Merge pull request #104 from LinuxJedi/fix-jenkins

dgarske · web-flow · commit 1c3df168abae · 2025-06-25T07:14:06.000-07:00
Fix issues found by Jenkins FIPS test
diff --git a/examples/add_cert_file.c b/examples/add_cert_file.c
@@ -148,7 +148,7 @@ static CK_RV load_cert(char* filename, unsigned char **certData,
                        CK_ULONG *certDataLen)
 {
     int ret = 0;
-    unsigned char *buffer;
+    unsigned char *buffer = NULL;
     int len;
     XFILE file;
 
diff --git a/src/internal.c b/src/internal.c
@@ -9269,19 +9269,43 @@ int WP11_EC_Derive(unsigned char* point, word32 pointLen, unsigned char* key,
 {
     int ret;
     ecc_key pubKey;
+    unsigned char* x963Data = point;
+    word32 x963Len = pointLen;
+    int dataLen;
+    int i = 0;
 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
     (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)))
     WC_RNG rng;
 #endif
 
+    /* Check if the point data is DER-encoded (starts with OCTET STRING tag) */
+    if (pointLen >= 3 && point[0] == ASN_OCTET_STRING) {
+        /* Strip DER encoding - similar to EcSetPoint function */
+        i = 1;
+        if (point[i] >= ASN_LONG_LENGTH) {
+            if (point[i] == (ASN_LONG_LENGTH | 1)) {
+                i++;
+            }
+            else {
+                ret = ASN_PARSE_E;
+                goto cleanup;
+            }
+        }
+        dataLen = point[i++];
+        if (dataLen == (int)(pointLen - i)) {
+            x963Data = point + i;
+            x963Len = dataLen;
+        }
+    }
+
     ret = wc_ecc_init_ex(&pubKey, NULL, priv->slot->devId);
     if (ret == 0) {
         if (priv->data.ecKey.dp) {
-            ret = wc_ecc_import_x963_ex(point, pointLen, &pubKey,
+            ret = wc_ecc_import_x963_ex(x963Data, x963Len, &pubKey,
                                         priv->data.ecKey.dp->id);
         }
         else {
-            ret = wc_ecc_import_x963(point, pointLen, &pubKey);
+            ret = wc_ecc_import_x963(x963Data, x963Len, &pubKey);
         }
     }
 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
@@ -9305,6 +9329,7 @@ int WP11_EC_Derive(unsigned char* point, word32 pointLen, unsigned char* key,
 #endif
     }
 
+cleanup:
     wc_ecc_free(&pubKey);
 
     return ret;
diff --git a/tests/pkcs11test.c b/tests/pkcs11test.c
@@ -10146,12 +10146,14 @@ static CK_RV test_tls_mac_tls_prf(void* args)
     CK_RV ret;
     CK_OBJECT_HANDLE key;
     static unsigned char keyData[] = {
-        0x74, 0x9A, 0xBD, 0xAA, 0x2A, 0x52, 0x07, 0x47,
-        0xD6, 0xA6, 0x36, 0xB2, 0x07, 0x32, 0x8E, 0xD0,
+        0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
+        0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00,
+        0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
+        0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00
     };
     static unsigned char exp[] = {
-        0x17, 0x74, 0x60, 0x8b, 0x2c, 0x7d, 0x75, 0x60,
-        0xe7, 0x2d, 0xef, 0x6c
+        0xda, 0x00, 0x2c, 0x57, 0xfc, 0x41, 0xdb, 0xb5,
+        0x34, 0x04, 0x07, 0xdc
     };
 
     ret = get_generic_key(session, keyData, sizeof(keyData), CK_FALSE, &key);
@@ -11693,26 +11695,26 @@ static CK_RV test_hkdf_derive_extract_then_expand_salt_data(void* args)
 
