From a1295b31484cad56bbab7a15b1908c7561e87f61 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Fri, 15 Jun 2018 15:43:42 -0600
Subject: [PATCH 1/4] memory management with test cases

---
 src/ssl.c             |   4 +-
 tests/api.c           |  62 +++++++++++++---------
 wolfcrypt/test/test.c | 121 +++++++++++++++++++++++++++---------------
 3 files changed, 118 insertions(+), 69 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 623ba1c9a..1a34d798f 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -28654,8 +28654,10 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
             return NULL;
 
         i = 0;
-        if (wc_PemGetHeaderFooter(CERT_TYPE, NULL, &footer) != 0)
+        if (wc_PemGetHeaderFooter(CERT_TYPE, NULL, &footer) != 0) {
+            XFREE(pem, 0, DYNAMIC_TYPE_PEM);
             return NULL;
+        }
 
         /* TODO: Inefficient
          * reading in one byte at a time until see "END CERTIFICATE"
diff --git a/tests/api.c b/tests/api.c
index 783af90bf..baec67e45 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -14651,23 +14651,25 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
     /* RSA certs and keys. */
     #if defined(USE_CERT_BUFFERS_1024)
         /* Allocate buffer space. */
-        rsaCert = (byte*)XMALLOC(ONEK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        AssertNotNull(rsaCert =
+                (byte*)XMALLOC(ONEK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER));
         /* Init buffer. */
         rsaCertSz = (word32)sizeof_client_cert_der_1024;
         XMEMCPY(rsaCert, client_cert_der_1024, rsaCertSz);
-        rsaPrivKey = (byte*)XMALLOC(ONEK_BUF, HEAP_HINT,
-                                DYNAMIC_TYPE_TMP_BUFFER);
+        AssertNotNull(rsaPrivKey = (byte*)XMALLOC(ONEK_BUF, HEAP_HINT,
+                                DYNAMIC_TYPE_TMP_BUFFER));
         rsaPrivKeySz = (word32)sizeof_client_key_der_1024;
         XMEMCPY(rsaPrivKey, client_key_der_1024, rsaPrivKeySz);
 
     #elif defined(USE_CERT_BUFFERS_2048)
         /* Allocate buffer */
-        rsaCert = (byte*)XMALLOC(TWOK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        AssertNotNull(rsaCert =
+                (byte*)XMALLOC(TWOK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER));
         /* Init buffer. */
         rsaCertSz = (word32)sizeof_client_cert_der_2048;
         XMEMCPY(rsaCert, client_cert_der_2048, rsaCertSz);
-        rsaPrivKey = (byte*)XMALLOC(TWOK_BUF, HEAP_HINT,
-                                DYNAMIC_TYPE_TMP_BUFFER);
+        AssertNotNull(rsaPrivKey = (byte*)XMALLOC(TWOK_BUF, HEAP_HINT,
+                                DYNAMIC_TYPE_TMP_BUFFER));
         rsaPrivKeySz = (word32)sizeof_client_key_der_2048;
         XMEMCPY(rsaPrivKey, client_key_der_2048, rsaPrivKeySz);
 
@@ -14676,13 +14678,14 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
         certFile = fopen(rsaClientCert, "rb");
         AssertNotNull(certFile);
         rsaCertSz = (word32)FOURK_BUF;
-        rsaCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        AssertNotNull(rsaCert =
+                (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER));
         rsaCertSz = (word32)fread(rsaCert, 1, rsaCertSz, certFile);
         fclose(certFile);
         keyFile = fopen(rsaClientKey, "rb");
         AssertNotNull(keyFile);
-        rsaPrivKey = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
-                                DYNAMIC_TYPE_TMP_BUFFER);
+        AssertNotNull(rsaPrivKey = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
+                                DYNAMIC_TYPE_TMP_BUFFER));
         rsaPrivKeySz = (word32)FOURK_BUF;
         rsaPrivKeySz = (word32)fread(rsaPrivKey, 1, rsaPrivKeySz, keyFile);
         fclose(keyFile);
@@ -14694,26 +14697,28 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
     !defined(NO_SHA256) || !defined(NO_SHA512)))
 
