Compare commits

..

No commits in common. "c8-beta" and "c9-beta" have entirely different histories.

19 changed files with 7109 additions and 149 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/ibmtss1331.tar.gz SOURCES/ibmtss1.6.0.tar.gz

View File

@ -1 +1 @@
39a13864ad42cafae27683fa52bc1d5d21dad39c SOURCES/ibmtss1331.tar.gz fcd86e864f69443f72ecbf18f26e39844aefee44 SOURCES/ibmtss1.6.0.tar.gz

View File

@ -0,0 +1,37 @@
From 8e8c6777847825c5067b171c2e4ac8b33fe0d6bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
<shoracek@redhat.com>
Date: Sun, 1 May 2022 19:33:02 +0200
Subject: [PATCH 1/4] tss: Add missing parameter union members
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
---
utils/ibmtss/Parameters.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/utils/ibmtss/Parameters.h b/utils/ibmtss/Parameters.h
index 98a04ff..5b6c29a 100644
--- a/utils/ibmtss/Parameters.h
+++ b/utils/ibmtss/Parameters.h
@@ -182,6 +182,7 @@
typedef union {
ActivateCredential_In ActivateCredential;
CertifyCreation_In CertifyCreation;
+ CertifyX509_In CertifyX509;
Certify_In Certify;
ChangeEPS_In ChangeEPS;
ChangePPS_In ChangePPS;
@@ -313,6 +314,7 @@ typedef union
{
ActivateCredential_Out ActivateCredential;
CertifyCreation_Out CertifyCreation;
+ CertifyX509_Out CertifyX509;
Certify_Out Certify;
Commit_Out Commit;
ContextLoad_Out ContextLoad;
--
2.34.3

View File

@ -1,31 +0,0 @@
From 8f232900d3b8f8af65a029f49c17ee53d3cca122 Mon Sep 17 00:00:00 2001
From: Jerry Snitselaar <jsnitsel@redhat.com>
Date: Thu, 6 Jun 2019 14:53:18 -0700
Subject: [PATCH] tss2: fix bounds check in IMA_Event_PcrExtend
pcrs is declared with IMPLEMENTATION_PCR elements,
so the index bounds check should be >= IMPLEMENTATION_PCR
since indexing at value IMPLEMENTATION_PCR would be off the
end of the array. This was flagged by coverity.
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
---
utils/imalib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/imalib.c b/utils/imalib.c
index 4957c1b..a841cd6 100644
--- a/utils/imalib.c
+++ b/utils/imalib.c
@@ -1306,7 +1306,7 @@ uint32_t IMA_Event_PcrExtend(TPMT_HA pcrs[IMA_PCR_BANKS][IMPLEMENTATION_PCR],
/* validate PCR number */
if (rc == 0) {
- if (imaEvent->pcrIndex > IMPLEMENTATION_PCR) {
+ if (imaEvent->pcrIndex >= IMPLEMENTATION_PCR) {
printf("ERROR: IMA_Event_PcrExtend: PCR number %u out of range\n", imaEvent->pcrIndex);
rc = TSS_RC_BAD_PROPERTY;
}
--
2.21.0

View File

@ -0,0 +1,62 @@
From e0c1e3efd187a3cfa77906eef978fa6beada0b31 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgoldman@us.ibm.com>
Date: Thu, 1 Jul 2021 13:55:28 -0400
Subject: [PATCH] utils: Generate X509 certificate serial number using sha256
This is just a test certificate, not a real CA. Certificate serial
numbers can be 20 octets maximum. Use a truncated sha256 because some
'lint' programs are now scanning for sha1.
Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
---
utils/ekutils.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/utils/ekutils.c b/utils/ekutils.c
index a0a2734..aad6fba 100644
--- a/utils/ekutils.c
+++ b/utils/ekutils.c
@@ -61,6 +61,7 @@
#include <openssl/pem.h>
#include <openssl/x509.h>
+#include <openssl/evp.h>
#include <ibmtss/tssresponsecode.h>
#include <ibmtss/tssutils.h>
@@ -1835,7 +1836,7 @@ TPM_RC startCertificate(X509 *x509Certificate, /* X509 certificate to be generat
ASN1_TIME *arc; /* return code */
ASN1_INTEGER *x509Serial; /* certificate serial number in ASN1 */
BIGNUM *x509SerialBN; /* certificate serial number as a BIGNUM */
- unsigned char x509Serialbin[SHA1_DIGEST_SIZE]; /* certificate serial number in binary */
+ unsigned char x509Serialbin[EVP_MAX_MD_SIZE]; /* certificate serial number in binary */
X509_NAME *x509IssuerName; /* composite issuer name, key/value pairs */
X509_NAME *x509SubjectName; /* composite subject name, key/value pairs */
@@ -1855,11 +1856,20 @@ TPM_RC startCertificate(X509 *x509Certificate, /* X509 certificate to be generat
add certificate serial number
*/
if (rc == 0) {
+ const EVP_MD *type;
+
if (tssUtilsVerbose) printf("startCertificate: Adding certificate serial number\n");
/* to create a unique serial number, hash the key to be certified */
- SHA1(keyBuffer, keyLength, x509Serialbin);
- /* convert the SHA1 digest to a BIGNUM */
- x509SerialBN = BN_bin2bn(x509Serialbin, SHA1_DIGEST_SIZE, x509SerialBN);
+ type = EVP_sha256();
+ irc = EVP_Digest(keyBuffer, keyLength, x509Serialbin, NULL, type, NULL);
+ if (irc == 0) {
+ printf("startCertificate: Error in serial number EVP_Digest\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ /* convert the digest to a BIGNUM, use 20 octets */
+ x509SerialBN = BN_bin2bn(x509Serialbin, 20, x509SerialBN);
if (x509SerialBN == NULL) {
printf("startCertificate: Error in serial number BN_bin2bn\n");
rc = TSS_RC_X509_ERROR;
--
2.34.1

