Fixes and cleanups for NXP SE050 support.

2021-08-20 15:45:10 -07:00
parent 3f76a76c46
commit 29f051e585
12 changed files with 805 additions and 750 deletions
--- a/configure.ac
+++ b/configure.ac
@@ -1344,9 +1344,8 @@ AC_ARG_WITH([se050],
    [AS_HELP_STRING([--with-se050=PATH],[PATH to SE050 install (default /usr/local/lib/)])],
    [
        AC_MSG_CHECKING([for SE050])
        CPPFLAGS="$CPPFLAGS -DWOLFSSL_SE050"
        LIBS="$LIBS -lSSS_APIs"
        LIBS="$LIBS -lSSS_APIs"
        AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0);]])],[ libse050_linked=yes ],[ libse050_linked=no ])
        if test "x$libse050_linked" = "xno" ; then
@@ -1356,20 +1355,25 @@ AC_ARG_WITH([se050],
            if test "x$withval" = "xyes" ; then
                trylibse050dir="/usr/local/lib/"
            fi
-            LDFLAGS="$LDFLAGS -L$trylibse050dir/simw-top_build/raspbian_native_se050_t1oi2c/sss/"
+            LDFLAGS="$LDFLAGS -L$trylibse050dir/build/sss"
-            CPPFLAGS="$CPPFLAGS  -I$trylibse050dir/simw-top/sss/inc   -I$trylibse050dir/simw-top/sss/port/default \ 
+            CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/inc"
-            -I$trylibse050dir/simw-top/hostlib/hostLib/inc/  -I$trylibse050dir/simw-top/hostlib/hostLib/libCommon/infra "
+            CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/port/default"
-
+            CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/inc"
            CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/libCommon/infra"
            AC_CHECK_FILES([$trylibse050dir/build/sss/libSSS_APIs.a], [SE050_STATIC=yes], [SE050_STATIC=no])
            if test "x$SE050_STATIC" = "xyes"; then
                LIB_STATIC_ADD="$trylibse050dir/build/sss/libSSS_APIs.a $LIB_STATIC_ADD"
            else
                AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0); ]])],[ libse050_linked=yes ],[ libse050_linked=no ])
                if test "x$libse050_linked" = "xno" ; then
                    AC_MSG_ERROR([SE050 isn't found.
-                If it's already installed, specify its path using --with-SE050=/dir/])
+                    If it's already installed, specify its path using --with-se050=/dir/])
                fi
-            AM_LDFLAGS="$AM_LDFLAGS -L$trylibse050dir/simw-top_build/raspbian_native_se050_t1oi2c/sss/"
+            fi
-            AM_CFLAGS="$AM_CFLAGS -I$trylibse050dir/simw-top/sss/inc/  \
+
-            -DWOLFSSL_AES_DIRECT"   
+            # Requires AES direct
            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
            AC_MSG_RESULT([yes])
        else
@@ -7079,6 +7083,7 @@ AM_CONDITIONAL([BUILD_RC2],[test "x$ENABLED_RC2" = "xyes"])
 AM_CONDITIONAL([BUILD_QNXCAAM],[test "x$ENABLED_CAAM" = "xqnx"])
 AM_CONDITIONAL([BUILD_IOTSAFE],[test "x$ENABLED_IOTSAFE" = "xyes"])
 AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"])
 AM_CONDITIONAL([BUILD_SE050],[test "x$ENABLED_SE050" = "xyes"])
 if test "$ax_enable_debug" = "yes" ||
        test "$ENABLED_STACKSIZE" != "no" ||
@@ -7453,6 +7458,7 @@ echo "   * Crypto callbacks:           $ENABLED_CRYPTOCB"
 echo "   * i.MX6 CAAM:                 $ENABLED_CAAM"
 echo "   * IoT-Safe:                   $ENABLED_IOTSAFE"
 echo "   * IoT-Safe HWRNG:             $ENABLED_IOTSAFE_HWRNG"
 echo "   * NXP SE050:                  $ENABLED_SE050"
 echo ""
 echo "---"
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -873,13 +873,14 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
    static int AES_ECB_encrypt(Aes* aes, const byte* inBlock, byte* outBlock,
        int sz)
    {
-        return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_ENCRYPTION, kAlgorithm_SSS_AES_ECB);
+        return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_ENCRYPTION,
            kAlgorithm_SSS_AES_ECB);
    }
    static int AES_ECB_decrypt(Aes* aes, const byte* inBlock, byte* outBlock,
        int sz)
    {
-        return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_DECRYPTION, kAlgorithm_SSS_AES_ECB);
+        return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_DECRYPTION,
            kAlgorithm_SSS_AES_ECB);
    }
    static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
    {
@@ -2603,22 +2604,25 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
    int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
                  int dir)
    {   
-        int ret = 0;
+        int ret;
-    if (aes == NULL ||  !((keylen == 16) || (keylen == 24) || (keylen == 32))) {
+        if (aes == NULL || (keylen != 16 && keylen != 24 && keylen != 32)) {
            return BAD_FUNC_ARG;
        }
        aes->ctxInitDone = 0;
    #if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
        defined(WOLFSSL_AES_OFB)
        aes->left = 0;
    #endif
        ret = se050_aes_set_key(aes, userKey, keylen, iv, dir);
        if (ret == 0) {
            ret = wc_AesSetIV(aes, iv);
        }
        return ret;
    }
    int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
        const byte* iv, int dir)
    {
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -4701,8 +4701,7 @@ int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id,
      err = NOT_COMPILED_IN;
   }
 #elif defined(WOLFSSL_SE050)
-    key->keyId = se050_allocate_key();
+    err = se050_ecc_create_key(key, curve_id, keysize);
    err = se050_ecc_create_key(key, key->keyId, keysize);
    key->type = ECC_PRIVATEKEY;
 #elif defined(WOLFSSL_CRYPTOCELL)
@@ -5008,6 +5007,11 @@ int wc_ecc_init_ex(ecc_key* key, void* heap, int devId)
 #if defined(WOLFSSL_DSP)
    key->handle = -1;
 #endif
 #ifdef WOLFSSL_SE050
    key->keyId = -1;
 #endif
    return ret;
 }
@@ -7116,22 +7120,23 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
   err = KcapiEcc_Verify(key, hash, hashlen, sigRS, key->dp->size * 2);
 #elif defined(WOLFSSL_SE050)
    {
        /* Used when following a hardware sign operation */
        int rLeadingZero = mp_leading_bit(r);
        int sLeadingZero = mp_leading_bit(s);
        int rLen = mp_unsigned_bin_size(r);
        int sLen = mp_unsigned_bin_size(s);
-
+        word32 signatureLen = rLeadingZero + sLeadingZero + 
-    word32 signatureLen = rLeadingZero + sLeadingZero + rLen + sLen + SIG_HEADER_SZ; /* see StoreECC_DSA_Sig */
