wolfSSL · billphipps · Oct 2, 2025 · Sep 17, 2025 · Sep 17, 2025 · Sep 24, 2025
diff --git a/benchmark/bench_modules/wh_bench_mod_rsa.c b/benchmark/bench_modules/wh_bench_mod_rsa.c
@@ -394,9 +394,6 @@ int _benchRsaCrypt(whClientContext* client, whBenchOpContext* ctx, int id,
         WH_BENCH_PRINTF("Failed to wc_RsaPublicEncrypt %d\n", ret);
         goto exit;
     }
-    else {
-        ret = 0;
-    }
 
     /* Set the data size for the benchmark */
     ret = wh_Bench_SetDataSize(ctx, id, encSz);

diff --git a/examples/demo/client/wh_demo_client_crypto.c b/examples/demo/client/wh_demo_client_crypto.c
@@ -91,7 +91,6 @@ int wh_DemoClient_CryptoRsa(whClientContext* clientContext)
         printf("Failed to wc_RsaPublicEncrypt %d\n", ret);
         goto exit;
     }
-    ret = 0;
 
     /* decrypt the ciphertext */
     ret = wc_RsaPrivateDecrypt(cipherText, encSz, plainText, sizeof(plainText),
@@ -194,7 +193,6 @@ int wh_DemoClient_CryptoRsaImport(whClientContext* clientContext)
         printf("Failed to wc_RsaPublicEncrypt %d\n", ret);
         goto exit;
     }
-    ret = 0;
 
     /* decrypt the ciphertext */
     ret = wc_RsaPrivateDecrypt(cipherText, encSz, plainText, sizeof(plainText),

diff --git a/examples/demo/client/wh_demo_client_secboot.c b/examples/demo/client/wh_demo_client_secboot.c
@@ -22,19 +22,19 @@
 
 /* Provisioning process:
  * 1. Generate a server keypair into key cache as keyId 27
- * 2. Commit the server keypair to server NVM 
+ * 2. Commit the server keypair to server NVM
  * 3. Map a file into memory and ask server to hash it using SHA256
  * 4. Sign the hash using the server keypair
- * 5. Store the signature to server NVM as object 29 
+ * 5. Store the signature to server NVM as object 29
  * 6. Hexdump hash, public key, and signature
  * Note: Provisioning can also be done offline using the whnvmtool
- * 
+ *
  * SecBoot process:
  * 1. Load the signature from server NVM as object 29
  * 2. Map a file into memory and ask server to hash it using SHA256
  * 3. Verify the signature using server keyId 27
  * 4. Hexdump hash, public key, and signature
- * 
+ *
  * Zeroization process:
  * 1. Destroy keyId 27
  * 2. Destroy nvmId 29
@@ -52,13 +52,12 @@ static int _showNvm(whClientContext* clientContext);
 
 static int _provisionMakeCommitKey(whClientContext* clientContext);
 static int _sha256File(const char* file_to_measure, uint8_t* hash);
-static int _signHash(   const uint8_t* hash, size_t hash_len, 
-                        uint8_t* sig, uint16_t* sig_len);
-static int _verifyHash( const uint8_t* hash, size_t hash_len, 
-                        const uint8_t* sig, uint16_t sig_len,
-                        int32_t* rc);
+static int _signHash(const uint8_t* hash, size_t hash_len, uint8_t* sig,
+                     uint16_t* sig_len);
+static int _verifyHash(const uint8_t* hash, size_t hash_len, const uint8_t* sig,
+                       uint16_t sig_len, int32_t* rc);
 
