ci: check for s2n_array_len in loop bounds (#4802)

aws · Oct 1, 2024 · 373bc2d · 373bc2d
1 parent 7c584e0
commit 373bc2d
Show file tree

Hide file tree

Showing 11 changed files with 66 additions and 46 deletions.
diff --git a/codebuild/bin/grep_simple_mistakes.sh b/codebuild/bin/grep_simple_mistakes.sh
@@ -101,6 +101,26 @@ for file in $S2N_FILES_ARRAY_SIZING_RETURN; do
   fi
 done
 
+#############################################
+# Detect any suspicious loops not using s2n_array_len().
+# This is not necessarily a problem, but it's been a common source of errors,
+# so we should just enforce stricter conventions.
+#############################################
+S2N_FILES_WITH_SIZEOF_LOOP=$(find "$PWD" -type f -name "s2n*.c" -path "*")
+for file in $S2N_FILES_WITH_SIZEOF_LOOP; do
+  WITH_QUESTIONABLE_SIZEOF_LOOP=`grep -Ern 'for \(.+; .+ <=? sizeof\(.+\); .+\)' $file | \
+    grep -vE '<=? sizeof\(.*bytes\);' |
+    grep -vE '<=? sizeof\(.*data\);' |
+    grep -vE '<=? sizeof\(.*u8\);'`
+  if [ "${#WITH_QUESTIONABLE_SIZEOF_LOOP}" != "0" ]; then
+    FAILED=1
+    printf "\e[1;34mWarning: sizeof is only valid for arrays of chars or uint8_ts. "
+    printf "Use s2n_array_len for other types, "
+    printf "or append \"bytes\", \"data\", or \"u8\" to your variable name for clarity.\n"
+    printf "File: $file:\e[0m\n$WITH_QUESTIONABLE_SIZEOF_LOOP\n\n"
+  fi
+done
+
 #############################################
 # Assert that all assignments from s2n_stuffer_raw_read() have a
 # notnull_check (or similar manual null check) on the same, or next, line.

diff --git a/tests/unit/s2n_client_extensions_test.c b/tests/unit/s2n_client_extensions_test.c
@@ -32,7 +32,7 @@
 #define ZERO_TO_THIRTY_ONE 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, \
                            0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
 
-static uint8_t server_ocsp_status[] = {
+static uint8_t server_ocsp_status_bytes[] = {
     /* clang-format off */
         0x30, 0x82, 0x06, 0x45, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x06, 0x3e, 0x30, 0x82, 0x06, 0x3a, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04, 0x82, 0x06, 0x2b, 0x30, 0x82, 0x06, 0x27, 0x30, 0x81, 0xeb, 0xa1, 0x70, 0x30, 0x6e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x49, 0x4c, 0x31, 0x31, 0x30, 0x2f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x28, 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6f, 0x6d, 0x20, 0x4c, 0x74, 0x64, 0x2e, 0x20, 0x28, 0x53, 0x74, 0x61, 0x72, 0x74, 0x20, 0x43, 0x6f, 0x6d, 0x6d, 0x65, 0x72, 0x63, 0x69, 0x61, 0x6c, 0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64, 0x29, 0x31, 0x2c, 0x30, 0x2a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x23, 0x53, 0x74, 0x61, 0x72,
         0x74, 0x43, 0x6f, 0x6d, 0x20, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x31, 0x20, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x4f, 0x43, 0x53, 0x50, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x18, 0x0f, 0x32, 0x30, 0x31, 0x35, 0x30, 0x32, 0x32, 0x37, 0x30, 0x36, 0x34, 0x36, 0x34, 0x35, 0x5a, 0x30, 0x66, 0x30, 0x64, 0x30, 0x3c, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14, 0x65, 0x68, 0x87, 0x4f, 0x40, 0x75, 0x0f, 0x01, 0x6a, 0x34, 0x75, 0x62, 0x5e, 0x1f, 0x5c, 0x93, 0xe5, 0xa2, 0x6d, 0x58, 0x04, 0x14, 0xeb, 0x42, 0x34, 0xd0, 0x98, 0xb0, 0xab, 0x9f, 0xf4, 0x1b, 0x6b, 0x08, 0xf7, 0xcc, 0x64, 0x2e, 0xef, 0x0e, 0x2c, 0x45, 0x02, 0x03, 0x0f, 0x87, 0x2c, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30,
@@ -753,7 +753,7 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_TEST_PRIVATE_KEY, private_key, S2N_MAX_TEST_PEM_SIZE));
         EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(server_config, cert_chain, private_key));
         EXPECT_SUCCESS(s2n_config_set_extension_data(server_config, S2N_EXTENSION_OCSP_STAPLING,
-                server_ocsp_status, sizeof(server_ocsp_status)));
+                server_ocsp_status_bytes, sizeof(server_ocsp_status_bytes)));
         EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
 
         EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
@@ -862,7 +862,7 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_TEST_PRIVATE_KEY, private_key, S2N_MAX_TEST_PEM_SIZE));
         EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(server_config, cert_chain, private_key));
         EXPECT_SUCCESS(s2n_config_set_extension_data(server_config, S2N_EXTENSION_OCSP_STAPLING,
-                server_ocsp_status, sizeof(server_ocsp_status)));
+                server_ocsp_status_bytes, sizeof(server_ocsp_status_bytes)));
 
         EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
         EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
@@ -877,10 +877,10 @@ int main(int argc, char **argv)
         /* Verify that the client received an OCSP response. */
         EXPECT_EQUAL(s2n_connection_is_ocsp_stapled(client_conn), 1);
         EXPECT_NOT_NULL(server_ocsp_reply = s2n_connection_get_ocsp_response(client_conn, &length));
-        EXPECT_EQUAL(length, sizeof(server_ocsp_status));
+        EXPECT_EQUAL(length, sizeof(server_ocsp_status_bytes));
 
-        for (size_t i = 0; i < sizeof(server_ocsp_status); i++) {
-            EXPECT_EQUAL(server_ocsp_reply[i], server_ocsp_status[i]);
+        for (size_t i = 0; i < sizeof(server_ocsp_status_bytes); i++) {
+            EXPECT_EQUAL(server_ocsp_reply[i], server_ocsp_status_bytes[i]);
         }
 
         EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
@@ -923,7 +923,7 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_TEST_PRIVATE_KEY, private_key, S2N_MAX_TEST_PEM_SIZE));
         EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(server_config, cert_chain, private_key));
         EXPECT_SUCCESS(s2n_config_set_extension_data(server_config, S2N_EXTENSION_OCSP_STAPLING,
-                server_ocsp_status, sizeof(server_ocsp_status)));
+                server_ocsp_status_bytes, sizeof(server_ocsp_status_bytes)));
         EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
 
         EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
@@ -934,10 +934,10 @@ int main(int argc, char **argv)
         /* Verify that the client received an OCSP response. */
         EXPECT_EQUAL(s2n_connection_is_ocsp_stapled(client_conn), 1);
         EXPECT_NOT_NULL(server_ocsp_reply = s2n_connection_get_ocsp_response(client_conn, &length));
-        EXPECT_EQUAL(length, sizeof(server_ocsp_status));
+        EXPECT_EQUAL(length, sizeof(server_ocsp_status_bytes));
 
-        for (size_t i = 0; i < sizeof(server_ocsp_status); i++) {
-            EXPECT_EQUAL(server_ocsp_reply[i], server_ocsp_status[i]);
+        for (size_t i = 0; i < sizeof(server_ocsp_status_bytes); i++) {
+            EXPECT_EQUAL(server_ocsp_reply[i], server_ocsp_status_bytes[i]);
         }
 
         EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
@@ -985,7 +985,7 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_ECDSA_TEST_PRIVATE_KEY, private_key, S2N_MAX_TEST_PEM_SIZE));
         EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(server_config, cert_chain, private_key));
         EXPECT_SUCCESS(s2n_config_set_extension_data(server_config, S2N_EXTENSION_OCSP_STAPLING,
-                server_ocsp_status, sizeof(server_ocsp_status)));
+                server_ocsp_status_bytes, sizeof(server_ocsp_status_bytes)));
         EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
 
         EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
@@ -997,10 +997,10 @@ int main(int argc, char **argv)
         EXPECT_EQUAL(s2n_connection_is_ocsp_stapled(client_conn), 1);
 
         EXPECT_NOT_NULL(server_ocsp_reply = s2n_connection_get_ocsp_response(client_conn, &length));
-        EXPECT_EQUAL(length, sizeof(server_ocsp_status));
+        EXPECT_EQUAL(length, sizeof(server_ocsp_status_bytes));
 
-        for (size_t i = 0; i < sizeof(server_ocsp_status); i++) {
-            EXPECT_EQUAL(server_ocsp_reply[i], server_ocsp_status[i]);
+        for (size_t i = 0; i < sizeof(server_ocsp_status_bytes); i++) {
+            EXPECT_EQUAL(server_ocsp_reply[i], server_ocsp_status_bytes[i]);
         }
 
         EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));

diff --git a/tests/unit/s2n_client_hello_recv_test.c b/tests/unit/s2n_client_hello_recv_test.c
@@ -521,19 +521,19 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_connection_set_config(server, tls12_config));
 
         struct s2n_stuffer server_in = { 0 };
-        uint8_t sslv2_client_hello[] = {
+        uint8_t sslv2_client_hello_bytes[] = {
             SSLv2_CLIENT_HELLO_HEADER,
             SSLv2_CLIENT_HELLO_PREFIX,
             SSLv2_CLIENT_HELLO_CIPHER_SUITES,
             SSLv2_CLIENT_HELLO_CHALLENGE,
         };
         EXPECT_SUCCESS(s2n_blob_init(&server_in.blob,
-                sslv2_client_hello, sizeof(sslv2_client_hello)));
+                sslv2_client_hello_bytes, sizeof(sslv2_client_hello_bytes)));
         EXPECT_SUCCESS(s2n_connection_set_recv_io_stuffer(&server_in, server));
 
         /* Read message one byte at a time */
         s2n_blocked_status blocked = S2N_NOT_BLOCKED;
-        for (size_t i = 0; i < sizeof(sslv2_client_hello); i++) {
+        for (size_t i = 0; i < sizeof(sslv2_client_hello_bytes); i++) {
             EXPECT_ERROR_WITH_ERRNO(
                     s2n_negotiate_until_message(server, &blocked, SERVER_HELLO),
                     S2N_ERR_IO_BLOCKED);

diff --git a/tests/unit/s2n_client_key_share_extension_pq_test.c b/tests/unit/s2n_client_key_share_extension_pq_test.c
@@ -656,7 +656,7 @@ int main()
 
                     /* Do NOT mark the highest priority available KEM group as mutually supported */
                     EXPECT_OK(s2n_set_all_mutually_supported_groups(server_conn));
-                    for (int i = 0; i < sizeof(server_conn->kex_params.mutually_supported_kem_groups); i++) {
+                    for (int i = 0; i < s2n_array_len(server_conn->kex_params.mutually_supported_kem_groups); i++) {
                         if (server_conn->kex_params.mutually_supported_kem_groups[i]
                                 && s2n_kem_group_is_available(server_conn->kex_params.mutually_supported_kem_groups[i])) {
                             server_conn->kex_params.mutually_supported_kem_groups[i] = NULL;
@@ -717,7 +717,7 @@ int main()
 
                     /* Do NOT mark the highest priority available KEM group as mutually supported */
                     EXPECT_OK(s2n_set_all_mutually_supported_groups(server_conn));
-                    for (int i = 0; i < sizeof(server_conn->kex_params.mutually_supported_kem_groups); i++) {
+                    for (int i = 0; i < s2n_array_len(server_conn->kex_params.mutually_supported_kem_groups); i++) {
                         if (server_conn->kex_params.mutually_supported_kem_groups[i]
                                 && s2n_kem_group_is_available(server_conn->kex_params.mutually_supported_kem_groups[i])) {
                             server_conn->kex_params.mutually_supported_kem_groups[i] = NULL;

diff --git a/tests/unit/s2n_quic_support_io_test.c b/tests/unit/s2n_quic_support_io_test.c
@@ -517,7 +517,7 @@ int main(int argc, char **argv)
         EXPECT_FAILURE(s2n_recv_quic_post_handshake_message(NULL, &blocked));
 
