Static analysis fixes

apps/wolfsshd/auth.c

@@ -430,6 +430,7 @@ static int CheckPasswordUnix(const char* usr, const byte* pw, word32 pwSz, WOLFS
     }
 
     if (pwStr != NULL) {
+        ForceZero(pwStr, pwSz + 1);
         WFREE(pwStr, NULL, DYNTYPE_STRING);
     }
     if (storedHashCpy != NULL) {
@@ -915,7 +916,7 @@ static int SetupUserTokenWin(const char* usr,
         authName.Buffer = MSV1_0_PACKAGE_NAME;
         authName.Length = (USHORT)WSTRLEN(MSV1_0_PACKAGE_NAME);
         authName.MaximumLength = authName.Length + 1;
-        if (rc = LsaLookupAuthenticationPackage(lsaHandle, &authName, &authId) != STATUS_SUCCESS) {
+        if ((rc = LsaLookupAuthenticationPackage(lsaHandle, &authName, &authId)) != STATUS_SUCCESS) {
             wolfSSH_Log(WS_LOG_ERROR, "[SSHD] LSA Lookup Authentication Package Error %d", rc);
             ret = WSSHD_AUTH_FAILURE;
         }

src/agent.c

@@ -374,6 +374,7 @@ static int PostLock(WOLFSSH_AGENT_CTX* agent,
     word32 ppSz;
 
     WLOG(WS_LOG_AGENT, "Posting lock to agent %p", agent);
+    WOLFSSH_UNUSED(agent);
 
     ppSz = sizeof(pp) - 1;
     if (passphraseSz < ppSz)
@@ -395,6 +396,7 @@ static int PostUnlock(WOLFSSH_AGENT_CTX* agent,
     word32 ppSz;
 
     WLOG(WS_LOG_AGENT, "Posting unlock to agent %p", agent);
+    WOLFSSH_UNUSED(agent);
 
     ppSz = sizeof(pp) - 1;
     if (passphraseSz < ppSz)
@@ -679,24 +681,25 @@ static int SignHashRsa(WOLFSSH_AGENT_KEY_RSA* rawKey, enum wc_HashType hashType,
 {
     RsaKey key;
     byte encSig[MAX_ENCODED_SIG_SZ];
-    int encSigSz;
-    int ret = 0;
-
-    wc_InitRsaKey(&key, heap);
-    mp_read_unsigned_bin(&key.n, rawKey->n, rawKey->nSz);
-    mp_read_unsigned_bin(&key.e, rawKey->e, rawKey->eSz);
-    mp_read_unsigned_bin(&key.d, rawKey->d, rawKey->dSz);
-    mp_read_unsigned_bin(&key.p, rawKey->p, rawKey->pSz);
-    mp_read_unsigned_bin(&key.q, rawKey->q, rawKey->qSz);
-    mp_read_unsigned_bin(&key.u, rawKey->iqmp, rawKey->iqmpSz);
-
-    encSigSz = wc_EncodeSignature(encSig, digest, digestSz,
-            wc_HashGetOID(hashType));
-    if (encSigSz <= 0) {
-        WLOG(WS_LOG_DEBUG, "Bad Encode Sig");
-        ret = WS_CRYPTO_FAILED;
+    int encSigSz, ret;
+
+    ret = wc_InitRsaKey(&key, heap);
+    if (ret == 0) {
+        mp_read_unsigned_bin(&key.n, rawKey->n, rawKey->nSz);
+        mp_read_unsigned_bin(&key.e, rawKey->e, rawKey->eSz);
+        mp_read_unsigned_bin(&key.d, rawKey->d, rawKey->dSz);
+        mp_read_unsigned_bin(&key.p, rawKey->p, rawKey->pSz);
+        mp_read_unsigned_bin(&key.q, rawKey->q, rawKey->qSz);
+        mp_read_unsigned_bin(&key.u, rawKey->iqmp, rawKey->iqmpSz);
+
+        encSigSz = wc_EncodeSignature(encSig, digest, digestSz,
+                wc_HashGetOID(hashType));
+        if (encSigSz <= 0) {
+            WLOG(WS_LOG_DEBUG, "Bad Encode Sig");
+            ret = WS_CRYPTO_FAILED;
+        }
     }
-    else {
+    if (ret == 0) {
         WLOG(WS_LOG_INFO, "Signing hash with RSA.");
         *sigSz = wc_RsaSSL_Sign(encSig, encSigSz, sig, *sigSz, &key, rng);
         if (*sigSz <= 0) {
@@ -730,8 +733,12 @@ static int SignHashEcc(WOLFSSH_AGENT_KEY_ECDSA* rawKey, int curveId,
     ecc_key key;
     int ret;
 
