wolfSSL · aidankeefe2022 · Jun 24, 2026
diff --git a/tests/api/test_aes.c b/tests/api/test_aes.c
@@ -3274,7 +3274,7 @@ int test_wc_AesGcmEncryptDecrypt_Sizes(void)
     }
 
     i = 0;
-    for (sz = WC_AES_BLOCK_SIZE; sz <= GCM_LEN; sz *= 2) {
+    for (sz = WC_AES_BLOCK_SIZE; sz < GCM_LEN; sz *= 2) {
         XMEMSET(cipher, 0, GCM_LEN);
         ExpectIntEQ(wc_AesGcmEncrypt(&aes, cipher, plain, sz, iv, ivLen, tag,
             sizeof(tag), NULL, 0), 0);
@@ -3727,7 +3727,8 @@ int test_wc_AesGcmNonStdNonce(void)
  * and cannot exercise the GHASH-based counter derivation. */
 #if !defined(NO_AES) && defined(HAVE_AESGCM) && \
     !defined(HAVE_FIPS) && \
-    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI)
+    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI) && \
+    !defined(WOLFSSL_DEVCRYPTO_AES)
 
     /* ------------------------------------------------------------------
      * Section 1: 1-byte IV, AES-128

diff --git a/wolfcrypt/src/des3.c b/wolfcrypt/src/des3.c
@@ -1571,10 +1571,14 @@
 
                 /* rotate left and right halves independently */
                 for (j = 0; j < 48; j++) {        /* select bits individually     */
-                    if (pcr[pc2[j] - 1]) {        /* check bit that goes to ks[j] */
-                        l= j % 6;                 /* mask it in if it's there     */
-                        ks[j/6] |= (byte)(bytebit[l] >> 2);
-                    }
+                    byte bit;
+                    byte mask;
+                    bit =
+                        (byte)(pcr[pc2[j] - 1]); /* all pcr values are either 0 or 1 */
+                    mask = (byte)(0 - bit);   /* mask is either 0xFF or 0x00 */
+                    ks[j/6] |=
+                        (byte)((bytebit[j % 6] >> 2) & mask); /* only set to bytebit value
+                                                             if bit == 1*/
                 }
 
                 /* Now convert to odd/even interleaved form for use in F */

diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c
@@ -1121,6 +1121,9 @@ int wc_DsaVerify_ex(const byte* digest, word32 digestSz, const byte* sig,
     if (digest == NULL || sig == NULL || key == NULL || answer == NULL)
         return BAD_FUNC_ARG;
 
+    /* assign default value so we return 0 on error */
+    *answer = 0;
+
     /* Note the min allowed digestSz here is WC_SHA_DIGEST_SIZE, not
      * WC_MIN_DIGEST_SIZE, to allow verify-only legacy DSA operations, as
      * expressly allowed under FIPS 186-5, FIPS 140-3, and SP 800-131A.

diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
@@ -254,10 +254,6 @@ ECC Curve Sizes:
     #include <wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h>
 #endif
 
-#if defined(WOLFSSL_CAAM)
-    #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
-#endif
-
 #if defined(WOLFSSL_KCAPI_ECC)
     #include <wolfssl/wolfcrypt/port/kcapi/kcapi_ecc.h>
 #endif
@@ -10043,7 +10039,7 @@ static int _ecc_export_x963(ecc_key* key, byte* out, word32* outLen)
         /* store byte point type */
         out[0] = ECC_POINT_UNCOMP;
 
-        if (caamReadPartition((CAAM_ADDRESS)key->securePubKey, out+1, keySz*2) != 0)
+        if (caamReadPartition(key->securePubKey, out+1, keySz*2) != 0)
             return WC_HW_E;
 
         *outLen = 1 + 2*keySz;
@@ -11636,15 +11632,15 @@ static int _ecc_import_private_key_ex(const byte* priv, word32 privSz,
             }
 
             key->partNum  = part;
-            key->blackKey = (word32)vaddr;
+            key->blackKey = vaddr;
             if (caamWriteToPartition(vaddr, priv, privSz) != 0)
                 return WC_HW_E;
 
             if (pub != NULL) {
                 /* +1 to account for x963 compressed bit */
                 if (caamWriteToPartition(vaddr + privSz, pub + 1, pubSz - 1) != 0)
                     return WC_HW_E;
-                key->securePubKey = (word32)vaddr + privSz;
+                key->securePubKey = vaddr + privSz;
             }
         }
         else {

