diff options
Diffstat (limited to 'CryptoPkg/Library/BaseCryptLib/Pk')
| -rw-r--r-- | CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c | 82 | ||||
| -rw-r--r-- | CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 20 | ||||
| -rw-r--r-- | CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 17 | ||||
| -rw-r--r-- | CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c | 36 | ||||
| -rw-r--r-- | CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c | 60 | ||||
| -rw-r--r-- | CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 55 |
6 files changed, 213 insertions, 57 deletions
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c index 30792d27ca..942b3d103e 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c @@ -91,7 +91,7 @@ DhGenerateParameter ( //
// Check input parameters.
//
- if (DhContext == NULL || Prime == NULL) {
+ if (DhContext == NULL || Prime == NULL || PrimeLength > INT_MAX) {
return FALSE;
}
@@ -139,12 +139,13 @@ DhSetParameter ( IN CONST UINT8 *Prime
)
{
- DH *Dh;
+ DH *Dh;
+ BIGNUM *Bn;
//
// Check input parameters.
//
- if (DhContext == NULL || Prime == NULL) {
+ if (DhContext == NULL || Prime == NULL || PrimeLength > INT_MAX) {
return FALSE;
}
@@ -152,14 +153,46 @@ DhSetParameter ( return FALSE;
}
+ Bn = NULL;
+
Dh = (DH *) DhContext;
- Dh->p = BN_new();
- Dh->g = BN_new();
+ Dh->g = NULL;
+ Dh->p = BN_new ();
+ if (Dh->p == NULL) {
+ goto Error;
+ }
+
+ Dh->g = BN_new ();
+ if (Dh->g == NULL) {
+ goto Error;
+ }
- BN_bin2bn (Prime, (UINT32) (PrimeLength / 8), Dh->p);
- BN_set_word (Dh->g, (UINT32) Generator);
+ Bn = BN_bin2bn (Prime, (UINT32) (PrimeLength / 8), Dh->p);
+ if (Bn == NULL) {
+ goto Error;
+ }
+
+ if (BN_set_word (Dh->g, (UINT32) Generator) == 0) {
+ goto Error;
+ }
return TRUE;
+
+Error:
+
+ if (Dh->p != NULL) {
+ BN_free (Dh->p);
+ }
+
+ if (Dh->g != NULL) {
+ BN_free (Dh->g);
+ }
+
+ if (Bn != NULL) {
+ BN_free (Bn);
+ }
+
+ return FALSE;
}
/**
@@ -194,6 +227,7 @@ DhGenerateKey ( {
BOOLEAN RetVal;
DH *Dh;
+ INTN Size;
//
// Check input parameters.
@@ -207,12 +241,17 @@ DhGenerateKey ( }
Dh = (DH *) DhContext;
- *PublicKeySize = 0;
RetVal = (BOOLEAN) DH_generate_key (DhContext);
if (RetVal) {
+ Size = BN_num_bytes (Dh->pub_key);
+ if ((Size > 0) && (*PublicKeySize < (UINTN) Size)) {
+ *PublicKeySize = Size;
+ return FALSE;
+ }
+
BN_bn2bin (Dh->pub_key, PublicKey);
- *PublicKeySize = BN_num_bytes (Dh->pub_key);
+ *PublicKeySize = Size;
}
return RetVal;
@@ -227,7 +266,8 @@ DhGenerateKey ( If DhContext is NULL, then return FALSE.
If PeerPublicKey is NULL, then return FALSE.
If KeySize is NULL, then return FALSE.
- If KeySize is large enough but Key is NULL, then return FALSE.
+ If Key is NULL, then return FALSE.
+ If KeySize is not large enough, then return FALSE.
@param[in, out] DhContext Pointer to the DH context.
@param[in] PeerPublicKey Pointer to the peer's public key.
@@ -252,23 +292,37 @@ DhComputeKey ( )
{
BIGNUM *Bn;
+ INTN Size;
//
// Check input parameters.
