From e8dd5c8524a6e3ac392bf5463225d1773c9f8c84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
Date: Thu, 24 Feb 2022 16:39:03 +0100
Subject: [PATCH] Restrict usage of SHA-1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Usage of SHA-1 left only for use with PCR.
Resolves: rhbz#2060768
Signed-off-by: Štěpán Horáček
---
...-Add-missing-parameter-union-members.patch | 37 +
...509-certificate-serial-number-using-.patch | 62 ++
...o-SHA-256-without-restricting-the-sc.patch | 600 ++++++++++++
0003-tss-Restrict-usage-of-SHA-1.patch | 907 ++++++++++++++++++
...rmation-about-possible-hash-restrict.patch | 593 ++++++++++++
tests/runtest.sh | 2 +-
tss2.spec | 14 +-
7 files changed, 2212 insertions(+), 3 deletions(-)
create mode 100644 0001-tss-Add-missing-parameter-union-members.patch
create mode 100644 0001-utils-Generate-X509-certificate-serial-number-using-.patch
create mode 100644 0002-regtest-Update-to-SHA-256-without-restricting-the-sc.patch
create mode 100644 0003-tss-Restrict-usage-of-SHA-1.patch
create mode 100644 0004-man-Include-information-about-possible-hash-restrict.patch
diff --git a/0001-tss-Add-missing-parameter-union-members.patch b/0001-tss-Add-missing-parameter-union-members.patch
new file mode 100644
index 0000000..6be8438
--- /dev/null
+++ b/0001-tss-Add-missing-parameter-union-members.patch
@@ -0,0 +1,37 @@
+From 8e8c6777847825c5067b171c2e4ac8b33fe0d6bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
+
+Date: Sun, 1 May 2022 19:33:02 +0200
+Subject: [PATCH 1/4] tss: Add missing parameter union members
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Štěpán Horáček
+---
+ utils/ibmtss/Parameters.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/utils/ibmtss/Parameters.h b/utils/ibmtss/Parameters.h
+index 98a04ff..5b6c29a 100644
+--- a/utils/ibmtss/Parameters.h
++++ b/utils/ibmtss/Parameters.h
+@@ -182,6 +182,7 @@
+ typedef union {
+ ActivateCredential_In ActivateCredential;
+ CertifyCreation_In CertifyCreation;
++ CertifyX509_In CertifyX509;
+ Certify_In Certify;
+ ChangeEPS_In ChangeEPS;
+ ChangePPS_In ChangePPS;
+@@ -313,6 +314,7 @@ typedef union
+ {
+ ActivateCredential_Out ActivateCredential;
+ CertifyCreation_Out CertifyCreation;
++ CertifyX509_Out CertifyX509;
+ Certify_Out Certify;
+ Commit_Out Commit;
+ ContextLoad_Out ContextLoad;
+--
+2.34.3
+
diff --git a/0001-utils-Generate-X509-certificate-serial-number-using-.patch b/0001-utils-Generate-X509-certificate-serial-number-using-.patch
new file mode 100644
index 0000000..e1ec3dc
--- /dev/null
+++ b/0001-utils-Generate-X509-certificate-serial-number-using-.patch
@@ -0,0 +1,62 @@
+From e0c1e3efd187a3cfa77906eef978fa6beada0b31 Mon Sep 17 00:00:00 2001
+From: Ken Goldman
+Date: Thu, 1 Jul 2021 13:55:28 -0400
+Subject: [PATCH] utils: Generate X509 certificate serial number using sha256
+
+This is just a test certificate, not a real CA. Certificate serial
+numbers can be 20 octets maximum. Use a truncated sha256 because some
+'lint' programs are now scanning for sha1.
+
+Signed-off-by: Ken Goldman
+---
+ utils/ekutils.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/utils/ekutils.c b/utils/ekutils.c
+index a0a2734..aad6fba 100644
+--- a/utils/ekutils.c
++++ b/utils/ekutils.c
+@@ -61,6 +61,7 @@
+
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -1835,7 +1836,7 @@ TPM_RC startCertificate(X509 *x509Certificate, /* X509 certificate to be generat
+ ASN1_TIME *arc; /* return code */
+ ASN1_INTEGER *x509Serial; /* certificate serial number in ASN1 */
+ BIGNUM *x509SerialBN; /* certificate serial number as a BIGNUM */
+- unsigned char x509Serialbin[SHA1_DIGEST_SIZE]; /* certificate serial number in binary */
++ unsigned char x509Serialbin[EVP_MAX_MD_SIZE]; /* certificate serial number in binary */
+ X509_NAME *x509IssuerName; /* composite issuer name, key/value pairs */
+ X509_NAME *x509SubjectName; /* composite subject name, key/value pairs */
+
+@@ -1855,11 +1856,20 @@ TPM_RC startCertificate(X509 *x509Certificate, /* X509 certificate to be generat
+ add certificate serial number
+ */
+ if (rc == 0) {
++ const EVP_MD *type;
++
+ if (tssUtilsVerbose) printf("startCertificate: Adding certificate serial number\n");
+ /* to create a unique serial number, hash the key to be certified */
+- SHA1(keyBuffer, keyLength, x509Serialbin);
+- /* convert the SHA1 digest to a BIGNUM */
+- x509SerialBN = BN_bin2bn(x509Serialbin, SHA1_DIGEST_SIZE, x509SerialBN);
++ type = EVP_sha256();
++ irc = EVP_Digest(keyBuffer, keyLength, x509Serialbin, NULL, type, NULL);
++ if (irc == 0) {
++ printf("startCertificate: Error in serial number EVP_Digest\n");
++ rc = TSS_RC_X509_ERROR;
++ }
++ }
++ if (rc == 0) {
++ /* convert the digest to a BIGNUM, use 20 octets */
++ x509SerialBN = BN_bin2bn(x509Serialbin, 20, x509SerialBN);
+ if (x509SerialBN == NULL) {
+ printf("startCertificate: Error in serial number BN_bin2bn\n");
+ rc = TSS_RC_X509_ERROR;
+--
+2.34.1
+
diff --git a/0002-regtest-Update-to-SHA-256-without-restricting-the-sc.patch b/0002-regtest-Update-to-SHA-256-without-restricting-the-sc.patch
new file mode 100644
index 0000000..d1b8364
--- /dev/null
+++ b/0002-regtest-Update-to-SHA-256-without-restricting-the-sc.patch
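Review bot: In the last hunk of utils/ekutils.c, `BN_bin2bn(x509Serialbin, 20, x509SerialBN)` uses the first 20 digest octets unchanged, so whenever the top bit of `x509Serialbin[0]` is set the positive DER INTEGER presumably gains a leading zero octet and the encoded serial is 21 octets, over the 20-octet maximum the commit message itself cites. Clearing that bit before the conversion, `x509Serialbin[0] &= 0x7f;`, keeps the encoding within the limit, and a named constant in place of the literal `20` would record where the number comes from. The serial is also a pure function of the key, so certifying the same key twice gives the same serial; that fits the test CA the message describes but deserves a comment such as `/* test CA only: serial is deterministic per key */`. startCertificate begins and ends outside the hunk, so the later conversion to `x509Serial` is not visible here.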
@@ -0,0 +1,600 @@ +From 3e4c744cf09d43aba0ae9381c1527263e39a7c70 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= + +Date: Mon, 18 Apr 2022 23:51:02 +0200 +Subject: [PATCH 2/4] regtest: Update to SHA-256 without restricting the scope +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Štěpán Horáček +Signed-off-by: Ken Goldman +--- + utils/policies/policycountertimer.bin | Bin 20 -> 32 bytes + utils/policies/policycphash.bin | Bin 20 -> 32 bytes + utils/policies/policycphash.txt | 2 +- + utils/policies/policycphashhash.bin | 2 +- + utils/policies/policynvargs.txt | Bin 13 -> 12 bytes + utils/policies/policynvnv.bin | Bin 20 -> 32 bytes + utils/policies/policynvnv.txt | 2 +- + utils/policies/policypcr.bin | 2 +- + utils/policies/policypcr0.txt | 2 +- + utils/policies/policypcrbm0.bin | Bin 20 -> 32 bytes + utils/policies/policywrittenset.bin | 2 +- + utils/reg.sh | 2 + + utils/regtests/testchangeauth.sh | 4 +- + utils/regtests/testevict.sh | 12 ++-- + utils/regtests/testnv.sh | 6 +- + utils/regtests/testpolicy.sh | 80 +++++++++++++------------- + utils/regtests/testrsa.sh | 8 +-- + utils/regtests/testsign.sh | 12 ++-- + 18 files changed, 69 insertions(+), 67 deletions(-) + +diff --git a/utils/policies/policycountertimer.bin b/utils/policies/policycountertimer.bin +index f767440113ab39251794257628b34f761ae05121..8937a155bdcdc535e5f013a03ce58fd5a193a6fd 100644 +GIT binary patch +literal 32 +ocmeBTv0vY?A&j>pRZ{#s$085m*E`r54EYbFMa|K0nsfat0L0V`*#H0l + +literal 20 +ccmaFX(x@JK!18iNvf_!!0jhUbsX5I80B48^c>n+a + +diff --git a/utils/policies/policycphash.bin b/utils/policies/policycphash.bin +index 1c357a65cc7cf408bc27d0a2a5c6a0735778e5ed..0f998b85ac2b6620049e350b0c31cc38b2f7414a 100644 +GIT binary patch +literal 32 +qcmV+*0N?)`MNQmbPb!)?)%V_-p09oM)7XSbN + +diff --git a/utils/policies/policynvnv.txt b/utils/policies/policynvnv.txt +index a124ea9..5d3d62e 100644 +--- 
a/utils/policies/policynvnv.txt ++++ b/utils/policies/policynvnv.txt +@@ -1 +1 @@ +-000001492c513f149e737ec4063fc1d37aee9beabc4b4bbf00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c +\ No newline at end of file ++0000014915ec7bf0b50732b49f8228e07d24365338f9e3ab994b00af08e5a3bffe55fd8b000b45a8f4283309cd5ef189746d7526786f712eb3df9960508ee343d3e63376bc6c +\ No newline at end of file +diff --git a/utils/policies/policypcr.bin b/utils/policies/policypcr.bin +index 8f69740..2597338 100644 +--- a/utils/policies/policypcr.bin ++++ b/utils/policies/policypcr.bin +@@ -1 +1 @@ +-3<`C4o7!v +\ No newline at end of file ++Վ|Or3pRwT 6 +\ No newline at end of file +diff --git a/utils/policies/policypcr0.txt b/utils/policies/policypcr0.txt +index b61f288..cd09bbf 100644 +--- a/utils/policies/policypcr0.txt ++++ b/utils/policies/policypcr0.txt +@@ -1 +1 @@ +-0000000000000000000000000000000000000000 +\ No newline at end of file ++0000000000000000000000000000000000000000000000000000000000000000 +diff --git a/utils/policies/policypcrbm0.bin b/utils/policies/policypcrbm0.bin +index bd0f292e05dc793b2831fec273c2eefa7b3a9672..666ea3c731d2f46d4d94768cab4464ff0bb0e5af 100644 +GIT binary patch +literal 32 +ocmb>Z5cE02?1^I8ss%e3mgaqqyRPviCuhr<=Bo*jp4^KQ0V0YJ<^TWy + +literal 20 +bcmd0`@U(b%wL7eEQs@+Ww#>9`zjTxVT?`1l + +diff --git a/utils/policies/policywrittenset.bin b/utils/policies/policywrittenset.bin +index 4f6bb8c..4ed9066 100644 +--- a/utils/policies/policywrittenset.bin ++++ b/utils/policies/policywrittenset.bin +@@ -1 +1 @@ +-0sH_e" +\ No newline at end of file ++}ӋSzaHE run.out ++ ${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig ${SESS} > run.out + checkSuccess $? + + echo "Sign a digest with the changed key" +- ${PREFIX}sign -hk 80000002 -halg sha1 -if policies/aaa -os sig.bin -pwdk xxx > run.out ++ ${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os sig.bin -pwdk xxx > run.out + checkSuccess $? 
+
+ echo "Flush the key"
+diff --git a/utils/regtests/testevict.sh b/utils/regtests/testevict.sh
+index 761eaa8..8f2806f 100755
+--- a/utils/regtests/testevict.sh
++++ b/utils/regtests/testevict.sh
+@@ -58,11 +58,11 @@ ${PREFIX}evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with the transient key"
+-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with the persistent key"
+-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Flush the transient key"
+@@ -74,11 +74,11 @@ ${PREFIX}flushcontext -ha 81800000 > run.out
+ checkFailure $?
+
+ echo "Sign a digest with the transient key- should fail"
+-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkFailure $?
+
+ echo "Sign a digest with the persistent key"
+-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Flush the persistent key"
+@@ -86,11 +86,11 @@ ${PREFIX}evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with the persistent key - should fail"
+-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkFailure $?
+
+ echo "Sign a digest with the transient key - should fail"
+-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
++${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkFailure $?
+
+ # ${PREFIX}getcapability -cap 1 -pr 80000000
+diff --git a/utils/regtests/testnv.sh b/utils/regtests/testnv.sh
+index b941f2e..39a9a18 100755
+--- a/utils/regtests/testnv.sh
++++ b/utils/regtests/testnv.sh
+@@ -56,7 +56,7 @@ checkSuccess $?
+ NALG=(${ITERATE_ALGS})
+ BADNALG=(${BAD_ITERATE_ALGS})
+
+-for ((i = 0 ; i < 4; i++))
++for ((i = 0 ; i < ${ITERATE_ALGS_COUNT}; i++))
+ do
+
+ for SESS in "" "-se0 02000000 1"
+@@ -212,10 +212,10 @@ checkSuccess $?
+ for SESS in "" "-se0 02000000 1"
+ do
+
+- SZ=(20 32 48 64)
++ SZ=(${ITERATE_ALGS_SIZES})
+ HALG=(${ITERATE_ALGS})
+
+- for ((i = 0 ; i < 4; i++))
++ for ((i = 0 ; i < ${ITERATE_ALGS_COUNT}; i++))
+ do
+
+ echo "NV Define Space ${HALG[$i]}"
+diff --git a/utils/regtests/testpolicy.sh b/utils/regtests/testpolicy.sh
+index e2e8bec..971e67f 100755
+--- a/utils/regtests/testpolicy.sh
++++ b/utils/regtests/testpolicy.sh
+@@ -752,17 +752,17 @@ echo "Policy PCR no select"
+ echo ""
+
+ # create AND term for policy PCR
+-# > policymakerpcr -halg sha1 -bm 0 -v -pr -of policies/policypcr.txt
++# > policymakerpcr -halg sha256 -bm 0 -v -pr -of policies/policypcr.txt
+ # 0000017f00000001000403000000da39a3ee5e6b4b0d3255bfef95601890afd80709
+
+ # convert to binary policy
+-# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
++# > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
+
+ # 6d 38 49 38 e1 d5 8b 56 71 92 55 94 3f 06 69 66
+ # b6 fa 2c 23
+
+ echo "Create a signing key with policy PCR no select"
+-${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcrbm0.bin > run.out
++${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha256 -pol policies/policypcrbm0.bin > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key"
+@@ -770,11 +770,11 @@ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+-${PREFIX}startauthsession -halg sha1 -se p > run.out
++${PREFIX}startauthsession -halg sha256 -se p > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the correct digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 0 > run.out
+ checkSuccess $?
+
+ echo "Policy get digest - should be 6d 38 49 38 ... "
+@@ -790,11 +790,11 @@ ${PREFIX}policyrestart -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the correct digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 0 > run.out
+ checkSuccess $?
+
+ echo "PCR extend PCR 0, updates pcr counter"
+-${PREFIX}pcrextend -ha 0 -halg sha1 -if policies/aaa > run.out
++${PREFIX}pcrextend -ha 0 -halg sha256 -if policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Sign, should fail"
+@@ -816,17 +816,17 @@ echo ""
+ # policypcr0.txt has 20 * 00
+
+ # create AND term for policy PCR
+-# > policymakerpcr -halg sha1 -bm 010000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
++# > policymakerpcr -halg sha256 -bm 010000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
+ # 0000017f000000010004030000016768033e216468247bd031a0a2d9876d79818f8f
+
+ # convert to binary policy
+-# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
++# > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
+
+ # 85 33 11 83 19 03 12 f5 e8 3c 60 43 34 6f 9f 37
+ # 21 04 76 8e
+
+ echo "Create a signing key with policy PCR PCR 16 zero"
+-${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcr.bin > run.out
++${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha256 -pol policies/policypcr.bin > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key"
+@@ -838,11 +838,11 @@ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "Read PCR 16, should be 00 00 00 00 ..."
+-${PREFIX}pcrread -ha 16 -halg sha1 > run.out
++${PREFIX}pcrread -ha 16 -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Sign, policy not satisfied - should fail"
+@@ -850,7 +850,7 @@ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkFailure $?
+
+ echo "Policy PCR, update with the correct digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 10000 > run.out
+ checkSuccess $?
+
+ echo "Policy get digest - should be 85 33 11 83 ..."
+@@ -862,19 +862,19 @@ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "PCR extend PCR 16"
+-${PREFIX}pcrextend -ha 16 -halg sha1 -if policies/aaa > run.out
++${PREFIX}pcrextend -ha 16 -halg sha256 -if policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Read PCR 0, should be 1d 47 f6 8a ..."
+-${PREFIX}pcrread -ha 16 -halg sha1 > run.out
++${PREFIX}pcrread -ha 16 -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the wrong digest"
+-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
++${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 10000 > run.out
+ checkSuccess $?
+
+ echo "Policy get digest - should be 66 dd e5 e3"
+@@ -903,21 +903,21 @@ checkSuccess $?
+ #
+ # policynvargs.txt (binary)
+ # args = hash of 0000 0000 0000 0000 | 0000 | 0000 (eight bytes of zero | offset | op ==)
+-# hash -hi n -halg sha1 -if policies/policynvargs.txt -v
+-# openssl dgst -sha1 policies/policynvargs.txt
++# hash -hi n -halg sha256 -if policies/policynvargs.txt -v
++# openssl dgst -sha256 policies/policynvargs.txt
+ # 2c513f149e737ec4063fc1d37aee9beabc4b4bbf
+ #
+ # NV authorizing index
+ #
+ # after defining index and NV write to set written, use
+-# ${PREFIX}nvreadpublic -ha 01000000 -nalg sha1
++# ${PREFIX}nvreadpublic -ha 01000000 -nalg sha256
+ # to get name
+ # 00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
+ #
+ # append Name to policynvnv.txt
+ #
+ # convert to binary policy
+-# > policymaker -halg sha1 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
++# > policymaker -halg sha256 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
+ # bc 9b 4c 4f 7b 00 66 19 5b 1d d9 9c 92 7e ad 57 e7 1c 2a fc
+ #
+ # file zero8.bin has 8 bytes of hex zero
+@@ -927,11 +927,11 @@ echo "Policy NV, NV index authorizing"
+ echo ""
+
+ echo "Define a setbits index, authorizing index"
+-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -ty b > run.out
++${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000000 -pwdn nnn -ty b > run.out
+ checkSuccess $?
+
+ echo "NV Read public, get Name, not written"
+-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
++${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out
+ checkSuccess $?
+
+ echo "NV setbits to set written"
+@@ -939,7 +939,7 @@ ${PREFIX}nvsetbits -ha 01000000 -pwdn nnn > run.out
+ checkSuccess $?
+
+ echo "NV Read public, get Name, written"
+-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
++${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out
+ checkSuccess $?
+
+ echo "NV Read, should be zero"
+@@ -947,11 +947,11 @@ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+ checkSuccess $?
+
+ echo "Define an ordinary index, authorized index, policyNV"
+-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out
++${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out
+ checkSuccess $?
+
+ echo "NV Read public, get Name, not written"
+-${PREFIX}nvreadpublic -ha 01000001 -nalg sha1 > run.out
++${PREFIX}nvreadpublic -ha 01000001 -nalg sha256 > run.out
+ checkSuccess $?
+
+ echo "NV write to set written"
+@@ -959,7 +959,7 @@ ${PREFIX}nvwrite -ha 01000001 -pwdn nnn -ic aa > run.out
+ checkSuccess $?
+
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "NV write, policy not satisfied - should fail"
+@@ -1015,15 +1015,15 @@ echo "Policy NV Written"
+ echo ""
+
+ echo "Define an ordinary index, authorized index, policyNV"
+-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out
++${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out
+ checkSuccess $?
+
+ echo "NV Read public, get Name, not written"
+-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
++${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out
+ checkSuccess $?
+
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "NV write, policy not satisfied - should fail"
+@@ -1043,7 +1043,7 @@ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Policy NV Written yes, satisfy policy"
+@@ -1063,7 +1063,7 @@ ${PREFIX}nvwrite -ha 01000000 -ic aa -pwdn nnn > run.out
+ checkSuccess $?
+
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Policy NV Written yes, satisfy policy"
+@@ -1079,7 +1079,7 @@ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Policy NV Written no"
+@@ -1326,12 +1326,12 @@ checkSuccess $?
+
+ # test using clockrateadjust
+ # policycphashhash.txt is (hex) 00000130 4000000c 000
+-# hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha1 -v
+-# openssl dgst -sha1 policycphashhash.txt
++# hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha256 -v
++# openssl dgst -sha256 policycphashhash.txt
+ # cpHash is
+ # b5f919bbc01f0ebad02010169a67a8c158ec12f3
+ # append to policycphash.txt 00000163 + cpHash
+-# policymaker -halg sha1 -if policies/policycphash.txt -of policies/policycphash.bin -pr
++# policymaker -halg sha256 -if policies/policycphash.txt -of policies/policycphash.bin -pr
+ # 06 e4 6c f9 f3 c7 0f 30 10 18 7c a6 72 69 b0 84 b4 52 11 6f
+
+ echo ""
+@@ -1339,7 +1339,7 @@ echo "Policy cpHash"
+ echo ""
+
+ echo "Set the platform policy to policy cpHash"
+-${PREFIX}setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha1 > run.out
++${PREFIX}setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Clockrate adjust using wrong password - should fail"
+@@ -1347,7 +1347,7 @@ ${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+ checkFailure $?
+
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Clockrate adjust, policy not satisfied - should fail"
+@@ -1690,7 +1690,7 @@ echo "Policy Counter Timer"
+ echo ""
+
+ echo "Set the platform policy to policy "
+-${PREFIX}setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha1 > run.out
++${PREFIX}setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Clockrate adjust using wrong password - should fail"
+@@ -1698,7 +1698,7 @@ ${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+ checkFailure $?
+
+ echo "Start policy session"
+-${PREFIX}startauthsession -se p -halg sha1 > run.out
++${PREFIX}startauthsession -se p -halg sha256 > run.out
+ checkSuccess $?
+
+ echo "Clockrate adjust, policy not satisfied - should fail"
+diff --git a/utils/regtests/testrsa.sh b/utils/regtests/testrsa.sh
+index 4f76522..6e25398 100755
+--- a/utils/regtests/testrsa.sh
++++ b/utils/regtests/testrsa.sh
+@@ -131,10 +131,10 @@ do
+ ${PREFIX}load -hp 80000000 -ipu derrsa${BITS}pub.bin -ipr derrsa${BITS}priv.bin -pwdp sto > run.out
+ checkSuccess $?
+
++ HSIZ=(${ITERATE_ALGS_SIZES})
+ HALG=(${ITERATE_ALGS})
+- HSIZ=("20" "32" "48" "64")
+
+- for ((i = 0 ; i < 4 ; i++))
++ for ((i = 0 ; i < ${ITERATE_ALGS_COUNT} ; i++))
+ do
+
+ echo "Decrypt/Sign with a caller specified OID - ${HALG[i]}"
+@@ -298,7 +298,7 @@ echo "Encrypt with OpenSSL OAEP, decrypt with TPM"
+ echo ""
+
+ echo "Create OAEP encryption key"
+-${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha1 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out
++${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha256 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out
+ checkSuccess $?
+
+ echo "Load encryption key at 80000001"
+@@ -306,7 +306,7 @@ ${PREFIX}load -hp 80000000 -pwdp sto -ipr tmpprivkey.bin -ipu tmppubkey.bin > r
+ checkSuccess $?
+
+ echo "Encrypt using OpenSSL and the PEM public key"
+-openssl rsautl -oaep -encrypt -inkey tmppubkey.pem -pubin -in policies/aaa -out enc.bin > run.out 2>&1
++openssl pkeyutl -encrypt -inkey tmppubkey.pem -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -in policies/aaa -out enc.bin > run.out 2>&1
+ checkSuccess $?
+
+ echo "Decrypt using TPM key at 80000001"
+diff --git a/utils/regtests/testsign.sh b/utils/regtests/testsign.sh
+index edfa014..8a99bbf 100755
+--- a/utils/regtests/testsign.sh
++++ b/utils/regtests/testsign.sh
+@@ -302,14 +302,14 @@ echo ""
+ # > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+
+ echo "Load external just the public part of PEM RSA"
+-${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/rsapubkey.pem > run.out
++${PREFIX}loadexternal -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+ checkSuccess $?
+
+ echo "Sign a test message with openssl RSA"
+-openssl dgst -sha1 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1
++openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1
+
+ echo "Verify the RSA signature"
+-${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw > run.out
++${PREFIX}verifysignature -hk 80000001 -halg sha256 -if msg.bin -is pssig.bin -raw > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key"
+@@ -328,14 +328,14 @@ for CURVE in p256 p384
+ do
+
+ echo "Load external just the public part of PEM ECC ${CURVE}"
+- ${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/${CURVE}pubkey.pem -ecc > run.out
++ ${PREFIX}loadexternal -halg sha256 -nalg sha256 -ipem policies/${CURVE}pubkey.pem -ecc > run.out
+ checkSuccess $?
+
+ echo "Sign a test message with openssl ECC ${CURVE}"
+- openssl dgst -sha1 -sign policies/${CURVE}privkey.pem -out pssig.bin msg.bin > run.out 2>&1
++ openssl dgst -sha256 -sign policies/${CURVE}privkey.pem -out pssig.bin msg.bin > run.out 2>&1
+
+ echo "Verify the ECC signature ${CURVE}"
+- ${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw -ecc > run.out
++ ${PREFIX}verifysignature -hk 80000001 -halg sha256 -if msg.bin -is pssig.bin -raw -ecc > run.out
+ checkSuccess $?
+
+ echo "Flush the ECC ${CURVE} signing key"
+--
+2.34.3
+
diff --git a/0003-tss-Restrict-usage-of-SHA-1.patch b/0003-tss-Restrict-usage-of-SHA-1.patch
new file mode 100644
index 0000000..dcf3972
--- /dev/null
+++ b/0003-tss-Restrict-usage-of-SHA-1.patch
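Review bot: In utils/regtests/testpolicy.sh the comment lines now say `-halg sha256`, but the expected values recorded next to them are still the 20-byte SHA-1 results, for example `# 6d 38 49 38 ... b6 fa 2c 23`, `# 2c513f149e737ec4063fc1d37aee9beabc4b4bbf` and the unchanged `echo "Policy get digest - should be 6d 38 49 38 ... "`. The context line `# policypcr0.txt has 20 * 00` likewise no longer matches the 64 hex zeros this patch writes to that file and should read `# policypcr0.txt has 32 * 00`. Anyone regenerating or checking the policies from these comments would compare against the wrong digest, so the recorded values should be regenerated with SHA-256 or dropped. Separately, in utils/regtests/testsign.sh the two `openssl dgst -sha256 -sign ...` lines are not followed by `checkSuccess $?`, so a signing failure only shows up at the later verifysignature step.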
@@ -0,0 +1,907 @@ +From 163843248ce6bb85fa5a3527f93610328877a1cf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= + +Date: Sat, 30 Apr 2022 22:15:43 +0200 +Subject: [PATCH 3/4] tss: Restrict usage of SHA-1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Due to SHA-1 not being considered secure, it should be not used for +cryptographical purposes. This commit disables the usage of SHA-1 in +cases where it is used in potentially exploitable situations, most +notably for creating signatures. + +- Compared to the next branch commit af3154e2, changes related to + unimplemented ECC functionality are ommited. + +Signed-off-by: Štěpán Horáček +Signed-off-by: Ken Goldman +--- + configure.ac | 24 +- + utils/Makefile.am | 16 +- + utils/cryptoutils.c | 4 + + utils/reg.sh | 20 +- + utils/regtests/testattest.sh | 3 +- + utils/regtests/testevent.sh | 2 +- + utils/tss20.c | 638 ++++++++++++++++++++++++++++------- + utils/tsscryptoh.c | 9 +- + 8 files changed, 582 insertions(+), 134 deletions(-) + +diff --git a/configure.ac b/configure.ac +index ad870b1..c570cb0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -123,6 +123,11 @@ AC_ARG_ENABLE(rmtpm, + AM_CONDITIONAL([CONFIG_RMTPM], [test "x$enable_rmtpm" = "xyes"]) + AS_IF([test "$enable_rmtpm" != "yes"], [enable_rmtpm="no"]) + ++AC_ARG_ENABLE(nodeprecatedalgs, ++ AS_HELP_STRING([--enable-nodeprecatedalgs], [Restrict usage of SHA-1])) ++ AM_CONDITIONAL([CONFIG_TSS_NODEPRECATEDALGS], [test "x$enable_nodeprecatedalgs" = "xyes"]) ++ AS_IF([test "$enable_nodeprecatedalgs" != "yes"], [enable_nodeprecatedalgs="no"]) ++ + AC_CONFIG_FILES([Makefile + utils/Makefile + utils12/Makefile +@@ -131,12 +136,13 @@ AC_OUTPUT + + # Give some feedback + echo "Configuration:" +-echo " CFLAGS: $CFLAGS" +-echo " tpm12: $tpm12" +-echo " tpm20: $tpm20" +-echo " hwtpm: $enable_hwtpm" +-echo " rmtpm: $enable_rmtpm" +-echo " nofile: $enable_nofile" +-echo " noprint: 
$enable_noprint" +-echo " nocrypto: $enable_nocrypto" +-echo " noecc: $enable_noecc" ++echo " CFLAGS: $CFLAGS" ++echo " tpm12: $tpm12" ++echo " tpm20: $tpm20" ++echo " hwtpm: $enable_hwtpm" ++echo " rmtpm: $enable_rmtpm" ++echo " nofile: $enable_nofile" ++echo " noprint: $enable_noprint" ++echo " nocrypto: $enable_nocrypto" ++echo " noecc: $enable_noecc" ++echo " nodeprecatedalgs: $enable_nodeprecatedalgs" +diff --git a/utils/Makefile.am b/utils/Makefile.am +index d3af94e..53c53d9 100755 +--- a/utils/Makefile.am ++++ b/utils/Makefile.am +@@ -60,6 +60,10 @@ if CONFIG_TSS_NOECC + libibmtss_la_CFLAGS += -DTPM_TSS_NOECC + endif + ++if CONFIG_TSS_NODEPRECATEDALGS ++libibmtss_la_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS ++endif ++ + libibmtss_la_CCFLAGS = -Wall -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wformat=2 -Wold-style-definition -Wno-self-assign -ggdb + libibmtss_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@ + +@@ -78,6 +82,10 @@ if CONFIG_TSS_NOECC + libibmtssutils_la_CFLAGS += -DTPM_TSS_NOECC + endif + ++if CONFIG_TSS_NODEPRECATEDALGS ++libibmtssutils_la_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS ++endif ++ + #current[:revision[:age]] + #result: [current-age].age.revision + libibmtssutils_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@ +@@ -115,8 +123,14 @@ bin_PROGRAMS = activatecredential eventextend imaextend certify certifycreation + verifysignature zgen2phase signapp writeapp timepacket createek createekcert tpm2pem tpmpublic2eccpoint \ + ntc2getconfig ntc2preconfig ntc2lockconfig publicname tpmcmd printattr + ++UTILS_CFLAGS = ++ + if CONFIG_TSS_NOECC +-UTILS_CFLAGS = -DTPM_TSS_NOECC ++UTILS_CFLAGS += -DTPM_TSS_NOECC ++endif ++ ++if CONFIG_TSS_NODEPRECATEDALGS ++UTILS_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS + endif + + activatecredential_SOURCES = activatecredential.c +diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c +index 7c4e931..9ac77a1 100644 +--- a/utils/cryptoutils.c ++++ b/utils/cryptoutils.c +@@ -1834,9 +1834,11 @@ TPM_RC 
signRSAFromRSA(uint8_t *signature, size_t *signatureLength, + /* map the hash algorithm to the openssl NID */ + if (rc == 0) { + switch (hashAlg) { ++#ifndef TPM_TSS_NODEPRECATEDALGS + case TPM_ALG_SHA1: + nid = NID_sha1; + break; ++#endif + case TPM_ALG_SHA256: + nid = NID_sha256; + break; +@@ -1896,10 +1898,12 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message, + /* map from hash algorithm to openssl nid */ + if (rc == 0) { + switch (halg) { ++#ifndef TPM_TSS_NODEPRECATEDALGS + case TPM_ALG_SHA1: + nid = NID_sha1; + md = EVP_sha1(); + break; ++#endif + case TPM_ALG_SHA256: + nid = NID_sha256; + md = EVP_sha256(); +diff --git a/utils/reg.sh b/utils/reg.sh +index 2d9d100..02d7d5f 100755 +--- a/utils/reg.sh ++++ b/utils/reg.sh +@@ -69,12 +69,20 @@ PREFIX=./ + + #PREFIX="valgrind ./" + +-# hash algorithms to be used for testing +- +-export ITERATE_ALGS="sha1 sha256 sha384 sha512" +-export ITERATE_ALGS_SIZES="20 32 48 64" +-export ITERATE_ALGS_COUNT=4 +-export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1" ++# Hash algorithms to be used for testing. Uncomment or set shell env variable to restrict. 
++# export TPM_TSS_NODEPRECATEDALGS=1 ++if [ "${TPM_TSS_NODEPRECATEDALGS}" ]; then ++ export ITERATE_ALGS="sha256 sha384 sha512" ++ export ITERATE_ALGS_SIZES="32 48 64" ++ export ITERATE_ALGS_COUNT=3 ++ export BAD_ITERATE_ALGS="sha384 sha512 sha256" ++else ++ export ITERATE_ALGS="sha1 sha256 sha384 sha512" ++ export ITERATE_ALGS_SIZES="20 32 48 64" ++ export ITERATE_ALGS_COUNT=4 ++ export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1" ++fi ++export ITERATE_ALGS_WITH_SHA1="sha1 sha256 sha384 sha512" + + printUsage () + { +diff --git a/utils/regtests/testattest.sh b/utils/regtests/testattest.sh +index 2dacf88..4766554 100755 +--- a/utils/regtests/testattest.sh ++++ b/utils/regtests/testattest.sh +@@ -381,9 +381,8 @@ echo "" + + for HALG in ${ITERATE_ALGS} + do +- + echo "Start an audit session ${HALG}" +- ${PREFIX}startauthsession -se h -halg ${HALG} > run.out ++ ${PREFIX}startauthsession -se h -halg ${HALG} > run.out + checkSuccess $? + + echo "PCR 16 reset" +diff --git a/utils/regtests/testevent.sh b/utils/regtests/testevent.sh +index 6336920..57a96d2 100755 +--- a/utils/regtests/testevent.sh ++++ b/utils/regtests/testevent.sh +@@ -62,7 +62,7 @@ echo "" + + for TYPE in "1" "2" + do +- for HALG in ${ITERATE_ALGS} ++ for HALG in ${ITERATE_ALGS_WITH_SHA1} + do + + echo "Power cycle to reset IMA PCR" +diff --git a/utils/tss20.c b/utils/tss20.c +index c778069..6b1e79b 100644 +--- a/utils/tss20.c ++++ b/utils/tss20.c +@@ -112,6 +112,7 @@ struct TSS_HMAC_CONTEXT { + + /* functions for command pre- and post- processing */ + ++typedef TPM_RC (*TSS_CheckParametersFunction_t)(COMMAND_PARAMETERS *in); + typedef TPM_RC (*TSS_PreProcessFunction_t)(TSS_CONTEXT *tssContext, + COMMAND_PARAMETERS *in, + EXTRA_PARAMETERS *extra); +@@ -238,11 +239,378 @@ static TPM_RC TSS_PO_NV_ReadLock(TSS_CONTEXT *tssContext, + void *out, + void *extra); + ++/* ++ Functions to check for usage of deprecated algorithms. 
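Review bot: The new `if [ "${TPM_TSS_NODEPRECATEDALGS}" ]` test in reg.sh treats any non-empty value as a request to restrict, so `TPM_TSS_NODEPRECATEDALGS=0` also drops sha1 from `ITERATE_ALGS`. Nothing in the hunk ties the variable to how the library was configured, so a run with it unset against a build made with `--enable-nodeprecatedalgs` would presumably fail on each sha1 iteration rather than report the mismatch. I would document both next to the variable, for example `# Any non-empty value restricts; must match the --enable-nodeprecatedalgs build setting`. Above `ITERATE_ALGS_WITH_SHA1` I would add `# PCR/event tests only: SHA-1 stays allowed for PCR use`, so later tests do not pick that list up for signing or session cases.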
++*/ ++ ++static TPM_RC TSS_CheckSha1_PublicArea(TPMT_PUBLIC *publicArea) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (publicArea->nameAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ if (rc == 0) { ++ if (((publicArea->type == TPM_ALG_RSA) || (publicArea->type == TPM_ALG_ECC)) && ++ (publicArea->parameters.asymDetail.scheme.scheme != TPM_ALG_NULL) && ++ (publicArea->parameters.asymDetail.scheme.details.anySig.hashAlg == TPM_ALG_SHA1)) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CheckSha1_SigScheme(TPMT_SIG_SCHEME *sigScheme) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (sigScheme->details.any.hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_StartAuthSession(StartAuthSession_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->authHash == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Create(Create_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Load(Load_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_LoadExternal(LoadExternal_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_CreateLoaded(CreateLoaded_In *in) ++{ ++ TPM_RC rc = 0; ++ uint32_t size = sizeof(in->inPublic.t.buffer); ++ uint8_t *buffer = in->inPublic.t.buffer; ++ TPMT_PUBLIC publicArea; ++ ++ if (rc == 0) { ++ rc = TSS_TPMT_PUBLIC_Unmarshalu(&publicArea, &buffer, &size, TRUE); ++ } ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Import(Import_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ 
if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&in->objectPublic.publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_RSA_Encrypt(RSA_Encrypt_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->inScheme.details.anySig.hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_RSA_Decrypt(RSA_Decrypt_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->inScheme.details.anySig.hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Hash(Hash_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_HMAC(HMAC_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_HMAC_Start(HMAC_Start_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_HashSequenceStart(HashSequenceStart_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Certify(Certify_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_CertifyX509(CertifyX509_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_CertifyCreation(CertifyCreation_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Quote(Quote_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = 
TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_GetSessionAuditDigest(GetSessionAuditDigest_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_GetCommandAuditDigest(GetCommandAuditDigest_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_GetTime(GetTime_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_VerifySignature(VerifySignature_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->signature.signature.any.hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_Sign(Sign_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_SetCommandCodeAuditStatus(SetCommandCodeAuditStatus_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->auditAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_PolicySigned(PolicySigned_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->auth.signature.any.hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_CreatePrimary(CreatePrimary_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea); ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_SetPrimaryPolicy(SetPrimaryPolicy_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if (in->hashAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_NV_DefineSpace(NV_DefineSpace_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ if 
(in->publicInfo.nvPublic.nameAlg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++ ++ return rc; ++} ++ ++static TPM_RC TSS_CH_NV_Certify(NV_Certify_In *in) ++{ ++ TPM_RC rc = 0; ++ ++ if (rc == 0) { ++ rc = TSS_CheckSha1_SigScheme(&in->inScheme); ++ } ++ ++ return rc; ++} ++ + typedef struct TSS_TABLE { +- TPM_CC commandCode; +- TSS_PreProcessFunction_t preProcessFunction; +- TSS_ChangeAuthFunction_t changeAuthFunction; +- TSS_PostProcessFunction_t postProcessFunction; ++ TPM_CC commandCode; ++ TSS_CheckParametersFunction_t checkParametersFunction; ++ TSS_PreProcessFunction_t preProcessFunction; ++ TSS_ChangeAuthFunction_t changeAuthFunction; ++ TSS_PostProcessFunction_t postProcessFunction; + } TSS_TABLE; + + /* This table indexes from the command to pre- and post- processing functions. A missing entry is +@@ -250,116 +618,116 @@ typedef struct TSS_TABLE { + + static const TSS_TABLE tssTable [] = { + +- {TPM_CC_Startup, NULL, NULL, NULL}, +- {TPM_CC_Shutdown, NULL, NULL, NULL}, +- {TPM_CC_SelfTest, NULL, NULL, NULL}, +- {TPM_CC_IncrementalSelfTest, NULL, NULL, NULL}, +- {TPM_CC_GetTestResult, NULL, NULL, NULL}, +- {TPM_CC_StartAuthSession, (TSS_PreProcessFunction_t)TSS_PR_StartAuthSession, NULL, (TSS_PostProcessFunction_t)TSS_PO_StartAuthSession}, +- {TPM_CC_PolicyRestart, NULL, NULL, NULL}, +- {TPM_CC_Create, NULL, NULL, NULL}, +- {TPM_CC_Load, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_Load}, +- {TPM_CC_LoadExternal, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_LoadExternal}, +- {TPM_CC_ReadPublic, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ReadPublic}, +- {TPM_CC_ActivateCredential, NULL, NULL, NULL}, +- {TPM_CC_MakeCredential, NULL, NULL, NULL}, +- {TPM_CC_Unseal, NULL, NULL, NULL}, +- {TPM_CC_ObjectChangeAuth, NULL, NULL, NULL}, +- {TPM_CC_CreateLoaded, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreateLoaded}, +- {TPM_CC_Duplicate, NULL, NULL, NULL}, +- {TPM_CC_Rewrap, NULL, NULL, NULL}, +- {TPM_CC_Import, NULL, NULL, NULL}, +- 
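Review bot: `TSS_CH_CreateLoaded` unmarshals with `size = sizeof(in->inPublic.t.buffer)`, which is the capacity of the template buffer rather than the length the caller marshalled, so the SHA-1 check can parse stale bytes past a short template; `uint32_t size = in->inPublic.t.size;` bounds it to the real data. Separately, `TSS_CheckSha1_PublicArea` inspects the scheme hash only for `TPM_ALG_RSA` and `TPM_ALG_ECC`, so a keyed-hash object whose own scheme names SHA-1 passes as long as its `nameAlg` is not SHA-1. The `inScheme` checks in the signing helpers also cannot see a key's default scheme when the caller passes a null scheme. If that is an accepted limit of a client-side filter, a comment on `TSS_CheckSha1_PublicArea` and `TSS_CheckSha1_SigScheme` saying so would keep them from being read as complete enforcement.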
{TPM_CC_RSA_Encrypt, NULL, NULL, NULL}, +- {TPM_CC_RSA_Decrypt, NULL, NULL, NULL}, +- {TPM_CC_ECDH_KeyGen, NULL, NULL, NULL}, +- {TPM_CC_ECDH_ZGen, NULL, NULL, NULL}, +- {TPM_CC_ECC_Parameters, NULL, NULL, NULL}, +- {TPM_CC_ZGen_2Phase, NULL, NULL, NULL}, +- {TPM_CC_EncryptDecrypt, NULL, NULL, NULL}, +- {TPM_CC_EncryptDecrypt2, NULL, NULL, NULL}, +- {TPM_CC_Hash, NULL, NULL, NULL}, +- {TPM_CC_HMAC, NULL, NULL, NULL}, +- {TPM_CC_GetRandom, NULL, NULL, NULL}, +- {TPM_CC_StirRandom, NULL, NULL, NULL}, +- {TPM_CC_HMAC_Start, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HMAC_Start}, +- {TPM_CC_HashSequenceStart, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HashSequenceStart}, +- {TPM_CC_SequenceUpdate, NULL, NULL, NULL}, +- {TPM_CC_SequenceComplete, NULL,NULL, (TSS_PostProcessFunction_t)TSS_PO_SequenceComplete}, +- {TPM_CC_EventSequenceComplete, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EventSequenceComplete}, +- {TPM_CC_Certify, NULL, NULL, NULL}, +- {TPM_CC_CertifyX509, NULL, NULL, NULL}, +- {TPM_CC_CertifyCreation, NULL, NULL, NULL}, +- {TPM_CC_Quote, NULL, NULL, NULL}, +- {TPM_CC_GetSessionAuditDigest, NULL, NULL, NULL}, +- {TPM_CC_GetCommandAuditDigest, NULL, NULL, NULL}, +- {TPM_CC_GetTime, NULL, NULL, NULL}, +- {TPM_CC_Commit, NULL, NULL, NULL}, +- {TPM_CC_EC_Ephemeral, NULL, NULL, NULL}, +- {TPM_CC_VerifySignature, NULL, NULL, NULL}, +- {TPM_CC_Sign, NULL, NULL, NULL}, +- {TPM_CC_SetCommandCodeAuditStatus, NULL, NULL, NULL}, +- {TPM_CC_PCR_Extend, NULL, NULL, NULL}, +- {TPM_CC_PCR_Event, NULL, NULL, NULL}, +- {TPM_CC_PCR_Read, NULL, NULL, NULL}, +- {TPM_CC_PCR_Allocate, NULL, NULL, NULL}, +- {TPM_CC_PCR_SetAuthPolicy, NULL, NULL, NULL}, +- {TPM_CC_PCR_SetAuthValue, NULL, NULL, NULL}, +- {TPM_CC_PCR_Reset, NULL, NULL, NULL}, +- {TPM_CC_PolicySigned, NULL, NULL, NULL}, +- {TPM_CC_PolicySecret, NULL, NULL, NULL}, +- {TPM_CC_PolicyTicket, NULL, NULL, NULL}, +- {TPM_CC_PolicyOR, NULL, NULL, NULL}, +- {TPM_CC_PolicyPCR, NULL, NULL, NULL}, +- 
{TPM_CC_PolicyLocality, NULL, NULL, NULL}, +- {TPM_CC_PolicyNV, NULL, NULL, NULL}, +- {TPM_CC_PolicyAuthorizeNV, NULL, NULL, NULL}, +- {TPM_CC_PolicyCounterTimer, NULL, NULL, NULL}, +- {TPM_CC_PolicyCommandCode, NULL, NULL, NULL}, +- {TPM_CC_PolicyPhysicalPresence, NULL, NULL, NULL}, +- {TPM_CC_PolicyCpHash, NULL, NULL, NULL}, +- {TPM_CC_PolicyNameHash, NULL, NULL, NULL}, +- {TPM_CC_PolicyDuplicationSelect, NULL, NULL, NULL}, +- {TPM_CC_PolicyAuthorize, NULL, NULL, NULL}, +- {TPM_CC_PolicyAuthValue, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyAuthValue}, +- {TPM_CC_PolicyPassword, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyPassword}, +- {TPM_CC_PolicyGetDigest, NULL, NULL, NULL}, +- {TPM_CC_PolicyNvWritten, NULL, NULL, NULL}, +- {TPM_CC_PolicyTemplate, NULL, NULL, NULL}, +- {TPM_CC_CreatePrimary, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreatePrimary}, +- {TPM_CC_HierarchyControl, NULL, NULL, NULL}, +- {TPM_CC_SetPrimaryPolicy, NULL, NULL, NULL}, +- {TPM_CC_ChangePPS, NULL, NULL, NULL}, +- {TPM_CC_ChangeEPS, NULL, NULL, NULL}, +- {TPM_CC_Clear, NULL, NULL, NULL}, +- {TPM_CC_ClearControl, NULL, NULL, NULL}, +- {TPM_CC_HierarchyChangeAuth, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_HierarchyChangeAuth, NULL}, +- {TPM_CC_DictionaryAttackLockReset, NULL, NULL, NULL}, +- {TPM_CC_DictionaryAttackParameters, NULL, NULL, NULL}, +- {TPM_CC_PP_Commands, NULL, NULL, NULL}, +- {TPM_CC_SetAlgorithmSet, NULL, NULL, NULL}, +- {TPM_CC_ContextSave, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextSave}, +- {TPM_CC_ContextLoad, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextLoad}, +- {TPM_CC_FlushContext, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_FlushContext}, +- {TPM_CC_EvictControl, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EvictControl}, +- {TPM_CC_ReadClock, NULL, NULL, NULL}, +- {TPM_CC_ClockSet, NULL, NULL, NULL}, +- {TPM_CC_ClockRateAdjust, NULL, NULL, NULL}, +- {TPM_CC_GetCapability, NULL, NULL, NULL}, +- {TPM_CC_TestParms, NULL, NULL, 
NULL}, +- {TPM_CC_NV_DefineSpace, (TSS_PreProcessFunction_t)TSS_PR_NV_DefineSpace, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_DefineSpace}, +- {TPM_CC_NV_UndefineSpace, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpace}, +- {TPM_CC_NV_UndefineSpaceSpecial, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_UndefineSpaceSpecial, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpaceSpecial}, +- {TPM_CC_NV_ReadPublic, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadPublic}, +- {TPM_CC_NV_Write, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, +- {TPM_CC_NV_Increment, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, +- {TPM_CC_NV_Extend, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, +- {TPM_CC_NV_SetBits, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, +- {TPM_CC_NV_WriteLock, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_WriteLock}, +- {TPM_CC_NV_GlobalWriteLock, NULL, NULL, NULL}, +- {TPM_CC_NV_Read, NULL, NULL, NULL}, +- {TPM_CC_NV_ReadLock, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadLock}, +- {TPM_CC_NV_ChangeAuth, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_ChangeAuth, NULL}, +- {TPM_CC_NV_Certify, NULL, NULL, NULL} ++ {TPM_CC_Startup, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Shutdown, NULL, NULL, NULL, NULL}, ++ {TPM_CC_SelfTest, NULL, NULL, NULL, NULL}, ++ {TPM_CC_IncrementalSelfTest, NULL, NULL, NULL, NULL}, ++ {TPM_CC_GetTestResult, NULL, NULL, NULL, NULL}, ++ {TPM_CC_StartAuthSession, (TSS_CheckParametersFunction_t)TSS_CH_StartAuthSession, (TSS_PreProcessFunction_t)TSS_PR_StartAuthSession, NULL, (TSS_PostProcessFunction_t)TSS_PO_StartAuthSession}, ++ {TPM_CC_PolicyRestart, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Create, (TSS_CheckParametersFunction_t)TSS_CH_Create, NULL, NULL, NULL}, ++ {TPM_CC_Load, (TSS_CheckParametersFunction_t)TSS_CH_Load, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_Load}, ++ {TPM_CC_LoadExternal, (TSS_CheckParametersFunction_t)TSS_CH_LoadExternal, NULL, NULL, 
(TSS_PostProcessFunction_t)TSS_PO_LoadExternal}, ++ {TPM_CC_ReadPublic, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ReadPublic}, ++ {TPM_CC_ActivateCredential, NULL, NULL, NULL, NULL}, ++ {TPM_CC_MakeCredential, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Unseal, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ObjectChangeAuth, NULL, NULL, NULL, NULL}, ++ {TPM_CC_CreateLoaded, (TSS_CheckParametersFunction_t)TSS_CH_CreateLoaded, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreateLoaded}, ++ {TPM_CC_Duplicate, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Rewrap, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Import, (TSS_CheckParametersFunction_t)TSS_CH_Import, NULL, NULL, NULL}, ++ {TPM_CC_RSA_Encrypt, (TSS_CheckParametersFunction_t)TSS_CH_RSA_Encrypt, NULL, NULL, NULL}, ++ {TPM_CC_RSA_Decrypt, (TSS_CheckParametersFunction_t)TSS_CH_RSA_Decrypt, NULL, NULL, NULL}, ++ {TPM_CC_ECDH_KeyGen, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ECDH_ZGen, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ECC_Parameters, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ZGen_2Phase, NULL, NULL, NULL, NULL}, ++ {TPM_CC_EncryptDecrypt, NULL, NULL, NULL, NULL}, ++ {TPM_CC_EncryptDecrypt2, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Hash, (TSS_CheckParametersFunction_t)TSS_CH_Hash, NULL, NULL, NULL}, ++ {TPM_CC_HMAC, (TSS_CheckParametersFunction_t)TSS_CH_HMAC, NULL, NULL, NULL}, ++ {TPM_CC_GetRandom, NULL, NULL, NULL, NULL}, ++ {TPM_CC_StirRandom, NULL, NULL, NULL, NULL}, ++ {TPM_CC_HMAC_Start, (TSS_CheckParametersFunction_t)TSS_CH_HMAC_Start, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HMAC_Start}, ++ {TPM_CC_HashSequenceStart, (TSS_CheckParametersFunction_t)TSS_CH_HashSequenceStart, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HashSequenceStart}, ++ {TPM_CC_SequenceUpdate, NULL, NULL, NULL, NULL}, ++ {TPM_CC_SequenceComplete, NULL, NULL,NULL, (TSS_PostProcessFunction_t)TSS_PO_SequenceComplete}, ++ {TPM_CC_EventSequenceComplete, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EventSequenceComplete}, ++ {TPM_CC_Certify, 
(TSS_CheckParametersFunction_t)TSS_CH_Certify, NULL, NULL, NULL}, ++ {TPM_CC_CertifyX509, (TSS_CheckParametersFunction_t)TSS_CH_CertifyX509, NULL, NULL, NULL}, ++ {TPM_CC_CertifyCreation, (TSS_CheckParametersFunction_t)TSS_CH_CertifyCreation, NULL, NULL, NULL}, ++ {TPM_CC_Quote, (TSS_CheckParametersFunction_t)TSS_CH_Quote, NULL, NULL, NULL}, ++ {TPM_CC_GetSessionAuditDigest, (TSS_CheckParametersFunction_t)TSS_CH_GetSessionAuditDigest, NULL, NULL, NULL}, ++ {TPM_CC_GetCommandAuditDigest, (TSS_CheckParametersFunction_t)TSS_CH_GetCommandAuditDigest, NULL, NULL, NULL}, ++ {TPM_CC_GetTime, (TSS_CheckParametersFunction_t)TSS_CH_GetTime, NULL, NULL, NULL}, ++ {TPM_CC_Commit, NULL, NULL, NULL, NULL}, ++ {TPM_CC_EC_Ephemeral, NULL, NULL, NULL, NULL}, ++ {TPM_CC_VerifySignature, (TSS_CheckParametersFunction_t)TSS_CH_VerifySignature, NULL, NULL, NULL}, ++ {TPM_CC_Sign, (TSS_CheckParametersFunction_t)TSS_CH_Sign, NULL, NULL, NULL}, ++ {TPM_CC_SetCommandCodeAuditStatus, (TSS_CheckParametersFunction_t)TSS_CH_SetCommandCodeAuditStatus, NULL, NULL, NULL}, ++ {TPM_CC_PCR_Extend, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_Event, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_Read, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_Allocate, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_SetAuthPolicy, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_SetAuthValue, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PCR_Reset, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicySigned, (TSS_CheckParametersFunction_t)TSS_CH_PolicySigned, NULL, NULL, NULL}, ++ {TPM_CC_PolicySecret, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyTicket, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyOR, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyPCR, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyLocality, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyNV, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyAuthorizeNV, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyCounterTimer, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyCommandCode, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyPhysicalPresence, NULL, 
NULL, NULL, NULL}, ++ {TPM_CC_PolicyCpHash, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyNameHash, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyDuplicationSelect, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyAuthorize, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyAuthValue, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyAuthValue}, ++ {TPM_CC_PolicyPassword, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyPassword}, ++ {TPM_CC_PolicyGetDigest, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyNvWritten, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PolicyTemplate, NULL, NULL, NULL, NULL}, ++ {TPM_CC_CreatePrimary, (TSS_CheckParametersFunction_t)TSS_CH_CreatePrimary, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreatePrimary}, ++ {TPM_CC_HierarchyControl, NULL, NULL, NULL, NULL}, ++ {TPM_CC_SetPrimaryPolicy, (TSS_CheckParametersFunction_t)TSS_CH_SetPrimaryPolicy, NULL, NULL, NULL}, ++ {TPM_CC_ChangePPS, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ChangeEPS, NULL, NULL, NULL, NULL}, ++ {TPM_CC_Clear, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ClearControl, NULL, NULL, NULL, NULL}, ++ {TPM_CC_HierarchyChangeAuth, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_HierarchyChangeAuth, NULL}, ++ {TPM_CC_DictionaryAttackLockReset, NULL, NULL, NULL, NULL}, ++ {TPM_CC_DictionaryAttackParameters, NULL, NULL, NULL, NULL}, ++ {TPM_CC_PP_Commands, NULL, NULL, NULL, NULL}, ++ {TPM_CC_SetAlgorithmSet, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ContextSave, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextSave}, ++ {TPM_CC_ContextLoad, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextLoad}, ++ {TPM_CC_FlushContext, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_FlushContext}, ++ {TPM_CC_EvictControl, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EvictControl}, ++ {TPM_CC_ReadClock, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ClockSet, NULL, NULL, NULL, NULL}, ++ {TPM_CC_ClockRateAdjust, NULL, NULL, NULL, NULL}, ++ {TPM_CC_GetCapability, NULL, NULL, NULL, NULL}, ++ {TPM_CC_TestParms, NULL, 
NULL, NULL, NULL}, ++ {TPM_CC_NV_DefineSpace, (TSS_CheckParametersFunction_t)TSS_CH_NV_DefineSpace, (TSS_PreProcessFunction_t)TSS_PR_NV_DefineSpace, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_DefineSpace}, ++ {TPM_CC_NV_UndefineSpace, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpace}, ++ {TPM_CC_NV_UndefineSpaceSpecial, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_UndefineSpaceSpecial, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpaceSpecial}, ++ {TPM_CC_NV_ReadPublic, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadPublic}, ++ {TPM_CC_NV_Write, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, ++ {TPM_CC_NV_Increment, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, ++ {TPM_CC_NV_Extend, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, ++ {TPM_CC_NV_SetBits, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write}, ++ {TPM_CC_NV_WriteLock, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_WriteLock}, ++ {TPM_CC_NV_GlobalWriteLock, NULL, NULL, NULL, NULL}, ++ {TPM_CC_NV_Read, NULL, NULL, NULL, NULL}, ++ {TPM_CC_NV_ReadLock, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadLock}, ++ {TPM_CC_NV_ChangeAuth, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_ChangeAuth, NULL}, ++ {TPM_CC_NV_Certify, (TSS_CheckParametersFunction_t)TSS_CH_NV_Certify, NULL, NULL, NULL} + }; + + #ifndef TPM_TSS_NO_PRINT +@@ -646,6 +1014,10 @@ static TPM_RC TSS_Command_ChangeAuthProcessor(TSS_CONTEXT *tssContext, + COMMAND_PARAMETERS *in); + #endif /* TPM_TSS_NOCRYPTO */ + ++#ifdef TPM_TSS_NODEPRECATEDALGS ++static TPM_RC TSS_Command_CheckParameters(TPM_CC commandCode, ++ COMMAND_PARAMETERS *in); ++#endif + static TPM_RC TSS_Command_PreProcessor(TSS_CONTEXT *tssContext, + TPM_CC commandCode, + COMMAND_PARAMETERS *in, +@@ -688,6 +1060,12 @@ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext, + { + TPM_RC rc = 0; + ++#ifdef TPM_TSS_NODEPRECATEDALGS ++ if (rc == 0) { ++ rc = 
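Review bot: Every `checkParametersFunction` entry in `tssTable` is installed through a `(TSS_CheckParametersFunction_t)` cast, so the compiler cannot tell when a check written for one input struct is registered beside a different command code. The cast follows the existing pre- and post-process entries, but for a filter whose only job is to reject a weak algorithm, a mismatched row means the wrong field is inspected and the restriction is silently skipped. Declaring the checks with the table's real signature and selecting the union member inside, e.g. `static TPM_RC TSS_CH_Certify(COMMAND_PARAMETERS *in)` with `rc = TSS_CheckSha1_SigScheme(&in->Certify.inScheme);`, removes the casts and lets the compiler verify each row. It also avoids calling a function through a pointer of a different function type.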
TSS_Command_CheckParameters(commandCode, in); ++ } ++#endif ++ + /* create a TSS authorization context */ + if (rc == 0) { + TSS_InitAuthContext(tssContext->tssAuthContext); +@@ -3751,6 +4129,38 @@ static TPM_RC TSS_CA_NV_UndefineSpaceSpecial(TSS_CONTEXT *tssContext, + return rc; + } + ++#ifdef TPM_TSS_NODEPRECATEDALGS ++static TPM_RC TSS_Command_CheckParameters(TPM_CC commandCode, ++ COMMAND_PARAMETERS *in) ++{ ++ TPM_RC rc = 0; ++ size_t index; ++ int found; ++ TSS_CheckParametersFunction_t checkParametersFunction = NULL; ++ ++ /* search the table for a check parameters function */ ++ if (rc == 0) { ++ found = FALSE; ++ for (index = 0 ; (index < (sizeof(tssTable) / sizeof(TSS_TABLE))) && !found ; index++) { ++ if (tssTable[index].commandCode == commandCode) { ++ found = TRUE; ++ break; /* don't increment index if found */ ++ } ++ } ++ } ++ /* found false means there is no check parameters function. This permits the table to be smaller ++ if desired. */ ++ if ((rc == 0) && found) { ++ checkParametersFunction = tssTable[index].checkParametersFunction; ++ /* call the check parameters function if there is one */ ++ if (checkParametersFunction != NULL) { ++ rc = checkParametersFunction(in); ++ } ++ } ++ return rc; ++} ++#endif ++ + /* + Command Pre-Processor + */ +diff --git a/utils/tsscryptoh.c b/utils/tsscryptoh.c +index 197549d..52f4616 100644 +--- a/utils/tsscryptoh.c ++++ b/utils/tsscryptoh.c +@@ -454,7 +454,14 @@ TPM_RC TSS_RSA_padding_add_PKCS1_OAEP(unsigned char *em, uint32_t emLen, + unsigned char *maskedSeed; + + uint16_t hlen = TSS_GetDigestSize(halg); +- em[0] = 0x00; /* firsr byte is 0x00 per the standard */ ++ em[0] = 0x00; /* first byte is 0x00 per the standard */ ++#ifdef TPM_TSS_NODEPRECATEDALGS ++ if (rc == 0) { ++ if (halg == TPM_ALG_SHA1) { ++ rc = TSS_RC_BAD_HASH_ALGORITHM; ++ } ++ } ++#endif + /* 1.a. 
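Review bot: `TSS_Command_CheckParameters` returns success both when the command code is missing from `tssTable` and when its `checkParametersFunction` is NULL, so the SHA-1 restriction fails open for any command that has no check written for it. The comment reused from the other processors (`This permits the table to be smaller if desired`) reads as a convenience, whereas here it is the security-relevant default. I would state that in a header comment on the function, e.g. `/* Fails open: a command with no table entry or no check function is not filtered; new commands that take a hash or scheme need a TSS_CH_ entry. */`. The `&& !found` in the loop condition is redundant with the `break` and could be dropped.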
If the length of L is greater than the input limitation for */ + /* the hash function (2^61-1 octets for SHA-1) then output "parameter */ + /* string too long" and stop. */ +-- +2.34.3 + diff --git a/0004-man-Include-information-about-possible-hash-restrict.patch b/0004-man-Include-information-about-possible-hash-restrict.patch new file mode 100644 index 0000000..aff8697 --- /dev/null +++ b/0004-man-Include-information-about-possible-hash-restrict.patch 
@@ -0,0 +1,593 @@ +From df5038caa1785d2661d283e6eeb1d6d5184d5272 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= + +Date: Mon, 2 May 2022 23:51:15 +0200 +Subject: [PATCH 4/4] man: Include information about possible hash restriction +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Štěpán Horáček +Signed-off-by: Ken Goldman +--- + utils/certify.c | 2 ++ + utils/certifycreation.c | 2 ++ + utils/create.c | 2 ++ + utils/createloaded.c | 2 ++ + utils/createprimary.c | 2 ++ + utils/getcommandauditdigest.c | 2 ++ + utils/getsessionauditdigest.c | 2 ++ + utils/gettime.c | 2 ++ + utils/hash.c | 2 ++ + utils/hashsequencestart.c | 2 ++ + utils/hmac.c | 2 ++ + utils/hmacstart.c | 2 ++ + utils/importpem.c | 2 ++ + utils/loadexternal.c | 2 ++ + utils/man/man1/tsscertify.1 | 2 ++ + utils/man/man1/tsscertifycreation.1 | 2 ++ + utils/man/man1/tsscreate.1 | 2 ++ + utils/man/man1/tsscreateloaded.1 | 2 ++ + utils/man/man1/tsscreateprimary.1 | 2 ++ + utils/man/man1/tssgetcommandauditdigest.1 | 2 ++ + utils/man/man1/tssgetsessionauditdigest.1 | 2 ++ + utils/man/man1/tssgettime.1 | 2 ++ + utils/man/man1/tsshash.1 | 2 ++ + utils/man/man1/tsshashsequencestart.1 | 2 ++ + utils/man/man1/tsshmac.1 | 2 ++ + utils/man/man1/tsshmacstart.1 | 2 ++ + utils/man/man1/tssimportpem.1 | 2 ++ + utils/man/man1/tssloadexternal.1 | 2 ++ + utils/man/man1/tssnvcertify.1 | 2 ++ + utils/man/man1/tssnvdefinespace.1 | 2 ++ + utils/man/man1/tsspolicysigned.1 | 2 ++ + utils/man/man1/tssquote.1 | 2 ++ + utils/man/man1/tssrsadecrypt.1 | 2 ++ + utils/man/man1/tsssetcommandcodeauditstatus.1 | 2 ++ + utils/man/man1/tsssetprimarypolicy.1 | 2 ++ + utils/man/man1/tsssign.1 | 2 ++ + utils/man/man1/tssstartauthsession.1 | 2 ++ + utils/man/man1/tssverifysignature.1 | 2 ++ + utils/nvcertify.c | 2 ++ + utils/nvdefinespace.c | 2 ++ + utils/policysigned.c | 2 ++ + utils/quote.c | 2 ++ + utils/rsadecrypt.c | 2 ++ + 
utils/setcommandcodeauditstatus.c | 2 ++ + utils/setprimarypolicy.c | 2 ++ + utils/sign.c | 2 ++ + utils/startauthsession.c | 2 ++ + utils/verifysignature.c | 2 ++ + 48 files changed, 96 insertions(+) + +diff --git a/utils/certify.c b/utils/certify.c +index f1f54d0..f9a07c5 100644 +--- a/utils/certify.c ++++ b/utils/certify.c +@@ -407,5 +407,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/certifycreation.c b/utils/certifycreation.c +index ab54c0a..b4fa095 100644 +--- a/utils/certifycreation.c ++++ b/utils/certifycreation.c +@@ -449,5 +449,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/create.c b/utils/create.c +index a8b805c..880af28 100644 +--- a/utils/create.c ++++ b/utils/create.c +@@ -710,5 +710,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/createloaded.c b/utils/createloaded.c +index d54f791..5bcf69e 100644 +--- a/utils/createloaded.c ++++ b/utils/createloaded.c +@@ -628,5 +628,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/createprimary.c b/utils/createprimary.c +index 52ae083..81cc91d 100644 +--- 
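Review bot: The usage line added to printUsage in utils/certify.c does not say which algorithm is affected, so a user whose request is rejected cannot tell from the help text what to change. The same two printf lines are added to the printUsage of every other utility in this patch (certifycreation.c through verifysignature.c), so the point applies to all of them. Patch 3/4 rejects SHA-1 under TPM_TSS_NODEPRECATEDALGS, so naming it would make the failure diagnosable: `printf("Depending on the build configuration, some hash algorithms (e.g. SHA-1) may not be available.\n");`. With this many identical copies, a shared helper that prints the notice would also keep the wording from drifting.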
a/utils/createprimary.c ++++ b/utils/createprimary.c +@@ -799,5 +799,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/getcommandauditdigest.c b/utils/getcommandauditdigest.c +index a219785..6412d90 100644 +--- a/utils/getcommandauditdigest.c ++++ b/utils/getcommandauditdigest.c +@@ -391,5 +391,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/getsessionauditdigest.c b/utils/getsessionauditdigest.c +index 61b12e6..4138bc7 100644 +--- a/utils/getsessionauditdigest.c ++++ b/utils/getsessionauditdigest.c +@@ -387,5 +387,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/gettime.c b/utils/gettime.c +index b07baf1..547faa9 100644 +--- a/utils/gettime.c ++++ b/utils/gettime.c +@@ -391,5 +391,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/hash.c b/utils/hash.c +index 71b8a7c..5a0df6a 100644 +--- a/utils/hash.c ++++ b/utils/hash.c +@@ -306,5 +306,7 @@ static void printUsage(void) + printf("\t[-ns\tno space, no text, no newlines]\n"); + printf("\t[-oh\thash file name (default do not save)]\n"); + printf("\t[-tk\tticket file name (default 
do not save)]\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/hashsequencestart.c b/utils/hashsequencestart.c +index d54fadd..88d15fc 100644 +--- a/utils/hashsequencestart.c ++++ b/utils/hashsequencestart.c +@@ -249,5 +249,7 @@ static void printUsage(void) + printf("\t-se[0-2] session handle / attributes (default NULL)\n"); + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/hmac.c b/utils/hmac.c +index be63e1b..7ab2b34 100644 +--- a/utils/hmac.c ++++ b/utils/hmac.c +@@ -352,5 +352,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/hmacstart.c b/utils/hmacstart.c +index 3fdd0f9..171af6c 100644 +--- a/utils/hmacstart.c ++++ b/utils/hmacstart.c +@@ -274,5 +274,7 @@ static void printUsage(void) + printf("\n"); + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/importpem.c b/utils/importpem.c +index 38ad125..75c8cb2 100644 +--- a/utils/importpem.c ++++ b/utils/importpem.c +@@ -486,5 +486,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/loadexternal.c b/utils/loadexternal.c +index 877501c..ff4b46f 100644 +--- a/utils/loadexternal.c ++++ 
b/utils/loadexternal.c +@@ -538,5 +538,7 @@ static void printUsage(void) + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); + printf("\t80\taudit\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/man/man1/tsscertify.1 b/utils/man/man1/tsscertify.1 +index 6895ee7..7b34e2f 100644 +--- a/utils/man/man1/tsscertify.1 ++++ b/utils/man/man1/tsscertify.1 +@@ -44,3 +44,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsscertifycreation.1 b/utils/man/man1/tsscertifycreation.1 +index 4382ed9..5f51d05 100644 +--- a/utils/man/man1/tsscertifycreation.1 ++++ b/utils/man/man1/tsscertifycreation.1 +@@ -47,3 +47,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsscreate.1 b/utils/man/man1/tsscreate.1 +index b4eda75..92f53a7 100644 +--- a/utils/man/man1/tsscreate.1 ++++ b/utils/man/man1/tsscreate.1 +@@ -125,3 +125,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsscreateloaded.1 b/utils/man/man1/tsscreateloaded.1 +index ccd3d73..7e6c422 100644 +--- a/utils/man/man1/tsscreateloaded.1 ++++ b/utils/man/man1/tsscreateloaded.1 +@@ -126,3 +126,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. 
+diff --git a/utils/man/man1/tsscreateprimary.1 b/utils/man/man1/tsscreateprimary.1 +index 895a42e..c189f17 100644 +--- a/utils/man/man1/tsscreateprimary.1 ++++ b/utils/man/man1/tsscreateprimary.1 +@@ -129,3 +129,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssgetcommandauditdigest.1 b/utils/man/man1/tssgetcommandauditdigest.1 +index 34711e0..e67adac 100644 +--- a/utils/man/man1/tssgetcommandauditdigest.1 ++++ b/utils/man/man1/tssgetcommandauditdigest.1 +@@ -41,3 +41,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssgetsessionauditdigest.1 b/utils/man/man1/tssgetsessionauditdigest.1 +index d09c78b..272127e 100644 +--- a/utils/man/man1/tssgetsessionauditdigest.1 ++++ b/utils/man/man1/tssgetsessionauditdigest.1 +@@ -44,3 +44,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssgettime.1 b/utils/man/man1/tssgettime.1 +index bec0627..1cb46f6 100644 +--- a/utils/man/man1/tssgettime.1 ++++ b/utils/man/man1/tssgettime.1 +@@ -41,3 +41,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsshash.1 b/utils/man/man1/tsshash.1 +index 6eff929..0a9c54e 100644 +--- a/utils/man/man1/tsshash.1 ++++ b/utils/man/man1/tsshash.1 +@@ -28,3 +28,5 @@ hash file name (default do not save)] + .TP + [\-tk + ticket file name (default do not save)] ++.PP ++Depending on the build configuration, some hash algorithms may not be available. 
+diff --git a/utils/man/man1/tsshashsequencestart.1 b/utils/man/man1/tsshashsequencestart.1 +index f6d7f52..663ae69 100644 +--- a/utils/man/man1/tsshashsequencestart.1 ++++ b/utils/man/man1/tsshashsequencestart.1 +@@ -21,3 +21,5 @@ continue + .TP + 20 + command decrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsshmac.1 b/utils/man/man1/tsshmac.1 +index e64a861..70d2632 100644 +--- a/utils/man/man1/tsshmac.1 ++++ b/utils/man/man1/tsshmac.1 +@@ -35,3 +35,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsshmacstart.1 b/utils/man/man1/tsshmacstart.1 +index 65d4ab6..64bcf2f 100644 +--- a/utils/man/man1/tsshmacstart.1 ++++ b/utils/man/man1/tsshmacstart.1 +@@ -23,3 +23,5 @@ password for sequence (default empty) + .TP + 01 + continue ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssimportpem.1 b/utils/man/man1/tssimportpem.1 +index 21c362e..bf79c92 100644 +--- a/utils/man/man1/tssimportpem.1 ++++ b/utils/man/man1/tssimportpem.1 +@@ -67,3 +67,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssloadexternal.1 b/utils/man/man1/tssloadexternal.1 +index e32a251..2a9ba66 100644 +--- a/utils/man/man1/tssloadexternal.1 ++++ b/utils/man/man1/tssloadexternal.1 +@@ -71,3 +71,5 @@ response encrypt + .TP + 80 + audit ++.PP ++Depending on the build configuration, some hash algorithms may not be available. 
+diff --git a/utils/man/man1/tssnvcertify.1 b/utils/man/man1/tssnvcertify.1 +index c55f6dc..83d2380 100644 +--- a/utils/man/man1/tssnvcertify.1 ++++ b/utils/man/man1/tssnvcertify.1 +@@ -50,3 +50,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssnvdefinespace.1 b/utils/man/man1/tssnvdefinespace.1 +index 0f378e9..642508b 100644 +--- a/utils/man/man1/tssnvdefinespace.1 ++++ b/utils/man/man1/tssnvdefinespace.1 +@@ -99,3 +99,5 @@ continue + .TP + 20 + command decrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsspolicysigned.1 b/utils/man/man1/tsspolicysigned.1 +index f50b81a..2f745c0 100644 +--- a/utils/man/man1/tsspolicysigned.1 ++++ b/utils/man/man1/tsspolicysigned.1 +@@ -44,3 +44,5 @@ ticket file name] + .TP + [\-to + timeout file name] ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssquote.1 b/utils/man/man1/tssquote.1 +index 04a2e60..fef5c39 100644 +--- a/utils/man/man1/tssquote.1 ++++ b/utils/man/man1/tssquote.1 +@@ -44,3 +44,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssrsadecrypt.1 b/utils/man/man1/tssrsadecrypt.1 +index 6c35e42..ab77103 100644 +--- a/utils/man/man1/tssrsadecrypt.1 ++++ b/utils/man/man1/tssrsadecrypt.1 +@@ -31,3 +31,5 @@ command decrypt + .TP + 40 + response encrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. 
+diff --git a/utils/man/man1/tsssetcommandcodeauditstatus.1 b/utils/man/man1/tsssetcommandcodeauditstatus.1 +index c4d19dc..7d44fb2 100644 +--- a/utils/man/man1/tsssetcommandcodeauditstatus.1 ++++ b/utils/man/man1/tsssetcommandcodeauditstatus.1 +@@ -29,3 +29,5 @@ continue + .TP + 20 + command decrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsssetprimarypolicy.1 b/utils/man/man1/tsssetprimarypolicy.1 +index c67c1f9..a3db8d2 100644 +--- a/utils/man/man1/tsssetprimarypolicy.1 ++++ b/utils/man/man1/tsssetprimarypolicy.1 +@@ -26,3 +26,5 @@ continue + .TP + 20 + command decrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tsssign.1 b/utils/man/man1/tsssign.1 +index d5ad351..83d3cfa 100644 +--- a/utils/man/man1/tsssign.1 ++++ b/utils/man/man1/tsssign.1 +@@ -46,3 +46,5 @@ continue + .TP + 20 + command decrypt ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssstartauthsession.1 b/utils/man/man1/tssstartauthsession.1 +index 3e944bb..0bb5022 100644 +--- a/utils/man/man1/tssstartauthsession.1 ++++ b/utils/man/man1/tssstartauthsession.1 +@@ -35,3 +35,5 @@ bind password for bind handle (default empty)] + .TP + [\-on + nonceTPM file for policy session (default do not save)] ++.PP ++Depending on the build configuration, some hash algorithms may not be available. +diff --git a/utils/man/man1/tssverifysignature.1 b/utils/man/man1/tssverifysignature.1 +index e2d6460..67b7ff5 100644 +--- a/utils/man/man1/tssverifysignature.1 ++++ b/utils/man/man1/tssverifysignature.1 +@@ -57,3 +57,5 @@ command decrypt + .TP + 80 + audit ++.PP ++Depending on the build configuration, some hash algorithms may not be available. 
+diff --git a/utils/nvcertify.c b/utils/nvcertify.c +index 81bde69..6882bfb 100644 +--- a/utils/nvcertify.c ++++ b/utils/nvcertify.c +@@ -445,5 +445,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/nvdefinespace.c b/utils/nvdefinespace.c +index 18ce6ea..94e6cbd 100644 +--- a/utils/nvdefinespace.c ++++ b/utils/nvdefinespace.c +@@ -590,5 +590,7 @@ static void printUsage(void) + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/policysigned.c b/utils/policysigned.c +index 469cec9..8283464 100644 +--- a/utils/policysigned.c ++++ b/utils/policysigned.c +@@ -452,5 +452,7 @@ static void printUsage(void) + printf("\t[-pwdk\tsigning key password (default null)]\n"); + printf("\t[-tk\tticket file name]\n"); + printf("\t[-to\ttimeout file name]\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/quote.c b/utils/quote.c +index c29fad0..7523578 100644 +--- a/utils/quote.c ++++ b/utils/quote.c +@@ -435,5 +435,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/rsadecrypt.c b/utils/rsadecrypt.c +index e2846af..fe5086a 100644 +--- a/utils/rsadecrypt.c ++++ b/utils/rsadecrypt.c +@@ -507,5 +507,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand 
decrypt\n"); + printf("\t40\tresponse encrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/setcommandcodeauditstatus.c b/utils/setcommandcodeauditstatus.c +index 7a880ae..ddecad5 100644 +--- a/utils/setcommandcodeauditstatus.c ++++ b/utils/setcommandcodeauditstatus.c +@@ -294,5 +294,7 @@ static void printUsage(void) + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/setprimarypolicy.c b/utils/setprimarypolicy.c +index 619937f..c03883f 100644 +--- a/utils/setprimarypolicy.c ++++ b/utils/setprimarypolicy.c +@@ -296,5 +296,7 @@ static void printUsage(void) + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/sign.c b/utils/sign.c +index 0635366..f31196b 100644 +--- a/utils/sign.c ++++ b/utils/sign.c +@@ -485,5 +485,7 @@ static void printUsage(void) + printf("\t-se[0-2] session handle / attributes (default PWAP)\n"); + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/startauthsession.c b/utils/startauthsession.c +index d47c731..e6ddd5a 100644 +--- a/utils/startauthsession.c ++++ b/utils/startauthsession.c +@@ -297,5 +297,7 @@ static void printUsage(void) + printf("\t[-pwdb\tbind password for bind handle (default empty)]\n"); + printf("\t[-sym\t(xor, aes) symmetric parameter encryption algorithm (default xor)]\n"); + printf("\t[-on\tnonceTPM 
file for policy session (default do not save)]\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +diff --git a/utils/verifysignature.c b/utils/verifysignature.c +index 57978d5..41ba05b 100644 +--- a/utils/verifysignature.c ++++ b/utils/verifysignature.c +@@ -484,5 +484,7 @@ static void printUsage(void) + printf("\t01\tcontinue\n"); + printf("\t20\tcommand decrypt\n"); + printf("\t80\taudit\n"); ++ printf("\n"); ++ printf("Depending on the build configuration, some hash algorithms may not be available.\n"); + exit(1); + } +-- +2.34.3 + diff --git a/tests/runtest.sh b/tests/runtest.sh index c5995b4..08ae255 100755 --- a/tests/runtest.sh +++ b/tests/runtest.sh @@ -47,7 +47,7 @@ sed -i -e 's/^PREFIX=\.\//PREFIX=tss/g' reg.sh c=`pwd` sed -i -e "s|/gsa/yktgsa/home/k/g/kgold/tpm2/utils|${c}|g" certificates/rootcerts.txt # run the tests -./reg.sh -a +TPM_TSS_NODEPRECATEDALGS=1 ./reg.sh -a res="$?" popd diff --git a/tss2.spec b/tss2.spec index f290d18..b46b173 100644 --- a/tss2.spec +++ b/tss2.spec @@ -7,7 +7,7 @@ Name: tss2 Version: 1.6.0 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 1 Summary: IBM's TCG Software Stack (TSS) for TPM 2.0 and related utilities @@ -22,6 +22,12 @@ Patch4: 0004-utils-Clean-up-certifyx509-memory-allocation.patch Patch5: 0005-utils-Fix-errors-detected-by-gcc-asan.patch Patch6: 0006-tss-Port-HMAC-operations-to-openssl-3.0.patch Patch7: 0007-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch +Patch8: 0001-utils-Generate-X509-certificate-serial-number-using-.patch +Patch9: 0001-tss-Add-missing-parameter-union-members.patch +Patch10: 0002-regtest-Update-to-SHA-256-without-restricting-the-sc.patch +Patch11: 0003-tss-Restrict-usage-of-SHA-1.patch +Patch12: 0004-man-Include-information-about-possible-hash-restrict.patch + BuildRequires: automake BuildRequires: autoconf 
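Review bot: Nothing ties the `TPM_TSS_NODEPRECATEDALGS=1` set for `./reg.sh -a` to how the package was actually built. Here it is an environment variable, while the same name in the C patches is a compile-time macro that is presumably turned on by `--enable-nodeprecatedalgs` in tss2.spec. If that configure flag is dropped, or the test runs against a differently built package, the suite would presumably expect SHA-1 rejections that never happen (reg.sh is not visible here, so this is inferred). A comment above the line would record the coupling: `# must match --enable-nodeprecatedalgs in tss2.spec: SHA-1 requests are expected to be rejected`.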
@@ -53,7 +59,7 @@ order to build TSS 2.0 applications. %build autoreconf -vi -%configure --disable-static --disable-tpm-1.2 --program-prefix=tss +%configure --disable-static --disable-tpm-1.2 --program-prefix=tss --enable-nodeprecatedalgs CCFLAGS="%{optflags}" \ LNFLAGS="%{__global_ldflags}" \ %{make_build} @@ -78,6 +84,10 @@ find %{buildroot} -type f -name "*.la" -delete -print %doc ibmtss.doc %changelog +* Wed Jun 29 2022 Stepan Horacek - 1:1.6.0-6 +- Restrict SHA-1 usage + Resolves: rhbz#2060768 + * Fri Jan 28 2022 Stepan Horacek - 1:1.6.0-5 - Fix failures introduced with OpenSSL 3 Resolves: rhbz#1984621