+            rLen + sLen + SIG_HEADER_SZ; /* see StoreECC_DSA_Sig */
        err = StoreECC_DSA_Sig(sigRS, &signatureLen, r, s);
        if (err == 0) {
            err = se050_ecc_verify_hash_ex(hash, hashlen, sigRS,
                signatureLen, key, res);
        }
        if (err != 0)
            return err;
-
+    }
    err = se050_ecc_verify_hash_ex(hash, hashlen, sigRS, signatureLen, key, res);
    if (err != 0)
       return err;
 #else
  /* checking if private key with no public part */
  if (key->type == ECC_PRIVATEKEY_ONLY) {
--- a/wolfcrypt/src/ed25519.c
+++ b/wolfcrypt/src/ed25519.c
@@ -262,11 +262,12 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
                            word32 *outLen, ed25519_key* key, byte type,
                            const byte* context, byte contextLen)
 {
    int    ret;
 #ifdef WOLFSSL_SE050
    (void)context;
    (void)contextLen;
    (void)type;
-    int ret = se050_ed25519_sign_msg(in, inLen, out, outLen, key);
+    ret = se050_ed25519_sign_msg(in, inLen, out, outLen, key);
 #else
 #ifdef FREESCALE_LTC_ECC
    byte   tempBuf[ED25519_PRV_KEY_SIZE];
@@ -277,7 +278,6 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
    byte   nonce[WC_SHA512_DIGEST_SIZE];
    byte   hram[WC_SHA512_DIGEST_SIZE];
    byte   az[ED25519_PRV_KEY_SIZE];
    int    ret;
    /* sanity check on arguments */
    if (in == NULL || out == NULL || outLen == NULL || key == NULL ||
@@ -681,7 +681,6 @@ int wc_ed25519_verify_msg_ex(const byte* sig, word32 sigLen, const byte* msg,
    (void)type;
    (void)context;
    (void)contextLen;
    if (ed25519Ctx != NULL)
    (void)ed25519Ctx;
    ret = se050_ed25519_verify_msg(sig, sigLen, msg, msgLen, key, res);
 #else
--- a/wolfcrypt/src/include.am
+++ b/wolfcrypt/src/include.am
@@ -68,6 +68,8 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \
              wolfcrypt/src/port/arm/armv8-32-sha512-asm.c \
              wolfcrypt/src/port/nxp/ksdk_port.c \
              wolfcrypt/src/port/nxp/dcp_port.c \
              wolfcrypt/src/port/nxp/se050_port.c \
              wolfcrypt/src/port/nxp/README.md \
              wolfcrypt/src/port/atmel/README.md \
              wolfcrypt/src/port/xilinx/xil-sha3.c \
              wolfcrypt/src/port/xilinx/xil-aesgcm.c \
@@ -174,3 +176,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/port/caam/wolfcaam_qnx.c
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/caam/wolfcaam_ecdsa.c
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/caam/wolfcaam_cmac.c
 endif
 if BUILD_SE050
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/nxp/se050_port.c
 endif
--- a/wolfcrypt/src/port/nxp/README.md
+++ b/wolfcrypt/src/port/nxp/README.md
@@ -0,0 +1,98 @@
 # NXP Ports
 Support for the NXP DCP, KSDK and SE050 hardware acceleration boards. 
 ## NXP SE050
 Support for the SE050 on-board crypto hardware acceleration for symmetric AES, SHA1/SHA256/SHA384/SHA512, ECC (including ed25519) and RNG. **(discuss p-256 ECC)**
 ## SE050 Acceleration
 For details about SE050 HW acceleration, see [NXP's SE050 page](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050).
 ## Building simw-top
 The code required to communicate with the SE050 is the `EdgeLock SE05x Plug & Trust Middleware (03.03.00)`, which can be found here [link](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050?tab=Design_Tools_Tab) (An NXP account is required to download).
 Follow the build instruction in AN12570 (EdgeLockTM SE05x Quick start guide with Raspberry Pi) [here](https://www.nxp.com/docs/en/application-note/AN12570.pdf). 
 ## Building wolfSSL
 To enable support run:
 ``sh
 ./configure --with-se050=PATH
 make
 ``
 Where `PATH` is the directory location of `simw-top`.
 Example: `./configure --with-se050=/Users/[user]/simw-top`
 ## Building Examples
 Confirm that you are able to run the examples from the directory:
 ``sh
 /simw-top_build/raspbian_native_se050_t1oi2c/bin/
 ``
 Modify one of those examples in order to tie into wolfSSL. The `./se05x_Minimal` is the easiest one to modify.
 Open the `simw-top/demos/se05x/se05x_Minimal` directory and edit `se05x_Minimal.c`. Add these headers to source file:
 ``c
 #include <wolfssl/options.h>
 #include <wolfssl/wolfcrypt/types.h>
 #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
 `` 
 If you would like to run our wolfcrypt test or  benchmark tool, add: `#include "test.h"` or `#include benchmark.h`.
 Below is the code that was replaced in `ex_sss_entry()` to run the wolfcrypt test:
 ``c
 sss_status_t status = kStatus_SSS_Success;
 int ret;
 sss_session_t *pSession2 = (sss_session_t *)&pCtx->session;
 sss_key_store_t *pHostSession = (sss_key_store_t *)&pCtx->host_ks;
 LOG_I("running setconfig");
 ret = wc_se050_SetConfig(pSession2, pHostSession);
 if (ret != 0) {
    return kStatus_SSS_Fail;
 }
 LOG_I("ran setconfig correctly");
 wolfcrypt_test(NULL);
 LOG_I("ran wolfcrypt test");
 return status;
 ``
 Note: `wolfcrypt_test(NULL);` can be replaced with `benchmark_test();`
 The two variables used in `wc_se050_SetConfig` are session and key store variables that are required to reference parts of the hardware.
 The Makefile needs to be edited. At the top of the Makefile, the base wolfssl directory needs to be added to `INCLUDE_FLAGS`.
 Next, Inside `CFLAGS`, the `se05x_Minimal` directory needs to be added so that test.c and benchmark.c are included.
 Finally, underneath 'all', test.c, test.h, benchmark.c and benchmark.h need to be added, along with `-L[wolfssl directory] -lwolfssl` at the end of the line. 
 ### Wolfcrypt Test
 To run the wolfcrypt test, two files, `test.h` and `test.c` need to be added to the `./se05x_Minimal` directory. These files can be found inside of `/wolfcrypt/test`. 
 Make sure `NO_MAIN_DRIVER` is defined to avoid `int main()` conflicts. Either in the Makefile or modify test.h to define it.
 You should be able to run `wolfcrypt_test()` now. 
 ### wolfCrypt Benchmark 
 To run the benchmark, both `benchmark.c` and `benchmark.h` need to be copied from wolfcrypt/benchmark to the `./se05x_Minimal` directory.
 In addition, the entire `./certs` directory will need to copied into the directory. 
 Make sure `NO_MAIN_DRIVER` is defined to avoid `int main()` conflicts. Either in the Makefile or modify test.h to define it.
 Now you can run `benchmark_test()`. 
