tss2/SOURCES/0003-tss-Restrict-usage-of-SHA-1.patch
2022-11-15 07:41:52 +00:00

908 lines
31 KiB
Diff

From 163843248ce6bb85fa5a3527f93610328877a1cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
<shoracek@redhat.com>
Date: Sat, 30 Apr 2022 22:15:43 +0200
Subject: [PATCH 3/4] tss: Restrict usage of SHA-1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Due to SHA-1 not being considered secure, it should be not used for
cryptographical purposes. This commit disables the usage of SHA-1 in
cases where it is used in potentially exploitable situations, most
notably for creating signatures.
- Compared to the next branch commit af3154e2, changes related to
unimplemented ECC functionality are ommited.
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
---
configure.ac | 24 +-
utils/Makefile.am | 16 +-
utils/cryptoutils.c | 4 +
utils/reg.sh | 20 +-
utils/regtests/testattest.sh | 3 +-
utils/regtests/testevent.sh | 2 +-
utils/tss20.c | 638 ++++++++++++++++++++++++++++-------
utils/tsscryptoh.c | 9 +-
8 files changed, 582 insertions(+), 134 deletions(-)
diff --git a/configure.ac b/configure.ac
index ad870b1..c570cb0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -123,6 +123,11 @@ AC_ARG_ENABLE(rmtpm,
AM_CONDITIONAL([CONFIG_RMTPM], [test "x$enable_rmtpm" = "xyes"])
AS_IF([test "$enable_rmtpm" != "yes"], [enable_rmtpm="no"])
+AC_ARG_ENABLE(nodeprecatedalgs,
+ AS_HELP_STRING([--enable-nodeprecatedalgs], [Restrict usage of SHA-1]))
+ AM_CONDITIONAL([CONFIG_TSS_NODEPRECATEDALGS], [test "x$enable_nodeprecatedalgs" = "xyes"])
+ AS_IF([test "$enable_nodeprecatedalgs" != "yes"], [enable_nodeprecatedalgs="no"])
+
AC_CONFIG_FILES([Makefile
utils/Makefile
utils12/Makefile
@@ -131,12 +136,13 @@ AC_OUTPUT
# Give some feedback
echo "Configuration:"
-echo " CFLAGS: $CFLAGS"
-echo " tpm12: $tpm12"
-echo " tpm20: $tpm20"
-echo " hwtpm: $enable_hwtpm"
-echo " rmtpm: $enable_rmtpm"
-echo " nofile: $enable_nofile"
-echo " noprint: $enable_noprint"
-echo " nocrypto: $enable_nocrypto"
-echo " noecc: $enable_noecc"
+echo " CFLAGS: $CFLAGS"
+echo " tpm12: $tpm12"
+echo " tpm20: $tpm20"
+echo " hwtpm: $enable_hwtpm"
+echo " rmtpm: $enable_rmtpm"
+echo " nofile: $enable_nofile"
+echo " noprint: $enable_noprint"
+echo " nocrypto: $enable_nocrypto"
+echo " noecc: $enable_noecc"
+echo " nodeprecatedalgs: $enable_nodeprecatedalgs"
diff --git a/utils/Makefile.am b/utils/Makefile.am
index d3af94e..53c53d9 100755
--- a/utils/Makefile.am
+++ b/utils/Makefile.am
@@ -60,6 +60,10 @@ if CONFIG_TSS_NOECC
libibmtss_la_CFLAGS += -DTPM_TSS_NOECC
endif
+if CONFIG_TSS_NODEPRECATEDALGS
+libibmtss_la_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS
+endif
+
libibmtss_la_CCFLAGS = -Wall -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wformat=2 -Wold-style-definition -Wno-self-assign -ggdb
libibmtss_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@
@@ -78,6 +82,10 @@ if CONFIG_TSS_NOECC
libibmtssutils_la_CFLAGS += -DTPM_TSS_NOECC
endif
+if CONFIG_TSS_NODEPRECATEDALGS
+libibmtssutils_la_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS
+endif
+
#current[:revision[:age]]
#result: [current-age].age.revision
libibmtssutils_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@
@@ -115,8 +123,14 @@ bin_PROGRAMS = activatecredential eventextend imaextend certify certifycreation
verifysignature zgen2phase signapp writeapp timepacket createek createekcert tpm2pem tpmpublic2eccpoint \
ntc2getconfig ntc2preconfig ntc2lockconfig publicname tpmcmd printattr
+UTILS_CFLAGS =
+
if CONFIG_TSS_NOECC
-UTILS_CFLAGS = -DTPM_TSS_NOECC
+UTILS_CFLAGS += -DTPM_TSS_NOECC
+endif
+
+if CONFIG_TSS_NODEPRECATEDALGS
+UTILS_CFLAGS += -DTPM_TSS_NODEPRECATEDALGS
endif
activatecredential_SOURCES = activatecredential.c
diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c
index 7c4e931..9ac77a1 100644
--- a/utils/cryptoutils.c
+++ b/utils/cryptoutils.c
@@ -1834,9 +1834,11 @@ TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength,
/* map the hash algorithm to the openssl NID */
if (rc == 0) {
switch (hashAlg) {
+#ifndef TPM_TSS_NODEPRECATEDALGS
case TPM_ALG_SHA1:
nid = NID_sha1;
break;
+#endif
case TPM_ALG_SHA256:
nid = NID_sha256;
break;
@@ -1896,10 +1898,12 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message,
/* map from hash algorithm to openssl nid */
if (rc == 0) {
switch (halg) {
+#ifndef TPM_TSS_NODEPRECATEDALGS
case TPM_ALG_SHA1:
nid = NID_sha1;
md = EVP_sha1();
break;
+#endif
case TPM_ALG_SHA256:
nid = NID_sha256;
md = EVP_sha256();
diff --git a/utils/reg.sh b/utils/reg.sh
index 2d9d100..02d7d5f 100755
--- a/utils/reg.sh
+++ b/utils/reg.sh
@@ -69,12 +69,20 @@ PREFIX=./
#PREFIX="valgrind ./"
-# hash algorithms to be used for testing
-
-export ITERATE_ALGS="sha1 sha256 sha384 sha512"
-export ITERATE_ALGS_SIZES="20 32 48 64"
-export ITERATE_ALGS_COUNT=4
-export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1"
+# Hash algorithms to be used for testing. Uncomment or set shell env variable to restrict.
+# export TPM_TSS_NODEPRECATEDALGS=1
+if [ "${TPM_TSS_NODEPRECATEDALGS}" ]; then
+ export ITERATE_ALGS="sha256 sha384 sha512"
+ export ITERATE_ALGS_SIZES="32 48 64"
+ export ITERATE_ALGS_COUNT=3
+ export BAD_ITERATE_ALGS="sha384 sha512 sha256"
+else
+ export ITERATE_ALGS="sha1 sha256 sha384 sha512"
+ export ITERATE_ALGS_SIZES="20 32 48 64"
+ export ITERATE_ALGS_COUNT=4
+ export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1"
+fi
+export ITERATE_ALGS_WITH_SHA1="sha1 sha256 sha384 sha512"
printUsage ()
{
diff --git a/utils/regtests/testattest.sh b/utils/regtests/testattest.sh
index 2dacf88..4766554 100755
--- a/utils/regtests/testattest.sh
+++ b/utils/regtests/testattest.sh
@@ -381,9 +381,8 @@ echo ""
for HALG in ${ITERATE_ALGS}
do
-
echo "Start an audit session ${HALG}"
- ${PREFIX}startauthsession -se h -halg ${HALG} > run.out
+ ${PREFIX}startauthsession -se h -halg ${HALG} > run.out
checkSuccess $?
echo "PCR 16 reset"
diff --git a/utils/regtests/testevent.sh b/utils/regtests/testevent.sh
index 6336920..57a96d2 100755
--- a/utils/regtests/testevent.sh
+++ b/utils/regtests/testevent.sh
@@ -62,7 +62,7 @@ echo ""
for TYPE in "1" "2"
do
- for HALG in ${ITERATE_ALGS}
+ for HALG in ${ITERATE_ALGS_WITH_SHA1}
do
echo "Power cycle to reset IMA PCR"
diff --git a/utils/tss20.c b/utils/tss20.c
index c778069..6b1e79b 100644
--- a/utils/tss20.c
+++ b/utils/tss20.c
@@ -112,6 +112,7 @@ struct TSS_HMAC_CONTEXT {
/* functions for command pre- and post- processing */
+typedef TPM_RC (*TSS_CheckParametersFunction_t)(COMMAND_PARAMETERS *in);
typedef TPM_RC (*TSS_PreProcessFunction_t)(TSS_CONTEXT *tssContext,
COMMAND_PARAMETERS *in,
EXTRA_PARAMETERS *extra);
@@ -238,11 +239,378 @@ static TPM_RC TSS_PO_NV_ReadLock(TSS_CONTEXT *tssContext,
void *out,
void *extra);
+/*
+ Functions to check for usage of deprecated algorithms.
