F-2987 - https://fenrir.wolfssl.com/finding/2987 - Fix ECC ECDAA scheme serialization missing count field, RSA RSAES spurious hashAlg, and TPM2_Sign ECDAA count

aidangarske · aidangarske · commit c02fb0da7239 · 2026-04-15T09:51:05.000-07:00
diff --git a/src/tpm2.c b/src/tpm2.c
@@ -3689,6 +3689,10 @@ TPM_RC TPM2_Sign(Sign_In* in, Sign_Out* out)
         TPM2_Packet_AppendU16(&packet, in->inScheme.scheme);
         if (in->inScheme.scheme != TPM_ALG_NULL) {
             TPM2_Packet_AppendU16(&packet, in->inScheme.details.any.hashAlg);
+            if (in->inScheme.scheme == TPM_ALG_ECDAA) {
+                TPM2_Packet_AppendU16(&packet,
+                    in->inScheme.details.ecdaa.count);
+            }
         }
 
         TPM2_Packet_AppendU16(&packet, in->validation.tag);
diff --git a/src/tpm2_packet.c b/src/tpm2_packet.c
@@ -519,26 +519,36 @@ void TPM2_Packet_ParseSymmetric(TPM2_Packet* packet, TPMT_SYM_DEF* symmetric)
 void TPM2_Packet_AppendEccScheme(TPM2_Packet* packet, TPMT_SIG_SCHEME* scheme)
 {
     TPM2_Packet_AppendU16(packet, scheme->scheme);
-    if (scheme->scheme != TPM_ALG_NULL)
+    if (scheme->scheme != TPM_ALG_NULL) {
         TPM2_Packet_AppendU16(packet, scheme->details.any.hashAlg);
+        if (scheme->scheme == TPM_ALG_ECDAA) {
+            TPM2_Packet_AppendU16(packet, scheme->details.ecdaa.count);
+        }
+    }
 }
 void TPM2_Packet_ParseEccScheme(TPM2_Packet* packet, TPMT_SIG_SCHEME* scheme)
 {
     TPM2_Packet_ParseU16(packet, &scheme->scheme);
-    if (scheme->scheme != TPM_ALG_NULL)
+    if (scheme->scheme != TPM_ALG_NULL) {
         TPM2_Packet_ParseU16(packet, &scheme->details.any.hashAlg);
+        if (scheme->scheme == TPM_ALG_ECDAA) {
+            TPM2_Packet_ParseU16(packet, &scheme->details.ecdaa.count);
+        }
+    }
 }
 
 void TPM2_Packet_AppendRsaScheme(TPM2_Packet* packet, TPMT_RSA_SCHEME* scheme)
 {
     TPM2_Packet_AppendU16(packet, scheme->scheme);
-    if (scheme->scheme != TPM_ALG_NULL)
+    if (scheme->scheme != TPM_ALG_NULL &&
+        scheme->scheme != TPM_ALG_RSAES)
         TPM2_Packet_AppendU16(packet, scheme->details.anySig.hashAlg);
 }
 void TPM2_Packet_ParseRsaScheme(TPM2_Packet* packet, TPMT_RSA_SCHEME* scheme)
 {
     TPM2_Packet_ParseU16(packet, &scheme->scheme);
-    if (scheme->scheme != TPM_ALG_NULL)
+    if (scheme->scheme != TPM_ALG_NULL &&
+        scheme->scheme != TPM_ALG_RSAES)
         TPM2_Packet_ParseU16(packet, &scheme->details.anySig.hashAlg);
 }
 
