minor coverity fixes for tls ech

Author: sebastian-carpenter

src/tls13.c

@@ -5094,10 +5094,10 @@ static int EchCheckAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
     ret = EchCalcAcceptance(ssl, label, labelSz, input, acceptOffset, helloSz,
             msgType == hello_retry_request, acceptConfirmation);
 
-    tmpHashes = ssl->hsHashes;
-    ssl->hsHashes = ssl->hsHashesEch;
-
     if (ret == 0) {
+        tmpHashes = ssl->hsHashes;
+        ssl->hsHashes = ssl->hsHashesEch;
+
         /* last 8 bytes must match the expand output */
         ret = ConstantCompare(acceptConfirmation, input + acceptOffset,
             ECH_ACCEPT_CONFIRMATION_SZ);
@@ -5126,9 +5126,10 @@ static int EchCheckAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
             FreeHandshakeHashes(ssl);
             ssl->hsHashesEch = NULL;
         }
+
+        ssl->hsHashes = tmpHashes;
     }
 
-    ssl->hsHashes = tmpHashes;
     return ret;
 }
 #endif /* HAVE_ECH */
@@ -6806,25 +6807,28 @@ static int EchWriteAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
             helloSz - headerSz, msgType == hello_retry_request,
             output + acceptOffset);
 
-    tmpHashes = ssl->hsHashes;
-    ssl->hsHashes = ssl->hsHashesEch;
+    if (ret == 0) {
+        tmpHashes = ssl->hsHashes;
+        ssl->hsHashes = ssl->hsHashesEch;
 
-    /* after HRR, hsHashesEch must contain:
-     * message_hash(ClientHelloInner1) || HRR (actual, not zeros) */
-    if (ret == 0 && msgType == hello_retry_request) {
-        ret = HashRaw(ssl, output, helloSz);
-    }
-    /* normal TLS code will calculate transcript of ServerHello */
-    else if (ret == 0) {
-        ssl->options.echAccepted = 1;
+        /* after HRR, hsHashesEch must contain:
+         * message_hash(ClientHelloInner1) || HRR (actual, not zeros) */
+        if (msgType == hello_retry_request) {
+            ret = HashRaw(ssl, output, helloSz);
+        }
+        /* normal TLS code will calculate transcript of ServerHello */
+        else {
+            ssl->options.echAccepted = 1;
+
+            ssl->hsHashes = tmpHashes;
+            FreeHandshakeHashes(ssl);
+            tmpHashes = ssl->hsHashesEch;
+            ssl->hsHashesEch = NULL;
+        }
 
         ssl->hsHashes = tmpHashes;
-        FreeHandshakeHashes(ssl);
-        tmpHashes = ssl->hsHashesEch;
-        ssl->hsHashesEch = NULL;
     }
 
-    ssl->hsHashes = tmpHashes;
     return ret;
 }
 #endif

tests/api.c

@@ -13819,7 +13819,8 @@ static THREAD_RETURN WOLFSSL_THREAD server_task_ech(void* args)
     if (callbacks->ctx_ready)
         callbacks->ctx_ready(ctx);
 
-    AssertNotNull(ssl = wolfSSL_new(ctx));
+    ssl = wolfSSL_new(ctx);
+    AssertNotNull(ssl);
 
     /* set the sni for the server */
     AssertIntEQ(WOLFSSL_SUCCESS,

wolfcrypt/src/hpke.c

@@ -472,11 +472,8 @@ static int wc_HpkeLabeledExtract(Hpke* hpke, byte* suite_id,
     }
 
     /* check that sum of len's will not overflow */
-    remaining = MAX_HPKE_LABEL_SZ;
-    if ((word32)HPKE_VERSION_STR_LEN > remaining) {
-        return BUFFER_E;
-    }
-    remaining -= (word32)HPKE_VERSION_STR_LEN;
+    wc_static_assert(MAX_HPKE_LABEL_SZ > HPKE_VERSION_STR_LEN);
+    remaining = (word32)MAX_HPKE_LABEL_SZ - (word32)HPKE_VERSION_STR_LEN;
 
     if (suite_id_len > remaining) {
         return BUFFER_E;
@@ -541,16 +538,8 @@ static int wc_HpkeLabeledExpand(Hpke* hpke, byte* suite_id, word32 suite_id_len,
     }
 
     /* check that sum of len's will not overflow */
-    remaining = MAX_HPKE_LABEL_SZ;
-    if (2U > remaining){
-        return BUFFER_E;
-    }
-    remaining -= 2U;
-
-    if ((word32)HPKE_VERSION_STR_LEN > remaining) {
-        return BUFFER_E;
-    }
-    remaining -= (word32)HPKE_VERSION_STR_LEN;
+    wc_static_assert(MAX_HPKE_LABEL_SZ > 2 + HPKE_VERSION_STR_LEN);
+    remaining = (word32)MAX_HPKE_LABEL_SZ - 2U - (word32)HPKE_VERSION_STR_LEN;
 
     if (suite_id_len > remaining) {
         return BUFFER_E;