     #ifdef USE_CERT_BUFFERS_256
-        eccCert = (byte*)XMALLOC(TWOK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        AssertNotNull(eccCert =
+                (byte*)XMALLOC(TWOK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER));
         /* Init buffer. */
-       eccCertSz = (word32)sizeof_cliecc_cert_der_256;
+        eccCertSz = (word32)sizeof_cliecc_cert_der_256;
         XMEMCPY(eccCert, cliecc_cert_der_256, eccCertSz);
-        eccPrivKey = (byte*)XMALLOC(TWOK_BUF, HEAP_HINT,
-                                DYNAMIC_TYPE_TMP_BUFFER);
+        AssertNotNull(eccPrivKey = (byte*)XMALLOC(TWOK_BUF, HEAP_HINT,
+                                DYNAMIC_TYPE_TMP_BUFFER));
         eccPrivKeySz = (word32)sizeof_ecc_clikey_der_256;
         XMEMCPY(eccPrivKey, ecc_clikey_der_256, eccPrivKeySz);
     #else /* File system. */
         certFile = fopen(eccClientCert, "rb");
         AssertNotNull(certFile);
         eccCertSz = (word32)FOURK_BUF;
-        eccCert = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        AssertNotNull(eccCert =
+                (byte*)XMALLOC(FOURK_BUF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER));
         eccCertSz = (word32)fread(eccCert, 1, eccCertSz, certFile);
         fclose(certFile);
         keyFile = fopen(eccClientKey, "rb");
         AssertNotNull(keyFile);
         eccPrivKeySz = (word32)FOURK_BUF;
-        eccPrivKey = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
-                                DYNAMIC_TYPE_TMP_BUFFER);
+        AssertNotNull(eccPrivKey = (byte*)XMALLOC(FOURK_BUF, HEAP_HINT,
+                                DYNAMIC_TYPE_TMP_BUFFER));
         eccPrivKeySz = (word32)fread(eccPrivKey, 1, eccPrivKeySz, keyFile);
         fclose(keyFile);
     #endif /* USE_CERT_BUFFERS_256 */
@@ -18654,14 +18659,16 @@ static void test_wolfSSL_ASN1_TIME_to_generalizedtime(void){
     printf(testingFmt, "wolfSSL_ASN1_TIME_to_generalizedtime()");
 
     /* UTC Time test */
-    t = (WOLFSSL_ASN1_TIME*)XMALLOC(sizeof(WOLFSSL_ASN1_TIME), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    AssertNotNull(t = (WOLFSSL_ASN1_TIME*)XMALLOC(sizeof(WOLFSSL_ASN1_TIME),
+                NULL, DYNAMIC_TYPE_TMP_BUFFER));
     XMEMSET(t->data, 0, ASN_GENERALIZED_TIME_SIZE);
-    out = (WOLFSSL_ASN1_TIME*)XMALLOC(sizeof(WOLFSSL_ASN1_TIME), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    AssertNotNull(out = (WOLFSSL_ASN1_TIME*)XMALLOC(sizeof(WOLFSSL_ASN1_TIME),
+                NULL, DYNAMIC_TYPE_TMP_BUFFER));
     t->data[0] = ASN_UTC_TIME;
     t->data[1] = ASN_UTC_TIME_SIZE;
     XMEMCPY(t->data + 2,"050727123456Z",ASN_UTC_TIME_SIZE);
 
