wolfSSL
diff --git a/‎src/crypto.c‎
Lines changed: 28 additions & 60 deletions b/‎src/crypto.c‎
Lines changed: 28 additions & 60 deletions
diff --git a/‎src/internal.c‎
Lines changed: 27 additions & 8 deletions b/‎src/internal.c‎
Lines changed: 27 additions & 8 deletions
diff --git a/‎tests/pbkdf2_keygen_attrs_test.c‎
Lines changed: 3 additions & 3 deletions b/‎tests/pbkdf2_keygen_attrs_test.c‎
Lines changed: 3 additions & 3 deletions
@@ -1909,12 +1909,12 @@ static CK_RV EncryptInit(CK_SESSION_HANDLE hSession,
         ret = CheckOpSupported(obj, CKA_ENCRYPT);
         if (ret != CKR_OK)
             return ret;
-    }
 
-    if (WP11_Session_IsOpCategoryActive(session, WP11_OP_ENCRYPT)) {
-        rv = CKR_OPERATION_ACTIVE;
-        WOLFPKCS11_LEAVE("C_EncryptInit", rv);
-        return rv;
+        if (WP11_Session_IsOpCategoryActive(session, WP11_OP_ENCRYPT)) {
+            rv = CKR_OPERATION_ACTIVE;
+            WOLFPKCS11_LEAVE("C_EncryptInit", rv);
+            return rv;
+        }
     }
 
     type = WP11_Object_GetType(obj);
@@ -2924,12 +2924,12 @@ static CK_RV DecryptInit(CK_SESSION_HANDLE hSession,
         ret = CheckOpSupported(obj, CKA_DECRYPT);
         if (ret != CKR_OK)
             return ret;
-    }
 
-    if (WP11_Session_IsOpCategoryActive(session, WP11_OP_DECRYPT)) {
-        rv = CKR_OPERATION_ACTIVE;
-        WOLFPKCS11_LEAVE("C_DecryptInit", rv);
-        return rv;
+        if (WP11_Session_IsOpCategoryActive(session, WP11_OP_DECRYPT)) {
+            rv = CKR_OPERATION_ACTIVE;
+            WOLFPKCS11_LEAVE("C_DecryptInit", rv);
+            return rv;
+        }
     }
 
     type = WP11_Object_GetType(obj);
@@ -6916,37 +6916,21 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                 ret = WP11_Object_SetSecretKey(pbkdf2Key, secretKeyData, secretKeyLen);
                 if (ret == 0) {
                     WP11_Object_SetKeyGeneration(pbkdf2Key, pMechanism->mechanism);
-                    rv = AddObject(session, pbkdf2Key, pTemplate, ulCount, phKey);
-                    if (rv != CKR_OK) {
-                        WP11_Object_Free(pbkdf2Key);
-                    }
+                    rv = SetInitialStates(pbkdf2Key);
                 } else {
-                    WP11_Object_Free(pbkdf2Key);
                     rv = CKR_FUNCTION_FAILED;
                 }
+                if (rv == CKR_OK) {
+                    rv = AddObject(session, pbkdf2Key, pTemplate, ulCount, phKey);
+                }
+                if (rv != CKR_OK) {
+                    WP11_Object_Free(pbkdf2Key);
+                }
             }
 
             wc_ForceZero(derivedKey, derivedKeyLen);
             XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 
-            if (rv == CKR_OK) {
-                rv = WP11_Object_GetAttr(pbkdf2Key, CKA_SENSITIVE, &getVar,
-                                         &getVarLen);
-                if ((rv == CKR_OK) && (getVar == CK_TRUE)) {
-                    rv = WP11_Object_SetAttr(pbkdf2Key, CKA_ALWAYS_SENSITIVE,
-                                             &trueVar, sizeof(CK_BBOOL));
-                }
-                if (rv == CKR_OK) {
-                    rv = WP11_Object_GetAttr(pbkdf2Key, CKA_EXTRACTABLE,
-                                             &getVar, &getVarLen);
-                    if ((rv == CKR_OK) && (getVar == CK_FALSE)) {
-                        rv = WP11_Object_SetAttr(pbkdf2Key,
-                                                 CKA_NEVER_EXTRACTABLE,
-                                                 &trueVar, sizeof(CK_BBOOL));
-                    }
-                }
-            }
-
             return rv;
         }
 #ifdef WOLFPKCS11_NSS
@@ -7033,37 +7017,21 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                 ret = WP11_Object_SetSecretKey(pbeKey, secretKeyData, secretKeyLen);
                 if (ret == 0) {
                     WP11_Object_SetKeyGeneration(pbeKey, pMechanism->mechanism);
-                    rv = AddObject(session, pbeKey, pTemplate, ulCount, phKey);
-                    if (rv != CKR_OK) {
-                        WP11_Object_Free(pbeKey);
-                    }
+                    rv = SetInitialStates(pbeKey);
                 } else {
-                    WP11_Object_Free(pbeKey);
                     rv = CKR_FUNCTION_FAILED;
                 }
+                if (rv == CKR_OK) {
+                    rv = AddObject(session, pbeKey, pTemplate, ulCount, phKey);
+                }
+                if (rv != CKR_OK) {
+                    WP11_Object_Free(pbeKey);
+                }
             }
 
