1 files changed, 132 insertions, 15 deletions
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index 05c3f87743..d0b0c838b8 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -10,7 +10,7 @@
   WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated
   Variable and will do basic check for data structure.
 
-Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -123,7 +123,7 @@ X509VerifyCb (
   @param[in]  P7Length     Length of the PKCS#7 message in bytes.
   @param[out] WrapFlag     If TRUE P7Data is a ContentInfo structure, otherwise
                            return FALSE.
-  @param[out] WrapData     If return status of this function is TRUE: 
+  @param[out] WrapData     If return status of this function is TRUE:
                            1) when WrapFlag is TRUE, pointer to P7Data.
                            2) when WrapFlag is FALSE, pointer to a new ContentInfo
                            structure. It's caller's responsibility to free this
@@ -227,7 +227,7 @@ WrapPkcs7Data (
   @param[in]  X509Stack       Pointer to a X509 stack object.
   @param[out] Cert            Pointer to a X509 certificate.
   @param[out] CertSize        Length of output X509 certificate in bytes.
-                                 
+
   @retval     TRUE            The X509 stack pop succeeded.
   @retval     FALSE           The pop operation failed.
 
@@ -273,7 +273,7 @@ X509PopCertificate (
     goto _Exit;
   }
 
-  Length = ((BUF_MEM *) CertBio->ptr)->length;
+  Length = (INT32)(((BUF_MEM *) CertBio->ptr)->length);
   if (Length <= 0) {
     goto _Exit;
   }
@@ -343,7 +343,7 @@ Pkcs7GetSigners (
   PKCS7            *Pkcs7;
   BOOLEAN          Status;
   UINT8            *SignedData;
-  UINT8            *Temp;
+  CONST UINT8      *Temp;
   UINTN            SignedDataSize;
   BOOLEAN          Wrapped;
   STACK_OF(X509)   *Stack;
@@ -359,7 +359,7 @@ Pkcs7GetSigners (
       (TrustedCert == NULL) || (CertLength == NULL) || (P7Length > INT_MAX)) {
     return FALSE;
   }
-  
+
   Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
   if (!Status) {
     return Status;
@@ -410,7 +410,7 @@ Pkcs7GetSigners (
   //
   BufferSize = sizeof (UINT8);
   OldSize    = BufferSize;
-  
+
   for (Index = 0; ; Index++) {
     Status = X509PopCertificate (Stack, &SingleCert, &SingleCertSize);
     if (!Status) {
@@ -455,7 +455,7 @@ Pkcs7GetSigners (
     *CertStack   = CertBuf;
     *StackLength = BufferSize;
     Status = TRUE;
-  } 
+  }
 
 _Exit:
   //
@@ -485,7 +485,7 @@ _Exit:
   if (OldBuf != NULL) {
     free (OldBuf);
   }
-  
+
   return Status;
 }
 
@@ -549,18 +549,18 @@ Pkcs7Verify (
   X509        *Cert;
   X509_STORE  *CertStore;
   UINT8       *SignedData;
-  UINT8       *Temp;
+  CONST UINT8 *Temp;
   UINTN       SignedDataSize;
   BOOLEAN     Wrapped;
 
   //
   // Check input parameters.
   //
-  if (P7Data == NULL || TrustedCert == NULL || InData == NULL || 
+  if (P7Data == NULL || TrustedCert == NULL || InData == NULL ||
     P7Length > INT_MAX || CertLength > INT_MAX || DataLength > INT_MAX) {
     return FALSE;
   }
-  
+
   Pkcs7     = NULL;
   DataBio   = NULL;
   Cert      = NULL;
@@ -578,18 +578,23 @@ Pkcs7Verify (
   if (EVP_add_digest (EVP_sha256 ()) == 0) {
     return FALSE;
   }
+  if (EVP_add_digest (EVP_sha384 ()) == 0) {
+    return FALSE;
+  }
+  if (EVP_add_digest (EVP_sha512 ()) == 0) {
+    return FALSE;
+  }
   if (EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA) == 0) {
     return FALSE;
   }
 
