Skip to content

Add empty brace scope CI scan #507

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
aidangarske wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add empty brace scope CI scan #507

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6b82a08
Add empty brace scope CI scan
aidangarske May 15, 2026
1e63939
Fix empty brace scope scan findings
aidangarske May 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions .github/workflows/empty-brace-scan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: Empty Brace Scope Scan

on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:
branches: [ '**' ]
repository_dispatch:
types: [nightly-trigger]
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
empty-brace-scan:
name: Empty Brace Scope Scan
runs-on: ubuntu-22.04
timeout-minutes: 5
steps:
- name: Checkout wolfTPM
uses: actions/checkout@v4

- name: Check for bare C scope blocks
run: |
# Bare scope blocks are disallowed. If one is truly required, document
# the exception directly above the brace or on the brace line:
# /* empty-brace-scan: allow - required because <specific reason> */
python3 scripts/check-empty-brace-scopes.py
18 changes: 9 additions & 9 deletions examples/keygen/external_import.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,14 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
TPMI_ALG_PUBLIC alg = TPM_ALG_RSA;
const char* keyblobFile = "keyblob.bin";
int loadKeyBlob = 0;
#ifdef USE_TEST_SEED
const byte custSeed[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
};
#endif

if (argc >= 2) {
if (XSTRCMP(argv[1], "-?") == 0 ||
Expand Down Expand Up @@ -167,15 +175,7 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
#ifndef USE_TEST_SEED
TPM2_GetNonce(seedValue.buffer, seedValue.size);
#else
{
const byte custSeed[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
};
XMEMCPY(seedValue.buffer, custSeed, seedValue.size);
}
XMEMCPY(seedValue.buffer, custSeed, seedValue.size);
#endif
printf("Import Seed %d\n", seedValue.size);
TPM2_PrintBin(seedValue.buffer, seedValue.size);
Expand Down
15 changes: 7 additions & 8 deletions examples/seal/seal_pcr.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -245,6 +245,7 @@ int TPM2_Seal_PCR_Example(void* userCtx, int argc, char *argv[])
/* ---- UNSEAL ---- */
if (doUnseal) {
WOLFTPM2_SESSION policySession;
word32 sessionAttrs;
XMEMSET(&policySession, 0, sizeof(policySession));

printf("\nUnsealing secret...\n");
Expand Down Expand Up @@ -296,15 +297,13 @@ int TPM2_Seal_PCR_Example(void* userCtx, int argc, char *argv[])
}

/* Step 4: Use policy session for unseal (with param enc if set) */
{
word32 sessionAttrs = TPMA_SESSION_continueSession;
if (paramEncAlg != TPM_ALG_NULL) {
sessionAttrs |= (TPMA_SESSION_decrypt |
TPMA_SESSION_encrypt);
}
rc = wolfTPM2_SetAuthSession(&dev, 0, &policySession,
sessionAttrs);
sessionAttrs = TPMA_SESSION_continueSession;
if (paramEncAlg != TPM_ALG_NULL) {
sessionAttrs |= (TPMA_SESSION_decrypt |
TPMA_SESSION_encrypt);
}
rc = wolfTPM2_SetAuthSession(&dev, 0, &policySession,
sessionAttrs);
if (rc != 0) {
wolfTPM2_UnloadHandle(&dev, &policySession.handle);
wolfTPM2_UnloadHandle(&dev, &sealBlob.handle);
Expand Down
15 changes: 7 additions & 8 deletions examples/seal/seal_policy_auth.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -302,6 +302,7 @@ int TPM2_Seal_PolicyAuth_Example(void* userCtx, int argc, char *argv[])
TPMI_ALG_SIG_SCHEME sigAlg;
byte* policyRef = NULL;
word32 policyRefSz = 0;
word32 sessionAttrs;

XMEMSET(&policySession, 0, sizeof(policySession));
XMEMSET(&checkTicket, 0, sizeof(checkTicket));
Expand Down Expand Up @@ -461,15 +462,13 @@ int TPM2_Seal_PolicyAuth_Example(void* userCtx, int argc, char *argv[])
wolfTPM2_UnloadHandle(&dev, &authKeyBlob.handle);

/* Step 9: Unseal using the policy session (with param enc if set) */
{
word32 sessionAttrs = TPMA_SESSION_continueSession;
if (paramEncAlg != TPM_ALG_NULL) {
sessionAttrs |= (TPMA_SESSION_decrypt |
TPMA_SESSION_encrypt);
}
rc = wolfTPM2_SetAuthSession(&dev, 0, &policySession,
sessionAttrs);
sessionAttrs = TPMA_SESSION_continueSession;
if (paramEncAlg != TPM_ALG_NULL) {
sessionAttrs |= (TPMA_SESSION_decrypt |
TPMA_SESSION_encrypt);
}
rc = wolfTPM2_SetAuthSession(&dev, 0, &policySession,
sessionAttrs);
if (rc != 0) {
wolfTPM2_UnloadHandle(&dev, &policySession.handle);
wolfTPM2_UnloadHandle(&dev, &sealBlob.handle);
Expand Down
56 changes: 29 additions & 27 deletions examples/tls/tls_client.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,11 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
WOLFTPM2_SESSION tpmSession;
TPMT_PUBLIC publicTemplate;
word32 port = TLS_PORT;
#ifndef NO_TLS_MUTUAL_AUTH
byte der[1024];
word32 derSz;
void* pkey = NULL;
#endif

