Test Mutations, Unit tests, ForceZero Unification, and Fixes for wolfTPM#480
Merged
dgarske merged 37 commits intowolfSSL:masterfrom Apr 15, 2026
Merged
Test Mutations, Unit tests, ForceZero Unification, and Fixes for wolfTPM#480dgarske merged 37 commits intowolfSSL:masterfrom
dgarske merged 37 commits intowolfSSL:masterfrom
Conversation
…n.digest.size in TPM2_VerifySignature response parsing to prevent heap buffer overflow
…y.size in wolfTPM2_SpdmConnectNuvoton and wolfTPM2_SpdmConnectNations to prevent stack buffer overflow
…SensitiveToPrivate pinning KDFa STORAGE and INTEGRITY labels with test vector
…wolfTPM2_PolicyAuthValue verifying auth placed at authDigestSz offset preserving HMAC key slot
…ors for ATH, SECRET, and DUPLICATE labels pinning TPM 2.0 spec-mandated session key derivation labels F-2954 - https://fenrir.wolfssl.com/finding/2954 - Add KDFa test vector for SECRET label F-2955 - https://fenrir.wolfssl.com/finding/2955 - Add KDFa test vector for DUPLICATE label
…wolfTPM2_SetAuthHandle policyAuth branch verifying auth placed at authDigestSz offset F-2959 - https://fenrir.wolfssl.com/finding/2959 - Add unit test for wolfTPM2_SetAuthHandleName policyAuth branch verifying auth placed at authDigestSz offset
…adding in wolfTPM2_CreatePrimaryKey_ex to pass auth as-is matching wolfTPM2_CreateKey behavior
…stead of silently truncating auth values in wolfTPM2_SetAuth, wolfTPM2_CreateKey, wolfTPM2_ChangeAuthKey, wolfTPM2_SetAuthHandleName, wolfTPM2_CreatePrimaryKey_ex, wolfTPM2_CreateLoadedKey, and wolfTPM2_PolicyPassword
…match check outside DEBUG_WOLFTPM guard so it executes in all builds
…for count and sizeofSelect in TPM2_Packet_AppendPCR matching parse-side validation
…pendSymmetric in TPM2_Duplicate to correctly handle TPM_ALG_NULL and TPM_ALG_XOR symmetric algorithms
…yHash boundary check from cc > TPM_CC_FIRST to cc >= TPM_CC_FIRST and add unit test covering cc=0, cc=TPM_CC_FIRST, and cc=TPM_CC_PolicyPCR
…V auth password in wolfTPM2_NVCreateAuthPolicy on all exit paths
…V write data buffer in wolfTPM2_NVWriteData before return
…V read output buffer in wolfTPM2_NVReadAuthPolicy before return
…ymmetric seed in wolfTPM2_ImportPrivateKey on all exit paths
…uth password in wolfTPM2_CreateLoadedKey on all exit path
… redundant alreadyExists check in wolfTPM2_NVCreateAuthPolicy
…efore accessing BIT STRING content in TPM2_ASN_DecodeX509Cert to prevent OOB read on zero-length fields
… parent parameter in wolfTPM2_NVCreateAuthPolicy to prevent NULL pointer dereference
… of TPM2_GetName return codes with sequential error checking in TPM2_CommandProcess
…aller size in XMEMCPY in wolfTPM2_StartSession instead of original unclamped value
…heck before serializing inScheme details in TPM2_Certify, TPM2_CertifyCreation, TPM2_Quote, TPM2_GetSessionAuditDigest, TPM2_GetCommandAuditDigest, TPM2_GetTime, and TPM2_NV_Certify
…pendSymmetric and TPM2_Packet_ParseSymmetric for SYMCIPHER case in AppendPublicParms and ParsePublicParms
…erived identity auth digest in wolfTPM2_SetIdentityAuth before return
…ew auth password in wolfTPM2_ChangeAuthKey on all exit paths
…ocal keyBlob in wolfTPM2_LoadRsaPrivateKey_ex, wolfTPM2_LoadEccPrivateKey, and wolfTPM2_CreateAndLoadKey
…uth password in wolfTPM2_CreateKey on all exit paths
…uth password in wolfTPM2_CreatePrimaryKey_ex on all exit paths
…CC private key in wolfTPM2_SpdmConnectNations error path after wc_ecc_export_public_raw failure
…SS padded buffer in wolfTPM2_PK_RsaPssSign before scope exit
…uth in wolfTPM2_HmacStart on all exit paths
…ey material at early return in wolfTPM2_LoadKeyedHashKey
…ession auth in wolfTPM2_UnloadHandles before return
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
aidangarske
requested review from
Copilot and
dgarske
and removed request for
Copilot
dgarske
requested changes
Apr 14, 2026
…padding in wolfTPM2_CreatePrimaryKey_ex and add matching padding to wolfTPM2_CreateKey and wolfTPM2_CreateLoadedKey for consistent auth handling
aidangarske
requested review from
Copilot and
dgarske
and removed request for
Copilot
dgarske
approved these changes
Apr 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two passes of skoll review already nothing substantial