 ## Support
 For questions please email support@wolfssl.com
--- a/wolfcrypt/src/port/nxp/se050_port.c
+++ b/wolfcrypt/src/port/nxp/se050_port.c
@@ -33,37 +33,53 @@
 #include <wolfssl/wolfcrypt/ed25519.h>
-#if defined(WOLFSSL_SE050)
+#ifdef WOLFSSL_SE050
 #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
 #include "fsl_sss_api.h"
 #include "fsl_sss_se05x_types.h"
 #ifdef WOLFSSL_SP_MATH
    struct sp_int;
    #define MATH_INT_T struct sp_int
 #elif defined(USE_FAST_MATH)
    struct fp_int;
    #define MATH_INT_T struct fp_int
 #else
    struct mp_int;
    #define MATH_INT_T struct mp_int
 #endif
 struct ecc_key;
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
 /* ECC SIGN 70 = keyStoreId - Implementation specific ID */
 /* AES 55 = keyStoreId - Implementation specific ID */
 /* ECC Shared Secret 60 = keyStoreId - Implementation specific ID */
 /* ECC VERIFY 61 = keyStoreId - Implementation specific ID */
 /* ECC VERIFY AFTER SIGN 60 = keyStoreId - Implementation specific ID */
 /* ED25519 55 = keyStoreId - Implementation specific ID */
 /* Global variables */
 static sss_session_t *cfg_se050_i2c_pi;
 static sss_key_store_t *hostKeyStore;
 static sss_key_store_t *keyStore;
 int keyId_allocater = 100;
-int wolfcrypt_se050_SetConfig(sss_session_t *pSession, sss_key_store_t *pHostKeyStore, sss_key_store_t *pKeyStore) 
+int wc_se050_SetConfig(sss_session_t *pSession, sss_key_store_t *pHostKeyStore,
    sss_key_store_t *pKeyStore)
 {
-	printf("Setting SE050 session configuration\n");
+    WOLFSSL_MSG("Setting SE050 session configuration");
 	XMEMSET(&cfg_se050_i2c_pi, 0, sizeof(cfg_se050_i2c_pi));
    cfg_se050_i2c_pi = pSession;
    XMEMSET(&hostKeyStore, 0, sizeof(hostKeyStore));
    hostKeyStore = pHostKeyStore;
    XMEMSET(&keyStore, 0, sizeof(keyStore));
    keyStore = pKeyStore;
    return 0;
 }
-int se050_allocate_key()
+int se050_allocate_key(void)
 {
    static int keyId_allocater = 100;
    return keyId_allocater++;
 }
@@ -74,7 +90,9 @@ int se050_get_random_number(uint32_t count, uint8_t* rand_out)
    sss_rng_context_t rng;
    int ret = 0;
-    if (wolfSSL_CryptHwMutexLock() == 0) {
+    if (wolfSSL_CryptHwMutexLock() != 0) {
        return BAD_MUTEX_E;
    }
    status = sss_rng_context_init(&rng, cfg_se050_i2c_pi);
    if (status == kStatus_SSS_Success)
@@ -86,12 +104,11 @@ int se050_get_random_number(uint32_t count, uint8_t* rand_out)
    if (status != kStatus_SSS_Success) {
        ret = RNG_FAILURE_E;
    }
    }
    wolfSSL_CryptHwMutexUnLock();
    return ret;
 }
-#endif /* WC_NO_RNG */
+#endif /* !WC_NO_RNG */
 /* Used for sha/sha224/sha384/sha512 */
 int se050_hash_init(SE050_HASH_Context* se050Ctx, void* heap)
@@ -111,78 +128,58 @@ int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len
    if (se050Ctx->len < se050Ctx->used + len) {
        if (se050Ctx->msg == NULL) {
-            se050Ctx->msg = (byte*)XMALLOC(se050Ctx->used + len, se050Ctx->heap,
+            se050Ctx->msg = (byte*)XMALLOC(se050Ctx->used + len,
-                    DYNAMIC_TYPE_TMP_BUFFER);
+                se050Ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
        }
        else {
            se050Ctx->msg = (byte*)XREALLOC(se050Ctx->msg, se050Ctx->used + len,
                se050Ctx->heap, DYNAMIC_TYPE_TMP_BUFFER);
        }
        if (se050Ctx->msg == NULL) {
            return MEMORY_E;
        }
        } 
        else {
            byte* pt = (byte*)XREALLOC(se050Ctx->msg, se050Ctx->used + len, se050Ctx->heap,
                    DYNAMIC_TYPE_TMP_BUFFER);
            if (pt == NULL) {
                return MEMORY_E;
            }
            se050Ctx->msg = pt;
        }
        se050Ctx->len = se050Ctx->used + len;
    }
    XMEMCPY(se050Ctx->msg + se050Ctx->used, data , len);
    se050Ctx->used += len;
    return 0;
 }
-int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash, size_t digestLen, sss_algorithm_t algo)
+int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash, size_t digestLen,
    sss_algorithm_t algo)
 {
    sss_status_t status;
    sss_digest_t digest_ctx;
   // XMEMSET(&digest_ctx, 0, sizeof(digest_ctx));
    const byte*  data = se050Ctx->msg;
    int          size = (se050Ctx->len) / SSS_BLOCK_SIZE;
    int          leftover = (se050Ctx->len) % SSS_BLOCK_SIZE;
-    const byte*     blocks;
+    const byte*  blocks = data;
                    blocks = data;    
-
+    if (wolfSSL_CryptHwMutexLock() != 0) {
-    if (wolfSSL_CryptHwMutexLock() == 0) { 
+        return BAD_MUTEX_E;
        status = sss_digest_context_init(&digest_ctx, cfg_se050_i2c_pi, algo, kMode_SSS_Digest);  
        if(status != kStatus_SSS_Success){
            printf("error 1\n");
            return -1;
    }
    status = sss_digest_context_init(&digest_ctx, cfg_se050_i2c_pi, algo,
        kMode_SSS_Digest);
    if (status == kStatus_SSS_Success) {
        status = sss_digest_init(&digest_ctx);
        if(status != kStatus_SSS_Success){
            printf("error 2 - hash_final...\n");
            return -1;
    }
    if (status == kStatus_SSS_Success) {
    /* used to send chunks of size 512 */
-        while (size--) {
+    while (status == kStatus_SSS_Success && size--) {
        status = sss_digest_update(&digest_ctx, blocks, SSS_BLOCK_SIZE);
            if(status != kStatus_SSS_Success){
                printf("error 3\n");
                return -1;
            }
        blocks += SSS_BLOCK_SIZE;
    }
-        if (leftover) {
+    if (status == kStatus_SSS_Success && leftover) {
        status = sss_digest_update(&digest_ctx, blocks, leftover);
            if(status != kStatus_SSS_Success){
                printf("error 3\n");
                return -1;
    }
-        }        
+    if (status == kStatus_SSS_Success) {
        status = sss_digest_finish(&digest_ctx, hash, &digestLen);
        if(status != kStatus_SSS_Success){
            printf("error 4\n");
            return -1;
    }
    sss_digest_context_free(&digest_ctx);
    }
    wolfSSL_CryptHwMutexUnLock();
    return 0;
@@ -197,19 +194,24 @@ void se050_hash_free(SE050_HASH_Context* se050Ctx)
 int se050_aes_set_key(Aes* aes, const byte* key, word32 len,
                                        const byte* iv, int dir)
 {
    printf("\n\nrunning se050_set_key\n");
    (void)dir;
    (void)iv;
    sss_status_t status;
    aes->rounds = len/4 + 6;
    sss_object_t newKey;
    sss_key_store_t host_keystore;
-    uint32_t keyId = se050_allocate_key();
+    int keyId = se050_allocate_key();
    aes->keyId = keyId;
    int ret = BAD_MUTEX_E;
-    if (wolfSSL_CryptHwMutexLock() == 0) {
+    WOLFSSL_MSG("se050_set_key");
-        ret = 0;
+
    (void)dir;
    (void)iv;
    aes->rounds = len/4 + 6;
    aes->keyId = keyId;
    if (wolfSSL_CryptHwMutexLock() != 0) {
        return BAD_MUTEX_E;
    }
    status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
    if (status == kStatus_SSS_Success) {
@@ -219,18 +221,20 @@ int se050_aes_set_key(Aes* aes, const byte* key, word32 len,
    if (status == kStatus_SSS_Success) {
        status = sss_key_object_init(&newKey, &host_keystore);
