From patchwork Thu Jun 24 08:43:57 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Axtens X-Patchwork-Id: 1496451 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org (client-ip=112.213.38.117; helo=lists.ozlabs.org; envelope-from=skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.a=rsa-sha256 header.s=google header.b=rVsDKQ/Y; dkim-atps=neutral Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4G9YZx3jSdz9sXL for ; Thu, 24 Jun 2021 18:44:09 +1000 (AEST) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4G9YZy19Dyz305n for ; Thu, 24 Jun 2021 18:44:10 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.a=rsa-sha256 header.s=google header.b=rVsDKQ/Y; dkim-atps=neutral X-Original-To: skiboot@lists.ozlabs.org Delivered-To: skiboot@lists.ozlabs.org Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=axtens.net (client-ip=2607:f8b0:4864:20::102f; helo=mail-pj1-x102f.google.com; envelope-from=dja@axtens.net; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=axtens.net header.i=@axtens.net header.a=rsa-sha256 header.s=google header.b=rVsDKQ/Y; dkim-atps=neutral Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4G9YZv3ZJsz2yxl for ; Thu, 24 Jun 2021 18:44:07 +1000 (AEST) Received: by mail-pj1-x102f.google.com with SMTP id z3-20020a17090a3983b029016bc232e40bso3020524pjb.4 for ; Thu, 24 Jun 2021 01:44:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axtens.net; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=FRJkcQ6JVfWXxN7lli7qjdEK3ndgGPv9Of0usUjUCHk=; b=rVsDKQ/YqDJzHlofEf66YhCoUZwPWT01meYNjb1K7pKKSmaxdDrkhuWAVWxYTkM4B2 c69aqP3irSO17U/ztUWUT1P/Few3ThEQdrZ9+xIRKgTV0Pzyi/6kVYqE9K44IRfGYLe9 0V9GRYIYWO1ep4+lgP6Mcb6kjcwQMMQ7mxA48= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=FRJkcQ6JVfWXxN7lli7qjdEK3ndgGPv9Of0usUjUCHk=; b=Wh5Fw0Zww3Zfttc0n1DYQOfkavq7HbVaMQmGgGxxv28e0p7oU0R0y9iTmQeg0kT1H3 gEsuexxmyNX2B25m3dGMbfR7LfP7V1tJLuzkJv0xaB6Sw8mYqECo1iHzkC3iEhmx87dL GE5zFaS2RM995jB0sUwKVBtaTfw8SOlnfhcwhabVgvtgBvZ+EQEVqTdzAi1+z+Z+7OOo ujEResSag21ZQcwkVgEFQpNPJIRCdld00Ba3Dxv7coFGUN5hvN3Vqo1BWocozLKc+pr1 d4dWGQJDEVKoND3f6U5JnQ3l0jlh6shiTIo8hr6aedWahsKBy7j4PX9MmiePzcCw+1zm am7w== X-Gm-Message-State: AOAM530gr5hbfzqrkbFCG2yw3y/UiUq8f9udHdysu71kI2RZ+FkFev1v GC3PM/4PwkYS+f0L7xWsnJRwVOhwy1zHVA== X-Google-Smtp-Source: ABdhPJxLmG+IY6eBP5LsFNqTsjodDxQbKpsADgHpIY/r+VwpD8hjBH89P3SJt2u5TD8gcZQ+cesmIg== X-Received: by 2002:a17:902:208:b029:125:f09c:8712 with SMTP id 8-20020a1709020208b0290125f09c8712mr3393753plc.15.1624524243970; Thu, 24 Jun 2021 01:44:03 -0700 (PDT) Received: from localhost ([203.206.29.204]) by smtp.gmail.com with ESMTPSA id i13sm7038645pjl.2.2021.06.24.01.44.