wolfSSL · SparkiDev · Mar 18, 2026
diff --git a/wolfcrypt/src/port/Espressif/esp32_aes.c b/wolfcrypt/src/port/Espressif/esp32_aes.c
@@ -475,15 +475,17 @@ int wc_esp32AesDecrypt(Aes *aes, const byte* in, byte* out)
 
     ESP_LOGV(TAG, "enter wc_esp32AesDecrypt");
     /* lock the hw engine */
-    esp_aes_hw_InUse();
-    /* load the key into the register */
-    ret = esp_aes_hw_Set_KeyMode(aes, ESP32_AES_UPDATEKEY_DECRYPT);
-    if (ret != ESP_OK) {
-        ESP_LOGE(TAG, "wc_esp32AesDecrypt failed "
-                      "during esp_aes_hw_Set_KeyMode");
-        /* release hw */
-        esp_aes_hw_Leave();
-        ret = BAD_FUNC_ARG;
+    ret = esp_aes_hw_InUse();
+    if (ret == ESP_OK) {
+        /* load the key into the register */
+        ret = esp_aes_hw_Set_KeyMode(aes, ESP32_AES_UPDATEKEY_DECRYPT);
+        if (ret != ESP_OK) {
+            ESP_LOGE(TAG, "wc_esp32AesDecrypt failed "
+                          "during esp_aes_hw_Set_KeyMode");
+            /* release hw */
+            esp_aes_hw_Leave();
+            ret = BAD_FUNC_ARG;
+        }
     }
 
     if (ret == ESP_OK) {
@@ -606,9 +608,9 @@ int wc_esp32AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
 
             offset += WC_AES_BLOCK_SIZE;
         } /* while (blocks--) */
-        esp_aes_hw_Leave();
     } /* if Set Mode was successful (ret == ESP_OK) */
 
+    esp_aes_hw_Leave();
     ESP_LOGV(TAG, "leave wc_esp32AesCbcDecrypt");
     return ret;
 } /* wc_esp32AesCbcDecrypt */

diff --git a/wolfcrypt/src/port/Espressif/esp32_mp.c b/wolfcrypt/src/port/Espressif/esp32_mp.c
@@ -2249,6 +2249,9 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
     #ifdef WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
             ESP_LOGW(TAG, "result exceeds max bit length");
     #endif
+            if (mulmod_lock_called) {
+                esp_mp_hw_unlock();
+            }
             return MP_HW_FALLBACK; /*  Error: value is not able to be used. */
         }
         WordsForOperand = bits2words(OperandBits);
@@ -2343,7 +2346,7 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
                            OperandBits, ESP_HW_MOD_RSAMAX_BITS);
     #endif
             if (mulmod_lock_called) {
-                ret = esp_mp_hw_unlock();
+                esp_mp_hw_unlock();
             }
             return MP_HW_FALLBACK; /*  Error: value is not able to be used. */
         }
@@ -2440,6 +2443,9 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
             ESP_LOGW(TAG, "mp_mulmod OperandBits %d exceeds max bit length %d.",
                            OperandBits, ESP_HW_MOD_RSAMAX_BITS);
     #endif
+            if (mulmod_lock_called) {
+                esp_mp_hw_unlock();
+            }
             return MP_HW_FALLBACK; /*  Error: value is not able to be used. */
         }
         WordsForOperand = bits2words(OperandBits);

diff --git a/wolfcrypt/src/port/Espressif/esp32_util.c b/wolfcrypt/src/port/Espressif/esp32_util.c
@@ -1007,6 +1007,7 @@ int show_binary(byte* theVar, size_t dataSz) {
     return 0;
 }
 
+/* Assume toVar is big enough. */
 int hexToBinary(byte* toVar, const char* fromHexString, size_t szHexString ) {
     int ret = 0;
     /* Calculate the actual binary length of the hex string */
@@ -1018,6 +1019,7 @@ int hexToBinary(byte* toVar, const char* fromHexString, size_t szHexString ) {
     }
     if ((szHexString % 2 != 0)) {
         ESP_LOGE("ssh", "fromHexString length not even!");
+        return -1;
     }
 
