-
Notifications
You must be signed in to change notification settings - Fork 144
Restricted Crypto Algorithm Support
Stefan Berger edited this page Jun 18, 2022
·
2 revisions
The following is a compatibility table for the OpenSSL crypto library supporting a restricted set of crypto algorithms versus mandatory algorithms for a PC Client TPM 2 (TCG PC Client Platform TPM Profile Specification for TPM 2.0; Table 2).
OS Group A: CentOS 9, Fedora 35
Algorithm | TPM 2 Profile Spec | libtpms | OS Group A FIPS Mode |
---|---|---|---|
RSA | Mandatory | Available | |
TDES | Optional | Unavailable | |
SHA1 | Mandatory / Deprecated | Available | |
HMAC | Mandatory | Available | |
AES | Mandatory | Available | |
MGF1 | Mandatory | Available | |
KEYEDHASH | Mandatory | Available | |
XOR | Mandatory | Available | |
SHA256 | Mandatory | Available | |
SHA384 | Mandatory | Available | |
SHA512 | Optional | Available | |
NULL | Mandatory | Available | |
SM3_256 | Optional | not supported | |
SM4 | Optional | not supported | |
RSASSA | Mandatory | Available | |
RSAES | Mandatory | Available | |
RSAPSS | Mandatory | Unavailable | |
OAEP | Mandatory | Available | |
ECDSA | Mandatory | Available | |
ECDH | Mandatory | Available | |
ECDAA | Mandatory | Available | |
SM2 | Optional | Available | |
ECSCHNORR | Mandatory | Available | |
ECC | Mandatory | Available | |
ECMQV | Optional | Available | |
SYMCIPHER | Mandatory | Available | |
CAMELLIA | Optional | Unavailable | |
SHA3_256 | Optional | not supported | |
SHA3_256 | Optional | not supported | |
SHA3_512 | Optional | not supported |
FIPS mode was enabled using command fips-mode-setup --enable
Notes:
- Mandatory algorithms (per PC Client spec) that are not available during runtime are a potential problem for applications relying on them. RSA-PSS is one of them.
- Test suites show errors if sha1 or rsapss are missing. Also RSA-1024 may in some cases be required.