    }
-/* aes_test runs perfectly with kKeyObject_Mode_Persistent, but might have caused previous board to have no free key slots */
+
    /* aes_test runs perfectly with kKeyObject_Mode_Persistent,
        * but might have caused previous board to have no free key slots */
    if (status == kStatus_SSS_Success) {
-            status = sss_key_object_allocate_handle(&newKey, keyId, kSSS_KeyPart_Default,
+        status = sss_key_object_allocate_handle(&newKey, keyId,
-                                                kSSS_CipherType_AES, len, 
+            kSSS_KeyPart_Default, kSSS_CipherType_AES, len,
-                                                kKeyObject_Mode_Transient); //kKeyObject_Mode_Persistent
+            kKeyObject_Mode_Transient);
    }
    if (status == kStatus_SSS_Success) {
        status = sss_key_store_set_key(&host_keystore, &newKey, key, len,
                                    len * 8, NULL, 0);
    }
-    }
+
    wolfSSL_CryptHwMutexUnLock();
    if (status != kStatus_SSS_Success)
@@ -239,13 +243,15 @@ int se050_aes_set_key(Aes* aes, const byte* key, word32 len,
 }
-int se050_aes_crypt(Aes* aes, const byte* in, byte* out, word32 sz, int dir, sss_algorithm_t algorithm)
+int se050_aes_crypt(Aes* aes, const byte* in, byte* out, word32 sz, int dir,
    sss_algorithm_t algorithm)
 {
    sss_status_t    status;
    sss_object_t    keyObject;
    sss_mode_t      mode;
    sss_key_store_t host_keystore;
    int             ret = BAD_MUTEX_E;
    XMEMSET(&mode, 0, sizeof(mode));
    if (dir == AES_DECRYPTION)
@@ -253,8 +259,9 @@ int se050_aes_crypt(Aes* aes, const byte* in, byte* out, word32 sz, int dir, sss
    else if (dir == AES_ENCRYPTION)
        mode = kMode_SSS_Encrypt;
-    if (wolfSSL_CryptHwMutexLock() == 0) {
+    if (wolfSSL_CryptHwMutexLock() != 0) {
-        ret = 0;
+        return BAD_MUTEX_E;
    }
    status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
@@ -270,22 +277,24 @@ int se050_aes_crypt(Aes* aes, const byte* in, byte* out, word32 sz, int dir, sss
        status = sss_key_object_get_handle(&keyObject, aes->keyId);
    }
-        /* The first call to this function needs an initialization call, subsequent calls just need to call update */
+    /* The first call to this function needs an initialization call,
        * subsequent calls just need to call update */
    if (aes->ctxInitDone == 0) {
        aes->ctxInitDone = 1;
        if (status == kStatus_SSS_Success) {
-                status = sss_symmetric_context_init(&aes->aes_ctx, cfg_se050_i2c_pi,
+            status = sss_symmetric_context_init(&aes->aes_ctx,
-                                                    &keyObject, algorithm, mode);
+                cfg_se050_i2c_pi, &keyObject, algorithm, mode);
        }
        if (status == kStatus_SSS_Success) {
-                status = sss_cipher_init(&aes->aes_ctx, (uint8_t *)aes->reg, sizeof(aes->reg));
+            status = sss_cipher_init(&aes->aes_ctx, (uint8_t*)aes->reg,
                sizeof(aes->reg));
        }
    }
    if (status == kStatus_SSS_Success) {
        status = sss_cipher_update(&aes->aes_ctx, in, sz, out, &sz);
    }
-    }
+
    wolfSSL_CryptHwMutexUnLock();
    if (status != kStatus_SSS_Success)
@@ -298,9 +307,14 @@ void se050_aes_free(Aes* aes)
    sss_status_t    status;
    sss_key_store_t host_keystore;
    sss_object_t    keyObject;
    aes->ctxInitDone = 0; /* sets back to zero to indicate that a free has been called */
-    if (wolfSSL_CryptHwMutexLock() == 0) {    
+    /* sets back to zero to indicate that a free has been called */
    aes->ctxInitDone = 0;
    if (wolfSSL_CryptHwMutexLock() != 0) {
        return BAD_MUTEX_E;
    }
    status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
    if (status == kStatus_SSS_Success) {
@@ -318,26 +332,10 @@ void se050_aes_free(Aes* aes)
    sss_symmetric_context_free(&aes->aes_ctx);
    }
    wolfSSL_CryptHwMutexUnLock();
 }
-#endif /* NO_AES */
+#endif /* !NO_AES */
 #ifdef WOLFSSL_SP_MATH
    struct sp_int;
    #define MATH_INT_T struct sp_int
 #elif defined(USE_FAST_MATH)
    struct fp_int;
    #define MATH_INT_T struct fp_int
 #else
    struct mp_int;
 	#define MATH_INT_T struct mp_int
 #endif
 struct ecc_key;
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
 #ifdef HAVE_ECC
 int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
@@ -347,10 +345,8 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
    sss_asymmetric_t    ctx_asymm;
    sss_key_store_t     host_keystore;
    sss_object_t        newKey;
-    sss_algorithm_t     algorithm;
+    sss_algorithm_t     algorithm = kAlgorithm_None;
-    XMEMSET(&algorithm, 0, sizeof(algorithm));
+    int         keyId = se050_allocate_key();
    uint32_t    keyId = se050_allocate_key();
    int         keysize = (word32)key->dp->size;
    int         ret = BAD_MUTEX_E;
@@ -369,9 +365,10 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
    else if (inLen == 64)
        algorithm = kAlgorithm_SSS_SHA512;
    if (wolfSSL_CryptHwMutexLock() != 0) {
        return BAD_MUTEX_E;
    }
    if (wolfSSL_CryptHwMutexLock() == 0) {
        ret = 0;
    status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
    if (status == kStatus_SSS_Success) {
@@ -384,8 +381,8 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
    if (status == kStatus_SSS_Success) {
-            status = sss_key_object_allocate_handle(&newKey, keyId, kSSS_KeyPart_Pair, 
+        status = sss_key_object_allocate_handle(&newKey, keyId,
-                                                kSSS_CipherType_EC_NIST_P, keysize, 
+            kSSS_KeyPart_Pair, kSSS_CipherType_EC_NIST_P, keysize,
            kKeyObject_Mode_Transient);
    }
@@ -405,14 +402,15 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
    }
    sss_asymmetric_context_free(&ctx_asymm);
    }
    wolfSSL_CryptHwMutexUnLock();
-    if (status != kStatus_SSS_Success) 
+    if (status == kStatus_SSS_Success) {
        ret = WC_HW_E;
        key->keyId = keyId;
        ret = 0;
    }
    else {
        ret = WC_HW_E;
    }
    return ret;
 }
@@ -420,21 +418,17 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
 int se050_ecc_verify_hash_ex(const byte* hash, word32 hashLen, byte* signature,
                             word32 signatureLen, struct ecc_key* key, int* res)
 {
    printf("runing verify!\n");
    sss_status_t        status;
    sss_asymmetric_t    ctx_asymm;
    sss_object_t        newKey;
    sss_key_store_t     host_keystore;
-    sss_algorithm_t     algorithm;
+    sss_algorithm_t     algorithm = kAlgorithm_None;
    XMEMSET(&algorithm, 0, sizeof(algorithm));
    word32      derSz = 0;
-    int         ret = WC_HW_E;
+    int         ret;
    byte*       derBuf;
    uint32_t    keyId = rand();
    int         keySize = (word32)key->dp->size;
    WOLFSSL_MSG("se050_ecc_verify_hash_ex");
    *res = 0;
    if (hashLen > 64)
@@ -451,81 +445,80 @@ int se050_ecc_verify_hash_ex(const byte* hash, word32 hashLen, byte* signature,
    else if (hashLen == 64)
        algorithm = kAlgorithm_SSS_SHA512;
