From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <James.Bottomley@HansenPartnership.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=66.63.167.143; helo=bedivere.hansenpartnership.com;
 envelope-from=james.bottomley@hansenpartnership.com;
 receiver=edk2-devel@lists.01.org 
Received: from bedivere.hansenpartnership.com (bedivere.hansenpartnership.com
 [66.63.167.143])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id ED59A2063E31D
 for <edk2-devel@lists.01.org>; Wed,  9 May 2018 15:09:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
 by bedivere.hansenpartnership.com (Postfix) with ESMTP id 0661E8EE11E;
 Wed,  9 May 2018 15:09:09 -0700 (PDT)
Received: from bedivere.hansenpartnership.com ([127.0.0.1])
 by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new,
 port 10024)
 with ESMTP id 6nVtpYkKV0pN; Wed,  9 May 2018 15:09:08 -0700 (PDT)
Received: from [153.66.254.194] (unknown [50.35.65.221])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id A39C78EE0EA;
 Wed,  9 May 2018 15:09:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com;
 s=20151216; t=1525903748;
 bh=qlM2F5V0h450mkwP6ZK6XJQuKlQ3dgfNAL/hX69zviM=;
 h=Subject:From:To:Cc:Date:From;
 b=Cj6God2cWk+2xv3oLSp4aaLyU0n9R2qmiTzLzTu4N0eWma8wLsfrfvlQQy6oiOjXa
 MMPdAqovTicrIz5Hoj+E9dPzqSYpoHyAKOctJBoJqnHDeBiuvHU4EJURE4QrSC60F0
 6L3z/NX3zHfQHDcjcoUtUQX2UKcJQtZGBj/QysFI=
Message-ID: <1525903747.5882.11.camel@HansenPartnership.com>
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: Zhang Lubo <lubo.zhang@intel.com>
Date: Wed, 09 May 2018 15:09:07 -0700
X-Mailer: Evolution 3.22.6 
Mime-Version: 1.0
Subject: [PATCH] SecurityPkg: fix sha256 signature check
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2018 22:09:10 -0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit

commit c035e37335ae43229d7e68de74a65f2c01ebc0af
Author: Zhang Lubo <lubo.zhang@intel.com>
Date:   Thu Jan 5 14:58:05 2017 +0800

    SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable.

Added a check for sha256 being the ownly allowed signature hash.
Unfortuantely this commit assumed the form of the signature data was a
raw SignedData sequence.  Most tools actually generate a ContentInfo
sequence instead which contains a header identifying the content as
pkcs7-SignedData.  Fix this check to allow either format to work.

This fix is needed at least for efitools because we generate signed
variable updates with the ContentInfo header.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 CryptoPkg/Library/OpensslLib/openssl              |  2 +-
 SecurityPkg/Library/AuthVariableLib/AuthService.c | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/openssl b/CryptoPkg/Library/OpensslLib/openssl
index b2758a2292..d4e4bd2a81 160000
--- a/CryptoPkg/Library/OpensslLib/openssl
+++ b/CryptoPkg/Library/OpensslLib/openssl
@@ -1 +1 @@
-Subproject commit b2758a2292aceda93e9f44c219b94fe21bb9a650
+Subproject commit d4e4bd2a8163f355fa8a3884077eaec7adc75ff7
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 213a524f27..855ea3350a 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -1908,10 +1908,19 @@ VerifyTimeBasedPayload (
   //    in VARIABLE_AUTHENTICATION_2 descriptor.
   //    This field has the fixed offset (+13) and be calculated based on two bytes of length encoding.
   //
+  // However the data may also begin
+  //   ContentInfo ::= SEQUENCE {
+  //	   contentType ContentType,
+  //	   content
+  //	     [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
+  //
+  // In which case the fixed offset is +32
+  //
   if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
     if (SigDataSize >= (13 + sizeof (mSha256OidValue))) {
       if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) || 
-           (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) {
+	  (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0 &&
+	   CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) {
           return EFI_SECURITY_VIOLATION;
         }
     }
-- 
2.13.6