Merge pull request #7991 from douzzer/20240917-fixes

20240917-fixes
2024-09-20 15:20:51 +10:00 · 2024-09-20 15:20:51 +10:00 · 8768c55579
parent b9908409d4 5be198fa0e
commit 8768c55579
14 changed files with 231 additions and 107 deletions
--- a/.github/workflows/packaging.yml
+++ b/.github/workflows/packaging.yml
@ -37,8 +37,9 @@ jobs:
      - name: Build wolfSSL .deb
        run: make deb-docker
-      - name: Build wolfSSL .rpm
+# disabled 20240919 -- broken target.
-        run: make rpm-docker
+#      - name: Build wolfSSL .rpm
 #        run: make rpm-docker
      - name: Confirm packages built
        run: |
@ -47,8 +48,9 @@ jobs:
            echo Did not find exactly two deb packages!!!
            exit 1
          fi
-          RPM_COUNT=$(find -name 'wolfssl*.rpm' | wc -l)
+# disabled 20240919 -- broken target.
-          if [ "$RPM_COUNT" != "4" ]; then
+#          RPM_COUNT=$(find -name 'wolfssl*.rpm' | wc -l)
-            echo Did not find exactly four rpm packages!!!
+#          if [ "$RPM_COUNT" != "4" ]; then
-            exit 1
+#            echo Did not find exactly four rpm packages!!!
-          fi
+#            exit 1
 #          fi
--- a/m4/ax_atomic.m4
+++ b/m4/ax_atomic.m4
@ -9,18 +9,20 @@ AC_DEFUN([AC_C___ATOMIC],
      [[int
        main (int argc, char **argv)
        {
-          volatile unsigned long ul1 = 1, ul2 = 0, ul3 = 2;
+          volatile unsigned long ul1 = 1;
          unsigned long ul2 = 0, ul3 = 2;
          __atomic_load_n(&ul1, __ATOMIC_SEQ_CST);
          __atomic_compare_exchange(&ul1, &ul2, &ul3, 1, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
          __atomic_fetch_add(&ul1, 1, __ATOMIC_SEQ_CST);
-          __atomic_fetch_sub(&ul3, 1, __ATOMIC_SEQ_CST);
+          __atomic_fetch_sub(&ul1, 1, __ATOMIC_SEQ_CST);
          __atomic_or_fetch(&ul1, ul2, __ATOMIC_SEQ_CST);
          __atomic_and_fetch(&ul1, ul2, __ATOMIC_SEQ_CST);
-          volatile unsigned long long ull1 = 1, ull2 = 0, ull3 = 2;
+          volatile unsigned long long ull1 = 1;
          unsigned long long ull2 = 0, ull3 = 2;
          __atomic_load_n(&ull1, __ATOMIC_SEQ_CST);
          __atomic_compare_exchange(&ull1, &ull2, &ull3, 1, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
          __atomic_fetch_add(&ull1, 1, __ATOMIC_SEQ_CST);
-          __atomic_fetch_sub(&ull3, 1, __ATOMIC_SEQ_CST);
+          __atomic_fetch_sub(&ull1, 1, __ATOMIC_SEQ_CST);
          __atomic_or_fetch(&ull1, ull2, __ATOMIC_SEQ_CST);
          __atomic_and_fetch(&ull1, ull2, __ATOMIC_SEQ_CST);
          return 0;
--- a/src/dtls13.c
+++ b/src/dtls13.c
@ -71,6 +71,8 @@ typedef struct Dtls13HandshakeHeader {
    byte fragmentLength[3];
 } Dtls13HandshakeHeader;
 static_assert(sizeof(Dtls13HandshakeHeader) == DTLS13_HANDSHAKE_HEADER_SZ);
 /**
 * struct Dtls13Recordplaintextheader: represent header of unprotected DTLSv1.3
 * record
--- a/src/tls13.c
+++ b/src/tls13.c
@ -4165,7 +4165,11 @@ static int EchHashHelloInner(WOLFSSL* ssl, WOLFSSL_ECH* ech)
 {
    int ret;
    HS_Hashes* tmpHashes;
 #ifdef WOLFSSL_DTLS13
    byte falseHeader[DTLS13_HANDSHAKE_HEADER_SZ];
 #else
    byte falseHeader[HANDSHAKE_HEADER_SZ];
 #endif
    if (ssl == NULL || ech == NULL)
        return BAD_FUNC_ARG;
--- a/tests/api.c
+++ b/tests/api.c
@ -532,15 +532,6 @@ int tmpDirNameSet = 0;
 | Constants
 *----------------------------------------------------------------------------*/
 /* Test result constants and macros. */
 /* Test succeeded. */
 #define TEST_SUCCESS    (1)
 /* Test failed. */
 #define TEST_FAIL       (0)
 /* Test skipped - not run. */
 #define TEST_SKIPPED    (-7777)
 /* Returns the result based on whether check is true.
