tss2/SOURCES/0003-Restrict-the-usage-of-SHA-1-in-code-examples.patch
2022-05-17 10:33:30 +00:00

1330 lines
50 KiB
Diff

From 8004d7ddc5e1bd7809f6a385908ceff216061187 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?=
<shoracek@redhat.com>
Date: Thu, 17 Feb 2022 19:02:10 +0100
Subject: [PATCH 3/4] Restrict the usage of SHA-1 in code examples
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Due to SHA-1 not being considered secure, it should be not used for
cryptographical purposes. This commit disables the usage of SHA-1 in
cases where it is used in potentially exploitable situations, most
notably for creating signatures.
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
---
configure.ac | 4 ++++
utils/certify.c | 7 ++-----
utils/certifycreation.c | 7 ++-----
utils/create.c | 10 ++--------
utils/createloaded.c | 10 ++--------
utils/createprimary.c | 10 ++--------
utils/cryptoutils.c | 3 ---
utils/getcommandauditdigest.c | 7 ++-----
utils/getsessionauditdigest.c | 7 ++-----
utils/gettime.c | 7 ++-----
utils/hash.c | 7 ++-----
utils/hashsequencestart.c | 7 ++-----
utils/hmac.c | 7 ++-----
utils/hmacstart.c | 7 ++-----
utils/importpem.c | 14 ++++----------
utils/loadexternal.c | 14 ++++----------
utils/man/man1/tsscertify.1 | 2 +-
utils/man/man1/tsscertifycreation.1 | 2 +-
utils/man/man1/tsscreate.1 | 4 ++--
utils/man/man1/tsscreateloaded.1 | 4 ++--
utils/man/man1/tsscreateprimary.1 | 4 ++--
utils/man/man1/tssgetcommandauditdigest.1 | 2 +-
utils/man/man1/tssgetsessionauditdigest.1 | 2 +-
utils/man/man1/tssgettime.1 | 2 +-
utils/man/man1/tsshash.1 | 2 +-
utils/man/man1/tsshashsequencestart.1 | 2 +-
utils/man/man1/tsshmac.1 | 2 +-
utils/man/man1/tsshmacstart.1 | 2 +-
utils/man/man1/tssimportpem.1 | 4 ++--
utils/man/man1/tssloadexternal.1 | 4 ++--
utils/man/man1/tssnvcertify.1 | 2 +-
utils/man/man1/tssnvdefinespace.1 | 2 +-
utils/man/man1/tssnvreadpublic.1 | 2 +-
utils/man/man1/tsspolicymaker.1 | 2 +-
utils/man/man1/tsspolicysigned.1 | 2 +-
utils/man/man1/tsspublicname.1 | 4 ++--
utils/man/man1/tssquote.1 | 2 +-
utils/man/man1/tssrsadecrypt.1 | 2 +-
utils/man/man1/tsssetcommandcodeauditstatus.1 | 2 +-
utils/man/man1/tsssetprimarypolicy.1 | 2 +-
utils/man/man1/tsssign.1 | 2 +-
utils/man/man1/tssstartauthsession.1 | 2 +-
utils/man/man1/tssverifysignature.1 | 2 +-
utils/nvcertify.c | 7 ++-----
utils/nvdefinespace.c | 8 ++------
utils/nvreadpublic.c | 7 ++-----
utils/objecttemplates.c | 4 ++--
utils/policymaker.c | 7 ++-----
utils/policysigned.c | 7 ++-----
utils/publicname.c | 14 ++++----------
utils/quote.c | 7 ++-----
utils/reg.sh | 17 +++++++++++++----
utils/regtests/testattest.sh | 15 ++++++++++-----
utils/regtests/testevent.sh | 2 +-
utils/rsadecrypt.c | 12 ++----------
utils/setcommandcodeauditstatus.c | 7 ++-----
utils/setprimarypolicy.c | 5 +----
utils/sign.c | 7 ++-----
utils/startauthsession.c | 7 ++-----
utils/verifysignature.c | 7 ++-----
60 files changed, 122 insertions(+), 212 deletions(-)
diff --git a/configure.ac b/configure.ac
index ad870b1..4e4052e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -123,6 +123,10 @@ AC_ARG_ENABLE(rmtpm,
AM_CONDITIONAL([CONFIG_RMTPM], [test "x$enable_rmtpm" = "xyes"])
AS_IF([test "$enable_rmtpm" != "yes"], [enable_rmtpm="no"])
+AC_ARG_ENABLE(restricted-hash-alg,
+ AS_HELP_STRING([--enable-restricted-hash-alg], [Restrict usage of SHA-1]))
+ AS_IF([test "$enable_restricted_hash_alg" = "yes"], [CFLAGS="-DRESTRICTED_HASH_ALG $CFLAGS"])
+
AC_CONFIG_FILES([Makefile
utils/Makefile
utils12/Makefile
diff --git a/utils/certify.c b/utils/certify.c
index f1f54d0..f3cfc84 100644
--- a/utils/certify.c
+++ b/utils/certify.c
@@ -128,10 +128,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -397,7 +394,7 @@ static void printUsage(void)
printf("\t[-pwdo\tpassword for object (default empty)]\n");
printf("\t-hk\tcertifying key handle\n");
printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384 sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384 sha512) (default sha256)]\n");
printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
printf("\t[-qd\tqualifying data file name]\n");
printf("\t[-os\tsignature file name (default do not save)]\n");
diff --git a/utils/certifycreation.c b/utils/certifycreation.c
index ab54c0a..20377d2 100644
--- a/utils/certifycreation.c
+++ b/utils/certifycreation.c
@@ -121,10 +121,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -437,7 +434,7 @@ static void printUsage(void)
