fwTPM v185: final skoll reivew pass

Author: aidangarske

.github/workflows/pqc-examples.yml

@@ -139,8 +139,10 @@ jobs:
         env:
           WOLFSSL_PATH: ${{ github.workspace }}/wolfssl
         run: |
+          set +e
           bash -x ./examples/run_examples.sh
           rc=$?
+          set -e
           if [ $rc -ne 0 ]; then
             echo "=== run.out (last 200 lines) ==="
             tail -200 run.out

examples/pqc/mldsa_sign.c

@@ -72,8 +72,10 @@ static int mldsa_sign_run(int argc, char *argv[])
     TPMT_TK_VERIFIED validation;
     byte message[] = "wolfTPM PQC example: Pure ML-DSA sign/verify";
     int messageSz = (int)sizeof(message) - 1;
-    byte sig[5000]; /* ML-DSA-87 sig = 4627 bytes; slack included */
-    int sigSz = (int)sizeof(sig);
+    /* ML-DSA-87 sig = 4627 bytes; heap-alloc to keep stack small. */
+    byte* sig = NULL;
+    int sigBufSz = 5000;
+    int sigSz = sigBufSz;
 
     if (argc >= 2) {
         if (XSTRCMP(argv[1], "-?") == 0 ||
@@ -110,10 +112,17 @@ static int mldsa_sign_run(int argc, char *argv[])
         paramSet == TPM_MLDSA_44 ? "44" :
         paramSet == TPM_MLDSA_87 ? "87" : "65");
 
+    sig = (byte*)XMALLOC(sigBufSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (sig == NULL) {
+        printf("XMALLOC sig failed\n");
+        return MEMORY_E;
+    }
+
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, NULL);
     if (rc != TPM_RC_SUCCESS) {
         printf("wolfTPM2_Init failed 0x%x: %s\n",
             rc, wolfTPM2_GetRCString(rc));
+        XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         return rc;
     }
 
@@ -186,6 +195,7 @@ static int mldsa_sign_run(int argc, char *argv[])
 exit:
     wolfTPM2_UnloadHandle(&dev, &mldsaKey.handle);
     wolfTPM2_Cleanup(&dev);
+    XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     return rc;
 }
 

examples/pqc/mlkem_encap.c

@@ -61,8 +61,10 @@ static int mlkem_encap_run(int argc, char *argv[])
     WOLFTPM2_KEY mlkemKey;
     TPMT_PUBLIC pubTemplate;
     TPMI_MLKEM_PARAMETER_SET paramSet = TPM_MLKEM_768;
-    byte ciphertext[1600];
-    int ciphertextSz = (int)sizeof(ciphertext);
+    /* MLKEM-1024 ct = 1568 bytes; heap-alloc to keep stack small. */
+    byte* ciphertext = NULL;
+    int ciphertextBufSz = 1600;
+    int ciphertextSz = ciphertextBufSz;
     byte sharedSecret1[64];
     int sharedSecret1Sz = (int)sizeof(sharedSecret1);
     byte sharedSecret2[64];
@@ -96,7 +98,6 @@ static int mlkem_encap_run(int argc, char *argv[])
     XMEMSET(&dev, 0, sizeof(dev));
     XMEMSET(&mlkemKey, 0, sizeof(mlkemKey));
     XMEMSET(&pubTemplate, 0, sizeof(pubTemplate));
-    XMEMSET(ciphertext, 0, sizeof(ciphertext));
     XMEMSET(sharedSecret1, 0, sizeof(sharedSecret1));
     XMEMSET(sharedSecret2, 0, sizeof(sharedSecret2));
 
@@ -105,10 +106,18 @@ static int mlkem_encap_run(int argc, char *argv[])
         paramSet == TPM_MLKEM_512  ? "512"  :
         paramSet == TPM_MLKEM_1024 ? "1024" : "768");
 