 *
 * @param [in] check  Condition for success.
@ -7291,7 +7282,7 @@ static WC_INLINE int test_ssl_memio_read_cb(WOLFSSL *ssl, char *data, int sz,
 static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx)
 {
-    EXPECT_DECLS;
+    EXPECT_DECLS_NO_MSGS(-2000);
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
    int c_sharedCtx = 0;
    int s_sharedCtx = 0;
@ -7564,7 +7555,7 @@ static int test_ssl_memio_do_handshake(test_ssl_memio_ctx* ctx, int max_rounds,
 static int test_ssl_memio_read_write(test_ssl_memio_ctx* ctx)
 {
-    EXPECT_DECLS;
+    EXPECT_DECLS_NO_MSGS(-3000);
    char input[1024];
    int idx = 0;
    const char* msg_c = "hello wolfssl!";
@ -7653,7 +7644,14 @@ static void test_ssl_memio_cleanup(test_ssl_memio_ctx* ctx)
 int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
    test_ssl_cbf* server_cb, cbType client_on_handshake)
 {
-    EXPECT_DECLS;
+    /* We use EXPECT_DECLS_NO_MSGS() here because this helper routine is used
     * for numerous but varied expected-to-fail scenarios that should not emit
     * error messages on the expected failures.  Instead, we return a distinct
     * code for each failure point, allowing the caller to assert on a
     * particular mode of expected failure.  On success, the usual TEST_SUCCESS
     * is returned.
     */
    EXPECT_DECLS_NO_MSGS(-1000);
    struct test_ssl_memio_ctx test_ctx;
 #ifdef WOLFSSL_HAVE_TLS_UNIQUE
    size_t msg_len;
@ -7665,8 +7663,8 @@ int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
    test_ctx.c_ctx = client_cb->ctx;
    test_ctx.s_ctx = server_cb->ctx;
-    test_ctx.c_cb.return_code = TEST_FAIL;
+    test_ctx.c_cb.return_code = EXPECT_FAILURE_CODEPOINT_ID;
-    test_ctx.s_cb.return_code = TEST_FAIL;
+    test_ctx.s_cb.return_code = EXPECT_FAILURE_CODEPOINT_ID;
    ExpectIntEQ(test_ssl_memio_setup(&test_ctx), TEST_SUCCESS);
    ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
@ -9575,10 +9573,10 @@ static int test_wolfSSL_CTX_verifyDepth_ServerClient_3(void)
     * therefore, handshake becomes failure.
