Hardening fixes for examples, fwTPM command handlers, and crypto helpers

examples/attestation/make_credential.c

@@ -133,7 +133,7 @@ int TPM2_MakeCredential_Example(void* userCtx, int argc, char *argv[])
     if (rc != TPM_RC_SUCCESS) {
         printf("TPM2_LoadExternal: failed %d: %s\n", rc,
             wolfTPM2_GetRCString(rc));
-        return rc;
+        goto exit;
     }
     printf("Public key for encryption loaded\n");
     handle.hndl = loadExtOut.objectHandle;

examples/boot/secret_unseal.c

@@ -167,6 +167,12 @@ int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[])
                 usage();
                 return 0;
             }
+            if (pcrArraySz >= sizeof(pcrArray) / sizeof(pcrArray[0])) {
+                printf("Too many -pcr= arguments (max %zu)\n",
+                    sizeof(pcrArray) / sizeof(pcrArray[0]));
+                usage();
+                return 0;
+            }
             pcrArray[pcrArraySz] = pcrIndex;
             pcrArraySz++;
         }

examples/firmware/ifx_fw_extract.c

@@ -129,16 +129,20 @@ static int extractFW(
 
     READ_BE16(size16, fw, fw_size, offset);
     offset += size16 + 1;
+    if (offset > fw_size) { LOG("FW file too short"); return -1; }
 
     READ_BE16(size16, fw, fw_size, offset);
     offset += size16;
+    if (offset > fw_size) { LOG("FW file too short"); return -1; }
 
     READ_BE16(size16, fw, fw_size, offset);
     offset2 = offset;
     offset += size16;
+    if (offset > fw_size) { LOG("FW file too short"); return -1; }
 
     READ_BE16(size16, fw, offset, offset2);
     offset2 += size16;
+    if (offset2 > offset) { LOG("Bad manifest header size"); return -1; }
 
     READ_BE16(num, fw, offset, offset2);
 
@@ -149,6 +153,10 @@ static int extractFW(
 
         READ_BE16(size16, fw, offset, offset2);
 
+        if ((size_t)offset2 + size16 > offset) {
+            LOG("Bad manifest entry size");
+            return -1;
+        }
         if (group == keygroup_id) {
             printf("Chosen group found: %08x\n", group);
             *manifest = &fw[offset2];

examples/keygen/external_import.c

@@ -127,12 +127,19 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
         argc--;
     }
 
+    XMEMSET(&dev, 0, sizeof(dev));
+    XMEMSET(&storage, 0, sizeof(storage));
+    primary = &storage;
+
 #ifndef WOLFTPM2_NO_HEAP
     key2 = wolfTPM2_NewKeyBlob();
     rsaKey3 = wolfTPM2_NewKeyBlob();
+    if (key2 == NULL || rsaKey3 == NULL) {
+        printf("wolfTPM2_NewKeyBlob allocation failed\n");
+        rc = MEMORY_E;
+        goto exit;
+    }
 #endif
-    XMEMSET(&storage, 0, sizeof(storage));
-    primary = &storage;
 
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, NULL);
     if (rc != TPM_RC_SUCCESS) {
@@ -237,8 +244,15 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
     }
 
 exit:
+#ifndef WOLFTPM2_NO_HEAP
+    if (rsaKey3 != NULL)
+        wolfTPM2_UnloadHandle(&dev, &rsaKey3->handle);
+    if (key2 != NULL)
+        wolfTPM2_UnloadHandle(&dev, &key2->handle);
+#else
     wolfTPM2_UnloadHandle(&dev, &rsaKey3->handle);
     wolfTPM2_UnloadHandle(&dev, &key2->handle);
+#endif
     wolfTPM2_UnloadHandle(&dev, &primary->handle);
 
 #ifndef WOLFTPM2_NO_HEAP

examples/keygen/keygen.c

@@ -286,6 +286,12 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         }
         else if (XSTRNCMP(argv[argc-1], "-auth=", XSTRLEN("-auth=")) == 0) {
             authStr = argv[argc-1] + XSTRLEN("-auth=");
+            if (XSTRLEN(authStr) > sizeof(auth.buffer)) {
+                printf("-auth value too long (max %zu)\n",
+                    sizeof(auth.buffer));
+                usage();
+                return 0;
+            }
         }
         else if (argv[argc-1][0] != '-') {
             outputFile = argv[argc-1];

examples/keygen/keyimport.c

@@ -191,7 +191,15 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
 
     /* setup an auth value */
     if (password != NULL) {
-        impKey.handle.auth.size = (int)XSTRLEN(password);
+        size_t pwLen;
+        pwLen = XSTRLEN(password);
+        if (pwLen > sizeof(impKey.handle.auth.buffer)) {
+            printf("-password too long (max %zu)\n",
+                sizeof(impKey.handle.auth.buffer));
+            rc = BUFFER_E;
+            goto exit;
+        }
+        impKey.handle.auth.size = (UINT16)pwLen;
         XMEMCPY(impKey.handle.auth.buffer, password, impKey.handle.auth.size);
     }
 