//
- if (DhContext == NULL || PeerPublicKey == NULL || KeySize == NULL) {
+ if (DhContext == NULL || PeerPublicKey == NULL || KeySize == NULL || Key == NULL) {
return FALSE;
}
- if (Key == NULL && *KeySize != 0) {
+ if (PeerPublicKeySize > INT_MAX) {
return FALSE;
}
Bn = BN_bin2bn (PeerPublicKey, (UINT32) PeerPublicKeySize, NULL);
+ if (Bn == NULL) {
+ return FALSE;
+ }
- *KeySize = (BOOLEAN) DH_compute_key (Key, Bn, DhContext);
+ Size = DH_compute_key (Key, Bn, DhContext);
+ if (Size < 0) {
+ BN_free (Bn);
+ return FALSE;
+ }
- BN_free (Bn);
+ if (*KeySize < (UINTN) Size) {
+ *KeySize = Size;
+ BN_free (Bn);
+ return FALSE;
+ }
+ *KeySize = Size;
+ BN_free (Bn);
return TRUE;
}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c index 11472ebf3b..25865910f6 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c @@ -92,12 +92,21 @@ Pkcs7Sign ( return Status;
}
+ Status = FALSE;
+
//
// Register & Initialize necessary digest algorithms and PRNG for PKCS#7 Handling
//
- EVP_add_digest (EVP_md5());
- EVP_add_digest (EVP_sha1());
- EVP_add_digest (EVP_sha256());
+ if (EVP_add_digest (EVP_md5 ()) == 0) {
+ goto _Exit;
+ }
+ if (EVP_add_digest (EVP_sha1 ()) == 0) {
+ goto _Exit;
+ }
+ if (EVP_add_digest (EVP_sha256 ()) == 0) {
+ goto _Exit;
+ }
+
RandomSeed (NULL, 0);
//
@@ -105,7 +114,6 @@ Pkcs7Sign ( //
Key = EVP_PKEY_new ();
if (Key == NULL) {
- Status = FALSE;
goto _Exit;
}
Key->save_type = EVP_PKEY_RSA;
@@ -129,7 +137,6 @@ Pkcs7Sign ( PKCS7_BINARY | PKCS7_NOATTR | PKCS7_DETACHED
);
if (Pkcs7 == NULL) {
- Status = FALSE;
goto _Exit;
}
@@ -138,13 +145,11 @@ Pkcs7Sign ( //
P7DataSize = i2d_PKCS7 (Pkcs7, NULL);
if (P7DataSize <= 19) {
- Status = FALSE;
goto _Exit;
}
P7Data = malloc (P7DataSize);
if (P7Data == NULL) {
- Status = FALSE;
goto _Exit;
}
@@ -158,7 +163,6 @@ Pkcs7Sign ( *SignedDataSize = P7DataSize - 19;
*SignedData = malloc (*SignedDataSize);
if (*SignedData == NULL) {
- Status = FALSE;
OPENSSL_free (P7Data);
goto _Exit;
}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c index 24f4c031d5..2e72f892cb 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c @@ -485,10 +485,19 @@ Pkcs7Verify ( //
// Register & Initialize necessary digest algorithms for PKCS#7 Handling
//
- EVP_add_digest (EVP_md5());
- EVP_add_digest (EVP_sha1());
- EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA);
- EVP_add_digest (EVP_sha256());
+ if (EVP_add_digest (EVP_md5 ()) == 0) {
+ return FALSE;
+ }
+ if (EVP_add_digest (EVP_sha1 ()) == 0) {
+ return FALSE;
+ }
+ if (EVP_add_digest (EVP_sha256 ()) == 0) {
+ return FALSE;
+ }
+ if (EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA) == 0) {
+ return FALSE;
+ }
+
Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
if (!Status) {
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c index d828cb4b3f..76754b4a72 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c @@ -97,7 +97,7 @@ RsaSetKey ( //
// Check input parameters.
