Merge pull request #9189 from misch7/fix-v3.6-issues-9186-and-9188

Fix build of v3.6 (issues #9186 and #9188)

CMakeLists.txt

@@ -204,7 +204,7 @@ if(CMAKE_COMPILER_IS_GNU)
     # note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION
     execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion
                     OUTPUT_VARIABLE GCC_VERSION)
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wmissing-prototypes")
     if (GCC_VERSION VERSION_GREATER 3.0 OR GCC_VERSION VERSION_EQUAL 3.0)
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat=2 -Wno-format-nonliteral")
     endif()
@@ -238,7 +238,7 @@ if(CMAKE_COMPILER_IS_GNU)
 endif(CMAKE_COMPILER_IS_GNU)
 
 if(CMAKE_COMPILER_IS_CLANG)
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wmissing-prototypes -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral")
     set(CMAKE_C_FLAGS_RELEASE     "-O2")
     set(CMAKE_C_FLAGS_DEBUG       "-O0 -g3")
     set(CMAKE_C_FLAGS_COVERAGE    "-O0 -g3 --coverage")

ChangeLog.d/fix-clang-psa-build-without-dhm.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix Clang compilation error when MBEDTLS_USE_PSA_CRYPTO is enabled
+     but MBEDTLS_DHM_C is disabled. Reported by Michael Schuster in #9188.

ChangeLog.d/fix-server-mode-only-build.txt

@@ -0,0 +1,3 @@
+Bugfix
+   * Fix server mode only build when MBEDTLS_SSL_SRV_C is enabled but
+     MBEDTLS_SSL_CLI_C is disabled. Reported by M-Bab on GitHub in #9186.

library/CMakeLists.txt

@@ -201,11 +201,11 @@ else()
 endif()
 
 if(CMAKE_COMPILER_IS_GNUCC)
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations")
 endif(CMAKE_COMPILER_IS_GNUCC)
 
 if(CMAKE_COMPILER_IS_CLANG)
-    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
 endif(CMAKE_COMPILER_IS_CLANG)
 
 if(CMAKE_COMPILER_IS_MSVC)

library/ssl_misc.h

@@ -1507,7 +1507,7 @@ int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
-#if defined(MBEDTLS_SSL_CLI_C)
+#if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
 #endif

library/ssl_tls12_server.c

@@ -3921,7 +3921,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
         psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
         psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
-        uint8_t ecpoint_len;
+        size_t ecpoint_len;
 
         mbedtls_ssl_handshake_params *handshake = ssl->handshake;
 

programs/cipher/cipher_aead_demo.c

@@ -79,7 +79,7 @@ const unsigned char msg2_part2[] = { 0x15, 0x16, 0x17 };
 const unsigned char key_bytes[32] = { 0x2a };
 
 /* Print the contents of a buffer in hex */
-void print_buf(const char *title, unsigned char *buf, size_t len)
+static void print_buf(const char *title, unsigned char *buf, size_t len)
 {
     printf("%s:", title);
     for (size_t i = 0; i < len; i++) {

programs/fuzz/common.h

@@ -23,3 +23,6 @@ int dummy_random(void *p_rng, unsigned char *output, size_t output_len);
 int dummy_entropy(void *data, unsigned char *output, size_t len);
 int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len,
                       uint32_t timeout);
+
+/* Implemented in the fuzz_*.c sources and required by onefile.c */
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);

programs/fuzz/fuzz_pkcs7.c

@@ -1,5 +1,6 @@
 #include <stdint.h>
 #include "mbedtls/pkcs7.h"
+#include "common.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {

programs/fuzz/fuzz_pubkey.c

@@ -1,6 +1,7 @@
 #include <stdint.h>
 #include <stdlib.h>
 #include "mbedtls/pk.h"
+#include "common.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {

programs/fuzz/fuzz_x509crl.c

@@ -1,5 +1,6 @@
 #include <stdint.h>
 #include "mbedtls/x509_crl.h"
+#include "common.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {

programs/fuzz/fuzz_x509crt.c

@@ -1,5 +1,6 @@
 #include <stdint.h>
 #include "mbedtls/x509_crt.h"
+#include "common.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {

programs/fuzz/fuzz_x509csr.c

@@ -1,5 +1,6 @@
 #include <stdint.h>
 #include "mbedtls/x509_csr.h"
+#include "common.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {

programs/fuzz/onefile.c

@@ -1,14 +1,13 @@
 #include <stdint.h>
 #include <stdlib.h>
 #include <stdio.h>
+#include "common.h"
 
 /* This file doesn't use any Mbed TLS function, but grab mbedtls_config.h anyway
  * in case it contains platform-specific #defines related to malloc or
  * stdio functions. */
 #include "mbedtls/build_info.h"
 
-int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
-
 int main(int argc, char **argv)
 {
     FILE *fp;

programs/hash/md_hmac_demo.c

@@ -57,7 +57,7 @@ const unsigned char msg2_part2[] = { 0x06, 0x06 };
 const unsigned char key_bytes[32] = { 0 };
 
 /* Print the contents of a buffer in hex */
-void print_buf(const char *title, unsigned char *buf, size_t len)
+static void print_buf(const char *title, unsigned char *buf, size_t len)
 {
     printf("%s:", title);
     for (size_t i = 0; i < len; i++) {
@@ -87,7 +87,7 @@ void print_buf(const char *title, unsigned char *buf, size_t len)
  * This function demonstrates computation of the HMAC of two messages using
  * the multipart API.
  */
-int hmac_demo(void)
+static int hmac_demo(void)
 {
     int ret;
     const mbedtls_md_type_t alg = MBEDTLS_MD_SHA256;

programs/pkey/gen_key.c

@@ -39,7 +39,7 @@ int main(void)
 
 #define DEV_RANDOM_THRESHOLD        32
 
-int dev_random_entropy_poll(void *data, unsigned char *output,
+static int dev_random_entropy_poll(void *data, unsigned char *output,
                                    size_t len, size_t *olen)
 {
     FILE *file;

programs/psa/aead_demo.c

@@ -82,7 +82,7 @@ const unsigned char msg2_part2[] = { 0x15, 0x16, 0x17 };
 const unsigned char key_bytes[32] = { 0x2a };
 
 /* Print the contents of a buffer in hex */
-void print_buf(const char *title, uint8_t *buf, size_t len)
+static void print_buf(const char *title, uint8_t *buf, size_t len)
 {
     printf("%s:", title);
     for (size_t i = 0; i < len; i++) {

programs/psa/hmac_demo.c

@@ -59,7 +59,7 @@ const unsigned char msg2_part2[] = { 0x06, 0x06 };
 const unsigned char key_bytes[32] = { 0 };
 
 /* Print the contents of a buffer in hex */
-void print_buf(const char *title, uint8_t *buf, size_t len)
+static void print_buf(const char *title, uint8_t *buf, size_t len)
 {
     printf("%s:", title);
     for (size_t i = 0; i < len; i++) {
@@ -90,7 +90,7 @@ void print_buf(const char *title, uint8_t *buf, size_t len)
  * This function demonstrates computation of the HMAC of two messages using
  * the multipart API.
  */
-psa_status_t hmac_demo(void)
+static psa_status_t hmac_demo(void)
 {
     psa_status_t status;
     const psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256);

programs/psa/psa_constant_names.c

@@ -192,7 +192,7 @@ typedef enum {
     TYPE_STATUS,
 } signed_value_type;
 
-int process_signed(signed_value_type type, long min, long max, char **argp)
+static int process_signed(signed_value_type type, long min, long max, char **argp)
 {
     for (; *argp != NULL; argp++) {
         char buffer[200];
@@ -231,7 +231,7 @@ typedef enum {
     TYPE_KEY_USAGE,
 } unsigned_value_type;
 
-int process_unsigned(unsigned_value_type type, unsigned long max, char **argp)
+static int process_unsigned(unsigned_value_type type, unsigned long max, char **argp)
 {
     for (; *argp != NULL; argp++) {
         char buffer[200];

programs/ssl/ssl_client2.c

@@ -597,7 +597,7 @@ static int my_verify(void *data, mbedtls_x509_crt *crt,
 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-int report_cid_usage(mbedtls_ssl_context *ssl,
+static int report_cid_usage(mbedtls_ssl_context *ssl,
                             const char *additional_description)
 {
     int ret;

programs/ssl/ssl_context_info.c

@@ -111,12 +111,12 @@ const char buf_ln_err[] = "Buffer does not have enough data to complete the pars
 /*
  * Basic printing functions
  */
-void print_version(void)
+static void print_version(void)
 {
     printf("%s v%d.%d\n", PROG_NAME, VER_MAJOR, VER_MINOR);
 }
 
-void print_usage(void)
+static void print_usage(void)
 {
     print_version();
     printf("\nThis program is used to deserialize an Mbed TLS SSL session from the base64 code provided\n"
@@ -138,7 +138,7 @@ void print_usage(void)
         );
 }
 
-void printf_dbg(const char *str, ...)
+static void printf_dbg(const char *str, ...)
 {
     if (debug) {
         va_list args;
@@ -151,7 +151,7 @@ void printf_dbg(const char *str, ...)
 }
 
 MBEDTLS_PRINTF_ATTRIBUTE(1, 2)
-void printf_err(const char *str, ...)
+static void printf_err(const char *str, ...)
 {
     va_list args;
     va_start(args, str);
@@ -165,7 +165,7 @@ void printf_err(const char *str, ...)
 /*
  * Exit from the program in case of error
  */
-void error_exit(void)
+static void error_exit(void)
 {
     if (NULL != b64_file) {
         fclose(b64_file);
@@ -176,7 +176,7 @@ void error_exit(void)
 /*
  * This function takes the input arguments of this program
  */
-void parse_arguments(int argc, char *argv[])
+static void parse_arguments(int argc, char *argv[])
 {
     int i = 1;
 
@@ -223,7 +223,7 @@ void parse_arguments(int argc, char *argv[])
 /*
  * This function prints base64 code to the stdout
  */
-void print_b64(const uint8_t *b, size_t len)
+static void print_b64(const uint8_t *b, size_t len)
 {
     size_t i = 0;
     const uint8_t *end = b + len;
@@ -247,7 +247,7 @@ void print_b64(const uint8_t *b, size_t len)
  * /p in_line   number of bytes in one line
  * /p prefix    prefix for the new lines
  */
-void print_hex(const uint8_t *b, size_t len,
+static void print_hex(const uint8_t *b, size_t len,
                       const size_t in_line, const char *prefix)
 {
     size_t i = 0;
@@ -271,7 +271,7 @@ void print_hex(const uint8_t *b, size_t len,
 /*
  *  Print the value of time_t in format e.g. 2020-01-23 13:05:59
  */
-void print_time(const uint64_t *time)
+static void print_time(const uint64_t *time)
 {
 #if defined(MBEDTLS_HAVE_TIME)
     char buf[20];
@@ -292,7 +292,7 @@ void print_time(const uint64_t *time)
 /*
  * Print the input string if the bit is set in the value
  */
-void print_if_bit(const char *str, int bit, int val)
+static void print_if_bit(const char *str, int bit, int val)
 {
     if (bit & val) {
         printf("\t%s\n", str);
@@ -302,7 +302,7 @@ void print_if_bit(const char *str, int bit, int val)
 /*
  * Return pointer to hardcoded "enabled" or "disabled" depending on the input value
  */
-const char *get_enabled_str(int is_en)
+static const char *get_enabled_str(int is_en)
 {
     return (is_en) ? "enabled" : "disabled";
 }
@@ -310,7 +310,7 @@ const char *get_enabled_str(int is_en)
 /*
  * Return pointer to hardcoded MFL string value depending on the MFL code at the input
  */
-const char *get_mfl_str(int mfl_code)
+static const char *get_mfl_str(int mfl_code)
 {
     switch (mfl_code) {
         case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
@@ -343,7 +343,7 @@ const char *get_mfl_str(int mfl_code)
  * \retval      number of bytes written in to the b64 buffer or 0 in case no more
  *              data was found
  */
-size_t read_next_b64_code(uint8_t **b64, size_t *max_len)
+static size_t read_next_b64_code(uint8_t **b64, size_t *max_len)
 {
     int valid_balance = 0;  /* balance between valid and invalid characters */
     size_t len = 0;
@@ -443,7 +443,7 @@ size_t read_next_b64_code(uint8_t **b64, size_t *max_len)
  * /p ssl   pointer to serialized certificate
  * /p len   number of bytes in the buffer
  */
-void print_deserialized_ssl_cert(const uint8_t *ssl, uint32_t len)
+static void print_deserialized_ssl_cert(const uint8_t *ssl, uint32_t len)
 {
     enum { STRLEN = 4096 };
     mbedtls_x509_crt crt;
@@ -509,7 +509,7 @@ void print_deserialized_ssl_cert(const uint8_t *ssl, uint32_t len)
  * /p len               number of bytes in the buffer
  * /p session_cfg_flag  session configuration flags
  */
-void print_deserialized_ssl_session(const uint8_t *ssl, uint32_t len,
+static void print_deserialized_ssl_session(const uint8_t *ssl, uint32_t len,
                                            int session_cfg_flag)
 {
     const struct mbedtls_ssl_ciphersuite_t *ciphersuite_info;
@@ -746,7 +746,7 @@ void print_deserialized_ssl_session(const uint8_t *ssl, uint32_t len,
  * /p ssl   pointer to serialized session
  * /p len   number of bytes in the buffer
  */
-void print_deserialized_ssl_context(const uint8_t *ssl, size_t len)
+static void print_deserialized_ssl_context(const uint8_t *ssl, size_t len)
 {
     const uint8_t *end = ssl + len;
     uint32_t session_len;

programs/ssl/ssl_server2.c

@@ -756,7 +756,7 @@ struct _sni_entry {
     sni_entry *next;
 };
 
-void sni_free(sni_entry *head)
+static void sni_free(sni_entry *head)
 {
     sni_entry *cur = head, *next;
 
@@ -786,7 +786,7 @@ void sni_free(sni_entry *head)
  *
  * Modifies the input string! This is not production quality!
  */
-sni_entry *sni_parse(char *sni_string)
+static sni_entry *sni_parse(char *sni_string)
 {
     sni_entry *cur = NULL, *new = NULL;
     char *p = sni_string;
@@ -878,7 +878,7 @@ error:
 /*
  * SNI callback.
  */
-int sni_callback(void *p_info, mbedtls_ssl_context *ssl,
+static int sni_callback(void *p_info, mbedtls_ssl_context *ssl,
                         const unsigned char *name, size_t name_len)
 {
     const sni_entry *cur = (const sni_entry *) p_info;
@@ -909,7 +909,7 @@ int sni_callback(void *p_info, mbedtls_ssl_context *ssl,
 /*
  * server certificate selection callback.
  */
-int cert_callback(mbedtls_ssl_context *ssl)
+static int cert_callback(mbedtls_ssl_context *ssl)
 {
     const sni_entry *cur = (sni_entry *) mbedtls_ssl_get_user_data_p(ssl);
     if (cur != NULL) {
@@ -954,7 +954,7 @@ struct _psk_entry {
 /*
  * Free a list of psk_entry's
  */
-int psk_free(psk_entry *head)
+static int psk_free(psk_entry *head)
 {
     psk_entry *next;
 
@@ -985,7 +985,7 @@ int psk_free(psk_entry *head)
  *
  * Modifies the input string! This is not production quality!
  */
-psk_entry *psk_parse(char *psk_string)
+static psk_entry *psk_parse(char *psk_string)
 {
     psk_entry *cur = NULL, *new = NULL;
     char *p = psk_string;
@@ -1027,7 +1027,7 @@ error:
 /*
  * PSK callback
  */
-int psk_callback(void *p_info, mbedtls_ssl_context *ssl,
+static int psk_callback(void *p_info, mbedtls_ssl_context *ssl,
                         const unsigned char *name, size_t name_len)
 {
     psk_entry *cur = (psk_entry *) p_info;
@@ -1055,7 +1055,7 @@ static mbedtls_net_context listen_fd, client_fd;
 /* Interruption handler to ensure clean exit (for valgrind testing) */
 #if !defined(_WIN32)
 static int received_sigterm = 0;
-void term_handler(int sig)
+static void term_handler(int sig)
 {
     ((void) sig);
     received_sigterm = 1;
@@ -1105,7 +1105,7 @@ typedef struct {
     void *p_rng;
 } ssl_async_key_context_t;
 
-int ssl_async_set_key(ssl_async_key_context_t *ctx,
+static int ssl_async_set_key(ssl_async_key_context_t *ctx,
                              mbedtls_x509_crt *cert,
                              mbedtls_pk_context *pk,
                              int pk_take_ownership,
@@ -1332,7 +1332,7 @@ static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot,
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-int report_cid_usage(mbedtls_ssl_context *ssl,
+static int report_cid_usage(mbedtls_ssl_context *ssl,
                             const char *additional_description)
 {
     int ret;
@@ -1376,14 +1376,15 @@ int report_cid_usage(mbedtls_ssl_context *ssl,
 }
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 
-#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_HAVE_TIME)
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) && \
+    defined(MBEDTLS_HAVE_TIME)
 static inline void put_unaligned_uint32(void *p, uint32_t x)
 {
     memcpy(p, &x, sizeof(x));
 }
 
 /* Functions for session ticket tests */
-int dummy_ticket_write(void *p_ticket, const mbedtls_ssl_session *session,
+static int dummy_ticket_write(void *p_ticket, const mbedtls_ssl_session *session,
                               unsigned char *start, const unsigned char *end,
                               size_t *tlen, uint32_t *ticket_lifetime)
 {
@@ -1410,7 +1411,7 @@ int dummy_ticket_write(void *p_ticket, const mbedtls_ssl_session *session,
     return 0;
 }
 
-int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
+static int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
                               unsigned char *buf, size_t len)
 {
     int ret;
@@ -1467,9 +1468,9 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
 
     return ret;
 }
-#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_HAVE_TIME */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C && MBEDTLS_HAVE_TIME */
 
-int parse_cipher(char *buf)
+static int parse_cipher(char *buf)
 {
     if (strcmp(buf, "AES-128-CCM")) {
         return MBEDTLS_CIPHER_AES_128_CCM;

programs/ssl/ssl_test_common_source.c

@@ -12,7 +12,7 @@
  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 
-void eap_tls_key_derivation(void *p_expkey,
+static void eap_tls_key_derivation(void *p_expkey,
                                    mbedtls_ssl_key_export_type secret_type,
                                    const unsigned char *secret,
                                    size_t secret_len,
@@ -36,7 +36,7 @@ void eap_tls_key_derivation(void *p_expkey,
     keys->tls_prf_type = tls_prf_type;
 }
 
-void nss_keylog_export(void *p_expkey,
+static void nss_keylog_export(void *p_expkey,
                               mbedtls_ssl_key_export_type secret_type,
                               const unsigned char *secret,
                               size_t secret_len,
@@ -106,7 +106,7 @@ exit:
 }
 
 #if defined(MBEDTLS_SSL_DTLS_SRTP)
-void dtls_srtp_key_derivation(void *p_expkey,
+static void dtls_srtp_key_derivation(void *p_expkey,
                                      mbedtls_ssl_key_export_type secret_type,
                                      const unsigned char *secret,
                                      size_t secret_len,
@@ -131,7 +131,7 @@ void dtls_srtp_key_derivation(void *p_expkey,
 }
 #endif /* MBEDTLS_SSL_DTLS_SRTP */
 
-int ssl_check_record(mbedtls_ssl_context const *ssl,
+static int ssl_check_record(mbedtls_ssl_context const *ssl,
                             unsigned char const *buf, size_t len)
 {
     int my_ret = 0, ret_cr1, ret_cr2;
@@ -195,7 +195,7 @@ cleanup:
     return my_ret;
 }
 
-int recv_cb(void *ctx, unsigned char *buf, size_t len)
+static int recv_cb(void *ctx, unsigned char *buf, size_t len)
 {
     io_ctx_t *io_ctx = (io_ctx_t *) ctx;
     size_t recv_len;
@@ -223,7 +223,7 @@ int recv_cb(void *ctx, unsigned char *buf, size_t len)
     return (int) recv_len;
 }
 
-int recv_timeout_cb(void *ctx, unsigned char *buf, size_t len,
+static int recv_timeout_cb(void *ctx, unsigned char *buf, size_t len,
                            uint32_t timeout)
 {
     io_ctx_t *io_ctx = (io_ctx_t *) ctx;
@@ -248,7 +248,7 @@ int recv_timeout_cb(void *ctx, unsigned char *buf, size_t len,
     return (int) recv_len;
 }
 
-int send_cb(void *ctx, unsigned char const *buf, size_t len)
+static int send_cb(void *ctx, unsigned char const *buf, size_t len)
 {
     io_ctx_t *io_ctx = (io_ctx_t *) ctx;
 
@@ -319,7 +319,7 @@ uint16_t ssl_sig_algs_for_test[] = {
 /** Functionally equivalent to mbedtls_x509_crt_verify_info, see that function
  *  for more info.
  */
-int x509_crt_verify_info(char *buf, size_t size, const char *prefix,
+static int x509_crt_verify_info(char *buf, size_t size, const char *prefix,
                                 uint32_t flags)
 {
 #if !defined(MBEDTLS_X509_REMOVE_INFO)
@@ -352,7 +352,8 @@ int x509_crt_verify_info(char *buf, size_t size, const char *prefix,
 }
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
-void mbedtls_print_supported_sig_algs(void)
+#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
+static void mbedtls_print_supported_sig_algs(void)
 {
     mbedtls_printf("supported signature algorithms:\n");
     mbedtls_printf("\trsa_pkcs1_sha256 ");
@@ -373,3 +374,4 @@ void mbedtls_print_supported_sig_algs(void)
     mbedtls_printf("ecdsa_sha1\n");
     mbedtls_printf("\n");
 }
+#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */

programs/test/metatest.c

@@ -76,13 +76,13 @@ void(*volatile do_nothing_with_object_but_the_compiler_does_not_know)(void *) =
 /* Test framework features */
 /****************************************************************/
 
-void meta_test_fail(const char *name)
+static void meta_test_fail(const char *name)
 {
     (void) name;
     mbedtls_test_fail("Forced test failure", __LINE__, __FILE__);
 }
 
-void meta_test_not_equal(const char *name)
+static void meta_test_not_equal(const char *name)
 {
     int left = 20;
     int right = 10;
@@ -94,7 +94,7 @@ exit:
     ;
 }
 
-void meta_test_not_le_s(const char *name)
+static void meta_test_not_le_s(const char *name)
 {
     int left = 20;
     int right = 10;
@@ -106,7 +106,7 @@ exit:
     ;
 }
 
-void meta_test_not_le_u(const char *name)
+static void meta_test_not_le_u(const char *name)
 {
     size_t left = 20;
     size_t right = 10;
@@ -122,16 +122,16 @@ exit:
 /* Platform features */
 /****************************************************************/
 
-void null_pointer_dereference(const char *name)
+static void null_pointer_dereference(const char *name)
 {
     (void) name;
     volatile char *volatile p;
     set_to_zero_but_the_compiler_does_not_know(&p, sizeof(p));
     /* Undefined behavior (read from null data pointer) */
-    mbedtls_printf("%p -> %u\n", p, (unsigned) *p);
+    mbedtls_printf("%p -> %u\n", (void *) p, (unsigned) *p);
 }
 
-void null_pointer_call(const char *name)
+static void null_pointer_call(const char *name)
 {
     (void) name;
     unsigned(*volatile p)(void);
@@ -148,7 +148,7 @@ void null_pointer_call(const char *name)
 /* Memory */
 /****************************************************************/
 
-void read_after_free(const char *name)
+static void read_after_free(const char *name)
 {
     (void) name;
     volatile char *p = calloc_but_the_compiler_does_not_know(1, 1);
@@ -158,7 +158,7 @@ void read_after_free(const char *name)
     mbedtls_printf("%u\n", (unsigned) *p);
 }
 
-void double_free(const char *name)
+static void double_free(const char *name)
 {
     (void) name;
     volatile char *p = calloc_but_the_compiler_does_not_know(1, 1);
@@ -168,7 +168,7 @@ void double_free(const char *name)
     free_but_the_compiler_does_not_know((void *) p);
 }
 
-void read_uninitialized_stack(const char *name)
+static void read_uninitialized_stack(const char *name)
 {
     (void) name;
     char buf[1];
@@ -182,7 +182,7 @@ void read_uninitialized_stack(const char *name)
     }
 }
 
-void memory_leak(const char *name)
+static void memory_leak(const char *name)
 {
     (void) name;
     volatile char *p = calloc_but_the_compiler_does_not_know(1, 1);
@@ -196,7 +196,7 @@ void memory_leak(const char *name)
  * %(start), %(offset) and %(count) are decimal integers.
  * %(direction) is either the character 'r' for read or 'w' for write.
  */
-void test_memory_poison(const char *name)
+static void test_memory_poison(const char *name)
 {
     size_t start = 0, offset = 0, count = 0;
     char direction = 'r';
@@ -254,7 +254,7 @@ void test_memory_poison(const char *name)
 /* Threading */
 /****************************************************************/
 
-void mutex_lock_not_initialized(const char *name)
+static void mutex_lock_not_initialized(const char *name)
 {
     (void) name;
 #if defined(MBEDTLS_THREADING_C)
@@ -270,7 +270,7 @@ exit:
 #endif
 }
 
-void mutex_unlock_not_initialized(const char *name)
+static void mutex_unlock_not_initialized(const char *name)
 {
     (void) name;
 #if defined(MBEDTLS_THREADING_C)
@@ -286,7 +286,7 @@ exit:
 #endif
 }
 
-void mutex_free_not_initialized(const char *name)
+static void mutex_free_not_initialized(const char *name)
 {
     (void) name;
 #if defined(MBEDTLS_THREADING_C)
@@ -300,7 +300,7 @@ void mutex_free_not_initialized(const char *name)
 #endif
 }
 
-void mutex_double_init(const char *name)
+static void mutex_double_init(const char *name)
 {
     (void) name;
 #if defined(MBEDTLS_THREADING_C)
@@ -315,7 +315,7 @@ void mutex_double_init(const char *name)
 #endif
 }
 
-void mutex_double_free(const char *name)
+static void mutex_double_free(const char *name)
 {
     (void) name;
 #if defined(MBEDTLS_THREADING_C)
@@ -330,7 +330,7 @@ void mutex_double_free(const char *name)
 #endif
 }
 
-void mutex_leak(const char *name)
+static void mutex_leak(const char *name)
 {
     (void) name;
 #if defined(MBEDTLS_THREADING_C)

programs/test/selftest.c

@@ -241,7 +241,7 @@ static void create_entropy_seed_file(void)
 }
 #endif
 
-int mbedtls_entropy_self_test_wrapper(int verbose)
+static int mbedtls_entropy_self_test_wrapper(int verbose)
 {
 #if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
     create_entropy_seed_file();
@@ -252,7 +252,7 @@ int mbedtls_entropy_self_test_wrapper(int verbose)
 
 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
-int mbedtls_memory_buffer_alloc_free_and_self_test(int verbose)
+static int mbedtls_memory_buffer_alloc_free_and_self_test(int verbose)
 {
     if (verbose != 0) {
 #if defined(MBEDTLS_MEMORY_DEBUG)

programs/test/udp_proxy.c

@@ -483,7 +483,7 @@ typedef struct {
 } packet;
 
 /* Print packet. Outgoing packets come with a reason (forward, dupl, etc.) */
-void print_packet(const packet *p, const char *why)
+static void print_packet(const packet *p, const char *why)
 {
 #if defined(MBEDTLS_TIMING_C)
     if (why == NULL) {
@@ -527,7 +527,7 @@ typedef enum {
 static inject_clihlo_state_t inject_clihlo_state;
 static packet initial_clihlo;
 
-int send_packet(const packet *p, const char *why)
+static int send_packet(const packet *p, const char *why)
 {
     int ret;
     mbedtls_net_context *dst = p->dst;
@@ -616,13 +616,13 @@ int send_packet(const packet *p, const char *why)
 static size_t prev_len;
 static packet prev[MAX_DELAYED_MSG];
 
-void clear_pending(void)
+static void clear_pending(void)
 {
     memset(&prev, 0, sizeof(prev));
     prev_len = 0;
 }
 
-void delay_packet(packet *delay)
+static void delay_packet(packet *delay)
 {
     if (prev_len == MAX_DELAYED_MSG) {
         return;
@@ -631,7 +631,7 @@ void delay_packet(packet *delay)
     memcpy(&prev[prev_len++], delay, sizeof(packet));
 }
 
-int send_delayed(void)
+static int send_delayed(void)
 {
     uint8_t offset;
     int ret;
@@ -663,7 +663,7 @@ int send_delayed(void)
 static unsigned char held[2048] = { 0 };
 #define HOLD_MAX 2
 
-int handle_message(const char *way,
+static int handle_message(const char *way,
                           mbedtls_net_context *dst,
                           mbedtls_net_context *src)
 {

programs/test/zeroize.c

@@ -23,7 +23,7 @@
 
 #define BUFFER_LEN 1024
 
-void usage(void)
+static void usage(void)
 {
     mbedtls_printf("Zeroize is a simple program to assist with testing\n");
     mbedtls_printf("the mbedtls_platform_zeroize() function by using the\n");

programs/util/pem2der.c

@@ -45,7 +45,7 @@ struct options {
     const char *output_file;    /* where to store the output              */
 } opt;
 
-int convert_pem_to_der(const unsigned char *input, size_t ilen,
+static int convert_pem_to_der(const unsigned char *input, size_t ilen,
                               unsigned char *output, size_t *olen)
 {
     int ret;

programs/x509/cert_req.c

@@ -107,7 +107,7 @@ struct options {
     mbedtls_md_type_t md_alg;         /* Hash algorithm used for signature.       */
 } opt;
 
-int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file,
+static int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file,
                                      int (*f_rng)(void *, unsigned char *, size_t),
                                      void *p_rng)
 {

programs/x509/cert_write.c

@@ -204,7 +204,7 @@ struct options {
     int format;                 /* format                               */
 } opt;
 
-int write_certificate(mbedtls_x509write_cert *crt, const char *output_file,
+static int write_certificate(mbedtls_x509write_cert *crt, const char *output_file,
                              int (*f_rng)(void *, unsigned char *, size_t),
                              void *p_rng)
 {
@@ -249,7 +249,7 @@ int write_certificate(mbedtls_x509write_cert *crt, const char *output_file,
     return 0;
 }
 
-int parse_serial_decimal_format(unsigned char *obuf, size_t obufmax,
+static int parse_serial_decimal_format(unsigned char *obuf, size_t obufmax,
                                        const char *ibuf, size_t *len)
 {
     unsigned long long int dec;

programs/x509/load_roots.c

@@ -48,7 +48,7 @@ struct options {
 } opt;
 
