diff options
| author | Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> | 2017-09-13 12:09:40 -0700 |
|---|---|---|
| committer | Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> | 2017-09-13 12:09:40 -0700 |
| commit | b6f94dbeacfc6f0a507413096189304c58dbe66c (patch) | |
| tree | bce8c7db22209078618294c51d95a0c033aec7d9 /Cryptlib/Pk | |
| parent | 25f7fd1fb389a5f6356f353d16c5ead80dac6bbc (diff) | |
| download | efi-boot-shim-upstream/13_git1505328970.9c1c35c5.tar.gz efi-boot-shim-upstream/13_git1505328970.9c1c35c5.zip | |
New upstream version 13~git1505328970.9c1c35c5upstream/13_git1505328970.9c1c35c5
Diffstat (limited to 'Cryptlib/Pk')
| -rw-r--r-- | Cryptlib/Pk/CryptPkcs7Verify.c | 68 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptRsaBasic.c | 189 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptTs.c | 20 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptX509.c | 41 |
4 files changed, 150 insertions, 168 deletions
diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c index bf24e921..dcaba436 100644 --- a/Cryptlib/Pk/CryptPkcs7Verify.c +++ b/Cryptlib/Pk/CryptPkcs7Verify.c @@ -10,7 +10,7 @@ WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated
Variable and will do basic check for data structure.
-Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -163,7 +163,6 @@ X509PopCertificate ( STACK_OF(X509) *CertStack;
BOOLEAN Status;
INT32 Result;
- BUF_MEM *Ptr;
INT32 Length;
VOID *Buffer;
@@ -193,8 +192,7 @@ X509PopCertificate ( goto _Exit;
}
- BIO_get_mem_ptr (CertBio, &Ptr);
- Length = (INT32)(Ptr->length);
+ Length = (INT32)(((BUF_MEM *) CertBio->ptr)->length);
if (Length <= 0) {
goto _Exit;
}
@@ -465,15 +463,12 @@ Pkcs7GetCertificatesList ( BOOLEAN Wrapped;
UINT8 Index;
PKCS7 *Pkcs7;
- X509_STORE_CTX *CertCtx;
- STACK_OF(X509) *CtxChain;
- STACK_OF(X509) *CtxUntrusted;
- X509 *CtxCert;
+ X509_STORE_CTX CertCtx;
STACK_OF(X509) *Signers;
X509 *Signer;
X509 *Cert;
+ X509 *TempCert;
X509 *Issuer;
- X509_NAME *IssuerName;
UINT8 *CertBuf;
UINT8 *OldBuf;
UINTN BufferSize;
@@ -487,11 +482,8 @@ Pkcs7GetCertificatesList ( Status = FALSE;
NewP7Data = NULL;
Pkcs7 = NULL;
- CertCtx = NULL;
- CtxChain = NULL;
- CtxCert = NULL;
- CtxUntrusted = NULL;
Cert = NULL;
+ TempCert = NULL;
SingleCert = NULL;
CertBuf = NULL;
OldBuf = NULL;
@@ -539,26 +531,19 @@ Pkcs7GetCertificatesList ( }
Signer = sk_X509_value (Signers, 0);
- CertCtx = X509_STORE_CTX_new ();
- if (CertCtx == NULL) {
- goto _Error;
- }
- if (!X509_STORE_CTX_init (CertCtx, NULL, Signer, Pkcs7->d.sign->cert)) {
+ if (!X509_STORE_CTX_init (&CertCtx, NULL, Signer, Pkcs7->d.sign->cert)) {
goto _Error;
}
//
// Initialize Chained & Untrusted stack
//
- CtxChain = X509_STORE_CTX_get0_chain (CertCtx);
- CtxCert = X509_STORE_CTX_get0_cert (CertCtx);
- if (CtxChain == NULL) {
- if (((CtxChain = sk_X509_new_null ()) == NULL) ||
- (!sk_X509_push (CtxChain, CtxCert))) {
+ if (CertCtx.chain == NULL) {
+ if (((CertCtx.chain = sk_X509_new_null ()) == NULL) ||
+ (!sk_X509_push (CertCtx.chain, CertCtx.cert))) {
goto _Error;
}
}
- CtxUntrusted = X509_STORE_CTX_get0_untrusted (CertCtx);
- (VOID)sk_X509_delete_ptr (CtxUntrusted, Signer);
+ (VOID)sk_X509_delete_ptr (CertCtx.untrusted, Signer);
//
// Build certificates stack chained from Signer's certificate.
