Skip to content

Change wrap object size argument to be in/out instead of in #241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bigbrett merged 3 commits into from
Nov 14, 2025
Merged

Change wrap object size argument to be in/out instead of in #241

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1730587
Change wrap object size argument to be in/out instead of in
AlexLanzano Nov 14, 2025
c97e7be
Clarify new InOut arg on wrapping API. Add missing null check
AlexLanzano Nov 14, 2025
b240c30
Fix formatting. Remove debug print
AlexLanzano Nov 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 8 additions & 7 deletions examples/demo/client/wh_demo_client_keywrap.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ int wh_DemoClient_AesGcmKeyWrap(whClientContext* client)
WC_RNG rng[1];
uint8_t key[WH_DEMO_KEYWRAP_AES_KEYSIZE];
uint8_t exportedKey[WH_DEMO_KEYWRAP_AES_KEYSIZE];
uint16_t exportedKeySz = sizeof(exportedKey);
whNvmMetadata metadata = {
.id = WH_CLIENT_KEYID_MAKE_WRAPPED_META(
client->comm->client_id, WH_DEMO_KEYWRAP_AESGCM_WRAPKEY_ID),
Expand All @@ -88,6 +89,7 @@ int wh_DemoClient_AesGcmKeyWrap(whClientContext* client)
.len = WH_DEMO_KEYWRAP_AES_KEYSIZE};
whNvmMetadata exportedMetadata;
uint8_t wrappedKey[WH_DEMO_KEYWRAP_AES_WRAPPED_KEYSIZE];
uint16_t wrappedKeySz = sizeof(wrappedKey);
whKeyId wrappedKeyId;

const uint8_t plaintext[] = "hello, wolfSSL AES-GCM!";
Expand Down Expand Up @@ -131,9 +133,9 @@ int wh_DemoClient_AesGcmKeyWrap(whClientContext* client)

/* Now we request the server to wrap the key using the KEK we
* establish above in the first step. */
ret = wh_Client_KeyWrap(client, WC_CIPHER_AES_GCM, WH_DEMO_KEYWRAP_KEKID,
key, sizeof(key), &metadata, wrappedKey,
sizeof(wrappedKey));
ret =
wh_Client_KeyWrap(client, WC_CIPHER_AES_GCM, WH_DEMO_KEYWRAP_KEKID, key,
sizeof(key), &metadata, wrappedKey, &wrappedKeySz);
if (ret != 0) {
WOLFHSM_CFG_PRINTF("Failed to wh_Client_KeyWrap %d\n", ret);
goto cleanup_rng;
Expand Down Expand Up @@ -212,10 +214,9 @@ int wh_DemoClient_AesGcmKeyWrap(whClientContext* client)
/* Exporting a wrapped key */

/* Request the server to unwrap and export the wrapped key we created */
ret = wh_Client_KeyUnwrapAndExport(client, WC_CIPHER_AES_GCM,
WH_DEMO_KEYWRAP_KEKID, wrappedKey,
sizeof(wrappedKey), &exportedMetadata,
exportedKey, sizeof(exportedKey));
ret = wh_Client_KeyUnwrapAndExport(
client, WC_CIPHER_AES_GCM, WH_DEMO_KEYWRAP_KEKID, wrappedKey,
sizeof(wrappedKey), &exportedMetadata, exportedKey, &exportedKeySz);
if (ret != 0) {
WOLFHSM_CFG_PRINTF("Failed to wh_Client_KeyUnwrapAndCache %d\n", ret);
goto cleanup_aes;
Expand Down
76 changes: 46 additions & 30 deletions src/wh_client_keywrap.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ int wh_Client_KeyWrapRequest(whClientContext* ctx,

int wh_Client_KeyWrapResponse(whClientContext* ctx,
enum wc_CipherType cipherType,
void* wrappedKeyOut, uint16_t wrappedKeySz)
void* wrappedKeyOut, uint16_t* wrappedKeyInOutSz)
{
int ret;
uint16_t group;
Expand All @@ -59,7 +59,7 @@ int wh_Client_KeyWrapResponse(whClientContext* ctx,
whMessageKeystore_KeyWrapResponse* resp = NULL;
uint8_t* respData;

if (ctx == NULL || wrappedKeyOut == NULL) {
if (ctx == NULL || wrappedKeyOut == NULL || wrappedKeyInOutSz == NULL) {
return WH_ERROR_BADARGS;
}

Expand All @@ -77,31 +77,35 @@ int wh_Client_KeyWrapResponse(whClientContext* ctx,
}

if (group != WH_MESSAGE_GROUP_KEY || action != WH_KEY_KEYWRAP ||
size < sizeof(*resp) || size > sizeof(*resp) + wrappedKeySz ||
size < sizeof(*resp) || size > sizeof(*resp) + resp->wrappedKeySz ||
resp->cipherType != cipherType) {
return WH_ERROR_ABORTED;
}

if (resp->rc != 0) {
return resp->rc;
}
else if (resp->wrappedKeySz > *wrappedKeyInOutSz) {
return WH_ERROR_BUFFER_SIZE;
}