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,600 @@
From 3e4c744cf09d43aba0ae9381c1527263e39a7c70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
<shoracek@redhat.com>
Date: Mon, 18 Apr 2022 23:51:02 +0200
Subject: [PATCH 2/4] regtest: Update to SHA-256 without restricting the scope
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Å pán HoráÄ<C2A1>ek <shoracek@redhat.com>
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
utils/policies/policycountertimer.bin | Bin 20 -> 32 bytes
utils/policies/policycphash.bin | Bin 20 -> 32 bytes
utils/policies/policycphash.txt | 2 +-
utils/policies/policycphashhash.bin | 2 +-
utils/policies/policynvargs.txt | Bin 13 -> 12 bytes
utils/policies/policynvnv.bin | Bin 20 -> 32 bytes
utils/policies/policynvnv.txt | 2 +-
utils/policies/policypcr.bin | 2 +-
utils/policies/policypcr0.txt | 2 +-
utils/policies/policypcrbm0.bin | Bin 20 -> 32 bytes
utils/policies/policywrittenset.bin | 2 +-
utils/reg.sh | 2 +
utils/regtests/testchangeauth.sh | 4 +-
utils/regtests/testevict.sh | 12 ++--
utils/regtests/testnv.sh | 6 +-
utils/regtests/testpolicy.sh | 80 +++++++++++++-------------
utils/regtests/testrsa.sh | 8 +--
utils/regtests/testsign.sh | 12 ++--
18 files changed, 69 insertions(+), 67 deletions(-)
diff --git a/utils/policies/policycountertimer.bin b/utils/policies/policycountertimer.bin
index f767440113ab39251794257628b34f761ae05121..8937a155bdcdc535e5f013a03ce58fd5a193a6fd 100644
GIT binary patch
literal 32
ocmeBTv0vY?A&j>pRZ{#s$085m*E`r54EYbFMa|K0nsfat0L0V`*#H0l
literal 20
ccmaFX(x@JK!18iNvf_!!0jhUbsX5I80B48^c>n+a
diff --git a/utils/policies/policycphash.bin b/utils/policies/policycphash.bin
index 1c357a65cc7cf408bc27d0a2a5c6a0735778e5ed..0f998b85ac2b6620049e350b0c31cc38b2f7414a 100644
GIT binary patch
literal 32
qcmV+*0N?)`MNQmb<N(X@{1co_-#=a<IaKWOQl0d(fR)m3=&W@Mq7i=p
literal 20
ccmZR3lJoQPaee~<iJE0anHyTR1PSH?0A-{JC;$Ke
diff --git a/utils/policies/policycphash.txt b/utils/policies/policycphash.txt
index 52edeab..bc06262 100644
--- a/utils/policies/policycphash.txt
+++ b/utils/policies/policycphash.txt
@@ -1 +1 @@
-0000016eb5f919bbc01f0ebad02010169a67a8c158ec12f3
+0000016e58f8c9f3300b71c97c7c6ec3e18afba176e3f582d96ab67df29acb559fc7d34f
diff --git a/utils/policies/policycphashhash.bin b/utils/policies/policycphashhash.bin
index a30627d..e88c974 100644
--- a/utils/policies/policycphashhash.bin
+++ b/utils/policies/policycphashhash.bin
@@ -1 +1 @@
-µù»ÀºÐ šg¨ÁXìó
\ No newline at end of file
+XøÉó0 qÉ||nÃáŠû¡vãõÙj¶}òšËUŸÇÓO
\ No newline at end of file
diff --git a/utils/policies/policynvargs.txt b/utils/policies/policynvargs.txt
index 4f4d97c4a15e2f16ef61e8b3d31182382bc88b6d..ce58bc9f84b9623e708de4eb8427a57d9f9a160f 100644
GIT binary patch
literal 12
KcmZQzKmY&$3;+QD
literal 13
LcmZQzKmaZP02crY
diff --git a/utils/policies/policynvnv.bin b/utils/policies/policynvnv.bin
index df080a73e76146d5474cc3d1b2ed1e09fad62e3d..bb54d249107c9ff17a8af7141d491f6bec88b001 100644
GIT binary patch
literal 32
qcmV+*0N?+4*1${A{L{NkNx*#e^i_%2jn+j)Ac{3i{<g<lL9fU}!V=B^
literal 20
ccmdlp+sD6}Ax$z`_U4>Pb!)?)%V_-p09oM)7XSbN
diff --git a/utils/policies/policynvnv.txt b/utils/policies/policynvnv.txt
index a124ea9..5d3d62e 100644
--- a/utils/policies/policynvnv.txt
+++ b/utils/policies/policynvnv.txt
@@ -1 +1 @@
-000001492c513f149e737ec4063fc1d37aee9beabc4b4bbf00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
\ No newline at end of file
+0000014915ec7bf0b50732b49f8228e07d24365338f9e3ab994b00af08e5a3bffe55fd8b000b45a8f4283309cd5ef189746d7526786f712eb3df9960508ee343d3e63376bc6c
\ No newline at end of file
diff --git a/utils/policies/policypcr.bin b/utils/policies/policypcr.bin
index 8f69740..2597338 100644
--- a/utils/policies/policypcr.bin
+++ b/utils/policies/policypcr.bin
@@ -1 +1 @@
-…3ƒõè<`C4oŸ7!
\ No newline at end of file
+¿òÕŽ˜ù|ïÁOr­<72>3¼pÖR·Èw• 6
\ No newline at end of file
diff --git a/utils/policies/policypcr0.txt b/utils/policies/policypcr0.txt
index b61f288..cd09bbf 100644
--- a/utils/policies/policypcr0.txt
+++ b/utils/policies/policypcr0.txt
@@ -1 +1 @@
-0000000000000000000000000000000000000000
\ No newline at end of file
+0000000000000000000000000000000000000000000000000000000000000000
diff --git a/utils/policies/policypcrbm0.bin b/utils/policies/policypcrbm0.bin
index bd0f292e05dc793b2831fec273c2eefa7b3a9672..666ea3c731d2f46d4d94768cab4464ff0bb0e5af 100644
GIT binary patch
literal 32
ocmb>Z5cE02?1^I8ss%e3mgaqqyRPviCuhr<=Bo*jp4^KQ0V0YJ<^TWy
literal 20
bcmd0`@U(b%wL7eEQs@+Ww#>9`zjTxVT?`1l
diff --git a/utils/policies/policywrittenset.bin b/utils/policies/policywrittenset.bin
index 4f6bb8c..4ed9066 100644
--- a/utils/policies/policywrittenset.bin
+++ b/utils/policies/policywrittenset.bin
@@ -1 +1 @@
-0sHß_ëíe”æý¬„"ã
\ No newline at end of file
+÷ˆ}ŠèÓà¬SózžaõH…E<zTݰƦ
\ No newline at end of file
diff --git a/utils/reg.sh b/utils/reg.sh
index 048863b..2d9d100 100755
--- a/utils/reg.sh
+++ b/utils/reg.sh
@@ -72,6 +72,8 @@ PREFIX=./
# hash algorithms to be used for testing
export ITERATE_ALGS="sha1 sha256 sha384 sha512"
+export ITERATE_ALGS_SIZES="20 32 48 64"
+export ITERATE_ALGS_COUNT=4
export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1"
printUsage ()
diff --git a/utils/regtests/testchangeauth.sh b/utils/regtests/testchangeauth.sh
index 303b318..b830a96 100755
--- a/utils/regtests/testchangeauth.sh
+++ b/utils/regtests/testchangeauth.sh
@@ -67,11 +67,11 @@ do
checkSuccess $?
echo "Sign a digest with the original key ${SESS}"
- ${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig ${SESS} > run.out
+ ${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig ${SESS} > run.out
checkSuccess $?
echo "Sign a digest with the changed key"
- ${PREFIX}sign -hk 80000002 -halg sha1 -if policies/aaa -os sig.bin -pwdk xxx > run.out
+ ${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os sig.bin -pwdk xxx > run.out
checkSuccess $?
echo "Flush the key"
diff --git a/utils/regtests/testevict.sh b/utils/regtests/testevict.sh
index 761eaa8..8f2806f 100755
--- a/utils/regtests/testevict.sh
+++ b/utils/regtests/testevict.sh
@@ -58,11 +58,11 @@ ${PREFIX}evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
checkSuccess $?
echo "Sign a digest with the transient key"
-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
checkSuccess $?
echo "Sign a digest with the persistent key"
-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
checkSuccess $?
echo "Flush the transient key"
@@ -74,11 +74,11 @@ ${PREFIX}flushcontext -ha 81800000 > run.out
checkFailure $?
echo "Sign a digest with the transient key- should fail"
-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
checkFailure $?
echo "Sign a digest with the persistent key"
-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
checkSuccess $?
echo "Flush the persistent key"
@@ -86,11 +86,11 @@ ${PREFIX}evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
checkSuccess $?
echo "Sign a digest with the persistent key - should fail"
-${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+${PREFIX}sign -hk 81800000 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
checkFailure $?
echo "Sign a digest with the transient key - should fail"
-${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig > run.out
checkFailure $?
# ${PREFIX}getcapability -cap 1 -pr 80000000
diff --git a/utils/regtests/testnv.sh b/utils/regtests/testnv.sh
index b941f2e..39a9a18 100755
--- a/utils/regtests/testnv.sh
+++ b/utils/regtests/testnv.sh
@@ -56,7 +56,7 @@ checkSuccess $?
NALG=(${ITERATE_ALGS})
BADNALG=(${BAD_ITERATE_ALGS})
-for ((i = 0 ; i < 4; i++))
+for ((i = 0 ; i < ${ITERATE_ALGS_COUNT}; i++))
do
for SESS in "" "-se0 02000000 1"
@@ -212,10 +212,10 @@ checkSuccess $?
for SESS in "" "-se0 02000000 1"
do
- SZ=(20 32 48 64)
+ SZ=(${ITERATE_ALGS_SIZES})
HALG=(${ITERATE_ALGS})
- for ((i = 0 ; i < 4; i++))
+ for ((i = 0 ; i < ${ITERATE_ALGS_COUNT}; i++))
do
echo "NV Define Space ${HALG[$i]}"
diff --git a/utils/regtests/testpolicy.sh b/utils/regtests/testpolicy.sh
index e2e8bec..971e67f 100755
--- a/utils/regtests/testpolicy.sh
+++ b/utils/regtests/testpolicy.sh
@@ -752,17 +752,17 @@ echo "Policy PCR no select"
echo ""
# create AND term for policy PCR
-# > policymakerpcr -halg sha1 -bm 0 -v -pr -of policies/policypcr.txt
+# > policymakerpcr -halg sha256 -bm 0 -v -pr -of policies/policypcr.txt
# 0000017f00000001000403000000da39a3ee5e6b4b0d3255bfef95601890afd80709
# convert to binary policy
-# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
+# > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
# 6d 38 49 38 e1 d5 8b 56 71 92 55 94 3f 06 69 66
# b6 fa 2c 23
echo "Create a signing key with policy PCR no select"
-${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcrbm0.bin > run.out
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha256 -pol policies/policypcrbm0.bin > run.out
checkSuccess $?
echo "Load the signing key under the primary key"
@@ -770,11 +770,11 @@ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
checkSuccess $?
echo "Start a policy session"
-${PREFIX}startauthsession -halg sha1 -se p > run.out
+${PREFIX}startauthsession -halg sha256 -se p > run.out
checkSuccess $?
echo "Policy PCR, update with the correct digest"
-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 0 > run.out
checkSuccess $?
echo "Policy get digest - should be 6d 38 49 38 ... "
@@ -790,11 +790,11 @@ ${PREFIX}policyrestart -ha 03000000 > run.out
checkSuccess $?
echo "Policy PCR, update with the correct digest"
-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 0 > run.out
checkSuccess $?
echo "PCR extend PCR 0, updates pcr counter"
-${PREFIX}pcrextend -ha 0 -halg sha1 -if policies/aaa > run.out
+${PREFIX}pcrextend -ha 0 -halg sha256 -if policies/aaa > run.out
checkSuccess $?
echo "Sign, should fail"
@@ -816,17 +816,17 @@ echo ""
# policypcr0.txt has 20 * 00
# create AND term for policy PCR
-# > policymakerpcr -halg sha1 -bm 010000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
+# > policymakerpcr -halg sha256 -bm 010000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
# 0000017f000000010004030000016768033e216468247bd031a0a2d9876d79818f8f
# convert to binary policy
-# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
+# > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
# 85 33 11 83 19 03 12 f5 e8 3c 60 43 34 6f 9f 37
# 21 04 76 8e
echo "Create a signing key with policy PCR PCR 16 zero"
-${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcr.bin > run.out
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha256 -pol policies/policypcr.bin > run.out
checkSuccess $?
echo "Load the signing key under the primary key"
@@ -838,11 +838,11 @@ ${PREFIX}pcrreset -ha 16 > run.out
checkSuccess $?
echo "Read PCR 16, should be 00 00 00 00 ..."
-${PREFIX}pcrread -ha 16 -halg sha1 > run.out
+${PREFIX}pcrread -ha 16 -halg sha256 > run.out
checkSuccess $?
echo "Start a policy session"
-${PREFIX}startauthsession -se p -halg sha1 > run.out
+${PREFIX}startauthsession -se p -halg sha256 > run.out
checkSuccess $?
echo "Sign, policy not satisfied - should fail"
@@ -850,7 +850,7 @@ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
checkFailure $?
echo "Policy PCR, update with the correct digest"
-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 10000 > run.out
checkSuccess $?
echo "Policy get digest - should be 85 33 11 83 ..."
@@ -862,19 +862,19 @@ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
checkSuccess $?
echo "PCR extend PCR 16"
-${PREFIX}pcrextend -ha 16 -halg sha1 -if policies/aaa > run.out
+${PREFIX}pcrextend -ha 16 -halg sha256 -if policies/aaa > run.out
checkSuccess $?
echo "Read PCR 0, should be 1d 47 f6 8a ..."
-${PREFIX}pcrread -ha 16 -halg sha1 > run.out
+${PREFIX}pcrread -ha 16 -halg sha256 > run.out
checkSuccess $?
echo "Start a policy session"
-${PREFIX}startauthsession -se p -halg sha1 > run.out
+${PREFIX}startauthsession -se p -halg sha256 > run.out
checkSuccess $?
echo "Policy PCR, update with the wrong digest"
-${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+${PREFIX}policypcr -ha 03000000 -halg sha256 -bm 10000 > run.out
checkSuccess $?
echo "Policy get digest - should be 66 dd e5 e3"
@@ -903,21 +903,21 @@ checkSuccess $?
#
# policynvargs.txt (binary)
# args = hash of 0000 0000 0000 0000 | 0000 | 0000 (eight bytes of zero | offset | op ==)
-# hash -hi n -halg sha1 -if policies/policynvargs.txt -v
-# openssl dgst -sha1 policies/policynvargs.txt
+# hash -hi n -halg sha256 -if policies/policynvargs.txt -v
+# openssl dgst -sha256 policies/policynvargs.txt
# 2c513f149e737ec4063fc1d37aee9beabc4b4bbf
#
# NV authorizing index
#
# after defining index and NV write to set written, use
-# ${PREFIX}nvreadpublic -ha 01000000 -nalg sha1
+# ${PREFIX}nvreadpublic -ha 01000000 -nalg sha256
# to get name
# 00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
#
# append Name to policynvnv.txt
#
# convert to binary policy
-# > policymaker -halg sha1 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
+# > policymaker -halg sha256 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
# bc 9b 4c 4f 7b 00 66 19 5b 1d d9 9c 92 7e ad 57 e7 1c 2a fc
#
# file zero8.bin has 8 bytes of hex zero
@@ -927,11 +927,11 @@ echo "Policy NV, NV index authorizing"
echo ""
echo "Define a setbits index, authorizing index"
-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -ty b > run.out
+${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000000 -pwdn nnn -ty b > run.out
checkSuccess $?
echo "NV Read public, get Name, not written"
-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
+${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out
checkSuccess $?
echo "NV setbits to set written"
@@ -939,7 +939,7 @@ ${PREFIX}nvsetbits -ha 01000000 -pwdn nnn > run.out
checkSuccess $?
echo "NV Read public, get Name, written"
-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
+${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out
checkSuccess $?
echo "NV Read, should be zero"
@@ -947,11 +947,11 @@ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
checkSuccess $?
echo "Define an ordinary index, authorized index, policyNV"
-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out
+${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out
checkSuccess $?
echo "NV Read public, get Name, not written"
-${PREFIX}nvreadpublic -ha 01000001 -nalg sha1 > run.out
+${PREFIX}nvreadpublic -ha 01000001 -nalg sha256 > run.out
checkSuccess $?
echo "NV write to set written"
@@ -959,7 +959,7 @@ ${PREFIX}nvwrite -ha 01000001 -pwdn nnn -ic aa > run.out
checkSuccess $?
echo "Start policy session"
-${PREFIX}startauthsession -se p -halg sha1 > run.out
+${PREFIX}startauthsession -se p -halg sha256 > run.out
checkSuccess $?
echo "NV write, policy not satisfied - should fail"
@@ -1015,15 +1015,15 @@ echo "Policy NV Written"
echo ""
echo "Define an ordinary index, authorized index, policyNV"
-${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out
+${PREFIX}nvdefinespace -hi p -nalg sha256 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out
checkSuccess $?
echo "NV Read public, get Name, not written"
-${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
+${PREFIX}nvreadpublic -ha 01000000 -nalg sha256 > run.out
checkSuccess $?
echo "Start policy session"
-${PREFIX}startauthsession -se p -halg sha1 > run.out
+${PREFIX}startauthsession -se p -halg sha256 > run.out
checkSuccess $?
echo "NV write, policy not satisfied - should fail"
@@ -1043,7 +1043,7 @@ ${PREFIX}flushcontext -ha 03000000 > run.out
checkSuccess $?
echo "Start policy session"
-${PREFIX}startauthsession -se p -halg sha1 > run.out
+${PREFIX}startauthsession -se p -halg sha256 > run.out
checkSuccess $?
echo "Policy NV Written yes, satisfy policy"
@@ -1063,7 +1063,7 @@ ${PREFIX}nvwrite -ha 01000000 -ic aa -pwdn nnn > run.out
checkSuccess $?
echo "Start policy session"
-${PREFIX}startauthsession -se p -halg sha1 > run.out
+${PREFIX}startauthsession -se p -halg sha256 > run.out
checkSuccess $?
echo "Policy NV Written yes, satisfy policy"
@@ -1079,7 +1079,7 @@ ${PREFIX}flushcontext -ha 03000000 > run.out
checkSuccess $?
echo "Start policy session"
-${PREFIX}startauthsession -se p -halg sha1 > run.out
+${PREFIX}startauthsession -se p -halg sha256 > run.out
checkSuccess $?
echo "Policy NV Written no"
@@ -1326,12 +1326,12 @@ checkSuccess $?
# test using clockrateadjust
# policycphashhash.txt is (hex) 00000130 4000000c 000
-# hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha1 -v
-# openssl dgst -sha1 policycphashhash.txt
+# hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha256 -v
+# openssl dgst -sha256 policycphashhash.txt
# cpHash is
# b5f919bbc01f0ebad02010169a67a8c158ec12f3
# append to policycphash.txt 00000163 + cpHash
-# policymaker -halg sha1 -if policies/policycphash.txt -of policies/policycphash.bin -pr
+# policymaker -halg sha256 -if policies/policycphash.txt -of policies/policycphash.bin -pr
# 06 e4 6c f9 f3 c7 0f 30 10 18 7c a6 72 69 b0 84 b4 52 11 6f
echo ""
@@ -1339,7 +1339,7 @@ echo "Policy cpHash"
echo ""
echo "Set the platform policy to policy cpHash"
-${PREFIX}setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha1 > run.out
+${PREFIX}setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha256 > run.out
checkSuccess $?
echo "Clockrate adjust using wrong password - should fail"
@@ -1347,7 +1347,7 @@ ${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
checkFailure $?
echo "Start policy session"
-${PREFIX}startauthsession -se p -halg sha1 > run.out
+${PREFIX}startauthsession -se p -halg sha256 > run.out
checkSuccess $?
echo "Clockrate adjust, policy not satisfied - should fail"
@@ -1690,7 +1690,7 @@ echo "Policy Counter Timer"
echo ""
echo "Set the platform policy to policy "
-${PREFIX}setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha1 > run.out
+${PREFIX}setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha256 > run.out
checkSuccess $?
echo "Clockrate adjust using wrong password - should fail"
@@ -1698,7 +1698,7 @@ ${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
checkFailure $?
echo "Start policy session"
-${PREFIX}startauthsession -se p -halg sha1 > run.out
+${PREFIX}startauthsession -se p -halg sha256 > run.out
checkSuccess $?
echo "Clockrate adjust, policy not satisfied - should fail"
diff --git a/utils/regtests/testrsa.sh b/utils/regtests/testrsa.sh
index 4f76522..6e25398 100755
--- a/utils/regtests/testrsa.sh
+++ b/utils/regtests/testrsa.sh
@@ -131,10 +131,10 @@ do
${PREFIX}load -hp 80000000 -ipu derrsa${BITS}pub.bin -ipr derrsa${BITS}priv.bin -pwdp sto > run.out
checkSuccess $?
+ HSIZ=(${ITERATE_ALGS_SIZES})
HALG=(${ITERATE_ALGS})
- HSIZ=("20" "32" "48" "64")
- for ((i = 0 ; i < 4 ; i++))
+ for ((i = 0 ; i < ${ITERATE_ALGS_COUNT} ; i++))
do
echo "Decrypt/Sign with a caller specified OID - ${HALG[i]}"
@@ -298,7 +298,7 @@ echo "Encrypt with OpenSSL OAEP, decrypt with TPM"
echo ""
echo "Create OAEP encryption key"
-${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha1 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out
+${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha256 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out
checkSuccess $?
echo "Load encryption key at 80000001"
@@ -306,7 +306,7 @@ ${PREFIX}load -hp 80000000 -pwdp sto -ipr tmpprivkey.bin -ipu tmppubkey.bin > r
checkSuccess $?
echo "Encrypt using OpenSSL and the PEM public key"
-openssl rsautl -oaep -encrypt -inkey tmppubkey.pem -pubin -in policies/aaa -out enc.bin > run.out 2>&1
+openssl pkeyutl -encrypt -inkey tmppubkey.pem -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -in policies/aaa -out enc.bin > run.out 2>&1
checkSuccess $?
echo "Decrypt using TPM key at 80000001"
diff --git a/utils/regtests/testsign.sh b/utils/regtests/testsign.sh
index edfa014..8a99bbf 100755
--- a/utils/regtests/testsign.sh
+++ b/utils/regtests/testsign.sh
@@ -302,14 +302,14 @@ echo ""
# > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
echo "Load external just the public part of PEM RSA"
-${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/rsapubkey.pem > run.out
+${PREFIX}loadexternal -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
checkSuccess $?
echo "Sign a test message with openssl RSA"
-openssl dgst -sha1 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1
echo "Verify the RSA signature"
-${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw > run.out
+${PREFIX}verifysignature -hk 80000001 -halg sha256 -if msg.bin -is pssig.bin -raw > run.out
checkSuccess $?
echo "Flush the signing key"
@@ -328,14 +328,14 @@ for CURVE in p256 p384
do
echo "Load external just the public part of PEM ECC ${CURVE}"
- ${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/${CURVE}pubkey.pem -ecc > run.out
+ ${PREFIX}loadexternal -halg sha256 -nalg sha256 -ipem policies/${CURVE}pubkey.pem -ecc > run.out
checkSuccess $?
echo "Sign a test message with openssl ECC ${CURVE}"
- openssl dgst -sha1 -sign policies/${CURVE}privkey.pem -out pssig.bin msg.bin > run.out 2>&1
+ openssl dgst -sha256 -sign policies/${CURVE}privkey.pem -out pssig.bin msg.bin > run.out 2>&1
echo "Verify the ECC signature ${CURVE}"
- ${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw -ecc > run.out
+ ${PREFIX}verifysignature -hk 80000001 -halg sha256 -if msg.bin -is pssig.bin -raw -ecc > run.out
checkSuccess $?
echo "Flush the ECC ${CURVE} signing key"
--
2.34.3