diff --git a/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c b/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c
@@ -983,14 +983,12 @@ static CB_INLINE int wolfssl_ssl_conf_verify_cb_no_signer(int preverify,
     /* Clean up and exit */
     if ((_crt_found == 0) && (bundle_cert != NULL)) {
         ESP_LOGW(TAG, "Cert not found, free bundle_cert");
+        /* this_subject and this_issuer are apart of bundle_cert and will be
+         * freed here*/
         wolfSSL_X509_free(bundle_cert);
         bundle_cert = NULL;
-        /* this_subject and this_issuer are pointers into cert used.
-         * Don't free if the cert was found. */
-        wolfSSL_X509_NAME_free(this_subject);
-        this_subject = NULL;
-        wolfSSL_X509_NAME_free(this_issuer);
         this_issuer = NULL;
+        this_subject = NULL;
     }
 
     /* We don't clean up the store_cert and x509 as we are in a callback,

diff --git a/wolfcrypt/src/port/Renesas/renesas_fspsm_aes.c b/wolfcrypt/src/port/Renesas/renesas_fspsm_aes.c
@@ -415,6 +415,7 @@ int  wc_fspsm_AesGcmEncrypt(struct Aes* aes, byte* out,
                 XFREE(plainBuf,  aes->heap, DYNAMIC_TYPE_AES);
                 XFREE(cipherBuf, aes->heap, DYNAMIC_TYPE_AES);
                 XFREE(aTagBuf,   aes->heap, DYNAMIC_TYPE_AES);
+                wc_fspsm_hw_unlock();
                 return MEMORY_E;
             }
 

diff --git a/wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c b/wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c
@@ -418,7 +418,7 @@ static int FSPSM_HashFinal(wolfssl_FSPSM_Hash* hash, byte* out, word32 outSz)
  #endif
     wc_fspsm_hw_lock();
 
-    if (Init(&handle) == FSP_SUCCESS) {
+    if ((ret = Init(&handle)) == FSP_SUCCESS) {
         ret = Update(&handle, (uint8_t*)hash->msg, hash->used);
         if (ret == FSP_SUCCESS) {
             ret = Final(&handle, out, (uint32_t*)&sz);

diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
@@ -110,7 +110,7 @@ int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
     const word32 max_key_len = (AES_MAX_KEY_SIZE / 8);
 #endif
 
-    if (aes == NULL ||
+    if (aes == NULL || userKey == NULL ||
             !((keylen == 16) || (keylen == 24) || (keylen == 32))) {
         return BAD_FUNC_ARG;
     }

diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_hash.c b/wolfcrypt/src/port/devcrypto/devcrypto_hash.c
@@ -135,20 +135,14 @@ int wc_Sha256Update(wc_Sha256* sha, const byte* in, word32 sz)
 #ifdef WOLFSSL_DEVCRYPTO_HASH_KEEP
     /* keep full message to hash at end instead of incremental updates */
     if (sha->len < sha->used + sz) {
-        if (sha->msg == NULL) {
-            sha->msg = (byte*)XMALLOC(sha->used + sz, sha->heap,
-                    DYNAMIC_TYPE_TMP_BUFFER);
-        } else {
-            byte* pt = (byte*)XREALLOC(sha->msg, sha->used + sz, sha->heap,
-                    DYNAMIC_TYPE_TMP_BUFFER);
-            if (pt == NULL) {
-                return MEMORY_E;
-        }
-            sha->msg = pt;
-        }
-        if (sha->msg == NULL) {
+        byte* pt = (byte*)XREALLOC(sha->msg, sha->used + sz, sha->heap,
+                DYNAMIC_TYPE_TMP_BUFFER);
+        if (pt == NULL) {
             return MEMORY_E;
         }
+
+        sha->msg = pt;
+
         sha->len = sha->used + sz;
     }
     XMEMCPY(sha->msg + sha->used, in, sz);
@@ -180,6 +174,7 @@ int wc_Sha256Final(wc_Sha256* sha, byte* hash)
 #endif
     ret = GetDigest(sha, CRYPTO_SHA2_256, hash);
     if (ret != 0) {
+        wc_Sha256Free(sha);
        return ret;
     }
 
