Merge into previous after testing

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger · Aug 19, 2024 · 98d15ac · 98d15ac
1 parent 5afeaec
commit 98d15ac
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 33 deletions.
diff --git a/src/swtpm/check_algos.c b/src/swtpm/check_algos.c
@@ -317,28 +317,33 @@ static const struct algorithms_tests {
     unsigned int padding;  // padding
     AlgorithmTest testfn;   // function to call
     const char *display;    // display to user
+    unsigned int fix;       // tell the call how to fix it
 } ossl_config_disabled[] = {
     {
       .disabled_type = DISABLED_BY_FIPS | DISABLED_BY_CONFIG,
       .names = (const char *[]){"camellia", NULL},
       .algname = "CAMELLIA-128-CFB",
       .testfn = check_cipher,
       .display = "camellia-128",
+      .fix = FIX_DISABLE_FIPS,
     }, {
       .disabled_type = DISABLED_BY_FIPS | DISABLED_BY_CONFIG,
       .names = (const char *[]){"camellia", NULL},
       .algname = "CAMELLIA-256-CFB",
       .testfn = check_cipher,
       .display = "camellia-256",
+      .fix = FIX_DISABLE_FIPS,
     }, {
       .disabled_type = DISABLED_BY_FIPS,
       .names = (const char *[]){"rsaes", NULL},
       .testfn = check_rsaes,
+      .fix = FIX_DISABLE_FIPS,
     }, {
       .disabled_type = DISABLED_BY_FIPS | DISABLED_BY_CONFIG,
       .names= (const char *[]){"tdes", NULL},
       .algname = "DES-EDE3-CFB",
       .testfn = check_cipher,
+      .fix = FIX_DISABLE_FIPS,
     }, {
       .disabled_type = DISABLED_BY_CONFIG,
       .names = (const char *[]){"sha1", NULL},
@@ -352,6 +357,7 @@ static const struct algorithms_tests {
       .padding = RSA_PKCS1_PSS_PADDING,
       .testfn = check_rsasign,
       .display = "RSA-1024-sign(SHA1, pkcs1-pss)",
+      .fix = FIX_ENABLE_SHA1_SIGNATURES,
     }, {
       .disabled_type = DISABLED_BY_FIPS,
       .names = (const char *[]){"rsa", "sha1", "rsassa", NULL},
@@ -360,6 +366,7 @@ static const struct algorithms_tests {
       .padding = RSA_PKCS1_PADDING,
       .testfn = check_rsasign,
       .display = "RSA-1024-sign(SHA1, pkcs1)",
+      .fix = FIX_ENABLE_SHA1_SIGNATURES,
     }, {
       .disabled_type = DISABLED_BY_FIPS | DISABLED_BY_CONFIG,
       .names = (const char *[]){"rsa", "sha1", "rsapss", NULL},
@@ -368,6 +375,7 @@ static const struct algorithms_tests {
       .padding = RSA_PKCS1_PSS_PADDING,
       .testfn = check_rsasign,
       .display = "RSA-2048-sign(SHA1, pkcs1-pss)",
+      .fix = FIX_ENABLE_SHA1_SIGNATURES,
     }, {
       .disabled_type = DISABLED_BY_FIPS | DISABLED_BY_CONFIG,
       .names = (const char *[]){"rsa", "sha1", "rsapss", NULL},
@@ -376,6 +384,7 @@ static const struct algorithms_tests {
       .padding = RSA_PKCS1_PADDING,
       .testfn = check_rsasign,
       .display = "RSA-2048-sign(SHA1, pkcs1)",
+      .fix = FIX_ENABLE_SHA1_SIGNATURES,
     }, {
       .disabled_type = DISABLED_BY_CONFIG,
       .names = (const char *[]){"rsa", "sha256", "rsapss", NULL},
@@ -413,14 +422,15 @@ static const struct key_sizes {
 };
 
