Address code review comments

julek-wolfssl · julek-wolfssl · commit 4e2f166d0918 · 2026-04-13T10:41:03.000Z
- Close outFile on early return in clu_decrypt.c to fix handle leak
- Fix misleading "Input file does not exist" error message in decrypt
- Add #undef LARGE_TEMP_SZ to prevent macro namespace pollution
- Require path separator after drive letter in Windows absolute path check
- Use dynamic port allocation in OCSP and OCSP-SCGI tests to avoid
  port conflicts
diff --git a/src/crypto/clu_decrypt.c b/src/crypto/clu_decrypt.c
@@ -81,6 +81,7 @@ int wolfCLU_decrypt(int alg, char* mode, byte* pwdKey, byte* key, int size,
     if (length < saltAndIvSize) {
         wolfCLU_LogError("Input file too small (missing salt/IV).");
         XFCLOSE(inFile);
+        XFCLOSE(outFile);
         return DECRYPT_ERROR;
     }
 
diff --git a/src/x509/clu_x509_sign.c b/src/x509/clu_x509_sign.c
@@ -288,6 +288,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
     int  caCertSz = LARGE_TEMP_SZ;
     byte serverKeyBuf[LARGE_TEMP_SZ];
     int  serverKeySz = LARGE_TEMP_SZ;
+    #undef LARGE_TEMP_SZ
 
     if (bioCaKey == NULL || bioAltCaKey == NULL || bioAltSubjPubKey == NULL
         || subject == NULL || outFileName == NULL) {
@@ -1049,7 +1050,9 @@ int wolfCLU_CertSignAppendOut(WOLFCLU_CERT_SIGN* csign, char* out)
          * Matches OpenSSL's ossl_is_absolute_path() behaviour. */
         if (out[0] == '/'
 #ifdef _WIN32
-                || out[0] == '\\' || (out[0] != '\0' && out[1] == ':')
+                || out[0] == '\\'
+                || (isalpha((unsigned char)out[0]) && out[1] == ':'
+                    && (out[2] == '\\' || out[2] == '/'))
 #endif
                 ) {
             s = (char*)XMALLOC(outSz + 1, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
diff --git a/tests/ocsp-scgi/ocsp-scgi-test.py b/tests/ocsp-scgi/ocsp-scgi-test.py
@@ -25,8 +25,11 @@
 
 HAS_OPENSSL = shutil.which("openssl") is not None
 
-SCGI_PORT = 6961
-HTTP_PORT = 8089
+def _find_free_port():
+    """Bind to port 0 to let the OS assign a free ephemeral port."""
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+        s.bind(("127.0.0.1", 0))
+        return s.getsockname()[1]
 
 INDEX_VALID = (
     "V\t991231235959Z\t\t01\tunknown\t"
@@ -74,7 +77,7 @@ class _SCGIProxyHandler(http.server.BaseHTTPRequestHandler):
     """HTTP handler that proxies POST requests to an SCGI backend."""
 
     scgi_host = "127.0.0.1"
-    scgi_port = SCGI_PORT
+    scgi_port = None
 
     def do_POST(self):
         length = int(self.headers.get("Content-Length", 0))
@@ -138,7 +141,9 @@ def setUpClass(cls):
         cls._tmpdir = tempfile.mkdtemp()
         cls._wolfclu_proc = None
         cls._wolfclu_log = None
-        cls._proxy = _HTTPProxy(HTTP_PORT, SCGI_PORT)
+        cls._scgi_port = _find_free_port()
+        cls._http_port = _find_free_port()
+        cls._proxy = _HTTPProxy(cls._http_port, cls._scgi_port)
         cls._proxy.start()
 
