fwtpm: peer-review batch 5 + CI --disable-fwtpm

CI: Add --disable-fwtpm to non-fwtpm CI jobs that auto-enable fwtpm
on Linux x86_64 (autodetect, pedantic, clang-asan, symmetric,
swecdhe, old-wolfssl, multi-compiler, sanitizer).

Security (High):
- Session flush: free sessions when continueSession bit is not set
  in command attributes (TPM 2.0 Part 1 §19.6.4)
- Import inner integrity: verify Hash(decryptedSens || objectName)
  after AES-CFB inner decrypt, reject TPM_RC_INTEGRITY on mismatch
- FwImportReconstructKey: reject sensType != objectPublic.type
- KDFa derivation counter: start at 1 per TPM 2.0 spec (was 0)
- ECDH_ZGen/ZGen_2Phase: wc_ecc_check_key on peer points
- ZGen_2Phase: ForceZero ephemeral key after use

Security (Medium):
- ParamEnc/ParamDec: return TPM_RC_FAILURE for unknown symmetric alg
- FwComputeSessionHmac: bounds check sessionKey.size
- FwImportParseSensitive: validate totalSensSize against buffer
- FwDerivePrime: 28 Miller-Rabin rounds per FIPS 186-4 (was 8)
- SwTpmTransmit: reject negative bufSz

Author: dgarske

.github/workflows/make-test-swtpm.yml

@@ -140,38 +140,33 @@ jobs:
 
           # Autodetect (default configure, /dev/tpm0 + SPI dual support)
           - name: autodetect
-            wolftpm_config: ""
+            wolftpm_config: "--disable-fwtpm"
             needs_swtpm: false
 
           # Autodetect with debug
           - name: autodetect-debug
-            wolftpm_config: --enable-debug
+            wolftpm_config: "--enable-debug --disable-fwtpm"
             needs_swtpm: false
 
-          # Clang ASAN
-          - name: clang-asan
-            wolftpm_cflags: "-fsanitize=address -fno-omit-frame-pointer -g"
-            wolftpm_cc: clang
-            test_command: "make check && ASAN_OPTIONS=detect_leaks=1:abort_on_error=1 WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh"
-
           # Pedantic
           - name: pedantic
-            wolftpm_config: ""
             wolftpm_cflags: "-Wpedantic"
             needs_swtpm: false
 
-          # Not provisioning
+          # No provisioning
           - name: no-provisioning
             wolftpm_config: --disable-provisioning
             needs_swtpm: false
 
           # Symmetric encryption
           - name: symmetric
+            wolftpm_config: "--enable-swtpm --disable-fwtpm"
             wolftpm_cflags: "-DWOLFTPM_USE_SYMMETRIC"
             test_command: "make check && WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh"
 
           # Software ECDHE
           - name: swecdhe
+            wolftpm_config: "--enable-swtpm --disable-fwtpm"
             wolftpm_cflags: "-DWOLFTPM2_USE_SW_ECDHE"
             test_command: "make check && WOLFSSL_PATH=./wolfssl ./examples/run_examples.sh"
 
@@ -204,6 +199,7 @@ jobs:
           # Builds latest wolfSSL for examples/client/client and examples/server/server
           # Builds old wolfSSL (v4.7.0) for linking wolfTPM against older shared library
           - name: old-wolfssl
+            wolftpm_config: "--enable-swtpm --disable-fwtpm"
             test_command: "make check && WOLFSSL_PATH=./wolfssl NO_PUBASPRIV=1 ./examples/run_examples.sh"
             needs_install: true
 

src/fwtpm/fwtpm_command.c

@@ -465,7 +465,8 @@ static int FwComputeSessionHmac(FWTPM_Session* sess,
     *hmacOutSz = dSize;
 
