Changeset View
Changeset View
Standalone View
Standalone View
lib/libsecureboot/vets.c
Show All 31 Lines | |||||
* We leverage code from BearSSL www.bearssl.org | * We leverage code from BearSSL www.bearssl.org | ||||
*/ | */ | ||||
#include <sys/time.h> | #include <sys/time.h> | ||||
#include <stdarg.h> | #include <stdarg.h> | ||||
#define NEED_BRSSL_H | #define NEED_BRSSL_H | ||||
#include "libsecureboot-priv.h" | #include "libsecureboot-priv.h" | ||||
#include <brssl.h> | #include <brssl.h> | ||||
#include <fa.h> | |||||
sjg: This should be bounded by `#ifdef FORBIDDEN_ANCHORS_STR` | |||||
#include <ta.h> | #include <ta.h> | ||||
#ifndef TRUST_ANCHOR_STR | #ifndef TRUST_ANCHOR_STR | ||||
# define TRUST_ANCHOR_STR ta_PEM | # define TRUST_ANCHOR_STR ta_PEM | ||||
#endif | #endif | ||||
#ifndef FORBIDDEN_ANCHORS_STR | |||||
# define FORBIDDEN_ANCHORS_STR fa_PEM | |||||
#endif | |||||
#define SECONDS_PER_DAY 86400 | #define SECONDS_PER_DAY 86400 | ||||
#define SECONDS_PER_YEAR 365 * SECONDS_PER_DAY | #define SECONDS_PER_YEAR 365 * SECONDS_PER_DAY | ||||
#ifndef VE_UTC_MAX_JUMP | #ifndef VE_UTC_MAX_JUMP | ||||
# define VE_UTC_MAX_JUMP 20 * SECONDS_PER_YEAR | # define VE_UTC_MAX_JUMP 20 * SECONDS_PER_YEAR | ||||
#endif | #endif | ||||
#define X509_DAYS_TO_UTC0 719528 | #define X509_DAYS_TO_UTC0 719528 | ||||
▲ Show 20 Lines • Show All 242 Lines • ▼ Show 20 Lines | |||||
* @return number of anchors added | * @return number of anchors added | ||||
*/ | */ | ||||
size_t | size_t | ||||
ve_trust_anchors_add_buf(unsigned char *buf, size_t len) | ve_trust_anchors_add_buf(unsigned char *buf, size_t len) | ||||
{ | { | ||||
br_x509_certificate *xcs; | br_x509_certificate *xcs; | ||||
size_t num; | size_t num; | ||||
if (len == 0) | |||||
return (0); | |||||
num = 0; | num = 0; | ||||
xcs = parse_certificates(buf, len, &num); | xcs = parse_certificates(buf, len, &num); | ||||
if (xcs != NULL) { | if (xcs != NULL) { | ||||
num = ve_trust_anchors_add(xcs, num); | num = ve_trust_anchors_add(xcs, num); | ||||
#ifdef VE_OPENPGP_SUPPORT | #ifdef VE_OPENPGP_SUPPORT | ||||
} else { | } else { | ||||
num = openpgp_trust_add_buf(buf, len); | num = openpgp_trust_add_buf(buf, len); | ||||
#endif | #endif | ||||
▲ Show 20 Lines • Show All 50 Lines • ▼ Show 20 Lines | #ifdef VE_PCR_SUPPORT | ||||
ve_pcr_init(); | ve_pcr_init(); | ||||
#endif | #endif | ||||
#ifdef TRUST_ANCHOR_STR | #ifdef TRUST_ANCHOR_STR | ||||
ve_trust_anchors_add_buf(__DECONST(unsigned char *, TRUST_ANCHOR_STR), | ve_trust_anchors_add_buf(__DECONST(unsigned char *, TRUST_ANCHOR_STR), | ||||
sizeof(TRUST_ANCHOR_STR)); | sizeof(TRUST_ANCHOR_STR)); | ||||
#endif | #endif | ||||
once = (int) VEC_LEN(trust_anchors); | once = (int) VEC_LEN(trust_anchors); | ||||
#ifdef FORBIDDEN_ANCHORS_STR | |||||
ve_trust_anchors_revoke(__DECONST(unsigned char *, FORBIDDEN_ANCHORS_STR), | |||||
sizeof(FORBIDDEN_ANCHORS_STR)); | |||||
#endif | |||||
#ifdef VE_OPENPGP_SUPPORT | #ifdef VE_OPENPGP_SUPPORT | ||||
once += openpgp_trust_init(); | once += openpgp_trust_init(); | ||||
#endif | #endif | ||||
return (once); | return (once); | ||||
} | } | ||||
/** | /** | ||||
* if we can verify the certificate chain in "certs", | * if we can verify the certificate chain in "certs", | ||||
▲ Show 20 Lines • Show All 647 Lines • Show Last 20 Lines |
This should be bounded by #ifdef FORBIDDEN_ANCHORS_STR