     */
    ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf,
-        &server_cbf, NULL), TEST_FAIL);
+        &server_cbf, NULL), -1001);
-    ExpectIntEQ(client_cbf.return_code, TEST_FAIL);
+    ExpectIntEQ(client_cbf.return_code, -1000);
-    ExpectIntEQ(server_cbf.return_code, TEST_FAIL);
+    ExpectIntEQ(server_cbf.return_code, -1000);
    ExpectIntEQ(client_cbf.last_err, WC_NO_ERR_TRACE(MAX_CHAIN_ERROR));
    ExpectIntEQ(server_cbf.last_err, WC_NO_ERR_TRACE(FATAL_ERROR));
 #endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */
@ -14120,7 +14118,7 @@ static int test_wolfSSL_X509_TLS_version_test_1(void)
 #ifndef OPENSSL_COMPATIBLE_DEFAULTS
    ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
-        &func_cb_server, NULL), TEST_FAIL);
+        &func_cb_server, NULL), -1001);
 #else
    ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
        &func_cb_server, NULL), TEST_SUCCESS);
@ -15009,6 +15007,11 @@ static int test_Sha512_Family_Final(int type, int isRaw)
    hash_test[2] = hash3;
    times = sizeof(hash_test) / sizeof(byte *);
 #if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) || \
        defined(WOLFSSL_NO_HASH_RAW)
    if (finalFp != NULL)
 #endif
    {
        /* Good test args. */
        for (i = 0; i < times; i++) {
            ExpectIntEQ(finalFp(&sha512, hash_test[i]), 0);
@ -15017,6 +15020,7 @@ static int test_Sha512_Family_Final(int type, int isRaw)
        ExpectIntEQ(finalFp(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
        ExpectIntEQ(finalFp(NULL, hash1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
        ExpectIntEQ(finalFp(&sha512, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
    }
    freeFp(&sha512);
@ -61861,7 +61865,7 @@ static int test_wolfSSL_curves_mismatch(void)
        func_cb_server.method = test_params[i].server_meth;
        ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
-            &func_cb_server, NULL), TEST_FAIL);
+            &func_cb_server, NULL), -1001);
        ExpectIntEQ(func_cb_client.last_err, test_params[i].client_last_err);
        ExpectIntEQ(func_cb_server.last_err, test_params[i].server_last_err);
@ -69656,10 +69660,16 @@ static int test_wolfSSL_SESSION_expire_downgrade(void)
 #if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \
    defined(HAVE_EX_DATA) && !defined(NO_SESSION_CACHE)
-static int clientSessRemCountMalloc = 0;
+#ifdef WOLFSSL_ATOMIC_OPS
-static int serverSessRemCountMalloc = 0;
+    typedef wolfSSL_Atomic_Int SessRemCounter_t;
-static int clientSessRemCountFree = 0;
+#else
-static int serverSessRemCountFree = 0;
+    typedef int SessRemCounter_t;
 #endif
 static SessRemCounter_t clientSessRemCountMalloc;
 static SessRemCounter_t serverSessRemCountMalloc;
 static SessRemCounter_t clientSessRemCountFree;
 static SessRemCounter_t serverSessRemCountFree;
 static WOLFSSL_CTX* serverSessCtx = NULL;
 static WOLFSSL_SESSION* serverSess = NULL;
 #if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \
@ -69680,9 +69690,9 @@ static void SessRemCtxCb(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *sess)
    side = (int*)SSL_SESSION_get_ex_data(sess, serverSessRemIdx);
    if (side != NULL) {
        if (*side == WOLFSSL_CLIENT_END)
-            clientSessRemCountFree++;
+            (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountFree, 1);
        else
-            serverSessRemCountFree++;
+            (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountFree, 1);
        SSL_SESSION_set_ex_data(sess, serverSessRemIdx, NULL);
    }
@ -69719,14 +69729,14 @@ static int SessRemSslSetupCb(WOLFSSL* ssl)
    if (SSL_is_server(ssl)) {
        side = &sessRemCtx_Server;
-        serverSessRemCountMalloc++;
+        (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountMalloc, 1);
        ExpectNotNull(serverSess = SSL_get1_session(ssl));
        ExpectIntEQ(SSL_CTX_up_ref(serverSessCtx = SSL_get_SSL_CTX(ssl)),
                SSL_SUCCESS);
    }
    else {
        side = &sessRemCtx_Client;
-        clientSessRemCountMalloc++;
