From 97f015b07c1bff256eff2e59a051b1c25dee4515 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Tue, 19 Dec 2023 13:55:52 -0800
Subject: [PATCH 1/4] Fix for portability case where XREALLOC is not available.

---
 src/internal.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index 4e0fa11..9f0ca81 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -8056,6 +8056,7 @@ int WP11_AesGcm_DecryptUpdate(unsigned char* enc, word32 encSz,
     unsigned char* newEnc;
     WP11_GcmParams* gcm = &session->params.gcm;
 
+#ifdef XREALLOC
     newEnc = (unsigned char*)XREALLOC(gcm->enc, gcm->encSz + encSz, NULL,
                                                        DYNAMIC_TYPE_TMP_BUFFER);
     if (newEnc == NULL)
@@ -8065,6 +8066,20 @@ int WP11_AesGcm_DecryptUpdate(unsigned char* enc, word32 encSz,
         XMEMCPY(gcm->enc + gcm->encSz, enc, encSz);
         gcm->encSz += encSz;
     }
+#else
+    newEnc = (unsigned char*)XMALLOC(gcm->encSz + encSz, NULL,
+                                                       DYNAMIC_TYPE_TMP_BUFFER);
+    if (newEnc == NULL)
+        ret = MEMORY_E;
+    if (ret == 0) {
+        if (gcm->enc != NULL)
+            XMEMCPY(newEnc, gcm->enc, gcm->encSz);
+        XFREE(gcm->enc, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        gcm->enc = newEnc;
+        XMEMCPY(gcm->enc + gcm->encSz, enc, encSz);
+        gcm->encSz += encSz;
+    }
+#endif /* !XREALLOC */
 
     return ret;
 }

From b2d28f07a8fab559de7a886035a1e642c6ec93ba Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Wed, 20 Dec 2023 14:50:42 -0800
Subject: [PATCH 2/4] Add support for custom setenv/get env using
 `WOLFPKCS11_USER_ENV`.

---
 src/internal.c        |  6 +++---
 tests/pkcs11mtt.c     |  2 +-
 tests/pkcs11str.c     |  4 ++--
 tests/pkcs11test.c    |  2 +-
 wolfpkcs11/internal.h |  8 +++-----
 wolfpkcs11/pkcs11.h   | 11 +++++++++++
 6 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 9f0ca81..66ca833 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -695,7 +695,7 @@ int wolfPKCS11_Store_Open(int type, CK_ULONG id1, CK_ULONG id2, int read,
     void** store)
 {
     int ret = 0;
-#if defined(XGETENV) || !defined(WOLFPKCS11_TPM_STORE)
+#ifndef WOLFPKCS11_NO_ENV
     const char* str = NULL;
 #endif
 #ifdef WOLFPKCS11_TPM_STORE
@@ -715,7 +715,7 @@ int wolfPKCS11_Store_Open(int type, CK_ULONG id1, CK_ULONG id2, int read,
         type, id1, id2, read);
 #endif
 
-#ifdef XGETENV
+#ifndef WOLFPKCS11_NO_ENV
     str = XGETENV("WOLFPKCS11_NO_STORE");
     if (str != NULL) {
         return NOT_AVAILABLE_E;
@@ -764,7 +764,7 @@ int wolfPKCS11_Store_Open(int type, CK_ULONG id1, CK_ULONG id2, int read,
     #endif
 
 #else
-    #ifdef XGETENV
+    #ifndef WOLFPKCS11_NO_ENV
     str = XGETENV("WOLFPKCS11_TOKEN_PATH");
     #endif
     if (str == NULL) {
diff --git a/tests/pkcs11mtt.c b/tests/pkcs11mtt.c
index 40bcd9e..be34356 100644
--- a/tests/pkcs11mtt.c
+++ b/tests/pkcs11mtt.c
@@ -6499,7 +6499,7 @@ int pkcs11test_mtt(int argc, char* argv[])
     int i;
 
 #ifndef WOLFPKCS11_NO_ENV
-    setenv("WOLFPKCS11_NO_STORE", "1", 1);
+    XSETENV("WOLFPKCS11_NO_STORE", "1", 1);
 #endif
 
     argc--;
diff --git a/tests/pkcs11str.c b/tests/pkcs11str.c
index 25b25a2..d392935 100644
--- a/tests/pkcs11str.c
+++ b/tests/pkcs11str.c
@@ -923,8 +923,8 @@ int pkcs11test_str(int argc, char* argv[])
     int closeDl = 1;
 
 #ifndef WOLFPKCS11_NO_ENV
-    if (!getenv("WOLFPKCS11_TOKEN_PATH")) {
-        setenv("WOLFPKCS11_TOKEN_PATH", "./tests", 1);
+    if (!XGETENV("WOLFPKCS11_TOKEN_PATH")) {
+        XSETENV("WOLFPKCS11_TOKEN_PATH", "./tests", 1);
     }
 #endif
 
diff --git a/tests/pkcs11test.c b/tests/pkcs11test.c
index c34201b..9593ca8 100644
--- a/tests/pkcs11test.c
+++ b/tests/pkcs11test.c
@@ -7913,7 +7913,7 @@ int pkcs11test_test(int argc, char* argv[])
     int i;
 
