From 6c180c6004ac464d7e83c1dc4c24047fad281b32 Mon Sep 17 00:00:00 2001
From: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Date: Wed, 17 Aug 2016 17:05:53 -0400
Subject: [PATCH] shim: verify Extended Key Usage flags

For starters; don't allow the "module signing" OID; which ought to
only ever be used for signing kernel modules, not signing EFI binaries.

Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
---
 shim.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 47 insertions(+), 7 deletions(-)

diff --git a/shim.c b/shim.c
index 533f5aa..c69961b 100644
--- a/shim.c
+++ b/shim.c
@@ -52,9 +52,15 @@
 #include "console.h"
 #include "version.h"
 
+#include <stdarg.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
 #define FALLBACK L"\\fb" EFI_ARCH L".efi"
 #define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
 
+#define OID_EKU_MODSIGN "1.3.6.1.4.1.2312.16.1.2"
+
 static EFI_SYSTEM_TABLE *systab;
 static EFI_HANDLE image_handle;
 static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *system_table);
@@ -389,6 +395,38 @@ static BOOLEAN verify_x509(UINT8 *Cert, UINTN CertSize)
 	return TRUE;
 }
 
+static BOOLEAN verify_eku(UINT8 *Cert, UINTN CertSize)
+{
+	X509 *x509;
+	CONST UINT8 *Temp = Cert;
+	EXTENDED_KEY_USAGE *eku;
+	ASN1_OBJECT *module_signing;
+
+	module_signing = OBJ_nid2obj(OBJ_create(OID_EKU_MODSIGN, NULL, NULL));
+
+	x509 = d2i_X509 (NULL, &Temp, (long) CertSize);
+	if (x509 != NULL) {
+		eku = X509_get_ext_d2i(x509, NID_ext_key_usage, NULL, NULL);
+
+		if (eku) {
+			int i = 0;
+			for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
+				ASN1_OBJECT *key_usage = sk_ASN1_OBJECT_value(eku, i);
+
+				if (OBJ_cmp(module_signing, key_usage) == 0)
+					return FALSE;
+			}
+			EXTENDED_KEY_USAGE_free(eku);
+		}
+
+		X509_free(x509);
+	}
+
+	OBJ_cleanup();
+
+	return TRUE;
+}
+
 static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList,
 					 UINTN dbsize,
 					 WIN_CERTIFICATE_EFI_PKCS *data,
@@ -404,13 +442,15 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList,
 			Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
 			CertSize = CertList->SignatureSize - sizeof(EFI_GUID);
 			if (verify_x509(Cert->SignatureData, CertSize)) {
-				IsFound = AuthenticodeVerify (data->CertData,
-							      data->Hdr.dwLength - sizeof(data->Hdr),
-							      Cert->SignatureData,
-							      CertSize,
-							      hash, SHA256_DIGEST_SIZE);
-				if (IsFound)
-					return DATA_FOUND;
+				if (verify_eku(Cert->SignatureData, CertSize)) {
+					IsFound = AuthenticodeVerify (data->CertData,
+								      data->Hdr.dwLength - sizeof(data->Hdr),
+								      Cert->SignatureData,
+								      CertSize,
+								      hash, SHA256_DIGEST_SIZE);
+					if (IsFound)
+						return DATA_FOUND;
+				}
 			} else if (verbose) {
 				console_notify(L"Not a DER encoding x.509 Certificate");
 			}