wolfSSL · dgarske · Mar 19, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026
diff --git a/src/crypto.c b/src/crypto.c
@@ -704,6 +704,17 @@ static CK_RV SetAttributeValue(WP11_Session* session, WP11_Object* obj,
             if ((getVar == CK_TRUE) && (*(CK_BBOOL*)attr->pValue == CK_FALSE))
                 return CKR_ATTRIBUTE_READ_ONLY;
         }
+        /* Cannot change extractable from false to true */
+        if (!newObject && attr->type == CKA_EXTRACTABLE) {
+            getVarLen = sizeof(getVar);
+            rv = WP11_Object_GetAttr(obj, CKA_EXTRACTABLE, &getVar,
+                                     &getVarLen);
+            if (rv != CKR_OK)
+                return rv;
+
+            if ((getVar == CK_FALSE) && (*(CK_BBOOL*)attr->pValue == CK_TRUE))
+                return CKR_ATTRIBUTE_READ_ONLY;
+        }
         ret = WP11_Object_SetAttr(obj, attr->type, (byte*)attr->pValue,
                                                               attr->ulValueLen);
         if (ret == MEMORY_E)
@@ -747,15 +758,21 @@ static CK_RV NewObject(WP11_Session* session, CK_KEY_TYPE keyType,
         return CKR_FUNCTION_FAILED;
 
     ret = WP11_Object_SetClass(obj, keyClass);
-    if (ret != 0)
+    if (ret != 0) {
+        WP11_Object_Free(obj);
         return CKR_FUNCTION_FAILED;
+    }
 
     /* Now that object class is set, allocate type-specific data */
     ret = wp11_Object_AllocateTypeData(obj);
-    if (ret == MEMORY_E)
+    if (ret == MEMORY_E) {
+        WP11_Object_Free(obj);
         return CKR_DEVICE_MEMORY;
-    if (ret != 0)
+    }
+    if (ret != 0) {
+        WP11_Object_Free(obj);
         return CKR_FUNCTION_FAILED;
+    }
 
     rv = SetAttributeValue(session, obj, pTemplate, ulCount, CK_TRUE);
     if (rv != CKR_OK) {
@@ -1206,15 +1223,21 @@ CK_RV C_CopyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
 
     /* Set the object class from the original object */
     ret = WP11_Object_SetClass(newObj, WP11_Object_GetClass(obj));
-    if (ret != 0)
+    if (ret != 0) {
+        WP11_Object_Free(newObj);
         return CKR_FUNCTION_FAILED;
+    }
 
     /* Now that object class is set, allocate type-specific data */
     ret = wp11_Object_AllocateTypeData(newObj);
-    if (ret == MEMORY_E)
+    if (ret == MEMORY_E) {
+        WP11_Object_Free(newObj);
         return CKR_DEVICE_MEMORY;
-    if (ret != 0)
+    }
+    if (ret != 0) {
+        WP11_Object_Free(newObj);
         return CKR_FUNCTION_FAILED;
+    }
 
     /* copy all the attributes from the original object to the new object */
     rv = WP11_Object_Copy(obj, newObj);
@@ -1573,7 +1596,7 @@ CK_RV C_FindObjectsInit(CK_SESSION_HANDLE hSession,
         WOLFPKCS11_LEAVE("C_FindObjectsInit", rv);
         return rv;
     }
-    if (pTemplate == NULL) {
+    if (pTemplate == NULL && ulCount != 0) {
         rv = CKR_ARGUMENTS_BAD;
         WOLFPKCS11_LEAVE("C_FindObjectsInit", rv);
         return rv;
@@ -7399,15 +7422,22 @@ static int SetKeyExtract(WP11_Session* session, byte* ptr, CK_ULONG length,
         secretKeyData[1] = ptr + (length - symmKeyLen);
         secretKeyLen[1] = symmKeyLen;
         ret = WP11_Object_SetSecretKey(secret, secretKeyData, secretKeyLen);
-        if (ret != CKR_OK)
+        if (ret != CKR_OK) {
+            WP11_Object_Free(secret);
             return CKR_FUNCTION_FAILED;
+        }
         ret = (int)AddObject(session, secret, pTemplate, ulAttributeCount,
             handle);
         if (ret != CKR_OK) {
+            WP11_Object_Free(secret);
             return ret;
         }
     }
-    if ((ret == 0) && (isMac)) {
+    else {
+        WP11_Object_Free(secret);
+        return ret;
+    }
+    if (isMac) {
         ret = WP11_Object_SetAttr(secret, CKA_KEY_TYPE, (byte*)&keyType,
                                   sizeof(keyType));
         if (ret != CKR_OK)
@@ -7840,8 +7870,10 @@ CK_RV C_DeriveKey(CK_SESSION_HANDLE hSession,
                 secretKeyLen[1] = symmKeyLen;
                 ret = WP11_Object_SetSecretKey(obj, secretKeyData,
                                                 secretKeyLen);
-                if (ret != 0)
+                if (ret != 0) {
+                    WP11_Object_Free(obj);
                     rv = CKR_FUNCTION_FAILED;
+                }
                 if (ret == 0) {
                     rv = AddObject(session, obj, pTemplate,
                                     ulAttributeCount, phKey);

diff --git a/src/internal.c b/src/internal.c
@@ -2831,6 +2831,7 @@ static int wp11_EncryptData(byte* out, byte* data, int len, byte* key,
         ret = wc_AesGcmEncrypt(&aes, out, data, len, iv, ivSz, out + len,
                                                        AES_BLOCK_SIZE, NULL, 0);
     }
+    wc_AesFree(&aes);
 
     return ret;
 }
@@ -2865,6 +2866,7 @@ static int wp11_DecryptData(byte* out, byte* data, int len, byte* key,
         ret = wc_AesGcmDecrypt(&aes, out, data, len, iv, ivSz, data + len,
                                                        AES_BLOCK_SIZE, NULL, 0);
     }
+    wc_AesFree(&aes);
 
     return ret;
 }
@@ -7010,6 +7012,17 @@ WP11_Slot* WP11_Session_GetSlot(WP11_Session* session)
     return session->slot;
 }
 
+/**
+ * Get the slot id associated with the session.
+ *
+ * @param  session  [in]  Session object.
+ * @return  Slot id.
+ */
+CK_SLOT_ID WP11_Session_GetSlotId(WP11_Session* session)
+{
+    return session->slotId;
+}
+
 /**
  * Get the mechanism associated with the session.
  *
@@ -9133,10 +9146,11 @@ static int GetSha1CheckValue(const byte* dataIn, int inLen, byte* dataOut,
     }
 
     ret = wc_Hash(WC_HASH_TYPE_SHA, dataIn, inLen, hash, WC_SHA_DIGEST_SIZE);
-    if (ret == 0) {
-        XMEMCPY(dataOut, hash, PKCS11_CHECK_VALUE_SIZE);
-        *outLen = PKCS11_CHECK_VALUE_SIZE;
+    if (ret != 0) {
+        return CKR_FUNCTION_FAILED;
     }
+    XMEMCPY(dataOut, hash, PKCS11_CHECK_VALUE_SIZE);
+    *outLen = PKCS11_CHECK_VALUE_SIZE;
 
     return CKR_OK;
 }

diff --git a/src/slot.c b/src/slot.c
@@ -571,7 +571,7 @@ static CK_MECHANISM_INFO rsaOaepMechInfo = {
 #ifdef WC_RSA_PSS
 /* Info on RSA PKCS#1 PSS mechanism. */
 static CK_MECHANISM_INFO rsaPssMechInfo = {
-    256, 521, CKF_SIGN | CKF_VERIFY
+    1024, 4096, CKF_SIGN | CKF_VERIFY
 };
 #endif
 #ifndef NO_SHA256
@@ -1639,6 +1639,7 @@ CK_RV C_GetSessionInfo(CK_SESSION_HANDLE hSession,
         return rv;
     }
 
+    pInfo->slotID = WP11_Session_GetSlotId(session);
     pInfo->state = WP11_Session_GetState(session);
     pInfo->flags = CKF_SERIAL_SESSION;
     if (WP11_Session_IsRW(session))