 #ifndef WOLFPKCS11_NO_ENV
-    setenv("WOLFPKCS11_NO_STORE", "1", 1);
+    XSETENV("WOLFPKCS11_NO_STORE", "1", 1);
 #endif
 
     argc--;
diff --git a/wolfpkcs11/internal.h b/wolfpkcs11/internal.h
index 1e7d8b1..15600d3 100644
--- a/wolfpkcs11/internal.h
+++ b/wolfpkcs11/internal.h
@@ -24,19 +24,17 @@
 #define WOLFPKCS11_INTERNAL_H
 
 #ifndef WOLFSSL_USER_SETTINGS
-#include <wolfssl/options.h>
-#else
-#include "user_settings.h"
+    #include <wolfssl/options.h>
 #endif
+#include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/wolfcrypt/rsa.h>
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/wc_encrypt.h>
 
 #ifndef WOLFPKCS11_USER_SETTINGS
-#include <wolfpkcs11/options.h>
+    #include <wolfpkcs11/options.h>
 #endif
-
 #include <wolfpkcs11/pkcs11.h>
 #include <wolfpkcs11/version.h>
 
diff --git a/wolfpkcs11/pkcs11.h b/wolfpkcs11/pkcs11.h
index f63fc6c..4e1ba96 100644
--- a/wolfpkcs11/pkcs11.h
+++ b/wolfpkcs11/pkcs11.h
@@ -28,6 +28,17 @@
 extern "C" {
 #endif
 
+/* Helpers for setenv/getenv */
+#if !defined(WOLFPKCS11_USER_ENV) && !defined(WOLFPKCS11_NO_ENV)
+    #include <stdlib.h>
+    #ifndef XSETENV
+        #define XSETENV setenv
+    #endif
+    #ifndef XGETENV
+        #define XGETENV getenv
+    #endif
+#endif
+
 #ifndef NULL_PTR
 #define NULL_PTR        0
 #endif

From 57540867d1d5dd056c3b4254ba89a919434dbc57 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Wed, 20 Dec 2023 15:03:08 -0800
Subject: [PATCH 3/4] Fix for final not being called after init in edge case
 pin failure.

---
 tests/pkcs11test.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tests/pkcs11test.c b/tests/pkcs11test.c
index 9593ca8..68830a8 100644
--- a/tests/pkcs11test.c
+++ b/tests/pkcs11test.c
@@ -7791,8 +7791,10 @@ static CK_RV pkcs11_test(int slotId, int setPin, int onlySet, int closeDl)
         ret = pkcs11_lib_init();
 
     /* Do tests after library initialization but without SO PIN. */
-    if (ret == CKR_OK)
+    if (ret == CKR_OK) {
+        inited = 1;
         ret = run_tests(testFunc, testFuncCnt, onlySet, TEST_FLAG_INIT);
+    }
 
     if (ret == CKR_OK)
         ret = pkcs11_init_token();
@@ -7805,7 +7807,6 @@ static CK_RV pkcs11_test(int slotId, int setPin, int onlySet, int closeDl)
 
     /* Set user PIN. */
     if (ret == CKR_OK) {
-        inited = 1;
         if (setPin)
             ret = pkcs11_set_user_pin(slotId);
     }

From fd6c4b47b92216820d51381e51287db50aa63742 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Wed, 20 Dec 2023 15:37:15 -0800
Subject: [PATCH 4/4] For embedded systems allow pin hashing using SHA2-256 vs
 script (which uses multiple MB of memory).

---
 src/internal.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index 66ca833..eceea48 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -33,6 +33,7 @@
 #include <wolfssl/version.h>
 #include <wolfssl/wolfcrypt/pwdbased.h>
 #include <wolfssl/wolfcrypt/asn.h>
+#include <wolfssl/wolfcrypt/hash.h>
 #include <wolfssl/wolfcrypt/hmac.h>
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/rsa.h>
@@ -3639,6 +3640,12 @@ static int HashPIN(char* pin, int pinLen, byte* seed, int seedLen, byte* hash,
     return wc_scrypt(hash, (byte*)pin, pinLen, seed, seedLen,
                                     WP11_HASH_PIN_COST, WP11_HASH_PIN_BLOCKSIZE,
                                     WP11_HASH_PIN_PARALLEL, hashLen);
+#elif !defined(NO_SHA256)
+    /* fallback to simple SHA2-256 hash of pin */
+    (void)seed;
+    (void)seedLen;
+    XMEMSET(hash, 0, hashLen);
+    return wc_Sha256Hash((const byte*)pin, pinLen, hash);
 #else
     (void)pin;
     (void)pinLen;