     CK_BYTE salt_bytes[] = {
         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-        0x08, 0x09, 0x0a, 0x0b, 0x0c
+        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
     };
     CK_BYTE expected_prk[] = {
-        0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
-        0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
-        0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
-        0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5
+        0x77, 0x9e, 0x31, 0x7a, 0x04, 0x47, 0xae, 0x12,
+        0x06, 0x79, 0xa6, 0x78, 0x6d, 0x66, 0x6d, 0x95,
+        0x75, 0x14, 0x0e, 0x73, 0xbc, 0xa2, 0xcc, 0xde,
+        0xb0, 0xc1, 0xe5, 0x50, 0xdc, 0xd7, 0x62, 0x31
     };
     CK_BYTE ikm_tc1_hex[] = {
         0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
         0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
         0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
     };
     CK_BYTE expected_okm[] = {
-        0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
-        0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
-        0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
-        0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
-        0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
-        0x58, 0x65
+        0xdb, 0x32, 0x19, 0x87, 0x36, 0xee, 0x02, 0x1e,
+        0x65, 0x8c, 0xcc, 0xa7, 0xd6, 0x21, 0xc5, 0xe7,
+        0x9e, 0x81, 0xda, 0x48, 0xc6, 0xa3, 0x6c, 0x8b,
+        0x41, 0x2b, 0xce, 0xbe, 0x5e, 0x86, 0xf1, 0xc1,
+        0x83, 0x7b, 0xf5, 0xa4, 0xf5, 0x94, 0xe3, 0x37,
+        0x33, 0xb8
     };
     CK_BYTE info_bytes[] = {
         0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
@@ -11873,7 +11875,7 @@ static CK_RV test_hkdf_derive_extract_then_expand_salt_data(void* args)
     }
 
     if (ret == CKR_OK) {
-        if (XMEMCMP(expected_okm, derived_value2, sizeof(expected_prk))) {
+        if (XMEMCMP(expected_okm, derived_value2, sizeof(expected_okm))) {
             ret = CKR_DATA_INVALID;
             CHECK_CKR(ret, "Derived PRK doesn't match");
         }
@@ -11891,15 +11893,15 @@ static CK_RV test_hkdf_derive_extract_with_expand_salt_data(void* args)
 
     CK_BYTE salt_bytes[] = {
         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-        0x08, 0x09, 0x0a, 0x0b, 0x0c
+        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
     };
     CK_BYTE expected_okm[] = {
-        0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
-        0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
-        0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
-        0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
-        0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
-        0x58, 0x65
+        0xdb, 0x32, 0x19, 0x87, 0x36, 0xee, 0x02, 0x1e,
+        0x65, 0x8c, 0xcc, 0xa7, 0xd6, 0x21, 0xc5, 0xe7,
+        0x9e, 0x81, 0xda, 0x48, 0xc6, 0xa3, 0x6c, 0x8b,
+        0x41, 0x2b, 0xce, 0xbe, 0x5e, 0x86, 0xf1, 0xc1,
+        0x83, 0x7b, 0xf5, 0xa4, 0xf5, 0x94, 0xe3, 0x37,
+        0x33, 0xb8
     };
     CK_BYTE info_bytes[] = {
         0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
@@ -12130,16 +12132,16 @@ static CK_RV test_hkdf_derive_extract_with_expand_salt_key(void* args)
 
     CK_BYTE salt_bytes[] = {
         0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-        0x08, 0x09, 0x0a, 0x0b, 0x0c
+        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
     };
     CK_ULONG salt_bytes_len = sizeof(salt_bytes);
     CK_BYTE expected_okm[] = {
-        0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
-        0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
-        0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
-        0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
-        0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
-        0x58, 0x65
+        0xdb, 0x32, 0x19, 0x87, 0x36, 0xee, 0x02, 0x1e,
+        0x65, 0x8c, 0xcc, 0xa7, 0xd6, 0x21, 0xc5, 0xe7,
+        0x9e, 0x81, 0xda, 0x48, 0xc6, 0xa3, 0x6c, 0x8b,
+        0x41, 0x2b, 0xce, 0xbe, 0x5e, 0x86, 0xf1, 0xc1,
+        0x83, 0x7b, 0xf5, 0xa4, 0xf5, 0x94, 0xe3, 0x37,
+        0x33, 0xb8
     };
     CK_BYTE info_bytes[] = {
         0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
diff --git a/wolfpkcs11/internal.h b/wolfpkcs11/internal.h
@@ -35,6 +35,10 @@
 #include <wolfpkcs11/pkcs11.h>
 #include <wolfpkcs11/version.h>
 
+#ifdef HAVE_FIPS
+    #define NO_MD5
+#endif
+
 /* store requires AES */
 #ifdef NO_AES
     #undef  WOLFPKCS11_NO_STORE

Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,7 @@ static CK_RV load_cert(char* filename, unsigned char **certData,`
`148`	`148`	`CK_ULONG *certDataLen)`
`149`	`149`	`{`
`150`	`150`	`int ret = 0;`
`151`		`- unsigned char *buffer;`
	`151`	`+ unsigned char *buffer = NULL;`
`152`	`152`	`int len;`
`153`	`153`	`XFILE file;`
`154`	`154`