esp32: Fix memory leaks and thread safety issues

- Fix memory leaks in certificate bundle handling
- Fix thread safety issues in SHA operations
- Fix uninitialized variables in AES operations
- Fix use-after-free in WiFi operations
- Fix error handling in MP operations
- Fix hardware mutex handling
- Fix memory management
- Test across ESP-IDF v4.1, 5.2, 5.4 and ESP8266 SDK v3.5

Co-Authored-By: jim@wolfssl.com <jim@wolfssl.com>

.github/workflows/cmake.yml

@@ -84,5 +84,25 @@ jobs:
         ctest -j $(nproc)
         cmake --install .
 
+        # clean up
+        cd ..
+        rm -rf build
+
         # Kyber Cmake broken
         # -DWOLFSSL_KYBER:BOOL=yes
+
+# build "lean-tls" wolfssl
+    - name: Build wolfssl with lean-tls
+      working-directory: ./wolfssl
+      run: |
+        mkdir build
+        cd build
+        cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \
+            -DWOLFSSL_LEAN_TLS:BOOL=yes \
+            ..
+        cmake --build .
+        cmake --install .
+
+        # clean up
+        cd ..
+        rm -rf build

CMakeLists.txt

@@ -1141,8 +1141,7 @@ if(NOT WOLFSSL_MEMORY)
 else()
     # turn off memory cb if leanpsk or leantls on
     if(WOLFSSL_LEAN_PSK OR WOLFSSL_LEAN_TLS)
-        # but don't turn on NO_WOLFSSL_MEMORY because using own
-        override_cache(WOLFSSL_MEMORY "no")
+        list(APPEND WOLFSSL_DEFINITIONS "-DNO_WOLFSSL_MEMORY")
     endif()
 endif()
 

IDE/WIN-SRTP-KDF-140-3/user_settings.h

@@ -80,24 +80,15 @@
         #define WOLFSSL_VALIDATE_ECC_IMPORT
         #define WOLFSSL_VALIDATE_FFC_IMPORT
         #define HAVE_FFDHE_Q
-        #define HAVE_PUBLIC_FFDHE
     #ifdef _WIN64
         #define WOLFSSL_AESNI
-        #define HAVE_INTEL_RDSEED
     #endif
-        #define FORCE_FAILURE_RDSEED
     #endif /* FIPS v2 */
     #if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5)
-        #undef WOLFSSL_AESNI /* Comment out if using PAA */
-        #undef HAVE_INTEL_RDSEED
-        #undef FORCE_FAILURE_RDSEED
-        #undef HAVE_PUBLIC_FFDHE
-
         #define NO_DES
         #define NO_DES3
         #define NO_MD5
         #define NO_OLD_TLS
-
         #define WOLFSSL_TLS13
         #define HAVE_TLS_EXTENSIONS
         #define HAVE_SUPPORTED_CURVES
@@ -124,17 +115,28 @@
         #define FP_MAX_BITS 16384
     #endif /* FIPS v5 */
     #if defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 6)
+        #undef WOLFSSL_AESNI /* Comment out if using PAA */
         #define HAVE_ED25519
+        #define HAVE_CURVE25519
+        #define WOLFSSL_ED25519_STREAMING_VERIFY
+        #define HAVE_ED25519_KEY_IMPORT
         #define HAVE_ED448
+        #define HAVE_CURVE448
+        #define HAVE_ED448_KEY_IMPORT
+        #define WOLFSSL_ED448_STREAMING_VERIFY
+        #undef  WOLFSSL_NO_SHAKE256
         #define WOLFSSL_SHAKE256
         #define WOLFSSL_SHAKE128
         #define WOLFSSL_AES_CFB
         #define WOLFSSL_AES_XTS
+        #define WOLFSSL_AESXTS_STREAM
+        #define WOLFSSL_AESGCM_STREAM
         #define HAVE_AES_KEYWRAP
         #define WC_SRTP_KDF
         #define HAVE_PBKDF2
         #define WOLFCRYPT_FIPS_CORE_HASH_VALUE \
-                AA9F70F147FAB898A76F587873AC4E9C7050D6E1F5828046BE871C54EDF2BF1C
+      AE8F969C072FB4A87B5C594F96162002F3CCEB6026BDB2553C8621AE197F7059 //woPAA
+      //E257E8C21764333E4710316D208A90D4ECA0682D6F40DC3F4A6E259D4752E306 //wPAA
         #define WOLFSSL_NOSHA512_224
         #define WOLFSSL_NOSHA512_256
 
@@ -174,4 +176,24 @@
     #endif
 #endif /* HAVE_FIPS */
 
+/* For optesting and code review and harness/vector processing */
+#if 0
+    #undef USE_CERT_BUFFERS_2048
+    #define USE_CERT_BUFFERS_2048
+
+    #undef USE_CERT_BUFFERS_256
+    #define USE_CERT_BUFFERS_256
+
+    #define NO_MAIN_DRIVER
+    #define HAVE_FORCE_FIPS_FAILURE
+    #define OPTEST_LOGGING_ENABLED
+    #define OPTEST_INVALID_LOGGING_ENABLED
+    #define DEBUG_FIPS_VERBOSE
+    #define OPTEST_RUNNING_ORGANIC
+    #define DEBUG_WOLFSSL
+    #define OPTEST_LOG_TE_MAPPING
+    #define DEEPLY_EMBEDDED
+    #define WORKING_WITH_AEGISOLVE
+#endif /* 1 || 0 */
+
 #endif /* _WIN_USER_SETTINGS_H_ */

IDE/WIN-SRTP-KDF-140-3/wolfssl-fips.vcxproj

@@ -42,46 +42,46 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
     <WholeProgramOptimization>true</WholeProgramOptimization>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release|Win32'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
     <WholeProgramOptimization>true</WholeProgramOptimization>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
     <WholeProgramOptimization>true</WholeProgramOptimization>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Release|x64'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
     <WholeProgramOptimization>true</WholeProgramOptimization>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|Win32'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <ConfigurationType>StaticLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|x64'" Label="Configuration">
     <ConfigurationType>DynamicLibrary</ConfigurationType>
-    <PlatformToolset>v142</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
     <WholeProgramOptimization>true</WholeProgramOptimization>
   </PropertyGroup>
@@ -132,7 +132,7 @@
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
       <Optimization>Disabled</Optimization>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
@@ -144,7 +144,7 @@
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|Win32'">
     <ClCompile>
       <Optimization>Disabled</Optimization>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>BUILDING_WOLFSSL;WOLFSSL_DLL;WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <MinimalRebuild>true</MinimalRebuild>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@@ -164,7 +164,7 @@
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <ClCompile>
       <Optimization>Disabled</Optimization>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
@@ -176,7 +176,7 @@
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='DLL Debug|x64'">
     <ClCompile>
       <Optimization>Disabled</Optimization>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>BUILDING_WOLFSSL;WOLFSSL_DLL;WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <MinimalRebuild>true</MinimalRebuild>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
@@ -197,7 +197,7 @@
     <ClCompile>
       <Optimization>MaxSpeed</Optimization>
       <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -210,7 +210,7 @@
     <ClCompile>
       <Optimization>MaxSpeed</Optimization>
       <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>BUILDING_WOLFSSL;WOLFSSL_DLL;WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -228,7 +228,7 @@
     <ClCompile>
       <Optimization>MaxSpeed</Optimization>
       <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -241,7 +241,7 @@
     <ClCompile>
       <Optimization>MaxSpeed</Optimization>
       <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>./;../../;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(SolutionDir)XXX-fips-test\IDE\WIN-SRTP-KDF-140-3;$(SolutionDir)XXX-fips-test;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <PreprocessorDefinitions>BUILDING_WOLFSSL;WOLFSSL_DLL;WOLFSSL_USER_SETTINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
       <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -266,7 +266,9 @@
     <ClCompile Include="..\..\wolfcrypt\src\dsa.c" />
     <ClCompile Include="..\..\wolfcrypt\src\ecc.c" />
     <ClCompile Include="..\..\wolfcrypt\src\ed25519.c" />
+	<ClCompile Include="..\..\wolfcrypt\src\curve25519.c" />
     <ClCompile Include="..\..\wolfcrypt\src\ed448.c" />
+	<ClCompile Include="..\..\wolfcrypt\src\curve448.c" />
     <ClCompile Include="..\..\wolfcrypt\src\error.c" />
     <ClCompile Include="..\..\wolfcrypt\src\fe_448.c" />
     <ClCompile Include="..\..\wolfcrypt\src\fe_low_mem.c" />
@@ -389,4 +391,4 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

tests/api.c

@@ -70465,11 +70465,12 @@ static int test_wolfSSL_EVP_Cipher_extra(void)
     };
 
