From 072c5311a568fdec3f2bd92d04f3173cfcf5b937 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Wed, 18 Sep 2024 16:24:55 -0500
Subject: [PATCH] m4/ax_atomic.m4: fixes for C++ compatibility.

wolfssl/wolfcrypt/wc_port.h: add WOLFSSL_API attribute to wolfSSL_Atomic_Int_Init, wolfSSL_Atomic_Int_FetchAdd, and wolfSSL_Atomic_Int_FetchAdd, and add fallback definitions for them, allowing elimination of SINGLE_THREADED implementations of wolfSSL_Ref*(), and allowing ungated use of wolfSSL_Atomic_* calls in api.c.

wolfcrypt/src/dh.c: in wc_DhAgree_ct(), remove frivolous XMEMSET() and stray semicolon.

wolfcrypt/benchmark/benchmark.c: fix bench_rsaKeyGen() to skip tests of key sizes below RSA_MIN_SIZE, and add 4096 bit benchmark if RSA_MAX_SIZE is big enough.

tests/unit.h:
* adopt definitions of TEST_FAIL, TEST_SUCCESS, and TEST_SKIPPED from unit.c, remap TEST_SKIPPED from -7777 to 3, and add TEST_SUCCESS_NO_MSGS, TEST_SKIPPED_NO_MSGS, EXPECT_DECLS_NO_MSGS(), and EXPECT_FAILURE_CODEPOINT_ID, to support existing and future expected-particular-failure test cases without log noise.
* rename outer gate from CyaSSL_UNIT_H to TESTS_UNIT_H.

tests/api.c:
* use EXPECT_DECLS_NO_MSGS() in test_ssl_memio_setup(), test_ssl_memio_read_write(), and test_wolfSSL_client_server_nofail_memio(), and globally update affected expected error codes to correspond.
* use atomics for {client,server}SessRemCount{Malloc,free} to fix races in SessRemCtxCb() and SessRemSslSetupCb().
---
 m4/ax_atomic.m4                 | 10 +++--
 tests/api.c                     | 79 +++++++++++++++++++--------------
 tests/unit.h                    | 70 ++++++++++++++++++++---------
 wolfcrypt/benchmark/benchmark.c | 27 +++++++++--
 wolfcrypt/src/dh.c              |  3 +-
 wolfssl/wolfcrypt/wc_port.h     | 37 ++++++---------
 6 files changed, 137 insertions(+), 89 deletions(-)

diff --git a/m4/ax_atomic.m4 b/m4/ax_atomic.m4
index b1fa58753..d8c8d0d2c 100644
--- a/m4/ax_atomic.m4
+++ b/m4/ax_atomic.m4
@@ -9,18 +9,20 @@ AC_DEFUN([AC_C___ATOMIC],
       [[int
         main (int argc, char **argv)
         {
-          volatile unsigned long ul1 = 1, ul2 = 0, ul3 = 2;
+          volatile unsigned long ul1 = 1;
+          unsigned long ul2 = 0, ul3 = 2;
           __atomic_load_n(&ul1, __ATOMIC_SEQ_CST);
           __atomic_compare_exchange(&ul1, &ul2, &ul3, 1, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
           __atomic_fetch_add(&ul1, 1, __ATOMIC_SEQ_CST);
-          __atomic_fetch_sub(&ul3, 1, __ATOMIC_SEQ_CST);
+          __atomic_fetch_sub(&ul1, 1, __ATOMIC_SEQ_CST);
           __atomic_or_fetch(&ul1, ul2, __ATOMIC_SEQ_CST);
           __atomic_and_fetch(&ul1, ul2, __ATOMIC_SEQ_CST);
-          volatile unsigned long long ull1 = 1, ull2 = 0, ull3 = 2;
+          volatile unsigned long long ull1 = 1;
+          unsigned long long ull2 = 0, ull3 = 2;
           __atomic_load_n(&ull1, __ATOMIC_SEQ_CST);
           __atomic_compare_exchange(&ull1, &ull2, &ull3, 1, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
           __atomic_fetch_add(&ull1, 1, __ATOMIC_SEQ_CST);
-          __atomic_fetch_sub(&ull3, 1, __ATOMIC_SEQ_CST);
+          __atomic_fetch_sub(&ull1, 1, __ATOMIC_SEQ_CST);
           __atomic_or_fetch(&ull1, ull2, __ATOMIC_SEQ_CST);
           __atomic_and_fetch(&ull1, ull2, __ATOMIC_SEQ_CST);
           return 0;
diff --git a/tests/api.c b/tests/api.c
index 4df1c32ba..2c7804d62 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -532,15 +532,6 @@ int tmpDirNameSet = 0;
  | Constants
  *----------------------------------------------------------------------------*/
 
