wolfTPM v3.4.0 release

CMakeLists.txt

@@ -21,7 +21,7 @@
 
 cmake_minimum_required(VERSION 3.16)
 
-project(wolfTPM VERSION 3.2.0 LANGUAGES C)
+project(wolfTPM VERSION 3.4.0 LANGUAGES C)
 
 set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
 set(WOLFTPM_DEFINITIONS)

ChangeLog.md

@@ -1,5 +1,32 @@
 # Release Notes
 
+## wolfTPM Release 3.4.0 (July 30, 2024)
+
+**Summary**
+
+Added Endorsement Key Certificate support. Added support for NV read/write with policy. Added policy password support. Refactor of the session authentication structures.
+
+**Detail**
+
+* Added EK Certificate Support (PR #360)
+  - Added new API's `wolfTPM2_GetKeyTemplate_EK` and `wolfTPM2_GetKeyTemplate_EK` for getting EK public templates used for generating the EK primary key.
+  - Added `examples/endorsement/get_ek_certs` for showing how to retrieve and validate the manufacturers endorsement key certificates.
+* Improvements to auth handling to support Policy Password and Policy Auth Value (PR #350)
+  - Refactor to eliminate confusing cast between TPMS_AUTH_COMMAND and TPM2_AUTH_SESSION.
+  - Support for policy auth value and policy password.
+  - Add new NV policy write/read API's `wolfTPM2_NVWriteAuthPolicy` and `wolfTPM2_NVReadAuthPolicy`.
+* Fixed ST33KTPM IAK/IDevID provisioning NV indexes. (PR #361)
+* Fixed TLS example build issues with wolfSSL not having crypto callback or PK callback enabled. (PR #360)
+* Fixed CSR version (use version 0) (PR #359)
+* Fixed issue with Doxygen generation of wolfTPM due to doxybook2 crashing on unnamed enum. (PR #357)
+* Fixed HMAC session save last (not typically used) (PR #355)
+* Fixed Infineon I2C HAL gating logic (PR #347)
+* Added documentation for IAK/IDevID build options. (PR #361)
+* Added support for Espressif IDE (see IDE/Espressif) (PR #321)
+* Added tests for create_primary (PR #345)
+* Improved software TPM (docs/SWTPM.md) documentation (PR #348)
+
+
 ## wolfTPM Release 3.2.0 (Apr 24, 2024)
 
 **Summary**

IDE/VisualStudio/user_settings.h

@@ -46,6 +46,7 @@ extern "C" {
 /* TPM */
 #define WOLFSSL_AES_CFB /* required for parameter encryption */
 #define WOLFSSL_PUBLIC_MP /* expose mp_ math functions - required for tpm ECC secret encrypt */
+#define WOLFTPM_AUTODETECT /* support any TPM model (unknown/safe options) */
 
 /* Callbacks */
 #define WOLF_CRYPTO_CB

IDE/VisualStudio/wolftpm.vcxproj

@@ -212,6 +212,7 @@
       <SubSystem>
       </SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>tbs.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
@@ -254,6 +255,7 @@
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
       <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>tbs.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
@@ -289,6 +291,7 @@
       <SubSystem>
       </SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>tbs.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@@ -329,6 +332,7 @@
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
       <GenerateDebugInformation>DebugFull</GenerateDebugInformation>
+      <AdditionalDependencies>tbs.lib;%(AdditionalDependencies)</AdditionalDependencies>
     </Link>
   </ItemDefinitionGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />

configure.ac

@@ -1,9 +1,9 @@
 # wolftpm
-# Copyright (C) 2021 wolfSSL Inc.
+# Copyright (C) 2024 wolfSSL Inc.
 # All right reserved.
 