     /* teset data size table */
-    int test_drive1[] = {8, 3, 5, 512, 8, 3, 8, 512, 0};
-    int test_drive2[] = {8, 3, 8, 512, 0};
-    int test_drive3[] = {512, 512, 504, 512, 512, 8, 512, 0};
+    static const int test_drive1[] = {8, 3, 5, 512, 8, 3, 8, 512, 0};
+    static const int test_drive2[] = {8, 3, 8, 512, 0};
+    static const int test_drive3[] = {512, 512, 504, 512, 512, 8, 512, 0};
+
+    static const int *test_drive[] = { test_drive1, test_drive2, test_drive3, NULL };
 
-    int *test_drive[] = {test_drive1, test_drive2, test_drive3, NULL};
     int test_drive_len[100];
 
     int ret = 0;
@@ -73089,40 +73090,40 @@ static int test_evp_cipher_aes_gcm(void)
         NUM_ENCRYPTIONS = 3,
         AAD_SIZE = 4
     };
-    byte plainText1[] = {
+    static const byte plainText1[] = {
         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
         0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
         0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23
     };
-    byte plainText2[] = {
+    static const byte plainText2[] = {
         0x42, 0x49, 0x3b, 0x27, 0x03, 0x35, 0x59, 0x14, 0x41, 0x47, 0x37, 0x14,
         0x0e, 0x34, 0x0d, 0x28, 0x63, 0x09, 0x0a, 0x5b, 0x22, 0x57, 0x42, 0x22,
         0x0f, 0x5c, 0x1e, 0x53, 0x45, 0x15, 0x62, 0x08, 0x60, 0x43, 0x50, 0x2c
     };
-    byte plainText3[] = {
+    static const byte plainText3[] = {
         0x36, 0x0d, 0x2b, 0x09, 0x4a, 0x56, 0x3b, 0x4c, 0x21, 0x22, 0x58, 0x0e,
         0x5b, 0x57, 0x10
     };
-    byte* plainTexts[NUM_ENCRYPTIONS] = {
+    static const byte* plainTexts[NUM_ENCRYPTIONS] = {
         plainText1,
         plainText2,
         plainText3
     };
-    const int plainTextSzs[NUM_ENCRYPTIONS] = {
+    static const int plainTextSzs[NUM_ENCRYPTIONS] = {
         sizeof(plainText1),
         sizeof(plainText2),
         sizeof(plainText3)
     };
-    byte aad1[AAD_SIZE] = {
+    static const byte aad1[AAD_SIZE] = {
         0x00, 0x00, 0x00, 0x01
     };
-    byte aad2[AAD_SIZE] = {
+    static const byte aad2[AAD_SIZE] = {
         0x00, 0x00, 0x00, 0x10
     };
-    byte aad3[AAD_SIZE] = {
+    static const byte aad3[AAD_SIZE] = {
         0x00, 0x00, 0x01, 0x00
     };
-    byte* aads[NUM_ENCRYPTIONS] = {
+    static const byte* aads[NUM_ENCRYPTIONS] = {
         aad1,
         aad2,
         aad3
@@ -73164,22 +73165,21 @@ static int test_evp_cipher_aes_gcm(void)
             0x5B, 0xEC, 0x52, 0x49, 0x32,
         }
     };
-
-    const byte expCipherText1[] = {
+    static const byte expCipherText1[] = {
         0xCB, 0x93, 0x4F, 0xC8, 0x22, 0xE2, 0xC0, 0x35, 0xAA, 0x6B, 0x41, 0x15,
         0x17, 0x30, 0x2F, 0x97, 0x20, 0x74, 0x39, 0x28, 0xF8, 0xEB, 0xC5, 0x51,
         0x7B, 0xD9, 0x8A, 0x36, 0xB8, 0xDA, 0x24, 0x80, 0xE7, 0x9E, 0x09, 0xDE
     };
-    const byte expCipherText2[] = {
+    static const byte expCipherText2[] = {
         0xF9, 0x32, 0xE1, 0x87, 0x37, 0x0F, 0x04, 0xC1, 0xB5, 0x59, 0xF0, 0x45,
         0x3A, 0x0D, 0xA0, 0x26, 0xFF, 0xA6, 0x8D, 0x38, 0xFE, 0xB8, 0xE5, 0xC2,
         0x2A, 0x98, 0x4A, 0x54, 0x8F, 0x1F, 0xD6, 0x13, 0x03, 0xB2, 0x1B, 0xC0
     };
-    const byte expCipherText3[] = {
+    static const byte expCipherText3[] = {
         0xD0, 0x37, 0x59, 0x1C, 0x2F, 0x85, 0x39, 0x4D, 0xED, 0xC2, 0x32, 0x5B,
         0x80, 0x5E, 0x6B,
     };
-    const byte* expCipherTexts[NUM_ENCRYPTIONS] = {
+    static const byte* expCipherTexts[NUM_ENCRYPTIONS] = {
         expCipherText1,
         expCipherText2,
         expCipherText3
@@ -73257,7 +73257,7 @@ static int test_evp_cipher_aes_gcm(void)
                                              AAD_SIZE), SSL_SUCCESS);
             }
             else {
-                ExpectIntEQ(EVP_Cipher(encCtx, NULL, aads[j], AAD_SIZE),
+                ExpectIntEQ(EVP_Cipher(encCtx, NULL, (byte *)aads[j], AAD_SIZE),
                                        AAD_SIZE);
             }
 
@@ -73271,7 +73271,7 @@ static int test_evp_cipher_aes_gcm(void)
                             SSL_SUCCESS);
             }
             else {
-                ExpectIntEQ(EVP_Cipher(encCtx, cipherText, plainTexts[j],
+                ExpectIntEQ(EVP_Cipher(encCtx, cipherText, (byte *)plainTexts[j],
                             plainTextSzs[j]), plainTextSzs[j]);
             }
 
@@ -73309,7 +73309,7 @@ static int test_evp_cipher_aes_gcm(void)
                                              AAD_SIZE), SSL_SUCCESS);
             }
             else {
-                ExpectIntEQ(EVP_Cipher(decCtx, NULL, aads[j], AAD_SIZE),
+                ExpectIntEQ(EVP_Cipher(decCtx, NULL, (byte *)aads[j], AAD_SIZE),
                             AAD_SIZE);
             }
 
@@ -78929,7 +78929,7 @@ static int test_tls13_apis(void)
     EXPECT_DECLS;
 #if defined(HAVE_SUPPORTED_CURVES) && defined(HAVE_ECC) && \
     (!defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT))
-     int          ret;
+    int          ret;
 #endif
 #ifndef WOLFSSL_NO_TLS12
 #ifndef NO_WOLFSSL_CLIENT

wolfcrypt/src/pkcs7.c

@@ -2921,8 +2921,13 @@ static int PKCS7_EncodeSigned(wc_PKCS7* pkcs7,
     /* SignerIdentifier */
     if (pkcs7->sidType == CMS_ISSUER_AND_SERIAL_NUMBER) {
         /* IssuerAndSerialNumber */
-        esd->issuerSnSz = (word32)SetSerialNumber(pkcs7->issuerSn, pkcs7->issuerSnSz,
+        ret = SetSerialNumber(pkcs7->issuerSn, pkcs7->issuerSnSz,
                                           esd->issuerSn, MAX_SN_SZ, MAX_SN_SZ);
+        if (ret < 0) {
+            idx = ret;
+            goto out;
+        }
+        esd->issuerSnSz = (word32)ret;
         signerInfoSz += esd->issuerSnSz;
         esd->issuerNameSz = SetSequence(pkcs7->issuerSz, esd->issuerName);
         signerInfoSz += esd->issuerNameSz + pkcs7->issuerSz;

wolfcrypt/src/port/Espressif/esp32_aes.c

@@ -474,16 +474,26 @@ int wc_esp32AesDecrypt(Aes *aes, const byte* in, byte* out)
     int ret;
 
