Fenrir fixes

src/tpm2.c

@@ -1069,17 +1069,35 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out)
                 {
                     TPML_TAGGED_PCR_PROPERTY* pcrProp =
                         &out->capabilityData.data.pcrProperties;
-                    TPM2_Packet_ParseU32(&packet, &pcrProp->count);
+                    UINT32 wireCount;
+                    UINT32 tag;
+                    UINT8 wireSizeofSelect;
+                    TPM2_Packet_ParseU32(&packet, &wireCount);
+                    pcrProp->count = wireCount;
                     if (pcrProp->count > MAX_PCR_PROPERTIES)
                         pcrProp->count = MAX_PCR_PROPERTIES;
-                    for (i=0; i<(int)pcrProp->count; i++) {
-                        TPMS_TAGGED_PCR_SELECT* sel = &pcrProp->pcrProperty[i];
-                        TPM2_Packet_ParseU32(&packet, &sel->tag);
-                        TPM2_Packet_ParseU8(&packet, &sel->sizeofSelect);
-                        if (sel->sizeofSelect > PCR_SELECT_MAX)
-                            sel->sizeofSelect = PCR_SELECT_MAX;
-                        TPM2_Packet_ParseBytes(&packet, sel->pcrSelect,
-                            sel->sizeofSelect);
+                    for (i=0; i<(int)wireCount; i++) {
+                        TPM2_Packet_ParseU32(&packet, &tag);
+                        TPM2_Packet_ParseU8(&packet, &wireSizeofSelect);
+                        if (i < (int)pcrProp->count) {
+                            TPMS_TAGGED_PCR_SELECT* sel =
+                                &pcrProp->pcrProperty[i];
+                            sel->tag = tag;
+                            sel->sizeofSelect = wireSizeofSelect;
+                            if (sel->sizeofSelect > PCR_SELECT_MAX)
+                                sel->sizeofSelect = PCR_SELECT_MAX;
+                            TPM2_Packet_ParseBytes(&packet, sel->pcrSelect,
+                                sel->sizeofSelect);
+                            if (wireSizeofSelect > sel->sizeofSelect) {
+                                TPM2_Packet_ParseBytes(&packet, NULL,
+                                    wireSizeofSelect - sel->sizeofSelect);
+                            }
+                        }
+                        else {
+                            /* Skip entries beyond array capacity */
+                            TPM2_Packet_ParseBytes(&packet, NULL,
+                                wireSizeofSelect);
+                        }
                     }
                     break;
                 }

src/tpm2_packet.c

@@ -445,17 +445,34 @@ void TPM2_Packet_AppendPCR(TPM2_Packet* packet, TPML_PCR_SELECTION* pcr)
 void TPM2_Packet_ParsePCR(TPM2_Packet* packet, TPML_PCR_SELECTION* pcr)
 {
     int i;
-    TPM2_Packet_ParseU32(packet, &pcr->count);
+    UINT32 wireCount;
+    UINT16 hash;
+    UINT8 wireSizeofSelect;
+    TPM2_Packet_ParseU32(packet, &wireCount);
+    pcr->count = wireCount;
     if (pcr->count > HASH_COUNT)
         pcr->count = HASH_COUNT;
-    for (i=0; i<(int)pcr->count; i++) {
-        TPM2_Packet_ParseU16(packet, &pcr->pcrSelections[i].hash);
-        TPM2_Packet_ParseU8(packet, &pcr->pcrSelections[i].sizeofSelect);
-        if (pcr->pcrSelections[i].sizeofSelect > PCR_SELECT_MIN)
-            pcr->pcrSelections[i].sizeofSelect = PCR_SELECT_MIN;
-        TPM2_Packet_ParseBytes(packet,
-            pcr->pcrSelections[i].pcrSelect,
-            pcr->pcrSelections[i].sizeofSelect);
+    for (i = 0; i < (int)wireCount; i++) {
+        TPM2_Packet_ParseU16(packet, &hash);
+        TPM2_Packet_ParseU8(packet, &wireSizeofSelect);
+        if (i < (int)pcr->count) {
+            pcr->pcrSelections[i].hash = hash;
+            pcr->pcrSelections[i].sizeofSelect = wireSizeofSelect;
+            if (pcr->pcrSelections[i].sizeofSelect > PCR_SELECT_MIN)
+                pcr->pcrSelections[i].sizeofSelect = PCR_SELECT_MIN;
+            TPM2_Packet_ParseBytes(packet,
+                pcr->pcrSelections[i].pcrSelect,
+                pcr->pcrSelections[i].sizeofSelect);
+            /* Skip excess select bytes */
+            if (wireSizeofSelect > pcr->pcrSelections[i].sizeofSelect) {
+                TPM2_Packet_ParseBytes(packet, NULL,
+                    wireSizeofSelect - pcr->pcrSelections[i].sizeofSelect);
+            }
+        }
+        else {
+            /* Skip entire entry for overflow iterations */
+            TPM2_Packet_ParseBytes(packet, NULL, wireSizeofSelect);
+        }
     }
 }
 

