Fixes for CI failures

dgarske · dgarske · commit b186ecc97634 · 2026-03-23T13:50:27.000-07:00
diff --git a/.github/workflows/fwtpm-test.yml b/.github/workflows/fwtpm-test.yml
@@ -351,6 +351,13 @@ jobs:
           apt-get update -qq
           apt-get install -y -qq autoconf automake libtool
 
+      - name: Install STM32Cube H5 SDK
+        run: |
+          mkdir -p $HOME/STM32Cube/Repository
+          git clone --depth 1 --branch v1.5.0 \
+            https://github.com/STMicroelectronics/STM32CubeH5.git \
+            $HOME/STM32Cube/Repository/STM32Cube_FW_H5_V1.5.1
+
       - name: Build wolfSSL (for fwTPM STM32 port)
         working-directory: ./wolfssl
         run: |
diff --git a/examples/run_examples.sh b/examples/run_examples.sh
@@ -416,7 +416,7 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs] [tlsversi
     generate_port
     pushd $WOLFSSL_PATH >> $TPMPWD/run.out 2>&1
     echo -e "./examples/server/server -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem"
-    ./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem >> $TPMPWD/run.out 2>&1 &
+    ./examples/server/server -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem >> $TPMPWD/run.out 2>&1 &
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
     popd >> $TPMPWD/run.out 2>&1
@@ -437,10 +437,10 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs] [tlsversi
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1
     pushd $WOLFSSL_PATH >> $TPMPWD/run.out 2>&1
-    sleep 0.1
+    sleep 1
 
     echo -e "./examples/client/client -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem $4"
-    ./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem $4 >> $TPMPWD/run.out 2>&1
+    ./examples/client/client -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem $4 >> $TPMPWD/run.out 2>&1
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1
     popd >> $TPMPWD/run.out 2>&1
diff --git a/src/fwtpm/fwtpm_command.c b/src/fwtpm/fwtpm_command.c
@@ -3100,17 +3100,25 @@ static TPM_RC FwCmd_Create(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         cmd->pos += outsideInfoSize;
     }
 
-    /* Skip creationPCR */
+    /* Parse creationPCR (TPML_PCR_SELECTION) - skip */
     if (rc == 0) {
         if (cmd->pos + 4 > cmdSize) {
             rc = TPM_RC_COMMAND_SIZE;
         }
     }
     if (rc == 0) {
         TPM2_Packet_ParseU32(cmd, &creationPcrCount);
-        for (s = 0; s < creationPcrCount; s++) {
+        for (s = 0; s < creationPcrCount && rc == 0; s++) {
+            if (cmd->pos + 3 > cmdSize) {
+                rc = TPM_RC_COMMAND_SIZE;
+                break;
+            }
             cmd->pos += 2; /* hashAlg */
             TPM2_Packet_ParseU8(cmd, &selectSize);
+            if (cmd->pos + selectSize > cmdSize) {
+                rc = TPM_RC_COMMAND_SIZE;
+                break;
+            }
             cmd->pos += selectSize;
         }
     }
diff --git a/src/tpm2_cryptocb.c b/src/tpm2_cryptocb.c
@@ -268,8 +268,22 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
             }
         #ifndef WOLFTPM2_USE_SW_ECDHE
             else {
-                /* Generate ephemeral key - if one isn't already created */
+                /* Generate ephemeral key - if one isn't already created
+                 * or if the curve has changed (e.g. TLS 1.3 key share
+                 * negotiation may generate a key for one curve, then
+                 * fall back to a different curve) */
                 key = tlsCtx->ecdhKey;
+                if (key->handle.hndl != 0 &&
+                    key->handle.hndl != TPM_RH_NULL &&
+                    (int)key->pub.publicArea.parameters.eccDetail.curveID
+                        != curve_id) {
+                    /* curve changed, release old key */
+                    rc = wolfTPM2_UnloadHandle(tlsCtx->dev,
+                        &key->handle);
+                    if (rc != 0) {
+                        return rc;
+                    }
+                }
                 if (key->handle.hndl == 0 ||
                     key->handle.hndl == TPM_RH_NULL) {
                     rc = wolfTPM2_ECDHGenKey(tlsCtx->dev, tlsCtx->ecdhKey,
@@ -842,6 +856,7 @@ int wolfTPM2_PK_RsaSign(WOLFSSL* ssl,
                     inPad, inPadSz,
                     out, (int*)outSz);
             }
+            TPM2_ForceZero(inPad, sizeof(inPad));
         }
         wc_FreeRsaKey(&rsapub);
     }

Original file line number	Diff line number	Diff line change
`@@ -3100,17 +3100,25 @@ static TPM_RC FwCmd_Create(FWTPM_CTX* ctx, TPM2_Packet* cmd,`
`3100`	`3100`	`cmd->pos += outsideInfoSize;`
`3101`	`3101`	`}`
`3102`	`3102`
`3103`		`- /* Skip creationPCR */`
	`3103`	`+ /* Parse creationPCR (TPML_PCR_SELECTION) - skip */`
`3104`	`3104`	`if (rc == 0) {`
`3105`	`3105`	`if (cmd->pos + 4 > cmdSize) {`
`3106`	`3106`	`rc = TPM_RC_COMMAND_SIZE;`
`3107`	`3107`	`}`
`3108`	`3108`	`}`
`3109`	`3109`	`if (rc == 0) {`
`3110`	`3110`	`TPM2_Packet_ParseU32(cmd, &creationPcrCount);`
`3111`		`- for (s = 0; s < creationPcrCount; s++) {`
	`3111`	`+ for (s = 0; s < creationPcrCount && rc == 0; s++) {`
	`3112`	`+ if (cmd->pos + 3 > cmdSize) {`
	`3113`	`+ rc = TPM_RC_COMMAND_SIZE;`
	`3114`	`+ break;`
	`3115`	`+ }`
`3112`	`3116`	`cmd->pos += 2; /* hashAlg */`
`3113`	`3117`	`TPM2_Packet_ParseU8(cmd, &selectSize);`
	`3118`	`+ if (cmd->pos + selectSize > cmdSize) {`
	`3119`	`+ rc = TPM_RC_COMMAND_SIZE;`
	`3120`	`+ break;`
	`3121`	`+ }`
`3114`	`3122`	`cmd->pos += selectSize;`
`3115`	`3123`	`}`
`3116`	`3124`	`}`