@@ -571,13 +581,15 @@ void TPM2_Packet_ParseKdfScheme(TPM2_Packet* packet, TPMT_KDF_SCHEME* scheme)
 void TPM2_Packet_AppendAsymScheme(TPM2_Packet* packet, TPMT_ASYM_SCHEME* scheme)
 {
     TPM2_Packet_AppendU16(packet, scheme->scheme);
-    if (scheme->scheme != TPM_ALG_NULL)
+    if (scheme->scheme != TPM_ALG_NULL &&
+        scheme->scheme != TPM_ALG_RSAES)
         TPM2_Packet_AppendU16(packet, scheme->details.anySig.hashAlg);
 }
 void TPM2_Packet_ParseAsymScheme(TPM2_Packet* packet, TPMT_ASYM_SCHEME* scheme)
 {
     TPM2_Packet_ParseU16(packet, &scheme->scheme);
-    if (scheme->scheme != TPM_ALG_NULL)
+    if (scheme->scheme != TPM_ALG_NULL &&
+        scheme->scheme != TPM_ALG_RSAES)
         TPM2_Packet_ParseU16(packet, &scheme->details.anySig.hashAlg);
 }
 
diff --git a/tests/unit_tests.c b/tests/unit_tests.c
@@ -1034,6 +1034,68 @@ static void test_wolfTPM2_ComputeName(void)
 }
 #endif
 