-    ret = wc_ecc_import_private_key_ex(rawKey->d, rawKey->dSz,
-            rawKey->q, rawKey->qSz, &key, curveId);
+    ret = wc_ecc_init(&key);
+
+    if (ret == 0) {
+        ret = wc_ecc_import_private_key_ex(rawKey->d, rawKey->dSz,
+                rawKey->q, rawKey->qSz, &key, curveId);
+    }
 
     if (ret == 0) {
         ret = wc_ecc_sign_hash(digest, digestSz, sig, sigSz, rng, &key);

src/wolfsftp.c

@@ -1939,45 +1939,23 @@ struct fd_entry {
     int used;
 };
 
+#define O_ACCMODE (WOLFSSH_O_RDONLY | WOLFSSH_O_WRONLY)
+
 static struct fd_entry fd_pool[WOLFSSH_FATFS_MAX_FILES];
 int ff_open(const char *fname, int flag, int perm)
 {
     int i;
-    BYTE mode;
     WOLFSSH_UNUSED(perm);
     PRINTF("\r\nfatFS open: %s", fname);
 
-    if (flag & WOLFSSH_O_RDONLY) {
-        mode = FA_READ;
-
-    } else if (flag & WOLFSSH_O_RDWR) {
-        if ((flag & WOLFSSH_O_CREAT) &&
-                (flag & WOLFSSH_O_TRUNC)) {
-            mode = FA_READ | FA_WRITE | FA_CREATE_ALWAYS;
-
-        } else if ((flag & WOLFSSH_O_CREAT) &&
-                (flag & WOLFSSH_O_APPEND)) {
-            mode = FA_READ | FA_WRITE | FA_CREATE_NEW | FA_OPEN_APPEND;
-
-        } else {
-            mode = AM_ARC;
-        }
-    } else if (flag & WOLFSSH_O_WRONLY) {
-        if ((flag & WOLFSSH_O_CREAT) &&
-                (flag & WOLFSSH_O_TRUNC)) {
-            mode = FA_READ | FA_CREATE_ALWAYS | FA_WRITE;
-        } else if ((flag & WOLFSSH_O_CREAT) &&
-                (flag & WOLFSSH_O_APPEND)) {
-            mode = FA_READ | FA_WRITE | FA_CREATE_NEW | FA_OPEN_APPEND;
-        }
-    } else {
+    /* Make sure the access mode is read or write. */
+    if ((flag & O_ACCMODE) == 0) {
         return -1;
     }
 
-
     for (i = 0; i < WOLFSSH_FATFS_MAX_FILES; i++) {
         if (fd_pool[i].used == 0) {
-            if (f_open(&(fd_pool[i].f), fname, mode) == FR_OK) {
+            if (f_open(&(fd_pool[i].f), fname, (BYTE)flag) == FR_OK) {
                 fd_pool[i].used = 1;
                 PRINTF("\r\nfatFS open success: %d", i);
                 return i;

src/wolfterm.c

@@ -510,6 +510,7 @@ static int wolfSSH_DoControlSeq(WOLFSSH* ssh, WOLFSSH_HANDLE handle, byte* buf,
                 default:
                     WLOG(WS_LOG_DEBUG, "Unexpected erase value %d", args[0]);
             }
+            break;
 
         case 'K':
             if (numArgs == 0) { /* erase start of cursor to end of line */