perfer local IPP libraries, memory usage and casting

2015-11-29 23:34:58 -07:00
parent db599bb361
commit 6030970026
3 changed files with 274 additions and 124 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -59,7 +59,7 @@ EXTRA_DIST+= gencertbuf.pl
 EXTRA_DIST+= README.md
 EXTRA_DIST+= LICENSING
 EXTRA_DIST+= INSTALL
-EXTRA_DIST+= IPP/
+EXTRA_DIST+= IPP

 # user crypto plug in example
 EXTRA_DIST+= wolfcrypt/user-crypto/configure.ac
--- a/configure.ac
+++ b/configure.ac
@ -2285,8 +2285,9 @@ AC_ARG_WITH([cavium],

 # Fast RSA using Intel IPP
 ippdir="${srcdir}/IPP"
-ipplib="lib" # if autoconf guesses 32 changes lib directory
-fastRSA_headers=no
+ipplib="lib" # if autoconf guesses 32bit system changes lib directory
+fastRSA_found=no
+abs_path=`pwd`

 # set up variables used
 IPPLIBS=
@ -2301,11 +2302,12 @@ AC_ARG_ENABLE([fast-rsa],

 if test "$ENABLED_USER_RSA" = "no" && test "$ENABLED_FIPS" = "no"; then

-if test "$enable_shared" = "no" && test "$ENABLED_FAST_RSA" = "yes"; then
    if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then
        ipplib="lib_32" # 32 bit OS detected
    fi

+#   Use static IPP Libraries
+if test "$enable_shared" = "no" && test "$ENABLED_FAST_RSA" = "yes"; then
    case $host_os in
    *darwin*)
        ipplib="$ipplib/mac_static"
@ -2322,92 +2324,100 @@ if test "$enable_shared" = "no" && test "$ENABLED_FAST_RSA" = "yes"; then

    AC_CHECK_FILES([$srcdir/IPP/$ipplib/libippcore.a $srcdir/IPP/$ipplib/libippcp.a], [], [ENABLED_FAST_RSA=no])
    AC_CHECK_FILES([$srcdir/IPP/include/ipp.h $srcdir/IPP/include/ippcp.h], [AM_CPPFLAGS="-I$srcdir/IPP/include $AM_CPPFLAGS"], [ENABLED_FAST_RSA=no])
-    LIB_STATIC_ADD="$srcdir/IPP/$ipplib/libippcp.a $srcdir/IPP/$ipplib/libippcore.a"
+    LIB_STATIC_ADD="$srcdir/IPP/$ipplib/libippcp.a $srcdir/IPP/$ipplib/libippcore.a $LIB_STATIC_ADD"
    if test "$ENABLED_FAST_RSA" = "no"; then
        AC_MSG_ERROR([Could not find fast rsa libraries])
    fi
 else
-# just check link and see if user has already exported paths
-if test "$ENABLED_FAST_RSA" = "yes"
-    then
-        AC_MSG_NOTICE([Checking if IPP crypto library installed])
-        AC_CHECK_HEADER([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], [LIBS="$LIBS -lippcore"; fastRSA_headers=yes], [AS_UNSET([ac_cv_lib_ippcp_ippsRSAEncrypt_PKCSv15]); fastRSA_headers=no])], [fastRSA_headers=no])
-    if test "$fastRSA_headers" = "yes"; then
-        AM_LDFLAGS="${AM_LDFLAGS} -lippcore -lippcp"
-    fi
-fi

-# Don't cache the result so it can be checked again
-AS_UNSET([ac_cv_header_ippcp_h])
-AS_UNSET([ac_cv_header_ipp_h])
-
-if test "$fastRSA_headers" = "no"; then
-dnl set default paths
+#   Check for and use bundled IPP libraries
 if test "$ENABLED_FAST_RSA" = "yes"; then
    AC_MSG_NOTICE([Using local IPP crypto library])
-    # build and default locations on linux and mac
-    STORE_LDFLAGS=${LDFLAGS}
-    STORE_CPPFLAGS=${CPPFLAGS}
-    if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then
-        ipplib="lib_32" # 32 bit OS detected
-    fi
-    # using LDFLAGS instead of AM_ temporarily to test link to library
-    LDFLAGS="-L$ippdir/$ipplib -lippcp -lippcore"
-    CPPFLAGS="-I$ippdir/include"
-    AC_CHECK_HEADERS([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], [], [ENABLED_FAST_RSA=no])], [ENABLED_FAST_RSA=no])

