Merge pull request #473 from aidangarske/fix-tls-ecdh-curve-mismatch

aidangarske · web-flow · commit b8ad8f7cca89 · 2026-03-21T13:42:57.000-07:00
Fix tls ecdh curve mismatch (wolfTPM build test CI failures)
diff --git a/examples/run_examples.sh b/examples/run_examples.sh
@@ -410,7 +410,7 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs] [tlsversi
     generate_port
     pushd $WOLFSSL_PATH >> $TPMPWD/run.out 2>&1
     echo -e "./examples/server/server -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem"
-    ./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem >> $TPMPWD/run.out 2>&1 &
+    ./examples/server/server -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem >> $TPMPWD/run.out 2>&1 &
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
     popd >> $TPMPWD/run.out 2>&1
@@ -431,10 +431,10 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs] [tlsversi
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tpm tls server $1 $2 failed! $RESULT" && exit 1
     pushd $WOLFSSL_PATH >> $TPMPWD/run.out 2>&1
-    sleep 0.1
+    sleep 1
 
     echo -e "./examples/client/client -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem $4"
-    ./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem $4 >> $TPMPWD/run.out 2>&1
+    ./examples/client/client -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem $4 >> $TPMPWD/run.out 2>&1
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1
     popd >> $TPMPWD/run.out 2>&1
diff --git a/src/tpm2_cryptocb.c b/src/tpm2_cryptocb.c
@@ -268,8 +268,22 @@ int wolfTPM2_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx)
             }
         #ifndef WOLFTPM2_USE_SW_ECDHE
             else {
-                /* Generate ephemeral key - if one isn't already created */
+                /* Generate ephemeral key - if one isn't already created
+                 * or if the curve has changed (e.g. TLS 1.3 key share
+                 * negotiation may generate a key for one curve, then
+                 * fall back to a different curve) */
                 key = tlsCtx->ecdhKey;
+                if (key->handle.hndl != 0 &&
+                    key->handle.hndl != TPM_RH_NULL &&
+                    (int)key->pub.publicArea.parameters.eccDetail.curveID
+                        != curve_id) {
+                    /* curve changed, release old key */
+                    rc = wolfTPM2_UnloadHandle(tlsCtx->dev,
+                        &key->handle);
+                    if (rc != 0) {
+                        return rc;
+                    }
+                }
                 if (key->handle.hndl == 0 ||
                     key->handle.hndl == TPM_RH_NULL) {
                     rc = wolfTPM2_ECDHGenKey(tlsCtx->dev, tlsCtx->ecdhKey,
