Fixes from AI review

Author: SparkiDev

wolfcrypt/src/port/Espressif/esp32_aes.c

@@ -475,15 +475,17 @@ int wc_esp32AesDecrypt(Aes *aes, const byte* in, byte* out)
 
     ESP_LOGV(TAG, "enter wc_esp32AesDecrypt");
     /* lock the hw engine */
-    esp_aes_hw_InUse();
-    /* load the key into the register */
-    ret = esp_aes_hw_Set_KeyMode(aes, ESP32_AES_UPDATEKEY_DECRYPT);
-    if (ret != ESP_OK) {
-        ESP_LOGE(TAG, "wc_esp32AesDecrypt failed "
-                      "during esp_aes_hw_Set_KeyMode");
-        /* release hw */
-        esp_aes_hw_Leave();
-        ret = BAD_FUNC_ARG;
+    ret = esp_aes_hw_InUse();
+    if (ret == ESP_OK) {
+        /* load the key into the register */
+        ret = esp_aes_hw_Set_KeyMode(aes, ESP32_AES_UPDATEKEY_DECRYPT);
+        if (ret != ESP_OK) {
+            ESP_LOGE(TAG, "wc_esp32AesDecrypt failed "
+                          "during esp_aes_hw_Set_KeyMode");
+            /* release hw */
+            esp_aes_hw_Leave();
+            ret = BAD_FUNC_ARG;
+        }
     }
 
     if (ret == ESP_OK) {
@@ -606,9 +608,9 @@ int wc_esp32AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
 
             offset += WC_AES_BLOCK_SIZE;
         } /* while (blocks--) */
-        esp_aes_hw_Leave();
     } /* if Set Mode was successful (ret == ESP_OK) */
 
+    esp_aes_hw_Leave();
     ESP_LOGV(TAG, "leave wc_esp32AesCbcDecrypt");
     return ret;
 } /* wc_esp32AesCbcDecrypt */

wolfcrypt/src/port/Espressif/esp32_mp.c

@@ -2249,6 +2249,9 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
     #ifdef WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
             ESP_LOGW(TAG, "result exceeds max bit length");
     #endif
+            if (mulmod_lock_called) {
+                esp_mp_hw_unlock();
+            }
             return MP_HW_FALLBACK; /*  Error: value is not able to be used. */
         }
         WordsForOperand = bits2words(OperandBits);
@@ -2343,7 +2346,7 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
                            OperandBits, ESP_HW_MOD_RSAMAX_BITS);
     #endif
             if (mulmod_lock_called) {
-                ret = esp_mp_hw_unlock();
+                esp_mp_hw_unlock();
             }
             return MP_HW_FALLBACK; /*  Error: value is not able to be used. */
         }
@@ -2440,6 +2443,9 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
             ESP_LOGW(TAG, "mp_mulmod OperandBits %d exceeds max bit length %d.",
                            OperandBits, ESP_HW_MOD_RSAMAX_BITS);
     #endif
+            if (mulmod_lock_called) {
+                esp_mp_hw_unlock();
+            }
             return MP_HW_FALLBACK; /*  Error: value is not able to be used. */
         }
         WordsForOperand = bits2words(OperandBits);

wolfcrypt/src/port/Espressif/esp32_util.c

@@ -1007,6 +1007,7 @@ int show_binary(byte* theVar, size_t dataSz) {
     return 0;
 }
 
+/* Assume toVar is big enough. */
 int hexToBinary(byte* toVar, const char* fromHexString, size_t szHexString ) {
     int ret = 0;
     /* Calculate the actual binary length of the hex string */
@@ -1018,6 +1019,7 @@ int hexToBinary(byte* toVar, const char* fromHexString, size_t szHexString ) {
     }
     if ((szHexString % 2 != 0)) {
         ESP_LOGE("ssh", "fromHexString length not even!");
+        return -1;
     }
 
     ESP_LOGW(TAG, "Replacing %d bytes at %x", byteLen, (word32)toVar);

wolfcrypt/src/port/Espressif/esp_sdk_time_lib.c

@@ -189,7 +189,7 @@ int set_fixed_default_time(void)
     struct tm timeinfo = {
         .tm_year = YEAR  - 1900, /* years since 1900                 */
         .tm_mon  = MONTH - 1,    /* Month, where 0 = Jan             */
-        .tm_mday = DAY   - 1,    /* Numeric decimal day of the month */
+        .tm_mday = DAY,          /* Numeric decimal day of the month */
         .tm_hour = 13,
         .tm_min  =  1,
         .tm_sec  =  5
@@ -276,7 +276,7 @@ int set_time_from_string(const char* time_buffer)
     char offset[28]; /* large arrays, just in case there's still bad data */
     char day_str[28];
     char month_str[28];
-    const char *format = "%3s %3s %d %d:%d:%d %d %s";
+    const char *format = "%3s %3s %d %d:%d:%d %d %27s";
     struct tm this_timeinfo;
     struct timeval now;
     time_t interim_time;
@@ -304,18 +304,23 @@ int set_time_from_string(const char* time_buffer)
                                      "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
                                    };
 
