Fix CI for mldsa, firefox and nss tests

aidangarske · aidangarske · commit e463dd7344eb · 2026-04-10T15:21:59.000-07:00
diff --git a/src/crypto.c b/src/crypto.c
@@ -514,9 +514,11 @@ static CK_RV SetAttributeDefaults(WP11_Object* obj, CK_OBJECT_CLASS keyType,
                                     ulCount);
             break;
         case CKO_SECRET_KEY:
+#ifndef WOLFPKCS11_NSS
             if (ret == CKR_OK)
                 ret = SetIfNotFound(obj, CKA_SENSITIVE, trueVal, pTemplate,
                                     ulCount);
+#endif
             if (ret == CKR_OK)
                 ret = SetIfNotFound(obj, CKA_EXTRACTABLE, trueVal, pTemplate,
                                     ulCount);
@@ -534,12 +536,19 @@ static CK_RV SetAttributeDefaults(WP11_Object* obj, CK_OBJECT_CLASS keyType,
                                     ulCount);
             break;
         case CKO_PRIVATE_KEY:
+#ifndef WOLFPKCS11_NSS
             if (ret == CKR_OK)
                 ret = SetIfNotFound(obj, CKA_SENSITIVE, trueVal, pTemplate,
                                     ulCount);
             if (ret == CKR_OK)
                 ret = SetIfNotFound(obj, CKA_EXTRACTABLE, falseVal, pTemplate,
                                     ulCount);
+#else
+            /* NSS needs extractable private keys as internal crypto module */
+            if (ret == CKR_OK)
+                ret = SetIfNotFound(obj, CKA_EXTRACTABLE, trueVal, pTemplate,
+                                    ulCount);
+#endif
             if (ret == CKR_OK)
                 ret = SetIfNotFound(obj, CKA_DECRYPT, encrypt, pTemplate,
                                     ulCount);
diff --git a/src/internal.c b/src/internal.c
@@ -964,7 +964,12 @@ static void wp11_Session_Final(WP11_Session* session)
 #ifdef HAVE_AESCMAC
     if ((session->init & ~WP11_INIT_DIGEST_MASK) == WP11_INIT_AES_CMAC_SIGN ||
         (session->init & ~WP11_INIT_DIGEST_MASK) == WP11_INIT_AES_CMAC_VERIFY) {
+#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3))
         (void)wc_CmacFree(&session->params.cmac.cmac);
+#else
+        wc_ForceZero(&session->params.cmac.cmac,
+                      sizeof(session->params.cmac.cmac));
+#endif
         session->init = 0;
     }
 #endif
@@ -6981,8 +6986,8 @@ void WP11_Slot_Logout(WP11_Slot* slot)
             ret = wp11_Object_Encode(object, 1);
             object = object->next;
         }
+        wc_ForceZero(slot->token.key, sizeof(slot->token.key));
     }
-    wc_ForceZero(slot->token.key, sizeof(slot->token.key));
 #endif
     slot->token.loginState = WP11_APP_STATE_RW_PUBLIC;
 
@@ -12364,6 +12369,12 @@ int WP11_Mldsa_Verify(unsigned char* sig, word32 sigLen, unsigned char* data,
                     params->ctxSz, params->preHashType, data, dataLen, stat,
                     pub->data.mldsaKey);
         }
+        /* wolfCrypt may return SIG_VERIFY_E instead of stat=0 for invalid
+         * signatures. Map to stat=0 so caller returns CKR_SIGNATURE_INVALID. */
+        if (ret == SIG_VERIFY_E) {
+            *stat = 0;
+            ret = 0;
+        }
     }
 
     XFREE(params->ctx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -14256,6 +14267,8 @@ int WP11_Digest_Single(unsigned char* data, word32 dataLen,
     WP11_Digest* digest = &session->params.digest;
 
     blockLen = wc_HashGetDigestSize(digest->hashType);
+    if (blockLen < 0)
+        return CKR_FUNCTION_FAILED;
 
     if (dataOut == NULL) {
         *dataOutLen = (word32)blockLen;
@@ -14265,6 +14278,7 @@ int WP11_Digest_Single(unsigned char* data, word32 dataLen,
         return BUFFER_E;
     }
     ret = wc_Hash(digest->hashType, data, dataLen, dataOut, *dataOutLen);
+    *dataOutLen = (word32)blockLen;
 
     wc_HashFree(&digest->hash, digest->hashType);
 
diff --git a/tests/pkcs11test.c b/tests/pkcs11test.c
@@ -6051,6 +6051,7 @@ static CK_RV test_generate_key_pair(void* args)
     return ret;
 }
 
+#ifndef WOLFPKCS11_NSS
 static CK_RV test_private_key_secure_defaults(void* args)
 {
     CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args;
@@ -6104,6 +6105,7 @@ static CK_RV test_private_key_secure_defaults(void* args)
 
     return ret;
 }
+#endif /* !WOLFPKCS11_NSS */
 #endif
 
 #if defined(HAVE_AES_KEYWRAP) && !defined(WOLFPKCS11_NO_STORE)
@@ -17298,8 +17300,10 @@ static TEST_FUNC testFunc[] = {
     PKCS11TEST_FUNC_SESS_DECL(test_generate_key),
 #if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN)
     PKCS11TEST_FUNC_SESS_DECL(test_generate_key_pair),
+#ifndef WOLFPKCS11_NSS
     PKCS11TEST_FUNC_SESS_DECL(test_private_key_secure_defaults),
 #endif
+#endif
 #if defined(HAVE_AES_KEYWRAP) && !defined(WOLFPKCS11_NO_STORE)
     PKCS11TEST_FUNC_SESS_DECL(test_aes_wrap_unwrap_key),
     PKCS11TEST_FUNC_SESS_DECL(test_aes_wrap_unwrap_pad_key),
