Fix PKCS11 object leak in Pkcs11ECDH

[mattia-moffa]

Description

Pkcs11ECDH leaked two PKCS11 objects per ECDH operation:

• The derived secret via C_DeriveKey is never destroyed after its value is extracted via C_GetAttributeValue
• Ephemeral private keys generated by Pkcs11EcKeyGen (e.g. for TLS ECDHE) is not cleaned up. Pkcs11EcKeyGen intentionally leaves the private key alive for the subsequent Pkcs11ECDH call, but Pkcs11ECDH only destroys private keys created from raw scalar data (if (sessionKey)), not keys found via Pkcs11FindEccKey.

Reported via ZD#20700

Testing

./configure --enable-pkcs11

[dgarske]

Jenkins retest this please. FIPS v3 no history

[SparkiDev]

Please check against NULL.

[SparkiDev]

The private key lifecycle should be bound to the ECC object.
I don't think the private key should be destroyed here.

[Frauschi]

That would be the best option. But AFAICT, we currently don't have logic to handle that case in the ecc_free() method. Would be a great addition, as we will also face the same issue once ML-KEM is added to the PKCS#11 interface (private decapsulation key must also be deleted once the handshake is done on the client side — I'm currently working on that ML-KEM integration).

[SparkiDev]

May want the secret held on the device!
When doing TLS on the device, you don't want the secret to leave it. Instead the secret is used to generate the TLS session keys.

[Frauschi]

In that case, the lifetime of the secret key object should be bound to the handshake duration, shouldn't it? Then, we can still use it in the future for potential key derivations on the external token via PKCS#11.

[mattia-moffa]

But do we have a way of binding it to the handshake duration from the wolfCrypt side?