X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=CryptoPkg%2FLibrary%2FBaseCryptLib%2FPk%2FCryptPkcs7Sign.c;h=3f8b4642442d79f623cff73a5a978f66056be5db;hb=7c342378317039e632d9a1a5d4cf7c21aec8cb7a;hp=11472ebf3b27669186765d4038294352258216dd;hpb=6b8ebcb8de52ae5cab543181712e53eeb94340a7;p=mirror_edk2.git diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c index 11472ebf3b..3f8b464244 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c @@ -1,14 +1,8 @@ /** @file PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL. -Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -18,7 +12,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include #include - /** Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message Syntax Standard, version 1.5". This interface is only intended to be used for @@ -35,7 +28,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. @param[in] OtherCerts Pointer to an optional additional set of certificates to include in the PKCS#7 signedData (e.g. any intermediate CAs in the chain). - @param[out] SignedData Pointer to output PKCS#7 signedData. + @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's + responsibility to free the buffer with FreePool(). @param[out] SignedDataSize Size of SignedData in bytes. @retval TRUE PKCS#7 data signing succeeded. @@ -68,8 +62,9 @@ Pkcs7Sign ( // // Check input parameters. // - if (PrivateKey == NULL || KeyPassword == NULL || InData == NULL || - SignCert == NULL || SignedData == NULL || SignedDataSize == NULL || InDataSize > INT_MAX) { + if ((PrivateKey == NULL) || (KeyPassword == NULL) || (InData == NULL) || + (SignCert == NULL) || (SignedData == NULL) || (SignedDataSize == NULL) || (InDataSize > INT_MAX)) + { return FALSE; } @@ -85,19 +80,30 @@ Pkcs7Sign ( Status = RsaGetPrivateKeyFromPem ( PrivateKey, PrivateKeySize, - (CONST CHAR8 *) KeyPassword, - (VOID **) &RsaContext + (CONST CHAR8 *)KeyPassword, + (VOID **)&RsaContext ); if (!Status) { return Status; } + Status = FALSE; + // // Register & Initialize necessary digest algorithms and PRNG for PKCS#7 Handling // - EVP_add_digest (EVP_md5()); - EVP_add_digest (EVP_sha1()); - EVP_add_digest (EVP_sha256()); + if (EVP_add_digest (EVP_md5 ()) == 0) { + goto _Exit; + } + + if (EVP_add_digest (EVP_sha1 ()) == 0) { + goto _Exit; + } + + if (EVP_add_digest (EVP_sha256 ()) == 0) { + goto _Exit; + } + RandomSeed (NULL, 0); // 
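Review bot: The new `goto _Exit` exits after the `EVP_add_digest` checks run while `RsaContext` already holds the decoded private key, and the final hunk removes `RsaFree (RsaContext)` from `_Exit`, so on these paths the key object appears never to be released. The same holds in the next hunk when `EVP_PKEY_new` or `EVP_PKEY_assign_RSA` fails, because ownership only moves to `Key` once the assign succeeds. Consider keeping `if (RsaContext != NULL) { RsaFree (RsaContext); }` in `_Exit` and adding `RsaContext = NULL;` directly after the successful `EVP_PKEY_assign_RSA` call, which also avoids a double free with `EVP_PKEY_free (Key)`. The cleanup block continues past the last hunk, so confirm nothing outside the visible lines already frees it.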
@@ -105,31 +111,36 @@ Pkcs7Sign ( // Key = EVP_PKEY_new (); if (Key == NULL) { - Status = FALSE; goto _Exit; } - Key->save_type = EVP_PKEY_RSA; - Key->type = EVP_PKEY_type (EVP_PKEY_RSA); - Key->pkey.rsa = (RSA *) RsaContext; + + if (EVP_PKEY_assign_RSA (Key, (RSA *)RsaContext) == 0) { + goto _Exit; + } // - // Convert the data to be signed to BIO format. + // Convert the data to be signed to BIO format. // DataBio = BIO_new (BIO_s_mem ()); - BIO_write (DataBio, InData, (int) InDataSize); + if (DataBio == NULL) { + goto _Exit; + } + + if (BIO_write (DataBio, InData, (int)InDataSize) <= 0) { + goto _Exit; + } // // Create the PKCS#7 signedData structure. // Pkcs7 = PKCS7_sign ( - (X509 *) SignCert, + (X509 *)SignCert, Key, - (STACK_OF(X509) *) OtherCerts, + (STACK_OF (X509) *) OtherCerts, DataBio, PKCS7_BINARY | PKCS7_NOATTR | PKCS7_DETACHED ); if (Pkcs7 == NULL) { - Status = FALSE; goto _Exit; } @@ -138,33 +149,31 @@ Pkcs7Sign ( // P7DataSize = i2d_PKCS7 (Pkcs7, NULL); if (P7DataSize <= 19) { - Status = FALSE; goto _Exit; } - P7Data = malloc (P7DataSize); + P7Data = malloc (P7DataSize); if (P7Data == NULL) { - Status = FALSE; goto _Exit; } Tmp = P7Data; - P7DataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &Tmp); + P7DataSize = i2d_PKCS7 (Pkcs7, (unsigned char **)&Tmp); + ASSERT (P7DataSize > 19); // // Strip ContentInfo to content only for signeddata. The data be trimmed off // is totally 19 bytes. // *SignedDataSize = P7DataSize - 19; - *SignedData = malloc (*SignedDataSize); + *SignedData = AllocatePool (*SignedDataSize); if (*SignedData == NULL) { - Status = FALSE; OPENSSL_free (P7Data); goto _Exit; } CopyMem (*SignedData, P7Data + 19, *SignedDataSize); - + OPENSSL_free (P7Data); Status = TRUE; @@ -173,13 +182,6 @@ _Exit: // // Release Resources // - if (RsaContext != NULL) { - RsaFree (RsaContext); - if (Key != NULL) { - Key->pkey.rsa = NULL; - } - } - if (Key != NULL) { EVP_PKEY_free (Key); }
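Review bot: The `BIO_write (DataBio, InData, (int)InDataSize) <= 0` test treats a zero-byte write as a failure, while the parameter check earlier in the function only rejects `InData == NULL` and `InDataSize > INT_MAX`. An empty payload would therefore presumably now return FALSE from deep inside the function, where the old unchecked call let it through to `PKCS7_sign`. If that is intended, reject it up front with `(InDataSize == 0)` in the parameter check and note it under `@retval FALSE` in the header. If empty input must still be signable, compare against the requested length instead: `if (BIO_write (DataBio, InData, (int)InDataSize) != (int)InDataSize) {`.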
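Review bot: `ASSERT (P7DataSize > 19)` is the only guard on the second `i2d_PKCS7` result, and ASSERT is normally compiled out of release builds. An error or short return there would make `P7DataSize - 19` wrap if `*SignedDataSize` is unsigned, and `AllocatePool` and `CopyMem` would then run with a bogus length. A runtime check mirroring the one after the first call is safer: `if (P7DataSize <= 19) { OPENSSL_free (P7Data); goto _Exit; }`. `*SignedDataSize` is also written before `AllocatePool` is known to have succeeded, so a failed call leaves the caller's size modified; computing the size into a local and storing both outputs just before `Status = TRUE` would avoid that. A short comment on where the constant 19 comes from would also help the next reader.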