         /* Parsable session ticket message */
-        uint8_t ticket_message[] = {
+        uint8_t ticket_message_bytes[] = {
             TLS_SERVER_NEW_SESSION_TICKET,
             0x00, 0x00, 0x12,    /* message size */
             TEST_LIFETIME,       /* ticket lifetime */
@@ -562,7 +562,7 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&stuffer, &stuffer, conn));
 
             /* Construct ST handshake message */
-            EXPECT_SUCCESS(s2n_stuffer_write_bytes(&stuffer, ticket_message, sizeof(ticket_message)));
+            EXPECT_SUCCESS(s2n_stuffer_write_bytes(&stuffer, ticket_message_bytes, sizeof(ticket_message_bytes)));
 
             EXPECT_SUCCESS(s2n_recv_quic_post_handshake_message(conn, &blocked));
 
@@ -571,7 +571,7 @@ int main(int argc, char **argv)
         };
 
         /* Test: successfully reads and processes fragmented post-handshake message */
-        for (size_t i = 1; i < sizeof(ticket_message); i++) {
+        for (size_t i = 1; i < sizeof(ticket_message_bytes); i++) {
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
             DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
             EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
@@ -585,7 +585,7 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&stuffer, &stuffer, conn));
 
             /* Mock receiving a fragmented handshake message */
-            EXPECT_SUCCESS(s2n_stuffer_write_bytes(&stuffer, ticket_message, i));
+            EXPECT_SUCCESS(s2n_stuffer_write_bytes(&stuffer, ticket_message_bytes, i));
 
             EXPECT_FAILURE_WITH_ERRNO(s2n_recv_quic_post_handshake_message(conn, &blocked), S2N_ERR_IO_BLOCKED);
             EXPECT_EQUAL(blocked, S2N_BLOCKED_ON_READ);
@@ -594,7 +594,7 @@ int main(int argc, char **argv)
             EXPECT_EQUAL(session_ticket_cb_count, 0);
 
             /* "Write" the rest of the message */
-            EXPECT_SUCCESS(s2n_stuffer_write_bytes(&stuffer, ticket_message + i, sizeof(ticket_message) - i));
+            EXPECT_SUCCESS(s2n_stuffer_write_bytes(&stuffer, ticket_message_bytes + i, sizeof(ticket_message_bytes) - i));
 
             EXPECT_SUCCESS(s2n_recv_quic_post_handshake_message(conn, &blocked));
 

diff --git a/tests/unit/s2n_resume_test.c b/tests/unit/s2n_resume_test.c
@@ -405,7 +405,7 @@ int main(int argc, char **argv)
         conn->secure->cipher_suite = &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256;
 
         uint8_t ems_state[] = { false, true };
-        for (size_t i = 0; i < sizeof(ems_state); i++) {
+        for (size_t i = 0; i < s2n_array_len(ems_state); i++) {
             /* Test the two different EMS states */
             conn->ems_negotiated = ems_state[i];
 

diff --git a/tests/unit/s2n_server_cert_request_test.c b/tests/unit/s2n_server_cert_request_test.c
@@ -68,8 +68,8 @@ int main(int argc, char **argv)
 
         uint8_t *their_cert_type_pref_list = s2n_stuffer_raw_read(in, cert_types_len);
 
-        EXPECT_EQUAL(cert_types_len, sizeof(s2n_cert_type_preference_list));
-        for (size_t idx = 0; idx < sizeof(s2n_cert_type_preference_list); idx++) {
+        EXPECT_EQUAL(cert_types_len, s2n_array_len(s2n_cert_type_preference_list));
+        for (size_t idx = 0; idx < s2n_array_len(s2n_cert_type_preference_list); idx++) {
             EXPECT_EQUAL(their_cert_type_pref_list[idx], s2n_cert_type_preference_list[idx]);
         }
 