View File

@ -0,0 +1,54 @@
From 87120cf7fedcfc063ba5cd28ae4571909209a547 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgoldman@us.ibm.com>
Date: Mon, 23 Aug 2021 17:30:56 -0400
Subject: [PATCH 2/7] utils: Remove unused variables from certifyx509
notBefore and notAfter are set driectly in the partialCertificate
structure, and that is used to directly set the x509 structure.
Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
---
utils/certifyx509.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/utils/certifyx509.c b/utils/certifyx509.c
index ed42ac0..44640aa 100644
--- a/utils/certifyx509.c
+++ b/utils/certifyx509.c
@@ -204,6 +204,7 @@ int main(int argc, char *argv[])
setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ curveID = curveID; /* no longer used, get from parent */
/* command line argument defaults */
for (i=1 ; (i<argc) && (rc == 0) ; i++) {
if (strcmp(argv[i],"-ho") == 0) {
@@ -686,8 +687,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
X509_NAME *x509SubjectName = NULL;/* composite subject name, key/value pairs */
size_t issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
size_t subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
- ASN1_TIME *notBefore = NULL;
- ASN1_TIME *notAfter = NULL;
uint8_t *tmpPartialDer = NULL; /* for the i2d */
/* add issuer */
@@ -717,8 +716,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
}
}
if (rc == 0) {
- /* can't fail, just returns a structure member */
- notBefore = X509_get_notBefore(x509Certificate);
irc = X509_set1_notBefore(x509Certificate, partialCertificate->validity->notBefore);
if (irc == 0) {
printf("createPartialCertificate: Error setting notBefore time\n");
@@ -737,7 +734,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
}
}
if (rc == 0) {
- notAfter = X509_get_notAfter(x509Certificate);
irc = X509_set1_notAfter(x509Certificate,partialCertificate->validity->notAfter);
if (irc == 0) {
printf("createPartialCertificate: Error setting notAfter time\n");
--
2.34.1

View File

@ -0,0 +1,99 @@
From 1c462889a517d6dbab721aa3e0597878e9c237d5 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgold@linux.ibm.com>
Date: Wed, 25 Aug 2021 18:02:11 -0400
Subject: [PATCH 3/7] : Update certifyx509 for Windows
Add static_ to the ASN1_SEQUENCE_END macros to suppress a gcc warning.
Change free to OPENSSL_free, required with i2d when OpenSSL is a dll.
Remove the tmpx509i file handling from the .bat file since certifyx509
no longer outputs it.
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
utils/certifyx509.c | 10 +++++-----
utils/regtests/testx509.bat | 5 -----
2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/utils/certifyx509.c b/utils/certifyx509.c
index 44640aa..5602f62 100644
--- a/utils/certifyx509.c
+++ b/utils/certifyx509.c
@@ -94,7 +94,7 @@ typedef struct {
ASN1_SEQUENCE(TPM_PARTIAL_CERT_VALIDITY) = {
ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notBefore, ASN1_TIME),
ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notAfter, ASN1_TIME),
-} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)
+} static_ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)
/* the signature algorithm is optional while the extension list is mandatory */
ASN1_SEQUENCE(TPM_PARTIAL_CERT) = {
@@ -103,7 +103,7 @@ ASN1_SEQUENCE(TPM_PARTIAL_CERT) = {
ASN1_SIMPLE(TPM_PARTIAL_CERT, validity, TPM_PARTIAL_CERT_VALIDITY),
ASN1_SIMPLE(TPM_PARTIAL_CERT, subject, X509_NAME),
ASN1_EXP_SEQUENCE_OF(TPM_PARTIAL_CERT, extensions, X509_EXTENSION, 3),
-} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT)
+} static_ASN1_SEQUENCE_END(TPM_PARTIAL_CERT)
DECLARE_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
IMPLEMENT_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
@@ -122,7 +122,7 @@ ASN1_SEQUENCE(TPM_ADDTOCERT) = {
ASN1_SIMPLE(TPM_ADDTOCERT, serialNumber, ASN1_INTEGER),
ASN1_SIMPLE(TPM_ADDTOCERT, signatureAlgorithm, X509_ALGOR),
ASN1_SIMPLE(TPM_ADDTOCERT, key, X509_PUBKEY),
-} ASN1_SEQUENCE_END(TPM_ADDTOCERT)
+} static_ASN1_SEQUENCE_END(TPM_ADDTOCERT)
DECLARE_ASN1_FUNCTIONS(TPM_ADDTOCERT)
IMPLEMENT_ASN1_FUNCTIONS(TPM_ADDTOCERT)
@@ -629,7 +629,7 @@ int main(int argc, char *argv[])
X509_free(x509Certificate); /* @1 */
}
free(x509Der); /* @2 */
- free(addToCert); /* @3 */
+ OPENSSL_free(addToCert); /* @3 */
return rc;
}
@@ -808,7 +808,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
#endif
X509_NAME_free(x509IssuerName); /* @1 */
X509_NAME_free(x509SubjectName); /* @2 */
- free(tmpPartialDer); /* @3 */
+ OPENSSL_free(tmpPartialDer); /* @3 */
return rc;
}
diff --git a/utils/regtests/testx509.bat b/utils/regtests/testx509.bat
index 0951ad6..17b69f6 100644
--- a/utils/regtests/testx509.bat
+++ b/utils/regtests/testx509.bat
@@ -80,8 +80,6 @@ for /L %%i in (1,1,!L!) do (
exit /B 1
)
- rem # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i1.dump
- rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i1.dumphh
rem # dumpasn1 -a -l -d tmppart1.bin > tmppart1.dump
rem # dumpasn1 -a -l -d -hh tmppart1.bin > tmppart1.dumphh
rem # dumpasn1 -a -l -d tmpadd1.bin > tmpadd1.dump
@@ -102,8 +100,6 @@ for /L %%i in (1,1,!L!) do (
exit /B 1
)
-rem # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i2.dump
-rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i2.dumphh
rem # dumpasn1 -a -l -d tmppart2.bin > tmppart2.dump
rem # dumpasn1 -a -l -d -hh tmppart2.bin > tmppart2.dumphhe
rem # dumpasn1 -a -l -d tmpadd2.bin > tmpadd2.dump
@@ -446,7 +442,6 @@ rm tmpsig1.bin
rm tmpx5091.bin
rm tmpx5091.pem
rm tmpx5092.pem
-rm tmpx509i.bin
rm tmppart2.bin
rm tmpadd2.bin
rm tmptbs2.bin
--
2.34.1