+/* Test ECC ECDAA scheme serialization roundtrip — verifies count field
+ * is preserved, and RSA RSAES scheme produces no spurious hashAlg */
+static void test_TPM2_SchemeSerialize(void)
+{
+    TPM2_Packet packet;
+    byte buf[256];
+    TPMT_SIG_SCHEME eccSchemeIn, eccSchemeOut;
+#ifndef NO_RSA
+    TPMT_RSA_SCHEME rsaSchemeIn, rsaSchemeOut;
+#endif
+
+    /* Test 1: ECDAA scheme roundtrip — count field must survive */
+    XMEMSET(&eccSchemeIn, 0, sizeof(eccSchemeIn));
+    eccSchemeIn.scheme = TPM_ALG_ECDAA;
+    eccSchemeIn.details.ecdaa.hashAlg = TPM_ALG_SHA256;
+    eccSchemeIn.details.ecdaa.count = 5;
+
+    XMEMSET(buf, 0, sizeof(buf));
+    XMEMSET(&packet, 0, sizeof(packet));
+    packet.buf = buf;
+    packet.size = sizeof(buf);
+
+    TPM2_Packet_AppendEccScheme(&packet, &eccSchemeIn);
+
+    /* For ECDAA: scheme(2) + hashAlg(2) + count(2) = 6 bytes */
+    AssertIntEQ(packet.pos, 6);
+
+    /* Parse back */
+    packet.pos = 0;
+    XMEMSET(&eccSchemeOut, 0, sizeof(eccSchemeOut));
+    TPM2_Packet_ParseEccScheme(&packet, &eccSchemeOut);
+
+    AssertIntEQ(eccSchemeOut.scheme, TPM_ALG_ECDAA);
+    AssertIntEQ(eccSchemeOut.details.ecdaa.hashAlg, TPM_ALG_SHA256);
+    AssertIntEQ(eccSchemeOut.details.ecdaa.count, 5);
+
+#ifndef NO_RSA
+    /* Test 2: RSAES scheme roundtrip — no hashAlg field (TPMS_EMPTY) */
+    XMEMSET(&rsaSchemeIn, 0, sizeof(rsaSchemeIn));
+    rsaSchemeIn.scheme = TPM_ALG_RSAES;
+
+    XMEMSET(buf, 0, sizeof(buf));
+    XMEMSET(&packet, 0, sizeof(packet));
+    packet.buf = buf;
+    packet.size = sizeof(buf);
+
+    TPM2_Packet_AppendRsaScheme(&packet, &rsaSchemeIn);
+
+    /* For RSAES: scheme(2) only, no hashAlg */
+    AssertIntEQ(packet.pos, 2);
+
+    /* Parse back */
+    packet.pos = 0;
+    XMEMSET(&rsaSchemeOut, 0, sizeof(rsaSchemeOut));
+    TPM2_Packet_ParseRsaScheme(&packet, &rsaSchemeOut);
+
+    AssertIntEQ(rsaSchemeOut.scheme, TPM_ALG_RSAES);
+#endif
+
+    printf("Test TPM Wrapper:\tSchemeSerialize:\t\tPassed\n");
+}
+
 static void test_GetAlgId(void)
 {
     TPM_ALG_ID alg = TPM2_GetAlgId("SHA256");
@@ -1780,6 +1842,7 @@ int unit_tests(int argc, char *argv[])
     test_TPM2_KDFe();
     test_wolfTPM2_ComputeName();
     #endif
+    test_TPM2_SchemeSerialize();
     test_GetAlgId();
     test_wolfTPM2_ReadPublicKey();
     test_wolfTPM2_CSR();
diff --git a/wolftpm/tpm2_packet.h b/wolftpm/tpm2_packet.h
@@ -155,10 +155,10 @@ WOLFTPM_LOCAL void TPM2_Packet_AppendPCR(TPM2_Packet* packet, TPML_PCR_SELECTION
 WOLFTPM_LOCAL void TPM2_Packet_ParsePCR(TPM2_Packet* packet, TPML_PCR_SELECTION* pcr);
 WOLFTPM_LOCAL void TPM2_Packet_AppendSymmetric(TPM2_Packet* packet, TPMT_SYM_DEF* symmetric);
 WOLFTPM_LOCAL void TPM2_Packet_ParseSymmetric(TPM2_Packet* packet, TPMT_SYM_DEF* symmetric);
-WOLFTPM_LOCAL void TPM2_Packet_AppendEccScheme(TPM2_Packet* packet, TPMT_SIG_SCHEME* scheme);
-WOLFTPM_LOCAL void TPM2_Packet_ParseEccScheme(TPM2_Packet* packet, TPMT_SIG_SCHEME* scheme);
-WOLFTPM_LOCAL void TPM2_Packet_AppendRsaScheme(TPM2_Packet* packet, TPMT_RSA_SCHEME* scheme);
-WOLFTPM_LOCAL void TPM2_Packet_ParseRsaScheme(TPM2_Packet* packet, TPMT_RSA_SCHEME* scheme);
+WOLFTPM_TEST_API void TPM2_Packet_AppendEccScheme(TPM2_Packet* packet, TPMT_SIG_SCHEME* scheme);
+WOLFTPM_TEST_API void TPM2_Packet_ParseEccScheme(TPM2_Packet* packet, TPMT_SIG_SCHEME* scheme);
+WOLFTPM_TEST_API void TPM2_Packet_AppendRsaScheme(TPM2_Packet* packet, TPMT_RSA_SCHEME* scheme);
+WOLFTPM_TEST_API void TPM2_Packet_ParseRsaScheme(TPM2_Packet* packet, TPMT_RSA_SCHEME* scheme);
 WOLFTPM_LOCAL void TPM2_Packet_AppendKeyedHashScheme(TPM2_Packet* packet, TPMT_KEYEDHASH_SCHEME* scheme);
 WOLFTPM_LOCAL void TPM2_Packet_ParseKeyedHashScheme(TPM2_Packet* packet, TPMT_KEYEDHASH_SCHEME* scheme);
 WOLFTPM_LOCAL void TPM2_Packet_AppendKdfScheme(TPM2_Packet* packet, TPMT_KDF_SCHEME* scheme);

