MokManager: Nerf SHA-1 again for actual hashes and signatures.

Nobody should be deploying SHA-1. No hardware deploys it, and the rate of change on https://en.wikipedia.org/wiki/SHA-1#Attacks is wildly uninspiring. Signed-off-by: Peter Jones <pjones@redhat.com>
author: Peter Jones <pjones@redhat.com> 2015-06-16 11:46:14 -0400
committer: Peter Jones <pjones@redhat.com> 2015-06-16 11:46:14 -0400
commit: dcfd6b68bebac84c536177c8a959169a00318ee3 (patch)
tree: 5ee655cb35a71b6a472abdb0550879f330de9f7b
parent: 91ef3c4b670e46d2c6feedd4eece8087701a8ab7 (diff)
download: efi-boot-shim-dcfd6b68bebac84c536177c8a959169a00318ee3.tar.gz
efi-boot-shim-dcfd6b68bebac84c536177c8a959169a00318ee3.zip
1 files changed, 7 insertions, 10 deletions
diff --git a/MokManager.c b/MokManager.c
index ef84e60c..ee6dffb1 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -97,17 +97,14 @@ done:
 	return status;
 }
 
-static BOOLEAN is_sha_hash (EFI_GUID Type)
+static BOOLEAN is_sha2_hash (EFI_GUID Type)
 {
-	EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
 	EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
 	EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
 	EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
 	EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
 
-	if (CompareGuid(&Type, &Sha1) == 0)
-		return TRUE;
-	else if (CompareGuid(&Type, &Sha224) == 0)
+	if (CompareGuid(&Type, &Sha224) == 0)
 		return TRUE;
 	else if (CompareGuid(&Type, &Sha256) == 0)
 		return TRUE;
@@ -149,7 +146,7 @@ static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize)
 	if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0)
 		return TRUE;
 
-	if (!is_sha_hash (Type))
+	if (!is_sha2_hash (Type))
 		return FALSE;
 
 	hash_sig_size = sha_size (Type) + sizeof(EFI_GUID);
@@ -561,14 +558,14 @@ static void show_efi_hash (EFI_GUID Type, void *Mok, UINTN MokSize)
 static void show_mok_info (EFI_GUID Type, void *Mok, UINTN MokSize)
 {
 	EFI_STATUS efi_status;
-	UINT8 hash[SHA1_DIGEST_SIZE];
-	X509 *X509Cert;
 	EFI_GUID CertType = X509_GUID;
 
 	if (!Mok || MokSize == 0)
 		return;
 
 	if (CompareGuid (&Type, &CertType) == 0) {
+		UINT8 hash[SHA1_DIGEST_SIZE];
+		X509 *X509Cert;
 		efi_status = get_sha1sum(Mok, MokSize, hash);
 
 		if (efi_status != EFI_SUCCESS) {
@@ -584,7 +581,7 @@ static void show_mok_info (EFI_GUID Type, void *Mok, UINTN MokSize)
 			console_notify(L"Not a valid X509 certificate");
 			return;
 		}
-	} else if (is_sha_hash(Type)) {
+	} else if (is_sha2_hash(Type)) {
 		show_efi_hash(Type, Mok, MokSize);
 	}
 }
@@ -1328,7 +1325,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
 		if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
 			delete_cert(del_key[i].Mok, del_key[i].MokSize,
 				    mok, mok_num);
-		} else if (is_sha_hash(del_key[i].Type)) {
+		} else if (is_sha2_hash(del_key[i].Type)) {
 			delete_hash_list(del_key[i].Type, del_key[i].Mok,
 					 del_key[i].MokSize, mok, mok_num);
 		}
author	Peter Jones <pjones@redhat.com>	2015-06-16 11:46:14 -0400
committer	Peter Jones <pjones@redhat.com>	2015-06-16 11:46:14 -0400
commit	dcfd6b68bebac84c536177c8a959169a00318ee3 (patch)
tree	5ee655cb35a71b6a472abdb0550879f330de9f7b
parent	91ef3c4b670e46d2c6feedd4eece8087701a8ab7 (diff)
download	efi-boot-shim-dcfd6b68bebac84c536177c8a959169a00318ee3.tar.gz efi-boot-shim-dcfd6b68bebac84c536177c8a959169a00318ee3.zip