CryptoPkg/BaseCryptLib: Add NULL pointer checks in DH and P7Verify

[mirror_edk2.git] / CryptoPkg / Library / BaseCryptLib / Pk / CryptTs.c

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
index 449a08db2c6391599e5d42ffbd2961adec4cc496..d63c23df0970ef6878303e2cfc3f203da03f57e7 100644 (file)
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
@@ -5,7 +5,7 @@
   the lifetime of the signature when a signing certificate expires or is later\r
   revoked.\r
 \r
-Copyright (c) 2014 - 2015, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2014 - 2017, Intel Corporation. All rights reserved.<BR>\r
 This program and the accompanying materials\r
 are licensed and made available under the terms and conditions of the BSD License\r
 which accompanies this distribution.  The full text of the license may be found at\r
@@ -239,7 +239,7 @@ CheckTSTInfo (
   TS_MESSAGE_IMPRINT  *Imprint;\r
   X509_ALGOR          *HashAlgo;\r
   CONST EVP_MD        *Md;\r
-  EVP_MD_CTX          MdCtx;\r
+  EVP_MD_CTX          *MdCtx;\r
   UINTN               MdSize;\r
   UINT8               *HashedMsg;\r
 \r
@@ -249,6 +249,7 @@ CheckTSTInfo (
   Status    = FALSE;\r
   HashAlgo  = NULL;\r
   HashedMsg = NULL;\r
+  MdCtx     = NULL;\r
 \r
   //\r
   // -- Check version number of Timestamp:\r
@@ -285,11 +286,17 @@ CheckTSTInfo (
   if (HashedMsg == NULL) {\r
     goto _Exit;\r
   }\r
-  EVP_DigestInit (&MdCtx, Md);\r
-  EVP_DigestUpdate (&MdCtx, TimestampedData, DataSize);\r
-  EVP_DigestFinal (&MdCtx, HashedMsg, NULL);\r
+  MdCtx = EVP_MD_CTX_new ();\r
+  if (MdCtx == NULL) {\r
+    goto _Exit;\r
+  }\r
+  if ((EVP_DigestInit_ex (MdCtx, Md, NULL) != 1) ||\r
+      (EVP_DigestUpdate (MdCtx, TimestampedData, DataSize) != 1) ||\r
+      (EVP_DigestFinal (MdCtx, HashedMsg, NULL) != 1)) {\r
+    goto _Exit;\r
+  }\r
   if ((MdSize == (UINTN)ASN1_STRING_length (Imprint->HashedMessage)) &&\r
-      (CompareMem (HashedMsg, ASN1_STRING_data (Imprint->HashedMessage), MdSize) != 0)) {\r
+      (CompareMem (HashedMsg, ASN1_STRING_get0_data (Imprint->HashedMessage), MdSize) != 0)) {\r
     goto _Exit;\r
   }\r
 \r
@@ -315,6 +322,7 @@ CheckTSTInfo (
 \r
 _Exit:\r
   X509_ALGOR_free (HashAlgo);\r
+  EVP_MD_CTX_free (MdCtx);\r
   if (HashedMsg != NULL) {\r
     FreePool (HashedMsg);\r
   }\r
@@ -323,7 +331,7 @@ _Exit:
 }\r
 \r
 /**\r
-  Verifies the validility of a TimeStamp Token as described in RFC 3161 ("Internet\r
+  Verifies the validity of a TimeStamp Token as described in RFC 3161 ("Internet\r
   X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)").\r
 \r
   If TSToken is NULL, then return FALSE.\r
@@ -426,9 +434,10 @@ TimestampTokenVerify (
 \r
   //\r
   // Allow partial certificate chains, terminated by a non-self-signed but\r
-  // still trusted intermediate certificate.\r
+  // still trusted intermediate certificate. Also disable time checks.\r
   //\r
-  X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);\r
+  X509_STORE_set_flags (CertStore,\r
+                        X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);\r
 \r
   X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);\r
 \r
@@ -496,7 +505,7 @@ _Exit:
 }\r
 \r
 /**\r
-  Verifies the validility of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode\r
+  Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode\r
   signature.\r
 \r
   If AuthData is NULL, then return FALSE.\r