Implement a KDFa replacement using OpenSSL's KBKDF function. The resulting
implementation has a few restrictions compared to the original one.
For example, it cannot accept a counter value to be passed in to resume
the KDFa as the reference implementation could -- OSSL does not support
providing the counter in this becomes problematic with DRBG_Generate
where it seems to want to resume with a counter over the long-term.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
To still be able to run the KDFe test case when the OpenSSL replacement
for the KDFe is to be used, rename the reference implemention to
ReferenceCryptKDFe that coexists with the CryptKDFe function that then
calls OSSLCryptKDFe.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement a KDFe replacement using OpenSSL's SSKDF and add a test
case that compares the current implementation against the one based
on the OpenSSL SSKDF.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Check for an out-of-range command code before using it to access
an index in an array in a debug statement.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
In case a hash algorithm id has a value >= 64 print out and error. This
should never occur since any hash algorithm id should have been set through
unmarshalling or by TPM 2-internal code.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable Camellia-192 and AES-192 and bump up the stateFormatLevel to '4'.
This now prevents using this state with previous stateFormatLevels (< 4)
because there Camellia-192 or AES-192 was not enabled and the user would
otherwise not be able to decrypt data with either one if it was usable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable new commands ECC_Decrypt and ECC_Encrypt in the TPmProfile.h
and also in the 'default' profile. Since the additional commands extend
the ppList and auditCommands array, bump up the version of the stateLevel
to '2' and use the new marshalling functions by using the PERSISTENT_DATA
blob_version '5'.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Switch the implementation to uncompressed lists (from now on it must
remain uncompressed lists forever) and adapt functions who marshal
and unmarshal arrays that are affected by this switch:
- PERSISTENT_DATA.ppList
- PERSISTENT_DATA.auditCommands
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The maximum SEED_COMPAT_LEVEL that libtpms may use depends on the earliest
version of libtpms that a profile can run on. Therefore, implement
RuntimeProfileGetSeedCompatLevel() to determine the SEED_COMPAT_LEVEL that
a profile can use, which depends on the profile's stateCompatLevel (which
in turn depends on the version of libtpms)
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add a new API call TPMLIB_SetProfile that enables a user to set a profile.
The user gets control over the name of the profile to apply and may supply
the algoritms to enable. The user does not get control over the individual
commands to enable.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
For profiles that work for libtpms v0.10 or later, so for
StatFormatLevel >=2, use ANY_MARSHAL_Object to write OBJECTS into
the NVRAM. This way OBJECTS are written in a more compact format.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Runtime-disabling any hash algorithm also means that the corresponding
hash bank must be disabled as well. In case the SHA-1 bank is disabled,
the output of TPM2_GetCapability must therefore filter-out the SHA-1 bank
that is still compiled-in but otherwise cannot be used.
$ tssgetcapability -cap 5
3 PCR selections
hash TPM_ALG_SHA256
TPMS_PCR_SELECTION length 3
ff ff ff
hash TPM_ALG_SHA384
TPMS_PCR_SELECTION length 3
ff ff ff
hash TPM_ALG_SHA512
TPMS_PCR_SELECTION length 3
ff ff ff
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Rather than returning the hardcoded number of commands for the
TPM_CAP_TPM_PROPERTIES capability return the number of commands
that are currently enabled due to the active profile.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Also extend the man page to describe the new output.
swtpm_ioctl --info 0x40 --tcp :2322 | jq
{
"AvailableProfiles": [
{
"Name": "default-v1",
"StateFormatLevel": 4,
"Commands": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197,0x199-0x19a",
"Algorithms": "rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
"Description": "This profile enables all currenly supported commands and algorithms. It is applied when the user chooses no profile."
},
{
"Name": "null",
"StateFormatLevel": 1,
"Commands": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197",
"Algorithms": "rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
"Description": "The profile enables the commands and algorithms that were enabled in libtpms v0.9. This profile is automatically used when the state does not have a profile, for example when it was created by libtpms v0.9 or before."
},
...
}
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Also extend the man page to describe the new output.
swtpm_ioctl --info 0x20 --tcp :2322 | jq
{
"ActiveProfile": {
"Name": "null",
"StateFormatLevel": 1,
"Commands": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197",
"Algorithms": "rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
"Description": "The profile enables the commands and algorithms that were enabled in libtpms v0.9. This profile is automatically used when the state does not have a profile, for example when it was created by libtpms v0.9 or before."
