diff --git a/SOURCES/0001-tss-Add-missing-parameter-union-members.patch b/SOURCES/0001-tss-Add-missing-parameter-union-members.patch new file mode 100644 index 0000000..6be8438 --- /dev/null +++ b/SOURCES/0001-tss-Add-missing-parameter-union-members.patch @@ -0,0 +1,37 @@ +From 8e8c6777847825c5067b171c2e4ac8b33fe0d6bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= + +Date: Sun, 1 May 2022 19:33:02 +0200 +Subject: [PATCH 1/4] tss: Add missing parameter union members +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Štěpán Horáček +--- + utils/ibmtss/Parameters.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/utils/ibmtss/Parameters.h b/utils/ibmtss/Parameters.h +index 98a04ff..5b6c29a 100644 +--- a/utils/ibmtss/Parameters.h ++++ b/utils/ibmtss/Parameters.h +@@ -182,6 +182,7 @@ + typedef union { + ActivateCredential_In ActivateCredential; + CertifyCreation_In CertifyCreation; ++ CertifyX509_In CertifyX509; + Certify_In Certify; + ChangeEPS_In ChangeEPS; + ChangePPS_In ChangePPS; +@@ -313,6 +314,7 @@ typedef union + { + ActivateCredential_Out ActivateCredential; + CertifyCreation_Out CertifyCreation; ++ CertifyX509_Out CertifyX509; + Certify_Out Certify; + Commit_Out Commit; + ContextLoad_Out ContextLoad; +-- +2.34.3 + diff --git a/SOURCES/0002-Update-SHA-1-to-SHA-256-in-tests-without-restricting.patch b/SOURCES/0002-regtest-Update-to-SHA-256-without-restricting-the-sc.patch similarity index 99% rename from SOURCES/0002-Update-SHA-1-to-SHA-256-in-tests-without-restricting.patch rename to SOURCES/0002-regtest-Update-to-SHA-256-without-restricting-the-sc.patch index bf9022a..d1b8364 100644 --- a/SOURCES/0002-Update-SHA-1-to-SHA-256-in-tests-without-restricting.patch +++ b/SOURCES/0002-regtest-Update-to-SHA-256-without-restricting-the-sc.patch @@ -1,14 +1,14 @@ -From 14ccbe9112e21fe62d5cbbbebeae71ec38b77e4a Mon Sep 17 00:00:00 2001 +From 3e4c744cf09d43aba0ae9381c1527263e39a7c70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= -Date: Thu, 17 Feb 2022 16:29:39 +0100 -Subject: [PATCH 2/4] Update SHA-1 to SHA-256 in tests without restricting the - scope +Date: Mon, 18 Apr 2022 23:51:02 +0200 +Subject: [PATCH 2/4] regtest: Update to SHA-256 without restricting the scope MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Štěpán Horáček +Signed-off-by: Ken Goldman --- utils/policies/policycountertimer.bin | Bin 20 -> 32 bytes utils/policies/policycphash.bin | Bin 20 -> 32 bytes @@ -596,5 +596,5 @@ index edfa014..8a99bbf 100755 echo "Flush the ECC ${CURVE} signing key" -- -2.34.1 +2.34.3 diff --git a/SOURCES/0003-Restrict-the-usage-of-SHA-1-in-code-examples.patch b/SOURCES/0003-Restrict-the-usage-of-SHA-1-in-code-examples.patch deleted file mode 100644 index edb866d..0000000 --- a/SOURCES/0003-Restrict-the-usage-of-SHA-1-in-code-examples.patch +++ /dev/null @@ -1,1329 +0,0 @@ -From 8004d7ddc5e1bd7809f6a385908ceff216061187 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= - -Date: Thu, 17 Feb 2022 19:02:10 +0100 -Subject: [PATCH 3/4] Restrict the usage of SHA-1 in code examples -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Due to SHA-1 not being considered secure, it should be not used for -cryptographical purposes. This commit disables the usage of SHA-1 in -cases where it is used in potentially exploitable situations, most -notably for creating signatures. - -Signed-off-by: Štěpán Horáček ---- - configure.ac | 4 ++++ - utils/certify.c | 7 ++----- - utils/certifycreation.c | 7 ++----- - utils/create.c | 10 ++-------- - utils/createloaded.c | 10 ++-------- - utils/createprimary.c | 10 ++-------- - utils/cryptoutils.c | 3 --- - utils/getcommandauditdigest.c | 7 ++----- - utils/getsessionauditdigest.c | 7 ++----- - utils/gettime.c | 7 ++----- - utils/hash.c | 7 ++----- - utils/hashsequencestart.c | 7 ++----- - utils/hmac.c | 7 ++----- - utils/hmacstart.c | 7 ++----- - utils/importpem.c | 14 ++++---------- - utils/loadexternal.c | 14 ++++---------- - utils/man/man1/tsscertify.1 | 2 +- - utils/man/man1/tsscertifycreation.1 | 2 +- - utils/man/man1/tsscreate.1 | 4 ++-- - utils/man/man1/tsscreateloaded.1 | 4 ++-- - utils/man/man1/tsscreateprimary.1 | 4 ++-- - utils/man/man1/tssgetcommandauditdigest.1 | 2 +- - utils/man/man1/tssgetsessionauditdigest.1 | 2 +- - utils/man/man1/tssgettime.1 | 2 +- - utils/man/man1/tsshash.1 | 2 +- - utils/man/man1/tsshashsequencestart.1 | 2 +- - utils/man/man1/tsshmac.1 | 2 +- - utils/man/man1/tsshmacstart.1 | 2 +- - utils/man/man1/tssimportpem.1 | 4 ++-- - utils/man/man1/tssloadexternal.1 | 4 ++-- - utils/man/man1/tssnvcertify.1 | 2 +- - utils/man/man1/tssnvdefinespace.1 | 2 +- - utils/man/man1/tssnvreadpublic.1 | 2 +- - utils/man/man1/tsspolicymaker.1 | 2 +- - utils/man/man1/tsspolicysigned.1 | 2 +- - utils/man/man1/tsspublicname.1 | 4 ++-- - utils/man/man1/tssquote.1 | 2 +- - utils/man/man1/tssrsadecrypt.1 | 2 +- - utils/man/man1/tsssetcommandcodeauditstatus.1 | 2 +- - utils/man/man1/tsssetprimarypolicy.1 | 2 +- - utils/man/man1/tsssign.1 | 2 +- - utils/man/man1/tssstartauthsession.1 | 2 +- - utils/man/man1/tssverifysignature.1 | 2 +- - utils/nvcertify.c | 7 ++----- - utils/nvdefinespace.c | 8 ++------ - utils/nvreadpublic.c | 7 ++----- - utils/objecttemplates.c | 4 ++-- - utils/policymaker.c | 7 ++----- - utils/policysigned.c | 7 ++----- - utils/publicname.c | 14 ++++---------- - utils/quote.c | 7 ++----- - utils/reg.sh | 17 +++++++++++++---- - utils/regtests/testattest.sh | 15 ++++++++++----- - utils/regtests/testevent.sh | 2 +- - utils/rsadecrypt.c | 12 ++---------- - utils/setcommandcodeauditstatus.c | 7 ++----- - utils/setprimarypolicy.c | 5 +---- - utils/sign.c | 7 ++----- - utils/startauthsession.c | 7 ++----- - utils/verifysignature.c | 7 ++----- - 60 files changed, 122 insertions(+), 212 deletions(-) - -diff --git a/configure.ac b/configure.ac -index ad870b1..4e4052e 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -123,6 +123,10 @@ AC_ARG_ENABLE(rmtpm, - AM_CONDITIONAL([CONFIG_RMTPM], [test "x$enable_rmtpm" = "xyes"]) - AS_IF([test "$enable_rmtpm" != "yes"], [enable_rmtpm="no"]) - -+AC_ARG_ENABLE(restricted-hash-alg, -+ AS_HELP_STRING([--enable-restricted-hash-alg], [Restrict usage of SHA-1])) -+ AS_IF([test "$enable_restricted_hash_alg" = "yes"], [CFLAGS="-DRESTRICTED_HASH_ALG $CFLAGS"]) -+ - AC_CONFIG_FILES([Makefile - utils/Makefile - utils12/Makefile -diff --git a/utils/certify.c b/utils/certify.c -index f1f54d0..f3cfc84 100644 ---- a/utils/certify.c -+++ b/utils/certify.c -@@ -128,10 +128,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -397,7 +394,7 @@ static void printUsage(void) - printf("\t[-pwdo\tpassword for object (default empty)]\n"); - printf("\t-hk\tcertifying key handle\n"); - printf("\t[-pwdk\tpassword for key (default empty)]\n"); -- printf("\t[-halg\t(sha1, sha256, sha384 sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384 sha512) (default sha256)]\n"); - printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); - printf("\t[-qd\tqualifying data file name]\n"); - printf("\t[-os\tsignature file name (default do not save)]\n"); -diff --git a/utils/certifycreation.c b/utils/certifycreation.c -index ab54c0a..20377d2 100644 ---- a/utils/certifycreation.c -+++ b/utils/certifycreation.c -@@ -121,10 +121,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -437,7 +434,7 @@ static void printUsage(void) - printf("\t-ho\tobject handle\n"); - printf("\t-hk\tcertifying key handle\n"); - printf("\t[-pwdk\tpassword for key (default empty)]\n"); -- printf("\t[-halg\t(sha1, sha256, sha384) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384) (default sha256)]\n"); - printf("\t[-salg\tsignature algorithm (rsa, ecc) (default rsa)]\n"); - printf("\t[-qd\tqualifying data file name]\n"); - printf("\t-tk\tinput ticket file name\n"); -diff --git a/utils/create.c b/utils/create.c -index a8b805c..93c5d43 100644 ---- a/utils/create.c -+++ b/utils/create.c -@@ -239,10 +239,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -264,10 +261,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-nalg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- nalg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - nalg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -diff --git a/utils/createloaded.c b/utils/createloaded.c -index d54f791..a21bbda 100644 ---- a/utils/createloaded.c -+++ b/utils/createloaded.c -@@ -235,10 +235,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -257,10 +254,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-nalg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- nalg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - nalg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -diff --git a/utils/createprimary.c b/utils/createprimary.c -index 52ae083..d6374dd 100644 ---- a/utils/createprimary.c -+++ b/utils/createprimary.c -@@ -246,10 +246,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -271,10 +268,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-nalg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- nalg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - nalg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c -index 57eade7..7b5de79 100644 ---- a/utils/cryptoutils.c -+++ b/utils/cryptoutils.c -@@ -2025,9 +2025,6 @@ TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength, - /* map the hash algorithm to the openssl NID */ - if (rc == 0) { - switch (hashAlg) { -- case TPM_ALG_SHA1: -- nid = NID_sha1; -- break; - case TPM_ALG_SHA256: - nid = NID_sha256; - break; -diff --git a/utils/getcommandauditdigest.c b/utils/getcommandauditdigest.c -index a219785..cc67a17 100644 ---- a/utils/getcommandauditdigest.c -+++ b/utils/getcommandauditdigest.c -@@ -117,10 +117,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -381,7 +378,7 @@ static void printUsage(void) - printf("\t[-pwde\tendorsement hierarchy password (default empty)]\n"); - printf("\t-hk\tsigning key handle\n"); - printf("\t[-pwdk\tpassword for key (default empty)]\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); - printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); - printf("\t[-qd\tqualifying data file name]\n"); - printf("\t[-os\tsignature file name (default do not save)]\n"); -diff --git a/utils/getsessionauditdigest.c b/utils/getsessionauditdigest.c -index 61b12e6..e0706a1 100644 ---- a/utils/getsessionauditdigest.c -+++ b/utils/getsessionauditdigest.c -@@ -128,10 +128,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -377,7 +374,7 @@ static void printUsage(void) - printf("\t[-hk\tsigning key handle]\n"); - printf("\t[-pwdk\tpassword for key (default empty)]\n"); - printf("\t-hs\taudit session handle\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); - printf("\t[-qd\tqualifying data file name]\n"); - printf("\t[-os\tsignature file name (default do not save)]\n"); - printf("\t[-oa\tattestation output file name (default do not save)]\n"); -diff --git a/utils/gettime.c b/utils/gettime.c -index b07baf1..2e4b819 100644 ---- a/utils/gettime.c -+++ b/utils/gettime.c -@@ -118,10 +118,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -381,7 +378,7 @@ static void printUsage(void) - printf("\t-hk\tsigning key handle\n"); - printf("\t[-pwdk\tpassword for signing key (default empty)]\n"); - printf("\t[-pwde\tpassword for endorsement hierarchy (default empty)]\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); - printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); - printf("\t[-qd\tqualifying data file name]\n"); - printf("\t[-os\tsignature file name (default do not save)]\n"); -diff --git a/utils/hash.c b/utils/hash.c -index 71b8a7c..e21ff8c 100644 ---- a/utils/hash.c -+++ b/utils/hash.c -@@ -93,10 +93,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -300,7 +297,7 @@ static void printUsage(void) - printf("\n"); - printf("\t[-hi\thierarchy (e, o, p, n) (default null)]\n"); - printf("\t\te endorsement, o owner, p platform, n null\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); - printf("\t-if\tinput file to be hashed\n"); - printf("\t-ic\tdata string to be hashed\n"); - printf("\t[-ns\tno space, no text, no newlines]\n"); -diff --git a/utils/hashsequencestart.c b/utils/hashsequencestart.c -index d54fadd..8b1e6fc 100644 ---- a/utils/hashsequencestart.c -+++ b/utils/hashsequencestart.c -@@ -87,10 +87,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- hashAlg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - hashAlg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -243,7 +240,7 @@ static void printUsage(void) - printf("Runs TPM2_HashSequenceStart\n"); - printf("\n"); - printf("\t[-pwda\tpassword for sequence (default empty)]\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512, null) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512, null) (default sha256)]\n"); - printf("\t\tnull is an event sequence\n"); - printf("\n"); - printf("\t-se[0-2] session handle / attributes (default NULL)\n"); -diff --git a/utils/hmac.c b/utils/hmac.c -index be63e1b..7ea325d 100644 ---- a/utils/hmac.c -+++ b/utils/hmac.c -@@ -105,10 +105,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -343,7 +340,7 @@ static void printUsage(void) - printf("\n"); - printf("\t-hk\tkey handle\n"); - printf("\t[-pwdk\tpassword for key (default empty)]\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); - printf("\t-if\tinput file to be HMACed\n"); - printf("\t-ic\tdata string to be HMACed\n"); - printf("\t[-os\thmac file name (default do not save)]\n"); -diff --git a/utils/hmacstart.c b/utils/hmacstart.c -index 3fdd0f9..4463376 100644 ---- a/utils/hmacstart.c -+++ b/utils/hmacstart.c -@@ -109,10 +109,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -270,7 +267,7 @@ static void printUsage(void) - printf("\t-hk\tkey handle\n"); - printf("\t-pwdk\tpassword for key (default empty)\n"); - printf("\t-pwda\tpassword for sequence (default empty)\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); - printf("\n"); - printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); - printf("\t01\tcontinue\n"); -diff --git a/utils/importpem.c b/utils/importpem.c -index 38ad125..cbf3794 100644 ---- a/utils/importpem.c -+++ b/utils/importpem.c -@@ -215,10 +215,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -240,10 +237,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-nalg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- nalg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - nalg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -478,8 +472,8 @@ static void printUsage(void) - printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n"); - printf("\t-opu\tpublic area file name\n"); - printf("\t-opr\tprivate area file name\n"); -- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); -- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); - printf("\t[-pol\tpolicy file (default empty)]\n"); - printf("\n"); - printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); -diff --git a/utils/loadexternal.c b/utils/loadexternal.c -index 877501c..fc8cd1a 100644 ---- a/utils/loadexternal.c -+++ b/utils/loadexternal.c -@@ -127,10 +127,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -152,10 +149,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-nalg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- nalg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - nalg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -511,8 +505,8 @@ static void printUsage(void) - printf("Runs TPM2_LoadExternal\n"); - printf("\n"); - printf("\t[-hi\thierarchy (e, o, p, n) (default NULL)]\n"); -- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); -- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); - printf("\n"); - printf("\t[Asymmetric Key Algorithm]\n"); - printf("\n"); -diff --git a/utils/man/man1/tsscertify.1 b/utils/man/man1/tsscertify.1 -index 6895ee7..b837209 100644 ---- a/utils/man/man1/tsscertify.1 -+++ b/utils/man/man1/tsscertify.1 -@@ -20,7 +20,7 @@ certifying key handle - password for key (default empty)] - .TP - [\-halg --(sha1, sha256, sha384 sha512) (default sha256)] -+(sha256, sha384 sha512) (default sha256)] - .TP - [\-salg - signature algorithm (rsa, ecc, hmac) (default rsa)] -diff --git a/utils/man/man1/tsscertifycreation.1 b/utils/man/man1/tsscertifycreation.1 -index 4382ed9..7c77a1e 100644 ---- a/utils/man/man1/tsscertifycreation.1 -+++ b/utils/man/man1/tsscertifycreation.1 -@@ -17,7 +17,7 @@ certifying key handle - password for key (default empty)] - .TP - [\-halg --(sha1, sha256, sha384) (default sha256)] -+(sha256, sha384) (default sha256)] - .TP - [\-salg - signature algorithm (rsa, ecc) (default rsa)] -diff --git a/utils/man/man1/tsscreate.1 b/utils/man/man1/tsscreate.1 -index b4eda75..f2f6fc4 100644 ---- a/utils/man/man1/tsscreate.1 -+++ b/utils/man/man1/tsscreate.1 -@@ -89,10 +89,10 @@ userWithAuth attribute clear (default set)] - data (inSensitive) file name] - .TP - [\-nalg --name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+name hash algorithm (sha256, sha384, sha512) (default sha256)] - .TP - [\-halg --scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+scheme hash algorithm (sha256, sha384, sha512) (default sha256)] - .TP - [\-pwdk - password for key (default empty)] -diff --git a/utils/man/man1/tsscreateloaded.1 b/utils/man/man1/tsscreateloaded.1 -index ccd3d73..ebcf721 100644 ---- a/utils/man/man1/tsscreateloaded.1 -+++ b/utils/man/man1/tsscreateloaded.1 -@@ -93,10 +93,10 @@ userWithAuth attribute clear (default set)] - data (inSensitive) file name] - .TP - [\-nalg --name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+name hash algorithm (sha256, sha384, sha512) (default sha256)] - .TP - [\-halg --scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+scheme hash algorithm (sha256, sha384, sha512) (default sha256)] - .TP - [\-der - object's parent is a derivation parent] -diff --git a/utils/man/man1/tsscreateprimary.1 b/utils/man/man1/tsscreateprimary.1 -index 895a42e..55a9d85 100644 ---- a/utils/man/man1/tsscreateprimary.1 -+++ b/utils/man/man1/tsscreateprimary.1 -@@ -114,10 +114,10 @@ userWithAuth attribute clear (default set)] - data (inSensitive) file name] - .TP - [\-nalg --name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+name hash algorithm (sha256, sha384, sha512) (default sha256)] - .TP - [\-halg --scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+scheme hash algorithm (sha256, sha384, sha512) (default sha256)] - .HP - \fB\-se[0\-2]\fR session handle / attributes (default PWAP) - .TP -diff --git a/utils/man/man1/tssgetcommandauditdigest.1 b/utils/man/man1/tssgetcommandauditdigest.1 -index 34711e0..11d3b78 100644 ---- a/utils/man/man1/tssgetcommandauditdigest.1 -+++ b/utils/man/man1/tssgetcommandauditdigest.1 -@@ -17,7 +17,7 @@ signing key handle - password for key (default empty)] - .TP - [\-halg --(sha1, sha256, sha384, sha512) (default sha256)] -+(sha256, sha384, sha512) (default sha256)] - .TP - [\-salg - signature algorithm (rsa, ecc, hmac) (default rsa)] -diff --git a/utils/man/man1/tssgetsessionauditdigest.1 b/utils/man/man1/tssgetsessionauditdigest.1 -index d09c78b..3fa4a03 100644 ---- a/utils/man/man1/tssgetsessionauditdigest.1 -+++ b/utils/man/man1/tssgetsessionauditdigest.1 -@@ -20,7 +20,7 @@ password for key (default empty)] - audit session handle - .TP - [\-halg --(sha1, sha256, sha384, sha512) (default sha256)] -+(sha256, sha384, sha512) (default sha256)] - .TP - [\-qd - qualifying data file name] -diff --git a/utils/man/man1/tssgettime.1 b/utils/man/man1/tssgettime.1 -index bec0627..ac4b425 100644 ---- a/utils/man/man1/tssgettime.1 -+++ b/utils/man/man1/tssgettime.1 -@@ -17,7 +17,7 @@ password for signing key (default empty)] - password for endorsement hierarchy (default empty)] - .TP - [\-halg --(sha1, sha256, sha384, sha512) (default sha256)] -+(sha256, sha384, sha512) (default sha256)] - .TP - [\-salg - signature algorithm (rsa, ecc, hmac) (default rsa)] -diff --git a/utils/man/man1/tsshash.1 b/utils/man/man1/tsshash.1 -index 6eff929..01fa758 100644 ---- a/utils/man/man1/tsshash.1 -+++ b/utils/man/man1/tsshash.1 -@@ -12,7 +12,7 @@ hierarchy (e, o, p, n) (default null)] - e endorsement, o owner, p platform, n null - .TP - [\-halg --(sha1, sha256, sha384, sha512) (default sha256)] -+(sha256, sha384, sha512) (default sha256)] - .TP - \fB\-if\fR - input file to be hashed -diff --git a/utils/man/man1/tsshashsequencestart.1 b/utils/man/man1/tsshashsequencestart.1 -index f6d7f52..33225da 100644 ---- a/utils/man/man1/tsshashsequencestart.1 -+++ b/utils/man/man1/tsshashsequencestart.1 -@@ -11,7 +11,7 @@ Runs TPM2_HashSequenceStart - password for sequence (default empty)] - .TP - [\-halg --(sha1, sha256, sha384, sha512, null) (default sha256)] -+(sha256, sha384, sha512, null) (default sha256)] - null is an event sequence - .HP - \fB\-se[0\-2]\fR session handle / attributes (default NULL) -diff --git a/utils/man/man1/tsshmac.1 b/utils/man/man1/tsshmac.1 -index e64a861..c55b998 100644 ---- a/utils/man/man1/tsshmac.1 -+++ b/utils/man/man1/tsshmac.1 -@@ -14,7 +14,7 @@ key handle - password for key (default empty)] - .TP - [\-halg --(sha1, sha256, sha384, sha512) (default sha256)] -+(sha256, sha384, sha512) (default sha256)] - .TP - \fB\-if\fR - input file to be HMACed -diff --git a/utils/man/man1/tsshmacstart.1 b/utils/man/man1/tsshmacstart.1 -index 65d4ab6..9dd8fbf 100644 ---- a/utils/man/man1/tsshmacstart.1 -+++ b/utils/man/man1/tsshmacstart.1 -@@ -17,7 +17,7 @@ password for key (default empty) - password for sequence (default empty) - .TP - [\-halg --(sha1, sha256, sha384, sha512) (default sha256)] -+(sha256, sha384, sha512) (default sha256)] - .HP - \fB\-se[0\-2]\fR session handle / attributes (default PWAP) - .TP -diff --git a/utils/man/man1/tssimportpem.1 b/utils/man/man1/tssimportpem.1 -index 21c362e..46821eb 100644 ---- a/utils/man/man1/tssimportpem.1 -+++ b/utils/man/man1/tssimportpem.1 -@@ -49,10 +49,10 @@ public area file name - private area file name - .TP - [\-nalg --name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+name hash algorithm (sha256, sha384, sha512) (default sha256)] - .TP - [\-halg --scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+scheme hash algorithm (sha256, sha384, sha512) (default sha256)] - .TP - [\-pol - policy file (default empty)] -diff --git a/utils/man/man1/tssloadexternal.1 b/utils/man/man1/tssloadexternal.1 -index e32a251..729d357 100644 ---- a/utils/man/man1/tssloadexternal.1 -+++ b/utils/man/man1/tssloadexternal.1 -@@ -11,10 +11,10 @@ Runs TPM2_LoadExternal - hierarchy (e, o, p, n) (default NULL)] - .TP - [\-nalg --name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+name hash algorithm (sha256, sha384, sha512) (default sha256)] - .TP - [\-halg --scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+scheme hash algorithm (sha256, sha384, sha512) (default sha256)] - .IP - [Asymmetric Key Algorithm] - .TP -diff --git a/utils/man/man1/tssnvcertify.1 b/utils/man/man1/tssnvcertify.1 -index c55f6dc..1a50fd6 100644 ---- a/utils/man/man1/tssnvcertify.1 -+++ b/utils/man/man1/tssnvcertify.1 -@@ -20,7 +20,7 @@ certifying key handle - password for key (default empty)] - .TP - [\-halg --(sha1, sha256, sha384, sha512) (default sha256)] -+(sha256, sha384, sha512) (default sha256)] - .TP - [\-salg - signature algorithm (rsa, ecc, hmac) (default rsa)] -diff --git