From ec5440b03cde659e1371c24f367e7666f2072073 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 11 Jul 2018 12:45:11 -0400 Subject: [PATCH] rev148: Rework FIPS_COMPLIANT Signed-off-by: Stefan Berger --- src/tpm2/PropertyCap.c | 8 ++++---- src/tpm2/TpmBuildSwitches.h | 6 ++++-- src/tpm2/crypto/openssl/CryptEccMain.c | 2 +- src/tpm2/crypto/openssl/CryptRand.c | 2 +- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/src/tpm2/PropertyCap.c b/src/tpm2/PropertyCap.c index 422c7970..b249f71c 100644 --- a/src/tpm2/PropertyCap.c +++ b/src/tpm2/PropertyCap.c @@ -1,9 +1,9 @@ /********************************************************************************/ /* */ -/* */ +/* For accessing the TPM_CAP_TPM_PROPERTY values */ /* Written by Ken Goldman */ /* IBM Thomas J. Watson Research Center */ -/* $Id: PropertyCap.c 1047 2017-07-20 18:27:34Z kgoldman $ */ +/* $Id: PropertyCap.c 1259 2018-07-10 19:11:09Z kgoldman $ */ /* */ /* Licenses and Notices */ /* */ @@ -55,7 +55,7 @@ /* arising in any way out of use or reliance upon this specification or any */ /* information herein. */ /* */ -/* (c) Copyright IBM Corp. and others, 2016, 2017 */ +/* (c) Copyright IBM Corp. and others, 2016 - 2018 */ /* */ /********************************************************************************/ @@ -383,7 +383,7 @@ TPMPropertyIsDefined( *value = MAX_NV_BUFFER_SIZE; break; case TPM_PT_MODES: -#ifdef FIPS_COMPLIANT +#if FIPS_COMPLIANT *value = 1; #else *value = 0; diff --git a/src/tpm2/TpmBuildSwitches.h b/src/tpm2/TpmBuildSwitches.h index ddb63eea..8d3901ef 100644 --- a/src/tpm2/TpmBuildSwitches.h +++ b/src/tpm2/TpmBuildSwitches.h @@ -83,9 +83,11 @@ #if !defined LIBRARY_COMPATIBILITY_CHECK && defined SIMULATION # define LIBRARY_COMPATABILITY_CHECK #endif -#ifndef FIPS_COMPLIANT -//# define FIPS_COMPLIANT +#if !(defined FIPS_COMPLIANT) || ((FIPS_COMPLIANT != NO) && (FIPS_COMPLIANT != YES)) +# undef FIPS_COMPLIANT +# define FIPS_COMPLIANT NO // Default: Either YES or NO #endif + // Definition to allow alternate behavior for non-orderly startup. If there is a chance that the TPM // could not update failedTries #if !(defined USE_DA_USED) || ((USE_DA_USED != NO) && (USE_DA_USED != YES)) diff --git a/src/tpm2/crypto/openssl/CryptEccMain.c b/src/tpm2/crypto/openssl/CryptEccMain.c index 86cf8160..c330717e 100644 --- a/src/tpm2/crypto/openssl/CryptEccMain.c +++ b/src/tpm2/crypto/openssl/CryptEccMain.c @@ -737,7 +737,7 @@ CryptEccGenerateKey( BnPointTo2B(&publicArea->unique.ecc, ecQ, E); BnTo2B(bnD, &sensitive->sensitive.ecc.b, publicArea->unique.ecc.x.t.size); } -#if defined FIPS_COMPLIANT || 1 +#if FIPS_COMPLIANT // See if PWCT is required if(OK && (IS_ATTRIBUTE(publicArea->objectAttributes, TPMA_OBJECT, sign))) // kgold // if(OK && publicArea->objectAttributes.sign) diff --git a/src/tpm2/crypto/openssl/CryptRand.c b/src/tpm2/crypto/openssl/CryptRand.c index 1aa8b630..0363dafe 100644 --- a/src/tpm2/crypto/openssl/CryptRand.c +++ b/src/tpm2/crypto/openssl/CryptRand.c @@ -284,7 +284,7 @@ EncryptDRBG( UINT32 *lastValue // Points to the last output value ) { -#ifdef FIPS_COMPLIANT +#if FIPS_COMPLIANT // For FIPS compliance, the DRBG has to do a continuous self-test to make sure that // no two consecutive values are the same. This overhead is not incurred if the TPM // is not required to be FIPS compliant