-    gtime = wolfSSL_ASN1_TIME_to_generalizedtime(t, &out);
+    AssertNotNull(gtime = wolfSSL_ASN1_TIME_to_generalizedtime(t, &out));
     AssertIntEQ(gtime->data[0], ASN_GENERALIZED_TIME);
     AssertIntEQ(gtime->data[1], ASN_GENERALIZED_TIME_SIZE);
     AssertStrEQ((char*)gtime->data + 2, "20050727123456Z");
@@ -18673,7 +18680,7 @@ static void test_wolfSSL_ASN1_TIME_to_generalizedtime(void){
     t->data[0] = ASN_GENERALIZED_TIME;
     t->data[1] = ASN_GENERALIZED_TIME_SIZE;
     XMEMCPY(t->data + 2,"20050727123456Z",ASN_GENERALIZED_TIME_SIZE);
-    gtime = wolfSSL_ASN1_TIME_to_generalizedtime(t, &out);
+    AssertNotNull(gtime = wolfSSL_ASN1_TIME_to_generalizedtime(t, &out));
     AssertIntEQ(gtime->data[0], ASN_GENERALIZED_TIME);
     AssertIntEQ(gtime->data[1], ASN_GENERALIZED_TIME_SIZE);
     AssertStrEQ((char*)gtime->data + 2, "20050727123456Z");
@@ -19757,7 +19764,8 @@ static void test_wolfSSL_i2c_ASN1_INTEGER()
     a->intData[2] = 40;
     ret = wolfSSL_i2c_ASN1_INTEGER(a, NULL);
     AssertIntEQ(ret, 1);
-    pp = (unsigned char*)XMALLOC(ret + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    AssertNotNull(pp = (unsigned char*)XMALLOC(ret + 1, NULL,
+                DYNAMIC_TYPE_TMP_BUFFER));
     tpp = pp;
     XMEMSET(pp, 0, ret + 1);
     wolfSSL_i2c_ASN1_INTEGER(a, &pp); 
@@ -19771,7 +19779,8 @@ static void test_wolfSSL_i2c_ASN1_INTEGER()
     a->intData[2] = 128;
     ret = wolfSSL_i2c_ASN1_INTEGER(a, NULL);
     AssertIntEQ(ret, 2);
-    pp = (unsigned char*)XMALLOC(ret + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    AssertNotNull(pp = (unsigned char*)XMALLOC(ret + 1, NULL,
+                DYNAMIC_TYPE_TMP_BUFFER));
     tpp = pp;
     XMEMSET(pp, 0, ret + 1);
     wolfSSL_i2c_ASN1_INTEGER(a, &pp); 
@@ -19787,7 +19796,8 @@ static void test_wolfSSL_i2c_ASN1_INTEGER()
     a->negative = 1;
     ret = wolfSSL_i2c_ASN1_INTEGER(a, NULL);
     AssertIntEQ(ret, 1);
-    pp = (unsigned char*)XMALLOC(ret + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    AssertNotNull(pp = (unsigned char*)XMALLOC(ret + 1, NULL,
+                DYNAMIC_TYPE_TMP_BUFFER));
     tpp = pp;
     XMEMSET(pp, 0, ret + 1);
     wolfSSL_i2c_ASN1_INTEGER(a, &pp); 
@@ -19802,7 +19812,8 @@ static void test_wolfSSL_i2c_ASN1_INTEGER()
     a->negative = 1;
     ret = wolfSSL_i2c_ASN1_INTEGER(a, NULL);
     AssertIntEQ(ret, 1);
-    pp = (unsigned char*)XMALLOC(ret + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    AssertNotNull(pp = (unsigned char*)XMALLOC(ret + 1, NULL,
+                DYNAMIC_TYPE_TMP_BUFFER));
     tpp = pp;
     XMEMSET(pp, 0, ret + 1);
     wolfSSL_i2c_ASN1_INTEGER(a, &pp); 
@@ -19817,7 +19828,8 @@ static void test_wolfSSL_i2c_ASN1_INTEGER()
     a->negative = 1;
     ret = wolfSSL_i2c_ASN1_INTEGER(a, NULL);
     AssertIntEQ(ret, 2);
-    pp = (unsigned char*)XMALLOC(ret + 1, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    AssertNotNull(pp = (unsigned char*)XMALLOC(ret + 1, NULL,
+            DYNAMIC_TYPE_TMP_BUFFER));
     tpp = pp;
     XMEMSET(pp, 0, ret + 1);
     wolfSSL_i2c_ASN1_INTEGER(a, &pp); 
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index b534468dc..dc7a749d3 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -13009,8 +13009,8 @@ int openssl_test(void)
 
 int openSSL_evpMD_test(void)
 {
+    int ret = 0;
 #if !defined(NO_SHA256) && !defined(NO_SHA)
-    int ret ;
     WOLFSSL_EVP_MD_CTX* ctx;
     WOLFSSL_EVP_MD_CTX* ctx2;
 
