}\r
\r
DevicePathSize = GetDevicePathSize (DevicePath);\r
- NewImageExeInfoEntrySize = sizeof (EFI_IMAGE_EXECUTION_INFO) + NameStringLen + DevicePathSize + SignatureSize;\r
+ NewImageExeInfoEntrySize = sizeof (EFI_IMAGE_EXECUTION_INFO) - sizeof (EFI_SIGNATURE_LIST) + NameStringLen + DevicePathSize + SignatureSize;\r
NewImageExeInfoTable = (EFI_IMAGE_EXECUTION_INFO_TABLE *) AllocateRuntimePool (ImageExeInfoTableSize + NewImageExeInfoEntrySize);\r
if (NewImageExeInfoTable == NULL) {\r
return ;\r
)\r
{\r
BOOLEAN IsFound;\r
- EFI_STATUS Status;\r
+ BOOLEAN Status;\r
EFI_SIGNATURE_LIST *DbxList;\r
UINTN DbxSize;\r
EFI_SIGNATURE_DATA *CertHash;\r
UINT8 CertDigest[MAX_DIGEST_SIZE];\r
UINT8 *DbxCertHash;\r
UINTN SiglistHeaderSize;\r
+ UINT8 *TBSCert;\r
+ UINTN TBSCertSize;\r
\r
IsFound = FALSE;\r
DbxList = SignatureList;\r
HashCtx = NULL;\r
HashAlg = HASHALG_MAX;\r
\r
- ASSERT (RevocationTime != NULL);\r
+ if ((RevocationTime == NULL) || (DbxList == NULL)) {\r
+ return FALSE;\r
+ }\r
+\r
+ //\r
+ // Retrieve the TBSCertificate from the X.509 Certificate.\r
+ //\r
+ if (!X509GetTBSCert (Certificate, CertSize, &TBSCert, &TBSCertSize)) {\r
+ return FALSE;\r
+ }\r
\r
while ((DbxSize > 0) && (SignatureListSize >= DbxList->SignatureListSize)) {\r
//\r
}\r
\r
//\r
- // Calculate the hash value of current db certificate for comparision.\r
+ // Calculate the hash value of current TBSCertificate for comparision.\r
//\r
if (mHash[HashAlg].GetContextSize == NULL) {\r
goto Done;\r
if (!Status) {\r
goto Done;\r
}\r
- Status = mHash[HashAlg].HashUpdate (HashCtx, Certificate, CertSize);\r
+ Status = mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize);\r
if (!Status) {\r
goto Done;\r
}\r
//\r
DbtDataSize = 0;\r
Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid, NULL, &DbtDataSize, NULL);\r
- if (Status == EFI_BUFFER_TOO_SMALL) {\r
- DbtData = (UINT8 *) AllocateZeroPool (DbtDataSize);\r
- if (DbtData == NULL) {\r
- goto Done;\r
- }\r
- Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid, NULL, &DbtDataSize, (VOID *) DbtData);\r
- if (EFI_ERROR (Status)) {\r
- goto Done;\r
- }\r
+ if (Status != EFI_BUFFER_TOO_SMALL) {\r
+ goto Done;\r
+ }\r
+ DbtData = (UINT8 *) AllocateZeroPool (DbtDataSize);\r
+ if (DbtData == NULL) {\r
+ goto Done;\r
+ }\r
+ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid, NULL, &DbtDataSize, (VOID *) DbtData);\r
+ if (EFI_ERROR (Status)) {\r
+ goto Done;\r
}\r
\r
CertList = (EFI_SIGNATURE_LIST *) DbtData;\r
//\r
DataSize = 0;\r
Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);\r
- if (Status == EFI_BUFFER_TOO_SMALL) {\r
- Data = (UINT8 *) AllocateZeroPool (DataSize);\r
- if (Data == NULL) {\r
- return IsForbidden;\r
- }\r
-\r
- Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data);\r
+ if (Status != EFI_BUFFER_TOO_SMALL) {\r
+ return IsForbidden;\r
+ }\r
+ Data = (UINT8 *) AllocateZeroPool (DataSize);\r
+ if (Data == NULL) {\r
+ return IsForbidden;\r
}\r
+\r
+ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, (VOID *) Data);\r
if (EFI_ERROR (Status)) {\r
return IsForbidden;\r
}\r
// UINT8 Certn[];\r
//\r
Pkcs7GetSigners (AuthData, AuthDataSize, &CertBuffer, &BufferLength, &TrustedCert, &TrustedCertLength);\r
- if (BufferLength == 0) {\r
+ if ((BufferLength == 0) || (CertBuffer == NULL)) {\r
IsForbidden = TRUE;\r
goto Done;\r
}\r
UINTN AuthDataSize;\r
EFI_IMAGE_DATA_DIRECTORY *SecDataDir;\r
UINT32 OffSet;\r
+ CHAR16 *NameStr;\r
\r
SignatureList = NULL;\r
SignatureListSize = 0;\r
//\r
for (OffSet = SecDataDir->VirtualAddress;\r
OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);\r
- OffSet += WinCertificate->dwLength, OffSet += ALIGN_SIZE (OffSet)) {\r
+ OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) {\r
WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);\r
if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof (WIN_CERTIFICATE) ||\r
(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength) {\r
//\r
// Policy decides to defer or reject the image; add its information in image executable information table.\r
//\r
- AddImageExeInfo (Action, NULL, File, SignatureList, SignatureListSize);\r
+ NameStr = ConvertDevicePathToText (File, FALSE, TRUE);\r
+ AddImageExeInfo (Action, NameStr, File, SignatureList, SignatureListSize);\r
+ if (NameStr != NULL) {\r
+ DEBUG((EFI_D_INFO, "The image doesn't pass verification: %s\n", NameStr));\r
+ FreePool(NameStr);\r
+ }\r
Status = EFI_SECURITY_VIOLATION;\r
}\r
\r
projects / mirror_edk2.git / blobdiff