a/utils/man/man1/tssnvdefinespace.1 b/utils/man/man1/tssnvdefinespace.1 -index 0f378e9..5d9d395 100644 ---- a/utils/man/man1/tssnvdefinespace.1 -+++ b/utils/man/man1/tssnvdefinespace.1 -@@ -36,7 +36,7 @@ password for NV index (default empty)] - sets AUTHWRITE (if not PIN index), AUTHREAD - .TP - [\-nalg --name algorithm (sha1, sha256, sha384 sha512) (default sha256)] -+name algorithm (sha256, sha384 sha512) (default sha256)] - .TP - [\-sz - data size in decimal (default 0)] -diff --git a/utils/man/man1/tssnvreadpublic.1 b/utils/man/man1/tssnvreadpublic.1 -index b8c7bbb..c8619bb 100644 ---- a/utils/man/man1/tssnvreadpublic.1 -+++ b/utils/man/man1/tssnvreadpublic.1 -@@ -11,7 +11,7 @@ Runs TPM2_NV_ReadPublic - NV index handle - .TP - [\-nalg --expected name hash algorithm (sha1, sha256, sha384 sha512) -+expected name hash algorithm (sha256, sha384 sha512) - (default no check)] - .TP - [\-opu -diff --git a/utils/man/man1/tsspolicymaker.1 b/utils/man/man1/tsspolicymaker.1 -index 6660f36..36beaaa 100644 ---- a/utils/man/man1/tsspolicymaker.1 -+++ b/utils/man/man1/tsspolicymaker.1 -@@ -6,7 +6,7 @@ policymaker \- Runs TPM2 policymaker - policymaker - .TP - [\-halg --hash algorithm (sha1 sha256 sha384 sha512) (default sha256)] -+hash algorithm (sha256 sha384 sha512) (default sha256)] - .TP - [\-nz - do not extend starting with zeros, just hash the last line] -diff --git a/utils/man/man1/tsspolicysigned.1 b/utils/man/man1/tsspolicysigned.1 -index f50b81a..dab24ba 100644 ---- a/utils/man/man1/tsspolicysigned.1 -+++ b/utils/man/man1/tsspolicysigned.1 -@@ -26,7 +26,7 @@ policyRef file (default none)] - expiration in decimal (default none)] - .TP - [\-halg --(sha1, sha256, sha384, sha512) (default sha256)] -+(sha256, sha384, sha512) (default sha256)] - .TP - \fB\-sk\fR - RSA signing key file name (PEM format) -diff --git a/utils/man/man1/tsspublicname.1 b/utils/man/man1/tsspublicname.1 -index 6600436..e42481c 100644 ---- a/utils/man/man1/tsspublicname.1 -+++ b/utils/man/man1/tsspublicname.1 -@@ -45,10 +45,10 @@ rsapss - null - .TP - [\-nalg --name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+name hash algorithm (sha256, sha384, sha512) (default sha256)] - .TP - [\-halg --scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)] -+scheme hash algorithm (sha256, sha384, sha512) (default sha256)] - .TP - [\-uwa - userWithAuth attribute clear (default set)] -diff --git a/utils/man/man1/tssquote.1 b/utils/man/man1/tssquote.1 -index 04a2e60..3de384b 100644 ---- a/utils/man/man1/tssquote.1 -+++ b/utils/man/man1/tssquote.1 -@@ -17,7 +17,7 @@ quoting key handle - password for quoting key (default empty)] - .TP - [\-halg --for signing (sha1, sha256, sha384, sha512) (default sha256)] -+for signing (sha256, sha384, sha512) (default sha256)] - .TP - [\-palg - for PCR bank selection (sha1, sha256, sha384, sha512) (default sha256)] -diff --git a/utils/man/man1/tssrsadecrypt.1 b/utils/man/man1/tssrsadecrypt.1 -index 6c35e42..ff2b0f2 100644 ---- a/utils/man/man1/tssrsadecrypt.1 -+++ b/utils/man/man1/tssrsadecrypt.1 -@@ -16,7 +16,7 @@ password for key (default empty)[ - [\-ipwdk password file for key, nul terminated (default empty)] - \fB\-ie\fR encrypt file name - \fB\-od\fR decrypt file name (default do not save) --[\-oid (sha1, sha256, sha384 sha512)] -+[\-oid (sha256, sha384 sha512)] - .IP - optionally add OID and PKCS1 padding to the - encrypt data (demo of signing with arbitrary OID) -diff --git a/utils/man/man1/tsssetcommandcodeauditstatus.1 b/utils/man/man1/tsssetcommandcodeauditstatus.1 -index c4d19dc..d84a0c2 100644 ---- a/utils/man/man1/tsssetcommandcodeauditstatus.1 -+++ b/utils/man/man1/tsssetcommandcodeauditstatus.1 -@@ -14,7 +14,7 @@ authhandle hierarchy (o, p) (default platform)] - authorization password (default empty)] - .TP - [\-halg --(sha1, sha256, sha384, sha512, null) (default null)] -+(sha256, sha384, sha512, null) (default null)] - .TP - [\-set - command code to set (may be specified more than once (default none)] -diff --git a/utils/man/man1/tsssetprimarypolicy.1 b/utils/man/man1/tsssetprimarypolicy.1 -index c67c1f9..9238407 100644 ---- a/utils/man/man1/tsssetprimarypolicy.1 -+++ b/utils/man/man1/tsssetprimarypolicy.1 -@@ -17,7 +17,7 @@ authorization password (default empty)] - policy file (default empty policy)] - .TP - [\-halg --(sha1, sha256) (default null)] -+(sha256) (default null)] - .HP - \fB\-se[0\-2]\fR session handle / attributes (default PWAP) - .TP -diff --git a/utils/man/man1/tsssign.1 b/utils/man/man1/tsssign.1 -index d5ad351..df67aee 100644 ---- a/utils/man/man1/tsssign.1 -+++ b/utils/man/man1/tsssign.1 -@@ -17,7 +17,7 @@ input message to hash and sign - password for key (default empty)] - .TP - [\-halg --(sha1, sha256, sha384, sha512) (default sha256)] -+(sha256, sha384, sha512) (default sha256)] - .TP - [\-salg - signature algorithm (rsa, ecc, hmac) (default rsa)] -diff --git a/utils/man/man1/tssstartauthsession.1 b/utils/man/man1/tssstartauthsession.1 -index 3e944bb..ad16b0f 100644 ---- a/utils/man/man1/tssstartauthsession.1 -+++ b/utils/man/man1/tssstartauthsession.1 -@@ -19,7 +19,7 @@ t - Trial policy session - .TP - [\-halg --(sha1, sha256, sha384, sha512) (default sha256)] -+(sha256, sha384, sha512) (default sha256)] - .TP - [\-hs - salt handle (default TPM_RH_NULL)] -diff --git a/utils/man/man1/tssverifysignature.1 b/utils/man/man1/tssverifysignature.1 -index e2d6460..d30eee9 100644 ---- a/utils/man/man1/tssverifysignature.1 -+++ b/utils/man/man1/tssverifysignature.1 -@@ -37,7 +37,7 @@ One of \fB\-hk\fR, \fB\-ipem\fR, \fB\-ihmac\fR must be specified - ticket file name (requires \fB\-hk\fR)] - .TP - [\-halg --(sha1, sha256, sha384 sha512) (default sha256)] -+(sha256, sha384 sha512) (default sha256)] - .IP - [Asymmetric Key Algorithm] - .TP -diff --git a/utils/nvcertify.c b/utils/nvcertify.c -index 81bde69..440c894 100644 ---- a/utils/nvcertify.c -+++ b/utils/nvcertify.c -@@ -131,10 +131,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -433,7 +430,7 @@ static void printUsage(void) - printf("\t[-pwdn\tpassword for NV index (default empty)]\n"); - printf("\t-hk\tcertifying key handle\n"); - printf("\t[-pwdk\tpassword for key (default empty)]\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); - printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); - printf("\t-sz\tdata size\n"); - printf("\t[-off\toffset (default 0)]\n"); -diff --git a/utils/nvdefinespace.c b/utils/nvdefinespace.c -index 18ce6ea..cbe253e 100644 ---- a/utils/nvdefinespace.c -+++ b/utils/nvdefinespace.c -@@ -124,11 +124,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-nalg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- nalg = TPM_ALG_SHA1; -- hashSize = SHA1_DIGEST_SIZE; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - nalg = TPM_ALG_SHA256; - hashSize = SHA256_DIGEST_SIZE; - } -@@ -562,7 +558,7 @@ static void printUsage(void) - printf("\n"); - printf("\t[-pwdn\tpassword for NV index (default empty)]\n"); - printf("\t\tsets AUTHWRITE (if not PIN index), AUTHREAD\n"); -- printf("\t[-nalg\tname algorithm (sha1, sha256, sha384 sha512) (default sha256)]\n"); -+ printf("\t[-nalg\tname algorithm (sha256, sha384 sha512) (default sha256)]\n"); - printf("\t[-sz\tdata size in decimal (default 0)]\n"); - printf("\t\tIgnored for other than ordinary index\n"); - printf("\t[-ty\tindex type (o, c, b, e, p, f) (default ordinary)]\n"); -diff --git a/utils/nvreadpublic.c b/utils/nvreadpublic.c -index cf36b96..cbcae63 100644 ---- a/utils/nvreadpublic.c -+++ b/utils/nvreadpublic.c -@@ -101,10 +101,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-nalg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- nalg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - nalg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -336,7 +333,7 @@ static void printUsage(void) - printf("Runs TPM2_NV_ReadPublic\n"); - printf("\n"); - printf("\t-ha\tNV index handle\n"); -- printf("\t[-nalg\texpected name hash algorithm (sha1, sha256, sha384 sha512)\n" -+ printf("\t[-nalg\texpected name hash algorithm (sha256, sha384 sha512)\n" - "\t\t(default no check)]\n"); - printf("\t[-opu\tNV public file name (default do not save)]\n"); - printf("\t[-ns\tadditionally print Name in hex ascii on one line]\n"); -diff --git a/utils/objecttemplates.c b/utils/objecttemplates.c -index 37d7b64..4d1269c 100644 ---- a/utils/objecttemplates.c -+++ b/utils/objecttemplates.c -@@ -576,7 +576,7 @@ void printUsageTemplate(void) - printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n"); - printf("\t[-if\tdata (inSensitive) file name]\n"); - printf("\n"); -- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); -- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); - return; - } -diff --git a/utils/policymaker.c b/utils/policymaker.c -index 7290ed7..818ac8b 100644 ---- a/utils/policymaker.c -+++ b/utils/policymaker.c -@@ -107,10 +107,7 @@ int main(int argc, char *argv[]) - if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- digest.hashAlg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - digest.hashAlg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -342,7 +339,7 @@ static void printUsage(void) - printf("\n"); - printf("policymaker\n"); - printf("\n"); -- printf("\t[-halg\thash algorithm (sha1 sha256 sha384 sha512) (default sha256)]\n"); -+ printf("\t[-halg\thash algorithm (sha256 sha384 sha512) (default sha256)]\n"); - printf("\t[-nz\tdo not extend starting with zeros, just hash the last line]\n"); - printf("\t-if\tinput policy statements in hex ascii\n"); - printf("\t[-of\toutput file - policy hash in binary]\n"); -diff --git a/utils/policysigned.c b/utils/policysigned.c -index 469cec9..dbecfe0 100644 ---- a/utils/policysigned.c -+++ b/utils/policysigned.c -@@ -216,10 +216,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -444,7 +441,7 @@ static void printUsage(void) - printf("\t[-cp\tcpHash file (default none)]\n"); - printf("\t[-pref\tpolicyRef file (default none)]\n"); - printf("\t[-exp\texpiration in decimal (default none)]\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); - printf("\t-sk\tRSA signing key file name (PEM format)\n"); - printf("\t\tUse this signing key.