printf("\t-ho\tobject handle\n");
printf("\t-hk\tcertifying key handle\n");
printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384) (default sha256)]\n");
printf("\t[-salg\tsignature algorithm (rsa, ecc) (default rsa)]\n");
printf("\t[-qd\tqualifying data file name]\n");
printf("\t-tk\tinput ticket file name\n");
diff --git a/utils/create.c b/utils/create.c
index a8b805c..93c5d43 100644
--- a/utils/create.c
+++ b/utils/create.c
@@ -239,10 +239,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -264,10 +261,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-nalg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
nalg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
diff --git a/utils/createloaded.c b/utils/createloaded.c
index d54f791..a21bbda 100644
--- a/utils/createloaded.c
+++ b/utils/createloaded.c
@@ -235,10 +235,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -257,10 +254,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-nalg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
nalg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
diff --git a/utils/createprimary.c b/utils/createprimary.c
index 52ae083..d6374dd 100644
--- a/utils/createprimary.c
+++ b/utils/createprimary.c
@@ -246,10 +246,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -271,10 +268,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-nalg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
nalg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c
index 57eade7..7b5de79 100644
--- a/utils/cryptoutils.c
+++ b/utils/cryptoutils.c
@@ -2025,9 +2025,6 @@ TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength,
/* map the hash algorithm to the openssl NID */
if (rc == 0) {
switch (hashAlg) {
- case TPM_ALG_SHA1:
- nid = NID_sha1;
- break;
case TPM_ALG_SHA256:
nid = NID_sha256;
break;
diff --git a/utils/getcommandauditdigest.c b/utils/getcommandauditdigest.c
index a219785..cc67a17 100644
--- a/utils/getcommandauditdigest.c
+++ b/utils/getcommandauditdigest.c
@@ -117,10 +117,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -381,7 +378,7 @@ static void printUsage(void)
printf("\t[-pwde\tendorsement hierarchy password (default empty)]\n");
printf("\t-hk\tsigning key handle\n");
printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
printf("\t[-qd\tqualifying data file name]\n");
printf("\t[-os\tsignature file name (default do not save)]\n");
diff --git a/utils/getsessionauditdigest.c b/utils/getsessionauditdigest.c
index 61b12e6..e0706a1 100644
--- a/utils/getsessionauditdigest.c
+++ b/utils/getsessionauditdigest.c
@@ -128,10 +128,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -377,7 +374,7 @@ static void printUsage(void)
printf("\t[-hk\tsigning key handle]\n");
printf("\t[-pwdk\tpassword for key (default empty)]\n");
printf("\t-hs\taudit session handle\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
printf("\t[-qd\tqualifying data file name]\n");
printf("\t[-os\tsignature file name (default do not save)]\n");
printf("\t[-oa\tattestation output file name (default do not save)]\n");
diff --git a/utils/gettime.c b/utils/gettime.c
index b07baf1..2e4b819 100644
--- a/utils/gettime.c
+++ b/utils/gettime.c
@@ -118,10 +118,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -381,7 +378,7 @@ static void printUsage(void)
printf("\t-hk\tsigning key handle\n");
printf("\t[-pwdk\tpassword for signing key (default empty)]\n");
printf("\t[-pwde\tpassword for endorsement hierarchy (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
printf("\t[-qd\tqualifying data file name]\n");
printf("\t[-os\tsignature file name (default do not save)]\n");
diff --git a/utils/hash.c b/utils/hash.c
index 71b8a7c..e21ff8c 100644
--- a/utils/hash.c
+++ b/utils/hash.c
@@ -93,10 +93,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -300,7 +297,7 @@ static void printUsage(void)
printf("\n");
printf("\t[-hi\thierarchy (e, o, p, n) (default null)]\n");
printf("\t\te endorsement, o owner, p platform, n null\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
printf("\t-if\tinput file to be hashed\n");
printf("\t-ic\tdata string to be hashed\n");
printf("\t[-ns\tno space, no text, no newlines]\n");
diff --git a/utils/hashsequencestart.c b/utils/hashsequencestart.c
index d54fadd..8b1e6fc 100644
--- a/utils/hashsequencestart.c
+++ b/utils/hashsequencestart.c