-/* Test result constants and macros. */
-
-/* Test succeeded. */
-#define TEST_SUCCESS    (1)
-/* Test failed. */
-#define TEST_FAIL       (0)
-/* Test skipped - not run. */
-#define TEST_SKIPPED    (-7777)
-
 /* Returns the result based on whether check is true.
  *
  * @param [in] check  Condition for success.
@@ -7291,7 +7282,7 @@ static WC_INLINE int test_ssl_memio_read_cb(WOLFSSL *ssl, char *data, int sz,
 
 static WC_INLINE int test_ssl_memio_setup(test_ssl_memio_ctx *ctx)
 {
-    EXPECT_DECLS;
+    EXPECT_DECLS_NO_MSGS(-2000);
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
     int c_sharedCtx = 0;
     int s_sharedCtx = 0;
@@ -7564,7 +7555,7 @@ static int test_ssl_memio_do_handshake(test_ssl_memio_ctx* ctx, int max_rounds,
 
 static int test_ssl_memio_read_write(test_ssl_memio_ctx* ctx)
 {
-    EXPECT_DECLS;
+    EXPECT_DECLS_NO_MSGS(-3000);
     char input[1024];
     int idx = 0;
     const char* msg_c = "hello wolfssl!";
@@ -7653,7 +7644,14 @@ static void test_ssl_memio_cleanup(test_ssl_memio_ctx* ctx)
 int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
     test_ssl_cbf* server_cb, cbType client_on_handshake)
 {
-    EXPECT_DECLS;
+    /* We use EXPECT_DECLS_NO_MSGS() here because this helper routine is used
+     * for numerous but varied expected-to-fail scenarios that should not emit
+     * error messages on the expected failures.  Instead, we return a distinct
+     * code for each failure point, allowing the caller to assert on a
+     * particular mode of expected failure.  On success, the usual TEST_SUCCESS
+     * is returned.
+     */
+    EXPECT_DECLS_NO_MSGS(-1000);
     struct test_ssl_memio_ctx test_ctx;
 #ifdef WOLFSSL_HAVE_TLS_UNIQUE
     size_t msg_len;
@@ -7665,8 +7663,8 @@ int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
 
     test_ctx.c_ctx = client_cb->ctx;
     test_ctx.s_ctx = server_cb->ctx;
-    test_ctx.c_cb.return_code = TEST_FAIL;
-    test_ctx.s_cb.return_code = TEST_FAIL;
+    test_ctx.c_cb.return_code = EXPECT_FAILURE_CODEPOINT_ID;
+    test_ctx.s_cb.return_code = EXPECT_FAILURE_CODEPOINT_ID;
 
     ExpectIntEQ(test_ssl_memio_setup(&test_ctx), TEST_SUCCESS);
     ExpectIntEQ(test_ssl_memio_do_handshake(&test_ctx, 10, NULL), TEST_SUCCESS);
@@ -9575,10 +9573,10 @@ static int test_wolfSSL_CTX_verifyDepth_ServerClient_3(void)
      * therefore, handshake becomes failure.
      */
     ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf,
-        &server_cbf, NULL), TEST_FAIL);
+        &server_cbf, NULL), -1001);
 
