git: dae4eb623e86 - main - libsecureboot add sha384 and sha512 for OpenPGP

From: Simon J. Gerraty <sjg_at_FreeBSD.org>
Date: Mon, 20 Jan 2025 20:58:43 UTC
The branch main has been updated by sjg:

URL: https://cgit.FreeBSD.org/src/commit/?id=dae4eb623e862789533dca8b644ea531502a088f

commit dae4eb623e862789533dca8b644ea531502a088f
Author:     Simon J. Gerraty <sjg@FreeBSD.org>
AuthorDate: 2025-01-20 20:56:44 +0000
Commit:     Simon J. Gerraty <sjg@FreeBSD.org>
CommitDate: 2025-01-20 20:56:44 +0000

    libsecureboot add sha384 and sha512 for OpenPGP
    
    gpg supports SHA384, SHA512 as well as SHA256 so allow for them.
    
    Tweak Makefile.inc so we can build libsecureboot with only OpenPGP
    trust anchors.
    
    Reviewed by: imp
    Differential Revision:  https://reviews.freebsd.org/D48546
---
 lib/libsecureboot/Makefile.inc       |  6 +++++-
 lib/libsecureboot/openpgp/opgp_sig.c | 10 ++++++++++
 lib/libsecureboot/vets.c             | 30 ++++++++++++++++++------------
 3 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/lib/libsecureboot/Makefile.inc b/lib/libsecureboot/Makefile.inc
index b9d986cdc6b3..21ad019a0cb5 100644
--- a/lib/libsecureboot/Makefile.inc
+++ b/lib/libsecureboot/Makefile.inc
@@ -77,12 +77,16 @@ VE_SIGNATURE_EXT_LIST?= sig
 # needs to be yes for FIPS 140-2 compliance
 VE_SELF_TESTS?= no
 
+CFLAGS+= -I.
+
+.if ${VE_SIGNATURE_EXT_LIST:M*sig} != ""
 # this is what we use as our trust anchor
-CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM
+CFLAGS+= -DTRUST_ANCHOR_STR=ta_PEM
 
 .if ${VE_SELF_TESTS} != "no"
 XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM
 .endif
+.endif
 
 # clean these up
 VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u}
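Review bot: The new `.if ${VE_SIGNATURE_EXT_LIST:M*sig} != ""` guard has no comment saying why the X.509 trust anchor is now optional, and the existing "this is what we use as our trust anchor" line reads as unconditional. A comment above the `.if` would help, for example `# embed X.509 trust anchors only when a *sig extension is in use; otherwise anchors come from OpenPGP`. From this hunk alone it also looks possible to configure a build in which `TRUST_ANCHOR_STR` is left undefined while OpenPGP support is not enabled either. If the rest of Makefile.inc does not already rule that out, an `.error` in that case would stop a verifier with no embedded anchor from being built silently.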
diff --git a/lib/libsecureboot/openpgp/opgp_sig.c b/lib/libsecureboot/openpgp/opgp_sig.c
index 73c482e4c28d..8846296d7122 100644
--- a/lib/libsecureboot/openpgp/opgp_sig.c
+++ b/lib/libsecureboot/openpgp/opgp_sig.c
@@ -339,6 +339,16 @@ openpgp_verify(const char *filename,
 				mlen = br_sha256_SIZE;
 				hash_oid = BR_HASH_OID_SHA256;
 				break;
+			case 9:			/* sha384 */
+				md = &br_sha384_vtable;
+				mlen = br_sha384_SIZE;
+				hash_oid = BR_HASH_OID_SHA384;
+				break;
+			case 10:		/* sha512 */
+				md = &br_sha512_vtable;
+				mlen = br_sha512_SIZE;
+				hash_oid = BR_HASH_OID_SHA512;
+				break;
 			default:
 				warnx("unsupported hash algorithm: %s", hname);
 				rc = -1;
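Review bot: The new `case 9` and `case 10` arms raise the largest accepted digest from `br_sha256_SIZE` to `br_sha512_SIZE`, but the buffers that later receive `mlen` bytes are declared outside this hunk, so nothing here shows they are large enough. If any of them is still sized for SHA-256, a signature that names hash id 10 would overrun it while processing untrusted input, so confirm they are declared with `br_sha512_SIZE`. The bare ids would also be easier to audit with a comment above the switch such as `/* OpenPGP hash algorithm ids, RFC 4880 section 9.4 */`. Both the switch and openpgp_verify begin and end outside the hunk.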
diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c
index c86b198c45c5..67d27d567485 100644
--- a/lib/libsecureboot/vets.c
+++ b/lib/libsecureboot/vets.c
@@ -200,11 +200,13 @@ ve_utc_set(time_t utc)
 	}
 }
 
+#ifdef VERIFY_CERTS_STR
 static void
 free_cert_contents(br_x509_certificate *xc)
 {
 	xfree(xc->data);
 }
+#endif
 
 /*
  * a bit of a dance to get commonName from a certificate
@@ -372,13 +374,15 @@ ve_trust_anchors_add_buf(unsigned char *buf, size_t len)
 	size_t num;
 
 	num = 0;
-	xcs = parse_certificates(buf, len, &num);
-	if (xcs != NULL) {
-		num = ve_trust_anchors_add(xcs, num);
+	if (len > 0) {
+		xcs = parse_certificates(buf, len, &num);
+		if (xcs != NULL) {
+			num = ve_trust_anchors_add(xcs, num);
 #ifdef VE_OPENPGP_SUPPORT
-	} else {
-		num = openpgp_trust_add_buf(buf, len);
+		} else {
+			num = openpgp_trust_add_buf(buf, len);
 #endif
+		}
 	}
 	return (num);
 }
@@ -398,15 +402,17 @@ ve_trust_anchors_revoke(unsigned char *buf, size_t len)
 	size_t num;
 
 	num = 0;
-	xcs = parse_certificates(buf, len, &num);
-	if (xcs != NULL) {
-		num = ve_forbidden_anchors_add(xcs, num);
+	if (len > 0) {
+		xcs = parse_certificates(buf, len, &num);
+		if (xcs != NULL) {
+			num = ve_forbidden_anchors_add(xcs, num);
 #ifdef VE_OPENPGP_SUPPORT
-	} else {
-		if (buf[len - 1] == '\n')
-			buf[len - 1] = '\0';
-		num = openpgp_trust_revoke((char *)buf);
+		} else {
+			if (buf[len - 1] == '\n')
+				buf[len - 1] = '\0';
+			num = openpgp_trust_revoke((char *)buf);
 #endif
+		}
 	}
 	return (num);
 }
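Review bot: In the OpenPGP branch of ve_trust_anchors_revoke, `openpgp_trust_revoke((char *)buf)` is handed buf as a C string, yet a terminator is written only when the last byte is a newline. For input that does not end in '\n', the callee presumably depends on a NUL that the caller placed at or before buf[len], and nothing in this function checks for one. If that guarantee does not hold for every caller, the string read runs past the buffer. At minimum state the contract above the call, `/* buf must be NUL-terminated by the caller; only a trailing newline is stripped here */`, or, if the terminator is meant to be counted in len, reject other input with `else if (buf[len - 1] != '\0') return (0);`. The function's signature and the declaration of xcs lie outside the hunk.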