//
- if (RsaContext == NULL) {
+ if (RsaContext == NULL || BnSize > INT_MAX) {
return FALSE;
}
@@ -121,6 +121,10 @@ RsaSetKey ( break;
}
RsaKey->n = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->n);
+ if (RsaKey->n == NULL) {
+ return FALSE;
+ }
+
break;
//
@@ -135,6 +139,10 @@ RsaSetKey ( break;
}
RsaKey->e = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->e);
+ if (RsaKey->e == NULL) {
+ return FALSE;
+ }
+
break;
//
@@ -149,6 +157,10 @@ RsaSetKey ( break;
}
RsaKey->d = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->d);
+ if (RsaKey->d == NULL) {
+ return FALSE;
+ }
+
break;
//
@@ -163,6 +175,10 @@ RsaSetKey ( break;
}
RsaKey->p = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->p);
+ if (RsaKey->p == NULL) {
+ return FALSE;
+ }
+
break;
//
@@ -177,6 +193,10 @@ RsaSetKey ( break;
}
RsaKey->q = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->q);
+ if (RsaKey->q == NULL) {
+ return FALSE;
+ }
+
break;
//
@@ -191,6 +211,10 @@ RsaSetKey ( break;
}
RsaKey->dmp1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmp1);
+ if (RsaKey->dmp1 == NULL) {
+ return FALSE;
+ }
+
break;
//
@@ -205,6 +229,10 @@ RsaSetKey ( break;
}
RsaKey->dmq1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmq1);
+ if (RsaKey->dmq1 == NULL) {
+ return FALSE;
+ }
+
break;
//
@@ -219,6 +247,10 @@ RsaSetKey ( break;
}
RsaKey->iqmp = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->iqmp);
+ if (RsaKey->iqmp == NULL) {
+ return FALSE;
+ }
+
break;
default:
@@ -262,7 +294,7 @@ RsaPkcs1Verify ( //
// Check input parameters.
//
- if (RsaContext == NULL || MessageHash == NULL || Signature == NULL) {
+ if (RsaContext == NULL || MessageHash == NULL || Signature == NULL || SigSize > INT_MAX) {
return FALSE;
}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c index 67d8826e6c..b4faafa0c3 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c @@ -231,22 +231,32 @@ RsaGenerateKey ( //
// Check input parameters.
//
- if (RsaContext == NULL) {
+ if (RsaContext == NULL || ModulusLength > INT_MAX || PublicExponentSize > INT_MAX) {
return FALSE;
}
KeyE = BN_new ();
+ if (KeyE == NULL) {
+ return FALSE;
+ }
+
+ RetVal = FALSE;
+
if (PublicExponent == NULL) {
- BN_set_word (KeyE, 0x10001);
+ if (BN_set_word (KeyE, 0x10001) == 0) {
+ goto _Exit;
+ }
} else {
- BN_bin2bn (PublicExponent, (UINT32) PublicExponentSize, KeyE);
+ if (BN_bin2bn (PublicExponent, (UINT32) PublicExponentSize, KeyE) == NULL) {
+ goto _Exit;
+ }
}
- RetVal = FALSE;
if (RSA_generate_key_ex ((RSA *) RsaContext, (UINT32) ModulusLength, KeyE, NULL) == 1) {
RetVal = TRUE;
}
+_Exit:
BN_free (KeyE);
return RetVal;
}
@@ -299,18 +309,24 @@ RsaCheckKey ( /**
Performs the PKCS1-v1_5 encoding methods defined in RSA PKCS #1.
- @param Message Message buffer to be encoded.
- @param MessageSize Size of message buffer in bytes.
- @param DigestInfo Pointer to buffer of digest info for output.
+ @param[in] Message Message buffer to be encoded.
+ @param[in] MessageSize Size of message buffer in bytes.
+ @param[out] DigestInfo Pointer to buffer of digest info for output.
+ @param[in,out] DigestInfoSize On input, the size of DigestInfo buffer in bytes.
+ On output, the size of data returned in DigestInfo
+ buffer in bytes.
- @return Size of DigestInfo in bytes.
+ @retval TRUE PKCS1-v1_5 encoding finished successfully.
+ @retval FALSE Any input parameter is invalid.
+ @retval FALSE DigestInfo buffer is not large enough.
**/
-UINTN
+BOOLEAN
DigestInfoEncoding (
- IN CONST UINT8 *Message,
- IN UINTN MessageSize,
- OUT UINT8 *DigestInfo
+ IN CONST UINT8 *Message,
+ IN UINTN MessageSize,
+ OUT UINT8 *DigestInfo,
+ IN OUT UINTN *DigestInfoSize
)
{
CONST UINT8 *HashDer;
@@ -319,7 +335,7 @@ DigestInfoEncoding ( //
// Check input parameters.