examples/native/native_test.c

@@ -1232,7 +1232,7 @@ int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[])
     if (rc != TPM_RC_SUCCESS) {
         printf("TPM2_ObjectChangeAuth failed 0x%x: %s\n", rc,
             TPM2_GetRCString(rc));
-        //goto exit;
+        goto exit;
     }
     hmacKey.priv = cmdOut.objChgAuth.outPrivate;
     printf("TPM2_ObjectChangeAuth: private %d\n", hmacKey.priv.size);

examples/nvram/seal_nv.c

@@ -196,7 +196,15 @@ int TPM2_NVRAM_SealNV_Example(void* userCtx, int argc, char *argv[])
     /* Set owner auth */
     parent.hndl = TPM_RH_OWNER;
     if (XSTRLEN(ownerAuth) > 0) {
-        parent.auth.size = (int)XSTRLEN(ownerAuth);
+        size_t authLen;
+        authLen = XSTRLEN(ownerAuth);
+        if (authLen > sizeof(parent.auth.buffer)) {
+            fprintf(stderr, "-ownerauth value too long (max %zu)\n",
+                sizeof(parent.auth.buffer));
+            rc = BUFFER_E;
+            goto exit;
+        }
+        parent.auth.size = (UINT16)authLen;
         XMEMCPY(parent.auth.buffer, ownerAuth, parent.auth.size);
     }
 

examples/pcr/policy_sign.c

@@ -274,6 +274,12 @@ int TPM2_PCR_PolicySign_Example(void* userCtx, int argc, char *argv[])
                 usage();
                 return 0;
             }
+            if (pcrArraySz >= sizeof(pcrArray) / sizeof(pcrArray[0])) {
+                printf("Too many -pcr= arguments (max %zu)\n",
+                    sizeof(pcrArray) / sizeof(pcrArray[0]));
+                usage();
+                return 0;
+            }
             pcrArray[pcrArraySz] = pcrIndex;
             pcrArraySz++;
         }

examples/tls/tls_client_notpm.c

@@ -131,13 +131,15 @@ int TLS_ClientArgs(int argc, char *argv[])
                 ca_cert_der_2048, sizeof_ca_cert_der_2048,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
             printf("Error loading ca_cert_der_2048 DER cert\n");
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
     #elif defined(HAVE_ECC)
         if (wolfSSL_CTX_load_verify_buffer(ctx,
                 ca_ecc_cert_der_256, sizeof_ca_ecc_cert_der_256,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
             printf("Error loading ca_ecc_cert_der_256 DER cert\n");
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
     #endif
@@ -149,22 +151,26 @@ int TLS_ClientArgs(int argc, char *argv[])
         if (wolfSSL_CTX_use_certificate_buffer(ctx,
                 client_cert_der_2048, sizeof_client_cert_der_2048,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
         if (wolfSSL_CTX_use_PrivateKey_buffer(ctx,
                 client_key_der_2048, sizeof_client_key_der_2048,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
     #elif defined(HAVE_ECC)
         if (wolfSSL_CTX_use_certificate_buffer(ctx,
                 cliecc_cert_der_256, sizeof_cliecc_cert_der_256,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
         if (wolfSSL_CTX_use_PrivateKey_buffer(ctx,
                 ecc_clikey_der_256, sizeof_ecc_clikey_der_256,
                 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+            rc = WOLFSSL_FATAL_ERROR;
             goto exit;
         }
     #endif

src/fwtpm/fwtpm_command.c

@@ -4630,6 +4630,7 @@ static TPM_RC FwCmd_LoadExternal(FWTPM_CTX* ctx, TPM2_Packet* cmd,
     FWTPM_FREE_BUF(qBuf);
     TPM2_ForceZero(privKeyDer, FWTPM_MAX_PRIVKEY_DER);
     FWTPM_FREE_BUF(privKeyDer);
+    TPM2_ForceZero(&authValue, sizeof(authValue));
     return rc;
 }
 
