1. Fix build break issue for NOOPT target.

2. Fix potential system hang issue in X509_STORE_CTX_cleanup.
3. Fix potential overflow when convert UINTN to INT.
4. Update Pkcs7Sign() to output stripped PKCS#7 SignedData.
5. Update Pkcs7Verify() to support both wrapped/stripped PKCS#7 SignedData.

Signed-off-by: tye
Reviewed-by: xdu2



git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12593 6f19259b-4bc3-4df7-8a09-765794883524

CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c

@@ -85,6 +85,10 @@ RsaGetPrivateKeyFromPem (
   ASSERT (PemData    != NULL);
   ASSERT (RsaContext != NULL);
 
+  if (PemSize > INT_MAX) {
+    return FALSE;
+  }
+
   Status = FALSE;
   PemBio = NULL;
 

CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c

@@ -65,6 +65,10 @@ AuthenticodeVerify (
   ASSERT (AuthData  != NULL);
   ASSERT (ImageHash != NULL);
 
+  if (DataSize > INT_MAX) {
+    return FALSE;
+  }
+
   Status       = FALSE;
   Pkcs7        = NULL;
   OrigAuthData = AuthData;

CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c

@@ -18,6 +18,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
 
+UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
 
 /**
   Verification callback function to override any existing callbacks in OpenSSL
@@ -143,6 +144,8 @@ Pkcs7Sign (
   PKCS7     *Pkcs7;
   UINT8     *RsaContext;
   UINT8     *P7Data;
+  UINTN     P7DataSize;
+  UINT8     *Tmp;
 
   //
   // Check input parameters.
@@ -155,6 +158,10 @@ Pkcs7Sign (
     return FALSE;
   }
 
+  if (InDataSize > INT_MAX) {
+    return FALSE;
+  }
+
   RsaContext = NULL;
   Key        = NULL;
   Pkcs7      = NULL;
@@ -216,13 +223,23 @@ Pkcs7Sign (
   //
   // Convert PKCS#7 signedData structure into DER-encoded buffer.
   //
-  *SignedDataSize = i2d_PKCS7 (Pkcs7, NULL);
-  if (*SignedDataSize == 0) {
+  P7DataSize = i2d_PKCS7 (Pkcs7, NULL);
+  if (P7DataSize <= 19) {
     goto _Exit;
   }
+  P7Data     = OPENSSL_malloc (P7DataSize);
+  Tmp        = P7Data;
+  P7DataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &Tmp);
+
+  //
+  // Strip ContentInfo to content only for signeddata. The data be trimmed off
+  // is totally 19 bytes.
+  //
+  *SignedDataSize = P7DataSize - 19;
   *SignedData     = OPENSSL_malloc (*SignedDataSize);
-  P7Data          = *SignedData;
-  *SignedDataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &P7Data);
+  CopyMem (*SignedData, P7Data + 19, *SignedDataSize);
+  
+  OPENSSL_free (P7Data);
 
   Status = TRUE;
 
@@ -253,8 +270,9 @@ _Exit:
 }
 
 /**
-  Verifies the validility of a PKCS#7 signed data as described in "PKCS #7: Cryptographic
-  Message Syntax Standard".
+  Verifies the validility of a PKCS#7 signed data as described in "PKCS #7:
+  Cryptographic Message Syntax Standard". The input signed data could be wrapped
+  in a ContentInfo structure.
 
   If P7Data is NULL, then ASSERT().
 
@@ -287,11 +305,19 @@ Pkcs7Verify (
   BOOLEAN     Status;
   X509        *Cert;
   X509_STORE  *CertStore;
+  UINT8       *SignedData;
+  UINT8       *Temp;
+  UINTN       SignedDataSize;
+  BOOLEAN     Wrapped;
 
   //
-  // ASSERT if P7Data is NULL
+  // ASSERT if P7Data is NULL or P7Length is not larger than 19 bytes.
   //
-  ASSERT (P7Data != NULL);
+  ASSERT ((P7Data != NULL) || (P7Length <= 19));
+
+  if ((CertLength > INT_MAX) || (DataLength > INT_MAX)) {
+    return FALSE;
+  }
 
   Status    = FALSE;
   Pkcs7     = NULL;
@@ -308,10 +334,81 @@ Pkcs7Verify (
   EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA);
   EVP_add_digest (EVP_sha256());
 
