swtpm: Check whether SHA1 signature support is disabled in profile

To avoid setting the environment variable OPENSSL_ENABLE_SHA1_SIGNATURES check whether SHA1 signature support is disabled in the TPM 2 profile. It is disabled if either 'fips-host' or the pair 'no-sha1-signing' and 'no-sha1-verification' are found among the enabled attributes. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger · Sep 3, 2024 · d496df1 · d496df1
1 parent 0ddc7ed
commit d496df1
Showing 1 changed file with 42 additions and 3 deletions.
diff --git a/src/swtpm/tpmlib.c b/src/swtpm/tpmlib.c
@@ -137,6 +137,41 @@ static int tpmlib_check_disabled_algorithms(unsigned int *fix_flags,
     return ret;
 }
 
+/*
+ * Check the enabled RuntimeAttributes whether either fips-host or
+ * the pair no-sha1-signing & no-sha1-verification are enabled since these
+ * disable sha1 signature support by the TPM 2. Return '1' if this is the
+ * case, '0' otherwise.
+ */
+static int tpmlib_check_attributes_disable_sha1_signatures(void)
+{
+    char *info_data = TPMLIB_GetInfo(TPMLIB_INFO_RUNTIME_ATTRIBUTES);
+    g_autofree gchar *enabled = NULL;
+    g_auto(GStrv) attributes = NULL;
+    int ret;
+
+    ret = json_get_submap_value(info_data, "RuntimeAttributes", "Enabled",
+                                &enabled);
+    if (ret) {
+        ret = 0;
+        goto error;
+    }
+
+    attributes = g_strsplit(enabled, ",", -1);
+
+    ret = 0;
+    if (strv_contains_all((const gchar *const*)attributes,
+                          (const char*[]){"fips-host", NULL}) ||
+        strv_contains_all((const gchar *const*)attributes,
+                          (const char*[]){"no-sha1-signing", "no-sha1-verification", NULL}))
+        ret = 1;
+
+error:
+    free(info_data);
+
+    return ret;
+}
+
 /*
  * This function only applies to TPM2: If FIPS mode was enabled on the host,
  * determine whether OpenSSL needs to deactivate FIPS mode (FIX_DISABLE_FIPS is
@@ -154,9 +189,13 @@ static int tpmlib_check_need_disable_fips_mode(unsigned int *fix_flags)
 /* Check whether SHA1 signatures need to be enabled. */
 static int tpmlib_check_need_enable_sha1_signatures(unsigned int *fix_flags)
 {
-     return tpmlib_check_disabled_algorithms(fix_flags,
-                                             DISABLED_SHA1_SIGNATURES,
-                                             true);
+    *fix_flags = 0;
+
+    if (tpmlib_check_attributes_disable_sha1_signatures())
+        return 0;
+    return tpmlib_check_disabled_algorithms(fix_flags,
+                                            DISABLED_SHA1_SIGNATURES,
+                                            true);
 }
 
 /*