     /* Build HMAC key = sessionKey || authValue */
-    if (sess->sessionKey.size > 0) {
+    if (sess->sessionKey.size > 0 &&
+        sess->sessionKey.size <= TPM_MAX_DIGEST_SIZE) {
         XMEMCPY(hmacKey, sess->sessionKey.buffer, sess->sessionKey.size);
         hmacKeySz = sess->sessionKey.size;
     }
@@ -4208,6 +4209,7 @@ static TPM_RC FwCmd_Import(FWTPM_CTX* ctx, TPM2_Packet* cmd,
     int plainSensSz = 0;
     UINT16 sensType = 0;
     UINT16 primeSz = 0;
+    FWTPM_DECLARE_VAR(innerHashCtx, wc_HashAlg);
     FWTPM_DECLARE_BUF(primeBuf, FWTPM_MAX_DER_SIG_BUF);
     TPM2B_AUTH importedAuth;
     TPM_RC rc = TPM_RC_SUCCESS;
@@ -4218,6 +4220,7 @@ static TPM_RC FwCmd_Import(FWTPM_CTX* ctx, TPM2_Packet* cmd,
     FWTPM_ALLOC_BUF(pubAreaBuf, FWTPM_MAX_PUB_BUF);
     FWTPM_ALLOC_BUF(plainSens, FWTPM_MAX_SENSITIVE_SIZE);
     FWTPM_ALLOC_BUF(primeBuf, FWTPM_MAX_DER_SIG_BUF);
+    FWTPM_ALLOC_VAR(innerHashCtx, wc_HashAlg);
 
     if (cmdSize < TPM2_HEADER_SIZE + 4) {
         rc = TPM_RC_COMMAND_SIZE;
@@ -4440,6 +4443,8 @@ static TPM_RC FwCmd_Import(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         int innerStart;
         byte* encInner;
         int encInnerSz;
+        byte innerHash[TPM_MAX_DIGEST_SIZE];
+        int ihRc;
 
         /* Parse inner integrity size */
         innerIntegSz = FwLoadU16BE(plainSens);
@@ -4465,6 +4470,38 @@ static TPM_RC FwCmd_Import(FWTPM_CTX* ctx, TPM2_Packet* cmd,
             }
         }
 
+        /* Verify inner integrity: Hash(decryptedSensitive || objectName)
+         * Per TPM 2.0 Part 1 §23.4 */
+        if (rc == 0 && objDigestSz > 0 &&
+            (UINT16)objDigestSz != innerIntegSz) {
+            rc = TPM_RC_INTEGRITY;
+        }
+        if (rc == 0) {
+            ihRc = wc_HashInit(innerHashCtx, objWcHash);
+            if (ihRc == 0) {
+                ihRc = wc_HashUpdate(innerHashCtx, objWcHash,
+                    encInner, (word32)encInnerSz);
+            }
+            if (ihRc == 0) {
+                ihRc = wc_HashUpdate(innerHashCtx, objWcHash,
+                    nameBuf, (word32)nameSz);
+            }
+            if (ihRc == 0) {
+                ihRc = wc_HashFinal(innerHashCtx, objWcHash, innerHash);
+            }
+            wc_HashFree(innerHashCtx, objWcHash);
+            if (ihRc != 0) {
+                rc = TPM_RC_FAILURE;
+            }
+            if (rc == 0) {
+                if (TPM2_ConstantCompare(innerHash, plainSens + 2,
+                        innerIntegSz) != 0) {
+                    rc = TPM_RC_INTEGRITY;
+                }
+            }
+            TPM2_ForceZero(innerHash, sizeof(innerHash));
+        }
+
         /* Shift decrypted sensitive to beginning of plainSens buffer */
         if (rc == 0) {
             XMEMMOVE(plainSens, plainSens + innerStart, encInnerSz);
@@ -4526,6 +4563,7 @@ static TPM_RC FwCmd_Import(FWTPM_CTX* ctx, TPM2_Packet* cmd,
     FWTPM_FREE_BUF(plainSens);
     TPM2_ForceZero(primeBuf, FWTPM_MAX_DER_SIG_BUF);
     FWTPM_FREE_BUF(primeBuf);
+    FWTPM_FREE_VAR(innerHashCtx);
     return rc;
 }
 