@@ -568,25 +553,27 @@ Pkcs7GetCertificatesList ( //
// Self-Issue checking
//
- Issuer = NULL;
- if (X509_STORE_CTX_get1_issuer (&Issuer, CertCtx, Cert) == 1) {
- if (X509_cmp (Issuer, Cert) == 0) {
- break;
- }
+ if (CertCtx.check_issued (&CertCtx, Cert, Cert)) {
+ break;
}
//
// Found the issuer of the current certificate
//
- if (CtxUntrusted != NULL) {
+ if (CertCtx.untrusted != NULL) {
Issuer = NULL;
- IssuerName = X509_get_issuer_name (Cert);
- Issuer = X509_find_by_subject (CtxUntrusted, IssuerName);
+ for (Index = 0; Index < sk_X509_num (CertCtx.untrusted); Index++) {
+ TempCert = sk_X509_value (CertCtx.untrusted, Index);
+ if (CertCtx.check_issued (&CertCtx, Cert, TempCert)) {
+ Issuer = TempCert;
+ break;
+ }
+ }
if (Issuer != NULL) {
- if (!sk_X509_push (CtxChain, Issuer)) {
+ if (!sk_X509_push (CertCtx.chain, Issuer)) {
goto _Error;
}
- (VOID)sk_X509_delete_ptr (CtxUntrusted, Issuer);
+ (VOID)sk_X509_delete_ptr (CertCtx.untrusted, Issuer);
Cert = Issuer;
continue;
@@ -608,13 +595,13 @@ Pkcs7GetCertificatesList ( // UINT8 Certn[];
//
- if (CtxChain != NULL) {
+ if (CertCtx.chain != NULL) {
BufferSize = sizeof (UINT8);
OldSize = BufferSize;
CertBuf = NULL;
for (Index = 0; ; Index++) {
- Status = X509PopCertificate (CtxChain, &SingleCert, &CertSize);
+ Status = X509PopCertificate (CertCtx.chain, &SingleCert, &CertSize);
if (!Status) {
break;
}
@@ -652,13 +639,13 @@ Pkcs7GetCertificatesList ( }
}
- if (CtxUntrusted != NULL) {
+ if (CertCtx.untrusted != NULL) {
BufferSize = sizeof (UINT8);
OldSize = BufferSize;
CertBuf = NULL;
for (Index = 0; ; Index++) {
- Status = X509PopCertificate (CtxUntrusted, &SingleCert, &CertSize);
+ Status = X509PopCertificate (CertCtx.untrusted, &SingleCert, &CertSize);
if (!Status) {
break;
}
@@ -711,8 +698,7 @@ _Error: }
sk_X509_free (Signers);
- X509_STORE_CTX_cleanup (CertCtx);
- X509_STORE_CTX_free (CertCtx);
+ X509_STORE_CTX_cleanup (&CertCtx);
if (SingleCert != NULL) {
free (SingleCert);
diff --git a/Cryptlib/Pk/CryptRsaBasic.c b/Cryptlib/Pk/CryptRsaBasic.c index ba1bcf0f..e68dd024 100644 --- a/Cryptlib/Pk/CryptRsaBasic.c +++ b/Cryptlib/Pk/CryptRsaBasic.c @@ -7,7 +7,7 @@ 3) RsaSetKey
4) RsaPkcs1Verify
-Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -92,15 +92,7 @@ RsaSetKey ( IN UINTN BnSize
)
{
- RSA *RsaKey;
- BIGNUM *BnN;
- BIGNUM *BnE;
- BIGNUM *BnD;
- BIGNUM *BnP;
- BIGNUM *BnQ;
- BIGNUM *BnDp;
- BIGNUM *BnDq;
- BIGNUM *BnQInv;
+ RSA *RsaKey;
//
// Check input parameters.
@@ -109,23 +101,7 @@ RsaSetKey ( return FALSE;
}
- BnN = NULL;
- BnE = NULL;
- BnD = NULL;
- BnP = NULL;
- BnQ = NULL;
- BnDp = NULL;
- BnDq = NULL;
- BnQInv = NULL;
-
- //
- // Retrieve the components from RSA object.
- //
RsaKey = (RSA *) RsaContext;
- RSA_get0_key (RsaKey, (const BIGNUM **)&BnN, (const BIGNUM **)&BnE, (const BIGNUM **)&BnD);
- RSA_get0_factors (RsaKey, (const BIGNUM **)&BnP, (const BIGNUM **)&BnQ);
- RSA_get0_crt_params (RsaKey, (const BIGNUM **)&BnDp, (const BIGNUM **)&BnDq, (const BIGNUM **)&BnQInv);
-
//
// Set RSA Key Components by converting octet string to OpenSSL BN representation.