\n"); - printf("\t-is\tsignature file name\n"); -diff --git a/utils/publicname.c b/utils/publicname.c -index f599d36..fbe9ee4 100644 ---- a/utils/publicname.c -+++ b/utils/publicname.c -@@ -90,10 +90,7 @@ int main(int argc, char *argv[]) - if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -115,10 +112,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-nalg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- nalg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - nalg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -441,8 +435,8 @@ static void printUsage(void) - printf("\t\trsassa\n"); - printf("\t\trsapss\n"); - printf("\t\tnull\n"); -- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); -- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n"); - printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n"); - printf("\t[-si\tsigning (default) RSA]\n"); - printf("\t[-st\tstorage (default NULL scheme)]\n"); -diff --git a/utils/quote.c b/utils/quote.c -index c29fad0..154187c 100644 ---- a/utils/quote.c -+++ b/utils/quote.c -@@ -130,10 +130,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -424,7 +421,7 @@ static void printUsage(void) - printf("\t-hp\tpcr handle (may be specified more than once)\n"); - printf("\t-hk\tquoting key handle\n"); - printf("\t[-pwdk\tpassword for quoting key (default empty)]\n"); -- printf("\t[-halg\tfor signing (sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\tfor signing (sha256, sha384, sha512) (default sha256)]\n"); - printf("\t[-palg\tfor PCR bank selection (sha1, sha256, sha384, sha512) (default sha256)]\n"); - printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); - printf("\t[-qd\tqualifying data file name]\n"); -diff --git a/utils/reg.sh b/utils/reg.sh -index 2d9d100..671720f 100755 ---- a/utils/reg.sh -+++ b/utils/reg.sh -@@ -70,11 +70,20 @@ PREFIX=./ - #PREFIX="valgrind ./" - - # hash algorithms to be used for testing -+export RESTRICTED_HASH_ALG - --export ITERATE_ALGS="sha1 sha256 sha384 sha512" --export ITERATE_ALGS_SIZES="20 32 48 64" --export ITERATE_ALGS_COUNT=4 --export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1" -+if [ "${RESTRICTED_HASH_ALG}" ]; then -+ export ITERATE_ALGS="sha256 sha384 sha512" -+ export ITERATE_ALGS_SIZES="32 48 64" -+ export ITERATE_ALGS_COUNT=3 -+ export BAD_ITERATE_ALGS="sha384 sha512 sha256" -+else -+ export ITERATE_ALGS="sha1 sha256 sha384 sha512" -+ export ITERATE_ALGS_SIZES="20 32 48 64" -+ export ITERATE_ALGS_COUNT=4 -+ export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1" -+fi -+export ITERATE_ALGS_WITH_SHA1="sha1 sha256 sha384 sha512" - - printUsage () - { -diff --git a/utils/regtests/testattest.sh b/utils/regtests/testattest.sh -index 2dacf88..044d35f 100755 ---- a/utils/regtests/testattest.sh -+++ b/utils/regtests/testattest.sh -@@ -379,21 +379,26 @@ echo "" - echo "Audit a PCR Read" - echo "" - --for HALG in ${ITERATE_ALGS} -+for HALG in ${ITERATE_ALGS_WITH_SHA1} - do -+ if [ "${HALG}" = "sha1" ] && [ "${RESTRICTED_HASH_ALG}" ]; then -+ ALT_HALG=sha256 -+ else -+ ALT_HALG=${HALG} -+ fi - - echo "Start an audit session ${HALG}" -- ${PREFIX}startauthsession -se h -halg ${HALG} > run.out -+ ${PREFIX}startauthsession -se h -halg ${ALT_HALG} > run.out - checkSuccess $? - - echo "PCR 16 reset" - ${PREFIX}pcrreset -ha 16 > run.out - checkSuccess $? - -- cp policies/zero${HALG}.bin tmpdigestr.bin -+ cp policies/zero${ALT_HALG}.bin tmpdigestr.bin - - echo "PCR 16 read ${HALG}" -- ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out -+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${ALT_HALG} -iosad tmpdigestr.bin > run.out - checkSuccess $? - - echo "Get session audit digest" -@@ -409,7 +414,7 @@ do - checkSuccess $? - - echo "PCR 16 read ${HALG}" -- ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out -+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${ALT_HALG} -iosad tmpdigestr.bin > run.out - checkSuccess $? - - echo "Get session audit digest" -diff --git a/utils/regtests/testevent.sh b/utils/regtests/testevent.sh -index 6336920..57a96d2 100755 ---- a/utils/regtests/testevent.sh -+++ b/utils/regtests/testevent.sh -@@ -62,7 +62,7 @@ echo "" - - for TYPE in "1" "2" - do -- for HALG in ${ITERATE_ALGS} -+ for HALG in ${ITERATE_ALGS_WITH_SHA1} - do - - echo "Power cycle to reset IMA PCR" -diff --git a/utils/rsadecrypt.c b/utils/rsadecrypt.c -index e2846af..a521edf 100644 ---- a/utils/rsadecrypt.c -+++ b/utils/rsadecrypt.c -@@ -130,10 +130,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-oid") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -391,7 +388,6 @@ static TPM_RC padData(uint8_t **buffer, - uint16_t digestSize; - const uint8_t *oid; - uint16_t oidSize; -- const uint8_t sha1Oid[] = {SHA1_DER}; - const uint8_t sha256Oid[] = {SHA256_DER}; - const uint8_t sha384Oid[] = {SHA384_DER}; - const uint8_t sha512Oid[] = {SHA512_DER}; -@@ -419,10 +415,6 @@ static TPM_RC padData(uint8_t **buffer, - /* determine the OID */ - if (rc == 0) { - switch (halg) { -- case TPM_ALG_SHA1: -- oid = sha1Oid; -- oidSize = SHA1_DER_SIZE; -- break; - case TPM_ALG_SHA256: - oid = sha256Oid; - oidSize = SHA256_DER_SIZE; -@@ -499,7 +491,7 @@ static void printUsage(void) - printf("\t[-ipwdk\tpassword file for key, nul terminated (default empty)]\n"); - printf("\t-ie\tencrypt file name\n"); - printf("\t-od\tdecrypt file name (default do not save)\n"); -- printf("\t[-oid\t(sha1, sha256, sha384 sha512)]\n"); -+ printf("\t[-oid\t(sha256, sha384 sha512)]\n"); - printf("\t\toptionally add OID and PKCS1 padding to the\n"); - printf("\t\tencrypt data (demo of signing with arbitrary OID)\n"); - printf("\n"); -diff --git a/utils/setcommandcodeauditstatus.c b/utils/setcommandcodeauditstatus.c -index 7a880ae..7a95a59 100644 ---- a/utils/setcommandcodeauditstatus.c -+++ b/utils/setcommandcodeauditstatus.c -@@ -125,10 +125,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- in.auditAlg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - in.auditAlg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -287,7 +284,7 @@ static void printUsage(void) - printf("\n"); - printf("\t[-hi\tauthhandle hierarchy (o, p) (default platform)]\n"); - printf("\t[-pwda\tauthorization password (default empty)]\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512, null) (default null)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512, null) (default null)]\n"); - printf("\t[-set\tcommand code to set (may be specified more than once (default none)]\n"); - printf("\t[-clr\tcommand code to clear (may be specified more than once (default none)]\n"); - printf("\n"); -diff --git a/utils/setprimarypolicy.c b/utils/setprimarypolicy.c -index 619937f..100e265 100644 ---- a/utils/setprimarypolicy.c -+++ b/utils/setprimarypolicy.c -@@ -113,9 +113,6 @@ int main(int argc, char *argv[]) - if (strcmp(argv[i],"sha256") == 0) { - in.hashAlg = TPM_ALG_SHA256; - } -- else if (strcmp(argv[i],"sha1") == 0) { -- in.hashAlg = TPM_ALG_SHA1; -- } - else { - printf("Bad parameter %s for -halg\n", argv[i]); - printUsage(); -@@ -291,7 +288,7 @@ static void printUsage(void) - printf("\t[-hi\tauthhandle hierarchy (l, e, o, p) (default platform)]\n"); - printf("\t[-pwda\tauthorization password (default empty)]\n"); - printf("\t[-pol\tpolicy file (default empty policy)]\n"); -- printf("\t[-halg\t(sha1, sha256) (default null)]\n"); -+ printf("\t[-halg\t(sha256) (default null)]\n"); - printf("\n"); - printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); - printf("\t01\tcontinue\n"); -diff --git a/utils/sign.c b/utils/sign.c -index ba2be27..d37f786 100644 ---- a/utils/sign.c -+++ b/utils/sign.c -@@ -123,10 +123,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -474,7 +471,7 @@ static void printUsage(void) - printf("\t-hk\tkey handle\n"); - printf("\t-if\tinput message to hash and sign\n"); - printf("\t[-pwdk\tpassword for key (default empty)]\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); - printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n"); - printf("\t[-scheme signing scheme (rsassa, rsapss, ecdsa, ecdaa, hmac)]\n"); - printf("\t\t(default rsassa, ecdsa, hmac)]\n"); -diff --git a/utils/startauthsession.c b/utils/startauthsession.c -index d47c731..93dc511 100644 ---- a/utils/startauthsession.c -+++ b/utils/startauthsession.c -@@ -88,10 +88,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -291,7 +288,7 @@ static void printUsage(void) - printf("\t\tp Policy session\n"); - printf("\t\tt Trial policy session\n"); - printf("\n"); -- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n"); - printf("\t[-hs\tsalt handle (default TPM_RH_NULL)]\n"); - printf("\t[-bi\tbind handle (default TPM_RH_NULL)]\n"); - printf("\t[-pwdb\tbind password for bind handle (default empty)]\n"); -diff --git a/utils/verifysignature.c b/utils/verifysignature.c -index 57978d5..7603a1f 100644 ---- a/utils/verifysignature.c -+++ b/utils/verifysignature.c -@@ -133,10 +133,7 @@ int main(int argc, char *argv[]) - else if (strcmp(argv[i],"-halg") == 0) { - i++; - if (i < argc) { -- if (strcmp(argv[i],"sha1") == 0) { -- halg = TPM_ALG_SHA1; -- } -- else if (strcmp(argv[i],"sha256") == 0) { -+ if (strcmp(argv[i],"sha256") == 0) { - halg = TPM_ALG_SHA256; - } - else if (strcmp(argv[i],"sha384") == 0) { -@@ -473,7 +470,7 @@ static void printUsage(void) - printf("\n"); - printf("\t[-tk\tticket file name (requires -hk)]\n"); - printf("\n"); -- printf("\t[-halg\t(sha1, sha256, sha384 sha512) (default sha256)]\n"); -+ printf("\t[-halg\t(sha256, sha384 sha512) (default sha256)]\n"); - printf("\n"); - printf("\t[Asymmetric Key Algorithm]\n"); - printf("\n"); --- -2.34.1 - diff --git a/SOURCES/0003-tss-Restrict-usage-of-SHA-1.patch b/SOURCES/0003-tss-Restrict-usage-of-SHA-1.patch new file mode 100644 index 0000000..dcf3972 --- /dev/null +++ b/SOURCES/0003-tss-Restrict-usage-of-SHA-1.patch @@ -0,0 +1,907 @@ +From 163843248ce6bb85fa5a3527f93610328877a1cf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= + +Date: Sat, 30 Apr 2022 22:15:43 +0200 +Subject: [PATCH 3/4] tss: Restrict usage of SHA-1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Due to SHA-1 not being considered secure, it should be not used for +cryptographical purposes. This commit disables the usage of SHA-1 in +cases where it is used in potentially exploitable situations, most +notably for creating signatures. + +- Compared to the next branch commit af3154e2, changes related to + unimplemented ECC functionality are ommited. + +Signed-off-by: Štěpán Horáček +Signed-off-by: Ken Goldman +--- + configure.ac | 24 +- + utils/Makefile.am | 16 +- + utils/cryptoutils.c | 4 + + utils/reg.sh | 20 +- + utils/regtests/testattest.sh | 3 +- + utils/regtests/testevent.sh | 2 +- + utils/tss20.c | 638 ++++++++++++++++++++++++++++------- + utils/tsscryptoh.c | 9 +- + 8 files changed, 582 insertions(+), 134 deletions(-) + +diff --git a/configure.ac b/configure.ac +index ad870b1..c570cb0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -123,6 +123,11 @@ AC_ARG_ENABLE(rmtpm, + AM_CONDITIONAL([CONFIG_RMTPM], [test "x$enable_rmtpm" = "xyes"]) + AS_IF([test "$enable_rmtpm" != "yes"], [enable_rmtpm="no"]) + ++AC_ARG_ENABLE(nodeprecatedalgs, ++ AS_HELP_STRING([--enable-nodeprecatedalgs], [Restrict usage of SHA-1])) ++ AM_CONDITIONAL([CONFIG_TSS_NODEPRECATEDALGS], [test "x$enable_nodeprecatedalgs" = "xyes"]) ++ AS_IF([test "$enable_nodeprecatedalgs" != "yes"], [enable_nodeprecatedalgs="no"]) ++ + AC_CONFIG_FILES([Makefile + utils/Makefile + utils12/Makefile +@@ -131,12 +136,13 @@ AC_OUTPUT + + # Give some feedback + echo "Configuration:" +-echo " CFLAGS: $CFLAGS" +-echo " tpm12: $tpm12" +-echo " tpm20: $tpm20" +-echo " hwtpm: $enable_hwtpm" +-echo " rmtpm: $enable_rmtpm" +-echo " nofile: $enable_nofile" +-echo " noprint: $enable_noprint" +-echo " nocrypto: $enable_nocrypto" +-echo " noecc: $enable_noecc" ++echo " CFLAGS: $CFLAGS" ++echo " tpm12: $tpm12" ++echo " tpm20: $tpm20" ++echo " hwtpm: $enable_hwtpm" ++echo " rmtpm: $enable_rmtpm" ++echo " nofile: $enable_nofile" ++echo " noprint: $enable_noprint" ++echo " nocrypto: $enable_nocrypto" ++echo " noecc: $enable_noecc" ++echo " nodeprecatedalgs: $enable_nodeprecatedalgs" +diff --git a/utils/Makefile.am b/utils/Makefile.am +index d3af94e..53c53d9 100755 +--- a/utils/Makefile.am ++++ b/utils/Makefile.am +@@ -60,6 +60,10 @@ if CONFIG_TSS_NOECC + libibmtss_la_CFLAGS += -DTPM_TSS_NOECC + endif + ++if CONFIG_TSS_NODEPRECATEDALGS ++libibmtss_la_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS ++endif ++ + libibmtss_la_CCFLAGS = -Wall -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wformat=2 -Wold-style-definition -Wno-self-assign -ggdb + libibmtss_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@ + +@@ -78,6 +82,10 @@ if CONFIG_TSS_NOECC + libibmtssutils_la_CFLAGS += -DTPM_TSS_NOECC + endif + ++if CONFIG_TSS_NODEPRECATEDALGS ++libibmtssutils_la_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS ++endif ++ + #current[:revision[:age]] + #result: [current-age].age.revision + libibmtssutils_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@ +@@ -115,8 +123,14 @@ bin_PROGRAMS = activatecredential