66 changes: 39 additions & 27 deletions src/wh_server_crypto.c
Expand Up @@ -451,7 +451,7 @@ static int _HandleRsaFunction( whServerContext* ctx, uint16_t magic,
}
}
if (ret != WH_ERROR_OK) {
return ret;
goto cleanup;
}
}
}
Expand All @@ -472,6 +472,7 @@ static int _HandleRsaFunction( whServerContext* ctx, uint16_t magic,
/* free the key */
wc_FreeRsaKey(rsa);
}
cleanup:
if (evict != 0) {
/* User requested to evict from cache, even if the call failed */
(void)wh_Server_KeystoreEvictKey(ctx, key_id);
Expand Down Expand Up @@ -930,7 +931,7 @@ static int _HandleEccSharedSecret(whServerContext* ctx, uint16_t magic,
ret = wh_Server_KeystoreFindEnforceKeyUsage(ctx, prv_key_id,
WH_NVM_FLAGS_USAGE_DERIVE);
if (ret != WH_ERROR_OK) {
return ret;
goto cleanup;
}
}

Expand Down Expand Up @@ -965,6 +966,7 @@ static int _HandleEccSharedSecret(whServerContext* ctx, uint16_t magic,
}
wc_ecc_free(pub_key);
}
cleanup:
if (evict_pub) {
/* User requested to evict from cache, even if the call failed */
(void)wh_Server_KeystoreEvictKey(ctx, pub_key_id);
Expand Down Expand Up @@ -1026,7 +1028,7 @@ static int _HandleEccSign(whServerContext* ctx, uint16_t magic,
ret = wh_Server_KeystoreFindEnforceKeyUsage(ctx, key_id,
WH_NVM_FLAGS_USAGE_SIGN);
if (ret != WH_ERROR_OK) {
return ret;
goto cleanup;
}
}

Expand All @@ -1053,6 +1055,7 @@ static int _HandleEccSign(whServerContext* ctx, uint16_t magic,
}
wc_ecc_free(key);
}
cleanup:
if (evict != 0) {
/* typecasting to void so that not overwrite ret */
(void)wh_Server_KeystoreEvictKey(ctx, key_id);
Expand Down Expand Up @@ -1120,7 +1123,7 @@ static int _HandleEccVerify(whServerContext* ctx, uint16_t magic,
ret = wh_Server_KeystoreFindEnforceKeyUsage(ctx, key_id,
WH_NVM_FLAGS_USAGE_VERIFY);
if (ret != WH_ERROR_OK) {
return ret;
goto cleanup;
}
}

Expand Down Expand Up @@ -1162,6 +1165,8 @@ static int _HandleEccVerify(whServerContext* ctx, uint16_t magic,
}
wc_ecc_free(key);
}

cleanup:
if (evict != 0) {
/* User requested to evict from cache, even if the call failed */
(void)wh_Server_KeystoreEvictKey(ctx, key_id);
Expand Down Expand Up @@ -1759,7 +1764,7 @@ static int _HandleCurve25519SharedSecret(whServerContext* ctx, uint16_t magic,
ret = wh_Server_KeystoreFindEnforceKeyUsage(ctx, prv_key_id,
WH_NVM_FLAGS_USAGE_DERIVE);
if (ret != WH_ERROR_OK) {
return ret;
goto cleanup;
}
}

Expand Down Expand Up @@ -1796,6 +1801,7 @@ static int _HandleCurve25519SharedSecret(whServerContext* ctx, uint16_t magic,
}
wc_curve25519_free(priv);
}
cleanup:
if (evict_pub) {
/* User requested to evict from cache, even if the call failed */
(void)wh_Server_KeystoreEvictKey(ctx, pub_key_id);
Expand Down Expand Up @@ -1943,7 +1949,7 @@ static int _HandleEd25519Sign(whServerContext* ctx, uint16_t magic,
ret = wh_Server_KeystoreFindEnforceKeyUsage(ctx, key_id,
WH_NVM_FLAGS_USAGE_SIGN);
if (ret != WH_ERROR_OK) {
return ret;
goto cleanup;
}
}

Expand All @@ -1970,6 +1976,7 @@ static int _HandleEd25519Sign(whServerContext* ctx, uint16_t magic,
memcpy(res_sig, sig, sig_len);
}

cleanup:
if (evict) {
/* User requested to evict from cache, even if the call failed */
(void)wh_Server_KeystoreEvictKey(ctx, key_id);
Expand Down Expand Up @@ -2043,7 +2050,7 @@ static int _HandleEd25519Verify(whServerContext* ctx, uint16_t magic,
ret = wh_Server_KeystoreFindEnforceKeyUsage(ctx, key_id,
WH_NVM_FLAGS_USAGE_VERIFY);
if (ret != WH_ERROR_OK) {
return ret;
goto cleanup;
}
}

Expand All @@ -2060,6 +2067,7 @@ static int _HandleEd25519Verify(whServerContext* ctx, uint16_t magic,
wc_ed25519_free(key);
}

cleanup:
if (evict != 0) {
(void)wh_Server_KeystoreEvictKey(ctx, key_id);
}
Expand Down Expand Up @@ -2121,7 +2129,7 @@ static int _HandleEd25519SignDma(whServerContext* ctx, uint16_t magic,
ret = wh_Server_KeystoreFindEnforceKeyUsage(ctx, key_id,
WH_NVM_FLAGS_USAGE_SIGN);
if (ret != WH_ERROR_OK) {
return ret;
goto cleanup;
}
}

Expand Down Expand Up @@ -2168,6 +2176,7 @@ static int _HandleEd25519SignDma(whServerContext* ctx, uint16_t magic,
ctx, (uintptr_t)req.msg.addr, &msgAddr, req.msg.sz,
WH_DMA_OPER_CLIENT_READ_POST, (whServerDmaFlags){0});

cleanup:
if (evict != 0) {
(void)wh_Server_KeystoreEvictKey(ctx, key_id);
}
Expand Down Expand Up @@ -2227,7 +2236,7 @@ static int _HandleEd25519VerifyDma(whServerContext* ctx, uint16_t magic,
ret = wh_Server_KeystoreFindEnforceKeyUsage(ctx, key_id,
WH_NVM_FLAGS_USAGE_VERIFY);
if (ret != WH_ERROR_OK) {
return ret;
goto cleanup;
}
}

Expand Down Expand Up @@ -2272,6 +2281,7 @@ static int _HandleEd25519VerifyDma(whServerContext* ctx, uint16_t magic,
ctx, (uintptr_t)req.sig.addr, &sigAddr, req.sig.sz,
WH_DMA_OPER_CLIENT_READ_POST, (whServerDmaFlags){0});

cleanup:
if (evict != 0) {
(void)wh_Server_KeystoreEvictKey(ctx, key_id);
}
Expand Down Expand Up @@ -2974,7 +2984,7 @@ static int _HandleAesGcmDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
* outKey must be at least AES_MAX_KEY_SIZE bytes. */
static int _CmacResolveKey(whServerContext* ctx, const uint8_t* requestKey,
uint32_t requestKeySz, whKeyId clientKeyId,
uint8_t* outKey, word32* outKeyLen)
uint8_t* outKey, uint32_t* outKeyLen)
{
int ret = WH_ERROR_OK;

Expand Down Expand Up @@ -3052,7 +3062,6 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
return WH_ERROR_BADARGS;
}

word32 len;

/* Setup fixed size fields */
uint8_t* in =
Expand All @@ -3064,20 +3073,21 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,
memset(&res, 0, sizeof(res));

uint8_t tmpKey[AES_MAX_KEY_SIZE];
word32 tmpKeyLen = sizeof(tmpKey);
uint32_t tmpKeyLen = sizeof(tmpKey);
Cmac cmac[1];

/* Resolve the key to use */
ret = _CmacResolveKey(ctx, key, req.keySz, req.keyId, tmpKey, &tmpKeyLen);

/* Oneshot: input and output are both present */
if (ret == 0 && req.inSz != 0 && req.outSz != 0) {
len = req.outSz;
word32 len = (word32)req.outSz;

WH_DEBUG_SERVER_VERBOSE("cmac generate oneshot\n");

ret = wc_AesCmacGenerate_ex(cmac, out, &len, in, req.inSz, tmpKey,
tmpKeyLen, NULL, ctx->crypto->devId);
ret =
wc_AesCmacGenerate_ex(cmac, out, &len, in, req.inSz, tmpKey,
(word32)tmpKeyLen, NULL, ctx->crypto->devId);

if (ret == 0) {
res.outSz = len;
Expand Down Expand Up @@ -3113,10 +3123,10 @@ static int _HandleCmac(whServerContext* ctx, uint16_t magic, uint16_t seq,

if (ret == 0 && req.outSz != 0) {
/* Finalize CMAC operation */
len = req.outSz;
word32 len = (word32)req.outSz;
WH_DEBUG_SERVER_VERBOSE("cmac final len:%d\n", len);
ret = wc_CmacFinal(cmac, out, &len);
res.outSz = len;
res.outSz = (uint32_t)len;
res.keyId = WH_KEYID_ERASED;
}
else if (ret == 0) {
Expand Down Expand Up @@ -3642,7 +3652,7 @@ static int _HandleMlDsaSign(whServerContext* ctx, uint16_t magic,
ret = wh_Server_KeystoreFindEnforceKeyUsage(ctx, key_id,
WH_NVM_FLAGS_USAGE_SIGN);
if (ret != WH_ERROR_OK) {
return ret;
goto cleanup;
}
}

Expand Down Expand Up @@ -3675,6 +3685,7 @@ static int _HandleMlDsaSign(whServerContext* ctx, uint16_t magic,
}
wc_MlDsaKey_Free(key);
}
cleanup:
if (evict != 0) {
/* User requested to evict from cache, even if the call failed */
(void)wh_Server_KeystoreEvictKey(ctx, key_id);
Expand Down Expand Up @@ -3726,13 +3737,14 @@ static int _HandleMlDsaVerify(whServerContext* ctx, uint16_t magic,
uint32_t sig_len = req.sigSz;
byte* req_sig =
(uint8_t*)(cryptoDataIn) + sizeof(whMessageCrypto_MlDsaVerifyRequest);
int evict = !!(options & WH_MESSAGE_CRYPTO_MLDSA_VERIFY_OPTIONS_EVICT);

/* Validate key usage policy for verification */
if (!WH_KEYID_ISERASED(key_id)) {
ret = wh_Server_KeystoreFindEnforceKeyUsage(ctx, key_id,
WH_NVM_FLAGS_USAGE_VERIFY);
if (ret != WH_ERROR_OK) {
return ret;
goto cleanup;
}
}

Expand All @@ -3746,8 +3758,7 @@ static int _HandleMlDsaVerify(whServerContext* ctx, uint16_t magic,
return WH_ERROR_BADARGS;
}

byte* req_hash = req_sig + sig_len;
int evict = !!(options & WH_MESSAGE_CRYPTO_MLDSA_VERIFY_OPTIONS_EVICT);
byte* req_hash = req_sig + sig_len;

/* Response message */
int result = 0;
Expand All @@ -3764,6 +3775,7 @@ static int _HandleMlDsaVerify(whServerContext* ctx, uint16_t magic,
}
wc_MlDsaKey_Free(key);
}
cleanup:
if (evict != 0) {
/* User requested to evict from cache, even if the call failed */
(void)wh_Server_KeystoreEvictKey(ctx, key_id);
Expand Down Expand Up @@ -5111,7 +5123,7 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
void* inAddr = NULL;

uint8_t tmpKey[AES_MAX_KEY_SIZE];
word32 tmpKeyLen = sizeof(tmpKey);
uint32_t tmpKeyLen = sizeof(tmpKey);
Cmac cmac[1];

/* Attempt oneshot if input and output are both present */
Expand All @@ -5137,16 +5149,16 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,
WH_DEBUG_SERVER_VERBOSE("dma cmac generate oneshot\n");

ret = wc_AesCmacGenerate_ex(cmac, out, &len, inAddr, req.input.sz,
tmpKey, tmpKeyLen, NULL,
tmpKey, (word32)tmpKeyLen, NULL,
ctx->crypto->devId);
}
else if (ret == WH_ERROR_OK) {
/* HSM-local key via keyId - init then generate */
WH_DEBUG_SERVER_VERBOSE("dma cmac generate oneshot with keyId:%x\n",
req.keyId);

ret = wc_InitCmac_ex(cmac, tmpKey, tmpKeyLen, WC_CMAC_AES, NULL,
NULL, ctx->crypto->devId);
ret = wc_InitCmac_ex(cmac, tmpKey, (word32)tmpKeyLen, WC_CMAC_AES,
NULL, NULL, ctx->crypto->devId);

if (ret == WH_ERROR_OK) {
ret =
Expand All @@ -5171,8 +5183,8 @@ static int _HandleCmacDma(whServerContext* ctx, uint16_t magic, uint16_t seq,

/* Initialize CMAC context with key (re-derives k1/k2 subkeys) */
if (ret == 0) {
ret = wc_InitCmac_ex(cmac, tmpKey, tmpKeyLen, WC_CMAC_AES, NULL,
NULL, ctx->crypto->devId);
ret = wc_InitCmac_ex(cmac, tmpKey, (word32)tmpKeyLen, WC_CMAC_AES,
NULL, NULL, ctx->crypto->devId);
WH_DEBUG_SERVER_VERBOSE("dma cmac init with keylen:%d ret:%d\n",
tmpKeyLen, ret);
}
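Review bot: In `_HandleMlDsaVerify`, the `return WH_ERROR_BADARGS;` left at new line 3758 sits between the key-usage check and the new `cleanup:` label, so that path still skips the eviction the client requested and the key stays cached after a rejected request. Since `evict` is now computed before the policy check, that return can become `ret = WH_ERROR_BADARGS; goto cleanup;` to match the evict-on-failure behaviour of the policy path; the condition guarding it is outside the visible hunks. The new `goto cleanup` also jumps over the initialisers of `req_hash` and `result`, so whatever follows the label (not shown) should not read them when `ret != WH_ERROR_OK`. Validation returns ahead of `cleanup:` in the other handlers are not visible here and are worth the same check.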
25 changes: 13 additions & 12 deletions src/wh_server_she.c
Expand Up @@ -459,7 +459,7 @@ static int _LoadKey(whServerContext* server, uint16_t magic, uint16_t req_size,
whNvmMetadata meta[1] = {0};
uint32_t she_meta_count = 0;
uint32_t she_meta_flags = 0;
uint32_t* msg_counter_BE;
uint32_t msg_counter_val;

whMessageShe_LoadKeyRequest req = {0};
whMessageShe_LoadKeyResponse resp = {0};
Expand Down Expand Up @@ -561,18 +561,18 @@ static int _LoadKey(whServerContext* server, uint16_t magic, uint16_t req_size,
sizeof(server->she->uid)) != 0) {
ret = WH_SHE_ERC_KEY_UPDATE_ERROR;
}
/* verify msg_counter_BE is greater than stored value */
msg_counter_BE = (uint32_t*)req.messageTwo;
/* verify msg_counter_val is greater than stored value */
memcpy(&msg_counter_val, req.messageTwo, sizeof(uint32_t));
if (ret == 0 && keyRet != WH_ERROR_NOTFOUND &&
wh_Utils_ntohl(*msg_counter_BE) >> 4 <= she_meta_count) {
wh_Utils_ntohl(msg_counter_val) >> 4 <= she_meta_count) {
ret = WH_SHE_ERC_KEY_UPDATE_ERROR;
}
/* write key with msg_counter_BE */
if (ret == 0) {
meta->id = WH_MAKE_KEYID(WH_KEYTYPE_SHE, server->comm->client_id,
_PopId(req.messageOne));
she_meta_flags = _PopFlags(req.messageTwo);
she_meta_count = wh_Utils_ntohl(*msg_counter_BE) >> 4;
she_meta_count = wh_Utils_ntohl(msg_counter_val) >> 4;
/* Update the meta label with new values */
wh_She_Meta2Label(she_meta_count, she_meta_flags, meta->label);
meta->len = WH_SHE_KEY_SZ;
Expand Down Expand Up @@ -619,8 +619,8 @@ static int _LoadKey(whServerContext* server, uint16_t magic, uint16_t req_size,
}
if (ret == 0) {
/* Prepare counter in separate buffer */
msg_counter_BE = (uint32_t*)counter_buffer;
*msg_counter_BE = wh_Utils_htonl(she_meta_count << 4);
msg_counter_val = wh_Utils_htonl(she_meta_count << 4);
memcpy(counter_buffer, &msg_counter_val, sizeof(uint32_t));
counter_buffer[3] |= 0x08;

/* First copy UID into messageFour */
Expand Down Expand Up @@ -714,7 +714,7 @@ static int _ExportRamKey(whServerContext* server, uint16_t magic,
uint8_t cmacOutput[AES_BLOCK_SIZE];
uint8_t tmpKey[WH_SHE_KEY_SZ];
whNvmMetadata meta[1];
uint32_t* counter;
uint32_t counter_val;
whMessageShe_ExportRamKeyResponse resp;

/* check if ram key was loaded by CMD_LOAD_PLAIN_KEY */
Expand Down Expand Up @@ -750,8 +750,8 @@ static int _ExportRamKey(whServerContext* server, uint16_t magic,
/* set the counter, flags and ram key */
memset(resp.messageTwo, 0, sizeof(resp.messageTwo));
/* set count to 1 */
counter = (uint32_t*)resp.messageTwo;
*counter = (wh_Utils_htonl(1) << 4);
counter_val = (wh_Utils_htonl(1) << 4);
memcpy(resp.messageTwo, &counter_val, sizeof(uint32_t));
keySz = WH_SHE_KEY_SZ;
ret = wh_Server_KeystoreReadKey(
server,
Expand Down Expand Up @@ -821,8 +821,9 @@ static int _ExportRamKey(whServerContext* server, uint16_t magic,
if (ret == 0) {
memset(resp.messageFour, 0, sizeof(resp.messageFour));
/* set counter to 1, pad with 1 bit */
counter = (uint32_t*)(resp.messageFour + WH_SHE_KEY_SZ);
*counter = (wh_Utils_htonl(1) << 4);
counter_val = (wh_Utils_htonl(1) << 4);
memcpy(resp.messageFour + WH_SHE_KEY_SZ, &counter_val,
sizeof(uint32_t));
resp.messageFour[WH_SHE_KEY_SZ + 3] |= 0x08;
/* encrypt the new counter */
ret = wc_AesEncryptDirect(server->she->sheAes,
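Review bot: In `_ExportRamKey` both new assignments keep the old operand order, `counter_val = (wh_Utils_htonl(1) << 4);`, which shifts after the byte swap; it yields the intended bytes only because `1 << 4` stays inside one byte, and a larger counter would produce wrong bytes on a little-endian host. `_LoadKey` in the same file shifts first (`wh_Utils_htonl(she_meta_count << 4)`), so `counter_val = wh_Utils_htonl(1u << 4);` would make the two sites agree and stay correct if the constant ever changes. Separately, the comment `/* write key with msg_counter_BE */` in `_LoadKey` still names the removed pointer and could read `/* write key with the counter from messageTwo */`. Both functions extend beyond the visible hunks.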