X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=blobdiff_plain;f=CryptoPkg%2FLibrary%2FBaseCryptLib%2FPk%2FCryptTs.c;h=540c5715cb8ad996f5d3924174bb308613ca79be;hp=e4b5a8497fdefc5debe3c7ab0beb2e5f0ca1d020;hb=2a784a2cc356df5a8958afe88bc7e844dc0fb7cc;hpb=017c285ef1c326853c4a1390b741cecb57677162
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
index e4b5a8497f..540c5715cb 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
@@ -5,7 +5,7 @@
the lifetime of the signature when a signing certificate expires or is later
revoked.
-Copyright (c) 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2014 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -136,94 +136,13 @@ ASN1_SEQUENCE (TS_TST_INFO) = {
IMPLEMENT_ASN1_FUNCTIONS (TS_TST_INFO)
-/**
- Verification callback function to override any existing callbacks in OpenSSL
- for intermediate TSA certificate supports.
-
- @param[in] Status Original status before calling this callback.
- @param[in] Context X509 store context.
-
- @retval 1 Current X509 certificate is verified successfully.
- @retval 0 Verification failed.
-
-**/
-int
-TSVerifyCallback (
- IN int Status,
- IN X509_STORE_CTX *Context
- )
-{
- X509_OBJECT *Obj;
- INTN Error;
- INTN Index;
- INTN Count;
-
- Obj = NULL;
- Error = (INTN) X509_STORE_CTX_get_error (Context);
-
- //
- // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_
- // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer
- // can not be found in X509_verify_cert of X509_vfy.c.
- // In order to support intermediate certificate node, we override the
- // errors if the certification is obtained from X509 store, i.e. it is
- // a trusted ceritifcate node that is enrolled by user.
- // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
- // are also ignored to enable such feature.
- //
- if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||
- (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
- Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));
- if (Obj == NULL) {
- return 0;
- }
-
- Obj->type = X509_LU_X509;
- Obj->data.x509 = Context->current_cert;
-
- CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);
-
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
- Status = 1;
- } else {
- //
- // If any certificate in the chain is enrolled as trusted certificate,
- // pass the certificate verification.
- //
- if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {
- Count = (INTN) sk_X509_num (Context->chain);
- for (Index = 0; Index < Count; Index++) {
- Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
- Status = 1;
- break;
- }
- }
- }
- }
-
- CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);
- }
-
- if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
- (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
- Status = 1;
- }
-
- if (Obj != NULL) {
- OPENSSL_free (Obj);
- }
-
- return Status;
-}
-
/**
Convert ASN.1 GeneralizedTime to EFI Time.
@param[in] Asn1Time Pointer to the ASN.1 GeneralizedTime to be converted.
@param[out] SigningTime Return the corresponding EFI Time.
- @retval TRUE The time convertion succeeds.
+ @retval TRUE The time conversion succeeds.
@retval FALSE Invalid parameters.
**/
@@ -320,7 +239,7 @@ CheckTSTInfo (
TS_MESSAGE_IMPRINT *Imprint;
X509_ALGOR *HashAlgo;
CONST EVP_MD *Md;
- EVP_MD_CTX MdCtx;
+ EVP_MD_CTX *MdCtx;
UINTN MdSize;
UINT8 *HashedMsg;
@@ -330,6 +249,7 @@ CheckTSTInfo (
Status = FALSE;
HashAlgo = NULL;
HashedMsg = NULL;
+ MdCtx = NULL;
//
// -- Check version number of Timestamp:
@@ -366,11 +286,17 @@ CheckTSTInfo (
if (HashedMsg == NULL) {
goto _Exit;
}
- EVP_DigestInit (&MdCtx, Md);
- EVP_DigestUpdate (&MdCtx, TimestampedData, DataSize);
- EVP_DigestFinal (&MdCtx, HashedMsg, NULL);
+ MdCtx = EVP_MD_CTX_new ();
+ if (MdCtx == NULL) {
+ goto _Exit;
+ }
+ if ((EVP_DigestInit_ex (MdCtx, Md, NULL) != 1) ||
+ (EVP_DigestUpdate (MdCtx, TimestampedData, DataSize) != 1) ||
+ (EVP_DigestFinal (MdCtx, HashedMsg, NULL) != 1)) {
+ goto _Exit;
+ }
if ((MdSize == (UINTN)ASN1_STRING_length (Imprint->HashedMessage)) &&
- (CompareMem (HashedMsg, ASN1_STRING_data (Imprint->HashedMessage), MdSize) != 0)) {
+ (CompareMem (HashedMsg, ASN1_STRING_get0_data (Imprint->HashedMessage), MdSize) != 0)) {
goto _Exit;
}
@@ -396,6 +322,7 @@ CheckTSTInfo (
_Exit:
X509_ALGOR_free (HashAlgo);
+ EVP_MD_CTX_free (MdCtx);
if (HashedMsg != NULL) {
FreePool (HashedMsg);
}
@@ -404,7 +331,7 @@ _Exit:
}
/**
- Verifies the validility of a TimeStamp Token as described in RFC 3161 ("Internet
+ Verifies the validity of a TimeStamp Token as described in RFC 3161 ("Internet
X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)").