@@ -190,6 +185,7 @@ int wc_Sha256Final(wc_Sha256* sha, byte* hash)
 
 int wc_Sha256GetHash(wc_Sha256* sha, byte* hash)
 {
+
     if (sha == NULL || hash == NULL) {
         return BAD_FUNC_ARG;
     }
@@ -198,6 +194,11 @@ int wc_Sha256GetHash(wc_Sha256* sha, byte* hash)
     {
         int ret;
         wc_Sha256 cpy;
+        XMEMSET(&cpy, 0, sizeof(cpy)); /* ZII */
+        /* mark as having no /dev/crypto session yet so the wc_Sha256Free()
+         * in wc_Sha256Copy() does not close fd 0 (cfd == -1 is the
+         * "no session" sentinel, matching wc_AesInit()) */
+        cpy.ctx.cfd = -1;
         wc_Sha256Copy(sha, &cpy);
 
         if ((ret = HashUpdate(&cpy, CRYPTO_SHA2_256, cpy.msg, cpy.used)) == 0) {
@@ -219,10 +220,12 @@ int wc_Sha256GetHash(wc_Sha256* sha, byte* hash)
 
 int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst)
 {
+
     if (src == NULL || dst == NULL) {
         return BAD_FUNC_ARG;
     }
 
+    wc_Sha256Free(dst);
     wc_InitSha256_ex(dst, src->heap, 0);
 #ifdef WOLFSSL_DEVCRYPTO_HASH_KEEP
     dst->len  = src->len;
@@ -232,9 +235,15 @@ int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst)
         return MEMORY_E;
     }
     XMEMCPY(dst->msg, src->msg, src->len);
-#endif
 
     return 0;
+#else
+    (void)src;
+    (void)dst;
+
+    WOLFSSL_MSG("Compile with WOLFSSL_DEVCRYPTO_HASH_KEEP for this feature");
+    return NOT_COMPILED_IN;
+#endif
 }
 
 #endif /* !NO_SHA256 */

diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
@@ -380,19 +380,29 @@ static int sha512DrbgDisabled = 0;
 static wolfSSL_Mutex drbgStateMutex
     WOLFSSL_MUTEX_INITIALIZER_CLAUSE(drbgStateMutex);
 #ifndef WOLFSSL_MUTEX_INITIALIZER
+#ifdef WOLFSSL_ATOMIC_OPS
+static wolfSSL_Atomic_Int drbgStateMutex_inited = WOLFSSL_ATOMIC_INITIALIZER(0);
+#else
 static int drbgStateMutex_inited = 0;
 #endif
+#endif
 #endif /* !SINGLE_THREADED */
 
 int wc_DrbgState_MutexInit(void)
 {
 #ifndef SINGLE_THREADED
 #ifndef WOLFSSL_MUTEX_INITIALIZER
-    if (!drbgStateMutex_inited) {
+    int expected = 0;
+    /* Check if mutex is not inited and set it to true before init.
+     * This means that the mutex is marked as init before it actually is.
+     * Necessary to ensure that two threads don't init at the same time.*/
+    if (wolfSSL_Atomic_Int_CompareExchange(&drbgStateMutex_inited,
+                                           &expected, 1)) {
         int ret = wc_InitMutex(&drbgStateMutex);
-        if (ret != 0)
+        if (ret != 0) {
+            (void)wolfSSL_Atomic_Int_Exchange(&drbgStateMutex_inited, 0);
             return ret;
-        drbgStateMutex_inited = 1;
+        }
     }
 #endif
 #endif
@@ -3716,9 +3726,11 @@ static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz)
 
     for (; (sz / sizeof(word64)) > 0; sz -= sizeof(word64),
                                                     output += sizeof(word64)) {
-        ret = IntelRDseed64_r((word64*)output);
+        word32 rndTmplocal;
+        ret = IntelRDseed64_r(&rndTmpLocal);
         if (ret != 0)
             return ret;
+        writeUnalignedWord64(output, rndTmpLocal);
     }
     if (sz == 0)
         return 0;

diff --git a/wolfcrypt/src/siphash.c b/wolfcrypt/src/siphash.c
@@ -411,8 +411,8 @@ int wc_SipHash(const unsigned char* key, const unsigned char* in, word32 inSz,
         return BAD_FUNC_ARG;
     }
 