// NOTE: For RSA public key (used in signature verification), only public components
@@ -134,109 +110,144 @@ RsaSetKey ( switch (KeyTag) {
//
- // RSA Public Modulus (N), Public Exponent (e) and Private Exponent (d)
+ // RSA Public Modulus (N)
//
case RsaKeyN:
- case RsaKeyE:
- case RsaKeyD:
- if (BnN == NULL) {
- BnN = BN_new ();
+ if (RsaKey->n != NULL) {
+ BN_free (RsaKey->n);
}
- if (BnE == NULL) {
- BnE = BN_new ();
+ RsaKey->n = NULL;
+ if (BigNumber == NULL) {
+ break;
}
- if (BnD == NULL) {
- BnD = BN_new ();
+ RsaKey->n = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->n);
+ if (RsaKey->n == NULL) {
+ return FALSE;
}
- if ((BnN == NULL) || (BnE == NULL) || (BnD == NULL)) {
+ break;
+
+ //
+ // RSA Public Exponent (e)
+ //
+ case RsaKeyE:
+ if (RsaKey->e != NULL) {
+ BN_free (RsaKey->e);
+ }
+ RsaKey->e = NULL;
+ if (BigNumber == NULL) {
+ break;
+ }
+ RsaKey->e = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->e);
+ if (RsaKey->e == NULL) {
return FALSE;
}
- switch (KeyTag) {
- case RsaKeyN:
- BnN = BN_bin2bn (BigNumber, (UINT32)BnSize, BnN);
- break;
- case RsaKeyE:
- BnE = BN_bin2bn (BigNumber, (UINT32)BnSize, BnE);
- break;
- case RsaKeyD:
- BnD = BN_bin2bn (BigNumber, (UINT32)BnSize, BnD);
+ break;
+
+ //
+ // RSA Private Exponent (d)
+ //
+ case RsaKeyD:
+ if (RsaKey->d != NULL) {
+ BN_free (RsaKey->d);
+ }
+ RsaKey->d = NULL;
+ if (BigNumber == NULL) {
break;
- default:
- return FALSE;
}
- if (RSA_set0_key (RsaKey, BN_dup(BnN), BN_dup(BnE), BN_dup(BnD)) == 0) {
+ RsaKey->d = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->d);
+ if (RsaKey->d == NULL) {
return FALSE;
}
break;
//
- // RSA Secret Prime Factor of Modulus (p and q)
+ // RSA Secret Prime Factor of Modulus (p)
//
case RsaKeyP:
- case RsaKeyQ:
- if (BnP == NULL) {
- BnP = BN_new ();
+ if (RsaKey->p != NULL) {
+ BN_free (RsaKey->p);
}
- if (BnQ == NULL) {
- BnQ = BN_new ();
+ RsaKey->p = NULL;
+ if (BigNumber == NULL) {
+ break;
}
- if ((BnP == NULL) || (BnQ == NULL)) {
+ RsaKey->p = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->p);
+ if (RsaKey->p == NULL) {
return FALSE;
}
- switch (KeyTag) {
- case RsaKeyP:
- BnP = BN_bin2bn (BigNumber, (UINT32)BnSize, BnP);
- break;
- case RsaKeyQ:
- BnQ = BN_bin2bn (BigNumber, (UINT32)BnSize, BnQ);
+ break;
+
+ //
+ // RSA Secret Prime Factor of Modules (q)
+ //
+ case RsaKeyQ:
+ if (RsaKey->q != NULL) {
+ BN_free (RsaKey->q);
+ }
+ RsaKey->q = NULL;
+ if (BigNumber == NULL) {
break;
- default:
- return FALSE;
}
- if (RSA_set0_factors (RsaKey, BN_dup(BnP), BN_dup(BnQ)) == 0) {
+ RsaKey->q = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->q);
+ if (RsaKey->q == NULL) {
return FALSE;
}
break;
//
- // p's CRT Exponent (== d mod (p - 1)), q's CRT Exponent (== d mod (q - 1)),
- // and CRT Coefficient (== 1/q mod p)
+ // p's CRT Exponent (== d mod (p - 1))
//
case RsaKeyDp:
- case RsaKeyDq:
- case RsaKeyQInv:
- if (BnDp == NULL) {
- BnDp = BN_new ();
- }
- if (BnDq == NULL) {
- BnDq = BN_new ();
+ if (RsaKey->dmp1 != NULL) {
+ BN_free (RsaKey->dmp1);
}
- if (BnQInv == NULL) {
- BnQInv = BN_new ();
+ RsaKey->dmp1 = NULL;
+ if (BigNumber == NULL) {
+ break;
}