View File

@ -0,0 +1,907 @@
From 163843248ce6bb85fa5a3527f93610328877a1cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
<shoracek@redhat.com>
Date: Sat, 30 Apr 2022 22:15:43 +0200
Subject: [PATCH 3/4] tss: Restrict usage of SHA-1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Due to SHA-1 not being considered secure, it should be not used for
cryptographical purposes. This commit disables the usage of SHA-1 in
cases where it is used in potentially exploitable situations, most
notably for creating signatures.
- Compared to the next branch commit af3154e2, changes related to
unimplemented ECC functionality are ommited.
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
configure.ac | 24 +-
utils/Makefile.am | 16 +-
utils/cryptoutils.c | 4 +
utils/reg.sh | 20 +-
utils/regtests/testattest.sh | 3 +-
utils/regtests/testevent.sh | 2 +-
utils/tss20.c | 638 ++++++++++++++++++++++++++++-------
utils/tsscryptoh.c | 9 +-
8 files changed, 582 insertions(+), 134 deletions(-)
diff --git a/configure.ac b/configure.ac
index ad870b1..c570cb0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -123,6 +123,11 @@ AC_ARG_ENABLE(rmtpm,
AM_CONDITIONAL([CONFIG_RMTPM], [test "x$enable_rmtpm" = "xyes"])
AS_IF([test "$enable_rmtpm" != "yes"], [enable_rmtpm="no"])
+AC_ARG_ENABLE(nodeprecatedalgs,
+ AS_HELP_STRING([--enable-nodeprecatedalgs], [Restrict usage of SHA-1]))
+ AM_CONDITIONAL([CONFIG_TSS_NODEPRECATEDALGS], [test "x$enable_nodeprecatedalgs" = "xyes"])
+ AS_IF([test "$enable_nodeprecatedalgs" != "yes"], [enable_nodeprecatedalgs="no"])
+
AC_CONFIG_FILES([Makefile
utils/Makefile
utils12/Makefile
@@ -131,12 +136,13 @@ AC_OUTPUT
# Give some feedback
echo "Configuration:"
-echo " CFLAGS: $CFLAGS"
-echo " tpm12: $tpm12"
-echo " tpm20: $tpm20"
-echo " hwtpm: $enable_hwtpm"
-echo " rmtpm: $enable_rmtpm"
-echo " nofile: $enable_nofile"
-echo " noprint: $enable_noprint"
-echo " nocrypto: $enable_nocrypto"
-echo " noecc: $enable_noecc"
+echo " CFLAGS: $CFLAGS"
+echo " tpm12: $tpm12"
+echo " tpm20: $tpm20"
+echo " hwtpm: $enable_hwtpm"
+echo " rmtpm: $enable_rmtpm"
+echo " nofile: $enable_nofile"
+echo " noprint: $enable_noprint"
+echo " nocrypto: $enable_nocrypto"
+echo " noecc: $enable_noecc"
+echo " nodeprecatedalgs: $enable_nodeprecatedalgs"
diff --git a/utils/Makefile.am b/utils/Makefile.am
index d3af94e..53c53d9 100755
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -60,6 +60,10 @@ if CONFIG_TSS_NOECC
libibmtss_la_CFLAGS += -DTPM_TSS_NOECC
endif
+if CONFIG_TSS_NODEPRECATEDALGS
+libibmtss_la_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS
+endif
+
libibmtss_la_CCFLAGS = -Wall -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wformat=2 -Wold-style-definition -Wno-self-assign -ggdb
libibmtss_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@
@@ -78,6 +82,10 @@ if CONFIG_TSS_NOECC
libibmtssutils_la_CFLAGS += -DTPM_TSS_NOECC
endif
+if CONFIG_TSS_NODEPRECATEDALGS
+libibmtssutils_la_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS
+endif
+
#current[:revision[:age]]
#result: [current-age].age.revision
libibmtssutils_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@
@@ -115,8 +123,14 @@ bin_PROGRAMS = activatecredential eventextend imaextend certify certifycreation
verifysignature zgen2phase signapp writeapp timepacket createek createekcert tpm2pem tpmpublic2eccpoint \
ntc2getconfig ntc2preconfig ntc2lockconfig publicname tpmcmd printattr
+UTILS_CFLAGS =
+
if CONFIG_TSS_NOECC
-UTILS_CFLAGS = -DTPM_TSS_NOECC
+UTILS_CFLAGS += -DTPM_TSS_NOECC
+endif
+
+if CONFIG_TSS_NODEPRECATEDALGS
+UTILS_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS
endif
activatecredential_SOURCES = activatecredential.c
diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c
index 7c4e931..9ac77a1 100644
--- a/utils/cryptoutils.c
+++ b/utils/cryptoutils.c
@@ -1834,9 +1834,11 @@ TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength,
/* map the hash algorithm to the openssl NID */
if (rc == 0) {
switch (hashAlg) {
+#ifndef TPM_TSS_NODEPRECATEDALGS
case TPM_ALG_SHA1:
nid = NID_sha1;
break;
+#endif
case TPM_ALG_SHA256:
nid = NID_sha256;
break;
@@ -1896,10 +1898,12 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message,
/* map from hash algorithm to openssl nid */
if (rc == 0) {
switch (halg) {
+#ifndef TPM_TSS_NODEPRECATEDALGS
case TPM_ALG_SHA1:
nid = NID_sha1;
md = EVP_sha1();
break;
+#endif
case TPM_ALG_SHA256:
nid = NID_sha256;
md = EVP_sha256();
diff --git a/utils/reg.sh b/utils/reg.sh
index 2d9d100..02d7d5f 100755
--- a/utils/reg.sh
+++ b/utils/reg.sh
@@ -69,12 +69,20 @@ PREFIX=./
#PREFIX="valgrind ./"
-# hash algorithms to be used for testing
-
-export ITERATE_ALGS="sha1 sha256 sha384 sha512"
-export ITERATE_ALGS_SIZES="20 32 48 64"
-export ITERATE_ALGS_COUNT=4
-export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1"
+# Hash algorithms to be used for testing. Uncomment or set shell env variable to restrict.
+# export TPM_TSS_NODEPRECATEDALGS=1
+if [ "${TPM_TSS_NODEPRECATEDALGS}" ]; then
+ export ITERATE_ALGS="sha256 sha384 sha512"
+ export ITERATE_ALGS_SIZES="32 48 64"
+ export ITERATE_ALGS_COUNT=3
+ export BAD_ITERATE_ALGS="sha384 sha512 sha256"
+else
+ export ITERATE_ALGS="sha1 sha256 sha384 sha512"
+ export ITERATE_ALGS_SIZES="20 32 48 64"
+ export ITERATE_ALGS_COUNT=4
+ export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1"
+fi
+export ITERATE_ALGS_WITH_SHA1="sha1 sha256 sha384 sha512"
printUsage ()
{
diff --git a/utils/regtests/testattest.sh b/utils/regtests/testattest.sh
index 2dacf88..4766554 100755
--- a/utils/regtests/testattest.sh
+++ b/utils/regtests/testattest.sh
@@ -381,9 +381,8 @@ echo ""
for HALG in ${ITERATE_ALGS}
do
-
echo "Start an audit session ${HALG}"
- ${PREFIX}startauthsession -se h -halg ${HALG} > run.out
+ ${PREFIX}startauthsession -se h -halg ${HALG} > run.out
checkSuccess $?
echo "PCR 16 reset"
diff --git a/utils/regtests/testevent.sh b/utils/regtests/testevent.sh
index 6336920..57a96d2 100755
--- a/utils/regtests/testevent.sh
+++ b/utils/regtests/testevent.sh
@@ -62,7 +62,7 @@ echo ""
for TYPE in "1" "2"
do
- for HALG in ${ITERATE_ALGS}
+ for HALG in ${ITERATE_ALGS_WITH_SHA1}
do
echo "Power cycle to reset IMA PCR"
diff --git a/utils/tss20.c b/utils/tss20.c
index c778069..6b1e79b 100644
--- a/utils/tss20.c
+++ b/utils/tss20.c
@@ -112,6 +112,7 @@ struct TSS_HMAC_CONTEXT {
/* functions for command pre- and post- processing */
+typedef TPM_RC (*TSS_CheckParametersFunction_t)(COMMAND_PARAMETERS *in);
typedef TPM_RC (*TSS_PreProcessFunction_t)(TSS_CONTEXT *tssContext,
COMMAND_PARAMETERS *in,
EXTRA_PARAMETERS *extra);
@@ -238,11 +239,378 @@ static TPM_RC TSS_PO_NV_ReadLock(TSS_CONTEXT *tssContext,
void *out,
void *extra);
+/*
+ Functions to check for usage of deprecated algorithms.
+*/
+
+static TPM_RC TSS_CheckSha1_PublicArea(TPMT_PUBLIC *publicArea)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (publicArea->nameAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ if (rc == 0) {
+ if (((publicArea->type == TPM_ALG_RSA) || (publicArea->type == TPM_ALG_ECC)) &&
+ (publicArea->parameters.asymDetail.scheme.scheme != TPM_ALG_NULL) &&
+ (publicArea->parameters.asymDetail.scheme.details.anySig.hashAlg == TPM_ALG_SHA1)) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CheckSha1_SigScheme(TPMT_SIG_SCHEME *sigScheme)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (sigScheme->details.any.hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_StartAuthSession(StartAuthSession_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->authHash == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Create(Create_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Load(Load_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_LoadExternal(LoadExternal_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_CreateLoaded(CreateLoaded_In *in)
+{
+ TPM_RC rc = 0;
+ uint32_t size = sizeof(in->inPublic.t.buffer);
+ uint8_t *buffer = in->inPublic.t.buffer;
+ TPMT_PUBLIC publicArea;
+
+ if (rc == 0) {
+ rc = TSS_TPMT_PUBLIC_Unmarshalu(&publicArea, &buffer, &size, TRUE);
+ }
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Import(Import_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&in->objectPublic.publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_RSA_Encrypt(RSA_Encrypt_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->inScheme.details.anySig.hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_RSA_Decrypt(RSA_Decrypt_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->inScheme.details.anySig.hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Hash(Hash_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_HMAC(HMAC_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_HMAC_Start(HMAC_Start_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_HashSequenceStart(HashSequenceStart_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Certify(Certify_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_CertifyX509(CertifyX509_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_CertifyCreation(CertifyCreation_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Quote(Quote_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_GetSessionAuditDigest(GetSessionAuditDigest_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_GetCommandAuditDigest(GetCommandAuditDigest_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_GetTime(GetTime_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_VerifySignature(VerifySignature_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->signature.signature.any.hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Sign(Sign_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_SetCommandCodeAuditStatus(SetCommandCodeAuditStatus_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->auditAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_PolicySigned(PolicySigned_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->auth.signature.any.hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_CreatePrimary(CreatePrimary_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_SetPrimaryPolicy(SetPrimaryPolicy_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_NV_DefineSpace(NV_DefineSpace_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->publicInfo.nvPublic.nameAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_NV_Certify(NV_Certify_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
typedef struct TSS_TABLE {
- TPM_CC commandCode;
- TSS_PreProcessFunction_t preProcessFunction;
- TSS_ChangeAuthFunction_t changeAuthFunction;
- TSS_PostProcessFunction_t postProcessFunction;
+ TPM_CC commandCode;
+ TSS_CheckParametersFunction_t checkParametersFunction;
+ TSS_PreProcessFunction_t preProcessFunction;
+ TSS_ChangeAuthFunction_t changeAuthFunction;
+ TSS_PostProcessFunction_t postProcessFunction;
} TSS_TABLE;
/* This table indexes from the command to pre- and post- processing functions. A missing entry is
@@ -250,116 +618,116 @@ typedef struct TSS_TABLE {
static const TSS_TABLE tssTable [] = {
- {TPM_CC_Startup, NULL, NULL, NULL},
- {TPM_CC_Shutdown, NULL, NULL, NULL},
- {TPM_CC_SelfTest, NULL, NULL, NULL},
- {TPM_CC_IncrementalSelfTest, NULL, NULL, NULL},
- {TPM_CC_GetTestResult, NULL, NULL, NULL},
- {TPM_CC_StartAuthSession, (TSS_PreProcessFunction_t)TSS_PR_StartAuthSession, NULL, (TSS_PostProcessFunction_t)TSS_PO_StartAuthSession},
- {TPM_CC_PolicyRestart, NULL, NULL, NULL},
- {TPM_CC_Create, NULL, NULL, NULL},
- {TPM_CC_Load, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_Load},
- {TPM_CC_LoadExternal, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_LoadExternal},
- {TPM_CC_ReadPublic, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ReadPublic},
- {TPM_CC_ActivateCredential, NULL, NULL, NULL},
- {TPM_CC_MakeCredential, NULL, NULL, NULL},
- {TPM_CC_Unseal, NULL, NULL, NULL},
- {TPM_CC_ObjectChangeAuth, NULL, NULL, NULL},
- {TPM_CC_CreateLoaded, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreateLoaded},
- {TPM_CC_Duplicate, NULL, NULL, NULL},
- {TPM_CC_Rewrap, NULL, NULL, NULL},
- {TPM_CC_Import, NULL, NULL, NULL},
- {TPM_CC_RSA_Encrypt, NULL, NULL, NULL},
- {TPM_CC_RSA_Decrypt, NULL, NULL, NULL},
- {TPM_CC_ECDH_KeyGen, NULL, NULL, NULL},
- {TPM_CC_ECDH_ZGen, NULL, NULL, NULL},
- {TPM_CC_ECC_Parameters, NULL, NULL, NULL},
- {TPM_CC_ZGen_2Phase, NULL, NULL, NULL},
- {TPM_CC_EncryptDecrypt, NULL, NULL, NULL},
- {TPM_CC_EncryptDecrypt2, NULL, NULL, NULL},
- {TPM_CC_Hash, NULL, NULL, NULL},
- {TPM_CC_HMAC, NULL, NULL, NULL},
- {TPM_CC_GetRandom, NULL, NULL, NULL},
- {TPM_CC_StirRandom, NULL, NULL, NULL},
- {TPM_CC_HMAC_Start, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HMAC_Start},
- {TPM_CC_HashSequenceStart, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HashSequenceStart},
- {TPM_CC_SequenceUpdate, NULL, NULL, NULL},
- {TPM_CC_SequenceComplete, NULL,NULL, (TSS_PostProcessFunction_t)TSS_PO_SequenceComplete},
- {TPM_CC_EventSequenceComplete, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EventSequenceComplete},
- {TPM_CC_Certify, NULL, NULL, NULL},
- {TPM_CC_CertifyX509, NULL, NULL, NULL},
- {TPM_CC_CertifyCreation, NULL, NULL, NULL},
- {TPM_CC_Quote, NULL, NULL, NULL},
- {TPM_CC_GetSessionAuditDigest, NULL, NULL, NULL},
- {TPM_CC_GetCommandAuditDigest, NULL, NULL, NULL},
- {TPM_CC_GetTime, NULL, NULL, NULL},
- {TPM_CC_Commit, NULL, NULL, NULL},
- {TPM_CC_EC_Ephemeral, NULL, NULL, NULL},
- {TPM_CC_VerifySignature, NULL, NULL, NULL},
- {TPM_CC_Sign, NULL, NULL, NULL},
- {TPM_CC_SetCommandCodeAuditStatus, NULL, NULL, NULL},
- {TPM_CC_PCR_Extend, NULL, NULL, NULL},
- {TPM_CC_PCR_Event, NULL, NULL, NULL},
- {TPM_CC_PCR_Read, NULL, NULL, NULL},
- {TPM_CC_PCR_Allocate, NULL, NULL, NULL},
- {TPM_CC_PCR_SetAuthPolicy, NULL, NULL, NULL},
- {TPM_CC_PCR_SetAuthValue, NULL, NULL, NULL},
- {TPM_CC_PCR_Reset, NULL, NULL, NULL},
- {TPM_CC_PolicySigned, NULL, NULL, NULL},
- {TPM_CC_PolicySecret, NULL, NULL, NULL},
- {TPM_CC_PolicyTicket, NULL, NULL, NULL},
- {TPM_CC_PolicyOR, NULL, NULL, NULL},