-    if test "$ENABLED_FAST_RSA" = "yes"; then
-    # was succesfull so add tested LDFLAGS to AM_ flags
-    AM_LDFLAGS="${AM_LDFLAGS} ${LDFLAGS}"
-    AM_CPPFLAGS="${AM_CPPFLAGS} ${CPPFLAGS}"
+    AC_CHECK_FILES([$abs_path/IPP/include/ippcp.h],
+    [
+        # build and default locations on linux and mac
+        STORE_LDFLAGS=${LDFLAGS}
+        STORE_CPPFLAGS=${CPPFLAGS}

-    case $host_os in
-    *darwin*)
+        # using LDFLAGS instead of AM_ temporarily to test link to library
+        LDFLAGS="-L$ippdir/$ipplib -lippcp -lippcore"
+        CPPFLAGS="-I$ippdir/include"
+        AC_CHECK_HEADERS([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], [fastRSA_found=yes], [fastRSA_found=no])], [fastRSA_found=no])
        name="$ippdir/$ipplib/libippcp"
-        IPPLIBS="${name}.dylib ${name}-9.0.dylib ${name}e9-9.0.dylib ${name}g9-9.0.dylib ${name}h9-9.0.dylib ${name}k0-9.0.dylib ${name}l9-9.0.dylib ${name}n8-9.0.dylib ${name}p8-9.0.dylib ${name}s8-9.0.dylib ${name}y8-9.0.dylib IPP/lib/libippcore.dylib IPP/lib/libippcore-9.0.dylib"
-        IPPLINK="mkdir -p src/.libs && ln -f ${name}.dylib src/.libs/libippcp.dylib && ln -f ${srcdir}/${name}-9.0.dylib src/.libs/libippcp-9.0.dylib && ln -f ${srcdir}/${name}e9-9.0.dylib src/.libs/libippcpe9-9.0.dylib && ln -f ${srcdir}/${name}g9-9.0.dylib src/.libs/libippcpg9-9.0.dylib && ln -f ${srcdir}/${name}h9-9.0.dylib src/.libs/libippcph9-9.0.dylib && ln -f ${srcdir}/${name}k0-9.0.dylib src/.libs/libippcpk0-9.0.dylib && ln -f ${srcdir}/${name}l9-9.0.dylib src/.libs/libippcpl9-9.0.dylib && ln -f ${srcdir}/${name}n8-9.0.dylib src/.libs/libippcpn8-9.0.dylib && ln -f ${srcdir}/${name}p8-9.0.dylib src/.libs/libippcpp8-9.0.dylib && ln -f ${srcdir}/${name}s8-9.0.dylib src/.libs/libippcps8-9.0.dylib && ln -f ${srcdir}/${name}y8-9.0.dylib src/.libs/libippcpy8-9.0.dylib && ln -f ${srcdir}/IPP/lib/libippcore.dylib src/.libs/libippcore.dylib && ln -f ${srcdir}/IPP/lib/libippcore-9.0.dylib src/.libs/libippcore-9.0.dylib"
-        break;;
+        case $host_os in
+        *darwin*)
+            # check file existence and conditionally set variables
+            AC_CHECK_FILES([$abs_path/IPP/$ipplib/libippcp.dylib], [
+            IPPLIBS="${name}.dylib ${name}-9.0.dylib ${name}e9-9.0.dylib ${name}g9-9.0.dylib ${name}h9-9.0.dylib ${name}k0-9.0.dylib ${name}l9-9.0.dylib ${name}n8-9.0.dylib ${name}p8-9.0.dylib ${name}s8-9.0.dylib ${name}y8-9.0.dylib IPP/lib/libippcore.dylib IPP/lib/libippcore-9.0.dylib"
+            IPPLINK="mkdir -p src/.libs && ln -f ${name}.dylib src/.libs/libippcp.dylib && ln -f ${srcdir}/${name}-9.0.dylib src/.libs/libippcp-9.0.dylib && ln -f ${srcdir}/${name}e9-9.0.dylib src/.libs/libippcpe9-9.0.dylib && ln -f ${srcdir}/${name}g9-9.0.dylib src/.libs/libippcpg9-9.0.dylib && ln -f ${srcdir}/${name}h9-9.0.dylib src/.libs/libippcph9-9.0.dylib && ln -f ${srcdir}/${name}k0-9.0.dylib src/.libs/libippcpk0-9.0.dylib && ln -f ${srcdir}/${name}l9-9.0.dylib src/.libs/libippcpl9-9.0.dylib && ln -f ${srcdir}/${name}n8-9.0.dylib src/.libs/libippcpn8-9.0.dylib && ln -f ${srcdir}/${name}p8-9.0.dylib src/.libs/libippcpp8-9.0.dylib && ln -f ${srcdir}/${name}s8-9.0.dylib src/.libs/libippcps8-9.0.dylib && ln -f ${srcdir}/${name}y8-9.0.dylib src/.libs/libippcpy8-9.0.dylib && ln -f ${srcdir}/IPP/lib/libippcore.dylib src/.libs/libippcore.dylib && ln -f ${srcdir}/IPP/lib/libippcore-9.0.dylib src/.libs/libippcore-9.0.dylib"
+            ], [fastRSA_found=no])
+            break;;