+    ciphertext = (byte*)XMALLOC(ciphertextBufSz, NULL,
+        DYNAMIC_TYPE_TMP_BUFFER);
+    if (ciphertext == NULL) {
+        printf("XMALLOC ciphertext failed\n");
+        return MEMORY_E;
+    }
+
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, NULL);
     if (rc != TPM_RC_SUCCESS) {
         printf("wolfTPM2_Init failed 0x%x: %s\n",
             rc, wolfTPM2_GetRCString(rc));
+        XFREE(ciphertext, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         return rc;
     }
 
@@ -161,6 +170,7 @@ static int mlkem_encap_run(int argc, char *argv[])
     wc_ForceZero(sharedSecret2, sizeof(sharedSecret2));
     wolfTPM2_UnloadHandle(&dev, &mlkemKey.handle);
     wolfTPM2_Cleanup(&dev);
+    XFREE(ciphertext, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     return rc;
 }
 

examples/pqc/pqc_mssim_e2e.c

@@ -62,24 +62,31 @@ static int test_mlkem_roundtrip(WOLFTPM2_DEV* dev)
     int rc;
     byte ss1[32], ss2[32];
     int ss1Sz = sizeof(ss1), ss2Sz = sizeof(ss2);
-    byte ct[MAX_MLKEM_CT_SIZE];
-    int ctSz = sizeof(ct);
+    /* MLKEM ciphertext can be up to 1568 bytes — heap-alloc. */
+    byte* ct = NULL;
+    int ctBufSz = MAX_MLKEM_CT_SIZE;
+    int ctSz = ctBufSz;
 
     XMEMSET(&mlkem, 0, sizeof(mlkem));
     XMEMSET(&tpl, 0, sizeof(tpl));
 
+    ct = (byte*)XMALLOC(ctBufSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (ct == NULL) return MEMORY_E;
+
     rc = wolfTPM2_GetKeyTemplate_MLKEM(&tpl,
         TPMA_OBJECT_decrypt | TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
         TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth,
         TPM_MLKEM_768);
     if (rc != 0) {
         printf("GetKeyTemplate_MLKEM rc=%d\n", rc);
+        XFREE(ct, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         return rc;
     }
 
     rc = wolfTPM2_CreatePrimaryKey(dev, &mlkem, TPM_RH_OWNER, &tpl, NULL, 0);
     if (rc != 0) {
         printf("CreatePrimary(MLKEM-768) rc=%d\n", rc);
+        XFREE(ct, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         return rc;
     }
 
@@ -121,6 +128,7 @@ static int test_mlkem_roundtrip(WOLFTPM2_DEV* dev)
     wc_ForceZero(ss1, sizeof(ss1));
     wc_ForceZero(ss2, sizeof(ss2));
     wolfTPM2_UnloadHandle(dev, &mlkem.handle);
+    XFREE(ct, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     return rc;
 }
 
@@ -130,27 +138,34 @@ static int test_hash_mldsa_digest_roundtrip(WOLFTPM2_DEV* dev)
     TPMT_PUBLIC tpl;
     int rc;
     byte digest[32];
-    byte sig[MAX_MLDSA_SIG_SIZE];
-    int sigSz = sizeof(sig);
+    /* MLDSA-87 sig = 4627 bytes — heap-alloc to keep stack small. */
+    byte* sig = NULL;
+    int sigBufSz = MAX_MLDSA_SIG_SIZE;
+    int sigSz = sigBufSz;
     TPMT_TK_VERIFIED validation;
 
     XMEMSET(&mldsa, 0, sizeof(mldsa));
     XMEMSET(&tpl, 0, sizeof(tpl));
     XMEMSET(&validation, 0, sizeof(validation));
     XMEMSET(digest, 0xAA, sizeof(digest));
 
+    sig = (byte*)XMALLOC(sigBufSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (sig == NULL) return MEMORY_E;
+
     rc = wolfTPM2_GetKeyTemplate_HASH_MLDSA(&tpl,
         TPMA_OBJECT_sign | TPMA_OBJECT_fixedTPM | TPMA_OBJECT_fixedParent |
         TPMA_OBJECT_sensitiveDataOrigin | TPMA_OBJECT_userWithAuth,
         TPM_MLDSA_65, TPM_ALG_SHA256);
     if (rc != 0) {
         printf("GetKeyTemplate_HASH_MLDSA rc=%d\n", rc);
+        XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         return rc;
     }
 
     rc = wolfTPM2_CreatePrimaryKey(dev, &mldsa, TPM_RH_OWNER, &tpl, NULL, 0);
     if (rc != 0) {
         printf("CreatePrimary(HashMLDSA-65) rc=%d\n", rc);
+        XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         return rc;
     }
 
@@ -196,6 +211,7 @@ static int test_hash_mldsa_digest_roundtrip(WOLFTPM2_DEV* dev)
 
 cleanup:
     wolfTPM2_UnloadHandle(dev, &mldsa.handle);
+    XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     return rc;
 }
 

examples/run_examples.sh

@@ -33,7 +33,9 @@ if [ -z "$ENABLE_V185" ]; then
     ENABLE_V185=0
     for cfg in src/config.h config.h ../src/config.h ../config.h \
                wolftpm/options.h wolftpm/version.h; do
-        if [ -f "$cfg" ] && grep -q "WOLFTPM_V185[[:space:]]*1" "$cfg"; then
+        if [ -f "$cfg" ] && grep -qE \
+                '^[[:space:]]*#[[:space:]]*define[[:space:]]+WOLFTPM_V185([[:space:]]|$)' \
+                "$cfg"; then
             ENABLE_V185=1
             break
         fi

src/fwtpm/fwtpm_command.c

@@ -7154,6 +7154,9 @@ static TPM_RC FwCmd_SequenceComplete(FWTPM_CTX* ctx, TPM2_Packet* cmd,
     TPMI_ALG_HASH hashAlg = TPM_ALG_NULL;
     int paramSzPos, paramStart;
     int trc;
+#ifdef WOLFTPM_V185
+    FWTPM_SignSeq* misRoutedSign = NULL;
+#endif
 
     FWTPM_ALLOC_BUF(dataBuf, FWTPM_MAX_DATA_BUF);
 
@@ -7167,6 +7170,11 @@ static TPM_RC FwCmd_SequenceComplete(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         seq = FwFindHashSeq(ctx, seqHandle);
         if (seq == NULL) {
             rc = TPM_RC_HANDLE;
+#ifdef WOLFTPM_V185
+            /* Free a sign/verify slot mis-routed here so it doesn't leak. */
+            misRoutedSign = FwFindSignSeq(ctx, seqHandle);
+            if (misRoutedSign != NULL) FwFreeSignSeq(misRoutedSign);
+#endif
         }
         else {
             hashAlg = seq->hashAlg;
@@ -13054,9 +13062,10 @@ static TPM_RC FwCmd_Encapsulate(FWTPM_CTX* ctx, TPM2_Packet* cmd, int cmdSize,
     if (rc == 0 && cmdTag == TPM_ST_SESSIONS) {
         rc = FwSkipAuthArea(cmd, cmdSize);
     }
-    /* Two KEM types per Part 2 Sec.10.3.13 Table 100: ML-KEM (FIPS 203) and
-     * ECC DHKEM (RFC 9180 Sec.4.1). For ECC the kdf scheme MUST be HKDF
-     * (Part 2 Sec.12.2.3.5) — TPM_RC_KEY for any other key type or unset kdf. */
+    /* KEM types per Part 2 Sec.10.3.13 Table 100: ML-KEM (FIPS 203) and ECC
+     * DHKEM (RFC 9180 Sec.4.1, ECC kdf MUST be HKDF). Part 3 Sec.14.10.1
+     * explicitly says the TPM does NOT verify objectAttributes here (only
+     * the public portion may be loaded), so no decrypt/restricted check. */
     if (rc == 0) {
         if (obj->pub.type == TPM_ALG_MLKEM) {
             ps = obj->pub.parameters.mlkemDetail.parameterSet;
@@ -13311,13 +13320,15 @@ static TPM_RC FwCmd_SignSequenceStart(FWTPM_CTX* ctx, TPM2_Packet* cmd,
             rc = TPM_RC_KEY;
         }
         /* Accept ML-DSA, Hash-ML-DSA, classical RSA/ECC, and KEYEDHASH
-         * (HMAC) signing keys. Other types (SM2, ECSCHNORR) unsupported. */
+         * (HMAC) signing keys. Other types (SYMCIPHER, SM2, ECSCHNORR)
+         * map to TPM_RC_KEY ("not a signing key" — Part 3 Sec.17.5.1
+         * reserves TPM_RC_SCHEME for the NULL-scheme case below). */
         else if (obj->pub.type != TPM_ALG_MLDSA &&
                  obj->pub.type != TPM_ALG_HASH_MLDSA &&
                  obj->pub.type != TPM_ALG_RSA &&
                  obj->pub.type != TPM_ALG_ECC &&
                  obj->pub.type != TPM_ALG_KEYEDHASH) {
-            rc = TPM_RC_SCHEME;
+            rc = TPM_RC_KEY;
         }
     }
 
