packages/shim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!55 bugfix for SMx feature

Browse Source 
From: @HuaxinLuGitee 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2022-11-12 09:35:29 +00:00 committed by Gitee
commit eee98029d4
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 123 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
Feature-shim-cryptlib-support-sm2-signature-verify.patch
View File

@ -1,7 +1,7 @@
From 9137b68d161ccb95b1019c4885d0519ebbf4678a Mon Sep 17 00:00:00 2001
From df8dab733a8795e896acfd459b2b9adc9607e831 Mon Sep 17 00:00:00 2001
From: Huaxin Lu <luhuaxin1@huawei.com>
Date: Mon, 7 Nov 2022 11:46:33 +0800
Subject: [PATCH 4/5] shim cryptlib support sm2 signature verify
Subject: [PATCH 1/2] shim cryptlib support sm2 signature verify
Co-authored-by: Yusong Gao <gaoyusong2@huawei.com>
Signed-off-by: Yusong Gao <gaoyusong2@huawei.com>
@ -12,9 +12,9 @@ Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Cryptlib/Include/openssl/ec.h | 20 ++
Cryptlib/Include/openssl/ecdsa.h | 7 +
Cryptlib/Include/openssl/err.h | 6 +
Cryptlib/Include/openssl/evp.h | 25 +++
Cryptlib/Include/openssl/evp.h | 27 ++-
Cryptlib/Include/openssl/obj_mac.h | 33 +++
Cryptlib/Include/openssl/opensslconf.h | 8 +-
Cryptlib/Include/openssl/opensslconf.h | 7 +-
Cryptlib/Include/openssl/x509.h | 7 +
Cryptlib/Library/BaseCryptLib.h | 111 ++++++++++
Cryptlib/Makefile | 6 +
@ -27,7 +27,7 @@ Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Cryptlib/OpenSSL/crypto/err/err.c | 1 +
Cryptlib/OpenSSL/crypto/evp/c_alld.c | 3 +
Cryptlib/OpenSSL/crypto/evp/digest.c | 62 +++++-
Cryptlib/OpenSSL/crypto/evp/evp_lib.c | 5 +
Cryptlib/OpenSSL/crypto/evp/evp_lib.c | 24 +++
Cryptlib/OpenSSL/crypto/evp/evp_locl.h | 10 +
Cryptlib/OpenSSL/crypto/evp/m_sigver.c | 17 ++
Cryptlib/OpenSSL/crypto/evp/p_lib.c | 44 ++++
@ -37,14 +37,14 @@ Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Cryptlib/OpenSSL/crypto/objects/obj_dat.h | 46 +++-
Cryptlib/OpenSSL/crypto/objects/obj_xref.h | 2 +
Cryptlib/OpenSSL/crypto/pkcs7/pk7_doit.c | 34 ++-
Cryptlib/OpenSSL/crypto/x509/x_all.c | 142 +++++++++++++
Cryptlib/OpenSSL/crypto/x509/x_all.c | 145 +++++++++++++
Cryptlib/Pk/CryptPkcs7Verify.c | 5 +
32 files changed, 997 insertions(+), 38 deletions(-)
32 files changed, 1020 insertions(+), 38 deletions(-)
create mode 100644 Cryptlib/Hash/CryptSm3.c
diff --git a/Cryptlib/Hash/CryptSm3.c b/Cryptlib/Hash/CryptSm3.c
new file mode 100644
index 0000000..c522365
index 0000000..84d7acc
--- /dev/null
+++ b/Cryptlib/Hash/CryptSm3.c
@@ -0,0 +1,231 @@
@ -433,7 +433,7 @@ index 5a01980..c8286e1 100644
/*
* 99 is the maximum possible ERR_R_... code, higher values are reserved for
diff --git a/Cryptlib/Include/openssl/evp.h b/Cryptlib/Include/openssl/evp.h
index 376f260..4e1d9bb 100644
index 376f260..26e8f04 100644
--- a/Cryptlib/Include/openssl/evp.h
+++ b/Cryptlib/Include/openssl/evp.h
@@ -115,6 +115,7 @@
@ -457,16 +457,17 @@ index 376f260..4e1d9bb 100644
/*
* Type needs to be a bit field Sub-type needs to be for variations on the
* method, as in, can it do arbitrary encryption....
