fixes from CI testing and peer review:

wolfcrypt/src/tfm.c and wolfssl/wolfcrypt/tfm.h: fix for -Wdiscarded-qualifiers in ecc_check_order_minus_1().

wolfssl/wolfcrypt/types.h: in WC_BARRIER(), use XFENCE() too, for best possible barrier.  fixes an ARM32 -Ofast -Wmaybe-uninitialized in blake2s_init_key().

wolfcrypt/src/asn_orig.c: set Stored flag after each allocation of a member that needs it.

wolfcrypt/src/signature.c: in wc_SignatureGetSize(), provide for legacy FIPS non-const-arg wc_ecc_sig_size() and wc_RsaEncryptSize().

Author: douzzer

wolfcrypt/src/asn_orig.c

@@ -3182,6 +3182,7 @@ static int DecodeConstructedOtherName(DecodedCert* cert, const byte* input,
             ret = MEMORY_E;
         }
         else {
+            dnsEntry->nameStored = 1;
             XMEMCPY((void *)(wc_ptr_t)dnsEntry->name, &input[*idx],
                     (size_t)strLen);
             ((char *)(wc_ptr_t)dnsEntry->name)[strLen] = '\0';
@@ -3272,6 +3273,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
                 XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
                 return MEMORY_E;
             }
+            dnsEntry->nameStored = 1;
             dnsEntry->len = strLen;
             XMEMCPY((void *)(wc_ptr_t)dnsEntry->name, &input[idx],
                     (size_t)strLen);
@@ -3317,6 +3319,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
                 XFREE(dirEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
                 return MEMORY_E;
             }
+            dirEntry->nameStored = 1;
             dirEntry->len = strLen;
             XMEMCPY((void *)(wc_ptr_t)dirEntry->name, &input[idx],
                     (size_t)strLen);
@@ -3346,7 +3349,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
                 WOLFSSL_MSG("\tOut of Memory");
                 return MEMORY_E;
             }
-
+            emailEntry->nameStored = 1;
             emailEntry->type = ASN_RFC822_TYPE;
             emailEntry->name = (char*)XMALLOC((size_t)strLen + 1, cert->heap,
                                          DYNAMIC_TYPE_ALTNAME);
@@ -3430,7 +3433,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
                 WOLFSSL_MSG("\tOut of Memory");
                 return MEMORY_E;
             }
-
+            uriEntry->nameStored = 1;
             uriEntry->type = ASN_URI_TYPE;
             uriEntry->name = (char*)XMALLOC((size_t)strLen + 1, cert->heap,
                                          DYNAMIC_TYPE_ALTNAME);
@@ -3474,7 +3477,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
                 WOLFSSL_MSG("\tOut of Memory");
                 return MEMORY_E;
             }
-
+            ipAddr->nameStored = 1;
             ipAddr->type = ASN_IP_TYPE;
             ipAddr->name = (char*)XMALLOC((size_t)strLen + 1, cert->heap,
                                          DYNAMIC_TYPE_ALTNAME);
@@ -3534,6 +3537,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
                 XFREE(rid, cert->heap, DYNAMIC_TYPE_ALTNAME);
                 return MEMORY_E;
             }
+            rid->nameStored = 1;
             rid->len = strLen;
             XMEMCPY((void *)(wc_ptr_t)rid->name, &input[idx], strLen);
             ((char *)(wc_ptr_t)rid->name)[strLen] = '\0';

wolfcrypt/src/signature.c

@@ -95,7 +95,11 @@ int wc_SignatureGetSize(enum wc_SignatureType sig_type,
 #ifdef HAVE_ECC
             /* Sanity check that void* key is at least ecc_key in size */
             if (key_len >= sizeof(ecc_key)) {
+#if defined(HAVE_SELFTEST) || (defined(HAVE_FIPS) && FIPS_VERSION3_LT(5,0,0))
+                sig_len = wc_ecc_sig_size((ecc_key*)(wc_ptr_t)key);
+#else
                 sig_len = wc_ecc_sig_size((const ecc_key*)key);
+#endif
             }
             else {
                 WOLFSSL_MSG("wc_SignatureGetSize: Invalid ECC key size");
@@ -110,7 +114,11 @@ int wc_SignatureGetSize(enum wc_SignatureType sig_type,
 #ifndef NO_RSA
             /* Sanity check that void* key is at least RsaKey in size */
             if (key_len >= sizeof(RsaKey)) {
+#if defined(HAVE_SELFTEST) || (defined(HAVE_FIPS) && FIPS_VERSION3_LT(5,0,0))
+                sig_len = wc_RsaEncryptSize((RsaKey*)(wc_ptr_t)key);
+#else
                 sig_len = wc_RsaEncryptSize((const RsaKey*)key);
+#endif
             }
             else {
                 WOLFSSL_MSG("wc_SignatureGetSize: Invalid RsaKey key size");

wolfcrypt/src/tfm.c

@@ -4540,9 +4540,9 @@ int mp_exptmod_nct (mp_int * G, mp_int * X, mp_int * P, mp_int * Y)
 
 
 /* compare two ints (signed)*/
-int mp_cmp (mp_int * a, mp_int * b)
+int mp_cmp (const mp_int * a, const mp_int * b)
 {
-  return fp_cmp(a, b);
+  return fp_cmp((mp_int *)a, (mp_int *)b);
 }
 
 /* compare a digit */

wolfssl/wolfcrypt/tfm.h

@@ -843,7 +843,7 @@ MP_API int  mp_2expt(mp_int* a, int b);
 
 MP_API int  mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d);
 
-MP_API int  mp_cmp(mp_int *a, mp_int *b);
+MP_API int  mp_cmp(const mp_int *a, const mp_int *b);
 #define mp_cmp_ct(a, b, n) mp_cmp(a, b)
 MP_API int  mp_cmp_d(mp_int *a, mp_digit b);
 

wolfssl/wolfcrypt/types.h

@@ -489,7 +489,11 @@ enum {
     static WC_INLINE WARN_UNUSED_RESULT int WC_WUR_INT(int x) { return x; }
 #endif
 
-#define WC_BARRIER() do { volatile byte _xfence = 0; (void)_xfence; } while(0)
+/* XFENCE() is a no-op on some targets.  WC_BARRIER() uses C89 intrinsics as an
+ * additional portable barrier.
+ */
+#define WC_BARRIER() do { volatile byte _xfence = 0; (void)_xfence; XFENCE(); \
+        } while(0)
 
 #ifdef WORD64_AVAILABLE
     #define WC_MAX_UINT_OF(x)                                        \