sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-12-08 00:00:29 -05:00
Code Issues Projects Releases Wiki Activity

tpm: Check FIPS-140-2 and FIPS-186-4 compliance

Browse Source
This commit is contained in:
Andreas Steffen 2018-10-23 18:30:55 +02:00 committed by Tobias Brunner
parent b158404c5f
commit 526c5abd0f
5 changed files with 60 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
conf/plugins/tpm.opt
View File

@ -1,6 +1,10 @@
charon.plugins.tpm.use_rng = no charon.plugins.tpm.use_rng = no
Whether the TPM should be used as RNG. Whether the TPM should be used as RNG.
charon.plugins.tpm.fips_186_4 = no
Is the TPM 2.0 FIPS-186-4 compliant, forcing e.g. the use of the default
salt length instead of maximum salt length with RSAPSS padding.
charon.plugins.tpm.tcti.name = device|tabrmd charon.plugins.tpm.tcti.name = device|tabrmd
Name of TPM 2.0 TCTI library. Valid values: _tabrmd_, _device_ or _mssim_. Name of TPM 2.0 TCTI library. Valid values: _tabrmd_, _device_ or _mssim_.
Defaults are _device_ if the _/dev/tpmrm0_ in-kernel TPM 2.0 resource manager Defaults are _device_ if the _/dev/tpmrm0_ in-kernel TPM 2.0 resource manager

2
src/libtpmtss/plugins/tpm/tpm_private_key.c
View File

@ -1,6 +1,6 @@
/* /*
* Copyright (C) 2018 Tobias Brunner * Copyright (C) 2018 Tobias Brunner
* Copyright (C) 2017 Andreas Steffen * Copyright (C) 2017-2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil * HSR Hochschule fuer Technik Rapperswil
* *
* This program is free software; you can redistribute it and/or modify it * This program is free software; you can redistribute it and/or modify it

2
src/libtpmtss/tpm_tss.h
View File

@ -1,6 +1,6 @@
/* /*
* Copyright (C) 2018 Tobias Brunner * Copyright (C) 2018 Tobias Brunner
* Copyright (C) 2016 Andreas Steffen * Copyright (C) 2016-2018 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil * HSR Hochschule fuer Technik Rapperswil
* *
* This program is free software; you can redistribute it and/or modify it * This program is free software; you can redistribute it and/or modify it

30
src/libtpmtss/tpm_tss_tss2_v1.c
View File

@ -69,6 +69,12 @@ struct private_tpm_tss_tss2_t {
* List of supported algorithms * List of supported algorithms
*/ */
TPM_ALG_ID supported_algs[TPM_PT_ALGORITHM_SET]; TPM_ALG_ID supported_algs[TPM_PT_ALGORITHM_SET];
/**
* Is TPM FIPS 186-4 compliant ?
*/
bool fips_186_4;
}; };
/** /**
@ -154,6 +160,7 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
TPMS_TAGGED_PROPERTY tp; TPMS_TAGGED_PROPERTY tp;
TPMI_YES_NO more_data; TPMI_YES_NO more_data;
TPM_ALG_ID alg; TPM_ALG_ID alg;
bool fips_140_2 = FALSE;
uint32_t rval, i, offset, revision = 0, year = 0; uint32_t rval, i, offset, revision = 0, year = 0;
size_t len = BUF_LEN; size_t len = BUF_LEN;
char buf[BUF_LEN], manufacturer[5], vendor_string[17]; char buf[BUF_LEN], manufacturer[5], vendor_string[17];
@ -194,12 +201,25 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
offset = 4 * (tp.property - TPM_PT_VENDOR_STRING_1); offset = 4 * (tp.property - TPM_PT_VENDOR_STRING_1);
htoun32(vendor_string + offset, tp.value); htoun32(vendor_string + offset, tp.value);
break; break;
case TPM_PT_MODES:
if (tp.value & TPMA_MODES_FIPS_140_2)
{
this->fips_186_4 = fips_140_2 = TRUE;
}
break;
default: default:
break; break;
} }
} }
DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u", LABEL, manufacturer,
vendor_string, (float)revision/100, year); if (!fips_140_2)
{
this->fips_186_4 = lib->settings->get_bool(lib->settings,
"%s.plugins.tpm.fips_186_4", FALSE, lib->ns);
}
DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u %s", LABEL,
manufacturer, vendor_string, (float)revision/100, year,
fips_140_2 ? "FIPS 140-2" : (this->fips_186_4 ? "FIPS 186-4" : ""));
/* get supported algorithms */ /* get supported algorithms */
rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ALGS, rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ALGS,
@ -551,10 +571,14 @@ METHOD(tpm_tss_t, supported_signature_schemes, enumerator_t*,
{ {
case TPM_ALG_RSAPSS: case TPM_ALG_RSAPSS:
{ {
ssize_t salt_len;
salt_len = this->fips_186_4 ? RSA_PSS_SALT_LEN_DEFAULT :
RSA_PSS_SALT_LEN_MAX;
rsa_pss_params_t pss_params = { rsa_pss_params_t pss_params = {
.hash = digest, .hash = digest,
.mgf1_hash = digest, .mgf1_hash = digest,
.salt_len = RSA_PSS_SALT_LEN_MAX, .salt_len = salt_len,
}; };
supported_scheme = (signature_params_t){ supported_scheme = (signature_params_t){
.scheme = SIGN_RSA_EMSA_PSS, .scheme = SIGN_RSA_EMSA_PSS,

