Add test case for early returns from test_wolfTPM2_EncryptSecret

padelsbach · padelsbach · commit 383bdb488744 · 2026-03-08T22:16:12.000-07:00
diff --git a/.gitignore b/.gitignore
@@ -60,6 +60,8 @@ pkcs7tpmsignedex.p7s
 examples/tls/tls_server
 examples/tls/tls_client_notpm
 tests/unit.test
+tests/unit.log
+unit.trs
 examples/keygen/create_primary
 examples/keygen/keyload
 examples/keygen/keygen
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -1595,9 +1595,7 @@ static int wolfTPM2_EncryptSecret_RSA(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpm
     }
 
     wc_FreeRsaKey(&rsaKey);
-    TPM2_ForceZero(&rsaKey, sizeof(rsaKey));
     wc_FreeRng(&rng);
-    TPM2_ForceZero(&rng, sizeof(rng));
 
     if (rc > 0) {
         rc = (rc == secret->size) ? 0 /* success */ : BUFFER_E /* fail */;
diff --git a/tests/unit_tests.c b/tests/unit_tests.c
@@ -429,6 +429,43 @@ static void test_TPM2_Policy_NULL_Args(void)
     printf("Test TPM2:\t\tPolicy NULL Args:\tPassed\n");
 }
 
+static void test_wolfTPM2_EncryptSecret(void)
+{
+    int rc;
+    WOLFTPM2_DEV dev;
+    WOLFTPM2_KEY tpmKey;
+    TPM2B_DATA data;
+    TPM2B_ENCRYPTED_SECRET secret;
+
+    XMEMSET(&tpmKey, 0, sizeof(tpmKey));
+    XMEMSET(&data, 0, sizeof(data));
+    XMEMSET(&secret, 0, sizeof(secret));
+
+    rc = wolfTPM2_Init(&dev, TPM2_IoCb, NULL);
+    AssertIntEQ(rc, 0);
+
+    /* Test NULL tpmKey returns success (unsalted session) */
+    rc = wolfTPM2_EncryptSecret(&dev, NULL, &data, &secret, "SECRET");
+    AssertIntEQ(rc, TPM_RC_SUCCESS);
+
+    /* Test NULL dev returns BAD_FUNC_ARG */
+    rc = wolfTPM2_EncryptSecret(NULL, &tpmKey, &data, &secret, "SECRET");
+    AssertIntEQ(rc, BAD_FUNC_ARG);
+
+    /* Test NULL data returns BAD_FUNC_ARG */
+    rc = wolfTPM2_EncryptSecret(&dev, &tpmKey, NULL, &secret, "SECRET");
+    AssertIntEQ(rc, BAD_FUNC_ARG);
+
+    /* Test NULL secret returns BAD_FUNC_ARG */
+    rc = wolfTPM2_EncryptSecret(&dev, &tpmKey, &data, NULL, "SECRET");
+    AssertIntEQ(rc, BAD_FUNC_ARG);
+
+    wolfTPM2_Cleanup(&dev);
+
+    printf("Test TPM Wrapper:\tEncryptSecret:\t%s\n",
+        rc == BAD_FUNC_ARG ? "Passed" : "Failed");
+}
+
 static void test_wolfTPM2_Cleanup(void)
 {
     int rc;
@@ -1047,6 +1084,7 @@ int unit_tests(int argc, char *argv[])
     test_wolfTPM_ImportPublicKey();
     test_wolfTPM2_PCRPolicy();
     #endif
+    test_wolfTPM2_EncryptSecret();
     test_wolfTPM2_KeyBlob(TPM_ALG_RSA);
     test_wolfTPM2_KeyBlob(TPM_ALG_ECC);
     #if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) && \
diff --git a/wolftpm/tpm2_wrap.h b/wolftpm/tpm2_wrap.h
@@ -3402,7 +3402,7 @@ WOLFTPM_API int wolfTPM2_ChangeHierarchyAuth(WOLFTPM2_DEV* dev, WOLFTPM2_SESSION
 #define wolfTPM2_GetCurveSize TPM2_GetCurveSize
 
 /* for encrypting secrets (like salt) used in auth sessions and external key import */
-WOLFTPM_LOCAL int wolfTPM2_EncryptSecret(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpmKey,
+WOLFTPM_API int wolfTPM2_EncryptSecret(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpmKey,
     TPM2B_DATA *secret, TPM2B_ENCRYPTED_SECRET *encSecret, const char* label);
 
 

Original file line number	Diff line number	Diff line change
`@@ -1595,9 +1595,7 @@ static int wolfTPM2_EncryptSecret_RSA(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpm`
`1595`	`1595`	`}`
`1596`	`1596`
`1597`	`1597`	`wc_FreeRsaKey(&rsaKey);`
`1598`		`- TPM2_ForceZero(&rsaKey, sizeof(rsaKey));`
`1599`	`1598`	`wc_FreeRng(&rng);`
`1600`		`- TPM2_ForceZero(&rng, sizeof(rng));`
`1601`	`1599`
`1602`	`1600`	`if (rc > 0) {`
`1603`	`1601`	`rc = (rc == secret->size) ? 0 /* success / : BUFFER_E / fail */;`