Original file line number	Diff line number	Diff line change
`@@ -519,26 +519,36 @@ void TPM2_Packet_ParseSymmetric(TPM2_Packet* packet, TPMT_SYM_DEF* symmetric)`
`519`	`519`	`void TPM2_Packet_AppendEccScheme(TPM2_Packet* packet, TPMT_SIG_SCHEME* scheme)`
`520`	`520`	`{`
`521`	`521`	`TPM2_Packet_AppendU16(packet, scheme->scheme);`
`522`		`- if (scheme->scheme != TPM_ALG_NULL)`
	`522`	`+ if (scheme->scheme != TPM_ALG_NULL) {`
`523`	`523`	`TPM2_Packet_AppendU16(packet, scheme->details.any.hashAlg);`
	`524`	`+ if (scheme->scheme == TPM_ALG_ECDAA) {`
	`525`	`+ TPM2_Packet_AppendU16(packet, scheme->details.ecdaa.count);`
	`526`	`+ }`
	`527`	`+ }`
`524`	`528`	`}`
`525`	`529`	`void TPM2_Packet_ParseEccScheme(TPM2_Packet* packet, TPMT_SIG_SCHEME* scheme)`
`526`	`530`	`{`
`527`	`531`	`TPM2_Packet_ParseU16(packet, &scheme->scheme);`
`528`		`- if (scheme->scheme != TPM_ALG_NULL)`
	`532`	`+ if (scheme->scheme != TPM_ALG_NULL) {`
`529`	`533`	`TPM2_Packet_ParseU16(packet, &scheme->details.any.hashAlg);`
	`534`	`+ if (scheme->scheme == TPM_ALG_ECDAA) {`
	`535`	`+ TPM2_Packet_ParseU16(packet, &scheme->details.ecdaa.count);`
	`536`	`+ }`
	`537`	`+ }`
`530`	`538`	`}`
`531`	`539`
`532`	`540`	`void TPM2_Packet_AppendRsaScheme(TPM2_Packet* packet, TPMT_RSA_SCHEME* scheme)`
`533`	`541`	`{`
`534`	`542`	`TPM2_Packet_AppendU16(packet, scheme->scheme);`
`535`		`- if (scheme->scheme != TPM_ALG_NULL)`
	`543`	`+ if (scheme->scheme != TPM_ALG_NULL &&`
	`544`	`+ scheme->scheme != TPM_ALG_RSAES)`
`536`	`545`	`TPM2_Packet_AppendU16(packet, scheme->details.anySig.hashAlg);`
`537`	`546`	`}`
`538`	`547`	`void TPM2_Packet_ParseRsaScheme(TPM2_Packet* packet, TPMT_RSA_SCHEME* scheme)`
`539`	`548`	`{`
`540`	`549`	`TPM2_Packet_ParseU16(packet, &scheme->scheme);`
`541`		`- if (scheme->scheme != TPM_ALG_NULL)`
	`550`	`+ if (scheme->scheme != TPM_ALG_NULL &&`
	`551`	`+ scheme->scheme != TPM_ALG_RSAES)`
`542`	`552`	`TPM2_Packet_ParseU16(packet, &scheme->details.anySig.hashAlg);`
`543`	`553`	`}`
`544`	`554`
`@@ -571,13 +581,15 @@ void TPM2_Packet_ParseKdfScheme(TPM2_Packet* packet, TPMT_KDF_SCHEME* scheme)`
`571`	`581`	`void TPM2_Packet_AppendAsymScheme(TPM2_Packet* packet, TPMT_ASYM_SCHEME* scheme)`
`572`	`582`	`{`
`573`	`583`	`TPM2_Packet_AppendU16(packet, scheme->scheme);`
`574`		`- if (scheme->scheme != TPM_ALG_NULL)`
	`584`	`+ if (scheme->scheme != TPM_ALG_NULL &&`
	`585`	`+ scheme->scheme != TPM_ALG_RSAES)`
`575`	`586`	`TPM2_Packet_AppendU16(packet, scheme->details.anySig.hashAlg);`
`576`	`587`	`}`
`577`	`588`	`void TPM2_Packet_ParseAsymScheme(TPM2_Packet* packet, TPMT_ASYM_SCHEME* scheme)`
`578`	`589`	`{`
`579`	`590`	`TPM2_Packet_ParseU16(packet, &scheme->scheme);`
`580`		`- if (scheme->scheme != TPM_ALG_NULL)`
	`591`	`+ if (scheme->scheme != TPM_ALG_NULL &&`
	`592`	`+ scheme->scheme != TPM_ALG_RSAES)`
`581`	`593`	`TPM2_Packet_ParseU16(packet, &scheme->details.anySig.hashAlg);`
`582`	`594`	`}`
`583`	`595`