From patchwork Wed Dec 23 07:03:19 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sughosh Ganu
X-Patchwork-Id: 346989
Delivered-To: patch@linaro.org
From: Sughosh Ganu
To: u-boot@lists.denx.de
Cc: Takahiro Akashi, Heinrich Schuchardt, Alexander Graf, Lukasz Majewski, Tuomas Tynkkynen, Tom Rini, Ilias Apalodimas, Sughosh Ganu
Subject: [PATCH v3 03/14] crypto: Fix the logic to calculate hash with authattributes set
Date: Wed, 23 Dec 2020 12:33:19 +0530
Message-Id: <20201223070330.21361-4-sughosh.ganu@linaro.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20201223070330.21361-1-sughosh.ganu@linaro.org>
References: <20201223070330.21361-1-sughosh.ganu@linaro.org>

RFC 2315 Section 9.3 describes the message digesting process. The digest calculated depends on whether the authenticated attributes are present. In case of a scenario where the authenticated attributes are present, the message digest that gets signed and is part of the pkcs7 message is computed from the auth attributes rather than the contents field.

Check if the auth attributes are present, and if set, use the auth attributes to compute the hash that would be compared with the encrypted hash on the pkcs7 message.

Signed-off-by: Sughosh Ganu
---
Changes since V2: None

 lib/crypto/pkcs7_verify.c | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

--
2.17.1

diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c index 320ba49f79..58683ef614 100644 --- a/lib/crypto/pkcs7_verify.c +++ b/lib/crypto/pkcs7_verify.c
@@ -50,8 +50,15 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, struct image_region regions[2]; int ret = 0; - /* The digest was calculated already. */ - if (sig->digest) + /* + * [RFC2315 9.3] + * If the authenticated attributes are present, + * the message-digest is calculated on the + * attributes present in the + * authenticatedAttributes field and not just + * the contents field + */ + if (!sinfo->authattrs && sig->digest) return 0; if (!sinfo->sig->hash_algo) @@ -63,17 +70,25 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, else return -ENOPKG; - sig->digest = calloc(1, sig->digest_size); - if (!sig->digest) { - pr_warn("Sig %u: Out of memory\n", sinfo->index); - return -ENOMEM; - } + /* + * Calculate the hash only if the data is present. + * In case of authenticated variable and capsule, + * the hash has already been calculated on the + * efi_image_regions and populated + */ + if (pkcs7->data) { + sig->digest = calloc(1, sig->digest_size); + if (!sig->digest) { + pr_warn("Sig %u: Out of memory\n", sinfo->index); + return -ENOMEM; + } - regions[0].data = pkcs7->data; - regions[0].size = pkcs7->data_len; + regions[0].data = pkcs7->data; + regions[0].size = pkcs7->data_len; - /* Digest the message [RFC2315 9.3] */ - hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + /* Digest the message [RFC2315 9.3] */ + hash_calculate(sinfo->sig->hash_algo, regions, 1, sig->digest); + } /* However, if there are authenticated attributes, there must be a * message digest attribute amongst them which corresponds to the
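
Review bot: in the first hunk (@@ -50,8 +50,15), the new comment above "if (!sinfo->authattrs && sig->digest)" paraphrases RFC 2315 9.3 but does not say why the early return is now skipped when authattrs are present, so a reader cannot tell what is supposed to happen to an already populated sig->digest on the fall-through path. Please extend the comment to state that the function continues so that the authenticated-attributes check further down still runs, and say whether an existing sig->digest is expected to be kept or replaced in that case. The old one-line comment "The digest was calculated already." was also a useful summary of the shortcut and could be kept next to the condition.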
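
Review bot: in the second hunk (@@ -63,17 +70,25), "sig->digest = calloc(1, sig->digest_size);" inside "if (pkcs7->data)" can now be reached with sig->digest already non-NULL, because the first hunk no longer returns early when sinfo->authattrs is set; the previous buffer is then overwritten without being freed. Either skip the allocation when sig->digest is already set or release the old buffer first. The opposite case also needs a guard: when pkcs7->data is NULL and no caller has populated sig->digest, the block is skipped and nothing in the visible lines prevents the code that follows from working with a NULL digest, so an explicit check that returns an error there would make the "already been calculated" assumption in the comment enforceable.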