From patchwork Mon Dec 21 11:43:03 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sughosh Ganu X-Patchwork-Id: 346403 Delivered-To: patch@linaro.org Received: by 2002:a02:85a7:0:0:0:0:0 with SMTP id d36csp4384204jai; Mon, 21 Dec 2020 03:44:04 -0800 (PST) X-Google-Smtp-Source: ABdhPJxa1hGkX+D0z4Fz5aUWD1P/zFcLGLskkLUa+EtHz53IEVPu3mISF/dZdR/8pejtoPMU9BMl X-Received: by 2002:a05:6402:31b5:: with SMTP id dj21mr15861349edb.90.1608551044152; Mon, 21 Dec 2020 03:44:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608551044; cv=none; d=google.com; s=arc-20160816; b=qpUVEAi0SeomQwQDM/N+g0TA6d5BsLFU6DQsOGwOop8iIKLlpLa9ul+Uj/4jb3AC1j VhuK88NUO6W2eWyl9idVp+ShLi4szguTO6EpiMFwdbvx8dppLbUIcvq133bxtnB+fqQe vUzQoqdfUHC8WCU4ndtPAv575gIJNmtdsKscvtqh/XYY53jd8n1WQMmdwAEy0EAfwemU a+1vmixLFJlz/Clgo6DDKGsrtclq70UOJIy6PtYQrdOuTjS/2kwPfWTbe2n79GbKbcW6 9Nn/QYjUguKf5ADla3iGUVMpedvJXkciKEC1KQQ6aQtVADxRYhm9qqMJfv2l0rRsYMgs vCVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:references:in-reply-to :message-id:date:subject:cc:to:from; bh=Ffdb8SAbjMWJmAZvklOvtYWluQGlVJkRf2tCmZua52I=; b=FMV3I8BvYDrJrWumgFjJa8uRXKS5Mz2/PQZ2WsuaHFzlFhUUFyJazlVB5/sSxa8jNc +UO8/mUmSU5UUSqZTlDddmavgB8ip+esfUUCeOzuzcanP8djbJXzjmwrMjcNjw9Mn7/1 JM3VSGtRTUuYScvIdvgWt/69AxbvyLOfxARgVHLctD1ECMfhnuQ4nh9wGykIUGnIbrnd 7mCQScBhGAHVZmp0NRZHBek96+AaAHvJ7jQdZxJGHjYmyXZt8jSnIsxMj8HHGQxWwwAU DT0cAM9IlHrNXRVm6/o0S8+1GwKJ4MBoAMj+86lPcg/Ip8UlWpxEUIBjugVSCNS1DO+S i+ww== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id f21si9981163eds.396.2020.12.21.03.44.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 21 Dec 2020 03:44:04 -0800 (PST) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id F11DB827EC; Mon, 21 Dec 2020 12:43:43 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id AA662827F7; Mon, 21 Dec 2020 12:43:39 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by phobos.denx.de (Postfix) with ESMTP id CE687827D7 for ; Mon, 21 Dec 2020 12:43:36 +0100 (CET) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=fail smtp.mailfrom=sughosh.ganu@linaro.org Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 126611063; Mon, 21 Dec 2020 03:43:36 -0800 (PST) Received: from a076522.blr.arm.com (a076522.blr.arm.com [10.162.16.44]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 70DD23F718; Mon, 21 Dec 2020 03:43:33 -0800 (PST) From: Sughosh Ganu To: u-boot@lists.denx.de Cc: Takahiro Akashi , Heinrich Schuchardt , Alexander Graf , Lukasz Majewski , Tuomas Tynkkynen , Tom Rini , Ilias Apalodimas , Sughosh Ganu Subject: [PATCH v2 03/14] crypto: Fix the logic to calculate hash with authattributes set Date: Mon, 21 Dec 2020 17:13:03 +0530 Message-Id: <20201221114314.25588-4-sughosh.ganu@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201221114314.25588-1-sughosh.ganu@linaro.org> References: <20201221114314.25588-1-sughosh.ganu@linaro.org> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean RFC 2315 Section 9.3 describes the message digesting process. The digest calculated depends on whether the authenticated attributes are present. In case of a scenario where the authenticated attributes are present, the message digest that gets signed and is part of the pkcs7 message is computed from the auth attributes rather than the contents field. Check if the auth attributes are present, and if set, use the auth attributes to compute the hash that would be compared with the encrypted hash on the pkcs7 message. Signed-off-by: Sughosh Ganu --- Changes since V1: None lib/crypto/pkcs7_verify.c | 37 ++++++++++++++++++++++++++----------- 1 file changed, 26 insertions(+), 11 deletions(-) -- 2.17.1 diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c index 320ba49f79..58683ef614 100644 --- a/lib/crypto/pkcs7_verify.c +++ b/lib/crypto/pkcs7_verify.c @@ -50,8 +50,15 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, struct image_region regions[2]; int ret = 0; - /* The digest was calculated already. */ - if (sig->digest) + /* + * [RFC2315 9.3] + * If the authenticated attributes are present, + * the message-digest is calculated on the + * attributes present in the + * authenticatedAttributes field and not just + * the contents field + */ + if (!sinfo->authattrs && sig->digest) return 0; if (!sinfo->sig->hash_algo) @@ -63,17 +70,25 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, else return -ENOPKG; - sig->digest = calloc(1, sig->digest_size); - if (!sig->digest) { - pr_warn("Sig %u: Out of memory\n", sinfo->index); - return -ENOMEM; - } + /* + * Calculate the hash only if the data is present. + * In case of authenticated variable and capsule, + * the hash has already been calculated on the + * efi_image_regions and populated + */ + if (pkcs7->data) { + sig->digest = calloc(1, sig->digest_size); + if (!sig->digest) { + pr_warn("Sig %u: Out of memory\n", sinfo->index); + return -ENOMEM; + } - regions[0].data = pkcs7->data; - regions[0].size = pkcs7->data_len; + regions[0].data = pkcs7->data; + regions[0].size = pkcs7->data_len; - /* Digest the message [RFC2315 9.3] */ - hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + /* Digest the message [RFC2315 9.3] */ + hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + } /* However, if there are authenticated attributes, there must be a * message digest attribute amongst them which corresponds to the