-    k0 = ((const word64*)key)[0];
-    k1 = ((const word64*)key)[1];
+    k0 = GET_U64(key);
+    k1 = GET_U64(key + 8);
     __asm__ __volatile__ (
         "xorq   %[k0], %[v0]\n\t"
         "xorq   %[k1], %[v1]\n\t"
@@ -640,8 +640,8 @@ int wc_SipHash(const unsigned char* key, const unsigned char* in, word32 inSz,
         return BAD_FUNC_ARG;
     }
 
-    k0 = ((word64*)key)[0];
-    k1 = ((word64*)key)[1];
+    k0 = GET_U64(key + 0);
+    k1 = GET_U64(key + 8);
     __asm__ __volatile__ (
         "eor    %[v0], %[v0], %[k0]\n\t"
         "eor    %[v1], %[v1], %[k1]\n\t"

diff --git a/wolfcrypt/src/wc_mlkem_poly.c b/wolfcrypt/src/wc_mlkem_poly.c
@@ -4344,13 +4344,16 @@ static int mlkem_get_noise_k4_avx2(MLKEM_PRF_T* prf, sword16* vec1,
  */
 static void mlkem_get_noise_x3_eta2_aarch64(byte* rand, byte* seed, byte o)
 {
-    word64* state = (word64*)rand;
+    word64 state[3 * 25];
 
     state[0*25 + 4] = 0x1f00 + 0 + o;
     state[1*25 + 4] = 0x1f00 + 1 + o;
     state[2*25 + 4] = 0x1f00 + 2 + o;
 
     mlkem_shake256_blocksx3_seed_neon(state, seed);
+    XMEMCPY(rand + 0 * 25 * 8, state + 0*25, ETA2_RAND_SIZE);
+    XMEMCPY(rand + 1 * 25 * 8, state + 1*25, ETA2_RAND_SIZE);
+    XMEMCPY(rand + 2 * 25 * 8, state + 2*25, ETA2_RAND_SIZE);
 }
 
 #if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
@@ -4408,10 +4411,7 @@ static void mlkem_get_noise_eta3_aarch64(byte* rand, byte* seed, byte o)
 {
     word64 state[25];
 
-    state[0] = ((word64*)seed)[0];
-    state[1] = ((word64*)seed)[1];
-    state[2] = ((word64*)seed)[2];
-    state[3] = ((word64*)seed)[3];
+    readUnalignedWords64(state, seed, 4);
     state[4] = 0x1f00 + o;
     XMEMSET(state + 5, 0, sizeof(*state) * (25 - 5));
     state[16] = W64LIT(0x8000000000000000);
@@ -4471,17 +4471,15 @@ static int mlkem_get_noise_k2_aarch64(sword16* vec1, sword16* vec2,
  */
 static void mlkem_get_noise_eta2_aarch64(byte* rand, byte* seed, byte o)
 {
-    word64* state = (word64*)rand;
+    word64 state[25];
 
-    state[0] = ((word64*)seed)[0];
-    state[1] = ((word64*)seed)[1];
-    state[2] = ((word64*)seed)[2];
-    state[3] = ((word64*)seed)[3];
+    readUnalignedWords64(state, seed, 4);
     /* Transposed value same as not. */
     state[4] = 0x1f00 + o;
     XMEMSET(state + 5, 0, sizeof(*state) * (25 - 5));
     state[16] = W64LIT(0x8000000000000000);
     BlockSha3(state);
+    XMEMCPY(rand, state, ETA2_RAND_SIZE);
 }
 
 /* Get the noise/error by calculating random bytes and sampling to a binomial

diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h
@@ -76,6 +76,10 @@
 #endif
 
 
+#if defined(WOLFSSL_CAAM)
+    #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
+#endif
+
 #ifdef __cplusplus
     extern "C" {
 #endif
@@ -528,8 +532,13 @@ struct ecc_key {
 #endif
 
 #ifdef WOLFSSL_CAAM
-    word32 blackKey;     /* address of key encrypted and in secure memory */
-    word32 securePubKey; /* address of public key in secure memory */
+    #ifndef CAAM_ADDRESS
+        CAAM_ADDRESS blackKey;     /* address of key encrypted and in secure memory */
+        CAAM_ADDRESS securePubKey; /* address of public key in secure memory */
+    #else
+        word32 blackKey;     /* address of key encrypted and in secure memory */
+        word32 securePubKey; /* address of public key in secure memory */
+    #endif
     int    partNum; /* partition number*/
 #endif
 #ifdef WOLFSSL_SE050