     ESP_LOGW(TAG, "Replacing %d bytes at %x", byteLen, (word32)toVar);

diff --git a/wolfcrypt/src/port/Espressif/esp_sdk_time_lib.c b/wolfcrypt/src/port/Espressif/esp_sdk_time_lib.c
@@ -189,7 +189,7 @@ int set_fixed_default_time(void)
     struct tm timeinfo = {
         .tm_year = YEAR  - 1900, /* years since 1900                 */
         .tm_mon  = MONTH - 1,    /* Month, where 0 = Jan             */
-        .tm_mday = DAY   - 1,    /* Numeric decimal day of the month */
+        .tm_mday = DAY,          /* Numeric decimal day of the month */
         .tm_hour = 13,
         .tm_min  =  1,
         .tm_sec  =  5
@@ -276,7 +276,7 @@ int set_time_from_string(const char* time_buffer)
     char offset[28]; /* large arrays, just in case there's still bad data */
     char day_str[28];
     char month_str[28];
-    const char *format = "%3s %3s %d %d:%d:%d %d %s";
+    const char *format = "%3s %3s %d %d:%d:%d %d %27s";
     struct tm this_timeinfo;
     struct timeval now;
     time_t interim_time;
@@ -304,18 +304,23 @@ int set_time_from_string(const char* time_buffer)
                                      "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
                                    };
 
-            for (int i = 0; i < 12; i++) {
+            int i;
+            for (i = 0; i < 12; i++) {
                 if (strcmp(month_str, months[i]) == 0) {
                     this_timeinfo.tm_mon = i;
                     break;
                 }
             }
+            if (i == 12) {
+                return ESP_FAIL;
+            }
 
             this_timeinfo.tm_mday = day;
             this_timeinfo.tm_hour = hour;
             this_timeinfo.tm_min = minute;
             this_timeinfo.tm_sec = second;
             this_timeinfo.tm_year = year - 1900; /* Years since 1900 */
+            this_timeinfo.tm_isdst = -1;
 
             interim_time = mktime(&this_timeinfo);
             now = (struct timeval){ .tv_sec = interim_time };
@@ -397,11 +402,11 @@ int set_time(void)
         }
         ESP_LOGI(TAG, "sntp_setservername:");
         for (i = 0; i < CONFIG_LWIP_SNTP_MAX_SERVERS; i++) {
-            const char* thisServer = ntpServerList[i];
-            if (strncmp(thisServer, "\x00", 1) == 0) {
-                /* just in case we run out of NTP servers */
-                break;
+            const char* thisServer;
+            if (i >= NTP_SERVER_COUNT) {
+               break;
             }
+            thisServer = ntpServerList[i];
             ESP_LOGI(TAG, "%s", thisServer);
             sntp_setservername(i, thisServer);
             ret = ESP_OK;

diff --git a/wolfcrypt/src/port/Espressif/esp_sdk_wifi_lib.c b/wolfcrypt/src/port/Espressif/esp_sdk_wifi_lib.c
@@ -324,6 +324,7 @@ static EventGroupHandle_t s_wifi_event_group;
 
 
 static int s_retry_num = 0;
+/* TODO: use event in wc_wifi_show_ip - logging the IP string causes a panic. */
 ip_event_got_ip_t* event;
 
 

diff --git a/wolfcrypt/src/port/Renesas/renesas_common.c b/wolfcrypt/src/port/Renesas/renesas_common.c
@@ -440,12 +440,12 @@ int wc_CryptoCb_CryptInitRenesasCmn(struct WOLFSSL* ssl, void* ctx)
         if (cbInfo->internal == NULL) {
             return MEMORY_E;
         }
+        ForceZero(cbInfo->internal, internal_sz);
        #if defined(WOLFSSL_RENESAS_FSPSM_TLS) ||\
             defined(WOLFSSL_RENESAS_TSIP_TLS)
         if (ssl)
             cbInfo->internal->heap = ssl->heap;
        #endif
-        ForceZero(cbInfo->internal, internal_sz);
     }
     /* need exclusive control because of static variable */
     if ((cmn_hw_lock()) == 0) {

diff --git a/wolfcrypt/src/port/Renesas/renesas_fspsm_rsa.c b/wolfcrypt/src/port/Renesas/renesas_fspsm_rsa.c
@@ -248,7 +248,7 @@ WOLFSSL_LOCAL int wc_fspsm_RsaSign(const byte* in, word32 inLen, byte* out,
     message_hash.data_type =
             info->keyflgs_crypt.bits.message_type;/* message 0, hash 1 */
     signature.pdata = out;
-    signature.data_length = (word32*)outLen;
+    signature.data_length = *outLen;
 