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 24 Jun 2021 01:44:03 -0700 (PDT) From: Daniel Axtens To: skiboot@lists.ozlabs.org Date: Thu, 24 Jun 2021 18:43:57 +1000 Message-Id: <20210624084357.565950-1-dja@axtens.net> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Subject: [Skiboot] [PATCH v3] secvar/backend: require sha256 in our PKCS#7 messages X-BeenThere: skiboot@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Mailing list for skiboot development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: nick.child@ibm.com, nayna@linux.ibm.com Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" We only handle sha256 hashes in auth structures. In the process of verifying an auth structure, we extract the pkcs7 message and we calculate the hopefully-matching hash, which is sha256(name || vendor guid || attributes || timestamp || newcontent) We then verify that the PKCS#7 signature matches that calculated hash. However, at no point do we check that the PKCS#7 hash algorithm is sha256. So if the PKCS#7 message says that it is a signature on a sha512, mbedtls will compare 64 bytes of hash from the signature with 64 bytes from our hash, resulting in a 32 byte overread. Verify that the hash algorithm in the PKCS#7 message is sha256. Add a test. Signed-off-by: Daniel Axtens Reviewed-by: Nayna Jain Tested-by: Nayna Jain --- This is the minimal fix for the underlying bug. It should probably go in ahead of any potential future reworking of the area. v3: add a test. Without the fix, valgrind observes overreads when running the test. Thanks Nayna. The test reveals that the pkcs is checked for each potential authority key rather than just once, but that can be dealt with via refactor at another point. v2: thanks Nick and Nayna for your feedback. Added error messages and properly cleaned up the pkcs7 structure. --- libstb/secvar/backend/edk2-compat-process.c | 22 +++ libstb/secvar/test/data/pkcs7_sha512.h | 181 +++++++++++++++++++ libstb/secvar/test/secvar-test-edk2-compat.c | 13 ++ 3 files changed, 216 insertions(+) create mode 100644 libstb/secvar/test/data/pkcs7_sha512.h diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index 244f23403fe0..df9753245014 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include "libstb/crypto/pkcs7/pkcs7.h" @@ -460,6 +461,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, { mbedtls_pkcs7 *pkcs7 = NULL; mbedtls_x509_crt x509; + mbedtls_md_type_t md_alg; char *signing_cert = NULL; char *x509_buf = NULL; int signing_cert_size; @@ -478,6 +480,25 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, if (!pkcs7) return OPAL_PARAMETER; + /* + * We only support sha256, which has a hash length of 32. + * If the alg is not sha256, then we should bail now. + */ + rc = mbedtls_oid_get_md_alg(&pkcs7->signed_data.digest_alg_identifiers, + &md_alg); + if (rc != 0) { + prlog(PR_ERR, "Failed to get the Digest Algorithm Identifier: %d\n", rc); + rc = OPAL_PARAMETER; + goto err_pkcs7; + } + + if (md_alg != MBEDTLS_MD_SHA256) { + prlog(PR_ERR, "Unexpected digest algorithm: expected %d (SHA-256), got %d\n", + MBEDTLS_MD_SHA256, md_alg); + rc = OPAL_PARAMETER; + goto err_pkcs7; + } + prlog(PR_INFO, "Load the signing certificate from the keystore"); eslvarsize = avar->data_size; @@ -562,6 +583,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, } free(signing_cert); +err_pkcs7: mbedtls_pkcs7_free(pkcs7); free(pkcs7); diff --git a/libstb/secvar/test/data/pkcs7_sha512.h b/libstb/secvar/test/data/pkcs7_sha512.h new file mode 100644 index 000000000000..bd120b11e042 --- /dev/null +++ b/libstb/secvar/test/data/pkcs7_sha512.h @@ -0,0 +1,181 @@ +unsigned char pkcs7_sha512[] = { + 0xe5, 0x07, 0x06, 0x18, 0x12, 0x0e, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xe8, 0x04, 0x00, 0x00, 0x00, 0x02, 0xf1, 0x0e, + 0x9d, 0xd2, 0xaf, 0x4a, 0xdf, 0x68, 0xee, 0x49, 0x8a, 0xa9, 0x34, 0x7d, + 0x37, 0x56, 0x65, 0xa7, 0x30, 0x82, 0x04, 0xcc, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x04, 0xbd, 0x30, + 0x82, 0x04, 0xb9, 0x02, 0x01, 0x01, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x30, 0x0b, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, + 0x03, 0x2d, 0x30, 0x82, 0x03, 0x29, 0x30, 0x82, 0x02, 0x11, 0xa0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x14, 0x6b, 0x7b, 0x12, 0xf0, 0xc6, 0x66, 0x78, + 0x78, 0xa1, 0xa2, 0xe8, 0x79, 0x4b, 0x31, 0xa5, 0xa8, 0x9e, 0x58, 0x7a, + 0x41, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x0b, 0x05, 0x00, 0x30, 0x24, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, + 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x43, 0x31, 0x15, 0x30, 0x13, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x69, 0x6e, + 0x67, 0x20, 0x63, 0x6f, 0x72, 0x70, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x30, + 0x31, 0x30, 0x31, 0x36, 0x31, 0x39, 0x30, 0x38, 0x30, 0x35, 0x5a, 0x17, + 0x0d, 0x32, 0x30, 0x31, 0x31, 