From 1463ce18ca7c4f971c08cc6341dbb0adb25c831a Mon Sep 17 00:00:00 2001 From: Qin Long Date: Tue, 16 Jun 2015 00:54:16 +0000 Subject: CryptoPkg: Wrapper files updates to support openssl-1.0.2c This patch updates some support header and wrapper files to support openssl-1.0.2c build, and correct some openssl API usages and boundary check. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long Reviewed-by: Ard Biesheuvel git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17635 6f19259b-4bc3-4df7-8a09-765794883524 --- CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 6 ++++-- CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c | 10 +++++----- CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 11 ++++++----- CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 12 ++++++++---- CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +++++++++++++----- 5 files changed, 36 insertions(+), 21 deletions(-) (limited to 'CryptoPkg/Library/BaseCryptLib/Pk') diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c index 4ce2b06b16..9e933558e6 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c @@ -9,7 +9,7 @@ AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check for data structure. -Copyright (c) 2011 - 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -72,6 +72,7 @@ AuthenticodeVerify ( { BOOLEAN Status; PKCS7 *Pkcs7; + CONST UINT8 *Temp; CONST UINT8 *OrigAuthData; UINT8 *SpcIndirectDataContent; UINT8 Asn1Byte; @@ -96,7 +97,8 @@ AuthenticodeVerify ( // // Retrieve & Parse PKCS#7 Data (DER encoding) from Authenticode Signature // - Pkcs7 = d2i_PKCS7 (NULL, &AuthData, (int)DataSize); + Temp = AuthData; + Pkcs7 = d2i_PKCS7 (NULL, &Temp, (int)DataSize); if (Pkcs7 == NULL) { goto _Exit; } diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c index 63fe78fc86..704eb4ec94 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c @@ -1,7 +1,7 @@ /** @file PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL. -Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
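Review bot: The `(int)DataSize` cast in `d2i_PKCS7 (NULL, &Temp, (int)DataSize)` silently truncates a `DataSize` above `INT_MAX` (assuming it is a UINTN, as the cast suggests), and no bound on it is visible in this hunk. This commit adds a `CertSize > INT_MAX` guard to X509GetTBSCert only, while the same narrowing casts sit on the `d2i_X509`/`d2i_PKCS7` calls touched in Pkcs7Verify, TimestampTokenVerify, ImageTimestampVerify and X509ConstructCertificate. If the parameter checks outside these hunks do not already reject oversized inputs, add `if (DataSize > INT_MAX) { goto _Exit; }` before the call here and the equivalent check at the other sites. AuthenticodeVerify's body starts and ends outside the hunk.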
+Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -116,9 +116,9 @@ Pkcs7Sign ( if (Key == NULL) { goto _Exit; } - Key->save_type = EVP_PKEY_RSA; - Key->type = EVP_PKEY_type (EVP_PKEY_RSA); - Key->pkey.rsa = (RSA *) RsaContext; + if (EVP_PKEY_assign_RSA (Key, (RSA *) RsaContext) == 0) { + goto _Exit; + } // // Convert the data to be signed to BIO format. @@ -175,7 +175,7 @@ Pkcs7Sign ( } CopyMem (*SignedData, P7Data + 19, *SignedDataSize); - + OPENSSL_free (P7Data); Status = TRUE; diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c index a9665d5047..a1bab8a0ce 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c @@ -10,7 +10,7 @@ WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated Variable and will do basic check for data structure. -Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
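Review bot: `EVP_PKEY_assign_RSA (Key, (RSA *) RsaContext)` in Pkcs7Sign hands ownership of the RSA object to `Key`, so a later `EVP_PKEY_free (Key)` also releases `RsaContext`. The `_Exit` cleanup is outside this hunk; if it frees both `RsaContext` and `Key`, the private key is freed twice. Please confirm the key is released exactly once on both the success and the failure branch, including the case where the assign call itself fails and ownership stays with the caller. A comment beside the call, such as `// Key owns RsaContext after a successful assign; _Exit must free it only once.`, would record this for the next maintainer.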
+Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -273,7 +273,7 @@ X509PopCertificate ( goto _Exit; } - Length = ((BUF_MEM *) CertBio->ptr)->length; + Length = (INT32)(((BUF_MEM *) CertBio->ptr)->length); if (Length <= 0) { goto _Exit; } @@ -343,7 +343,7 @@ Pkcs7GetSigners ( PKCS7 *Pkcs7; BOOLEAN Status; UINT8 *SignedData; - UINT8 *Temp; + CONST UINT8 *Temp; UINTN SignedDataSize; BOOLEAN Wrapped; STACK_OF(X509) *Stack; @@ -549,7 +549,7 @@ Pkcs7Verify ( X509 *Cert; X509_STORE *CertStore; UINT8 *SignedData; - UINT8 *Temp; + CONST UINT8 *Temp; UINTN SignedDataSize; BOOLEAN Wrapped; @@ -618,7 +618,8 @@ Pkcs7Verify ( // // Read DER-encoded root certificate and Construct X509 Certificate // - Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength); + Temp = TrustedCert; + Cert = d2i_X509 (NULL, &Temp, (long) CertLength); if (Cert == NULL) { goto _Exit; } diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c index e4b5a8497f..7d269b0458 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c @@ -5,7 +5,7 @@ the lifetime of the signature when a signing certificate expires or is later revoked. -Copyright (c) 2014, Intel Corporation. All rights reserved.
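Review bot: The added `(INT32)` cast in X509PopCertificate narrows the BIO buffer length before the `Length <= 0` test, so if the field is wider than INT32 (which the need for a cast suggests) an oversized length wraps instead of being rejected, and the wrapped value can still be positive. Compare the unconverted length first, e.g. `if (((BUF_MEM *) CertBio->ptr)->length > INT_MAX) { goto _Exit; }`, and cast only afterwards. How `Length` is used after the check is outside the hunk, so the impact depends on that code.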
+Copyright (c) 2014 - 2015, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -441,11 +441,12 @@ TimestampTokenVerify ( CONST UINT8 *TokenTemp; PKCS7 *Pkcs7; X509 *Cert; + CONST UINT8 *CertTemp; X509_STORE *CertStore; BIO *OutBio; UINT8 *TstData; UINTN TstSize; - UINT8 *TstTemp; + CONST UINT8 *TstTemp; TS_TST_INFO *TstInfo; Status = FALSE; @@ -490,7 +491,8 @@ TimestampTokenVerify ( // // Read the trusted TSA certificate (DER-encoded), and Construct X509 Certificate. // - Cert = d2i_X509 (NULL, &TsaCert, (long) CertSize); + CertTemp = TsaCert; + Cert = d2i_X509 (NULL, &CertTemp, (long) CertSize); if (Cert == NULL) { goto _Exit; } @@ -605,6 +607,7 @@ ImageTimestampVerify ( { BOOLEAN Status; PKCS7 *Pkcs7; + CONST UINT8 *Temp; STACK_OF(PKCS7_SIGNER_INFO) *SignerInfos; PKCS7_SIGNER_INFO *SignInfo; UINTN Index; @@ -644,7 +647,8 @@ ImageTimestampVerify ( // // Decode ASN.1-encoded Authenticode data into PKCS7 structure. // - Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &AuthData, (int) DataSize); + Temp = AuthData; + Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) DataSize); if (Pkcs7 == NULL) { goto _Exit; } diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c index 29efc42b02..02851d5701 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -1,7 +1,7 @@ /** @file X.509 Certificate Handler Wrapper Implementation over OpenSSL. -Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.
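Review bot: In ImageTimestampVerify the `(const unsigned char **)` cast on `&Temp` is no longer needed now that `Temp` is declared `CONST UINT8 *`; the other d2i call sites changed in this commit pass `&Temp` or `&CertTemp` without a cast. Dropping it, `Pkcs7 = d2i_PKCS7 (NULL, &Temp, (int) DataSize);`, keeps the call sites consistent and lets the compiler flag a future type mismatch that the cast would hide. The function body extends beyond the hunk.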
+Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -38,7 +38,8 @@ X509ConstructCertificate ( OUT UINT8 **SingleX509Cert ) { - X509 *X509Cert; + X509 *X509Cert; + CONST UINT8 *Temp; // // Check input parameters. @@ -50,7 +51,8 @@ X509ConstructCertificate ( // // Read DER-encoded X509 Certificate and Construct X509 object. // - X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize); + Temp = Cert; + X509Cert = d2i_X509 (NULL, &Temp, (long) CertSize); if (X509Cert == NULL) { return FALSE; } @@ -123,6 +125,9 @@ X509ConstructCertificateStack ( } CertSize = VA_ARG (Args, UINTN); + if (CertSize == 0) { + break; + } // // Construct X509 Object from the given DER-encoded certificate data. @@ -133,7 +138,9 @@ X509ConstructCertificateStack ( (UINT8 **) &X509Cert ); if (!Status) { - X509_free (X509Cert); + if (X509Cert != NULL) { + X509_free (X509Cert); + } break; } @@ -518,7 +525,8 @@ X509GetTBSCert ( // // Check input parameters. // - if ((Cert == NULL) || (TBSCert == NULL) || (TBSCertSize == NULL)) { + if ((Cert == NULL) || (TBSCert == NULL) || + (TBSCertSize == NULL) || (CertSize > INT_MAX)) { return FALSE; } -- cgit v1.2.3
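Review bot: The new `if (CertSize == 0) { break; }` in X509ConstructCertificateStack treats a zero-length entry like the end of the argument list and leaves `Status` unchanged. If `Status` still holds TRUE from the previous iteration when the loop exits (the return path is outside this hunk), a malformed entry in the middle of the list would produce a successful return with a silently shortened certificate stack. Unless a zero size is a documented terminator, fail explicitly: `if (CertSize == 0) { Status = FALSE; break; }`.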
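Review bot: The added `X509Cert != NULL` guard in X509ConstructCertificateStack only helps if `X509Cert` is NULL whenever X509ConstructCertificate fails without writing its output, and no reset before the call is visible in this hunk. On a second or later iteration the variable may still hold the certificate from the previous pass, which has presumably already been pushed onto the stack, so freeing it here would leave the stack with a dangling entry. Setting `X509Cert = NULL;` immediately before the `Status = X509ConstructCertificate (` call makes the failure path safe. The loop body starts outside the hunk.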