Restricted Crypto Algorithm Support
Stefan Berger edited this page Jun 18, 2022
·
2 revisions
The following is a compatibility table for the OpenSSL crypto library supporting a restricted set of crypto algorithms versus mandatory algorithms for a PC Client TPM 2 (TCG PC Client Platform TPM Profile Specification for TPM 2.0; Table 2).
OS Group A: CentOS 9, Fedora 35
| Algorithm | TPM 2 Profile Spec | libtpms | OS Group A FIPS Mode |
|---|---|---|---|
| RSA | Mandatory | Available | |
| TDES | Optional | Unavailable | |
| SHA1 | Mandatory / Deprecated | Available | |
| HMAC | Mandatory | Available | |
| AES | Mandatory | Available | |
| MGF1 | Mandatory | Available | |
| KEYEDHASH | Mandatory | Available | |
| XOR | Mandatory | Available | |
| SHA256 | Mandatory | Available | |
| SHA384 | Mandatory | Available | |
| SHA512 | Optional | Available | |
| NULL | Mandatory | Available | |
| SM3_256 | Optional | not supported | |
| SM4 | Optional | not supported | |
| RSASSA | Mandatory | Available | |
| RSAES | Mandatory | Available | |
| RSAPSS | Mandatory | Unavailable | |
| OAEP | Mandatory | Available | |
| ECDSA | Mandatory | Available | |
| ECDH | Mandatory | Available | |
| ECDAA | Mandatory | Available | |
| SM2 | Optional | Available | |
| ECSCHNORR | Mandatory | Available | |
| ECC | Mandatory | Available | |
| ECMQV | Optional | Available | |
| SYMCIPHER | Mandatory | Available | |
| CAMELLIA | Optional | Unavailable | |
| SHA3_256 | Optional | not supported | |
| SHA3_256 | Optional | not supported | |
| SHA3_512 | Optional | not supported |
FIPS mode was enabled using command fips-mode-setup --enable
Notes:
- Mandatory algorithms (per PC Client spec) that are not available during runtime are a potential problem for applications relying on them. RSA-PSS is one of them.
- Test suites show errors if sha1 or rsapss are missing. Also RSA-1024 may in some cases be required.