@@ -6983,6 +7021,13 @@ static TPM_RC FwCmd_ECDH_ZGen(FWTPM_CTX* ctx, TPM2_Packet* cmd,
             rc = TPM_RC_FAILURE;
         }
     }
+    /* Validate peer point is on the expected curve (invalid curve attack) */
+    if (rc == 0) {
+        rc = wc_ecc_check_key(peerPub);
+        if (rc != 0) {
+            rc = TPM_RC_ECC_POINT;
+        }
+    }
 
     /* Compute shared secret */
     if (rc == 0) {
@@ -11968,6 +12013,10 @@ static TPM_RC FwCmd_ZGen_2Phase(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         rc = wc_ecc_import_unsigned(peerPub,
             inQsB.point.x.buffer, inQsB.point.y.buffer, NULL, wcCurve);
     }
+    if (rc == 0) {
+        rc = wc_ecc_check_key(peerPub);
+        if (rc != 0) rc = TPM_RC_ECC_POINT;
+    }
     if (rc == 0) {
         z1Sz = (word32)sizeof(z1Buf);
         rc = wc_ecc_shared_secret(privKeyA, peerPub, z1Buf, &z1Sz);
@@ -12000,6 +12049,10 @@ static TPM_RC FwCmd_ZGen_2Phase(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         rc = wc_ecc_import_unsigned(peerPub,
             inQeB.point.x.buffer, inQeB.point.y.buffer, NULL, wcCurve);
     }
+    if (rc == 0) {
+        rc = wc_ecc_check_key(peerPub);
+        if (rc != 0) rc = TPM_RC_ECC_POINT;
+    }
     if (rc == 0) {
         z2Sz = (word32)sizeof(z2Buf);
         rc = wc_ecc_shared_secret(privEph, peerPub, z2Buf, &z2Sz);
@@ -12030,6 +12083,9 @@ static TPM_RC FwCmd_ZGen_2Phase(FWTPM_CTX* ctx, TPM2_Packet* cmd,
     /* Cleanup */
     TPM2_ForceZero(z1Buf, sizeof(z1Buf));
     TPM2_ForceZero(z2Buf, sizeof(z2Buf));
+    /* Zero ephemeral key — it was consumed and must not be reused */
+    TPM2_ForceZero(ctx->ecEphemeralKey, sizeof(ctx->ecEphemeralKey));
+    ctx->ecEphemeralKeySz = 0;
     if (privAInit) wc_ecc_free(privKeyA);
     if (ephInit) wc_ecc_free(privEph);
     if (peerInit) wc_ecc_free(peerPub);
@@ -12929,12 +12985,17 @@ int FWTPM_ProcessCommand(FWTPM_CTX* ctx,
         *rspSize = rspPkt.pos;
     }
 
-    /* Deferred clear: flush transient objects after response auth is built.
-     * Sessions are NOT flushed here — the calling tool's ESYS layer flushes
-     * its own auth session handle after the command response, and flushing it
-     * early would cause TPM_RC_HANDLE (0x8B). Stale sessions from prior
-     * commands are naturally invalidated when their auth values change, and
-     * the session slots are reused on next StartAuthSession. */
+    /* Per TPM 2.0 spec Part 1 §19.6.4: flush sessions where the caller
+     * did NOT set the continueSession bit in the command attributes.
+     * This must happen AFTER the response auth area is built. */
+    for (pj = 0; pj < cmdAuthCnt; pj++) {
+        if (cmdAuths[pj].sess != NULL &&
+            !(cmdAuths[pj].attributes & TPMA_SESSION_continueSession)) {
+            FwFreeSession(cmdAuths[pj].sess);
+        }
+    }
+
+    /* Deferred clear: flush transient objects after response auth is built. */
     if (ctx->pendingClear) {
         int nvRc;
         ctx->pendingClear = 0;

