From 7596de15a081ee6a0c282072c3b4bac40d913bbf Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 11 May 2026 17:18:55 -0600 Subject: [PATCH 1/4] add NULL sanity check for SHA512 init with psoc6 port --- wolfcrypt/src/port/cypress/psoc6_crypto.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/wolfcrypt/src/port/cypress/psoc6_crypto.c b/wolfcrypt/src/port/cypress/psoc6_crypto.c index 2cb0007fbbd..325eeb42202 100644 --- a/wolfcrypt/src/port/cypress/psoc6_crypto.c +++ b/wolfcrypt/src/port/cypress/psoc6_crypto.c @@ -527,6 +527,9 @@ int wc_InitSha512_ex(wc_Sha512* sha, void* heap, int devid) int ret; (void)heap; (void)devid; + if (sha == NULL) { + return BAD_FUNC_ARG; + } XMEMSET(sha, 0, sizeof(wc_Sha512)); /* Lock the mutex to perform crypto operations */ ret = wolfSSL_CryptHwMutexLock(); From 495f2f8c527f78e7cf321208397a106ac16137fb Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 12 May 2026 10:17:41 -0600 Subject: [PATCH 2/4] sanity check on return value of SHA3 call with Xilinx port --- wolfcrypt/src/port/xilinx/xil-sha3.c | 28 ++++++++++++++++++++++++---- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/src/port/xilinx/xil-sha3.c b/wolfcrypt/src/port/xilinx/xil-sha3.c index 1f17066f1cd..d3bd331dd6b 100644 --- a/wolfcrypt/src/port/xilinx/xil-sha3.c +++ b/wolfcrypt/src/port/xilinx/xil-sha3.c @@ -71,11 +71,16 @@ int wc_InitSha3_384(wc_Sha3* sha, void* heap, int devId) */ int wc_Sha3_384_Update(wc_Sha3* sha, const byte* data, word32 len) { + int status; if (sha == NULL || (data == NULL && len > 0)) { return BAD_FUNC_ARG; } WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)data, len); - XSecure_Sha3Update(&(sha->xSec.cinst), XIL_CAST_U64(data), len); + status = XSecure_Sha3Update(&(sha->xSec.cinst), XIL_CAST_U64(data), len); + if (status != XST_SUCCESS) { + WOLFSSL_MSG("XSecure_Sha3Update failed"); + return WC_HW_E; + } return 0; } @@ -88,11 +93,16 @@ int wc_Sha3_384_Update(wc_Sha3* sha, const byte* data, word32 len) */ int wc_Sha3_384_Final(wc_Sha3* sha, byte* out) { + int status; if (sha == NULL || out == NULL) { return BAD_FUNC_ARG; } WOLFSSL_XIL_DCACHE_FLUSH_RANGE((UINTPTR)out, WC_SHA3_384_DIGEST_SIZE); - XSecure_Sha3Finish(&(sha->xSec.cinst), XIL_CAST_U64(out)); + status = XSecure_Sha3Finish(&(sha->xSec.cinst), XIL_CAST_U64(out)); + if (status != XST_SUCCESS) { + WOLFSSL_MSG("XSecure_Sha3Finish failed"); + return WC_HW_E; + } return wc_InitSha3_384(sha, NULL, INVALID_DEVID); } @@ -159,10 +169,15 @@ int wc_InitSha3_384(wc_Sha3* sha, void* heap, int devId) */ int wc_Sha3_384_Update(wc_Sha3* sha, const byte* data, word32 len) { + int status; if (sha == NULL || (data == NULL && len > 0)) { return BAD_FUNC_ARG; } - XSecure_Sha3Update(&(sha->hw), (byte*)data, len); + status = XSecure_Sha3Update(&(sha->hw), (byte*)data, len); + if (status != XST_SUCCESS) { + WOLFSSL_MSG("XSecure_Sha3Update failed"); + return WC_HW_E; + } return 0; } @@ -175,10 +190,15 @@ int wc_Sha3_384_Update(wc_Sha3* sha, const byte* data, word32 len) */ int