@@ -526,6 +533,8 @@ const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
@@ -526,6 +533,9 @@ const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
# define EVP_MD_CTX_block_size(e) EVP_MD_block_size(EVP_MD_CTX_md(e))
# define EVP_MD_CTX_type(e) EVP_MD_type(EVP_MD_CTX_md(e))
+void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx);
+void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx);
+
int EVP_CIPHER_nid(const EVP_CIPHER *cipher);
# define EVP_CIPHER_name(e) OBJ_nid2sn(EVP_CIPHER_nid(e))
int EVP_CIPHER_block_size(const EVP_CIPHER *cipher);
@@ -583,6 +592,9 @@ int EVP_Cipher(EVP_CIPHER_CTX *c,
@@ -583,6 +593,9 @@ int EVP_Cipher(EVP_CIPHER_CTX *c,
# define EVP_delete_digest_alias(alias) \
OBJ_NAME_remove(alias,OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS);
@ -476,7 +477,7 @@ index 376f260..4e1d9bb 100644
void EVP_MD_CTX_init(EVP_MD_CTX *ctx);
int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
EVP_MD_CTX *EVP_MD_CTX_create(void);
@@ -666,6 +678,10 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
@@ -666,6 +679,10 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx,
const unsigned char *sig, size_t siglen);
@ -487,7 +488,7 @@ index 376f260..4e1d9bb 100644
int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
const unsigned char *ek, int ekl, const unsigned char *iv,
EVP_PKEY *priv);
@@ -741,6 +757,9 @@ const EVP_MD *EVP_ripemd160(void);
@@ -741,6 +758,9 @@ const EVP_MD *EVP_ripemd160(void);
# ifndef OPENSSL_NO_WHIRLPOOL
const EVP_MD *EVP_whirlpool(void);
# endif
@ -497,7 +498,7 @@ index 376f260..4e1d9bb 100644
const EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */
# ifndef OPENSSL_NO_DES
const EVP_CIPHER *EVP_des_ecb(void);
@@ -954,10 +973,15 @@ int EVP_PKEY_base_id(const EVP_PKEY *pkey);
@@ -954,10 +974,15 @@ int EVP_PKEY_base_id(const EVP_PKEY *pkey);
int EVP_PKEY_bits(EVP_PKEY *pkey);
int EVP_PKEY_size(EVP_PKEY *pkey);
int EVP_PKEY_set_type(EVP_PKEY *pkey, int type);
@ -513,7 +514,7 @@ index 376f260..4e1d9bb 100644
# ifndef OPENSSL_NO_RSA
struct rsa_st;
int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key);
@@ -976,6 +1000,7 @@ struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
@@ -976,6 +1001,7 @@ struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
# ifndef OPENSSL_NO_EC
struct ec_key_st;
int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, struct ec_key_st *key);
@ -521,6 +522,14 @@ index 376f260..4e1d9bb 100644
struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
# endif
@@ -1268,7 +1294,6 @@ int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
-void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb);
EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx);
int EVP_PKEY_CTX_get_keygen_info(EVP_PKEY_CTX *ctx, int idx);
diff --git a/Cryptlib/Include/openssl/obj_mac.h b/Cryptlib/Include/openssl/obj_mac.h
index 779c309..91b75e0 100644
--- a/Cryptlib/Include/openssl/obj_mac.h
@ -563,18 +572,10 @@ index 779c309..91b75e0 100644
+#define NID_SM2_with_SM3 964
+#define OBJ_SM2_with_SM3 OBJ_sm_scheme,501L
diff --git a/Cryptlib/Include/openssl/opensslconf.h b/Cryptlib/Include/openssl/opensslconf.h
index 4a36e9f..6f19ce6 100644
index 4a36e9f..12ec552 100644
--- a/Cryptlib/Include/openssl/opensslconf.h
+++ b/Cryptlib/Include/openssl/opensslconf.h
@@ -10,7 +10,6 @@ extern "C" {
#endif
#ifndef OPENSSL_DOING_MAKEDEPEND
-
#ifndef OPENSSL_NO_BF
# define OPENSSL_NO_BF
#endif
@@ -41,8 +40,8 @@ extern "C" {
@@ -41,8 +41,8 @@ extern "C" {
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
