diff --git a/.github/workflows/empty-brace-scan.yml b/.github/workflows/empty-brace-scan.yml
new file mode 100644
index 00000000..c97151c7
--- /dev/null
+++ b/.github/workflows/empty-brace-scan.yml
@@ -0,0 +1,30 @@
+name: Empty Brace Scope Scan
+
+on:
+ push:
+ branches: [ 'master', 'main', 'release/**' ]
+ pull_request:
+ branches: [ '**' ]
+ repository_dispatch:
+ types: [nightly-trigger]
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ empty-brace-scan:
+ name: Empty Brace Scope Scan
+ runs-on: ubuntu-22.04
+ timeout-minutes: 5
+ steps:
+ - name: Checkout wolfTPM
+ uses: actions/checkout@v4
+
+ - name: Check for bare C scope blocks
+ run: |
+ # Bare scope blocks are disallowed. If one is truly required, document
+ # the exception directly above the brace or on the brace line:
+ # /* empty-brace-scan: allow - required because */
+ python3 scripts/check-empty-brace-scopes.py
diff --git a/examples/keygen/external_import.c b/examples/keygen/external_import.c
index 885606f8..1d2b2505 100644
--- a/examples/keygen/external_import.c
+++ b/examples/keygen/external_import.c
@@ -101,6 +101,14 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
 TPMI_ALG_PUBLIC alg = TPM_ALG_RSA;
 const char* keyblobFile = "keyblob.bin";
 int loadKeyBlob = 0;
+#ifdef USE_TEST_SEED
+ const byte custSeed[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+ };
+#endif
 if (argc >= 2) {
 if (XSTRCMP(argv[1], "-?") == 0 ||
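Review bot: `uses: actions/checkout@v4` pins the checkout step to a mutable tag, so whatever that tag points to on a given day is what runs in this scan; pinning to the full commit SHA with the version in a trailing comment (`uses: actions/checkout@<commit-sha> # v4`) makes the job reproducible and immune to a retagged release. The workflow also declares no `permissions:` block, so the job token receives the repository default grant although the scan only reads the tree; a top-level `permissions:` with `contents: read` is the least-privilege setting for it. Both are two-line changes at the top of the file and in the `steps:` list.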
@@ -167,15 +175,7 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
 #ifndef USE_TEST_SEED
 TPM2_GetNonce(seedValue.buffer, seedValue.size);
 #else
- {
- const byte custSeed[] = {
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
- };
- XMEMCPY(seedValue.buffer, custSeed, seedValue.size);
- }
+ XMEMCPY(seedValue.buffer, custSeed, seedValue.size);
 #endif
 printf("Import Seed %d\n", seedValue.size);
 TPM2_PrintBin(seedValue.buffer, seedValue.size);
diff --git a/examples/seal/seal_pcr.c b/examples/seal/seal_pcr.c
index 3d6bf425..b2dcf255 100644
--- a/examples/seal/seal_pcr.c
+++ b/examples/seal/seal_pcr.c
@@ -245,6 +245,7 @@ int TPM2_Seal_PCR_Example(void* userCtx, int argc, char *argv[])
 /* ---- UNSEAL ---- */
 if (doUnseal) {
 WOLFTPM2_SESSION policySession;
+ word32 sessionAttrs;
 XMEMSET(&policySession, 0, sizeof(policySession));
 printf("\nUnsealing secret...\n");
@@ -296,15 +297,13 @@ int TPM2_Seal_PCR_Example(void* userCtx, int argc, char *argv[])
 }
 /* Step 4: Use policy session for unseal (with param enc if set) */
- {
- word32 sessionAttrs = TPMA_SESSION_continueSession;
- if (paramEncAlg != TPM_ALG_NULL) {
- sessionAttrs |= (TPMA_SESSION_decrypt |
- TPMA_SESSION_encrypt);
- }
- rc = wolfTPM2_SetAuthSession(&dev, 0, &policySession,
- sessionAttrs);
+ sessionAttrs = TPMA_SESSION_continueSession;
+ if (paramEncAlg != TPM_ALG_NULL) {
+ sessionAttrs |= (TPMA_SESSION_decrypt |
+ TPMA_SESSION_encrypt);
 }
+ rc = wolfTPM2_SetAuthSession(&dev, 0, &policySession,
+ sessionAttrs);
 if (rc != 0) {
 wolfTPM2_UnloadHandle(&dev, &policySession.handle);
 wolfTPM2_UnloadHandle(&dev, &sealBlob.handle);
diff --git a/examples/seal/seal_policy_auth.c b/examples/seal/seal_policy_auth.c
index 08787ea3..812e0bf7 100644
--- a/examples/seal/seal_policy_auth.c
+++ b/examples/seal/seal_policy_auth.c
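Review bot: `XMEMCPY(seedValue.buffer, custSeed, seedValue.size)` copies `seedValue.size` bytes out of a 32-byte `custSeed` with nothing tying the two lengths together; `seedValue.size` is assigned outside this hunk, so I cannot confirm its bound, but if it is ever larger than 32 the copy over-reads the array. Now that `custSeed` lives at function scope the guard is cheap: `if (seedValue.size > (UINT16)sizeof(custSeed)) seedValue.size = (UINT16)sizeof(custSeed);` ahead of the copy, assuming `seedValue` is a TPM2B with a UINT16 size as elsewhere in this tree. TPM2_ExternalImport_Example starts and ends outside the hunk.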
@@ -302,6 +302,7 @@ int TPM2_Seal_PolicyAuth_Example(void* userCtx, int argc, char *argv[])
 TPMI_ALG_SIG_SCHEME sigAlg;
 byte* policyRef = NULL;
 word32 policyRefSz = 0;
+ word32 sessionAttrs;
 XMEMSET(&policySession, 0, sizeof(policySession));
 XMEMSET(&checkTicket, 0, sizeof(checkTicket));
@@ -461,15 +462,13 @@ int TPM2_Seal_PolicyAuth_Example(void* userCtx, int argc, char *argv[])
 wolfTPM2_UnloadHandle(&dev, &authKeyBlob.handle);
 /* Step 9: Unseal using the policy session (with param enc if set) */
- {
- word32 sessionAttrs = TPMA_SESSION_continueSession;
- if (paramEncAlg != TPM_ALG_NULL) {
- sessionAttrs |= (TPMA_SESSION_decrypt |
- TPMA_SESSION_encrypt);
- }
- rc = wolfTPM2_SetAuthSession(&dev, 0, &policySession,
- sessionAttrs);
+ sessionAttrs = TPMA_SESSION_continueSession;
+ if (paramEncAlg != TPM_ALG_NULL) {
+ sessionAttrs |= (TPMA_SESSION_decrypt |
+ TPMA_SESSION_encrypt);
 }
+ rc = wolfTPM2_SetAuthSession(&dev, 0, &policySession,
+ sessionAttrs);
 if (rc != 0) {
 wolfTPM2_UnloadHandle(&dev, &policySession.handle);
 wolfTPM2_UnloadHandle(&dev, &sealBlob.handle);
diff --git a/examples/tls/tls_client.c b/examples/tls/tls_client.c
index 9a171fe2..7311a1ca 100644
--- a/examples/tls/tls_client.c
+++ b/examples/tls/tls_client.c
@@ -139,6 +139,11 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 WOLFTPM2_SESSION tpmSession;
 TPMT_PUBLIC publicTemplate;
 word32 port = TLS_PORT;
+#ifndef NO_TLS_MUTUAL_AUTH
+ byte der[1024];
+ word32 derSz;
+ void* pkey = NULL;
+#endif
 /* initialize variables */
 XMEMSET(&storageKey, 0, sizeof(storageKey));
@@ -426,34 +431,31 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 * public key instead (if crypto callbacks are enabled). */
 #ifndef NO_TLS_MUTUAL_AUTH
- {
- /* Export TPM public key as DER */
- byte der[1024];
- word32 derSz = (word32)sizeof(der);
- #if defined(HAVE_ECC) && !defined(NO_RSA)
- void* pkey = !useECC ? &rsaKey : &eccKey;
- #elif !defined(NO_RSA)
- void* pkey = &rsaKey;
- #elif defined(HAVE_ECC)
- void* pkey = &eccKey;
- #else
- void* pkey = NULL;
- #endif
- rc = wolfTPM2_ExportPublicKeyBuffer(&dev, (WOLFTPM2_KEY*)pkey,
- ENCODING_TYPE_ASN1, der, &derSz);
- if (rc < 0) {
- printf("Failed to export TPM public key!\n");
- goto exit;
- }
+ /* Export TPM public key as DER */
+ derSz = (word32)sizeof(der);
+#if defined(HAVE_ECC) && !defined(NO_RSA)
+ pkey = !useECC ? &rsaKey : &eccKey;
+#elif !defined(NO_RSA)
+ pkey = &rsaKey;
+#elif defined(HAVE_ECC)
+ pkey = &eccKey;
+#else
+ pkey = NULL;
+#endif
+ rc = wolfTPM2_ExportPublicKeyBuffer(&dev, (WOLFTPM2_KEY*)pkey,
+ ENCODING_TYPE_ASN1, der, &derSz);
+ if (rc < 0) {
+ printf("Failed to export TPM public key!\n");
+ goto exit;
+ }
- /* Private key only exists on the TPM and crypto callbacks are used for
- * signing. Public key is required to enable TLS client (mutual auth).
- * This API accepts public keys when crypto callbacks are enabled */
- if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
- WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
- printf("Failed to set RSA key!\n");
- goto exit;
- }
+ /* Private key only exists on the TPM and crypto callbacks are used for
+ * signing. Public key is required to enable TLS client (mutual auth).
+ * This API accepts public keys when crypto callbacks are enabled */
+ if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
+ WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+ printf("Failed to set RSA key!\n");
+ goto exit;
 }
 /* Client Certificate (Mutual Authentication) */
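Review bot: The unwrapped block still hands `pkey` to `wolfTPM2_ExportPublicKeyBuffer` unconditionally, and in the `#else` configuration (neither RSA nor ECC built) that is a NULL `WOLFTPM2_KEY*`; the commit moved the assignment out of the block but added no guard, and the identical block in tls_server.c (hunk at -447) has the same shape. The failure text of the second step, `printf("Failed to set RSA key!\n");`, is also printed on the ECC path now chosen by `pkey = &eccKey;`, so `printf("Failed to set TPM public key!\n");` would describe both cases. In tls_server.c the copied comment still says `TLS client (mutual auth)` while describing the server's own key. The enclosing function continues beyond the hunk, so the `#else` case may already be excluded by build configuration; if it is, a short comment on that branch saying so would save the next reader the question.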
diff --git a/examples/tls/tls_common.h b/examples/tls/tls_common.h
index db253b61..925c7c14 100644
--- a/examples/tls/tls_common.h
+++ b/examples/tls/tls_common.h
@@ -103,6 +103,9 @@ static inline int SockIORecv(WOLFSSL* ssl, char* buff, int sz, void* ctx)
 {
 SockIoCbCtx* sockCtx = (SockIoCbCtx*)ctx;
 int recvd;
+#ifdef TLS_BENCH_MODE
+ const double zeroVal = 0.0;
+#endif
 (void)ssl;
@@ -147,11 +150,8 @@ static inline int SockIORecv(WOLFSSL* ssl,  char* buff, int sz, void* ctx)
 }
 #ifdef TLS_BENCH_MODE
- {
- const double zeroVal = 0.0;
- if (XMEMCMP(&benchStart, &zeroVal, sizeof(double)) == 0) {
- benchStart = gettime_secs(1);
- }
+ if (XMEMCMP(&benchStart, &zeroVal, sizeof(double)) == 0) {
+ benchStart = gettime_secs(1);
 }
 #endif
diff --git a/examples/tls/tls_server.c b/examples/tls/tls_server.c
index 6fafce29..4117aa93 100644
--- a/examples/tls/tls_server.c
+++ b/examples/tls/tls_server.c
@@ -177,6 +177,9 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
 WOLFTPM2_SESSION tpmSession;
 TPMT_PUBLIC publicTemplate;
 word32 port = TLS_PORT;
+ byte der[1024];
+ word32 derSz;
+ void* pkey = NULL;
 /* initialize variables */
 XMEMSET(&storageKey, 0, sizeof(storageKey));
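Review bot: `XMEMCMP(&benchStart, &zeroVal, sizeof(double)) == 0` compares the bit pattern of `benchStart` with positive zero, presumably as a deliberate way to test "not yet started" without a float-equality warning, but with `zeroVal` now declared at the top of SockIORecv and used once much further down nothing says so. A one-line comment at the declaration, `/* bit-pattern compare avoids -Wfloat-equal; benchStart is 0.0 until the first receive */`, keeps the next reader from "simplifying" it to `benchStart == 0.0`. The compare also treats -0.0 as already started, which is harmless for a timestamp but worth a word if that assumption matters. SockIORecv's body starts above the first hunk and ends below the second.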
@@ -447,34 +450,31 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
 #endif /* !NO_FILESYSTEM */
- {
- /* Export TPM public key as DER */
- byte der[1024];
- word32 derSz = (word32)sizeof(der);
- #if defined(HAVE_ECC) && !defined(NO_RSA)
- void* pkey = !useECC ? &rsaKey : &eccKey;
- #elif !defined(NO_RSA)
- void* pkey = &rsaKey;
- #elif defined(HAVE_ECC)
- void* pkey = &eccKey;
- #else
- void* pkey = NULL;
- #endif
- rc = wolfTPM2_ExportPublicKeyBuffer(&dev, (WOLFTPM2_KEY*)pkey,
- ENCODING_TYPE_ASN1, der, &derSz);
- if (rc < 0) {
- printf("Failed to export TPM public key!\n");
- goto exit;
- }
+ /* Export TPM public key as DER */
+ derSz = (word32)sizeof(der);
+#if defined(HAVE_ECC) && !defined(NO_RSA)
+ pkey = !useECC ? &rsaKey : &eccKey;
+#elif !defined(NO_RSA)
+ pkey = &rsaKey;
+#elif defined(HAVE_ECC)
+ pkey = &eccKey;
+#else
+ pkey = NULL;
+#endif
+ rc = wolfTPM2_ExportPublicKeyBuffer(&dev, (WOLFTPM2_KEY*)pkey,
+ ENCODING_TYPE_ASN1, der, &derSz);
+ if (rc < 0) {
+ printf("Failed to export TPM public key!\n");
+ goto exit;
+ }
- /* Private key only exists on the TPM and crypto callbacks are used for
- * signing. Public key is required to enable TLS client (mutual auth).
- * This API accepts public keys when crypto callbacks are enabled */
- if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
- WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
- printf("Failed to set RSA key!\n");
- goto exit;
- }
+ /* Private key only exists on the TPM and crypto callbacks are used for
+ * signing. Public key is required to enable TLS client (mutual auth).
+ * This API accepts public keys when crypto callbacks are enabled */
+ if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
+ WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
+ printf("Failed to set RSA key!\n");
+ goto exit;
 }
 /* Server certificate */
diff --git a/examples/wrap/wrap_test.c b/examples/wrap/wrap_test.c
index 5809608a..f74d8896 100644
--- a/examples/wrap/wrap_test.c
+++ b/examples/wrap/wrap_test.c
@@ -79,6 +79,8 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
 TPM2B_ECC_POINT pubPoint;
 #ifndef WOLFTPM_WINAPI
 word32 nvAttributes = 0;
+ WOLFTPM2_HANDLE parent;
+ WOLFTPM2_NV nv;
 #endif
 #ifdef WOLFTPM_CRYPTOCB
 TpmCryptoDevCtx tpmCtx;
@@ -753,47 +755,42 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
 /*------------------------------------------------------------------------*/
 /* NV with Auth (preferred API's) */
 #ifndef WOLFTPM_WINAPI
- {
- WOLFTPM2_HANDLE parent;
- WOLFTPM2_NV nv;
+ XMEMSET(&parent, 0, sizeof(parent));
+ parent.hndl = TPM_RH_OWNER;
- XMEMSET(&parent, 0, sizeof(parent));
- parent.hndl = TPM_RH_OWNER;
-
- rc = wolfTPM2_GetNvAttributesTemplate(parent.hndl, &nvAttributes);
- if (rc != 0) goto exit;
- rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
- nvAttributes, TPM2_DEMO_NV_TEST_SIZE, (byte*)gNvAuth, sizeof(gNvAuth)-1);
- if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;
-
- wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
+ rc = wolfTPM2_GetNvAttributesTemplate(parent.hndl, &nvAttributes);
+ if (rc != 0) goto exit;
+ rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
+ nvAttributes, TPM2_DEMO_NV_TEST_SIZE, (byte*)gNvAuth, sizeof(gNvAuth)-1);
+ if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;
- message.size = TPM2_DEMO_NV_TEST_SIZE; /* test message 0x11,0x11,etc */
- XMEMSET(message.buffer, 0x11, message.size);
- rc = wolfTPM2_NVWriteAuth(&dev, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
- message.buffer, message.size, 0);
- if (rc != 0) goto exit;
+ wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
- plain.size = TPM2_DEMO_NV_TEST_SIZE;
- rc = wolfTPM2_NVReadAuth(&dev, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
- plain.buffer, (word32*)&plain.size, 0);
- if (rc != 0) goto exit;
+ message.size = TPM2_DEMO_NV_TEST_SIZE; /* test message 0x11,0x11,etc */
+ XMEMSET(message.buffer, 0x11, message.size);
+ rc = wolfTPM2_NVWriteAuth(&dev, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
+ message.buffer, message.size, 0);
+ if (rc != 0) goto exit;
- rc = wolfTPM2_NVReadPublic(&dev, TPM2_DEMO_NV_TEST_AUTH_INDEX, NULL);
- if (rc != 0) goto exit;
+ plain.size = TPM2_DEMO_NV_TEST_SIZE;
+ rc = wolfTPM2_NVReadAuth(&dev, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
+ plain.buffer, (word32*)&plain.size, 0);
+ if (rc != 0) goto exit;
- rc = wolfTPM2_NVDeleteAuth(&dev, &parent, TPM2_DEMO_NV_TEST_AUTH_INDEX);
- if (rc != 0) goto exit;
+ rc = wolfTPM2_NVReadPublic(&dev, TPM2_DEMO_NV_TEST_AUTH_INDEX, NULL);
+ if (rc != 0) goto exit;
- if (message.size != plain.size ||
- XMEMCMP(message.buffer, plain.buffer, message.size) != 0) {
- rc = TPM_RC_TESTING; goto exit;
- }
+ rc = wolfTPM2_NVDeleteAuth(&dev, &parent, TPM2_DEMO_NV_TEST_AUTH_INDEX);
+ if (rc != 0) goto exit;
- printf("NV Test (with auth) on index 0x%x with %d bytes passed\n",
- TPM2_DEMO_NV_TEST_AUTH_INDEX, TPM2_DEMO_NV_TEST_SIZE);
+ if (message.size != plain.size ||
+ XMEMCMP(message.buffer, plain.buffer, message.size) != 0) {
+ rc = TPM_RC_TESTING; goto exit;
 }
+ printf("NV Test (with auth) on index 0x%x with %d bytes passed\n",
+ TPM2_DEMO_NV_TEST_AUTH_INDEX, TPM2_DEMO_NV_TEST_SIZE);
+
 /* NV Tests (older API's without auth) */
 rc = wolfTPM2_GetNvAttributesTemplate(TPM_RH_OWNER, &nvAttributes);
 if (rc != 0) goto exit;
diff --git a/scripts/check-empty-brace-scopes.py b/scripts/check-empty-brace-scopes.py
new file mode 100644
index 00000000..e8bf9278
--- /dev/null
+++ b/scripts/check-empty-brace-scopes.py
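Review bot: `nv` is now a function-scope `WOLFTPM2_NV` that is never zeroed, while its sibling `parent` gets `XMEMSET(&parent, 0, sizeof(parent));` on the first new line of the block; on the `rc == TPM_RC_NV_DEFINED` path that the following check deliberately accepts, `wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle)` then reads whatever `wolfTPM2_NVCreateAuth` left in `nv`, and I cannot confirm from this hunk that it is fully populated in that case. Adding `XMEMSET(&nv, 0, sizeof(nv));` next to the `parent` memset makes the test independent of that detail at no cost. The block-scoped `nv` had the same gap before the change, so this is pre-existing rather than a regression. TPM2_Wrapper_TestArgs begins and ends outside the hunk.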
@@ -0,0 +1,191 @@
+#!/usr/bin/env python3
+"""Reject standalone C scope blocks used only to limit variable lifetime."""
+
+from __future__ import annotations
+
+import os
+import re
+import sys
+from pathlib import Path
+
+
+C_EXTENSIONS = {".c", ".h"}
+SKIP_DIRS = {
+ ".git",
+ ".github",
+ ".dSYM",
+ "__pycache__",
+ "build",
+ "builddir",
+ "cmake-build-debug",
+ "cmake-build-release",
+ "Debug",
+ "Release",
+}
+
+BRACE_LINE = re.compile(r"^\s*\{\s*(?://.*|/\*.*\*/\s*)?$")
+CONTROL_PREFIX = re.compile(
+ r"^(?:\}\s*)?(?:else\b(?:\s+if\b)?|if\b|for\b|while\b|switch\b|do\b)"
+)
+TYPE_PREFIX = re.compile(r"^(?:typedef\s+)?(?:struct|union|enum)\b")
+ALLOW_EXCEPTION = re.compile(r"empty-brace-scan:\s*allow\s*-\s*\S")
+TRAILING_BLOCK_COMMENT = re.compile(r"\s*/\*.*?\*/\s*$")
+
+
+def strip_line_comment(line: str) -> str:
+ """Remove simple // comments without trying to parse C strings."""
+ stripped = line.split("//", 1)[0].strip()
+ while TRAILING_BLOCK_COMMENT.search(stripped):
+ stripped = TRAILING_BLOCK_COMMENT.sub("", stripped).strip()
+ return stripped
+
+
+def is_comment_only(line: str) -> bool:
+ stripped = line.strip()
+ return (
+ stripped.startswith("/*")
+ or stripped.startswith("* ")
+ or stripped.startswith("*\t")
+ or stripped == "*"
+ or stripped == "*/"
+ )
+
+
+def has_allow_exception(lines: list[str], index: int) -> bool:
+ if ALLOW_EXCEPTION.search(lines[index]):
+ return True
+
+ for prev_index in range(index - 1, max(index - 4, -1), -1):
+ stripped = lines[prev_index].strip()
+ if not stripped:
+ return False
+ if ALLOW_EXCEPTION.search(stripped):
+ return True
+ if not is_comment_only(stripped):
+ return False
+
+ return False
+
+
+def previous_code_line(lines: list[str], index: int) -> tuple[int, str] | None:
+ """Return the previous non-empty, non-preprocessor code line."""
+ for prev_index in range(index - 1, -1, -1):
+ if is_comment_only(lines[prev_index]):
+ continue
+ stripped = strip_line_comment(lines[prev_index])
+ if not stripped:
continue
+ if stripped.startswith("#"):
+ continue
+ return prev_index + 1, stripped
+ return None
+
+
+def is_allowed_open_brace(previous: str | None) -> bool:
+ if previous is None:
+ return True
+
+ if CONTROL_PREFIX.match(previous):
+ return True
+ if previous.startswith("case ") or previous.startswith("default:"):
+ return True
+ if TYPE_PREFIX.match(previous):
+ return True
+
+ # Function definitions and multi-line control headers normally end in ')'
+ # on the line before the opening brace. Function calls end in ');' instead.
+ if previous.endswith(")") and not previous.endswith(");"):
+ return True
+
+ # Aggregate initializers and macro continuations can place the brace alone.
+ if previous.endswith(("{", "=", ",", "(", "[", "\\")):
+ return True
+
+ return False
+
+
+def iter_c_files(paths: list[Path]) -> list[Path]:
+ files: list[Path] = []
+
+ for path in paths:
+ if not path.exists():
+ continue
+ if path.is_file():
+ if path.suffix in C_EXTENSIONS:
+ files.append(path)
+ continue
+
+ for root, dirs, names in os.walk(path):
+ dirs[:] = [
+ d for d in dirs
+ if d not in SKIP_DIRS and not d.endswith(".dSYM")
+ ]
+ for name in names:
+ candidate = Path(root) / name
+ if candidate.suffix in C_EXTENSIONS:
+ files.append(candidate)
+
+ return sorted(set(files))
+
+
+def scan_file(path: Path) -> list[tuple[Path, int, int, str | None]]:
+ try:
+ lines = path.read_text(encoding="utf-8").splitlines()
+ except UnicodeDecodeError:
+ lines = path.read_text(encoding="latin-1").splitlines()
+
+ findings: list[tuple[Path, int, int, str | None]] = []
+ for index, line in enumerate(lines):
+ if not BRACE_LINE.match(line):
+ continue
+ previous = previous_code_line(lines, index)
+ previous_text = previous[1] if previous else None
+ if is_allowed_open_brace(previous_text):
+ continue
+ if has_allow_exception(lines, index):
+ continue
+ column = line.index("{") + 1
+ findings.append((path, index + 1, column, previous_text))
+
+ return findings
+
+
+def emit_finding(path: Path, line: int, column: int, previous: str | None) -> None:
+ message = (
+ "standalone scope block is not allowed; if truly required, add "
+ "'empty-brace-scan: allow - ' directly above the brace"
+ )
+ if os.environ.get("GITHUB_ACTIONS") == "true":
+ print(f"::error file={path},line={line},col={column}::{message}")
+ print(f"{path}:{line}:{column}: {message}")
+ if previous:
+ print(f" previous code: {previous}")
+
+
+def main(argv: list[str]) -> int:
+ roots = [Path(arg) for arg in argv] if argv else [
+ Path("src"),
+ Path("wolftpm"),
+ Path("tests"),
+ Path("examples"),
+ Path("hal"),
+ Path("IDE"),
+ Path("zephyr"),
+ ]
+ files = iter_c_files(roots)
+ findings: list[tuple[Path, int, int, str | None]] = []
+ for path in files:
+ findings.extend(scan_file(path))
+
+ if findings:
+ print("Bare C scope block(s) found. Use normal control flow and cleanup at the end of the function instead.")
+ for finding in findings:
+ emit_finding(*finding)
+ return 1
+
+ print(f"OK: scanned {len(files)} C source/header file(s); no bare scope blocks found.")
+ return 0
+
+
+if __name__ == "__main__":
+ raise SystemExit(main(sys.argv[1:]))
diff --git a/src/fwtpm/fwtpm_io.c b/src/fwtpm/fwtpm_io.c
index 3cfd1c06..d26f94d0 100644
--- a/src/fwtpm/fwtpm_io.c
+++ b/src/fwtpm/fwtpm_io.c
@@ -492,6 +492,10 @@ int FWTPM_IO_SetHAL(FWTPM_CTX* ctx, FWTPM_IO_HAL* hal)
 int FWTPM_IO_Init(FWTPM_CTX* ctx)
 {
+#if !defined(WOLFTPM_FWTPM_TIS) && defined(_WIN32)
+ WSADATA wsaData;
+#endif
+
 if (ctx == NULL) {
 return BAD_FUNC_ARG;
 }
@@ -500,12 +504,9 @@ int FWTPM_IO_Init(FWTPM_CTX* ctx)
 return FWTPM_TIS_Init(ctx);
 #else
 #ifdef _WIN32
- {
- WSADATA wsaData;
- if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
- fprintf(stderr, "fwTPM: WSAStartup failed\n");
- return TPM_RC_FAILURE;
- }
+ if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
+ fprintf(stderr, "fwTPM: WSAStartup failed\n");
+ return TPM_RC_FAILURE;
 }
 #endif
 XMEMSET(&ctx->io, 0, sizeof(ctx->io));
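Review bot: The message built in `emit_finding` tells the developer to add `'empty-brace-scan: allow - '`, but `ALLOW_EXCEPTION` (`allow\s*-\s*\S`) only matches when a non-blank reason follows the dash, so pasting the marker verbatim reproduces the same finding; `"'empty-brace-scan: allow - <reason>' directly above the brace"` states the real contract. It would also help to say in the module docstring that `has_allow_exception` inspects the brace line and at most the three comment-only lines above it, since a marker placed any further up is silently ignored. `strip_line_comment` splits on the first `//` even inside a string literal, which its docstring already admits; acceptable for a lint, but worth remembering when a "previous code" false positive is reported.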
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
index 76ff464d..f36817ee 100644
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@@ -1237,6 +1237,7 @@ int wolfTPM2_SpdmConnectNuvoton(WOLFTPM2_DEV* dev,
 TPM2_Packet pktPub;
 TPMT_PUBLIC pub;
 byte rawPubKey[WOLFSPDM_ECC_POINT_SIZE];
+ UINT16 wireSize;
 XMEMSET(&pub, 0, sizeof(pub));
 pktPub.buf = (byte*)reqPubKey;
@@ -1246,21 +1247,19 @@ int wolfTPM2_SpdmConnectNuvoton(WOLFTPM2_DEV* dev,
 TPM2_Packet_ParseU16(&pktPub, &pub.type);
 TPM2_Packet_ParseU16(&pktPub, &pub.nameAlg);
 TPM2_Packet_ParseU32(&pktPub, &pub.objectAttributes);
- {
- UINT16 wireSize = 0;
- TPM2_Packet_ParseU16(&pktPub, &wireSize);
- pub.authPolicy.size = wireSize;
- if (pub.authPolicy.size >
- (UINT16)sizeof(pub.authPolicy.buffer)) {
- pub.authPolicy.size =
- (UINT16)sizeof(pub.authPolicy.buffer);
- }
- TPM2_Packet_ParseBytes(&pktPub, pub.authPolicy.buffer,
- pub.authPolicy.size);
- if (wireSize > pub.authPolicy.size)
- TPM2_Packet_ParseBytes(&pktPub, NULL,
- wireSize - pub.authPolicy.size);
- }
+ wireSize = 0;
+ TPM2_Packet_ParseU16(&pktPub, &wireSize);
+ pub.authPolicy.size = wireSize;
+ if (pub.authPolicy.size >
+ (UINT16)sizeof(pub.authPolicy.buffer)) {
+ pub.authPolicy.size =
+ (UINT16)sizeof(pub.authPolicy.buffer);
+ }
+ TPM2_Packet_ParseBytes(&pktPub, pub.authPolicy.buffer,
+ pub.authPolicy.size);
+ if (wireSize > pub.authPolicy.size)
+ TPM2_Packet_ParseBytes(&pktPub, NULL,
+ wireSize - pub.authPolicy.size);
 TPM2_Packet_ParsePublicParms(&pktPub, pub.type, &pub.parameters);
 TPM2_Packet_ParseEccPoint(&pktPub, &pub.unique.ecc);
@@ -1424,6 +1423,7 @@ int wolfTPM2_SpdmConnectNations(WOLFTPM2_DEV* dev,
 TPM2_Packet pktPub;
 TPMT_PUBLIC pub;
 byte rawPubKey[WOLFSPDM_ECC_POINT_SIZE];
+ UINT16 wireSize;
 XMEMSET(&pub, 0, sizeof(pub));
 pktPub.buf = (byte*)reqPubKey;
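Review bot: When the responder's TPMT_PUBLIC carries an authPolicy longer than `pub.authPolicy.buffer`, the unwrapped code clamps `pub.authPolicy.size`, copies the prefix and skips the rest with `TPM2_Packet_ParseBytes(&pktPub, NULL, ...)`, so parsing continues with a `pub` that no longer matches the bytes on the wire; for a public key received from a peer that is malformed input, and returning the function's parse-error code instead of clamping would be the safer choice, though I cannot see from this hunk what callers later do with `pub.authPolicy`. Whichever behaviour is intended, the block deserves a comment such as `/* clamp oversized authPolicy; remaining wire bytes are skipped so the ECC point still parses */`, since the clamp currently reads like a bounds fix rather than a policy. The same fifteen lines are repeated verbatim in wolfTPM2_SpdmConnectNations (hunk at -1433); a small static helper taking the packet and the authPolicy TPM2B would keep the two from drifting. wolfTPM2_SpdmConnectNuvoton starts and ends outside this hunk.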
@@ -1433,21 +1433,19 @@ int wolfTPM2_SpdmConnectNations(WOLFTPM2_DEV* dev,
 TPM2_Packet_ParseU16(&pktPub, &pub.type);
 TPM2_Packet_ParseU16(&pktPub, &pub.nameAlg);
 TPM2_Packet_ParseU32(&pktPub, &pub.objectAttributes);
- {
- UINT16 wireSize = 0;
- TPM2_Packet_ParseU16(&pktPub, &wireSize);
- pub.authPolicy.size = wireSize;
- if (pub.authPolicy.size >
- (UINT16)sizeof(pub.authPolicy.buffer)) {
- pub.authPolicy.size =
- (UINT16)sizeof(pub.authPolicy.buffer);
- }
- TPM2_Packet_ParseBytes(&pktPub, pub.authPolicy.buffer,
- pub.authPolicy.size);
- if (wireSize > pub.authPolicy.size)
- TPM2_Packet_ParseBytes(&pktPub, NULL,
- wireSize - pub.authPolicy.size);
- }
+ wireSize = 0;
+ TPM2_Packet_ParseU16(&pktPub, &wireSize);
+ pub.authPolicy.size = wireSize;
+ if (pub.authPolicy.size >
+ (UINT16)sizeof(pub.authPolicy.buffer)) {
+ pub.authPolicy.size =
+ (UINT16)sizeof(pub.authPolicy.buffer);
+ }
+ TPM2_Packet_ParseBytes(&pktPub, pub.authPolicy.buffer,
+ pub.authPolicy.size);
+ if (wireSize > pub.authPolicy.size)
+ TPM2_Packet_ParseBytes(&pktPub, NULL,
+ wireSize - pub.authPolicy.size);
 TPM2_Packet_ParsePublicParms(&pktPub, pub.type, &pub.parameters);
 TPM2_Packet_ParseEccPoint(&pktPub, &pub.unique.ecc);
diff --git a/tests/fwtpm_unit_tests.c b/tests/fwtpm_unit_tests.c
index dd7aff30..46fafa9c 100644
--- a/tests/fwtpm_unit_tests.c
+++ b/tests/fwtpm_unit_tests.c
@@ -3020,6 +3020,7 @@ static void test_fwtpm_mldsa_loadexternal_verify(void)
 {
 FWTPM_CTX ctx;
 int rc, rspSize, cmdSz, pos;
+ int pubStart;
 UINT32 handle;
 UINT16 valTag;
@@ -3035,22 +3036,20 @@ static void test_fwtpm_mldsa_loadexternal_verify(void)
 /* Parameters: inPrivate (TPM2B_SENSITIVE, empty) */
 PutU16BE(gCmd + pos, 0); pos += 2;
 /* inPublic (TPM2B_PUBLIC) — TPMT_PUBLIC for Pure MLDSA-44 */
- {
- int pubStart = pos;
- PutU16BE(gCmd + pos, 0); pos += 2; /* size placeholder */
- PutU16BE(gCmd + pos, TPM_ALG_MLDSA); pos += 2; /* type */
- PutU16BE(gCmd + pos, TPM_ALG_SHA256); pos += 2; /* nameAlg */
- PutU32BE(gCmd + pos, 0x00000040); pos += 4; /* attrs: userWithAuth */
- PutU16BE(gCmd + pos, 0); pos += 2; /* authPolicy */
- /* TPMS_MLDSA_PARMS */
- PutU16BE(gCmd + pos, TPM_MLDSA_44); pos += 2;
- gCmd[pos++] = NO; /* allowExternalMu */
- /* unique.mldsa: size + bytes */
- PutU16BE(gCmd + pos, sizeof(gNistMldsa44Pk)); pos += 2;
- memcpy(gCmd + pos, gNistMldsa44Pk, sizeof(gNistMldsa44Pk));
- pos += sizeof(gNistMldsa44Pk);
- PutU16BE(gCmd + pubStart, (UINT16)(pos - pubStart - 2));
- }
+ pubStart = pos;
+ PutU16BE(gCmd + pos, 0); pos += 2; /* size placeholder */
+ PutU16BE(gCmd + pos, TPM_ALG_MLDSA); pos += 2; /* type */
+ PutU16BE(gCmd + pos, TPM_ALG_SHA256); pos += 2; /* nameAlg */
+ PutU32BE(gCmd + pos, 0x00000040); pos += 4; /* attrs: userWithAuth */
+ PutU16BE(gCmd + pos, 0); pos += 2; /* authPolicy */
+ /* TPMS_MLDSA_PARMS */
+ PutU16BE(gCmd + pos, TPM_MLDSA_44); pos += 2;
+ gCmd[pos++] = NO; /* allowExternalMu */
+ /* unique.mldsa: size + bytes */
+ PutU16BE(gCmd + pos, sizeof(gNistMldsa44Pk)); pos += 2;
+ memcpy(gCmd + pos, gNistMldsa44Pk, sizeof(gNistMldsa44Pk));
+ pos += sizeof(gNistMldsa44Pk);
+ PutU16BE(gCmd + pubStart, (UINT16)(pos - pubStart - 2));
 /* hierarchy (TPMI_RH_HIERARCHY+) = TPM_RH_NULL */
 PutU32BE(gCmd + pos, TPM_RH_NULL); pos += 4;
 PutU32BE(gCmd + 2, (UINT32)pos);
@@ -4256,6 +4255,7 @@ static void test_fwtpm_verifydigest_ticket_hmac_eq5_compliance(void)
 int hmacExpectedSz = 0;
 byte metaBytes[2];
 FWTPM_Object* obj;
+ int oi;
 FWTPM_ALLOC_BUF(sig, MAX_MLDSA_SIG_SIZE);
 memset(&ctx, 0, sizeof(ctx));
@@ -4331,13 +4331,10 @@ static void test_fwtpm_verifydigest_ticket_hmac_eq5_compliance(void)
 * Walk the public object table to find keyHandle (FwFindObject is
 * static-local to fwtpm_command.c). */
 obj = NULL;
- {
- int oi;
- for (oi = 0; oi < FWTPM_MAX_OBJECTS; oi++) {
- if (ctx.objects[oi].handle == keyHandle) {
- obj = &ctx.objects[oi];
- break;
- }
+ for (oi = 0; oi < FWTPM_MAX_OBJECTS; oi++) {
+ if (ctx.objects[oi].handle == keyHandle) {
+ obj = &ctx.objects[oi];
+ break;
 }
 }
 AssertNotNull(obj);
@@ -5685,7 +5682,9 @@ static void test_fwtpm_mldsa87_maxbuf(void)
 FWTPM_CTX ctx;
 int rc, rspSize, cmdSz, pos;
 UINT32 handle;
+ UINT32 seqHandle;
 UINT16 sigAlg, sigSz;
+ byte msg[16];
 memset(&ctx, 0, sizeof(ctx));
 AssertIntEQ(fwtpm_test_startup(&ctx), 0);
@@ -5711,40 +5710,37 @@ static void test_fwtpm_mldsa87_maxbuf(void)
 rspSize = 0;
 FWTPM_ProcessCommand(&ctx, gCmd, pos, gRsp, &rspSize, 0);
 AssertIntEQ(GetRspRC(gRsp), TPM_RC_SUCCESS);
- {
- UINT32 seqHandle = GetU32BE(gRsp + TPM2_HEADER_SIZE);
- byte msg[16];
- memset(msg, 0xAB, sizeof(msg));
+ seqHandle = GetU32BE(gRsp + TPM2_HEADER_SIZE);
+ memset(msg, 0xAB, sizeof(msg));
- /* SignSequenceComplete: 2 auth handles + small buffer. */
- pos = 0;
- PutU16BE(gCmd + pos, TPM_ST_SESSIONS); pos += 2;
- PutU32BE(gCmd + pos, 0); pos += 4;
- PutU32BE(gCmd + pos, TPM_CC_SignSequenceComplete); pos += 4;
- PutU32BE(gCmd + pos, seqHandle); pos += 4;
- PutU32BE(gCmd + pos, handle); pos += 4;
- PutU32BE(gCmd + pos, 18); pos += 4;
- PutU32BE(gCmd + pos, TPM_RS_PW); pos += 4;
- PutU16BE(gCmd + pos, 0); pos += 2;
- gCmd[pos++] = 0; PutU16BE(gCmd + pos, 0); pos += 2;
- PutU32BE(gCmd + pos, TPM_RS_PW); pos += 4;
- PutU16BE(gCmd + pos, 0); pos += 2;
- gCmd[pos++] = 0; PutU16BE(gCmd + pos, 0); pos += 2;
- PutU16BE(gCmd + pos, sizeof(msg)); pos += 2;
- memcpy(gCmd + pos, msg, sizeof(msg)); pos += sizeof(msg);
- PutU32BE(gCmd + 2, (UINT32)pos);
- rspSize = 0;
- rc = FWTPM_ProcessCommand(&ctx, gCmd, pos, gRsp, &rspSize, 0);
- AssertIntEQ(rc, TPM_RC_SUCCESS);
- AssertIntEQ(GetRspRC(gRsp), TPM_RC_SUCCESS);
+ /* SignSequenceComplete: 2 auth handles + small buffer. */
+ pos = 0;
+ PutU16BE(gCmd + pos, TPM_ST_SESSIONS); pos += 2;
+ PutU32BE(gCmd + pos, 0); pos += 4;
+ PutU32BE(gCmd + pos, TPM_CC_SignSequenceComplete); pos += 4;
+ PutU32BE(gCmd + pos, seqHandle); pos += 4;
+ PutU32BE(gCmd + pos, handle); pos += 4;
+ PutU32BE(gCmd + pos, 18); pos += 4;
+ PutU32BE(gCmd + pos, TPM_RS_PW); pos += 4;
+ PutU16BE(gCmd + pos, 0); pos += 2;
+ gCmd[pos++] = 0; PutU16BE(gCmd + pos, 0); pos += 2;
+ PutU32BE(gCmd + pos, TPM_RS_PW); pos += 4;
+ PutU16BE(gCmd + pos, 0); pos += 2;
+ gCmd[pos++] = 0; PutU16BE(gCmd + pos, 0); pos += 2;
+ PutU16BE(gCmd + pos, sizeof(msg)); pos += 2;
+ memcpy(gCmd + pos, msg, sizeof(msg)); pos += sizeof(msg);
+ PutU32BE(gCmd + 2, (UINT32)pos);
+ rspSize = 0;
+ rc = FWTPM_ProcessCommand(&ctx, gCmd, pos, gRsp, &rspSize, 0);
+ AssertIntEQ(rc, TPM_RC_SUCCESS);
+ AssertIntEQ(GetRspRC(gRsp), TPM_RC_SUCCESS);
- /* Response: hdr | paramSize | sigAlg | TPM2B { size, bytes }. */
- pos = TPM2_HEADER_SIZE + 4;
- sigAlg = GetU16BE(gRsp + pos); pos += 2;
- AssertIntEQ(sigAlg, TPM_ALG_MLDSA);
- sigSz = GetU16BE(gRsp + pos);
- AssertIntEQ(sigSz, 4627);
- }
+ /* Response: hdr | paramSize | sigAlg | TPM2B { size, bytes }. */
+ pos = TPM2_HEADER_SIZE + 4;
+ sigAlg = GetU16BE(gRsp + pos); pos += 2;
+ AssertIntEQ(sigAlg, TPM_ALG_MLDSA);
+ sigSz = GetU16BE(gRsp + pos);
+ AssertIntEQ(sigSz, 4627);
 BuildCmdHeader(gCmd, TPM_ST_NO_SESSIONS, 14, TPM_CC_FlushContext);
 PutU32BE(gCmd + 10, handle);
@@ -6331,6 +6327,13 @@ static void test_fwtpm_hash(void)
 {
 FWTPM_CTX ctx;
 int rc, rspSize, cmdSz;
+ static const byte expected[] = {
+ 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
+ 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
+ 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
+ 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD
+ };
+ UINT16 digestSz;
 memset(&ctx, 0, sizeof(ctx));
 rc = fwtpm_test_startup(&ctx);
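Review bot: `PutU32BE(gCmd + pos, 18); pos += 4;` writes the authorization-area size as a bare number; the eight lines that follow build exactly two password authorizations of 9 bytes each (4-byte TPM_RS_PW handle, 2-byte empty nonce, 1-byte attributes, 2-byte empty hmac), so the value is right but nothing says how it was derived. A trailing `/* authSize: 2 x (4 + 2 + 1 + 2) */` on that line documents it. Likewise `AssertIntEQ(sigSz, 4627);` pins the ML-DSA-87 signature length without naming it; a short comment or a named constant would tie the number to the parameter set the test is named for. test_fwtpm_mldsa87_maxbuf begins above the hunk and ends below it.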
@@ -6355,18 +6358,10 @@ static void test_fwtpm_hash(void)
 AssertIntGT(rspSize, TPM2_HEADER_SIZE + 2 + 32);
 /* Verify SHA-256("abc") = known value */
- {
- static const byte expected[] = {
- 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
- 0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
- 0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
- 0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD
- };
- UINT16 digestSz = GetU16BE(gRsp + TPM2_HEADER_SIZE);
- AssertIntEQ(digestSz, 32);
- Assert(memcmp(gRsp + TPM2_HEADER_SIZE + 2, expected, 32) == 0,
- ("SHA-256(abc) matches expected"), ("digest mismatch"));
- }
+ digestSz = GetU16BE(gRsp + TPM2_HEADER_SIZE);
+ AssertIntEQ(digestSz, 32);
+ Assert(memcmp(gRsp + TPM2_HEADER_SIZE + 2, expected, 32) == 0,
+ ("SHA-256(abc) matches expected"), ("digest mismatch"));
 FWTPM_Cleanup(&ctx);
 fwtpm_pass("Hash(SHA256, \"abc\"):", 0);
diff --git a/tests/unit_tests.c b/tests/unit_tests.c
index fc4edbbd..9c7f9aa6 100644
--- a/tests/unit_tests.c
+++ b/tests/unit_tests.c
@@ -761,49 +761,43 @@ static void test_TPM2_KDFa_SessionLabels(void)
 .buffer = {0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7, 0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF, 0xD0}
 };
+ const byte expATH[] = {
+ 0x0d, 0x17, 0x5f, 0xf7, 0xac, 0xf9, 0x41, 0x9a,
+ 0x73, 0x75, 0x7c, 0xa6, 0x42, 0x82, 0x49, 0x61,
+ 0xa2, 0xc9, 0x72, 0xd9, 0x13, 0xdc, 0xbf, 0x72,
+ 0x06, 0xe6, 0x73, 0xe7, 0x21, 0x5f, 0x99, 0x6a
+ };
+ const byte expSECRET[] = {
+ 0x1a, 0xc4, 0xc1, 0x34, 0x78, 0x87, 0x67, 0x5e,
+ 0x91, 0xd1, 0xa2, 0xcd, 0xcb, 0xac, 0xdb, 0x62,
+ 0xed, 0x4e, 0xfe, 0x44, 0xed, 0x52, 0x34, 0x3b,
+ 0xf1, 0x87, 0xfb, 0x8b, 0xa9, 0xec, 0x43, 0x59
+ };
+ const byte expDUPLICATE[] = {
+ 0xa3, 0xe5, 0x57, 0xc6, 0x49, 0x4c, 0xe5, 0x4f,
+ 0x45, 0xae, 0xf7, 0x19, 0x4d, 0x9e, 0x21, 0xa2,
+ 0x91, 0xeb, 0x05, 0x2d, 0x43, 0x06, 0x9f, 0xfb,
+ 0x69, 0x67, 0x1f, 0x99, 0x00, 0xb0, 0xcc, 0x39
+ };
 byte key[TEST_KDFA_LABEL_KEYSZ];
 /* Test "ATH" label (session key derivation, TPM 2.0 Part 1 s19.6.8) */
- {
- const byte expATH[] = {
- 0x0d, 0x17, 0x5f, 0xf7, 0xac, 0xf9, 0x41, 0x9a,
- 0x73, 0x75, 0x7c, 0xa6, 0x42, 0x82, 0x49, 0x61,
- 0xa2, 0xc9, 0x72, 0xd9, 0x13, 0xdc, 0xbf, 0x72,
- 0x06, 0xe6, 0x73, 0xe7, 0x21, 0x5f, 0x99, 0x6a
- };
- rc = TPM2_KDFa(TPM_ALG_SHA256, &keyIn, "ATH", &nonceTPM, &nonceCaller,
- key, TEST_KDFA_LABEL_KEYSZ);
- AssertIntEQ(TEST_KDFA_LABEL_KEYSZ, rc);
- AssertIntEQ(XMEMCMP(key, expATH, sizeof(expATH)), 0);
- }
+ rc = TPM2_KDFa(TPM_ALG_SHA256, &keyIn, "ATH", &nonceTPM, &nonceCaller,
+ key, TEST_KDFA_LABEL_KEYSZ);
+ AssertIntEQ(TEST_KDFA_LABEL_KEYSZ, rc);
+ AssertIntEQ(XMEMCMP(key, expATH, sizeof(expATH)), 0);
 /* Test "SECRET" label (salt encryption, TPM 2.0 Part 1 s19.6.8) */
- {
- const byte expSECRET[] = {
- 0x1a, 0xc4, 0xc1, 0x34, 0x78, 0x87, 0x67, 0x5e,
- 0x91, 0xd1, 0xa2, 0xcd, 0xcb, 0xac, 0xdb, 0x62,
- 0xed, 0x4e, 0xfe, 0x44, 0xed, 0x52, 0x34, 0x3b,
- 0xf1, 0x87, 0xfb, 0x8b, 0xa9, 0xec, 0x43, 0x59
- };
- rc = TPM2_KDFa(TPM_ALG_SHA256, &keyIn, "SECRET", &nonceTPM, &nonceCaller,
- key, TEST_KDFA_LABEL_KEYSZ);
- AssertIntEQ(TEST_KDFA_LABEL_KEYSZ, rc);
- AssertIntEQ(XMEMCMP(key, expSECRET, sizeof(expSECRET)), 0);
- }
+ rc = TPM2_KDFa(TPM_ALG_SHA256, &keyIn, "SECRET", &nonceTPM, &nonceCaller,
+ key, TEST_KDFA_LABEL_KEYSZ);
+ AssertIntEQ(TEST_KDFA_LABEL_KEYSZ, rc);
+ AssertIntEQ(XMEMCMP(key, expSECRET, sizeof(expSECRET)), 0);
 /* Test "DUPLICATE" label (key import, TPM 2.0 Part 1 s23.3) */
- {
- const byte expDUPLICATE[] = {
- 0xa3, 0xe5, 0x57, 0xc6, 0x49, 0x4c, 0xe5, 0x4f,
- 0x45, 0xae, 0xf7, 0x19, 0x4d, 0x9e, 0x21, 0xa2,
- 0x91, 0xeb, 0x05, 0x2d, 0x43, 0x06, 0x9f, 0xfb,
- 0x69, 0x67, 0x1f, 0x99, 0x00, 0xb0, 0xcc, 0x39
- };
- rc = TPM2_KDFa(TPM_ALG_SHA256, &keyIn, "DUPLICATE", &nonceTPM, &nonceCaller,
- key, TEST_KDFA_LABEL_KEYSZ);
- AssertIntEQ(TEST_KDFA_LABEL_KEYSZ, rc);
- AssertIntEQ(XMEMCMP(key, expDUPLICATE, sizeof(expDUPLICATE)), 0);
- }
+ rc = TPM2_KDFa(TPM_ALG_SHA256, &keyIn, "DUPLICATE", &nonceTPM, &nonceCaller,
+ key, TEST_KDFA_LABEL_KEYSZ);
+ AssertIntEQ(TEST_KDFA_LABEL_KEYSZ, rc);
+ AssertIntEQ(XMEMCMP(key, expDUPLICATE, sizeof(expDUPLICATE)), 0);
 printf("Test TPM Wrapper: %-40s Passed\n", "KDFa Session Labels:");
 #else
@@ -3541,6 +3535,7 @@ static void test_wolfTPM2_SPDM_Functions(void)
 #endif
 #ifdef WOLFSPDM_NATIONS
 WOLFSPDM_NATIONS_STATUS nStatus;
+ TPM2_AUTH_SESSION nationsOrigSess;
 #endif
 /* Initialize device */
@@ -3645,20 +3640,18 @@ static void test_wolfTPM2_SPDM_Functions(void)
 AssertIntEQ(rc, BAD_FUNC_ARG);
 /* Test 4b: SpdmNationsIdentityKeySet must preserve session[0] */
- {
- TPM2_AUTH_SESSION origSess;
- dev.session[0].sessionHandle = HMAC_SESSION_FIRST;
- dev.session[0].sessionAttributes = 0x27;
- dev.session[0].auth.size = 4;
- XMEMCPY(dev.session[0].auth.buffer, "\x01\x02\x03\x04", 4);
- XMEMCPY(&origSess, &dev.session[0], sizeof(origSess));
-
- /* May fail (no Nations HW) but must restore session[0] */
- (void)wolfTPM2_SpdmNationsIdentityKeySet(&dev, 1);
- AssertIntEQ(dev.session[0].sessionHandle, origSess.sessionHandle);
- AssertIntEQ(dev.session[0].sessionAttributes, origSess.sessionAttributes);
- AssertIntEQ(dev.session[0].auth.size, origSess.auth.size);
- }
+ dev.session[0].sessionHandle = HMAC_SESSION_FIRST;
+ dev.session[0].sessionAttributes = 0x27;
+ dev.session[0].auth.size = 4;
+ XMEMCPY(dev.session[0].auth.buffer, "\x01\x02\x03\x04", 4);
+ XMEMCPY(&nationsOrigSess, &dev.session[0], sizeof(nationsOrigSess));
+
+ /* May fail (no Nations HW) but must restore session[0] */
+ (void)wolfTPM2_SpdmNationsIdentityKeySet(&dev, 1);
+ AssertIntEQ(dev.session[0].sessionHandle, nationsOrigSess.sessionHandle);
+ AssertIntEQ(dev.session[0].sessionAttributes,
+ nationsOrigSess.sessionAttributes);
+ AssertIntEQ(dev.session[0].auth.size, nationsOrigSess.auth.size);
 #endif /* WOLFSPDM_NATIONS */
 wolfTPM2_Cleanup(&dev);