Fix Fenrir static analysis findings

Address Fenrir findings covering missing object attribute
enforcement, missing operation termination on error paths, and an
authentication fail-open on the SO PIN check.

Attribute enforcement:
- C_CopyObject rejects non-copyable objects (CKR_ACTION_PROHIBITED).
- C_DestroyObject rejects non-destroyable objects (CKR_ACTION_PROHIBITED).
- C_DeriveKey enforces CKA_DERIVE on the base key.
- C_EncapsulateKey/C_DecapsulateKey enforce CKA_ENCAPSULATE/DECAPSULATE
  and return CKR_KEY_FUNCTION_NOT_PERMITTED.
- C_SetAttributeValue rejects flipping CKA_COPYABLE/CKA_DESTROYABLE
  from CK_FALSE back to CK_TRUE per PKCS#11 v2.40 sec. 4.4.1.
- CKA_COPYABLE/CKA_DESTROYABLE are now stored via inverted opFlag bits
  (WP11_FLAG_NOT_COPYABLE/NOT_DESTROYABLE) so the values survive
  C_GetAttributeValue/C_SetAttributeValue round trips.

CKA_COPYABLE default flips from CK_FALSE to CK_TRUE to match the
PKCS#11 spec. The legacy read-back behavior is preserved behind
WOLFPKCS11_LEGACY_COPYABLE_FALSE_DEFAULT. The C_CopyObject gate reads
the stored flag bit directly via WP11_Object_IsCopyable so the legacy
macro never disables copy for objects that explicitly opted in.

Operation termination: C_Encrypt, C_Decrypt, C_EncryptUpdate,
C_DecryptUpdate, C_DigestUpdate, C_SignUpdate, C_VerifyUpdate, and
C_DigestKey now call WP11_Session_SetOpInitialized(session, 0) on
their early-return error paths so a follow-up *Init succeeds.
C_DigestKey preserves positive CK_RV returns (e.g.
CKR_FUNCTION_NOT_SUPPORTED on WOLFPKCS11_NO_STORE builds) instead of
collapsing them to CKR_FUNCTION_FAILED.

SO PIN check: WP11_Slot_CheckSOPin no longer accepts an empty PIN
when the SO PIN has not been set. Previously the empty-PIN
constant-compare against the zero-length unset PIN returned equal,
granting WP11_APP_STATE_RW_SO without authentication.

C_CopyObject and C_DestroyObject now run the COPYABLE/DESTROYABLE
gates after the R/W session check so the previously-returned
CKR_SESSION_READ_ONLY is preserved for read-only sessions.

Tests: new test_copy_object_not_copyable, test_destroy_object_not_-
destroyable, test_derive_key_not_allowed, test_mlkem_encap_decap_-
not_permitted, test_op_active_after_data_len_range, test_op_active_-
after_update_data_len_range, test_op_active_after_sign_verify_-
update_failure, test_op_active_after_digest_key_failure, and
WOLFPKCS11_NO_STORE-gated test_op_active_after_digest_key_no_store
in pkcs11test/pkcs11v3test, plus a new tests/so_login_uninit_test
binary that walks C_Login(CKU_SO, ...) on a fresh uninitialized
token. test_copy_object_not_copyable and test_destroy_object_not_-
destroyable also assert that the FALSE->TRUE flip is rejected.
Several existing helpers (get_generic_key, get_ecc_priv_key,
get_aes_128_key, gen_aes_key, the HKDF and ML-KEM templates) now
set CKA_DERIVE=CK_TRUE explicitly so they survive the new gate.

README.md documents the new WOLFPKCS11_LEGACY_COPYABLE_FALSE_DEFAULT
build define and the spec-compliance behavior changes that callers
upgrading from earlier versions need to be aware of.

Author: LinuxJedi

README.md

@@ -97,6 +97,38 @@ See wolfpkcs11/store.h for prototypes of functions to implement.
 
 Sets the private key's label against the public key when generating key pairs.
 