-    *linux*)
-        if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then
-            name="$ippdir/$ipplib/libippcp"
-            IPPLIBS="${name}.so.9.0 ${name}g9.so.9.0 ${name}h9.so.9.0 ${name}p8.so.9.0 ${name}px.so.9.0 ${name}s8.so.9.0 ${name}.so ${name}w7.so.9.0 IPP/$ipplib/libippcore.so"
-            IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}g9.so.9.0 src/.libs/libippcpg9.so.9.0 && ln -f ${name}h9.so.9.0 src/.libs/libippcph9.so.9.0 && ln -f ${name}p8.so.9.0 src/.libs/libippcpp8.so.9.0 && ln -f ${name}px.so.9.0 src/.libs/libippcppx.so.9.0 && ln -f ${name}s8.so.9.0 src/.libs/libippcps8.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}w7.so.9.0 src/.libs/libippcpw7.so.9.0 && ln -f IPP/$ipplib/libippcore.so src/.libs/libippcore.so && ln -f IPP/$ipplib/libippcore.so.9.0 src/.libs/libippcore.so.9.0"
-            else
-            name="$ippdir/$ipplib/libippcp"
-            IPPLIBS="${name}.so.9.0 ${name}e9.so.9.0 ${name}k0.so.9.0 ${name}l9.so.9.0 ${name}m7.so.9.0 ${name}mx.so.9.0 ${name}.so ${name}n8.so.9.0 ${name}y8.so.9.0 IPP/lib/libippcore.so"
-            IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}e9.so.9.0 src/.libs/libippcpe9.so.9.0 && ln -f ${name}k0.so.9.0 src/.libs/libippcpk0.so.9.0 && ln -f ${name}l9.so.9.0 src/.libs/libippcpl9.so.9.0 && ln -f ${name}m7.so.9.0 src/.libs/libippcpm7.so.9.0 && ln -f ${name}mx.so.9.0 src/.libs/libippcpmx.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}n8.so.9.0 src/.libs/libippcpn8.so.9.0 && ln -f ${name}y8.so.9.0 src/.libs/libippcpy8.so.9.0 && ln -f IPP/lib/libippcore.so src/.libs/libippcore.so && ln -f IPP/lib/libippcore.so.9.0 src/.libs/libippcore.so.9.0"
+        *linux*)
+            # check file existence and conditionally set variables
+            AC_CHECK_FILES([$abs_path/IPP/$ipplib/libippcp.so.9.0], [
+            if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then
+                IPPLIBS="${name}.so.9.0 ${name}g9.so.9.0 ${name}h9.so.9.0 ${name}p8.so.9.0 ${name}px.so.9.0 ${name}s8.so.9.0 ${name}.so ${name}w7.so.9.0 IPP/$ipplib/libippcore.so IPP/$ipplib/libippcore.so.9.0"
+                IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}g9.so.9.0 src/.libs/libippcpg9.so.9.0 && ln -f ${name}h9.so.9.0 src/.libs/libippcph9.so.9.0 && ln -f ${name}p8.so.9.0 src/.libs/libippcpp8.so.9.0 && ln -f ${name}px.so.9.0 src/.libs/libippcppx.so.9.0 && ln -f ${name}s8.so.9.0 src/.libs/libippcps8.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}w7.so.9.0 src/.libs/libippcpw7.so.9.0 && ln -f IPP/$ipplib/libippcore.so src/.libs/libippcore.so && ln -f IPP/$ipplib/libippcore.so.9.0 src/.libs/libippcore.so.9.0"
+                else
+                IPPLIBS="${name}.so.9.0 ${name}e9.so.9.0 ${name}k0.so.9.0 ${name}l9.so.9.0 ${name}m7.so.9.0 ${name}mx.so.9.0 ${name}.so ${name}n8.so.9.0 ${name}y8.so.9.0 IPP/lib/libippcore.so IPP/lib/libippcore.so.9.0"
+                IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}e9.so.9.0 src/.libs/libippcpe9.so.9.0 && ln -f ${name}k0.so.9.0 src/.libs/libippcpk0.so.9.0 && ln -f ${name}l9.so.9.0 src/.libs/libippcpl9.so.9.0 && ln -f ${name}m7.so.9.0 src/.libs/libippcpm7.so.9.0 && ln -f ${name}mx.so.9.0 src/.libs/libippcpmx.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}n8.so.9.0 src/.libs/libippcpn8.so.9.0 && ln -f ${name}y8.so.9.0 src/.libs/libippcpy8.so.9.0 && ln -f IPP/lib/libippcore.so src/.libs/libippcore.so && ln -f IPP/lib/libippcore.so.9.0 src/.libs/libippcore.so.9.0"
+            fi
+            ], [fastRSA_found=no])
+            break;;
+        *)
+            fastRSA_found=no
+        esac
+
+        if test "$fastRSA_found" = "yes"; then
+            # was succesfull so add tested LDFLAGS to AM_ flags
+            AM_LDFLAGS="${AM_LDFLAGS} ${LDFLAGS}"
+            AM_CPPFLAGS="${AM_CPPFLAGS} ${CPPFLAGS}"
+            IPPHEADERS="${srcdir}/IPP/include/*.h"
        fi
-        break;;
-    *)
-        ENABLED_FAST_RSA=no
-    esac
-    fi
-    # restore LDFLAGS to user set
-    LDFLAGS=${STORE_LDFLAGS}
-    CPPFLAGS=${STORE_CPPFLAGS}
-    IPPHEADERS="${srcdir}/IPP/include/*.h"
+
+        # restore LDFLAGS to user set
+        LDFLAGS=${STORE_LDFLAGS}
+        CPPFLAGS=${STORE_CPPFLAGS}
+    ], [fastRSA_found=no])
+fi
+
+# Don't cache the result so it can be checked
+AS_UNSET([ac_cv_header_ippcp_h])
+AS_UNSET([ac_cv_header_ipp_h])
+AS_UNSET([ac_cv_lib_ippcp_ippsRSAEncrypt_PKCSv15]);
+
+#   Check link and see if user has pre-existing IPP Libraries if not using local
+if test "$ENABLED_FAST_RSA" = "yes" && test "$fastRSA_found" = "no"; then
+    AC_MSG_NOTICE([Checking if IPP crypto library installed])
+    AC_CHECK_HEADER([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15],
+        [
+            fastRSA_found=yes
+            AM_LDFLAGS="${AM_LDFLAGS} -lippcore -lippcp"
+        ], [ fastRSA_found=no])
+    ], [fastRSA_found=no])