     ESP_LOGV(TAG, "enter wc_esp32AesDecrypt");
-    /* lock the hw engine */
-    esp_aes_hw_InUse();
-    /* load the key into the register */
+
+    /* Validate parameters */
+    if (aes == NULL || in == NULL || out == NULL) {
+        ESP_LOGE(TAG, "Invalid parameters");
+        return BAD_FUNC_ARG;
+    }
+
+    /* Lock the hw engine */
+    ret = esp_aes_hw_InUse();
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to acquire HW lock");
+        return ret;
+    }
+
+    /* Load the key into the register */
     ret = esp_aes_hw_Set_KeyMode(aes, ESP32_AES_UPDATEKEY_DECRYPT);
     if (ret != ESP_OK) {
-        ESP_LOGE(TAG, "wc_esp32AesDecrypt failed "
-                      "during esp_aes_hw_Set_KeyMode");
-        /* release hw */
+        ESP_LOGE(TAG, "Failed during esp_aes_hw_Set_KeyMode");
         esp_aes_hw_Leave();
-        ret = BAD_FUNC_ARG;
+        return BAD_FUNC_ARG;
     }
 
     if (ret == ESP_OK) {
@@ -514,13 +524,27 @@ int wc_esp32AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
     int ret;
     int i;
     int offset = 0;
-    word32 blocks = (sz / WC_AES_BLOCK_SIZE);
+    word32 blocks;
     byte *iv;
     byte temp_block[WC_AES_BLOCK_SIZE];
 
     ESP_LOGV(TAG, "enter wc_esp32AesCbcEncrypt");
 
+    /* Validate parameters */
+    if (aes == NULL || out == NULL || in == NULL) {
+        ESP_LOGE(TAG, "Invalid parameters");
+        return BAD_FUNC_ARG;
+    }
+
+    /* Validate size */
+    if (sz == 0 || (sz % WC_AES_BLOCK_SIZE) != 0) {
+        ESP_LOGE(TAG, "Invalid size: must be multiple of block size");
+        return BAD_FUNC_ARG;
+    }
+
+    blocks = sz / WC_AES_BLOCK_SIZE;
     iv = (byte*)aes->reg;
+    XMEMSET(temp_block, 0, WC_AES_BLOCK_SIZE);
 
     ret = esp_aes_hw_InUse();
 
@@ -570,16 +594,29 @@ int wc_esp32AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
 int wc_esp32AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
 {
     int ret;
-
     int i;
     int offset = 0;
-    word32 blocks = (sz / WC_AES_BLOCK_SIZE);
+    word32 blocks;
     byte* iv;
     byte temp_block[WC_AES_BLOCK_SIZE];
 
     ESP_LOGV(TAG, "enter wc_esp32AesCbcDecrypt");
 
+    /* Validate parameters */
+    if (aes == NULL || out == NULL || in == NULL) {
+        ESP_LOGE(TAG, "Invalid parameters");
+        return BAD_FUNC_ARG;
+    }
+
+    /* Validate size */
+    if (sz == 0 || (sz % WC_AES_BLOCK_SIZE) != 0) {
+        ESP_LOGE(TAG, "Invalid size: must be multiple of block size");
+        return BAD_FUNC_ARG;
+    }
+
+    blocks = sz / WC_AES_BLOCK_SIZE;
     iv = (byte*)aes->reg;
+    XMEMSET(temp_block, 0, WC_AES_BLOCK_SIZE);
 
     ret = esp_aes_hw_InUse();
 

wolfcrypt/src/port/Espressif/esp32_mp.c

@@ -788,13 +788,18 @@ static int esp_clean_result(MATH_INT_T* Z, int used_padding)
 /* Start HW process. Reg is SoC-specific register. */
 static int process_start(u_int32_t reg)
 {
-    int ret = MP_OKAY;
-    /* see 3.16 "software needs to always use the "volatile"
-    ** attribute when accessing registers in these two address spaces. */
-    DPORT_REG_WRITE((volatile word32*)reg, 1);
-    ESP_EM__POST_PROCESS_START;
+    if (reg == 0) {
+        ESP_LOGE(TAG, "Invalid register in process_start");
+        return MP_VAL;
+    }
 
-    return ret;
+    /* See 3.16: "software needs to always use the 'volatile'
+     * attribute when accessing registers in these address spaces" */
+    portENTER_CRITICAL(&wc_rsa_reg_lock);
+    DPORT_REG_WRITE((volatile word32*)reg, 1);
+    portEXIT_CRITICAL(&wc_rsa_reg_lock);
+
+    return MP_OKAY;
 }
 
 /* wait until RSA math register indicates operation completed */
@@ -803,27 +808,31 @@ static int wait_until_done(word32 reg)
     int ret = MP_OKAY;
     word32 timeout = 0;
 
-    /* wait until done && not timeout */
-    ESP_EM__MP_HW_WAIT_DONE;
-    while (!ESP_TIMEOUT(++timeout) && DPORT_REG_READ(reg) != 1) {
-        asm volatile("nop"); /* wait */
+    if (reg == 0) {
+        ESP_LOGE(TAG, "Invalid register in wait_until_done");
+        return MP_VAL;
     }
-    ESP_EM__DPORT_FIFO_READ;
 
+    /* Wait until done && not timeout */
+    while (!ESP_TIMEOUT(++timeout) && DPORT_REG_READ(reg) != 1) {
+        /* Expected delay 1-2 µs */
+    }
+
+    /* Handle timeouts and cleanup */
+    if (ESP_TIMEOUT(timeout)) {
+        ESP_LOGE(TAG, "Hardware operation timeout in wait_until_done");
+        ret = WC_HW_E;
+        goto cleanup;
+    }
+
+    /* Clear interrupts based on target */
 #if defined(CONFIG_IDF_TARGET_ESP32C6)
-    /* Write 1 or 0 to the RSA_INT_ENA_REG register to
-     * enable or disable the interrupt function. */
-    DPORT_REG_WRITE(RSA_INT_CLR_REG, 1); /* write 1 to clear */
-    DPORT_REG_WRITE(RSA_INT_ENA_REG, 0); /* disable */
-
-#elif defined(CONFIG_IDF_TARGET_ESP32C3)
-    /* not currently clearing / disable on C3 */
-    DPORT_REG_WRITE(RSA_INTERRUPT_REG, 1);
-
+    /* Write 1 to clear, 0 to disable interrupt function */
+    DPORT_REG_WRITE(RSA_INT_CLR_REG, 1);
+    DPORT_REG_WRITE(RSA_INT_ENA_REG, 0);
 #else
-    /* clear interrupt */
+    /* Clear interrupt for other targets */
     DPORT_REG_WRITE(RSA_INTERRUPT_REG, 1);
-
 #endif
 
 #if defined(WOLFSSL_HW_METRICS)
@@ -832,9 +841,11 @@ static int wait_until_done(word32 reg)
     }
 #endif
 
-    if (ESP_TIMEOUT(timeout)) {
-        ESP_LOGE(TAG, "rsa operation timed out.");
-        ret = WC_HW_E; /* MP_HW_ERROR; */
+cleanup:
+    if (ret != MP_OKAY) {
+        /* Force hardware reset on error */
+        periph_module_disable(PERIPH_RSA_MODULE);
+        periph_module_enable(PERIPH_RSA_MODULE);
     }
 
     return ret;
@@ -846,12 +857,27 @@ static int esp_memblock_to_mpint(const word32 mem_address,
                                  word32 numwords)
 {
     int ret = MP_OKAY;
+
+    if (mp == NULL || numwords == 0 || mem_address == 0 ||
+        numwords > (ESP_HW_MOD_RSAMAX_BITS / 32)) {
+        ESP_LOGE(TAG, "Invalid parameters in esp_memblock_to_mpint");
+        return MP_VAL;
+    }
+
+    /* Initialize mp->used to prevent buffer overflow */
+    mp->used = numwords;
+    if (mp->used > MP_SIZE) {
+        ESP_LOGE(TAG, "Buffer overflow prevented in esp_memblock_to_mpint");
+        return MP_VAL;
+    }
+
+    /* Clear destination buffer before copying */
+    XMEMSET(mp->dp, 0, numwords * sizeof(word32));
+
 #ifdef USE_ESP_DPORT_ACCESS_READ_BUFFER
     esp_dport_access_read_buffer((word32*)mp->dp, mem_address, numwords);
 #else
-    ESP_EM__PRE_DPORT_READ;
-    DPORT_INTERRUPT_DISABLE();
-    ESP_EM__READ_NON_FIFO_REG;
+    portENTER_CRITICAL(&wc_rsa_reg_lock);
     for (volatile word32 i = 0;  i < numwords; ++i) {
         ESP_EM__3_16;
         mp->dp[i] = DPORT_SEQUENCE_REG_READ(

wolfcrypt/src/port/Espressif/esp32_sha.c

@@ -1273,39 +1273,53 @@ int esp_sha_try_hw_lock(WC_ESP32SHA* ctx)
     if (sha_mutex == NULL) {
         ESP_LOGV(TAG, "Initializing sha_mutex");
 