+        (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountMalloc, 1);
    #if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \
        !defined(NO_SESSION_CACHE_REF)
        ExpectNotNull(clientSess = SSL_get1_session(ssl));
@ -69750,6 +69760,11 @@ static int test_wolfSSL_CTX_sess_set_remove_cb(void)
     * session object */
    test_ssl_cbf func_cb;
    wolfSSL_Atomic_Int_Init(&clientSessRemCountMalloc, 0);
    wolfSSL_Atomic_Int_Init(&serverSessRemCountMalloc, 0);
    wolfSSL_Atomic_Int_Init(&clientSessRemCountFree, 0);
    wolfSSL_Atomic_Int_Init(&serverSessRemCountFree, 0);
    XMEMSET(&func_cb, 0, sizeof(func_cb));
    func_cb.ctx_ready = SessRemCtxSetupCb;
    func_cb.on_result = SessRemSslSetupCb;
@ -78615,7 +78630,7 @@ static int test_DhCallbacks(void)
    func_cb_server.method = wolfTLSv1_2_server_method;
    ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
-        &func_cb_server, NULL), TEST_FAIL);
+        &func_cb_server, NULL), -1001);
 #endif
    return EXPECT_RESULT();
 }
@ -85792,7 +85807,7 @@ static int test_multiple_crls_same_issuer(void)
        client_cbs.ctx_ready = test_multiple_crls_same_issuer_ctx_ready;
        ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbs,
-            &server_cbs, NULL), TEST_FAIL);
+            &server_cbs, NULL), -1001);
    }
 #endif
    return EXPECT_RESULT();
@ -90339,7 +90354,7 @@ static int test_wolfSSL_CRL_CERT_REVOKED_alert(void)
    server_cbs.on_cleanup = test_wolfSSL_CRL_CERT_REVOKED_alert_on_cleanup;
    ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbs,
-        &server_cbs, NULL), TEST_FAIL);
+        &server_cbs, NULL), -1001);
    return EXPECT_RESULT();
 }
@ -91146,7 +91161,7 @@ static int test_override_alt_cert_chain(void)
        {test_override_alt_cert_chain_client_ctx_ready,
                test_override_alt_cert_chain_server_ctx_ready, TEST_SUCCESS},
        {test_override_alt_cert_chain_client_ctx_ready2,
-                test_override_alt_cert_chain_server_ctx_ready, TEST_FAIL},
+                test_override_alt_cert_chain_server_ctx_ready, -1001},
    };
    for (i = 0; i < sizeof(params)/sizeof(*params); i++) {
@ -91162,8 +91177,10 @@ static int test_override_alt_cert_chain(void)
        ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbs,
            &server_cbs, NULL), params[i].result);
-        ExpectIntEQ(client_cbs.return_code, params[i].result);
+        ExpectIntEQ(client_cbs.return_code,
-        ExpectIntEQ(server_cbs.return_code, params[i].result);
+                    params[i].result <= 0 ? -1000 : TEST_SUCCESS);
        ExpectIntEQ(server_cbs.return_code,
                    params[i].result <= 0 ? -1000 : TEST_SUCCESS);
    }
    return EXPECT_RESULT();
@ -93766,7 +93783,7 @@ static int test_revoked_loaded_int_cert(void)
        client_cbf.ctx_ready = test_params[i].client_ctx_ready;
        ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf,
-            &server_cbf, NULL), TEST_FAIL);
+            &server_cbf, NULL), -1001);
        ExpectIntEQ(client_cbf.last_err, WC_NO_ERR_TRACE(CRL_CERT_REVOKED));
        ExpectIntEQ(server_cbf.last_err, WC_NO_ERR_TRACE(FATAL_ERROR));
--- a/tests/unit.h
+++ b/tests/unit.h
@ -20,8 +20,8 @@
 */
-#ifndef CyaSSL_UNIT_H
+#ifndef TESTS_UNIT_H
-#define CyaSSL_UNIT_H
+#define TESTS_UNIT_H
 #include <wolfssl/ssl.h>
 #include <wolfssl/test.h>    /* thread and tcp stuff */
@ -121,27 +121,55 @@
 #define AssertPtrGE(x, y) AssertPtr(x, y, >=,  <)
 #define AssertPtrLE(x, y) AssertPtr(x, y, <=,  >)
 #define TEST_FAIL               0
 #define TEST_SUCCESS            1
 #define TEST_SUCCESS_NO_MSGS    2
 #define TEST_SKIPPED            3  /* Test skipped - not run. */
 #define TEST_SKIPPED_NO_MSGS    4  /* Test skipped - not run. */
 #define EXPECT_DECLS \
-    int _ret = TEST_SKIPPED
+    int _ret = TEST_SKIPPED, _fail_codepoint_id = TEST_FAIL
 #define EXPECT_DECLS_NO_MSGS(fail_codepoint_offset)     \
    int _ret = TEST_SKIPPED_NO_MSGS,                    \
        _fail_codepoint_id = (fail_codepoint_offset)
 #define EXPECT_FAILURE_CODEPOINT_ID _fail_codepoint_id