@@ -87,10 +87,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- hashAlg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
hashAlg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -243,7 +240,7 @@ static void printUsage(void)
printf("Runs TPM2_HashSequenceStart\n");
printf("\n");
printf("\t[-pwda\tpassword for sequence (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512, null) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512, null) (default sha256)]\n");
printf("\t\tnull is an event sequence\n");
printf("\n");
printf("\t-se[0-2] session handle / attributes (default NULL)\n");
diff --git a/utils/hmac.c b/utils/hmac.c
index be63e1b..7ea325d 100644
--- a/utils/hmac.c
+++ b/utils/hmac.c
@@ -105,10 +105,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -343,7 +340,7 @@ static void printUsage(void)
printf("\n");
printf("\t-hk\tkey handle\n");
printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
printf("\t-if\tinput file to be HMACed\n");
printf("\t-ic\tdata string to be HMACed\n");
printf("\t[-os\thmac file name (default do not save)]\n");
diff --git a/utils/hmacstart.c b/utils/hmacstart.c
index 3fdd0f9..4463376 100644
--- a/utils/hmacstart.c
+++ b/utils/hmacstart.c
@@ -109,10 +109,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -270,7 +267,7 @@ static void printUsage(void)
printf("\t-hk\tkey handle\n");
printf("\t-pwdk\tpassword for key (default empty)\n");
printf("\t-pwda\tpassword for sequence (default empty)\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
printf("\n");
printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
printf("\t01\tcontinue\n");
diff --git a/utils/importpem.c b/utils/importpem.c
index 38ad125..cbf3794 100644
--- a/utils/importpem.c
+++ b/utils/importpem.c
@@ -215,10 +215,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -240,10 +237,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-nalg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
nalg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -478,8 +472,8 @@ static void printUsage(void)
printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
printf("\t-opu\tpublic area file name\n");
printf("\t-opr\tprivate area file name\n");
- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
printf("\t[-pol\tpolicy file (default empty)]\n");
printf("\n");
printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
diff --git a/utils/loadexternal.c b/utils/loadexternal.c
index 877501c..fc8cd1a 100644
--- a/utils/loadexternal.c
+++ b/utils/loadexternal.c
@@ -127,10 +127,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -152,10 +149,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-nalg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
nalg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -511,8 +505,8 @@ static void printUsage(void)
printf("Runs TPM2_LoadExternal\n");
printf("\n");
printf("\t[-hi\thierarchy (e, o, p, n) (default NULL)]\n");
- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
printf("\n");
printf("\t[Asymmetric Key Algorithm]\n");
printf("\n");
diff --git a/utils/man/man1/tsscertify.1 b/utils/man/man1/tsscertify.1
index 6895ee7..b837209 100644
--- a/utils/man/man1/tsscertify.1
+++ b/utils/man/man1/tsscertify.1
@@ -20,7 +20,7 @@ certifying key handle
password for key (default empty)]
.TP
[\-halg
-(sha1, sha256, sha384 sha512) (default sha256)]
+(sha256, sha384 sha512) (default sha256)]
.TP
[\-salg
signature algorithm (rsa, ecc, hmac) (default rsa)]
diff --git a/utils/man/man1/tsscertifycreation.1 b/utils/man/man1/tsscertifycreation.1
index 4382ed9..7c77a1e 100644
--- a/utils/man/man1/tsscertifycreation.1
+++ b/utils/man/man1/tsscertifycreation.1
@@ -17,7 +17,7 @@ certifying key handle
password for key (default empty)]
.TP
[\-halg
-(sha1, sha256, sha384) (default sha256)]
+(sha256, sha384) (default sha256)]
.TP
[\-salg
signature algorithm (rsa, ecc) (default rsa)]
diff --git a/utils/man/man1/tsscreate.1 b/utils/man/man1/tsscreate.1
index b4eda75..f2f6fc4 100644
--- a/utils/man/man1/tsscreate.1
+++ b/utils/man/man1/tsscreate.1
@@ -89,10 +89,10 @@ userWithAuth attribute clear (default set)]
data (inSensitive) file name]
.TP
[\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
.TP
[\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
.TP
[\-pwdk
password for key (default empty)]
diff --git a/utils/man/man1/tsscreateloaded.1 b/utils/man/man1/tsscreateloaded.1
index ccd3d73..ebcf721 100644
