Fix to auto enable fwtpm and swtpm for x86_64/amd64/aarch64. Fix CMake issue. Fix minor ticket issue after new tests.

dgarske · dgarske · commit 01753bbfc776 · 2026-04-15T15:19:53.000-07:00
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -465,14 +465,16 @@ if (WOLFTPM_EXAMPLES AND BUILD_WOLFTPM_LIB)
     add_library(tpm_test_lib STATIC
         examples/tpm_test_keys.c
         )
-    target_link_libraries(tpm_test_lib wolftpm)
+    # wolftpm_wolfssl_dep is needed explicitly because wolftpm now links it
+    # PRIVATE (so wolfSSL does not leak into wolftpm's installed export set).
+    target_link_libraries(tpm_test_lib PRIVATE wolftpm wolftpm_wolfssl_dep)
 endif()
 
 function(add_tpm_example name src)
     add_executable(${name}
         examples/${src}
         )
-    target_link_libraries(${name} wolftpm tpm_test_lib)
+    target_link_libraries(${name} PRIVATE wolftpm tpm_test_lib wolftpm_wolfssl_dep)
 endfunction()
 
 ####################################################
diff --git a/configure.ac b/configure.ac
@@ -225,16 +225,29 @@ then
     AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_LINUX_DEV"
 fi
 
-# Defaults: fwTPM and swTPM are opt-in via --enable-fwtpm / --enable-swtpm.
-# Auto-enabling them on Linux/BSD changed default behavior for downstream
-# builders (new optional dependencies, different `make check`), so keep the
-# safer opt-in default. CI scripts pass these flags explicitly.
+# Native host defaults — auto-enable fwTPM and swTPM on Linux/BSD x86_64 / aarch64
+# so `make check` provides full coverage out of the box. Users can still
+# explicitly disable with --disable-fwtpm / --disable-swtpm.
 WOLFTPM_DEFAULT_FWTPM=no
 WOLFTPM_DEFAULT_SWTPM=no
+case $host_cpu in
+    x86_64|amd64|aarch64)
+        # Defensive exclusion: fwtpm_server uses POSIX sockets and is not
+        # currently portable to Windows / Darwin. Auto-enable on Linux/BSD only.
+        case $host_os in
+            *mingw*|*cygwin*|*msys*|*darwin*|*win32*)
+                ;;
+            *)
+                WOLFTPM_DEFAULT_FWTPM=yes
+                WOLFTPM_DEFAULT_SWTPM=yes
+                ;;
+        esac
+        ;;
+esac
 
 # SW TPM device Support
 AC_ARG_ENABLE([swtpm],
-    [AS_HELP_STRING([--enable-swtpm],[Enable use of TPM through the SW socket driver (default: disabled)])],
+    [AS_HELP_STRING([--enable-swtpm],[Enable use of TPM through the SW socket driver (default: enabled on Linux x86_64/aarch64, disabled elsewhere)])],
     [ ENABLED_SWTPM=$enableval ],
     [ ENABLED_SWTPM=$WOLFTPM_DEFAULT_SWTPM ]
     )
@@ -286,7 +299,7 @@ AC_SUBST([DISTCHECK_SWTPM_PORT_FLAG])
 
 # Firmware TPM (fwTPM) - software TPM 2.0 simulator
 AC_ARG_ENABLE([fwtpm],
-    [AS_HELP_STRING([--enable-fwtpm],[Enable firmware TPM (fwTPM) server (default: disabled)])],
+    [AS_HELP_STRING([--enable-fwtpm],[Enable firmware TPM (fwTPM) server (default: enabled on Linux x86_64/aarch64, disabled elsewhere)])],
     [ ENABLED_FWTPM=$enableval ],
     [ ENABLED_FWTPM=$WOLFTPM_DEFAULT_FWTPM ]
     )
diff --git a/src/fwtpm/fwtpm_command.c b/src/fwtpm/fwtpm_command.c
@@ -5512,6 +5512,9 @@ static TPM_RC FwCmd_Sign(FWTPM_CTX* ctx, TPM2_Packet* cmd,
     UINT16 ticketTag = 0;
     UINT32 ticketHier = 0;
     byte ticketDigest[TPM_MAX_DIGEST_SIZE];
+    byte expectedHmac[TPM_MAX_DIGEST_SIZE];
+    int expectedSz = 0;
+    int ticketSupplied = 0;
     FWTPM_Object* obj = NULL;
     int paramSzPos = 0;
     int paramStart = 0;
@@ -5603,24 +5606,30 @@ static TPM_RC FwCmd_Sign(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         }
     }
 