+*/
+
+static TPM_RC TSS_CheckSha1_PublicArea(TPMT_PUBLIC *publicArea)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (publicArea->nameAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ if (rc == 0) {
+ if (((publicArea->type == TPM_ALG_RSA) || (publicArea->type == TPM_ALG_ECC)) &&
+ (publicArea->parameters.asymDetail.scheme.scheme != TPM_ALG_NULL) &&
+ (publicArea->parameters.asymDetail.scheme.details.anySig.hashAlg == TPM_ALG_SHA1)) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CheckSha1_SigScheme(TPMT_SIG_SCHEME *sigScheme)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (sigScheme->details.any.hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_StartAuthSession(StartAuthSession_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->authHash == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Create(Create_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Load(Load_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_LoadExternal(LoadExternal_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_CreateLoaded(CreateLoaded_In *in)
+{
+ TPM_RC rc = 0;
+ uint32_t size = sizeof(in->inPublic.t.buffer);
+ uint8_t *buffer = in->inPublic.t.buffer;
+ TPMT_PUBLIC publicArea;
+
+ if (rc == 0) {
+ rc = TSS_TPMT_PUBLIC_Unmarshalu(&publicArea, &buffer, &size, TRUE);
+ }
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Import(Import_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&in->objectPublic.publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_RSA_Encrypt(RSA_Encrypt_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->inScheme.details.anySig.hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_RSA_Decrypt(RSA_Decrypt_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->inScheme.details.anySig.hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Hash(Hash_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_HMAC(HMAC_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_HMAC_Start(HMAC_Start_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_HashSequenceStart(HashSequenceStart_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Certify(Certify_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_CertifyX509(CertifyX509_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_CertifyCreation(CertifyCreation_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Quote(Quote_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_GetSessionAuditDigest(GetSessionAuditDigest_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_GetCommandAuditDigest(GetCommandAuditDigest_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_GetTime(GetTime_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_VerifySignature(VerifySignature_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->signature.signature.any.hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_Sign(Sign_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_SetCommandCodeAuditStatus(SetCommandCodeAuditStatus_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->auditAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_PolicySigned(PolicySigned_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->auth.signature.any.hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_CreatePrimary(CreatePrimary_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_PublicArea(&in->inPublic.publicArea);
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_SetPrimaryPolicy(SetPrimaryPolicy_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->hashAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_NV_DefineSpace(NV_DefineSpace_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (in->publicInfo.nvPublic.nameAlg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+