@@ -13019,45 +13019,56 @@ int openSSL_evpMD_test(void)
 
     ret = EVP_DigestInit(ctx, EVP_sha256());
     if (ret != SSL_SUCCESS) {
-        return -7600;
+        ret = -7600;
+        goto openSSL_evpMD_test_done;
     }
 
     ret = EVP_MD_CTX_copy(ctx2, ctx);
     if (ret != SSL_SUCCESS) {
-        return -7601;
+        ret = -7601;
+        goto openSSL_evpMD_test_done;
     }
 
     if (EVP_MD_type(EVP_sha256()) != EVP_MD_CTX_type(ctx2)) {
-        return -7602;
+        ret = -7602;
+        goto openSSL_evpMD_test_done;
     }
 
     ret = EVP_DigestInit(ctx, EVP_sha1());
     if (ret != SSL_SUCCESS) {
-        return -7603;
+        ret = -7603;
+        goto openSSL_evpMD_test_done;
     }
 
     if (EVP_MD_type(EVP_sha256()) != EVP_MD_CTX_type(ctx2)) {
-        return -7604;
+        ret = -7604;
+        goto openSSL_evpMD_test_done;
     }
 
     ret = EVP_MD_CTX_copy_ex(ctx2, ctx);
     if (ret != SSL_SUCCESS) {
-        return -7605;
+        ret = -7605;
+        goto openSSL_evpMD_test_done;
     }
 
     if (EVP_MD_type(EVP_sha256()) == EVP_MD_CTX_type(ctx2)) {
-        return -7606;
+        ret = -7606;
+        goto openSSL_evpMD_test_done;
     }
 
     if (EVP_MD_type(EVP_sha1()) != EVP_MD_CTX_type(ctx2)) {
-        return -7607;
+        ret = -7607;
+        goto openSSL_evpMD_test_done;
     }
 
+    ret = 0; /* got to success state without jumping to end with a fail */
+
+openSSL_evpMD_test_done:
     EVP_MD_CTX_destroy(ctx);
     EVP_MD_CTX_destroy(ctx2);
 #endif /* NO_SHA256 */
 
-    return 0;
+    return ret;
 }
 
 #ifdef DEBUG_SIGN
@@ -13078,19 +13089,19 @@ static void show(const char *title, const char *p, unsigned int s) {
 #define ERR_BASE_PKEY -5000
 int openssl_pkey0_test(void)
 {
+    int ret = 0;
 #if !defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(NO_SHA)
     byte*   prvTmp;
     byte*   pubTmp;
     int prvBytes;
     int pubBytes;
-    RSA *prvRsa;
-    RSA *pubRsa;
-    EVP_PKEY *prvPkey;
-    EVP_PKEY *pubPkey;
-    EVP_PKEY_CTX *enc;
-    EVP_PKEY_CTX *dec;
+    RSA *prvRsa = NULL;
+    RSA *pubRsa = NULL;
+    EVP_PKEY *prvPkey = NULL;
+    EVP_PKEY *pubPkey = NULL;
+    EVP_PKEY_CTX *enc = NULL;
+    EVP_PKEY_CTX *dec = NULL;
 
-    int    ret;
     byte   in[] = "Everyone gets Friday off.";
     byte   out[256];
     size_t outlen;
@@ -13107,8 +13118,10 @@ int openssl_pkey0_test(void)
     if (prvTmp == NULL)
         return ERR_BASE_PKEY-1;
     pubTmp = (byte*)XMALLOC(FOURK_BUFF, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
-    if (pubTmp == NULL)
+    if (pubTmp == NULL) {
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
         return ERR_BASE_PKEY-2;
+    }
 