# define OPENSSL_NO_DYNAMIC_ENGINE
#endif
@ -585,7 +586,7 @@ index 4a36e9f..6f19ce6 100644
#endif
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
# define OPENSSL_NO_EC_NISTP_64_GCC_128
@@ -50,9 +49,6 @@ extern "C" {
@@ -50,9 +50,6 @@ extern "C" {
#ifndef OPENSSL_NO_ECDH
# define OPENSSL_NO_ECDH
#endif
@ -750,14 +751,14 @@ index 2df8bd2..a7fea2c 100644
// MAC (Message Authentication Code) Primitive
//=====================================================================================
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
index 89fd5cd..7885a1a 100644
index 89fd5cd..c95a960 100644
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -66,6 +66,12 @@ OBJS = Hash/CryptMd4Null.o \
SysCall/BaseMemAllocation.o \
SysCall/BaseStrings.o
+ifdef SHIM_ENABLE_SM
+ifdef ENABLE_SHIM_SM
+OBJS += Hash/CryptSm3.o
+else
+DEFINES += -DOPENSSL_NO_SM3
@ -767,7 +768,7 @@ index 89fd5cd..7885a1a 100644
libcryptlib.a: $(OBJS)
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
index 795f471..32fb235 100644
index 795f471..4923ac3 100644
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -459,7 +459,43 @@ OBJS = crypto/cryptlib.o \
@ -777,7 +778,7 @@ index 795f471..32fb235 100644
- crypto/cmac/cm_pmeth.o \
+ crypto/cmac/cm_pmeth.o
+
+ifdef SHIM_ENABLE_SM
+ifdef ENABLE_SHIM_SM
+OBJS +=crypto/ec/ec_ameth.o \
+ crypto/ec/ec_cvt.o \
+ crypto/ec/eck_prn.o \
@ -1074,10 +1075,10 @@ index 4db1796..ffc03ef 100644
}
}
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c
index 7e0bab9..5945494 100644
index 7e0bab9..24da25d 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_lib.c
+++ b/Cryptlib/OpenSSL/crypto/evp/evp_lib.c
@@ -389,3 +389,8 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags)
@@ -389,3 +389,27 @@ int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags)
{
return (ctx->flags & flags);
}
@ -1086,6 +1087,25 @@ index 7e0bab9..5945494 100644
+{
+ return ctx->md_data;
+}
+
+void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx)
+{
+ /*
+ * it's reasonable to set NULL pctx (a.k.a clear the ctx->pctx), so
+ * we have to deal with the cleanup job here.
+ */
+ if (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX))
+ EVP_PKEY_CTX_free(ctx->pctx);
+
+ ctx->pctx = pctx;
+
+ if (pctx != NULL) {
+ /* make sure pctx is not freed when destroying EVP_MD_CTX */
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
+ } else {
+ EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
+ }
+}
diff --git a/Cryptlib/OpenSSL/crypto/evp/evp_locl.h b/Cryptlib/OpenSSL/crypto/evp/evp_locl.h
index 2bb709a..1d179ef 100644
--- a/Cryptlib/OpenSSL/crypto/evp/evp_locl.h
@ -1642,10 +1662,10 @@ index dd6c73f..846fcf8 100644
return (ret);
}
diff --git a/Cryptlib/OpenSSL/crypto/x509/x_all.c b/Cryptlib/OpenSSL/crypto/x509/x_all.c
index 0f26c54..0228582 100644
index 0f26c54..59a41e3 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x_all.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x_all.c
@@ -71,16 +71,158 @@
@@ -71,16 +71,161 @@
# include <openssl/dsa.h>
#endif
@ -1660,7 +1680,7 @@ index 0f26c54..0228582 100644
+{
+ X509 *x = NULL;
+ X509_REQ *r = NULL;
+ EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx = NULL;
+ unsigned char *buf_in = NULL;
+ int ret = -1, inl = 0;
+ size_t inll = 0;
@ -1694,17 +1714,20 @@ index 0f26c54..0228582 100644
+ return -1;
+ }
+
+ EVP_MD_CTX_init(&ctx);
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ /* Check public key OID matches public key type */
+ if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id) {