+ return rc;
+}
+
+static TPM_RC TSS_CH_NV_Certify(NV_Certify_In *in)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_CheckSha1_SigScheme(&in->inScheme);
+ }
+
+ return rc;
+}
+
typedef struct TSS_TABLE {
- TPM_CC commandCode;
- TSS_PreProcessFunction_t preProcessFunction;
- TSS_ChangeAuthFunction_t changeAuthFunction;
- TSS_PostProcessFunction_t postProcessFunction;
+ TPM_CC commandCode;
+ TSS_CheckParametersFunction_t checkParametersFunction;
+ TSS_PreProcessFunction_t preProcessFunction;
+ TSS_ChangeAuthFunction_t changeAuthFunction;
+ TSS_PostProcessFunction_t postProcessFunction;
} TSS_TABLE;
/* This table indexes from the command to pre- and post- processing functions. A missing entry is
@@ -250,116 +618,116 @@ typedef struct TSS_TABLE {
static const TSS_TABLE tssTable [] = {
- {TPM_CC_Startup, NULL, NULL, NULL},
- {TPM_CC_Shutdown, NULL, NULL, NULL},
- {TPM_CC_SelfTest, NULL, NULL, NULL},
- {TPM_CC_IncrementalSelfTest, NULL, NULL, NULL},
- {TPM_CC_GetTestResult, NULL, NULL, NULL},
- {TPM_CC_StartAuthSession, (TSS_PreProcessFunction_t)TSS_PR_StartAuthSession, NULL, (TSS_PostProcessFunction_t)TSS_PO_StartAuthSession},
- {TPM_CC_PolicyRestart, NULL, NULL, NULL},
- {TPM_CC_Create, NULL, NULL, NULL},
- {TPM_CC_Load, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_Load},
- {TPM_CC_LoadExternal, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_LoadExternal},
- {TPM_CC_ReadPublic, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ReadPublic},
- {TPM_CC_ActivateCredential, NULL, NULL, NULL},
- {TPM_CC_MakeCredential, NULL, NULL, NULL},
- {TPM_CC_Unseal, NULL, NULL, NULL},
- {TPM_CC_ObjectChangeAuth, NULL, NULL, NULL},
- {TPM_CC_CreateLoaded, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreateLoaded},
- {TPM_CC_Duplicate, NULL, NULL, NULL},
- {TPM_CC_Rewrap, NULL, NULL, NULL},
- {TPM_CC_Import, NULL, NULL, NULL},
- {TPM_CC_RSA_Encrypt, NULL, NULL, NULL},
- {TPM_CC_RSA_Decrypt, NULL, NULL, NULL},
- {TPM_CC_ECDH_KeyGen, NULL, NULL, NULL},
- {TPM_CC_ECDH_ZGen, NULL, NULL, NULL},
- {TPM_CC_ECC_Parameters, NULL, NULL, NULL},
- {TPM_CC_ZGen_2Phase, NULL, NULL, NULL},
- {TPM_CC_EncryptDecrypt, NULL, NULL, NULL},
- {TPM_CC_EncryptDecrypt2, NULL, NULL, NULL},
- {TPM_CC_Hash, NULL, NULL, NULL},
- {TPM_CC_HMAC, NULL, NULL, NULL},
- {TPM_CC_GetRandom, NULL, NULL, NULL},
- {TPM_CC_StirRandom, NULL, NULL, NULL},
- {TPM_CC_HMAC_Start, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HMAC_Start},
- {TPM_CC_HashSequenceStart, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HashSequenceStart},
- {TPM_CC_SequenceUpdate, NULL, NULL, NULL},
- {TPM_CC_SequenceComplete, NULL,NULL, (TSS_PostProcessFunction_t)TSS_PO_SequenceComplete},
- {TPM_CC_EventSequenceComplete, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EventSequenceComplete},
- {TPM_CC_Certify, NULL, NULL, NULL},
- {TPM_CC_CertifyX509, NULL, NULL, NULL},
- {TPM_CC_CertifyCreation, NULL, NULL, NULL},
- {TPM_CC_Quote, NULL, NULL, NULL},
- {TPM_CC_GetSessionAuditDigest, NULL, NULL, NULL},
- {TPM_CC_GetCommandAuditDigest, NULL, NULL, NULL},
- {TPM_CC_GetTime, NULL, NULL, NULL},
- {TPM_CC_Commit, NULL, NULL, NULL},
- {TPM_CC_EC_Ephemeral, NULL, NULL, NULL},
- {TPM_CC_VerifySignature, NULL, NULL, NULL},
- {TPM_CC_Sign, NULL, NULL, NULL},
- {TPM_CC_SetCommandCodeAuditStatus, NULL, NULL, NULL},
- {TPM_CC_PCR_Extend, NULL, NULL, NULL},
- {TPM_CC_PCR_Event, NULL, NULL, NULL},
- {TPM_CC_PCR_Read, NULL, NULL, NULL},
