From patchwork Wed Jun 23 02:51:41 2021
X-Patchwork-Submitter: Daniel Axtens
X-Patchwork-Id: 1495908
From: Daniel Axtens
To: skiboot@lists.ozlabs.org
Cc: nick.child@ibm.com, nayna@linux.ibm.com
Date: Wed, 23 Jun 2021 12:51:41 +1000
Message-Id: <20210623025141.278900-1-dja@axtens.net>
X-Mailer: git-send-email 2.30.2
Subject: [Skiboot] [PATCH v2] secvar/backend: require sha256 in our PKCS#7 messages

We only handle sha256 hashes in auth structures. In the process of verifying an
auth structure, we extract the pkcs7 message and we calculate the
hopefully-matching hash, which is

    sha256(name || vendor guid || attributes || timestamp || newcontent)

We then verify that the PKCS#7 signature matches that calculated hash.

However, at no point do we check that the PKCS#7 hash algorithm is sha256. So if
the PKCS#7 message says that it is a signature on a sha512, mbedtls will compare
64 bytes of hash from the signature with 64 bytes from our hash, resulting in a
32 byte overread.

Verify that the hash algorithm in the PKCS#7 message is sha256.

Signed-off-by: Daniel Axtens
---
This is the minimal fix for the underlying bug. It should probably go in ahead of
any potential future reworking of the area.

v2: thanks Nick and Nayna for your feedback. Added error messages and properly
cleaned up the pkcs7 structure.

As always, compile tested only because I don't have access to a box set up to
test this.
---
 libstb/secvar/backend/edk2-compat-process.c | 22 +++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/libstb/secvar/backend/edk2-compat-process.c b/libstb/secvar/backend/edk2-compat-process.c index 244f23403fe0..df9753245014 100644 --- a/libstb/secvar/backend/edk2-compat-process.c +++ b/libstb/secvar/backend/edk2-compat-process.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include "libstb/crypto/pkcs7/pkcs7.h" @@ -460,6 +461,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, { mbedtls_pkcs7 *pkcs7 = NULL; mbedtls_x509_crt x509; + mbedtls_md_type_t md_alg; char *signing_cert = NULL; char *x509_buf = NULL; int signing_cert_size; @@ -478,6 +480,25 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, if (!pkcs7) return OPAL_PARAMETER; + /* + * We only support sha256, which has a hash length of 32. + * If the alg is not sha256, then we should bail now. + */ + rc = mbedtls_oid_get_md_alg(&pkcs7->signed_data.digest_alg_identifiers, + &md_alg); + if (rc != 0) { + prlog(PR_ERR, "Failed to get the Digest Algorithm Identifier: %d\n", rc); + rc = OPAL_PARAMETER; + goto err_pkcs7; + } + + if (md_alg != MBEDTLS_MD_SHA256) { + prlog(PR_ERR, "Unexpected digest algorithm: expected %d (SHA-256), got %d\n", + MBEDTLS_MD_SHA256, md_alg); + rc = OPAL_PARAMETER; + goto err_pkcs7; + } + prlog(PR_INFO, "Load the signing certificate from the keystore"); eslvarsize = avar->data_size; @@ -562,6 +583,7 @@ static int verify_signature(const struct efi_variable_authentication_2 *auth, } free(signing_cert); +err_pkcs7: mbedtls_pkcs7_free(pkcs7); free(pkcs7);
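Review bot: the include hunk adds a single header, but the code in the following hunk relies on two separate mbedtls declarations: mbedtls_oid_get_md_alg() (mbedtls/oid.h) and mbedtls_md_type_t together with MBEDTLS_MD_SHA256 (mbedtls/md.h). The header names are not visible in this rendering of the diff, so please confirm that the one added include provides both directly rather than through a transitive include that libstb/crypto/pkcs7/pkcs7.h or another header happens to drag in; if it is transitive, a second explicit include is cheap and keeps the dependency honest.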
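Review bot: the new check in verify_signature() only inspects pkcs7->signed_data.digest_alg_identifiers, which is the SignedData-level digestAlgorithms set; in PKCS#7 each SignerInfo also carries its own digestAlgorithm, and nothing forces a hostile message to keep the two consistent. If the verify path the commit message refers to derives its md_alg from this same field, the check closes the overread; if it takes the algorithm from the SignerInfo instead, the check has to be applied there as well (or the two compared), otherwise a message can pass this test with sha256 in the set and still present a sha512 SignerInfo. It is also worth confirming that the parser accepts exactly one AlgorithmIdentifier in that set, since a SET with several entries would otherwise be reduced to whichever one the parser kept. Minor points: the two prlog(PR_ERR, ...) lines print raw enum values, and mbedtls_md_get_name(mbedtls_md_info_from_type(md_alg)) gives a readable name (guard the NULL return for an unknown type); and the pre-existing prlog(PR_INFO, "Load the signing certificate from the keystore") in the context lacks a trailing "\n", which could be fixed while touching this area.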
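Review bot: the err_pkcs7 label is placed after free(signing_cert), so the two new early exits skip that free; this is correct only because signing_cert is still NULL at that point (it is initialised to NULL in the declarations shown in the earlier hunk), and any future assignment to it between the pkcs7 allocation and the new check would leak. Please also confirm that the x509 context is not initialised before the new check: mbedtls_x509_crt x509 is declared in the visible context but the matching mbedtls_x509_crt_init()/mbedtls_x509_crt_free() calls are outside the hunk, and an early goto must not skip a free that pairs with an init already performed. The return after free(pkcs7) is likewise not in the context, so double-check that it returns rc (now OPAL_PARAMETER on the new paths) rather than a fixed success value.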
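The digest-algorithm check the commit message describes, as an added example that is not code from skiboot, mbedtls or this patch: a hand-rolled DER walker stands in for mbedtls_oid_get_md_alg(), the names md_alg_from_algid(), md_size(), overread_bytes() and check_pkcs7_digest_alg() are this example's own, and the AlgorithmIdentifier byte strings are constructed here. It shows why the length implied by the message's digest algorithm must not be trusted: a SignedData that claims sha512 implies a 64-byte digest, so a verifier that compares it against the 32-byte hash we computed reads 32 bytes past our buffer, while the fixed check rejects the message before any comparison happens.

```c
/*
 * Added example (not skiboot or mbedtls code): reject a PKCS#7 SignedData
 * whose digestAlgorithm is not SHA-256 before its digest length is used.
 * A tiny DER walker stands in for mbedtls_oid_get_md_alg(); every sample
 * buffer below is constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUR_HASH_LEN 32   /* we always compute sha256(name || guid || attrs || ts || data) */

enum md_type { MD_NONE = 0, MD_SHA256, MD_SHA384, MD_SHA512 };

/* DER contents (tag and length stripped) of the NIST hash OIDs
 * 2.16.840.1.101.3.4.2.{1,2,3} = sha256, sha384, sha512. */
static const uint8_t OID_SHA256[] = { 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01 };
static const uint8_t OID_SHA384[] = { 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02 };
static const uint8_t OID_SHA512[] = { 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03 };

/* Constructed AlgorithmIdentifier values: SEQUENCE { OID, NULL }. */
static const uint8_t ALGID_SHA256[] = { 0x30,0x0d, 0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, 0x05,0x00 };
static const uint8_t ALGID_SHA512[] = { 0x30,0x0d, 0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03, 0x05,0x00 };
/* Constructed malformed value: the OID claims 9 bytes but only 4 follow. */
static const uint8_t ALGID_TRUNCATED[] = { 0x30,0x06, 0x06,0x09,0x60,0x86,0x48,0x01 };

/* Read one DER TLV with a short-form (< 128) length. Returns 0 on success. */
static int der_get_tlv(const uint8_t *buf, size_t len, uint8_t tag,
                       const uint8_t **val, size_t *vlen, size_t *used)
{
    if (len < 2 || buf[0] != tag || (buf[1] & 0x80))
        return -1;
    if ((size_t)buf[1] + 2 > len)
        return -1;                     /* length runs past the buffer */
    *val = buf + 2;
    *vlen = buf[1];
    *used = (size_t)buf[1] + 2;
    return 0;
}

static int oid_eq(const uint8_t *oid, size_t oidlen, const uint8_t *want, size_t wantlen)
{
    return oidlen == wantlen && memcmp(oid, want, wantlen) == 0;
}

/* Map a DER AlgorithmIdentifier to a digest type; MD_NONE if unknown or malformed. */
enum md_type md_alg_from_algid(const uint8_t *der, size_t len)
{
    const uint8_t *seq, *oid;
    size_t seqlen, oidlen, used;

    if (der_get_tlv(der, len, 0x30, &seq, &seqlen, &used) || used != len)
        return MD_NONE;                /* not a single, well-formed SEQUENCE */
    if (der_get_tlv(seq, seqlen, 0x06, &oid, &oidlen, &used))
        return MD_NONE;                /* first element must be the OID */
    /* optional NULL parameters may follow; the OID alone decides */
    if (oid_eq(oid, oidlen, OID_SHA256, sizeof OID_SHA256)) return MD_SHA256;
    if (oid_eq(oid, oidlen, OID_SHA384, sizeof OID_SHA384)) return MD_SHA384;
    if (oid_eq(oid, oidlen, OID_SHA512, sizeof OID_SHA512)) return MD_SHA512;
    return MD_NONE;
}

/* Digest length the algorithm implies, i.e. how many bytes a verifier that
 * trusts the message's algorithm will read from the caller's hash buffer. */
size_t md_size(enum md_type t)
{
    switch (t) {
    case MD_SHA256: return 32;
    case MD_SHA384: return 48;
    case MD_SHA512: return 64;
    default:        return 0;
    }
}

/* Bytes read past a hash buffer of 'have' bytes when the claimed algorithm
 * is trusted for the length: the bug the patch fixes, measured, not executed. */
size_t overread_bytes(enum md_type claimed, size_t have)
{
    size_t need = md_size(claimed);
    return need > have ? need - have : 0;
}

/* The fix: accept only SHA-256, whose 32 bytes match the hash we computed,
 * and reject anything else before any comparison runs. */
int check_pkcs7_digest_alg(const uint8_t *algid, size_t len)
{
    enum md_type alg = md_alg_from_algid(algid, len);

    if (alg == MD_NONE) {
        fprintf(stderr, "failed to parse the digest algorithm identifier\n");
        return -1;
    }
    if (alg != MD_SHA256) {
        fprintf(stderr, "unexpected digest algorithm: expected %d (SHA-256), got %d\n",
                MD_SHA256, alg);
        return -1;
    }
    return 0;
}

int main(void)
{
    enum md_type claimed = md_alg_from_algid(ALGID_SHA512, sizeof ALGID_SHA512);

    printf("sha256 message: %s\n",
           check_pkcs7_digest_alg(ALGID_SHA256, sizeof ALGID_SHA256) == 0 ? "accepted" : "rejected");
    printf("sha512 message: %s (unchecked compare would overread %zu bytes)\n",
           check_pkcs7_digest_alg(ALGID_SHA512, sizeof ALGID_SHA512) == 0 ? "accepted" : "rejected",
           overread_bytes(claimed, OUR_HASH_LEN));
    return 0;
}
```

The 32 in the commit message falls straight out of overread_bytes(): 64 bytes implied by sha512 minus the 32 we actually hold. The real fix is the early rejection, and it has to sit before the call that consumes the length, which is where the patch places it.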