-    ExpectIntEQ(client_cbf.return_code, TEST_FAIL);
-    ExpectIntEQ(server_cbf.return_code, TEST_FAIL);
+    ExpectIntEQ(client_cbf.return_code, -1000);
+    ExpectIntEQ(server_cbf.return_code, -1000);
     ExpectIntEQ(client_cbf.last_err, WC_NO_ERR_TRACE(MAX_CHAIN_ERROR));
     ExpectIntEQ(server_cbf.last_err, WC_NO_ERR_TRACE(FATAL_ERROR));
 #endif /* OPENSSL_EXTRA && HAVE_SSL_MEMIO_TESTS_DEPENDENCIES */
@@ -14120,7 +14118,7 @@ static int test_wolfSSL_X509_TLS_version_test_1(void)
 
 #ifndef OPENSSL_COMPATIBLE_DEFAULTS
     ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
-        &func_cb_server, NULL), TEST_FAIL);
+        &func_cb_server, NULL), -1001);
 #else
     ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
         &func_cb_server, NULL), TEST_SUCCESS);
@@ -61861,7 +61859,7 @@ static int test_wolfSSL_curves_mismatch(void)
         func_cb_server.method = test_params[i].server_meth;
 
         ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
-            &func_cb_server, NULL), TEST_FAIL);
+            &func_cb_server, NULL), -1001);
         ExpectIntEQ(func_cb_client.last_err, test_params[i].client_last_err);
         ExpectIntEQ(func_cb_server.last_err, test_params[i].server_last_err);
 
@@ -69656,10 +69654,16 @@ static int test_wolfSSL_SESSION_expire_downgrade(void)
 
 #if defined(OPENSSL_EXTRA) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \
     defined(HAVE_EX_DATA) && !defined(NO_SESSION_CACHE)
-static int clientSessRemCountMalloc = 0;
-static int serverSessRemCountMalloc = 0;
-static int clientSessRemCountFree = 0;
-static int serverSessRemCountFree = 0;
+#ifdef WOLFSSL_ATOMIC_OPS
+    typedef wolfSSL_Atomic_Int SessRemCounter_t;
+#else
+    typedef int SessRemCounter_t;
+#endif
+static SessRemCounter_t clientSessRemCountMalloc;
+static SessRemCounter_t serverSessRemCountMalloc;
+static SessRemCounter_t clientSessRemCountFree;
+static SessRemCounter_t serverSessRemCountFree;
+
 static WOLFSSL_CTX* serverSessCtx = NULL;
 static WOLFSSL_SESSION* serverSess = NULL;
 #if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \
@@ -69680,9 +69684,9 @@ static void SessRemCtxCb(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *sess)
     side = (int*)SSL_SESSION_get_ex_data(sess, serverSessRemIdx);
     if (side != NULL) {
         if (*side == WOLFSSL_CLIENT_END)
-            clientSessRemCountFree++;
+            (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountFree, 1);
         else
-            serverSessRemCountFree++;
+            (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountFree, 1);
 
         SSL_SESSION_set_ex_data(sess, serverSessRemIdx, NULL);
     }
@@ -69719,14 +69723,14 @@ static int SessRemSslSetupCb(WOLFSSL* ssl)
 
     if (SSL_is_server(ssl)) {
         side = &sessRemCtx_Server;
-        serverSessRemCountMalloc++;
+        (void)wolfSSL_Atomic_Int_FetchAdd(&serverSessRemCountMalloc, 1);
         ExpectNotNull(serverSess = SSL_get1_session(ssl));
         ExpectIntEQ(SSL_CTX_up_ref(serverSessCtx = SSL_get_SSL_CTX(ssl)),
                 SSL_SUCCESS);
     }
     else {
         side = &sessRemCtx_Client;
-        clientSessRemCountMalloc++;
+        (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountMalloc, 1);
     #if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \
         !defined(NO_SESSION_CACHE_REF)
         ExpectNotNull(clientSess = SSL_get1_session(ssl));
@@ -69750,6 +69754,11 @@ static int test_wolfSSL_CTX_sess_set_remove_cb(void)
      * session object */
     test_ssl_cbf func_cb;
 
