Fix build issues and findings

Author: LinuxJedi

src/crypto.c

@@ -4093,6 +4093,8 @@ CK_RV C_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey)
 
     if (ret < 0)
         return CKR_FUNCTION_FAILED;
+    if (ret > 0)
+        return (CK_RV)ret;
     return CKR_OK;
 }
 
@@ -6704,9 +6706,6 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
     CK_RV rv = CKR_OK;
     WP11_Session* session = NULL;
     WP11_Object* key = NULL;
-    CK_BBOOL trueVar = CK_TRUE;
-    CK_BBOOL getVar;
-    CK_ULONG getVarLen = sizeof(CK_BBOOL);
     CK_KEY_TYPE keyType;
 
     WOLFPKCS11_ENTER("C_GenerateKey");
@@ -6916,37 +6915,21 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                 ret = WP11_Object_SetSecretKey(pbkdf2Key, secretKeyData, secretKeyLen);
                 if (ret == 0) {
                     WP11_Object_SetKeyGeneration(pbkdf2Key, pMechanism->mechanism);
-                    rv = AddObject(session, pbkdf2Key, pTemplate, ulCount, phKey);
-                    if (rv != CKR_OK) {
-                        WP11_Object_Free(pbkdf2Key);
-                    }
+                    rv = SetInitialStates(pbkdf2Key);
                 } else {
-                    WP11_Object_Free(pbkdf2Key);
                     rv = CKR_FUNCTION_FAILED;
                 }
+                if (rv == CKR_OK) {
+                    rv = AddObject(session, pbkdf2Key, pTemplate, ulCount, phKey);
+                }
+                if (rv != CKR_OK) {
+                    WP11_Object_Free(pbkdf2Key);
+                }
             }
 
             wc_ForceZero(derivedKey, derivedKeyLen);
             XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 
-            if (rv == CKR_OK) {
-                rv = WP11_Object_GetAttr(pbkdf2Key, CKA_SENSITIVE, &getVar,
-                                         &getVarLen);
-                if ((rv == CKR_OK) && (getVar == CK_TRUE)) {
-                    rv = WP11_Object_SetAttr(pbkdf2Key, CKA_ALWAYS_SENSITIVE,
-                                             &trueVar, sizeof(CK_BBOOL));
-                }
-                if (rv == CKR_OK) {
-                    rv = WP11_Object_GetAttr(pbkdf2Key, CKA_EXTRACTABLE,
-                                             &getVar, &getVarLen);
-                    if ((rv == CKR_OK) && (getVar == CK_FALSE)) {
-                        rv = WP11_Object_SetAttr(pbkdf2Key,
-                                                 CKA_NEVER_EXTRACTABLE,
-                                                 &trueVar, sizeof(CK_BBOOL));
-                    }
-                }
-            }
-
             return rv;
         }
 #ifdef WOLFPKCS11_NSS
@@ -7033,37 +7016,21 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                 ret = WP11_Object_SetSecretKey(pbeKey, secretKeyData, secretKeyLen);
                 if (ret == 0) {
                     WP11_Object_SetKeyGeneration(pbeKey, pMechanism->mechanism);
-                    rv = AddObject(session, pbeKey, pTemplate, ulCount, phKey);
-                    if (rv != CKR_OK) {
-                        WP11_Object_Free(pbeKey);
-                    }
+                    rv = SetInitialStates(pbeKey);
                 } else {
-                    WP11_Object_Free(pbeKey);
                     rv = CKR_FUNCTION_FAILED;
                 }
+                if (rv == CKR_OK) {
+                    rv = AddObject(session, pbeKey, pTemplate, ulCount, phKey);
+                }
+                if (rv != CKR_OK) {
+                    WP11_Object_Free(pbeKey);
+                }
             }
 
