You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
136 lines
4.6 KiB
136 lines
4.6 KiB
From 506ae7f508cdcaca1cad7433725e8f4c115f843b Mon Sep 17 00:00:00 2001 |
|
From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20Hor=C3=A1=C4=8Dek?= |
|
<shoracek@redhat.com> |
|
Date: Fri, 25 Feb 2022 15:28:28 +0100 |
|
Subject: [PATCH 4/4] Restrict SHA-1 in TSS |
|
MIME-Version: 1.0 |
|
Content-Type: text/plain; charset=UTF-8 |
|
Content-Transfer-Encoding: 8bit |
|
|
|
Signed-off-by: Štěpán Horáček <shoracek@redhat.com> |
|
--- |
|
utils/cryptoutils.c | 4 --- |
|
utils/tss20.c | 81 ++++++++++++++++++++++++++++++++++++++++++++- |
|
2 files changed, 80 insertions(+), 5 deletions(-) |
|
|
|
diff --git a/utils/cryptoutils.c b/utils/cryptoutils.c |
|
index 7b5de79..98396a7 100644 |
|
--- a/utils/cryptoutils.c |
|
+++ b/utils/cryptoutils.c |
|
@@ -2136,10 +2136,6 @@ TPM_RC verifyRSASignatureFromRSA(unsigned char *message, |
|
/* map from hash algorithm to openssl nid */ |
|
if (rc == 0) { |
|
switch (halg) { |
|
- case TPM_ALG_SHA1: |
|
- nid = NID_sha1; |
|
- md = EVP_sha1(); |
|
- break; |
|
case TPM_ALG_SHA256: |
|
nid = NID_sha256; |
|
md = EVP_sha256(); |
|
diff --git a/utils/tss20.c b/utils/tss20.c |
|
index c778069..bd05cf3 100644 |
|
--- a/utils/tss20.c |
|
+++ b/utils/tss20.c |
|
@@ -678,6 +678,76 @@ extern int tssVerbose; |
|
extern int tssVverbose; |
|
extern int tssFirstCall; |
|
|
|
+int TSS_CheckSha1_PublicArea(TPMT_PUBLIC *publicArea) |
|
+{ |
|
+ return publicArea->nameAlg == TPM_ALG_SHA1 || |
|
+ ((publicArea->type == TPM_ALG_RSA || publicArea->type == TPM_ALG_ECC) && |
|
+ publicArea->parameters.asymDetail.scheme.scheme != TPM_ALG_NULL && |
|
+ publicArea->parameters.asymDetail.scheme.details.anySig.hashAlg == TPM_ALG_SHA1); |
|
+} |
|
+ |
|
+int TSS_CheckSha1_SigScheme(TPMT_SIG_SCHEME *sigScheme) |
|
+{ |
|
+ return sigScheme->details.any.hashAlg == TPM_ALG_SHA1; |
|
+} |
|
+ |
|
+int TSS_CheckSha1(COMMAND_PARAMETERS *in, |
|
+ TPM_CC commandCode) |
|
+{ |
|
+ switch (commandCode) |
|
+ { |
|
+ case TPM_CC_Certify: |
|
+ return TSS_CheckSha1_SigScheme(&in->Certify.inScheme); |
|
+ case TPM_CC_CertifyCreation: |
|
+ return TSS_CheckSha1_SigScheme(&in->CertifyCreation.inScheme); |
|
+ case TPM_CC_Create: |
|
+ return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea); |
|
+ case TPM_CC_CreateLoaded: |
|
+ return TSS_CheckSha1_PublicArea(&in->Create.inPublic.publicArea); |
|
+ case TPM_CC_CreatePrimary: |
|
+ return TSS_CheckSha1_PublicArea(&in->CreatePrimary.inPublic.publicArea); |
|
