More CI and peer review fixes

Author: dgarske

CMakeLists.txt

@@ -562,7 +562,7 @@ if(WOLFTPM_FWTPM)
     enable_testing()
     add_test(NAME fwtpm_unit_test
         COMMAND fwtpm_unit_test
-        WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+        WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
     )
 
     message(STATUS "fwTPM server: enabled")

src/tpm2_packet.c

@@ -591,8 +591,12 @@ void TPM2_Packet_ParsePCR(TPM2_Packet* packet, TPML_PCR_SELECTION* pcr)
         }
     }
     /* Skip remaining wire entries beyond the capped loop so packet->pos
-     * stays synchronized with the wire format for subsequent parsing */
+     * stays synchronized with the wire format for subsequent parsing.
+     * Break when the packet is exhausted to avoid spinning on an
+     * attacker-controlled wireCount (same threat as the first loop). */
     for (; i < (int)wireCount; i++) {
+        if (packet == NULL || packet->pos >= packet->size)
+            break;
         TPM2_Packet_ParseU16(packet, &hash);
         TPM2_Packet_ParseU8(packet, &wireSizeofSelect);
         TPM2_Packet_ParseBytes(packet, NULL, wireSizeofSelect);

src/tpm2_wrap.c

@@ -1763,7 +1763,7 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
                 handle->auth.size);
             session->name.size = handle->name.size;
             if (session->name.size > sizeof(session->name.name)) {
-                session->name.size = sizeof(session->name.name); /* truncate */
+                return BUFFER_E;
             }
             XMEMCPY(session->name.name, handle->name.name, session->name.size);
             return TPM_RC_SUCCESS;
@@ -1824,7 +1824,7 @@ int wolfTPM2_SetAuthHandleName(WOLFTPM2_DEV* dev, int index,
     }
     session->name.size = name->size;
     if (session->name.size > sizeof(session->name.name)) {
-        session->name.size = sizeof(session->name.name); /* truncate */
+        return BUFFER_E;
     }
     XMEMCPY(session->name.name, name->name, session->name.size);
 
@@ -2229,7 +2229,9 @@ static int wolfTPM2_EncryptSecret_RSA(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* tpm
     }
 
     wc_FreeRsaKey(&rsaKey);
+    TPM2_ForceZero(&rsaKey, sizeof(rsaKey));
     wc_FreeRng(&rng);
+    TPM2_ForceZero(&rng, sizeof(rng));
 
     if (rc > 0) {
         rc = (rc == secret->size) ? 0 /* success */ : BUFFER_E /* fail */;
@@ -9677,11 +9679,12 @@ int wolfTPM2_FirmwareUpgradeHash(WOLFTPM2_DEV* dev, TPM_ALG_ID hashAlg,
     return TPM_RC_COMMAND_CODE;
 }
 
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFSSL_SHA384)
+#ifndef WOLFTPM2_NO_WOLFCRYPT
 int wolfTPM2_FirmwareUpgrade(WOLFTPM2_DEV* dev,
     uint8_t* manifest, uint32_t manifest_sz,
     wolfTPM2FwDataCb cb, void* cb_ctx)
 {
+#ifdef WOLFSSL_SHA384
     int rc;
     uint8_t manifest_hash[TPM_SHA384_DIGEST_SIZE];
 
@@ -9693,6 +9696,11 @@ int wolfTPM2_FirmwareUpgrade(WOLFTPM2_DEV* dev,
             manifest, manifest_sz, cb, cb_ctx);
     }
     return rc;
+#else
+    (void)dev; (void)manifest; (void)manifest_sz;
+    (void)cb; (void)cb_ctx;
+    return NOT_COMPILED_IN;
+#endif
 }
 #endif
 

tests/fwtpm_check.sh

@@ -103,10 +103,10 @@ check_wolfssl_options() {
     local opts_file
     opts_file=$(find_wolfssl_options "$base")
     [ -n "$opts_file" ] || return 1
-    grep -q "HAVE_PK_CALLBACKS" "$opts_file" && \
-    grep -q "WOLFSSL_KEY_GEN" "$opts_file" && \
-    grep -q "WOLFSSL_PUBLIC_MP" "$opts_file" && \
-    grep -q "WC_RSA_NO_PADDING" "$opts_file"
+    grep -q "^#define HAVE_PK_CALLBACKS" "$opts_file" && \
+    grep -q "^#define WOLFSSL_KEY_GEN" "$opts_file" && \
+    grep -q "^#define WOLFSSL_PUBLIC_MP" "$opts_file" && \
+    grep -q "^#define WC_RSA_NO_PADDING" "$opts_file"
 }
 