-AC_COPYRIGHT([Copyright (C) 2014-2021 wolfSSL Inc.])
-AC_INIT([wolftpm],[3.2.0],[https://github.com/wolfssl/wolfTPM/issues],[wolftpm],[http://www.wolfssl.com])
+AC_COPYRIGHT([Copyright (C) 2014-2024 wolfSSL Inc.])
+AC_INIT([wolftpm],[3.4.0],[https://github.com/wolfssl/wolfTPM/issues],[wolftpm],[http://www.wolfssl.com])
 
 AC_PREREQ([2.63])
 AC_CONFIG_AUX_DIR([build-aux])
@@ -28,7 +28,7 @@ AC_ARG_PROGRAM
 
 AC_CONFIG_HEADERS([src/config.h])
 
-WOLFTPM_LIBRARY_VERSION=16:2:0
+WOLFTPM_LIBRARY_VERSION=16:3:0
 #                        | | |
 #                 +------+ | +---+
 #                 |        |     |

examples/endorsement/get_ek_certs.c

@@ -38,7 +38,9 @@
 
 #ifndef WOLFTPM2_NO_WOLFCRYPT
     #include <wolfssl/wolfcrypt/asn.h>
+    #if !defined(WOLFCRYPT_ONLY)
     #include "trusted_certs.h"
+    #endif
 #endif
 
 /******************************************************************************/
@@ -89,7 +91,7 @@ static void show_ek_public(const TPM2B_PUBLIC* pub)
     }
     else if (pub->publicArea.type == TPM_ALG_ECC) {
         const char* curveName = "NULL";
-    #ifndef WOLFTPM2_NO_WOLFCRYPT
+    #if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC)
         curveName = wc_ecc_get_name(
             TPM2_GetWolfCurve(pub->publicArea.parameters.eccDetail.curveID));
     #endif
@@ -153,8 +155,8 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
     TPMT_PUBLIC publicTemplate;
     word32 nvIndex;
 #ifndef WOLFTPM2_NO_WOLFCRYPT
-    int i;
     #ifndef WOLFCRYPT_ONLY
+    int i;
     WOLFSSL_CERT_MANAGER* cm = NULL;
     #endif
     DecodedCert cert;
@@ -351,9 +353,10 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
             rc = wc_DerToPem(certBuf, certSz, NULL, 0, CERT_TYPE);
             if (rc > 0) { /* returns actual PEM size */
                 pemSz = (word32)rc;
-                rc = 0;
-
                 pemSz++; /* for '\0'*/
+                rc = 0;
+            }
+            if (rc == 0) {
                 pem = (char*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
                 if (pem == NULL) {
                     rc = MEMORY_E;

examples/keygen/external_import.c

@@ -88,8 +88,13 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
     WOLFTPM2_DEV dev;
     WOLFTPM2_KEY storage; /* SRK */
     WOLFTPM2_KEY *primary;
+#ifndef WOLFTPM2_NO_HEAP
     WOLFTPM2_KEYBLOB* key2;
     WOLFTPM2_KEYBLOB* rsaKey3;
+#else
+    WOLFTPM2_KEYBLOB key2[1];
+    WOLFTPM2_KEYBLOB rsaKey3[1];
+#endif
     TPM2B_DIGEST seedValue;
     TPMT_PUBLIC publicTemplate3;
     TPMA_OBJECT attributes;
@@ -122,8 +127,10 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
         argc--;
     }
 
+#ifndef WOLFTPM2_NO_HEAP
     key2 = wolfTPM2_NewKeyBlob();
     rsaKey3 = wolfTPM2_NewKeyBlob();
+#endif
     primary = &storage;
 
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, NULL);
@@ -229,8 +236,10 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
     wolfTPM2_UnloadHandle(&dev, &key2->handle);
     wolfTPM2_UnloadHandle(&dev, &primary->handle);
 
+#ifndef WOLFTPM2_NO_HEAP
     wolfTPM2_FreeKeyBlob(key2);
     wolfTPM2_FreeKeyBlob(rsaKey3);
+#endif
 
     wolfTPM2_Cleanup(&dev);
 

examples/tls/tls_common.h

@@ -89,8 +89,8 @@
 /******************************************************************************/
 
 typedef struct SockIoCbCtx {
-    int listenFd;
-    int fd;
+    SOCKET_T listenFd;
+    SOCKET_T fd;
 } SockIoCbCtx;
 
 #ifndef WOLFSSL_USER_IO
@@ -266,7 +266,7 @@ static inline int SetupSocketAndListen(SockIoCbCtx* sockIoCtx, word32 port)
 
 static inline int SocketWaitClient(SockIoCbCtx* sockIoCtx)
 {
-    int connd;
+    SOCKET_T connd;
     struct sockaddr_in clientAddr;
     XSOCKLENT          size = sizeof(clientAddr);
 

src/tpm2.c

@@ -642,7 +642,7 @@ TPM_RC TPM2_Init_ex(TPM2_CTX* ctx, TPM2HalIoCb ioCb, void* userCtx,
     /* Setup HAL IO Callback */
     rc = TPM2_SetHalIoCb(ctx, ioCb, userCtx);
     if (rc != TPM_RC_SUCCESS)
-      return rc;
+        return rc;
 #endif
 