+ case TPM_CC_GetCommandAuditDigest: |
|
+ return TSS_CheckSha1_SigScheme(&in->GetCommandAuditDigest.inScheme); |
|
+ case TPM_CC_GetSessionAuditDigest: |
|
+ return TSS_CheckSha1_SigScheme(&in->GetSessionAuditDigest.inScheme); |
|
+ case TPM_CC_GetTime: |
|
+ return TSS_CheckSha1_SigScheme(&in->GetTime.inScheme); |
|
+ case TPM_CC_Hash: |
|
+ return in->Hash.hashAlg == TPM_ALG_SHA1; |
|
+ case TPM_CC_HashSequenceStart: |
|
+ return in->HashSequenceStart.hashAlg == TPM_ALG_SHA1; |
|
+ case TPM_CC_HMAC: |
|
+ return in->HMAC.hashAlg == TPM_ALG_SHA1; |
|
+ case TPM_CC_HMAC_Start: |
|
+ return in->HMAC_Start.hashAlg == TPM_ALG_SHA1; |
|
+ case TPM_CC_Import: |
|
+ return TSS_CheckSha1_PublicArea(&in->Import.objectPublic.publicArea); |
|
+ case TPM_CC_LoadExternal: |
|
+ return TSS_CheckSha1_PublicArea(&in->LoadExternal.inPublic.publicArea); |
|
+ case TPM_CC_NV_Certify: |
|
+ return TSS_CheckSha1_SigScheme(&in->NV_Certify.inScheme); |
|
+ case TPM_CC_NV_DefineSpace: |
|
+ return in->NV_DefineSpace.publicInfo.nvPublic.nameAlg == TPM_ALG_SHA1; |
|
+ case TPM_CC_PolicySigned: |
|
+ return in->PolicySigned.auth.signature.any.hashAlg == TPM_ALG_SHA1; |
|
+ case TPM_CC_Quote: |
|
+ return TSS_CheckSha1_SigScheme(&in->Quote.inScheme); |
|
+ case TPM_CC_RSA_Decrypt: |
|
+ return TSS_CheckSha1_SigScheme(&in->RSA_Decrypt.inScheme); |
|
+ case TPM_CC_SetCommandCodeAuditStatus: |
|
+ return in->SetCommandCodeAuditStatus.auditAlg == TPM_ALG_SHA1; |
|
+ case TPM_CC_SetPrimaryPolicy: |
|
+ return in->SetPrimaryPolicy.hashAlg == TPM_ALG_SHA1; |
|
+ case TPM_CC_Sign: |
|
+ return TSS_CheckSha1_SigScheme(&in->Sign.inScheme); |
|
+ case TPM_CC_StartAuthSession: |
|
+ return in->StartAuthSession.authHash == TPM_ALG_SHA1; |
|
+ case TPM_CC_VerifySignature: |
|
+ return in->VerifySignature.signature.signature.any.hashAlg == TPM_ALG_SHA1; |
|
+ } |
|
+ |
|
+ return 0; |
|
+} |
|
|
|
TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext, |
|
RESPONSE_PARAMETERS *out, |
|
@@ -687,11 +757,20 @@ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext, |
|
va_list ap) |
|
{ |
|
TPM_RC rc = 0; |
|
- |
|
+ |
|
+#ifdef RESTRICTED_HASH_ALG |
|
+ if (rc == 0) { |
|
+ if (TSS_CheckSha1(in, commandCode)) { |
|
+ rc = TPM_RC_HASH; |
|
+ } |
|
+ } |
|
+#endif /* RESTRICTED_HASH_ALG */ |
|
+ |
|
/* create a TSS authorization context */ |
|
if (rc == 0) { |
|
TSS_InitAuthContext(tssContext->tssAuthContext); |
|
} |
|
+ |
|
/* handle any command specific command pre-processing */ |
|
if (rc == 0) { |
|
rc = TSS_Command_PreProcessor(tssContext, |
|
-- |
|
2.34.1 |
|
|
|
|