    # Error out on not finding libraries
-    if test "$ENABLED_FAST_RSA" = "no"; then
+    if test "$fastRSA_found" = "no"; then
        AC_MSG_ERROR([Could not find fast rsa libraries])
    fi
 fi
-fi # end of if found exported paths
 fi # end of if for shared library
 else # if user rsa is set than do not use fast rsa option
    if test "$ENABLED_FAST_RSA" = "yes"; then
        AC_MSG_ERROR([Could not use fast rsa libraries with user crypto or fips])
    fi
-fi # end of if for user rsa crypto
+fi # end of if for user rsa crypto or fips

+#   End result of checking for IPP Libraries
 AC_MSG_CHECKING([for fast RSA])
 if test "$ENABLED_FAST_RSA" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_FAST_RSA -DHAVE_USER_RSA"
    # add in user crypto header that uses Intel IPP
    AM_CPPFLAGS="$AM_CPPFLAGS -I$srcdir/wolfcrypt/user-crypto/include"
    if test "$enable_shared" = "yes"; then
-        LIBS="$LIBS -lippcore"
+        LIBS="$LIBS -lippcore -lippcp"
        LIB_ADD="-lippcp -lippcore $LIB_ADD"
    else
        LIB_ADD="$srcdir/IPP/$ipplib/libippcp.a $srcdir/IPP/$ipplib/libippcore.a $LIB_ADD"
@ -2420,7 +2430,6 @@ fi
 AC_SUBST([IPPLIBS])
 AC_SUBST([IPPHEADERS])
 AC_SUBST([IPPLINK])
-# Found IPP library now build in user crypto to use it
 AM_CONDITIONAL([BUILD_FAST_RSA], [test "x$ENABLED_FAST_RSA" = "xyes"])