/* initialize variables */
XMEMSET(&storageKey, 0, sizeof(storageKey));
Expand Down Expand Up @@ -426,34 +431,31 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
* public key instead (if crypto callbacks are enabled).
*/
#ifndef NO_TLS_MUTUAL_AUTH
{
/* Export TPM public key as DER */
byte der[1024];
word32 derSz = (word32)sizeof(der);
#if defined(HAVE_ECC) && !defined(NO_RSA)
void* pkey = !useECC ? &rsaKey : &eccKey;
#elif !defined(NO_RSA)
void* pkey = &rsaKey;
#elif defined(HAVE_ECC)
void* pkey = &eccKey;
#else
void* pkey = NULL;
#endif
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, (WOLFTPM2_KEY*)pkey,
ENCODING_TYPE_ASN1, der, &derSz);
if (rc < 0) {
printf("Failed to export TPM public key!\n");
goto exit;
}
/* Export TPM public key as DER */
derSz = (word32)sizeof(der);
#if defined(HAVE_ECC) && !defined(NO_RSA)
pkey = !useECC ? &rsaKey : &eccKey;
#elif !defined(NO_RSA)
pkey = &rsaKey;
#elif defined(HAVE_ECC)
pkey = &eccKey;
#else
pkey = NULL;
#endif
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, (WOLFTPM2_KEY*)pkey,
ENCODING_TYPE_ASN1, der, &derSz);
if (rc < 0) {
printf("Failed to export TPM public key!\n");
goto exit;
}

/* Private key only exists on the TPM and crypto callbacks are used for
* signing. Public key is required to enable TLS client (mutual auth).
* This API accepts public keys when crypto callbacks are enabled */
if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
printf("Failed to set RSA key!\n");
goto exit;
}
/* Private key only exists on the TPM and crypto callbacks are used for
* signing. Public key is required to enable TLS client (mutual auth).
* This API accepts public keys when crypto callbacks are enabled */
if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
printf("Failed to set RSA key!\n");
goto exit;
}

/* Client Certificate (Mutual Authentication) */
Expand Down
10 changes: 5 additions & 5 deletions examples/tls/tls_common.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,9 @@ static inline int SockIORecv(WOLFSSL* ssl, char* buff, int sz, void* ctx)
{
SockIoCbCtx* sockCtx = (SockIoCbCtx*)ctx;
int recvd;
#ifdef TLS_BENCH_MODE
const double zeroVal = 0.0;
#endif

(void)ssl;

Expand Down Expand Up @@ -147,11 +150,8 @@ static inline int SockIORecv(WOLFSSL* ssl, char* buff, int sz, void* ctx)
}

#ifdef TLS_BENCH_MODE
{
const double zeroVal = 0.0;
if (XMEMCMP(&benchStart, &zeroVal, sizeof(double)) == 0) {
benchStart = gettime_secs(1);
}
if (XMEMCMP(&benchStart, &zeroVal, sizeof(double)) == 0) {
benchStart = gettime_secs(1);
}
#endif

Expand Down
54 changes: 27 additions & 27 deletions examples/tls/tls_server.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,9 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
WOLFTPM2_SESSION tpmSession;
TPMT_PUBLIC publicTemplate;
word32 port = TLS_PORT;
byte der[1024];
word32 derSz;
void* pkey = NULL;

/* initialize variables */
XMEMSET(&storageKey, 0, sizeof(storageKey));
Expand Down Expand Up @@ -447,34 +450,31 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
#endif /* !NO_FILESYSTEM */


{
/* Export TPM public key as DER */
byte der[1024];
word32 derSz = (word32)sizeof(der);
#if defined(HAVE_ECC) && !defined(NO_RSA)
void* pkey = !useECC ? &rsaKey : &eccKey;
#elif !defined(NO_RSA)
void* pkey = &rsaKey;
#elif defined(HAVE_ECC)
void* pkey = &eccKey;
#else
void* pkey = NULL;
#endif
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, (WOLFTPM2_KEY*)pkey,
ENCODING_TYPE_ASN1, der, &derSz);
if (rc < 0) {
printf("Failed to export TPM public key!\n");
goto exit;
}
/* Export TPM public key as DER */
derSz = (word32)sizeof(der);
#if defined(HAVE_ECC) && !defined(NO_RSA)
pkey = !useECC ? &rsaKey : &eccKey;
#elif !defined(NO_RSA)
pkey = &rsaKey;
#elif defined(HAVE_ECC)
pkey = &eccKey;
#else
pkey = NULL;
#endif
rc = wolfTPM2_ExportPublicKeyBuffer(&dev, (WOLFTPM2_KEY*)pkey,
ENCODING_TYPE_ASN1, der, &derSz);
if (rc < 0) {
printf("Failed to export TPM public key!\n");
goto exit;
}