@@ -13336,6 +13347,9 @@ static TPM_RC FwCmd_SignSequenceStart(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         if (authSz > sizeof(((TPM2B_AUTH*)0)->buffer)) {
             rc = TPM_RC_SIZE;
         }
+        else if (cmd->pos + authSz > cmdSize) {
+            rc = TPM_RC_COMMAND_SIZE;
+        }
     }
     /* Parse context (TPM2B_SIGNATURE_CTX) */
     if (rc == 0) {
@@ -13475,13 +13489,15 @@ static TPM_RC FwCmd_VerifySequenceStart(FWTPM_CTX* ctx, TPM2_Packet* cmd,
             rc = TPM_RC_KEY;
         }
         /* Accept ML-DSA, Hash-ML-DSA, classical RSA/ECC, and KEYEDHASH
-         * (HMAC) signing keys. */
+         * (HMAC) signing keys. Other types map to TPM_RC_KEY per
+         * Part 3 Sec.17.6.1 (TPM_RC_SCHEME is reserved for the
+         * NULL-scheme case below). */
         else if (obj->pub.type != TPM_ALG_MLDSA &&
                  obj->pub.type != TPM_ALG_HASH_MLDSA &&
                  obj->pub.type != TPM_ALG_RSA &&
                  obj->pub.type != TPM_ALG_ECC &&
                  obj->pub.type != TPM_ALG_KEYEDHASH) {
-            rc = TPM_RC_SCHEME;
+            rc = TPM_RC_KEY;
         }
     }
 
@@ -13497,6 +13513,9 @@ static TPM_RC FwCmd_VerifySequenceStart(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         if (authSz > sizeof(((TPM2B_AUTH*)0)->buffer)) {
             rc = TPM_RC_SIZE;
         }
+        else if (cmd->pos + authSz > cmdSize) {
+            rc = TPM_RC_COMMAND_SIZE;
+        }
     }
     if (rc == 0) {
         seq = FwAllocSignSeq(ctx, &seqHandle);
@@ -13509,8 +13528,11 @@ static TPM_RC FwCmd_VerifySequenceStart(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         TPM2_Packet_ParseBytes(cmd, seq->authValue.buffer, authSz);
 