wc_Sha3_384_Final(wc_Sha3* sha, byte* out) { + int status; if (sha == NULL || out == NULL) { return BAD_FUNC_ARG; } - XSecure_Sha3Finish(&(sha->hw), out); + status = XSecure_Sha3Finish(&(sha->hw), out); + if (status != XST_SUCCESS) { + WOLFSSL_MSG("XSecure_Sha3Finish failed"); + return WC_HW_E; + } return wc_InitSha3_384(sha, NULL, INVALID_DEVID); } From e3afeeea8ce4f293e46b7c80c3929a0b68c14b7c Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 12 May 2026 10:25:13 -0600 Subject: [PATCH 3/4] check return value of XSecure_Sha3_ReadHash() call --- wolfcrypt/src/port/xilinx/xil-sha3.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/port/xilinx/xil-sha3.c b/wolfcrypt/src/port/xilinx/xil-sha3.c index d3bd331dd6b..57833f18cf9 100644 --- a/wolfcrypt/src/port/xilinx/xil-sha3.c +++ b/wolfcrypt/src/port/xilinx/xil-sha3.c @@ -224,6 +224,8 @@ int wc_Sha3_384_GetHash(wc_Sha3* sha, byte* out) { #ifdef WOLFSSL_XILINX_CRYPTO_OLD wc_Sha3 s; +#else + int status; #endif if (sha == NULL || out == NULL) { @@ -237,7 +239,11 @@ int wc_Sha3_384_GetHash(wc_Sha3* sha, byte* out) return wc_Sha3_384_Final(&s, out); #else - XSecure_Sha3_ReadHash(&(sha->hw), out); + status = XSecure_Sha3_ReadHash(&(sha->hw), out); + if (status != XST_SUCCESS) { + WOLFSSL_MSG("XSecure_Sha3_ReadHash failed"); + return WC_HW_E; + } return 0; #endif } From e32d5adba57fd57250398a7e9c3e9b9a1cea1825 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 12 May 2026 10:27:41 -0600 Subject: [PATCH 4/4] adding return value check on XSecure_AesInitialize() call --- wolfcrypt/src/port/xilinx/xil-aesgcm.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/src/port/xilinx/xil-aesgcm.c b/wolfcrypt/src/port/xilinx/xil-aesgcm.c index d07020f6bbf..096ef05cbd2 100644 --- a/wolfcrypt/src/port/xilinx/xil-aesgcm.c +++ b/wolfcrypt/src/port/xilinx/xil-aesgcm.c @@ -558,9 +558,18 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, tmp = out; #endif - XSecure_AesInitialize(&(aes->xilAes), &(aes->dma), aes->kup, (word32*)iv, - aes->keyInit); - XSecure_AesEncryptData(&(aes->xilAes), tmp, in, sz); + ret = XSecure_AesInitialize(&(aes->xilAes), &(aes->dma), aes->kup, + (word32*)iv, aes->keyInit); + if (ret == XST_SUCCESS) { + ret = XSecure_AesEncryptData(&(aes->xilAes), tmp, in, sz); + } + if (ret != XST_SUCCESS) { + #ifndef NO_WOLFSSL_XILINX_TAG_MALLOC + XFREE(tmp, aes->heap, DYNAMIC_TYPE_TMP_BUFFER); + #endif + WOLFSSL_MSG("Xilinx AES-GCM encrypt failed"); + return WC_HW_E; + } XMEMCPY(authTag, tmp + sz, authTagSz); #ifndef NO_WOLFSSL_XILINX_TAG_MALLOC XMEMCPY(out, tmp, sz); @@ -624,8 +633,12 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, } /* calls to hardened crypto */ - XSecure_AesInitialize(&(aes->xilAes), &(aes->dma), aes->kup, + ret = XSecure_AesInitialize(&(aes->xilAes), &(aes->dma), aes->kup, (word32*)iv, aes->keyInit); + if (ret != XST_SUCCESS) { + WOLFSSL_MSG("XSecure_AesInitialize failed"); + return WC_HW_E; + } ret = XSecure_AesDecryptData(&(aes->xilAes), out, in, sz, tag); /* account for additional data */