+ goto err;
+ }
+
+ if (!EVP_PKEY_set_type(pkey, EVP_PKEY_SM2)) {
+ if (!EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)) {
+ ret = 0;
+ goto err;
+ }
+
+ pctx = EVP_PKEY_CTX_new(pkey, NULL);
+ if (pctx == NULL) {
+ ret = 0;
@ -1716,9 +1739,9 @@ index 0f26c54..0228582 100644
+ ret = 0;
+ goto err;
+ }
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
+
+ if (!EVP_DigestVerifyInit(&ctx, NULL, type, NULL, pkey)) {
+ EVP_MD_CTX_set_pkey_ctx(ctx, pctx);
+ if (!EVP_DigestVerifyInit(ctx, NULL, type, NULL, pkey)) {
+ ret = 0;
+ goto err;
+ }
@ -1735,7 +1758,7 @@ index 0f26c54..0228582 100644
+ }
+ inll = inl;
+
+ ret = EVP_DigestVerify(&ctx, signature->data,
+ ret = EVP_DigestVerify(ctx, signature->data,
+ (size_t)signature->length, buf_in, inl);
+ if (ret <= 0) {
+ goto err;
@ -1743,7 +1766,7 @@ index 0f26c54..0228582 100644
+ ret = 1;
+ err:
+ OPENSSL_cleanse(buf_in, inll);
+ EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(ctx);
+ EVP_PKEY_CTX_free(pctx);
+ return ret;
+}

90
Feature-shim-support-sm2-and-sm3-algorithm.patch
View File

@ -1,26 +1,36 @@
From b56474e6f7d0ddece0f5dd87e410f8f482f66a58 Mon Sep 17 00:00:00 2001
From e1f5fc87be6581b63550218d991c713ad0f23113 Mon Sep 17 00:00:00 2001
From: Huaxin Lu <luhuaxin1@huawei.com>
Date: Mon, 7 Nov 2022 11:47:42 +0800
Subject: [PATCH 5/5] shim support sm2 and sm3 algorithm
Subject: [PATCH 2/2] shim support sm2 and sm3 algorithm
Co-authored-by: Yusong Gao <gaoyusong2@huawei.com>
Signed-off-by: Yusong Gao <gaoyusong2@huawei.com>
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
---
Makefile | 2 +-
Makefile | 5 ++-
MokManager.c | 8 ++++
include/pe.h | 7 ++++
include/peimage.h | 3 ++
pe.c | 100 ++++++++++++++++++++++++++++++++++++++++++++++
shim.c | 73 +++++++++++++++++++++++++++++++--
shim.c | 74 ++++++++++++++++++++++++++++++++--
shim.h | 20 ++++++++++
7 files changed, 208 insertions(+), 5 deletions(-)
7 files changed, 212 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 24ac314..8876f9f 100644
index 24ac314..9b8d7e8 100644
--- a/Makefile
+++ b/Makefile
@@ -163,7 +163,7 @@ Cryptlib/libcryptlib.a:
@@ -38,6 +38,9 @@ CFLAGS += -DENABLE_SHIM_CERT
else
TARGETS += $(MMNAME) $(FBNAME)
endif
+ifneq ($(origin ENABLE_SHIM_SM),undefined)
+CFLAGS += -DENABLE_SHIM_SM
+endif
OBJS = shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o load-options.o
KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
ORIG_SOURCES = shim.c globals.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h) cert.S
@@ -163,7 +166,7 @@ Cryptlib/libcryptlib.a:
$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
Cryptlib/OpenSSL/libopenssl.a:
@ -94,7 +104,7 @@ index e97b29c..7a4f356 100644
typedef struct {
diff --git a/pe.c b/pe.c
index ba3e2bb..37b08a3 100644
index ba3e2bb..f48d635 100644
--- a/pe.c
+++ b/pe.c
@@ -297,13 +297,24 @@ get_section_vma_by_name (char *name, size_t namesz,
@ -126,12 +136,12 @@ index ba3e2bb..37b08a3 100644
sha1ctxsize = Sha1GetContextSize();
sha1ctx = AllocatePool(sha1ctxsize);
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ sm3ctxsize = Sm3GetContextSize();
+ sm3ctx = AllocatePool(sm3ctxsize);
+#endif
+
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ if (!sha256ctx || !sha1ctx || !sm3ctx) {
+#else
if (!sha256ctx || !sha1ctx) {
@ -140,7 +150,7 @@ index ba3e2bb..37b08a3 100644
return EFI_OUT_OF_RESOURCES;
}
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx) || !Sm3Init(sm3ctx)) {
+#else
if (!Sha256Init(sha256ctx) || !Sha1Init(sha1ctx)) {
@ -152,7 +162,7 @@ index ba3e2bb..37b08a3 100644
