
@@ -6314,7 +6315,7 @@ int wolfSSL_CertManagerEnableOCSPMustStaple(WOLFSSL_CERT_MANAGER* cm)
 
 int wolfSSL_CertManagerDisableOCSPMustStaple(WOLFSSL_CERT_MANAGER* cm)
 {
-    int ret = WOLFSSL_SUCCESS;
+    int ret;
 
     WOLFSSL_ENTER("wolfSSL_CertManagerDisableOCSPMustStaple");
 
@@ -6326,6 +6327,7 @@ int wolfSSL_CertManagerDisableOCSPMustStaple(WOLFSSL_CERT_MANAGER* cm)
     #ifndef NO_WOLFSSL_CLIENT
         cm->ocspMustStaple = 0;
     #endif
+    ret = WOLFSSL_SUCCESS;
 #else
     ret = NOT_COMPILED_IN;
 #endif
@@ -14788,11 +14790,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 
             /* Need a persistent copy of the subject name. */
             node->data.name = wolfSSL_X509_NAME_dup(subjectName);
-            /*
-             * Original cert will be freed so make sure not to try to access
-             * it in the future.
-             */
-            node->data.name->x509 = NULL;
+            if (node->data.name != NULL) {
+                /*
+                * Original cert will be freed so make sure not to try to access
+                * it in the future.
+                */
+                node->data.name->x509 = NULL;
+            }
 
             /* Put node on the front of the list. */
             node->num  = (list == NULL) ? 1 : list->num + 1;
@@ -32192,6 +32196,11 @@ int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_RSA* key,
             return WOLFSSL_FAILURE;
         }
 
+        if (derBuf == NULL) {
+            WOLFSSL_MSG("wolfSSL_RSA_To_Der failed to get buffer");
+            return WOLFSSL_FAILURE;
+        }
+
         pkey->pkey.ptr = (char*)XMALLOC(derSz, bio->heap,
                 DYNAMIC_TYPE_TMP_BUFFER);
         if (pkey->pkey.ptr == NULL) {
@@ -32247,6 +32256,11 @@ int wolfSSL_PEM_write_bio_RSA_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa)
         return WOLFSSL_FAILURE;
     }
 
+    if (derBuf == NULL) {
+        WOLFSSL_MSG("wolfSSL_RSA_To_Der failed to get buffer");
+        return WOLFSSL_FAILURE;
+    }
+
     pkey->pkey.ptr = (char*)XMALLOC(derSz, bio->heap,
             DYNAMIC_TYPE_TMP_BUFFER);
     if (pkey->pkey.ptr == NULL) {
@@ -37706,7 +37720,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
     static int CopyX509NameToCert(WOLFSSL_X509_NAME* n, byte* out)
     {
         unsigned char* der = NULL;
-        int length = BAD_FUNC_ARG, ret = BAD_FUNC_ARG;
+        int length = BAD_FUNC_ARG, ret;
         word32 idx = 0;
 
         ret = wolfSSL_i2d_X509_NAME(n, &der);
@@ -39227,9 +39241,11 @@ err:
                 XMEMCPY(fullName + *idx, "=", 1); *idx = *idx + 1;
 
                 data = wolfSSL_ASN1_STRING_data(e->value);
-                sz   = (int)XSTRLEN((const char*)data);
-                XMEMCPY(fullName + *idx, data, sz);
-                *idx += sz;
+                if (data != NULL) {
+                    sz = (int)XSTRLEN((const char*)data);
+                    XMEMCPY(fullName + *idx, data, sz);
+                    *idx += sz;
+                }
 
                 ret++;
             }
diff --git a/src/tls.c b/src/tls.c
index e0b1df0f1..634f30e51 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -4072,6 +4072,11 @@ int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl)
         return ret;
 
     ext = TLSX_Find(priority, TLSX_SUPPORTED_GROUPS);
+    if (ext == NULL) {
+        WOLFSSL_MSG("Could not find supported groups extension");
+        return 0;
+    }
+
     curve = (SupportedCurve*)ext->data;
     name = curve->name;
 
diff --git a/tests/api.c b/tests/api.c
index d6e50b2d8..35ca09009 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -22065,7 +22065,7 @@ static int test_wc_ecc_sig_size_calc (void)
 #if defined(HAVE_ECC) && !defined(WC_NO_RNG) && !defined(HAVE_SELFTEST)
     ecc_key     key;
     WC_RNG      rng;
-    int         sz;
+    int         sz = 0;
 
     printf(testingFmt, "wc_ecc_sig_size_calc()");
 