--- a/utils/man/man1/tsscreateloaded.1
+++ b/utils/man/man1/tsscreateloaded.1
@@ -93,10 +93,10 @@ userWithAuth attribute clear (default set)]
data (inSensitive) file name]
.TP
[\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
.TP
[\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
.TP
[\-der
object's parent is a derivation parent]
diff --git a/utils/man/man1/tsscreateprimary.1 b/utils/man/man1/tsscreateprimary.1
index 895a42e..55a9d85 100644
--- a/utils/man/man1/tsscreateprimary.1
+++ b/utils/man/man1/tsscreateprimary.1
@@ -114,10 +114,10 @@ userWithAuth attribute clear (default set)]
data (inSensitive) file name]
.TP
[\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
.TP
[\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
.HP
\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
.TP
diff --git a/utils/man/man1/tssgetcommandauditdigest.1 b/utils/man/man1/tssgetcommandauditdigest.1
index 34711e0..11d3b78 100644
--- a/utils/man/man1/tssgetcommandauditdigest.1
+++ b/utils/man/man1/tssgetcommandauditdigest.1
@@ -17,7 +17,7 @@ signing key handle
password for key (default empty)]
.TP
[\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
.TP
[\-salg
signature algorithm (rsa, ecc, hmac) (default rsa)]
diff --git a/utils/man/man1/tssgetsessionauditdigest.1 b/utils/man/man1/tssgetsessionauditdigest.1
index d09c78b..3fa4a03 100644
--- a/utils/man/man1/tssgetsessionauditdigest.1
+++ b/utils/man/man1/tssgetsessionauditdigest.1
@@ -20,7 +20,7 @@ password for key (default empty)]
audit session handle
.TP
[\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
.TP
[\-qd
qualifying data file name]
diff --git a/utils/man/man1/tssgettime.1 b/utils/man/man1/tssgettime.1
index bec0627..ac4b425 100644
--- a/utils/man/man1/tssgettime.1
+++ b/utils/man/man1/tssgettime.1
@@ -17,7 +17,7 @@ password for signing key (default empty)]
password for endorsement hierarchy (default empty)]
.TP
[\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
.TP
[\-salg
signature algorithm (rsa, ecc, hmac) (default rsa)]
diff --git a/utils/man/man1/tsshash.1 b/utils/man/man1/tsshash.1
index 6eff929..01fa758 100644
--- a/utils/man/man1/tsshash.1
+++ b/utils/man/man1/tsshash.1
@@ -12,7 +12,7 @@ hierarchy (e, o, p, n) (default null)]
e endorsement, o owner, p platform, n null
.TP
[\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
.TP
\fB\-if\fR
input file to be hashed
diff --git a/utils/man/man1/tsshashsequencestart.1 b/utils/man/man1/tsshashsequencestart.1
index f6d7f52..33225da 100644
--- a/utils/man/man1/tsshashsequencestart.1
+++ b/utils/man/man1/tsshashsequencestart.1
@@ -11,7 +11,7 @@ Runs TPM2_HashSequenceStart
password for sequence (default empty)]
.TP
[\-halg
-(sha1, sha256, sha384, sha512, null) (default sha256)]
+(sha256, sha384, sha512, null) (default sha256)]
null is an event sequence
.HP
\fB\-se[0\-2]\fR session handle / attributes (default NULL)
diff --git a/utils/man/man1/tsshmac.1 b/utils/man/man1/tsshmac.1
index e64a861..c55b998 100644
--- a/utils/man/man1/tsshmac.1
+++ b/utils/man/man1/tsshmac.1
@@ -14,7 +14,7 @@ key handle
password for key (default empty)]
.TP
[\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
.TP
\fB\-if\fR
input file to be HMACed
diff --git a/utils/man/man1/tsshmacstart.1 b/utils/man/man1/tsshmacstart.1
index 65d4ab6..9dd8fbf 100644
--- a/utils/man/man1/tsshmacstart.1
+++ b/utils/man/man1/tsshmacstart.1
@@ -17,7 +17,7 @@ password for key (default empty)
password for sequence (default empty)
.TP
[\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
.HP
\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
.TP
diff --git a/utils/man/man1/tssimportpem.1 b/utils/man/man1/tssimportpem.1
index 21c362e..46821eb 100644
--- a/utils/man/man1/tssimportpem.1
+++ b/utils/man/man1/tssimportpem.1
@@ -49,10 +49,10 @@ public area file name
private area file name
.TP
[\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
.TP
[\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
.TP
[\-pol
policy file (default empty)]
diff --git a/utils/man/man1/tssloadexternal.1 b/utils/man/man1/tssloadexternal.1
index e32a251..729d357 100644
--- a/utils/man/man1/tssloadexternal.1
+++ b/utils/man/man1/tssloadexternal.1
@@ -11,10 +11,10 @@ Runs TPM2_LoadExternal
hierarchy (e, o, p, n) (default NULL)]
.TP
[\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
.TP
[\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