-static int _showNvm(whClientContext* clientContext)   
+static int _showNvm(whClientContext* clientContext)
 {
     int ret = 0;
     whNvmAccess access = WH_NVM_ACCESS_ANY;
@@ -68,52 +67,47 @@ static int _showNvm(whClientContext* clientContext)
 
     printf("NVM Contents:\n");
     do {
-        ret = wh_Client_NvmList(    clientContext, 
-                                    access, flags, 
-                                    id, NULL, 
-                                    &count, &id);
+        ret = wh_Client_NvmList(clientContext, access, flags, id, NULL, &count,
+                                &id);
         if (ret != WH_ERROR_OK) {
             printf("wh_Client_NvmList failed with ret:%d\n", ret);
             break;
         }
-        printf( "NVM List: count=%u, id=%u\n", 
-                (unsigned int)count, (unsigned int)id);
+        printf("NVM List: count=%u, id=%u\n", (unsigned int)count,
+               (unsigned int)id);
 
         if (count > 0) {
             whNvmSize data_len = 0;
             uint8_t label[WH_NVM_LABEL_LEN] = {0};
-            ret = wh_Client_NvmGetMetadata( clientContext, id, 
-                                            NULL, NULL, 
-                                            NULL, NULL, 
-                                            &data_len, 
-                                            sizeof(label), label);
+            ret =
+                wh_Client_NvmGetMetadata(clientContext, id, NULL, NULL, NULL,
+                                         NULL, &data_len, sizeof(label), label);
             if (ret != WH_ERROR_OK) {
                 printf("wh_Client_NvmGetMetadata failed with ret:%d\n", ret);
                 break;
             }
 
-            printf( "NVM Object ID %u has label '%-*s' and size:%u\n", 
-                    (unsigned int)id, 
-                    (int)sizeof(label), label, 
-                    (unsigned int)data_len);
+            printf("NVM Object ID %u has label '%-*s' and size:%u\n",
+                   (unsigned int)id, (int)sizeof(label), label,
+                   (unsigned int)data_len);
         }
     } while (count > 0);
     printf("End of NVM Contents\n");
     return ret;
 }
 
-static int _provisionMakeCommitKey(whClientContext* clientContext) 
+static int _provisionMakeCommitKey(whClientContext* clientContext)
 {
     int ret;
-    
+
     /* Use the default ECC curve for 32 byte key, likely P256r1 */
     whKeyId keyId = prov_keyId;
     uint8_t keyLabel[WH_NVM_LABEL_LEN] = {0};
     memcpy(keyLabel, prov_keyLabel, sizeof(prov_keyLabel));
 
-    ret = wh_Client_EccMakeCacheKey(clientContext, 32, ECC_CURVE_DEF, 
-                                    &keyId, WH_NVM_FLAGS_NONE, 
-                                    sizeof(prov_keyLabel), keyLabel);
+    ret = wh_Client_EccMakeCacheKey(clientContext, 32, ECC_CURVE_DEF, &keyId,
+                                    WH_NVM_FLAGS_NONE, sizeof(prov_keyLabel),
+                                    keyLabel);
     if (ret == WH_ERROR_OK) {
         ret = wh_Client_KeyCommit(clientContext, prov_keyId);
     }
@@ -132,8 +126,8 @@ static int _sha256File(const char* file_to_measure, uint8_t* hash)
         close(fd);
 
         if (ptr != (void*)-1) {
-            printf("Generating SHA256 of %s over %u bytes at %p\n", 
-                file_to_measure, (unsigned int)size, ptr);
+            printf("Generating SHA256 of %s over %u bytes at %p\n",
+                   file_to_measure, (unsigned int)size, ptr);
             wc_Sha256 sha256[1];
             ret = wc_InitSha256_ex(sha256, NULL, WH_DEV_ID);
             if (ret == 0) {
@@ -157,8 +151,8 @@ static int _sha256File(const char* file_to_measure, uint8_t* hash)
     return ret;
 }
 
-static int _signHash(   const uint8_t* hash, size_t hash_len, 
-                        uint8_t* sig, uint16_t* sig_len)
+static int _signHash(const uint8_t* hash, size_t hash_len, uint8_t* sig,
+                     uint16_t* sig_len)
 {
     ecc_key key[1];
     int ret = wc_ecc_init_ex(key, NULL, WH_DEV_ID);
@@ -177,19 +171,17 @@ static int _signHash(   const uint8_t* hash, size_t hash_len,
     return ret;
 }
 
