narrow ecc_size/sig_size guards to SETKEY||EXPORT_KEY, update _WC_PK_TYPE_MAX, const-qualify export_key.obj, call _ecc_import_x963_ex2 directly, fix GetSetKeyTypeStr, fix NULL deref in wc_RsaPrivateKeyDecode with WOLF_CRYPTO_CB_FIND, add FIND CI config.

night1rider · night1rider · commit a99a72029c63 · 2026-04-14T16:21:50.000-06:00
diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml
@@ -68,6 +68,7 @@ jobs:
           '--enable-cryptocb --enable-keygen --enable-cryptocbutils=export',
           '--enable-cryptocb --enable-keygen CPPFLAGS="-DWOLF_CRYPTO_CB_EXPORT_KEY"',
           '--enable-cryptocb --enable-keygen --enable-aesgcm --enable-cryptocbutils=setkey,free,export CPPFLAGS="-DWOLF_CRYPTO_CB_AES_SETKEY"',
+          '--enable-cryptocb --enable-keygen --enable-cryptocbutils=setkey,export CPPFLAGS="-DWOLF_CRYPTO_CB_FIND"',
           'CPPFLAGS=-DWOLFSSL_NO_CLIENT_AUTH',
           'CPPFLAGS=''-DNO_WOLFSSL_CLIENT -DWOLFSSL_NO_CLIENT_AUTH''',
           'CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_CLIENT_AUTH''',
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -8304,7 +8304,7 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
     WC_DECLARE_VAR(tmpKey, RsaKey, 1, NULL);
 #endif
 
-    if (key == NULL) {
+    if (key == NULL || input == NULL || inOutIdx == NULL) {
         return BAD_FUNC_ARG;
     }
 
diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c
@@ -118,14 +118,16 @@ static const char* GetAlgoTypeStr(int algo)
 static const char* GetSetKeyTypeStr(int type)
 {
     switch (type) {
+        case WC_SETKEY_NONE:      return "None";
         case WC_SETKEY_HMAC:      return "HMAC";
         case WC_SETKEY_RSA_PUB:   return "RSA-Pub";
         case WC_SETKEY_RSA_PRIV:  return "RSA-Priv";
         case WC_SETKEY_ECC_PUB:   return "ECC-Pub";
         case WC_SETKEY_ECC_PRIV:  return "ECC-Priv";
         case WC_SETKEY_AES:       return "AES";
+        default:                  break;
     }
-    return "Unknown";
+    return NULL;
 }
 #endif /* WOLF_CRYPTO_CB_SETKEY */
 static const char* GetPkTypeStr(int pk)
@@ -2301,7 +2303,7 @@ int wc_CryptoCb_SetKey(int devId, int type, void* obj,
  * uses normal software export functions on 'out' and frees it.
  * Returns: 0 on success, CRYPTOCB_UNAVAILABLE if not handled, negative on error
  */
-int wc_CryptoCb_ExportKey(int devId, int type, void* obj, void* out)
+int wc_CryptoCb_ExportKey(int devId, int type, const void* obj, void* out)
 {
     int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE);
     CryptoCb* dev;
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
@@ -9989,7 +9989,7 @@ int wc_ecc_export_x963(ecc_key* key, byte* out, word32* outLen)
         }
 
         ret = wc_CryptoCb_ExportKey(key->devId, WC_PK_TYPE_ECDSA_SIGN,
-                                     (void*)key, tmpKey);
+                                     key, tmpKey);
         if (ret == 0) {
             /* Call software helper (no callback recursion) */
             ret = _ecc_export_x963(tmpKey, out, outLen);
@@ -11345,7 +11345,7 @@ int wc_ecc_export_ex(ecc_key* key, byte* qx, word32* qxLen,
         }
 
         err = wc_CryptoCb_ExportKey(key->devId, WC_PK_TYPE_ECDSA_SIGN,
-                                     (void*)key, tmpKey);
+                                     key, tmpKey);
         if (err == 0) {
             /* Call software helper (no callback recursion) */
             err = _ecc_export_ex(tmpKey, qx, qxLen, qy, qyLen, d, dLen,
@@ -11431,7 +11431,7 @@ static int _ecc_import_private_key_ex(const byte* priv, word32 privSz,
     if (pub != NULL) {
     #ifndef NO_ASN
         word32 idx = 0;
-        ret = wc_ecc_import_x963_ex(pub, pubSz, key, curve_id);
+        ret = _ecc_import_x963_ex2(pub, pubSz, key, curve_id, 0);
         if (ret < 0)
             ret = wc_EccPublicKeyDecode(pub, &idx, key, pubSz);
         key->type = ECC_PRIVATEKEY;
@@ -12269,7 +12269,8 @@ int wc_ecc_size(ecc_key* key)
         return 0;
     }
 