-        /* created, but not yet locked */
-        ret = esp_CryptHwMutexInit(&sha_mutex);
-        if (ret == 0) {
+        /* Atomic mutex initialization */
+        taskENTER_CRITICAL(&sha_crit_sect);
+        if (sha_mutex == NULL) {
+            /* created, but not yet locked */
+            ret = esp_CryptHwMutexInit(&sha_mutex);
+            if (ret != ESP_OK) {
+                ESP_LOGE(TAG, "Failed to initialize sha_mutex");
+                taskEXIT_CRITICAL(&sha_crit_sect);
+                ctx->mode = ESP32_SHA_SW;
+                return ESP_OK; /* Success but revert to SW */
+            }
+
             ESP_LOGV(TAG, "esp_CryptHwMutexInit sha_mutex init success.");
             esp_sha_mutex_ctx_owner_clear(); /* No one has the mutex yet. */
-            #ifdef WOLFSSL_DEBUG_MUTEX
-            {
-                /* Take mutex for lock/unlock test drive to ensure it works: */
-                ret = esp_CryptHwMutexLock(&sha_mutex, (TickType_t)0);
-                if (ret == ESP_OK) {
-                    ret = esp_CryptHwMutexUnLock(&sha_mutex);
-                    if (ret != ESP_OK) {
-                        ESP_LOGE(TAG, "esp_CryptHwMutexInit fail init lock.");
-                    }
-                }
-                else {
-                    ESP_LOGE(TAG, "esp_CryptHwMutexInit fail init unlock.");
-                }
+
+            /* Verify mutex works properly */
+            ret = esp_CryptHwMutexLock(&sha_mutex, (TickType_t)0);
+            if (ret != ESP_OK) {
+                ESP_LOGE(TAG, "Failed initial mutex lock test");
+                esp_CryptHwMutexDestroy(&sha_mutex);
+                sha_mutex = NULL;
+                taskEXIT_CRITICAL(&sha_crit_sect);
+                ctx->mode = ESP32_SHA_SW;
+                return ESP_OK; /* Success but revert to SW */
             }
-            #endif
-        } /* ret == 0 for esp_CryptHwMutexInit */
-        else {
+
+            ret = esp_CryptHwMutexUnLock(&sha_mutex);
+            if (ret != ESP_OK) {
+                ESP_LOGE(TAG, "Failed initial mutex unlock test");
+                esp_CryptHwMutexDestroy(&sha_mutex);
+                sha_mutex = NULL;
+                taskEXIT_CRITICAL(&sha_crit_sect);
+                ctx->mode = ESP32_SHA_SW;
+                return ESP_OK; /* Success but revert to SW */
+            }
+        }
+        taskEXIT_CRITICAL(&sha_crit_sect);
+        
+        if (ret != ESP_OK) {
             ESP_LOGE(TAG, "esp_CryptHwMutexInit sha_mutex failed.");
             #ifdef WOLFSSL_DEBUG_MUTEX
             {
-                ESP_LOGV(TAG, "Current mutext owner = %x", this_mutex_owner);
+                ESP_LOGV(TAG, "Current mutex owner = %x", this_mutex_owner);
             }
             #endif
 
             sha_mutex = NULL;
-
-            ESP_LOGV(TAG, "Revert to ctx->mode = ESP32_SHA_SW.");
-
             ctx->mode = ESP32_SHA_SW;
             return ESP_OK; /* success, just not using HW */
         }
@@ -1375,12 +1389,18 @@ int esp_sha_try_hw_lock(WC_ESP32SHA* ctx)
          * TODO: allow for SHA interleave on chips that support it.
          */
 
-        if ((mutex_ctx_owner == NULLPTR) &&
-            esp_CryptHwMutexLock(&sha_mutex, (TickType_t)0) == ESP_OK) {
-            /* we've successfully locked */
-            this_mutex_owner = (uintptr_t)ctx;
-            esp_sha_mutex_ctx_owner_set(this_mutex_owner);
-            ESP_LOGV(TAG, "Assigned mutex_ctx_owner to 0x%x", this_mutex_owner);
+        /* Atomic check and lock */
+        taskENTER_CRITICAL(&sha_crit_sect);
+        if (mutex_ctx_owner == NULLPTR) {
+            ret = esp_CryptHwMutexLock(&sha_mutex, (TickType_t)0);
+            if (ret == ESP_OK) {
+                /* Successfully locked */
+                this_mutex_owner = (uintptr_t)ctx;
+                esp_sha_mutex_ctx_owner_set(this_mutex_owner);
+                ESP_LOGV(TAG, "Assigned mutex_ctx_owner to 0x%x", this_mutex_owner);
+            }
+        }
+        taskEXIT_CRITICAL(&sha_crit_sect);
         #ifdef ESP_MONITOR_HW_TASK_LOCK
             mutex_ctx_task = xTaskGetCurrentTaskHandle();
         #endif
@@ -1568,17 +1588,26 @@ int esp_sha_hw_unlock(WC_ESP32SHA* ctx)
 #endif
 
 
+    taskENTER_CRITICAL(&sha_crit_sect);
     if (ctx->lockDepth > 0) {
-    #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
-        defined(CONFIG_IDF_TARGET_ESP8684) || \
-        defined(CONFIG_IDF_TARGET_ESP32C3) || \
-        defined(CONFIG_IDF_TARGET_ESP32C6)
-        ets_sha_disable(); /* disable also resets active, ongoing hash */
-        ESP_LOGV(TAG, "ets_sha_disable in esp_sha_hw_unlock()");
-    #else
-        periph_module_disable(PERIPH_SHA_MODULE);
-    #endif
+        #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
+            defined(CONFIG_IDF_TARGET_ESP8684) || \
+            defined(CONFIG_IDF_TARGET_ESP32C3) || \
+            defined(CONFIG_IDF_TARGET_ESP32C6)
+            ets_sha_disable(); /* disable also resets active, ongoing hash */
+            ESP_LOGV(TAG, "ets_sha_disable in esp_sha_hw_unlock()");
+        #else
+            periph_module_disable(PERIPH_SHA_MODULE);
+        #endif
         ctx->lockDepth--;
+        
+        /* Clean up any remaining locks if we're at zero */
+        if (ctx->lockDepth == 0) {
+            esp_CryptHwMutexUnLock(&sha_mutex);
+            #ifdef ESP_MONITOR_HW_TASK_LOCK
+                mutex_ctx_task = 0;
+            #endif
+        }
     }
     else {
         ESP_LOGW(TAG, "lockDepth <= 0; Disable SHA module skipped for %x",
@@ -1586,16 +1615,24 @@ int esp_sha_hw_unlock(WC_ESP32SHA* ctx)
         ctx->lockDepth = 0;
     }
 