+#### Define WOLFPKCS11_LEGACY_COPYABLE_FALSE_DEFAULT
+
+Restores the pre-fix behavior where an unset `CKA_COPYABLE` attribute reads as
+`CK_FALSE`. The default (without this flag) is `CK_TRUE`, matching the PKCS#11
+specification. Define this only if your application or stored tokens depend on
+the old read-back behavior. The `C_CopyObject` enforcement consults the stored
+copyable flag directly, so this macro does not change which objects can be
+copied; it only affects what `C_GetAttributeValue` reports for objects whose
+`CKA_COPYABLE` was never explicitly set.
+
+### Behavior changes for PKCS#11 spec compliance
+
+Several pre-existing gaps were closed; applications upgrading from earlier
+versions may need to update templates or error-handling:
+
+- `C_DeriveKey` now enforces `CKA_DERIVE` on the base key. Keys that do not
+  set `CKA_DERIVE=CK_TRUE` at creation are rejected with
+  `CKR_KEY_TYPE_INCONSISTENT`. RSA, EC, and ML-DSA private keys default
+  `CKA_DERIVE` to `CK_FALSE`, so applications doing ECDH or other key
+  derivation must now set `CKA_DERIVE=CK_TRUE` explicitly in the key
+  template.
+- `C_CopyObject` enforces `CKA_COPYABLE` (returns `CKR_ACTION_PROHIBITED`
+  on `CK_FALSE`).
+- `C_DestroyObject` enforces `CKA_DESTROYABLE` (returns
+  `CKR_ACTION_PROHIBITED` on `CK_FALSE`).
+- `C_EncapsulateKey`/`C_DecapsulateKey` enforce `CKA_ENCAPSULATE` /
+  `CKA_DECAPSULATE` and return `CKR_KEY_FUNCTION_NOT_PERMITTED` when the
+  flag is `CK_FALSE`.
+- `C_SetAttributeValue` rejects flipping `CKA_COPYABLE` or
+  `CKA_DESTROYABLE` from `CK_FALSE` back to `CK_TRUE`, returning
+  `CKR_ATTRIBUTE_READ_ONLY` per spec section 4.4.1.
+
 #### Analog Devices, Inc. MAXQ10xx Secure Elements ([MAXQ1065](https://www.analog.com/en/products/maxq1065.html)/MAXQ1080)
 
 Support has been added to use the MAXQ10xx hardware for cryptographic operations

src/crypto.c

@@ -7012,10 +7012,12 @@ int WP11_Slot_CheckSOPin(WP11_Slot* slot, char* pin, int pinLen)
 
     if (token->state != WP11_TOKEN_STATE_INITIALIZED)
         ret = PIN_NOT_SET_E;
-    /* NSS PK11_InitPin tries to login with an empty pin before setting the pin.
-     * This is effectively a public access, so should be OK.
+    /* Reject any PIN check (including the NSS empty-PIN public probe) when
+     * the SO PIN has not been set; otherwise an empty PIN would
+     * constant-compare equal to the unset zero-length stored PIN and grant
+     * SO authentication.
      */
-    if (!(token->tokenFlags & WP11_TOKEN_FLAG_SO_PIN_SET) && pinLen > 0)
+    if (!(token->tokenFlags & WP11_TOKEN_FLAG_SO_PIN_SET))
         ret = PIN_NOT_SET_E;
 
     if (ret == 0) {
@@ -8941,6 +8943,32 @@ CK_OBJECT_CLASS WP11_Object_GetClass(WP11_Object* object)
     return object->objClass;
 }
 
+/**
+ * Check whether the object is copyable.
+ *
+ * Reads the underlying WP11_FLAG_NOT_COPYABLE bit directly so the result is
+ * not affected by the WOLFPKCS11_LEGACY_COPYABLE_FALSE_DEFAULT macro that
+ * controls the C_GetAttributeValue view.
+ *
+ * @param  object  [in]  Object object.
+ * @return  1 when copyable, 0 when not.
+ */
+int WP11_Object_IsCopyable(WP11_Object* object)
+{
+    return (object->opFlag & WP11_FLAG_NOT_COPYABLE) == 0;
+}
+
+/**
+ * Check whether the object is destroyable.
+ *
+ * @param  object  [in]  Object object.
+ * @return  1 when destroyable, 0 when not.
+ */
+int WP11_Object_IsDestroyable(WP11_Object* object)
+{
+    return (object->opFlag & WP11_FLAG_NOT_DESTROYABLE) == 0;
+}
+
 #if !defined(NO_RSA) || defined(HAVE_ECC)
 /**
  * Set the multi-precision integer from the data.
@@ -10866,10 +10894,16 @@ int WP11_Object_GetAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type, byte* data,
             ret = GetOpFlagBool(object->opFlag, WP11_FLAG_TRUSTED, data, len);
             break;
         case CKA_COPYABLE:
+#ifdef WOLFPKCS11_LEGACY_COPYABLE_FALSE_DEFAULT
             ret = GetBool(CK_FALSE, data, len);
+#else
+            ret = GetBool(
+                !(object->opFlag & WP11_FLAG_NOT_COPYABLE), data, len);
+#endif
             break;
         case CKA_DESTROYABLE:
-            ret = GetBool(CK_TRUE, data, len);
+            ret = GetBool(
+                !(object->opFlag & WP11_FLAG_NOT_DESTROYABLE), data, len);
             break;
         case CKA_APPLICATION:
             if (object->objClass == CKO_DATA) {
@@ -11220,6 +11254,15 @@ int WP11_Object_SetAttr(WP11_Object* object, CK_ATTRIBUTE_TYPE type, byte* data,
         case CKA_DERIVE:
             WP11_Object_SetOpFlag(object, WP11_FLAG_DERIVE, *(CK_BBOOL*)data);
             break;
+        case CKA_COPYABLE:
+            /* Stored as the inverse: flag set when value is CK_FALSE. */
+            WP11_Object_SetOpFlag(object, WP11_FLAG_NOT_COPYABLE,
+                                  !*(CK_BBOOL*)data);
+            break;
+        case CKA_DESTROYABLE:
+            WP11_Object_SetOpFlag(object, WP11_FLAG_NOT_DESTROYABLE,
+                                  !*(CK_BBOOL*)data);
+            break;
         case CKA_ID:
             ret = WP11_Object_SetKeyId(object, data, (int)len);
             break;

src/internal.c

@@ -41,6 +41,11 @@ noinst_PROGRAMS += tests/empty_pin_store_test
 tests_empty_pin_store_test_SOURCES = tests/empty_pin_store_test.c
 tests_empty_pin_store_test_LDADD =
 
+check_PROGRAMS += tests/so_login_uninit_test
+noinst_PROGRAMS += tests/so_login_uninit_test
+tests_so_login_uninit_test_SOURCES = tests/so_login_uninit_test.c
+tests_so_login_uninit_test_LDADD =
+
 check_PROGRAMS += tests/find_objects_null_template_test
 noinst_PROGRAMS += tests/find_objects_null_template_test
 tests_find_objects_null_template_test_SOURCES = tests/find_objects_null_template_test.c
@@ -90,6 +95,7 @@ tests_rsa_session_persistence_test_LDADD += src/libwolfpkcs11.la
 tests_debug_test_LDADD += src/libwolfpkcs11.la
 tests_object_id_uniqueness_test_LDADD += src/libwolfpkcs11.la
 tests_empty_pin_store_test_LDADD += src/libwolfpkcs11.la
+tests_so_login_uninit_test_LDADD += src/libwolfpkcs11.la
 tests_find_objects_null_template_test_LDADD += src/libwolfpkcs11.la
 tests_aes_cbc_pad_padding_test_LDADD += src/libwolfpkcs11.la
 tests_ecb_check_value_error_test_LDADD += src/libwolfpkcs11.la
@@ -101,6 +107,7 @@ tests_rsa_exponent_test_LDADD += src/libwolfpkcs11.la
 else
 tests_object_id_uniqueness_test_LDADD += src/libwolfpkcs11.la
 tests_empty_pin_store_test_LDADD += src/libwolfpkcs11.la
+tests_so_login_uninit_test_LDADD += src/libwolfpkcs11.la
 tests_find_objects_null_template_test_LDADD += src/libwolfpkcs11.la
 tests_aes_cbc_pad_padding_test_LDADD += src/libwolfpkcs11.la
 tests_ecb_check_value_error_test_LDADD += src/libwolfpkcs11.la

tests/include.am

@@ -805,6 +805,7 @@ static CK_RV get_generic_key(CK_SESSION_HANDLE session, unsigned char* data,
         { CKA_SENSITIVE,         &sensitive,         sizeof(CK_BBOOL)          },
         { CKA_SIGN,              &ckTrue,           sizeof(ckTrue)            },
         { CKA_VERIFY,            &ckTrue,           sizeof(ckTrue)            },
+        { CKA_DERIVE,            &ckTrue,           sizeof(ckTrue)            },
         { CKA_VALUE,             data,              len                       },
     };
     int cnt = sizeof(generic_key)/sizeof(*generic_key);
@@ -3434,6 +3435,7 @@ static CK_OBJECT_HANDLE get_ecc_priv_key(CK_SESSION_HANDLE session,
         { CKA_EXTRACTABLE,       &extractable,      sizeof(CK_BBOOL)          },
         { CKA_SENSITIVE,         &sensitive,         sizeof(CK_BBOOL)          },
         { CKA_VERIFY,            &ckTrue,           sizeof(ckTrue)            },
+        { CKA_DERIVE,            &ckTrue,           sizeof(ckTrue)            },
         { CKA_EC_PARAMS,         ecc_p256_params,   sizeof(ecc_p256_params)   },
         { CKA_VALUE,             ecc_p256_priv,     sizeof(ecc_p256_priv)     },
     };