//
- if (Message == NULL || DigestInfo == NULL) {
+ if (Message == NULL || DigestInfo == NULL || DigestInfoSize == NULL) {
return FALSE;
}
@@ -347,10 +363,16 @@ DigestInfoEncoding ( return FALSE;
}
+ if (*DigestInfoSize < DerSize + MessageSize) {
+ *DigestInfoSize = DerSize + MessageSize;
+ return FALSE;
+ }
+
CopyMem (DigestInfo, HashDer, DerSize);
CopyMem (DigestInfo + DerSize, Message, MessageSize);
- return (DerSize + MessageSize);
+ *DigestInfoSize = DerSize + MessageSize;
+ return TRUE;
}
/**
@@ -412,21 +434,23 @@ RsaPkcs1Sign ( return FALSE;
}
- Size = DigestInfoEncoding (MessageHash, HashSize, Signature);
+ if (!DigestInfoEncoding (MessageHash, HashSize, Signature, SigSize)) {
+ return FALSE;
+ }
ReturnVal = RSA_private_encrypt (
- (UINT32) Size,
+ (UINT32) *SigSize,
Signature,
Signature,
Rsa,
RSA_PKCS1_PADDING
);
- if (ReturnVal < (INTN) Size) {
+ if (ReturnVal < (INTN) *SigSize) {
return FALSE;
}
- *SigSize = (UINTN)ReturnVal;
+ *SigSize = (UINTN) ReturnVal;
return TRUE;
}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c index f90600473a..f0a5d0ac7f 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -346,7 +346,6 @@ X509GetSubjectName ( return FALSE;
}
- Status = FALSE;
X509Cert = NULL;
//
@@ -354,13 +353,20 @@ X509GetSubjectName ( //
Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert);
if ((X509Cert == NULL) || (!Status)) {
+ Status = FALSE;
goto _Exit;
}
+ Status = FALSE;
+
//
// Retrieve subject name from certificate object.
//
X509Name = X509_get_subject_name (X509Cert);
+ if (X509Name == NULL) {
+ goto _Exit;
+ }
+
if (*SubjectSize < (UINTN) X509Name->bytes->length) {
*SubjectSize = (UINTN) X509Name->bytes->length;
goto _Exit;
@@ -375,7 +381,9 @@ _Exit: //
// Release Resources.
//
- X509_free (X509Cert);
+ if (X509Cert != NULL) {
+ X509_free (X509Cert);
+ }
return Status;
}
@@ -415,7 +423,6 @@ RsaGetPublicKeyFromX509 ( return FALSE;
}
- Status = FALSE;
Pkey = NULL;
X509Cert = NULL;
@@ -424,9 +431,12 @@ RsaGetPublicKeyFromX509 ( //
Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert);
if ((X509Cert == NULL) || (!Status)) {
+ Status = FALSE;
goto _Exit;
}
+ Status = FALSE;
+
//
// Retrieve and check EVP_PKEY data from X509 Certificate.
//
@@ -446,8 +456,13 @@ _Exit: //
// Release Resources.
//
- X509_free (X509Cert);
- EVP_PKEY_free (Pkey);
+ if (X509Cert != NULL) {
+ X509_free (X509Cert);
+ }
+
+ if (Pkey != NULL) {
+ EVP_PKEY_free (Pkey);
+ }
return Status;
}
@@ -498,15 +513,22 @@ X509VerifyCert ( //
// Register & Initialize necessary digest algorithms for certificate verification.
//
- EVP_add_digest (EVP_md5());
- EVP_add_digest (EVP_sha1());
- EVP_add_digest (EVP_sha256());
+ if (EVP_add_digest (EVP_md5 ()) == 0) {
+ goto _Exit;
+ }
+ if (EVP_add_digest (EVP_sha1 ()) == 0) {
+ goto _Exit;
+ }
+ if (EVP_add_digest (EVP_sha256 ()) == 0) {
+ goto _Exit;
+ }
//
// Read DER-encoded certificate to be verified and Construct X509 object.
//
Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert);
if ((X509Cert == NULL) || (!Status)) {
+ Status = FALSE;
goto _Exit;
}
@@ -515,9 +537,12 @@ X509VerifyCert ( //
Status = X509ConstructCertificate (CACert, CACertSize, (UINT8 **) &X509CACert);
if ((X509CACert == NULL) || (!Status)) {
+ Status = FALSE;
goto _Exit;
}
+ Status = FALSE;
+
//
// Set up X509 Store for trusted certificate.
//
@@ -546,9 +571,17 @@ _Exit: //
// Release Resources.
//
- X509_free (X509Cert);
- X509_free (X509CACert);
- X509_STORE_free (CertStore);
+ if (X509Cert != NULL) {
+ X509_free (X509Cert);
+ }
+
+ if (X509CACert != NULL) {
+ X509_free (X509CACert);
+ }
+ if (CertStore != NULL) {
+ X509_STORE_free (CertStore);
+ }
+
return Status;
}
|