0x31, 0x35, 0x31, 0x39, 0x30, 0x38, 0x30, + 0x35, 0x5a, 0x30, 0x24, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x06, 0x13, 0x02, 0x4e, 0x43, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, + 0x04, 0x0a, 0x0c, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x20, + 0x63, 0x6f, 0x72, 0x70, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, + 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, + 0x00, 0xcf, 0xf3, 0x6e, 0xc9, 0xaf, 0x12, 0x42, 0xdb, 0xa9, 0x59, 0x6d, + 0xef, 0xf6, 0x0e, 0x54, 0xe8, 0x21, 0x57, 0xc4, 0x78, 0x3f, 0x6d, 0x83, + 0x37, 0x1a, 0x29, 0x10, 0xd2, 0xb8, 0xb7, 0x24, 0x49, 0x5f, 0x5f, 0x32, + 0xc9, 0x39, 0xdc, 0x40, 0xa4, 0x5d, 0xea, 0x7b, 0xb7, 0xb3, 0x42, 0xab, + 0x43, 0x47, 0x3d, 0x91, 0x6e, 0xf1, 0x5d, 0x3f, 0xf9, 0x2d, 0x9e, 0x88, + 0xc4, 0x05, 0x73, 0x9b, 0x0a, 0xa8, 0xf7, 0xb2, 0x8e, 0x24, 0x69, 0x13, + 0xf0, 0xbc, 0x5d, 0xde, 0x32, 0x40, 0x42, 0x31, 0x58, 0x9e, 0x48, 0x76, + 0x1f, 0x6b, 0x10, 0x19, 0x1c, 0x4e, 0x45, 0x82, 0x19, 0xc0, 0xed, 0xfc, + 0x5c, 0x7c, 0x19, 0xfd, 0x85, 0x13, 0x2b, 0xf0, 0x38, 0x83, 0x7b, 0xe5, + 0x1d, 0x86, 0x70, 0xed, 0x8f, 0x52, 0x16, 0x60, 0x14, 0xfb, 0xaf, 0x23, + 0x19, 0xa5, 0x45, 0x44, 0x91, 0x54, 0xd0, 0xe8, 0x79, 0x34, 0xbe, 0x4f, + 0xb3, 0x8c, 0x56, 0x8c, 0x7c, 0xbf, 0x6a, 0xa2, 0x44, 0x04, 0x51, 0xe5, + 0x0f, 0x30, 0x04, 0xe9, 0x90, 0xb1, 0x8a, 0xe3, 0x9b, 0x95, 0xb1, 0xd6, + 0xde, 0x9e, 0x98, 0x14, 0x07, 0x63, 0xbd, 0x88, 0x94, 0x54, 0xb6, 0x03, + 0x8d, 0xf5, 0x8e, 0xca, 0x82, 0xc8, 0xb1, 0x78, 0xba, 0xb4, 0x21, 0x45, + 0x6f, 0xd4, 0x0c, 0xda, 0xcb, 0x81, 0x1a, 0x9b, 0xb2, 0x0c, 0xa9, 0x7c, + 0x48, 0x84, 0xc8, 0xbd, 0xce, 0x46, 0x1b, 0x8b, 0x38, 0xe2, 0x67, 0x50, + 0x3c, 0x3e, 0x3e, 0x32, 0xec, 0x0b, 0x39, 0xc7, 0xe0, 0xd5, 0x00, 0xc5, + 0x7a, 0xd3, 0x1c, 0xd1, 0xfb, 0x0a, 0xc7, 0x5b, 0x1d, 0x21, 0x3d, 0x50, + 0x53, 0x87, 0xa1, 0xb4, 0x16, 0x5b, 0x1e, 0x80, 0x80, 0xaa, 0xe5, 0xf9, + 0x69, 0x6c, 0x48, 0xab, 0x45, 0x66, 0x05, 0x04, 0xc7, 0xad, 0xc1, 0x24, + 0x4a, 0xde, 0xad, 0x14, 0x55, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, + 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, + 0x14, 0x69, 0x73, 0x3b, 0xcc, 0xa5, 0x2b, 0x5b, 0xd1, 0xfe, 0xe9, 0x73, + 0xa3, 0xcb, 0x90, 0x84, 0x0a, 0xa3, 0x60, 0x5f, 0xbb, 0x30, 0x1f, 0x06, + 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x69, 0x73, + 0x3b, 0xcc, 0xa5, 0x2b, 0x5b, 0xd1, 0xfe, 0xe9, 0x73, 0xa3, 0xcb, 0x90, + 0x84, 0x0a, 0xa3, 0x60, 0x5f, 0xbb, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, + 