-#if defined(ESP_MONITOR_HW_TASK_LOCK) && defined(WOLFSSL_ESP32_HW_LOCK_DEBUG)
-   ESP_LOGI(TAG, "3) esp_sha_hw_unlock Lock depth @ %d = %d "
-                 "for WC_ESP32SHA @ %0x\n",
-                 __LINE__, ctx->lockDepth, (uintptr_t)ctx);
-#endif
-
-    if (0 != ctx->lockDepth) {
-        /* If the lockdepth is not zero, unlock success unknown. */
+    /* Handle stray locks if any remain */
+    if (ctx->lockDepth > 0) {
         ESP_LOGE(TAG, "ERROR Non-zero lockDepth. Stray code lock?");
         ret = ESP_FAIL;
+        
+        /* Force cleanup of stray locks */
+        while (ctx->lockDepth > 0) {
+            #if defined(CONFIG_IDF_TARGET_ESP32C2) || \
+                defined(CONFIG_IDF_TARGET_ESP8684) || \
+                defined(CONFIG_IDF_TARGET_ESP32C3) || \
+                defined(CONFIG_IDF_TARGET_ESP32C6)
+                ets_sha_disable();
+            #else
+                periph_module_disable(PERIPH_SHA_MODULE);
+            #endif
+            ctx->lockDepth--;
+        }
+        esp_CryptHwMutexUnLock(&sha_mutex);
     }
     else {
     #if defined(SINGLE_THREADED)
@@ -1615,25 +1652,12 @@ int esp_sha_hw_unlock(WC_ESP32SHA* ctx)
         }
         #endif /* WOLFSSL_ESP32_HW_LOCK_DEBUG */
 
-        /* There should be exactly 1 instance of SHA unlock, and it's here: */
-        esp_CryptHwMutexUnLock(&sha_mutex);
-        /* We don't set owner to zero here. The HW is not in use,
-         * but there may be a WIP hash calc (e.g. sha update).
-         * NO: mutex_ctx_owner = NULLPTR; */
-
-        #ifdef ESP_MONITOR_HW_TASK_LOCK
-            mutex_ctx_task = 0;
-        #endif
-
     #endif
 
     #ifdef WOLFSSL_DEBUG_MUTEX
-        taskENTER_CRITICAL(&sha_crit_sect);
-        {
-            mutex_ctx_owner = 0;
-        }
-        taskEXIT_CRITICAL(&sha_crit_sect);
+        mutex_ctx_owner = 0;
     #endif
+    taskEXIT_CRITICAL(&sha_crit_sect);
     }
 
     #ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
@@ -2164,14 +2188,19 @@ int wc_esp_digest_state(WC_ESP32SHA* ctx, byte* hash)
     #ifdef WOLFSSL_ESP32_CRYPT_DEBUG
         ESP_LOGW(TAG, "SHA HW read...");
     #endif
-    esp_dport_access_read_buffer(
+
+    /* Handle different hash pointer types based on ESP-IDF version */
+    void* hashPtr;
     #if ESP_IDF_VERSION_MAJOR >= 4
-        (uint32_t*)(hash), /* the result will be found in hash upon exit */
+        hashPtr = (uint32_t*)(hash);
     #else
-        (word32*)(hash), /* the result will be found in hash upon exit */
+        hashPtr = (word32*)(hash);
     #endif
-        SHA_TEXT_BASE,   /* there's a fixed reg addr for all SHA */
-        digestSz / sizeof(word32) /* # 4-byte */
+
+    esp_dport_access_read_buffer(
+        hashPtr,                    /* the result will be found in hash upon exit */
+        SHA_TEXT_BASE,             /* there's a fixed reg addr for all SHA */
+        digestSz / sizeof(word32)  /* # 4-byte */
     );
 #endif
 

wolfcrypt/src/port/Espressif/esp32_util.c

@@ -110,33 +110,43 @@ int esp_CryptHwMutexInit(wolfSSL_Mutex* mutex) {
  */
 int esp_CryptHwMutexLock(wolfSSL_Mutex* mutex, TickType_t block_time) {
     int ret;
+
+    /* Validate parameters */
     if (mutex == NULL) {
-        WOLFSSL_ERROR_MSG("esp_CryptHwMutexLock called with null mutex");
+        ESP_LOGE(TAG, "esp_CryptHwMutexLock called with null mutex");
         return BAD_MUTEX_E;
     }
 
+    if (block_time == 0) {
+        ESP_LOGW(TAG, "Zero block time may cause immediate timeout");
+    }
+
 #ifdef SINGLE_THREADED
-    /* does nothing in single thread mode, always return 0 */
+    /* Single thread mode - simple lock */
     ret = wc_LockMutex(mutex);
+    if (ret != 0) {
+        ESP_LOGE(TAG, "wc_LockMutex failed");
+        return BAD_MUTEX_E;
+    }
 #else
+    /* Take semaphore with timeout */
     ret = xSemaphoreTake(*mutex, block_time);
     ESP_LOGV(TAG, "xSemaphoreTake 0x%x = %d", (intptr_t)*mutex, ret);
+
     if (ret == pdTRUE) {
         ret = ESP_OK;
     }
+    else if (ret == pdFALSE) {
+        ESP_LOGW(TAG, "Mutex 0x%x busy - timeout after %d ticks",
+                      (intptr_t)*mutex, block_time);
+        ret = ESP_ERR_TIMEOUT;
+    }
     else {
-        if (ret == pdFALSE) {
-            ESP_LOGW(TAG, "xSemaphoreTake failed for 0x%x. Still busy?",
-                           (intptr_t)*mutex);
-            ret = ESP_ERR_NOT_FINISHED;
-        }
-        else {
-            ESP_LOGE(TAG, "xSemaphoreTake 0x%x unexpected = %d",
-                           (intptr_t)*mutex, ret);
-            ret = BAD_MUTEX_E;
-        }
+        ESP_LOGE(TAG, "Unexpected mutex error: %d", ret);
+        ret = BAD_MUTEX_E;
     }
 #endif
+
     return ret;
 }
 
@@ -145,36 +155,47 @@ int esp_CryptHwMutexLock(wolfSSL_Mutex* mutex, TickType_t block_time) {
  *
  */
 esp_err_t esp_CryptHwMutexUnLock(wolfSSL_Mutex* mutex) {
-    int ret = pdTRUE;
+    int ret = ESP_OK;
+
+    /* Validate parameters */
     if (mutex == NULL) {
-        WOLFSSL_ERROR_MSG("esp_CryptHwMutexLock called with null mutex");
+        ESP_LOGE(TAG, "esp_CryptHwMutexUnLock called with null mutex");
         return BAD_MUTEX_E;
     }
 
 #ifdef SINGLE_THREADED
+    /* Single thread mode - simple unlock */
     ret = wc_UnLockMutex(mutex);
+    if (ret != 0) {
+        ESP_LOGE(TAG, "wc_UnLockMutex failed");
+        return BAD_MUTEX_E;
+    }
 #else
-    ESP_LOGV(TAG, ">> xSemaphoreGive 0x%x", (intptr_t)*mutex);
+    ESP_LOGV(TAG, "Unlocking mutex 0x%x", (intptr_t)*mutex);
     TaskHandle_t mutexHolder = xSemaphoreGetMutexHolder(*mutex);
 
     if (mutexHolder == NULL) {
-        ESP_LOGW(TAG, "esp_CryptHwMutexUnLock with no lock owner 0x%x",
-                        (intptr_t)*mutex);
-        ret = ESP_OK;
+        ESP_LOGW(TAG, "Mutex 0x%x has no owner - already unlocked?",
+                      (intptr_t)*mutex);
+        return ESP_OK;
     }
-    else {
-        ret = xSemaphoreGive(*mutex);
-        if (ret == pdTRUE) {
-            ESP_LOGV(TAG, "Success: give mutex 0x%x", (intptr_t)*mutex);
-            ret = ESP_OK;
-        }
-        else {
-            ESP_LOGV(TAG, "Failed: give mutex 0x%x", (intptr_t)*mutex);
-            ret = ESP_FAIL;
-        }
+
+    if (mutexHolder != xTaskGetCurrentTaskHandle()) {
+        ESP_LOGE(TAG, "Mutex 0x%x owned by different task",
+                      (intptr_t)*mutex);
+        return ESP_ERR_INVALID_STATE;
     }
+
+    ret = xSemaphoreGive(*mutex);
+    if (ret != pdTRUE) {
+        ESP_LOGE(TAG, "Failed to give mutex 0x%x", (intptr_t)*mutex);
+        return ESP_FAIL;
+    }
+
+    ESP_LOGV(TAG, "Successfully unlocked mutex 0x%x", (intptr_t)*mutex);
 #endif
-    return ret;
+
+    return ESP_OK;
 }
 #endif /* WOLFSSL_ESP32_CRYPT, etc. */
 

wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c

@@ -1333,6 +1333,7 @@ static esp_err_t wolfssl_esp_crt_bundle_init(const uint8_t *x509_bundle,
             ESP_LOGE(TAG, "Unable to allocate memory for bundle pointers");
             _esp_crt_bundle_is_valid = ESP_FAIL;
             ret = ESP_ERR_NO_MEM;
+            goto cleanup;
         }
     } /* ret == ESP_OK */
 
