From patchwork Tue May 25 03:34:23 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Axtens X-Patchwork-Id: 1483146 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=112.213.38.117; helo=lists.ozlabs.org; envelope-from=skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.a=rsa-sha256 header.s=google header.b=G8Ws1lAC; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fq07s1ZwKz9sT6 for ; Tue, 25 May 2021 13:34:49 +1000 (AEST) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4Fq07s11bXz2yxk for ; Tue, 25 May 2021 13:34:49 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.a=rsa-sha256 header.s=google header.b=G8Ws1lAC; dkim-atps=neutral X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=axtens.net (client-ip=2607:f8b0:4864:20::436; helo=mail-pf1-x436.google.com; envelope-from=dja@axtens.net; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.a=rsa-sha256 header.s=google header.b=G8Ws1lAC; dkim-atps=neutral Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4Fq07j39llz2yjY for ; Tue, 25 May 2021 13:34:41 +1000 (AEST) Received: by mail-pf1-x436.google.com with SMTP id g18so20859991pfr.2 for ; Mon, 24 May 2021 20:34:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axtens.net; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=a683iBtG+WH5jA4zPhxLlkshjCXrLYoZGyQ3QZhzgWg=; b=G8Ws1lACqWvAs/L8mKMJmx1vpvWL2Jv0pbfWgkOdCtXy6YIwjhTc/PBtTAu7YY8r0k Es8bn5jMHW3aOfmpTk4BbFlXmgJvIrvMr30YMRMAdd/zAeNtQ7nt8iX79j2dnIxV9Abt RYM+ItfPHCE89CyD0MtxwngUIbUyZldY5HiS4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=a683iBtG+WH5jA4zPhxLlkshjCXrLYoZGyQ3QZhzgWg=; b=I2lAlShvNeC3YouLo4nPYZY9USiF2QZ59FuScGO8SXJala+nvuhKRKdFAC3BWuYZb+ 3T4/77313xnHYYljd28QGY9Vbw6rIMVtvJlHXYcuwcHM3nlB3ZNqzlvDNiEzG2/gf/We v0cDWVQQ0u137RfEpnNtWL2eP7gLi5sbTwZMje15EtDBBBMgkiGr5UFlP+xhP12w49yS 2WLvB4KAvqq8gqpkhTNyiyR3BO9oJ+3WtNIaDrE8giVgNAcEoiEIeFeygCTUbNqpTsZ+ G2iJZ9NIAxvDrYekq1hqPpJ01nsUaChWSqVbmui7gcwZXlPBTnHJPvwVm0ltdZRRngS3 +Ttw== X-Gm-Message-State: AOAM530qSTXIp5pMJ2YeBkAbJ5+ebcSwQRldGoKGcLFPtmCfEPGNTR5q XmbekebvK5I7oVtZyTQ06VsdcbaSQTpG+A== X-Google-Smtp-Source: ABdhPJxfGRlWkWqGtbx/mpTfvUHQ3jZPeJ3fY266UCFYMcVkq9Nhv4stpHayZUboELmRD0MRD1rtdQ== X-Received: by 2002:aa7:8a99:0:b029:2e9:b9f:bf4e with SMTP id a25-20020aa78a990000b02902e90b9fbf4emr290413pfc.56.1621913677896; Mon, 24 May 2021 20:34:37 -0700 (PDT) Received: from localhost ([101.178.215.23]) by smtp.gmail.com with ESMTPSA id b21sm8960551pfo.47.2021.05.24.20.34.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 May 2021 20:34:37 -0700 (PDT) From: Daniel Axtens To: skiboot@lists.ozlabs.org Date: Tue, 25 May 2021 13:34:23 +1000 Message-Id: <20210525033425.972519-2-dja@axtens.net> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210525033425.972519-1-dja@axtens.net> References: <20210525033425.972519-1-dja@axtens.net> MIME-Version: 1.0 Subject: [Skiboot] [PATCH 1/3] secvar/backend: rename verify_signature parameters X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nick.child@ibm.com, nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" verify_signature() currently takes newcert and new_data_len. However, these variables are used only as parameters to mbedtls_pkcs7_signed_hash_verify() where they represent a hash value and the length of the hash value. verify_signature() is static, and the only caller of the function is process_update(). process_update() passes in tbhbuffer and tbhbuffersize. Those are unfortunate names too - because the data that process_update() passes in is not a to-be-hashed buffer, but a hash. We'll fix that later. Call the parameters hash and hash_len. Signed-off-by: Daniel Axtens --- libstb/secvar/backend/edk2-compat-process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index 244f23403fe0..8324dc068b8e 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c @@ -455,7 +455,7 @@ out: /* Verify the PKCS7 signature on the signed data. */ static int verify_signature(const struct efi_variable_authentication_2 *auth, - const char *newcert, const size_t new_data_size, + const char *hash, const size_t hash_len, const struct secvar *avar) { mbedtls_pkcs7 *pkcs7 = NULL; @@ -534,7 +534,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, free(x509_buf); x509_buf = NULL; - rc = mbedtls_pkcs7_signed_hash_verify(pkcs7, &x509, newcert, new_data_size); + rc = mbedtls_pkcs7_signed_hash_verify(pkcs7, &x509, hash, hash_len); /* If you find a signing certificate, you are done */ if (rc == 0) {