 ensure_wolfssl() {
@@ -171,13 +171,13 @@ IS_FWTPM_MODE=0
 HAS_GETENV=1
 WOLFTPM_OPTIONS="$BUILD_DIR/wolftpm/options.h"
 if [ -f "$WOLFTPM_OPTIONS" ]; then
-    if grep -q "WOLFTPM_SWTPM" "$WOLFTPM_OPTIONS"; then
+    if grep -q "^#define WOLFTPM_SWTPM" "$WOLFTPM_OPTIONS"; then
         IS_SWTPM_MODE=1
     fi
-    if grep -q "WOLFTPM_FWTPM_BUILD" "$WOLFTPM_OPTIONS"; then
+    if grep -q "^#define WOLFTPM_FWTPM_BUILD" "$WOLFTPM_OPTIONS"; then
         IS_FWTPM_MODE=1
     fi
-    if grep -q "NO_GETENV" "$WOLFTPM_OPTIONS"; then
+    if grep -q "^#define NO_GETENV" "$WOLFTPM_OPTIONS"; then
         HAS_GETENV=0
     fi
 fi
@@ -213,7 +213,7 @@ fi
 HAS_RSA_NO_PAD=0
 for chk_path in "$WOLFSSL_PATH" "/usr/local"; do
     opts=$(find_wolfssl_options "$chk_path" 2>/dev/null)
-    if [ -n "$opts" ] && grep -q "WC_RSA_NO_PADDING" "$opts" 2>/dev/null; then
+    if [ -n "$opts" ] && grep -q "^#define WC_RSA_NO_PADDING" "$opts" 2>/dev/null; then
         HAS_RSA_NO_PAD=1
         break
     fi
@@ -236,7 +236,7 @@ NO_PUBASPRIV=${NO_PUBASPRIV:-0}
 WOLFCRYPT_DEFAULT=${WOLFCRYPT_DEFAULT:-0}
 
 # Detect from wolftpm/options.h
-if [ -f "$WOLFTPM_OPTIONS" ] && grep -q "WOLFTPM2_NO_WOLFCRYPT" "$WOLFTPM_OPTIONS"; then
+if [ -f "$WOLFTPM_OPTIONS" ] && grep -q "^#define WOLFTPM2_NO_WOLFCRYPT" "$WOLFTPM_OPTIONS"; then
     WOLFCRYPT_ENABLE=0
 fi
 
@@ -249,11 +249,11 @@ for chk in /usr/local "$WOLFSSL_PATH"; do
 done
 
 if [ -n "$WOLFSSL_OPTS" ]; then
-    grep -q "NO_RSA" "$WOLFSSL_OPTS" && WOLFCRYPT_RSA=0
-    grep -q "HAVE_ECC" "$WOLFSSL_OPTS" || WOLFCRYPT_ECC=0
-    grep -q "NO_FILESYSTEM" "$WOLFSSL_OPTS" && NO_FILESYSTEM=1
-    grep -q "WOLFSSL_PUBLIC_ASN_PRIV_KEY" "$WOLFSSL_OPTS" || NO_PUBASPRIV=1
-    grep -q "WOLFSSL_AES_CFB" "$WOLFSSL_OPTS" || WOLFCRYPT_DEFAULT=1
+    grep -q "^#define NO_RSA" "$WOLFSSL_OPTS" && WOLFCRYPT_RSA=0
+    grep -q "^#define HAVE_ECC" "$WOLFSSL_OPTS" || WOLFCRYPT_ECC=0
+    grep -q "^#define NO_FILESYSTEM" "$WOLFSSL_OPTS" && NO_FILESYSTEM=1
+    grep -q "^#define WOLFSSL_PUBLIC_ASN_PRIV_KEY" "$WOLFSSL_OPTS" || NO_PUBASPRIV=1
+    grep -q "^#define WOLFSSL_AES_CFB" "$WOLFSSL_OPTS" || WOLFCRYPT_DEFAULT=1
 fi
 
 # --- Determine port and start/detect server ---