-static int _verifyHash( const uint8_t* hash, size_t hash_len, 
-                        const uint8_t* sig, uint16_t sig_len,
-                        int32_t* rc)
+static int _verifyHash(const uint8_t* hash, size_t hash_len, const uint8_t* sig,
+                       uint16_t sig_len, int32_t* rc)
 {
     ecc_key key[1];
     int ret = wc_ecc_init_ex(key, NULL, WH_DEV_ID);
     if (ret == 0) {
         ret = wh_Client_EccSetKeyId(key, prov_keyId);
         if (ret == 0) {
             int res = 0;
-            ret = wc_ecc_verify_hash(   sig, (word32)sig_len, 
-                                        hash, (word32)hash_len, 
-                                        &res, key);
+            ret     = wc_ecc_verify_hash(sig, (word32)sig_len, hash,
+                                         (word32)hash_len, &res, key);
             if (ret == 0) {
                 *rc = res;
             }
@@ -208,7 +200,7 @@ int wh_DemoClient_SecBoot_Provision(whClientContext* clientContext)
     if (clientContext == NULL) {
         return WH_ERROR_BADARGS;
     }
-    
+
     ret = wh_Client_CommInit(clientContext, &client_id, &server_id);
     if (ret == WH_ERROR_OK) {
         printf("Provision client connected to server id %u with client id %u\n",
@@ -227,8 +219,7 @@ int wh_DemoClient_SecBoot_Provision(whClientContext* clientContext)
                 uint16_t siglen = sizeof(sig);
 
                 printf("Signing hash...\n");
-                ret = _signHash(    hash, sizeof(hash), 
-                                    sig, &siglen);
+                ret = _signHash(hash, sizeof(hash), sig, &siglen);
                 if (ret == WH_ERROR_OK) {
                     int32_t rc = 0;
                     uint8_t sigLabel[WH_NVM_LABEL_LEN] = {0};
@@ -237,11 +228,10 @@ int wh_DemoClient_SecBoot_Provision(whClientContext* clientContext)
                     wh_Utils_Hexdump("Signature:\n", sig, siglen);
                     printf("Storing the signature in NVM as nvmId %u\n",
                             sig_nvmId);
-                    ret = wh_Client_NvmAddObject(clientContext, sig_nvmId,
-                                        WH_NVM_ACCESS_NONE, WH_NVM_FLAGS_NONE, 
-                                        sizeof(sig_nvmLabel), sigLabel,
-                                        siglen, sig, 
-                                        &rc);
+                    ret = wh_Client_NvmAddObject(
+                        clientContext, sig_nvmId, WH_NVM_ACCESS_NONE,
+                        WH_NVM_FLAGS_NONE, sizeof(sig_nvmLabel), sigLabel,
+                        siglen, sig, &rc);
                     printf("Stored signature with ret:%d and rc:%d\n", ret, rc);
                 }
             }
@@ -266,7 +256,7 @@ int wh_DemoClient_SecBoot_Boot(whClientContext* clientContext)
     if (ret == WH_ERROR_OK) {
         printf("SecBoot Client connected to server id %u with client id %u\n",
                 server_id, client_id);
-        
+
         _showNvm(clientContext);
 
         uint8_t sig[ECC_MAX_SIG_SIZE] = {0};
@@ -276,10 +266,19 @@ int wh_DemoClient_SecBoot_Boot(whClientContext* clientContext)
                 sig_nvmId);
         ret = wh_Client_NvmGetMetadata(clientContext,
             sig_nvmId, &rc, NULL, NULL, NULL, &siglen, 0, NULL);
+        if (ret != WH_ERROR_OK) {
+            printf("wh_Client_NvmGetMetadata failed with ret:%d\n", ret);
+            return ret;
+        }
         printf("SecBoot got siglen %d with ret:%d rc:%d\n", siglen, ret, rc);
-        ret = wh_Client_NvmRead(clientContext, sig_nvmId, 
-                                0, siglen, &rc, 
-                                NULL, sig);
+        ret = wh_Client_NvmRead(clientContext, sig_nvmId, 0, siglen, &rc, NULL,
+                                sig);
+        if (ret != WH_ERROR_OK || rc != 0) {
+            printf("Read Object %d failed with error code: %d, server error "
+                   "code: %d\n",
+                   sig_nvmId, ret, rc);
+            return (ret != WH_ERROR_OK) ? ret : rc;
+        }
         wh_Utils_Hexdump("Signature:\n", sig, siglen);
 