- {TPM_CC_PolicyPCR, NULL, NULL, NULL},
- {TPM_CC_PolicyLocality, NULL, NULL, NULL},
- {TPM_CC_PolicyNV, NULL, NULL, NULL},
- {TPM_CC_PolicyAuthorizeNV, NULL, NULL, NULL},
- {TPM_CC_PolicyCounterTimer, NULL, NULL, NULL},
- {TPM_CC_PolicyCommandCode, NULL, NULL, NULL},
- {TPM_CC_PolicyPhysicalPresence, NULL, NULL, NULL},
- {TPM_CC_PolicyCpHash, NULL, NULL, NULL},
- {TPM_CC_PolicyNameHash, NULL, NULL, NULL},
- {TPM_CC_PolicyDuplicationSelect, NULL, NULL, NULL},
- {TPM_CC_PolicyAuthorize, NULL, NULL, NULL},
- {TPM_CC_PolicyAuthValue, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyAuthValue},
- {TPM_CC_PolicyPassword, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyPassword},
- {TPM_CC_PolicyGetDigest, NULL, NULL, NULL},
- {TPM_CC_PolicyNvWritten, NULL, NULL, NULL},
- {TPM_CC_PolicyTemplate, NULL, NULL, NULL},
- {TPM_CC_CreatePrimary, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreatePrimary},
- {TPM_CC_HierarchyControl, NULL, NULL, NULL},
- {TPM_CC_SetPrimaryPolicy, NULL, NULL, NULL},
- {TPM_CC_ChangePPS, NULL, NULL, NULL},
- {TPM_CC_ChangeEPS, NULL, NULL, NULL},
- {TPM_CC_Clear, NULL, NULL, NULL},
- {TPM_CC_ClearControl, NULL, NULL, NULL},
- {TPM_CC_HierarchyChangeAuth, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_HierarchyChangeAuth, NULL},
- {TPM_CC_DictionaryAttackLockReset, NULL, NULL, NULL},
- {TPM_CC_DictionaryAttackParameters, NULL, NULL, NULL},
- {TPM_CC_PP_Commands, NULL, NULL, NULL},
- {TPM_CC_SetAlgorithmSet, NULL, NULL, NULL},
- {TPM_CC_ContextSave, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextSave},
- {TPM_CC_ContextLoad, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextLoad},
- {TPM_CC_FlushContext, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_FlushContext},
- {TPM_CC_EvictControl, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EvictControl},
- {TPM_CC_ReadClock, NULL, NULL, NULL},
- {TPM_CC_ClockSet, NULL, NULL, NULL},
- {TPM_CC_ClockRateAdjust, NULL, NULL, NULL},
- {TPM_CC_GetCapability, NULL, NULL, NULL},
- {TPM_CC_TestParms, NULL, NULL, NULL},
- {TPM_CC_NV_DefineSpace, (TSS_PreProcessFunction_t)TSS_PR_NV_DefineSpace, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_DefineSpace},
- {TPM_CC_NV_UndefineSpace, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpace},
- {TPM_CC_NV_UndefineSpaceSpecial, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_UndefineSpaceSpecial, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpaceSpecial},
- {TPM_CC_NV_ReadPublic, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadPublic},
- {TPM_CC_NV_Write, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
- {TPM_CC_NV_Increment, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
- {TPM_CC_NV_Extend, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
- {TPM_CC_NV_SetBits, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
- {TPM_CC_NV_WriteLock, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_WriteLock},
- {TPM_CC_NV_GlobalWriteLock, NULL, NULL, NULL},
- {TPM_CC_NV_Read, NULL, NULL, NULL},
- {TPM_CC_NV_ReadLock, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadLock},
- {TPM_CC_NV_ChangeAuth, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_ChangeAuth, NULL},
- {TPM_CC_NV_Certify, NULL, NULL, NULL}
+ {TPM_CC_Startup, NULL, NULL, NULL, NULL},
+ {TPM_CC_Shutdown, NULL, NULL, NULL, NULL},
+ {TPM_CC_SelfTest, NULL, NULL, NULL, NULL},
+ {TPM_CC_IncrementalSelfTest, NULL, NULL, NULL, NULL},
+ {TPM_CC_GetTestResult, NULL, NULL, NULL, NULL},
+ {TPM_CC_StartAuthSession, (TSS_CheckParametersFunction_t)TSS_CH_StartAuthSession, (TSS_PreProcessFunction_t)TSS_PR_StartAuthSession, NULL, (TSS_PostProcessFunction_t)TSS_PO_StartAuthSession},
+ {TPM_CC_PolicyRestart, NULL, NULL, NULL, NULL},
+ {TPM_CC_Create, (TSS_CheckParametersFunction_t)TSS_CH_Create, NULL, NULL, NULL},
+ {TPM_CC_Load, (TSS_CheckParametersFunction_t)TSS_CH_Load, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_Load},
+ {TPM_CC_LoadExternal, (TSS_CheckParametersFunction_t)TSS_CH_LoadExternal, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_LoadExternal},
+ {TPM_CC_ReadPublic, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ReadPublic},
+ {TPM_CC_ActivateCredential, NULL, NULL, NULL, NULL},
+ {TPM_CC_MakeCredential, NULL, NULL, NULL, NULL},
+ {TPM_CC_Unseal, NULL, NULL, NULL, NULL},
+ {TPM_CC_ObjectChangeAuth, NULL, NULL, NULL, NULL},
+ {TPM_CC_CreateLoaded, (TSS_CheckParametersFunction_t)TSS_CH_CreateLoaded, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreateLoaded},
+ {TPM_CC_Duplicate, NULL, NULL, NULL, NULL},
+ {TPM_CC_Rewrap, NULL, NULL, NULL, NULL},
+ {TPM_CC_Import, (TSS_CheckParametersFunction_t)TSS_CH_Import, NULL, NULL, NULL},
+ {TPM_CC_RSA_Encrypt, (TSS_CheckParametersFunction_t)TSS_CH_RSA_Encrypt, NULL, NULL, NULL},
+ {TPM_CC_RSA_Decrypt, (TSS_CheckParametersFunction_t)TSS_CH_RSA_Decrypt, NULL, NULL, NULL},
+ {TPM_CC_ECDH_KeyGen, NULL, NULL, NULL, NULL},
+ {TPM_CC_ECDH_ZGen, NULL, NULL, NULL, NULL},
+ {TPM_CC_ECC_Parameters, NULL, NULL, NULL, NULL},
+ {TPM_CC_ZGen_2Phase, NULL, NULL, NULL, NULL},
+ {TPM_CC_EncryptDecrypt, NULL, NULL, NULL, NULL},
+ {TPM_CC_EncryptDecrypt2, NULL, NULL, NULL, NULL},
+ {TPM_CC_Hash, (TSS_CheckParametersFunction_t)TSS_CH_Hash, NULL, NULL, NULL},
+ {TPM_CC_HMAC, (TSS_CheckParametersFunction_t)TSS_CH_HMAC, NULL, NULL, NULL},
+ {TPM_CC_GetRandom, NULL, NULL, NULL, NULL},
+ {TPM_CC_StirRandom, NULL, NULL, NULL, NULL},
+ {TPM_CC_HMAC_Start, (TSS_CheckParametersFunction_t)TSS_CH_HMAC_Start, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HMAC_Start},
+ {TPM_CC_HashSequenceStart, (TSS_CheckParametersFunction_t)TSS_CH_HashSequenceStart, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HashSequenceStart},
+ {TPM_CC_SequenceUpdate, NULL, NULL, NULL, NULL},
+ {TPM_CC_SequenceComplete, NULL, NULL,NULL, (TSS_PostProcessFunction_t)TSS_PO_SequenceComplete},
+ {TPM_CC_EventSequenceComplete, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EventSequenceComplete},
+ {TPM_CC_Certify, (TSS_CheckParametersFunction_t)TSS_CH_Certify, NULL, NULL, NULL},
+ {TPM_CC_CertifyX509, (TSS_CheckParametersFunction_t)TSS_CH_CertifyX509, NULL, NULL, NULL},
+ {TPM_CC_CertifyCreation, (TSS_CheckParametersFunction_t)TSS_CH_CertifyCreation, NULL, NULL, NULL},
+ {TPM_CC_Quote, (TSS_CheckParametersFunction_t)TSS_CH_Quote, NULL, NULL, NULL},
+ {TPM_CC_GetSessionAuditDigest, (TSS_CheckParametersFunction_t)TSS_CH_GetSessionAuditDigest, NULL, NULL, NULL},
+ {TPM_CC_GetCommandAuditDigest, (TSS_CheckParametersFunction_t)TSS_CH_GetCommandAuditDigest, NULL, NULL, NULL},
+ {TPM_CC_GetTime, (TSS_CheckParametersFunction_t)TSS_CH_GetTime, NULL, NULL, NULL},
+ {TPM_CC_Commit, NULL, NULL, NULL, NULL},
+ {TPM_CC_EC_Ephemeral, NULL, NULL, NULL, NULL},
+ {TPM_CC_VerifySignature, (TSS_CheckParametersFunction_t)TSS_CH_VerifySignature, NULL, NULL, NULL},
+ {TPM_CC_Sign, (TSS_CheckParametersFunction_t)TSS_CH_Sign, NULL, NULL, NULL},
+ {TPM_CC_SetCommandCodeAuditStatus, (TSS_CheckParametersFunction_t)TSS_CH_SetCommandCodeAuditStatus, NULL, NULL, NULL},
+ {TPM_CC_PCR_Extend, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_Event, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_Read, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_Allocate, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_SetAuthPolicy, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_SetAuthValue, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_Reset, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicySigned, (TSS_CheckParametersFunction_t)TSS_CH_PolicySigned, NULL, NULL, NULL},
+ {TPM_CC_PolicySecret, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyTicket, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyOR, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyPCR, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyLocality, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyNV, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyAuthorizeNV, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyCounterTimer, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyCommandCode, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyPhysicalPresence, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyCpHash, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyNameHash, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyDuplicationSelect, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyAuthorize, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyAuthValue, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyAuthValue},
+ {TPM_CC_PolicyPassword, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyPassword},
+ {TPM_CC_PolicyGetDigest, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyNvWritten, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyTemplate, NULL, NULL, NULL, NULL},
+ {TPM_CC_CreatePrimary, (TSS_CheckParametersFunction_t)TSS_CH_CreatePrimary, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreatePrimary},
+ {TPM_CC_HierarchyControl, NULL, NULL, NULL, NULL},
+ {TPM_CC_SetPrimaryPolicy, (TSS_CheckParametersFunction_t)TSS_CH_SetPrimaryPolicy, NULL, NULL, NULL},
+ {TPM_CC_ChangePPS, NULL, NULL, NULL, NULL},
+ {TPM_CC_ChangeEPS, NULL, NULL, NULL, NULL},
+ {TPM_CC_Clear, NULL, NULL, NULL, NULL},
+ {TPM_CC_ClearControl, NULL, NULL, NULL, NULL},
+ {TPM_CC_HierarchyChangeAuth, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_HierarchyChangeAuth, NULL},
+ {TPM_CC_DictionaryAttackLockReset, NULL, NULL, NULL, NULL},
+ {TPM_CC_DictionaryAttackParameters, NULL, NULL, NULL, NULL},
+ {TPM_CC_PP_Commands, NULL, NULL, NULL, NULL},
+ {TPM_CC_SetAlgorithmSet, NULL, NULL, NULL, NULL},
+ {TPM_CC_ContextSave, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextSave},
+ {TPM_CC_ContextLoad, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextLoad},
+ {TPM_CC_FlushContext, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_FlushContext},
+ {TPM_CC_EvictControl, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EvictControl},
+ {TPM_CC_ReadClock, NULL, NULL, NULL, NULL},
+ {TPM_CC_ClockSet, NULL, NULL, NULL, NULL},
+ {TPM_CC_ClockRateAdjust, NULL, NULL, NULL, NULL},
+ {TPM_CC_GetCapability, NULL, NULL, NULL, NULL},
+ {TPM_CC_TestParms, NULL, NULL, NULL, NULL},
+ {TPM_CC_NV_DefineSpace, (TSS_CheckParametersFunction_t)TSS_CH_NV_DefineSpace, (TSS_PreProcessFunction_t)TSS_PR_NV_DefineSpace, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_DefineSpace},
+ {TPM_CC_NV_UndefineSpace, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpace},
+ {TPM_CC_NV_UndefineSpaceSpecial, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_UndefineSpaceSpecial, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpaceSpecial},
+ {TPM_CC_NV_ReadPublic, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadPublic},
+ {TPM_CC_NV_Write, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_Increment, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_Extend, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_SetBits, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_WriteLock, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_WriteLock},
+ {TPM_CC_NV_GlobalWriteLock, NULL, NULL, NULL, NULL},
+ {TPM_CC_NV_Read, NULL, NULL, NULL, NULL},
+ {TPM_CC_NV_ReadLock, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadLock},
+ {TPM_CC_NV_ChangeAuth, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_ChangeAuth, NULL},
+ {TPM_CC_NV_Certify, (TSS_CheckParametersFunction_t)TSS_CH_NV_Certify, NULL, NULL, NULL}
};
#ifndef TPM_TSS_NO_PRINT
@@ -646,6 +1014,10 @@ static TPM_RC TSS_Command_ChangeAuthProcessor(TSS_CONTEXT *tssContext,
COMMAND_PARAMETERS *in);
#endif /* TPM_TSS_NOCRYPTO */
+#ifdef TPM_TSS_NODEPRECATEDALGS
+static TPM_RC TSS_Command_CheckParameters(TPM_CC commandCode,
+ COMMAND_PARAMETERS *in);
+#endif
static TPM_RC TSS_Command_PreProcessor(TSS_CONTEXT *tssContext,
TPM_CC commandCode,
COMMAND_PARAMETERS *in,
@@ -688,6 +1060,12 @@ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext,
{
TPM_RC rc = 0;
+#ifdef TPM_TSS_NODEPRECATEDALGS
+ if (rc == 0) {
+ rc = TSS_Command_CheckParameters(commandCode, in);
+ }
+#endif
+
/* create a TSS authorization context */
if (rc == 0) {
TSS_InitAuthContext(tssContext->tssAuthContext);
@@ -3751,6 +4129,38 @@ static TPM_RC TSS_CA_NV_UndefineSpaceSpecial(TSS_CONTEXT *tssContext,
return rc;
}
+#ifdef TPM_TSS_NODEPRECATEDALGS
+static TPM_RC TSS_Command_CheckParameters(TPM_CC commandCode,
+ COMMAND_PARAMETERS *in)
+{
+ TPM_RC rc = 0;
+ size_t index;
+ int found;
+ TSS_CheckParametersFunction_t checkParametersFunction = NULL;
+
+ /* search the table for a check parameters function */
+ if (rc == 0) {
+ found = FALSE;
+ for (index = 0 ; (index < (sizeof(tssTable) / sizeof(TSS_TABLE))) && !found ; index++) {
+ if (tssTable[index].commandCode == commandCode) {
+ found = TRUE;
+ break; /* don't increment index if found */
+ }
+ }
+ }
+ /* found false means there is no check parameters function. This permits the table to be smaller
+ if desired. */
+ if ((rc == 0) && found) {
+ checkParametersFunction = tssTable[index].checkParametersFunction;
+ /* call the check parameters function if there is one */
+ if (checkParametersFunction != NULL) {
+ rc = checkParametersFunction(in);
+ }
+ }
+ return rc;
+}
+#endif
+
/*
Command Pre-Processor
*/
diff --git a/utils/tsscryptoh.c b/utils/tsscryptoh.c
index 197549d..52f4616 100644
--- a/utils/tsscryptoh.c
+++ b/utils/tsscryptoh.c
@@ -454,7 +454,14 @@ TPM_RC TSS_RSA_padding_add_PKCS1_OAEP(unsigned char *em, uint32_t emLen,
unsigned char *maskedSeed;
uint16_t hlen = TSS_GetDigestSize(halg);
- em[0] = 0x00; /* firsr byte is 0x00 per the standard */
+ em[0] = 0x00; /* first byte is 0x00 per the standard */
+#ifdef TPM_TSS_NODEPRECATEDALGS
+ if (rc == 0) {
+ if (halg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+#endif
/* 1.a. If the length of L is greater than the input limitation for */
/* the hash function (2^61-1 octets for SHA-1) then output "parameter */
/* string too long" and stop. */
--
2.34.3

