Merge pull request #440 from dgarske/rel_v3.10.0

Release v3.10.0 prep

Author: embhorn

CMakeLists.txt

@@ -21,7 +21,7 @@
 
 cmake_minimum_required(VERSION 3.16)
 
-project(wolfTPM VERSION 3.9.2 LANGUAGES C)
+project(wolfTPM VERSION 3.10.0 LANGUAGES C)
 
 set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
 set(WOLFTPM_DEFINITIONS)
@@ -170,7 +170,7 @@ if("${WOLFTPM_INTERFACE}" STREQUAL "SWTPM")
     # SWTPM port configuration
     set(WOLFTPM_SWTPM_PORT "2321" CACHE STRING
         "Set SWTPM socket port (default: 2321)")
-    list(APPEND WOLFTPM_DEFINITIONS "-DTPM2_SWTPM_PORT=\"${WOLFTPM_SWTPM_PORT}\"")
+    list(APPEND WOLFTPM_DEFINITIONS "-DTPM2_SWTPM_PORT=${WOLFTPM_SWTPM_PORT}")
 
 elseif("${WOLFTPM_INTERFACE}" STREQUAL "DEVTPM")
     list(APPEND WOLFTPM_DEFINITIONS "-DWOLFTPM_LINUX_DEV")

ChangeLog.md

@@ -1,5 +1,50 @@
 # Release Notes
 
+## wolfTPM Release 3.10.0 (Dec 4, 2025)
+
+**Summary**
+
+This release includes important bug fixes for password handling, hash algorithm selection, and TLS shutdown. Enhanced CMake support with TPM module selection. Improved Linux TPM resource manager handling. Security improvements for HMAC validation and payload length checks. Various build system improvements and test enhancements.
+
+**Detail**
+
+* Fixes for minor Coverity reports (PR #441)
+* Fixed critical bug in password handling (PR #439)
+  - Fixed `wolfTPM2_SetKeyAuthPassword` that was truncating password to 2 bytes (bug introduced in PR #427 and release v3.9.2)
+  - Added test to catch this and verified no other similar issues exist
+* Added Espressif HAL SPI support (PR #386)
+* Enhanced CMake support and TPM module selection (PR #438)
+  - Added CMake support for choosing a TPM module
+  - Finished CMake options to sync with configure
+  - Further improvements to CMake interfaces and test scripts
+* Security improvements for TPM response validation (PR #437)
+  - Validate `TPM2_GetProductInfo` payload length to avoid signed underflow and out-of-bounds access
+  - Enforce TPM response HMAC length checks to reject zero-length or mismatched response HMACs for authenticated sessions
+* Added Linux TPM Resource Manager support (PR #435, #434)
+  - Added persistent access to `/dev/tpmrmX` (enabled with `WOLFTPM_USE_TPMRM`)
+  - Fixed TPM Linux `read()` error return code handling
+* Fixed crypto callback and hash algorithm selection (PR #433)
+  - Fixed crypto callback to return CRYPTOCB_UNAVAILABLE when a TPM key is not set
+  - Fixed to use curve type to determine hash type not digest size
+* Improved signature verification hash detection (PR #432)
+  - Fixed `TPM2_VerifySignature` to detect correct hash algorithm
+  - Added more test cases for signature verification
+* Improved TLS bidirectional shutdown (PR #431)
+  - Improved the TLS bidirectional shutdown
+  - Fixed for missing `WC_PK_TYPE_RSA_GET_SIZE` in older releases
+* Fixed CMake lock options (PR #430)
+  - Fixed backward yes/no logic of `WOLFTPM_NO_LOCK_DEFAULT`
+  - Fixed if check statement of `WOLFTPM_NO_LOCK`
+  - Updated default logic for `WOLFTPM_NO_LOCK` depending on state of `WOLFTPM_SINGLE_THREADED`
+* Build system and testing improvements
+  - Added new `make cppcheck` option with fixes for cppcheck
+  - Fixed issue with possible use of uninitialized `rc` in `TPM2_GetNonceNoLock`
+  - Fixed for build and testing with `--enable-infineon=9670` with additional build tests
+  - Support for swtpm port arguments
+  - Split up the make tests into matrix (improve test time)
+* Various spelling fixes and code cleanup
+
+
 ## wolfTPM Release 3.9.2 (July 30, 2025)
 
 **Summary**

configure.ac

@@ -3,7 +3,7 @@
 # All right reserved.
 
