Address copilot comments

Author: AlexLanzano

src/wh_client_crypto.c

@@ -1040,23 +1040,33 @@ int wh_Client_AesCbcRequest(whClientContext* ctx, Aes* aes, int enc,
 {
     whMessageCrypto_AesCbcRequest* req;
     uint8_t*                       dataPtr;
+    uint16_t                       blocks;
+    uint32_t                       key_len;
+    const uint8_t*                 key;
+    whKeyId                        key_id;
+    uint8_t*                       iv;
+    uint32_t                       iv_len;
+    uint8_t*                       req_in;
+    uint8_t*                       req_key;
+    uint8_t*                       req_iv;
+    uint32_t                       req_len;
 
     if ((ctx == NULL) || (aes == NULL) || ((len % AES_BLOCK_SIZE) != 0) ||
         (in == NULL)) {
         return WH_ERROR_BADARGS;
     }
 
-    uint16_t blocks = len / AES_BLOCK_SIZE;
+    blocks = len / AES_BLOCK_SIZE;
 
     if (blocks == 0) {
         return WH_ERROR_OK;
     }
 
-    uint32_t       key_len = aes->keylen;
-    const uint8_t* key     = (const uint8_t*)(aes->devKey);
-    whKeyId        key_id  = WH_DEVCTX_TO_KEYID(aes->devCtx);
-    uint8_t*       iv      = (uint8_t*)aes->reg;
-    uint32_t       iv_len  = AES_IV_SIZE;
+    key_len = aes->keylen;
+    key     = (const uint8_t*)(aes->devKey);
+    key_id  = WH_DEVCTX_TO_KEYID(aes->devCtx);
+    iv      = (uint8_t*)aes->reg;
+    iv_len  = AES_IV_SIZE;
 
     dataPtr = wh_CommClient_GetDataPtr(ctx->comm);
     if (dataPtr == NULL) {
@@ -1065,11 +1075,11 @@ int wh_Client_AesCbcRequest(whClientContext* ctx, Aes* aes, int enc,
 
     req = (whMessageCrypto_AesCbcRequest*)_createCryptoRequest(
         dataPtr, WC_CIPHER_AES_CBC, ctx->cryptoAffinity);
-    uint8_t* req_in  = (uint8_t*)(req + 1);
-    uint8_t* req_key = req_in + len;
-    uint8_t* req_iv  = req_key + key_len;
-    uint32_t req_len = sizeof(whMessageCrypto_GenericRequestHeader) +
-                       sizeof(*req) + len + key_len + iv_len;
+    req_in  = (uint8_t*)(req + 1);
+    req_key = req_in + len;
+    req_iv  = req_key + key_len;
+    req_len = sizeof(whMessageCrypto_GenericRequestHeader) +
+              sizeof(*req) + len + key_len + iv_len;
 
     if (req_len > WOLFHSM_CFG_COMM_DATA_LEN) {
         return WH_ERROR_BADARGS;
@@ -1110,7 +1120,7 @@ int wh_Client_AesCbcResponse(whClientContext* ctx, Aes* aes, uint8_t* out,
     uint16_t                        res_len = 0;
     whMessageCrypto_AesCbcResponse* res;
 
-    if ((ctx == NULL) || (aes == NULL)) {
+    if ((ctx == NULL) || (aes == NULL) || (out == NULL)) {
         return WH_ERROR_BADARGS;
     }
 
@@ -1124,15 +1134,13 @@ int wh_Client_AesCbcResponse(whClientContext* ctx, Aes* aes, uint8_t* out,
         ret = _getCryptoResponse(dataPtr, WC_CIPHER_AES_CBC, (uint8_t**)&res);
         if (ret == WH_ERROR_OK) {
             uint8_t* res_out = (uint8_t*)(res + 1);
-            if (out != NULL) {
-                memcpy(out, res_out, res->sz);
-                /* For encryption, update the IV with the last ciphertext
-                 * block for CBC chaining */
-                if (res->sz >= AES_BLOCK_SIZE) {
-                    uint32_t last_offset =
-                        ((res->sz / AES_BLOCK_SIZE) - 1) * AES_BLOCK_SIZE;
-                    memcpy((uint8_t*)aes->reg, out + last_offset, AES_IV_SIZE);
-                }
+            memcpy(out, res_out, res->sz);
+            /* For encryption, update the IV with the last ciphertext
+             * block for CBC chaining */
+            if (res->sz >= AES_BLOCK_SIZE) {
+                uint32_t last_offset =
+                    ((res->sz / AES_BLOCK_SIZE) - 1) * AES_BLOCK_SIZE;
+                memcpy((uint8_t*)aes->reg, out + last_offset, AES_IV_SIZE);
             }
             if (out_size != NULL) {
                 *out_size = res->sz;