--- a/wolfcrypt/user-crypto/src/rsa.c
+++ b/wolfcrypt/user-crypto/src/rsa.c
@ -160,7 +160,7 @@ static int SetIndividualExternal(WOLFSSL_BIGNUM** bn, IppsBigNumState* in)
    if (ret != ippStsNoErr)
        return USER_CRYPTO_ERROR;

-    data = XMALLOC(sz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    data = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
    if (data == NULL)
        return USER_CRYPTO_ERROR;

@ -200,13 +200,15 @@ static int SetIndividualInternal(WOLFSSL_BIGNUM* bn, IppsBigNumState** mpi)
        if (ret != ippStsNoErr)
            return USER_CRYPTO_ERROR;

-        *mpi = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+        *mpi = (IppsBigNumState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
        if (*mpi == NULL)
            return USER_CRYPTO_ERROR;

        ret = ippsBigNumInit(length, *mpi);
-        if (ret != ippStsNoErr)
+        if (ret != ippStsNoErr) {
+            XFREE(*mpi, NULL, DYNAMIC_TYPE_USER_CRYPTO);
            return USER_CRYPTO_ERROR;
+        }

    }

@ -219,7 +221,7 @@ static int SetIndividualInternal(WOLFSSL_BIGNUM* bn, IppsBigNumState** mpi)
        return USER_CRYPTO_ERROR;
    }

-    data = XMALLOC(length, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    data = (Ipp8u*)XMALLOC(length, NULL, DYNAMIC_TYPE_USER_CRYPTO);
    if (data == NULL)
        return USER_CRYPTO_ERROR;

@ -399,7 +401,8 @@ int SetRsaInternal(WOLFSSL_RSA* rsa)
        return USER_CRYPTO_ERROR;
    }

-    key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL,
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
    if (key->pPub == NULL)
        return USER_CRYPTO_ERROR;

@ -452,7 +455,8 @@ int SetRsaInternal(WOLFSSL_RSA* rsa)
        }

        key->prvSz = ctxSz;
-        key->pPrv = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+        key->pPrv = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, 0,
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
        if (key->pPrv == NULL)
            return USER_CRYPTO_ERROR;

@ -575,13 +579,15 @@ static IppStatus init_bn(IppsBigNumState** in, int sz)
        return ret;
    }

-    *in = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+    *in = (IppsBigNumState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
    if (*in == NULL) {
        return ippStsNoMemErr;
    }

    ret = ippsBigNumInit(sz, *in);
    if (ret != ippStsNoErr) {
+        XFREE(*in, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        *in = NULL;
        return ret;
    }

@ -592,41 +598,51 @@ static IppStatus init_bn(IppsBigNumState** in, int sz)
 /* Set up memory and structure for a Montgomery struct
 * returns ippStsNoErr on success
 */
-static IppStatus init_mont(IppsMontState** mont, IppsBigNumState* modul)
+static IppStatus init_mont(IppsMontState** mont, int* ctxSz,
+                                                         IppsBigNumState* modul)
 {
-    int ctxSz, mSz;
-    Ipp32u*    m;
-    IppStatus  ret;
+    int       mSz;
+    Ipp32u*   m;
+    IppStatus ret;

-    ret = ippsExtGet_BN(NULL, &ctxSz, NULL, modul);
+    ret = ippsExtGet_BN(NULL, ctxSz, NULL, modul);
    if (ret != ippStsNoErr) {
        return ret;
    }

-    mSz = (ctxSz/32)+((ctxSz % 32)? 1: 0);
-    m = XMALLOC(mSz * sizeof(Ipp32u), 0, DYNAMIC_TYPE_USER_CRYPTO);
+    /* convert bits to Ipp32u array size and round up
+       32 is number of bits in type */
+    mSz = (*ctxSz/32)+((*ctxSz % 32)? 1: 0);
+    m = (Ipp32u*)XMALLOC(mSz * sizeof(Ipp32u), 0, DYNAMIC_TYPE_USER_CRYPTO);
    if (m == NULL) {
+        XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
        return ippStsNoMemErr;
    }

    ret = ippsExtGet_BN(NULL, NULL, m, modul);
    if (ret != ippStsNoErr) {
+        XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
        return ret;
    }

