Fenrir wolfPKCS11 Findings and Test Additions #177

Open
aidangarske wants to merge 4 commits into wolfSSL:master from aidangarske:fenrir-fixes-1


@aidangarske
Member

Description

Verified with new tests

  • 1618 - C_FindObjects/C_FindObjectsFinal missing operation check test in test_find_objects_null_template
  • 1619 - C_Logout no login check test in test_logout_not_logged_in
  • 1620 - C_CreateObject/C_CopyObject/C_DestroyObject blocking RO session objects test in test_create_session_obj_ro_session
  • 1622 - C_SetAttributeValue blocking RO session objects test in test_create_session_obj_ro_session
  • 1623 - C_WrapKey incorrectly requiring RW session test in test_wrap_key_ro_session
  • 1624 - C_UnwrapKey blocking RO session objects test in test_wrap_key_ro_session
  • 1630 - C_Encrypt CK_ULONG-to-word32 truncation test in test_encrypt_data_len_range
  • 1632 - C_EncryptUpdate truncation test in test_encrypt_data_len_range
  • 1633 - C_DecryptUpdate truncation test in test_encrypt_data_len_range
  • 1634 - C_Decrypt AES-CBC/ECB truncation test in test_encrypt_data_len_range

Verified by static analysis / code inspection

  • 1617 - C_GetAttributeValue early return on first bad attribute
  • 1621 - C_VerifyRecoverInit missing operation-active check
  • 1629 - C_GenerateKeyPair dangling pointers on error path

Generic code review verification

  • 1607 - OAEP label leak on re-init
  • 1608 - wc_ecc_set_rng called after failed Rng_New
  • 1609 - WP11_Rsa_Verify_Recover missing token lock
  • 1612 - GCM AAD leak on re-init
  • 1613 - CCM AAD leak on re-init
  • 1614 - WP11_Rsa_Sign lock acquired after key access
  • 1615 - WP11_EC_Derive lock acquired too late
  • 1631 - PIN hash left on stack without secure clearing

…1, 1629, 1607, 1608, 1609, 1612, 1613, 1614, 1615, 1631
@aidangarske aidangarske self-assigned this Apr 1, 2026
Copilot AI review requested due to automatic review settings April 1, 2026 00:36

This comment was marked as resolved.


@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Fenrir Automated Review — PR #177

Scan targets checked: wolfpkcs11-bugs, wolfpkcs11-compliance, wolfpkcs11-src

No new issues found in the changed files. ✅

…F_LONG > 4

  - CKA_TOKEN attribute validation — added ulValueLen == sizeof(CK_BBOOL) checks in C_CreateObject, C_CopyObject, and C_UnwrapKey RO-session guards
  - CK_ULONG_FITS_WORD32 overhead — macro now reserves 64 bytes of headroom for tags/padding/wrap blocks to prevent near-UINT32_MAX overflow in downstream word32 arithmetic
@aidangarske aidangarske requested review from Copilot and removed request for Copilot April 2, 2026 15:42
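
An added illustration of the CK_ULONG-to-word32 truncation and the headroom check described in the commit note above; it is not code from this pull request or from wolfPKCS11. The type names, function names and the 16-byte tag are assumptions; the 64-byte headroom is the figure the note gives.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins, not wolfPKCS11 definitions: a 64-bit caller
 * length (CK_ULONG on LP64 platforms) and a 32-bit internal length. */
typedef uint64_t caller_len_t;
typedef uint32_t internal_len_t;

#define HEADROOM 64u  /* figure from the commit note */
#define TAG_LEN  16u  /* assumed authentication tag size */

/* Unsafe narrowing: the cast silently drops the upper 32 bits. */
static internal_len_t narrow_unchecked(caller_len_t len)
{
    return (internal_len_t)len;
}

/* 1 if len fits in 32 bits with HEADROOM bytes to spare, else 0. */
static int fits_with_headroom(caller_len_t len)
{
    return len <= (caller_len_t)(UINT32_MAX - HEADROOM);
}

/* Downstream 32-bit arithmetic on an unchecked length: can wrap. */
static internal_len_t tagged_len_unchecked(caller_len_t len)
{
    return narrow_unchecked(len) + TAG_LEN;
}

/* Same arithmetic behind the guard; returns -1 when the length is rejected. */
static int64_t tagged_len_checked(caller_len_t len)
{
    if (!fits_with_headroom(len))
        return -1;
    return (int64_t)((internal_len_t)len + TAG_LEN);
}

int main(void)
{
    caller_len_t samples[] = { 1024u, 0xFFFFFFF8ull, 0x100000010ull }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#llx: unchecked=%#x checked=%lld\n",
               (unsigned long long)samples[i],
               (unsigned)tagged_len_unchecked(samples[i]),
               (long long)tagged_len_checked(samples[i]));
    return 0;
}
```

The second sample fits in 32 bits yet still wraps once the tag is added, which is the case a plain "fits in word32" comparison misses and the headroom closes.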
4 participants