/* Copy the wrapped key from the response data into wrappedKeyOut */
respData = (uint8_t*)(resp + 1);
memcpy(wrappedKeyOut, respData, wrappedKeySz);
memcpy(wrappedKeyOut, respData, resp->wrappedKeySz);
*wrappedKeyInOutSz = resp->wrappedKeySz;

return WH_ERROR_OK;
}

int wh_Client_KeyWrap(whClientContext* ctx, enum wc_CipherType cipherType,
uint16_t serverKeyId, void* keyIn, uint16_t keySz,
whNvmMetadata* metadataIn, void* wrappedKeyOut,
uint16_t wrappedKeySz)
uint16_t* wrappedKeySz)
{
int ret = WH_ERROR_OK;

if (ctx == NULL || keyIn == NULL || metadataIn == NULL ||
wrappedKeyOut == NULL) {
wrappedKeyOut == NULL || wrappedKeySz == NULL) {
return WH_ERROR_BADARGS;
}

Expand Down Expand Up @@ -159,7 +163,7 @@ int wh_Client_KeyUnwrapAndExportRequest(whClientContext* ctx,
int wh_Client_KeyUnwrapAndExportResponse(whClientContext* ctx,
enum wc_CipherType cipherType,
whNvmMetadata* metadataOut,
void* keyOut, uint16_t keySz)
void* keyOut, uint16_t* keyInOutSz)
{
int ret;
uint16_t group;
Expand All @@ -168,7 +172,8 @@ int wh_Client_KeyUnwrapAndExportResponse(whClientContext* ctx,
whMessageKeystore_KeyUnwrapAndExportResponse* resp = NULL;
uint8_t* respData;

if (ctx == NULL || metadataOut == NULL || keyOut == NULL) {
if (ctx == NULL || metadataOut == NULL || keyOut == NULL ||
keyInOutSz == NULL) {
return WH_ERROR_BADARGS;
}

Expand All @@ -188,23 +193,24 @@ int wh_Client_KeyUnwrapAndExportResponse(whClientContext* ctx,

if (group != WH_MESSAGE_GROUP_KEY || action != WH_KEY_KEYUNWRAPEXPORT ||
size < sizeof(*resp) ||
size > sizeof(*resp) + sizeof(*metadataOut) + keySz ||
size > sizeof(*resp) + sizeof(*metadataOut) + resp->keySz ||
resp->cipherType != cipherType) {
return WH_ERROR_ABORTED;
}

if (resp->rc != WH_ERROR_OK) {
return resp->rc;
}
else if (resp->keySz != keySz) {
else if (resp->keySz > *keyInOutSz) {
return WH_ERROR_BUFFER_SIZE;
}

/* Copy the metadata and key from the response data into metadataOut and
* keyOut */
respData = (uint8_t*)(resp + 1);
memcpy(metadataOut, respData, sizeof(*metadataOut));
memcpy(keyOut, respData + sizeof(*metadataOut), keySz);
memcpy(keyOut, respData + sizeof(*metadataOut), resp->keySz);
*keyInOutSz = resp->keySz;

return WH_ERROR_OK;
}
Expand All @@ -214,12 +220,12 @@ int wh_Client_KeyUnwrapAndExport(whClientContext* ctx,
uint16_t serverKeyId, void* wrappedKeyIn,
uint16_t wrappedKeySz,
whNvmMetadata* metadataOut, void* keyOut,
uint16_t keySz)
uint16_t* keyInOutSz)
{
int ret = WH_ERROR_OK;

if (ctx == NULL || wrappedKeyIn == NULL || metadataOut == NULL ||
keyOut == NULL)
keyOut == NULL || keyInOutSz == NULL)
return WH_ERROR_BADARGS;

ret = wh_Client_KeyUnwrapAndExportRequest(ctx, cipherType, serverKeyId,
Expand All @@ -230,7 +236,7 @@ int wh_Client_KeyUnwrapAndExport(whClientContext* ctx,

do {
ret = wh_Client_KeyUnwrapAndExportResponse(ctx, cipherType, metadataOut,
keyOut, keySz);
keyOut, keyInOutSz);
} while (ret == WH_ERROR_NOTREADY);

return ret;
Expand Down Expand Up @@ -372,7 +378,7 @@ int wh_Client_DataWrapRequest(whClientContext* ctx,

int wh_Client_DataWrapResponse(whClientContext* ctx,
enum wc_CipherType cipherType,
void* wrappedDataOut, uint32_t wrappedDataSz)
void* wrappedDataOut, uint32_t* wrappedDataSz)
{
int ret;
uint16_t group;
Expand All @@ -381,7 +387,7 @@ int wh_Client_DataWrapResponse(whClientContext* ctx,
whMessageKeystore_DataWrapResponse* resp = NULL;
uint8_t* respData;

if (ctx == NULL || wrappedDataOut == NULL) {
if (ctx == NULL || wrappedDataOut == NULL || wrappedDataSz == NULL) {
return WH_ERROR_BADARGS;
}

