Improved PSA & PKCS11 store write boundary checks

danielinux · danielinux · commit 66badb287484 · 2026-03-09T09:51:08.000+01:00
F/220
diff --git a/src/pkcs11_store.c b/src/pkcs11_store.c
@@ -506,8 +506,8 @@ int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
            % WOLFBOOT_SECTOR_SIZE;
         sector_base = (uintptr_t)handle->buffer + handle->in_buffer_offset - in_sector_offset;
         in_sector_len = WOLFBOOT_SECTOR_SIZE - in_sector_offset;
-        if (in_sector_len > (uint32_t)len)
-            in_sector_len = len;
+        if (in_sector_len > (uint32_t)(len - written))
+            in_sector_len = len - written;
 
         /* Cache the corresponding sector */
         memcpy(cached_sector, (void *)(uintptr_t)sector_base, WOLFBOOT_SECTOR_SIZE);
diff --git a/src/psa_store.c b/src/psa_store.c
@@ -512,8 +512,8 @@ int wolfPSA_Store_Write(void* store, unsigned char* buffer, int len)
            % WOLFBOOT_SECTOR_SIZE;
         sector_base = (uintptr_t)handle->buffer + handle->in_buffer_offset - in_sector_offset;
         in_sector_len = WOLFBOOT_SECTOR_SIZE - in_sector_offset;
-        if (in_sector_len > (uint32_t)len)
-            in_sector_len = len;
+        if (in_sector_len > (uint32_t)(len - written))
+            in_sector_len = len - written;
 
         /* Cache the corresponding sector */
         memcpy(cached_sector, (void *)(uintptr_t)sector_base, WOLFBOOT_SECTOR_SIZE);
diff --git a/tools/unit-tests/Makefile b/tools/unit-tests/Makefile
@@ -8,10 +8,12 @@ endif
 # Default library paths (can be overridden)
 WOLFBOOT_LIB_WOLFSSL?=../../lib/wolfssl
 WOLFBOOT_LIB_WOLFPKCS11?=../../lib/wolfPKCS11
+WOLFBOOT_LIB_WOLFPSA?=../../lib/wolfPSA
 
 # Convert to absolute paths for standalone usage
 WOLFBOOT_LIB_WOLFSSL:=$(abspath $(WOLFBOOT_LIB_WOLFSSL))
 WOLFBOOT_LIB_WOLFPKCS11:=$(abspath $(WOLFBOOT_LIB_WOLFPKCS11))
+WOLFBOOT_LIB_WOLFPSA:=$(abspath $(WOLFBOOT_LIB_WOLFPSA))
 
 CFLAGS=-I. -I../../src -I../../include -I$(WOLFBOOT_LIB_WOLFSSL)
 CFLAGS+=-g -ggdb
@@ -35,7 +37,7 @@ TESTS:=unit-parser unit-extflash unit-string unit-spi-flash unit-aes128 \
        unit-aes256 unit-chacha20 unit-pci unit-mock-state unit-sectorflags \
        unit-image unit-nvm unit-nvm-flagshome unit-enc-nvm \
        unit-enc-nvm-flagshome unit-delta unit-update-flash \
-       unit-update-flash-enc unit-update-ram unit-pkcs11_store unit-disk \
+       unit-update-flash-enc unit-update-ram unit-pkcs11_store unit-psa_store unit-disk \
        unit-multiboot
 
 all: $(TESTS)
@@ -75,6 +77,7 @@ unit-enc-nvm-flagshome:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS \
 unit-enc-nvm-flagshome:WOLFCRYPT_SRC+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/chacha.c
 unit-delta:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS -DDELTA_UPDATES -DDELTA_BLOCK_SIZE=512
 unit-pkcs11_store:CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPKCS11) -DMOCK_PARTITIONS -DMOCK_KEYVAULT -DSECURE_PKCS11
+unit-psa_store:CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPSA) -DMOCK_PARTITIONS -DMOCK_KEYVAULT -DWOLFCRYPT_TZ_PSA
 unit-update-flash:CFLAGS+=-DMOCK_PARTITIONS -DWOLFBOOT_NO_SIGN -DUNIT_TEST_AUTH \
 	-DWOLFBOOT_HASH_SHA256 -DPRINTF_ENABLED -DEXT_FLASH -DPART_UPDATE_EXT -DPART_SWAP_EXT
 unit-update-ram:CFLAGS+=-DMOCK_PARTITIONS -DWOLFBOOT_NO_SIGN -DUNIT_TEST_AUTH \
@@ -161,6 +164,9 @@ unit-update-ram: ../../include/target.h unit-update-ram.c
 unit-pkcs11_store: ../../include/target.h unit-pkcs11_store.c
 	gcc -o $@ $(WOLFCRYPT_SRC) unit-pkcs11_store.c $(CFLAGS) $(WOLFCRYPT_CFLAGS) $(LDFLAGS)
 