- if ((BnDp == NULL) || (BnDq == NULL) || (BnQInv == NULL)) {
+ RsaKey->dmp1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmp1);
+ if (RsaKey->dmp1 == NULL) {
return FALSE;
}
- switch (KeyTag) {
- case RsaKeyDp:
- BnDp = BN_bin2bn (BigNumber, (UINT32)BnSize, BnDp);
- break;
- case RsaKeyDq:
- BnDq = BN_bin2bn (BigNumber, (UINT32)BnSize, BnDq);
- break;
- case RsaKeyQInv:
- BnQInv = BN_bin2bn (BigNumber, (UINT32)BnSize, BnQInv);
+ break;
+
+ //
+ // q's CRT Exponent (== d mod (q - 1))
+ //
+ case RsaKeyDq:
+ if (RsaKey->dmq1 != NULL) {
+ BN_free (RsaKey->dmq1);
+ }
+ RsaKey->dmq1 = NULL;
+ if (BigNumber == NULL) {
break;
- default:
+ }
+ RsaKey->dmq1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmq1);
+ if (RsaKey->dmq1 == NULL) {
return FALSE;
}
- if (RSA_set0_crt_params (RsaKey, BN_dup(BnDp), BN_dup(BnDq), BN_dup(BnQInv)) == 0) {
+
+ break;
+
+ //
+ // The CRT Coefficient (== 1/q mod p)
+ //
+ case RsaKeyQInv:
+ if (RsaKey->iqmp != NULL) {
+ BN_free (RsaKey->iqmp);
+ }
+ RsaKey->iqmp = NULL;
+ if (BigNumber == NULL) {
+ break;
+ }
+ RsaKey->iqmp = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->iqmp);
+ if (RsaKey->iqmp == NULL) {
return FALSE;
}
@@ -300,11 +311,11 @@ RsaPkcs1Verify ( case MD5_DIGEST_SIZE:
DigestType = NID_md5;
break;
-
+
case SHA1_DIGEST_SIZE:
DigestType = NID_sha1;
break;
-
+
case SHA256_DIGEST_SIZE:
DigestType = NID_sha256;
break;
diff --git a/Cryptlib/Pk/CryptTs.c b/Cryptlib/Pk/CryptTs.c index d63c23df..1b78472f 100644 --- a/Cryptlib/Pk/CryptTs.c +++ b/Cryptlib/Pk/CryptTs.c @@ -5,7 +5,7 @@ the lifetime of the signature when a signing certificate expires or is later
revoked.
-Copyright (c) 2014 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2014 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -239,7 +239,7 @@ CheckTSTInfo ( TS_MESSAGE_IMPRINT *Imprint;
X509_ALGOR *HashAlgo;
CONST EVP_MD *Md;
- EVP_MD_CTX *MdCtx;
+ EVP_MD_CTX MdCtx;
UINTN MdSize;
UINT8 *HashedMsg;
@@ -249,7 +249,6 @@ CheckTSTInfo ( Status = FALSE;
HashAlgo = NULL;
HashedMsg = NULL;
- MdCtx = NULL;
//
// -- Check version number of Timestamp:
@@ -286,17 +285,11 @@ CheckTSTInfo ( if (HashedMsg == NULL) {
goto _Exit;
}
- MdCtx = EVP_MD_CTX_new ();
- if (MdCtx == NULL) {
- goto _Exit;
- }
- if ((EVP_DigestInit_ex (MdCtx, Md, NULL) != 1) ||
- (EVP_DigestUpdate (MdCtx, TimestampedData, DataSize) != 1) ||
- (EVP_DigestFinal (MdCtx, HashedMsg, NULL) != 1)) {
- goto _Exit;
- }
+ EVP_DigestInit (&MdCtx, Md);
+ EVP_DigestUpdate (&MdCtx, TimestampedData, DataSize);
+ EVP_DigestFinal (&MdCtx, HashedMsg, NULL);
if ((MdSize == (UINTN)ASN1_STRING_length (Imprint->HashedMessage)) &&
- (CompareMem (HashedMsg, ASN1_STRING_get0_data (Imprint->HashedMessage), MdSize) != 0)) {
+ (CompareMem (HashedMsg, ASN1_STRING_data (Imprint->HashedMessage), MdSize) != 0)) {
goto _Exit;
}
@@ -322,7 +315,6 @@ CheckTSTInfo ( _Exit:
X509_ALGOR_free (HashAlgo);
- EVP_MD_CTX_free (MdCtx);
if (HashedMsg != NULL) {
FreePool (HashedMsg);
}
diff --git a/Cryptlib/Pk/CryptX509.c b/Cryptlib/Pk/CryptX509.c index 7d275977..7dc45967 100644 --- a/Cryptlib/Pk/CryptX509.c +++ b/Cryptlib/Pk/CryptX509.c @@ -1,7 +1,7 @@ /** @file
X.509 Certificate Handler Wrapper Implementation over OpenSSL.
-Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -73,7 +73,7 @@ X509ConstructCertificate ( @param ... A list of DER-encoded single certificate data followed
by certificate size. A NULL terminates the list. The
pairs are the arguments to X509ConstructCertificate().
-
+
@retval TRUE The X509 stack construction succeeded.
@retval FALSE The construction operation failed.
@@ -82,7 +82,7 @@ BOOLEAN EFIAPI
X509ConstructCertificateStack (
IN OUT UINT8 **X509Stack,
- ...
+ ...
)
{
UINT8 *Cert;
@@ -175,14 +175,14 @@ EFIAPI X509Free (
IN VOID *X509Cert
)
-{
+{
//
// Check input parameters.
//
if (X509Cert == NULL) {
return;
}
-
+
//
// Free OpenSSL X509 object.
//
@@ -209,7 +209,7 @@ X509StackFree ( if (X509Stack == NULL) {
return;
}
-
+
//
// Free OpenSSL X509 stack object.
//
@@ -324,7 +324,7 @@ RsaGetPublicKeyFromX509 ( BOOLEAN Status;
EVP_PKEY *Pkey;
X509 *X509Cert;
-
+
//
// Check input parameters.
//
@@ -350,14 +350,14 @@ RsaGetPublicKeyFromX509 ( // Retrieve and check EVP_PKEY data from X509 Certificate.
//
Pkey = X509_get_pubkey (X509Cert);
- if ((Pkey == NULL) || (EVP_PKEY_id (Pkey) != EVP_PKEY_RSA)) {
+ if ((Pkey == NULL) || (Pkey->type != EVP_PKEY_RSA)) {
goto _Exit;
}
//
// Duplicate RSA Context from the retrieved EVP_PKEY.
//
- if ((*RsaContext = RSAPublicKey_dup (EVP_PKEY_get0_RSA (Pkey))) != NULL) {
+ if ((*RsaContext = RSAPublicKey_dup (Pkey->pkey.rsa)) != NULL) {
Status = TRUE;
}
@@ -371,7 +371,7 @@ _Exit: if (Pkey != NULL) {
EVP_PKEY_free (Pkey);
- }
+ }
return Status;
}
@@ -405,8 +405,8 @@ X509VerifyCert ( X509 *X509Cert;
X509 *X509CACert;
X509_STORE *CertStore;
- X509_STORE_CTX *CertCtx;
-
+ X509_STORE_CTX CertCtx;
+
//
// Check input parameters.
//
@@ -418,7 +418,6 @@ X509VerifyCert ( X509Cert = NULL;
X509CACert = NULL;
CertStore = NULL;
- CertCtx = NULL;
//
// Register & Initialize necessary digest algorithms for certificate verification.
@@ -474,19 +473,15 @@ X509VerifyCert ( //
// Set up X509_STORE_CTX for the subsequent verification operation.
//
- CertCtx = X509_STORE_CTX_new ();
- if (CertCtx == NULL) {
- goto _Exit;
- }
- if (!X509_STORE_CTX_init (CertCtx, CertStore, X509Cert, NULL)) {
+ if (!X509_STORE_CTX_init (&CertCtx, CertStore, X509Cert, NULL)) {
goto _Exit;
}
//
// X509 Certificate Verification.
//
- Status = (BOOLEAN) X509_verify_cert (CertCtx);
- X509_STORE_CTX_cleanup (CertCtx);
+ Status = (BOOLEAN) X509_verify_cert (&CertCtx);
+ X509_STORE_CTX_cleanup (&CertCtx);
_Exit:
//
@@ -503,9 +498,7 @@ _Exit: if (CertStore != NULL) {
X509_STORE_free (CertStore);
}
-
- X509_STORE_CTX_free (CertCtx);
-
+
return Status;
}
@@ -582,6 +575,6 @@ X509GetTBSCert ( }
*TBSCertSize = Length + (Temp - *TBSCert);
-
+
return TRUE;
}
|