authorPeter Jones <pjones@redhat.com>2017-08-31 14:51:49 -0400
committerPeter Jones <pjones@redhat.com>2017-08-31 15:13:46 -0400
commiteae64276ffe0361d2b4087c48390d12f157f65f0 (patch)
treefabcdc7a944b50495f14ba5d09c6d40b2ac579a6
parent36d20ac0aa52d60f27b3e3d31b4fdf6ccda7287c (diff)
Drain the OpenSSL error stack and report crypto verification errors
Signed-off-by: Peter Jones <pjones@redhat.com>
-rw-r--r--shim.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/shim.c b/shim.c
index fec19df3..82e89d78 100644
--- a/shim.c
+++ b/shim.c
@@ -386,6 +386,14 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
return EFI_SUCCESS;
}
+static void
+drain_openssl_errors(void)
+{
+ unsigned long err = -1;
+ while (err != 0)
+ err = ERR_get_error();
+}
+
static BOOLEAN verify_x509(UINT8 *Cert, UINTN CertSize)
{
UINTN length;
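Review bot: `drain_openssl_errors()` sets `unsigned long err = -1` only to get into the loop, which relies on a signed-to-unsigned conversion and hides the intent. `while (ERR_get_error() != 0) ;` does the same without a sentinel, and OpenSSL's `ERR_clear_error()` would empty the queue in one call if the bundled library build provides it. The helper also has no comment; I would add `/* Discard every queued OpenSSL error without logging it, so later reports show only errors from the step that follows. */` above it. The trailing context lines belong to verify_x509, whose body continues outside the hunk.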
@@ -456,7 +464,9 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList,
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
CertSize = CertList->SignatureSize - sizeof(EFI_GUID);
if (verify_x509(Cert->SignatureData, CertSize)) {
+ drain_openssl_errors();
if (verify_eku(Cert->SignatureData, CertSize)) {
+ drain_openssl_errors();
IsFound = AuthenticodeVerify (data->CertData,
data->Hdr.dwLength - sizeof(data->Hdr),
Cert->SignatureData,
@@ -470,6 +480,7 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList,
} else if (verbose) {
console_notify(L"Not a DER encoding x.509 Certificate");
}
+ drain_openssl_errors();
}
dbsize -= CertList->SignatureListSize;
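Review bot: The drain added after the `if (verify_x509(...)) ... else` block appears to run for every certificate, including those where `verify_eku()` or `AuthenticodeVerify()` has just failed, so the OpenSSL entries explaining the rejection are discarded without being logged. If `crypterr()` (defined outside this page) reports from that same queue, the `crypterr(EFI_SECURITY_VIOLATION)` call added to check_whitelist's failure path in the next hunk may have nothing left to print for db-certificate failures. Consider logging the queue before discarding it on the failure path, or draining only before each verification step instead of after it. The lines between this hunk and the previous one are not shown, so the exact nesting of this call is inferred.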
@@ -667,6 +678,7 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
}
update_verification_method(VERIFIED_BY_NOTHING);
+ crypterr(EFI_SECURITY_VIOLATION);
return EFI_SECURITY_VIOLATION;
}
@@ -1011,6 +1023,13 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
}
}
+ /*
+ * Clear OpenSSL's error log, because we get some DSO unimplemented
+ * errors during its intialization, and we don't want those to look
+ * like they're the reason for validation failures.
+ */
+ drain_openssl_errors();
+
status = generate_hash(data, datasize, context, sha256hash, sha1hash);
if (status != EFI_SUCCESS)
return status;
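Review bot: The added comment misspells `intialization`; it should read `initialization`. The comment names only the DSO entries, but the call drops everything queued so far, so it is worth saying so, for example by ending with `This discards every error queued before hashing starts.` verify_buffer's body continues outside the hunk.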