             wc_ForceZero(derivedKey, derivedKeyLen);
             XFREE(derivedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 
-            if (rv == CKR_OK) {
-                rv = WP11_Object_GetAttr(pbeKey, CKA_SENSITIVE, &getVar,
-                                         &getVarLen);
-                if ((rv == CKR_OK) && (getVar == CK_TRUE)) {
-                    rv = WP11_Object_SetAttr(pbeKey, CKA_ALWAYS_SENSITIVE,
-                                             &trueVar, sizeof(CK_BBOOL));
-                }
-                if (rv == CKR_OK) {
-                    rv = WP11_Object_GetAttr(pbeKey, CKA_EXTRACTABLE,
-                                             &getVar, &getVarLen);
-                    if ((rv == CKR_OK) && (getVar == CK_FALSE)) {
-                        rv = WP11_Object_SetAttr(pbeKey,
-                                                 CKA_NEVER_EXTRACTABLE,
-                                                 &trueVar, sizeof(CK_BBOOL));
-                    }
-                }
-            }
-
             return rv;
         }
 #endif
@@ -7094,29 +7061,16 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession,
                                              WP11_Session_GetSlot(session),
                                              pMechanism->mechanism);
             if (ret != 0) {
-                WP11_Object_Free(key);
                 rv = CKR_FUNCTION_FAILED;
             }
-            else {
-               rv = AddObject(session, key, pTemplate, ulCount, phKey);
-               if (rv != CKR_OK) {
-                   WP11_Object_Free(key);
-               }
-            }
-        }
-    }
-    if (rv == CKR_OK) {
-        rv = WP11_Object_GetAttr(key, CKA_SENSITIVE, &getVar, &getVarLen);
-        if ((rv == CKR_OK) && (getVar == CK_TRUE)) {
-            rv = WP11_Object_SetAttr(key, CKA_ALWAYS_SENSITIVE, &trueVar,
-                                     sizeof(CK_BBOOL));
         }
+        if (rv == CKR_OK)
+            rv = SetInitialStates(key);
         if (rv == CKR_OK) {
-            rv = WP11_Object_GetAttr(key, CKA_EXTRACTABLE, &getVar, &getVarLen);
-            if ((rv == CKR_OK) && (getVar == CK_FALSE)) {
-                rv = WP11_Object_SetAttr(key, CKA_NEVER_EXTRACTABLE, &trueVar,
-                                     sizeof(CK_BBOOL));
-            }
+            rv = AddObject(session, key, pTemplate, ulCount, phKey);
+        }
+        if (rv != CKR_OK && key != NULL) {
+            WP11_Object_Free(key);
         }
     }
 
@@ -9052,11 +9006,11 @@ CK_RV C_EncapsulateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
                                            secretKeyLen);
             if (ret != 0)
                 rv = CKR_FUNCTION_FAILED;
+            if (rv == CKR_OK)
+                rv = SetInitialStates(secretObj);
             if (rv == CKR_OK)
                 rv = AddObject(session, secretObj, pTemplate, ulAttributeCount,
                                phKey);
-            if (rv == CKR_OK)
-                rv = SetInitialStates(secretObj);
         }
         if (rv != CKR_OK && secretObj != NULL) {
             WP11_Object_Free(secretObj);
@@ -9158,11 +9112,11 @@ CK_RV C_DecapsulateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
                                            secretKeyLen);
             if (ret != 0)
                 rv = CKR_FUNCTION_FAILED;
+            if (rv == CKR_OK)
+                rv = SetInitialStates(secretObj);
             if (rv == CKR_OK)
                 rv = AddObject(session, secretObj, pTemplate, ulAttributeCount,
                                phKey);
-            if (rv == CKR_OK)
-                rv = SetInitialStates(secretObj);
         }
         if (rv != CKR_OK && secretObj != NULL) {
             WP11_Object_Free(secretObj);

src/internal.c

@@ -2699,6 +2699,15 @@ int WP11_Object_Copy(WP11_Object *src, WP11_Object *dest)
         else
 #endif
         {
+#ifndef WOLFPKCS11_NO_STORE
+            /* When the source key is encoded (encrypted at rest), the crypto
+             * key struct has been freed. The keyData blob is already copied
+             * above via OBJ_COPY_DATA, so skip the deep key copy. */
+            if (src->encoded) {
+                dest->type = src->type;
+            }
+            else
+#endif
             switch (src->type) {
 #ifndef NO_RSA
                 case CKK_RSA: {
@@ -4896,10 +4905,9 @@ static int MlKemKeyTryDecode(MlKemKey* key, int level, byte* data, word32 len,
         else {
             ret = wc_MlKemKey_DecodePublicKey(key, data, len);
         }
-    }
-
-    if (ret != 0) {
-        wc_MlKemKey_Free(key);
+        if (ret != 0) {
+            wc_MlKemKey_Free(key);
+        }
     }
 
     return ret;
@@ -4922,7 +4930,7 @@ static int wp11_Object_Decode_MlKemKey(WP11_Object* object)
         unsigned char* der;
         int len;
 