 AC_COPYRIGHT([Copyright (C) 2014-2025 wolfSSL Inc.])
-AC_INIT([wolftpm],[3.9.2],[https://github.com/wolfssl/wolfTPM/issues],[wolftpm],[http://www.wolfssl.com])
+AC_INIT([wolftpm],[3.10.0],[https://github.com/wolfssl/wolfTPM/issues],[wolftpm],[http://www.wolfssl.com])
 
 AC_PREREQ([2.63])
 AC_CONFIG_AUX_DIR([build-aux])
@@ -28,7 +28,7 @@ AC_ARG_PROGRAM
 
 AC_CONFIG_HEADERS([src/config.h])
 
-WOLFTPM_LIBRARY_VERSION=16:7:0
+WOLFTPM_LIBRARY_VERSION=16:8:0
 #                        | | |
 #                 +------+ | +---+
 #                 |        |     |
@@ -250,7 +250,7 @@ then
     fi
 
     AM_CFLAGS="$AM_CFLAGS -DWOLFTPM_SWTPM"
-    AM_CFLAGS="$AM_CFLAGS -DTPM2_SWTPM_PORT=\"$SWTPM_PORT\""
+    AM_CFLAGS="$AM_CFLAGS -DTPM2_SWTPM_PORT=$SWTPM_PORT"
 
     # Set distcheck flag if port is not default (only when SWTPM is enabled)
     if test "x$SWTPM_PORT" != "x2321"; then

src/tpm2_swtpm.c

@@ -62,7 +62,7 @@
 #define TPM2_SWTPM_HOST         "localhost"
 #endif
 #ifndef TPM2_SWTPM_PORT
-#define TPM2_SWTPM_PORT         "2321"
+#define TPM2_SWTPM_PORT         2321
 #endif
 
 static TPM_RC SwTpmTransmit(TPM2_CTX* ctx, const void* buffer, ssize_t bufSz)
@@ -268,7 +268,7 @@ int TPM2_SWTPM_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
     }
 
     if (ctx->tcpCtx.fd < 0) {
-        rc = SwTpmConnect(ctx, TPM2_SWTPM_HOST, TPM2_SWTPM_PORT);
+        rc = SwTpmConnect(ctx, TPM2_SWTPM_HOST, XSTRINGIFY(TPM2_SWTPM_PORT));
     }
 
 #ifdef WOLFTPM_DEBUG_VERBOSE

wolftpm/tpm2_types.h

@@ -288,6 +288,11 @@ typedef int64_t  INT64;
     #define WOLFTPM_NO_LOCK
 #endif
 
+/* Helper to convert macro to string */
+#ifndef XSTRINGIFY
+#define XSTRINGIFY(s) STRINGIFY(s)
+#define STRINGIFY(s)  #s
+#endif
 
 /* ---------------------------------------------------------------------------*/
 /* TPM HARDWARE TYPE */

wolftpm/version.h

@@ -34,8 +34,8 @@
 extern "C" {
 #endif
 
-#define LIBWOLFTPM_VERSION_STRING "3.9.2"
-#define LIBWOLFTPM_VERSION_HEX 0x03009002
+#define LIBWOLFTPM_VERSION_STRING "3.10.0"
+#define LIBWOLFTPM_VERSION_HEX 0x03010000
 
 #ifdef __cplusplus
 }