-
   Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
   if (!Status) {
     return Status;
   }
 
   Status = FALSE;
-  
+
   //
   // Retrieve PKCS#7 Data (DER encoding)
   //
@@ -613,7 +618,8 @@ Pkcs7Verify (
   //
   // Read DER-encoded root certificate and Construct X509 Certificate
   //
-  Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);
+  Temp = TrustedCert;
+  Cert = d2i_X509 (NULL, &Temp, (long) CertLength);
   if (Cert == NULL) {
     goto _Exit;
   }
@@ -675,3 +681,114 @@ _Exit:
 
   return Status;
 }
+
+/**
+  Extracts the attached content from a PKCS#7 signed data if existed. The input signed
+  data could be wrapped in a ContentInfo structure.
+
+  If P7Data, Content, or ContentSize is NULL, then return FALSE. If P7Length overflow,
+  then return FAlSE. If the P7Data is not correctly formatted, then return FALSE.
+
+  Caution: This function may receive untrusted input. So this function will do
+           basic check for PKCS#7 data structure.
+
+  @param[in]   P7Data       Pointer to the PKCS#7 signed data to process.
+  @param[in]   P7Length     Length of the PKCS#7 signed data in bytes.
+  @param[out]  Content      Pointer to the extracted content from the PKCS#7 signedData.
+                            It's caller's responsiblity to free the buffer.
+  @param[out]  ContentSize  The size of the extracted content in bytes.
+
+  @retval     TRUE          The P7Data was correctly formatted for processing.
+  @retval     FALSE         The P7Data was not correctly formatted for processing.
+
+*/
+BOOLEAN
+EFIAPI
+Pkcs7GetAttachedContent (
+  IN  CONST UINT8  *P7Data,
+  IN  UINTN        P7Length,
+  OUT VOID         **Content,
+  OUT UINTN        *ContentSize
+  )
+{
+  BOOLEAN            Status;
+  PKCS7              *Pkcs7;
+  UINT8              *SignedData;
+  UINTN              SignedDataSize;
+  BOOLEAN            Wrapped;
+  CONST UINT8        *Temp;
+  ASN1_OCTET_STRING  *OctStr;
+
+  //
+  // Check input parameter.
+  //
+  if ((P7Data == NULL) || (P7Length > INT_MAX) || (Content == NULL) || (ContentSize == NULL)) {
+    return FALSE;
+  }
+
+  *Content   = NULL;
+  Pkcs7      = NULL;
+  SignedData = NULL;
+  OctStr     = NULL;
+
+  Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
+  if (!Status || (SignedDataSize > INT_MAX)) {
+    goto _Exit;
+  }
+
+  Status = FALSE;
+
+  //
+  // Decoding PKCS#7 SignedData
+  //
+  Temp  = SignedData;
+  Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (int)SignedDataSize);
+  if (Pkcs7 == NULL) {
+    goto _Exit;
+  }
+
+  //
+  // The type of Pkcs7 must be signedData
+  //
+  if (!PKCS7_type_is_signed (Pkcs7)) {
+    goto _Exit;
+  }
+
+  //
+  // Check for detached or attached content
+  //
+  if (PKCS7_get_detached (Pkcs7)) {
+    //
+    // No Content supplied for PKCS7 detached signedData
+    //
+    *Content     = NULL;
+    *ContentSize = 0;
+  } else {
+    //
+    // Retrieve the attached content in PKCS7 signedData
+    //
+    OctStr = Pkcs7->d.sign->contents->d.data;
+    if ((OctStr->length > 0) && (OctStr->data != NULL)) {
+      *ContentSize = OctStr->length;
+      *Content     = malloc (*ContentSize);
+      if (*Content == NULL) {
+        *ContentSize = 0;
+        goto _Exit;
+      }
+      CopyMem (*Content, OctStr->data, *ContentSize);
+    }
+  }
+  Status = TRUE;
+
+_Exit:
+  //
+  // Release Resources
+  //
+  PKCS7_free (Pkcs7);
+
+  if (!Wrapped) {
+    OPENSSL_free (SignedData);
+  }
+
+  return Status;
+}