30
src/libtpmtss/tpm_tss_tss2_v2.c
View File

@ -65,6 +65,12 @@ struct private_tpm_tss_tss2_t {
* List of supported algorithms * List of supported algorithms
*/ */
TPM2_ALG_ID supported_algs[TPM2_PT_ALGORITHM_SET]; TPM2_ALG_ID supported_algs[TPM2_PT_ALGORITHM_SET];
/**
* Is TPM FIPS 186-4 compliant ?
*/
bool fips_186_4;
}; };
/** /**
@ -153,6 +159,7 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
TPMS_TAGGED_PROPERTY tp; TPMS_TAGGED_PROPERTY tp;
TPMI_YES_NO more_data; TPMI_YES_NO more_data;
TPM2_ALG_ID alg; TPM2_ALG_ID alg;
bool fips_140_2 = FALSE;
uint32_t rval, i, offset, revision = 0, year = 0; uint32_t rval, i, offset, revision = 0, year = 0;
size_t len = BUF_LEN; size_t len = BUF_LEN;
char buf[BUF_LEN], manufacturer[5], vendor_string[17]; char buf[BUF_LEN], manufacturer[5], vendor_string[17];
@ -194,12 +201,25 @@ static bool get_algs_capability(private_tpm_tss_tss2_t *this)
offset = 4 * (tp.property - TPM2_PT_VENDOR_STRING_1); offset = 4 * (tp.property - TPM2_PT_VENDOR_STRING_1);
htoun32(vendor_string + offset, tp.value); htoun32(vendor_string + offset, tp.value);
break; break;
case TPM2_PT_MODES:
if (tp.value & TPMA_MODES_FIPS_140_2)
{
this->fips_186_4 = fips_140_2 = TRUE;
}
break;
default: default:
break; break;
} }
} }
DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u", LABEL, manufacturer,
vendor_string, (float)revision/100, year); if (!fips_140_2)
{
this->fips_186_4 = lib->settings->get_bool(lib->settings,
"%s.plugins.tpm.fips_186_4", FALSE, lib->ns);
}
DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u %s", LABEL,
manufacturer, vendor_string, (float)revision/100, year,
fips_140_2 ? "FIPS 140-2" : (this->fips_186_4 ? "FIPS 186-4" : ""));
/* get supported algorithms */ /* get supported algorithms */
rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM2_CAP_ALGS, rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM2_CAP_ALGS,
@ -505,10 +525,14 @@ METHOD(tpm_tss_t, supported_signature_schemes, enumerator_t*,
{ {
case TPM2_ALG_RSAPSS: case TPM2_ALG_RSAPSS:
{ {
ssize_t salt_len;
salt_len = this->fips_186_4 ? RSA_PSS_SALT_LEN_DEFAULT :
RSA_PSS_SALT_LEN_MAX;
rsa_pss_params_t pss_params = { rsa_pss_params_t pss_params = {
.hash = digest, .hash = digest,
.mgf1_hash = digest, .mgf1_hash = digest,
.salt_len = RSA_PSS_SALT_LEN_MAX, .salt_len = salt_len,
}; };
supported_scheme = (signature_params_t){ supported_scheme = (signature_params_t){
.scheme = SIGN_RSA_EMSA_PSS, .scheme = SIGN_RSA_EMSA_PSS,