- {TPM_CC_PCR_Allocate, NULL, NULL, NULL},
- {TPM_CC_PCR_SetAuthPolicy, NULL, NULL, NULL},
- {TPM_CC_PCR_SetAuthValue, NULL, NULL, NULL},
- {TPM_CC_PCR_Reset, NULL, NULL, NULL},
- {TPM_CC_PolicySigned, NULL, NULL, NULL},
- {TPM_CC_PolicySecret, NULL, NULL, NULL},
- {TPM_CC_PolicyTicket, NULL, NULL, NULL},
- {TPM_CC_PolicyOR, NULL, NULL, NULL},
- {TPM_CC_PolicyPCR, NULL, NULL, NULL},
- {TPM_CC_PolicyLocality, NULL, NULL, NULL},
- {TPM_CC_PolicyNV, NULL, NULL, NULL},
- {TPM_CC_PolicyAuthorizeNV, NULL, NULL, NULL},
- {TPM_CC_PolicyCounterTimer, NULL, NULL, NULL},
- {TPM_CC_PolicyCommandCode, NULL, NULL, NULL},
- {TPM_CC_PolicyPhysicalPresence, NULL, NULL, NULL},
- {TPM_CC_PolicyCpHash, NULL, NULL, NULL},
- {TPM_CC_PolicyNameHash, NULL, NULL, NULL},
- {TPM_CC_PolicyDuplicationSelect, NULL, NULL, NULL},
- {TPM_CC_PolicyAuthorize, NULL, NULL, NULL},
- {TPM_CC_PolicyAuthValue, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyAuthValue},
- {TPM_CC_PolicyPassword, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyPassword},
- {TPM_CC_PolicyGetDigest, NULL, NULL, NULL},
- {TPM_CC_PolicyNvWritten, NULL, NULL, NULL},
- {TPM_CC_PolicyTemplate, NULL, NULL, NULL},
- {TPM_CC_CreatePrimary, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreatePrimary},
- {TPM_CC_HierarchyControl, NULL, NULL, NULL},
- {TPM_CC_SetPrimaryPolicy, NULL, NULL, NULL},
- {TPM_CC_ChangePPS, NULL, NULL, NULL},
- {TPM_CC_ChangeEPS, NULL, NULL, NULL},
- {TPM_CC_Clear, NULL, NULL, NULL},
- {TPM_CC_ClearControl, NULL, NULL, NULL},
- {TPM_CC_HierarchyChangeAuth, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_HierarchyChangeAuth, NULL},
- {TPM_CC_DictionaryAttackLockReset, NULL, NULL, NULL},
- {TPM_CC_DictionaryAttackParameters, NULL, NULL, NULL},
- {TPM_CC_PP_Commands, NULL, NULL, NULL},
- {TPM_CC_SetAlgorithmSet, NULL, NULL, NULL},
- {TPM_CC_ContextSave, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextSave},
- {TPM_CC_ContextLoad, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextLoad},
- {TPM_CC_FlushContext, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_FlushContext},
- {TPM_CC_EvictControl, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EvictControl},
- {TPM_CC_ReadClock, NULL, NULL, NULL},
- {TPM_CC_ClockSet, NULL, NULL, NULL},
- {TPM_CC_ClockRateAdjust, NULL, NULL, NULL},
- {TPM_CC_GetCapability, NULL, NULL, NULL},
- {TPM_CC_TestParms, NULL, NULL, NULL},
- {TPM_CC_NV_DefineSpace, (TSS_PreProcessFunction_t)TSS_PR_NV_DefineSpace, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_DefineSpace},
- {TPM_CC_NV_UndefineSpace, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpace},
- {TPM_CC_NV_UndefineSpaceSpecial, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_UndefineSpaceSpecial, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpaceSpecial},
- {TPM_CC_NV_ReadPublic, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadPublic},
- {TPM_CC_NV_Write, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
- {TPM_CC_NV_Increment, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
- {TPM_CC_NV_Extend, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
- {TPM_CC_NV_SetBits, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
- {TPM_CC_NV_WriteLock, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_WriteLock},
- {TPM_CC_NV_GlobalWriteLock, NULL, NULL, NULL},
- {TPM_CC_NV_Read, NULL, NULL, NULL},
- {TPM_CC_NV_ReadLock, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadLock},
- {TPM_CC_NV_ChangeAuth, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_ChangeAuth, NULL},
- {TPM_CC_NV_Certify, NULL, NULL, NULL}