eventextend imaextend certify certifycreation + verifysignature zgen2phase signapp writeapp timepacket createek createekcert tpm2pem tpmpublic2eccpoint \ + ntc2getconfig ntc2preconfig ntc2lockconfig publicname tpmcmd printattr + ++UTILS_CFLAGS = ++ + if CONFIG_TSS_NOECC +-UTILS_CFLAGS = -DTPM_TSS_NOECC ++UTILS_CFLAGS += -DTPM_TSS_NOECC ++endif ++ ++if CONFIG_TSS_NODEPRECATEDALGS ++UTILS_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS + endif + + activatecredential_SOURCES = activatecredential.c +diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c +index 7c4e931..9ac77a1 100644 +--- a/utils/cryptoutils.c ++++ b/utils/cryptoutils.c +@@ -1834,9 +1834,11 @@ TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength, + /* map the hash algorithm to the openssl NID */ + if (rc == 0) { + switch (hashAlg) { ++#ifndef TPM_TSS_NODEPRECATEDALGS + case TPM_ALG_SHA1: + nid = NID_sha1; + break; ++#endif + case TPM_ALG_SHA256: + nid = NID_sha256; + break; +@@ -1896,10 +1898,12 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message, + /* map from hash algorithm to openssl nid */ + if (rc == 0) { + switch (halg) { ++#ifndef TPM_TSS_NODEPRECATEDALGS + case TPM_ALG_SHA1: + nid = NID_sha1; + md = EVP_sha1(); + break; ++#endif + case TPM_ALG_SHA256: + nid = NID_sha256; + md = EVP_sha256(); +diff --git a/utils/reg.sh b/utils/reg.sh +index 2d9d100..02d7d5f 100755 +--- a/utils/reg.sh ++++ b/utils/reg.sh +@@ -69,12 +69,20 @@ PREFIX=./ + + #PREFIX="valgrind ./" + +-# hash algorithms to be used for testing +- +-export ITERATE_ALGS="sha1 sha256 sha384 sha512" +-export ITERATE_ALGS_SIZES="20 32 48 64" +-export ITERATE_ALGS_COUNT=4 +-export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1" ++# Hash algorithms to be used for testing. Uncomment or set shell env variable to restrict. ++# export TPM_TSS_NODEPRECATEDALGS=1 ++if [ "${TPM_TSS_NODEPRECATEDALGS}" ]; then ++ export ITERATE_ALGS="sha256 sha384 sha512" ++ export ITERATE_ALGS_SIZES="32 48 64" ++ export ITERATE_ALGS_COUNT=3 ++ export BAD_ITERATE_ALGS="sha384 sha512 sha256" ++else ++ export ITERATE_ALGS="sha1 sha256 sha384 sha512" ++ export ITERATE_ALGS_SIZES="20 32 48 64" ++ export ITERATE_ALGS_COUNT=4 ++ export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1" ++fi ++export ITERATE_ALGS_WITH_SHA1="sha1 sha256 sha384 sha512" + + printUsage () + { +diff --git a/utils/regtests/testattest.sh b/utils/regtests/testattest.sh +index 2dacf88..4766554 100755 +--- a/utils/regtests/testattest.sh ++++ b/utils/regtests/testattest.sh +@@ -381,9 +381,8 @@ echo "" + + for HALG in ${ITERATE_ALGS} + do +- + echo "Start an audit session ${HALG}" +- ${PREFIX}startauthsession -se h -halg ${HALG} > run.out ++ ${PREFIX}startauthsession -se h -halg ${HALG} > run.out + checkSuccess $? + + echo "PCR 16 reset" +diff --git a/utils/regtests/testevent.sh b/utils/regtests/testevent.sh +index 6336920..57a96d2 100755 +--- a/utils/regtests/testevent.sh ++++ b/utils/regtests/testevent.sh +@@ -62,7 +62,7 @@ echo "" + + for TYPE in "1" "2" + do +- for HALG in ${ITERATE_ALGS} ++ for HALG in ${ITERATE_ALGS_WITH_SHA1} + do + + echo "Power cycle to reset IMA PCR" +diff --git a/utils/tss20.c b/utils/tss20.c +index c778069..6b1e79b 100644 +--- a/utils/tss20.c ++++ b/utils/tss20.c +@@ -112,6 +112,7 @@ struct TSS_HMAC_CONTEXT { + + /* functions for command pre- and post- processing */ + ++typedef TPM_RC (*TSS_CheckParametersFunction_t)(COMMAND_PARAMETERS *in); + typedef TPM_RC (*TSS_PreProcessFunction_t)(TSS_CONTEXT *tssContext, + COMMAND_PARAMETERS *in, + EXTRA_PARAMETERS *extra); +@@ -238,11 +239,378 @@ static TPM_RC TSS_PO_NV_ReadLock(TSS_CONTEXT *tssContext, + void *out, + void *extra); + ++/* ++ Functions to check for usage of deprecated algorithms. ++*/ ++ ++static TPM_RC TSS_CheckSha1_PublicArea(TPMT_PUBLIC *publicArea) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (publicArea->nameAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ if (rc == 0) { ++ if (((publicArea->type == TPM_ALG_RSA) || (publicArea->type == TPM_ALG_ECC)) && ++ (publicArea->parameters.asymDetail.scheme.scheme != TPM_ALG_NULL) && ++ (publicArea->parameters.asymDetail.scheme.details.anySig.hashAlg == TPM_ALG_SHA1)) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CheckSha1_SigScheme(TPMT_SIG_SCHEME *sigScheme) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (sigScheme->details.any.hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_StartAuthSession(StartAuthSession_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->authHash == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Create(Create_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Load(Load_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_LoadExternal(LoadExternal_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_CreateLoaded(CreateLoaded_In *in) ++{ ++ TPM_RC rc = 0; ++ uint32_t size = sizeof(in->inPublic.t.buffer); ++ uint8_t *buffer = in->inPublic.t.buffer; ++ TPMT_PUBLIC publicArea; ++ ++ if (rc == 0) { ++ rc = TSS_TPMT_PUBLIC_Unmarshalu(&publicArea, &buffer, &size, TRUE); ++ } ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Import(Import_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&in->objectPublic.publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_RSA_Encrypt(RSA_Encrypt_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->inScheme.details.anySig.hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_RSA_Decrypt(RSA_Decrypt_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->inScheme.details.anySig.hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Hash(Hash_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_HMAC(HMAC_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_HMAC_Start(HMAC_Start_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_HashSequenceStart(HashSequenceStart_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Certify(Certify_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_CertifyX509(CertifyX509_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_CertifyCreation(CertifyCreation_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Quote(Quote_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_GetSessionAuditDigest(GetSessionAuditDigest_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_GetCommandAuditDigest(GetCommandAuditDigest_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_GetTime(GetTime_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_VerifySignature(VerifySignature_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->signature.signature.any.hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Sign(Sign_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_SetCommandCodeAuditStatus(SetCommandCodeAuditStatus_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->auditAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_PolicySigned(PolicySigned_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->auth.signature.any.hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_CreatePrimary(CreatePrimary_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_SetPrimaryPolicy(SetPrimaryPolicy_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_NV_DefineSpace(NV_DefineSpace_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->publicInfo.nvPublic.nameAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_NV_Certify(NV_Certify_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ + typedef struct TSS_TABLE { +- TPM_CC commandCode; +- TSS_PreProcessFunction_t preProcessFunction; +- TSS_ChangeAuthFunction_t changeAuthFunction; +- TSS_PostProcessFunction_t postProcessFunction; ++ TPM_CC commandCode; ++ TSS_CheckParametersFunction_t checkParametersFunction; ++ TSS_PreProcessFunction_t preProcessFunction; ++ TSS_ChangeAuthFunction_t changeAuthFunction; ++ TSS_PostProcessFunction_t postProcessFunction; + } TSS_TABLE; + + /* This table indexes from the command to pre- and post- processing functions. A missing entry is +@@ -250,116 +618,116 @@ typedef struct TSS_TABLE { + + static const TSS_TABLE tssTable [] = { + +- {TPM_CC_Startup, NULL, NULL, NULL}, +- {TPM_CC_Shutdown, NULL, NULL, NULL}, +- {TPM_CC_SelfTest, NULL, NULL, NULL}, +- {TPM_CC_IncrementalSelfTest, NULL, NULL, NULL}, +- {TPM_CC_GetTestResult, NULL, NULL, NULL}, +- {TPM_CC_StartAuthSession, (TSS_PreProcessFunction_t)TSS_PR_StartAuthSession, NULL, (TSS_PostProcessFunction_t)TSS_PO_StartAuthSession}, +- {TPM_CC_PolicyRestart, NULL, NULL, NULL}, +- {TPM_CC_Create, NULL, NULL, NULL}, +- {TPM_CC_Load, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_Load}, +- {TPM_CC_LoadExternal, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_LoadExternal}, +- {TPM_CC_ReadPublic, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ReadPublic}, +- {TPM_CC_ActivateCredential, NULL, NULL, NULL}, +- {TPM_CC_MakeCredential, NULL, NULL, NULL}, +- {TPM_CC_Unseal, NULL, NULL, NULL}, +- {TPM_CC_ObjectChangeAuth, NULL, NULL, NULL}, +- {TPM_CC_CreateLoaded, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreateLoaded}, +- {TPM_CC_Duplicate, NULL, NULL, NULL}, +- {TPM_CC_Rewrap, NULL, NULL, NULL}, +- {TPM_CC_Import, NULL, NULL, NULL}, +- {TPM_CC_RSA_Encrypt, NULL, NULL, NULL}, +- {TPM_CC_RSA_Decrypt, NULL, NULL, NULL}, +- {TPM_CC_ECDH_KeyGen, NULL, NULL, NULL}, +- {TPM_CC_ECDH_ZGen, NULL, NULL, NULL}, +- {TPM_CC_ECC_Parameters, NULL, NULL, NULL}, +- {TPM_CC_ZGen_2Phase, NULL, NULL, NULL}, +- {TPM_CC_EncryptDecrypt, NULL, NULL, NULL}, +- {TPM_CC_EncryptDecrypt2, NULL, NULL, NULL}, +- {TPM_CC_Hash, NULL, NULL, NULL}, +- {TPM_CC_HMAC, NULL, NULL, NULL}, +- {TPM_CC_GetRandom, NULL, NULL, NULL}, +- {TPM_CC_StirRandom, NULL, NULL, NULL}, +- {TPM_CC_HMAC_Start, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HMAC_Start}, +- {TPM_CC_HashSequenceStart, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HashSequenceStart}, +- {TPM_CC_SequenceUpdate, NULL, NULL, NULL}, +- {TPM_CC_SequenceComplete, NULL,NULL, (TSS_PostProcessFunction_t)TSS_PO_SequenceComplete}, +- {TPM_CC_EventSequenceComplete, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EventSequenceComplete}, +- {TPM_CC_Certify, NULL, NULL, NULL}, +- {TPM_CC_CertifyX509, NULL, NULL, NULL}, +- {TPM_CC_CertifyCreation, NULL, NULL, NULL}, +- {TPM_CC_Quote, NULL, NULL, NULL}, +- {TPM_CC_GetSessionAuditDigest, NULL, NULL, NULL}, +- {TPM_CC_GetCommandAuditDigest, NULL, NULL, NULL}, +- {TPM_CC_GetTime, NULL, NULL, NULL}, +- {TPM_CC_Commit, NULL, NULL, NULL}, +- {TPM_CC_EC_Ephemeral, NULL, NULL, NULL}, +- {TPM_CC_VerifySignature, NULL, NULL, NULL}, +- {TPM_CC_Sign, NULL, NULL, NULL}, +- {TPM_CC_SetCommandCodeAuditStatus, NULL, NULL, NULL}, +- {TPM_CC_PCR_Extend, NULL, NULL, NULL}, +- {TPM_CC_PCR_Event, NULL, NULL, NULL}, +- {TPM_CC_PCR_Read, NULL, NULL, NULL}, +- {TPM_CC_PCR_Allocate, NULL, NULL, NULL}, +- {TPM_CC_PCR_SetAuthPolicy, NULL, NULL, NULL}, +- {TPM_CC_PCR_SetAuthValue, NULL, NULL, NULL}, +- {TPM_CC_PCR_Reset, NULL, NULL, NULL}, +- {TPM_CC_PolicySigned, NULL, NULL, NULL}, +- {TPM_CC_PolicySecret, NULL, NULL, NULL}, +- {TPM_CC_PolicyTicket, NULL, NULL, NULL}, +- {TPM_CC_PolicyOR, NULL, NULL, NULL}, +- {TPM_CC_PolicyPCR, NULL, NULL, NULL}, +- {TPM_CC_PolicyLocality, NULL, NULL, NULL}, +- {TPM_CC_PolicyNV, NULL, NULL, NULL}, +- {TPM_CC_PolicyAuthorizeNV, NULL, NULL, NULL}, +- {TPM_CC_PolicyCounterTimer, NULL, NULL, NULL}, +- {TPM_CC_PolicyCommandCode, NULL, NULL, NULL}, +- {TPM_CC_PolicyPhysicalPresence, NULL, NULL, NULL}, +- {TPM_CC_PolicyCpHash, NULL, NULL, NULL}, +- {TPM_CC_PolicyNameHash, NULL, NULL, NULL}, +- {TPM_CC_PolicyDuplicationSelect, NULL, NULL, NULL}, +- {TPM_CC_PolicyAuthorize, NULL, NULL, NULL}, +- {TPM_CC_PolicyAuthValue, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyAuthValue}, +- {TPM_CC_PolicyPassword, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyPassword}, +- {TPM_CC_PolicyGetDigest, NULL, NULL, NULL}, +- {TPM_CC_PolicyNvWritten, NULL, NULL, NULL}, +- {TPM_CC_PolicyTemplate, NULL, NULL, NULL}, +- {TPM_CC_CreatePrimary, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreatePrimary}, +- {TPM_CC_HierarchyControl, NULL, NULL, NULL}, +- {TPM_CC_SetPrimaryPolicy, NULL, NULL, NULL}, +- {TPM_CC_ChangePPS, NULL, NULL, NULL}, +- {TPM_CC_ChangeEPS, NULL, NULL, NULL}, +- {TPM_CC_Clear, NULL, NULL, NULL}, +- {TPM_CC_ClearControl, NULL, NULL, NULL}, +- {TPM_CC_HierarchyChangeAuth, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_HierarchyChangeAuth, NULL}, +- {TPM_CC_DictionaryAttackLockReset, NULL, NULL, NULL}, +- {TPM_CC_DictionaryAttackParameters, NULL, NULL, NULL}, +- {TPM_CC_PP_Commands, NULL, NULL, NULL}, +- {TPM_CC_SetAlgorithmSet, NULL, NULL, NULL}, +- {TPM_CC_ContextSave, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextSave}, +- {TPM_CC_ContextLoad, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextLoad}, +- {TPM_CC_FlushContext, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_FlushContext}, +- {TPM_CC_EvictControl, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EvictControl}, +- {TPM_CC_ReadClock, NULL, NULL, NULL}, +- {TPM_CC_ClockSet, NULL, NULL, NULL}, +- {TPM_CC_ClockRateAdjust, NULL, NULL, NULL}, +- {TPM_CC_GetCapability, NULL, NULL, NULL}, +- {TPM_CC_TestParms, NULL, NULL, NULL}, +- {TPM_CC_NV_DefineSpace, (TSS_PreProcessFunction_t)TSS_PR_NV_DefineSpace, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_DefineSpace}, +- {TPM_CC_NV_UndefineSpace, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpace}, +- {TPM_CC_NV_UndefineSpaceSpecial, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_UndefineSpaceSpecial, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpaceSpecial}, +- {TPM_CC_NV_ReadPublic, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadPublic}, +- {TPM_CC_NV_Write, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, +- {TPM_CC_NV_Increment, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, +- {TPM_CC_NV_Extend, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, +- {TPM_CC_NV_SetBits, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, +- {TPM_CC_NV_WriteLock, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_WriteLock}, +- {TPM_CC_NV_GlobalWriteLock, NULL, NULL, NULL}, +- {TPM_CC_NV_Read, NULL, NULL, NULL}, +- {TPM_CC_NV_ReadLock, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadLock}, +- {TPM_CC_NV_ChangeAuth, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_ChangeAuth, NULL}, +- {TPM_CC_NV_Certify, NULL, NULL, NULL} ++ {TPM_CC_Startup, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Shutdown, NULL, NULL, NULL, NULL}, ++ {TPM_CC_SelfTest, NULL, NULL, NULL, NULL}, ++ {TPM_CC_IncrementalSelfTest, NULL, NULL, NULL, NULL}, ++ {TPM_CC_GetTestResult, NULL, NULL, NULL, NULL}, ++ {TPM_CC_StartAuthSession, (TSS_CheckParametersFunction_t)TSS_CH_StartAuthSession, (TSS_PreProcessFunction_t)TSS_PR_StartAuthSession, NULL, (TSS_PostProcessFunction_t)TSS_PO_StartAuthSession}, ++ {TPM_CC_PolicyRestart, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Create, (TSS_CheckParametersFunction_t)TSS_CH_Create, NULL, NULL, NULL}, ++ {TPM_CC_Load, (TSS_CheckParametersFunction_t)TSS_CH_Load, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_Load}, ++ {TPM_CC_LoadExternal, (TSS_CheckParametersFunction_t)TSS_CH_LoadExternal, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_LoadExternal}, ++ {TPM_CC_ReadPublic, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ReadPublic}, ++ {TPM_CC_ActivateCredential, NULL, NULL, NULL, NULL}, ++ {TPM_CC_MakeCredential, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Unseal, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ObjectChangeAuth, NULL, NULL, NULL, NULL}, ++ {TPM_CC_CreateLoaded, (TSS_CheckParametersFunction_t)TSS_CH_CreateLoaded, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreateLoaded}, ++ {TPM_CC_Duplicate, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Rewrap, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Import, (TSS_CheckParametersFunction_t)TSS_CH_Import, NULL, NULL, NULL}, ++ {TPM_CC_RSA_Encrypt, (TSS_CheckParametersFunction_t)TSS_CH_RSA_Encrypt, NULL, NULL, NULL}, ++ {TPM_CC_RSA_Decrypt, (TSS_CheckParametersFunction_t)TSS_CH_RSA_Decrypt, NULL, NULL, NULL}, ++ {TPM_CC_ECDH_KeyGen, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ECDH_ZGen, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ECC_Parameters, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ZGen_2Phase, NULL, NULL, NULL, NULL}, ++ {TPM_CC_EncryptDecrypt, NULL, NULL, NULL, NULL}, ++ {TPM_CC_EncryptDecrypt2, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Hash, (TSS_CheckParametersFunction_t)TSS_CH_Hash, NULL, NULL, NULL}, ++ {TPM_CC_HMAC, (TSS_CheckParametersFunction_t)TSS_CH_HMAC, NULL, NULL, NULL}, ++ {TPM_CC_GetRandom, NULL, NULL, NULL, NULL}, ++ {TPM_CC_StirRandom, NULL, NULL, NULL, NULL}, ++ {TPM_CC_HMAC_Start, (TSS_CheckParametersFunction_t)TSS_CH_HMAC_Start, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HMAC_Start}, ++ {TPM_CC_HashSequenceStart, (TSS_CheckParametersFunction_t)TSS_CH_HashSequenceStart, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HashSequenceStart}, ++ {TPM_CC_SequenceUpdate, NULL, NULL, NULL, NULL}, ++ {TPM_CC_SequenceComplete, NULL, NULL,NULL, (TSS_PostProcessFunction_t)TSS_PO_SequenceComplete}, ++ {TPM_CC_EventSequenceComplete, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EventSequenceComplete}, ++ {TPM_CC_Certify, (TSS_CheckParametersFunction_t)TSS_CH_Certify, NULL, NULL, NULL}, ++ {TPM_CC_CertifyX509, (TSS_CheckParametersFunction_t)TSS_CH_CertifyX509, NULL, NULL, NULL}, ++ {TPM_CC_CertifyCreation, (TSS_CheckParametersFunction_t)TSS_CH_CertifyCreation, NULL, NULL, NULL}, ++ {TPM_CC_Quote, (TSS_CheckParametersFunction_t)TSS_CH_Quote, NULL, NULL, NULL}, ++ {TPM_CC_GetSessionAuditDigest, (TSS_CheckParametersFunction_t)TSS_CH_GetSessionAuditDigest, NULL, NULL, NULL}, ++ {TPM_CC_GetCommandAuditDigest, (TSS_CheckParametersFunction_t)TSS_CH_GetCommandAuditDigest, NULL, NULL, NULL}, ++ {TPM_CC_GetTime, (TSS_CheckParametersFunction_t)TSS_CH_GetTime, NULL, NULL, NULL}, ++ {TPM_CC_Commit, NULL, NULL, NULL, NULL}, ++ {TPM_CC_EC_Ephemeral, NULL, NULL, NULL, NULL}, ++ {TPM_CC_VerifySignature, (TSS_CheckParametersFunction_t)TSS_CH_VerifySignature, NULL, NULL, NULL}, ++ {TPM_CC_Sign, (TSS_CheckParametersFunction_t)TSS_CH_Sign, NULL, NULL, NULL}, ++ {TPM_CC_SetCommandCodeAuditStatus, (TSS_CheckParametersFunction_t)TSS_CH_SetCommandCodeAuditStatus, NULL, NULL, NULL}, ++ {TPM_CC_PCR_Extend, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_Event, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_Read, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_Allocate, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_SetAuthPolicy, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_SetAuthValue, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_Reset, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicySigned, (TSS_CheckParametersFunction_t)TSS_CH_PolicySigned, NULL, NULL, NULL}, ++ {TPM_CC_PolicySecret, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyTicket, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyOR, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyPCR, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyLocality, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyNV, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyAuthorizeNV, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyCounterTimer, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyCommandCode, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyPhysicalPresence, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyCpHash, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyNameHash, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyDuplicationSelect, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyAuthorize, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyAuthValue, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyAuthValue}, ++ {TPM_CC_PolicyPassword, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyPassword}, ++ {TPM_CC_PolicyGetDigest, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyNvWritten, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyTemplate, NULL, NULL, NULL, NULL}, ++ {TPM_CC_CreatePrimary, (TSS_CheckParametersFunction_t)TSS_CH_CreatePrimary, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreatePrimary}, ++ {TPM_CC_HierarchyControl, NULL, NULL, NULL, NULL}, ++ {TPM_CC_SetPrimaryPolicy, (TSS_CheckParametersFunction_t)TSS_CH_SetPrimaryPolicy, NULL, NULL, NULL}, ++ {TPM_CC_ChangePPS, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ChangeEPS, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Clear, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ClearControl, NULL, NULL, NULL, NULL}, ++ {TPM_CC_HierarchyChangeAuth, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_HierarchyChangeAuth, NULL}, ++ {TPM_CC_DictionaryAttackLockReset, NULL, NULL, NULL, NULL}, ++ {TPM_CC_DictionaryAttackParameters, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PP_Commands, NULL, NULL, NULL, NULL}, ++ {TPM_CC_SetAlgorithmSet, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ContextSave, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextSave}, ++ {TPM_CC_ContextLoad, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextLoad}, ++ {TPM_CC_FlushContext, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_FlushContext}, ++ {TPM_CC_EvictControl, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EvictControl}, ++ {TPM_CC_ReadClock, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ClockSet, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ClockRateAdjust, NULL, NULL, NULL, NULL}, ++ {TPM_CC_GetCapability, NULL, NULL, NULL, NULL}, ++ {TPM_CC_TestParms, NULL, NULL, NULL, NULL}, ++ {TPM_CC_NV_DefineSpace, (TSS_CheckParametersFunction_t)TSS_CH_NV_DefineSpace, (TSS_PreProcessFunction_t)TSS_PR_NV_DefineSpace, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_DefineSpace}, ++ {TPM_CC_NV_UndefineSpace, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpace}, ++ {TPM_CC_NV_UndefineSpaceSpecial, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_UndefineSpaceSpecial, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpaceSpecial}, ++ {TPM_CC_NV_ReadPublic, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadPublic}, ++ {TPM_CC_NV_Write, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, ++ {TPM_CC_NV_Increment, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, ++ {TPM_CC_NV_Extend, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, ++ {TPM_CC_NV_SetBits, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, ++ {TPM_CC_NV_WriteLock, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_WriteLock}, ++ {TPM_CC_NV_GlobalWriteLock, NULL, NULL, NULL, NULL}, ++ {TPM_CC_NV_Read, NULL, NULL, NULL, NULL}, ++ {TPM_CC_NV_ReadLock, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadLock}, ++ {TPM_CC_NV_ChangeAuth, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_ChangeAuth, NULL}, ++ {TPM_CC_NV_Certify, (TSS_CheckParametersFunction_t)TSS_CH_NV_Certify, NULL, NULL, NULL} + }; + + #ifndef TPM_TSS_NO_PRINT +@@ -646,6 +1014,10 @@ static TPM_RC TSS_Command_ChangeAuthProcessor(TSS_CONTEXT *tssContext, + COMMAND_PARAMETERS *in); + #endif /* TPM_TSS_NOCRYPTO */ + ++#ifdef TPM_TSS_NODEPRECATEDALGS ++static TPM_RC