/* Private key only exists on the TPM and crypto callbacks are used for
* signing. Public key is required to enable TLS client (mutual auth).
* This API accepts public keys when crypto callbacks are enabled */
if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
printf("Failed to set RSA key!\n");
goto exit;
}
/* Private key only exists on the TPM and crypto callbacks are used for
* signing. Public key is required to enable TLS client (mutual auth).
* This API accepts public keys when crypto callbacks are enabled */
if (wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
printf("Failed to set RSA key!\n");
goto exit;
}

/* Server certificate */
Expand Down
61 changes: 29 additions & 32 deletions examples/wrap/wrap_test.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,8 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
TPM2B_ECC_POINT pubPoint;
#ifndef WOLFTPM_WINAPI
word32 nvAttributes = 0;
WOLFTPM2_HANDLE parent;
WOLFTPM2_NV nv;
#endif
#ifdef WOLFTPM_CRYPTOCB
TpmCryptoDevCtx tpmCtx;
Expand Down Expand Up @@ -753,47 +755,42 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
/*------------------------------------------------------------------------*/
/* NV with Auth (preferred API's) */
#ifndef WOLFTPM_WINAPI
{
WOLFTPM2_HANDLE parent;
WOLFTPM2_NV nv;
XMEMSET(&parent, 0, sizeof(parent));
parent.hndl = TPM_RH_OWNER;

XMEMSET(&parent, 0, sizeof(parent));
parent.hndl = TPM_RH_OWNER;

rc = wolfTPM2_GetNvAttributesTemplate(parent.hndl, &nvAttributes);
if (rc != 0) goto exit;
rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
nvAttributes, TPM2_DEMO_NV_TEST_SIZE, (byte*)gNvAuth, sizeof(gNvAuth)-1);
if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;

wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);
rc = wolfTPM2_GetNvAttributesTemplate(parent.hndl, &nvAttributes);
if (rc != 0) goto exit;
rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
nvAttributes, TPM2_DEMO_NV_TEST_SIZE, (byte*)gNvAuth, sizeof(gNvAuth)-1);
if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;

message.size = TPM2_DEMO_NV_TEST_SIZE; /* test message 0x11,0x11,etc */
XMEMSET(message.buffer, 0x11, message.size);
rc = wolfTPM2_NVWriteAuth(&dev, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
message.buffer, message.size, 0);
if (rc != 0) goto exit;
wolfTPM2_SetAuthHandle(&dev, 0, &nv.handle);

plain.size = TPM2_DEMO_NV_TEST_SIZE;
rc = wolfTPM2_NVReadAuth(&dev, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
plain.buffer, (word32*)&plain.size, 0);
if (rc != 0) goto exit;
message.size = TPM2_DEMO_NV_TEST_SIZE; /* test message 0x11,0x11,etc */
XMEMSET(message.buffer, 0x11, message.size);
rc = wolfTPM2_NVWriteAuth(&dev, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
message.buffer, message.size, 0);
if (rc != 0) goto exit;

rc = wolfTPM2_NVReadPublic(&dev, TPM2_DEMO_NV_TEST_AUTH_INDEX, NULL);
if (rc != 0) goto exit;
plain.size = TPM2_DEMO_NV_TEST_SIZE;
rc = wolfTPM2_NVReadAuth(&dev, &nv, TPM2_DEMO_NV_TEST_AUTH_INDEX,
plain.buffer, (word32*)&plain.size, 0);
if (rc != 0) goto exit;

rc = wolfTPM2_NVDeleteAuth(&dev, &parent, TPM2_DEMO_NV_TEST_AUTH_INDEX);
if (rc != 0) goto exit;
rc = wolfTPM2_NVReadPublic(&dev, TPM2_DEMO_NV_TEST_AUTH_INDEX, NULL);
if (rc != 0) goto exit;

if (message.size != plain.size ||
XMEMCMP(message.buffer, plain.buffer, message.size) != 0) {
rc = TPM_RC_TESTING; goto exit;
}
rc = wolfTPM2_NVDeleteAuth(&dev, &parent, TPM2_DEMO_NV_TEST_AUTH_INDEX);
if (rc != 0) goto exit;

printf("NV Test (with auth) on index 0x%x with %d bytes passed\n",
TPM2_DEMO_NV_TEST_AUTH_INDEX, TPM2_DEMO_NV_TEST_SIZE);
if (message.size != plain.size ||
XMEMCMP(message.buffer, plain.buffer, message.size) != 0) {
rc = TPM_RC_TESTING; goto exit;
}

printf("NV Test (with auth) on index 0x%x with %d bytes passed\n",
TPM2_DEMO_NV_TEST_AUTH_INDEX, TPM2_DEMO_NV_TEST_SIZE);

/* NV Tests (older API's without auth) */
rc = wolfTPM2_GetNvAttributesTemplate(TPM_RH_OWNER, &nvAttributes);
if (rc != 0) goto exit;
Expand Down
Loading
Loading