From nobody Thu May 2 10:36:00 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=HansenPartnership.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 152590375266686.48949051138936; Wed, 9 May 2018 15:09:12 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 49B2520965DD2; Wed, 9 May 2018 15:09:11 -0700 (PDT) Received: from bedivere.hansenpartnership.com (bedivere.hansenpartnership.com [66.63.167.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id ED59A2063E31D for ; Wed, 9 May 2018 15:09:09 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 0661E8EE11E; Wed, 9 May 2018 15:09:09 -0700 (PDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6nVtpYkKV0pN; Wed, 9 May 2018 15:09:08 -0700 (PDT) Received: from [153.66.254.194] (unknown [50.35.65.221]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id A39C78EE0EA; Wed, 9 May 2018 15:09:08 -0700 (PDT) X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.63.167.143; helo=bedivere.hansenpartnership.com; envelope-from=james.bottomley@hansenpartnership.com; receiver=edk2-devel@lists.01.org DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1525903748; bh=qlM2F5V0h450mkwP6ZK6XJQuKlQ3dgfNAL/hX69zviM=; h=Subject:From:To:Cc:Date:From; b=Cj6God2cWk+2xv3oLSp4aaLyU0n9R2qmiTzLzTu4N0eWma8wLsfrfvlQQy6oiOjXa MMPdAqovTicrIz5Hoj+E9dPzqSYpoHyAKOctJBoJqnHDeBiuvHU4EJURE4QrSC60F0 6L3z/NX3zHfQHDcjcoUtUQX2UKcJQtZGBj/QysFI= Message-ID: <1525903747.5882.11.camel@HansenPartnership.com> From: James Bottomley To: "edk2-devel@lists.01.org" Date: Wed, 09 May 2018 15:09:07 -0700 X-Mailer: Evolution 3.22.6 Mime-Version: 1.0 Subject: [edk2] [PATCH] SecurityPkg: fix sha256 signature check X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Zhang Lubo Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZohoMail: RDKM_2 RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" commit c035e37335ae43229d7e68de74a65f2c01ebc0af Author: Zhang Lubo Date: Thu Jan 5 14:58:05 2017 +0800 SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable. Added a check for sha256 being the ownly allowed signature hash. Unfortuantely this commit assumed the form of the signature data was a raw SignedData sequence. Most tools actually generate a ContentInfo sequence instead which contains a header identifying the content as pkcs7-SignedData. Fix this check to allow either format to work. This fix is needed at least for efitools because we generate signed variable updates with the ContentInfo header. Signed-off-by: James Bottomley --- CryptoPkg/Library/OpensslLib/openssl | 2 +- SecurityPkg/Library/AuthVariableLib/AuthService.c | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CryptoPkg/Library/OpensslLib/openssl b/CryptoPkg/Library/Opens= slLib/openssl index b2758a2292..d4e4bd2a81 160000 --- a/CryptoPkg/Library/OpensslLib/openssl +++ b/CryptoPkg/Library/OpensslLib/openssl @@ -1 +1 @@ -Subproject commit b2758a2292aceda93e9f44c219b94fe21bb9a650 +Subproject commit d4e4bd2a8163f355fa8a3884077eaec7adc75ff7 diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk= g/Library/AuthVariableLib/AuthService.c index 213a524f27..855ea3350a 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -1908,10 +1908,19 @@ VerifyTimeBasedPayload ( // in VARIABLE_AUTHENTICATION_2 descriptor. // This field has the fixed offset (+13) and be calculated based on t= wo bytes of length encoding. // + // However the data may also begin + // ContentInfo ::=3D SEQUENCE { + // contentType ContentType, + // content + // [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL } + // + // In which case the fixed offset is +32 + // if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != =3D 0) { if (SigDataSize >=3D (13 + sizeof (mSha256OidValue))) { if (((*(SigData + 1) & TWO_BYTE_ENCODE) !=3D TWO_BYTE_ENCODE) ||=20 - (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256Oid= Value)) !=3D 0)) { + (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) = !=3D 0 && + CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) = !=3D 0)) { return EFI_SECURITY_VIOLATION; } } --=20 2.13.6 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel