additional sanity checks on arguments from static analysis tests

src/crypto/clu_evp_crypto.c

@@ -222,7 +222,9 @@ int wolfCLU_evp_crypto(const WOLFSSL_EVP_CIPHER* cphr, char* mode, byte* pwdKey,
         else {
             /* write to stdout if no file provided  */
             out = wolfSSL_BIO_new(wolfSSL_BIO_s_file());
-            wolfSSL_BIO_set_fp(out, stdout, BIO_NOCLOSE);
+            if (out != NULL) {
+                wolfSSL_BIO_set_fp(out, stdout, BIO_NOCLOSE);
+            }
         }
         if (out == NULL) {
             wolfCLU_LogError("unable to open output file %s", fileOut);

src/pkcs/clu_pkcs7.c

@@ -128,7 +128,12 @@ int wolfCLU_PKCS7(int argc, char** argv)
     /* currently only supporting PKCS7 parsing, input is expected */
     if (ret == WOLFCLU_SUCCESS && bioIn == NULL) {
         bioIn = wolfSSL_BIO_new(wolfSSL_BIO_s_file());
-        wolfSSL_BIO_set_fp(bioIn, stdin, BIO_NOCLOSE);
+        if (bioIn == NULL) {
+            ret = WOLFCLU_FATAL_ERROR;
+        }
+        else {
+            wolfSSL_BIO_set_fp(bioIn, stdin, BIO_NOCLOSE);
+        }
     }
 
     /* read the input bio to a temporary buffer and convert to PKCS7 */

src/pkey/clu_rsa.c

@@ -162,7 +162,7 @@ int wolfCLU_RSA(int argc, char** argv)
         else {
             if (pubIn) {
                 unsigned char *der;
-                const unsigned char **pp;
+                const unsigned char *p;
                 long derSz;
 
                 derSz = wolfSSL_BIO_get_len(bioIn);
@@ -177,8 +177,9 @@ int wolfCLU_RSA(int argc, char** argv)
                     }
 
                     if (ret == WOLFCLU_SUCCESS) {
-                        pp = (const unsigned char**)&der;
-                        rsa = wolfSSL_d2i_RSAPublicKey(NULL, pp, derSz);
+                        /* d2i may advance *pp; preserve base for XFREE */
+                        p = der;
+                        rsa = wolfSSL_d2i_RSAPublicKey(NULL, &p, derSz);
                     }
                     XFREE(der, HEAP_HINT, DYNAMIC_TYPE_PUBLIC_KEY);
                 }

src/sign-verify/clu_crl_verify.c

@@ -256,7 +256,12 @@ int wolfCLU_CRLVerify(int argc, char** argv)
         WOLFSSL_CERT_MANAGER* cm;
 
         cm = wolfSSL_CertManagerNew();
-        if (wolfSSL_CertManagerLoadCA(cm, caCert, NULL) != WOLFSSL_SUCCESS) {
+        if (cm == NULL) {
+            wolfCLU_LogError("Failed to create CertManager");
+            ret = WOLFCLU_FATAL_ERROR;
+        }
+        else if (wolfSSL_CertManagerLoadCA(cm, caCert, NULL)
+                != WOLFSSL_SUCCESS) {
             wolfCLU_LogError("Unable to open CA file");
             ret = WOLFCLU_FATAL_ERROR;
         }

src/sign-verify/clu_x509_verify.c

@@ -241,7 +241,9 @@ int wolfCLU_x509Verify(int argc, char** argv)
             wolfCLU_LogError("Failed to create untrusted chain stack");
             ret = WOLFCLU_FATAL_ERROR;
         }
-         wolfSSL_sk_X509_push(intermStack, intermediate);
+        else {
+            wolfSSL_sk_X509_push(intermStack, intermediate);
+        }
     }
 
     if (ret == WOLFCLU_SUCCESS) {

tests/encrypt/enc-test.py

@@ -137,6 +137,20 @@ def test_small_file(self):
         self.assertTrue(filecmp.cmp(small, dec, shallow=False),
                         "small file decryption mismatch")
 
+    def test_enc_to_stdout(self):
+        """enc with no -out writes ciphertext to stdout."""
+        src = "enc_stdout_test.bin"
+        self._cleanup(src)
+        with open(src, "wb") as f:
+            f.write(b"plaintext\n")
+
+        r = subprocess.run(
+            [WOLFSSL_BIN, "enc", "-aes-128-cbc", "-in", src,
+             "-pass", "pass:test"],
+            capture_output=True, stdin=subprocess.DEVNULL, timeout=60)
+        self.assertEqual(r.returncode, 0, r.stderr)
+        self.assertTrue(len(r.stdout) > 0)
+
     def test_explicit_hex_key_iv(self):
         """Regression: explicit --key/--iv hex strings must be copied correctly."""
         src = "enc_hex_test.txt"

tests/pkey/rsa-test.py

@@ -139,6 +139,21 @@ def test_modulus_noout(self):
         self.assertIn("Modulus", r.stdout)
         self.assertNotIn("BEGIN", r.stdout)
 
+    def test_pubin_der(self):
+        """-pubin -inform DER round-trip prints the modulus."""
+        der_path = "test_pubkey.der"
+        self._cleanup(der_path)
+
+        r = run_wolfssl("rsa", "-in",
+                        os.path.join(CERTS_DIR, "server-keyPub.pem"),
+                        "-pubin", "-outform", "DER", "-out", der_path)
+        self.assertEqual(r.returncode, 0, r.stderr)
+
+        r = run_wolfssl("rsa", "-in", der_path, "-inform", "DER",
+                        "-pubin", "-noout", "-modulus")
+        self.assertEqual(r.returncode, 0, r.stderr)
+        self.assertIn("Modulus", r.stdout)
+
     def test_invalid_outform_error_message(self):
         """Invalid -outform value must produce an outform-related error.