 #define EXPECT_RESULT() \
-    _ret
+    ((void)_fail_codepoint_id,                                          \
     _ret == TEST_SUCCESS_NO_MSGS ? TEST_SUCCESS :                      \
     _ret == TEST_SKIPPED_NO_MSGS ? TEST_SKIPPED :                      \
     _ret)
 #define EXPECT_SUCCESS() \
-    ((_ret == TEST_SUCCESS) || (_ret == TEST_SKIPPED))
+    ((_ret == TEST_SUCCESS) ||                                          \
     (_ret == TEST_SKIPPED) ||                                          \
     (_ret == TEST_SUCCESS_NO_MSGS) ||                                  \
     (_ret == TEST_SKIPPED_NO_MSGS))
 #define EXPECT_FAIL() \
-    (_ret == TEST_FAIL)
+    (! EXPECT_SUCCESS())
 #define ExpFail(description, result) do {                                    \
    if ((_ret == TEST_SUCCESS_NO_MSGS) || (_ret == TEST_SKIPPED_NO_MSGS))    \
        _ret = _fail_codepoint_id;                                           \
    else {                                                                   \
        printf("\nERROR - %s line %d failed with:", __FILE__, __LINE__);     \
        fputs("\n    expected: ", stdout); printf description;               \
-    fputs("\n    result:   ", stdout); printf result; fputs("\n\n", stdout);   \
+        fputs("\n    result:   ", stdout); printf result;                    \
        fputs("\n\n", stdout);                                               \
        fflush(stdout);                                                      \
        _ret = TEST_FAIL;                                                    \
    }                                                                        \
 } while (0)
 #define Expect(test, description, result) do {                               \
-    if (_ret != TEST_FAIL) { if (!(test)) ExpFail(description, result);        \
+    if (EXPECT_SUCCESS()) {                                                  \
-                             else _ret = TEST_SUCCESS; }                       \
+        if (!(test))                                                         \
            ExpFail(description, result);                                    \
        else if (_ret == TEST_SKIPPED_NO_MSGS)                               \
            _ret = TEST_SUCCESS_NO_MSGS;                                     \
        else                                                                 \
            _ret = TEST_SUCCESS;                                             \
    }                                                                        \
    if (_ret == TEST_SUCCESS_NO_MSGS)                                        \
        --_fail_codepoint_id;                                                \
 } while (0)
 #define ExpectTrue(x)    Expect( (x), ("%s is true",     #x), (#x " => FALSE"))
@ -149,14 +177,14 @@
 #define ExpectNotNull(x) Expect( (x), ("%s is not null", #x), (#x " => NULL"))
 #define ExpectNull(x) do {                                                     \
-    if (_ret != TEST_FAIL) {                                                   \
+    if (EXPECT_SUCCESS()) {                                                    \
        PEDANTIC_EXTENSION void* _x = (void*)(x);                              \
        Expect(!_x, ("%s is null", #x), (#x " => %p", _x));                    \
    }                                                                          \
 } while(0)
 #define ExpectInt(x, y, op, er) do {                                           \
-    if (_ret != TEST_FAIL) {                                                   \
+    if (EXPECT_SUCCESS()) {                                                    \
        int _x = (int)(x);                                                     \
        int _y = (int)(y);                                                     \
        Expect(_x op _y, ("%s " #op " %s", #x, #y), ("%d " #er " %d", _x, _y));\
@ -171,7 +199,7 @@
 #define ExpectIntLE(x, y) ExpectInt(x, y, <=,  >)
 #define ExpectStr(x, y, op, er) do {                                           \