src/tpm2_param_enc.c

@@ -196,7 +196,7 @@ int TPM2_KDFa(
 
 
 /* Perform XOR encryption over the first parameter of a TPM packet */
-static int TPM2_ParamEnc_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey,
+int TPM2_ParamEnc_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey,
     TPM2B_AUTH* bindKey, TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM,
     BYTE *paramData, UINT32 paramSz)
 {
@@ -259,7 +259,7 @@ static int TPM2_ParamEnc_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey,
 }
 
 /* Perform XOR decryption over the first parameter of a TPM packet */
-static int TPM2_ParamDec_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey,
+int TPM2_ParamDec_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey,
     TPM2B_AUTH* bindKey, TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM,
     BYTE *paramData, UINT32 paramSz)
 {
@@ -322,7 +322,7 @@ static int TPM2_ParamDec_XOR(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey,
 
 #if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFSSL_AES_CFB)
 /* Perform AES CFB encryption over the first parameter of a TPM packet */
-static int TPM2_ParamEnc_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey,
+int TPM2_ParamEnc_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey,
     TPM2B_AUTH* bindKey, TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM,
     BYTE *paramData, UINT32 paramSz)
 {
@@ -396,7 +396,7 @@ static int TPM2_ParamEnc_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey,
 }
 
 /* Perform AES CFB decryption over the first parameter of a TPM packet */
-static int TPM2_ParamDec_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey,
+int TPM2_ParamDec_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* sessKey,
     TPM2B_AUTH* bindKey, TPM2B_NONCE* nonceCaller, TPM2B_NONCE* nonceTPM,
     BYTE *paramData, UINT32 paramSz)
 {

src/tpm2_wrap.c

@@ -6805,6 +6805,7 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
     #ifdef DEBUG_WOLFTPM
         printf("TPM2_Create key failed %d: %s\n", rc, wolfTPM2_GetRCString(rc));
     #endif
+        TPM2_ForceZero(&createIn.inSensitive, sizeof(createIn.inSensitive));
         return rc;
     }
 
@@ -6827,6 +6828,8 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
     #ifdef DEBUG_WOLFTPM
         printf("TPM2_Load key failed %d: %s\n", rc, wolfTPM2_GetRCString(rc));
     #endif
+        TPM2_ForceZero(&createIn.inSensitive,
+            sizeof(createIn.inSensitive));
         return rc;
     }
     key->handle.hndl = loadOut.objectHandle;
@@ -7894,6 +7897,7 @@ int wolfTPM2_CreateKeySeal_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEYBLOB* keyBlob,
         printf("wolfTPM2_CreateKeySeal failed %d: %s\n",
             rc, wolfTPM2_GetRCString(rc));
     #endif
+        TPM2_ForceZero(&createIn.inSensitive, sizeof(createIn.inSensitive));
         return rc;
     }