.IP
[Asymmetric Key Algorithm]
.TP
diff --git a/utils/man/man1/tssnvcertify.1 b/utils/man/man1/tssnvcertify.1
index c55f6dc..1a50fd6 100644
--- a/utils/man/man1/tssnvcertify.1
+++ b/utils/man/man1/tssnvcertify.1
@@ -20,7 +20,7 @@ certifying key handle
password for key (default empty)]
.TP
[\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
.TP
[\-salg
signature algorithm (rsa, ecc, hmac) (default rsa)]
diff --git a/utils/man/man1/tssnvdefinespace.1 b/utils/man/man1/tssnvdefinespace.1
index 0f378e9..5d9d395 100644
--- a/utils/man/man1/tssnvdefinespace.1
+++ b/utils/man/man1/tssnvdefinespace.1
@@ -36,7 +36,7 @@ password for NV index (default empty)]
sets AUTHWRITE (if not PIN index), AUTHREAD
.TP
[\-nalg
-name algorithm (sha1, sha256, sha384 sha512) (default sha256)]
+name algorithm (sha256, sha384 sha512) (default sha256)]
.TP
[\-sz
data size in decimal (default 0)]
diff --git a/utils/man/man1/tssnvreadpublic.1 b/utils/man/man1/tssnvreadpublic.1
index b8c7bbb..c8619bb 100644
--- a/utils/man/man1/tssnvreadpublic.1
+++ b/utils/man/man1/tssnvreadpublic.1
@@ -11,7 +11,7 @@ Runs TPM2_NV_ReadPublic
NV index handle
.TP
[\-nalg
-expected name hash algorithm (sha1, sha256, sha384 sha512)
+expected name hash algorithm (sha256, sha384 sha512)
(default no check)]
.TP
[\-opu
diff --git a/utils/man/man1/tsspolicymaker.1 b/utils/man/man1/tsspolicymaker.1
index 6660f36..36beaaa 100644
--- a/utils/man/man1/tsspolicymaker.1
+++ b/utils/man/man1/tsspolicymaker.1
@@ -6,7 +6,7 @@ policymaker \- Runs TPM2 policymaker
policymaker
.TP
[\-halg
-hash algorithm (sha1 sha256 sha384 sha512) (default sha256)]
+hash algorithm (sha256 sha384 sha512) (default sha256)]
.TP
[\-nz
do not extend starting with zeros, just hash the last line]
diff --git a/utils/man/man1/tsspolicysigned.1 b/utils/man/man1/tsspolicysigned.1
index f50b81a..dab24ba 100644
--- a/utils/man/man1/tsspolicysigned.1
+++ b/utils/man/man1/tsspolicysigned.1
@@ -26,7 +26,7 @@ policyRef file (default none)]
expiration in decimal (default none)]
.TP
[\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
.TP
\fB\-sk\fR
RSA signing key file name (PEM format)
diff --git a/utils/man/man1/tsspublicname.1 b/utils/man/man1/tsspublicname.1
index 6600436..e42481c 100644
--- a/utils/man/man1/tsspublicname.1
+++ b/utils/man/man1/tsspublicname.1
@@ -45,10 +45,10 @@ rsapss
null
.TP
[\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
.TP
[\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
.TP
[\-uwa
userWithAuth attribute clear (default set)]
diff --git a/utils/man/man1/tssquote.1 b/utils/man/man1/tssquote.1
index 04a2e60..3de384b 100644
--- a/utils/man/man1/tssquote.1
+++ b/utils/man/man1/tssquote.1
@@ -17,7 +17,7 @@ quoting key handle
password for quoting key (default empty)]
.TP
[\-halg
-for signing (sha1, sha256, sha384, sha512) (default sha256)]
+for signing (sha256, sha384, sha512) (default sha256)]
.TP
[\-palg
for PCR bank selection (sha1, sha256, sha384, sha512) (default sha256)]
diff --git a/utils/man/man1/tssrsadecrypt.1 b/utils/man/man1/tssrsadecrypt.1
index 6c35e42..ff2b0f2 100644
--- a/utils/man/man1/tssrsadecrypt.1
+++ b/utils/man/man1/tssrsadecrypt.1
@@ -16,7 +16,7 @@ password for key (default empty)[
[\-ipwdk password file for key, nul terminated (default empty)]
\fB\-ie\fR encrypt file name
\fB\-od\fR decrypt file name (default do not save)
-[\-oid (sha1, sha256, sha384 sha512)]
+[\-oid (sha256, sha384 sha512)]
.IP
optionally add OID and PKCS1 padding to the
encrypt data (demo of signing with arbitrary OID)
diff --git a/utils/man/man1/tsssetcommandcodeauditstatus.1 b/utils/man/man1/tsssetcommandcodeauditstatus.1
index c4d19dc..d84a0c2 100644
--- a/utils/man/man1/tsssetcommandcodeauditstatus.1
+++ b/utils/man/man1/tsssetcommandcodeauditstatus.1
@@ -14,7 +14,7 @@ authhandle hierarchy (o, p) (default platform)]
authorization password (default empty)]
.TP
[\-halg
-(sha1, sha256, sha384, sha512, null) (default null)]
+(sha256, sha384, sha512, null) (default null)]
.TP
[\-set
command code to set (may be specified more than once (default none)]
diff --git a/utils/man/man1/tsssetprimarypolicy.1 b/utils/man/man1/tsssetprimarypolicy.1
index c67c1f9..9238407 100644
--- a/utils/man/man1/tsssetprimarypolicy.1
+++ b/utils/man/man1/tsssetprimarypolicy.1
@@ -17,7 +17,7 @@ authorization password (default empty)]
policy file (default empty policy)]
.TP
[\-halg