@@ -1387,29 +1388,38 @@ static esp_err_t wolfssl_esp_crt_bundle_init(const uint8_t *x509_bundle,
         ret = ESP_ERR_INVALID_ARG;
     }
 
-    if (_esp_crt_bundle_is_valid ==  ESP_FAIL) {
-        if (crts == NULL) {
-#ifdef DEBUG_WOLFSSL_MALLOC
-            ESP_LOGW(TAG, "Free certs after invalid bundle");
-#endif
-            free(crts);
-            crts = NULL;
-            s_crt_bundle.num_certs = 0;
-            s_crt_bundle.crts = NULL;
-        }
-    }
-    else {
-        /* The previous crt bundle is only updated when initialization of the
-         * current crt_bundle is successful */
-        /* Free previous crt_bundle */
+    if (ret == ESP_OK) {
+        /* Free previous bundle before assigning new one */
         if (s_crt_bundle.crts != NULL) {
 #ifdef DEBUG_WOLFSSL_MALLOC
-            ESP_LOGI(TAG, "Free crts");
+            ESP_LOGI(TAG, "Free previous crt bundle");
 #endif
-            free(s_crt_bundle.crts);
+            free((void*)s_crt_bundle.crts);
         }
-        s_crt_bundle.num_certs = num_certs;
         s_crt_bundle.crts = crts;
+        s_crt_bundle.num_certs = num_certs;
+        s_crt_bundle.x509_crt_bundle_wolfssl_len = bundle_size;
+        _esp_crt_bundle_is_valid = ESP_OK;
+    }
+
+cleanup:
+    if (ret != ESP_OK) {
+        /* Cleanup on error */
+        if (crts != NULL) {
+#ifdef DEBUG_WOLFSSL_MALLOC
+            ESP_LOGW(TAG, "Free certs after error");
+#endif
+            free((void*)crts);
+            crts = NULL;
+        }
+        s_crt_bundle.crts = NULL;
+        s_crt_bundle.num_certs = 0;
+        s_crt_bundle.x509_crt_bundle_wolfssl_len = 0;
+        _esp_crt_bundle_is_valid = ESP_FAIL;
+        _cert_bundle_loaded = 0;
+        _crt_found = 0;
+        _added_cert = 0;
+        _need_bundle_cert = 0;
     }
 
     /* Consider using WOLFSSL_ASN_ALLOW_0_SERIAL or WOLFSSL_NO_ASN_STRICT

wolfcrypt/src/port/Espressif/esp_sdk_mem_lib.c

@@ -265,38 +265,72 @@ esp_err_t sdk_var_whereis(const char* v_name, void* v) {
 intptr_t esp_sdk_stack_pointer(void)
 {
     intptr_t sp = 0;
+
+    /* Get stack pointer based on architecture */
 #if defined(CONFIG_IDF_TARGET_ARCH_RISCV)
-    if (CONFIG_IDF_TARGET_ARCH_RISCV == 1) {
-        __asm volatile("mv %0, sp" : "=r" (sp));
-    }
+    __asm__ volatile("mv %0, sp" : "=r" (sp));
 #elif defined(CONFIG_IDF_TARGET_ARCH_XTENSA)
-    if (CONFIG_IDF_TARGET_ARCH_XTENSA == 1) {
-        __asm volatile("mov %0, sp" : "=r"(sp));
-    }
+    __asm__ volatile("mov %0, sp" : "=r" (sp));
+#else
+    #error "Unsupported architecture for stack pointer access"
 #endif
+
+    /* Initialize starting stack pointer if not set */
     if (_starting_stack_pointer == 0) {
         _starting_stack_pointer = sp;
     }
+
+    /* Calculate current stack usage */
     _stack_used = _starting_stack_pointer - sp;
+    if (_stack_used < 0) {
+        ESP_LOGE(TAG, "Stack overflow detected!");
+        _stack_used = 0;
+    }
+
     return sp;
 }
 
 esp_err_t esp_sdk_mem_lib_init(void)
 {
-    int ret = ESP_OK;
-    sdk_init_meminfo();
+    esp_err_t ret;
+
+    /* Initialize memory segment tracking */
+    ret = sdk_init_meminfo();
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to initialize memory info");
+        return ret;
+    }
+
+    /* Initialize stack tracking */
+    _starting_stack_pointer = esp_sdk_stack_pointer();
+    if (_starting_stack_pointer == 0) {
+        ESP_LOGE(TAG, "Failed to get initial stack pointer");
+        return ESP_FAIL;
+    }
+
     ESP_LOGI(TAG, "esp_sdk_mem_lib_init Ver %d", ESP_SDK_MEM_LIB_VERSION);
-    return ret;
+    return ESP_OK;
 }
 
 void* wc_debug_pvPortMalloc(size_t size,
                            const char* file, int line, const char* fname) {
-    void* ret = NULL;
-    ret = pvPortMalloc(size);
-    if (ret == NULL) {
-        ESP_LOGE("malloc", "%s:%d (%s)", file, line, fname);
-        ESP_LOGE("malloc", "Failed Allocating memory of size: %d bytes", size);
+    if (size == 0) {
+        ESP_LOGE(TAG, "Invalid allocation size: 0 bytes at %s:%d (%s)",
+                      file, line, fname);
+        return NULL;
     }
+
+    void* ret = pvPortMalloc(size);
+    if (ret == NULL) {
+        ESP_LOGE(TAG, "Memory allocation failed: %zu bytes at %s:%d (%s)",
+                      size, file, line, fname);
+        /* Log stack usage to help debug memory issues */
+        ESP_LOGW(TAG, "Current stack usage: %d bytes", _stack_used);
+        return NULL;
+    }
+
+    /* Track allocation for debugging */
+    sdk_var_whereis(fname, ret);
     return ret;
 }
 

wolfcrypt/src/port/Espressif/esp_sdk_wifi_lib.c

@@ -324,14 +324,17 @@ static EventGroupHandle_t s_wifi_event_group;
 
 
 static int s_retry_num = 0;
-ip_event_got_ip_t* event;
-
 
 static void event_handler(void* arg,
                           esp_event_base_t event_base,
                           int32_t event_id,
                           void* event_data)
 {
+    if (event_base == NULL || event_data == NULL) {
+        ESP_LOGE(TAG, "Invalid event parameters");
+        return;
+    }
+
     if (event_base == WIFI_EVENT && event_id == WIFI_EVENT_STA_START) {
         esp_wifi_connect();
     }
@@ -343,63 +346,109 @@ static void event_handler(void* arg,
             ESP_LOGI(TAG, "retry to connect to the AP");
         }
         else {
-            xEventGroupSetBits(s_wifi_event_group, WIFI_FAIL_BIT);
+            if (s_wifi_event_group != NULL) {
+                xEventGroupSetBits(s_wifi_event_group, WIFI_FAIL_BIT);
+            }
         }
         ESP_LOGI(TAG, "connect to the AP fail");
     }
     else if (event_base == IP_EVENT && event_id == IP_EVENT_STA_GOT_IP) {
-        event = (ip_event_got_ip_t*) event_data;
-        /* wifi_show_ip(); */
-        s_retry_num = 0;
-        xEventGroupSetBits(s_wifi_event_group, WIFI_CONNECTED_BIT);
+        ip_event_got_ip_t* ip_event = (ip_event_got_ip_t*)event_data;
+        if (ip_event != NULL) {
+            s_retry_num = 0;
+            if (s_wifi_event_group != NULL) {
+                xEventGroupSetBits(s_wifi_event_group, WIFI_CONNECTED_BIT);
+            }
+        }
     }
 }
 
 esp_err_t wc_wifi_init_sta(void)
 {
-    esp_err_t ret = ESP_OK;
+    esp_err_t ret;
+    esp_event_handler_instance_t instance_any_id = NULL;
+    esp_event_handler_instance_t instance_got_ip = NULL;
 
     s_wifi_event_group = xEventGroupCreate();
+    if (s_wifi_event_group == NULL) {
+        ESP_LOGE(TAG, "Failed to create event group");
+        return ESP_FAIL;
+    }
 