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, + 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, + 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x99, 0xdd, 0xbb, 0x72, 0xf5, + 0x8e, 0xdc, 0x7b, 0xe7, 0x9c, 0x6d, 0x47, 0x37, 0x01, 0xc9, 0xc2, 0xc9, + 0x90, 0x01, 0x5d, 0x26, 0x80, 0xce, 0x2b, 0xd3, 0xdd, 0x26, 0x67, 0x2a, + 0x77, 0x41, 0x06, 0x78, 0xed, 0xe7, 0xb0, 0x58, 0x93, 0x44, 0xe5, 0x79, + 0xc0, 0xa6, 0x52, 0x1d, 0x2c, 0x10, 0x16, 0xaa, 0xee, 0x97, 0x05, 0x80, + 0x6d, 0xba, 0x45, 0xd8, 0xd3, 0xf5, 0x98, 0x8d, 0xd1, 0x66, 0x9a, 0x1c, + 0x96, 0xf5, 0x2e, 0xb4, 0x4d, 0xa3, 0x79, 0x5f, 0x81, 0xb9, 0x5c, 0xcd, + 0x45, 0x80, 0xa4, 0x15, 0xb3, 0x3e, 0x05, 0xf9, 0x12, 0x62, 0x41, 0x7b, + 0x97, 0x08, 0x90, 0x13, 0xd3, 0x1a, 0xe7, 0xe5, 0x68, 0x1d, 0x24, 0xdb, + 0x7c, 0x78, 0xd7, 0x3a, 0x4a, 0x5d, 0x7c, 0xb7, 0xf8, 0x5d, 0xa4, 0xe2, + 0x40, 0x86, 0x26, 0xc0, 0x45, 0x00, 0x80, 0x16, 0x88, 0x97, 0x3e, 0x8c, + 0x5c, 0x38, 0x6b, 0xa6, 0x3f, 0x7d, 0x80, 0xb4, 0xec, 0x1f, 0x89, 0x0a, + 0xd3, 0x64, 0x3a, 0x85, 0xab, 0xd7, 0x0b, 0x17, 0x68, 0xc1, 0x41, 0xfc, + 0xe6, 0xa0, 0x2d, 0xc8, 0x0e, 0xfd, 0xf0, 0x28, 0xf3, 0xe0, 0xb7, 0x98, + 0xf3, 0xc9, 0x93, 0x97, 0xeb, 0x7f, 0x81, 0x13, 0x86, 0x95, 0x17, 0x45, + 0x0d, 0x3e, 0x0d, 0x35, 0x5d, 0x2d, 0xa4, 0xa4, 0x04, 0xaa, 0x22, 0x7b, + 0x40, 0x47, 0xc7, 0x31, 0x88, 0x99, 0x03, 0xaf, 0xf7, 0xe6, 0x14, 0x1b, + 0xcf, 0xf7, 0x3b, 0x5d, 0xc6, 0x48, 0x24, 0x42, 0xcf, 0xfe, 0x10, 0x10, + 0xc0, 0x2b, 0x23, 0x28, 0xb8, 0x4a, 0x3a, 0xff, 0x21, 0xd4, 0xa3, 0x15, + 0x51, 0xbc, 0xd4, 0xd2, 0x09, 0x77, 0x77, 0x3e, 0x65, 0xb4, 0x3d, 0x1e, + 0xd6, 0xc0, 0xe9, 0x3b, 0x0e, 0xee, 0xa8, 0x68, 0x46, 0x25, 0x47, 0x57, + 0x08, 0x2e, 0x80, 0x99, 0x9b, 0x49, 0xfb, 0xd9, 0xc5, 0x46, 0xd7, 0x31, + 0x82, 0x01, 0x65, 0x30, 0x82, 0x01, 0x61, 0x02, 0x01, 0x01, 0x30, 0x3c, + 0x30, 0x24, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x4e, 0x43, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, + 0x0c, 0x0c, 0x74, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x63, 0x6f, + 0x72, 0x70, 0x02, 0x14, 0x6b, 0x7b, 0x12, 0xf0, 0xc6, 0x66, 0x78, 0x78, + 0xa1, 0xa2, 0xe8, 0x79, 0x4b, 0x31, 0xa5, 0xa8, 0x9e, 0x58, 0x7a, 0x41, + 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, + 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xbe, 0xa2, 0xf0, 0x8e, + 0x02, 0x81, 0x48, 0x13, 0xfa, 0x48, 0x63, 0x1a, 0x92, 0xc1, 0x8f, 0xdd, + 0x5e, 0xaa, 0xb8, 0xdb, 0x0c, 0xe0, 0x60, 0xb4, 0xfe, 0xf3, 0xc3, 0xb6, + 0x78, 0xa1, 0x59, 0xaf, 0x3b, 0xaf, 0x73, 