src/fwtpm/fwtpm_crypto.c

@@ -552,7 +552,7 @@ TPM_RC FwDeriveEccPrimaryKey(TPMI_ALG_HASH nameAlg,
     word32 xSz, ySz;
     byte dBuf[MAX_ECC_BYTES];
     byte counterBuf[4];
-    UINT32 counter = 0;
+    UINT32 counter = 1;
     int kdfRet;
     int valid = 0;
     int i;
@@ -657,7 +657,7 @@ static TPM_RC FwDerivePrime(TPMI_ALG_HASH nameAlg,
     TPM_RC rc = TPM_RC_SUCCESS;
     byte primeBuf[256]; /* max RSA-4096 half = 256 bytes */
     byte counterBuf[4];
-    UINT32 counter = 0;
+    UINT32 counter = 1;
     int isPrime = 0;
     int kdfRet;
 
@@ -686,7 +686,8 @@ static TPM_RC FwDerivePrime(TPMI_ALG_HASH nameAlg,
             break;
         }
 
-        rc = mp_prime_is_prime_ex(outPrime, 8, &isPrime, rng);
+        /* FIPS 186-4 Table C.3: 28 rounds for RSA-2048 */
+        rc = mp_prime_is_prime_ex(outPrime, 28, &isPrime, rng);
         if (rc != 0) {
             rc = TPM_RC_FAILURE;
             break;
@@ -1886,7 +1887,9 @@ TPM_RC FwImportParseSensitive(
     if (rc == 0) {
         totalSensSize = FwLoadU16BE(plainSens + sp);
         sp += 2;
-        (void)totalSensSize;
+        if (totalSensSize + 2 > (UINT16)plainSensSz) {
+            return TPM_RC_SIZE;
+        }
         if (sp + 2 > plainSensSz) {
             rc = TPM_RC_FAILURE;
         }
@@ -1968,6 +1971,12 @@ TPM_RC FwImportReconstructKey(
 {
     TPM_RC rc = TPM_RC_SUCCESS;
 
+    /* Validate that sensitive type matches the public area type to prevent
+     * type confusion (e.g., ECC scalar used with RSA public params) */
+    if (sensType != objectPublic->publicArea.type) {
+        return TPM_RC_TYPE;
+    }
+
 #ifdef HAVE_ECC
     if (sensType == TPM_ALG_ECC && primeSz > 0) {
         FWTPM_DECLARE_VAR(eccKey, ecc_key);

src/tpm2_param_enc.c

@@ -229,6 +229,9 @@ TPM_RC TPM2_ParamEnc_CmdRequest(TPM2_AUTH_SESSION *session,
             session->nonceTPM.buffer, session->nonceTPM.size,
             paramData, paramSz, 1);
     }
+    else {
+        rc = TPM_RC_FAILURE;
+    }
 
     TPM2_ForceZero(keyBuf, sizeof(keyBuf));
     return rc;
@@ -275,6 +278,9 @@ TPM_RC TPM2_ParamDec_CmdResponse(TPM2_AUTH_SESSION *session,
             session->nonceCaller.buffer, session->nonceCaller.size,
             paramData, paramSz, 0);
     }
+    else {
+        rc = TPM_RC_FAILURE;
+    }
 
     TPM2_ForceZero(keyBuf, sizeof(keyBuf));
     return rc;

src/tpm2_swtpm.c

@@ -98,7 +98,7 @@ static TPM_RC SwTpmTransmit(TPM2_CTX* ctx, const void* buffer, ssize_t bufSz)
     const char* ptr;
     int remaining;
 
-    if (ctx == NULL || ctx->tcpCtx.fd < 0 || buffer == NULL) {
+    if (ctx == NULL || ctx->tcpCtx.fd < 0 || buffer == NULL || bufSz <= 0) {
         return BAD_FUNC_ARG;
     }