TSS_Command_CheckParameters(TPM_CC commandCode, ++ COMMAND_PARAMETERS *in); ++#endif + static TPM_RC TSS_Command_PreProcessor(TSS_CONTEXT *tssContext, + TPM_CC commandCode, + COMMAND_PARAMETERS *in, +@@ -688,6 +1060,12 @@ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext, + { + TPM_RC rc = 0; + ++#ifdef TPM_TSS_NODEPRECATEDALGS ++ if (rc == 0) { ++ rc = TSS_Command_CheckParameters(commandCode, in); ++ } ++#endif ++ + /* create a TSS authorization context */ + if (rc == 0) { + TSS_InitAuthContext(tssContext->tssAuthContext); +@@ -3751,6 +4129,38 @@ static TPM_RC TSS_CA_NV_UndefineSpaceSpecial(TSS_CONTEXT *tssContext, + return rc; + } + ++#ifdef TPM_TSS_NODEPRECATEDALGS ++static TPM_RC TSS_Command_CheckParameters(TPM_CC commandCode, ++ COMMAND_PARAMETERS *in) ++{ ++ TPM_RC rc = 0; ++ size_t index; ++ int found; ++ TSS_CheckParametersFunction_t checkParametersFunction = NULL; ++ ++ /* search the table for a check parameters function */ ++ if (rc == 0) { ++ found = FALSE; ++ for (index = 0 ; (index < (sizeof(tssTable) / sizeof(TSS_TABLE))) && !found ; index++) { ++ if (tssTable[index].commandCode == commandCode) { ++ found = TRUE; ++ break; /* don't increment index if found */ ++ } ++ } ++ } ++ /* found false means there is no check parameters function. This permits the table to be smaller ++ if desired. */ ++ if ((rc == 0) && found) { ++ checkParametersFunction = tssTable[index].checkParametersFunction; ++ /* call the check parameters function if there is one */ ++ if (checkParametersFunction != NULL) { ++ rc = checkParametersFunction(in); ++ } ++ } ++ return rc; ++} ++#endif ++ + /* + Command Pre-Processor + */ +diff --git a/utils/tsscryptoh.c b/utils/tsscryptoh.c +index 197549d..52f4616 100644 +--- a/utils/tsscryptoh.c ++++ b/utils/tsscryptoh.c +@@ -454,7 +454,14 @@ TPM_RC TSS_RSA_padding_add_PKCS1_OAEP(unsigned char *em, uint32_t emLen, + unsigned char *maskedSeed; + + uint16_t hlen = TSS_GetDigestSize(halg); +- em[0] = 0x00; /* firsr byte is 0x00 per the standard */ ++ em[0] = 0x00; /* first byte is 0x00 per the standard */ ++#ifdef TPM_TSS_NODEPRECATEDALGS ++ if (rc == 0) { ++ if (halg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++#endif + /* 1.a. If the length of L is greater than the input limitation for */ + /* the hash function (2^61-1 octets for SHA-1) then output "parameter */ + /* string too long" and stop. */ +-- +2.34.3 + diff --git a/SOURCES/0004-Restrict-SHA-1-in-TSS.patch b/SOURCES/0004-Restrict-SHA-1-in-TSS.patch deleted file mode 100644 index 0cdd45f..0000000 --- a/SOURCES/0004-Restrict-SHA-1-in-TSS.patch +++ /dev/null @@ -1,136 +0,0 @@ -From 506ae7f508cdcaca1cad7433725e8f4c115f843b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= - -Date: Fri, 25 Feb 2022 15:28:28 +0100 -Subject: [PATCH 4/4] Restrict SHA-1 in TSS -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Štěpán Horáček ---- - utils/cryptoutils.c | 4 --- - utils/tss20.c | 81 ++++++++++++++++++++++++++++++++++++++++++++- - 2 files changed, 80 insertions(+), 5 deletions(-) - -diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c -index 7b5de79..98396a7 100644 ---- a/utils/cryptoutils.c -+++ b/utils/cryptoutils.c -@@ -2136,10 +2136,6 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message, - /* map from hash algorithm to openssl nid */ - if (rc == 0) { - switch (halg) { -- case TPM_ALG_SHA1: -- nid = NID_sha1; -- md = EVP_sha1(); -- break; - case TPM_ALG_SHA256: - nid = NID_sha256; - md = EVP_sha256(); -diff --git a/utils/tss20.c b/utils/tss20.c -index c778069..bd05cf3 100644 ---- a/utils/tss20.c -+++ b/utils/tss20.c -@@ -678,6 +678,76 @@ extern int tssVerbose; - extern int tssVverbose; - extern int tssFirstCall; - -+int TSS_CheckSha1_PublicArea(TPMT_PUBLIC *publicArea) -+{ -+ return publicArea->nameAlg == TPM_ALG_SHA1 || -+ ((publicArea->type == TPM_ALG_RSA || publicArea->type == TPM_ALG_ECC) && -+ publicArea->parameters.asymDetail.scheme.scheme != TPM_ALG_NULL && -+ publicArea->parameters.asymDetail.scheme.details.anySig.hashAlg == TPM_ALG_SHA1); -+} -+ -+int TSS_CheckSha1_SigScheme(TPMT_SIG_SCHEME *sigScheme) -+{ -+ return sigScheme->details.any.hashAlg == TPM_ALG_SHA1; -+} -+ -+int TSS_CheckSha1(COMMAND_PARAMETERS *in, -+ TPM_CC commandCode) -+{ -+ switch (commandCode) -+ { -+ case TPM_CC_Certify: -+ return TSS_CheckSha1_SigScheme(&in->Certify.inScheme); -+ case TPM_CC_CertifyCreation: -+ return TSS_CheckSha1_SigScheme(&in->CertifyCreation.inScheme); -+ case TPM_CC_Create: -+ return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea); -+ case TPM_CC_CreateLoaded: -+ return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea); -+ case TPM_CC_CreatePrimary: -+ return TSS_CheckSha1_PublicArea(&in->CreatePrimary.inPublic.publicArea); -+ case TPM_CC_GetCommandAuditDigest: -+ return TSS_CheckSha1_SigScheme(&in->GetCommandAuditDigest.inScheme); -+ case TPM_CC_GetSessionAuditDigest: -+ return TSS_CheckSha1_SigScheme(&in->GetSessionAuditDigest.inScheme); -+ case TPM_CC_GetTime: -+ return TSS_CheckSha1_SigScheme(&in->GetTime.inScheme); -+ case TPM_CC_Hash: -+ return in->Hash.hashAlg == TPM_ALG_SHA1; -+ case TPM_CC_HashSequenceStart: -+ return in->HashSequenceStart.hashAlg == TPM_ALG_SHA1; -+ case TPM_CC_HMAC: -+ return in->HMAC.hashAlg == TPM_ALG_SHA1; -+ case TPM_CC_HMAC_Start: -+ return in->HMAC_Start.hashAlg == TPM_ALG_SHA1; -+ case TPM_CC_Import: -+ return TSS_CheckSha1_PublicArea(&in->Import.objectPublic.publicArea); -+ case TPM_CC_LoadExternal: -+ return TSS_CheckSha1_PublicArea(&in->LoadExternal.inPublic.publicArea); -+ case TPM_CC_NV_Certify: -+ return TSS_CheckSha1_SigScheme(&in->NV_Certify.inScheme); -+ case TPM_CC_NV_DefineSpace: -+ return in->NV_DefineSpace.publicInfo.nvPublic.nameAlg == TPM_ALG_SHA1; -+ case TPM_CC_PolicySigned: -+ return in->PolicySigned.auth.signature.any.hashAlg == TPM_ALG_SHA1; -+ case TPM_CC_Quote: -+ return TSS_CheckSha1_SigScheme(&in->Quote.inScheme); -+ case TPM_CC_RSA_Decrypt: -+ return TSS_CheckSha1_SigScheme(&in->RSA_Decrypt.inScheme); -+ case TPM_CC_SetCommandCodeAuditStatus: -+ return in->SetCommandCodeAuditStatus.auditAlg == TPM_ALG_SHA1; -+ case TPM_CC_SetPrimaryPolicy: -+ return in->SetPrimaryPolicy.hashAlg == TPM_ALG_SHA1; -+ case TPM_CC_Sign: -+ return TSS_CheckSha1_SigScheme(&in->Sign.inScheme); -+ case TPM_CC_StartAuthSession: -+ return in->StartAuthSession.authHash == TPM_ALG_SHA1; -+ case TPM_CC_VerifySignature: -+ return in->VerifySignature.signature.signature.any.hashAlg == TPM_ALG_SHA1; -+ } -+ -+ return 0; -+} - - TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext, - RESPONSE_PARAMETERS *out, -@@ -687,11 +757,20 @@ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext, - va_list ap) - { - TPM_RC rc = 0; -- -+ -+#ifdef RESTRICTED_HASH_ALG -+ if (rc == 0) { -+ if (TSS_CheckSha1(in, commandCode)) { -+ rc = TPM_RC_HASH; -+ } -+ } -+#endif /* RESTRICTED_HASH_ALG */ -+ - /* create a TSS authorization context */ - if (rc == 0) { - TSS_InitAuthContext(tssContext->tssAuthContext); - } -+ - /* handle any command specific command pre-processing */ - if (rc == 0) { - rc = TSS_Command_PreProcessor(tssContext, --- -2.34.1 - diff --git a/SOURCES/0004-man-Include-information-about-possible-hash-restrict.patch b/SOURCES/0004-man-Include-information-about-possible-hash-restrict.patch new file mode 100644 index 0000000..aff8697 --- /dev/null +++ b/SOURCES/0004-man-Include-information-about-possible-hash-restrict.patch @@ -0,0 +1,593 @@ +From df5038caa1785d2661d283e6eeb1d6d5184d5272 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= + +Date: Mon, 2 May 2022 23:51:15 +0200 +Subject: [PATCH 4/4] man: Include information about possible hash restriction +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Štěpán Horáček +Signed-off-by: Ken Goldman +--- + utils/certify.c | 2 ++ + utils/certifycreation.c | 2 ++ + utils/create.c | 2 ++ + utils/createloaded.c | 2 ++ + utils/createprimary.c | 2 ++ + utils/getcommandauditdigest.c | 2 ++ + utils/getsessionauditdigest.c | 2 ++ + utils/gettime.c | 2 ++ + utils/hash.c | 2 ++ + utils/hashsequencestart.c | 2 ++ + utils/hmac.c | 2 ++ + utils/hmacstart.c | 2 ++ + utils/importpem.c | 2 ++ + utils/loadexternal.c | 2 ++ + utils/man/man1/tsscertify.1 | 2 ++ + utils/man/man1/tsscertifycreation.1 | 2 ++ + utils/man/man1/tsscreate.1 | 2 ++ + utils/man/man1/tsscreateloaded.1 | 2 ++ + utils/man/man1/tsscreateprimary.1 | 2 ++ + utils/man/man1/tssgetcommandauditdigest.1 | 2 ++ + utils/man/man1/tssgetsessionauditdigest.1 | 2 ++ + utils/man/man1/tssgettime.1 | 2 ++ + utils/man/man1/tsshash.1 | 2 ++ + utils/man/man1/tsshashsequencestart.1 | 2 ++ + utils/man/man1/tsshmac.1 | 2 ++ + utils/man/man1/tsshmacstart.1 | 2 ++ + utils/man/man1/tssimportpem.1 | 2 ++ + utils/man/man1/tssloadexternal.1 | 2 ++ + utils/man/man1/tssnvcertify.1 | 2 ++ + utils/man/man1/tssnvdefinespace.1 | 2 ++ + utils/man/man1/tsspolicysigned.1 | 2 ++ + utils/man/man1/tssquote.1 | 2 ++ + utils/man/man1/tssrsadecrypt.1 | 2 ++ + utils/man/man1/tsssetcommandcodeauditstatus.1 | 2 ++ + utils/man/man1/tsssetprimarypolicy.1 | 2 ++ + utils/man/man1/tsssign.1 | 2 ++ + utils/man/man1/tssstartauthsession.1 | 2 ++ + utils/man/man1/tssverifysignature.1 | 2 ++ + utils/nvcertify.c | 2 ++ + utils/nvdefinespace.c | 2 ++ + utils/policysigned.c | 2 ++ + utils/quote.c | 2 ++ + utils/rsadecrypt.c | 2 ++ + utils/setcommandcodeauditstatus.c | 2 ++ + utils/setprimarypolicy.c | 2 ++ + utils/sign.c | 2 ++ + utils/startauthsession.c | 2 ++ + utils/verifysignature.c | 2 ++ + 48 files changed, 96 insertions(+) + +diff --git a/utils/certify.c b/utils/certify.c +index f1f54d0..f9a07c5 100644 +--- a/utils/certify.c ++++ b/utils/certify.c +@@ -407,5 +407,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/certifycreation.c b/utils/certifycreation.c +index ab54c0a..b4fa095 100644 +--- a/utils/certifycreation.c ++++ b/utils/certifycreation.c +@@ -449,5 +449,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/create.c b/utils/create.c +index a8b805c..880af28 100644 +--- a/utils/create.c ++++ b/utils/create.c +@@ -710,5 +710,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/createloaded.c b/utils/createloaded.c +index d54f791..5bcf69e 100644 +--- a/utils/createloaded.c ++++ b/utils/createloaded.c +@@ -628,5 +628,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/createprimary.c b/utils/createprimary.c +index 52ae083..81cc91d 100644 +--- a/utils/createprimary.c ++++ b/utils/createprimary.c +@@ -799,5 +799,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/getcommandauditdigest.c b/utils/getcommandauditdigest.c +index a219785..6412d90 100644 +--- a/utils/getcommandauditdigest.c ++++ b/utils/getcommandauditdigest.c +@@ -391,5 +391,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/getsessionauditdigest.c b/utils/getsessionauditdigest.c +index 61b12e6..4138bc7 100644 +--- a/utils/getsessionauditdigest.c ++++ b/utils/getsessionauditdigest.c +@@ -387,5 +387,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/gettime.c b/utils/gettime.c +index b07baf1..547faa9 100644 +--- a/utils/gettime.c ++++ b/utils/gettime.c +@@ -391,5 +391,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/hash.c b/utils/hash.c +index 71b8a7c..5a0df6a 100644 +--- a/utils/hash.c ++++ b/utils/hash.c +@@ -306,5 +306,7 @@ static void printUsage(void) + printf("\t[-ns\tno space, no text, no newlines]\n"); + printf("\t[-oh\thash file name (default do not save)]\n"); + printf("\t[-tk\tticket file name (default do not save)]\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/hashsequencestart.c b/utils/hashsequencestart.c +index d54fadd..88d15fc 100644 +--- a/utils/hashsequencestart.c ++++ b/utils/hashsequencestart.c +@@ -249,5 +249,7 @@ static void printUsage(void) + printf("\t-se[0-2] session handle / attributes (default NULL)\n"); + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/hmac.c b/utils/hmac.c +index be63e1b..7ab2b34 100644 +--- a/utils/hmac.c ++++ b/utils/hmac.c +@@ -352,5 +352,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/hmacstart.c b/utils/hmacstart.c +index 3fdd0f9..171af6c 100644 +--- a/utils/hmacstart.c ++++ b/utils/hmacstart.c +@@ -274,5 +274,7 @@ static void printUsage(void) + printf("\n"); + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/importpem.c b/utils/importpem.c +index 38ad125..75c8cb2 100644 +--- a/utils/importpem.c ++++ b/utils/importpem.c +@@ -486,5 +486,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/loadexternal.c b/utils/loadexternal.c +index 877501c..ff4b46f 100644 +--- a/utils/loadexternal.c ++++ b/utils/loadexternal.c +@@ -538,5 +538,7 @@ static void printUsage(void) + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); + printf("\t80\taudit\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/man/man1/tsscertify.1 b/utils/man/man1/tsscertify.1 +index 6895ee7..7b34e2f 100644 +--- a/utils/man/man1/tsscertify.1 ++++ b/utils/man/man1/tsscertify.1 +@@ -44,3 +44,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsscertifycreation.1 b/utils/man/man1/tsscertifycreation.1 +index 4382ed9..5f51d05 100644 +--- a/utils/man/man1/tsscertifycreation.1 ++++ b/utils/man/man1/tsscertifycreation.1 +@@ -47,3 +47,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsscreate.1 b/utils/man/man1/tsscreate.1 +index b4eda75..92f53a7 100644 +--- a/utils/man/man1/tsscreate.1 ++++ b/utils/man/man1/tsscreate.1 +@@ -125,3 +125,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsscreateloaded.1 b/utils/man/man1/tsscreateloaded.1 +index ccd3d73..7e6c422 100644 +--- a/utils/man/man1/tsscreateloaded.1 ++++ b/utils/man/man1/tsscreateloaded.1 +@@ -126,3 +126,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsscreateprimary.1 b/utils/man/man1/tsscreateprimary.1 +index 895a42e..c189f17 100644 +--- a/utils/man/man1/tsscreateprimary.1 ++++ b/utils/man/man1/tsscreateprimary.1 +@@ -129,3 +129,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssgetcommandauditdigest.1 b/utils/man/man1/tssgetcommandauditdigest.1 +index 34711e0..e67adac 100644 +--- a/utils/man/man1/tssgetcommandauditdigest.1 ++++ b/utils/man/man1/tssgetcommandauditdigest.1 +@@ -41,3 +41,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssgetsessionauditdigest.1 b/utils/man/man1/tssgetsessionauditdigest.1 +index d09c78b..272127e 100644 +--- a/utils/man/man1/tssgetsessionauditdigest.1 ++++ b/utils/man/man1/tssgetsessionauditdigest.1 +@@ -44,3 +44,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssgettime.1 b/utils/man/man1/tssgettime.1 +index bec0627..1cb46f6 100644 +--- a/utils/man/man1/tssgettime.1 ++++ b/utils/man/man1/tssgettime.1 +@@ -41,3 +41,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsshash.1 b/utils/man/man1/tsshash.1 +index 6eff929..0a9c54e 100644 +--- a/utils/man/man1/tsshash.1 ++++ b/utils/man/man1/tsshash.1 +@@ -28,3 +28,5 @@ hash file name (default do not save)] + .TP + [\-tk + ticket file name (default do not save)] ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsshashsequencestart.1 b/utils/man/man1/tsshashsequencestart.1 +index f6d7f52..663ae69 100644 +--- a/utils/man/man1/tsshashsequencestart.1 ++++ b/utils/man/man1/tsshashsequencestart.1 +@@ -21,3 +21,5 @@ continue + .TP + 20 + command decrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsshmac.1 b/utils/man/man1/tsshmac.1 +index e64a861..70d2632 100644 +--- a/utils/man/man1/tsshmac.1 ++++ b/utils/man/man1/tsshmac.1 +@@ -35,3 +35,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsshmacstart.1 b/utils/man/man1/tsshmacstart.1 +index 65d4ab6..64bcf2f 100644 +--- a/utils/man/man1/tsshmacstart.1 ++++ b/utils/man/man1/tsshmacstart.1 +@@ -23,3 +23,5 @@ password for sequence (default empty) + .TP + 01 + continue ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssimportpem.1 b/utils/man/man1/tssimportpem.1 +index 21c362e..bf79c92 100644 +--- a/utils/man/man1/tssimportpem.1 ++++ b/utils/man/man1/tssimportpem.1 +@@ -67,3 +67,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssloadexternal.1 b/utils/man/man1/tssloadexternal.1 +index e32a251..2a9ba66 100644 +--- a/utils/man/man1/tssloadexternal.1 ++++ b/utils/man/man1/tssloadexternal.1 +@@ -71,3 +71,5 @@ response encrypt + .TP + 80 + audit ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssnvcertify.1 b/utils/man/man1/tssnvcertify.1 +index c55f6dc..83d2380 100644 +--- a/utils/man/man1/tssnvcertify.1 ++++ b/utils/man/man1/tssnvcertify.1 +@@ -50,3 +50,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssnvdefinespace.1 b/utils/man/man1/tssnvdefinespace.1 +index 0f378e9..642508b 100644 +--- a/utils/man/man1/tssnvdefinespace.1 ++++ b/utils/man/man1/tssnvdefinespace.1 +@@ -99,3 +99,5 @@ continue + .TP + 20 + command decrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsspolicysigned.1 b/utils/man/man1/tsspolicysigned.1 +index f50b81a..2f745c0 100644 +--- a/utils/man/man1/tsspolicysigned.1 ++++ b/utils/man/man1/tsspolicysigned.1 +@@ -44,3 +44,5 @@ ticket file name] + .TP + [\-to + timeout file name] ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssquote.1 b/utils/man/man1/tssquote.1 +index 04a2e60..fef5c39 100644 +--- a/utils/man/man1/tssquote.1 ++++ b/utils/man/man1/tssquote.1 +@@ -44,3 +44,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssrsadecrypt.1 b/utils/man/man1/tssrsadecrypt.1 +index 6c35e42..ab77103 100644 +--- a/utils/man/man1/tssrsadecrypt.1 ++++ b/utils/man/man1/tssrsadecrypt.1 +@@ -31,3 +31,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsssetcommandcodeauditstatus.1 b/utils/man/man1/tsssetcommandcodeauditstatus.1 +index c4d19dc..7d44fb2 100644 +--- a/utils/man/man1/tsssetcommandcodeauditstatus.1 ++++ b/utils/man/man1/tsssetcommandcodeauditstatus.1 +@@ -29,3 +29,5 @@ continue + .TP + 20 + command decrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsssetprimarypolicy.1 b/utils/man/man1/tsssetprimarypolicy.1 +index c67c1f9..a3db8d2 100644 +--- a/utils/man/man1/tsssetprimarypolicy.1 ++++ b/utils/man/man1/tsssetprimarypolicy.1 +@@ -26,3 +26,5 @@ continue + .TP + 20 + command decrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsssign.1 b/utils/man/man1/tsssign.1 +index d5ad351..83d3cfa 100644 +--- a/utils/man/man1/tsssign.1 ++++ b/utils/man/man1/tsssign.1 +@@ -46,3 +46,5 @@ continue + .TP + 20 + command decrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssstartauthsession.1 b/utils/man/man1/tssstartauthsession.1 +index 3e944bb..0bb5022 100644 +--- a/utils/man/man1/tssstartauthsession.1 ++++ b/utils/man/man1/tssstartauthsession.1 +@@ -35,3 +35,5 @@ bind password for bind handle (default empty)] + .TP + [\-on + nonceTPM file for policy session (default do not save)] ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssverifysignature.1 b/utils/man/man1/tssverifysignature.1 +index e2d6460..67b7ff5 100644 +--- a/utils/man/man1/tssverifysignature.1 ++++ b/utils/man/man1/tssverifysignature.1 +@@ -57,3 +57,5 @@ command decrypt + .TP + 80 + audit ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/nvcertify.c b/utils/nvcertify.c +index 81bde69..6882bfb 100644 +--- a/utils/nvcertify.c ++++ b/utils/nvcertify.c +@@ -445,5 +445,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/nvdefinespace.c b/utils/nvdefinespace.c +index 18ce6ea..94e6cbd 100644 +--- a/utils/nvdefinespace.c ++++ b/utils/nvdefinespace.c +@@ -590,5 +590,7 @@ static void printUsage(void) + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/policysigned.c b/utils/policysigned.c +index 469cec9..8283464 100644 +--- a/utils/policysigned.c ++++ b/utils/policysigned.c +@@ -452,5 +452,7 @@ static void printUsage(void) + printf("\t[-pwdk\tsigning key password (default null)]\n"); + printf("\t[-tk\tticket file name]\n"); + printf("\t[-to\ttimeout file name]\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/quote.c b/utils/quote.c +index c29fad0..7523578 100644 +--- a/utils/quote.c ++++ b/utils/quote.c +@@ -435,5 +435,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/rsadecrypt.c b/utils/rsadecrypt.c +index e2846af..fe5086a 100644 +--- a/utils/rsadecrypt.c ++++ b/utils/rsadecrypt.c +@@ -507,5 +507,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/setcommandcodeauditstatus.c b/utils/setcommandcodeauditstatus.c +index 7a880ae..ddecad5 100644 +--- a/utils/setcommandcodeauditstatus.c ++++ b/utils/setcommandcodeauditstatus.c +@@ -294,5 +294,7 @@ static void printUsage(void) + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/setprimarypolicy.c b/utils/setprimarypolicy.c +index 619937f..c03883f 100644 +--- a/utils/setprimarypolicy.c ++++ b/utils/setprimarypolicy.c +@@ -296,5 +296,7 @@ static void printUsage(void) + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/sign.c b/utils/sign.c +index 0635366..f31196b 100644 +--- a/utils/sign.c ++++ b/utils/sign.c +@@ -485,5 +485,7 @@ static void printUsage(void) + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/startauthsession.c b/utils/startauthsession.c +index d47c731..e6ddd5a 100644 +--- a/utils/startauthsession.c ++++ b/utils/startauthsession.c +@@ -297,5 +297,7 @@ static void printUsage(void) + printf("\t[-pwdb\tbind password for bind handle (default empty)]\n"); + printf("\t[-sym\t(xor, aes) symmetric parameter encryption algorithm (default xor)]\n"); + printf("\t[-on\tnonceTPM file for policy session (default do not save)]\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/verifysignature.c b/utils/verifysignature.c +index 57978d5..41ba05b 100644 +--- a/utils/verifysignature.c ++++ b/utils/verifysignature.c +@@ -484,5 +484,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t80\taudit\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +-- +2.34.3 + diff --git a/SPECS/tss2.spec b/SPECS/tss2.spec index 477825c..7023eee 100644 --- a/SPECS/tss2.spec +++ b/SPECS/tss2.spec @@ -7,7 +7,7 @@ Name: tss2 Version: 1.6.0 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 1 Summary: IBM's TCG Software Stack (TSS) for TPM 2.0 and related utilities @@ -23,9 +23,10 @@ Patch5: 0005-utils-Fix-errors-detected-by-gcc-asan.patch Patch6: 0006-tss-Port-HMAC-operations-to-openssl-3.0.patch Patch7: 0007-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch Patch8: 0001-utils-Generate-X509-certificate-serial-number-using-.patch -Patch9: 0002-Update-SHA-1-to-SHA-256-in-tests-without-restricting.patch -Patch10: 0003-Restrict-the-usage-of-SHA-1-in-code-examples.patch -Patch11: 0004-Restrict-SHA-1-in-TSS.patch +Patch9: 0001-tss-Add-missing-parameter-union-members.patch +Patch10: 0002-regtest-Update-to-SHA-256-without-restricting-the-sc.patch +Patch11: 0003-tss-Restrict-usage-of-SHA-1.patch +Patch12: 0004-man-Include-information-about-possible-hash-restrict.patch BuildRequires: automake @@ -58,7 +59,7 @@ order to build TSS 2.0 applications. %build autoreconf -vi -%configure --disable-static --disable-tpm-1.2 --program-prefix=tss --enable-restricted-hash-alg +%configure --disable-static --disable-tpm-1.2 --program-prefix=tss --enable-nodeprecatedalgs CCFLAGS="%{optflags}" \ LNFLAGS="%{__global_ldflags}" \ %{make_build} @@ -83,9 +84,13 @@ find %{buildroot} -type f -name "*.la" -delete -print %doc ibmtss.doc %changelog -* Thu Feb 24 2022 Stepan Horacek - 1:1.6.0-6 +* Fri Jul 8 2022 Stepan Horacek - 1:1.6.0-7 +- Version bump + Resolves: rhbz#2060768 + +* Wed Jun 29 2022 Stepan Horacek - 1:1.6.0-6 - Restrict SHA-1 usage - Resolves: rhbz#1935450 + Resolves: rhbz#2060768 * Fri Jan 28 2022 Stepan Horacek - 1:1.6.0-5 - Fix failures introduced with OpenSSL 3