@@ -5024,6 +5025,8 @@ static TPM_RC FwCmd_Import(FWTPM_CTX* ctx, TPM2_Packet* cmd,
     TPM2_ForceZero(seedBuf, sizeof(seedBuf));
     TPM2_ForceZero(aesKey, sizeof(aesKey));
     TPM2_ForceZero(hmacKeyBuf, sizeof(hmacKeyBuf));
+    TPM2_ForceZero(encKeyBuf, sizeof(encKeyBuf));
+    TPM2_ForceZero(&importedAuth, sizeof(importedAuth));
     FWTPM_FREE_BUF(dupBuf);
     FWTPM_FREE_BUF(symSeedBuf);
     TPM2_ForceZero(privKeyDer, FWTPM_MAX_PRIVKEY_DER);
@@ -6087,6 +6090,16 @@ static TPM_RC FwCmd_Sign(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         if (!(obj->pub.objectAttributes & TPMA_OBJECT_sign))
             rc = TPM_RC_KEY;
     }
+    /* Part 3 Sec.20.5.1: keyHandle MUST NOT have x509sign SET on
+     * TPM2_Sign; that attribute restricts the key to X.509-cert signing
+     * via the dedicated commands. Reject with TPM_RC_ATTRIBUTES to match
+     * the gate already present in FwCmd_SignDigest and
+     * FwCmd_SignSequenceComplete. The attribute itself is v1.85-only. */
+#ifdef WOLFTPM_V185
+    if (rc == 0 && (obj->pub.objectAttributes & TPMA_OBJECT_x509sign)) {
+        rc = TPM_RC_ATTRIBUTES;
+    }
+#endif
 
     /* Skip auth area */
     if (rc == 0 && cmdTag == TPM_ST_SESSIONS) {
@@ -6185,14 +6198,20 @@ static TPM_RC FwCmd_Sign(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         }
     }
     if (rc == 0 && ticketSupplied) {
-        rc = FwComputeTicketHmac(ctx, ticketHier, obj->pub.nameAlg,
+        int hmacRc;
+        UINT16 sizeMismatch;
+        word32 cmpLen;
+        int diff;
+        hmacRc = FwComputeTicketHmac(ctx, ticketHier, obj->pub.nameAlg,
             TPM_ST_HASHCHECK,
             digest.buffer, digest.size,
             NULL, 0,
             expectedHmac, &expectedSz);
-        if (rc != 0 || vdSz != (UINT16)expectedSz ||
-                TPM2_ConstantCompare(ticketDigest, expectedHmac,
-                    (word32)expectedSz) != 0) {
+        sizeMismatch = (vdSz != (UINT16)expectedSz);
+        cmpLen = (vdSz < (UINT16)expectedSz) ?
+            (word32)vdSz : (word32)expectedSz;
+        diff = TPM2_ConstantCompare(ticketDigest, expectedHmac, cmpLen);
+        if (hmacRc != 0 || (sizeMismatch | (UINT16)(diff != 0))) {
             rc = TPM_RC_TICKET;
         }
         TPM2_ForceZero(expectedHmac, sizeof(expectedHmac));
@@ -10752,6 +10771,10 @@ static TPM_RC FwCmd_NV_Write(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         FwRspNoParams(rsp, cmdTag);
     }
 
+#ifdef WOLFTPM_SMALL_STACK
+    if (dataBuf != NULL)
+#endif
+        TPM2_ForceZero(dataBuf, FWTPM_MAX_NV_DATA);
     FWTPM_FREE_BUF(dataBuf);
     return rc;
 }
@@ -11997,14 +12020,22 @@ static TPM_RC FwCmd_CertifyCreation(FWTPM_CTX* ctx, TPM2_Packet* cmd,
                 objToSign->name.size);
             ticketDataSz += objToSign->name.size;
 
-            if (FwComputeTicketHmac(ctx, hier, objToSign->pub.nameAlg,
-                    TPM_ST_CREATION,
-                    ticketData, ticketDataSz,
-                    NULL, 0,
-                    expectedHmac, &expectedSz) != 0 ||
-                tickDSz != (UINT16)expectedSz ||
-                TPM2_ConstantCompare(ticketDigest, expectedHmac,
-                    (word32)expectedSz) != 0) {
+            int hmacRc;
+            UINT16 sizeMismatch;
+            word32 cmpLen;
+            int diff;
+            hmacRc = FwComputeTicketHmac(ctx, hier,
+                objToSign->pub.nameAlg,
+                TPM_ST_CREATION,
+                ticketData, ticketDataSz,
+                NULL, 0,
+                expectedHmac, &expectedSz);
+            sizeMismatch = (tickDSz != (UINT16)expectedSz);
+            cmpLen = (tickDSz < (UINT16)expectedSz) ?
+                (word32)tickDSz : (word32)expectedSz;
+            diff = TPM2_ConstantCompare(ticketDigest, expectedHmac,
+                cmpLen);
+            if (hmacRc != 0 || (sizeMismatch | (UINT16)(diff != 0))) {
                 rc = TPM_RC_TICKET;
             }
             TPM2_ForceZero(expectedHmac, sizeof(expectedHmac));