}
}
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Also extend the man page to describe the new output.
swtpm_ioctl --info 0x10 --tcp :2322 | jq
{
"RuntimeCommands": {
"Implemented": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197,0x199-0x19a",
"CanBeDisabled": "0x11f,0x121-0x122,0x124-0x128,0x12a-0x12e,0x130,0x132-0x13b,0x13d-0x140,0x142,0x146-0x147,0x149-0x14d,0x14f-0x152,0x154-0x155,0x159,0x15b,0x15d-0x15e,0x160-0x164,0x167-0x168,0x16a-0x172,0x174,0x177-0x178,0x17b,0x17f-0x181,0x183-0x184,0x187-0x193,0x197,0x199-0x19a",
"Enabled": "0x11f-0x122,0x124-0x12e,0x130-0x140,0x142-0x159,0x15b-0x15e,0x160-0x165,0x167-0x174,0x176-0x178,0x17a-0x193,0x197,0x199-0x19a",
"Disabled": ""
}
}
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Extend TPM2_GetInfo() to return information about runtime-enabled
algorithms like this:
$ swtpm_ioctl --info 8 --tcp :2322 | jq
{
"RuntimeAlgorithms": {
"Implemented": "rsa,rsa-min-size=1024,tdes,tdes-min-size=128,sha1,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,sha512,null,rsassa,rsaes,rsapss,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,ecmqv,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-nist,ecc-bn,ecc-nist-p192,ecc-nist-p224,ecc-nist-p256,ecc-nist-p384,ecc-nist-p521,ecc-bn-p256,ecc-bn-p638,ecc-sm2-p256,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
"CanBeDisabled": "tdes,sha1,sha512,rsassa,rsaes,rsapss,ecmqv,ecc-nist,ecc-bn,ecc-nist-p192,ecc-nist-p224,ecc-nist-p521,ecc-bn-p256,ecc-bn-p638,ecc-sm2-p256,camellia,cmac,ctr,ofb,cbc,ecb",
"Enabled": "rsa,rsa-min-size=1024,hmac,aes,aes-min-size=128,mgf1,keyedhash,xor,sha256,sha384,null,oaep,ecdsa,ecdh,ecdaa,sm2,ecschnorr,kdf1-sp800-56a,kdf2,kdf1-sp800-108,ecc,ecc-min-size=192,ecc-bn,ecc-nist-p192,ecc-nist-p224,ecc-nist-p256,ecc-nist-p384,ecc-nist-p521,ecc-bn-p256,ecc-bn-p638,ecc-sm2-p256,symcipher,camellia,camellia-min-size=128,cmac,ctr,ofb,cbc,cfb,ecb",
"Disabled": "tdes,sha1,sha512,rsassa,rsaes,rsapss,ecmqv,ecc-nist"
}
}
Also describe the JSON object in the TPMLIB_GetInfo man page.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Filter-out disabled commands so that the GetCapability() command does not
return them in the list of implemented/supported commands. Also prevent
them from being executable. Typically the check for whether a command
is enabled/disabled needs to be added around checks for whether the
IS_IMPLEMENTED flag is set on a command.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable all algorithms while unmarshalling state. Some state may contain
algorithms that are runtime-disabled and we need to allow those state
blobs to be readable.
While reading the volatile state save the currently enabled profile,
then set the default profile before unmarshalling the data, and then
restore the original profile.
When reading the permanent state enable the default profile first. At the
end the algorithms read from the state file will be applied.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Write the profile as part of PERMANENT_ALL state v4 and also read it from
the byte stream if the PERMANENT_ALL state has v4 or later.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Filter-out runtime-disabled algorithms from being reported in
TPM2_GetCapability and also don't run tests with runtime-disabled
algorithms during self-test.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Implement functions to set and check runtime-disabled algorithms. Use
these functions when the algorithm capabilities of the TPM 2 are
advertised via the TPM2_GetCapability command. However, it is not
sufficient to just suppress runtime-disabled algorithms in the return
value of this command but also certain code paths have to be instrumented
to check for disabled algorithms since they could otherwise lead to their
usage. Users are not required nor will they always look at the returned
values of TPM2_GetCapability but should still be prevented from using
runtime-disabled algorithms.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Address the following Coverity complaint (1550494) by filtering out bad
input values:
"Expression i--, which is equal to 65535, where i is known to be equal
to 0, underflows the type that receives it, an unsigned integer 16 bits
wide."
aSize is typcially 2048 and n is always >= 1 per the input parameter.
Therefore no side-effects are expected from this filter.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolve the following Coverity complaint:
"Expression command->sessionNum - 1U, which is equal to 4294967295,
where command->sessionNum is known to be equal to 0, underflows the
type that receives it, an unsigned integer 32 bits wide."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolve the following Coverity complaint by removing assignment to offset:
"Assigning value from offset + 148UL to offset here, but that stored
value is overwritten before it can be used."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolve the following Coverity complaint:
"Using uninitialized value rsa3072_object. Field rsa3072_object._pad is
uninitialized when calling MemoryCopy."
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