+    wolfSSL_Atomic_Int_Init(&clientSessRemCountMalloc, 0);
+    wolfSSL_Atomic_Int_Init(&serverSessRemCountMalloc, 0);
+    wolfSSL_Atomic_Int_Init(&clientSessRemCountFree, 0);
+    wolfSSL_Atomic_Int_Init(&serverSessRemCountFree, 0);
+
     XMEMSET(&func_cb, 0, sizeof(func_cb));
     func_cb.ctx_ready = SessRemCtxSetupCb;
     func_cb.on_result = SessRemSslSetupCb;
@@ -78615,7 +78624,7 @@ static int test_DhCallbacks(void)
     func_cb_server.method = wolfTLSv1_2_server_method;
 
     ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client,
-        &func_cb_server, NULL), TEST_FAIL);
+        &func_cb_server, NULL), -1001);
 #endif
     return EXPECT_RESULT();
 }
@@ -85792,7 +85801,7 @@ static int test_multiple_crls_same_issuer(void)
         client_cbs.ctx_ready = test_multiple_crls_same_issuer_ctx_ready;
 
         ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbs,
-            &server_cbs, NULL), TEST_FAIL);
+            &server_cbs, NULL), -1001);
     }
 #endif
     return EXPECT_RESULT();
@@ -90339,7 +90348,7 @@ static int test_wolfSSL_CRL_CERT_REVOKED_alert(void)
     server_cbs.on_cleanup = test_wolfSSL_CRL_CERT_REVOKED_alert_on_cleanup;
 
     ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbs,
-        &server_cbs, NULL), TEST_FAIL);
+        &server_cbs, NULL), -1001);
 
     return EXPECT_RESULT();
 }
@@ -91146,7 +91155,7 @@ static int test_override_alt_cert_chain(void)
         {test_override_alt_cert_chain_client_ctx_ready,
                 test_override_alt_cert_chain_server_ctx_ready, TEST_SUCCESS},
         {test_override_alt_cert_chain_client_ctx_ready2,
-                test_override_alt_cert_chain_server_ctx_ready, TEST_FAIL},
+                test_override_alt_cert_chain_server_ctx_ready, -1001},
     };
 
     for (i = 0; i < sizeof(params)/sizeof(*params); i++) {
@@ -91162,8 +91171,10 @@ static int test_override_alt_cert_chain(void)
         ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbs,
             &server_cbs, NULL), params[i].result);
 
-        ExpectIntEQ(client_cbs.return_code, params[i].result);
-        ExpectIntEQ(server_cbs.return_code, params[i].result);
+        ExpectIntEQ(client_cbs.return_code,
+                    params[i].result <= 0 ? -1000 : TEST_SUCCESS);
+        ExpectIntEQ(server_cbs.return_code,
+                    params[i].result <= 0 ? -1000 : TEST_SUCCESS);
     }
 
     return EXPECT_RESULT();
@@ -93766,7 +93777,7 @@ static int test_revoked_loaded_int_cert(void)
         client_cbf.ctx_ready = test_params[i].client_ctx_ready;
 
         ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbf,
-            &server_cbf, NULL), TEST_FAIL);
+            &server_cbf, NULL), -1001);
         ExpectIntEQ(client_cbf.last_err, WC_NO_ERR_TRACE(CRL_CERT_REVOKED));
         ExpectIntEQ(server_cbf.last_err, WC_NO_ERR_TRACE(FATAL_ERROR));
 
diff --git a/tests/unit.h b/tests/unit.h
index f63c4bd63..63825bc23 100644
--- a/tests/unit.h
+++ b/tests/unit.h
@@ -20,8 +20,8 @@
  */
 
 
-#ifndef CyaSSL_UNIT_H
-#define CyaSSL_UNIT_H
+#ifndef TESTS_UNIT_H
+#define TESTS_UNIT_H
 
 #include <wolfssl/ssl.h>
 #include <wolfssl/test.h>    /* thread and tcp stuff */
@@ -121,27 +121,55 @@
 #define AssertPtrGE(x, y) AssertPtr(x, y, >=,  <)
 #define AssertPtrLE(x, y) AssertPtr(x, y, <=,  >)
 
