From 8004d7ddc5e1bd7809f6a385908ceff216061187 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= Date: Thu, 17 Feb 2022 19:02:10 +0100 Subject: [PATCH 3/4] Restrict the usage of SHA-1 in code examples MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Because SHA-1 is no longer considered secure, it should not be used for cryptographic purposes. This commit disables the use of SHA-1 in cases where it is used in potentially exploitable situations, most notably for creating signatures. 
Signed-off-by: Štěpán Horáček --- configure.ac | 4 ++++ utils/certify.c | 7 ++----- utils/certifycreation.c | 7 ++----- utils/create.c | 10 ++-------- utils/createloaded.c | 10 ++-------- utils/createprimary.c | 10 ++-------- utils/cryptoutils.c | 3 --- utils/getcommandauditdigest.c | 7 ++----- utils/getsessionauditdigest.c | 7 ++----- utils/gettime.c | 7 ++----- utils/hash.c | 7 ++----- utils/hashsequencestart.c | 7 ++----- utils/hmac.c | 7 ++----- utils/hmacstart.c | 7 ++----- utils/importpem.c | 14 ++++---------- utils/loadexternal.c | 14 ++++---------- utils/man/man1/tsscertify.1 | 2 +- utils/man/man1/tsscertifycreation.1 | 2 +- utils/man/man1/tsscreate.1 | 4 ++-- utils/man/man1/tsscreateloaded.1 | 4 ++-- utils/man/man1/tsscreateprimary.1 | 4 ++-- utils/man/man1/tssgetcommandauditdigest.1 | 2 +- utils/man/man1/tssgetsessionauditdigest.1 | 2 +- utils/man/man1/tssgettime.1 | 2 +- utils/man/man1/tsshash.1 | 2 +- utils/man/man1/tsshashsequencestart.1 | 2 +- utils/man/man1/tsshmac.1 | 2 +- utils/man/man1/tsshmacstart.1 | 2 +- utils/man/man1/tssimportpem.1 | 4 ++-- utils/man/man1/tssloadexternal.1 | 4 ++-- utils/man/man1/tssnvcertify.1 | 2 +- utils/man/man1/tssnvdefinespace.1 | 2 +- utils/man/man1/tssnvreadpublic.1 | 2 +- utils/man/man1/tsspolicymaker.1 | 2 +- utils/man/man1/tsspolicysigned.1 | 2 +- utils/man/man1/tsspublicname.1 | 4 ++-- utils/man/man1/tssquote.1 | 2 +- utils/man/man1/tssrsadecrypt.1 | 2 +- utils/man/man1/tsssetcommandcodeauditstatus.1 | 2 +- utils/man/man1/tsssetprimarypolicy.1 | 2 +- utils/man/man1/tsssign.1 | 2 +- utils/man/man1/tssstartauthsession.1 | 2 +- utils/man/man1/tssverifysignature.1 | 2 +- utils/nvcertify.c | 7 ++----- utils/nvdefinespace.c | 8 ++------ utils/nvreadpublic.c | 7 ++----- utils/objecttemplates.c | 4 ++-- utils/policymaker.c | 7 ++----- utils/policysigned.c | 7 ++----- utils/publicname.c | 14 ++++---------- utils/quote.c | 7 ++----- utils/reg.sh | 17 +++++++++++++---- utils/regtests/testattest.sh | 15 ++++++++++----- 
utils/regtests/testevent.sh | 2 +- utils/rsadecrypt.c | 12 ++---------- utils/setcommandcodeauditstatus.c | 7 ++----- utils/setprimarypolicy.c | 5 +---- utils/sign.c | 7 ++----- utils/startauthsession.c | 7 ++----- utils/verifysignature.c | 7 ++----- 60 files changed, 122 insertions(+), 212 deletions(-)
diff --git a/configure.ac b/configure.ac
index ad870b1..4e4052e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -123,6 +123,10 @@ AC_ARG_ENABLE(rmtpm,
 AM_CONDITIONAL([CONFIG_RMTPM], [test "x$enable_rmtpm" = "xyes"])
 AS_IF([test "$enable_rmtpm" != "yes"], [enable_rmtpm="no"])
 
+AC_ARG_ENABLE(restricted-hash-alg,
+ AS_HELP_STRING([--enable-restricted-hash-alg], [Restrict usage of SHA-1]))
+ AS_IF([test "$enable_restricted_hash_alg" = "yes"], [CFLAGS="-DRESTRICTED_HASH_ALG $CFLAGS"])
+
 AC_CONFIG_FILES([Makefile
 utils/Makefile
 utils12/Makefile
diff --git a/utils/certify.c b/utils/certify.c
index f1f54d0..f3cfc84 100644
--- a/utils/certify.c
+++ b/utils/certify.c
@@ -128,10 +128,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -397,7 +394,7 @@ static void printUsage(void)
 printf("\t[-pwdo\tpassword for object (default empty)]\n");
 printf("\t-hk\tcertifying key handle\n");
 printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384 sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384 sha512) (default sha256)]\n");
 printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
 printf("\t[-qd\tqualifying data file name]\n");
 printf("\t[-os\tsignature file name (default do not save)]\n");
diff --git a/utils/certifycreation.c b/utils/certifycreation.c
index ab54c0a..20377d2 100644
--- a/utils/certifycreation.c
+++ b/utils/certifycreation.c
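Review bot: The `RESTRICTED_HASH_ALG` macro that `--enable-restricted-hash-alg` prepends to `CFLAGS` is never tested by any C hunk in this patch — utils/certify.c through utils/publicname.c, and `signRSAFromRSA` in utils/cryptoutils.c, all delete the `sha1` branch unconditionally — so the option is a no-op and the restriction cannot be switched off. Either wrap each removed branch in `#ifndef RESTRICTED_HASH_ALG` … `#endif` so the behaviour is opt-in as the help string advertises, or drop the option and state in the commit message that the removal is unconditional. Editing `CFLAGS` also hides the setting from config.h consumers; if the tree uses `AC_CONFIG_HEADERS`, `AC_DEFINE([RESTRICTED_HASH_ALG], [1], [Restrict usage of SHA-1])` is the conventional form. The new `AS_IF` line is indented while the `rmtpm` block above keeps `AS_IF` at column 0.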
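Review bot: The rewritten usage line in the `@@ -397,7 +394,7 @@` hunk still lacks the comma between sha384 and sha512; since the string is being replaced anyway, `printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");` fixes it at no cost. The same `sha384 sha512` survives in the rewritten lines of utils/nvdefinespace.c, utils/nvreadpublic.c and the man pages tsscertify.1, tssnvdefinespace.1, tssnvreadpublic.1, tssverifysignature.1 and tssrsadecrypt.1. `printUsage` continues outside the hunk.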
@@ -121,10 +121,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -437,7 +434,7 @@ static void printUsage(void)
 printf("\t-ho\tobject handle\n");
 printf("\t-hk\tcertifying key handle\n");
 printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384) (default sha256)]\n");
 printf("\t[-salg\tsignature algorithm (rsa, ecc) (default rsa)]\n");
 printf("\t[-qd\tqualifying data file name]\n");
 printf("\t-tk\tinput ticket file name\n");
diff --git a/utils/create.c b/utils/create.c
index a8b805c..93c5d43 100644
--- a/utils/create.c
+++ b/utils/create.c
@@ -239,10 +239,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -264,10 +261,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-nalg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 nalg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
diff --git a/utils/createloaded.c b/utils/createloaded.c
index d54f791..a21bbda 100644
--- a/utils/createloaded.c
+++ b/utils/createloaded.c
@@ -235,10 +235,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -257,10 +254,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-nalg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 nalg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
diff --git a/utils/createprimary.c b/utils/createprimary.c
index 52ae083..d6374dd 100644
--- a/utils/createprimary.c
+++ b/utils/createprimary.c
@@ -246,10 +246,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -271,10 +268,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-nalg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 nalg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c
index 57eade7..7b5de79 100644
--- a/utils/cryptoutils.c
+++ b/utils/cryptoutils.c
@@ -2025,9 +2025,6 @@ TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength,
 /* map the hash algorithm to the openssl NID */
 if (rc == 0) {
 switch (hashAlg) {
- case TPM_ALG_SHA1:
- nid = NID_sha1;
- break;
 case TPM_ALG_SHA256:
 nid = NID_sha256;
 break;
diff --git a/utils/getcommandauditdigest.c b/utils/getcommandauditdigest.c
index a219785..cc67a17 100644
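Review bot: Deleting `case TPM_ALG_SHA1` from `signRSAFromRSA` in utils/cryptoutils.c changes shared library behaviour for every caller, not just a command-line example, and the `default:` branch that now decides what a SHA-1 request produces lies outside the hunk — it should be confirmed that it sets `rc` to an error instead of leaving `nid` at its initial value and continuing to sign. A one-line comment above the switch, `/* SHA-1 deliberately omitted: not acceptable for new signatures */`, would stop the next reader from re-adding the case as an apparent omission. The function body continues outside the hunk.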
--- a/utils/getcommandauditdigest.c
+++ b/utils/getcommandauditdigest.c
@@ -117,10 +117,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -381,7 +378,7 @@ static void printUsage(void)
 printf("\t[-pwde\tendorsement hierarchy password (default empty)]\n");
 printf("\t-hk\tsigning key handle\n");
 printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
 printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
 printf("\t[-qd\tqualifying data file name]\n");
 printf("\t[-os\tsignature file name (default do not save)]\n");
diff --git a/utils/getsessionauditdigest.c b/utils/getsessionauditdigest.c
index 61b12e6..e0706a1 100644
--- a/utils/getsessionauditdigest.c
+++ b/utils/getsessionauditdigest.c
@@ -128,10 +128,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -377,7 +374,7 @@ static void printUsage(void)
 printf("\t[-hk\tsigning key handle]\n");
 printf("\t[-pwdk\tpassword for key (default empty)]\n");
 printf("\t-hs\taudit session handle\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
 printf("\t[-qd\tqualifying data file name]\n");
 printf("\t[-os\tsignature file name (default do not save)]\n");
 printf("\t[-oa\tattestation output file name (default do not save)]\n");
diff --git a/utils/gettime.c b/utils/gettime.c
index b07baf1..2e4b819 100644
--- a/utils/gettime.c
+++ b/utils/gettime.c
@@ -118,10 +118,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -381,7 +378,7 @@ static void printUsage(void)
 printf("\t-hk\tsigning key handle\n");
 printf("\t[-pwdk\tpassword for signing key (default empty)]\n");
 printf("\t[-pwde\tpassword for endorsement hierarchy (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
 printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
 printf("\t[-qd\tqualifying data file name]\n");
 printf("\t[-os\tsignature file name (default do not save)]\n");
diff --git a/utils/hash.c b/utils/hash.c
index 71b8a7c..e21ff8c 100644
--- a/utils/hash.c
+++ b/utils/hash.c
@@ -93,10 +93,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -300,7 +297,7 @@ static void printUsage(void)
 printf("\n");
 printf("\t[-hi\thierarchy (e, o, p, n) (default null)]\n");
 printf("\t\te endorsement, o owner, p platform, n null\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
 printf("\t-if\tinput file to be hashed\n");
 printf("\t-ic\tdata string to be hashed\n");
 printf("\t[-ns\tno space, no text, no newlines]\n");
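Review bot: The `@@ -93,10 +93,7 @@` hunk in utils/hash.c removes `-halg sha1` from a plain TPM2_Hash front end, which is not a signing path; a SHA-1 digest is still what a caller needs to reproduce or check a value in a SHA-1 PCR bank, and this same patch keeps `sha1` in tssquote.1's `-palg` bank-selection option, so the two tools no longer agree. If the intent is to restrict signature creation only, as the commit message says, hash.c, hashsequencestart.c, hmac.c and hmacstart.c probably should keep the branch; if the intent is to remove SHA-1 from every utility, the commit message and the `--enable-restricted-hash-alg` help string should say so. The enclosing `main` continues outside the hunk.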
diff --git a/utils/hashsequencestart.c b/utils/hashsequencestart.c
index d54fadd..8b1e6fc 100644
--- a/utils/hashsequencestart.c
+++ b/utils/hashsequencestart.c
@@ -87,10 +87,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- hashAlg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 hashAlg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -243,7 +240,7 @@ static void printUsage(void)
 printf("Runs TPM2_HashSequenceStart\n");
 printf("\n");
 printf("\t[-pwda\tpassword for sequence (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512, null) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512, null) (default sha256)]\n");
 printf("\t\tnull is an event sequence\n");
 printf("\n");
 printf("\t-se[0-2] session handle / attributes (default NULL)\n");
diff --git a/utils/hmac.c b/utils/hmac.c
index be63e1b..7ea325d 100644
--- a/utils/hmac.c
+++ b/utils/hmac.c
@@ -105,10 +105,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -343,7 +340,7 @@ static void printUsage(void)
 printf("\n");
 printf("\t-hk\tkey handle\n");
 printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
 printf("\t-if\tinput file to be HMACed\n");
 printf("\t-ic\tdata string to be HMACed\n");
 printf("\t[-os\thmac file name (default do not save)]\n");
diff --git a/utils/hmacstart.c b/utils/hmacstart.c
index 3fdd0f9..4463376 100644
--- a/utils/hmacstart.c
+++ b/utils/hmacstart.c
@@ -109,10 +109,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -270,7 +267,7 @@ static void printUsage(void)
 printf("\t-hk\tkey handle\n");
 printf("\t-pwdk\tpassword for key (default empty)\n");
 printf("\t-pwda\tpassword for sequence (default empty)\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
 printf("\n");
 printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
 printf("\t01\tcontinue\n");
diff --git a/utils/importpem.c b/utils/importpem.c
index 38ad125..cbf3794 100644
--- a/utils/importpem.c
+++ b/utils/importpem.c
@@ -215,10 +215,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -240,10 +237,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-nalg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 nalg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -478,8 +472,8 @@ static void printUsage(void)
 printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
 printf("\t-opu\tpublic area file name\n");
 printf("\t-opr\tprivate area file name\n");
- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
 printf("\t[-pol\tpolicy file (default empty)]\n");
 printf("\n");
 printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
diff --git a/utils/loadexternal.c b/utils/loadexternal.c
index 877501c..fc8cd1a 100644
--- a/utils/loadexternal.c
+++ b/utils/loadexternal.c
@@ -127,10 +127,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -152,10 +149,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-nalg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 nalg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -511,8 +505,8 @@ static void printUsage(void)
 printf("Runs TPM2_LoadExternal\n");
 printf("\n");
 printf("\t[-hi\thierarchy (e, o, p, n) (default NULL)]\n");
- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
 printf("\n");
 printf("\t[Asymmetric Key Algorithm]\n");
 printf("\n");
diff --git a/utils/man/man1/tsscertify.1 b/utils/man/man1/tsscertify.1
index 6895ee7..b837209 100644
--- a/utils/man/man1/tsscertify.1
+++ b/utils/man/man1/tsscertify.1
@@ -20,7 +20,7 @@ certifying key handle
 password for key (default empty)]
 .TP
 [\-halg
-(sha1, sha256, sha384 sha512) (default sha256)]
+(sha256, sha384 sha512) (default sha256)]
 .TP
 [\-salg
 signature algorithm (rsa, ecc, hmac) (default rsa)]
diff --git a/utils/man/man1/tsscertifycreation.1 b/utils/man/man1/tsscertifycreation.1
index 4382ed9..7c77a1e 100644
--- a/utils/man/man1/tsscertifycreation.1
+++ b/utils/man/man1/tsscertifycreation.1
@@ -17,7 +17,7 @@ certifying key handle
 password for key (default empty)]
 .TP
 [\-halg
-(sha1, sha256, sha384) (default sha256)]
+(sha256, sha384) (default sha256)]
 .TP
 [\-salg
 signature algorithm (rsa, ecc) (default rsa)]
diff --git a/utils/man/man1/tsscreate.1 b/utils/man/man1/tsscreate.1
index b4eda75..f2f6fc4 100644
--- a/utils/man/man1/tsscreate.1
+++ b/utils/man/man1/tsscreate.1
@@ -89,10 +89,10 @@ userWithAuth attribute clear (default set)]
 data (inSensitive) file name]
 .TP
 [\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
 .TP
 [\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
 .TP
 [\-pwdk
 password for key (default empty)]
diff --git a/utils/man/man1/tsscreateloaded.1 b/utils/man/man1/tsscreateloaded.1
index ccd3d73..ebcf721 100644
--- a/utils/man/man1/tsscreateloaded.1
+++ b/utils/man/man1/tsscreateloaded.1
@@ -93,10 +93,10 @@ userWithAuth attribute clear (default set)]
 data (inSensitive) file name]
 .TP
 [\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
 .TP
 [\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
 .TP
 [\-der
 object's parent is a derivation parent]
diff --git a/utils/man/man1/tsscreateprimary.1 b/utils/man/man1/tsscreateprimary.1
index 895a42e..55a9d85 100644
--- a/utils/man/man1/tsscreateprimary.1
+++ b/utils/man/man1/tsscreateprimary.1
@@ -114,10 +114,10 @@ userWithAuth attribute clear (default set)]
 data (inSensitive) file name]
 .TP
 [\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
 .TP
 [\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
 .HP
 \fB\-se[0\-2]\fR session handle / attributes (default PWAP)
 .TP
diff --git a/utils/man/man1/tssgetcommandauditdigest.1 b/utils/man/man1/tssgetcommandauditdigest.1
index 34711e0..11d3b78 100644
--- a/utils/man/man1/tssgetcommandauditdigest.1
+++ b/utils/man/man1/tssgetcommandauditdigest.1
@@ -17,7 +17,7 @@ signing key handle
 password for key (default empty)]
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
 .TP
 [\-salg
 signature algorithm (rsa, ecc, hmac) (default rsa)]
diff --git a/utils/man/man1/tssgetsessionauditdigest.1 b/utils/man/man1/tssgetsessionauditdigest.1
index d09c78b..3fa4a03 100644
--- a/utils/man/man1/tssgetsessionauditdigest.1
+++ b/utils/man/man1/tssgetsessionauditdigest.1
@@ -20,7 +20,7 @@ password for key (default empty)]
 audit session handle
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
 .TP
 [\-qd
 qualifying data file name]
diff --git a/utils/man/man1/tssgettime.1 b/utils/man/man1/tssgettime.1
index bec0627..ac4b425 100644
--- a/utils/man/man1/tssgettime.1
+++ b/utils/man/man1/tssgettime.1
@@ -17,7 +17,7 @@ password for signing key (default empty)]
 password for endorsement hierarchy (default empty)]
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
 .TP
 [\-salg
 signature algorithm (rsa, ecc, hmac) (default rsa)]
diff --git a/utils/man/man1/tsshash.1 b/utils/man/man1/tsshash.1
index 6eff929..01fa758 100644
--- a/utils/man/man1/tsshash.1
+++ b/utils/man/man1/tsshash.1
@@ -12,7 +12,7 @@ hierarchy (e, o, p, n) (default null)]
 e endorsement, o owner, p platform, n null
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
 .TP
 \fB\-if\fR
 input file to be hashed
diff --git a/utils/man/man1/tsshashsequencestart.1 b/utils/man/man1/tsshashsequencestart.1
index f6d7f52..33225da 100644
--- a/utils/man/man1/tsshashsequencestart.1
+++ b/utils/man/man1/tsshashsequencestart.1
@@ -11,7 +11,7 @@ Runs TPM2_HashSequenceStart
 password for sequence (default empty)]
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512, null) (default sha256)]
+(sha256, sha384, sha512, null) (default sha256)]
 null is an event sequence
 .HP
 \fB\-se[0\-2]\fR session handle / attributes (default NULL)
diff --git a/utils/man/man1/tsshmac.1 b/utils/man/man1/tsshmac.1
index e64a861..c55b998 100644
--- a/utils/man/man1/tsshmac.1
+++ b/utils/man/man1/tsshmac.1
@@ -14,7 +14,7 @@ key handle
 password for key (default empty)]
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
 .TP
 \fB\-if\fR
 input file to be HMACed
diff --git a/utils/man/man1/tsshmacstart.1 b/utils/man/man1/tsshmacstart.1
index 65d4ab6..9dd8fbf 100644
--- a/utils/man/man1/tsshmacstart.1
+++ b/utils/man/man1/tsshmacstart.1
@@ -17,7 +17,7 @@ password for key (default empty)
 password for sequence (default empty)
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
 .HP
 \fB\-se[0\-2]\fR session handle / attributes (default PWAP)
 .TP
diff --git a/utils/man/man1/tssimportpem.1 b/utils/man/man1/tssimportpem.1
index 21c362e..46821eb 100644
--- a/utils/man/man1/tssimportpem.1
+++ b/utils/man/man1/tssimportpem.1
@@ -49,10 +49,10 @@ public area file name
 private area file name
 .TP
 [\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
 .TP
 [\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
 .TP
 [\-pol
 policy file (default empty)]
diff --git a/utils/man/man1/tssloadexternal.1 b/utils/man/man1/tssloadexternal.1
index e32a251..729d357 100644
--- a/utils/man/man1/tssloadexternal.1
+++ b/utils/man/man1/tssloadexternal.1
@@ -11,10 +11,10 @@ Runs TPM2_LoadExternal
 hierarchy (e, o, p, n) (default NULL)]
 .TP
 [\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
 .TP
 [\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
 .IP
 [Asymmetric Key Algorithm]
 .TP
diff --git a/utils/man/man1/tssnvcertify.1 b/utils/man/man1/tssnvcertify.1
index c55f6dc..1a50fd6 100644
--- a/utils/man/man1/tssnvcertify.1
+++ b/utils/man/man1/tssnvcertify.1
@@ -20,7 +20,7 @@ certifying key handle
 password for key (default empty)]
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
 .TP
 [\-salg
 signature algorithm (rsa, ecc, hmac) (default rsa)]
diff --git a/utils/man/man1/tssnvdefinespace.1 b/utils/man/man1/tssnvdefinespace.1
index 0f378e9..5d9d395 100644
--- a/utils/man/man1/tssnvdefinespace.1
+++ b/utils/man/man1/tssnvdefinespace.1
@@ -36,7 +36,7 @@ password for NV index (default empty)]
 sets AUTHWRITE (if not PIN index), AUTHREAD
 .TP
 [\-nalg
-name algorithm (sha1, sha256, sha384 sha512) (default sha256)]
+name algorithm (sha256, sha384 sha512) (default sha256)]
 .TP
 [\-sz
 data size in decimal (default 0)]
diff --git a/utils/man/man1/tssnvreadpublic.1 b/utils/man/man1/tssnvreadpublic.1
index b8c7bbb..c8619bb 100644
--- a/utils/man/man1/tssnvreadpublic.1
+++ b/utils/man/man1/tssnvreadpublic.1
@@ -11,7 +11,7 @@ Runs TPM2_NV_ReadPublic
 NV index handle
 .TP
 [\-nalg
-expected name hash algorithm (sha1, sha256, sha384 sha512)
+expected name hash algorithm (sha256, sha384 sha512)
 (default no check)]
 .TP
 [\-opu
diff --git a/utils/man/man1/tsspolicymaker.1 b/utils/man/man1/tsspolicymaker.1
index 6660f36..36beaaa 100644
--- a/utils/man/man1/tsspolicymaker.1
+++ b/utils/man/man1/tsspolicymaker.1
@@ -6,7 +6,7 @@ policymaker \- Runs TPM2 policymaker
 policymaker
 .TP
 [\-halg
-hash algorithm (sha1 sha256 sha384 sha512) (default sha256)]
+hash algorithm (sha256 sha384 sha512) (default sha256)]
 .TP
 [\-nz
 do not extend starting with zeros, just hash the last line]
diff --git a/utils/man/man1/tsspolicysigned.1 b/utils/man/man1/tsspolicysigned.1
index f50b81a..dab24ba 100644
--- a/utils/man/man1/tsspolicysigned.1
+++ b/utils/man/man1/tsspolicysigned.1
@@ -26,7 +26,7 @@ policyRef file (default none)]
 expiration in decimal (default none)]
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
 .TP
 \fB\-sk\fR
 RSA signing key file name (PEM format)
diff --git a/utils/man/man1/tsspublicname.1 b/utils/man/man1/tsspublicname.1
index 6600436..e42481c 100644
--- a/utils/man/man1/tsspublicname.1
+++ b/utils/man/man1/tsspublicname.1
@@ -45,10 +45,10 @@ rsapss
 null
 .TP
 [\-nalg
-name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+name hash algorithm (sha256, sha384, sha512) (default sha256)]
 .TP
 [\-halg
-scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+scheme hash algorithm (sha256, sha384, sha512) (default sha256)]
 .TP
 [\-uwa
 userWithAuth attribute clear (default set)]
diff --git a/utils/man/man1/tssquote.1 b/utils/man/man1/tssquote.1
index 04a2e60..3de384b 100644
--- a/utils/man/man1/tssquote.1
+++ b/utils/man/man1/tssquote.1
@@ -17,7 +17,7 @@ quoting key handle
 password for quoting key (default empty)]
 .TP
 [\-halg
-for signing (sha1, sha256, sha384, sha512) (default sha256)]
+for signing (sha256, sha384, sha512) (default sha256)]
 .TP
 [\-palg
 for PCR bank selection (sha1, sha256, sha384, sha512) (default sha256)]
diff --git a/utils/man/man1/tssrsadecrypt.1 b/utils/man/man1/tssrsadecrypt.1
index 6c35e42..ff2b0f2 100644
--- a/utils/man/man1/tssrsadecrypt.1
+++ b/utils/man/man1/tssrsadecrypt.1
@@ -16,7 +16,7 @@ password for key (default empty)[ [\-ipwdk password file for key, nul terminated (default empty)] \fB\-ie\fR encrypt file name \fB\-od\fR decrypt file name (default do not save)
-[\-oid (sha1, sha256, sha384 sha512)]
+[\-oid (sha256, sha384 sha512)]
 .IP
 optionally add OID and PKCS1 padding to the encrypt data (demo of signing with arbitrary OID)
diff --git a/utils/man/man1/tsssetcommandcodeauditstatus.1 b/utils/man/man1/tsssetcommandcodeauditstatus.1
index c4d19dc..d84a0c2 100644
--- a/utils/man/man1/tsssetcommandcodeauditstatus.1
+++ b/utils/man/man1/tsssetcommandcodeauditstatus.1
@@ -14,7 +14,7 @@ authhandle hierarchy (o, p) (default platform)]
 authorization password (default empty)]
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512, null) (default null)]
+(sha256, sha384, sha512, null) (default null)]
 .TP
 [\-set
 command code to set (may be specified more than once (default none)]
diff --git a/utils/man/man1/tsssetprimarypolicy.1 b/utils/man/man1/tsssetprimarypolicy.1
index c67c1f9..9238407 100644
--- a/utils/man/man1/tsssetprimarypolicy.1
+++ b/utils/man/man1/tsssetprimarypolicy.1
@@ -17,7 +17,7 @@ authorization password (default empty)]
 policy file (default empty policy)]
 .TP
 [\-halg
-(sha1, sha256) (default null)]
+(sha256) (default null)]
 .HP
 \fB\-se[0\-2]\fR session handle / attributes (default PWAP)
 .TP
diff --git a/utils/man/man1/tsssign.1 b/utils/man/man1/tsssign.1
index d5ad351..df67aee 100644
--- a/utils/man/man1/tsssign.1
+++ b/utils/man/man1/tsssign.1
@@ -17,7 +17,7 @@ input message to hash and sign
 password for key (default empty)]
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
 .TP
 [\-salg
 signature algorithm (rsa, ecc, hmac) (default rsa)]
diff --git a/utils/man/man1/tssstartauthsession.1 b/utils/man/man1/tssstartauthsession.1
index 3e944bb..ad16b0f 100644
--- a/utils/man/man1/tssstartauthsession.1
+++ b/utils/man/man1/tssstartauthsession.1
@@ -19,7 +19,7 @@ t
 Trial policy session
 .TP
 [\-halg
-(sha1, sha256, sha384, sha512) (default sha256)]
+(sha256, sha384, sha512) (default sha256)]
 .TP
 [\-hs
 salt handle (default TPM_RH_NULL)]
diff --git a/utils/man/man1/tssverifysignature.1 b/utils/man/man1/tssverifysignature.1
index e2d6460..d30eee9 100644
--- a/utils/man/man1/tssverifysignature.1
+++ b/utils/man/man1/tssverifysignature.1
@@ -37,7 +37,7 @@ One of \fB\-hk\fR, \fB\-ipem\fR, \fB\-ihmac\fR must be specified
 ticket file name (requires \fB\-hk\fR)]
 .TP
 [\-halg
-(sha1, sha256, sha384 sha512) (default sha256)]
+(sha256, sha384 sha512) (default sha256)]
 .IP
 [Asymmetric Key Algorithm]
 .TP
diff --git a/utils/nvcertify.c b/utils/nvcertify.c
index 81bde69..440c894 100644
--- a/utils/nvcertify.c
+++ b/utils/nvcertify.c
@@ -131,10 +131,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -433,7 +430,7 @@ static void printUsage(void)
 printf("\t[-pwdn\tpassword for NV index (default empty)]\n");
 printf("\t-hk\tcertifying key handle\n");
 printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
 printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
 printf("\t-sz\tdata size\n");
 printf("\t[-off\toffset (default 0)]\n");
diff --git a/utils/nvdefinespace.c b/utils/nvdefinespace.c
index 18ce6ea..cbe253e 100644
--- a/utils/nvdefinespace.c
+++ b/utils/nvdefinespace.c
@@ -124,11 +124,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-nalg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- hashSize = SHA1_DIGEST_SIZE;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 nalg = TPM_ALG_SHA256;
 hashSize = SHA256_DIGEST_SIZE;
 }
@@ -562,7 +558,7 @@ static void printUsage(void)
 printf("\n");
 printf("\t[-pwdn\tpassword for NV index (default empty)]\n");
 printf("\t\tsets AUTHWRITE (if not PIN index), AUTHREAD\n");
- printf("\t[-nalg\tname algorithm (sha1, sha256, sha384 sha512) (default sha256)]\n");
+ printf("\t[-nalg\tname algorithm (sha256, sha384 sha512) (default sha256)]\n");
 printf("\t[-sz\tdata size in decimal (default 0)]\n");
 printf("\t\tIgnored for other than ordinary index\n");
 printf("\t[-ty\tindex type (o, c, b, e, p, f) (default ordinary)]\n");
diff --git a/utils/nvreadpublic.c b/utils/nvreadpublic.c
index cf36b96..cbcae63 100644
--- a/utils/nvreadpublic.c
+++ b/utils/nvreadpublic.c
@@ -101,10 +101,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-nalg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 nalg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -336,7 +333,7 @@ static void printUsage(void)
 printf("Runs TPM2_NV_ReadPublic\n");
 printf("\n");
 printf("\t-ha\tNV index handle\n");
- printf("\t[-nalg\texpected name hash algorithm (sha1, sha256, sha384 sha512)\n"
+ printf("\t[-nalg\texpected name hash algorithm (sha256, sha384 sha512)\n"
 "\t\t(default no check)]\n");
 printf("\t[-opu\tNV public file name (default do not save)]\n");
 printf("\t[-ns\tadditionally print Name in hex ascii on one line]\n");
diff --git a/utils/objecttemplates.c b/utils/objecttemplates.c
index 37d7b64..4d1269c 100644
--- a/utils/objecttemplates.c
+++ b/utils/objecttemplates.c
@@ -576,7 +576,7 @@ void printUsageTemplate(void)
 printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
 printf("\t[-if\tdata (inSensitive) file name]\n");
 printf("\n");
- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
 return;
 }
diff --git a/utils/policymaker.c b/utils/policymaker.c
index 7290ed7..818ac8b 100644
--- a/utils/policymaker.c
+++ b/utils/policymaker.c
@@ -107,10 +107,7 @@ int main(int argc, char *argv[])
 if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- digest.hashAlg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 digest.hashAlg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -342,7 +339,7 @@ static void printUsage(void)
 printf("\n");
 printf("policymaker\n");
 printf("\n");
- printf("\t[-halg\thash algorithm (sha1 sha256 sha384 sha512) (default sha256)]\n");
+ printf("\t[-halg\thash algorithm (sha256 sha384 sha512) (default sha256)]\n");
 printf("\t[-nz\tdo not extend starting with zeros, just hash the last line]\n");
 printf("\t-if\tinput policy statements in hex ascii\n");
 printf("\t[-of\toutput file - policy hash in binary]\n");
diff --git a/utils/policysigned.c b/utils/policysigned.c
index 469cec9..dbecfe0 100644
--- a/utils/policysigned.c
+++ b/utils/policysigned.c
@@ -216,10 +216,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -444,7 +441,7 @@ static void printUsage(void)
 printf("\t[-cp\tcpHash file (default none)]\n");
 printf("\t[-pref\tpolicyRef file (default none)]\n");
 printf("\t[-exp\texpiration in decimal (default none)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
 printf("\t-sk\tRSA signing key file name (PEM format)\n");
 printf("\t\tUse this signing key.\n");
 printf("\t-is\tsignature file name\n");
diff --git a/utils/publicname.c b/utils/publicname.c
index f599d36..fbe9ee4 100644
--- a/utils/publicname.c
+++ b/utils/publicname.c
@@ -90,10 +90,7 @@ int main(int argc, char *argv[])
 if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -115,10 +112,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-nalg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- nalg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 nalg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -441,8 +435,8 @@ static void printUsage(void)
 printf("\t\trsassa\n");
 printf("\t\trsapss\n");
 printf("\t\tnull\n");
- printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
- printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-nalg\tname hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha256, sha384, sha512) (default sha256)]\n");
 printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
 printf("\t[-si\tsigning (default) RSA]\n");
 printf("\t[-st\tstorage (default NULL scheme)]\n");
diff --git a/utils/quote.c b/utils/quote.c
index c29fad0..154187c 100644
--- a/utils/quote.c
+++ b/utils/quote.c
@@ -130,10 +130,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -424,7 +421,7 @@ static void printUsage(void)
 printf("\t-hp\tpcr handle (may be specified more than once)\n");
 printf("\t-hk\tquoting key handle\n");
 printf("\t[-pwdk\tpassword for quoting key (default empty)]\n");
- printf("\t[-halg\tfor signing (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tfor signing (sha256, sha384, sha512) (default sha256)]\n");
 printf("\t[-palg\tfor PCR bank selection (sha1, sha256, sha384, sha512) (default sha256)]\n");
 printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
 printf("\t[-qd\tqualifying data file name]\n");
diff --git a/utils/reg.sh b/utils/reg.sh
index 2d9d100..671720f 100755
--- a/utils/reg.sh
+++ b/utils/reg.sh
@@ -70,11 +70,20 @@ PREFIX=./
 #PREFIX="valgrind ./"
 # hash algorithms to be used for testing
+export RESTRICTED_HASH_ALG
-export ITERATE_ALGS="sha1 sha256 sha384 sha512"
-export ITERATE_ALGS_SIZES="20 32 48 64"
-export ITERATE_ALGS_COUNT=4
-export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1"
+if [ "${RESTRICTED_HASH_ALG}" ]; then
+ export ITERATE_ALGS="sha256 sha384 sha512"
+ export ITERATE_ALGS_SIZES="32 48 64"
+ export ITERATE_ALGS_COUNT=3
+ export BAD_ITERATE_ALGS="sha384 sha512 sha256"
+else
+ export ITERATE_ALGS="sha1 sha256 sha384 sha512"
+ export ITERATE_ALGS_SIZES="20 32 48 64"
+ export ITERATE_ALGS_COUNT=4
+ export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1"
+fi
+export ITERATE_ALGS_WITH_SHA1="sha1 sha256 sha384 sha512"
 printUsage () {
diff --git a/utils/regtests/testattest.sh b/utils/regtests/testattest.sh
index 2dacf88..044d35f 100755
--- a/utils/regtests/testattest.sh
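Review bot: The usage text now advertises different algorithm sets for `-halg` (no sha1) and `-palg` (sha1 still listed), and nothing in the source explains the asymmetry, so a later reader may take the `-palg` line for an oversight and remove sha1 there too. A comment above the two printf calls, `/* -palg only selects which existing PCR bank is read, so sha1 stays valid; -halg picks the signing digest, where sha1 is disallowed */`, would make the distinction explicit. The `-palg` parser is outside this hunk, so I cannot confirm it still accepts sha1 as the help text says; the two should be checked together.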
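Review bot: `RESTRICTED_HASH_ALG` is read only as an environment variable, so whether the regression suite expects sha1 to work is decoupled from whether the binaries under test were built to reject it; with the variable unset, `ITERATE_ALGS` still contains sha1 and every `-halg ${HALG}` invocation of the tools changed in this patch fails. A comment above the `if` should state the contract, e.g. `# Set RESTRICTED_HASH_ALG (any non-empty value) when the utilities were built without SHA-1 support; the lists below must match the build.` Note that `[ "${RESTRICTED_HASH_ALG}" ]` treats any non-empty value, including `0` or `no`, as enabled, which that comment should also say. The bare `export RESTRICTED_HASH_ALG` before the `if` exports whatever the caller set without changing it, which is fine but reads oddly next to the assignments; a trailing comment `# inherited from the caller's environment` would clarify.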
+++ b/utils/regtests/testattest.sh
@@ -379,21 +379,26 @@ echo ""
 echo "Audit a PCR Read"
 echo ""
-for HALG in ${ITERATE_ALGS}
+for HALG in ${ITERATE_ALGS_WITH_SHA1}
 do
+ if [ "${HALG}" = "sha1" ] && [ "${RESTRICTED_HASH_ALG}" ]; then
+ ALT_HALG=sha256
+ else
+ ALT_HALG=${HALG}
+ fi
 echo "Start an audit session ${HALG}"
- ${PREFIX}startauthsession -se h -halg ${HALG} > run.out
+ ${PREFIX}startauthsession -se h -halg ${ALT_HALG} > run.out
 checkSuccess $?
 echo "PCR 16 reset"
 ${PREFIX}pcrreset -ha 16 > run.out
 checkSuccess $?
- cp policies/zero${HALG}.bin tmpdigestr.bin
+ cp policies/zero${ALT_HALG}.bin tmpdigestr.bin
 echo "PCR 16 read ${HALG}"
- ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${ALT_HALG} -iosad tmpdigestr.bin > run.out
 checkSuccess $?
 echo "Get session audit digest"
@@ -409,7 +414,7 @@ do
 checkSuccess $?
 echo "PCR 16 read ${HALG}"
- ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${ALT_HALG} -iosad tmpdigestr.bin > run.out
 checkSuccess $?
 echo "Get session audit digest"
diff --git a/utils/regtests/testevent.sh b/utils/regtests/testevent.sh
index 6336920..57a96d2 100755
--- a/utils/regtests/testevent.sh
+++ b/utils/regtests/testevent.sh
@@ -62,7 +62,7 @@ echo ""
 for TYPE in "1" "2"
 do
- for HALG in ${ITERATE_ALGS}
+ for HALG in ${ITERATE_ALGS_WITH_SHA1}
 do
 echo "Power cycle to reset IMA PCR"
diff --git a/utils/rsadecrypt.c b/utils/rsadecrypt.c
index e2846af..a521edf 100644
--- a/utils/rsadecrypt.c
+++ b/utils/rsadecrypt.c
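Review bot: `echo "Start an audit session ${HALG}"` still reports HALG while the session is now started with `-halg ${ALT_HALG}`, so under `RESTRICTED_HASH_ALG` the log for the sha1 iteration claims a sha1 session that is actually sha256; change it to `echo "Start an audit session ${ALT_HALG}"` (or print both) so a failing run.out can be matched to the command that produced it. In restricted mode the sha1 iteration differs from the sha256 one only in the `-halg ${HALG}` bank argument to pcrread, which is a reasonable test of reading the SHA-1 PCR bank under a SHA-256 audit session, but a one-line comment above the `if` saying that is the purpose of the substitution would stop the next reader from folding the two iterations together. The second hunk (-409) applies the same ALT_HALG substitution and inherits the same log mismatch if a matching echo precedes it, which is outside the hunk.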
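Review bot: The loop in testevent.sh now iterates `ITERATE_ALGS_WITH_SHA1` but, unlike testattest.sh, introduces no ALT_HALG substitution, so if the body (outside the hunk) passes `${HALG}` to any tool whose sha1 parsing this patch removes, the sha1 iteration will fail in a restricted build. If the body only uses PCR-bank options that still accept sha1, a comment on the `for` line, `# sha1 kept: only PCR bank selection is exercised here`, would record why no substitution is needed.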
@@ -130,10 +130,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-oid") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -391,7 +388,6 @@ static TPM_RC padData(uint8_t **buffer,
 uint16_t digestSize;
 const uint8_t *oid;
 uint16_t oidSize;
- const uint8_t sha1Oid[] = {SHA1_DER};
 const uint8_t sha256Oid[] = {SHA256_DER};
 const uint8_t sha384Oid[] = {SHA384_DER};
 const uint8_t sha512Oid[] = {SHA512_DER};
@@ -419,10 +415,6 @@ static TPM_RC padData(uint8_t **buffer,
 /* determine the OID */
 if (rc == 0) {
 switch (halg) {
- case TPM_ALG_SHA1:
- oid = sha1Oid;
- oidSize = SHA1_DER_SIZE;
- break;
 case TPM_ALG_SHA256:
 oid = sha256Oid;
 oidSize = SHA256_DER_SIZE;
@@ -499,7 +491,7 @@ static void printUsage(void)
 printf("\t[-ipwdk\tpassword file for key, nul terminated (default empty)]\n");
 printf("\t-ie\tencrypt file name\n");
 printf("\t-od\tdecrypt file name (default do not save)\n");
- printf("\t[-oid\t(sha1, sha256, sha384 sha512)]\n");
+ printf("\t[-oid\t(sha256, sha384 sha512)]\n");
 printf("\t\toptionally add OID and PKCS1 padding to the\n");
 printf("\t\tencrypt data (demo of signing with arbitrary OID)\n");
 printf("\n");
diff --git a/utils/setcommandcodeauditstatus.c b/utils/setcommandcodeauditstatus.c
index 7a880ae..7a95a59 100644
--- a/utils/setcommandcodeauditstatus.c
+++ b/utils/setcommandcodeauditstatus.c
@@ -125,10 +125,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- in.auditAlg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 in.auditAlg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
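Review bot: With the `TPM_ALG_SHA1` arm removed from the switch in padData, `oid` and `oidSize` are assigned only by the remaining cases, and the `default:` arm that would have to set `rc` to an error for any other value lies outside the hunk, so I cannot confirm that an unexpected `halg` does not leave them unassigned before use; worth checking, since the `-oid` parser earlier in the file now rejects sha1 and the default arm is the only remaining guard. Dropping the `sha1Oid` table in the -391 hunk is consistent with this, and `SHA1_DER` and `SHA1_DER_SIZE` are presumably still defined in a header, which is harmless as long as nothing else references them. padData starts and ends outside the hunk.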
@@ -287,7 +284,7 @@ static void printUsage(void)
 printf("\n");
 printf("\t[-hi\tauthhandle hierarchy (o, p) (default platform)]\n");
 printf("\t[-pwda\tauthorization password (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512, null) (default null)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512, null) (default null)]\n");
 printf("\t[-set\tcommand code to set (may be specified more than once (default none)]\n");
 printf("\t[-clr\tcommand code to clear (may be specified more than once (default none)]\n");
 printf("\n");
diff --git a/utils/setprimarypolicy.c b/utils/setprimarypolicy.c
index 619937f..100e265 100644
--- a/utils/setprimarypolicy.c
+++ b/utils/setprimarypolicy.c
@@ -113,9 +113,6 @@ int main(int argc, char *argv[])
 if (strcmp(argv[i],"sha256") == 0) {
 in.hashAlg = TPM_ALG_SHA256;
 }
- else if (strcmp(argv[i],"sha1") == 0) {
- in.hashAlg = TPM_ALG_SHA1;
- }
 else {
 printf("Bad parameter %s for -halg\n", argv[i]);
 printUsage();
@@ -291,7 +288,7 @@ static void printUsage(void)
 printf("\t[-hi\tauthhandle hierarchy (l, e, o, p) (default platform)]\n");
 printf("\t[-pwda\tauthorization password (default empty)]\n");
 printf("\t[-pol\tpolicy file (default empty policy)]\n");
- printf("\t[-halg\t(sha1, sha256) (default null)]\n");
+ printf("\t[-halg\t(sha256) (default null)]\n");
 printf("\n");
 printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
 printf("\t01\tcontinue\n");
diff --git a/utils/sign.c b/utils/sign.c
index ba2be27..d37f786 100644
--- a/utils/sign.c
+++ b/utils/sign.c
@@ -123,10 +123,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -474,7 +471,7 @@ static void printUsage(void)
 printf("\t-hk\tkey handle\n");
 printf("\t-if\tinput message to hash and sign\n");
 printf("\t[-pwdk\tpassword for key (default empty)]\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
 printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
 printf("\t[-scheme signing scheme (rsassa, rsapss, ecdsa, ecdaa, hmac)]\n");
 printf("\t\t(default rsassa, ecdsa, hmac)]\n");
diff --git a/utils/startauthsession.c b/utils/startauthsession.c
index d47c731..93dc511 100644
--- a/utils/startauthsession.c
+++ b/utils/startauthsession.c
@@ -88,10 +88,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -291,7 +288,7 @@ static void printUsage(void)
 printf("\t\tp Policy session\n");
 printf("\t\tt Trial policy session\n");
 printf("\n");
- printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384, sha512) (default sha256)]\n");
 printf("\t[-hs\tsalt handle (default TPM_RH_NULL)]\n");
 printf("\t[-bi\tbind handle (default TPM_RH_NULL)]\n");
 printf("\t[-pwdb\tbind password for bind handle (default empty)]\n");
diff --git a/utils/verifysignature.c b/utils/verifysignature.c
index 57978d5..7603a1f 100644
--- a/utils/verifysignature.c
+++ b/utils/verifysignature.c
@@ -133,10 +133,7 @@ int main(int argc, char *argv[])
 else if (strcmp(argv[i],"-halg") == 0) {
 i++;
 if (i < argc) {
- if (strcmp(argv[i],"sha1") == 0) {
- halg = TPM_ALG_SHA1;
- }
- else if (strcmp(argv[i],"sha256") == 0) {
+ if (strcmp(argv[i],"sha256") == 0) {
 halg = TPM_ALG_SHA256;
 }
 else if (strcmp(argv[i],"sha384") == 0) {
@@ -473,7 +470,7 @@ static void printUsage(void)
 printf("\n");
 printf("\t[-tk\tticket file name (requires -hk)]\n");
 printf("\n");
- printf("\t[-halg\t(sha1, sha256, sha384 sha512) (default sha256)]\n");
+ printf("\t[-halg\t(sha256, sha384 sha512) (default sha256)]\n");
 printf("\n");
 printf("\t[Asymmetric Key Algorithm]\n");
 printf("\n");
-- 
2.34.1