 #ifdef USE_CERT_BUFFERS_1024
     XMEMCPY(prvTmp, client_key_der_1024, sizeof_client_key_der_1024);
@@ -13123,41 +13136,46 @@ int openssl_pkey0_test(void)
 #else
     keyFile = fopen(cliKey, "rb");
     if (!keyFile) {
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
         err_sys("can't open ./certs/client-key.der, "
                 "Please run from wolfSSL home dir", ERR_BASE_PKEY-3);
-        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
         return ERR_BASE_PKEY-3;
     }
     prvBytes = (int)fread(prvTmp, 1, (int)FOURK_BUFF, keyFile);
     fclose(keyFile);
     keypubFile = fopen(cliKeypub, "rb");
     if (!keypubFile) {
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
         err_sys("can't open ./certs/client-cert.der, "
                 "Please run from wolfSSL home dir", -4);
-        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
         return ERR_BASE_PKEY-4;
     }
     pubBytes = (int)fread(pubTmp, 1, (int)FOURK_BUFF, keypubFile);
     fclose(keypubFile);
-    #endif /* USE_CERT_BUFFERS */
+#endif /* USE_CERT_BUFFERS */
 
         prvRsa = wolfSSL_RSA_new();
         pubRsa = wolfSSL_RSA_new();
         if((prvRsa == NULL) || (pubRsa == NULL)){
-          printf("error with RSA_new\n");
-          return ERR_BASE_PKEY-10;
+            printf("error with RSA_new\n");
+            ret = ERR_BASE_PKEY-10;
+            goto openssl_pkey0_test_done;
         }
 
         ret = wolfSSL_RSA_LoadDer_ex(prvRsa, prvTmp, prvBytes, WOLFSSL_RSA_LOAD_PRIVATE);
         if(ret != SSL_SUCCESS){
-          printf("error with RSA_LoadDer_ex\n");
-          return ERR_BASE_PKEY-11;
+            printf("error with RSA_LoadDer_ex\n");
+            ret = ERR_BASE_PKEY-11;
+            goto openssl_pkey0_test_done;
         }
 
         ret = wolfSSL_RSA_LoadDer_ex(pubRsa, pubTmp, pubBytes, WOLFSSL_RSA_LOAD_PUBLIC);
         if(ret != SSL_SUCCESS){
-          printf("error with RSA_LoadDer_ex\n");
-          return ERR_BASE_PKEY-12;
+            printf("error with RSA_LoadDer_ex\n");
+            ret = ERR_BASE_PKEY-12;
+            goto openssl_pkey0_test_done;
         }
         keySz = (size_t)RSA_size(pubRsa);
 
@@ -13165,37 +13183,43 @@ int openssl_pkey0_test(void)
         pubPkey = wolfSSL_PKEY_new();
         if((prvPkey == NULL) || (pubPkey == NULL)){
             printf("error with PKEY_new\n");
-            return ERR_BASE_PKEY-13;
+            ret = ERR_BASE_PKEY-13;
+            goto openssl_pkey0_test_done;
         }
         ret  = wolfSSL_EVP_PKEY_set1_RSA(prvPkey, prvRsa);
         ret += wolfSSL_EVP_PKEY_set1_RSA(pubPkey, pubRsa);
         if(ret != 2){
             printf("error with PKEY_set1_RSA\n");
-            return ERR_BASE_PKEY-14;
+            ret = ERR_BASE_PKEY-14;
+            goto openssl_pkey0_test_done;
         }
 
         dec = EVP_PKEY_CTX_new(prvPkey, NULL);
         enc = EVP_PKEY_CTX_new(pubPkey, NULL);
         if((dec == NULL)||(enc==NULL)){
             printf("error with EVP_PKEY_CTX_new\n");
-            return ERR_BASE_PKEY-15;
+            ret = ERR_BASE_PKEY-15;
+            goto openssl_pkey0_test_done;
         }
 
