diff --git a/man/man3/TPMLIB_SetProfile.pod b/man/man3/TPMLIB_SetProfile.pod
index f0c38ec49..72eb9e433 100644
--- a/man/man3/TPMLIB_SetProfile.pod
+++ b/man/man3/TPMLIB_SetProfile.pod
@@ -211,6 +211,14 @@ algorithms
 =back
+=item B: (since v0.10)
+
+=over 2
+
+=item * Prevents creation of an HMAC using SHA1
+
+=back
+
 =item B: (since v0.10)
 =over 2
diff --git a/src/tpm2/CryptUtil.c b/src/tpm2/CryptUtil.c
index 2a560c616..9f59c7ea7 100644
--- a/src/tpm2/CryptUtil.c
+++ b/src/tpm2/CryptUtil.c
@@ -1537,6 +1537,11 @@ CryptSign(OBJECT* signKey, // IN: signing key
 RuntimeProfileRequiresAttributeFlags(&g_RuntimeProfile,
 RUNTIME_ATTRIBUTE_NO_SHA1_SIGNING))
 return TPM_RC_HASH;
+ case TPM_ALG_KEYEDHASH:
+ if (signScheme->details.any.hashAlg == TPM_ALG_SHA1 &&
+ RuntimeProfileRequiresAttributeFlags(&g_RuntimeProfile,
+ RUNTIME_ATTRIBUTE_NO_SHA1_HMAC_CREATION))
+ return TPM_RC_HASH;
 break;
 }
 // libtpms added end
diff --git a/src/tpm2/RuntimeAttributes.c b/src/tpm2/RuntimeAttributes.c
index 2f0265100..bf9b13978 100644
--- a/src/tpm2/RuntimeAttributes.c
+++ b/src/tpm2/RuntimeAttributes.c
@@ -63,6 +63,8 @@ static const struct {
 7),
 ATTRIBUTE("no-sha1-verification", RUNTIME_ATTRIBUTE_NO_SHA1_VERIFICATION,
 7),
+ ATTRIBUTE("no-sha1-hmac-creation", RUNTIME_ATTRIBUTE_NO_SHA1_HMAC_CREATION,
+ 7),
 ATTRIBUTE("fips-host", RUNTIME_ATTRIBUTE_NO_UNPADDED_ENCRYPTION |
 RUNTIME_ATTRIBUTE_NO_SHA1_SIGNING |
 RUNTIME_ATTRIBUTE_NO_SHA1_VERIFICATION,
diff --git a/src/tpm2/RuntimeAttributes_fp.h b/src/tpm2/RuntimeAttributes_fp.h
index d7f468975..891bbb470 100644
--- a/src/tpm2/RuntimeAttributes_fp.h
+++ b/src/tpm2/RuntimeAttributes_fp.h
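Review bot: The new `case TPM_ALG_KEYEDHASH:` label is inserted between the preceding case's conditional `return TPM_RC_HASH;` and its `break;`, so when that preceding case (its labels sit above the hunk, presumably the asymmetric signing keys) uses SHA1 without `no-sha1-signing` set, control falls through into the new check and the signature is rejected whenever `no-sha1-hmac-creation` is enabled — a profile meant to restrict only HMACs would also block SHA1 RSA/ECC signing. Insert `break;` immediately before `case TPM_ALG_KEYEDHASH:`, or, if the fall-through is intended, mark it with `/* fallthrough */` and say why in a comment. Separately, because this hook lives in CryptSign it presumably governs only TPM2_Sign with a keyedhash key; TPM2_HMAC and the HMAC_Start/SequenceComplete path likely do not pass through here, which would make the man page's "Prevents creation of an HMAC using SHA1" broader than what is enforced — confirm and either hook those paths or narrow the documentation. CryptSign's switch begins and ends outside the hunk.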
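Review bot: The `fips-host` aggregate directly below the new entry still ORs only NO_UNPADDED_ENCRYPTION, NO_SHA1_SIGNING and NO_SHA1_VERIFICATION (its flag list ends at the trailing comma before the level argument), so a profile selecting `fips-host` does not pick up the new SHA1-HMAC restriction. If that is deliberate — SP 800-131A still permits HMAC-SHA-1 generation — record it so the next reader does not "fix" it: `/* fips-host intentionally omits NO_SHA1_HMAC_CREATION: HMAC-SHA1 generation remains approved */`; otherwise add `| RUNTIME_ATTRIBUTE_NO_SHA1_HMAC_CREATION` to that entry. The table continues past the hunk, so check that no later aggregate is meant to include the new bit either.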
@@ -42,11 +42,12 @@
 #ifndef RUNTIME_ATTRIBUTES_H
 #define RUNTIME_ATTRIBUTES_H
-#define NUM_ENTRIES_ATTRIBUTE_PROPERTIES 4
+#define NUM_ENTRIES_ATTRIBUTE_PROPERTIES 5
 #define RUNTIME_ATTRIBUTE_NO_UNPADDED_ENCRYPTION (1 << 0)
 #define RUNTIME_ATTRIBUTE_NO_SHA1_SIGNING (1 << 1)
 #define RUNTIME_ATTRIBUTE_NO_SHA1_VERIFICATION (1 << 2)
+#define RUNTIME_ATTRIBUTE_NO_SHA1_HMAC_CREATION (1 << 3)
 struct RuntimeAttributes { /* */
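Review bot: The new `#define RUNTIME_ATTRIBUTE_NO_SHA1_HMAC_CREATION (1 << 3)` carries no comment tying it to the `no-sha1-hmac-creation` profile attribute it backs, and `NUM_ENTRIES_ATTRIBUTE_PROPERTIES` is bumped by hand to 5 with nothing visible checking it against the attribute table in RuntimeAttributes.c. Add `/* profile attribute "no-sha1-hmac-creation": reject SHA1 as the hash of an HMAC being created */` on the define, and consider a `_Static_assert` next to the table in RuntimeAttributes.c comparing its element count with NUM_ENTRIES_ATTRIBUTE_PROPERTIES so the two cannot drift apart, if the project's C standard allows it.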