View File

@ -0,0 +1,593 @@
From df5038caa1785d2661d283e6eeb1d6d5184d5272 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
<shoracek@redhat.com>
Date: Mon, 2 May 2022 23:51:15 +0200
Subject: [PATCH 4/4] man: Include information about possible hash restriction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
utils/certify.c | 2 ++
utils/certifycreation.c | 2 ++
utils/create.c | 2 ++
utils/createloaded.c | 2 ++
utils/createprimary.c | 2 ++
utils/getcommandauditdigest.c | 2 ++
utils/getsessionauditdigest.c | 2 ++
utils/gettime.c | 2 ++
utils/hash.c | 2 ++
utils/hashsequencestart.c | 2 ++
utils/hmac.c | 2 ++
utils/hmacstart.c | 2 ++
utils/importpem.c | 2 ++
utils/loadexternal.c | 2 ++
utils/man/man1/tsscertify.1 | 2 ++
utils/man/man1/tsscertifycreation.1 | 2 ++
utils/man/man1/tsscreate.1 | 2 ++
utils/man/man1/tsscreateloaded.1 | 2 ++
utils/man/man1/tsscreateprimary.1 | 2 ++
utils/man/man1/tssgetcommandauditdigest.1 | 2 ++
utils/man/man1/tssgetsessionauditdigest.1 | 2 ++
utils/man/man1/tssgettime.1 | 2 ++
utils/man/man1/tsshash.1 | 2 ++
utils/man/man1/tsshashsequencestart.1 | 2 ++
utils/man/man1/tsshmac.1 | 2 ++
utils/man/man1/tsshmacstart.1 | 2 ++
utils/man/man1/tssimportpem.1 | 2 ++
utils/man/man1/tssloadexternal.1 | 2 ++
utils/man/man1/tssnvcertify.1 | 2 ++
utils/man/man1/tssnvdefinespace.1 | 2 ++
utils/man/man1/tsspolicysigned.1 | 2 ++
utils/man/man1/tssquote.1 | 2 ++
utils/man/man1/tssrsadecrypt.1 | 2 ++
utils/man/man1/tsssetcommandcodeauditstatus.1 | 2 ++
utils/man/man1/tsssetprimarypolicy.1 | 2 ++
utils/man/man1/tsssign.1 | 2 ++
utils/man/man1/tssstartauthsession.1 | 2 ++
utils/man/man1/tssverifysignature.1 | 2 ++
utils/nvcertify.c | 2 ++
utils/nvdefinespace.c | 2 ++
utils/policysigned.c | 2 ++
utils/quote.c | 2 ++
utils/rsadecrypt.c | 2 ++
utils/setcommandcodeauditstatus.c | 2 ++
utils/setprimarypolicy.c | 2 ++
utils/sign.c | 2 ++
utils/startauthsession.c | 2 ++
utils/verifysignature.c | 2 ++
48 files changed, 96 insertions(+)
diff --git a/utils/certify.c b/utils/certify.c
index f1f54d0..f9a07c5 100644
--- a/utils/certify.c
+++ b/utils/certify.c
@@ -407,5 +407,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/certifycreation.c b/utils/certifycreation.c
index ab54c0a..b4fa095 100644
--- a/utils/certifycreation.c
+++ b/utils/certifycreation.c
@@ -449,5 +449,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/create.c b/utils/create.c
index a8b805c..880af28 100644
--- a/utils/create.c
+++ b/utils/create.c
@@ -710,5 +710,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/createloaded.c b/utils/createloaded.c
index d54f791..5bcf69e 100644
--- a/utils/createloaded.c
+++ b/utils/createloaded.c
@@ -628,5 +628,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/createprimary.c b/utils/createprimary.c
index 52ae083..81cc91d 100644
--- a/utils/createprimary.c
+++ b/utils/createprimary.c
@@ -799,5 +799,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/getcommandauditdigest.c b/utils/getcommandauditdigest.c
index a219785..6412d90 100644
--- a/utils/getcommandauditdigest.c
+++ b/utils/getcommandauditdigest.c
@@ -391,5 +391,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/getsessionauditdigest.c b/utils/getsessionauditdigest.c
index 61b12e6..4138bc7 100644
--- a/utils/getsessionauditdigest.c
+++ b/utils/getsessionauditdigest.c
@@ -387,5 +387,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/gettime.c b/utils/gettime.c
index b07baf1..547faa9 100644
--- a/utils/gettime.c
+++ b/utils/gettime.c
@@ -391,5 +391,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/hash.c b/utils/hash.c
index 71b8a7c..5a0df6a 100644
--- a/utils/hash.c
+++ b/utils/hash.c
@@ -306,5 +306,7 @@ static void printUsage(void)
printf("\t[-ns\tno space, no text, no newlines]\n");
printf("\t[-oh\thash file name (default do not save)]\n");
printf("\t[-tk\tticket file name (default do not save)]\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/hashsequencestart.c b/utils/hashsequencestart.c
index d54fadd..88d15fc 100644
--- a/utils/hashsequencestart.c
+++ b/utils/hashsequencestart.c
@@ -249,5 +249,7 @@ static void printUsage(void)
printf("\t-se[0-2] session handle / attributes (default NULL)\n");
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/hmac.c b/utils/hmac.c
index be63e1b..7ab2b34 100644
--- a/utils/hmac.c
+++ b/utils/hmac.c
@@ -352,5 +352,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/hmacstart.c b/utils/hmacstart.c
index 3fdd0f9..171af6c 100644
--- a/utils/hmacstart.c
+++ b/utils/hmacstart.c
@@ -274,5 +274,7 @@ static void printUsage(void)
printf("\n");
printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
printf("\t01\tcontinue\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/importpem.c b/utils/importpem.c
index 38ad125..75c8cb2 100644
--- a/utils/importpem.c
+++ b/utils/importpem.c
@@ -486,5 +486,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/loadexternal.c b/utils/loadexternal.c
index 877501c..ff4b46f 100644
--- a/utils/loadexternal.c
+++ b/utils/loadexternal.c
@@ -538,5 +538,7 @@ static void printUsage(void)
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
printf("\t80\taudit\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/man/man1/tsscertify.1 b/utils/man/man1/tsscertify.1
index 6895ee7..7b34e2f 100644
--- a/utils/man/man1/tsscertify.1
+++ b/utils/man/man1/tsscertify.1
@@ -44,3 +44,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsscertifycreation.1 b/utils/man/man1/tsscertifycreation.1
index 4382ed9..5f51d05 100644
--- a/utils/man/man1/tsscertifycreation.1
+++ b/utils/man/man1/tsscertifycreation.1
@@ -47,3 +47,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsscreate.1 b/utils/man/man1/tsscreate.1
index b4eda75..92f53a7 100644
--- a/utils/man/man1/tsscreate.1
+++ b/utils/man/man1/tsscreate.1
@@ -125,3 +125,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsscreateloaded.1 b/utils/man/man1/tsscreateloaded.1
index ccd3d73..7e6c422 100644
--- a/utils/man/man1/tsscreateloaded.1
+++ b/utils/man/man1/tsscreateloaded.1
@@ -126,3 +126,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsscreateprimary.1 b/utils/man/man1/tsscreateprimary.1
index 895a42e..c189f17 100644
--- a/utils/man/man1/tsscreateprimary.1
+++ b/utils/man/man1/tsscreateprimary.1
@@ -129,3 +129,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tssgetcommandauditdigest.1 b/utils/man/man1/tssgetcommandauditdigest.1
index 34711e0..e67adac 100644
--- a/utils/man/man1/tssgetcommandauditdigest.1
+++ b/utils/man/man1/tssgetcommandauditdigest.1
@@ -41,3 +41,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tssgetsessionauditdigest.1 b/utils/man/man1/tssgetsessionauditdigest.1
index d09c78b..272127e 100644
--- a/utils/man/man1/tssgetsessionauditdigest.1
+++ b/utils/man/man1/tssgetsessionauditdigest.1
@@ -44,3 +44,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tssgettime.1 b/utils/man/man1/tssgettime.1
index bec0627..1cb46f6 100644
--- a/utils/man/man1/tssgettime.1
+++ b/utils/man/man1/tssgettime.1
@@ -41,3 +41,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsshash.1 b/utils/man/man1/tsshash.1
index 6eff929..0a9c54e 100644
--- a/utils/man/man1/tsshash.1
+++ b/utils/man/man1/tsshash.1
@@ -28,3 +28,5 @@ hash file name (default do not save)]
.TP
[\-tk
ticket file name (default do not save)]
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsshashsequencestart.1 b/utils/man/man1/tsshashsequencestart.1
index f6d7f52..663ae69 100644
--- a/utils/man/man1/tsshashsequencestart.1
+++ b/utils/man/man1/tsshashsequencestart.1
@@ -21,3 +21,5 @@ continue
.TP
20
command decrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsshmac.1 b/utils/man/man1/tsshmac.1
index e64a861..70d2632 100644
--- a/utils/man/man1/tsshmac.1
+++ b/utils/man/man1/tsshmac.1
@@ -35,3 +35,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsshmacstart.1 b/utils/man/man1/tsshmacstart.1
index 65d4ab6..64bcf2f 100644
--- a/utils/man/man1/tsshmacstart.1
+++ b/utils/man/man1/tsshmacstart.1
@@ -23,3 +23,5 @@ password for sequence (default empty)
.TP
01
continue
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tssimportpem.1 b/utils/man/man1/tssimportpem.1
index 21c362e..bf79c92 100644
--- a/utils/man/man1/tssimportpem.1
+++ b/utils/man/man1/tssimportpem.1
@@ -67,3 +67,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tssloadexternal.1 b/utils/man/man1/tssloadexternal.1
index e32a251..2a9ba66 100644
--- a/utils/man/man1/tssloadexternal.1
+++ b/utils/man/man1/tssloadexternal.1
@@ -71,3 +71,5 @@ response encrypt
.TP
80
audit
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tssnvcertify.1 b/utils/man/man1/tssnvcertify.1
index c55f6dc..83d2380 100644
--- a/utils/man/man1/tssnvcertify.1
+++ b/utils/man/man1/tssnvcertify.1
@@ -50,3 +50,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tssnvdefinespace.1 b/utils/man/man1/tssnvdefinespace.1
index 0f378e9..642508b 100644
--- a/utils/man/man1/tssnvdefinespace.1
+++ b/utils/man/man1/tssnvdefinespace.1
@@ -99,3 +99,5 @@ continue
.TP
20
command decrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsspolicysigned.1 b/utils/man/man1/tsspolicysigned.1
index f50b81a..2f745c0 100644
--- a/utils/man/man1/tsspolicysigned.1
+++ b/utils/man/man1/tsspolicysigned.1
@@ -44,3 +44,5 @@ ticket file name]
.TP
[\-to
timeout file name]
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tssquote.1 b/utils/man/man1/tssquote.1
index 04a2e60..fef5c39 100644
--- a/utils/man/man1/tssquote.1
+++ b/utils/man/man1/tssquote.1
@@ -44,3 +44,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tssrsadecrypt.1 b/utils/man/man1/tssrsadecrypt.1
index 6c35e42..ab77103 100644
--- a/utils/man/man1/tssrsadecrypt.1
+++ b/utils/man/man1/tssrsadecrypt.1
@@ -31,3 +31,5 @@ command decrypt
.TP
40
response encrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsssetcommandcodeauditstatus.1 b/utils/man/man1/tsssetcommandcodeauditstatus.1
index c4d19dc..7d44fb2 100644
--- a/utils/man/man1/tsssetcommandcodeauditstatus.1
+++ b/utils/man/man1/tsssetcommandcodeauditstatus.1
@@ -29,3 +29,5 @@ continue
.TP
20
command decrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsssetprimarypolicy.1 b/utils/man/man1/tsssetprimarypolicy.1
index c67c1f9..a3db8d2 100644
--- a/utils/man/man1/tsssetprimarypolicy.1
+++ b/utils/man/man1/tsssetprimarypolicy.1
@@ -26,3 +26,5 @@ continue
.TP
20
command decrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tsssign.1 b/utils/man/man1/tsssign.1
index d5ad351..83d3cfa 100644
--- a/utils/man/man1/tsssign.1
+++ b/utils/man/man1/tsssign.1
@@ -46,3 +46,5 @@ continue
.TP
20
command decrypt
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tssstartauthsession.1 b/utils/man/man1/tssstartauthsession.1
index 3e944bb..0bb5022 100644
--- a/utils/man/man1/tssstartauthsession.1
+++ b/utils/man/man1/tssstartauthsession.1
@@ -35,3 +35,5 @@ bind password for bind handle (default empty)]
.TP
[\-on
nonceTPM file for policy session (default do not save)]
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/man/man1/tssverifysignature.1 b/utils/man/man1/tssverifysignature.1
index e2d6460..67b7ff5 100644
--- a/utils/man/man1/tssverifysignature.1
+++ b/utils/man/man1/tssverifysignature.1
@@ -57,3 +57,5 @@ command decrypt
.TP
80
audit
+.PP
+Depending on the build configuration, some hash algorithms may not be available.
diff --git a/utils/nvcertify.c b/utils/nvcertify.c
index 81bde69..6882bfb 100644
--- a/utils/nvcertify.c
+++ b/utils/nvcertify.c
@@ -445,5 +445,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/nvdefinespace.c b/utils/nvdefinespace.c
index 18ce6ea..94e6cbd 100644
--- a/utils/nvdefinespace.c
+++ b/utils/nvdefinespace.c
@@ -590,5 +590,7 @@ static void printUsage(void)
printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/policysigned.c b/utils/policysigned.c
index 469cec9..8283464 100644
--- a/utils/policysigned.c
+++ b/utils/policysigned.c
@@ -452,5 +452,7 @@ static void printUsage(void)
printf("\t[-pwdk\tsigning key password (default null)]\n");
printf("\t[-tk\tticket file name]\n");
printf("\t[-to\ttimeout file name]\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/quote.c b/utils/quote.c
index c29fad0..7523578 100644
--- a/utils/quote.c
+++ b/utils/quote.c
@@ -435,5 +435,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/rsadecrypt.c b/utils/rsadecrypt.c
index e2846af..fe5086a 100644
--- a/utils/rsadecrypt.c
+++ b/utils/rsadecrypt.c
@@ -507,5 +507,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t40\tresponse encrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/setcommandcodeauditstatus.c b/utils/setcommandcodeauditstatus.c
index 7a880ae..ddecad5 100644
--- a/utils/setcommandcodeauditstatus.c
+++ b/utils/setcommandcodeauditstatus.c
@@ -294,5 +294,7 @@ static void printUsage(void)
printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/setprimarypolicy.c b/utils/setprimarypolicy.c
index 619937f..c03883f 100644
--- a/utils/setprimarypolicy.c
+++ b/utils/setprimarypolicy.c
@@ -296,5 +296,7 @@ static void printUsage(void)
printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/sign.c b/utils/sign.c
index 0635366..f31196b 100644
--- a/utils/sign.c
+++ b/utils/sign.c
@@ -485,5 +485,7 @@ static void printUsage(void)
printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/startauthsession.c b/utils/startauthsession.c
index d47c731..e6ddd5a 100644
--- a/utils/startauthsession.c
+++ b/utils/startauthsession.c
@@ -297,5 +297,7 @@ static void printUsage(void)
printf("\t[-pwdb\tbind password for bind handle (default empty)]\n");
printf("\t[-sym\t(xor, aes) symmetric parameter encryption algorithm (default xor)]\n");
printf("\t[-on\tnonceTPM file for policy session (default do not save)]\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
diff --git a/utils/verifysignature.c b/utils/verifysignature.c
index 57978d5..41ba05b 100644
--- a/utils/verifysignature.c
+++ b/utils/verifysignature.c
@@ -484,5 +484,7 @@ static void printUsage(void)
printf("\t01\tcontinue\n");
printf("\t20\tcommand decrypt\n");
printf("\t80\taudit\n");
+ printf("\n");
+ printf("Depending on the build configuration, some hash algorithms may not be available.\n");
exit(1);
}
--
2.34.3

