From patchwork Thu Nov 26 18:41:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 333041 Delivered-To: patch@linaro.org Received: by 2002:a92:5e16:0:0:0:0:0 with SMTP id s22csp1542742ilb; Thu, 26 Nov 2020 10:42:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJwM1jDtMdWdkxYI+alSaTbQtN8N/lsWxP6uObBeAkrnUpk5eZ2rEjrqPFvfgVLXPYXH4GAo X-Received: by 2002:a17:906:e4f:: with SMTP id q15mr3884107eji.220.1606416167960; Thu, 26 Nov 2020 10:42:47 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606416167; cv=none; d=google.com; s=arc-20160816; b=BIqpPn46bd7joPYwfXPGBlnXPfrlzFYFnnG4ahLcABQFVfkZFTelqmy6RDVm/v7yWL 45wnt8Y6YtQRlSkWJTdMrsG5kYZwuPbw221KcHC4jCvzZs9j1tRveOI9tSgDhpy6zmdk ffXJgl2ohjSr/sWCGI9AqI3x4IbmbMZKqJ3puXcZ3fb4OpvHcfOql9SEAWCDvwiX+dSw FxjVUXbicMHtWhrRX+rG1RV3j3Ds65JKYq3u6uSI+Ncmjk7dnMsoEb9TZINOviz6zQIA rOX7yRTQeQPaDvTVcAsAytpkRn3ZyhGOIAXpk1Lrai9XIb9+0aX9oiRH+RmAZPIVFtzh x/fg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from; bh=hZJdmus1SmamA3LhbzPcANb1kR5WAZhboxFBQKGAW4Y=; b=Gjh3icBSPTslZ7u2LJfGfUQ5U9ZbtQOj1+MjN5PJEnP7HcxGa+pJhzLiFfYbm4/rZp YRxGK5uKqjxj4ScyohJ0E90hWn2oPkaw8xZ3F/Yf8AvAuMupvuuPkVrXo5u2JYIaBBZN fHS1zfS8YvkC7iLQkcZV3ZZ4v34thHk/I5JlqYpvaZGwfH2wx0u8r0WVZwSIM2CUFL++ t2VlmzhWgkMC/ckpq4UkH5azLYLrZHeD+w5QmrkpKHyDhSmwnrLRxajjQLEwXgOm1leX cGo9lBVat2xIuouJgtp3ACaHssq8knngkOJIfskERS63R8uTb4eLlFIxe2BpwjIZ9/Lr +a/w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61]) by mx.google.com with ESMTPS id i17si4495604ejo.171.2020.11.26.10.42.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Nov 2020 10:42:47 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; Authentication-Results: mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id DB26A826F2; Thu, 26 Nov 2020 19:42:15 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 540E7826E7; Thu, 26 Nov 2020 19:42:07 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by phobos.denx.de (Postfix) with ESMTP id 6D74C826E3 for ; Thu, 26 Nov 2020 19:42:02 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=fail smtp.mailfrom=sughosh.ganu@linaro.org Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B6D6615DB; Thu, 26 Nov 2020 10:42:00 -0800 (PST) Received: from a076522.blr.arm.com (a076522.blr.arm.com [10.162.16.44]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 4D3F73F23F; Thu, 26 Nov 2020 10:41:58 -0800 (PST) From: Sughosh Ganu To: u-boot@lists.denx.de Cc: Takahiro Akashi , Heinrich Schuchardt , Alexander Graf , Lukasz Majewski , Tuomas Tynkkynen , Tom Rini , Sughosh Ganu Subject: [PATCH 04/14] crypto: Fix the logic to calculate hash with authattributes set Date: Fri, 27 Nov 2020 00:11:00 +0530 Message-Id: <20201126184110.30521-5-sughosh.ganu@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201126184110.30521-1-sughosh.ganu@linaro.org> References: <20201126184110.30521-1-sughosh.ganu@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean RFC 2315 Section 9.3 describes the message digesting process. The digest calculated depends on whether the authenticated attributes are present. In case of a scenario where the authenticated attributes are present, the message digest that gets signed and is part of the pkcs7 message is computed from the auth attributes rather than the contents field. Check if the auth attributes are present, and if set, use the auth attributes to compute the hash that would be compared with the encrypted hash on the pkcs7 message. Signed-off-by: Sughosh Ganu --- lib/crypto/pkcs7_verify.c | 37 ++++++++++++++++++++++++++----------- 1 file changed, 26 insertions(+), 11 deletions(-) -- 2.17.1 diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c index 320ba49f79..58683ef614 100644 --- a/lib/crypto/pkcs7_verify.c +++ b/lib/crypto/pkcs7_verify.c @@ -50,8 +50,15 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, struct image_region regions[2]; int ret = 0; - /* The digest was calculated already. */ - if (sig->digest) + /* + * [RFC2315 9.3] + * If the authenticated attributes are present, + * the message-digest is calculated on the + * attributes present in the + * authenticatedAttributes field and not just + * the contents field + */ + if (!sinfo->authattrs && sig->digest) return 0; if (!sinfo->sig->hash_algo) @@ -63,17 +70,25 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, else return -ENOPKG; - sig->digest = calloc(1, sig->digest_size); - if (!sig->digest) { - pr_warn("Sig %u: Out of memory\n", sinfo->index); - return -ENOMEM; - } + /* + * Calculate the hash only if the data is present. + * In case of authenticated variable and capsule, + * the hash has already been calculated on the + * efi_image_regions and populated + */ + if (pkcs7->data) { + sig->digest = calloc(1, sig->digest_size); + if (!sig->digest) { + pr_warn("Sig %u: Out of memory\n", sinfo->index); + return -ENOMEM; + } - regions[0].data = pkcs7->data; - regions[0].size = pkcs7->data_len; + regions[0].data = pkcs7->data; + regions[0].size = pkcs7->data_len; - /* Digest the message [RFC2315 9.3] */ - hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + /* Digest the message [RFC2315 9.3] */ + hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + } /* However, if there are authenticated attributes, there must be a * message digest attribute amongst them which corresponds to the