-    ESP_ERROR_CHECK(esp_netif_init());
+    ret = esp_netif_init();
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to initialize netif");
+        vEventGroupDelete(s_wifi_event_group);
+        return ret;
+    }
+
+    ret = esp_event_loop_create_default();
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to create event loop");
+        esp_netif_deinit();
+        vEventGroupDelete(s_wifi_event_group);
+        return ret;
+    }
 
-    ESP_ERROR_CHECK(esp_event_loop_create_default());
     esp_netif_create_default_wifi_sta();
 
     wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();
-    ESP_ERROR_CHECK(esp_wifi_init(&cfg));
+    ret = esp_wifi_init(&cfg);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to init wifi");
+        esp_netif_deinit();
+        vEventGroupDelete(s_wifi_event_group);
+        return ret;
+    }
 
-    esp_event_handler_instance_t instance_any_id;
-    esp_event_handler_instance_t instance_got_ip;
-    ESP_ERROR_CHECK(esp_event_handler_instance_register(WIFI_EVENT,
-                                                        ESP_EVENT_ANY_ID,
-                                                        &event_handler,
-                                                        NULL,
-                                                        &instance_any_id));
-    ESP_ERROR_CHECK(esp_event_handler_instance_register(IP_EVENT,
-                                                        IP_EVENT_STA_GOT_IP,
-                                                        &event_handler,
-                                                        NULL,
-                                                        &instance_got_ip));
+    ret = esp_event_handler_instance_register(WIFI_EVENT,
+                                            ESP_EVENT_ANY_ID,
+                                            &event_handler,
+                                            NULL,
+                                            &instance_any_id);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to register WIFI event handler");
+        esp_wifi_deinit();
+        esp_netif_deinit();
+        vEventGroupDelete(s_wifi_event_group);
+        return ret;
+    }
 
-    wifi_config_t wifi_config = {
-        .sta = {
-            .ssid = EXAMPLE_ESP_WIFI_SSID,
-            .password = EXAMPLE_ESP_WIFI_PASS,
-            /* Authmode threshold resets to WPA2 as default if password matches
-             * WPA2 standards (password len => 8). If you want to connect the
-             * device to deprecated WEP/WPA networks, Please set the threshold
-             * value WIFI_AUTH_WEP/WIFI_AUTH_WPA_PSK and set the password with
-             * length and format matching to WIFI_AUTH_WEP/WIFI_AUTH_WPA_PSK
-             * standards. */
-            .threshold.authmode = ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD,
-        #ifdef HAS_WPA3_FEATURES
-            .sae_pwe_h2e = WPA3_SAE_PWE_BOTH,
-        #endif
-        },
-    };
-    ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) );
-    ESP_ERROR_CHECK(esp_wifi_set_config(WIFI_IF_STA, &wifi_config) );
+    ret = esp_event_handler_instance_register(IP_EVENT,
+                                            IP_EVENT_STA_GOT_IP,
+                                            &event_handler,
+                                            NULL,
+                                            &instance_got_ip);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to register IP event handler");
+        esp_event_handler_instance_unregister(WIFI_EVENT, ESP_EVENT_ANY_ID, instance_any_id);
+        esp_wifi_deinit();
+        esp_netif_deinit();
+        vEventGroupDelete(s_wifi_event_group);
+        return ret;
+    }
+
+    wifi_config_t wifi_config;
+    memset(&wifi_config, 0, sizeof(wifi_config_t));
+    memcpy(wifi_config.sta.ssid, EXAMPLE_ESP_WIFI_SSID, 
+           sizeof(EXAMPLE_ESP_WIFI_SSID));
+    memcpy(wifi_config.sta.password, EXAMPLE_ESP_WIFI_PASS,
+           sizeof(EXAMPLE_ESP_WIFI_PASS));
+    wifi_config.sta.threshold.authmode = ESP_WIFI_SCAN_AUTH_MODE_THRESHOLD;
+#ifdef HAS_WPA3_FEATURES
+    wifi_config.sta.sae_pwe_h2e = WPA3_SAE_PWE_BOTH;
+#endif
+    ret = esp_wifi_set_mode(WIFI_MODE_STA);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to set WiFi mode");
+        goto cleanup;
+    }
+
+    ret = esp_wifi_set_config(WIFI_IF_STA, &wifi_config);
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to set WiFi config");
+        goto cleanup;
+    }
 
 #ifdef CONFIG_EXAMPLE_WIFI_SSID
     if (XSTRCMP(CONFIG_EXAMPLE_WIFI_SSID, "myssid") == 0) {
@@ -411,7 +460,11 @@ esp_err_t wc_wifi_init_sta(void)
     ESP_LOGW(TAG, "WARNING: CONFIG_EXAMPLE_WIFI_SSID not defined.");
 #endif
 
-    ESP_ERROR_CHECK(esp_wifi_start() );
+    ret = esp_wifi_start();
+    if (ret != ESP_OK) {
+        ESP_LOGE(TAG, "Failed to start WiFi");
+        goto cleanup;
+    }
 
     ESP_LOGI(TAG, "wifi_init_sta finished.");
 
@@ -454,6 +507,24 @@ esp_err_t wc_wifi_init_sta(void)
         ret = -2;
     }
 #endif
+
+cleanup:
+    if (instance_got_ip != NULL) {
+        esp_event_handler_instance_unregister(IP_EVENT,
+                                            IP_EVENT_STA_GOT_IP,
+                                            instance_got_ip);
+    }
+    if (instance_any_id != NULL) {
+        esp_event_handler_instance_unregister(WIFI_EVENT,
+                                            ESP_EVENT_ANY_ID,
+                                            instance_any_id);
+    }
+    esp_wifi_deinit();
+    esp_netif_deinit();
+    if (s_wifi_event_group != NULL) {
+        vEventGroupDelete(s_wifi_event_group);
+        s_wifi_event_group = NULL;
+    }
     return ret;
 }
 

wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h

@@ -33,6 +33,19 @@
     #error  "WOLFSSL_USER_SETTINGS must be defined for Espressif targets"
 #endif
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Forward declarations */
+struct wolfSSL_Mutex;
+struct Aes;
+struct wc_Sha;
+struct wc_Sha256;
+struct wc_Sha512;
+
+/* Function declarations */
+
 #include "sdkconfig.h" /* ensure ESP-IDF settings are available everywhere */
 
 /* wolfSSL  */
@@ -658,65 +671,32 @@ enum {
 ******************************************************************************
 */
 
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-
 /*
 ******************************************************************************
-** Some common esp utilities
+** Function Declarations
 ******************************************************************************
 */
 
-    WOLFSSL_LOCAL int esp_ShowExtendedSystemInfo(void);
+/* System utilities */
+WOLFSSL_LOCAL int esp_ShowExtendedSystemInfo(void);
+WOLFSSL_LOCAL esp_err_t esp_DisableWatchdog(void);
+WOLFSSL_LOCAL esp_err_t esp_EnableWatchdog(void);
 
-    WOLFSSL_LOCAL esp_err_t esp_DisableWatchdog(void);
+/* Math operations */
+WOLFSSL_LOCAL int esp_mp_cmp(char* name_A, MATH_INT_T* A, char* name_B, MATH_INT_T* B);
+WOLFSSL_LOCAL int esp_show_mp_attributes(char* c, MATH_INT_T* X);
+WOLFSSL_LOCAL int esp_show_mp(char* name_X, MATH_INT_T* X);
 