0x64, 0x16, 0x7f, 0x0e, 0x00, + 0x24, 0x73, 0x50, 0x2f, 0x7e, 0x75, 0xde, 0x96, 0xe9, 0xe0, 0x5e, 0xb4, + 0x26, 0x18, 0x31, 0x54, 0xdf, 0x56, 0x3e, 0x95, 0x40, 0xc6, 0xa0, 0xdd, + 0x3e, 0xb1, 0x10, 0x63, 0x2b, 0xb2, 0x9d, 0x4f, 0xee, 0xce, 0x47, 0xf1, + 0x52, 0xcf, 0x8c, 0x5e, 0x94, 0xc5, 0xa0, 0xb7, 0x0f, 0xb4, 0x41, 0x2e, + 0x00, 0x48, 0xeb, 0x22, 0x1b, 0x6a, 0x52, 0x18, 0x02, 0x08, 0xc3, 0x64, + 0xcf, 0x62, 0x84, 0x0e, 0xa1, 0xfc, 0x60, 0xe2, 0x75, 0xe5, 0x87, 0x7d, + 0x4e, 0xa0, 0x2b, 0x91, 0x00, 0xec, 0x44, 0x67, 0x36, 0x83, 0x45, 0x76, + 0x64, 0xd4, 0xa5, 0xf1, 0xec, 0xba, 0x9b, 0x5f, 0xa8, 0x4e, 0x4b, 0xdf, + 0xe3, 0x51, 0xf1, 0xba, 0x65, 0x66, 0x3f, 0x60, 0xe2, 0xee, 0xb6, 0xc1, + 0xc8, 0xb3, 0xdb, 0xc9, 0x0a, 0x53, 0x43, 0xb1, 0x73, 0xb6, 0x8a, 0xcc, + 0xa0, 0x22, 0x7c, 0x54, 0xbb, 0xf9, 0x71, 0x83, 0x1f, 0xd4, 0xd4, 0x4c, + 0xb9, 0xfc, 0x99, 0xf4, 0x07, 0xe2, 0x94, 0x6d, 0x82, 0xdc, 0x98, 0x31, + 0x8f, 0x5b, 0xba, 0x39, 0x12, 0x58, 0xa4, 0x88, 0x92, 0x2f, 0xb0, 0x62, + 0x43, 0x7a, 0xc6, 0x46, 0x83, 0xde, 0x95, 0x2a, 0x46, 0x2b, 0x91, 0x72, + 0x14, 0x93, 0x3d, 0xed, 0xbb, 0xbd, 0x0b, 0x79, 0x80, 0x96, 0x9e, 0x36, + 0x38, 0x2a, 0xf7, 0x13, 0x0d, 0xcc, 0xb7, 0x95, 0xcc, 0x59, 0x4b, 0x8f, + 0x59, 0xc1, 0xf1, 0xc7, 0x5d, 0x70, 0xcf, 0x73, 0x92, 0xf5, 0x4d, 0x6f, + 0xd5, 0x41, 0x1d, 0x3b, 0x73, 0x11, 0x96, 0xb8, 0xdb, 0x84, 0xd6, 0x6e, + 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, + 0x5c, 0x2b, 0xf0, 0x72, 0x59, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x3d, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x82, 0x03, 0x29, + 0x30, 0x82, 0x02, 0x11, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x14, 0x1a, + 0x6b, 0x6e, 0x57, 0x9b, 0xe1, 0x3b, 0x0a, 0x61, 0xca, 0x88, 0xa1, 0x22, + 0x67, 0x1f, 0xdd, 0x0f, 0x43, 0xc3, 0x86, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x24, + 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, + 0x43, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, + 0x74, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x63, 0x6f, 0x72, 0x70, + 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x30, 0x31, 0x30, 0x31, 0x36, 0x31, 0x39, + 0x30, 0x38, 0x30, 0x37, 0x5a, 0x17, 0x0d, 0x32, 0x30, 0x31, 0x31, 0x31, + 0x35, 0x31, 0x39, 0x30, 0x38, 0x30, 0x37, 0x5a, 0x30, 0x24, 0x31, 0x0b, + 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x43, 0x31, + 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x74, 0x65, + 0x73, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x63, 0x6f, 0x72, 0x70, 0x30, 