+unit-psa_store: ../../include/target.h unit-psa_store.c
+	gcc -o $@ $(WOLFCRYPT_SRC) unit-psa_store.c $(CFLAGS) $(WOLFCRYPT_CFLAGS) $(LDFLAGS)
+
 gpt-sfdisk-test.h:
 	truncate -s 131072 .gpt-tmp.img
 	printf 'label: gpt\nfirst-lba: 34\nstart=34, size=67, name="boot"\nstart=101, size=100, name="rootfs"\n' \
diff --git a/tools/unit-tests/unit-pkcs11_store.c b/tools/unit-tests/unit-pkcs11_store.c
@@ -242,8 +242,8 @@ START_TEST (test_store_and_load_objs) {
     /* Read out the content */
     memset(secret_rd, 0, KEYVAULT_OBJ_SIZE);
     ret = wolfPKCS11_Store_Read(store, secret_rd, KEYVAULT_OBJ_SIZE);
-    ck_assert(ret == KEYVAULT_OBJ_SIZE - 8);
-    ck_assert(strncmp(dante_filler, secret_rd, KEYVAULT_OBJ_SIZE - 8) == 0);
+    ck_assert_int_eq(ret, strlen(dante_filler) + 1);
+    ck_assert(strncmp(dante_filler, secret_rd, strlen(dante_filler) + 1) == 0);
     wolfPKCS11_Store_Close(store);
 
     /* Reopen for writing, test truncate */
@@ -280,14 +280,55 @@ START_TEST (test_store_and_load_objs) {
 }
 END_TEST
 
+START_TEST(test_cross_sector_write_preserves_length)
+{
+    const int type = DYNAMIC_TYPE_RSA;
+    const CK_ULONG id_tok = 7;
+    const CK_ULONG id_obj = 9;
+    void *store = NULL;
+    unsigned char *payload;
+    struct store_handle *handle;
+    int ret;
+
+    payload = malloc(WOLFBOOT_SECTOR_SIZE);
+    ck_assert_ptr_nonnull(payload);
+
+    for (ret = 0; ret < WOLFBOOT_SECTOR_SIZE; ret++)
+        payload[ret] = (unsigned char)(ret & 0xFF);
+
+    ret = mmap_file("/tmp/wolfboot-unit-keyvault.bin", vault_base,
+            keyvault_size, NULL);
+    ck_assert_int_eq(ret, 0);
+    memset(vault_base, 0xEE, keyvault_size);
+
+    ret = wolfPKCS11_Store_Open(type, id_tok, id_obj, 0, &store);
+    ck_assert_int_eq(ret, 0);
+    ck_assert_ptr_nonnull(store);
+
+    ret = wolfPKCS11_Store_Write(store, payload, WOLFBOOT_SECTOR_SIZE);
+    ck_assert_int_eq(ret, WOLFBOOT_SECTOR_SIZE);
+    handle = store;
+    ck_assert_uint_eq(handle->in_buffer_offset,
+        2 * sizeof(uint32_t) + WOLFBOOT_SECTOR_SIZE);
+    ck_assert_uint_eq(handle->hdr->size,
+        2 * sizeof(uint32_t) + WOLFBOOT_SECTOR_SIZE);
+    wolfPKCS11_Store_Close(store);
+
+    free(payload);
+}
+END_TEST
+
 Suite *wolfboot_suite(void)
 {
     /* Suite initialization */
     Suite *s = suite_create("wolfBoot-pkcs11-store");
 