-    WOLFSSL_LOCAL esp_err_t esp_EnableWatchdog(void);
-
-    /* Compare MATH_INT_T A to MATH_INT_T B
-     * During debug, the strings name_A and name_B can help
-     * identify variable name. */
-    WOLFSSL_LOCAL int esp_mp_cmp(char* name_A, MATH_INT_T* A,
-                                 char* name_B, MATH_INT_T* B);
-
-    /* Show MATH_INT_T value attributes.  */
-    WOLFSSL_LOCAL int esp_show_mp_attributes(char* c, MATH_INT_T* X);
-
-    /* Show MATH_INT_T value.
-     *
-     * Calls esp_show_mp_attributes().
-     *
-     * During debug, the string name_A can help
-     * identify variable name. */
-    WOLFSSL_LOCAL int esp_show_mp(char* name_X, MATH_INT_T* X);
-
-    /* To use a Mutex, it must first be initialized. */
-    WOLFSSL_LOCAL int esp_CryptHwMutexInit(wolfSSL_Mutex* mutex);
-
-    /*  Take the mutex to indicate the HW is in use.  Wait up to [block_time].
-     *  When the HW in use the mutex will be locked. */
-    WOLFSSL_LOCAL int esp_CryptHwMutexLock(wolfSSL_Mutex* mutex,
-                                           TickType_t block_time);
-
-    /* Release the mutex to indicate the HW is no longer in use. */
-    WOLFSSL_LOCAL int esp_CryptHwMutexUnLock(wolfSSL_Mutex* mutex);
-
-    /* Validation active check. When active, we'll fall back to SW. */
-    WOLFSSL_LOCAL int esp_hw_validation_active(void);
-
-/*
-*******************************************************************************
-** AES features:
-*******************************************************************************
-*/
+/* Mutex operations */
+WOLFSSL_LOCAL int esp_CryptHwMutexInit(struct wolfSSL_Mutex* mutex);
+WOLFSSL_LOCAL int esp_CryptHwMutexLock(struct wolfSSL_Mutex* mutex, TickType_t block_time);
+WOLFSSL_LOCAL int esp_CryptHwMutexUnLock(struct wolfSSL_Mutex* mutex);
+WOLFSSL_LOCAL int esp_hw_validation_active(void);
 
 #ifndef NO_AES
-    /* wolfSSL does not use Espressif rom/aes.h */
-    struct Aes; /* see wolcrypt/aes.h */
+struct Aes; /* see wolcrypt/aes.h */
 
-    typedef enum tagES32_AES_PROCESS
+typedef enum tagES32_AES_PROCESS
     {
         ESP32_AES_LOCKHW            = 1,
         ESP32_AES_UPDATEKEY_ENCRYPT = 2,
@@ -730,20 +710,10 @@ extern "C"
     WOLFSSL_LOCAL int wc_esp32AesSupportedKeyLenValue(int keylen);
     WOLFSSL_LOCAL int wc_esp32AesSupportedKeyLen(struct Aes* aes);
 
-    WOLFSSL_LOCAL int wc_esp32AesCbcEncrypt(struct Aes* aes,
-                                            byte*  out,
-                                            const  byte* in,
-                                            word32 sz);
-    WOLFSSL_LOCAL int wc_esp32AesCbcDecrypt(struct Aes* aes,
-                                            byte*  out,
-                                            const  byte* in,
-                                            word32 sz);
-    WOLFSSL_LOCAL int wc_esp32AesEncrypt(   struct Aes* aes,
-                                            const  byte* in,
-                                            byte*  out);
-    WOLFSSL_LOCAL int wc_esp32AesDecrypt(   struct Aes* aes,
-                                            const  byte* in,
-                                            byte*  out);
+    WOLFSSL_LOCAL int wc_esp32AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz);
+    WOLFSSL_LOCAL int wc_esp32AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz);
+    WOLFSSL_LOCAL int wc_esp32AesEncrypt(struct Aes* aes, const byte* in, byte* out);
+    WOLFSSL_LOCAL int wc_esp32AesDecrypt(struct Aes* aes, const byte* in, byte* out);
 #endif /* ! NO_AES */
 
 #ifdef WOLFSSL_ESP32_CRYPT_DEBUG
@@ -753,11 +723,7 @@ extern "C"
 
 #endif /* WOLFSSL_ESP32_CRYPT_DEBUG */
 
-/*
-*******************************************************************************
-** Cryptographic hash algorithms (e.g. SHA[x]):
-*******************************************************************************
-*/
+/* Cryptographic hash algorithms (e.g. SHA[x]) */
 
 #if !defined(NO_WOLFSSL_ESP32_CRYPT_HASH) &&     \
    (!defined(NO_SHA) || !defined(NO_SHA256) ||          \
@@ -914,12 +880,6 @@ extern "C"
 #endif /* NO_SHA && etc */
 
 
-/*
-*******************************************************************************
-** RSA Big Math
-*******************************************************************************
-*/
-
 #if !defined(NO_RSA) || defined(HAVE_ECC)
 
     #if !defined(ESP_RSA_TIMEOUT_CNT)
@@ -927,20 +887,8 @@ extern "C"
     #endif
 
 #ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD
-    /*
-     * The parameter names in the Espressif implementation are arbitrary.
-     *
-     * The wolfSSL names come from DH: Y=G^x mod M  (see wolfcrypt/tfm.h)
-     *
-     * G=base, X is the private exponent, Y is the public value w
-     **/
 
-    /* Z = (X ^ Y) mod M   : Espressif generic notation    */
-    /* Y = (G ^ X) mod P   : wolfSSL DH reference notation */
-    WOLFSSL_LOCAL int esp_mp_exptmod(MATH_INT_T* X,    /* G  */
-                                     MATH_INT_T* Y,    /* X  */
-                                     MATH_INT_T* M,    /* P  */
-                                     MATH_INT_T* Z);   /* Y  */
+    WOLFSSL_LOCAL int esp_mp_exptmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z);
 
     /* HW_MATH_ENABLED is typically used in wolfcrypt tests */
     #undef  HW_MATH_ENABLED
@@ -948,21 +896,14 @@ extern "C"
 #endif /* ! NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
 
 #ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL
-    /* Z = X * Y */
-    WOLFSSL_LOCAL int esp_mp_mul(MATH_INT_T* X,
-                                 MATH_INT_T* Y,
-                                 MATH_INT_T* Z);
+    WOLFSSL_LOCAL int esp_mp_mul(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* Z);
     /* HW_MATH_ENABLED is typically used in wolfcrypt tests */
     #undef  HW_MATH_ENABLED
     #define HW_MATH_ENABLED
 #endif /* ! NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */
 
 #ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD
-    /* Z = X * Y (mod M) */
-    WOLFSSL_LOCAL int esp_mp_mulmod(MATH_INT_T* X,
-                                    MATH_INT_T* Y,
-                                    MATH_INT_T* M,
-                                    MATH_INT_T* Z);
+    WOLFSSL_LOCAL int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z);
     /* HW_MATH_ENABLED is typically used in wolfcrypt tests */
     #undef  HW_MATH_ENABLED
     #define HW_MATH_ENABLED
@@ -971,25 +912,11 @@ extern "C"
 #endif /* !NO_RSA || HAVE_ECC*/
 
 
-/* Optionally enable some metrics to count interesting usage */
-/*
-*******************************************************************************
-** Usage metrics
-*******************************************************************************
-*/
 #ifdef WOLFSSL_HW_METRICS
     #define WOLFSSL_HAS_METRICS
-
-    /* Allow sha256 code to keep track of SW fallback during active HW */
     WOLFSSL_LOCAL int esp_sw_sha256_count_add(void);
-
-    /* show MP HW Metrics*/
     WOLFSSL_LOCAL int esp_hw_show_mp_metrics(void);
-
-    /* show SHA HW Metrics*/
     WOLFSSL_LOCAL int esp_hw_show_sha_metrics(void);
-
-    /* show all HW Metrics*/
     WOLFSSL_LOCAL int esp_hw_show_metrics(void);
 #endif
 
@@ -1000,12 +927,7 @@ WOLFSSL_LOCAL int esp_sha_stack_check(WC_ESP32SHA* sha);
 
 #endif /* WOLFSSL_STACK_CHECK */
 
-/*
- * Errata Mitigation. See
- *   esp32_errata_en.pdf
- *   esp32-c3_errata_en.pdf
- *   esp32-s3_errata_en.pdf
- */
+/* Errata Mitigation */
 #define ESP_MP_HW_LOCK_MAX_DELAY ( TickType_t ) 0xffUL
 
 #if defined(CONFIG_IDF_TARGET_ESP32) && !defined(ESP_NO_ERRATA_MITIGATION)
@@ -1104,6 +1026,10 @@ WOLFSSL_LOCAL int esp_sha_stack_check(WC_ESP32SHA* sha);
     #warning "CONFIG_ESP_MAIN_TASK_STACK_SIZE not defined!"
 #endif
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif /* WOLFSSL_ESPIDF (entire contents excluded when not Espressif ESP-IDF) */
 
 #endif  /* __ESP32_CRYPT_H__ */