+#define TEST_FAIL               0
+#define TEST_SUCCESS            1
+#define TEST_SUCCESS_NO_MSGS    2
+#define TEST_SKIPPED            3  /* Test skipped - not run. */
+#define TEST_SKIPPED_NO_MSGS    4  /* Test skipped - not run. */
 
 #define EXPECT_DECLS \
-    int _ret = TEST_SKIPPED
+    int _ret = TEST_SKIPPED, _fail_codepoint_id = TEST_FAIL
+#define EXPECT_DECLS_NO_MSGS(fail_codepoint_offset)     \
+    int _ret = TEST_SKIPPED_NO_MSGS,                    \
+        _fail_codepoint_id = (fail_codepoint_offset)
+#define EXPECT_FAILURE_CODEPOINT_ID _fail_codepoint_id
 #define EXPECT_RESULT() \
-    _ret
+    ((void)_fail_codepoint_id,                                          \
+     _ret == TEST_SUCCESS_NO_MSGS ? TEST_SUCCESS :                      \
+     _ret == TEST_SKIPPED_NO_MSGS ? TEST_SKIPPED :                      \
+     _ret)
 #define EXPECT_SUCCESS() \
-    ((_ret == TEST_SUCCESS) || (_ret == TEST_SKIPPED))
+    ((_ret == TEST_SUCCESS) ||                                          \
+     (_ret == TEST_SKIPPED) ||                                          \
+     (_ret == TEST_SUCCESS_NO_MSGS) ||                                  \
+     (_ret == TEST_SKIPPED_NO_MSGS))
 #define EXPECT_FAIL() \
-    (_ret == TEST_FAIL)
+    (! EXPECT_SUCCESS())
 
-#define ExpFail(description, result) do {                                      \
-    printf("\nERROR - %s line %d failed with:", __FILE__, __LINE__);           \
-    fputs("\n    expected: ", stdout); printf description;                     \
-    fputs("\n    result:   ", stdout); printf result; fputs("\n\n", stdout);   \
-    fflush(stdout);                                                            \
-    _ret = TEST_FAIL;                                                          \
+#define ExpFail(description, result) do {                                    \
+    if ((_ret == TEST_SUCCESS_NO_MSGS) || (_ret == TEST_SKIPPED_NO_MSGS))    \
+        _ret = _fail_codepoint_id;                                           \
+    else {                                                                   \
+        printf("\nERROR - %s line %d failed with:", __FILE__, __LINE__);     \
+        fputs("\n    expected: ", stdout); printf description;               \
+        fputs("\n    result:   ", stdout); printf result;                    \
+        fputs("\n\n", stdout);                                               \
+        fflush(stdout);                                                      \
+        _ret = TEST_FAIL;                                                    \
+    }                                                                        \
 } while (0)
 
-#define Expect(test, description, result) do {                                 \
-    if (_ret != TEST_FAIL) { if (!(test)) ExpFail(description, result);        \
-                             else _ret = TEST_SUCCESS; }                       \
+#define Expect(test, description, result) do {                               \
+    if (EXPECT_SUCCESS()) {                                                  \
+        if (!(test))                                                         \
+            ExpFail(description, result);                                    \
+        else if (_ret == TEST_SKIPPED_NO_MSGS)                               \
+            _ret = TEST_SUCCESS_NO_MSGS;                                     \
+        else                                                                 \
+            _ret = TEST_SUCCESS;                                             \
+    }                                                                        \
+    if (_ret == TEST_SUCCESS_NO_MSGS)                                        \
+        --_fail_codepoint_id;                                                \
 } while (0)
 
 #define ExpectTrue(x)    Expect( (x), ("%s is true",     #x), (#x " => FALSE"))
@@ -149,14 +177,14 @@
 #define ExpectNotNull(x) Expect( (x), ("%s is not null", #x), (#x " => NULL"))
 