0x82, + 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, + 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xde, 0x05, 0xb4, 0x0a, 0x74, + 0x02, 0x1d, 0x88, 0x92, 0x6b, 0x58, 0x72, 0x77, 0xf4, 0xa0, 0x71, 0x69, + 0xf4, 0x9f, 0x24, 0x00, 0xab, 0x7f, 0x62, 0x39, 0xfb, 0x56, 0xd0, 0x4c, + 0xc5, 0xb1, 0x7e, 0x16, 0x7f, 0x44, 0xfb, 0xc9, 0x9d, 0xb6, 0x7c, 0x9e, + 0x86, 0x38, 0xc2, 0x56, 0x4e, 0x39, 0x7a, 0x2b, 0x79, 0xbf, 0x4b, 0x2e, + 0xe1, 0x49, 0xd6, 0xce, 0x62, 0x44, 0xc1, 0xbc, 0xbe, 0x12, 0x98, 0xfd, + 0x62, 0x51, 0x29, 0x1d, 0x66, 0xd1, 0x71, 0x6e, 0x2c, 0xfb, 0xa9, 0x19, + 0x11, 0xac, 0x01, 0xee, 0x3a, 0xd4, 0xd2, 0x69, 0x5d, 0x47, 0x12, 0x74, + 0x9a, 0xc6, 0x6a, 0x71, 0x6e, 0xbe, 0x4b, 0x72, 0x68, 0x41, 0xec, 0x38, + 0x12, 0x45, 0xf2, 0x1d, 0xbe, 0x97, 0xfd, 0xc5, 0x1a, 0xdf, 0xc7, 0xd1, + 0x10, 0xf1, 0x15, 0xe7, 0x68, 0x3d, 0xc2, 0x65, 0xc9, 0x1d, 0xe7, 0x55, + 0x2e, 0x51, 0xc6, 0xc9, 0xde, 0x94, 0x59, 0x8a, 0x2b, 0xf0, 0x84, 0xc3, + 0x02, 0x79, 0xbb, 0x21, 0x46, 0x7c, 0xbb, 0x30, 0x91, 0xa0, 0x5b, 0x96, + 0xf0, 0x27, 0x37, 0x70, 0x13, 0x97, 0x2e, 0x8b, 0x10, 0xb7, 0x7b, 0xf8, + 0x46, 0xa7, 0x8c, 0xb7, 0x4d, 0x82, 0xc4, 0xa4, 0x14, 0xd5, 0x7e, 0x10, + 0xb0, 0xf6, 0xca, 0xf8, 0xc1, 0xe7, 0xa5, 0x65, 0x32, 0xf5, 0x1e, 0xa9, + 0x8a, 0x3d, 0x8c, 0xa6, 0x43, 0xa5, 0x82, 0x2a, 0xb5, 0xf3, 0x88, 0x06, + 0xb4, 0x36, 0x94, 0x3a, 0x17, 0x9a, 0x6f, 0x9d, 0x2c, 0x7c, 0xee, 0x29, + 0x47, 0x01, 0x6b, 0xf7, 0x6b, 0x1e, 0xd8, 0x2c, 0xe4, 0xb3, 0xea, 0x38, + 0x5e, 0x00, 0xc1, 0xae, 0x7f, 0x8e, 0x1f, 0xef, 0xc1, 0x53, 0x65, 0x9b, + 0x52, 0xce, 0x37, 0x91, 0xe7, 0x3b, 0x0e, 0x66, 0x79, 0x6d, 0xd1, 0xd9, + 0xbd, 0x45, 0x2e, 0x35, 0x7c, 0xc7, 0x81, 0x14, 0x7e, 0x2e, 0xd5, 0x02, + 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, + 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x54, 0x7d, 0x90, 0xdc, 0xd8, + 0xb0, 0x52, 0x83, 0x4e, 0x07, 0xa4, 0x89, 0xab, 0x03, 0x78, 0xe4, 0x7b, + 0x58, 0xeb, 0x05, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, + 0x30, 0x16, 0x80, 0x14, 0x54, 0x7d, 0x90, 0xdc, 0xd8, 0xb0, 0x52, 0x83, + 0x4e, 0x07, 0xa4, 0x89, 0xab, 0x03, 0x78, 0xe4, 0x7b, 0x58, 0xeb, 0x05, + 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, + 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, + 0x00, 0xa2, 0xd2, 0xd9, 0x88, 0x48, 0x0c, 0x93, 0x51, 0xed, 0xe2, 0xe6, + 0x05, 0xdf, 0xd9, 0x85, 0x7f, 0x8a, 0x50, 0xaf, 0x23, 0xe4, 0xba, 0x7f, + 0xf2, 0xc4, 0xe8, 0xa2, 0x8e, 0x45, 0xfa, 0x98, 0x83, 0x95, 0x0d, 0xaa, + 0xc8, 0x7f, 0x36, 0x8c, 