-    ret = ippsMontGetSize(IppsBinaryMethod, mSz, &ctxSz);
+    ret = ippsMontGetSize(IppsSlidingWindows, mSz, ctxSz);
    if (ret != ippStsNoErr) {
+        XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
        return ret;
    }

    /* 2. Allocate working buffer using malloc */
-    *mont = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+    *mont = (IppsMontState*)XMALLOC(*ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
    if (mont == NULL) {
+        XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
        return ippStsNoMemErr;
    }
-    ret = ippsMontInit(IppsBinaryMethod, mSz, *mont);
+    ret = ippsMontInit(IppsSlidingWindows, mSz, *mont);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("ippsMontInit error of %s\n", ippGetStatusString(ret)));
+        XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(*mont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        *mont = NULL;
        return ret;
    }

@ -634,6 +650,9 @@ static IppStatus init_mont(IppsMontState** mont, IppsBigNumState* modul)
    ret = ippsMontSet(m, mSz, *mont);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("ippsMontSet error of %s\n", ippGetStatusString(ret)));
+        XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(*mont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        *mont = NULL;
        return ret;
    }

@ -779,7 +798,7 @@ static int GetInt(IppsBigNumState** mpi, const byte* input, word32* inOutIdx,
    if (ret != ippStsNoErr)
        return USER_CRYPTO_ERROR;

-    *mpi = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+    *mpi = (IppsBigNumState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
    if (*mpi == NULL)
        return USER_CRYPTO_ERROR;

@ -886,7 +905,8 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
        return USER_CRYPTO_ERROR;
    }

-    key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL,
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
    if (key->pPub == NULL)
        return USER_CRYPTO_ERROR;

@ -938,7 +958,8 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
    }

    key->prvSz = ctxSz;
-    key->pPrv = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+    key->pPrv = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, 0,
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
    if (key->pPrv == NULL)
        return USER_CRYPTO_ERROR;

@ -1056,7 +1077,8 @@ int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
        return USER_CRYPTO_ERROR;
    }

-    key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL,
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
    if (key->pPub == NULL)
        return USER_CRYPTO_ERROR;

@ -1123,7 +1145,8 @@ int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e,
        return USER_CRYPTO_ERROR;
    }

-    key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL,
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
    if (key->pPub == NULL)
        return USER_CRYPTO_ERROR;

@ -1168,8 +1191,8 @@ int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
    if (ret != ippStsNoErr)
        return USER_CRYPTO_ERROR;

-    scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
-                            DYNAMIC_TYPE_USER_CRYPTO);
+    scratchBuffer = (Ipp8u*)XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
    if (scratchBuffer == NULL)
        return USER_CRYPTO_ERROR;

@ -1211,8 +1234,8 @@ int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
        return USER_CRYPTO_ERROR;
    }

-    scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
-                                        DYNAMIC_TYPE_USER_CRYPTO);
+    scratchBuffer = (Ipp8u*)XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
    if (scratchBuffer == NULL) {
        return USER_CRYPTO_ERROR;
    }
@ -1242,7 +1265,7 @@ int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
    USER_DEBUG(("Entering wc_RsaPrivateDecryptInline\n"));

    /* allocate a buffer for max decrypted text */
-    tmp = XMALLOC(key->sz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    tmp = (byte*)XMALLOC(key->sz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
    if (tmp == NULL)
        return USER_CRYPTO_ERROR;

@ -1314,7 +1337,7 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
        return USER_CRYPTO_ERROR;
    }

-    pPub = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+    pPub = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
    if (pPub == NULL)
        return USER_CRYPTO_ERROR;

@ -1341,8 +1364,8 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
        return USER_CRYPTO_ERROR;
    }

-    scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
-                            DYNAMIC_TYPE_USER_CRYPTO);
+    scratchBuffer = (Ipp8u*)XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
    if (scratchBuffer == NULL) {
        FreeHelper(pTxt, cTxt, scratchBuffer, pPub);
        return USER_CRYPTO_ERROR;
@ -1475,23 +1498,58 @@ static IppStatus exptmod(IppsBigNumState* a, IppsBigNumState* b,
 }