View File

@ -0,0 +1,111 @@
From d77514273aa88f67b85c398a222ab2195c42f5fd Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgold@linux.ibm.com>
Date: Tue, 31 Aug 2021 13:45:21 -0400
Subject: [PATCH 4/7] utils: Clean up certifyx509 memory allocation
Make TPM_ADDTOCERT input const. Annotate malloc and free calls. Free
TPM_PARTIAL_CERT. Use TPM_ADDTOCERT_free. Remove unused
x509IssuerName and x509SubjectName and their frees. Free
TPM_PARTIAL_CERT issuer and subject because createX509Name() mallocs.
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
utils/certifyx509.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/utils/certifyx509.c b/utils/certifyx509.c
index 5602f62..8ac5abd 100644
--- a/utils/certifyx509.c
+++ b/utils/certifyx509.c
@@ -147,7 +147,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *certificate,
TPM_RC reformCertificate(X509 *x509Certificate,
TPMI_ALG_HASH halg,
TPMI_ALG_SIG_SCHEME scheme,
- TPM_ADDTOCERT *addToCert,
+ const TPM_ADDTOCERT *addToCert,
TPMT_SIGNATURE *tSignature);
TPM_RC addSignatureRsa(X509 *x509Certificate,
TPMI_ALG_HASH halg,
@@ -618,7 +618,7 @@ int main(int argc, char *argv[])
if (rc == 0) {
if (verbose) X509_print_fp(stdout, x509Certificate); /* for debug */
rc = convertX509ToDer(&x509DerLength,
- &x509Der, /* freed @2 */
+ &x509Der, /* freed @4 */
x509Certificate);
}
if ((rc == 0) && (outCertificateFilename != NULL)) {
@@ -628,8 +628,13 @@ int main(int argc, char *argv[])
if (x509Certificate != NULL) {
X509_free(x509Certificate); /* @1 */
}
- free(x509Der); /* @2 */
- OPENSSL_free(addToCert); /* @3 */
+ if (partialCertificate != NULL) {
+ TPM_PARTIAL_CERT_free(partialCertificate); /* @2 */
+ }
+ if (addToCert != NULL) {
+ TPM_ADDTOCERT_free(addToCert); /* @3 */
+ }
+ free(x509Der); /* @4 */
return rc;
}
@@ -683,8 +688,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
int irc;
ASN1_TIME *arc; /* return code */
- X509_NAME *x509IssuerName = NULL; /* composite issuer name, key/value pairs */
- X509_NAME *x509SubjectName = NULL;/* composite subject name, key/value pairs */
size_t issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
size_t subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
uint8_t *tmpPartialDer = NULL; /* for the i2d */
@@ -693,6 +696,9 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
if (rc == 0) {
if (verbose) printf("createPartialCertificate: Adding issuer, size %lu\n",
(unsigned long)issuerEntriesSize);
+ /* _new allocates the member. free it because createX509Name() allocates a new structure */
+ X509_NAME_free(partialCertificate->issuer);
+ partialCertificate->issuer = NULL;
rc = createX509Name(&partialCertificate->issuer, /* freed @1 */
issuerEntriesSize,
issuerEntries);
@@ -746,6 +752,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
if (!subeqiss) {
if (verbose) printf("createPartialCertificate: Adding subject, size %lu\n",
(unsigned long)subjectEntriesSize);
+ X509_NAME_free(partialCertificate->subject);
+ partialCertificate->subject = NULL;
rc = createX509Name(&partialCertificate->subject, /* freed @2 */
subjectEntriesSize,
subjectEntries);
@@ -754,6 +762,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
else {
if (verbose) printf("createPartialCertificate: Adding subject (issuer), size %lu\n",
(unsigned long)issuerEntriesSize);
+ X509_NAME_free(partialCertificate->subject);
+ partialCertificate->subject = NULL;
rc = createX509Name(&partialCertificate->subject, /* freed @2 */
issuerEntriesSize,
issuerEntries);
@@ -806,8 +816,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate, /* input /
if (verbose) X509_print_fp(stdout, x509Certificate);
}
#endif
- X509_NAME_free(x509IssuerName); /* @1 */
- X509_NAME_free(x509SubjectName); /* @2 */
OPENSSL_free(tmpPartialDer); /* @3 */
return rc;
}
@@ -956,7 +964,7 @@ TPM_RC addPartialCertExtensionTpmaOid(TPM_PARTIAL_CERT *partialCertificate,
TPM_RC reformCertificate(X509 *x509Certificate,
TPMI_ALG_HASH halg,
TPMI_ALG_SIG_SCHEME scheme,
- TPM_ADDTOCERT *addToCert,
+ const TPM_ADDTOCERT *addToCert,
TPMT_SIGNATURE *tSignature)
{
TPM_RC rc = 0;
--
2.34.1

View File

@ -0,0 +1,91 @@
From bcbc2f0400cfc2f596283e8c528aed4576bfea69 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgold@linux.ibm.com>
Date: Fri, 3 Sep 2021 14:58:20 -0400
Subject: [PATCH 5/7] utils: Fix errors detected by gcc asan
In Uint32_Convert(), case the byte to uint32_t before the left shift
24 to suppress a warning.
In TSS_EFI_GetNameIndex(), do not compare data if the length does not
match, because this could cause a buffer overflow. Test should be &&,
not &.
TSS_Delete should only memset sessionData if the pointer is not NULL.
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
utils/efilib.c | 11 +++++++----
utils/eventlib.c | 10 +++++-----
utils/tss.c | 6 ++++--
3 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/utils/efilib.c b/utils/efilib.c
index 201a1f5..ab8177b 100644
--- a/utils/efilib.c
+++ b/utils/efilib.c
@@ -399,16 +399,19 @@ static void TSS_EFI_GetNameIndex(size_t *index,
const uint8_t *name,
uint64_t nameLength) /* half the total bytes in array */
{
- int m1,m2;
+ int m1 = 0;
+ int m2 = 0;
for (*index = 0 ;
*index < sizeof(tagTable) / sizeof(TAG_TABLE) ;
(*index)++) {
/* length match */
m1 = (nameLength * 2) == tagTable[*index].nameLength;
- /* string match */
- m2 = memcmp(name, tagTable[*index].name, (size_t)(nameLength * 2)) == 0;
- if (m1 & m2) {
+ if (m1) {
+ /* string match */
+ m2 = memcmp(name, tagTable[*index].name, (size_t)(nameLength * 2)) == 0;
+ }
+ if (m1 && m2) {
return;
}
}
diff --git a/utils/eventlib.c b/utils/eventlib.c
index 0c2801c..c56a22f 100644
--- a/utils/eventlib.c
+++ b/utils/eventlib.c
@@ -1346,12 +1346,12 @@ static uint32_t Uint32_Convert(uint32_t in)
{
uint32_t out = 0;
unsigned char *inb = (unsigned char *)&in;
-
+
/* little endian input */
- out = (inb[0] << 0) |
- (inb[1] << 8) |
- (inb[2] << 16) |
- (inb[3] << 24);
+ out = ((((uint32_t)inb[0]) << 0) |
+ (((uint32_t)inb[1]) << 8) |
+ (((uint32_t)inb[2]) << 16) |
+ (((uint32_t)inb[3]) << 24));
return out;
}
#endif /* TPM_TSS_NOFILE */
diff --git a/utils/tss.c b/utils/tss.c
index 574c448..6f0eede 100644
--- a/utils/tss.c
+++ b/utils/tss.c
@@ -179,8 +179,10 @@ TPM_RC TSS_Delete(TSS_CONTEXT *tssContext)
for (i = 0 ; i < (sizeof(tssContext->sessions) / sizeof(TSS_SESSIONS)) ; i++) {
tssContext->sessions[i].sessionHandle = TPM_RH_NULL;
/* erase any secrets */
- memset(tssContext->sessions[i].sessionData,
- 0, tssContext->sessions[i].sessionDataLength);
+ if (tssContext->sessions[i].sessionData != NULL) {
+ memset(tssContext->sessions[i].sessionData,
+ 0, tssContext->sessions[i].sessionDataLength);
+ }
free(tssContext->sessions[i].sessionData);
tssContext->sessions[i].sessionData = NULL;
tssContext->sessions[i].sessionDataLength = 0;
--
2.34.1