-(sha1, sha256) (default null)]
+(sha256) (default null)]
.HP
\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
.TP
diff --git a/utils/man/man1/tsssign.1 b/utils/man/man1/tsssign.1
index d5ad351..df67aee 100644
--- a/utils/man/man1/tsssign.1
+++ b/utils/man/man1/tsssign.1
@@ -17,7 +17,7 @@ input message to hash and sign
password for key (default empty)]
.TP
[\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
.TP
[\-salg
signature algorithm (rsa, ecc, hmac) (default rsa)]
diff --git a/utils/man/man1/tssstartauthsession.1 b/utils/man/man1/tssstartauthsession.1
index 3e944bb..ad16b0f 100644
--- a/utils/man/man1/tssstartauthsession.1
+++ b/utils/man/man1/tssstartauthsession.1
@@ -19,7 +19,7 @@ t
Trial policy session
.TP
[\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
.TP
[\-hs
salt handle (default TPM_RH_NULL)]
diff --git a/utils/man/man1/tssverifysignature.1 b/utils/man/man1/tssverifysignature.1
index e2d6460..d30eee9 100644
--- a/utils/man/man1/tssverifysignature.1
+++ b/utils/man/man1/tssverifysignature.1
@@ -37,7 +37,7 @@ One of \fB\-hk\fR, \fB\-ipem\fR, \fB\-ihmac\fR must be specified
ticket file name (requires \fB\-hk\fR)]
.TP
[\-halg
-(sha1, sha256, sha384 sha512) (default sha256)]
+(sha256, sha384 sha512) (default sha256)]
.IP
[Asymmetric Key Algorithm]
.TP
diff --git a/utils/nvcertify.c b/utils/nvcertify.c
index 81bde69..440c894 100644
--- a/utils/nvcertify.c
+++ b/utils/nvcertify.c
@@ -131,10 +131,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -433,7 +430,7 @@ static void printUsage(void)
printf("\t[-pwdn\tpassword for NV index (default empty)]\n");
printf("\t-hk\tcertifying key handle\n");
printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
printf("\t-sz\tdata size\n");
printf("\t[-off\toffset (default 0)]\n");
diff --git a/utils/nvdefinespace.c b/utils/nvdefinespace.c
index 18ce6ea..cbe253e 100644
--- a/utils/nvdefinespace.c
+++ b/utils/nvdefinespace.c
@@ -124,11 +124,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-nalg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- hashSize = SHA1_DIGEST_SIZE;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
nalg = TPM_ALG_SHA256;
hashSize = SHA256_DIGEST_SIZE;
}
@@ -562,7 +558,7 @@ static void printUsage(void)
printf("\n");
printf("\t[-pwdn\tpassword for NV index (default empty)]\n");
printf("\t\tsets AUTHWRITE (if not PIN index), AUTHREAD\n");
- printf("\t[-nalg\tname algorithm (sha1, sha256, sha384 sha512) (default sha256)]\n");
+ printf("\t[-nalg\tname algorithm (sha256, sha384 sha512) (default sha256)]\n");
printf("\t[-sz\tdata size in decimal (default 0)]\n");
printf("\t\tIgnored for other than ordinary index\n");
printf("\t[-ty\tindex type (o, c, b, e, p, f) (default ordinary)]\n");
diff --git a/utils/nvreadpublic.c b/utils/nvreadpublic.c
index cf36b96..cbcae63 100644
--- a/utils/nvreadpublic.c
+++ b/utils/nvreadpublic.c
@@ -101,10 +101,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-nalg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
nalg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -336,7 +333,7 @@ static void printUsage(void)
printf("Runs TPM2_NV_ReadPublic\n");
printf("\n");
printf("\t-ha\tNV index handle\n");
- printf("\t[-nalg\texpected name hash algorithm (sha1, sha256, sha384 sha512)\n"
+ printf("\t[-nalg\texpected name hash algorithm (sha256, sha384 sha512)\n"
"\t\t(default no check)]\n");
printf("\t[-opu\tNV public file name (default do not save)]\n");
printf("\t[-ns\tadditionally print Name in hex ascii on one line]\n");
diff --git a/utils/objecttemplates.c b/utils/objecttemplates.c
index 37d7b64..4d1269c 100644
--- a/utils/objecttemplates.c
+++ b/utils/objecttemplates.c
@@ -576,7 +576,7 @@ void printUsageTemplate(void)
printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
printf("\t[-if\tdata (inSensitive) file name]\n");
printf("\n");
- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
return;
}
diff --git a/utils/policymaker.c b/utils/policymaker.c
index 7290ed7..818ac8b 100644
--- a/utils/policymaker.c
+++ b/utils/policymaker.c
@@ -107,10 +107,7 @@ int main(int argc, char *argv[])
if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- digest.hashAlg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
digest.hashAlg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -342,7 +339,7 @@ static void printUsage(void)
printf("\n");
printf("policymaker\n");
printf("\n");
