Add RuntimeAttribute 'fips-140-3' that restricts a TPM 2 following
requirements of the FIPS-140-3 standard:
- Prevents raw RSA encryption and decryption
- Prevents SHA1 signature generation + verification
- Prevents derivation of ECC keys from derivation parent and for creation
of ephemeral keys
- Performs a pairwise consistency test on RSA keys and ECC signing keys
- Enables continuous DRBG test
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Per "TCG FIPS 140-3 guidance for TPM 2.0" document the following functions
must prevent an asymmetric ECC key derivation:
- Table 14: TPM2_CreateLoaded
- Table 18: TPM2_ZGen_2Phase
- Table 26: TPM2_Commit
- Table 26: TPM2_EC_Ephemeral
Return TPM_RC_TYPE as a return code to indicate failure of deriving a key.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Restrict profile names to 32 characters to avoid having to carry
excessively long names in the TPM's state file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Allow setting the minimum HMAC key size and add enforcement gates.
Check that the value of hmac=min-key-size given in the profile is not
larger than 1024. This value is taken from the maximum size of
TPM2B_SENSITIVE, which is MAX_SYM_DATA (=128), which can be provided as
key to an HMAC.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Some function parameters are unused due to OpenSSL usage and other changes
by libtpms. Mark those as unused to avoid static analyzer warnings.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

To avoid static analyzer warnings due to non-literal format strings being
used, wrap asprintf in TPMLIB_asprintf and call vasprintf from there.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Implement a pairwise consistency test for RSA keys that is to be enabled
with FIPS_COMPLIANT #define temporarily. Test encryption+decryption and
sign+verify with the created key on random input data.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

drbg-continous-test enables an existing code block that was previously
only enabled when FIPS_COMPLIANT #define was set. This code block
ensures that the previous 4 consecutive random numbers do not appear again
at the beginning of a 16-byte block.
Extend an existing test case with this new attribute.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Only constant strings will be assigned to the static array, so make the
name field also a const char *.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

When a non-modifiable profile is chosen then copy the StateFormatLevel
(SFL) from the internal profile as before. A reason for copying the SFL
is also because the user is not allowed to make modifications to this
type of profile. Otherwise, if the user chooses a modifiable profile,
then let the user choose the StateFormatLevel.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Deduplicate verbs in Commands, Algorithms, and Attributes strings in a
profile and when a verb with an '=' sign is found, such as
ecc-min-size=224, and there is a duplicate later in the string, such as
ecc-min-size=256, then keep the last one.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

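The deduplication rule described in the commit above, written out as an added C example that is not libtpms code: `dedup_verbs` is a hypothetical helper, and the verb strings in the comments are constructed samples. A verb with an '=' is identified by its key and the last value wins; a plain verb is kept once; the surviving verbs keep their relative order.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two verbs are "the same" if both are key=value with equal keys, or if
 * they are byte-for-byte identical (plain verbs without '='). */
static int same_verb(const char *v, size_t vlen, const char *w, size_t wlen)
{
    const char *ev = memchr(v, '=', vlen);
    const char *ew = memchr(w, '=', wlen);

    if (ev && ew) {
        size_t kv = (size_t)(ev - v), kw = (size_t)(ew - w);
        return kv == kw && memcmp(v, w, kv) == 0;
    }
    return vlen == wlen && memcmp(v, w, vlen) == 0;
}

/* Deduplicate a comma-separated verb string such as the Commands,
 * Algorithms or Attributes value of a profile. For each verb, look ahead:
 * if a later verb has the same identity, drop this one, so that the last
 * occurrence survives (e.g. "ecc-min-size=224,...,ecc-min-size=256" keeps
 * ecc-min-size=256). Empty verbs (",,") are dropped. Returns a malloc'ed
 * string the caller must free, or NULL on allocation failure. */
char *dedup_verbs(const char *verbs)
{
    size_t n = strlen(verbs);
    char *out = malloc(n + 1);   /* output is never longer than input */
    size_t outlen = 0;
    const char *tok = verbs;

    if (!out)
        return NULL;

    for (;;) {
        const char *end = strchr(tok, ',');
        size_t len = end ? (size_t)(end - tok) : strlen(tok);
        int dup_later = 0;

        if (len > 0) {
            const char *later = end ? end + 1 : NULL;

            while (later && !dup_later) {
                const char *lend = strchr(later, ',');
                size_t llen = lend ? (size_t)(lend - later) : strlen(later);

                if (llen > 0 && same_verb(tok, len, later, llen))
                    dup_later = 1;
                later = lend ? lend + 1 : NULL;
            }
            if (!dup_later) {
                if (outlen > 0)
                    out[outlen++] = ',';
                memcpy(out + outlen, tok, len);
                outlen += len;
            }
        }
        if (!end)
            break;
        tok = end + 1;
    }
    out[outlen] = '\0';
    return out;
}

int main(void)
{
    /* constructed sample profile attribute string */
    const char *attrs = "ecc-min-size=224,no-sha1-signing,ecc-min-size=256,no-sha1-signing";
    char *d = dedup_verbs(attrs);

    if (!d)
        return 1;
    printf("%s\n", d);   /* ecc-min-size=256,no-sha1-signing */
    free(d);
    return 0;
}
```

Because each verb is compared only against the verbs that follow it, the result is the set of last occurrences in their original order, which is what makes a later `ecc-min-size=256` override an earlier `ecc-min-size=224` without reordering the rest of the list.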
Remove the test case and renaming of the reference implementation of
CryptKDFe. Reverting this patch would bring the test case back in case
it was necessary.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

To still be able to run the KDFe test case when the OpenSSL replacement
for the KDFe is to be used, rename the reference implementation to
ReferenceCryptKDFe that coexists with the CryptKDFe function that then
calls OSSLCryptKDFe.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Implement a KDFe replacement using OpenSSL's SSKDF and add a test
case that compares the current implementation against the one based
on the OpenSSL SSKDF.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Prevent SHA1 signature verification like FIPS mode on the host does
by implementing attribute no-sha1-signing.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Prevent SHA1 signature generation like FIPS mode on the host does
for RSA and all ECC (ecdsa, ecdaa, ecschnorr, sm2) signing algorithms
by implementing attribute no-sha1-signing.
Since CryptRSASign and CryptEccSign are called from CryptSign the
check for SHA1 can be done there. The other call locations are
from the algorithm test functions where the default hash is SHA512.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Implement support for RuntimeAttributes which will be provided using
the Attribute key in the map.
Implement a fips-host attribute that at this point does not do much.
Add test case for fips-host attribute.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Use free rather than TPM_Free to avoid the following warning:
tpm2_setprofile.c:377:18: warning: passing 'char *' to parameter \
of type 'unsigned char *' converts between pointers to integer \
types with different sign [-Wpointer-sign]
TPM_Free(profile);
../include/libtpms/tpm_memory.h:57:36: note: passing argument to \
parameter 'buffer' here
void TPM_Free(unsigned char *buffer);
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Implement TPMLIB_WasManufactured API call for a TPM 2 so that callers can
detect whether a TPM 2 instance was newly created and therefore the
profile that was set was also applied.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Add the missing entry to the sieveMarks array. The new entry would only
be used for RSA 3072 keys but due to the following change in
RsaAdjustPrimeLimit it will not be used.
primeLimit = s_LastPrimeInTable - 2; // libtpms: Fix for 3072 bit keys to avoid mark=5
If it was to be used (above change removed) it would occasionally produce
different RSA 3072 prime numbers from the TPM's seeds and therefore any
change to the above will have to depend on the SEED_COMPAT_LEVEL so that
the same keys are always produced.
Use the full sieveMarks array to generate RSA 3072 keys when
SEED_COMPAT_LEVEL > SEED_COMPAT_LEVEL_RSA_PRIME_ADJUST_PREREV169,
otherwise keep the previous adjustment to avoid mark=5.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Since go.preservedSignaled is not available due to __ACT_DISABLED being defined
apply the same conditional code enablement here.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>