libsecureboot add sha384 and sha512 for OpenPGP

gpg supports SHA384, SHA512 as well as SHA256 so allow for them. Tweak Makefile.inc so we can build libsecureboot with only OpenPGP trust anchors. Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D48546
2026-01-16 23:02:24 +00:00 · 2025-01-20 12:56:44 -08:00 · 2025-01-20 12:56:44 -08:00 · dae4eb623e
commit dae4eb623e
parent f2a4eed3e1
3 changed files with 33 additions and 13 deletions
--- a/lib/libsecureboot/Makefile.inc
+++ b/lib/libsecureboot/Makefile.inc
@ -77,12 +77,16 @@ VE_SIGNATURE_EXT_LIST?= sig
 # needs to be yes for FIPS 140-2 compliance
 VE_SELF_TESTS?= no

+CFLAGS+= -I.
+
+.if ${VE_SIGNATURE_EXT_LIST:M*sig} != ""
 # this is what we use as our trust anchor
-CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM
+CFLAGS+= -DTRUST_ANCHOR_STR=ta_PEM

 .if ${VE_SELF_TESTS} != "no"
 XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM
 .endif
+.endif

 # clean these up
 VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u}
--- a/lib/libsecureboot/openpgp/opgp_sig.c
+++ b/lib/libsecureboot/openpgp/opgp_sig.c
@ -339,6 +339,16 @@ openpgp_verify(const char *filename,
 				mlen = br_sha256_SIZE;
 				hash_oid = BR_HASH_OID_SHA256;
 				break;
+			case 9:			/* sha384 */
+				md = &br_sha384_vtable;
+				mlen = br_sha384_SIZE;
+				hash_oid = BR_HASH_OID_SHA384;
+				break;
+			case 10:		/* sha512 */
+				md = &br_sha512_vtable;
+				mlen = br_sha512_SIZE;
+				hash_oid = BR_HASH_OID_SHA512;
+				break;
 			default:
 				warnx("unsupported hash algorithm: %s", hname);
 				rc = -1;
--- a/lib/libsecureboot/vets.c
+++ b/lib/libsecureboot/vets.c
@ -200,11 +200,13 @@ ve_utc_set(time_t utc)
 	}
 }

+#ifdef VERIFY_CERTS_STR
 static void
 free_cert_contents(br_x509_certificate *xc)
 {
 	xfree(xc->data);
 }
+#endif

 /*
 * a bit of a dance to get commonName from a certificate
@ -372,13 +374,15 @@ ve_trust_anchors_add_buf(unsigned char *buf, size_t len)
 	size_t num;

 	num = 0;
-	xcs = parse_certificates(buf, len, &num);
-	if (xcs != NULL) {
-		num = ve_trust_anchors_add(xcs, num);
+	if (len > 0) {
+		xcs = parse_certificates(buf, len, &num);
+		if (xcs != NULL) {
+			num = ve_trust_anchors_add(xcs, num);
 #ifdef VE_OPENPGP_SUPPORT
-	} else {
-		num = openpgp_trust_add_buf(buf, len);
+		} else {
+			num = openpgp_trust_add_buf(buf, len);
 #endif
+		}
 	}
 	return (num);
 }
@ -398,15 +402,17 @@ ve_trust_anchors_revoke(unsigned char *buf, size_t len)
 	size_t num;

 	num = 0;
-	xcs = parse_certificates(buf, len, &num);
-	if (xcs != NULL) {
-		num = ve_forbidden_anchors_add(xcs, num);
+	if (len > 0) {
+		xcs = parse_certificates(buf, len, &num);
+		if (xcs != NULL) {
+			num = ve_forbidden_anchors_add(xcs, num);
 #ifdef VE_OPENPGP_SUPPORT
-	} else {
-		if (buf[len - 1] == '\n')
-			buf[len - 1] = '\0';
-		num = openpgp_trust_revoke((char *)buf);
+		} else {
+			if (buf[len - 1] == '\n')
+				buf[len - 1] = '\0';
+			num = openpgp_trust_revoke((char *)buf);
 #endif
+		}
 	}
 	return (num);
 }