Diffstat (limited to 'lib/libsecureboot/vets.c')
-rw-r--r--lib/libsecureboot/vets.c72
1 files changed, 47 insertions, 25 deletions
diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c
index a3c1fb34a419..c86b198c45c5 100644
--- a/lib/libsecureboot/vets.c
+++ b/lib/libsecureboot/vets.c
@@ -23,8 +23,6 @@
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
/**
* @file vets.c - trust store
* @brief verify signatures
@@ -86,6 +84,20 @@ ve_debug_set(int n)
DebugVe = n;
}
+/*
+ * For embedded systems (and boot loaders)
+ * we do not want to enforce certificate validity post install.
+ * It is generally unacceptible for infrastructure to stop working
+ * just because it has not been updated recently.
+ */
+static int enforce_validity = 0;
+
+void
+ve_enforce_validity_set(int i)
+{
+ enforce_validity = i;
+}
+
static char ebuf[512];
char *
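Review bot: `enforce_validity` defaults to 0, so every program that links this library now accepts expired and not-yet-valid certificates unless it calls `ve_enforce_validity_set(1)`; before this change the time check in `verify_time_cb` (the hunk at -443) was overridden only in `_STANDALONE` builds. If non-loader consumers exist (not visible from this diff), that is a silent weakening for them, and it would be safer to default to 1 outside `_STANDALONE` or to have those callers opt out explicitly. The comment should also state the consequence, for example `/* when 0, notBefore/notAfter are ignored: an expired signing certificate still verifies */`. "unacceptible" should read "unacceptable".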
@@ -227,10 +239,11 @@ x509_cn_get(br_x509_certificate *xc, char *buf, size_t len)
mc.vtable->start_cert(&mc.vtable, xc->data_len);
mc.vtable->append(&mc.vtable, xc->data, xc->data_len);
mc.vtable->end_cert(&mc.vtable);
- /* we don' actually care about cert status - just its name */
+ /* we don't actually care about cert status - just its name */
err = mc.vtable->end_chain(&mc.vtable);
+ (void)err; /* keep compiler quiet */
- if (!cn.status)
+ if (cn.status <= 0)
buf = NULL;
return (buf);
}
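Review bot: The common name returned here comes from a certificate whose chain result is deliberately discarded, and the comment above `end_chain` should say what that means for callers, for example `/* CN comes from an unvalidated certificate; do not base trust decisions on it */`. If `err` is not read anywhere else in x509_cn_get (its declaration is outside the hunk), `(void)mc.vtable->end_chain(&mc.vtable);` would avoid the assign-then-void pair.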
@@ -420,8 +433,9 @@ ve_trust_init(void)
#endif
#ifdef TRUST_ANCHOR_STR
- ve_trust_anchors_add_buf(__DECONST(unsigned char *, TRUST_ANCHOR_STR),
- sizeof(TRUST_ANCHOR_STR));
+ if (TRUST_ANCHOR_STR != NULL && strlen(TRUST_ANCHOR_STR) != 0ul)
+ ve_trust_anchors_add_buf(__DECONST(unsigned char *,
+ TRUST_ANCHOR_STR), sizeof(TRUST_ANCHOR_STR));
#endif
once = (int) VEC_LEN(trust_anchors);
#ifdef VE_OPENPGP_SUPPORT
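Review bot: The new guard treats `TRUST_ANCHOR_STR` as something that may be a NULL pointer, yet the length passed is still `sizeof(TRUST_ANCHOR_STR)`, which is the string size only when the macro expands to a literal or array; for a pointer it is the pointer size, and the anchor buffer length would be wrong. The macro's definition is not visible here, so either drop the `!= NULL` test (for a literal it is always true and may draw a compiler warning) or take the length from the string, `strlen(TRUST_ANCHOR_STR) + 1`, which matches the old NUL-inclusive count. The result of `ve_trust_anchors_add_buf` is not checked at this call, so an embedded anchor that fails to parse would go unreported here. The body of ve_trust_init continues outside the hunk.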
@@ -443,23 +457,23 @@ verify_time_cb(void *tctx __unused,
char date[12], nb_date[12], na_date[12];
#endif
- not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds;
- not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds;
- if (ve_utc < not_before)
- rc = -1;
- else if (ve_utc > not_after)
- rc = 1;
- else
- rc = 0;
+ if (enforce_validity) {
+ not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds;
+ not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds;
+ if (ve_utc < not_before)
+ rc = -1;
+ else if (ve_utc > not_after)
+ rc = 1;
+ else
+ rc = 0;
#ifdef UNIT_TEST
- printf("notBefore %s notAfter %s date %s rc %d\n",
- gdate(nb_date, sizeof(nb_date), not_before),
- gdate(na_date, sizeof(na_date), not_after),
- gdate(date, sizeof(date), ve_utc), rc);
-#endif
-#if defined(_STANDALONE)
- rc = 0; /* don't fail */
+ printf("notBefore %s notAfter %s date %s rc %d\n",
+ gdate(nb_date, sizeof(nb_date), not_before),
+ gdate(na_date, sizeof(na_date), not_after),
+ gdate(date, sizeof(date), ve_utc), rc);
#endif
+ } else
+ rc = 0; /* don't fail */
return rc;
}
#endif
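Review bot: The `UNIT_TEST` printf now sits inside the `if (enforce_validity)` branch, so with the default of 0 a unit-test build neither runs nor prints the notBefore/notAfter comparison; tests that mean to cover expiry presumably need to call `ve_enforce_validity_set(1)` first. The `else` arm is also silent, and a debug-level message there would let an operator see that the validity dates were skipped for a given verification. The start of verify_time_cb is outside the hunk.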
@@ -505,7 +519,7 @@ verify_signer_xcs(br_x509_certificate *xcs,
br_x509_minimal_set_rsa(&mc, &br_rsa_i31_pkcs1_vrfy);
#endif
#if defined(UNIT_TEST) && defined(VE_DEPRECATED_RSA_SHA1_SUPPORT)
- /* This is deprecated! do not enable unless you absoultely have to */
+ /* This is deprecated! do not enable unless you absolutely have to */
br_x509_minimal_set_hash(&mc, br_sha1_ID, &br_sha1_vtable);
#endif
br_x509_minimal_set_hash(&mc, br_sha256_ID, &br_sha256_vtable);
@@ -554,9 +568,17 @@ verify_signer_xcs(br_x509_certificate *xcs,
ve_error_set("Validation failed, certificate not valid as of %s",
gdate(date, sizeof(date), ve_utc));
break;
- default:
- ve_error_set("Validation failed, err = %d", err);
- break;
+ default: {
+ const char *err_desc = NULL;
+ const char *err_name = find_error_name(err, &err_desc);
+
+ if (err_name == NULL)
+ ve_error_set("Validation failed, err = %d",
+ err);
+ else
+ ve_error_set("Validation failed, %s (%s)",
+ err_desc, err_name);
+ break; }
}
} else {
tpk = mc.vtable->get_pkey(&mc.vtable, &usages);
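Review bot: `err_desc` starts as NULL and is passed to `%s` whenever `err_name` is non-NULL, so if `find_error_name` (not shown here) can return a name without filling in a description, the format call has undefined behaviour; passing `err_desc != NULL ? err_desc : err_name` as the first argument would cover that case. The named form also drops the numeric code, and keeping it, as in `"Validation failed, %s (%s, err = %d)"`, makes log lines easier to match against the BearSSL error constants. `break; }` would read better with the closing brace on its own line.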