 
-int read_certificates(const char *const *filenames)
+static int read_certificates(const char *const *filenames)
 {
     mbedtls_x509_crt cas;
     int ret = 0;

tests/scripts/components-configuration-tls.sh

@@ -244,14 +244,14 @@ component_build_no_ssl_srv () {
     msg "build: full config except SSL server, make, gcc" # ~ 30s
     scripts/config.py full
     scripts/config.py unset MBEDTLS_SSL_SRV_C
-    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -Wmissing-prototypes'
 }
 
 component_build_no_ssl_cli () {
     msg "build: full config except SSL client, make, gcc" # ~ 30s
     scripts/config.py full
     scripts/config.py unset MBEDTLS_SSL_CLI_C
-    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -Wmissing-prototypes'
 }
 
 component_test_no_max_fragment_length () {

tests/src/asn1_helpers.c

@@ -15,6 +15,8 @@
 
 #include <mbedtls/asn1.h>
 
+#include <test/asn1_helpers.h>
+
 int mbedtls_test_asn1_skip_integer(unsigned char **p, const unsigned char *end,
                                    size_t min_bits, size_t max_bits,
                                    int must_be_odd)

tests/src/drivers/platform_builtin_keys.c

@@ -10,6 +10,8 @@
 
 #include <test/helpers.h>
 
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+
 #include <psa/crypto.h>
 #include <psa/crypto_extra.h>
 
@@ -76,3 +78,5 @@ psa_status_t mbedtls_psa_platform_get_builtin_key(
 
     return PSA_ERROR_DOES_NOT_EXIST;
 }
+
+#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */

tests/src/psa_memory_poisoning_wrappers.c

@@ -4,7 +4,8 @@
  *  Copyright The Mbed TLS Contributors
  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
-#include "test/memory.h"
+#include <test/memory.h>
+#include <test/psa_memory_poisoning_wrappers.h>
 
 #include "psa_crypto_invasive.h"
 

tests/src/test_helpers/ssl_helpers.c

@@ -950,7 +950,7 @@ int mbedtls_test_move_handshake_to_state(mbedtls_ssl_context *ssl,
 /*
  * Write application data. Increase write counter if necessary.
  */
-int mbedtls_ssl_write_fragment(mbedtls_ssl_context *ssl,
+static int mbedtls_ssl_write_fragment(mbedtls_ssl_context *ssl,
                                       unsigned char *buf, int buf_len,
                                       int *written,
                                       const int expected_fragments)
@@ -997,7 +997,7 @@ exit:
  * Read application data and increase read counter and fragments counter
  * if necessary.
  */
-int mbedtls_ssl_read_fragment(mbedtls_ssl_context *ssl,
+static int mbedtls_ssl_read_fragment(mbedtls_ssl_context *ssl,
                                      unsigned char *buf, int buf_len,
                                      int *read, int *fragments,
                                      const int expected_fragments)

tests/suites/test_suite_debug.function

@@ -9,7 +9,7 @@ struct buffer_data {
     char *ptr;
 };
 
-void string_debug(void *data, int level, const char *file, int line, const char *str)
+static void string_debug(void *data, int level, const char *file, int line, const char *str)
 {
     struct buffer_data *buffer = (struct buffer_data *) data;
     char *p = buffer->ptr;

tests/suites/test_suite_pkcs7.function

@@ -17,7 +17,7 @@
  * END_DEPENDENCIES
  */
 /* BEGIN_SUITE_HELPERS */
-int pkcs7_parse_buffer(unsigned char *pkcs7_buf, int buflen)
+static int pkcs7_parse_buffer(unsigned char *pkcs7_buf, int buflen)
 {
     int res;
     mbedtls_pkcs7 pkcs7;

tests/suites/test_suite_x509parse.function

@@ -60,7 +60,10 @@ const mbedtls_x509_crt_profile profile_sha512 =
     1024,
 };
 
-int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+#if defined(MBEDTLS_FS_IO)
+static int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
 {
     ((void) data);
     ((void) crt);
@@ -70,7 +73,7 @@ int verify_none(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32
     return 0;
 }
 
-int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
+static int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
 {
     ((void) data);
     ((void) crt);
@@ -80,8 +83,10 @@ int verify_all(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_
     return 0;
 }
 
-#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+#if defined(MBEDTLS_X509_CRL_PARSE_C) && \
-int ca_callback_fail(void *data, mbedtls_x509_crt const *child, mbedtls_x509_crt **candidates)
+    defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+static int ca_callback_fail(void *data, mbedtls_x509_crt const *child,
+                            mbedtls_x509_crt **candidates)
 {
     ((void) data);
     ((void) child);
@@ -89,8 +94,8 @@ int ca_callback_fail(void *data, mbedtls_x509_crt const *child, mbedtls_x509_crt
 
     return -1;
 }
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+
-int ca_callback(void *data, mbedtls_x509_crt const *child,
+static int ca_callback(void *data, mbedtls_x509_crt const *child,
                        mbedtls_x509_crt **candidates)
 {
     int ret = 0;
@@ -138,10 +143,9 @@ exit:
     *candidates = first;
     return ret;
 }
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRL_PARSE_C && MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
-#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
 
-int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
+static int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
 {
     int *levels = (int *) data;
 
@@ -158,7 +162,7 @@ int verify_fatal(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint3
 }
 
 /* strsep() not available on Windows */
-char *mystrsep(char **stringp, const char *delim)
+static char *mystrsep(char **stringp, const char *delim)
 {
     const char *p;
     char *ret = *stringp;
@@ -186,19 +190,18 @@ done:
     return ret;
 }
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
 typedef struct {
     char buf[512];
     char *p;
 } verify_print_context;
 
-void verify_print_init(verify_print_context *ctx)
+static void verify_print_init(verify_print_context *ctx)
 {
     memset(ctx, 0, sizeof(verify_print_context));
     ctx->p = ctx->buf;
 }
 
-int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
+static int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
 {
     int ret;
     verify_print_context *ctx = (verify_print_context *) data;
@@ -226,7 +229,7 @@ int verify_print(void *data, mbedtls_x509_crt *crt, int certificate_depth, uint3
     return 0;
 }
 
-int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
+static int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
                             char **buf, size_t *size)
 {
     int ret;
@@ -316,8 +319,9 @@ int verify_parse_san(mbedtls_x509_subject_alternative_name *san,
 
     return 0;
 }
+#endif /* MBEDTLS_FS_IO */
 
-int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid,
+static int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf const *oid,
                             int critical, const unsigned char *cp, const unsigned char *end)
 {
     (void) crt;
@@ -416,9 +420,14 @@ int parse_crt_ext_cb(void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf
 }
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
-#if defined(MBEDTLS_X509_CSR_PARSE_C)
+#if defined(MBEDTLS_X509_CSR_PARSE_C) && \
-int parse_csr_ext_accept_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid,
+    !defined(MBEDTLS_X509_REMOVE_INFO)
-                            int critical, const unsigned char *cp, const unsigned char *end)
+static int parse_csr_ext_accept_cb(void *p_ctx,
+                                   mbedtls_x509_csr const *csr,
+                                   mbedtls_x509_buf const *oid,
+                                   int critical,
+                                   const unsigned char *cp,
+                                   const unsigned char *end)
 {
     (void) p_ctx;
     (void) csr;
@@ -430,8 +439,12 @@ int parse_csr_ext_accept_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x5
     return 0;
 }
 
-int parse_csr_ext_reject_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x509_buf const *oid,
+static int parse_csr_ext_reject_cb(void *p_ctx,
-                            int critical, const unsigned char *cp, const unsigned char *end)
+                                   mbedtls_x509_csr const *csr,
+                                   mbedtls_x509_buf const *oid,
+                                   int critical,
+                                   const unsigned char *cp,
+                                   const unsigned char *end)
 {
     (void) p_ctx;
     (void) csr;
@@ -443,7 +456,7 @@ int parse_csr_ext_reject_cb(void *p_ctx, mbedtls_x509_csr const *csr, mbedtls_x5
     return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
                              MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
 }
-#endif /* MBEDTLS_X509_CSR_PARSE_C */
+#endif /* MBEDTLS_X509_CSR_PARSE_C && !MBEDTLS_X509_REMOVE_INFO */
 /* END_HEADER */
 