+  //
+  // Check whether input P7Data is a wrapped ContentInfo structure or not.
+  //
+  Wrapped = FALSE;
+  if ((P7Data[4] == 0x06) && (P7Data[5] == 0x09)) {
+    if (CompareMem (P7Data + 6, mOidValue, sizeof (mOidValue)) == 0) {
+      if ((P7Data[15] == 0xA0) && (P7Data[16] == 0x82)) {
+        Wrapped = TRUE;
+      }
+    }
+  }
+
+  if (Wrapped) {
+    SignedData     = (UINT8 *) P7Data;
+    SignedDataSize = P7Length;
+  } else {
+    //
+    // Wrap PKCS#7 signeddata to a ContentInfo structure - add a header in 19 bytes.
+    //
+    SignedDataSize = P7Length + 19;
+    SignedData     = OPENSSL_malloc (SignedDataSize);
+    if (SignedData == NULL) {
+      return FALSE;
+    }
+
+    //
+    // Part1: 0x30, 0x82.
+    //
+    SignedData[0] = 0x30;
+    SignedData[1] = 0x82;
+
+    //
+    // Part2: Length1 = P7Length + 19 - 4, in big endian.
+    //
+    SignedData[2] = (UINT8) (((UINT16) (SignedDataSize - 4)) >> 8);
+    SignedData[3] = (UINT8) (((UINT16) (SignedDataSize - 4)) & 0xff);
+
+    //
+    // Part3: 0x06, 0x09.
+    //
+    SignedData[4] = 0x06;
+    SignedData[5] = 0x09;
+
+    //
+    // Part4: OID value -- 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x07 0x02.
+    //
+    CopyMem (SignedData + 6, mOidValue, sizeof (mOidValue));
+
+    //
+    // Part5: 0xA0, 0x82.
+    //
+    SignedData[15] = 0xA0;
+    SignedData[16] = 0x82;
+
+    //
+    // Part6: Length2 = P7Length, in big endian.
+    //
+    SignedData[17] = (UINT8) (((UINT16) P7Length) >> 8);
+    SignedData[18] = (UINT8) (((UINT16) P7Length) & 0xff);
+
+    //
+    // Part7: P7Data.
+    //
+    CopyMem (SignedData + 19, P7Data, P7Length);
+  }
+  
   //
   // Retrieve PKCS#7 Data (DER encoding)
   //
-  Pkcs7 = d2i_PKCS7 (NULL, &P7Data, (int)P7Length);
+  if (SignedDataSize > INT_MAX) {
+    goto _Exit;
+  }
+
+  Temp = SignedData;
+  Pkcs7 = d2i_PKCS7 (NULL, &Temp, (int) SignedDataSize);
   if (Pkcs7 == NULL) {
     goto _Exit;
   }
@@ -375,5 +472,9 @@ _Exit:
   X509_STORE_free (CertStore);
   PKCS7_free (Pkcs7);
 
+  if (!Wrapped) {
+    OPENSSL_free (SignedData);
+  }
+
   return Status;
 }

CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c

@@ -48,6 +48,10 @@ X509ConstructCertificate (
   ASSERT (Cert != NULL);
   ASSERT (SingleX509Cert != NULL);
 
+  if (CertSize > INT_MAX) {
+    return FALSE;
+  }
+
   Status = FALSE;
 
   //
@@ -439,6 +443,7 @@ X509VerifyCert (
   // X509 Certificate Verification.
   //
   Status = (BOOLEAN) X509_verify_cert (&CertCtx);
+  X509_STORE_CTX_cleanup (&CertCtx);
 
 _Exit:
   //
@@ -447,7 +452,6 @@ _Exit:
   X509_free (X509Cert);
   X509_free (X509CACert);
   X509_STORE_free (CertStore);
-  X509_STORE_CTX_cleanup (&CertCtx);
 
   return Status;
 }

CryptoPkg/Library/OpensslLib/OpensslLib.inf

@@ -597,8 +597,8 @@
    MSFT:RELEASE_*_X64_CC_FLAGS            == /nologo /c /WX /GS- /X /Gs32768 /D UNICODE /O1ib2s /GL /Gy /FIAutoGen.h /EHs-c- /GR- /GF -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w
    MSFT:DEBUG_*_IPF_CC_FLAGS              == /nologo /c /WX /GS- /X /EHs-c- /GR- /Gy /Os /GL /FIAutoGen.h /QIPF_fr32 /Zi -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w
    MSFT:RELEASE_*_IPF_CC_FLAGS            == /nologo /c /WX /GS- /X /EHs-c- /GR- /Gy /Os /GL /FIAutoGen.h /QIPF_fr32 -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w
-  INTEL:*_*_*_CC_FLAGS                    = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w
-    GCC:*_*_*_CC_FLAGS                    = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w
+   MSFT:NOOPT_*_IA32_CC_FLAGS             == /nologo /c /WX /GS- /Gs32768 /D UNICODE /Od /FIAutoGen.h /EHs-c- /GR- /GF /Gy /Zi /Gm -U_WIN32 -U_WIN64 -U_MSC_VER $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w
+   INTEL:*_*_*_CC_FLAGS                   = -U_WIN32 -U_WIN64 -U_MSC_VER -U__ICC $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) /w
+   GCC:*_*_*_CC_FLAGS                     = -U_WIN32 -U_WIN64 $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) -w
    RVCT:DEBUG_*_*_CC_FLAGS                = $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) --library_interface=aeabi_clib99 --fpu=vfpv3
    RVCT:RELEASE_*_*_CC_FLAGS              = $(OPENSSL_FLAGS) $(OPENSSL_EXFLAGS) --library_interface=aeabi_clib99 --fpu=vfpv3
-