-    /* For restricted signing keys: verify the ticket proves the digest
-     * was produced by this TPM per TPM 2.0 Part 3 Section 12.4 */
-    if (rc == 0 && (obj->pub.objectAttributes & TPMA_OBJECT_restricted)) {
-        if (ticketTag != TPM_ST_HASHCHECK || ticketHier == TPM_RH_NULL) {
+    /* Validate TK_HASHCHECK ticket per TPM 2.0 Part 3 Section 18.7 / 12.4:
+     *   - Restricted signing keys REQUIRE a valid ticket.
+     *   - For any key, if a ticket is supplied, it must verify. */
+    if (rc == 0) {
+        ticketSupplied = (ticketHier != TPM_RH_NULL && vdSz > 0);
+        if ((obj->pub.objectAttributes & TPMA_OBJECT_restricted) &&
+                !ticketSupplied) {
             rc = TPM_RC_TICKET;
         }
-        if (rc == 0) {
-            byte expectedHmac[TPM_MAX_DIGEST_SIZE];
-            int expectedSz = 0;
-            int trc = FwComputeTicketHmac(ctx, ticketHier, obj->pub.nameAlg,
-                digest.buffer, digest.size, expectedHmac, &expectedSz);
-            if (trc != 0 || vdSz != (UINT16)expectedSz ||
+    }
+    if (rc == 0 && ticketSupplied) {
+        if (ticketTag != TPM_ST_HASHCHECK) {
+            rc = TPM_RC_TICKET;
+        }
+    }
+    if (rc == 0 && ticketSupplied) {
+        rc = FwComputeTicketHmac(ctx, ticketHier, obj->pub.nameAlg,
+            digest.buffer, digest.size, expectedHmac, &expectedSz);
+        if (rc != 0 || vdSz != (UINT16)expectedSz ||
                 TPM2_ConstantCompare(ticketDigest, expectedHmac,
                     (word32)expectedSz) != 0) {
-                rc = TPM_RC_TICKET;
-            }
-            TPM2_ForceZero(expectedHmac, sizeof(expectedHmac));
+            rc = TPM_RC_TICKET;
         }
+        TPM2_ForceZero(expectedHmac, sizeof(expectedHmac));
     }
 
 #ifdef DEBUG_WOLFTPM
diff --git a/src/tpm2_crypto.c b/src/tpm2_crypto.c
@@ -23,6 +23,7 @@
     #include <config.h>
 #endif
 
+#include <wolftpm/tpm2.h>
 #include <wolftpm/tpm2_crypto.h>
 #include <wolftpm/tpm2_packet.h>
 
diff --git a/tests/unit_tests.c b/tests/unit_tests.c
@@ -853,7 +853,7 @@ static void test_TPM2_KDFa(void)
 static void test_TPM2_KDFe(void)
 {
     int rc;
-    #define TEST_KDFE_KEYSZ 32
+    enum { TEST_KDFE_KEYSZ = 32 };
     /* Use a simple known Z, label, and party info */
     const byte Z[TEST_KDFE_KEYSZ] = {
         0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,

Original file line number	Diff line number	Diff line change
`@@ -853,7 +853,7 @@ static void test_TPM2_KDFa(void)`
`853`	`853`	`static void test_TPM2_KDFe(void)`
`854`	`854`	`{`
`855`	`855`	`int rc;`
`856`		`- #define TEST_KDFE_KEYSZ 32`
	`856`	`+ enum { TEST_KDFE_KEYSZ = 32 };`
`857`	`857`	`/* Use a simple known Z, label, and party info */`
`858`	`858`	`const byte Z[TEST_KDFE_KEYSZ] = {`
`859`	`859`	`0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,`