View File

@ -0,0 +1,103 @@
From 7128994537a7103b25acb1df238db747d7cb3274 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgold@linux.ibm.com>
Date: Fri, 10 Sep 2021 16:33:10 -0400
Subject: [PATCH 6/7] tss: Port HMAC operations to openssl 3.0
Replace the deprecated APIs.
- Compared to the next branch commit 6e22032d, changes related to HMAC are
ommited.
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
utils/tsscrypto.c | 58 ++++++++++++++++++++++++++++++-----------------
1 file changed, 37 insertions(+), 21 deletions(-)
diff --git a/utils/tsscrypto.c b/utils/tsscrypto.c
index 23d3b6e..1974563 100644
--- a/utils/tsscrypto.c
+++ b/utils/tsscrypto.c
@@ -79,6 +79,7 @@ extern int tssVerbose;
/* local prototypes */
+static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg);
static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
TPMI_ALG_HASH hashAlg);
@@ -129,36 +130,51 @@ TPM_RC TSS_Crypto_Init(void)
Digests
*/
-static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
- TPMI_ALG_HASH hashAlg)
+/* TSS_Hash_GetString() maps from the TCG hash algorithm to the OpenSSL string */
+
+static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg)
{
- TPM_RC rc = 0;
+ TPM_RC rc = 0;
- if (rc == 0) {
- switch (hashAlg) {
+ switch (hashAlg) {
#ifdef TPM_ALG_SHA1
- case TPM_ALG_SHA1:
- *md = EVP_get_digestbyname("sha1");
- break;
+ case TPM_ALG_SHA1:
+ *str = "sha1";
+ break;
#endif
-#ifdef TPM_ALG_SHA256
- case TPM_ALG_SHA256:
- *md = EVP_get_digestbyname("sha256");
- break;
+#ifdef TPM_ALG_SHA256
+ case TPM_ALG_SHA256:
+ *str = "sha256";
+ break;
#endif
#ifdef TPM_ALG_SHA384
- case TPM_ALG_SHA384:
- *md = EVP_get_digestbyname("sha384");
- break;
+ case TPM_ALG_SHA384:
+ *str = "sha384";
+ break;
#endif
#ifdef TPM_ALG_SHA512
- case TPM_ALG_SHA512:
- *md = EVP_get_digestbyname("sha512");
- break;
+ case TPM_ALG_SHA512:
+ *str = "sha512";
+ break;
#endif
- default:
- rc = TSS_RC_BAD_HASH_ALGORITHM;
- }
+ default:
+ *str = NULL;
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ return rc;
+}
+
+static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+ TPMI_ALG_HASH hashAlg)
+{
+ TPM_RC rc = 0;
+ const char *str = NULL;
+
+ if (rc == 0) {
+ rc = TSS_Hash_GetOsslString(&str, hashAlg);
+ }
+ if (rc == 0) {
+ *md = EVP_get_digestbyname(str);
}
return rc;
}
--
2.34.1

File diff suppressed because it is too large Load Diff

View File

@ -1,33 +0,0 @@
diff -ur tss2-1234/utils/makefile-common tss2-1234-new/utils/makefile-common
--- tss2-1234/utils/makefile-common 2018-05-29 12:00:46.000000000 -0700
+++ tss2-1234-new/utils/makefile-common 2018-10-02 15:10:20.783078580 -0700
@@ -44,7 +44,7 @@
CCFLAGS += \
-Wall -W -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
-Wformat=2 -Wold-style-definition -Wno-self-assign \
- -ggdb -O0 -c
+ -ggdb -c
# to compile with optimizations on (warning will result)
# -O3 -c
diff -ur tss2-1234/utils/makefile.fedora tss2-1234-new/utils/makefile.fedora
--- tss2-1234/utils/makefile.fedora 2018-05-15 10:07:20.000000000 -0700
+++ tss2-1234-new/utils/makefile.fedora 2018-10-02 15:11:33.909083615 -0700
@@ -71,7 +71,7 @@
# compile - common flags for TSS library and applications
-CCFLAGS += -DTPM_POSIX
+CCFLAGS += -DTPM_POSIX -DTPM_INTERFACE_TYPE_DEFAULT="\"dev\"" -DTPM_DEVICE_DEFAULT="\"/dev/tpmrm0\""
# example of pointing to a locally built openssl 1.1
# CCFLAGS += -I/home/kgold/openssl-1.1.0c/include
@@ -119,7 +119,7 @@
LNLFLAGS += -shared -Wl,-z,now
# This is an alternative to using the bfd linker on Ubuntu
-# LNLLIBS += -lcrypto
+LNLLIBS += -lcrypto
# link - for applications, TSS path, TSS and OpenSSl libraries

View File

@ -1,18 +0,0 @@
diff -ur tss2-1234/utils/policymaker.c tss2-1234-new/utils/policymaker.c
--- tss2-1234/utils/policymaker.c 2018-10-18 12:16:59.742439220 -0700
+++ tss2-1234-new/utils/policymaker.c 2018-10-18 12:34:34.991755536 -0700
@@ -208,10 +208,10 @@
}
/* hash extend */
if ((rc == 0) && (prc != NULL)) {
- TSS_Hash_Generate(&digest,
- startSizeInBytes, (uint8_t *)&digest.digest, /* extend */
- lineLength /2, lineBinary,
- 0, NULL);
+ rc = TSS_Hash_Generate(&digest,
+ startSizeInBytes, (uint8_t *)&digest.digest, /* extend */
+ lineLength /2, lineBinary,
+ 0, NULL);
}
if ((rc == 0) && (prc != NULL)) {
if (verbose) TSS_PrintAll("intermediate policy digest",

File diff suppressed because it is too large Load Diff

View File

@ -3,25 +3,38 @@
# #
%{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro} %{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro}
%global incname ibmtss
Name: tss2 Name: tss2
Version: 1331 Version: 1.6.0
Release: 2%{?dist} Release: 7%{?dist}
Epoch: 1
Summary: IBM's TCG Software Stack (TSS) for TPM 2.0 and related utilities Summary: IBM's TCG Software Stack (TSS) for TPM 2.0 and related utilities
Group: Applications/System
License: BSD License: BSD
URL: http://sourceforge.net/projects/ibmtpm20tss/ URL: http://sourceforge.net/projects/ibmtpm20tss/
Source0: https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz Source0: https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz
Patch0: tss2-1.6.0-manpage-cleanup.patch
Patch1: 0001-utils-Update-certifyx509-for-Openssl-3.0.0.patch
Patch2: 0002-utils-Remove-unused-variables-from-certifyx509.patch
Patch3: 0003-Update-certifyx509-for-Windows.patch
Patch4: 0004-utils-Clean-up-certifyx509-memory-allocation.patch
Patch5: 0005-utils-Fix-errors-detected-by-gcc-asan.patch
Patch6: 0006-tss-Port-HMAC-operations-to-openssl-3.0.patch
Patch7: 0007-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
Patch8: 0001-utils-Generate-X509-certificate-serial-number-using-.patch
Patch9: 0001-tss-Add-missing-parameter-union-members.patch
Patch10: 0002-regtest-Update-to-SHA-256-without-restricting-the-sc.patch
Patch11: 0003-tss-Restrict-usage-of-SHA-1.patch
Patch12: 0004-man-Include-information-about-possible-hash-restrict.patch
Patch4: flags-fixup.patch
# reported upstream https://sourceforge.net/p/ibmtpm20tss/mailman/message/36444738/
# and reported fixed, but not yet pushed to sourceforge.
Patch5: hash_generate.patch
# Submitted upstream
Patch6: 0001-tss2-fix-bounds-check-in-IMA_Event_PcrExtend.patch
BuildRequires: openssl-devel BuildRequires: automake
BuildRequires: autoconf
BuildRequires: libtool
BuildRequires: gcc BuildRequires: gcc
BuildRequires: openssl-devel
BuildRequires: git
Requires: openssl Requires: openssl
%description %description
@ -35,90 +48,99 @@ education and debugging.
%package devel %package devel
Summary: Development libraries and headers for IBM's TSS 2.0 Summary: Development libraries and headers for IBM's TSS 2.0
Group: Development/Libraries Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}%{?_isa} = %{version}-%{release}
%description devel %description devel
Development libraries and headers for IBM's TSS 2.0. You will need this in Development libraries and headers for IBM's TSS 2.0. You will need this in
order to build TSS 2.0 applications. order to build TSS 2.0 applications.
%define incname ibmtss
%prep %prep
%autosetup -p1 -c %{name}-%{version} %autosetup -S git -p1 -c %{name}-%{version}
%build %build
# nonstandard variable names are used in place of CFLAGS and LDFLAGS autoreconf -vi
pushd utils %configure --disable-static --disable-tpm-1.2 --program-prefix=tss --enable-nodeprecatedalgs
CCFLAGS="%{optflags}" \ CCFLAGS="%{optflags}" \
LNFLAGS="%{__global_ldflags}" \ LNFLAGS="%{__global_ldflags}" \
make -f makefile.fedora %{?_smp_mflags} %{make_build}
popd
%install %install
# Prefix for namespacing %make_install
BIN_PREFIX=tss find %{buildroot} -type f -name "*.la" -delete -print
mkdir -p %{buildroot}/%{_bindir}
mkdir -p %{buildroot}/%{_libdir}
mkdir -p %{buildroot}/%{_includedir}/%{incname}/
mkdir -p %{buildroot}/%{_mandir}/man1
pushd utils
# Pick out executables and copy with namespacing
for f in *; do
if [[ -x $f && -f $f && ! $f =~ .*\..* ]]; then
cp -p $f %{buildroot}/%{_bindir}/${BIN_PREFIX}$f
fi;
done
cp -p *.so.1.1 %{buildroot}/%{_libdir}
cp -p %{incname}/*.h %{buildroot}/%{_includedir}/%{incname}/
cp -p man/man1/tss*.1 %{buildroot}/%{_mandir}/man1/
popd
%ldconfig_scriptlets
# Make symbolic links to the shared lib
pushd %{buildroot}/%{_libdir}
rm -f libibmtss.so.1
ln -sf libibmtss.so.1.1 libibmtss.so.1
rm -f libibmtss.so
ln -sf libibmtss.so.1 libibmtss.so
popd
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files %files
%license LICENSE %license LICENSE
%{_bindir}/tss* %{_bindir}/tss*
%{_libdir}/libibmtss.so.1 %{_libdir}/libibmtss.so.*
%{_libdir}/libibmtss.so.1.* %{_libdir}/libibmtssutils.so.*
%attr(0644, root, root) %{_mandir}/man1/tss*.1* %attr(0644, root, root) %{_mandir}/man1/tss*.1*
%files devel %files devel
%{_includedir}/%{incname} %{_includedir}/%{incname}
%{_libdir}/libibmtss.so %{_libdir}/libibmtss.so
%{_libdir}/libibmtssutils.so
%doc ibmtss.doc %doc ibmtss.doc
%changelog %changelog
* Thu Jun 06 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1331-2 * Fri Jul 8 2022 Stepan Horacek <shoracek@redhat.com> - 1:1.6.0-7
- Fix bounds check in IMA_Event_PcrExtend - Version bump
resolves: rhbz#1669239 Resolves: rhbz#2060768
* Wed Jun 29 2022 Stepan Horacek <shoracek@redhat.com> - 1:1.6.0-6
- Restrict SHA-1 usage
Resolves: rhbz#2060768
* Fri Jan 28 2022 Stepan Horacek <shoracek@redhat.com> - 1:1.6.0-5
- Fix failures introduced with OpenSSL 3
Resolves: rhbz#1984621
Resolves: rhbz#1992339
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.6.0-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.6.0-3
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.6.0-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Feb 8 2021 Jerry Snitselaar <jsnitsel@redhat.com> - 1.6.0-1
- Rebase to v1.6.0 release.
- Manpage cleanup.
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1331-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1331-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Feb 14 2020 Tom Stellard <tstellar@redhat.com> - 1331-5
- Use make_build macro
- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1331-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jan 17 2020 Jeff Law <law@redhat.com> - 1331-3
- Ensure tssprintcmd has the compilation compilation flags,
PIC in particular
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1331-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu May 30 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1331-1 * Thu May 30 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1331-1
- Rebase to v1331 - Rebase to version 1331
- Add initial CI gating support
resolves: rhbz#1669239
* Fri Oct 05 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 1234-5 * Tue May 28 2019 Jerry Snitselaar <jsnitsel@redhat.com> - 1234-4
- Move header files to ibmtss directory. - Fix covscan issues
- Check return value of TSS_Hash_Generate. - Fix compile and linker flag issues
resolves: rhbz#1636245
* Tue Oct 02 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 1234-4 * Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1234-3
- Fix compile and link flags - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
resolves: rhbz#1624182
* Thu Jul 19 2018 Jerry Snitselaar <jsnitsel@redhat.com> - 1234-3
- Clean up covscan issues.
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1234-2 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1234-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild