From 506ae7f508cdcaca1cad7433725e8f4c115f843b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= Date: Fri, 25 Feb 2022 15:28:28 +0100 Subject: [PATCH 4/4] Restrict SHA-1 in TSS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Štěpán Horáček --- utils/cryptoutils.c | 4 --- utils/tss20.c | 81 ++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 80 insertions(+), 5 deletions(-) diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c index 7b5de79..98396a7 100644 --- a/utils/cryptoutils.c +++ b/utils/cryptoutils.c @@ -2136,10 +2136,6 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message, /* map from hash algorithm to openssl nid */ if (rc == 0) { switch (halg) { - case TPM_ALG_SHA1: - nid = NID_sha1; - md = EVP_sha1(); - break; case TPM_ALG_SHA256: nid = NID_sha256; md = EVP_sha256(); diff --git a/utils/tss20.c b/utils/tss20.c index c778069..bd05cf3 100644 --- a/utils/tss20.c +++ b/utils/tss20.c 
@@ -678,6 +678,76 @@ extern int tssVerbose; extern int tssVverbose; extern int tssFirstCall; +int TSS_CheckSha1_PublicArea(TPMT_PUBLIC *publicArea) +{ + return publicArea->nameAlg == TPM_ALG_SHA1 || + ((publicArea->type == TPM_ALG_RSA || publicArea->type == TPM_ALG_ECC) && + publicArea->parameters.asymDetail.scheme.scheme != TPM_ALG_NULL && + publicArea->parameters.asymDetail.scheme.details.anySig.hashAlg == TPM_ALG_SHA1); +} + +int TSS_CheckSha1_SigScheme(TPMT_SIG_SCHEME *sigScheme) +{ + return sigScheme->details.any.hashAlg == TPM_ALG_SHA1; +} + +int TSS_CheckSha1(COMMAND_PARAMETERS *in, + TPM_CC commandCode) +{ + switch (commandCode) + { + case TPM_CC_Certify: + return TSS_CheckSha1_SigScheme(&in->Certify.inScheme); + case TPM_CC_CertifyCreation: + return TSS_CheckSha1_SigScheme(&in->CertifyCreation.inScheme); + case TPM_CC_Create: + return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea); + case TPM_CC_CreateLoaded: + return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea); + case TPM_CC_CreatePrimary: + return TSS_CheckSha1_PublicArea(&in->CreatePrimary.inPublic.publicArea); + case TPM_CC_GetCommandAuditDigest: + return TSS_CheckSha1_SigScheme(&in->GetCommandAuditDigest.inScheme); + case TPM_CC_GetSessionAuditDigest: + return TSS_CheckSha1_SigScheme(&in->GetSessionAuditDigest.inScheme); + case TPM_CC_GetTime: + return TSS_CheckSha1_SigScheme(&in->GetTime.inScheme); + case TPM_CC_Hash: + return in->Hash.hashAlg == TPM_ALG_SHA1; + case TPM_CC_HashSequenceStart: + return in->HashSequenceStart.hashAlg == TPM_ALG_SHA1; + case TPM_CC_HMAC: + return in->HMAC.hashAlg == TPM_ALG_SHA1; + case TPM_CC_HMAC_Start: + return in->HMAC_Start.hashAlg == TPM_ALG_SHA1; + case TPM_CC_Import: + return TSS_CheckSha1_PublicArea(&in->Import.objectPublic.publicArea); + case TPM_CC_LoadExternal: + return TSS_CheckSha1_PublicArea(&in->LoadExternal.inPublic.publicArea); + case TPM_CC_NV_Certify: + return TSS_CheckSha1_SigScheme(&in->NV_Certify.inScheme); + case 
TPM_CC_NV_DefineSpace: + return in->NV_DefineSpace.publicInfo.nvPublic.nameAlg == TPM_ALG_SHA1; + case TPM_CC_PolicySigned: + return in->PolicySigned.auth.signature.any.hashAlg == TPM_ALG_SHA1; + case TPM_CC_Quote: + return TSS_CheckSha1_SigScheme(&in->Quote.inScheme); + case TPM_CC_RSA_Decrypt: + return TSS_CheckSha1_SigScheme(&in->RSA_Decrypt.inScheme); + case TPM_CC_SetCommandCodeAuditStatus: + return in->SetCommandCodeAuditStatus.auditAlg == TPM_ALG_SHA1; + case TPM_CC_SetPrimaryPolicy: + return in->SetPrimaryPolicy.hashAlg == TPM_ALG_SHA1; + case TPM_CC_Sign: + return TSS_CheckSha1_SigScheme(&in->Sign.inScheme); + case TPM_CC_StartAuthSession: + return in->StartAuthSession.authHash == TPM_ALG_SHA1; + case TPM_CC_VerifySignature: + return in->VerifySignature.signature.signature.any.hashAlg == TPM_ALG_SHA1; + } + + return 0; +} TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext, RESPONSE_PARAMETERS *out, @@ -687,11 +757,20 @@ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext, va_list ap) { TPM_RC rc = 0; - + +#ifdef RESTRICTED_HASH_ALG + if (rc == 0) { + if (TSS_CheckSha1(in, commandCode)) { + rc = TPM_RC_HASH; + } + } +#endif /* RESTRICTED_HASH_ALG */ + /* create a TSS authorization context */ if (rc == 0) { TSS_InitAuthContext(tssContext->tssAuthContext); } + /* handle any command specific command pre-processing */ if (rc == 0) { rc = TSS_Command_PreProcessor(tssContext, -- 2.34.1
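Review bot: The `TPM_CC_CreateLoaded` case reads `in->Create.inPublic.publicArea`, the Create member of the parameter union, rather than CreateLoaded's own input. In the TPM 2.0 command set CreateLoaded carries its template as a marshaled byte buffer, so if COMMAND_PARAMETERS follows that layout (not shown in this hunk) the check reads marshaled bytes as a TPMT_PUBLIC and can both miss a SHA-1 template and refuse a valid one. That case should unmarshal the CreateLoaded template before calling TSS_CheckSha1_PublicArea. Separately, TSS_CheckSha1_SigScheme tests `details.any.hashAlg` without the `scheme != TPM_ALG_NULL` guard that TSS_CheckSha1_PublicArea applies, so a NULL scheme with leftover detail bytes can be rejected; `return sigScheme->scheme != TPM_ALG_NULL && sigScheme->details.any.hashAlg == TPM_ALG_SHA1;` would match the other helper. The `TPM_CC_RSA_Decrypt` case also passes a decryption scheme to a helper typed for TPMT_SIG_SCHEME, which is worth confirming, since schemes without a hash presumably leave that field unset.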
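Review bot: Returning `TPM_RC_HASH` from the new `RESTRICTED_HASH_ALG` block makes a refusal decided locally in the TSS look like a response from the TPM, so a caller or someone reading logs cannot tell policy enforcement from a device error. A TSS-layer return code, or at least a message under `tssVerbose` naming the command code, would keep the two apart. The check is compiled only under `#ifdef RESTRICTED_HASH_ALG`, while the same patch removes the `TPM_ALG_SHA1` case from verifyRSASignatureFromRSA in utils/cryptoutils.c unconditionally, so a build without the macro loses SHA-1 signature verification but still accepts SHA-1 everywhere else; both changes should probably sit behind the same switch. A comment above the block such as `/* refuse commands that request SHA-1 before any session or marshaling work is done */` would record why it runs first. TSS_Execute20's body continues outside the hunk.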