
Commit 9c0208f

dgarskeclaude
andcommitted
Fix peer review findings: unchecked returns, bounds validation, STM32 hardening
P0 Critical: - Check wc_Hash/wc_HashUpdate/wc_HashFinal returns (fwtpm_crypto.c) - Validate cmdTotalSz bounds in TIS FIFO path (fwtpm_tis.c) - Clamp reg_data length to buffer size in TIS FIFO write (fwtpm_tis.c) - Check sem_post() return in TisShmSignalResponse (fwtpm_tis_shm.c) - Return TPM_RC_SIZE on OAEP label overflow instead of silent truncation in MakeCredential/ActivateCredential (fwtpm_command.c) P1 High: - Check SocketSend() return in HandleMssimSignal (fwtpm_io.c) - Add UINT16 overflow check for credential blob size (fwtpm_command.c) - Check wc_RNG_GenerateBlock return for nonce generation and fix C89 declaration ordering (fwtpm_command.c) - Log warning on NV slot allocation failure (fwtpm_nv.c) - Check fwrite() return in NV file gap-fill (fwtpm_nv.c) P2 STM32: - Add volatile qualifier to g_fwtpmCtx for TrustZone NSC (main.c, fwtpm_nsc.c) - Use static FWTPM_CTX allocation instead of heap malloc (main.c) - Replace memcpy from volatile with byte-by-byte read (fwtpm_nv_flash.c) - Add HAL_ICACHE_Invalidate() before HAL_ICACHE_Enable() (fwtpm_nv_flash.c) Build/CI: - Guard WC_RSA_NO_PAD with #ifdef WC_RSA_NO_PADDING (fwtpm_command.c) - Add WC_RSA_NO_PADDING to wolfSSL build in CI, README, and build script - Remove sudo from emulator job wolfSSL install (fwtpm-test.yml) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 90096b9 commit 9c0208f


12 files changed

+126
-64
lines changed


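--- a/.github/workflows/fwtpm-test.yml
+++ b/.github/workflows/fwtpm-test.yml
@@ -19,124 +19,124 @@ jobs:
 # fwTPM with socket/swtpm transport
 - name: fwtpm-socket
 wolftpm_config: --enable-fwtpm --enable-swtpm --enable-debug
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: false
 
 # fwTPM with TIS/shared-memory transport
 - name: fwtpm-tis
 wolftpm_config: --enable-fwtpm --enable-debug
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: false
 
 # Build-only: fwTPM with RSA disabled
 - name: fwtpm-no-rsa
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --disable-rsa
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING" --disable-rsa
 server_args: ""
 build_only: true
 
 # Build-only: fwTPM with ECC disabled
 - name: fwtpm-no-ecc
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --disable-ecc
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING" --disable-ecc
 server_args: ""
 build_only: true
 
 # Build-only: fwTPM server only (no client library)
 - name: fwtpm-only
 wolftpm_config: --enable-fwtpm-only --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 
 # Build-only: fwTPM with attestation and NV disabled
 - name: fwtpm-minimal
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 extra_cflags: -DFWTPM_NO_ATTESTATION -DFWTPM_NO_NV -DFWTPM_NO_POLICY -DFWTPM_NO_CREDENTIAL -DFWTPM_NO_DA -DFWTPM_NO_PARAM_ENC
 
 # Build-only: individual FWTPM_NO_* macro tests
 - name: fwtpm-no-policy
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 extra_cflags: -DFWTPM_NO_POLICY
 
 - name: fwtpm-no-nv
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 extra_cflags: -DFWTPM_NO_NV
 
 - name: fwtpm-no-attestation
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 extra_cflags: -DFWTPM_NO_ATTESTATION
 
 - name: fwtpm-no-credential
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 extra_cflags: -DFWTPM_NO_CREDENTIAL
 
 - name: fwtpm-no-da
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 extra_cflags: -DFWTPM_NO_DA
 
 - name: fwtpm-no-param-enc
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 extra_cflags: -DFWTPM_NO_PARAM_ENC
 
 # Build-only: cross-algorithm + feature macro combinations
 - name: fwtpm-no-rsa-no-policy
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --disable-rsa
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING" --disable-rsa
 server_args: ""
 build_only: true
 extra_cflags: -DFWTPM_NO_POLICY
 
 - name: fwtpm-no-ecc-no-nv
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen --disable-ecc
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING" --disable-ecc
 server_args: ""
 build_only: true
 extra_cflags: -DFWTPM_NO_NV
 
 # Build-only: WOLFTPM_SMALL_STACK (heap-allocated crypto objects)
 - name: fwtpm-small-stack
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 extra_cflags: -DWOLFTPM_SMALL_STACK
 
 # Build-only: pedantic warnings with -Werror (GCC)
 - name: fwtpm-pedantic-gcc
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 make_cflags: "-Wall -Wextra -Wpedantic -Werror -Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wformat=2"
 
 # Build-only: pedantic warnings with -Werror (clang)
 - name: fwtpm-pedantic-clang
 wolftpm_config: --enable-fwtpm --enable-swtpm
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 cc: clang
@@ -145,15 +145,15 @@ jobs:
 # Build-only: pedantic fwTPM-only (no client library)
 - name: fwtpm-pedantic-only
 wolftpm_config: --enable-fwtpm-only
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: true
 make_cflags: "-Wall -Wextra -Wpedantic -Werror -Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wformat=2"
 
 # AddressSanitizer: fwTPM server + examples
 - name: fwtpm-asan
 wolftpm_config: --enable-fwtpm --enable-swtpm --enable-debug
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: false
 extra_cflags: "-fsanitize=address -fno-omit-frame-pointer -g -O1"
@@ -163,7 +163,7 @@ jobs:
 # UndefinedBehaviorSanitizer: fwTPM server + examples
 - name: fwtpm-ubsan
 wolftpm_config: --enable-fwtpm --enable-swtpm --enable-debug
-wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen
+wolfssl_config: --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 server_args: ""
 build_only: false
 extra_cflags: "-fsanitize=undefined -fno-sanitize-recover=all -fno-omit-frame-pointer -g"
@@ -355,8 +355,8 @@ jobs:
 ./autogen.sh
 ./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen
 make
-sudo make install
-sudo ldconfig
+make install
+ldconfig
 
 - name: Copy wolfSSL to /tmp/wolfssl-fwtpm
 run: cp -a wolfssl /tmp/wolfssl-fwtpm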
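Review bot: The emulator-job configure line in the last hunk, `./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen`, is left without `CFLAGS="-DWC_RSA_NO_PADDING"` while every matrix entry above gains it. The same commit makes raw RSA return `TPM_RC_SCHEME` when that macro is absent, so this job would test a wolfSSL build in which the TPM_ALG_NULL scheme is rejected; add the flag here too unless that difference is intended. The hunk also drops `sudo` from `make install` and `ldconfig`, which only succeeds if the step already runs as root (for example in a container); the job definition is outside the hunk, so that should be confirmed.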

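--- a/scripts/fwtpm_build_test.sh
+++ b/scripts/fwtpm_build_test.sh
@@ -58,7 +58,8 @@ check_wolfssl_options() {
 [ -f "$opts_file" ] || return 1
 grep -q "HAVE_PK_CALLBACKS" "$opts_file" && \
 grep -q "WOLFSSL_KEY_GEN" "$opts_file" && \
-grep -q "WOLFSSL_PUBLIC_MP" "$opts_file"
+grep -q "WOLFSSL_PUBLIC_MP" "$opts_file" && \
+grep -q "WC_RSA_NO_PADDING" "$opts_file"
 }
 
 ensure_wolfssl() {
@@ -103,6 +104,7 @@ ensure_wolfssl() {
 ./autogen.sh > /dev/null 2>&1 && \
 ./configure \
 --enable-wolftpm --enable-pkcallbacks --enable-keygen \
+CFLAGS="-DWC_RSA_NO_PADDING" \
 > /tmp/wolfssl-fwtpm-configure.log 2>&1 && \
 make -j"$(nproc)" > /tmp/wolfssl-fwtpm-build.log 2>&1 && \
 sudo make install > /tmp/wolfssl-fwtpm-install.log 2>&1 && \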
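Review bot: The new `grep -q "WC_RSA_NO_PADDING"` in check_wolfssl_options has no comment saying why the macro is required, although failing it presumably sends an existing wolfSSL install through the rebuild and `sudo make install` path in ensure_wolfssl. A one-line comment above the check would record the reason, for example `# WC_RSA_NO_PADDING: needed for raw RSA (TPM_ALG_NULL scheme) in RSA_Encrypt/RSA_Decrypt`. The pattern is a substring match like the three before it; `grep -qw` would avoid accepting a longer macro name that merely contains it. ensure_wolfssl continues outside the second hunk.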

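--- a/src/fwtpm/README.md
+++ b/src/fwtpm/README.md
@@ -11,11 +11,11 @@ SPI/I2C for bare-metal integration. Implements 103 of 113 TPM 2.0 v1.38 commands
 
 ## Building
 
-wolfSSL must be built with `--enable-keygen`:
+wolfSSL must be built with `--enable-keygen` and `WC_RSA_NO_PADDING`:
 
 ```bash
 cd wolfssl
-./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen
+./configure --enable-wolftpm --enable-pkcallbacks --enable-keygen CFLAGS="-DWC_RSA_NO_PADDING"
 make && make install
 ```
 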

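--- a/src/fwtpm/fwtpm_command.c
+++ b/src/fwtpm/fwtpm_command.c
@@ -5457,9 +5457,13 @@ static TPM_RC FwCmd_RSA_Encrypt(FWTPM_CTX* ctx, TPM2_Packet* cmd,
 }
 else if (encScheme == TPM_ALG_NULL) {
 /* Raw RSA (no padding) */
+#ifdef WC_RSA_NO_PADDING
 outSz = wc_RsaPublicEncrypt_ex(message.buffer, message.size,
 outBuf, (word32)FWTPM_MAX_PUB_BUF, rsaKey, &ctx->rng,
 WC_RSA_NO_PAD, WC_HASH_TYPE_NONE, 0, NULL, 0);
+#else
+rc = TPM_RC_SCHEME;
+#endif
 }
 else {
 /* RSAES PKCS1 v1.5 */
@@ -5602,9 +5606,13 @@ static TPM_RC FwCmd_RSA_Decrypt(FWTPM_CTX* ctx, TPM2_Packet* cmd,
 }
 else if (decScheme == TPM_ALG_NULL) {
 /* Raw RSA (no padding) */
+#ifdef WC_RSA_NO_PADDING
 outSz = wc_RsaPrivateDecrypt_ex(cipherText.buffer, cipherText.size,
 outBuf, (word32)FWTPM_MAX_PUB_BUF, rsaKey,
 WC_RSA_NO_PAD, WC_HASH_TYPE_NONE, 0, NULL, 0);
+#else
+rc = TPM_RC_SCHEME;
+#endif
 }
 else {
 /* RSAES PKCS1 v1.5 */
@@ -10964,7 +10972,10 @@ static TPM_RC FwCmd_MakeCredential(FWTPM_CTX* ctx, TPM2_Packet* cmd,
 XMEMCPY(oaepLabel, "IDENTITY", 8);
 oaepLabelSz = 8;
 oaepLabel[oaepLabelSz++] = 0x00;
-if (objectName.size + oaepLabelSz <= (int)sizeof(oaepLabel)) {
+if (objectName.size + oaepLabelSz > (int)sizeof(oaepLabel)) {
+rc = TPM_RC_SIZE;
+}
+else {
 XMEMCPY(oaepLabel + oaepLabelSz, objectName.name,
 objectName.size);
 oaepLabelSz += objectName.size;
@@ -11016,14 +11027,20 @@ static TPM_RC FwCmd_MakeCredential(FWTPM_CTX* ctx, TPM2_Packet* cmd,
 TPM2_Packet_AppendBytes(rsp, encCred, (int)encCredSz);
 /* patch blob size */
 blobSz = rsp->pos - blobStart;
-savedPos = rsp->pos;
-rsp->pos = blobSzPos;
-TPM2_Packet_AppendU16(rsp, (UINT16)blobSz);
-rsp->pos = savedPos;
-/* secret = TPM2B_ENCRYPTED_SECRET */
-TPM2_Packet_AppendU16(rsp, (UINT16)encSeedSz);
-TPM2_Packet_AppendBytes(rsp, encSeed, encSeedSz);
-FwRspParamsEnd(rsp, cmdTag, paramSzPos, paramStart);
+if (blobSz < 0 || blobSz > 0xFFFF ||
+encSeedSz < 0 || encSeedSz > 0xFFFF) {
+rc = TPM_RC_SIZE;
+}
+if (rc == 0) {
+savedPos = rsp->pos;
+rsp->pos = blobSzPos;
+TPM2_Packet_AppendU16(rsp, (UINT16)blobSz);
+rsp->pos = savedPos;
+/* secret = TPM2B_ENCRYPTED_SECRET */
+TPM2_Packet_AppendU16(rsp, (UINT16)encSeedSz);
+TPM2_Packet_AppendBytes(rsp, encSeed, encSeedSz);
+FwRspParamsEnd(rsp, cmdTag, paramSzPos, paramStart);
+}
 }
 
 TPM2_ForceZero(seed, sizeof(seed));
@@ -11151,7 +11168,10 @@ static TPM_RC FwCmd_ActivateCredential(FWTPM_CTX* ctx, TPM2_Packet* cmd,
 XMEMCPY(oaepLabel, "IDENTITY", 8);
 oaepLabelSz = 8;
 oaepLabel[oaepLabelSz++] = 0x00;
-if (objName->size + oaepLabelSz <= (int)sizeof(oaepLabel)) {
+if (objName->size + oaepLabelSz > (int)sizeof(oaepLabel)) {
+rc = TPM_RC_SIZE;
+}
+else {
 XMEMCPY(oaepLabel + oaepLabelSz, objName->name, objName->size);
 oaepLabelSz += objName->size;
 }
@@ -12293,6 +12313,10 @@ int FWTPM_ProcessCommand(FWTPM_CTX* ctx,
 int rspParamEnd;
 #endif
 int j;
+int rngRc;
+byte rpHash[TPM_MAX_DIGEST_SIZE];
+int rpHashSz = 0;
+TPMI_ALG_HASH rpHashAlg = TPM_ALG_SHA256;
 
 /* Read parameterSize from response buffer */
 if (rspHandleEnd + 4 <= rspPkt.pos) {
@@ -12314,9 +12338,14 @@ int FWTPM_ProcessCommand(FWTPM_CTX* ctx,
 FWTPM_Session* sess = cmdAuths[j].sess;
 int digestSz = TPM2_GetHashDigestSize(sess->authHash);
 if (digestSz > 0) {
-sess->nonceTPM.size = digestSz;
-wc_RNG_GenerateBlock(&ctx->rng, sess->nonceTPM.buffer,
-digestSz);
+rngRc = wc_RNG_GenerateBlock(&ctx->rng,
+sess->nonceTPM.buffer, digestSz);
+if (rngRc == 0) {
+sess->nonceTPM.size = digestSz;
+}
+else {
+sess->nonceTPM.size = 0;
+}
 }
 }
 }
@@ -12340,8 +12369,6 @@ int FWTPM_ProcessCommand(FWTPM_CTX* ctx,
 #endif /* !FWTPM_NO_PARAM_ENC */
 
 /* Compute rpHash on (possibly encrypted) response parameters */
-byte rpHash[TPM_MAX_DIGEST_SIZE];
-int rpHashSz = 0;
 {
 const byte* rpBytes = NULL;
 int rpBytesSz = 0;
@@ -12350,7 +12377,6 @@ int FWTPM_ProcessCommand(FWTPM_CTX* ctx,
 rpBytesSz = (int)rspParamSzVal;
 }
 /* Use first session's hashAlg for rpHash (or SHA-256 default) */
-TPMI_ALG_HASH rpHashAlg = TPM_ALG_SHA256;
 for (j = 0; j < cmdAuthCnt; j++) {
 if (cmdAuths[j].sess != NULL) {
 rpHashAlg = cmdAuths[j].sess->authHash;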
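Review bot: In the FWTPM_ProcessCommand hunk at new lines 12341-12348, a failed `wc_RNG_GenerateBlock` is handled by setting `sess->nonceTPM.size = 0` and carrying on, so the command still completes and the session continues with an empty nonceTPM. The TPM nonce is what keeps each authorization exchange fresh, so an RNG failure here should fail the command rather than quietly weaken the session. Replacing the `else` body with something like `rc = TPM_RC_FAILURE; break;` would do that, assuming the function's status variable is named `rc`, which this hunk does not show. How the response is finalised on an error path lies outside the hunk and needs checking before the change is made.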

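--- a/src/fwtpm/fwtpm_crypto.c
+++ b/src/fwtpm/fwtpm_crypto.c
@@ -84,11 +84,15 @@ int FwComputeUniqueHash(TPMI_ALG_HASH nameAlg, const byte* keyData,
 FWTPM_DECLARE_VAR(hCtx, wc_HashAlg);
 FWTPM_ALLOC_VAR(hCtx, wc_HashAlg);
 if (rc == 0 && wc_HashInit(hCtx, wcHash) == 0) {
-wc_HashUpdate(hCtx, wcHash, keyData, (word32)keyDataSz);
-wc_HashFinal(hCtx, wcHash, outBuf);
+rc = wc_HashUpdate(hCtx, wcHash, keyData, (word32)keyDataSz);
+if (rc == 0) {
+rc = wc_HashFinal(hCtx, wcHash, outBuf);
+}
 wc_HashFree(hCtx, wcHash);
-FWTPM_FREE_VAR(hCtx);
-return hSz;
+if (rc == 0) {
+FWTPM_FREE_VAR(hCtx);
+return hSz;
+}
 }
 FWTPM_FREE_VAR(hCtx);
 }
@@ -263,10 +267,14 @@ int FwAppendCreationHashAndTicket(FWTPM_CTX* ctx, TPM2_Packet* rsp,
 byte ticketData[TPM_MAX_DIGEST_SIZE + sizeof(TPM2B_NAME)];
 int chSz = TPM2_GetHashDigestSize(nameAlg);
 int ticketDataSz = 0;
+int hashRc = 0;
 
 if (chSz > 0) {
-wc_Hash(FwGetWcHashType(nameAlg),
+hashRc = wc_Hash(FwGetWcHashType(nameAlg),
 rsp->buf + cdStart, cdSize, creationHash, chSz);
+if (hashRc != 0) {
+chSz = 0;
+}
 }
 TPM2_Packet_AppendU16(rsp, (UINT16)chSz);
 if (chSz > 0) {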
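Review bot: In FwAppendCreationHashAndTicket a `wc_Hash` failure is absorbed by setting `chSz = 0`, so the response is still built with a zero-length creationHash and `hashRc` is not returned anywhere in the visible lines. A caller then cannot tell that the creation data went unhashed. Since the function returns `int`, propagating the error with `if (hashRc != 0) return TPM_RC_FAILURE;` looks safer, provided that path needs no cleanup, which lies outside the hunk. In FwComputeUniqueHash `rc` now carries wolfCrypt error codes, and what the function returns after the outer `FWTPM_FREE_VAR` is not shown, so it is worth confirming that callers treat that path as a failure.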

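--- a/src/fwtpm/fwtpm_io.c
+++ b/src/fwtpm/fwtpm_io.c
@@ -261,8 +261,7 @@ static int HandleMssimSignal(FWTPM_CTX* ctx, int clientFd, UINT32 tssCmd)
 printf("fwTPM: Cmd-port signal %u (ack)\n", tssCmd);
 #endif
 netVal = FwTpmSwapU32(0);
-SocketSend(clientFd, &netVal, 4);
-return TPM_RC_SUCCESS;
+return SocketSend(clientFd, &netVal, 4);
 }
 
 /* --- Process and send TPM command response --- */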
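Review bot: HandleMssimSignal now returns whatever `SocketSend` returns where it used to return `TPM_RC_SUCCESS`, and the return convention of `SocketSend` is not visible in this hunk. If it yields a byte count or a negative errno-style value, callers that compare the result with `TPM_RC_SUCCESS` will misread it. Mapping the result explicitly keeps the contract clear, for example `if (SocketSend(clientFd, &netVal, 4) != 0) return TPM_RC_FAILURE;` followed by `return TPM_RC_SUCCESS;`, once the convention is confirmed. The start of the function is outside the hunk.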
