From 98d15ac64500194e0ef946b15e6c95a976b2c8dd Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Mon, 19 Aug 2024 10:58:54 -0400 Subject: [PATCH] Merge into previous after testing Signed-off-by: Stefan Berger --- src/swtpm/check_algos.c | 29 +++++++++++++++++--------- src/swtpm/check_algos.h | 10 ++++++--- src/swtpm/tpmlib.c | 45 ++++++++++++++++++++++------------------- 3 files changed, 51 insertions(+), 33 deletions(-) diff --git a/src/swtpm/check_algos.c b/src/swtpm/check_algos.c index a87aee7ae..555495101 100644 --- a/src/swtpm/check_algos.c +++ b/src/swtpm/check_algos.c @@ -317,6 +317,7 @@ static const struct algorithms_tests { unsigned int padding; // padding AlgorithmTest testfn; // function to call const char *display; // display to user + unsigned int fix; // tell the call how to fix it } ossl_config_disabled[] = { { .disabled_type = DISABLED_BY_FIPS | DISABLED_BY_CONFIG, @@ -324,21 +325,25 @@ static const struct algorithms_tests { .algname = "CAMELLIA-128-CFB", .testfn = check_cipher, .display = "camellia-128", + .fix = FIX_DISABLE_FIPS, }, { .disabled_type = DISABLED_BY_FIPS | DISABLED_BY_CONFIG, .names = (const char *[]){"camellia", NULL}, .algname = "CAMELLIA-256-CFB", .testfn = check_cipher, .display = "camellia-256", + .fix = FIX_DISABLE_FIPS, }, { .disabled_type = DISABLED_BY_FIPS, .names = (const char *[]){"rsaes", NULL}, .testfn = check_rsaes, + .fix = FIX_DISABLE_FIPS, }, { .disabled_type = DISABLED_BY_FIPS | DISABLED_BY_CONFIG, .names= (const char *[]){"tdes", NULL}, .algname = "DES-EDE3-CFB", .testfn = check_cipher, + .fix = FIX_DISABLE_FIPS, }, { .disabled_type = DISABLED_BY_CONFIG, .names = (const char *[]){"sha1", NULL}, @@ -352,6 +357,7 @@ static const struct algorithms_tests { .padding = RSA_PKCS1_PSS_PADDING, .testfn = check_rsasign, .display = "RSA-1024-sign(SHA1, pkcs1-pss)", + .fix = FIX_ENABLE_SHA1_SIGNATURES, }, { .disabled_type = DISABLED_BY_FIPS, .names = (const char *[]){"rsa", "sha1", "rsassa", NULL}, @@ -360,6 +366,7 @@ static const struct algorithms_tests { .padding = RSA_PKCS1_PADDING, .testfn = check_rsasign, .display = "RSA-1024-sign(SHA1, pkcs1)", + .fix = FIX_ENABLE_SHA1_SIGNATURES, }, { .disabled_type = DISABLED_BY_FIPS | DISABLED_BY_CONFIG, .names = (const char *[]){"rsa", "sha1", "rsapss", NULL}, @@ -368,6 +375,7 @@ static const struct algorithms_tests { .padding = RSA_PKCS1_PSS_PADDING, .testfn = check_rsasign, .display = "RSA-2048-sign(SHA1, pkcs1-pss)", + .fix = FIX_ENABLE_SHA1_SIGNATURES, }, { .disabled_type = DISABLED_BY_FIPS | DISABLED_BY_CONFIG, .names = (const char *[]){"rsa", "sha1", "rsapss", NULL}, @@ -376,6 +384,7 @@ static const struct algorithms_tests { .padding = RSA_PKCS1_PADDING, .testfn = check_rsasign, .display = "RSA-2048-sign(SHA1, pkcs1)", + .fix = FIX_ENABLE_SHA1_SIGNATURES, }, { .disabled_type = DISABLED_BY_CONFIG, .names = (const char *[]){"rsa", "sha256", "rsapss", NULL}, @@ -413,14 +422,15 @@ static const struct key_sizes { }; /* Determine whether any of the algorithms in the array are FIPS-disable */ -static bool _ossl_algorithms_are_disabled(const gchar *const*algorithms, - const struct algorithms_tests *ossl_config_disabled_algos, - const struct key_sizes *key_sizes, - unsigned int disabled_filter, // filter by these flags (optional) - bool stop_on_first_disabled - ) +static unsigned int _ossl_algorithms_are_disabled(const gchar *const*algorithms, + const struct algorithms_tests *ossl_config_disabled_algos, + const struct key_sizes *key_sizes, + unsigned int disabled_filter, // filter by these flags (optional) + bool stop_on_first_disabled + ) { unsigned int disabled_type; + unsigned int fix_flags = 0; bool all_good = true; const char *display; unsigned long v; @@ -445,6 +455,7 @@ static bool _ossl_algorithms_are_disabled(const gchar *const*algorithms, display = ossl_config_disabled_algos[i].names[0]; if (rc) { all_good = false; + fix_flags |= ossl_config_disabled_algos[i].fix; logprintf(STDERR_FILENO, "Warning%s: Profile-enabled algorithms contain disabled '%s':\n", @@ -492,9 +503,9 @@ static bool _ossl_algorithms_are_disabled(const gchar *const*algorithms, * returned, 'true' otherwise. If 'false' is returned then OpenSSL's FIPS mode * must be disabled for libtpms to not cause selftest failures. */ -bool ossl_algorithms_are_disabled(const gchar *const*algorithms, - unsigned int disabled_filter, - bool stop_on_first_disabled) +unsigned int ossl_algorithms_are_disabled(const gchar *const*algorithms, + unsigned int disabled_filter, + bool stop_on_first_disabled) { return _ossl_algorithms_are_disabled(algorithms, ossl_config_disabled, fips_key_sizes, disabled_filter, diff --git a/src/swtpm/check_algos.h b/src/swtpm/check_algos.h index 4d6009103..c93e1dc7d 100644 --- a/src/swtpm/check_algos.h +++ b/src/swtpm/check_algos.h @@ -42,12 +42,16 @@ #include -bool ossl_algorithms_are_disabled(const gchar *const*algorithms, - unsigned int disabled_filter, - bool stop_on_first_disabled); +unsigned int ossl_algorithms_are_disabled(const gchar *const*algorithms, + unsigned int disabled_filter, + bool stop_on_first_disabled); /* disabled_filters: */ #define DISABLED_BY_FIPS (1 << 0) #define DISABLED_BY_CONFIG (1 << 1) +/* how to fix it */ +#define FIX_DISABLE_FIPS (1 << 0) /* fix by disabling FIPS mode */ +#define FIX_ENABLE_SHA1_SIGNATURES (1 << 1) /* fix by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1 */ + #endif /* _SWTPM_CHECK_ALGOS_H_ */ diff --git a/src/swtpm/tpmlib.c b/src/swtpm/tpmlib.c index 9cbc89da1..f29593f03 100644 --- a/src/swtpm/tpmlib.c +++ b/src/swtpm/tpmlib.c @@ -108,7 +108,7 @@ TPM_RESULT tpmlib_choose_tpm_version(TPMLIB_TPMVersion tpmversion) return res; } -static int tpmlib_check_disabled_algorithms(bool *need_disabled, +static int tpmlib_check_disabled_algorithms(unsigned int *fix_flags, unsigned int disabled_filter, bool stop_on_first_disabled) { @@ -117,7 +117,7 @@ static int tpmlib_check_disabled_algorithms(bool *need_disabled, gchar **algorithms; int ret; - *need_disabled = false; + *fix_flags = 0; ret = json_get_submap_value(info_data, "RuntimeAlgorithms", "Enabled", &enabled); @@ -126,9 +126,9 @@ static int tpmlib_check_disabled_algorithms(bool *need_disabled, algorithms = g_strsplit(enabled, ",", -1); - *need_disabled = ! ossl_algorithms_are_disabled((const gchar * const *)algorithms, - disabled_filter, - stop_on_first_disabled); + *fix_flags = ossl_algorithms_are_disabled((const gchar * const *)algorithms, + disabled_filter, + stop_on_first_disabled); g_strfreev(algorithms); error: @@ -139,14 +139,14 @@ static int tpmlib_check_disabled_algorithms(bool *need_disabled, /* * This function only applies to TPM2: If FIPS mode was enabled on the host, - * determine whether OpenSSL needs to deactivate FIPS mode. It doesn't need - * to deactivate it if a profile was chosen that has no algorithms that FIPS - * deactivates, otherwise it has to deactivate FIPS mode in the OpenSSL - * instance being used. + * determine whether OpenSSL needs to deactivate FIPS mode (FIX_DISABLE_FIPS is + * set). It doesn't need to deactivate it if a profile was chosen that has no + * algorithms that FIPS deactivates, otherwise it has to deactivate FIPS mode in + * the OpenSSL instance being used. */ -static int tpmlib_check_need_disable_fips_mode_tpm2(bool *need_disabled) +static int tpmlib_check_need_disable_fips_mode_tpm2(unsigned int *fix_flags) { - return tpmlib_check_disabled_algorithms(need_disabled, + return tpmlib_check_disabled_algorithms(fix_flags, DISABLED_BY_FIPS, true); } @@ -154,9 +154,9 @@ static int tpmlib_check_need_disable_fips_mode_tpm2(bool *need_disabled) * Check whether swtpm would have to be started with OpenSSL_no_config() so * that libtpms can use the algorithms given by its profile. */ -static bool tpmlib_check_need_no_ossl_config(bool *need_disabled) +static bool tpmlib_check_need_no_ossl_config(unsigned int *fix_flags) { - return tpmlib_check_disabled_algorithms(need_disabled, + return tpmlib_check_disabled_algorithms(fix_flags, 0, false); } @@ -168,27 +168,30 @@ static bool tpmlib_check_need_no_ossl_config(bool *need_disabled) */ static int tpmlib_maybe_disable_fips_mode(TPMLIB_TPMVersion tpmversion) { - bool disable_fips = false; + unsigned int fix_flags = 0; int ret = 0; if (fips_mode_enabled()) { switch (tpmversion) { case TPMLIB_TPM_VERSION_1_2: - disable_fips = true; + fix_flags = FIX_DISABLE_FIPS | FIX_ENABLE_SHA1_SIGNATURES; break; case TPMLIB_TPM_VERSION_2: - ret = tpmlib_check_need_disable_fips_mode_tpm2(&disable_fips); + ret = tpmlib_check_need_disable_fips_mode_tpm2(&fix_flags); break; } - if (!ret && disable_fips && fips_mode_disable()) + if (!ret && (fix_flags & FIX_DISABLE_FIPS) && fips_mode_disable()) ret = 1; + if (!ret && (fix_flags & FIX_ENABLE_SHA1_SIGNATURES)) { + logprintf(STDOUT_FILENO, + "Setting OPENSSL_ENABLE_SHA1_SIGNATURES=1 to enable SHA1 signatures.\n"); + g_setenv("OPENSSL_ENABLE_SHA1_SIGNATURES", "1", true); + } } if (!ret && tpmversion == TPMLIB_TPM_VERSION_2) { - bool disable_config = false; - - ret = tpmlib_check_need_no_ossl_config(&disable_config); - if (!ret && disable_config) { + ret = tpmlib_check_need_no_ossl_config(&fix_flags); + if (!ret && fix_flags) { logprintf(STDERR_FILENO, "Error: Need to start with OpenSSL config file to enable all needed algorithms.\n"); ret = 1;