Fix for endorsement high range to use zero unique size.

wolfSSL · Jul 25, 2024 · 5d04a38 · 5d04a38
1 parent d27256a
commit 5d04a38
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 23 deletions.
diff --git a/examples/endorsement/get_ek_certs.c b/examples/endorsement/get_ek_certs.c
@@ -222,6 +222,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
     #endif
 
         wolfTPM2_UnloadHandle(&dev, &endorse.handle);
+        XMEMSET(&endorse, 0, sizeof(endorse));
     }
 
 exit:

diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -5881,40 +5881,49 @@ int wolfTPM2_GetKeyTemplate_EK(TPMT_PUBLIC* publicTemplate, TPM_ALG_ID alg,
     if (alg == TPM_ALG_RSA) {
         rc = GetKeyTemplateRSA(publicTemplate, nameAlg,
             objectAttributes, keyBits, 0, TPM_ALG_NULL, TPM_ALG_NULL);
+        if (rc == 0 && highRange) { /* high range uses 0 unique size */
+            publicTemplate->unique.rsa.size = 0;
+        }
     }
     else if (alg == TPM_ALG_ECC) {
         rc = GetKeyTemplateECC(publicTemplate, nameAlg,
             objectAttributes, curveID, TPM_ALG_NULL, TPM_ALG_NULL);
+        if (rc == 0 && highRange) { /* high range uses 0 unique size */
+            publicTemplate->unique.ecc.x.size = 0;
+            publicTemplate->unique.ecc.y.size = 0;
+        }
 
     }
     else {
         rc = BAD_FUNC_ARG; /* not yet supported */
     }
 
-    if (nameAlg == TPM_ALG_SHA256 && !highRange) {
-        publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY);
-        XMEMCPY(publicTemplate->authPolicy.buffer,
-            TPM_20_EK_AUTH_POLICY, publicTemplate->authPolicy.size);
-    }
-    else if (nameAlg == TPM_ALG_SHA256) {
-        publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA256);
-        XMEMCPY(publicTemplate->authPolicy.buffer,
-            TPM_20_EK_AUTH_POLICY_SHA256, publicTemplate->authPolicy.size);
-    }
-#ifdef WOLFSSL_SHA384
-    else if (nameAlg == TPM_ALG_SHA384) {
-        publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA384);
-        XMEMCPY(publicTemplate->authPolicy.buffer,
-            TPM_20_EK_AUTH_POLICY_SHA384, publicTemplate->authPolicy.size);
-    }
-#endif
-#ifdef WOLFSSL_SHA512
-    else if (nameAlg == TPM_ALG_SHA512) {
-        publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA512);
-        XMEMCPY(publicTemplate->authPolicy.buffer,
-            TPM_20_EK_AUTH_POLICY_SHA512, publicTemplate->authPolicy.size);
+    if (rc == 0) {
+        if (nameAlg == TPM_ALG_SHA256 && !highRange) {
+            publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY);
+            XMEMCPY(publicTemplate->authPolicy.buffer,
+                TPM_20_EK_AUTH_POLICY, publicTemplate->authPolicy.size);
+        }
+        else if (nameAlg == TPM_ALG_SHA256) {
+            publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA256);
+            XMEMCPY(publicTemplate->authPolicy.buffer,
+                TPM_20_EK_AUTH_POLICY_SHA256, publicTemplate->authPolicy.size);
+        }
+    #ifdef WOLFSSL_SHA384
+        else if (nameAlg == TPM_ALG_SHA384) {
+            publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA384);
+            XMEMCPY(publicTemplate->authPolicy.buffer,
+                TPM_20_EK_AUTH_POLICY_SHA384, publicTemplate->authPolicy.size);
+        }
+    #endif
+    #ifdef WOLFSSL_SHA512
+        else if (nameAlg == TPM_ALG_SHA512) {
+            publicTemplate->authPolicy.size = sizeof(TPM_20_EK_AUTH_POLICY_SHA512);
+            XMEMCPY(publicTemplate->authPolicy.buffer,
+                TPM_20_EK_AUTH_POLICY_SHA512, publicTemplate->authPolicy.size);
+        }
+    #endif
     }
-#endif
 
     return rc;
 }
-Original file line number
+Diff line change
@@ Expand Up @@
         #endif
             wolfTPM2_UnloadHandle(&dev, &endorse.handle);
+            XMEMSET(&endorse, 0, sizeof(endorse));
         }
     exit:
@@ Expand Down @@