diff options
| author | Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> | 2018-08-21 14:22:44 -0400 |
|---|---|---|
| committer | Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> | 2018-08-21 14:22:44 -0400 |
| commit | 7bf7a6d0852382bb645119b18df3ff461aaba247 (patch) | |
| tree | 74089c9a1e552dfb9e5efa57468c8d7afda7e415 /shim.c | |
| parent | f892ac66084ab0315adb0c52e4a39b518730d023 (diff) | |
| download | efi-boot-shim-upstream/15+1533136590.3beb971.tar.gz efi-boot-shim-upstream/15+1533136590.3beb971.zip | |
New upstream version 15+1533136590.3beb971upstream/15+1533136590.3beb971
Diffstat (limited to 'shim.c')
| -rw-r--r-- | shim.c | 40 |
1 files changed, 35 insertions, 5 deletions
@@ -35,6 +35,8 @@ #include "shim.h" +#include <stdarg.h> + #include <openssl/err.h> #include <openssl/bn.h> #include <openssl/dh.h> @@ -46,7 +48,7 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> #include <openssl/rsa.h> -#include <openssl/dso.h> +#include <internal/dso.h> #include <Library/BaseCryptLib.h> @@ -401,11 +403,27 @@ static BOOLEAN verify_eku(UINT8 *Cert, UINTN CertSize) X509_free(x509); } - OBJ_cleanup(); - return TRUE; } +static void show_ca_warning() +{ + CHAR16 *text[9]; + + text[0] = L"WARNING!"; + text[1] = L""; + text[2] = L"The CA certificate used to verify this image doesn't "; + text[3] = L"contain the CA flag in Basic Constraints or KeyCertSign"; + text[4] = L"in KeyUsage. Such CA certificates will not be supported"; + text[5] = L"in the future. "; + text[6] = L""; + text[7] = L"Please contact the issuer to update the certificate. "; + text[8] = NULL; + + console_reset(); + console_print_box(text, -1); +} + static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, UINTN dbsize, WIN_CERTIFICATE_EFI_PKCS *data, @@ -422,12 +440,16 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, CertSize = CertList->SignatureSize - sizeof(EFI_GUID); if (verify_x509(Cert->SignatureData, CertSize)) { if (verify_eku(Cert->SignatureData, CertSize)) { + clear_ca_warning(); IsFound = AuthenticodeVerify (data->CertData, data->Hdr.dwLength - sizeof(data->Hdr), Cert->SignatureData, CertSize, hash, SHA256_DIGEST_SIZE); if (IsFound) { + if (get_ca_warning()) { + show_ca_warning(); + } tpm_measure_variable(dbname, guid, CertSize, Cert->SignatureData); drain_openssl_errors(); return DATA_FOUND; @@ -1049,11 +1071,15 @@ static EFI_STATUS verify_buffer (char *data, int datasize, /* * Check against the shim build key */ + clear_ca_warning(); if (sizeof(shim_cert) && AuthenticodeVerify(cert->CertData, cert->Hdr.dwLength - sizeof(cert->Hdr), shim_cert, sizeof(shim_cert), sha256hash, SHA256_DIGEST_SIZE)) { + if (get_ca_warning()) { + show_ca_warning(); + } update_verification_method(VERIFIED_BY_CERT); tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, sizeof(shim_cert), shim_cert); @@ -1068,11 +1094,15 @@ static EFI_STATUS verify_buffer (char *data, int datasize, /* * And finally, check against shim's built-in key */ + clear_ca_warning(); if (vendor_cert_size && AuthenticodeVerify(cert->CertData, cert->Hdr.dwLength - sizeof(cert->Hdr), vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) { + if (get_ca_warning()) { + show_ca_warning(); + } update_verification_method(VERIFIED_BY_CERT); tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, vendor_cert_size, vendor_cert); @@ -2314,13 +2344,13 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) } static void * -ossl_malloc(size_t num) +ossl_malloc(size_t num, const char *file, int line) { return AllocatePool(num); } static void -ossl_free(void *addr) +ossl_free(void *addr, const char *file, int line) { FreePool(addr); } |