         TPM2_Packet_ParseU16(cmd, &hintSz);
-        /* Part 2 Sec.11.3.9: hint MUST be zero-length for non-EdDSA schemes.
-         * Reject any non-zero hint up front; nothing to consume on the wire. */
+        /* Part 3 Sec.17.6.1: hint carries the EdDSA R for EDDSA verify;
+         * MUST be zero-length for all other schemes. wolfTPM does not yet
+         * implement EDDSA verify-sequences (no TPM_ALG_EDDSA dispatch in
+         * VerifySequenceComplete), so reject any non-zero hint with
+         * TPM_RC_VALUE. Re-gate this on obj->pub.type when EDDSA is added. */
         if (hintSz > 0) {
             rc = TPM_RC_VALUE;
         }
@@ -13633,7 +13655,13 @@ static TPM_RC FwCmd_SignSequenceComplete(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         TPM2_Packet_ParseU32(cmd, &sequenceHandle);
         TPM2_Packet_ParseU32(cmd, &keyHandle);
         seq = FwFindSignSeq(ctx, sequenceHandle);
-        if (seq == NULL || seq->isVerifySeq) {
+        /* NULL out seq for a peer's verify-sequence so cleanup
+         * doesn't free their slot. */
+        if (seq != NULL && seq->isVerifySeq) {
+            seq = NULL;
+            rc = TPM_RC_HANDLE;
+        }
+        else if (seq == NULL) {
             rc = TPM_RC_HANDLE;
         }
     }
@@ -13879,12 +13907,15 @@ static TPM_RC FwCmd_SignSequenceComplete(FWTPM_CTX* ctx, TPM2_Packet* cmd,
                         rc = TPM_RC_SCHEME;
                     }
                     else {
-                        paramStart = FwRspParamsBegin(rsp, cmdTag, &paramSzPos);
+                        paramStart = FwRspParamsBegin(rsp, cmdTag,
+                            &paramSzPos);
                         rc = FwSignDigestAndAppend(ctx, keyObj,
                             schemeAlg, hashAlg,
                             digestOut, digestSz, rsp);
+                        /* Always pair Begin with End so the param-size
+                         * back-patch fires even on failure. */
+                        FwRspParamsEnd(rsp, cmdTag, paramSzPos, paramStart);
                         if (rc == 0) {
-                            FwRspParamsEnd(rsp, cmdTag, paramSzPos, paramStart);
                             FwFreeSignSeq(seq);
                             FWTPM_FREE_BUF(msgBuf);
                             FWTPM_FREE_VAR(sigOut);
@@ -13983,7 +14014,13 @@ static TPM_RC FwCmd_VerifySequenceComplete(FWTPM_CTX* ctx, TPM2_Packet* cmd,
         TPM2_Packet_ParseU32(cmd, &sequenceHandle);
         TPM2_Packet_ParseU32(cmd, &keyHandle);
         seq = FwFindSignSeq(ctx, sequenceHandle);
-        if (seq == NULL || !seq->isVerifySeq) {
+        /* NULL out seq for a peer's sign-sequence so cleanup
+         * doesn't free their slot. */
+        if (seq != NULL && !seq->isVerifySeq) {
+            seq = NULL;
+            rc = TPM_RC_HANDLE;
+        }
+        else if (seq == NULL) {
             rc = TPM_RC_HANDLE;
         }
     }
@@ -14473,6 +14510,12 @@ static TPM_RC FwCmd_SignDigest(FWTPM_CTX* ctx, TPM2_Packet* cmd, int cmdSize,
             if (sigScheme == TPM_ALG_NULL || sigHashAlg == TPM_ALG_NULL) {
                 rc = TPM_RC_SCHEME;
             }
+            else if (digest->size !=
+                    (UINT16)TPM2_GetHashDigestSize(sigHashAlg)) {
+                /* Part 3 Sec.20.7.1: digest size MUST match the hashAlg
+                 * digest size for ALL signing schemes. */
+                rc = TPM_RC_SIZE;
+            }
             else {
                 rc = FwSignDigestAndAppend(ctx, obj, sigScheme, sigHashAlg,
                     digest->buffer, digest->size, rsp);
@@ -14654,6 +14697,12 @@ static TPM_RC FwCmd_VerifyDigestSignature(FWTPM_CTX* ctx, TPM2_Packet* cmd,
                 keyHashAlg != classicalSig.signature.any.hashAlg) {
             rc = TPM_RC_SCHEME;
         }
+        else if (digest->size !=
+                (UINT16)TPM2_GetHashDigestSize(keyHashAlg)) {
+            /* Part 3 Sec.20.4.1: digest size MUST match the hashAlg
+             * digest size for ALL signing schemes. */
+            rc = TPM_RC_SIZE;
+        }
         else {
             rc = FwVerifySignatureCore(obj, digest->buffer, digest->size,
                 &classicalSig);