[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] verify: search keyid in hashed signature subpackets
|
From: |
Ignat Korchagin |
|
Subject: |
[PATCH] verify: search keyid in hashed signature subpackets |
|
Date: |
Tue, 29 Mar 2016 20:02:46 +0100 |
Currently GRUB2 verify logic searches PGP keyid only in unhashed subpackets of
PGP signature packet. As a result, signatures generated with GoLang openpgp
package (https://godoc.org/golang.org/x/crypto/openpgp) could not be verified,
because this package puts keyid in hashed subpackets and GRUB code never
initializes the keyid variable, therefore is not able to find "verification
key" with id 0x0.
diff --git a/grub-core/commands/verify.c b/grub-core/commands/verify.c
index 166d0aa..dde37c4 100644
--- a/grub-core/commands/verify.c
+++ b/grub-core/commands/verify.c
@@ -532,33 +532,15 @@
hash->write (context, &v, sizeof (v));
hash->write (context, &v4, sizeof (v4));
- while (rem)
- {
- r = grub_file_read (sig, readbuf,
- rem < READBUF_SIZE ? rem : READBUF_SIZE);
- if (r < 0)
- goto fail;
- if (r == 0)
- break;
- hash->write (context, readbuf, r);
- rem -= r;
- }
- hash->write (context, &v, sizeof (v));
- s = 0xff;
- hash->write (context, &s, sizeof (s));
- hash->write (context, &headlen, sizeof (headlen));
- r = grub_file_read (sig, &unhashed_sub, sizeof (unhashed_sub));
- if (r != sizeof (unhashed_sub))
+ if (rem > READBUF_SIZE)
+ goto fail;
+ r = grub_file_read (sig, readbuf, rem);
+ if (r != rem)
goto fail;
{
grub_uint8_t *ptr;
grub_uint32_t l;
- rem = grub_be_to_cpu16 (unhashed_sub);
- if (rem > READBUF_SIZE)
- goto fail;
- r = grub_file_read (sig, readbuf, rem);
- if (r != rem)
- goto fail;
+
for (ptr = readbuf; ptr < readbuf + rem; ptr += l)
{
if (*ptr < 192)
@@ -581,6 +563,46 @@
keyid = grub_get_unaligned64 (ptr + 1);
}
}
+ hash->write (context, readbuf, r);
+ hash->write (context, &v, sizeof (v));
+ s = 0xff;
+ hash->write (context, &s, sizeof (s));
+ hash->write (context, &headlen, sizeof (headlen));
+ r = grub_file_read (sig, &unhashed_sub, sizeof (unhashed_sub));
+ if (r != sizeof (unhashed_sub))
+ goto fail;
+ if (keyid == 0)
+ {
+ grub_uint8_t *ptr;
+ grub_uint32_t l;
+ rem = grub_be_to_cpu16 (unhashed_sub);
+ if (rem > READBUF_SIZE)
+ goto fail;
+ r = grub_file_read (sig, readbuf, rem);
+ if (r != rem)
+ goto fail;
+ for (ptr = readbuf; ptr < readbuf + rem; ptr += l)
+ {
+ if (*ptr < 192)
+ l = *ptr++;
+ else if (*ptr < 255)
+ {
+ if (ptr + 1 >= readbuf + rem)
+ break;
+ l = (((ptr[0] & ~192) << GRUB_CHAR_BIT) | ptr[1]) + 192;
+ ptr += 2;
+ }
+ else
+ {
+ if (ptr + 5 >= readbuf + rem)
+ break;
+ l = grub_be_to_cpu32 (grub_get_unaligned32 (ptr + 1));
+ ptr += 5;
+ }
+ if (*ptr == 0x10 && l >= 8)
+ keyid = grub_get_unaligned64 (ptr + 1);
+ }
+ }
hash->final (context);
- [PATCH] verify: search keyid in hashed signature subpackets,
Ignat Korchagin <=