 /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */

tests/suites/test_suite_x509write.function

@@ -10,15 +10,19 @@
 #include "mbedtls/pk.h"
 #include "mbedtls/psa_util.h"
 
-#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_PEM_WRITE_C) && \
-int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
+    defined(MBEDTLS_X509_CRT_WRITE_C) && \
+    defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_MD_CAN_SHA1) && \
+    defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+static int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
                                     const unsigned char *input, unsigned char *output,
                                     size_t output_max_len)
 {
     return mbedtls_rsa_pkcs1_decrypt((mbedtls_rsa_context *) ctx, NULL, NULL,
                                      olen, input, output, output_max_len);
 }
-int mbedtls_rsa_sign_func(void *ctx,
+static int mbedtls_rsa_sign_func(void *ctx,
                                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
                                  mbedtls_md_type_t md_alg, unsigned int hashlen,
                                  const unsigned char *hash, unsigned char *sig)
@@ -26,11 +30,11 @@ int mbedtls_rsa_sign_func(void *ctx,
     return mbedtls_rsa_pkcs1_sign((mbedtls_rsa_context *) ctx, f_rng, p_rng,
                                   md_alg, hashlen, hash, sig);
 }
-size_t mbedtls_rsa_key_len_func(void *ctx)
+static size_t mbedtls_rsa_key_len_func(void *ctx)
 {
     return ((const mbedtls_rsa_context *) ctx)->len;
 }
-#endif /* MBEDTLS_RSA_C */
+#endif
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
     defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C)

tf-psa-crypto/tests/suites/host_test.function

@@ -8,7 +8,7 @@
  *
  * \return      0 if success else 1
  */
-int verify_string(char **str)
+static int verify_string(char **str)
 {
     if ((*str)[0] != '"' ||
         (*str)[strlen(*str) - 1] != '"') {
@@ -32,7 +32,7 @@ int verify_string(char **str)
  *
  * \return      0 if success else 1
  */
-int verify_int(char *str, intmax_t *p_value)
+static int verify_int(char *str, intmax_t *p_value)
 {
     char *end = NULL;
     errno = 0;
@@ -80,7 +80,7 @@ int verify_int(char *str, intmax_t *p_value)
  *
  * \return      0 if success else -1
  */
-int get_line(FILE *f, char *buf, size_t len)
+static int get_line(FILE *f, char *buf, size_t len)
 {
     char *ret;
     int i = 0, str_len = 0, has_string = 0;
@@ -485,7 +485,7 @@ static void try_chdir_if_supported(const char *argv0)
  *
  * \return      Program exit status.
  */
-int execute_tests(int argc, const char **argv)
+static int execute_tests(int argc, const char **argv)
 {
     /* Local Configurations and options */
     const char *default_filename = "DATA_FILE";

tf-psa-crypto/tests/suites/main_test.function

@@ -69,7 +69,7 @@ __MBEDTLS_TEST_TEMPLATE__FUNCTIONS_CODE
  *
  * \return       0 if exp_id is found. 1 otherwise.
  */
-int get_expression(int32_t exp_id, intmax_t *out_value)
+static int get_expression(int32_t exp_id, intmax_t *out_value)
 {
     int ret = KEY_VALUE_MAPPING_FOUND;
 
@@ -100,7 +100,7 @@ int get_expression(int32_t exp_id, intmax_t *out_value)
  *
  * \return       DEPENDENCY_SUPPORTED if set else DEPENDENCY_NOT_SUPPORTED
  */
-int dep_check(int dep_id)
+static int dep_check(int dep_id)
 {
     int ret = DEPENDENCY_NOT_SUPPORTED;
 
@@ -155,7 +155,7 @@ TestWrapper_t test_funcs[] =
  *               DISPATCH_TEST_FN_NOT_FOUND if not found
  *               DISPATCH_UNSUPPORTED_SUITE if not compile time enabled.
  */
-int dispatch_test(size_t func_idx, void **params)
+static int dispatch_test(size_t func_idx, void **params)
 {
     int ret = DISPATCH_TEST_SUCCESS;
     TestWrapper_t fp = NULL;
@@ -193,7 +193,7 @@ int dispatch_test(size_t func_idx, void **params)
  *               DISPATCH_TEST_FN_NOT_FOUND if not found
  *               DISPATCH_UNSUPPORTED_SUITE if not compile time enabled.
  */
-int check_test(size_t func_idx)
+static int check_test(size_t func_idx)
 {
     int ret = DISPATCH_TEST_SUCCESS;
     TestWrapper_t fp = NULL;

tf-psa-crypto/tests/suites/test_suite_alignment.function

@@ -10,7 +10,7 @@
 /*
  * Convert a string of the form "abcd" (case-insensitive) to a uint64_t.
  */
-int parse_hex_string(char *hex_string, uint64_t *result)
+static int parse_hex_string(char *hex_string, uint64_t *result)
 {
     uint8_t raw[8] = { 0 };
     size_t olen;

tf-psa-crypto/tests/suites/test_suite_asn1parse.function

@@ -122,7 +122,7 @@ exit:
     return ERR_PARSE_INCONSISTENCY;
 }
 
-int get_len_step(const data_t *input, size_t buffer_size,
+static int get_len_step(const data_t *input, size_t buffer_size,
                         size_t actual_length)
 {
     unsigned char *buf = NULL;

tf-psa-crypto/tests/suites/test_suite_asn1write.function

@@ -12,7 +12,7 @@ typedef struct {
     size_t size;
 } generic_write_data_t;
 
-int generic_write_start_step(generic_write_data_t *data)
+static int generic_write_start_step(generic_write_data_t *data)
 {
     mbedtls_test_set_step(data->size);
     mbedtls_free(data->output);
@@ -26,7 +26,7 @@ exit:
     return 0;
 }
 
-int generic_write_finish_step(generic_write_data_t *data,
+static int generic_write_finish_step(generic_write_data_t *data,
                                      const data_t *expected, int ret)
 {
     int ok = 0;

tf-psa-crypto/tests/suites/test_suite_bignum.function

@@ -32,6 +32,7 @@ static int sign_is_valid(const mbedtls_mpi *X)
     return 1;
 }
 
+#if defined(MBEDTLS_GENPRIME)
 typedef struct mbedtls_test_mpi_random {
     data_t *data;
     size_t  pos;
@@ -44,7 +45,7 @@ typedef struct mbedtls_test_mpi_random {
  * test) are stored in the data member of the state structure. Each number is in
  * the format that mbedtls_mpi_read_string understands and is chunk_len long.
  */
-int mbedtls_test_mpi_miller_rabin_determinizer(void *state,
+static int mbedtls_test_mpi_miller_rabin_determinizer(void *state,
                                                       unsigned char *buf,
                                                       size_t len)
 {
@@ -73,6 +74,7 @@ int mbedtls_test_mpi_miller_rabin_determinizer(void *state,
 
     return 0;
 }
+#endif /* MBEDTLS_GENPRIME */
 
 /* Random generator that is told how many bytes to return. */
 static int f_rng_bytes_left(void *state, unsigned char *buf, size_t len)

tf-psa-crypto/tests/suites/test_suite_cipher.function

@@ -129,7 +129,7 @@ exit:
  * return   1 if it is,
  *          0 if it isn't.
  */
-int buffer_is_all_zero(const uint8_t *buf, size_t size)
+static int buffer_is_all_zero(const uint8_t *buf, size_t size)
 {
     for (size_t i = 0; i < size; i++) {
         if (buf[i] != 0) {

tf-psa-crypto/tests/suites/test_suite_common.function

@@ -1,7 +1,11 @@
 /* BEGIN_HEADER */
 #include "common.h"
 
