wolfSSL · ColtonWilley · Aug 7, 2025 · Aug 5, 2025 · Aug 6, 2025 · Aug 6, 2025
diff --git a/src/wp_dh_kmgmt.c b/src/wp_dh_kmgmt.c
@@ -490,10 +490,12 @@ static int wp_dh_copy_params(const wp_Dh *src, wp_Dh *dst)
  */
 static wp_Dh* wp_dh_dup(const wp_Dh *src, int selection)
 {
-    wp_Dh* dst;
+    wp_Dh* dst = NULL;
 
-    /* Create a new DH key object to return. */
-    dst = wp_dh_new(src->provCtx);
+    if (wolfssl_prov_is_running()) {
+        /* Create a new dh object. */
+        dst = wp_dh_new(src->provCtx);
+    }
     if (dst != NULL) {
         int ok = 1;
 
@@ -2189,14 +2191,20 @@ static int wp_dh_decode(wp_DhEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
     unsigned char* data = NULL;
     word32 len = 0;
 
+    if (!wolfssl_prov_is_running()) {
+        ok = 0;
+    }
+
     (void)pwCb;
     (void)pwCbArg;
 
     ctx->selection = selection;
 
-    dh = wp_dh_new(ctx->provCtx);
-    if (dh == NULL) {
-        ok = 0;
+    if (ok) {
+        dh = wp_dh_new(ctx->provCtx);
+        if (dh == NULL) {
+            ok = 0;
+        }
     }
     if (ok && (!wp_read_der_bio(ctx->provCtx, cBio, &data, &len))) {
         ok = 0;
@@ -2529,6 +2537,11 @@ static int wp_dh_encode(wp_DhEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
     OSSL_PASSPHRASE_CALLBACK *pwCb, void *pwCbArg)
 {
     int ok = 1;
+
+    if (!wolfssl_prov_is_running()) {
+        ok = 0;
+    }
+
 #if (LIBWOLFSSL_VERSION_HEX >= 0x05000000 && defined(WOLFSSL_DH_EXTRA))
     int rc;
     BIO* out = wp_corebio_get_bio(ctx->provCtx, cBio);

diff --git a/src/wp_ecc_kmgmt.c b/src/wp_ecc_kmgmt.c
@@ -416,9 +416,12 @@ void wp_ecc_free(wp_Ecc* ecc)
  */
 static wp_Ecc* wp_ecc_dup(const wp_Ecc *src, int selection)
 {
-    wp_Ecc* dst;
+    wp_Ecc* dst = NULL;
 
-    dst = wp_ecc_new(src->provCtx);
+    if (wolfssl_prov_is_running()) {
+        /* Create a new ecc object. */
+        dst = wp_ecc_new(src->provCtx);
+    }
     if (dst != NULL) {
         int ok = 1;
         int rc;
@@ -2037,10 +2040,15 @@ static int wp_ecc_decode_spki(wp_Ecc* ecc, unsigned char* data, word32 len)
     int rc;
     word32 idx = 0;
 
-    rc = wc_EccPublicKeyDecode(data, &idx, &ecc->key, len);
-    if (rc != 0) {
+    if (!wolfssl_prov_is_running()) {
         ok = 0;
     }
+    if (ok) {
+        rc = wc_EccPublicKeyDecode(data, &idx, &ecc->key, len);
+        if (rc != 0) {
+            ok = 0;
+        }
+    }
     if (ok) {
         ecc->curveId = ecc->key.dp->id;
         ecc->hasPub = 1;
@@ -2069,10 +2077,15 @@ static int wp_ecc_decode_pki(wp_Ecc* ecc, unsigned char* data, word32 len)
     int rc;
     word32 idx = 0;
 
-    rc = wc_EccPrivateKeyDecode(data, &idx, &ecc->key, len);
-    if (rc != 0) {
+    if (!wolfssl_prov_is_running()) {
         ok = 0;
     }
+    if (ok) {
+        rc = wc_EccPrivateKeyDecode(data, &idx, &ecc->key, len);
+        if (rc != 0) {
+            ok = 0;
+        }
+    }
 #if LIBWOLFSSL_VERSION_HEX < 0x05000000
     if (!ok) {
         idx = 0;

diff --git a/src/wp_ecx_kmgmt.c b/src/wp_ecx_kmgmt.c
@@ -345,11 +345,13 @@ void wp_ecx_free(wp_Ecx* ecx)
  */
 static wp_Ecx* wp_ecx_dup(const wp_Ecx* src, int selection)
 {
-    wp_Ecx* dst;
+    wp_Ecx* dst = NULL;
 
     (void)selection;
-
-    dst = wp_ecx_new(src->provCtx, src->data);
+    if (wolfssl_prov_is_running()) {
+        /* Create a new ecx object. */
+        dst = wp_ecx_new(src->provCtx, src->data);
+    }
     if (dst != NULL) {
         XMEMCPY(&dst->key, &src->key, sizeof(src->key));
         dst->includePublic = src->includePublic;
@@ -1073,11 +1075,17 @@ static int wp_ecx_export(wp_Ecx* ecx, int selection, OSSL_CALLBACK* paramCb,
     size_t len = 0;
     int expPriv = (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0;
 
-    XMEMSET(params, 0, sizeof(params));
-    data = OPENSSL_malloc(wp_ecx_export_keypair_alloc_size(ecx, expPriv));
-    if (data == NULL) {
+    if (!wolfssl_prov_is_running()) {
         ok = 0;
     }
+
+    if (ok) {
+        XMEMSET(params, 0, sizeof(params));
+        data = OPENSSL_malloc(wp_ecx_export_keypair_alloc_size(ecx, expPriv));
+        if (data == NULL) {
+            ok = 0;
+        }
+    }
     if (ok && !wp_ecx_export_keypair(ecx, params, &paramsSz, data, &len,
             expPriv)) {
         ok = 0;
@@ -1928,43 +1936,49 @@ static int wp_ecx_decode(wp_EcxEncDecCtx* ctx, OSSL_CORE_BIO* cBio,
     wp_Ecx* ecx;
     const char* dataType = NULL;
 
+    if (!wolfssl_prov_is_running()) {
+        ok = 0;
+    }
+
     (void)pwCb;
     (void)pwCbArg;
 
-    ctx->selection = selection;
+    if (ok) {
+        ctx->selection = selection;
 #ifdef WP_HAVE_X25519
-    if (ctx->keyType == WP_KEY_TYPE_X25519) {
-        ecx = wp_x25519_new(ctx->provCtx);
-        dataType = "X25519";
-    }
-    else
+        if (ctx->keyType == WP_KEY_TYPE_X25519) {
+            ecx = wp_x25519_new(ctx->provCtx);
+            dataType = "X25519";
+        }
+        else
 #endif /* WP_HAVE_X25519 */
 #ifdef WP_HAVE_ED25519
-    if (ctx->keyType == WP_KEY_TYPE_ED25519) {
-        ecx = wp_ed25519_new(ctx->provCtx);
-        dataType = "ED25519";
-    }
-    else
+        if (ctx->keyType == WP_KEY_TYPE_ED25519) {
+            ecx = wp_ed25519_new(ctx->provCtx);
+            dataType = "ED25519";
+        }
+        else
 #endif /* WP_HAVE_ED25519 */
 #ifdef WP_HAVE_X448
-    if (ctx->keyType == WP_KEY_TYPE_X448) {
-        ecx = wp_x448_new(ctx->provCtx);
-        dataType = "X448";
-    }
-    else
+        if (ctx->keyType == WP_KEY_TYPE_X448) {
+            ecx = wp_x448_new(ctx->provCtx);
+            dataType = "X448";
+        }
+        else
 #endif /* WP_HAVE_X448 */
 #ifdef WP_HAVE_ED448
-    if (ctx->keyType == WP_KEY_TYPE_ED448) {
-        ecx = wp_ed448_new(ctx->provCtx);
-        dataType = "ED448";
-    }
-    else
+        if (ctx->keyType == WP_KEY_TYPE_ED448) {
+            ecx = wp_ed448_new(ctx->provCtx);
+            dataType = "ED448";
+        }
+        else
 #endif /* WP_HAVE_ED448 */
-    {
-        ecx = NULL;
-    }
-    if (ecx == NULL) {
-        ok = 0;
+        {
+            ecx = NULL;
+        }
+        if (ecx == NULL) {
+            ok = 0;
+        }
     }
 
     if (ok) {
@@ -2021,6 +2035,10 @@ static int wp_ecx_encode(wp_EcxEncDecCtx* ctx, OSSL_CORE_BIO *cBio,
     int ok = 1;
     int rc;
     BIO* out = wp_corebio_get_bio(ctx->provCtx, cBio);
+
+    if (!wolfssl_prov_is_running()) {
+        ok = 0;
+    }
     unsigned char* keyData = NULL;
     size_t keyLen = 0;
     unsigned char derData[160];

diff --git a/src/wp_mac_kmgmt.c b/src/wp_mac_kmgmt.c
@@ -246,11 +246,13 @@ void wp_mac_free(wp_Mac* mac)
  */
 static wp_Mac* wp_mac_dup(const wp_Mac *src, int selection)
 {
-    wp_Mac* dst;
+    wp_Mac* dst = NULL;
 
     (void)selection;
-
-    dst = wp_mac_new(src->provCtx, src->type);
+    if (wolfssl_prov_is_running()) {
+        /* Create a new mac object. */
+        dst = wp_mac_new(src->provCtx, src->type);
+    }
     if (dst != NULL) {
         int ok = 1;
 
@@ -461,9 +463,13 @@ static int wp_mac_export(wp_Mac *mac, int selection, OSSL_CALLBACK *paramCb,
     unsigned char* data = NULL;
     size_t len = 0;
 
+    if (!wolfssl_prov_is_running()) {
+        ok = 0;
+    }
+
     XMEMSET(params, 0, sizeof(params));
 
-    if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
+    if (ok && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
         size_t idx = 0;
 
         len = wp_mac_export_priv_key_alloc_size(mac);
@@ -503,9 +509,11 @@ static int wp_mac_export(wp_Mac *mac, int selection, OSSL_CALLBACK *paramCb,
 static wp_MacGenCtx* wp_mac_gen_init(WOLFPROV_CTX* provCtx,
     int selection, const OSSL_PARAM params[], int type)
 {
-    wp_MacGenCtx* ctx;
+    wp_MacGenCtx* ctx = NULL;
 
-    ctx = OPENSSL_zalloc(sizeof(*ctx));
+    if (wolfssl_prov_is_running()) {
+        ctx = OPENSSL_zalloc(sizeof(*ctx));
+    }
     if (ctx != NULL) {
         ctx->provCtx = provCtx;
         ctx->selection = selection;

diff --git a/src/wp_rsa_kmgmt.c b/src/wp_rsa_kmgmt.c
@@ -523,7 +523,9 @@ static wp_Rsa* wp_rsa_dup(const wp_Rsa* src, int selection)
 {
     wp_Rsa* dst = NULL;
 
-    if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
+    if (wolfssl_prov_is_running() &&
+        (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
+        /* Create a new rsa object. */
         dst = wp_rsa_base_new(src->provCtx, src->type);
     }
     if (dst != NULL) {
@@ -2147,10 +2149,16 @@ static int wp_rsa_decode_spki(wp_Rsa* rsa, unsigned char* data, word32 len)
     int rc;
     word32 idx = 0;
 
-    rc = wc_RsaPublicKeyDecode(data, &idx, &rsa->key, len);
-    if (rc != 0) {
+    if (!wolfssl_prov_is_running()) {
         ok = 0;
     }
+
+    if (ok) {
+        rc = wc_RsaPublicKeyDecode(data, &idx, &rsa->key, len);
+        if (rc != 0) {
+            ok = 0;
+        }
+    }
     if (ok && !wp_rsa_determine_type(rsa, data, len)) {
         ok = 0;
     }
@@ -2185,10 +2193,16 @@ static int wp_rsa_decode_pki(wp_Rsa* rsa, unsigned char* data, word32 len)
     int rc;
     word32 idx = 0;
 
-    rc = wc_RsaPrivateKeyDecode(data, &idx, &rsa->key, len);
-    if (rc != 0) {
+    if (!wolfssl_prov_is_running()) {
         ok = 0;
     }
+
+    if (ok) {
+        rc = wc_RsaPrivateKeyDecode(data, &idx, &rsa->key, len);
+        if (rc != 0) {
+            ok = 0;
+        }
+    }
 #if LIBWOLFSSL_VERSION_HEX < 0x05000000 || defined(HAVE_FIPS)
     if (!ok) {
         idx = 0;
@@ -2269,8 +2283,12 @@ static int wp_rsa_decode_enc_pki(wp_Rsa* rsa, unsigned char* data, word32 len,
     char password[1024];
     size_t passwordSz = sizeof(password);
 
+    if (!wolfssl_prov_is_running()) {
+        ok = 0;
+    }
+
     /* Look for the PBKDF2 OID to know we have an encrypted key. */
-    if (!wp_rsa_find_pbkdf2_oid(data, len)) {
+    if (ok && !wp_rsa_find_pbkdf2_oid(data, len)) {
         ok = 0;
     }
     /* Get password for decryption. */
@@ -3098,6 +3116,10 @@ static int wp_rsa_encode(wp_RsaEncDecCtx* ctx, OSSL_CORE_BIO* cBio,
     int ok = 1;
     int rc;
     BIO *out = wp_corebio_get_bio(ctx->provCtx, cBio);
+
+    if (!wolfssl_prov_is_running()) {
+        ok = 0;
+    }
     unsigned char* keyData = NULL;
     size_t keyLen;
     unsigned char* derData = NULL;
@@ -4031,6 +4053,10 @@ static int wp_rsa_encode_text(wp_RsaEncDecCtx* ctx, OSSL_CORE_BIO* cBio,
 {
     int ok = 1;
     BIO *out = wp_corebio_get_bio(ctx->provCtx, cBio);
+
+    if (!wolfssl_prov_is_running()) {
+        ok = 0;
+    }
     int hasPriv = (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0;
     int hasPub = (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0;
     char* textData = NULL;