git: 4b9d605768ac - main - libsecureboot: be more verbose about validation failures

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Sun, 10 Dec 2023 20:14:28 UTC
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=4b9d605768acabc460aa6dcfe8a1f8db35b16794

commit 4b9d605768acabc460aa6dcfe8a1f8db35b16794
Author:     Stéphane Rochoy <stephane.rochoy@stormshield.eu>
AuthorDate: 2023-12-04 09:57:43 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-12-10 20:13:56 +0000

    libsecureboot: be more verbose about validation failures
    
    Reviewed by:    imp, sjg
    Pull Request:   https://github.com/freebsd/freebsd-src/pull/916
---
 lib/libbearssl/Makefile.inc       |  1 +
 lib/libbearssl/Makefile.libsa.inc |  3 +++
 lib/libsecureboot/vets.c          | 14 +++++++++++---
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/lib/libbearssl/Makefile.inc b/lib/libbearssl/Makefile.inc
index 764984de9067..453630d038cd 100644
--- a/lib/libbearssl/Makefile.inc
+++ b/lib/libbearssl/Makefile.inc
@@ -1,6 +1,7 @@
 
 BEARSSL?= ${SRCTOP}/contrib/bearssl
 BEARSSL_SRC= ${BEARSSL}/src
+BEARSSL_TOOLS= ${BEARSSL}/tools
 
 CFLAGS+= -I${BEARSSL}/inc
 CFLAGS+= ${NO_WDEPRECATED_NON_PROTOTYPE}
diff --git a/lib/libbearssl/Makefile.libsa.inc b/lib/libbearssl/Makefile.libsa.inc
index c31d3f85975a..c171e141f0db 100644
--- a/lib/libbearssl/Makefile.libsa.inc
+++ b/lib/libbearssl/Makefile.libsa.inc
@@ -83,3 +83,6 @@ SRCS+= \
 	x509/x509_decoder.c \
 	x509/x509_minimal.c \
 
+# We want find_error_name().
+SRCS+= \
+	${BEARSSL_TOOLS}/errors.c \
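Review bot: The comment on the new SRCS+= entry says what is wanted but not where it comes from: errors.c is taken from BearSSL's tools/ tree rather than src/, which is the only non-library source pulled into this build. A reader auditing what ends up in the loader would want that stated, e.g. `# errors.c comes from the BearSSL tools/ tree (not src/); built only for find_error_name().`. The BEARSSL_TOOLS variable it relies on is defined in the Makefile.inc hunk of this same commit.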
diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c
index 4a2aba433191..c86b198c45c5 100644
--- a/lib/libsecureboot/vets.c
+++ b/lib/libsecureboot/vets.c
@@ -568,9 +568,17 @@ verify_signer_xcs(br_x509_certificate *xcs,
 			ve_error_set("Validation failed, certificate not valid as of %s",
 			    gdate(date, sizeof(date), ve_utc));
 			break;
-		default:
-			ve_error_set("Validation failed, err = %d", err);
-			break;
+		default: {
+			const char *err_desc = NULL;
+			const char *err_name = find_error_name(err, &err_desc);
+
+			if (err_name == NULL)
+				ve_error_set("Validation failed, err = %d",
+				    err);
+			else
+				ve_error_set("Validation failed, %s (%s)",
+				    err_desc, err_name);
+			break; }
 		}
 	} else {
 		tpk = mc.vtable->get_pkey(&mc.vtable, &usages);
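Review bot: The new default branch calls find_error_name(), but the hunk adds no #include for its prototype; that function is declared in BearSSL's tools/brssl.h alongside the errors.c this commit compiles, not in the library's inc/ headers, so unless vets.c already includes it or declares the function outside this hunk the call is an implicit declaration (a warning under -std=c99, a hard error under newer standards). Either add the include next to the existing ones or a local prototype, `const char *find_error_name(int err, const char **comment);`. The numeric code is also dropped from the message once a name is found, which makes correlating a log line with BearSSL's error table harder than before; keeping it costs nothing: `ve_error_set("Validation failed, %s (%s, err = %d)", err_desc, err_name, err);`. Style-wise, `break; }` on one line is unusual for style(9) and the closing brace reads better on its own line. verify_signer_xcs begins before this hunk.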