         ret = EVP_PKEY_decrypt_init(dec);
         if (ret != 1) {
             printf("error with decrypt init\n");
-            return ERR_BASE_PKEY-16;
+            ret = ERR_BASE_PKEY-16;
+            goto openssl_pkey0_test_done;
         }
         ret = EVP_PKEY_encrypt_init(enc);
         if (ret != 1) {
             printf("error with encrypt init\n");
-            return ERR_BASE_PKEY-17;
+            ret = ERR_BASE_PKEY-17;
+            goto openssl_pkey0_test_done;
         }
         XMEMSET(out, 0, sizeof(out));
         ret = EVP_PKEY_encrypt(enc, out, &outlen, in, sizeof(in));
         if (ret != 1) {
             printf("error encrypting msg\n");
-            return ERR_BASE_PKEY-18;
+            ret = ERR_BASE_PKEY-18;
+            goto openssl_pkey0_test_done;
         }
 
         show("encrypted msg", out, outlen);
@@ -13204,7 +13228,8 @@ int openssl_pkey0_test(void)
         ret = EVP_PKEY_decrypt(dec, plain, &outlen, out, keySz);
         if (ret != 1) {
             printf("error decrypting msg\n");
-            return ERR_BASE_PKEY-19;
+            ret = ERR_BASE_PKEY-19;
+            goto openssl_pkey0_test_done;
         }
         show("decrypted msg", plain, outlen);
 
@@ -13212,28 +13237,33 @@ int openssl_pkey0_test(void)
         ret = EVP_PKEY_decrypt_init(dec);
         if (ret != 1) {
             printf("error with decrypt init\n");
-            return ERR_BASE_PKEY-30;
+            ret = ERR_BASE_PKEY-30;
+            goto openssl_pkey0_test_done;
         }
         ret = EVP_PKEY_encrypt_init(enc);
         if (ret != 1) {
             printf("error with encrypt init\n");
-            return ERR_BASE_PKEY-31;
+            ret = ERR_BASE_PKEY-31;
+            goto openssl_pkey0_test_done;
         }
 
         if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_PADDING) <= 0) {
-              printf("first set rsa padding error\n");
-              return ERR_BASE_PKEY-32;
+            printf("first set rsa padding error\n");
+            ret = ERR_BASE_PKEY-32;
+            goto openssl_pkey0_test_done;
         }
 
 #ifndef HAVE_FIPS
         if (EVP_PKEY_CTX_set_rsa_padding(dec, RSA_PKCS1_OAEP_PADDING) <= 0){
             printf("second set rsa padding error\n");
-            return ERR_BASE_PKEY-33;
+            ret = ERR_BASE_PKEY-33;
+            goto openssl_pkey0_test_done;
         }
 
         if (EVP_PKEY_CTX_set_rsa_padding(enc, RSA_PKCS1_OAEP_PADDING) <= 0) {
             printf("third set rsa padding error\n");
-            return ERR_BASE_PKEY-34;
+            ret = ERR_BASE_PKEY-34;
+            goto openssl_pkey0_test_done;
         }
 #endif
 
@@ -13241,7 +13271,8 @@ int openssl_pkey0_test(void)
         ret = EVP_PKEY_encrypt(enc, out, &outlen, in, sizeof(in));
         if (ret != 1) {
             printf("error encrypting msg\n");
-            return ERR_BASE_PKEY-35;
+            ret = ERR_BASE_PKEY-35;
+            goto openssl_pkey0_test_done;
         }
 
         show("encrypted msg", out, outlen);
@@ -13250,11 +13281,14 @@ int openssl_pkey0_test(void)
         ret = EVP_PKEY_decrypt(dec, plain, &outlen, out, keySz);
         if (ret != 1) {
             printf("error decrypting msg\n");
-            return ERR_BASE_PKEY-36;
+            ret = ERR_BASE_PKEY-36;
+            goto openssl_pkey0_test_done;
         }
 
         show("decrypted msg", plain, outlen);
 
+openssl_pkey0_test_done:
+
         wolfSSL_RSA_free(prvRsa);
         wolfSSL_RSA_free(pubRsa);
         EVP_PKEY_free(pubPkey);
@@ -13467,9 +13501,10 @@ int openssl_evpSig_test()
 #else
     keyFile = fopen(cliKey, "rb");
     if (!keyFile) {
+        XFREE(pubTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
         err_sys("can't open ./certs/client-key.der, "
                 "Please run from wolfSSL home dir", -40);
-        XFREE(prvTmp, HEAP_HINT ,DYNAMIC_TYPE_TMP_BUFFER);
         return ERR_BASE_EVPSIG-3;
     }
     prvBytes = (int)fread(prvTmp, 1, (int)FOURK_BUFF, keyFile);