     #if defined(WOLFSSL_RENESAS_RSIP)
     message_hash.hash_type = signature.hash_type =

diff --git a/wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c b/wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c
@@ -785,7 +785,7 @@ int wc_Sha512_256Final(wc_Sha512* sha, byte* hash)
 }
 int wc_Sha512_256GetHash(wc_Sha512* sha, byte* hash)
 {
-    return FSPSM_HashGet(sha, hash, WC_SHA512_224_DIGEST_SIZE);
+    return FSPSM_HashGet(sha, hash, WC_SHA512_256_DIGEST_SIZE);
 }
 
 int wc_Sha512_256Copy(wc_Sha512* src, wc_Sha512* dst)

diff --git a/wolfcrypt/src/port/Renesas/renesas_fspsm_util.c b/wolfcrypt/src/port/Renesas/renesas_fspsm_util.c
@@ -195,7 +195,7 @@ int wc_fspsm_GenerateRandBlock(byte* output, word32 sz)
     uint32_t fspbuf[RANDGEN_WORDS];
 
     while (sz > 0) {
-        word32 len = sizeof(buffer);
+        word32 len = sizeof(fspbuf);
 
         if (sz < len) {
             len = sz;

diff --git a/wolfcrypt/src/port/Renesas/renesas_tsip_aes.c b/wolfcrypt/src/port/Renesas/renesas_tsip_aes.c
@@ -261,8 +261,8 @@ WOLFSSL_LOCAL int tsip_Tls13AesDecrypt(
 
     WOLFSSL_ENTER("tsip_Tls13AesDecrypt");
 
-    if ((ssl == NULL) || (input == NULL) || (output == NULL) || (sz == 0) ||
-        (ssl->RenesasUserCtx == NULL)) {
+    if ((ssl == NULL) || (input == NULL) || (output == NULL) ||
+        (sz < TSIP_AES_GCM_AUTH_TAG_SIZE) || (ssl->RenesasUserCtx == NULL)) {
         return BAD_FUNC_ARG;
     }
 

diff --git a/wolfcrypt/src/port/Renesas/renesas_tsip_sha.c b/wolfcrypt/src/port/Renesas/renesas_tsip_sha.c
@@ -398,6 +398,7 @@ static int TSIPHashFinal(wolfssl_TSIP_Hash* hash, byte* out, word32 outSz)
         if (ret == TSIP_SUCCESS) {
             ret = Final(&handle, out, (uint32_t*)&sz);
             if (ret != TSIP_SUCCESS || sz != outSz) {
+                tsip_hw_unlock();
                 return ret;
             }
         }
@@ -442,6 +443,7 @@ static int TSIPHashGet(wolfssl_TSIP_Hash* hash, byte* out, word32 outSz)
         if (ret == TSIP_SUCCESS) {
             ret = Final(&handle, out, &sz);
             if (ret != TSIP_SUCCESS || sz != outSz) {
+                tsip_hw_unlock();
                 return ret;
             }
         }

diff --git a/wolfcrypt/src/port/af_alg/afalg_aes.c b/wolfcrypt/src/port/af_alg/afalg_aes.c
@@ -50,7 +50,7 @@ static int wc_AesSetup(Aes* aes, const char* type, const char* name, int ivSz, i
     byte* key = (byte*)aes->key;
 #endif
 
-    if (aes->alFd <= 0) {
+    if (aes->alFd == WC_SOCK_NOTSET) {
         aes->alFd = wc_Afalg_Socket();
         if (aes->alFd < 0) {
             WOLFSSL_MSG("Unable to open an AF_ALG socket");
@@ -133,11 +133,11 @@ int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
     aes->left = 0;
 #endif
 