@@ -29186,7 +29186,8 @@ static void test_wolfSSL_ASN1_TIME_adj(void)
     offset_day = 7;
     offset_sec = 45 * mini;
     /* offset_sec = -45 * min;*/
-    asn_time = wolfSSL_ASN1_TIME_adj(s, t, offset_day, offset_sec);
+    AssertNotNull(asn_time =
+            wolfSSL_ASN1_TIME_adj(s, t, offset_day, offset_sec));
     AssertTrue(asn_time->type == asn_utc_time);
     XSTRNCPY(date_str, (const char*)&asn_time->data, CTC_DATE_SIZE);
     date_str[CTC_DATE_SIZE] = '\0';
@@ -34689,6 +34690,7 @@ static void test_IncCtr(void)
     EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
     const EVP_CIPHER *init = EVP_des_ede3_cbc();
 
+    AssertNotNull(ctx);
     wolfSSL_EVP_CIPHER_CTX_init(ctx);
     AssertIntEQ(EVP_CipherInit(ctx, init, key, iv, 1), WOLFSSL_SUCCESS);
 
@@ -35442,7 +35444,7 @@ static void test_wolfSSL_OCSP_resp_count()
     WOLFSSL_OCSP_BASICRESP basicResp;
     WOLFSSL_OCSP_SINGLERESP singleRespOne;
     WOLFSSL_OCSP_SINGLERESP singleRespTwo;
-    int count = 1;
+    int count;
 
     printf(testingFmt, "wolfSSL_OCSP_resp_count()");
 
diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
index 0fce5ee1e..08c3b4ea5 100644
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@@ -5301,7 +5301,7 @@ exit:
 
 void bench_ecc(int doAsync)
 {
-    int ret = 0, i, times, count, pending = 0;
+    int ret = 0, i, times = 0, count = 0, pending = 0;
     const int keySize = bench_ecc_size;
     ecc_key genKey[BENCH_MAX_PENDING];
 #ifdef HAVE_ECC_DHE
@@ -5313,7 +5313,7 @@ void bench_ecc(int doAsync)
 #endif
 #endif
     word32 x[BENCH_MAX_PENDING];
-    double start;
+    double start = 0;
     const char**desc = bench_desc_words[lng_index];
 
 #ifdef HAVE_ECC_DHE
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 3036c169e..21ba6b987 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -17556,7 +17556,7 @@ void FreeOcspRequest(OcspRequest* req)
 
 int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
 {
-    int cmp;
+    int cmp = 0; /* start as matching if both req and resp have no values */
     OcspEntry *single, *next, *prev = NULL, *top;
 
     WOLFSSL_ENTER("CompareOcspReqResp");
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index e68fee460..ee3a01700 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -6288,7 +6288,7 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
 #else
 {
    int           err;
-   word32        keySz;
+   word32        keySz = 0;
 #if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
    byte sigRS[ATECC_KEY_SIZE*2];
 #elif defined(WOLFSSL_CRYPTOCELL)

From 9a968bdf536be107fee41e7656932a2e04105985 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Thu, 17 Dec 2020 01:58:36 +0700
Subject: [PATCH 5/6] disable XChaCha with armasm

---
 wolfssl/wolfcrypt/settings.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index cabe026e4..a5a0cd324 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2296,6 +2296,11 @@ extern void uITRON4_free(void *p) ;
     #define WOLFSSL_NO_HASH_RAW
 #endif
 
+/* XChacha not implemented with ARM assembly ChaCha */
+#if defined(WOLFSSL_ARMASM)
+    #undef HAVE_XCHACHA
+#endif
+
 #if !defined(WOLFSSL_SHA384) && !defined(WOLFSSL_SHA512) && defined(NO_AES) && \
                                                           !defined(WOLFSSL_SHA3)
     #undef  WOLFSSL_NO_WORD64_OPS

From 97bc5e870cb30a061d65c6be16e35b6997cdf297 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Fri, 18 Dec 2020 00:36:00 +0700
Subject: [PATCH 6/6] fix for default OCSP cmp value and fix for
 WOLFSSL_NO_CLIENT_AUTH build

---
 tests/suites.c      | 2 ++
 wolfcrypt/src/asn.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/tests/suites.c b/tests/suites.c
index aed0de245..7d02f4223 100644
--- a/tests/suites.c
+++ b/tests/suites.c
@@ -279,7 +279,9 @@ static int IsUsingCert(const char* line)
 {
     return XSTRSTR(line, "-c ") != NULL;
 }
+#endif
 
+#if defined(NO_CERTS) || defined(WOLFSSL_NO_CLIENT_AUTH)
 static int IsNoClientCert(const char* line)
 {
     const char* begin;
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 21ba6b987..1e0bbad29 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -17556,7 +17556,7 @@ void FreeOcspRequest(OcspRequest* req)
 
 int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
 {
-    int cmp = 0; /* start as matching if both req and resp have no values */
+    int cmp = -1; /* default as not matching, cmp gets set on each check */
     OcspEntry *single, *next, *prev = NULL, *top;
 
     WOLFSSL_ENTER("CompareOcspReqResp");