137 lines
4.6 KiB
Diff
137 lines
4.6 KiB
Diff
From 506ae7f508cdcaca1cad7433725e8f4c115f843b Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
|
|
<shoracek@redhat.com>
|
|
Date: Fri, 25 Feb 2022 15:28:28 +0100
|
|
Subject: [PATCH 4/4] Restrict SHA-1 in TSS
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
|
|
---
|
|
utils/cryptoutils.c | 4 ---
|
|
utils/tss20.c | 81 ++++++++++++++++++++++++++++++++++++++++++++-
|
|
2 files changed, 80 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c
|
|
index 7b5de79..98396a7 100644
|
|
--- a/utils/cryptoutils.c
|
|
+++ b/utils/cryptoutils.c
|
|
@@ -2136,10 +2136,6 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message,
|
|
/* map from hash algorithm to openssl nid */
|
|
if (rc == 0) {
|
|
switch (halg) {
|
|
- case TPM_ALG_SHA1:
|
|
- nid = NID_sha1;
|
|
- md = EVP_sha1();
|
|
- break;
|
|
case TPM_ALG_SHA256:
|
|
nid = NID_sha256;
|
|
md = EVP_sha256();
|
|
diff --git a/utils/tss20.c b/utils/tss20.c
|
|
index c778069..bd05cf3 100644
|
|
--- a/utils/tss20.c
|
|
+++ b/utils/tss20.c
|
|
@@ -678,6 +678,76 @@ extern int tssVerbose;
|
|
extern int tssVverbose;
|
|
extern int tssFirstCall;
|
|
|
|
+int TSS_CheckSha1_PublicArea(TPMT_PUBLIC *publicArea)
|
|
+{
|
|
+ return publicArea->nameAlg == TPM_ALG_SHA1 ||
|
|
+ ((publicArea->type == TPM_ALG_RSA || publicArea->type == TPM_ALG_ECC) &&
|
|
+ publicArea->parameters.asymDetail.scheme.scheme != TPM_ALG_NULL &&
|
|
+ publicArea->parameters.asymDetail.scheme.details.anySig.hashAlg == TPM_ALG_SHA1);
|
|
+}
|
|
+
|
|
+int TSS_CheckSha1_SigScheme(TPMT_SIG_SCHEME *sigScheme)
|
|
+{
|
|
+ return sigScheme->details.any.hashAlg == TPM_ALG_SHA1;
|
|
+}
|
|
+
|
|
+int TSS_CheckSha1(COMMAND_PARAMETERS *in,
|
|
+ TPM_CC commandCode)
|
|
+{
|
|
+ switch (commandCode)
|
|
+ {
|
|
+ case TPM_CC_Certify:
|
|
+ return TSS_CheckSha1_SigScheme(&in->Certify.inScheme);
|
|
+ case TPM_CC_CertifyCreation:
|
|
+ return TSS_CheckSha1_SigScheme(&in->CertifyCreation.inScheme);
|
|
+ case TPM_CC_Create:
|
|
+ return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea);
|
|
+ case TPM_CC_CreateLoaded:
|
|
+ return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea);
|
|
+ case TPM_CC_CreatePrimary:
|
|
+ return TSS_CheckSha1_PublicArea(&in->CreatePrimary.inPublic.publicArea);
|
|
+ case TPM_CC_GetCommandAuditDigest:
|
|
+ return TSS_CheckSha1_SigScheme(&in->GetCommandAuditDigest.inScheme);
|
|
+ case TPM_CC_GetSessionAuditDigest:
|
|
+ return TSS_CheckSha1_SigScheme(&in->GetSessionAuditDigest.inScheme);
|
|
+ case TPM_CC_GetTime:
|
|
+ return TSS_CheckSha1_SigScheme(&in->GetTime.inScheme);
|
|
+ case TPM_CC_Hash:
|
|
+ return in->Hash.hashAlg == TPM_ALG_SHA1;
|
|
+ case TPM_CC_HashSequenceStart:
|
|
+ return in->HashSequenceStart.hashAlg == TPM_ALG_SHA1;
|
|
+ case TPM_CC_HMAC:
|
|
+ return in->HMAC.hashAlg == TPM_ALG_SHA1;
|
|
+ case TPM_CC_HMAC_Start:
|
|
+ return in->HMAC_Start.hashAlg == TPM_ALG_SHA1;
|
|
+ case TPM_CC_Import:
|
|
+ return TSS_CheckSha1_PublicArea(&in->Import.objectPublic.publicArea);
|
|
+ case TPM_CC_LoadExternal:
|
|
+ return TSS_CheckSha1_PublicArea(&in->LoadExternal.inPublic.publicArea);
|
|
+ case TPM_CC_NV_Certify:
|
|
+ return TSS_CheckSha1_SigScheme(&in->NV_Certify.inScheme);
|
|
+ case TPM_CC_NV_DefineSpace:
|
|
+ return in->NV_DefineSpace.publicInfo.nvPublic.nameAlg == TPM_ALG_SHA1;
|
|
+ case TPM_CC_PolicySigned:
|
|
+ return in->PolicySigned.auth.signature.any.hashAlg == TPM_ALG_SHA1;
|
|
+ case TPM_CC_Quote:
|
|
+ return TSS_CheckSha1_SigScheme(&in->Quote.inScheme);
|
|
+ case TPM_CC_RSA_Decrypt:
|
|
+ return TSS_CheckSha1_SigScheme(&in->RSA_Decrypt.inScheme);
|
|
+ case TPM_CC_SetCommandCodeAuditStatus:
|
|
+ return in->SetCommandCodeAuditStatus.auditAlg == TPM_ALG_SHA1;
|
|
+ case TPM_CC_SetPrimaryPolicy:
|
|
+ return in->SetPrimaryPolicy.hashAlg == TPM_ALG_SHA1;
|
|
+ case TPM_CC_Sign:
|
|
+ return TSS_CheckSha1_SigScheme(&in->Sign.inScheme);
|
|
+ case TPM_CC_StartAuthSession:
|
|
+ return in->StartAuthSession.authHash == TPM_ALG_SHA1;
|
|
+ case TPM_CC_VerifySignature:
|
|
+ return in->VerifySignature.signature.signature.any.hashAlg == TPM_ALG_SHA1;
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
|
|
TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext,
|
|
RESPONSE_PARAMETERS *out,
|
|
@@ -687,11 +757,20 @@ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext,
|
|
va_list ap)
|
|
{
|
|
TPM_RC rc = 0;
|
|
-
|
|
+
|
|
+#ifdef RESTRICTED_HASH_ALG
|
|
+ if (rc == 0) {
|
|
+ if (TSS_CheckSha1(in, commandCode)) {
|
|
+ rc = TPM_RC_HASH;
|
|
+ }
|
|
+ }
|
|
+#endif /* RESTRICTED_HASH_ALG */
|
|
+
|
|
/* create a TSS authorization context */
|
|
if (rc == 0) {
|
|
TSS_InitAuthContext(tssContext->tssAuthContext);
|
|
}
|
|
+
|
|
/* handle any command specific command pre-processing */
|
|
if (rc == 0) {
|
|
rc = TSS_Command_PreProcessor(tssContext,
|
|
--
|
|
2.34.1
|
|
|