-    printf("KeyId 3 = %d\n", key->keyId);
+    if (wolfSSL_CryptHwMutexLock() != 0) {
        return BAD_MUTEX_E;
    }
-    if (wolfSSL_CryptHwMutexLock() == 0) {
+    /* this is run when a key was not generated and was instead passed in */
-        if (key->keyId == 0) { //this is run when a key was not generated and was instead passed in
+    if (key->keyId == 0) {
        int keyId = se050_allocate_key();
        byte* derBuf = NULL;
        ret = wc_EccKeyToPKCS8(key, NULL, &derSz);
-            if (ret != -202){
+        if (ret != LENGTH_ONLY_E) {
-                printf("first wc_EccKeyToPKCS8 failed\n");
+            return ret;
-                return -1;
+        }
        derBuf = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
        if (derBuf == NULL) {
            return MEMORY_E;
        }
            derBuf = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_OPENSSL);
        ret = wc_EccKeyToPKCS8(key, derBuf, &derSz);
        if (ret <= 0) {
-                printf("second wc_EccKeyToPKCS8 failed, ret = %d\n", ret);
+            XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-                return -1;
+            return ret;
        }
        status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
        if (status == kStatus_SSS_Success) {
            status = sss_key_store_allocate(&host_keystore, 61);
        }
        if (status == kStatus_SSS_Success) {
            status = sss_key_object_init(&newKey, &host_keystore);
        }
        if (status == kStatus_SSS_Success) {
-                status = sss_key_object_allocate_handle(&newKey, keyId, kSSS_KeyPart_Pair,
+            status = sss_key_object_allocate_handle(&newKey, keyId,
-                                                kSSS_CipherType_EC_NIST_P, derSz, 
+                kSSS_KeyPart_Pair, kSSS_CipherType_EC_NIST_P, derSz,
                kKeyObject_Mode_Transient);
        }
        if (status == kStatus_SSS_Success) {
            status = sss_key_store_set_key(&host_keystore, &newKey, derBuf,
                                            derSz, keySize * 8, NULL, 0);
        }
        if (derBuf) {
            XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
        }
        if (status == kStatus_SSS_Success) {
            status = sss_asymmetric_context_init(&ctx_asymm, cfg_se050_i2c_pi,
                                        &newKey, algorithm, kMode_SSS_Verify);
        }
            printf("ran through inital key setup !\n");
        if (status == kStatus_SSS_Success) {
            status = sss_asymmetric_verify_digest(&ctx_asymm, (uint8_t *)hash,
                                            hashLen, signature, signatureLen);
        }
        sss_asymmetric_context_free(&ctx_asymm);
            printf("sss_asymmetric_verify_digest with set key worked!\n\n\n");
        key->keyId = keyId;
    }
-        else if (key->keyId != 0) { //this is run after a sign function has taken place
+    /* this is run after a sign function has taken place */
-            ret = 0;
+    else if (key->keyId != 0) {
        status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
-            if (status == kStatus_SSS_Success)
+        if (status == kStatus_SSS_Success) {
            status = sss_key_store_allocate(&host_keystore, 60);
-
+        }
-            if (status == kStatus_SSS_Success)
+        if (status == kStatus_SSS_Success) {
            status = sss_key_object_init(&newKey, &host_keystore);
-
+        }
-            if (status == kStatus_SSS_Success)
+        if (status == kStatus_SSS_Success) {
            status = sss_key_object_get_handle(&newKey, key->keyId);
-            
+        }
        if (status == kStatus_SSS_Success) {
            status = sss_asymmetric_context_init(&ctx_asymm, cfg_se050_i2c_pi,
                                        &newKey, algorithm, kMode_SSS_Verify);
        }
        if (status == kStatus_SSS_Success) {
            status = sss_asymmetric_verify_digest(&ctx_asymm, (uint8_t *)hash,
                                            hashLen, signature, signatureLen);
@@ -533,17 +526,16 @@ int se050_ecc_verify_hash_ex(const byte* hash, word32 hashLen, byte* signature,
        sss_asymmetric_context_free(&ctx_asymm);
    }
    }
    wolfSSL_CryptHwMutexUnLock();
-    if (status != kStatus_SSS_Success) 
+    if (status == kStatus_SSS_Success) {
        ret = WC_HW_E;
    printf("ran verify correctly!!\n\n\n");
        *res = 1;
        ret = 0;
    }
    else {
        ret = WC_HW_E;
    }
    return 0;
 }
@@ -555,89 +547,93 @@ int se050_ecc_free_key(struct ecc_key* key)
    int             ret = WC_HW_E;
    sss_key_store_t host_keystore;
-    /* less tha 10,000 as one example from test.c tried to free a key that was not created on the SE050 */
+    if (key->keyId <= 0) {
-    if(key->keyId != 0 && key->keyId < 10000) {
+        return BAD_FUNC_ARG;
-        if (wolfSSL_CryptHwMutexLock() == 0) {
+    }
-            ret = 0;
+
    if (wolfSSL_CryptHwMutexLock() != 0) {
        return BAD_MUTEX_E;
    }
    status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
-            if (status == kStatus_SSS_Success)
+    if (status == kStatus_SSS_Success) {
        status = sss_key_store_allocate(&host_keystore, 60);
            if (status == kStatus_SSS_Success)
                status = sss_key_object_init(&keyObject, &host_keystore);
            if (status == kStatus_SSS_Success)
                status = sss_key_object_get_handle(&keyObject, key->keyId);
            if (status == kStatus_SSS_Success)
                    sss_key_object_free(&keyObject);
    }
    if (status == kStatus_SSS_Success) {
        status = sss_key_object_init(&keyObject, &host_keystore);
    }
    if (status == kStatus_SSS_Success) {
        status = sss_key_object_get_handle(&keyObject, key->keyId);
    }
    if (status == kStatus_SSS_Success) {
        sss_key_object_free(&keyObject);
    }
    wolfSSL_CryptHwMutexUnLock();
-    if (status != kStatus_SSS_Success)
+    if (status != kStatus_SSS_Success) {
        ret = WC_CLEANUP_E;
    }
    return ret;
 }
-int se050_ecc_create_key(struct ecc_key* key, int keyId, int keySize)
+int se050_ecc_create_key(struct ecc_key* key, int curve_id, int keySize)
 {
    sss_status_t    status = kStatus_SSS_Success;
    sss_object_t    keyPair;
    sss_key_store_t host_keystore;
-    
+    int keyId = se050_allocate_key();
-    uint8_t keyPairExport[128];
+    uint8_t keyPairExport[MAX_ECC_BYTES];
    size_t keyPairExportLen = sizeof(keyPairExport);
    size_t keyPairExportBitLen = sizeof(keyPairExport) * 8;
-    int ret = WC_HW_E;
+    int ret;
    (void)curve_id;
-    if (wolfSSL_CryptHwMutexLock() == 0) {
+    if (wolfSSL_CryptHwMutexLock() != 0) {
-        ret = 0;
+        return BAD_MUTEX_E;
    }
    status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
    if (status == kStatus_SSS_Success) {
        status = sss_key_store_allocate(&host_keystore, 60);
    }
    if (status == kStatus_SSS_Success) {
        status = sss_key_object_init(&keyPair, &host_keystore);
    }
    if (status == kStatus_SSS_Success) {
-            status = sss_key_object_allocate_handle(&keyPair, keyId, kSSS_KeyPart_Pair,
+        status = sss_key_object_allocate_handle(&keyPair, keyId,
-                                            kSSS_CipherType_EC_NIST_P, 256, 
+            kSSS_KeyPart_Pair, kSSS_CipherType_EC_NIST_P, 256,
-                                            kKeyObject_Mode_None); //kKeyObject_Mode_Transient
+            kKeyObject_Mode_None);
    }
    if (status == kStatus_SSS_Success) {
-            status = sss_key_store_generate_key(&host_keystore, &keyPair, 256, NULL);
+        status = sss_key_store_generate_key(&host_keystore, &keyPair,
            256, NULL);
    }
    if (status == kStatus_SSS_Success) {
-            status = sss_key_store_get_key(&host_keystore, &keyPair, keyPairExport,
+        status = sss_key_store_get_key(&host_keystore, &keyPair,
-                                         &keyPairExportLen, &keyPairExportBitLen);
+            keyPairExport, &keyPairExportLen, &keyPairExportBitLen);
        }
    }
    wolfSSL_CryptHwMutexUnLock();
-    if (status != kStatus_SSS_Success)
+    if (status == kStatus_SSS_Success) {
        ret = WC_CLEANUP_E;
        mp_read_unsigned_bin(key->pubkey.x, keyPairExport, keySize);
        mp_read_unsigned_bin(key->pubkey.y, keyPairExport + keySize, keySize);
        key->keyId = keyId;
        ret = 0;
    }
    else {
        ret = WC_HW_E;
    }
    return ret;
 }
-int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out,
+int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key,
-                      word32* outlen)
+    byte* out, word32* outlen)
 {
    sss_status_t            status = kStatus_SSS_Success;
    sss_key_store_t         host_keystore;
@@ -646,27 +642,21 @@ int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out
    sss_object_t            ref_public_key;
    sss_object_t            deriveKey;
    sss_derive_key_t        ctx_derive_key;
-    int                     keyId = se050_allocate_key();
+    int                     keyId;
    int                     keySize = (word32)public_key->dp->size;
    size_t                  ecdhKeyLen = keySize;
    size_t                  ecdhKeyBitLen = keySize;
    int                     ret = WC_HW_E;
-    
+    if (private_key->keyId <= 0 || public_key->keyId <= 0) {
-    if (public_key->keyId == 0) {
+        return BAD_FUNC_ARG;
-        public_key->keyId = se050_allocate_key();
+    }
-        se050_ecc_create_key(public_key, public_key->keyId, keySize);
+
-
+    if (wolfSSL_CryptHwMutexLock() != 0) {
-    }
+        return BAD_MUTEX_E;
    if (private_key->keyId == 0) {
        private_key->keyId = se050_allocate_key();
        se050_ecc_create_key(private_key, private_key->keyId, keySize);
    }
    if (wolfSSL_CryptHwMutexLock() == 0) {
        ret = 0;
    status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
    if (status == kStatus_SSS_Success) {
        status = sss_key_store_allocate(&host_keystore, 60);
    }
@@ -700,12 +690,14 @@ int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out
    }
    if (status == kStatus_SSS_Success) {
        keyId = se050_allocate_key();
        status = sss_key_object_allocate_handle(&deriveKey,
            keyId,
-                kSSS_KeyPart_Default, //try kSSS_KeyPart_Part, didn't have any noticable changes
+            kSSS_KeyPart_Default,
            kSSS_CipherType_AES,
            ecdhKeyLen,
-                kKeyObject_Mode_Transient); //try kKeyObject_Mode_None
+            kKeyObject_Mode_Transient);
    }
    if (status == kStatus_SSS_Success) {
@@ -727,9 +719,11 @@ int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out
    if (deriveKey.keyStore != NULL)
        sss_key_object_free(&deriveKey);
-        if (status != kStatus_SSS_Success) 
+    if (status == kStatus_SSS_Success)
        ret = 0;
    else
        ret = WC_HW_E;
-    }
+
    wolfSSL_CryptHwMutexUnLock();
    return ret;
@@ -738,21 +732,20 @@ int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out
 #ifdef HAVE_ED25519
 int se050_ed25519_create_key(ed25519_key* key)
 {
    printf("\n\nrunning se050_ed25519_create_key\n");
    sss_status_t    status;
    sss_key_store_t host_keystore;
    sss_object_t    newKey;
    int             keysize = ED25519_KEY_SIZE;
-    uint32_t        keyId = se050_allocate_key();
+    int             keyId;
                    key->keyId = keyId;
    int             ret = 0;
-    if (wolfSSL_CryptHwMutexLock() == 0) {
+    if (wolfSSL_CryptHwMutexLock() != 0) {
-        status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);     
+        return BAD_MUTEX_E;
    }
    status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
    if (status == kStatus_SSS_Success) {
        status = sss_key_store_allocate(&host_keystore, 55);
    }
@@ -762,25 +755,28 @@ int se050_ed25519_create_key(ed25519_key* key)
    }
    if (status == kStatus_SSS_Success) {
-            status = sss_key_object_allocate_handle(&newKey, keyId, kSSS_KeyPart_Pair, 
+        keyId = se050_allocate_key();
-                                                kSSS_CipherType_EC_TWISTED_ED, keysize, 
+        status = sss_key_object_allocate_handle(&newKey, keyId,
            kSSS_KeyPart_Pair, kSSS_CipherType_EC_TWISTED_ED, keysize,
            kKeyObject_Mode_Transient);
    }
    if (status == kStatus_SSS_Success) {
-            status = sss_key_store_generate_key(&host_keystore, &newKey, keysize * 8, NULL);
+        status = sss_key_store_generate_key(&host_keystore, &newKey,
            keysize * 8, NULL);
    }
-        if (status != kStatus_SSS_Success) {
+    if (status == kStatus_SSS_Success) {
        key->keyId = keyId;
        ret = 0;
    }
    else {
        sss_key_object_free(&newKey);
        ret = WC_HW_E;
    }
    }
    wolfSSL_CryptHwMutexUnLock();
    printf("ran se050_ed25519_create_key\n\n\n");
    return ret;
 }
@@ -790,12 +786,14 @@ void se050_ed25519_free_key(ed25519_key* key)
    sss_object_t newKey;
    sss_key_store_t host_keystore;
-        if (wolfSSL_CryptHwMutexLock() == 0) {
+    if (wolfSSL_CryptHwMutexLock() != 0) {
        return BAD_MUTEX_E;
    }
    status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
    if (status == kStatus_SSS_Success) {
-                status = sss_key_store_allocate(&host_keystore, 60);
+        status = sss_key_store_allocate(&host_keystore, 55);
    }
    if (status == kStatus_SSS_Success) {
        status = sss_key_object_init(&newKey, &host_keystore);
@@ -806,39 +804,29 @@ void se050_ed25519_free_key(ed25519_key* key)
    if (status == kStatus_SSS_Success) {
        sss_key_object_free(&newKey);
    }
        }
    wolfSSL_CryptHwMutexUnLock();
 }
 int se050_ed25519_sign_msg(const byte* in, word32 inLen, byte* out,
                         word32 *outLen, ed25519_key* key)
 {
    printf("\n\nhit se050_ed25519_sign_msg...\n");
    sss_status_t        status = kStatus_SSS_Success;
    sss_asymmetric_t    ctx_asymm;
    sss_key_store_t     host_keystore;
    sss_object_t        newKey;
    int                 ret = 0;
    inLen = 64;
    *outLen = 64;
-    /* used to fix edge case when ed25519_init is not called prior to signing */
+    if (wolfSSL_CryptHwMutexLock() != 0) {
-    /* figure out if needed or not for -10801 */
+        return BAD_MUTEX_E;
    if (key->keyId > 10000 || key->keyId == 0) { 
        key->keyId = se050_allocate_key();
        ret = se050_ed25519_create_key(key);
        if (ret != 0) {
            printf("calling se050_ed25519_create_key failed..., ret = %d\n", ret);
    }
    }
    if (wolfSSL_CryptHwMutexLock() == 0 && ret == 0) {
    status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
    if (status == kStatus_SSS_Success) {
-            status = sss_key_store_allocate(&host_keystore, 60);
+        status = sss_key_store_allocate(&host_keystore, 55);
    }
    if (status == kStatus_SSS_Success) {
@@ -859,33 +847,34 @@ int se050_ed25519_sign_msg(const byte* in, word32 inLen, byte* out,
                                            (uint8_t *)in, inLen, out, outLen);
    }
    sss_asymmetric_context_free(&ctx_asymm);
    if (status != kStatus_SSS_Success) {
            printf("status != kStatus_SSS_Success, status = %d\n", status);
        sss_key_object_free(&newKey);
        ret = WC_HW_E;
    }
-        sss_asymmetric_context_free(&ctx_asymm);
+
    }
    wolfSSL_CryptHwMutexUnLock();
    return ret;
 }
-int se050_ed25519_verify_msg(const byte* signature, word32 signatureLen, const byte* msg,
+int se050_ed25519_verify_msg(const byte* signature, word32 signatureLen,
-                             word32 msgLen, struct ed25519_key* key, int* res)
+    const byte* msg, word32 msgLen, struct ed25519_key* key, int* res)
 {
    printf("runing se050_ed25519_verify_msg!\n");
    sss_status_t        status = kStatus_SSS_Success;
    sss_asymmetric_t    ctx_asymm;
    sss_object_t        newKey;
    sss_key_store_t     host_keystore;
    int                 ret = 0;
                        msgLen = 64;
                        *res = 1;
-    if (wolfSSL_CryptHwMutexLock() == 0) {
+    msgLen = 64;
    if (wolfSSL_CryptHwMutexLock() != 0) {
        return BAD_MUTEX_E;
    }
    status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi);
    if (status == kStatus_SSS_Success) {
@@ -906,22 +895,24 @@ int se050_ed25519_verify_msg(const byte* signature, word32 signatureLen, const b
    }
    if (status == kStatus_SSS_Success) {
-                status = sss_se05x_asymmetric_verify((sss_se05x_asymmetric_t *)&ctx_asymm,
+        status = sss_se05x_asymmetric_verify(
-                                             (uint8_t *)msg, msgLen, 
+                (sss_se05x_asymmetric_t*)&ctx_asymm, (uint8_t*)msg, msgLen,
                (uint8_t*)signature, (size_t)signatureLen);
    }
    sss_asymmetric_context_free(&ctx_asymm);
-    }
+
    wolfSSL_CryptHwMutexUnLock();
-    if (status != kStatus_SSS_Success) {
+    if (status == kStatus_SSS_Success) {
        *res = 1;
    }
    else {
        ret = WC_HW_E;
        *res = 0;
    }
    return ret;
 }
 #endif /* HAVE_ED25519 */
-#endif /* SE050 */
+#endif /* WOLFSSL_SE050 */
--- a/wolfcrypt/src/sha.c
+++ b/wolfcrypt/src/sha.c
@@ -347,7 +347,6 @@
        (void)devId;
        return se050_hash_init(&sha->se050Ctx, heap);
    }
    int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len)
--- a/wolfcrypt/src/sha512.c
+++ b/wolfcrypt/src/sha512.c
@@ -49,6 +49,10 @@
    #include <wolfssl/wolfcrypt/cryptocb.h>
 #endif
 #ifdef WOLFSSL_SE050
    #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
 #endif
 /* deprecated USE_SLOW_SHA2 (replaced with USE_SLOW_SHA512) */
 #if defined(USE_SLOW_SHA2) && !defined(USE_SLOW_SHA512)
    #define USE_SLOW_SHA512
@@ -200,7 +204,6 @@
    /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */
 #elif defined(WOLFSSL_SE050)
    //#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
    int wc_InitSha512(wc_Sha512* sha512)
    {
        if (sha512 == NULL)
@@ -224,17 +227,31 @@
    int wc_Sha512Final(wc_Sha512* sha512, byte* hash)
    {
        int ret = 0;
        int devId = INVALID_DEVID;
        if (sha512 == NULL) {
            return BAD_FUNC_ARG;
        }
    #ifdef WOLF_CRYPTO_CB
        devId = sha512->devId;
    #endif
        ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE,
                               kAlgorithm_SSS_SHA512);
-        (void)wc_InitSha512_ex(sha512);
+        (void)wc_InitSha512_ex(sha512, sha512->heap, devId);
        return ret;
    }
    int wc_Sha512FinalRaw(wc_Sha512* sha512, byte* hash)
    {
        int ret = 0;
        int devId = INVALID_DEVID;
        if (sha512 == NULL) {
            return BAD_FUNC_ARG;
        }
    #ifdef WOLF_CRYPTO_CB
        devId = sha512->devId;
    #endif
        ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE,
                               kAlgorithm_SSS_SHA512);
-        (void)wc_InitSha512(sha512);
+        (void)wc_InitSha512_ex(sha512, sha512->heap, devId);
        return ret;
    }
    void wc_Sha512Free(wc_Sha512* sha512)
@@ -948,6 +965,7 @@ int wc_Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)
 #else
 #ifndef WOLFSSL_SE050
 static WC_INLINE int Sha512Final(wc_Sha512* sha512)
 {
    byte* local = (byte*)sha512->buffer;
@@ -1207,6 +1225,7 @@ int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data)
 }
 #endif /* OPENSSL_EXTRA */
 #endif /* WOLFSSL_SHA512 */
 #endif /* WOLFSSL_SE050 */
 /* -------------------------------------------------------------------------- */
 /* SHA384 */
@@ -1217,8 +1236,6 @@ int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data)
    !defined(WOLFSSL_QNX_CAAM)
    /* functions defined in wolfcrypt/src/port/caam/caam_sha.c */
 #elif defined(WOLFSSL_SE050)
    #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
    int wc_InitSha384_ex(wc_Sha384* sha384, void* heap, int devId)
    {
        if (sha384 == NULL) {
--- a/wolfssl/wolfcrypt/port/nxp/README.md
+++ b/wolfssl/wolfcrypt/port/nxp/README.md
@@ -1,68 +0,0 @@
 # NXP Ports
 Support for the NXP DCP, KSDK and SE050 hardware acceleration boards. 
 ## NXP SE050
 Support for the SE050 on-board crypto hardware acceleration for symmetric AES, SHA1/SHA256/SHA384/SHA512, ECC (including ed25519) and RNG. **(discuss p-256 ECC)**
 ## SE050 Acceleration
 For details about SE050 HW acceleration, see [NXP's SE050 page](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050).
 ## Building
 To enable support run:
 ```
 ./configure --with-se050=PATH
 ```
 Followed by:
 ```
 make && make install
 ```
 With PATH being the directory location of simw-top.
 The code required to communicate with the SE050 can be found at this NXP [link](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050?tab=Design_Tools_Tab) (An NXP account is required to download). Follow the instructions [here](https://www.nxp.com/docs/en/application-note/AN12570.pdf) to install and setup with a Raspberry Pi. 
 Confirm that you are able to run the examples from the 
 ```
 /simw-top_build/raspbian_native_se050_t1oi2c/bin/
 ```
 directory. Once that's done, it's time to modify one of those examples in order to tie into wolfSSL. 
 The ``./se05x_Minimal `` is the easiest one to modify. Open the ``simw-top/demos/se05x/se05x_Minimal `` directory and edit ``se05x_Minimal.c``. Add these headers to source file:
 ```
 #include <wolfssl/options.h>
 #include <wolfssl/wolfcrypt/types.h>
 #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
 ``` 
 If you would like to run our wolfcrypt test or  benchmark tool, add:
 ``#include "test.h"`` or ``#include benchmark.h``, respectively. Below is the code that was replaced in ``ex_sss_entry()`` that ran the wolfcrypt test:
 ```
    sss_status_t status = kStatus_SSS_Success;
    int ret;
    sss_session_t *pSession2 = (sss_session_t *)&pCtx->session;
    sss_key_store_t *pHostSession = (sss_key_store_t *)&pCtx->host_ks;
    LOG_I("running setconfig");
    ret = wolfcrypt_se050_SetConfig(pSession2, pHostSession);
    if (ret != 0) {
        return kStatus_SSS_Fail;
    }
    LOG_I("ran setconfig correctly");
    wolfcrypt_test(NULL);
    LOG_I("ran wolfcrypt test");
    return status;
 ```
 ``wolfcrypt_test(NULL);`` can be replaced with ``benchmark_test();``
 The two variables used in  ``wolfcrypt_se050_SetConfig`` are session and key store variables that are required to reference parts of the hardware. 
 Next, the Makefile needs to be edited.
 At the top of the Makefile, the base wolfssl directory needs to be added to ``INCLUDE_FLAGS``. Next, Inside ``CFLAGS``, the ``se05x_Minimal`` directory needs to be added so that test.c and benchmark.c are included. Finally, underneath 'all', test.c, test.h, benchmark.c and benchmark.h need to be added, along with ``-L (wolfssl directory) -lwolfssl`` at the end of the line. 
 ## Wolfcrypt Test
 To run the wolfcrypt test, two files, ``test.h`` and ``test.c`` need to be added to the ``./se05x_Minimal`` directory. These files can be found inside of ``/wolfcrypt/test``. 
 Next, ``#define NO_MAIN_DRIVER`` needs to be added to test.h.
 You should be able to run `wolfcrypt_test()` now. 
 ## Benchmark 
 To run the benchmark, both ``benchmark.c`` and ``benchmark.h`` need to be copied from wolfcrypt/benchmark to the `./se05x_Minimal` directory.  In addition, the entire `./certs` directory will need to copied into the directory. ``#define NO_MAIN_DRIVER`` will need to be added to `benchmark.h`. You should be able to run `benchmark_test() ` now. 
--- a/wolfssl/wolfcrypt/port/nxp/se050_port.h
+++ b/wolfssl/wolfcrypt/port/nxp/se050_port.h
@@ -22,7 +22,6 @@
 #ifndef _SE050_PORT_H_
 #define _SE050_PORT_H_
 #include <wolfssl/wolfcrypt/settings.h>
 #include "fsl_sss_api.h"
@@ -39,27 +38,25 @@ typedef struct {
 } SE050_HASH_Context;
-WOLFSSL_API int wolfcrypt_se050_SetConfig(sss_session_t *pSession, sss_key_store_t *pHostKeyStore, sss_key_store_t *pKeyStore);
+WOLFSSL_API int wc_se050_SetConfig(sss_session_t *pSession,
-
+    sss_key_store_t *pHostKeyStore, sss_key_store_t *pKeyStore);
 int se050_allocate_key(void);
 int se050_get_random_number(uint32_t count, uint8_t* rand_out);
 int se050_hash_init(SE050_HASH_Context* se050Ctx, void* heap);
 int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len);
 int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash, size_t digestLen, word32 algo);
 void se050_hash_free(SE050_HASH_Context* se050Ctx);
 WOLFSSL_LOCAL int se050_allocate_key(void);
 WOLFSSL_LOCAL int se050_get_random_number(uint32_t count, uint8_t* rand_out);
 WOLFSSL_LOCAL int se050_hash_init(SE050_HASH_Context* se050Ctx, void* heap);
 WOLFSSL_LOCAL int se050_hash_update(SE050_HASH_Context* se050Ctx,
    const byte* data, word32 len);
 WOLFSSL_LOCAL int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash,
    size_t digestLen, word32 algo);
 WOLFSSL_LOCAL void se050_hash_free(SE050_HASH_Context* se050Ctx);
 struct Aes;
-int se050_aes_set_key(struct Aes* aes, const byte* key, word32 len, const byte* iv, int dir);
+WOLFSSL_LOCAL int se050_aes_set_key(struct Aes* aes, const byte* key,
-int se050_aes_crypt(struct Aes* aes, const byte* in, byte* out, word32 sz, int dir, sss_algorithm_t algorithm);
+    word32 len, const byte* iv, int dir);
-void se050_aes_free(struct Aes* aes);
+WOLFSSL_LOCAL int se050_aes_crypt(struct Aes* aes, const byte* in, byte* out,
-//int se050_aes_ctr_crypt(struct Aes* aes, const byte* in, byte* out, word32 sz);
+    word32 sz, int dir, sss_algorithm_t algorithm);
-
+WOLFSSL_LOCAL void se050_aes_free(struct Aes* aes);
 struct ecc_key;
@@ -74,25 +71,26 @@ struct WC_RNG;
    struct mp_int;
 	#define MATH_INT_T struct mp_int
 #endif
 int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
                         word32 *outLen, struct ecc_key* key);
-int se050_ecc_verify_hash_ex(const byte* hash, word32 hashlen, byte* signature,
+WOLFSSL_LOCAL int se050_ecc_sign_hash_ex(const byte* in, word32 inLen,
-                             word32 signatureLen, struct ecc_key* key, int* res);
+    byte* out, word32 *outLen, struct ecc_key* key);
-int se050_ecc_create_key(struct ecc_key* key, int keyId, int keySize);
+WOLFSSL_LOCAL int se050_ecc_verify_hash_ex(const byte* hash, word32 hashlen,
-int se050_ecc_shared_secret(struct ecc_key* private_key, struct ecc_key* public_key, byte* out,
+    byte* signature, word32 signatureLen, struct ecc_key* key, int* res);
-                      word32* outlen);
+
-int se050_ecc_free_key(struct ecc_key* key);
+WOLFSSL_LOCAL int se050_ecc_create_key(struct ecc_key* key, int curve_id, int keySize);
 WOLFSSL_LOCAL int se050_ecc_shared_secret(struct ecc_key* private_key,
    struct ecc_key* public_key, byte* out, word32* outlen);
 WOLFSSL_LOCAL int se050_ecc_free_key(struct ecc_key* key);
 struct ed25519_key;
-//#include <wolfssl/wolfcrypt/ed25519.h>
+WOLFSSL_LOCAL int se050_ed25519_create_key(struct ed25519_key* key);
-int se050_ed25519_create_key(struct ed25519_key* key);
+WOLFSSL_LOCAL void se050_ed25519_free_key(struct ed25519_key* key);
-void se050_ed25519_free_key(struct ed25519_key* key);
+WOLFSSL_LOCAL int se050_ed25519_sign_msg(const byte* in, word32 inLen,
-int se050_ed25519_sign_msg(const byte* in, word32 inLen, byte* out,
+    byte* out, word32 *outLen, struct ed25519_key* key);
                         word32 *outLen, struct ed25519_key* key);
-int se050_ed25519_verify_msg(const byte* signature, word32 signatureLen, const byte* msg,
+WOLFSSL_LOCAL int se050_ed25519_verify_msg(const byte* signature,
-                             word32 msgLen, struct ed25519_key* key, int* res);
+    word32 signatureLen, const byte* msg, word32 msgLen,
    struct ed25519_key* key, int* res);
 #endif /* _SE050_PORT_H_ */