hashbase;
check_size(data, datasize, hashbase, hashsize);
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
+ !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -167,7 +177,7 @@ index ba3e2bb..37b08a3 100644
hashsize = (char *)context->SecDir - hashbase;
check_size(data, datasize, hashbase, hashsize);
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
+ !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -182,7 +192,7 @@ index ba3e2bb..37b08a3 100644
}
check_size(data, datasize, hashbase, hashsize);
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
+ !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -197,7 +207,7 @@ index ba3e2bb..37b08a3 100644
hashsize = (unsigned int) Section->SizeOfRawData;
check_size(data, datasize, hashbase, hashsize);
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
+ !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -212,7 +222,7 @@ index ba3e2bb..37b08a3 100644
}
check_size(data, datasize, hashbase, hashsize);
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
+ !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -227,7 +237,7 @@ index ba3e2bb..37b08a3 100644
check_size(data, datasize, hashbase, hashsize);
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ if (!(Sha256Update(sha256ctx, hashbase, hashsize)) ||
+ !(Sha1Update(sha1ctx, hashbase, hashsize)) ||
+ !(Sm3Update(sm3ctx, hashbase, hashsize))) {
@ -242,7 +252,7 @@ index ba3e2bb..37b08a3 100644
}
#endif
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ if (!(Sha256Final(sha256ctx, sha256hash)) ||
+ !(Sha1Final(sha1ctx, sha1hash)) ||
+ !(Sm3Final(sm3ctx, sm3hash))) {
@ -257,7 +267,7 @@ index ba3e2bb..37b08a3 100644
dhexdumpat(sha1hash, SHA1_DIGEST_SIZE, 0);
dprint(L"sha256 authenticode hash:\n");
dhexdumpat(sha256hash, SHA256_DIGEST_SIZE, 0);
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ dprint(L"sm3 authenticode hash:\n");
+ dhexdumpat(sm3hash, SM3_DIGEST_SIZE, 0);
+#endif
@ -268,7 +278,7 @@ index ba3e2bb..37b08a3 100644
FreePool(sha1ctx);
if (sha256ctx)
FreePool(sha256ctx);
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ if (sm3ctx)
+ FreePool(sm3ctx);
+#endif
@ -279,7 +289,7 @@ index ba3e2bb..37b08a3 100644
EFI_STATUS efi_status;
UINT8 sha1hash[SHA1_DIGEST_SIZE];
UINT8 sha256hash[SHA256_DIGEST_SIZE];
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ UINT8 sm3hash[SHA256_DIGEST_SIZE];
+#endif
@ -289,7 +299,7 @@ index ba3e2bb..37b08a3 100644
* in order to load it.
*/
if (secure_mode()) {
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ efi_status = verify_buffer(data, datasize,
+ context, sha256hash, sha1hash, sm3hash);
+#else
@ -303,7 +313,7 @@ index ba3e2bb..37b08a3 100644
* this is only useful for the TPM1.2 case. We should try to fix
* this in a follow-up.
*/
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ efi_status = generate_hash(data, datasize, context, sha256hash,
+ sha1hash, sm3hash);
+#else
@ -317,7 +327,7 @@ index ba3e2bb..37b08a3 100644
int found_entry_point = 0;
UINT8 sha1hash[SHA1_DIGEST_SIZE];
UINT8 sha256hash[SHA256_DIGEST_SIZE];
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ UINT8 sm3hash[SM3_DIGEST_SIZE];
+#endif
@ -327,7 +337,7 @@ index ba3e2bb..37b08a3 100644
* in order to load it.
*/
if (secure_mode ()) {
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ efi_status = verify_buffer(data, datasize, &context, sha256hash,
+ sha1hash, sm3hash);
+#else
@ -341,7 +351,7 @@ index ba3e2bb..37b08a3 100644
* this is only useful for the TPM1.2 case. We should try to fix
* this in a follow-up.