-    if (_ret != TEST_FAIL) {                                                   \
+    if (EXPECT_SUCCESS()) {                                                    \
        const char* _x = (const char*)(x);                                     \
        const char* _y = (const char*)(y);                                     \
        int         _z = (_x && _y) ? XSTRCMP(_x, _y) : -1;                    \
@ -188,7 +216,7 @@
 #define ExpectStrLE(x, y) ExpectStr(x, y, <=,  >)
 #define ExpectPtr(x, y, op, er) do {                                           \
-    if (_ret != TEST_FAIL) {                                                   \
+    if (EXPECT_SUCCESS()) {                                                    \
        PRAGMA_DIAG_PUSH                                                       \
          /* remarkably, without this inhibition, */                           \
          /* the _Pragma()s make the declarations warn. */                     \
@ -211,7 +239,7 @@
 #define ExpectPtrLE(x, y) ExpectPtr(x, y, <=,  >)
 #define ExpectBuf(x, y, z, op, er) do {                                        \
-    if (_ret != TEST_FAIL) {                                                   \
+    if (EXPECT_SUCCESS()) {                                                    \
        const byte* _x = (const byte*)(x);                                     \
        const byte* _y = (const byte*)(y);                                     \
        int         _z = (int)(z);                                             \
@ -306,4 +334,4 @@ int w64wrapper_test(void);
 int QuicTest(void);
-#endif /* CyaSSL_UNIT_H */
+#endif /* TESTS_UNIT_H */
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@ -8433,11 +8433,37 @@ exit:
 void bench_rsaKeyGen(int useDeviceID)
 {
    int    k;
-#if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL) && \
+
 #if !defined(RSA_MAX_SIZE) || !defined(RSA_MIN_SIZE)
    static const word32  keySizes[2] = {1024, 2048 };
 #elif RSA_MAX_SIZE >= 4096
    #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) &&      \
        (RSA_MIN_SIZE <= 1024)
-    static const word32  keySizes[2] = {1024, 2048};
+        static const word32  keySizes[4] = {1024, 2048, 3072, 4096 };
-#else
+    #else
        static const word32  keySizes[3] = {2048, 3072, 4096};
    #endif
 #elif RSA_MAX_SIZE >= 3072
    #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) &&      \
        (RSA_MIN_SIZE <= 1024)
        static const word32  keySizes[3] = {1024, 2048, 3072 };
    #else
        static const word32  keySizes[2] = {2048, 3072 };
    #endif
 #elif RSA_MAX_SIZE >= 2048
    #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) &&      \
        (RSA_MIN_SIZE <= 1024)
        static const word32  keySizes[2] = {1024, 2048 };
    #else
        static const word32  keySizes[1] = {2048};
    #endif
 #else
    #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) &&      \
        (RSA_MIN_SIZE <= 1024)
        static const word32  keySizes[1] = {1024 };
    #else
        #error No candidate RSA key sizes to benchmark.
    #endif
 #endif
    for (k = 0; k < (int)(sizeof(keySizes)/sizeof(int)); k++) {
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@ -2323,7 +2323,6 @@ int wc_DhAgree_ct(DhKey* key, byte* agree, word32 *agreeSz, const byte* priv,
        return MEMORY_E;
 #endif
    XMEMSET(agree, 0, requested_agreeSz);
    XMEMSET(agree_buffer, 0, requested_agreeSz);
    ret = wc_DhAgree_Sync(key, agree_buffer, agreeSz, priv, privSz, otherPub,
@ -2340,7 +2339,7 @@ int wc_DhAgree_ct(DhKey* key, byte* agree, word32 *agreeSz, const byte* priv,
        byte *agree_src = agree_buffer + *agreeSz - 1,
            *agree_dst = agree + requested_agreeSz - 1;
        while (agree_dst >= agree) {
-            word32 mask = (agree_src >= agree_buffer) - 1U;;
+            word32 mask = (agree_src >= agree_buffer) - 1U;
            agree_src += (mask & requested_agreeSz);
            *agree_dst-- = *agree_src--;
        }
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@ -856,6 +856,14 @@ enum {
 /* This holds the key settings.
   ***MUST*** be organized by size from smallest to largest. */
 #if !defined(HAVE_FIPS) || FIPS_VERSION3_GE(6,0,0)
    #undef ecc_sets
    #undef ecc_sets_count
 #endif
 #if !defined(HAVE_FIPS) || FIPS_VERSION3_GE(6,0,0)
 static
 #endif
 const ecc_set_type ecc_sets[] = {
 #ifdef ECC112
    #ifndef NO_ECC_SECP
@ -1399,8 +1407,17 @@ const ecc_set_type ecc_sets[] = {
    }
 };
 #define ECC_SET_COUNT   (sizeof(ecc_sets)/sizeof(ecc_set_type))
 #if !defined(HAVE_FIPS) || FIPS_VERSION3_GE(6,0,0)
 static
 #endif
 const size_t ecc_sets_count = ECC_SET_COUNT - 1;
 const ecc_set_type *wc_ecc_get_sets(void) {
    return ecc_sets;
 }
 size_t wc_ecc_get_sets_count(void) {
    return ecc_sets_count;
 }
 #ifdef HAVE_OID_ENCODING
    /* encoded OID cache */
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@ -34481,7 +34481,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ecc_test_buffers(void)
    } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E));
    if (ret < 0)
        ERROR_OUT(WC_TEST_RET_ENC_EC(ret), done);
-TEST_SLEEP();
+    TEST_SLEEP();
    XMEMSET(plain, 0, sizeof(plain));
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -1637,6 +1637,7 @@ enum Misc {
 #endif
    HANDSHAKE_HEADER_SZ   = 4,  /* type + length(3)        */
    DTLS13_HANDSHAKE_HEADER_SZ   = 12, /* sizeof(Dtls13HandshakeHeader) */
    RECORD_HEADER_SZ      = 5,  /* type + version + len(2) */
    CERT_HEADER_SZ        = 3,  /* always 3 bytes          */
    REQ_HEADER_SZ         = 2,  /* cert request header sz  */
--- a/wolfssl/wolfcrypt/ecc.h
+++ b/wolfssl/wolfcrypt/ecc.h
@ -641,8 +641,15 @@ WOLFSSL_ABI WOLFSSL_API void wc_ecc_key_free(ecc_key* key);
 /* ECC predefined curve sets  */
-extern const ecc_set_type ecc_sets[];
+#if defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
-extern const size_t ecc_sets_count;
+    extern const ecc_set_type ecc_sets[];
    extern const size_t ecc_sets_count;
 #else
    WOLFSSL_API const ecc_set_type *wc_ecc_get_sets(void);
    WOLFSSL_API size_t wc_ecc_get_sets_count(void);
    #define ecc_sets wc_ecc_get_sets()
    #define ecc_sets_count wc_ecc_get_sets_count()
 #endif
 WOLFSSL_API
 const char* wc_ecc_get_name(int curve_id);
@ -763,7 +770,7 @@ WOLFSSL_API
 int wc_ecc_set_flags(ecc_key* key, word32 flags);
 WOLFSSL_ABI WOLFSSL_API
 void wc_ecc_fp_free(void);
-WOLFSSL_LOCAL
+WOLFSSL_API
 void wc_ecc_fp_init(void);
 WOLFSSL_API
 int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@ -1694,6 +1694,36 @@ typedef struct w64wrapper {
        #define PRAGMA_DIAG_POP /* null expansion */
    #endif
    #define WC_CPP_CAT_(a, b) a ## b
    #define WC_CPP_CAT(a, b) WC_CPP_CAT_(a, b)
    #if defined(__cplusplus) && (__cplusplus >= 201103L)
        #ifndef static_assert2
            #define static_assert2 static_assert
        #endif
    #elif !defined(static_assert)
        #if !defined(__cplusplus) &&                \
                !defined(__STRICT_ANSI__) &&        \
                !defined(WOLF_C89) &&               \
                defined(__STDC_VERSION__) &&        \