     /* Set the active TPM global */

src/tpm2_wrap.c

@@ -30,7 +30,7 @@
 
 /* For some struct to buffer conversions */
 #include <wolftpm/tpm2_packet.h>
-
+#include <hal/tpm_io.h> /* for default IO callback */
 
 /* Local Functions */
 static int wolfTPM2_GetCapabilities_NoDev(WOLFTPM2_CAPS* cap);
@@ -182,7 +182,7 @@ WOLFTPM2_DEV* wolfTPM2_New(void)
     WOLFTPM2_DEV *dev = (WOLFTPM2_DEV*)XMALLOC(
         sizeof(WOLFTPM2_DEV), NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if (dev != NULL) {
-        if (wolfTPM2_Init(dev, NULL, NULL) != TPM_RC_SUCCESS) {
+        if (wolfTPM2_Init(dev, TPM2_IoCb, NULL) != TPM_RC_SUCCESS) {
             XFREE(dev, NULL, DYNAMIC_TYPE_TMP_BUFFER);
             dev = NULL;
         }
@@ -797,20 +797,27 @@ static int wolfTPM2_GetCapabilities_NoDev(WOLFTPM2_CAPS* cap)
 #if defined(WOLFTPM_SLB9672) || defined(WOLFTPM_SLB9673)
     /* Get vendor specific information */
     if (rc == 0) {
-        rc = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_OPERATION_MODE,
+        int rc_ifx;
+        rc_ifx = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_OPERATION_MODE,
             &cap->opMode, sizeof(cap->opMode));
-    }
-    if (rc == 0) {
-        rc = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_KEYGROUP_ID,
-            (uint8_t*)&cap->keyGroupId, sizeof(cap->keyGroupId));
-    }
-    if (rc == 0) {
-        rc = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_COUNTER,
-            (uint8_t*)&cap->fwCounter, sizeof(cap->fwCounter));
-    }
-    if (rc == 0) {
-        rc = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_COUNTER_SAME,
-            (uint8_t*)&cap->fwCounterSame, sizeof(cap->fwCounterSame));
+        if (rc_ifx == 0) {
+            rc_ifx = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_KEYGROUP_ID,
+                (uint8_t*)&cap->keyGroupId, sizeof(cap->keyGroupId));
+        }
+        if (rc_ifx == 0) {
+            rc_ifx = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_COUNTER,
+                (uint8_t*)&cap->fwCounter, sizeof(cap->fwCounter));
+        }
+        if (rc_ifx == 0) {
+            rc_ifx = tpm2_ifx_cap_vendor_get(cap, TPM_PT_VENDOR_FIX_FU_COUNTER_SAME,
+                (uint8_t*)&cap->fwCounterSame, sizeof(cap->fwCounterSame));
+        }
+        if (rc_ifx != 0) {
+        #ifdef DEBUG_WOLFTPM
+            printf("Error getting Infineon vendor capabilities 0x%x: %s\n",
+                rc_ifx, TPM2_GetRCString(rc_ifx));
+        #endif
+        }
     }
 #endif
 
@@ -1142,7 +1149,7 @@ int wolfTPM2_Cleanup_ex(WOLFTPM2_DEV* dev, int doShutdown)
         return rc;
 #endif
 
-    if (doShutdown)  {
+    if (doShutdown && TPM2_GetActiveCtx() != NULL)  {
         Shutdown_In shutdownIn;
         XMEMSET(&shutdownIn, 0, sizeof(shutdownIn));
         shutdownIn.shutdownType = TPM_SU_CLEAR;

wolftpm/version.h

@@ -34,8 +34,8 @@
 extern "C" {
 #endif
 
-#define LIBWOLFTPM_VERSION_STRING "3.2.0"
-#define LIBWOLFTPM_VERSION_HEX 0x03002000
+#define LIBWOLFTPM_VERSION_STRING "3.4.0"
+#define LIBWOLFTPM_VERSION_HEX 0x03004000
 
 #ifdef __cplusplus
 }