reset ret after CRYPTOCB_UNAVAILABLE fall-through in _InitCmac_common, add test_RsaInit_Pub/test_RsaNew_Pub helpers for keypub, re-add (void)heap, reject oversized CMAC id.

night1rider · night1rider · commit 24c40b543b18 · 2026-04-10T13:19:01.000-06:00
diff --git a/wolfcrypt/src/cmac.c b/wolfcrypt/src/cmac.c
@@ -128,9 +128,10 @@ static int _InitCmac_common(Cmac* cmac, const byte* key, word32 keySz,
      * inspect them to determine the hardware key slot. */
 #ifdef WOLF_PRIVATE_KEY_ID
     cmac->aesInitType = aesInitType;
-    if (aesInitType == CMAC_AES_INIT_ID && id != NULL &&
-            idLen > 0 &&
-            idLen <= (int)sizeof(cmac->id)) {
+    if (aesInitType == CMAC_AES_INIT_ID && id != NULL && idLen > 0) {
+        if (idLen > (int)sizeof(cmac->id)) {
+            return BAD_FUNC_ARG;
+        }
         XMEMCPY(cmac->id, id, (word32)idLen);
         cmac->idLen = idLen;
     }
@@ -161,12 +162,14 @@ static int _InitCmac_common(Cmac* cmac, const byte* key, word32 keySz,
         if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
             return ret;
         }
-        /* fall-through when unavailable, reset ret for software path */
+        /* fall-through when unavailable */
+        ret = 0;
     }
 #else
     (void)devId;
 #endif
     (void)unused;
+    (void)heap;
 
     if (key == NULL || keySz == 0) {
         return BAD_FUNC_ARG;
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -644,6 +644,17 @@ static WC_MAYBE_UNUSED int test_RsaInit(RsaKey* key, void* heap,
     return wc_InitRsaKey_ex(key, heap, declaredDevId);
 #endif
 }
+
+static WC_MAYBE_UNUSED int test_RsaInit_Pub(RsaKey* key, void* heap,
+                                             int declaredDevId)
+{
+#if defined(WOLF_PRIVATE_KEY_ID) && defined(WC_TEST_RSA_PUB_ID)
+    return wc_InitRsaKey_Id(key, testRsaPubId, testRsaPubIdLen, heap,
+                            declaredDevId);
+#else
+    return wc_InitRsaKey_ex(key, heap, declaredDevId);
+#endif
+}
 #endif /* !NO_RSA */
 
 /* --- CMAC id[] and init helper --- */
@@ -1425,6 +1436,17 @@ static WC_MAYBE_UNUSED RsaKey* test_RsaNew(void* heap, int declaredDevId,
     return wc_NewRsaKey(heap, declaredDevId, ret);
 #endif
 }
+
+static WC_MAYBE_UNUSED RsaKey* test_RsaNew_Pub(void* heap, int declaredDevId,
+                                                int* ret)
+{
+#if defined(WOLF_PRIVATE_KEY_ID) && defined(WC_TEST_RSA_PUB_ID)
+    return wc_NewRsaKey_Id(testRsaPubId, testRsaPubIdLen, heap,
+                           declaredDevId, ret);
+#else
+    return wc_NewRsaKey(heap, declaredDevId, ret);
+#endif
+}
 #endif /* !NO_RSA */
 
 #endif /* !WC_NO_CONSTRUCTORS && !HAVE_SELFTEST */
@@ -25809,7 +25831,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_test(void)
     if (key == NULL)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_rsa);
 #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN)
-    keypub = test_RsaNew(HEAP_HINT, devId, &ret);
+    keypub = test_RsaNew_Pub(HEAP_HINT, devId, &ret);
     if (keypub == NULL)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_rsa);
 #endif
@@ -25824,7 +25846,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_test(void)
     if (ret != 0)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_rsa);
 #if defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_CERT_GEN)
-    ret = test_RsaInit(keypub, HEAP_HINT, devId);
+    ret = test_RsaInit_Pub(keypub, HEAP_HINT, devId);
     if (ret != 0)
         ERROR_OUT(WC_TEST_RET_ENC_EC(ret), exit_rsa);
 #endif