@@ -96,8 +96,8 @@ int main(int argc, char **argv)
 
         uint8_t *their_cert_type_pref_list = s2n_stuffer_raw_read(in, cert_types_len);
 
-        EXPECT_EQUAL(cert_types_len, sizeof(s2n_cert_type_preference_list_legacy_dss));
-        for (size_t idx = 0; idx < sizeof(s2n_cert_type_preference_list_legacy_dss); idx++) {
+        EXPECT_EQUAL(cert_types_len, s2n_array_len(s2n_cert_type_preference_list_legacy_dss));
+        for (size_t idx = 0; idx < s2n_array_len(s2n_cert_type_preference_list_legacy_dss); idx++) {
             EXPECT_EQUAL(their_cert_type_pref_list[idx], s2n_cert_type_preference_list_legacy_dss[idx]);
         }
 

diff --git a/tests/unit/s2n_tls12_handshake_test.c b/tests/unit/s2n_tls12_handshake_test.c
@@ -482,7 +482,7 @@ int main(int argc, char **argv)
 
         conn->handshake.handshake_type = test_handshake_type;
 
-        for (size_t i = 0; i < sizeof(expected) / sizeof(char *); i++) {
+        for (size_t i = 0; i < s2n_array_len(expected); i++) {
             conn->handshake.message_number = i;
             EXPECT_STRING_EQUAL(expected[i], s2n_connection_get_last_message_name(conn));
         }

diff --git a/tests/unit/s2n_tls13_cert_verify_test.c b/tests/unit/s2n_tls13_cert_verify_test.c
@@ -226,7 +226,7 @@ int main(int argc, char **argv)
 
     EXPECT_SUCCESS(s2n_enable_tls13_in_test());
 
-    for (size_t i = 0; i < sizeof(test_cases) / sizeof(struct s2n_tls13_cert_verify_test); i++) {
+    for (size_t i = 0; i < s2n_array_len(test_cases); i++) {
         /* Run all tests for server sending and client receiving/verifying cert_verify message */
         run_tests(&test_cases[i], S2N_CLIENT);
 

diff --git a/tests/unit/s2n_tls13_prf_test.c b/tests/unit/s2n_tls13_prf_test.c
@@ -53,10 +53,10 @@ int main(int argc, char **argv)
     DEFER_CLEANUP(struct s2n_stuffer expected_secret_in = { 0 }, s2n_stuffer_free);
     DEFER_CLEANUP(struct s2n_stuffer expected_expanded_in = { 0 }, s2n_stuffer_free);
 
-    char client_handshake_message[sizeof(client_handshake_message_hex_in) / 2] = { 0 };
-    char server_handshake_message[sizeof(server_handshake_message_hex_in) / 2] = { 0 };
-    char expected_secret[sizeof(expected_secret_hex_in) / 2] = { 0 };
-    char expected_expanded[sizeof(expected_expanded_hex_in) / 2] = { 0 };
+    uint8_t client_handshake_message_bytes[sizeof(client_handshake_message_hex_in) / 2] = { 0 };
+    uint8_t server_handshake_message_bytes[sizeof(server_handshake_message_hex_in) / 2] = { 0 };
+    uint8_t expected_secret_bytes[sizeof(expected_secret_hex_in) / 2] = { 0 };
+    uint8_t expected_expanded_bytes[sizeof(expected_expanded_hex_in) / 2] = { 0 };
 
     uint8_t digest_buf[SHA256_DIGEST_LENGTH];
     uint8_t secret_buf[SHA256_DIGEST_LENGTH];
@@ -74,28 +74,28 @@ int main(int argc, char **argv)
     EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_string(&expected_expanded_in, expected_expanded_hex_in));
 
