From patchwork Mon Jun 21 08:26:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Axtens X-Patchwork-Id: 1494940 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=2404:9400:2:0:216:3eff:fee1:b9f1; helo=lists.ozlabs.org; envelope-from=skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.a=rsa-sha256 header.s=google header.b=GriMrQp0; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2404:9400:2:0:216:3eff:fee1:b9f1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4G7jLW2H84z9sWQ for ; Mon, 21 Jun 2021 18:26:59 +1000 (AEST) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4G7jLW6bdtz3083 for ; Mon, 21 Jun 2021 18:26:59 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.a=rsa-sha256 header.s=google header.b=GriMrQp0; dkim-atps=neutral X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=axtens.net (client-ip=2607:f8b0:4864:20::52e; helo=mail-pg1-x52e.google.com; envelope-from=dja@axtens.net; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.a=rsa-sha256 header.s=google header.b=GriMrQp0; dkim-atps=neutral Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4G7jLP5WJDz2xxq for ; Mon, 21 Jun 2021 18:26:53 +1000 (AEST) Received: by mail-pg1-x52e.google.com with SMTP id t9so13547066pgn.4 for ; Mon, 21 Jun 2021 01:26:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axtens.net; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=xILOCbPTOFeSZ7M1DRFX32FQPXJRxv42ByTjDlLGyZg=; b=GriMrQp0MLy35pRA6Z0Enyje4rWcI/TPtVx9wAneTcM8NX/TJY0rOVzyLOTfrYsqRi FwTHXBKrCET2XsmIxEjGNoFJyGcaw+rODGl494iGnFFz2u5SjsEALIn+KIDppcIsVpsd lZ3z9r8BVkVAaT8VHNa+pXNZaBb+lZiRMkGRs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=xILOCbPTOFeSZ7M1DRFX32FQPXJRxv42ByTjDlLGyZg=; b=jrRwHsSdqWHNosfHo+xR8qLXBzKtOjC9X5NT5dVhu8TS8JsnNwvbgTny/FLKHaXGvv JVd+Xx+otWDIup0yMV+nxdTt6ym93iE8BKnzjkCEr+FOD11fiZUwHCkc28QZ16sQ+L3N OHL6kb16uIPpQ9IzYG/DHsjTGHRf/tuUCO3Uagts2iX2FfZy1f2U1WFl489SUNGtAI5U lpwCj+lynINRVWPaxMRyJjnagffbbyrBJtbaonoLKq3QKzsM1SCZ7zKjSo+27wJuqkHj hvJUrzFf+SJxWv79cXiL/1QuxEDIAd/RYnHYblsmnUcXW8syiQOdFUW9MBp6oPjOLfi1 /y9A== X-Gm-Message-State: AOAM531GGqZZwLHwtuDPvL5Ym+d7dzRhCVpQ29nn9zLbbnu9YJusDqpY fjI8eWKhcixjoYKn2lBWFAen/CB+ynNOHQ== X-Google-Smtp-Source: ABdhPJz92L4Q97OXmjv1cbkp6jyc6F+4tlOUJvHYC5VRPt2nbU/EMfgFGYc8n8AZ8DJ8s60KCfP74g== X-Received: by 2002:aa7:829a:0:b029:2e9:e53:198d with SMTP id s26-20020aa7829a0000b02902e90e53198dmr18580035pfm.72.1624264009199; Mon, 21 Jun 2021 01:26:49 -0700 (PDT) Received: from localhost ([203.206.29.204]) by smtp.gmail.com with ESMTPSA id r128sm2773563pfc.138.2021.06.21.01.26.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 21 Jun 2021 01:26:48 -0700 (PDT) From: Daniel Axtens To: skiboot@lists.ozlabs.org Date: Mon, 21 Jun 2021 18:26:37 +1000 Message-Id: <20210621082641.26476-2-dja@axtens.net> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210621082641.26476-1-dja@axtens.net> References: <20210621082641.26476-1-dja@axtens.net> MIME-Version: 1.0 Subject: [Skiboot] [PATCH v2 1/5] secvar/backend: rename verify_signature parameters X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nick.child@ibm.com, nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" verify_signature() currently takes newcert and new_data_len. However, these variables are used only as parameters to mbedtls_pkcs7_signed_hash_verify() where they represent a hash value and the length of the hash value. verify_signature() is static, and the only caller of the function is process_update(). process_update() passes in tbhbuffer and tbhbuffersize. Those are unfortunate names too - because the data that process_update() passes in is not a to-be-hashed buffer, but a hash. We'll fix that later. Call the parameters hash and hash_len. Signed-off-by: Daniel Axtens Reviewed-by: Nick Child Tested-by: Nick Child --- libstb/secvar/backend/edk2-compat-process.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index 244f23403fe0..8324dc068b8e 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c @@ -455,7 +455,7 @@ out: /* Verify the PKCS7 signature on the signed data. */ static int verify_signature(const struct efi_variable_authentication_2 *auth, - const char *newcert, const size_t new_data_size, + const char *hash, const size_t hash_len, const struct secvar *avar) { mbedtls_pkcs7 *pkcs7 = NULL; @@ -534,7 +534,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, free(x509_buf); x509_buf = NULL; - rc = mbedtls_pkcs7_signed_hash_verify(pkcs7, &x509, newcert, new_data_size); + rc = mbedtls_pkcs7_signed_hash_verify(pkcs7, &x509, hash, hash_len); /* If you find a signing certificate, you are done */ if (rc == 0) {