- printf("\t[-halg\thash algorithm (sha1 sha256 sha384 sha512) (default sha256)]\n");
+ printf("\t[-halg\thash algorithm (sha256 sha384 sha512) (default sha256)]\n");
printf("\t[-nz\tdo not extend starting with zeros, just hash the last line]\n");
printf("\t-if\tinput policy statements in hex ascii\n");
printf("\t[-of\toutput file - policy hash in binary]\n");
diff --git a/utils/policysigned.c b/utils/policysigned.c
index 469cec9..dbecfe0 100644
--- a/utils/policysigned.c
+++ b/utils/policysigned.c
@@ -216,10 +216,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -444,7 +441,7 @@ static void printUsage(void)
printf("\t[-cp\tcpHash file (default none)]\n");
printf("\t[-pref\tpolicyRef file (default none)]\n");
printf("\t[-exp\texpiration in decimal (default none)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
printf("\t-sk\tRSA signing key file name (PEM format)\n");
printf("\t\tUse this signing key.\n");
printf("\t-is\tsignature file name\n");
diff --git a/utils/publicname.c b/utils/publicname.c
index f599d36..fbe9ee4 100644
--- a/utils/publicname.c
+++ b/utils/publicname.c
@@ -90,10 +90,7 @@ int main(int argc, char *argv[])
if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -115,10 +112,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-nalg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
nalg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -441,8 +435,8 @@ static void printUsage(void)
printf("\t\trsassa\n");
printf("\t\trsapss\n");
printf("\t\tnull\n");
- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
printf("\t[-si\tsigning (default) RSA]\n");
printf("\t[-st\tstorage (default NULL scheme)]\n");
diff --git a/utils/quote.c b/utils/quote.c
index c29fad0..154187c 100644
--- a/utils/quote.c
+++ b/utils/quote.c
@@ -130,10 +130,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -424,7 +421,7 @@ static void printUsage(void)
printf("\t-hp\tpcr handle (may be specified more than once)\n");
printf("\t-hk\tquoting key handle\n");
printf("\t[-pwdk\tpassword for quoting key (default empty)]\n");
- printf("\t[-halg\tfor signing (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tfor signing (sha256, sha384, sha512) (default sha256)]\n");
printf("\t[-palg\tfor PCR bank selection (sha1, sha256, sha384, sha512) (default sha256)]\n");
printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
printf("\t[-qd\tqualifying data file name]\n");
diff --git a/utils/reg.sh b/utils/reg.sh
index 2d9d100..671720f 100755
--- a/utils/reg.sh
+++ b/utils/reg.sh
@@ -70,11 +70,20 @@ PREFIX=./
#PREFIX="valgrind ./"
# hash algorithms to be used for testing
+export RESTRICTED_HASH_ALG
-export ITERATE_ALGS="sha1 sha256 sha384 sha512"
-export ITERATE_ALGS_SIZES="20 32 48 64"
-export ITERATE_ALGS_COUNT=4
-export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1"
+if [ "${RESTRICTED_HASH_ALG}" ]; then
+ export ITERATE_ALGS="sha256 sha384 sha512"
+ export ITERATE_ALGS_SIZES="32 48 64"
+ export ITERATE_ALGS_COUNT=3
+ export BAD_ITERATE_ALGS="sha384 sha512 sha256"
+else
+ export ITERATE_ALGS="sha1 sha256 sha384 sha512"
+ export ITERATE_ALGS_SIZES="20 32 48 64"
+ export ITERATE_ALGS_COUNT=4
+ export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1"
+fi
+export ITERATE_ALGS_WITH_SHA1="sha1 sha256 sha384 sha512"
printUsage ()
{
diff --git a/utils/regtests/testattest.sh b/utils/regtests/testattest.sh
index 2dacf88..044d35f 100755
--- a/utils/regtests/testattest.sh
+++ b/utils/regtests/testattest.sh
@@ -379,21 +379,26 @@ echo ""
echo "Audit a PCR Read"
echo ""
-for HALG in ${ITERATE_ALGS}
+for HALG in ${ITERATE_ALGS_WITH_SHA1}
do
+ if [ "${HALG}" = "sha1" ] && [ "${RESTRICTED_HASH_ALG}" ]; then
+ ALT_HALG=sha256
+ else
+ ALT_HALG=${HALG}
+ fi
echo "Start an audit session ${HALG}"
- ${PREFIX}startauthsession -se h -halg ${HALG} > run.out
+ ${PREFIX}startauthsession -se h -halg ${ALT_HALG} > run.out
checkSuccess $?
echo "PCR 16 reset"
${PREFIX}pcrreset -ha 16 > run.out
checkSuccess $?
- cp policies/zero${HALG}.bin tmpdigestr.bin
+ cp policies/zero${ALT_HALG}.bin tmpdigestr.bin
echo "PCR 16 read ${HALG}"
- ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${ALT_HALG} -iosad tmpdigestr.bin > run.out
checkSuccess $?
echo "Get session audit digest"
@@ -409,7 +414,7 @@ do
checkSuccess $?
echo "PCR 16 read ${HALG}"
- ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${ALT_HALG} -iosad tmpdigestr.bin > run.out
checkSuccess $?