-#ifdef WOLF_CRYPTO_CB
+#if defined(WOLF_CRYPTO_CB) && \
+    (defined(WOLF_CRYPTO_CB_SETKEY) || defined(WOLF_CRYPTO_CB_EXPORT_KEY))
     if (key->devId != INVALID_DEVID) {
         int ret;
         int keySz = 0;
@@ -12320,7 +12321,8 @@ int wc_ecc_sig_size(const ecc_key* key)
         return 0;
     }
 
-#ifdef WOLF_CRYPTO_CB
+#if defined(WOLF_CRYPTO_CB) && \
+    (defined(WOLF_CRYPTO_CB_SETKEY) || defined(WOLF_CRYPTO_CB_EXPORT_KEY))
     if (key->devId != INVALID_DEVID) {
         int ret;
         int cbKeySz = 0;
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
@@ -4596,7 +4596,7 @@ int wc_RsaFlattenPublicKey(const RsaKey* key, byte* e, word32* eSz, byte* n,
         }
 
         ret = wc_CryptoCb_ExportKey(key->devId, WC_PK_TYPE_RSA,
-                                     (void*)key, tmpKey);
+                                     key, tmpKey);
         if (ret == 0) {
             /* Call software helper (no callback recursion) */
             ret = _RsaFlattenPublicKey(tmpKey, e, eSz, n, nSz);
@@ -4719,7 +4719,7 @@ int wc_RsaExportKey(const RsaKey* key,
             }
 
             ret = wc_CryptoCb_ExportKey(key->devId, WC_PK_TYPE_RSA,
-                                         (void*)key, tmpKey);
+                                         key, tmpKey);
             if (ret == 0) {
                 /* Call software helper (no callback recursion) */
                 ret = _RsaExportKey(tmpKey, e, eSz, n, nSz,
diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h
@@ -526,7 +526,7 @@ typedef struct wc_CryptoInfo {
 #ifdef WOLF_CRYPTO_CB_EXPORT_KEY
     struct {                    /* uses wc_AlgoType=WC_ALGO_TYPE_EXPORT_KEY */
         int type;               /* enum wc_PkType (WC_PK_TYPE_RSA, etc.) */
-        void* obj;              /* Hardware key (has devCtx/id[]) */
+        const void* obj;        /* Hardware key (has devCtx/id[]) */
         void* out;              /* Software key to fill (same type as obj) */
     } export_key;
 #endif /* WOLF_CRYPTO_CB_EXPORT_KEY */
@@ -821,7 +821,7 @@ WOLFSSL_LOCAL int wc_CryptoCb_SetKey(int devId, int type, void* obj,
 #endif /* WOLF_CRYPTO_CB_SETKEY */
 #ifdef WOLF_CRYPTO_CB_EXPORT_KEY
 WOLFSSL_LOCAL int wc_CryptoCb_ExportKey(int devId, int type,
-                                         void* obj, void* out);
+                                         const void* obj, void* out);
 #endif /* WOLF_CRYPTO_CB_EXPORT_KEY */
 
 #endif /* WOLF_CRYPTO_CB */
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
@@ -1570,6 +1570,8 @@ enum wc_PkType {
     WC_PK_TYPE_RSA_OAEP = 27,
     WC_PK_TYPE_EC_GET_SIZE = 28,
     WC_PK_TYPE_EC_GET_SIG_SIZE = 29,
+    #undef _WC_PK_TYPE_MAX
+    #define _WC_PK_TYPE_MAX WC_PK_TYPE_EC_GET_SIG_SIZE
     WC_PK_TYPE_MAX = _WC_PK_TYPE_MAX
 };
 

Original file line number	Diff line number	Diff line change
`@@ -8304,7 +8304,7 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,`
`8304`	`8304`	`WC_DECLARE_VAR(tmpKey, RsaKey, 1, NULL);`
`8305`	`8305`	`#endif`
`8306`	`8306`
`8307`		`- if (key == NULL) {`
	`8307`	`+ if (key == NULL \|\| input == NULL \|\| inOutIdx == NULL) {`
`8308`	`8308`	`return BAD_FUNC_ARG;`
`8309`	`8309`	`}`
`8310`	`8310`