*/
+#ifdef SHIM_ENABLE_SM
+#ifdef ENABLE_SHIM_SM
+ efi_status = generate_hash(data, datasize, &context, sha256hash,
+ sha1hash, sm3hash);
+#else
@ -352,7 +362,7 @@ index ba3e2bb..37b08a3 100644
return efi_status;
diff --git a/shim.c b/shim.c
index fdd205e..5662ca8 100644
index fdd205e..400bd9a 100644
--- a/shim.c
+++ b/shim.c
@@ -458,11 +458,20 @@ BOOLEAN secure_mode (void)
@ -376,27 +386,29 @@ index fdd205e..5662ca8 100644
/*
* Ensure that the binary isn't forbidden
@@ -533,10 +542,15 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
@@ -532,11 +541,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
if (vendor_cert_size) {
dprint("verifying against vendor_cert\n");
}
+#ifdef ENABLE_SHIM_SM
if (vendor_cert_size &&
- AuthenticodeVerify(sig->CertData,
- sig->Hdr.dwLength - sizeof(sig->Hdr),
- vendor_cert, vendor_cert_size,
- sha256hash, SHA256_DIGEST_SIZE)) {
+#ifdef ENABLE_SHIM_SM
+ (AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
+ vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE) ||
+ AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
+ vendor_cert, vendor_cert_size, sm3hash, SM3_DIGEST_SIZE))) {
+#else
+ if (vendor_cert_size &&
+ (AuthenticodeVerify(sig->CertData, sig->Hdr.dwLength - sizeof(sig->Hdr),
+ vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) {
+ vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE))) {
+#endif
dprint(L"AuthenticodeVerify(vendor_cert) succeeded\n");
update_verification_method(VERIFIED_BY_CERT);
tpm_measure_variable(L"Shim", SHIM_LOCK_GUID,
@@ -558,10 +572,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
@@ -558,10 +573,17 @@ verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig,
/*
* Check that the signature is valid and matches the binary
*/
@ -414,7 +426,7 @@ index fdd205e..5662ca8 100644
{
EFI_STATUS ret_efi_status;
size_t size = datasize;
@@ -578,7 +599,12 @@ verify_buffer_authenticode (char *data, int datasize,
@@ -578,7 +600,12 @@ verify_buffer_authenticode (char *data, int datasize,
*/
drain_openssl_errors();
@ -427,7 +439,7 @@ index fdd205e..5662ca8 100644
if (EFI_ERROR(ret_efi_status)) {
dprint(L"generate_hash: %r\n", ret_efi_status);
PrintErrors();
@@ -665,7 +691,11 @@ verify_buffer_authenticode (char *data, int datasize,
@@ -665,7 +692,11 @@ verify_buffer_authenticode (char *data, int datasize,
dprint(L"Attempting to verify signature %d:\n", i++);
@ -439,7 +451,7 @@ index fdd205e..5662ca8 100644
/*
* If we didn't get EFI_SECURITY_VIOLATION from
@@ -746,10 +776,17 @@ verify_buffer_sbat (char *data, int datasize,
@@ -746,10 +777,17 @@ verify_buffer_sbat (char *data, int datasize,
* Check that the signature is valid and matches the binary and that
* the binary is permitted to load by SBAT.
*/
@ -457,7 +469,7 @@ index fdd205e..5662ca8 100644
{
EFI_STATUS efi_status;
@@ -757,7 +794,11 @@ verify_buffer (char *data, int datasize,
@@ -757,7 +795,11 @@ verify_buffer (char *data, int datasize,
if (EFI_ERROR(efi_status))
return efi_status;
@ -469,7 +481,7 @@ index fdd205e..5662ca8 100644
}
static int
@@ -970,6 +1011,9 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
@@ -970,6 +1012,9 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
PE_COFF_LOADER_IMAGE_CONTEXT context;
UINT8 sha1hash[SHA1_DIGEST_SIZE];
UINT8 sha256hash[SHA256_DIGEST_SIZE];
@ -479,7 +491,7 @@ index fdd205e..5662ca8 100644
if ((INT32)size < 0)
return EFI_INVALID_PARAMETER;
@@ -981,8 +1025,13 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
@@ -981,8 +1026,13 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
if (EFI_ERROR(efi_status))
goto done;
@ -493,7 +505,7 @@ index fdd205e..5662ca8 100644
if (EFI_ERROR(efi_status))
goto done;
@@ -1002,16 +1051,27 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
@@ -1002,16 +1052,27 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
goto done;
}
@ -521,7 +533,7 @@ index fdd205e..5662ca8 100644
{
EFI_STATUS efi_status;
@@ -1019,8 +1079,13 @@ static EFI_STATUS shim_hash (char *data, int datasize,
@@ -1019,8 +1080,13 @@ static EFI_STATUS shim_hash (char *data, int datasize,
return EFI_INVALID_PARAMETER;
in_protocol = 1;

8
shim.spec
View File

@ -22,7 +22,7 @@
Name: shim
Version: 15.6
Release: 4
Release: 6
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 aarch64
License: BSD
@ -144,6 +144,12 @@ cd ..
/usr/src/debug/%{name}-%{version}-%{release}/*
%changelog
* Fri Nov 11 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-6
- Bugfix for SM2 certificate chain verify
* Fri Nov 11 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-5
- Bugfix for SMx feature
* Thu Nov 10 2022 jinlun <jinlun@huawei.com> - 15.6-4
- Add BuildRequires on the arrch64