If TSToken is NULL, then return FALSE.
@@ -441,11 +368,12 @@ TimestampTokenVerify (
CONST UINT8 *TokenTemp;
PKCS7 *Pkcs7;
X509 *Cert;
+ CONST UINT8 *CertTemp;
X509_STORE *CertStore;
BIO *OutBio;
UINT8 *TstData;
UINTN TstSize;
- UINT8 *TstTemp;
+ CONST UINT8 *TstTemp;
TS_TST_INFO *TstInfo;
Status = FALSE;
@@ -490,7 +418,8 @@ TimestampTokenVerify (
//
// Read the trusted TSA certificate (DER-encoded), and Construct X509 Certificate.
//
- Cert = d2i_X509 (NULL, &TsaCert, (long) CertSize);
+ CertTemp = TsaCert;
+ Cert = d2i_X509 (NULL, &CertTemp, (long) CertSize);
if (Cert == NULL) {
goto _Exit;
}
@@ -504,10 +433,11 @@ TimestampTokenVerify (
}
//
- // Register customized X509 verification callback function to support
- // trusted intermediate TSA certificate anchor.
+ // Allow partial certificate chains, terminated by a non-self-signed but
+ // still trusted intermediate certificate. Also disable time checks.
//
- CertStore->verify_cb = TSVerifyCallback;
+ X509_STORE_set_flags (CertStore,
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);
X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
@@ -575,7 +505,7 @@ _Exit:
}
/**
- Verifies the validility of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode
+ Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode
signature.
If AuthData is NULL, then return FALSE.
@@ -605,11 +535,13 @@ ImageTimestampVerify (
{
BOOLEAN Status;
PKCS7 *Pkcs7;
+ CONST UINT8 *Temp;
STACK_OF(PKCS7_SIGNER_INFO) *SignerInfos;
PKCS7_SIGNER_INFO *SignInfo;
UINTN Index;
STACK_OF(X509_ATTRIBUTE) *Sk;
X509_ATTRIBUTE *Xa;
+ ASN1_OBJECT *XaObj;
ASN1_TYPE *Asn1Type;
ASN1_OCTET_STRING *EncDigest;
UINT8 *TSToken;
@@ -644,7 +576,8 @@ ImageTimestampVerify (
//
// Decode ASN.1-encoded Authenticode data into PKCS7 structure.
//
- Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &AuthData, (int) DataSize);
+ Temp = AuthData;
+ Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) DataSize);
if (Pkcs7 == NULL) {
goto _Exit;
}
@@ -688,11 +621,18 @@ ImageTimestampVerify (
// Search valid RFC3161 timestamp counterSignature based on OBJID.
//
Xa = sk_X509_ATTRIBUTE_value (Sk, (int)Index);
- if ((Xa->object->length != sizeof (mSpcRFC3161OidValue)) ||
- (CompareMem (Xa->object->data, mSpcRFC3161OidValue, sizeof (mSpcRFC3161OidValue)) != 0)) {
+ if (Xa == NULL) {
+ continue;
+ }
+ XaObj = X509_ATTRIBUTE_get0_object(Xa);
+ if (XaObj == NULL) {
+ continue;
+ }
+ if ((OBJ_length(XaObj) != sizeof (mSpcRFC3161OidValue)) ||
+ (CompareMem (OBJ_get0_data(XaObj), mSpcRFC3161OidValue, sizeof (mSpcRFC3161OidValue)) != 0)) {
continue;
}
- Asn1Type = sk_ASN1_TYPE_value (Xa->value.set, 0);
+ Asn1Type = X509_ATTRIBUTE_get0_type(Xa, 0);
}
if (Asn1Type == NULL) {