 /* Determine whether any of the algorithms in the array are FIPS-disable */
-static bool _ossl_algorithms_are_disabled(const gchar *const*algorithms,
-                                          const struct algorithms_tests *ossl_config_disabled_algos,
-                                          const struct key_sizes *key_sizes,
-                                          unsigned int disabled_filter,          // filter by these flags (optional)
-                                          bool stop_on_first_disabled
-                                          )
+static unsigned int _ossl_algorithms_are_disabled(const gchar *const*algorithms,
+                                                  const struct algorithms_tests *ossl_config_disabled_algos,
+                                                  const struct key_sizes *key_sizes,
+                                                  unsigned int disabled_filter,          // filter by these flags (optional)
+                                                  bool stop_on_first_disabled
+                                                 )
 {
     unsigned int disabled_type;
+    unsigned int fix_flags = 0;
     bool all_good = true;
     const char *display;
     unsigned long v;
@@ -445,6 +455,7 @@ static bool _ossl_algorithms_are_disabled(const gchar *const*algorithms,
                 display = ossl_config_disabled_algos[i].names[0];
             if (rc) {
                 all_good = false;
+                fix_flags |= ossl_config_disabled_algos[i].fix;
 
                 logprintf(STDERR_FILENO,
                           "Warning%s: Profile-enabled algorithms contain disabled '%s':\n",
@@ -492,9 +503,9 @@ static bool _ossl_algorithms_are_disabled(const gchar *const*algorithms,
  * returned, 'true' otherwise. If 'false' is returned then OpenSSL's FIPS mode
  * must be disabled for libtpms to not cause selftest failures.
  */
-bool ossl_algorithms_are_disabled(const gchar *const*algorithms,
-                                  unsigned int disabled_filter,
-                                  bool stop_on_first_disabled)
+unsigned int ossl_algorithms_are_disabled(const gchar *const*algorithms,
+                                          unsigned int disabled_filter,
+                                          bool stop_on_first_disabled)
 {
     return _ossl_algorithms_are_disabled(algorithms, ossl_config_disabled, fips_key_sizes,
                                          disabled_filter,

diff --git a/src/swtpm/check_algos.h b/src/swtpm/check_algos.h
@@ -42,12 +42,16 @@
 
 #include <glib.h>
 
-bool ossl_algorithms_are_disabled(const gchar *const*algorithms,
-                                  unsigned int disabled_filter,
-                                  bool stop_on_first_disabled);
+unsigned int ossl_algorithms_are_disabled(const gchar *const*algorithms,
+                                          unsigned int disabled_filter,
+                                          bool stop_on_first_disabled);
 
 /* disabled_filters: */
 #define DISABLED_BY_FIPS   (1 << 0)
 #define DISABLED_BY_CONFIG (1 << 1)
 
+/* how to fix it */
+#define FIX_DISABLE_FIPS            (1 << 0) /* fix by disabling FIPS mode */
+#define FIX_ENABLE_SHA1_SIGNATURES  (1 << 1) /* fix by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1 */
+
 #endif /* _SWTPM_CHECK_ALGOS_H_ */
diff --git a/src/swtpm/tpmlib.c b/src/swtpm/tpmlib.c
@@ -108,7 +108,7 @@ TPM_RESULT tpmlib_choose_tpm_version(TPMLIB_TPMVersion tpmversion)
     return res;
 }
 
-static int tpmlib_check_disabled_algorithms(bool *need_disabled,
+static int tpmlib_check_disabled_algorithms(unsigned int *fix_flags,
                                             unsigned int disabled_filter,
                                             bool stop_on_first_disabled)
 {
@@ -117,7 +117,7 @@ static int tpmlib_check_disabled_algorithms(bool *need_disabled,
     gchar **algorithms;
     int ret;
 
-    *need_disabled = false;
+    *fix_flags = 0;
 
     ret = json_get_submap_value(info_data, "RuntimeAlgorithms", "Enabled",
                                 &enabled);
@@ -126,9 +126,9 @@ static int tpmlib_check_disabled_algorithms(bool *need_disabled,
 
     algorithms = g_strsplit(enabled, ",", -1);
 