From bade35bd760dd2ecd2234941c8b5843ab4b1df82 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Fri, 15 Jun 2018 16:25:09 -0600
Subject: [PATCH 2/4] update return value

---
 wolfcrypt/test/test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index dc7a749d3..932cf2197 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -13287,6 +13287,7 @@ int openssl_pkey0_test(void)
 
         show("decrypted msg", plain, outlen);
 
+        ret = 0; /* made it to this point without error then set success */
 openssl_pkey0_test_done:
 
         wolfSSL_RSA_free(prvRsa);
@@ -13299,8 +13300,7 @@ openssl_pkey0_test_done:
         XFREE(pubTmp, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
 #endif /* NO_RSA */
 
-        return 0;
-
+        return ret;
 }
 
 

From c98aca32c486009b21031e71f641531b927ff257 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Fri, 15 Jun 2018 17:00:45 -0600
Subject: [PATCH 3/4] static analysis report fixes

---
 src/ssl.c             | 2 +-
 wolfcrypt/src/asn.c   | 4 +++-
 wolfcrypt/src/pkcs7.c | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 1a34d798f..4bd9e1b5e 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -15613,8 +15613,8 @@ WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509)
                 if (wolfSSL_RSA_LoadDer_ex(key->rsa,
                             (const unsigned char*)key->pkey.ptr, key->pkey_sz,
                             WOLFSSL_RSA_LOAD_PUBLIC) != SSL_SUCCESS) {
-                    XFREE(key, x509->heap, DYNAMIC_TYPE_PUBLIC_KEY);
                     wolfSSL_RSA_free(key->rsa);
+                    XFREE(key, x509->heap, DYNAMIC_TYPE_PUBLIC_KEY);
                     return NULL;
                 }
             }
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 500296088..d4ebf7b4d 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -10885,8 +10885,10 @@ static int SignCert(int requestSz, int sType, byte* buffer, word32 buffSz,
 
     sigSz = MakeSignature(certSignCtx, buffer, requestSz, certSignCtx->sig,
         MAX_ENCODED_SIG_SZ, rsaKey, eccKey, ed25519Key, rng, sType, heap);
-    if (sigSz == WC_PENDING_E)
+    if (sigSz == WC_PENDING_E) {
+        XFREE(certSignCtx->sig, heap, DYNAMIC_TYPE_TMP_BUFFER);
         return sigSz;
+    }
 
     if (sigSz >= 0) {
         if (requestSz + MAX_SEQ_SZ * 2 + sigSz > (int)buffSz)
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index 5e7af23da..bbd85b608 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -5048,6 +5048,7 @@ int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
     /* go back and check the version now that attribs have been processed */
     if ((haveAttribs == 0 && version != 0) ||
         (haveAttribs == 1 && version != 2) ) {
+        XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         WOLFSSL_MSG("Wrong PKCS#7 EncryptedData version");
         return ASN_VERSION_E;
     }

From d8e278b6b3afe1dbba8a2dff4f519ef5597794f8 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Mon, 18 Jun 2018 18:15:26 -0600
Subject: [PATCH 4/4] revert free on sig and add comment

---
 wolfcrypt/src/asn.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index d4ebf7b4d..3c74d2f65 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -10886,7 +10886,8 @@ static int SignCert(int requestSz, int sType, byte* buffer, word32 buffSz,
     sigSz = MakeSignature(certSignCtx, buffer, requestSz, certSignCtx->sig,
         MAX_ENCODED_SIG_SZ, rsaKey, eccKey, ed25519Key, rng, sType, heap);
     if (sigSz == WC_PENDING_E) {
-        XFREE(certSignCtx->sig, heap, DYNAMIC_TYPE_TMP_BUFFER);
+        /* Not free'ing certSignCtx->sig here because it could still be in use
+         * with async operations. */
         return sigSz;
     }