From nobody Mon Jan 20 20:58:43 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4YcN3m1CwDz5kwvJ; Mon, 20 Jan 2025 20:58:44 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4YcN3m0P1Hz45Hl; Mon, 20 Jan 2025 20:58:44 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1737406724; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=63uKdV7HbjHSHaqorujUIoB2/49aDzNmeCduvMh9ko0=; b=Q+5wCHQRN7KHY9b9iHGxHcL6fOMUa4LTFUpzfT0e5s8RvNIB6+MAz3LH67+Og+fxjW0Hyo hMMz6rQoxs/mx9BUxEDuLD1LIsbJdeVwmEwQdbGX5ECSJQomhd4jiQKGNt/bkkmOgvAeXH sUqWcjHJs7wH9smNVcSzNwpwoVJ6aDOIIxTQVnVhvn0ydTOwjQCqGCFugbNgH3n7IXY4Ro /HekwXE+yCgh4m99y+2hkr1l2X8MpL4Jfxj8o4NSv1/2uAlbANx1qinW+UPZv2wAdPVt+7 Sar4KA1mdfPYz801CXndmH668MPRGVrsIoBvCNRfsVIaFyn+XtgRy5dsa9FWDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1737406724; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=63uKdV7HbjHSHaqorujUIoB2/49aDzNmeCduvMh9ko0=; b=m/1gDFcHyh22k/bVF6Nr20OZsZiuq81fOPO/4foDV7DM2gjn/L08Rk7ks1qfUb80mmMbhY frSEINJeYB5JCOo8bov3ZhS1eG4oNButr5HQe2VXCJq6lwDKHe7C8uEBBU+v0NnvN14LP0 nZtA5QKF8LmMLu9iNShcK6Y4nho050SYuDsKAumWZHVKGggRe7m19dBL6jLxdaFUig3qV9 /LB4LAP25oJy7ZBKcgVtZKKpjZDl98X66eqAaZjEGhFm9LliCMZf2DQq3A5jbKE4byNso/ Oinm2T3fFupYmggXWvQLiGuEh/llohOMf/QryYiiIOv/YGfA+MRC7syIcuMY0g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1737406724; a=rsa-sha256; cv=none; b=TqBNzNJQwSELJBnxUPKc3SJsT9snXqp42FKDGZgsra5pZsURnJYUbMAnCvEZffPFl9ifEY O9BBSvxHF2lYkSdYqdD2jimJtvJlX2ULj2DoCMQoVfdo42pvlSnVP57OJsyVZR4JMF06vO hXQiTSwehE8Mjy/CfZ1xOBc/lZMgjOonrLuS9L+geDWQVTt7jmO9tIeMZHiVOsQGQpPeew JFj5W4KbenW+CjFY1nFuE8KHm5FuUFBuyfH/zTuAI/HoHIcrrFrY0+OqNONIBfmOInFF0A muq/gLbpaPQlM/YpkGaZUyViTk4iDGmqFY/DxpWcnTuokK/2AiohS5TAQJCL0Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4YcN3l6nHBzcqT; Mon, 20 Jan 2025 20:58:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 50KKwhlD018964; Mon, 20 Jan 2025 20:58:43 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 50KKwhp4018961; Mon, 20 Jan 2025 20:58:43 GMT (envelope-from git) Date: Mon, 20 Jan 2025 20:58:43 GMT Message-Id: <202501202058.50KKwhp4018961@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: "Simon J. Gerraty" Subject: git: dae4eb623e86 - main - libsecureboot add sha384 and sha512 for OpenPGP List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: sjg X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: dae4eb623e862789533dca8b644ea531502a088f Auto-Submitted: auto-generated The branch main has been updated by sjg: URL: https://cgit.FreeBSD.org/src/commit/?id=dae4eb623e862789533dca8b644ea531502a088f commit dae4eb623e862789533dca8b644ea531502a088f Author: Simon J. Gerraty AuthorDate: 2025-01-20 20:56:44 +0000 Commit: Simon J. Gerraty CommitDate: 2025-01-20 20:56:44 +0000 libsecureboot add sha384 and sha512 for OpenPGP gpg supports SHA384, SHA512 as well as SHA256 so allow for them. Tweak Makefile.inc so we can build libsecureboot with only OpenPGP trust anchors. Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D48546 --- lib/libsecureboot/Makefile.inc | 6 +++++- lib/libsecureboot/openpgp/opgp_sig.c | 10 ++++++++++ lib/libsecureboot/vets.c | 30 ++++++++++++++++++------------ 3 files changed, 33 insertions(+), 13 deletions(-) diff --git a/lib/libsecureboot/Makefile.inc b/lib/libsecureboot/Makefile.inc index b9d986cdc6b3..21ad019a0cb5 100644 --- a/lib/libsecureboot/Makefile.inc +++ b/lib/libsecureboot/Makefile.inc @@ -77,12 +77,16 @@ VE_SIGNATURE_EXT_LIST?= sig # needs to be yes for FIPS 140-2 compliance VE_SELF_TESTS?= no +CFLAGS+= -I. + +.if ${VE_SIGNATURE_EXT_LIST:M*sig} != "" # this is what we use as our trust anchor -CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM +CFLAGS+= -DTRUST_ANCHOR_STR=ta_PEM .if ${VE_SELF_TESTS} != "no" XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM .endif +.endif # clean these up VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u} diff --git a/lib/libsecureboot/openpgp/opgp_sig.c b/lib/libsecureboot/openpgp/opgp_sig.c index 73c482e4c28d..8846296d7122 100644 --- a/lib/libsecureboot/openpgp/opgp_sig.c +++ b/lib/libsecureboot/openpgp/opgp_sig.c @@ -339,6 +339,16 @@ openpgp_verify(const char *filename, mlen = br_sha256_SIZE; hash_oid = BR_HASH_OID_SHA256; break; + case 9: /* sha384 */ + md = &br_sha384_vtable; + mlen = br_sha384_SIZE; + hash_oid = BR_HASH_OID_SHA384; + break; + case 10: /* sha512 */ + md = &br_sha512_vtable; + mlen = br_sha512_SIZE; + hash_oid = BR_HASH_OID_SHA512; + break; default: warnx("unsupported hash algorithm: %s", hname); rc = -1; diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c index c86b198c45c5..67d27d567485 100644 --- a/lib/libsecureboot/vets.c +++ b/lib/libsecureboot/vets.c @@ -200,11 +200,13 @@ ve_utc_set(time_t utc) } } +#ifdef VERIFY_CERTS_STR static void free_cert_contents(br_x509_certificate *xc) { xfree(xc->data); } +#endif /* * a bit of a dance to get commonName from a certificate @@ -372,13 +374,15 @@ ve_trust_anchors_add_buf(unsigned char *buf, size_t len) size_t num; num = 0; - xcs = parse_certificates(buf, len, &num); - if (xcs != NULL) { - num = ve_trust_anchors_add(xcs, num); + if (len > 0) { + xcs = parse_certificates(buf, len, &num); + if (xcs != NULL) { + num = ve_trust_anchors_add(xcs, num); #ifdef VE_OPENPGP_SUPPORT - } else { - num = openpgp_trust_add_buf(buf, len); + } else { + num = openpgp_trust_add_buf(buf, len); #endif + } } return (num); } @@ -398,15 +402,17 @@ ve_trust_anchors_revoke(unsigned char *buf, size_t len) size_t num; num = 0; - xcs = parse_certificates(buf, len, &num); - if (xcs != NULL) { - num = ve_forbidden_anchors_add(xcs, num); + if (len > 0) { + xcs = parse_certificates(buf, len, &num); + if (xcs != NULL) { + num = ve_forbidden_anchors_add(xcs, num); #ifdef VE_OPENPGP_SUPPORT - } else { - if (buf[len - 1] == '\n') - buf[len - 1] = '\0'; - num = openpgp_trust_revoke((char *)buf); + } else { + if (buf[len - 1] == '\n') + buf[len - 1] = '\0'; + num = openpgp_trust_revoke((char *)buf); #endif + } } return (num); }