 #define ExpectNull(x) do {                                                     \
-    if (_ret != TEST_FAIL) {                                                   \
+    if (EXPECT_SUCCESS()) {                                                    \
         PEDANTIC_EXTENSION void* _x = (void*)(x);                              \
         Expect(!_x, ("%s is null", #x), (#x " => %p", _x));                    \
     }                                                                          \
 } while(0)
 
 #define ExpectInt(x, y, op, er) do {                                           \
-    if (_ret != TEST_FAIL) {                                                   \
+    if (EXPECT_SUCCESS()) {                                                    \
         int _x = (int)(x);                                                     \
         int _y = (int)(y);                                                     \
         Expect(_x op _y, ("%s " #op " %s", #x, #y), ("%d " #er " %d", _x, _y));\
@@ -171,7 +199,7 @@
 #define ExpectIntLE(x, y) ExpectInt(x, y, <=,  >)
 
 #define ExpectStr(x, y, op, er) do {                                           \
-    if (_ret != TEST_FAIL) {                                                   \
+    if (EXPECT_SUCCESS()) {                                                    \
         const char* _x = (const char*)(x);                                     \
         const char* _y = (const char*)(y);                                     \
         int         _z = (_x && _y) ? XSTRCMP(_x, _y) : -1;                    \
@@ -188,7 +216,7 @@
 #define ExpectStrLE(x, y) ExpectStr(x, y, <=,  >)
 
 #define ExpectPtr(x, y, op, er) do {                                           \
-    if (_ret != TEST_FAIL) {                                                   \
+    if (EXPECT_SUCCESS()) {                                                    \
         PRAGMA_DIAG_PUSH                                                       \
           /* remarkably, without this inhibition, */                           \
           /* the _Pragma()s make the declarations warn. */                     \
@@ -211,7 +239,7 @@
 #define ExpectPtrLE(x, y) ExpectPtr(x, y, <=,  >)
 
 #define ExpectBuf(x, y, z, op, er) do {                                        \
-    if (_ret != TEST_FAIL) {                                                   \
+    if (EXPECT_SUCCESS()) {                                                    \
         const byte* _x = (const byte*)(x);                                     \
         const byte* _y = (const byte*)(y);                                     \
         int         _z = (int)(z);                                             \
@@ -306,4 +334,4 @@ int w64wrapper_test(void);
 int QuicTest(void);
 
 
-#endif /* CyaSSL_UNIT_H */
+#endif /* TESTS_UNIT_H */
diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
index fd65b89ac..a4c119fe9 100644
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@@ -8433,11 +8433,30 @@ exit:
 void bench_rsaKeyGen(int useDeviceID)
 {
     int    k;
-#if !defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL) && \
-    (RSA_MIN_SIZE <= 1024)
-    static const word32  keySizes[2] = {1024, 2048};
+
+#if !defined(RSA_MAX_SIZE) || !defined(RSA_MIN_SIZE)
+    static const word32  keySizes[2] = {1024, 2048 };
+#elif RSA_MAX_SIZE >= 4096
+    #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) &&      \
+        (RSA_MIN_SIZE <= 1024)
+        static const word32  keySizes[3] = {1024, 2048, 4096 };
+    #else
+        static const word32  keySizes[2] = {2048, 4096};
+    #endif
+#elif RSA_MAX_SIZE >= 2048
+    #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) &&      \
+        (RSA_MIN_SIZE <= 1024)
+        static const word32  keySizes[2] = {1024, 2048 };
+    #else
+        static const word32  keySizes[1] = {2048};
+    #endif
 #else
-    static const word32  keySizes[1] = {2048};
+    #if (!defined(WOLFSSL_SP_MATH) || defined(WOLFSSL_SP_MATH_ALL)) &&      \
+        (RSA_MIN_SIZE <= 1024)
+        static const word32  keySizes[1] = {1024 };
+    #else
+        #error No candidate RSA key sizes to benchmark.
+    #endif
 #endif
 
     for (k = 0; k < (int)(sizeof(keySizes)/sizeof(int)); k++) {
diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c
index 96000d4be..c830d7a91 100644
--- a/wolfcrypt/src/dh.c
+++ b/wolfcrypt/src/dh.c
@@ -2323,7 +2323,6 @@ int wc_DhAgree_ct(DhKey* key, byte* agree, word32 *agreeSz, const byte* priv,
         return MEMORY_E;
 #endif
 