0x0b, 0xfc, 0x0f, 0x24, 0x52, 0xde, 0x0b, 0x3c, + 0x08, 0xa7, 0x4c, 0x63, 0x66, 0x04, 0x87, 0x49, 0xcb, 0x2c, 0xd7, 0x13, + 0x33, 0x07, 0x35, 0x08, 0x79, 0xd1, 0x63, 0x1a, 0x50, 0x69, 0x66, 0xdf, + 0x29, 0xe5, 0xa8, 0x09, 0xa0, 0xb6, 0x9c, 0xed, 0x9c, 0xa5, 0xf7, 0x30, + 0x9d, 0x73, 0x14, 0x04, 0x68, 0x2c, 0x8b, 0xa2, 0x34, 0x50, 0x59, 0xc2, + 0x62, 0xbf, 0xf4, 0xda, 0xa3, 0xff, 0x7b, 0x3d, 0x7b, 0x15, 0xe6, 0xad, + 0x02, 0xc1, 0x8a, 0x54, 0xa7, 0x4f, 0x42, 0xb5, 0xc3, 0xa2, 0x22, 0xe6, + 0x92, 0xad, 0x8b, 0xc1, 0x37, 0x4f, 0xd1, 0xca, 0xa4, 0xf3, 0x01, 0xa7, + 0xb0, 0xdd, 0x0d, 0xb4, 0x11, 0x1b, 0x07, 0x9f, 0x5d, 0x7a, 0x2a, 0x0c, + 0xf8, 0xf2, 0x01, 0xb0, 0x4c, 0x69, 0xf7, 0x6c, 0x33, 0x65, 0x03, 0x29, + 0x8a, 0x19, 0xbb, 0x54, 0xfe, 0xfb, 0xb7, 0x1f, 0x9e, 0x99, 0x56, 0x1d, + 0x71, 0x0d, 0x1d, 0x5d, 0x33, 0x3e, 0x0f, 0xbf, 0xc0, 0x0b, 0xcc, 0x56, + 0x74, 0x3f, 0xb2, 0x1f, 0xaf, 0x75, 0xe4, 0x5b, 0xc1, 0xd8, 0x5f, 0x83, + 0xbf, 0x21, 0xa4, 0xd5, 0xe9, 0xa2, 0x14, 0xfc, 0xd8, 0x9e, 0x6b, 0x33, + 0x58, 0x5c, 0x20, 0x79, 0xc7, 0x09, 0x01, 0x32, 0x80, 0xa8, 0x34, 0x14, + 0xe2, 0x8f, 0x8e, 0x59, 0x3d, 0x8a, 0x31, 0xd4, 0x60, 0x3a, 0x14, 0x5f, + 0x57, 0x22, 0x05, 0xe4, 0x42, 0xe3, 0x97, 0xd5, 0x24, 0x10, 0xcc, 0xe6, + 0x38, 0x95, 0x82, 0xf0, 0xfb, 0xdf, 0x72, 0x67, 0x8a, 0x9b, 0x86, 0x22, + 0xed, 0x9f, 0xea, 0x87, 0x6c +}; +unsigned int pkcs7_sha512_len = 2129; diff --git a/libstb/secvar/test/secvar-test-edk2-compat.c b/libstb/secvar/test/secvar-test-edk2-compat.c index 8259ffa172d2..87c3fe34d4a8 100644 --- a/libstb/secvar/test/secvar-test-edk2-compat.c +++ b/libstb/secvar/test/secvar-test-edk2-compat.c @@ -22,6 +22,7 @@ #include "./data/dbxcert.h" #include "./data/dbxsha512.h" #include "./data/dbxmalformed.h" +#include "./data/pkcs7_sha512.h" bool test_hw_key_hash = false; @@ -383,6 +384,18 @@ int run_test() ASSERT(0 != tmp->data_size); ASSERT(!setup_mode); + /* updates with pkcs#7 messages with sha512 hashes should be rejected */ + printf("Add db where auth has sha512 in PKCS#7\n"); + tmp = new_secvar("db", 3, pkcs7_sha512, pkcs7_sha512_len, 0); + ASSERT(0 == edk2_compat_validate(tmp)); + list_add_tail(&update_bank, &tmp->link); + ASSERT(1 == list_length(&update_bank)); + + rc = edk2_compat_process(&variable_bank, &update_bank); + ASSERT(OPAL_PARAMETER == rc); + ASSERT(5 == list_length(&variable_bank)); + ASSERT(0 == list_length(&update_bank)); + /* Delete PK. */ printf("Delete PK\n"); /* Add hw_key_hash explicitly to ensure it is deleted as part of PK deletion. */