                (__STDC_VERSION__ >= 201112L) &&    \
                ((defined(__GNUC__) &&              \
                  (__GNUC__ >= 5)) ||               \
                 defined(__clang__))
            #define static_assert(expr) _Static_assert(expr, #expr)
            #ifndef static_assert2
                #define static_assert2(expr, msg) _Static_assert(expr, msg)
            #endif
        #else
            #define static_assert(expr) \
                struct WC_CPP_CAT(wc_dummy_struct_L, __LINE__)
            #ifndef static_assert2
                #define static_assert2(expr, msg) static_assert(expr)
            #endif
        #endif
    #elif !defined(static_assert2)
         #define static_assert2(expr, msg) static_assert(expr)
    #endif
    #ifndef SAVE_VECTOR_REGISTERS
        #define SAVE_VECTOR_REGISTERS(...) WC_DO_NOTHING
    #endif
--- a/wolfssl/wolfcrypt/wc_port.h
+++ b/wolfssl/wolfcrypt/wc_port.h
@ -355,11 +355,20 @@
 #endif /* WOLFSSL_NO_ATOMICS */
 #ifdef WOLFSSL_ATOMIC_OPS
-    WOLFSSL_LOCAL void wolfSSL_Atomic_Int_Init(wolfSSL_Atomic_Int* c, int i);
+    WOLFSSL_API void wolfSSL_Atomic_Int_Init(wolfSSL_Atomic_Int* c, int i);
    /* Fetch* functions return the value of the counter immediately preceding
     * the effects of the function. */
-    WOLFSSL_LOCAL int wolfSSL_Atomic_Int_FetchAdd(wolfSSL_Atomic_Int* c, int i);
+    WOLFSSL_API int wolfSSL_Atomic_Int_FetchAdd(wolfSSL_Atomic_Int* c, int i);
-    WOLFSSL_LOCAL int wolfSSL_Atomic_Int_FetchSub(wolfSSL_Atomic_Int* c, int i);
+    WOLFSSL_API int wolfSSL_Atomic_Int_FetchSub(wolfSSL_Atomic_Int* c, int i);
 #else
    /* Code using these fallback macros needs to arrange its own fallback for
     * wolfSSL_Atomic_Int, which is never defined if
     * !defined(WOLFSSL_ATOMIC_OPS).  This forces local awareness of
     * thread-unsafe semantics.
     */
    #define wolfSSL_Atomic_Int_Init(c, i) (*(c) = (i))
    #define wolfSSL_Atomic_Int_FetchAdd(c, i) (*(c) += (i), *(c) - (i))
    #define wolfSSL_Atomic_Int_FetchSub(c, i) (*(c) -= (i), *(c) + (i))
 #endif
 /* Reference counting. */
@ -374,27 +383,7 @@ typedef struct wolfSSL_Ref {
 #endif
 } wolfSSL_Ref;
-#ifdef SINGLE_THREADED
+#if defined(SINGLE_THREADED) || defined(WOLFSSL_ATOMIC_OPS)
 #define wolfSSL_RefInit(ref, err)            \
    do {                                     \
        (ref)->count = 1;                    \
        *(err) = 0;                          \
    } while(0)
 #define wolfSSL_RefFree(ref) WC_DO_NOTHING
    #define wolfSSL_RefInc(ref, err)         \
    do {                                     \
        (ref)->count++;                      \
        *(err) = 0;                          \
    } while(0)
 #define wolfSSL_RefDec(ref, isZero, err)     \
    do {                                     \
        (ref)->count--;                      \
        *(isZero) = ((ref)->count == 0);     \
        *(err) = 0;                          \
    } while(0)
 #elif defined(WOLFSSL_ATOMIC_OPS)
 #define wolfSSL_RefInit(ref, err)            \
    do {                                     \