     @classmethod
@@ -181,7 +186,7 @@ def _start_responder(self, index_content,
         log_file = open(log_path, "w")
         proc = subprocess.Popen(
             [WOLFSSL_BIN, "ocsp", "-scgi",
-             "-port", str(SCGI_PORT),
+             "-port", str(self._scgi_port),
              "-index", index,
              "-rsigner", rsigner,
              "-rkey", rkey,
@@ -205,7 +210,7 @@ def _ocsp_query(self):
              "-issuer", os.path.join(CERTS_DIR, "ca-cert.pem"),
              "-cert", os.path.join(CERTS_DIR, "server-cert.pem"),
              "-CAfile", os.path.join(CERTS_DIR, "ca-cert.pem"),
-             "-url", f"http://127.0.0.1:{HTTP_PORT}/ocsp"],
+             "-url", f"http://127.0.0.1:{self._http_port}/ocsp"],
             capture_output=True, text=True,
             stdin=subprocess.DEVNULL, timeout=30,
         )
diff --git a/tests/ocsp/ocsp-test.py b/tests/ocsp/ocsp-test.py
@@ -8,6 +8,7 @@
 import os
 import re
 import shutil
+import socket
 import subprocess
 import sys
 import tempfile
@@ -18,7 +19,13 @@
 from wolfclu_test import WOLFSSL_BIN, CERTS_DIR, test_main
 
 HAS_OPENSSL = shutil.which("openssl") is not None
-OCSP_PORT_BASE = 6960
+
+
+def _find_free_port():
+    """Bind to port 0 to let the OS assign a free ephemeral port."""
+    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+        s.bind(("127.0.0.1", 0))
+        return s.getsockname()[1]
 
 INDEX_VALID = (
     "V\t991231235959Z\t\t01\tunknown\t"
@@ -116,7 +123,7 @@ class _OCSPInteropBase(unittest.TestCase):
 
     CLIENT_BIN = None
     RESPONDER_BIN = None
-    PORT = OCSP_PORT_BASE
+    PORT = None
 
     @classmethod
     def setUpClass(cls):
@@ -128,6 +135,7 @@ def setUpClass(cls):
             raise unittest.SkipTest(
                 f"OCSP not supported by {cls.RESPONDER_BIN}")
 
+        cls.PORT = _find_free_port()
         cls._tmpdir = tempfile.mkdtemp()
         cls._responder = None
 
@@ -307,33 +315,29 @@ def test_12_graceful_shutdown(self):
 
 
 # Concrete test classes for each client/responder combination.
-# Each gets a unique port to avoid conflicts if run in parallel.
+# Each gets a dynamically assigned port in setUpClass to avoid conflicts.
 
 class TestWolfsslClientWolfsslResponder(_OCSPInteropBase):
     CLIENT_BIN = WOLFSSL_BIN
     RESPONDER_BIN = WOLFSSL_BIN
-    PORT = OCSP_PORT_BASE
 
 
 @unittest.skipUnless(HAS_OPENSSL, "openssl not available")
 class TestWolfsslClientOpensslResponder(_OCSPInteropBase):
     CLIENT_BIN = WOLFSSL_BIN
     RESPONDER_BIN = "openssl"
-    PORT = OCSP_PORT_BASE + 1
 
 
 @unittest.skipUnless(HAS_OPENSSL, "openssl not available")
 class TestOpensslClientWolfsslResponder(_OCSPInteropBase):
     CLIENT_BIN = "openssl"
     RESPONDER_BIN = WOLFSSL_BIN
-    PORT = OCSP_PORT_BASE + 2
 
 
 @unittest.skipUnless(HAS_OPENSSL, "openssl not available")
 class TestOpensslClientOpensslResponder(_OCSPInteropBase):
     CLIENT_BIN = "openssl"
     RESPONDER_BIN = "openssl"
-    PORT = OCSP_PORT_BASE + 3
 
 
 def load_tests(loader, tests, pattern):

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,7 @@ int wolfCLU_decrypt(int alg, char* mode, byte* pwdKey, byte* key, int size,`
`81`	`81`	`if (length < saltAndIvSize) {`
`82`	`82`	`wolfCLU_LogError("Input file too small (missing salt/IV).");`
`83`	`83`	`XFCLOSE(inFile);`
	`84`	`+ XFCLOSE(outFile);`
`84`	`85`	`return DECRYPT_ERROR;`
`85`	`86`	`}`
`86`	`87`