-    *need_disabled = ! ossl_algorithms_are_disabled((const gchar * const *)algorithms,
-                                                    disabled_filter,
-                                                    stop_on_first_disabled);
+    *fix_flags = ossl_algorithms_are_disabled((const gchar * const *)algorithms,
+                                              disabled_filter,
+                                              stop_on_first_disabled);
 
     g_strfreev(algorithms);
 error:
@@ -139,24 +139,24 @@ static int tpmlib_check_disabled_algorithms(bool *need_disabled,
 
 /*
  * This function only applies to TPM2: If FIPS mode was enabled on the host,
- * determine whether OpenSSL needs to deactivate FIPS mode. It doesn't need
- * to deactivate it if a profile was chosen that has no algorithms that FIPS
- * deactivates, otherwise it has to deactivate FIPS mode in the OpenSSL
- * instance being used.
+ * determine whether OpenSSL needs to deactivate FIPS mode (FIX_DISABLE_FIPS is
+ * set). It doesn't need to deactivate it if a profile was chosen that has no
+ * algorithms that FIPS deactivates, otherwise it has to deactivate FIPS mode in
+ * the OpenSSL instance being used.
  */
-static int tpmlib_check_need_disable_fips_mode_tpm2(bool *need_disabled)
+static int tpmlib_check_need_disable_fips_mode_tpm2(unsigned int *fix_flags)
 {
-     return tpmlib_check_disabled_algorithms(need_disabled,
+     return tpmlib_check_disabled_algorithms(fix_flags,
                                              DISABLED_BY_FIPS, true);
 }
 
 /*
  * Check whether swtpm would have to be started with OpenSSL_no_config() so
  * that libtpms can use the algorithms given by its profile.
  */
-static bool tpmlib_check_need_no_ossl_config(bool *need_disabled)
+static bool tpmlib_check_need_no_ossl_config(unsigned int *fix_flags)
 {
-     return tpmlib_check_disabled_algorithms(need_disabled,
+     return tpmlib_check_disabled_algorithms(fix_flags,
                                              0, false);
 }
 
@@ -168,27 +168,30 @@ static bool tpmlib_check_need_no_ossl_config(bool *need_disabled)
  */
 static int tpmlib_maybe_disable_fips_mode(TPMLIB_TPMVersion tpmversion)
 {
-    bool disable_fips = false;
+    unsigned int fix_flags = 0;
     int ret = 0;
 
     if (fips_mode_enabled()) {
         switch (tpmversion) {
         case TPMLIB_TPM_VERSION_1_2:
-            disable_fips = true;
+            fix_flags = FIX_DISABLE_FIPS | FIX_ENABLE_SHA1_SIGNATURES;
             break;
         case TPMLIB_TPM_VERSION_2:
-            ret = tpmlib_check_need_disable_fips_mode_tpm2(&disable_fips);
+            ret = tpmlib_check_need_disable_fips_mode_tpm2(&fix_flags);
             break;
         }
-        if (!ret && disable_fips && fips_mode_disable())
+        if (!ret && (fix_flags & FIX_DISABLE_FIPS) && fips_mode_disable())
             ret = 1;
+        if (!ret && (fix_flags & FIX_ENABLE_SHA1_SIGNATURES)) {
+            logprintf(STDOUT_FILENO,
+                      "Setting OPENSSL_ENABLE_SHA1_SIGNATURES=1 to enable SHA1 signatures.\n");
+            g_setenv("OPENSSL_ENABLE_SHA1_SIGNATURES", "1", true);
+        }
     }
 
     if (!ret && tpmversion == TPMLIB_TPM_VERSION_2) {
-        bool disable_config = false;
-
-        ret = tpmlib_check_need_no_ossl_config(&disable_config);
-        if (!ret && disable_config) {
+        ret = tpmlib_check_need_no_ossl_config(&fix_flags);
+        if (!ret && fix_flags) {
             logprintf(STDERR_FILENO,
                      "Error: Need to start with OpenSSL config file to enable all needed algorithms.\n");
             ret = 1;