src/fwtpm/fwtpm_crypto.c

@@ -1209,13 +1209,15 @@ TPM_RC FwEncapsulateEcdhDhkem(WC_RNG* rng,
         if (wc_ecc_shared_secret(ephKey, recipKey, dh, &dhSz) != 0)
             rc = TPM_RC_FAILURE;
     }
-    /* RFC 9180 Sec.7: left-pad X to Nsk for HPKE peer interop. */
+    /* RFC 9180 Sec.7: left-pad X to Nsk for HPKE peer interop. The
+     * dhSz <= nSk guard prevents a defensive truncation if
+     * wc_ecc_shared_secret ever returned more bytes than the curve size. */
     if (rc == 0) {
         int nSk = wc_ecc_get_curve_size_from_id(wcCurve);
-        if (nSk > 0 && (word32)nSk > dhSz &&
-                (word32)nSk <= sizeof(dh)) {
-            XMEMMOVE(dh + (nSk - dhSz), dh, dhSz);
-            XMEMSET(dh, 0, nSk - dhSz);
+        if (nSk > 0 && (word32)nSk <= sizeof(dh) && dhSz <= (word32)nSk) {
+            word32 padLen = (word32)nSk - dhSz;
+            XMEMMOVE(dh + padLen, dh, dhSz);
+            XMEMSET(dh, 0, padLen);
             dhSz = (word32)nSk;
         }
     }
@@ -1317,13 +1319,15 @@ TPM_RC FwDecapsulateEcdhDhkem(WC_RNG* rng, const FWTPM_Object* recipObj,
         if (wc_ecc_shared_secret(recipKey, ephKey, dh, &dhSz) != 0)
             rc = TPM_RC_FAILURE;
     }
-    /* Left-pad X to Nsk per RFC 9180 Sec.7 (mirrors Encap). */
+    /* Left-pad X to Nsk per RFC 9180 Sec.7 (mirrors Encap). The
+     * dhSz <= nSk guard prevents a defensive truncation if
+     * wc_ecc_shared_secret ever returned more bytes than the curve size. */
     if (rc == 0) {
         int nSk = wc_ecc_get_curve_size_from_id(wcCurve);
-        if (nSk > 0 && (word32)nSk > dhSz &&
-                (word32)nSk <= sizeof(dh)) {
-            XMEMMOVE(dh + (nSk - dhSz), dh, dhSz);
-            XMEMSET(dh, 0, nSk - dhSz);
+        if (nSk > 0 && (word32)nSk <= sizeof(dh) && dhSz <= (word32)nSk) {
+            word32 padLen = (word32)nSk - dhSz;
+            XMEMMOVE(dh + padLen, dh, dhSz);
+            XMEMSET(dh, 0, padLen);
             dhSz = (word32)nSk;
         }
     }

src/spdm/spdm_msg.c

@@ -480,7 +480,7 @@ int wolfSPDM_ParseKeyExchangeRsp(WOLFSPDM_CTX* ctx, const byte* buf, word32 bufS
     }
     if (rc == WOLFSPDM_SUCCESS) {
         word32 i;
-        int diff = 0;
+        volatile int diff = 0;
         for (i = 0; i < WOLFSPDM_HASH_SIZE; i++) {
             diff |= expectedHmac[i] ^ rspVerifyData[i];
         }

src/spdm/spdm_psk.c

@@ -181,7 +181,7 @@ int wolfSPDM_ParsePskExchangeRsp(WOLFSPDM_CTX* ctx, const byte* buf,
     }
     if (rc == WOLFSPDM_SUCCESS) {
         word32 i;
-        int diff = 0;
+        volatile int diff = 0;
         wolfSPDM_DebugHex(ctx, "Expected HMAC", expectedHmac,
             WOLFSPDM_HASH_SIZE);
         wolfSPDM_DebugHex(ctx, "Received HMAC", rspVerifyData,

src/tpm2.c

@@ -6964,6 +6964,20 @@ TPM_ALG_ID TPM2_GetAlgId(const char* name)
         return TPM_ALG_CFB;
     if (!XSTRCMP(name, "AES-ECB"))
         return TPM_ALG_ECB;
+    if (!XSTRCMP(name, "SHA3_256"))
+        return TPM_ALG_SHA3_256;
+    if (!XSTRCMP(name, "SHA3_384"))
+        return TPM_ALG_SHA3_384;
+    if (!XSTRCMP(name, "SHA3_512"))
+        return TPM_ALG_SHA3_512;
+#ifdef WOLFTPM_V185
+    if (!XSTRCMP(name, "ML-KEM"))
+        return TPM_ALG_MLKEM;
+    if (!XSTRCMP(name, "ML-DSA"))
+        return TPM_ALG_MLDSA;
+    if (!XSTRCMP(name, "HashML-DSA"))
+        return TPM_ALG_HASH_MLDSA;
+#endif
 
     return TPM_ALG_ERROR;
 }