-    if (aes->rdFd > 0) {
+    if (aes->rdFd > WC_SOCK_NOTSET) {
         (void)close(aes->rdFd);
     }
     aes->rdFd = WC_SOCK_NOTSET;
-    if (aes->alFd <= 0) {
+    if (aes->alFd == WC_SOCK_NOTSET) {
         aes->alFd = wc_Afalg_Socket();
     }
 
@@ -527,11 +527,11 @@ int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
     aes->keylen = len;
     aes->rounds = len/4 + 6;
 
-    if (aes->rdFd > 0) {
+    if (aes->rdFd > WC_SOCK_NOTSET) {
         (void)close(aes->rdFd);
     }
     aes->rdFd = WC_SOCK_NOTSET;
-    if (aes->alFd <= 0) {
+    if (aes->alFd == WC_SOCK_NOTSET) {
         aes->alFd = wc_Afalg_Socket();
     }
 
@@ -594,7 +594,7 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
         return BAD_FUNC_ARG;
     }
 
-    if (aes->alFd <= 0) {
+    if (aes->alFd == WC_SOCK_NOTSET) {
         WOLFSSL_MSG("AF_ALG GcmEncrypt called with alFd unset");
         return BAD_FUNC_ARG;
     }
@@ -726,14 +726,18 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     }
 
     {
-        byte* tmp = (byte*)XMALLOC(authInSz, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
-        if (tmp == NULL) {
-            return MEMORY_E;
+        byte* tmp = NULL;
+
+        if (authInSz > 0) {
+            tmp = (byte*)XMALLOC(authInSz, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            if (tmp == NULL) {
+                return MEMORY_E;
+            }
+            /* first 16 bytes was all 0's */
+            iov[0].iov_base = tmp;
+            (void)scratch;
+            iov[0].iov_len  = authInSz;
         }
-        /* first 16 bytes was all 0's */
-        iov[0].iov_base = tmp;
-        (void)scratch;
-        iov[0].iov_len  = authInSz;
 
         iov[1].iov_base = out;
         iov[1].iov_len  = sz;
@@ -743,9 +747,9 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 
         ret = (int)readv(aes->rdFd, iov, 3);
         XFREE(tmp, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
-    }
-    if (ret < 0) {
-        return WC_AFALG_SOCK_E;
+        if (ret < 0) {
+            return WC_AFALG_SOCK_E;
+        }
     }
 #endif
 
@@ -758,7 +762,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
  *
  * Warning: If using Xilinx hardware acceleration it is assumed that the in
  *          buffer is large enough to hold both cipher text and tag. That is
- *          sz | 16 bytes
+ *          sz | 16 bytes. The in buffer has tag appended even though it is
+ *          const for this wolfSSL API.
  */
 int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
                      const byte* iv, word32 ivSz,
@@ -851,9 +856,6 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
         if (ret < 0)
             return ret;
         xorbuf(tag, scratch, WC_AES_BLOCK_SIZE);
-        if (ret != 0) {
-            return AES_GCM_AUTH_E;
-        }
     }
 
     /* it is assumed that in buffer size is large enough to hold TAG */
@@ -933,12 +935,16 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
     }
 
     {
-        byte* tmp = (byte*)XMALLOC(authInSz, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
-        if (tmp == NULL) {
-            return MEMORY_E;
+        byte* tmp = NULL;
+
+        if (authInSz > 0) {
+            tmp = (byte*)XMALLOC(authInSz, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            if (tmp == NULL) {
+                return MEMORY_E;
+            }
+            iov[0].iov_base = tmp;
+            iov[0].iov_len  = authInSz;
         }
-        iov[0].iov_base = tmp;
-        iov[0].iov_len  = authInSz;
         iov[1].iov_base = out;
         iov[1].iov_len  = sz;
         ret = (int)readv(aes->rdFd, iov, 2);
Original file line number	Diff line number	Diff line change
Expand Up		@@ -324,6 +324,7 @@ static EventGroupHandle_t s_wifi_event_group;


		static int s_retry_num = 0;
		/* TODO: use event in wc_wifi_show_ip - logging the IP string causes a panic. */
		ip_event_got_ip_t* event;


Expand Down