 
@@ -289,9 +288,7 @@ int wh_DemoClient_SecBoot_Boot(whClientContext* clientContext)
         if (ret == WH_ERROR_OK) {
 
             printf("SecBoot Client Verifying signature using keyId %u\n", prov_keyId);
-            ret = _verifyHash(  hash, sizeof(hash), 
-                                sig, siglen, 
-                                &rc);
+            ret = _verifyHash(hash, sizeof(hash), sig, siglen, &rc);
             printf("ecc_verify:%d rc:%d\n", ret, rc);
 
             if ((ret == 0) && (rc == 1)) {
@@ -326,8 +323,8 @@ int wh_DemoClient_SecBoot_Zeroize(whClientContext* clientContext)
         printf("Zeroize Client erased keyId:%u ret:%d\n", prov_keyId, ret);
 
         ret = wh_Client_NvmDestroyObjects(clientContext, 1, &sig_nvmId, &rc);
-        printf("Zeroize Client destroyed NVM object:%u ret:%d with rc:%d\n", 
-            sig_nvmId, ret, rc);
+        printf("Zeroize Client destroyed NVM object:%u ret:%d with rc:%d\n",
+               sig_nvmId, ret, rc);
 
         _showNvm(clientContext);
     }

diff --git a/examples/posix/wh_posix_server/wh_posix_server.c b/examples/posix/wh_posix_server/wh_posix_server.c
@@ -391,7 +391,10 @@ int main(int argc, char** argv)
     }
 
     rc = wh_ServerTask(s_conf, keyFilePath, keyId, clientId);
-
+    if (rc != WH_ERROR_OK) {
+        printf("Server task failed: %d\n", rc);
+        return rc;
+    }
     rc = wc_FreeRng(crypto->rng);
     if (rc != 0) {
         printf("Failed to wc_FreeRng: %d\n", rc);

diff --git a/src/wh_nvm_flash.c b/src/wh_nvm_flash.c
@@ -359,12 +359,13 @@ static int nfPartition_ReadMemDirectory(whNvmFlashContext* context, int partitio
                 NF_PARTITION_DIRECTORY_OFFSET;
     memset(directory, 0, sizeof(*directory));
 
-    for(index = 0; (index < WOLFHSM_CFG_NVM_OBJECT_COUNT) && (ret == 0); index++) {
-        /* TODO: Handle errors better here.  Break out of loop? */
-        ret = nfMemObject_Read(
-                context,
-                offset + NF_DIRECTORY_OBJECT_OFFSET(index),
-                &directory->objects[index]);
+    for (index = 0; (index < WOLFHSM_CFG_NVM_OBJECT_COUNT); index++) {
+        /* Read all objects from the Partition Directory.
+         * Don't break on an error.
+         */
+        (void)nfMemObject_Read(context,
+                               offset + NF_DIRECTORY_OBJECT_OFFSET(index),
+                               &directory->objects[index]);
     }
     return ret;
 }
@@ -1087,8 +1088,8 @@ int wh_NvmFlash_AddObject(void* c, whNvmMetadata *meta,
     }
 
     /* Find existing object so we can increment the epoch */
-    (void)nfMemDirectory_FindObjectIndexById(d, meta->id, &oldentry);
-    if (oldentry >= 0) {
+    ret = nfMemDirectory_FindObjectIndexById(d, meta->id, &oldentry);
+    if (ret == WH_ERROR_OK && oldentry >= 0) {
         epoch = d->objects[oldentry].state.epoch + 1;
     }