From 0787f73a1f086a2136e2d5e65856e594c319555c Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 15 Sep 2023 14:10:18 -0700
Subject: [PATCH] Fix to use the new unset auth session API, that captures the last TPM nonce, so the session auth can be properly set again. Requires wolfTPM PR https://github.com/wolfSSL/wolfTPM/pull/299
---
 lib/wolfTPM | 2 +-
 src/tpm.c | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/lib/wolfTPM b/lib/wolfTPM
index acdbc446d..549783056 160000
--- a/lib/wolfTPM
+++ b/lib/wolfTPM
@@ -1 +1 @@
-Subproject commit acdbc446d27272735177f768c3b06f4ae776570d
+Subproject commit 5497830567222e9a278e5a69aaeef32d5f3fc890
diff --git a/src/tpm.c b/src/tpm.c
index b5a65522f..7744e83d4 100644
--- a/src/tpm.c
+++ b/src/tpm.c
@@ -769,7 +769,7 @@ int wolfBoot_seal_blob(uint8_t* pubkey_hint, uint8_t* policy, uint16_t policySz,
     }
     wolfTPM2_UnloadHandle(&wolftpm_dev, &policy_session.handle);
-    wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
+    wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);
     return rc;
 }
@@ -949,7 +949,7 @@ int wolfBoot_unseal_blob(uint8_t* pubkey_hint,
     wolfTPM2_UnloadHandle(&wolftpm_dev, &seal_blob->handle);
     wolfTPM2_UnloadHandle(&wolftpm_dev, &policy_session.handle);
-    wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
+    wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);
     return rc;
 }
@@ -996,6 +996,7 @@ static int wolfRNG_GetSeedCB(OS_Seed* os, uint8_t* seed, uint32_t sz)
     if (rc == 0) {
         rc = wolfTPM2_GetRandom(&wolftpm_dev, seed, sz);
     }
+    wolfTPM2_UnsetAuthSession(&wolftpm_dev, 0, &wolftpm_session);
     return rc;
 }
 #endif
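Review bot: The status returned by the new wolfTPM2_UnsetAuthSession call is discarded on the added line of this hunk, and the same pattern is repeated in the wolfBoot_unseal_blob hunk at -949, the wolfRNG_GetSeedCB hunk at -996 and the wolfBoot_check_rot hunk at -1170. Since the whole point of the new API is to capture the last TPM nonce into wolftpm_session, a failure here means the next wolfTPM2_SetAuthSession silently works with a stale nonce and the subsequent command fails with an HMAC/nonce mismatch far from the cause; if the function returns a TPM_RC as the other wolfTPM2_* calls do (I cannot confirm the signature from the hunk), propagate it when nothing else has failed, e.g. `int urc = wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);` followed by `if (rc == 0) rc = urc;`. At minimum a why-comment on the call would help the next reader: `/* release auth slot 1 and capture the last TPM nonce into wolftpm_session so it can be re-applied by the next caller */`. wolfBoot_seal_blob begins outside this hunk, so I cannot see where the slot-1 session was set up.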
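Review bot: The added wolfTPM2_UnsetAuthSession call in wolfRNG_GetSeedCB uses auth slot 0, whereas the three other call sites in this patch unset slot 1; that is presumably because this callback binds wolftpm_session at index 0 earlier in its body, but the start of the function is outside the hunk so I cannot verify it, and a slot mismatch would leave the nonce uncaptured without any error. Please confirm the index against the corresponding wolfTPM2_SetAuthSession call and document the pairing on the new line, e.g. `/* slot 0 was bound to wolftpm_session above; unset it and capture the last nonce */`. Note also that the call runs even when the earlier rc is non-zero and no auth may have been set, which is fine only if the API tolerates an empty slot.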
@@ -1141,7 +1142,8 @@ int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint)
     nv.handle.hndl = WOLFBOOT_TPM_KEYSTORE_NV_BASE + key_slot;
 #ifdef WOLFBOOT_TPM_KEYSTORE_AUTH
     nv.handle.auth.size = (UINT16)strlen(WOLFBOOT_TPM_KEYSTORE_AUTH);
-    memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH, nv.handle.auth.size);
+    memcpy(nv.handle.auth.buffer, WOLFBOOT_TPM_KEYSTORE_AUTH,
+        nv.handle.auth.size);
 #endif
     wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &nv.handle);
@@ -1170,7 +1172,7 @@ int wolfBoot_check_rot(int key_slot, uint8_t* pubkey_hint)
             wolfBoot_print_hexstr(pubkey_hint, digestSz, 0);
         }
     }
-    wolfTPM2_UnsetAuth(&wolftpm_dev, 1);
+    wolfTPM2_UnsetAuthSession(&wolftpm_dev, 1, &wolftpm_session);
     return rc;
 }