echo "Get session audit digest"
diff --git a/utils/regtests/testevent.sh b/utils/regtests/testevent.sh
index 6336920..57a96d2 100755
--- a/utils/regtests/testevent.sh
+++ b/utils/regtests/testevent.sh
@@ -62,7 +62,7 @@ echo ""
for TYPE in "1" "2"
do
- for HALG in ${ITERATE_ALGS}
+ for HALG in ${ITERATE_ALGS_WITH_SHA1}
do
echo "Power cycle to reset IMA PCR"
diff --git a/utils/rsadecrypt.c b/utils/rsadecrypt.c
index e2846af..a521edf 100644
--- a/utils/rsadecrypt.c
+++ b/utils/rsadecrypt.c
@@ -130,10 +130,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-oid") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -391,7 +388,6 @@ static TPM_RC padData(uint8_t **buffer,
uint16_t digestSize;
const uint8_t *oid;
uint16_t oidSize;
- const uint8_t sha1Oid[] = {SHA1_DER};
const uint8_t sha256Oid[] = {SHA256_DER};
const uint8_t sha384Oid[] = {SHA384_DER};
const uint8_t sha512Oid[] = {SHA512_DER};
@@ -419,10 +415,6 @@ static TPM_RC padData(uint8_t **buffer,
/* determine the OID */
if (rc == 0) {
switch (halg) {
- case TPM_ALG_SHA1:
- oid = sha1Oid;
- oidSize = SHA1_DER_SIZE;
- break;
case TPM_ALG_SHA256:
oid = sha256Oid;
oidSize = SHA256_DER_SIZE;
@@ -499,7 +491,7 @@ static void printUsage(void)
printf("\t[-ipwdk\tpassword file for key, nul terminated (default empty)]\n");
printf("\t-ie\tencrypt file name\n");
printf("\t-od\tdecrypt file name (default do not save)\n");
- printf("\t[-oid\t(sha1, sha256, sha384 sha512)]\n");
+ printf("\t[-oid\t(sha256, sha384 sha512)]\n");
printf("\t\toptionally add OID and PKCS1 padding to the\n");
printf("\t\tencrypt data (demo of signing with arbitrary OID)\n");
printf("\n");
diff --git a/utils/setcommandcodeauditstatus.c b/utils/setcommandcodeauditstatus.c
index 7a880ae..7a95a59 100644
--- a/utils/setcommandcodeauditstatus.c
+++ b/utils/setcommandcodeauditstatus.c
@@ -125,10 +125,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- in.auditAlg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
in.auditAlg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -287,7 +284,7 @@ static void printUsage(void)
printf("\n");
printf("\t[-hi\tauthhandle hierarchy (o, p) (default platform)]\n");
printf("\t[-pwda\tauthorization password (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512, null) (default null)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512, null) (default null)]\n");
printf("\t[-set\tcommand code to set (may be specified more than once (default none)]\n");
printf("\t[-clr\tcommand code to clear (may be specified more than once (default none)]\n");
printf("\n");
diff --git a/utils/setprimarypolicy.c b/utils/setprimarypolicy.c
index 619937f..100e265 100644
--- a/utils/setprimarypolicy.c
+++ b/utils/setprimarypolicy.c
@@ -113,9 +113,6 @@ int main(int argc, char *argv[])
if (strcmp(argv[i],"sha256") == 0) {
in.hashAlg = TPM_ALG_SHA256;
}
- else if (strcmp(argv[i],"sha1") == 0) {
- in.hashAlg = TPM_ALG_SHA1;
- }
else {
printf("Bad parameter %s for -halg\n", argv[i]);
printUsage();
@@ -291,7 +288,7 @@ static void printUsage(void)
printf("\t[-hi\tauthhandle hierarchy (l, e, o, p) (default platform)]\n");
printf("\t[-pwda\tauthorization password (default empty)]\n");
printf("\t[-pol\tpolicy file (default empty policy)]\n");
- printf("\t[-halg\t(sha1, sha256) (default null)]\n");
+ printf("\t[-halg\t(sha256) (default null)]\n");
printf("\n");
printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
printf("\t01\tcontinue\n");
diff --git a/utils/sign.c b/utils/sign.c
index ba2be27..d37f786 100644
--- a/utils/sign.c
+++ b/utils/sign.c
@@ -123,10 +123,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -474,7 +471,7 @@ static void printUsage(void)
printf("\t-hk\tkey handle\n");
printf("\t-if\tinput message to hash and sign\n");
printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
printf("\t[-scheme signing scheme (rsassa, rsapss, ecdsa, ecdaa, hmac)]\n");
printf("\t\t(default rsassa, ecdsa, hmac)]\n");
diff --git a/utils/startauthsession.c b/utils/startauthsession.c
index d47c731..93dc511 100644
--- a/utils/startauthsession.c
+++ b/utils/startauthsession.c
@@ -88,10 +88,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -291,7 +288,7 @@ static void printUsage(void)
printf("\t\tp Policy session\n");
printf("\t\tt Trial policy session\n");
printf("\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
printf("\t[-hs\tsalt handle (default TPM_RH_NULL)]\n");
printf("\t[-bi\tbind handle (default TPM_RH_NULL)]\n");
printf("\t[-pwdb\tbind password for bind handle (default empty)]\n");
diff --git a/utils/verifysignature.c b/utils/verifysignature.c
index 57978d5..7603a1f 100644
--- a/utils/verifysignature.c
+++ b/utils/verifysignature.c
@@ -133,10 +133,7 @@ int main(int argc, char *argv[])
else if (strcmp(argv[i],"-halg") == 0) {
i++;
if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
halg = TPM_ALG_SHA256;
}
else if (strcmp(argv[i],"sha384") == 0) {
@@ -473,7 +470,7 @@ static void printUsage(void)
printf("\n");
printf("\t[-tk\tticket file name (requires -hk)]\n");
printf("\n");
- printf("\t[-halg\t(sha1, sha256, sha384 sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384 sha512) (default sha256)]\n");
printf("\n");
printf("\t[Asymmetric Key Algorithm]\n");
printf("\n");
--
2.34.1