-void fill_arrays(unsigned char *a, unsigned char *b, unsigned char *r1, unsigned char *r2, size_t n)
+static void fill_arrays(unsigned char *a,
+                        unsigned char *b,
+                        unsigned char *r1,
+                        unsigned char *r2,
+                        size_t n)
 {
     for (size_t i = 0; i < n; i++) {
         a[i]  = (unsigned char) i * 3;

tf-psa-crypto/tests/suites/test_suite_ctr_drbg.function

@@ -96,6 +96,7 @@ exit:
 }
 
 static const int thread_random_reps = 10;
+void *thread_random_function(void *ctx); /* only used conditionally in ctr_drbg_threads */
 void *thread_random_function(void *ctx)
 {
     unsigned char out[16];

tf-psa-crypto/tests/suites/test_suite_dhm.function

@@ -1,7 +1,7 @@
 /* BEGIN_HEADER */
 #include "mbedtls/dhm.h"
 
-int check_get_value(const mbedtls_dhm_context *ctx,
+static int check_get_value(const mbedtls_dhm_context *ctx,
                            mbedtls_dhm_parameter param,
                            const mbedtls_mpi *expected)
 {

tf-psa-crypto/tests/suites/test_suite_entropy.function

@@ -60,12 +60,14 @@ static void entropy_clear_sources(mbedtls_entropy_context *ctx)
 }
 
 #if defined(MBEDTLS_ENTROPY_NV_SEED)
+
+#if defined(MBEDTLS_MD_LIGHT) && defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
 /*
  * NV seed read/write functions that use a buffer instead of a file
  */
 static unsigned char buffer_seed[MBEDTLS_ENTROPY_BLOCK_SIZE];
 
-int buffer_nv_seed_read(unsigned char *buf, size_t buf_len)
+static int buffer_nv_seed_read(unsigned char *buf, size_t buf_len)
 {
     if (buf_len != MBEDTLS_ENTROPY_BLOCK_SIZE) {
         return -1;
@@ -75,7 +77,7 @@ int buffer_nv_seed_read(unsigned char *buf, size_t buf_len)
     return 0;
 }
 
-int buffer_nv_seed_write(unsigned char *buf, size_t buf_len)
+static int buffer_nv_seed_write(unsigned char *buf, size_t buf_len)
 {
     if (buf_len != MBEDTLS_ENTROPY_BLOCK_SIZE) {
         return -1;
@@ -84,7 +86,9 @@ int buffer_nv_seed_write(unsigned char *buf, size_t buf_len)
     memcpy(buffer_seed, buf, MBEDTLS_ENTROPY_BLOCK_SIZE);
     return 0;
 }
+#endif /* MBEDTLS_MD_LIGHT && MBEDTLS_PLATFORM_NV_SEED_ALT */
 
+#if defined(MBEDTLS_FS_IO)
 /*
  * NV seed read/write helpers that fill the base seedfile
  */
@@ -111,7 +115,8 @@ static int write_nv_seed(unsigned char *buf, size_t buf_len)
     return 0;
 }
 
-int read_nv_seed(unsigned char *buf, size_t buf_len)
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+static int read_nv_seed(unsigned char *buf, size_t buf_len)
 {
     FILE *f;
 
@@ -133,6 +138,8 @@ int read_nv_seed(unsigned char *buf, size_t buf_len)
 
     return 0;
 }
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#endif /* MBEDTLS_FS_IO */
 #endif /* MBEDTLS_ENTROPY_NV_SEED */
 /* END_HEADER */
 

tf-psa-crypto/tests/suites/test_suite_lmots.function

@@ -2,8 +2,8 @@
 #include "lmots.h"
 #include "mbedtls/lms.h"
 
-#if defined(MBEDTLS_TEST_HOOKS)
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_LMS_PRIVATE)
-int check_lmots_private_key_for_leak(unsigned char *sig)
+static int check_lmots_private_key_for_leak(unsigned char *sig)
 {
     size_t idx;
 
@@ -18,7 +18,7 @@ int check_lmots_private_key_for_leak(unsigned char *sig)
 exit:
     return -1;
 }
-#endif /* defined(MBEDTLS_TEST_HOOKS) */
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_LMS_PRIVATE */
 
 /* END_HEADER */
 

tf-psa-crypto/tests/suites/test_suite_pk.function

@@ -221,7 +221,7 @@ exit:
 }
 
 #if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
-psa_status_t pk_psa_import_key(const unsigned char *key_data, size_t key_len,
+static psa_status_t pk_psa_import_key(const unsigned char *key_data, size_t key_len,
                                       psa_key_type_t type, psa_key_usage_t usage,
                                       psa_algorithm_t alg, mbedtls_svc_key_id_t *key)
 {
@@ -320,7 +320,7 @@ exit:
  *                              for volatile keys.
  * \param[out] key              Identifier of the "generated" (actually imported) PSA key.
  */
-psa_status_t pk_psa_setup(psa_key_type_t type, size_t bits,
+static psa_status_t pk_psa_setup(psa_key_type_t type, size_t bits,
                                  psa_key_usage_t usage, psa_algorithm_t alg,
                                  psa_algorithm_t enrollment_alg,
                                  mbedtls_svc_key_id_t persistent_key_id,
@@ -467,8 +467,8 @@ exit:
 }
 #endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
 
-#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
-int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
+static int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
                                     const unsigned char *input, unsigned char *output,
                                     size_t output_max_len)
 {
@@ -476,7 +476,7 @@ int mbedtls_rsa_decrypt_func(void *ctx, size_t *olen,
                                      mbedtls_test_rnd_std_rand, NULL,
                                      olen, input, output, output_max_len);
 }
-int mbedtls_rsa_sign_func(void *ctx,
+static int mbedtls_rsa_sign_func(void *ctx,
                                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
                                  mbedtls_md_type_t md_alg, unsigned int hashlen,
                                  const unsigned char *hash, unsigned char *sig)
@@ -487,11 +487,11 @@ int mbedtls_rsa_sign_func(void *ctx,
                                   mbedtls_test_rnd_std_rand, NULL,
                                   md_alg, hashlen, hash, sig);
 }
-size_t mbedtls_rsa_key_len_func(void *ctx)
+static size_t mbedtls_rsa_key_len_func(void *ctx)
 {
     return ((const mbedtls_rsa_context *) ctx)->len;
 }
-#endif /* MBEDTLS_RSA_C */
+#endif /* MBEDTLS_RSA_C && MBEDTLS_PK_RSA_ALT_SUPPORT */
 
 typedef enum {
     /* The values are compatible with thinking of "from pair" as a boolean. */
@@ -618,7 +618,7 @@ exit:
 
 /* Create a copy of a PSA key with same usage and algorithm policy and destroy
  * the original one. */
-mbedtls_svc_key_id_t psa_copy_and_destroy(mbedtls_svc_key_id_t orig_key_id)
+static mbedtls_svc_key_id_t psa_copy_and_destroy(mbedtls_svc_key_id_t orig_key_id)
 {
     psa_key_attributes_t orig_attr = PSA_KEY_ATTRIBUTES_INIT;
     psa_key_attributes_t new_attr = PSA_KEY_ATTRIBUTES_INIT;

tf-psa-crypto/tests/suites/test_suite_platform.function

@@ -18,7 +18,7 @@
 #else
 #include <unistd.h>
 #endif
-void sleep_ms(int milliseconds)
+static void sleep_ms(int milliseconds)
 {
 #if defined(_WIN32) || defined(WIN32) || defined(__CYGWIN__) || \
     defined(__MINGW32__) || defined(_WIN64)

tf-psa-crypto/tests/suites/test_suite_psa_crypto.function

@@ -39,28 +39,6 @@
 #define ASSERT_OPERATION_IS_ACTIVE(operation) TEST_ASSERT(operation.id != 0)
 #define ASSERT_OPERATION_IS_INACTIVE(operation) TEST_ASSERT(operation.id == 0)
 