-    XMEMSET(agree, 0, requested_agreeSz);
     XMEMSET(agree_buffer, 0, requested_agreeSz);
 
     ret = wc_DhAgree_Sync(key, agree_buffer, agreeSz, priv, privSz, otherPub,
@@ -2340,7 +2339,7 @@ int wc_DhAgree_ct(DhKey* key, byte* agree, word32 *agreeSz, const byte* priv,
         byte *agree_src = agree_buffer + *agreeSz - 1,
             *agree_dst = agree + requested_agreeSz - 1;
         while (agree_dst >= agree) {
-            word32 mask = (agree_src >= agree_buffer) - 1U;;
+            word32 mask = (agree_src >= agree_buffer) - 1U;
             agree_src += (mask & requested_agreeSz);
             *agree_dst-- = *agree_src--;
         }
diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h
index cb36bfe7d..433376894 100644
--- a/wolfssl/wolfcrypt/wc_port.h
+++ b/wolfssl/wolfcrypt/wc_port.h
@@ -355,11 +355,20 @@
 #endif /* WOLFSSL_NO_ATOMICS */
 
 #ifdef WOLFSSL_ATOMIC_OPS
-    WOLFSSL_LOCAL void wolfSSL_Atomic_Int_Init(wolfSSL_Atomic_Int* c, int i);
+    WOLFSSL_API void wolfSSL_Atomic_Int_Init(wolfSSL_Atomic_Int* c, int i);
     /* Fetch* functions return the value of the counter immediately preceding
      * the effects of the function. */
-    WOLFSSL_LOCAL int wolfSSL_Atomic_Int_FetchAdd(wolfSSL_Atomic_Int* c, int i);
-    WOLFSSL_LOCAL int wolfSSL_Atomic_Int_FetchSub(wolfSSL_Atomic_Int* c, int i);
+    WOLFSSL_API int wolfSSL_Atomic_Int_FetchAdd(wolfSSL_Atomic_Int* c, int i);
+    WOLFSSL_API int wolfSSL_Atomic_Int_FetchSub(wolfSSL_Atomic_Int* c, int i);
+#else
+    /* Code using these fallback macros needs to arrange its own fallback for
+     * wolfSSL_Atomic_Int, which is never defined if
+     * !defined(WOLFSSL_ATOMIC_OPS).  This forces local awareness of
+     * thread-unsafe semantics.
+     */
+    #define wolfSSL_Atomic_Int_Init(c, i) (*(c) = (i))
+    #define wolfSSL_Atomic_Int_FetchAdd(c, i) (*(c) += (i), *(c) - (i))
+    #define wolfSSL_Atomic_Int_FetchSub(c, i) (*(c) -= (i), *(c) + (i))
 #endif
 
 /* Reference counting. */
@@ -374,27 +383,7 @@ typedef struct wolfSSL_Ref {
 #endif
 } wolfSSL_Ref;
 
-#ifdef SINGLE_THREADED
-
-#define wolfSSL_RefInit(ref, err)            \
-    do {                                     \
-        (ref)->count = 1;                    \
-        *(err) = 0;                          \
-    } while(0)
-#define wolfSSL_RefFree(ref) WC_DO_NOTHING
-    #define wolfSSL_RefInc(ref, err)         \
-    do {                                     \
-        (ref)->count++;                      \
-        *(err) = 0;                          \
-    } while(0)
-#define wolfSSL_RefDec(ref, isZero, err)     \
-    do {                                     \
-        (ref)->count--;                      \
-        *(isZero) = ((ref)->count == 0);     \
-        *(err) = 0;                          \
-    } while(0)
-
-#elif defined(WOLFSSL_ATOMIC_OPS)
+#if defined(SINGLE_THREADED) || defined(WOLFSSL_ATOMIC_OPS)
 
 #define wolfSSL_RefInit(ref, err)            \
     do {                                     \