Expand All @@ -399,29 +405,33 @@ int wh_Client_DataWrapResponse(whClientContext* ctx,
}

if (group != WH_MESSAGE_GROUP_KEY || action != WH_KEY_DATAWRAP ||
size < sizeof(*resp) || size > sizeof(*resp) + wrappedDataSz ||
resp->wrappedDataSz != wrappedDataSz ||
size < sizeof(*resp) || size > sizeof(*resp) + resp->wrappedDataSz ||
resp->cipherType != cipherType) {
return WH_ERROR_ABORTED;
}

if (resp->rc != 0) {
return resp->rc;
}
else if (resp->wrappedDataSz > *wrappedDataSz) {
return WH_ERROR_BUFFER_SIZE;
}

/* Copy the wrapped key from the response data into wrappedKeyOut */
respData = (uint8_t*)(resp + 1);
memcpy(wrappedDataOut, respData, wrappedDataSz);
memcpy(wrappedDataOut, respData, resp->wrappedDataSz);
*wrappedDataSz = resp->wrappedDataSz;

return WH_ERROR_OK;
}

int wh_Client_DataWrap(whClientContext* ctx, enum wc_CipherType cipherType,
uint16_t serverKeyId, void* dataIn, uint32_t dataInSz,
void* wrappedDataOut, uint32_t wrappedDataOutSz)
void* wrappedDataOut, uint32_t* wrappedDataInOutSz)
{
int ret;
if (ctx == NULL || wrappedDataOut == NULL || dataIn == NULL) {
if (ctx == NULL || wrappedDataOut == NULL || dataIn == NULL ||
wrappedDataInOutSz == NULL) {
return WH_ERROR_BADARGS;
}

Expand All @@ -433,7 +443,7 @@ int wh_Client_DataWrap(whClientContext* ctx, enum wc_CipherType cipherType,

do {
ret = wh_Client_DataWrapResponse(ctx, cipherType, wrappedDataOut,
wrappedDataOutSz);
wrappedDataInOutSz);

} while (ret == WH_ERROR_NOTREADY);

Expand Down Expand Up @@ -476,7 +486,7 @@ int wh_Client_DataUnwrapRequest(whClientContext* ctx,

int wh_Client_DataUnwrapResponse(whClientContext* ctx,
enum wc_CipherType cipherType, void* dataOut,
uint32_t dataSz)
uint32_t* dataSz)
{
int ret;
uint16_t group;
Expand All @@ -485,7 +495,7 @@ int wh_Client_DataUnwrapResponse(whClientContext* ctx,
whMessageKeystore_DataUnwrapResponse* resp = NULL;
uint8_t* respData;

if (ctx == NULL || dataOut == NULL) {
if (ctx == NULL || dataOut == NULL || dataSz == NULL) {
return WH_ERROR_BADARGS;
}

Expand All @@ -503,28 +513,33 @@ int wh_Client_DataUnwrapResponse(whClientContext* ctx,
}

if (group != WH_MESSAGE_GROUP_KEY || action != WH_KEY_DATAUNWRAP ||
size < sizeof(*resp) || size > sizeof(*resp) + dataSz ||
resp->dataSz != dataSz || resp->cipherType != cipherType) {
size < sizeof(*resp) || size > sizeof(*resp) + resp->dataSz ||
resp->cipherType != cipherType) {
return WH_ERROR_ABORTED;
}

if (resp->rc != 0) {
return resp->rc;
}
else if (resp->dataSz > *dataSz) {
return WH_ERROR_BUFFER_SIZE;
}

/* Copy the wrapped key from the response data into wrappedKeyOut */
respData = (uint8_t*)(resp + 1);
memcpy(dataOut, respData, dataSz);
memcpy(dataOut, respData, resp->dataSz);
*dataSz = resp->dataSz;

return WH_ERROR_OK;
}
int wh_Client_DataUnwrap(whClientContext* ctx, enum wc_CipherType cipherType,
uint16_t serverKeyId, void* wrappedDataIn,
uint32_t wrappedDataInSz, void* dataOut,
uint32_t dataOutSz)
uint32_t* dataInOutSz)
{
int ret;
if (ctx == NULL || wrappedDataIn == NULL || dataOut == NULL) {
if (ctx == NULL || wrappedDataIn == NULL || dataOut == NULL ||
dataInOutSz == NULL) {
return WH_ERROR_BADARGS;
}

Expand All @@ -535,7 +550,8 @@ int wh_Client_DataUnwrap(whClientContext* ctx, enum wc_CipherType cipherType,
}

do {
ret = wh_Client_DataUnwrapResponse(ctx, cipherType, dataOut, dataOutSz);
ret =
wh_Client_DataUnwrapResponse(ctx, cipherType, dataOut, dataInOutSz);

} while (ret == WH_ERROR_NOTREADY);

Expand Down
Loading