-#if defined(PSA_WANT_ALG_JPAKE)
-int ecjpake_operation_setup(psa_pake_operation_t *operation,
-                            psa_pake_cipher_suite_t *cipher_suite,
-                            psa_pake_role_t role,
-                            mbedtls_svc_key_id_t key,
-                            size_t key_available)
-{
-    PSA_ASSERT(psa_pake_abort(operation));
-
-    PSA_ASSERT(psa_pake_setup(operation, cipher_suite));
-
-    PSA_ASSERT(psa_pake_set_role(operation, role));
-
-    if (key_available) {
-        PSA_ASSERT(psa_pake_set_password_key(operation, key));
-    }
-    return 0;
-exit:
-    return 1;
-}
-#endif
-
 /** An invalid export length that will never be set by psa_export_key(). */
 static const size_t INVALID_EXPORT_LENGTH = ~0U;
 
@@ -175,7 +153,7 @@ static int construct_fake_rsa_key(unsigned char *buffer,
 }
 #endif /* MBEDTLS_ASN1_WRITE_C */
 
-int exercise_mac_setup(psa_key_type_t key_type,
+static int exercise_mac_setup(psa_key_type_t key_type,
                               const unsigned char *key_bytes,
                               size_t key_length,
                               psa_algorithm_t alg,
@@ -207,7 +185,7 @@ exit:
     return 0;
 }
 
-int exercise_cipher_setup(psa_key_type_t key_type,
+static int exercise_cipher_setup(psa_key_type_t key_type,
                                  const unsigned char *key_bytes,
                                  size_t key_length,
                                  psa_algorithm_t alg,
@@ -1314,6 +1292,7 @@ exit:
 
 #if defined(MBEDTLS_THREADING_PTHREAD)
 
+#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
 typedef struct same_key_context {
     data_t *data;
     mbedtls_svc_key_id_t key;
@@ -1330,7 +1309,7 @@ same_key_context;
 /* Attempt to import the key in ctx. This handles any valid error codes
  * and reports an error for any invalid codes. This function also insures
  * that once imported by some thread, all threads can use the key. */
-void *thread_import_key(void *ctx)
+static void *thread_import_key(void *ctx)
 {
     mbedtls_svc_key_id_t returned_key_id;
     same_key_context *skc = (struct same_key_context *) ctx;
@@ -1404,7 +1383,7 @@ exit:
     return NULL;
 }
 
-void *thread_use_and_destroy_key(void *ctx)
+static void *thread_use_and_destroy_key(void *ctx)
 {
     same_key_context *skc = (struct same_key_context *) ctx;
 
@@ -1432,6 +1411,7 @@ void *thread_use_and_destroy_key(void *ctx)
 exit:
     return NULL;
 }
+#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
 
 typedef struct generate_key_context {
     psa_key_type_t type;
@@ -1444,7 +1424,7 @@ typedef struct generate_key_context {
     int reps;
 }
 generate_key_context;
-void *thread_generate_key(void *ctx)
+static void *thread_generate_key(void *ctx)
 {
     mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;

tf-psa-crypto/tests/suites/test_suite_psa_crypto_metadata.function

@@ -106,7 +106,7 @@
  * The expected parity is even so that 0 is considered a valid encoding.
  *
  * Return a nonzero value if value has even parity and 0 otherwise. */
-int has_even_parity(uint32_t value)
+static int has_even_parity(uint32_t value)
 {
     value ^= value >> 16;
     value ^= value >> 8;
@@ -116,7 +116,7 @@ int has_even_parity(uint32_t value)
 #define TEST_PARITY(value)                    \
     TEST_ASSERT(has_even_parity(value))
 
-void algorithm_classification(psa_algorithm_t alg, unsigned flags)
+static void algorithm_classification(psa_algorithm_t alg, unsigned flags)
 {
     unsigned classification_flags_tested = 0;
     TEST_CLASSIFICATION_MACRO(1, ALG_IS_VENDOR_DEFINED, alg, flags);
@@ -155,7 +155,7 @@ void algorithm_classification(psa_algorithm_t alg, unsigned flags)
 exit:;
 }
 
-void key_type_classification(psa_key_type_t type, unsigned flags)
+static void key_type_classification(psa_key_type_t type, unsigned flags)
 {
     unsigned classification_flags_tested = 0;
 
@@ -192,7 +192,7 @@ void key_type_classification(psa_key_type_t type, unsigned flags)
 exit:;
 }
 
-void mac_algorithm_core(psa_algorithm_t alg, int classification_flags,
+static void mac_algorithm_core(psa_algorithm_t alg, int classification_flags,
                                psa_key_type_t key_type, size_t key_bits,
                                size_t length)
 {
@@ -218,7 +218,7 @@ void mac_algorithm_core(psa_algorithm_t alg, int classification_flags,
 exit:;
 }
 
-void aead_algorithm_core(psa_algorithm_t alg, int classification_flags,
+static void aead_algorithm_core(psa_algorithm_t alg, int classification_flags,
                                 psa_key_type_t key_type, size_t key_bits,
                                 size_t tag_length)
 {

tf-psa-crypto/tests/suites/test_suite_psa_crypto_se_driver_hal.function

@@ -599,7 +599,7 @@ exit:
  * If this changes, the storage format version must change.
  * See psa_get_se_driver_its_file_uid() in psa_crypto_se.c.
  */
-psa_storage_uid_t file_uid_for_location(psa_key_location_t location)
+static psa_storage_uid_t file_uid_for_location(psa_key_location_t location)
 {
     if (location > PSA_MAX_SE_LOCATION) {
         return 0;

tf-psa-crypto/tests/suites/test_suite_psa_crypto_se_driver_hal_mocks.function

@@ -162,7 +162,7 @@ static psa_status_t mock_import(psa_drv_se_context_t *drv_context,
     return mock_import_data.return_value;
 }
 
-psa_status_t mock_export(psa_drv_se_context_t *context,
+static psa_status_t mock_export(psa_drv_se_context_t *context,
                                 psa_key_slot_number_t slot_number,
                                 uint8_t *p_data,
                                 size_t data_size,
@@ -179,7 +179,7 @@ psa_status_t mock_export(psa_drv_se_context_t *context,
     return mock_export_data.return_value;
 }
 
-psa_status_t mock_export_public(psa_drv_se_context_t *context,
+static psa_status_t mock_export_public(psa_drv_se_context_t *context,
                                        psa_key_slot_number_t slot_number,
                                        uint8_t *p_data,
                                        size_t data_size,
@@ -196,7 +196,7 @@ psa_status_t mock_export_public(psa_drv_se_context_t *context,
     return mock_export_public_data.return_value;
 }
 
-psa_status_t mock_sign(psa_drv_se_context_t *context,
+static psa_status_t mock_sign(psa_drv_se_context_t *context,
                               psa_key_slot_number_t key_slot,
                               psa_algorithm_t alg,
                               const uint8_t *p_hash,
@@ -219,7 +219,7 @@ psa_status_t mock_sign(psa_drv_se_context_t *context,
     return mock_sign_data.return_value;
 }
 
-psa_status_t mock_verify(psa_drv_se_context_t *context,
+static psa_status_t mock_verify(psa_drv_se_context_t *context,
                                 psa_key_slot_number_t key_slot,
                                 psa_algorithm_t alg,
                                 const uint8_t *p_hash,
@@ -240,7 +240,7 @@ psa_status_t mock_verify(psa_drv_se_context_t *context,
     return mock_verify_data.return_value;
 }
 
-psa_status_t mock_allocate(psa_drv_se_context_t *drv_context,
+static psa_status_t mock_allocate(psa_drv_se_context_t *drv_context,
                                   void *persistent_data,
                                   const psa_key_attributes_t *attributes,
                                   psa_key_creation_method_t method,
@@ -258,7 +258,7 @@ psa_status_t mock_allocate(psa_drv_se_context_t *drv_context,
     return mock_allocate_data.return_value;
 }
 
-psa_status_t mock_destroy(psa_drv_se_context_t *context,
+static psa_status_t mock_destroy(psa_drv_se_context_t *context,
                                  void *persistent_data,
                                  psa_key_slot_number_t slot_number)
 {