     /* Parse the hex */
-    for (size_t i = 0; i < sizeof(client_handshake_message); i++) {
+    for (size_t i = 0; i < sizeof(client_handshake_message_bytes); i++) {
         uint8_t c = 0;
         EXPECT_OK(s2n_stuffer_read_uint8_hex(&client_handshake_message_in, &c));
-        client_handshake_message[i] = c;
+        client_handshake_message_bytes[i] = c;
     }
 
-    for (size_t i = 0; i < sizeof(server_handshake_message); i++) {
+    for (size_t i = 0; i < sizeof(server_handshake_message_bytes); i++) {
         uint8_t c = 0;
         EXPECT_OK(s2n_stuffer_read_uint8_hex(&server_handshake_message_in, &c));
-        server_handshake_message[i] = c;
+        server_handshake_message_bytes[i] = c;
     }
 
-    for (size_t i = 0; i < sizeof(expected_secret); i++) {
+    for (size_t i = 0; i < sizeof(expected_secret_bytes); i++) {
         uint8_t c = 0;
         EXPECT_OK(s2n_stuffer_read_uint8_hex(&expected_secret_in, &c));
-        expected_secret[i] = c;
+        expected_secret_bytes[i] = c;
     }
 
-    for (size_t i = 0; i < sizeof(expected_expanded); i++) {
+    for (size_t i = 0; i < sizeof(expected_expanded_bytes); i++) {
         uint8_t c = 0;
         EXPECT_OK(s2n_stuffer_read_uint8_hex(&expected_expanded_in, &c));
-        expected_expanded[i] = c;
+        expected_expanded_bytes[i] = c;
     }
 
     EXPECT_SUCCESS(s2n_hash_new(&transcript_hash));
@@ -124,7 +124,7 @@ int main(int argc, char **argv)
 
     /* Validate the early secret */
     EXPECT_SUCCESS(s2n_hkdf_extract(&throwaway, S2N_HMAC_SHA256, &salt, &ikm, &secret));
-    EXPECT_EQUAL(memcmp(secret_buf, expected_secret, sizeof(secret_buf)), 0);
+    EXPECT_EQUAL(memcmp(secret_buf, expected_secret_bytes, sizeof(secret_buf)), 0);
 
     /* Validate the derived secret */
     S2N_BLOB_LABEL(label, "derived");
@@ -134,7 +134,7 @@ int main(int argc, char **argv)
     EXPECT_SUCCESS(s2n_hmac_new(&hmac));
     EXPECT_SUCCESS(s2n_hkdf_expand_label(&hmac, S2N_HMAC_SHA256, &secret, &label, &digest, &output));
 
-    EXPECT_EQUAL(memcmp(output_buf, expected_expanded, sizeof(output_buf)), 0);
+    EXPECT_EQUAL(memcmp(output_buf, expected_expanded_bytes, sizeof(output_buf)), 0);
 
     EXPECT_SUCCESS(s2n_hmac_free(&throwaway));
     EXPECT_SUCCESS(s2n_hmac_free(&hmac));

diff --git a/tls/s2n_server_cert_request.c b/tls/s2n_server_cert_request.c
@@ -70,7 +70,7 @@ static int s2n_recv_client_cert_preferences(struct s2n_stuffer *in, s2n_cert_typ
     POSIX_ENSURE_REF(their_cert_type_pref_list);
 
     /* Iterate through our preference list from most to least preferred, and return the first match that we find. */
-    for (size_t our_cert_pref_idx = 0; our_cert_pref_idx < sizeof(s2n_cert_type_preference_list); our_cert_pref_idx++) {
+    for (size_t our_cert_pref_idx = 0; our_cert_pref_idx < s2n_array_len(s2n_cert_type_preference_list); our_cert_pref_idx++) {
         for (int their_cert_idx = 0; their_cert_idx < cert_types_len; their_cert_idx++) {
             if (their_cert_type_pref_list[their_cert_idx] == s2n_cert_type_preference_list[our_cert_pref_idx]) {
                 *chosen_cert_type_out = s2n_cert_type_preference_list[our_cert_pref_idx];