+ {TPM_CC_Startup, NULL, NULL, NULL, NULL},
+ {TPM_CC_Shutdown, NULL, NULL, NULL, NULL},
+ {TPM_CC_SelfTest, NULL, NULL, NULL, NULL},
+ {TPM_CC_IncrementalSelfTest, NULL, NULL, NULL, NULL},
+ {TPM_CC_GetTestResult, NULL, NULL, NULL, NULL},
+ {TPM_CC_StartAuthSession, (TSS_CheckParametersFunction_t)TSS_CH_StartAuthSession, (TSS_PreProcessFunction_t)TSS_PR_StartAuthSession, NULL, (TSS_PostProcessFunction_t)TSS_PO_StartAuthSession},
+ {TPM_CC_PolicyRestart, NULL, NULL, NULL, NULL},
+ {TPM_CC_Create, (TSS_CheckParametersFunction_t)TSS_CH_Create, NULL, NULL, NULL},
+ {TPM_CC_Load, (TSS_CheckParametersFunction_t)TSS_CH_Load, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_Load},
+ {TPM_CC_LoadExternal, (TSS_CheckParametersFunction_t)TSS_CH_LoadExternal, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_LoadExternal},
+ {TPM_CC_ReadPublic, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ReadPublic},
+ {TPM_CC_ActivateCredential, NULL, NULL, NULL, NULL},
+ {TPM_CC_MakeCredential, NULL, NULL, NULL, NULL},
+ {TPM_CC_Unseal, NULL, NULL, NULL, NULL},
+ {TPM_CC_ObjectChangeAuth, NULL, NULL, NULL, NULL},
+ {TPM_CC_CreateLoaded, (TSS_CheckParametersFunction_t)TSS_CH_CreateLoaded, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreateLoaded},
+ {TPM_CC_Duplicate, NULL, NULL, NULL, NULL},
+ {TPM_CC_Rewrap, NULL, NULL, NULL, NULL},
+ {TPM_CC_Import, (TSS_CheckParametersFunction_t)TSS_CH_Import, NULL, NULL, NULL},
+ {TPM_CC_RSA_Encrypt, (TSS_CheckParametersFunction_t)TSS_CH_RSA_Encrypt, NULL, NULL, NULL},
+ {TPM_CC_RSA_Decrypt, (TSS_CheckParametersFunction_t)TSS_CH_RSA_Decrypt, NULL, NULL, NULL},
+ {TPM_CC_ECDH_KeyGen, NULL, NULL, NULL, NULL},
+ {TPM_CC_ECDH_ZGen, NULL, NULL, NULL, NULL},
+ {TPM_CC_ECC_Parameters, NULL, NULL, NULL, NULL},
+ {TPM_CC_ZGen_2Phase, NULL, NULL, NULL, NULL},
+ {TPM_CC_EncryptDecrypt, NULL, NULL, NULL, NULL},
+ {TPM_CC_EncryptDecrypt2, NULL, NULL, NULL, NULL},
+ {TPM_CC_Hash, (TSS_CheckParametersFunction_t)TSS_CH_Hash, NULL, NULL, NULL},
+ {TPM_CC_HMAC, (TSS_CheckParametersFunction_t)TSS_CH_HMAC, NULL, NULL, NULL},
+ {TPM_CC_GetRandom, NULL, NULL, NULL, NULL},
+ {TPM_CC_StirRandom, NULL, NULL, NULL, NULL},
+ {TPM_CC_HMAC_Start, (TSS_CheckParametersFunction_t)TSS_CH_HMAC_Start, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HMAC_Start},
+ {TPM_CC_HashSequenceStart, (TSS_CheckParametersFunction_t)TSS_CH_HashSequenceStart, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HashSequenceStart},
+ {TPM_CC_SequenceUpdate, NULL, NULL, NULL, NULL},
+ {TPM_CC_SequenceComplete, NULL, NULL,NULL, (TSS_PostProcessFunction_t)TSS_PO_SequenceComplete},
+ {TPM_CC_EventSequenceComplete, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EventSequenceComplete},
+ {TPM_CC_Certify, (TSS_CheckParametersFunction_t)TSS_CH_Certify, NULL, NULL, NULL},
+ {TPM_CC_CertifyX509, (TSS_CheckParametersFunction_t)TSS_CH_CertifyX509, NULL, NULL, NULL},
+ {TPM_CC_CertifyCreation, (TSS_CheckParametersFunction_t)TSS_CH_CertifyCreation, NULL, NULL, NULL},
+ {TPM_CC_Quote, (TSS_CheckParametersFunction_t)TSS_CH_Quote, NULL, NULL, NULL},
+ {TPM_CC_GetSessionAuditDigest, (TSS_CheckParametersFunction_t)TSS_CH_GetSessionAuditDigest, NULL, NULL, NULL},
+ {TPM_CC_GetCommandAuditDigest, (TSS_CheckParametersFunction_t)TSS_CH_GetCommandAuditDigest, NULL, NULL, NULL},
+ {TPM_CC_GetTime, (TSS_CheckParametersFunction_t)TSS_CH_GetTime, NULL, NULL, NULL},
+ {TPM_CC_Commit, NULL, NULL, NULL, NULL},
+ {TPM_CC_EC_Ephemeral, NULL, NULL, NULL, NULL},
+ {TPM_CC_VerifySignature, (TSS_CheckParametersFunction_t)TSS_CH_VerifySignature, NULL, NULL, NULL},