             wc_ForceZero(derivedKey, derivedKeyLen);
             XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 
-            if (rv == CKR_OK) {
-                rv = WP11_Object_GetAttr(pbeKey, CKA_SENSITIVE, &getVar,
-                                         &getVarLen);
-                if ((rv == CKR_OK) && (getVar == CK_TRUE)) {
-                    rv = WP11_Object_SetAttr(pbeKey, CKA_ALWAYS_SENSITIVE,
-                                             &trueVar, sizeof(CK_BBOOL));
-                }
-                if (rv == CKR_OK) {
-                    rv = WP11_Object_GetAttr(pbeKey, CKA_EXTRACTABLE,
-                                             &getVar, &getVarLen);
-                    if ((rv == CKR_OK) && (getVar == CK_FALSE)) {
-                        rv = WP11_Object_SetAttr(pbeKey,
-                                                 CKA_NEVER_EXTRACTABLE,
-                                                 &trueVar, sizeof(CK_BBOOL));
-                    }
-                }
-            }
-
             return rv;
         }
 #endif
@@ -9052,11 +9020,11 @@ CK_RV C_EncapsulateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
                                            secretKeyLen);
             if (ret != 0)
                 rv = CKR_FUNCTION_FAILED;
+            if (rv == CKR_OK)
+                rv = SetInitialStates(secretObj);
             if (rv == CKR_OK)
                 rv = AddObject(session, secretObj, pTemplate, ulAttributeCount,
                                phKey);
-            if (rv == CKR_OK)
-                rv = SetInitialStates(secretObj);
         }
         if (rv != CKR_OK && secretObj != NULL) {
             WP11_Object_Free(secretObj);
@@ -9158,11 +9126,11 @@ CK_RV C_DecapsulateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
                                            secretKeyLen);
             if (ret != 0)
                 rv = CKR_FUNCTION_FAILED;
+            if (rv == CKR_OK)
+                rv = SetInitialStates(secretObj);
             if (rv == CKR_OK)
                 rv = AddObject(session, secretObj, pTemplate, ulAttributeCount,
                                phKey);
-            if (rv == CKR_OK)
-                rv = SetInitialStates(secretObj);
         }
         if (rv != CKR_OK && secretObj != NULL) {
             WP11_Object_Free(secretObj);
 
@@ -2699,6 +2699,15 @@ int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest)
         else
 #endif
         {
+#ifndef WOLFPKCS11_NO_STORE
+            /* When the source key is encoded (encrypted at rest), the crypto
+             * key struct has been freed. The keyData blob is already copied
+             * above via OBJ_COPY_DATA, so skip the deep key copy. */
+            if (src->encoded) {
+                dest->type = src->type;
+            }
+            else
+#endif
             switch (src->type) {
 #ifndef NO_RSA
                 case CKK_RSA: {
@@ -4896,10 +4905,9 @@ static int MlKemKeyTryDecode(MlKemKey* key, int level, byte* data, word32 len,
         else {
             ret = wc_MlKemKey_DecodePublicKey(key, data, len);
         }
-    }
-
-    if (ret != 0) {
-        wc_MlKemKey_Free(key);
+        if (ret != 0) {
+            wc_MlKemKey_Free(key);
+        }
     }
 
     return ret;
@@ -4922,7 +4930,7 @@ static int wp11_Object_Decode_MlKemKey(WP11_Object* object)
         unsigned char* der;
         int len;
 
-        if (object->keyDataLen < AES_BLOCK_SIZE)
+        if (object->keyDataLen <= AES_BLOCK_SIZE)
             return BAD_FUNC_ARG;
         len = object->keyDataLen - AES_BLOCK_SIZE;
 
@@ -9403,7 +9411,9 @@ int WP11_Object_SetMlKemKey(WP11_Object* object, unsigned char** data,
                                     object->devId);
             break;
         default:
-            ret = ASN_PARSE_E;
+            if (object->onToken)
+                WP11_Lock_UnlockRW(object->lock);
+            return ASN_PARSE_E;
     }
 
     /* Set seed (only for private keys). */
@@ -13387,6 +13397,13 @@ int WP11_MlKem_GenerateKeyPair(WP11_Object* pub, WP11_Object* priv,
         ret = wc_MlKemKey_EncodePublicKey(priv->data.mlKemKey, pubKeyBytes,
                                           pubKeyLen);
     }
+    if (ret == 0) {
+        /* Re-init the public key before decoding into it since it was
+         * already Init'd during NewObject -> WP11_Object_SetMlKemKey. */
+        wc_MlKemKey_Free(pub->data.mlKemKey);
+        ret = wc_MlKemKey_Init(pub->data.mlKemKey, priv->data.mlKemKey->type,
+                               NULL, pub->devId);
+    }
     if (ret == 0) {
         ret = wc_MlKemKey_DecodePublicKey(pub->data.mlKemKey, pubKeyBytes,
                                           pubKeyLen);
@@ -13423,7 +13440,7 @@ int WP11_MlKem_Encapsulate(WP11_Object* pub, unsigned char** sharedSecret,
     int ret;
     int rngInit = 0;
     WC_RNG rng;
-    MlKemKey* mlKemKey = pub->data.mlKemKey;
+    MlKemKey* mlKemKey;
     word32 ctLen = 0;
 
     *sharedSecret = NULL;
@@ -13436,6 +13453,7 @@ int WP11_MlKem_Encapsulate(WP11_Object* pub, unsigned char** sharedSecret,
     if (pub->onToken)
         WP11_Lock_LockRO(pub->lock);
 
+    mlKemKey = pub->data.mlKemKey;
     ret = wc_MlKemKey_CipherTextSize(mlKemKey, &ctLen);
     if (ret == 0) {
         if (pCiphertext == NULL) {
@@ -13501,7 +13519,7 @@ int WP11_MlKem_Decapsulate(WP11_Object* priv, unsigned char** sharedSecret,
                            CK_ULONG ulCiphertextLen)
 {
     int ret;
-    MlKemKey* mlKemKey = priv->data.mlKemKey;
+    MlKemKey* mlKemKey;
 
     *sharedSecret = NULL;
 
@@ -13513,6 +13531,7 @@ int WP11_MlKem_Decapsulate(WP11_Object* priv, unsigned char** sharedSecret,
     if (priv->onToken)
         WP11_Lock_LockRO(priv->lock);
 
+    mlKemKey = priv->data.mlKemKey;
     ret = wc_MlKemKey_SharedSecretSize(mlKemKey, ssLen);
     if (ret == 0) {
         *sharedSecret = (unsigned char*)XMALLOC(*ssLen, NULL,
 
@@ -45,7 +45,7 @@
 
 #include "testdata.h"
 
-#ifndef NO_PWDBASED
+#if !defined(NO_PWDBASED) && !defined(NO_HMAC)
 
 #define TEST_DIR "./store/pbkdf2_keygen_attrs_test"
 #define WOLFPKCS11_TOKEN_FILENAME "wp11_token_0000000000000001"
@@ -428,14 +428,14 @@ int main(int argc, char* argv[])
     return (test_failed == 0) ? 0 : 1;
 }
 
-#else /* NO_PWDBASED */
+#else /* NO_PWDBASED || NO_HMAC */
 
 int main(int argc, char* argv[])
 {
     (void)argc;
     (void)argv;
 
-    printf("PWDBASED not available, skipping PBKDF2 keygen attributes test\n");
+    printf("PWDBASED/HMAC not available, skipping PBKDF2 keygen attributes test\n");
     return 0;
 }
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@`
`45`	`45`
`46`	`46`	`#include "testdata.h"`
`47`	`47`
`48`		`-#ifndef NO_PWDBASED`
	`48`	`+#if !defined(NO_PWDBASED) && !defined(NO_HMAC)`
`49`	`49`
`50`	`50`	`#define TEST_DIR "./store/pbkdf2_keygen_attrs_test"`
`51`	`51`	`#define WOLFPKCS11_TOKEN_FILENAME "wp11_token_0000000000000001"`
`@@ -428,14 +428,14 @@ int main(int argc, char* argv[])`
`428`	`428`	`return (test_failed == 0) ? 0 : 1;`
`429`	`429`	`}`
`430`	`430`
`431`		`-#else /* NO_PWDBASED */`
	`431`	`+#else /* NO_PWDBASED \|\| NO_HMAC */`
`432`	`432`
`433`	`433`	`int main(int argc, char* argv[])`
`434`	`434`	`{`
`435`	`435`	`(void)argc;`
`436`	`436`	`(void)argv;`
`437`	`437`
`438`		`- printf("PWDBASED not available, skipping PBKDF2 keygen attributes test\n");`
	`438`	`+ printf("PWDBASED/HMAC not available, skipping PBKDF2 keygen attributes test\n");`
`439`	`439`	`return 0;`
`440`	`440`	`}`
`441`	`441`