drbg-continous-test enables an existing code block that was previously
only enabled when FIPS_COMPLIANT #define was set. This code block
ensures that previous 4 consecutive random numbers do not appear again
at the beginning of a 16-byte block.
Extend an existing test case with this new attribute.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Prevent SHA1 signature verification like FIPS mode on the host does
by implementing attribute no-sha1-signing.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Prevent SHA1 signature generation like FIPS mode on the host does
for RSA and all ECC (ecdsa, ecdaa, ecschnorr, sm2) signing algorithms
by implementing attribute no-sha1-signing.
Since CryptRSASign and CryptEccSign are called from CryptSign the
check for SHA1 can be done there. The other call locations are
from the algorithm test functions where the default hash is SHA512.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement support for RuntimeAttributes which will be provided using
the Attribute key in the map.
Implement a fip-host attribute that at this point does not do much.
Add test case for fips-host attribute.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use free rather than TPM_Free to avoid the following warning:
tpm2_setprofile.c:377:18: warning: passing 'char *' to parameter \
of type 'unsigned char *' converts between pointers to integer \
types with different sign [-Wpointer-sign]
TPM_Free(profile);
../include/libtpms/tpm_memory.h:57:36: note: passing argument to \
parameter 'buffer' here
void TPM_Free(unsigned char *buffer);
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Bump up the StateFormatLevel to 6 and use it to introduce a new OBJECT
marshalling format version '4' that slighly changes how an OBJECT is
marshalled:
- only marshal the private exponent for an RSA key
- always marshal the new hierarchy field
The marshalling code can still write previous version '3' when an older
StateFormatLevel is used to support backwards compatibility.
Adjust the test cases marshalling an RSA key OBJECT to check against
expected sizes across a series of StateFormatLevels.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Test that a user is able to choose a specific StateFormatLevel that is not
required by any of the chosen commands but enables a bugfix in the TPM 2
code for example.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable Camellia-192 and AES-192 and bump up the stateFormatLevel to '4'.
This now prevents using this state with previous stateFormatLevels (< 4)
because there Camellia-192 or AES-192 was not enabled and the user would
otherwise not be able to decrypt data with either one if it was usable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable new commands ECC_Decrypt and ECC_Encrypt in the TPmProfile.h
and also in the 'default' profile. Since the additional commands extend
the ppList and auditCommands array, bump up the version of the stateLevel
to '2' and use the new marshalling functions by using the PERSISTENT_DATA
blob_version '5'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