     TCase* tcase_store_and_load_objs = tcase_create("store_and_load_objs");
+    TCase* tcase_cross_sector_write = tcase_create("cross_sector_write");
     tcase_add_test(tcase_store_and_load_objs, test_store_and_load_objs);
+    tcase_add_test(tcase_cross_sector_write, test_cross_sector_write_preserves_length);
     suite_add_tcase(s, tcase_store_and_load_objs);
+    suite_add_tcase(s, tcase_cross_sector_write);
     return s;
 }
 
diff --git a/tools/unit-tests/unit-psa_store.c b/tools/unit-tests/unit-psa_store.c
@@ -0,0 +1,113 @@
+/* unit-psa_store.c
+ *
+ * Unit test for PSA storage module
+ *
+ * Copyright (C) 2026 wolfSSL Inc.
+ *
+ * This file is part of wolfBoot.
+ *
+ * wolfBoot is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfBoot is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#define WOLFBOOT_HASH_SHA256
+#define EXT_FLASH
+#define PART_UPDATE_EXT
+#define NVM_FLASH_WRITEONCE
+
+#define KEYSTORE_PUBKEY_SIZE KEYSTORE_PUBKEY_SIZE_ECC256
+
+#include <check.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#define XMALLOC_OVERRIDE
+#define XMALLOC(n,h,t) malloc(n)
+#define XFREE(p,h,t) free(p)
+
+#include "user_settings.h"
+#include "wolfssl/wolfcrypt/sha.h"
+#include "wolfssl/wolfcrypt/error-crypt.h"
+#include "wolfboot/wolfboot.h"
+#include "wolfpsa/psa_store.h"
+#include "hal.h"
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/mman.h>
+
+#define MOCK_ADDRESS 0xCF000000
+uint8_t *vault_base = (uint8_t *)MOCK_ADDRESS;
+#include "psa_store.c"
+const uint32_t keyvault_size = KEYVAULT_OBJ_SIZE * KEYVAULT_MAX_ITEMS + 2 * WOLFBOOT_SECTOR_SIZE;
+#include "unit-mock-flash.c"
+
+START_TEST(test_cross_sector_write_preserves_length)
+{
+    enum { type = WOLFPSA_STORE_KEY };
+    const unsigned long id1 = 7;
+    const unsigned long id2 = 9;
+    void *store = NULL;
+    unsigned char *payload;
+    struct store_handle *handle;
+    int ret;
+
+    payload = malloc(WOLFBOOT_SECTOR_SIZE);
+    ck_assert_ptr_nonnull(payload);
+
+    for (ret = 0; ret < WOLFBOOT_SECTOR_SIZE; ret++)
+        payload[ret] = (unsigned char)(ret & 0xFF);
+
+    ret = mmap_file("/tmp/wolfboot-unit-psa-keyvault.bin", vault_base,
+        keyvault_size, NULL);
+    ck_assert_int_eq(ret, 0);
+    memset(vault_base, 0xEE, keyvault_size);
+
+    ret = wolfPSA_Store_Open(type, id1, id2, 0, &store);
+    ck_assert_int_eq(ret, 0);
+    ck_assert_ptr_nonnull(store);
+
+    ret = wolfPSA_Store_Write(store, payload, WOLFBOOT_SECTOR_SIZE);
+    ck_assert_int_eq(ret, WOLFBOOT_SECTOR_SIZE);
+    handle = store;
+    ck_assert_uint_eq(handle->in_buffer_offset,
+        2 * sizeof(uint32_t) + WOLFBOOT_SECTOR_SIZE);
+    ck_assert_uint_eq(handle->hdr->size,
+        2 * sizeof(uint32_t) + WOLFBOOT_SECTOR_SIZE);
+    wolfPSA_Store_Close(store);
+
+    free(payload);
+}
+END_TEST
+
+Suite *wolfboot_suite(void)
+{
+    Suite *s = suite_create("wolfBoot-psa-store");
+    TCase *tcase_write = tcase_create("cross_sector_write");
+
+    tcase_add_test(tcase_write, test_cross_sector_write_preserves_length);
+    suite_add_tcase(s, tcase_write);
+    return s;
+}
+
+int main(void)
+{
+    int fails;
+    Suite *s = wolfboot_suite();
+    SRunner *sr = srunner_create(s);
+
+    srunner_run_all(sr, CK_NORMAL);
+    fails = srunner_ntests_failed(sr);
+    srunner_free(sr);
+    return fails;
+}