-            for (int i = 0; i < 12; i++) {
+            int i;
+            for (i = 0; i < 12; i++) {
                 if (strcmp(month_str, months[i]) == 0) {
                     this_timeinfo.tm_mon = i;
                     break;
                 }
             }
+            if (i == 12) {
+                return ESP_FAIL;
+            }
 
             this_timeinfo.tm_mday = day;
             this_timeinfo.tm_hour = hour;
             this_timeinfo.tm_min = minute;
             this_timeinfo.tm_sec = second;
             this_timeinfo.tm_year = year - 1900; /* Years since 1900 */
+            this_timeinfo.tm_isdst = -1;
 
             interim_time = mktime(&this_timeinfo);
             now = (struct timeval){ .tv_sec = interim_time };
@@ -397,11 +402,11 @@ int set_time(void)
         }
         ESP_LOGI(TAG, "sntp_setservername:");
         for (i = 0; i < CONFIG_LWIP_SNTP_MAX_SERVERS; i++) {
-            const char* thisServer = ntpServerList[i];
-            if (strncmp(thisServer, "\x00", 1) == 0) {
-                /* just in case we run out of NTP servers */
-                break;
+            const char* thisServer;
+            if (i >= NTP_SERVER_COUNT) {
+               break;
             }
+            thisServer = ntpServerList[i];
             ESP_LOGI(TAG, "%s", thisServer);
             sntp_setservername(i, thisServer);
             ret = ESP_OK;

wolfcrypt/src/port/Espressif/esp_sdk_wifi_lib.c

@@ -324,6 +324,7 @@ static EventGroupHandle_t s_wifi_event_group;
 
 
 static int s_retry_num = 0;
+/* TODO: use event in wc_wifi_show_ip - logging the IP string causes a panic. */
 ip_event_got_ip_t* event;
 
 

wolfcrypt/src/port/Renesas/renesas_common.c

@@ -440,12 +440,12 @@ int wc_CryptoCb_CryptInitRenesasCmn(struct WOLFSSL* ssl, void* ctx)
         if (cbInfo->internal == NULL) {
             return MEMORY_E;
         }
+        ForceZero(cbInfo->internal, internal_sz);
        #if defined(WOLFSSL_RENESAS_FSPSM_TLS) ||\
             defined(WOLFSSL_RENESAS_TSIP_TLS)
         if (ssl)
             cbInfo->internal->heap = ssl->heap;
        #endif
-        ForceZero(cbInfo->internal, internal_sz);
     }
     /* need exclusive control because of static variable */
     if ((cmn_hw_lock()) == 0) {

wolfcrypt/src/port/Renesas/renesas_fspsm_rsa.c

@@ -248,7 +248,7 @@ WOLFSSL_LOCAL int wc_fspsm_RsaSign(const byte* in, word32 inLen, byte* out,
     message_hash.data_type =
             info->keyflgs_crypt.bits.message_type;/* message 0, hash 1 */
     signature.pdata = out;
-    signature.data_length = (word32*)outLen;
+    signature.data_length = *outLen;
 
     #if defined(WOLFSSL_RENESAS_RSIP)
     message_hash.hash_type = signature.hash_type =

wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c

@@ -785,7 +785,7 @@ int wc_Sha512_256Final(wc_Sha512* sha, byte* hash)
 }
 int wc_Sha512_256GetHash(wc_Sha512* sha, byte* hash)
 {
-    return FSPSM_HashGet(sha, hash, WC_SHA512_224_DIGEST_SIZE);
+    return FSPSM_HashGet(sha, hash, WC_SHA512_256_DIGEST_SIZE);
 }
 
 int wc_Sha512_256Copy(wc_Sha512* src, wc_Sha512* dst)

wolfcrypt/src/port/Renesas/renesas_fspsm_util.c

@@ -195,7 +195,7 @@ int wc_fspsm_GenerateRandBlock(byte* output, word32 sz)
     uint32_t fspbuf[RANDGEN_WORDS];
 
     while (sz > 0) {
-        word32 len = sizeof(buffer);
+        word32 len = sizeof(fspbuf);
 
         if (sz < len) {
             len = sz;

wolfcrypt/src/port/Renesas/renesas_tsip_aes.c

@@ -261,8 +261,8 @@ WOLFSSL_LOCAL int tsip_Tls13AesDecrypt(
 
     WOLFSSL_ENTER("tsip_Tls13AesDecrypt");
 
-    if ((ssl == NULL) || (input == NULL) || (output == NULL) || (sz == 0) ||
-        (ssl->RenesasUserCtx == NULL)) {
+    if ((ssl == NULL) || (input == NULL) || (output == NULL) ||
+        (sz < TSIP_AES_GCM_AUTH_TAG_SIZE) || (ssl->RenesasUserCtx == NULL)) {
         return BAD_FUNC_ARG;
     }