Add -S option to veriexec
During software installation, use veriexec -S to strictly enforce certificate validity checks (notBefore, notAfter). Otherwise ignore the certificate validity period. It is generally unacceptable for the Internet to stop working just because someone did not upgrade their infrastructure for a decade. Sponsored by: Juniper Networks, Inc. Reviewed by: sebastien.bini_stormshield.eu Differential Revision: https://reviews.freebsd.org/D35758
This commit is contained in:
parent
f7d5459ece
commit
ab4f0a1518
|
@ -2,7 +2,6 @@
|
||||||
# Autogenerated - do NOT edit!
|
# Autogenerated - do NOT edit!
|
||||||
|
|
||||||
DIRDEPS = \
|
DIRDEPS = \
|
||||||
lib/libstand \
|
|
||||||
|
|
||||||
|
|
||||||
.include <dirdeps.mk>
|
.include <dirdeps.mk>
|
||||||
|
|
|
@ -59,6 +59,7 @@ size_t ve_trust_anchors_add_buf(unsigned char *, size_t);
|
||||||
size_t ve_trust_anchors_revoke(unsigned char *, size_t);
|
size_t ve_trust_anchors_revoke(unsigned char *, size_t);
|
||||||
int ve_trust_add(const char *);
|
int ve_trust_add(const char *);
|
||||||
void ve_debug_set(int);
|
void ve_debug_set(int);
|
||||||
|
void ve_enforce_validity_set(int);
|
||||||
void ve_anchor_verbose_set(int);
|
void ve_anchor_verbose_set(int);
|
||||||
int ve_anchor_verbose_get(void);
|
int ve_anchor_verbose_get(void);
|
||||||
void ve_utc_set(time_t utc);
|
void ve_utc_set(time_t utc);
|
||||||
|
|
|
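Review bot: The new `ve_enforce_validity_set(int)` prototype carries no comment, and unlike the neighbouring setters it switches a security check on and off, so a reader of the header cannot tell what it gates or what the default is. A one-line comment above the declaration would do, e.g. `/* non-zero: verify_time_cb rejects certificates outside notBefore/notAfter; default 0 ignores the validity period */`. The surrounding declarations are bare as well, but this one is worth the exception.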
@ -86,6 +86,20 @@ ve_debug_set(int n)
|
||||||
DebugVe = n;
|
DebugVe = n;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* For embedded systems (and boot loaders)
|
||||||
|
* we do not want to enforce certificate validity post install.
|
||||||
|
* It is generally unacceptible for infrastructure to stop working
|
||||||
|
* just because it has not been updated recently.
|
||||||
|
*/
|
||||||
|
static int enforce_validity = 0;
|
||||||
|
|
||||||
|
void
|
||||||
|
ve_enforce_validity_set(int i)
|
||||||
|
{
|
||||||
|
enforce_validity = i;
|
||||||
|
}
|
||||||
|
|
||||||
static char ebuf[512];
|
static char ebuf[512];
|
||||||
|
|
||||||
char *
|
char *
|
||||||
|
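Review bot: The comment above `static int enforce_validity = 0;` misspells "unacceptable" as "unacceptible" (the commit message has the same typo); `* It is generally unacceptable for infrastructure to stop working` fixes it. It would also help to state in that comment that the flag is only consulted by verify_time_cb, since from this hunk alone a reader cannot see what the setter affects.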
@ -444,23 +458,23 @@ verify_time_cb(void *tctx __unused,
|
||||||
char date[12], nb_date[12], na_date[12];
|
char date[12], nb_date[12], na_date[12];
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds;
|
if (enforce_validity) {
|
||||||
not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds;
|
not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds;
|
||||||
if (ve_utc < not_before)
|
not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds;
|
||||||
rc = -1;
|
if (ve_utc < not_before)
|
||||||
else if (ve_utc > not_after)
|
rc = -1;
|
||||||
rc = 1;
|
else if (ve_utc > not_after)
|
||||||
else
|
rc = 1;
|
||||||
rc = 0;
|
else
|
||||||
|
rc = 0;
|
||||||
#ifdef UNIT_TEST
|
#ifdef UNIT_TEST
|
||||||
printf("notBefore %s notAfter %s date %s rc %d\n",
|
printf("notBefore %s notAfter %s date %s rc %d\n",
|
||||||
gdate(nb_date, sizeof(nb_date), not_before),
|
gdate(nb_date, sizeof(nb_date), not_before),
|
||||||
gdate(na_date, sizeof(na_date), not_after),
|
gdate(na_date, sizeof(na_date), not_after),
|
||||||
gdate(date, sizeof(date), ve_utc), rc);
|
gdate(date, sizeof(date), ve_utc), rc);
|
||||||
#endif
|
|
||||||
#if defined(_STANDALONE)
|
|
||||||
rc = 0; /* don't fail */
|
|
||||||
#endif
|
#endif
|
||||||
|
} else
|
||||||
|
rc = 0; /* don't fail */
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
|
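Review bot: With the guard placed around the whole comparison, the notBefore/notAfter check is never evaluated when enforce_validity is 0, so in the default mode a certificate outside its validity period is accepted with no trace at all, and the `#ifdef UNIT_TEST` printf also goes quiet in that mode. Computing rc unconditionally and overriding it only at the end, `if (!enforce_validity) rc = 0; /* don't fail */` immediately before `return rc;`, yields the same return value while keeping the trace and giving a natural place to emit a debug line (e.g. when `DebugVe` is set) that an expired or not-yet-valid certificate was tolerated. Separately, the `} else` branch drops the braces the `if` branch uses; brace both or neither. verify_time_cb begins outside this hunk.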
@ -24,7 +24,7 @@
|
||||||
.\"
|
.\"
|
||||||
.\" $FreeBSD$
|
.\" $FreeBSD$
|
||||||
.\"
|
.\"
|
||||||
.Dd February 14, 2022
|
.Dd July 8, 2022
|
||||||
.Dt VERIEXEC 8
|
.Dt VERIEXEC 8
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
@ -34,6 +34,7 @@
|
||||||
.Nm
|
.Nm
|
||||||
.Op Fl v
|
.Op Fl v
|
||||||
.Op Fl C Ar directory
|
.Op Fl C Ar directory
|
||||||
|
.Op Fl S
|
||||||
.Pa manifest
|
.Pa manifest
|
||||||
.Nm
|
.Nm
|
||||||
.Fl z Ar state
|
.Fl z Ar state
|
||||||
|
@ -53,6 +54,11 @@ The first form is for loading a
|
||||||
first verifies a digital signature of the
|
first verifies a digital signature of the
|
||||||
.Ar manifest
|
.Ar manifest
|
||||||
and if successful, parses it and feeds its content to kernel.
|
and if successful, parses it and feeds its content to kernel.
|
||||||
|
The
|
||||||
|
.Fl S
|
||||||
|
flag indicates that certificate validity should be checked.
|
||||||
|
Without this, a valid signature with an expired certificate
|
||||||
|
will still be accepted.
|
||||||
.Pp
|
.Pp
|
||||||
The second form with
|
The second form with
|
||||||
.Fl z
|
.Fl z
|
||||||
|
|
|
@ -148,7 +148,7 @@ main(int argc, char *argv[])
|
||||||
|
|
||||||
dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0);
|
dev_fd = open(_PATH_DEV_VERIEXEC, O_WRONLY, 0);
|
||||||
|
|
||||||
while ((c = getopt(argc, argv, "hC:i:xvz:")) != -1) {
|
while ((c = getopt(argc, argv, "hC:i:Sxvz:")) != -1) {
|
||||||
switch (c) {
|
switch (c) {
|
||||||
case 'h':
|
case 'h':
|
||||||
/* Print usage info */
|
/* Print usage info */
|
||||||
|
@ -174,6 +174,10 @@ main(int argc, char *argv[])
|
||||||
|
|
||||||
exit((x & state) == 0);
|
exit((x & state) == 0);
|
||||||
break;
|
break;
|
||||||
|
case 'S':
|
||||||
|
/* Strictly enforce certificate validity */
|
||||||
|
ve_enforce_validity_set(1);
|
||||||
|
break;
|
||||||
case 'v':
|
case 'v':
|
||||||
/* Increase the verbosity */
|
/* Increase the verbosity */
|
||||||
|
|
||||||
|
|
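Review bot: The `-h` usage path (`case 'h'`, whose body lies outside this hunk) is not touched by the diff, so if it prints the option list it will not mention the new `-S` that the getopt string `"hC:i:Sxvz:"` now accepts; it should be updated together with the man page. The `case 'S'` arm itself is straightforward. main continues outside the hunk.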