diff --git a/man/man3/TPMLIB_SetProfile.pod b/man/man3/TPMLIB_SetProfile.pod index bc60c3ee..baea657d 100644 --- a/man/man3/TPMLIB_SetProfile.pod +++ b/man/man3/TPMLIB_SetProfile.pod @@ -193,6 +193,15 @@ I. The following is a list of supported verbs: =back +=item B: (since v0.10) + +=over 2 + +=item * Prevents signature generation with a SHA1 with RSA and ECC +algorithms + +=back + =back =head1 ERRORS diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c index d807a48c..2a560c61 100644 --- a/src/tpm2/CryptUtil.c +++ b/src/tpm2/CryptUtil.c @@ -1529,6 +1529,17 @@ CryptSign(OBJECT* signKey, // IN: signing key // doesn't have a hashAlg member. signature->signature.any.hashAlg = signScheme->details.any.hashAlg; + switch(signKey->publicArea.type) // libtpms added begin + { + case TPM_ALG_RSA: + case TPM_ALG_ECC: + if (signScheme->details.any.hashAlg == TPM_ALG_SHA1 && + RuntimeProfileRequiresAttributeFlags(&g_RuntimeProfile, + RUNTIME_ATTRIBUTE_NO_SHA1_SIGNING)) + return TPM_RC_HASH; + break; + } // libtpms added end + // perform sign operation based on different key type switch(signKey->publicArea.type) { diff --git a/src/tpm2/RuntimeAttributes.c b/src/tpm2/RuntimeAttributes.c index 71ff68e1..ad17c593 100644 --- a/src/tpm2/RuntimeAttributes.c +++ b/src/tpm2/RuntimeAttributes.c @@ -58,6 +58,8 @@ static const struct { { .name = NAME, .attributeFlags = FLAGS, .stateFormatLevel = SFL } ATTRIBUTE("no-unpadded-encryption", RUNTIME_ATTRIBUTE_NO_UNPADDED_ENCRYPTION, 7), + ATTRIBUTE("no-sha1-signing", RUNTIME_ATTRIBUTE_NO_SHA1_SIGNING, + 7), }; LIB_EXPORT void diff --git a/src/tpm2/RuntimeAttributes_fp.h b/src/tpm2/RuntimeAttributes_fp.h index 059a54c4..d84b93f1 100644 --- a/src/tpm2/RuntimeAttributes_fp.h +++ b/src/tpm2/RuntimeAttributes_fp.h 
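Review bot: In the src/tpm2/CryptUtil.c hunk, the added `switch` in CryptSign rejects SHA1 only for `TPM_ALG_RSA` and `TPM_ALG_ECC` keys and has no `default`, so a reader cannot tell whether letting every other key type through under `no-sha1-signing` is intended. The man page text in this commit limits the attribute to RSA and ECC, so I would state that in the code, e.g. `default: /* no-sha1-signing covers RSA and ECC keys only */ break;`, and brace the multi-line `if` so that `return TPM_RC_HASH;` cannot be detached from its condition by a later edit. The rejection also comes after `signature->signature.any.hashAlg` has been written, so on `TPM_RC_HASH` the output structure is left partly filled; moving the check above that assignment would avoid this. CryptSign starts and ends outside the hunk, so whether every signing command reaches this function cannot be confirmed from here.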
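Review bot: In the src/tpm2/RuntimeAttributes.c hunk, `no-sha1-signing` is registered with stateFormatLevel `7`, the level that already carries `no-unpadded-encryption`. If a build that accepts level 7 state has already been released without this attribute, a profile containing `no-sha1-signing` would be labelled with a level that build claims to understand but cannot parse or enforce, and the entry would then need its own, higher level. If both attributes first ship together (the man page hunk says "since v0.10"), a short comment on the entry saying so would settle the question when the next attribute is added.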
@@ -42,9 +42,10 @@ #ifndef RUNTIME_ATTRIBUTES_H #define RUNTIME_ATTRIBUTES_H -#define NUM_ENTRIES_ATTRIBUTE_PROPERTIES 1 +#define NUM_ENTRIES_ATTRIBUTE_PROPERTIES 2 #define RUNTIME_ATTRIBUTE_NO_UNPADDED_ENCRYPTION (1 << 0) +#define RUNTIME_ATTRIBUTE_NO_SHA1_SIGNING (1 << 1) struct RuntimeAttributes { /* */ diff --git a/src/tpm2/RuntimeProfile.c b/src/tpm2/RuntimeProfile.c index d5183edf..2792467d 100644 --- a/src/tpm2/RuntimeProfile.c +++ b/src/tpm2/RuntimeProfile.c @@ -93,6 +93,7 @@ static const struct RuntimeProfileDesc { * marshalled now * 7 : Attribute support was added: * - no-unpadded-encryption + * - no-sha1-signing */ const char *description; #define DESCRIPTION_MAX_SIZE 250 diff --git a/tests/tpm2_setprofile.c b/tests/tpm2_setprofile.c index 4c710932..bdc6cc5a 100644 --- a/tests/tpm2_setprofile.c +++ b/tests/tpm2_setprofile.c @@ -328,7 +328,7 @@ static const struct { "\"Commands\":\"0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159," "0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178," "0x17a-0x193,0x197\"," - "\"Attributes\":\"no-unpadded-encryption\"," + "\"Attributes\":\"no-unpadded-encryption,no-sha1-signing\"," "\"Description\":\"test\"" "}", .exp_fail = false, @@ -346,7 +346,7 @@ static const struct { "kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192," "ecc-nist,ecc-bn,ecc-sm2-p256,symcipher,camellia," "camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb\"," - "\"Attributes\":\"no-unpadded-encryption\"," + "\"Attributes\":\"no-unpadded-encryption,no-sha1-signing\"," "\"Description\":\"test\"" "}}", }, {
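Review bot: In the src/tpm2/RuntimeAttributes_fp.h hunk, `NUM_ENTRIES_ATTRIBUTE_PROPERTIES` is bumped by hand to match the entry added to the table in RuntimeAttributes.c, and nothing visible in the diff ties the two together. If the table is declared with this constant as its size, bumping the constant without adding an entry would leave a zero-initialised slot with a NULL `name` that lookups may dereference. Deriving the count from the table, or declaring the table unsized and adding a `_Static_assert` that its element count equals the constant, would remove the manual step. The table's declaration is outside the hunks, so its identifier is not quoted here.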
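Review bot: The two tests/tpm2_setprofile.c hunks (at -328 and -346) only extend the expected `Attributes` string, so they test that `no-sha1-signing` is parsed and echoed back, not that it is enforced. Nothing in this diff signs with an RSA or ECC key under SHA1 and checks for `TPM_RC_HASH`, or confirms that a non-SHA1 signature still succeeds with the attribute set, so a regression that drops the check in CryptSign would pass these tests. I would add such a case, or name the existing one in the commit message if it lives outside this diff. The test table's initializer starts and ends outside both hunks.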