src/wh_server_crypto.c

@@ -4401,6 +4401,7 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
                                   uint16_t* out_resp_size, void* resp_packet)
 {
     int                                   ret        = 0;
+    int                                   devId      = INVALID_DEVID;
     whMessageCrypto_GenericRequestHeader  rqstHeader = {0};
     whMessageCrypto_GenericResponseHeader respHeader = {0};
 
@@ -4430,10 +4431,10 @@ int wh_Server_HandleCryptoRequest(whServerContext* ctx, uint16_t magic,
         magic, (whMessageCrypto_GenericRequestHeader*)req_packet, &rqstHeader);
 
     /* Compute devId from the per-message affinity field */
-    int devId = (rqstHeader.affinity == WH_CRYPTO_AFFINITY_HW &&
-                 ctx->devId != INVALID_DEVID)
-                    ? ctx->devId
-                    : INVALID_DEVID;
+    devId = (rqstHeader.affinity == WH_CRYPTO_AFFINITY_HW &&
+             ctx->devId != INVALID_DEVID)
+                ? ctx->devId
+                : INVALID_DEVID;
 
     WH_DEBUG_SERVER_VERBOSE("HandleCryptoRequest. Action:%u\n", action);
     WH_DEBUG_VERBOSE_HEXDUMP("[server] Crypto Request:\n", (const uint8_t*)req_packet,
@@ -5864,6 +5865,7 @@ int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
                                      uint16_t* out_resp_size, void* resp_packet)
 {
     int                                   ret        = 0;
+    int                                   devId      = INVALID_DEVID;
     whMessageCrypto_GenericRequestHeader  rqstHeader = {0};
     whMessageCrypto_GenericResponseHeader respHeader = {0};
 
@@ -5893,10 +5895,10 @@ int wh_Server_HandleCryptoDmaRequest(whServerContext* ctx, uint16_t magic,
         magic, (whMessageCrypto_GenericRequestHeader*)req_packet, &rqstHeader);
 
     /* Compute devId from the per-message affinity field */
-    int devId = (rqstHeader.affinity == WH_CRYPTO_AFFINITY_HW &&
-                 ctx->devId != INVALID_DEVID)
-                    ? ctx->devId
-                    : INVALID_DEVID;
+    devId = (rqstHeader.affinity == WH_CRYPTO_AFFINITY_HW &&
+             ctx->devId != INVALID_DEVID)
+                ? ctx->devId
+                : INVALID_DEVID;
 
     switch (action) {
         case WC_ALGO_TYPE_HASH:

test/wh_test_crypto_affinity.c

@@ -210,7 +210,7 @@ static int whTest_CryptoAffinityWithCb(void)
     WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
     WH_TEST_ASSERT_RETURN(affinity == WH_CRYPTO_AFFINITY_HW);
 
-    /* Test 2: Set HW affinity - local only, no round-trip */
+    /* Test 2: Set SW affinity - local only, no round-trip */
     rc = wh_Client_SetCryptoAffinity(client, WH_CRYPTO_AFFINITY_SW);
     WH_TEST_ASSERT_RETURN(rc == WH_ERROR_OK);
 

wolfhsm/wh_client_crypto.h

@@ -739,7 +739,7 @@ int wh_Client_AesCbcRequest(whClientContext* ctx, Aes* aes, int enc,
  *
  * @param[in] ctx Pointer to the client context
  * @param[in,out] aes Pointer to the AES structure (IV updated on encrypt)
- * @param[out] out Pointer to where the output data is placed. May be NULL.
+ * @param[out] out Pointer to where the output data is placed. Must not be NULL.
  * @param[out] out_size Set to the number of bytes produced. May be NULL.
  * @return int Returns 0 on success, WH_ERROR_NOTREADY if the response is not
  *             yet available, or a negative error code on failure.

wolfhsm/wh_server.h

@@ -69,6 +69,7 @@ typedef struct whServerCryptoContext {
 #ifndef WC_NO_RNG
     WC_RNG rng[1];
 #else
+    /* Placeholder to prevent empty struct in C90 */
     uint8_t WH_PAD[1];
 #endif
 } whServerCryptoContext;