git: a13066579c6f - stable/14 - libsecureboot: be more verbose about validation failures
Date: Mon, 08 Jan 2024 14:46:13 UTC
The branch stable/14 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=a13066579c6f0b80786472505f115cadbf301c25
commit a13066579c6f0b80786472505f115cadbf301c25
Author: Stéphane Rochoy <stephane.rochoy@stormshield.eu>
AuthorDate: 2023-12-04 09:57:43 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-01-07 19:39:17 +0000
libsecureboot: be more verbose about validation failures
Reviewed by: imp, sjg
Pull Request: https://github.com/freebsd/freebsd-src/pull/916
(cherry picked from commit 4b9d605768acabc460aa6dcfe8a1f8db35b16794)
---
 lib/libbearssl/Makefile.inc | 1 +
 lib/libbearssl/Makefile.libsa.inc | 3 +++
 lib/libsecureboot/vets.c | 14 +++++++++++---
 3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/lib/libbearssl/Makefile.inc b/lib/libbearssl/Makefile.inc
index 764984de9067..453630d038cd 100644
--- a/lib/libbearssl/Makefile.inc
+++ b/lib/libbearssl/Makefile.inc
@@ -1,6 +1,7 @@
 BEARSSL?= ${SRCTOP}/contrib/bearssl
 BEARSSL_SRC= ${BEARSSL}/src
+BEARSSL_TOOLS= ${BEARSSL}/tools
 CFLAGS+= -I${BEARSSL}/inc
 CFLAGS+= ${NO_WDEPRECATED_NON_PROTOTYPE}
diff --git a/lib/libbearssl/Makefile.libsa.inc b/lib/libbearssl/Makefile.libsa.inc
index c31d3f85975a..c171e141f0db 100644
--- a/lib/libbearssl/Makefile.libsa.inc
+++ b/lib/libbearssl/Makefile.libsa.inc
@@ -83,3 +83,6 @@ SRCS+= \
 x509/x509_decoder.c \
 x509/x509_minimal.c \
+# We want find_error_name().
+SRCS+= \
+ ${BEARSSL_TOOLS}/errors.c \
diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c
index 4a2aba433191..c86b198c45c5 100644
--- a/lib/libsecureboot/vets.c
+++ b/lib/libsecureboot/vets.c
@@ -568,9 +568,17 @@ verify_signer_xcs(br_x509_certificate *xcs,
 ve_error_set("Validation failed, certificate not valid as of %s", gdate(date, sizeof(date), ve_utc));
 break;
- default:
- ve_error_set("Validation failed, err = %d", err);
- break;
+ default: {
+ const char *err_desc = NULL;
+ const char *err_name = find_error_name(err, &err_desc);
+
+ if (err_name == NULL)
+ ve_error_set("Validation failed, err = %d",
+ err);
+ else
+ ve_error_set("Validation failed, %s (%s)",
+ err_desc, err_name);
+ break;
 }
 }
 } else {
 tpk = mc.vtable->get_pkey(&mc.vtable, &usages);
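Review bot: The named-error branch of the new `default:` case drops the numeric BearSSL code, so a failure that used to be reported as `Validation failed, err = N` now carries only the symbolic name and description, and the two branches emit differently shaped messages; anything that keyed on the old format (loader logs, documentation, support scripts) loses that value. Keeping the code in both branches makes the output uniform and preserves it: `ve_error_set("Validation failed, %s (%s, err = %d)", err_desc, err_name, err);`. The code also relies on find_error_name() filling `err_desc` whenever it returns a name; if the tools table can carry a NULL comment, passing it to `%s` is undefined behavior, so `err_desc != NULL ? err_desc : ""` would be cheap insurance — I have not checked the table in this change. The enclosing verify_signer_xcs() begins before this hunk.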