+static void Free_BN(IppsBigNumState* bn)
+{
+    int sz, ctxSz;
+    IppStatus ret;
+
+    if (bn != NULL) {
+        ret = ippStsNoErr;
+        ret |= ippsGetSize_BN(bn, &sz);
+        ret |= ippsBigNumGetSize(sz, &ctxSz);
+        if (ret == ippStsNoErr) {
+            ForceZero(bn, ctxSz);
+        }
+        else {
+            USER_DEBUG(("Issue with clearing a struct in RsaSSL_Sign free\n"));
+        }
+        XFREE(bn, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        bn = NULL;
+    }
+}
+
+
+/* free up memory used during CRT sign operation */
+static void FreeSignHelper(IppsBigNumState* one, IppsBigNumState* tmp,
+        IppsBigNumState* tmpP, IppsBigNumState* tmpQ, IppsBigNumState* tmpa,
+        IppsBigNumState* tmpb)
+{
+    Free_BN(one);
+    Free_BN(tmp);
+    Free_BN(tmpP);
+    Free_BN(tmpQ);
+    Free_BN(tmpa);
+    Free_BN(tmpb);
+}
+
+
 /* for Rsa Sign */
 int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
                      RsaKey* key, WC_RNG* rng)
 {
-    int sz;
+    int sz, pSz, qSz;
    IppStatus ret;
    word32 outSz = outLen;

-    IppsMontState* pMont;
-    IppsMontState* qMont;
+    IppsMontState* pMont = NULL;
+    IppsMontState* qMont = NULL;

-    IppsBigNumState* one;
-    IppsBigNumState* tmp;
-    IppsBigNumState* tmpP;
-    IppsBigNumState* tmpQ;
-    IppsBigNumState* tmpa;
-    IppsBigNumState* tmpb;
+    IppsBigNumState* one  = NULL;
+    IppsBigNumState* tmp  = NULL;
+    IppsBigNumState* tmpP = NULL;
+    IppsBigNumState* tmpQ = NULL;
+    IppsBigNumState* tmpa = NULL;
+    IppsBigNumState* tmpb = NULL;

    IppsBigNumSGN sa, sb;

@ -1507,6 +1565,13 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
        return USER_CRYPTO_ERROR;
    }

+    /* sanity check on key being used */
+    if (key->pipp == NULL || key->qipp == NULL || key->uipp == NULL ||
+            key->dPipp == NULL || key->dQipp == NULL) {
+        USER_DEBUG(("Bad key argument to wc_RsaSSL_Sign\n"));
+        return USER_CRYPTO_ERROR;
+    }
+
    if (sz > (int)outLen) {
        USER_DEBUG(("Bad argument outLen to wc_RsaSSL_Sign\n"));
        return USER_CRYPTO_ERROR;
@ -1527,11 +1592,14 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = init_bn(&tmp, sz);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }
    ret = ippsSetOctString_BN(out, sz, tmp);
    if (ret != ippStsNoErr) {
-        USER_DEBUG(("ippsSetOctString_BN error of %s\n", ippGetStatusString(ret)));
+        USER_DEBUG(("ippsSetOctString_BN error of %s\n",
+                                                      ippGetStatusString(ret)));
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1539,6 +1607,7 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = init_bn(&tmpP, sz);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1546,6 +1615,7 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = init_bn(&tmpQ, sz);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1553,6 +1623,7 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = init_bn(&tmpa, sz);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1560,6 +1631,7 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = init_bn(&tmpb, sz);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1567,27 +1639,39 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = init_bn(&one, sz);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }
    ret = ippsSetOctString_BN(o, 1, one);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("ippsSetOctString_BN error of %s\n",
                    ippGetStatusString(ret)));
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

    /**
      Set up Montgomery state
      */
-    ret = init_mont(&pMont, key->pipp);
+    ret = init_mont(&pMont, &pSz, key->pipp);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("init_mont error of %s\n", ippGetStatusString(ret)));
+        if (pMont != NULL) {
+            XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        }
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