-        if (object->keyDataLen < AES_BLOCK_SIZE)
+        if (object->keyDataLen <= AES_BLOCK_SIZE)
             return BAD_FUNC_ARG;
         len = object->keyDataLen - AES_BLOCK_SIZE;
 
@@ -9403,7 +9411,9 @@ int WP11_Object_SetMlKemKey(WP11_Object* object, unsigned char** data,
                                     object->devId);
             break;
         default:
-            ret = ASN_PARSE_E;
+            if (object->onToken)
+                WP11_Lock_UnlockRW(object->lock);
+            return ASN_PARSE_E;
     }
 
     /* Set seed (only for private keys). */
@@ -13387,6 +13397,13 @@ int WP11_MlKem_GenerateKeyPair(WP11_Object* pub, WP11_Object* priv,
         ret = wc_MlKemKey_EncodePublicKey(priv->data.mlKemKey, pubKeyBytes,
                                           pubKeyLen);
     }
+    if (ret == 0) {
+        /* Re-init the public key before decoding into it since it was
+         * already Init'd during NewObject -> WP11_Object_SetMlKemKey. */
+        wc_MlKemKey_Free(pub->data.mlKemKey);
+        ret = wc_MlKemKey_Init(pub->data.mlKemKey, priv->data.mlKemKey->type,
+                               NULL, pub->devId);
+    }
     if (ret == 0) {
         ret = wc_MlKemKey_DecodePublicKey(pub->data.mlKemKey, pubKeyBytes,
                                           pubKeyLen);
@@ -13423,7 +13440,7 @@ int WP11_MlKem_Encapsulate(WP11_Object* pub, unsigned char** sharedSecret,
     int ret;
     int rngInit = 0;
     WC_RNG rng;
-    MlKemKey* mlKemKey = pub->data.mlKemKey;
+    MlKemKey* mlKemKey;
     word32 ctLen = 0;
 
     *sharedSecret = NULL;
@@ -13436,6 +13453,7 @@ int WP11_MlKem_Encapsulate(WP11_Object* pub, unsigned char** sharedSecret,
     if (pub->onToken)
         WP11_Lock_LockRO(pub->lock);
 
+    mlKemKey = pub->data.mlKemKey;
     ret = wc_MlKemKey_CipherTextSize(mlKemKey, &ctLen);
     if (ret == 0) {
         if (pCiphertext == NULL) {
@@ -13501,7 +13519,7 @@ int WP11_MlKem_Decapsulate(WP11_Object* priv, unsigned char** sharedSecret,
                            CK_ULONG ulCiphertextLen)
 {
     int ret;
-    MlKemKey* mlKemKey = priv->data.mlKemKey;
+    MlKemKey* mlKemKey;
 
     *sharedSecret = NULL;
 
@@ -13513,6 +13531,7 @@ int WP11_MlKem_Decapsulate(WP11_Object* priv, unsigned char** sharedSecret,
     if (priv->onToken)
         WP11_Lock_LockRO(priv->lock);
 
+    mlKemKey = priv->data.mlKemKey;
     ret = wc_MlKemKey_SharedSecretSize(mlKemKey, ssLen);
     if (ret == 0) {
         *sharedSecret = (unsigned char*)XMALLOC(*ssLen, NULL,

tests/pbkdf2_keygen_attrs_test.c

@@ -45,7 +45,7 @@
 
 #include "testdata.h"
 
-#ifndef NO_PWDBASED
+#if !defined(NO_PWDBASED) && !defined(NO_HMAC)
 
 #define TEST_DIR "./store/pbkdf2_keygen_attrs_test"
 #define WOLFPKCS11_TOKEN_FILENAME "wp11_token_0000000000000001"
@@ -428,14 +428,14 @@ int main(int argc, char* argv[])
     return (test_failed == 0) ? 0 : 1;
 }
 
-#else /* NO_PWDBASED */
+#else /* NO_PWDBASED || NO_HMAC */
 
 int main(int argc, char* argv[])
 {
     (void)argc;
     (void)argv;
 
-    printf("PWDBASED not available, skipping PBKDF2 keygen attributes test\n");
+    printf("PWDBASED/HMAC not available, skipping PBKDF2 keygen attributes test\n");
     return 0;
 }