+ {TPM_CC_Sign, (TSS_CheckParametersFunction_t)TSS_CH_Sign, NULL, NULL, NULL},
+ {TPM_CC_SetCommandCodeAuditStatus, (TSS_CheckParametersFunction_t)TSS_CH_SetCommandCodeAuditStatus, NULL, NULL, NULL},
+ {TPM_CC_PCR_Extend, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_Event, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_Read, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_Allocate, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_SetAuthPolicy, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_SetAuthValue, NULL, NULL, NULL, NULL},
+ {TPM_CC_PCR_Reset, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicySigned, (TSS_CheckParametersFunction_t)TSS_CH_PolicySigned, NULL, NULL, NULL},
+ {TPM_CC_PolicySecret, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyTicket, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyOR, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyPCR, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyLocality, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyNV, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyAuthorizeNV, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyCounterTimer, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyCommandCode, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyPhysicalPresence, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyCpHash, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyNameHash, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyDuplicationSelect, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyAuthorize, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyAuthValue, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyAuthValue},
+ {TPM_CC_PolicyPassword, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyPassword},
+ {TPM_CC_PolicyGetDigest, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyNvWritten, NULL, NULL, NULL, NULL},
+ {TPM_CC_PolicyTemplate, NULL, NULL, NULL, NULL},
+ {TPM_CC_CreatePrimary, (TSS_CheckParametersFunction_t)TSS_CH_CreatePrimary, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreatePrimary},
+ {TPM_CC_HierarchyControl, NULL, NULL, NULL, NULL},
+ {TPM_CC_SetPrimaryPolicy, (TSS_CheckParametersFunction_t)TSS_CH_SetPrimaryPolicy, NULL, NULL, NULL},
+ {TPM_CC_ChangePPS, NULL, NULL, NULL, NULL},
+ {TPM_CC_ChangeEPS, NULL, NULL, NULL, NULL},
+ {TPM_CC_Clear, NULL, NULL, NULL, NULL},
+ {TPM_CC_ClearControl, NULL, NULL, NULL, NULL},
+ {TPM_CC_HierarchyChangeAuth, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_HierarchyChangeAuth, NULL},
+ {TPM_CC_DictionaryAttackLockReset, NULL, NULL, NULL, NULL},
+ {TPM_CC_DictionaryAttackParameters, NULL, NULL, NULL, NULL},
+ {TPM_CC_PP_Commands, NULL, NULL, NULL, NULL},
+ {TPM_CC_SetAlgorithmSet, NULL, NULL, NULL, NULL},
+ {TPM_CC_ContextSave, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextSave},
+ {TPM_CC_ContextLoad, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextLoad},
+ {TPM_CC_FlushContext, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_FlushContext},
+ {TPM_CC_EvictControl, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EvictControl},
+ {TPM_CC_ReadClock, NULL, NULL, NULL, NULL},
+ {TPM_CC_ClockSet, NULL, NULL, NULL, NULL},
+ {TPM_CC_ClockRateAdjust, NULL, NULL, NULL, NULL},
+ {TPM_CC_GetCapability, NULL, NULL, NULL, NULL},
+ {TPM_CC_TestParms, NULL, NULL, NULL, NULL},
+ {TPM_CC_NV_DefineSpace, (TSS_CheckParametersFunction_t)TSS_CH_NV_DefineSpace, (TSS_PreProcessFunction_t)TSS_PR_NV_DefineSpace, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_DefineSpace},