-    ret = init_mont(&qMont, key->qipp);
+    ret = init_mont(&qMont, &qSz, key->qipp);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("init_mont error of %s\n", ippGetStatusString(ret)));
+        if (qMont != NULL) {
+            XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        }
+        ForceZero(pMont, pSz);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1599,6 +1683,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    if (ret != ippStsNoErr)
    {
        USER_DEBUG(("reduce error of %s\n", ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1606,6 +1695,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    if (ret != ippStsNoErr)
    {
        USER_DEBUG(("reduce error of %s\n", ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1613,6 +1707,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = exptmod(tmpP, key->dPipp, pMont, tmpa, one);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("exptmod error of %s\n", ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1620,6 +1719,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = exptmod(tmpQ, key->dQipp, qMont, tmpb, one);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("exptmod error of %s\n", ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1627,12 +1731,22 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = ippsSub_BN(tmpa, tmpb, tmp);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

    ret = ippsMul_BN(tmp, key->uipp, tmp);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("ippsMul_BN error of %s\n", ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1640,6 +1754,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
   ret = ippsDiv_BN(tmp, key->pipp, tmpa, tmp);
   if (ret != ippStsNoErr) {
        USER_DEBUG(("ippsDiv_BN error of %s\n", ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
   }

@ -1647,17 +1766,32 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = ippsExtGet_BN(&sa, NULL, NULL, tmp);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("ippsExtGet_BN error of %s\n", ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }
    ret = ippsExtGet_BN(&sb, NULL, NULL, key->pipp);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("ippsExtGet_BN error of %s\n", ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }
    if (sa != sb) {
        ret = ippsAdd_BN(tmp, key->pipp, tmp);
        if (ret != ippStsNoErr) {
            USER_DEBUG(("ippsAdd_BN error of %s\n", ippGetStatusString(ret)));
+            ForceZero(pMont, pSz);
+            ForceZero(qMont, qSz);
+            XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+            XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+            FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
            return USER_CRYPTO_ERROR;
        }
    }
@ -1666,6 +1800,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = ippsMul_BN(tmp, key->qipp, tmp);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1673,6 +1812,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    ret = ippsAdd_BN(tmp, tmpb, tmp);
    if (ret != ippStsNoErr) {
        USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

@ -1681,27 +1825,22 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
    if (ret != ippStsNoErr) {
        USER_DEBUG(("ippsGetOctString_BN error of %s\n",
                    ippGetStatusString(ret)));
+        ForceZero(pMont, pSz);
+        ForceZero(qMont, qSz);
+        XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+        FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
        return USER_CRYPTO_ERROR;
    }

    outSz = sz;

-    XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    /* clear memory and free */
+    ForceZero(pMont, pSz);
+    ForceZero(qMont, qSz);
    XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
-
-    XFREE(one, NULL, DYNAMIC_TYPE_USER_CRYPTO);
-
-    /* clear memory by setting BN to one and then free */
-    ippsSetOctString_BN(o, 1, tmp);
-    XFREE(tmp, NULL, DYNAMIC_TYPE_USER_CRYPTO);
-    ippsSetOctString_BN(o, 1, tmpP);
-    XFREE(tmpP, NULL, DYNAMIC_TYPE_USER_CRYPTO);
-    ippsSetOctString_BN(o, 1, tmpQ);
-    XFREE(tmpQ, NULL, DYNAMIC_TYPE_USER_CRYPTO);
-    ippsSetOctString_BN(o, 1, tmpa);
-    XFREE(tmpa, NULL, DYNAMIC_TYPE_USER_CRYPTO);
-    ippsSetOctString_BN(o, 1, tmpb);
-    XFREE(tmpb, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);

    return outSz;
 }
@ -1829,7 +1968,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
        return USER_CRYPTO_ERROR;
    }

-    pPrime = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    pPrime = (IppsPrimeState*)XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
    if (pPrime == NULL)
        return USER_CRYPTO_ERROR;

@ -1849,7 +1988,8 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
    }

    key->prvSz = ctxSz; /* used when freeing private key */
-    key->pPrv = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    key->pPrv = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, NULL,
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
    if (key->pPrv == NULL)
        return USER_CRYPTO_ERROR;

@ -1869,7 +2009,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
        return USER_CRYPTO_ERROR;
    }

-    scratchBuffer = XMALLOC(scratchSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+    scratchBuffer = (Ipp8u*)XMALLOC(scratchSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
    if (scratchBuffer == NULL)
        return USER_CRYPTO_ERROR;

@ -1943,7 +2083,8 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
        return USER_CRYPTO_ERROR;
    }

-    key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+    key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL,
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
    if (key->pPub == NULL)
        return USER_CRYPTO_ERROR;

@ -2381,7 +2522,7 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
        rawLen += lbit;

        tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
-                                 DYNAMIC_TYPE_USER_CRYPTO);
+                                                      DYNAMIC_TYPE_USER_CRYPTO);
        if (tmps[i] == NULL) {
            ret = USER_CRYPTO_ERROR;
            break;