+ {TPM_CC_NV_UndefineSpace, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpace},
+ {TPM_CC_NV_UndefineSpaceSpecial, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_UndefineSpaceSpecial, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpaceSpecial},
+ {TPM_CC_NV_ReadPublic, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadPublic},
+ {TPM_CC_NV_Write, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_Increment, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_Extend, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_SetBits, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_WriteLock, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_WriteLock},
+ {TPM_CC_NV_GlobalWriteLock, NULL, NULL, NULL, NULL},
+ {TPM_CC_NV_Read, NULL, NULL, NULL, NULL},
+ {TPM_CC_NV_ReadLock, NULL, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadLock},
+ {TPM_CC_NV_ChangeAuth, NULL, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_ChangeAuth, NULL},
+ {TPM_CC_NV_Certify, (TSS_CheckParametersFunction_t)TSS_CH_NV_Certify, NULL, NULL, NULL}
};
#ifndef TPM_TSS_NO_PRINT
@@ -646,6 +1014,10 @@ static TPM_RC TSS_Command_ChangeAuthProcessor(TSS_CONTEXT *tssContext,
COMMAND_PARAMETERS *in);
#endif /* TPM_TSS_NOCRYPTO */
+#ifdef TPM_TSS_NODEPRECATEDALGS
+static TPM_RC TSS_Command_CheckParameters(TPM_CC commandCode,
+ COMMAND_PARAMETERS *in);
+#endif
static TPM_RC TSS_Command_PreProcessor(TSS_CONTEXT *tssContext,
TPM_CC commandCode,
COMMAND_PARAMETERS *in,
@@ -688,6 +1060,12 @@ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext,
{
TPM_RC rc = 0;
+#ifdef TPM_TSS_NODEPRECATEDALGS
+ if (rc == 0) {
+ rc = TSS_Command_CheckParameters(commandCode, in);
+ }
+#endif
+
/* create a TSS authorization context */
if (rc == 0) {
TSS_InitAuthContext(tssContext->tssAuthContext);
@@ -3751,6 +4129,38 @@ static TPM_RC TSS_CA_NV_UndefineSpaceSpecial(TSS_CONTEXT *tssContext,
return rc;
}
+#ifdef TPM_TSS_NODEPRECATEDALGS
+static TPM_RC TSS_Command_CheckParameters(TPM_CC commandCode,
+ COMMAND_PARAMETERS *in)
+{
+ TPM_RC rc = 0;
+ size_t index;
+ int found;
+ TSS_CheckParametersFunction_t checkParametersFunction = NULL;
+
+ /* search the table for a check parameters function */
+ if (rc == 0) {
+ found = FALSE;
+ for (index = 0 ; (index < (sizeof(tssTable) / sizeof(TSS_TABLE))) && !found ; index++) {
+ if (tssTable[index].commandCode == commandCode) {
+ found = TRUE;
+ break; /* don't increment index if found */
+ }
+ }
+ }
+ /* found false means there is no check parameters function. This permits the table to be smaller
+ if desired. */
+ if ((rc == 0) && found) {
+ checkParametersFunction = tssTable[index].checkParametersFunction;
+ /* call the check parameters function if there is one */
+ if (checkParametersFunction != NULL) {
+ rc = checkParametersFunction(in);
+ }
+ }
+ return rc;
+}
+#endif
+
/*
Command Pre-Processor
*/
diff --git a/utils/tsscryptoh.c b/utils/tsscryptoh.c
index 197549d..52f4616 100644
--- a/utils/tsscryptoh.c
+++ b/utils/tsscryptoh.c
@@ -454,7 +454,14 @@ TPM_RC TSS_RSA_padding_add_PKCS1_OAEP(unsigned char *em, uint32_t emLen,
unsigned char *maskedSeed;
uint16_t hlen = TSS_GetDigestSize(halg);
- em[0] = 0x00; /* firsr byte is 0x00 per the standard */
+ em[0] = 0x00; /* first byte is 0x00 per the standard */
+#ifdef TPM_TSS_NODEPRECATEDALGS
+ if (rc == 0) {
+ if (halg == TPM_ALG_SHA1) {
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+#endif
/* 1.a. If the length of L is greater than the input limitation for */
/* the hash function (2^61-1 octets for SHA-1) then output "parameter */
/* string too long" and stop. */
--
2.34.3