Revision: 14319
http://edk2.svn.sourceforge.net/edk2/?rev=14319&view=rev
Author: vanjeff
Date: 2013-04-27 08:49:32 +0000 (Sat, 27 Apr 2013)
Log Message:
-----------
Sync patches r13958, r14026 and r14309 from main trunk.
1. Fix issue that RsaPkcs1Verify() may not work in PEI phase.
2. Enable the whole X509v3 extension checking.
3. Replace d2i_X509_bio with d2i_X509.
4. The openssl API RSA_public_decrypt() and RSA_private_encrypt() are
deprecated, use RSA_sign(), RSA_verify() instead.
Revision Links:
--------------
http://edk2.svn.sourceforge.net/edk2/?rev=13958&view=rev
http://edk2.svn.sourceforge.net/edk2/?rev=14026&view=rev
http://edk2.svn.sourceforge.net/edk2/?rev=14309&view=rev
Modified Paths:
--------------
branches/UDK2010.SR1/CryptoPkg/CryptRuntimeDxe/CryptRuntime.c
branches/UDK2010.SR1/CryptoPkg/CryptRuntimeDxe/CryptRuntime.h
branches/UDK2010.SR1/CryptoPkg/Include/Library/BaseCryptLib.h
branches/UDK2010.SR1/CryptoPkg/Include/Protocol/RuntimeCrypt.h
branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/RuntimeDxeIpfCryptLib.c
branches/UDK2010.SR1/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
Modified: branches/UDK2010.SR1/CryptoPkg/CryptRuntimeDxe/CryptRuntime.c
===================================================================
--- branches/UDK2010.SR1/CryptoPkg/CryptRuntimeDxe/CryptRuntime.c
2013-04-27 02:03:58 UTC (rev 14318)
+++ branches/UDK2010.SR1/CryptoPkg/CryptRuntimeDxe/CryptRuntime.c
2013-04-27 08:49:32 UTC (rev 14319)
@@ -205,7 +205,7 @@
IN VOID *RsaContext,
IN CONST UINT8 *MessageHash,
IN UINTN HashLength,
- IN UINT8 *Signature,
+ IN CONST UINT8 *Signature,
IN UINTN SigLength
)
{
Modified: branches/UDK2010.SR1/CryptoPkg/CryptRuntimeDxe/CryptRuntime.h
===================================================================
--- branches/UDK2010.SR1/CryptoPkg/CryptRuntimeDxe/CryptRuntime.h
2013-04-27 02:03:58 UTC (rev 14318)
+++ branches/UDK2010.SR1/CryptoPkg/CryptRuntimeDxe/CryptRuntime.h
2013-04-27 08:49:32 UTC (rev 14319)
@@ -179,7 +179,7 @@
IN VOID *RsaContext,
IN CONST UINT8 *MessageHash,
IN UINTN HashLength,
- IN UINT8 *Signature,
+ IN CONST UINT8 *Signature,
IN UINTN SigLength
);
Modified: branches/UDK2010.SR1/CryptoPkg/Include/Library/BaseCryptLib.h
===================================================================
--- branches/UDK2010.SR1/CryptoPkg/Include/Library/BaseCryptLib.h
2013-04-27 02:03:58 UTC (rev 14318)
+++ branches/UDK2010.SR1/CryptoPkg/Include/Library/BaseCryptLib.h
2013-04-27 08:49:32 UTC (rev 14319)
@@ -1498,7 +1498,7 @@
IN VOID *RsaContext,
IN CONST UINT8 *MessageHash,
IN UINTN HashSize,
- IN UINT8 *Signature,
+ IN CONST UINT8 *Signature,
IN UINTN SigSize
);
Modified: branches/UDK2010.SR1/CryptoPkg/Include/Protocol/RuntimeCrypt.h
===================================================================
--- branches/UDK2010.SR1/CryptoPkg/Include/Protocol/RuntimeCrypt.h
2013-04-27 02:03:58 UTC (rev 14318)
+++ branches/UDK2010.SR1/CryptoPkg/Include/Protocol/RuntimeCrypt.h
2013-04-27 08:49:32 UTC (rev 14319)
@@ -181,7 +181,7 @@
IN VOID *RsaContext,
IN CONST UINT8 *MessageHash,
IN UINTN HashLength,
- IN UINT8 *Signature,
+ IN CONST UINT8 *Signature,
IN UINTN SigLength
);
Modified:
branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
===================================================================
--- branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
2013-04-27 02:03:58 UTC (rev 14318)
+++ branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
2013-04-27 08:49:32 UTC (rev 14319)
@@ -25,6 +25,7 @@
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include <openssl/x509v3.h>
#include <openssl/pkcs7.h>
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
@@ -543,7 +544,6 @@
)
{
PKCS7 *Pkcs7;
- BIO *CertBio;
BIO *DataBio;
BOOLEAN Status;
X509 *Cert;
@@ -562,7 +562,6 @@
}
Pkcs7 = NULL;
- CertBio = NULL;
DataBio = NULL;
Cert = NULL;
CertStore = NULL;
@@ -614,12 +613,7 @@
//
// Read DER-encoded root certificate and Construct X509 Certificate
//
- CertBio = BIO_new (BIO_s_mem ());
- BIO_write (CertBio, TrustedCert, (int)CertLength);
- if (CertBio == NULL) {
- goto _Exit;
- }
- Cert = d2i_X509_bio (CertBio, NULL);
+ Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);
if (Cert == NULL) {
goto _Exit;
}
@@ -649,6 +643,13 @@
BIO_write (DataBio, InData, (int)DataLength);
//
+ // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and
+ // doesn't support the extended key usage for Authenticode Code Signing.
+ // Bypass the certificate purpose checking by enabling any purposes setting.
+ //
+ X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
+
+ //
// Verifies the PKCS#7 signedData structure
//
Status = (BOOLEAN) PKCS7_verify (Pkcs7, NULL, CertStore, DataBio, NULL,
PKCS7_BINARY);
@@ -658,7 +659,6 @@
// Release Resources
//
BIO_free (DataBio);
- BIO_free (CertBio);
X509_free (Cert);
X509_STORE_free (CertStore);
PKCS7_free (Pkcs7);
Modified: branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
===================================================================
--- branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
2013-04-27 02:03:58 UTC (rev 14318)
+++ branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
2013-04-27 08:49:32 UTC (rev 14319)
@@ -7,7 +7,7 @@
3) RsaSetKey
4) RsaPkcs1Verify
-Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD
License
which accompanies this distribution. The full text of the license may be
found at
@@ -21,9 +21,8 @@
#include "InternalCryptLib.h"
#include <openssl/rsa.h>
-#include <openssl/err.h>
+#include <openssl/objects.h>
-
/**
Allocates and initializes one RSA context for subsequent use.
@@ -285,67 +284,52 @@
IN VOID *RsaContext,
IN CONST UINT8 *MessageHash,
IN UINTN HashSize,
- IN UINT8 *Signature,
+ IN CONST UINT8 *Signature,
IN UINTN SigSize
)
{
- INTN Length;
+ INT32 DigestType;
+ UINT8 *SigBuf;
//
// Check input parameters.
//
- if (RsaContext == NULL || MessageHash == NULL || Signature == NULL ||
SigSize > INT_MAX) {
+ if (RsaContext == NULL || MessageHash == NULL || Signature == NULL) {
return FALSE;
}
-
- //
- // Check for unsupported hash size:
- // Only MD5, SHA-1 or SHA-256 digest size is supported
- //
- if (HashSize != MD5_DIGEST_SIZE && HashSize != SHA1_DIGEST_SIZE && HashSize
!= SHA256_DIGEST_SIZE) {
+ if (SigSize > INT_MAX || SigSize == 0) {
return FALSE;
}
-
- //
- // RSA PKCS#1 Signature Decoding using OpenSSL RSA Decryption with Public Key
- //
- Length = RSA_public_decrypt (
- (UINT32) SigSize,
- Signature,
- Signature,
- RsaContext,
- RSA_PKCS1_PADDING
- );
//
- // Invalid RSA Key or PKCS#1 Padding Checking Failed (if Length < 0)
- // NOTE: Length should be the addition of HashSize and some DER value.
- // Ignore more strict length checking here.
+ // Determine the message digest algorithm according to digest size.
+ // Only MD5, SHA-1 or SHA-256 algorithm is supported.
//
- if (Length < (INTN) HashSize) {
- return FALSE;
- }
+ switch (HashSize) {
+ case MD5_DIGEST_SIZE:
+ DigestType = NID_md5;
+ break;
+
+ case SHA1_DIGEST_SIZE:
+ DigestType = NID_sha1;
+ break;
+
+ case SHA256_DIGEST_SIZE:
+ DigestType = NID_sha256;
+ break;
- //
- // Validate the MessageHash and Decoded Signature
- // NOTE: The decoded Signature should be the DER encoding of the DigestInfo
value
- // DigestInfo ::= SEQUENCE {
- // digestAlgorithm AlgorithmIdentifier
- // digest OCTET STRING
- // }
- // Then Memory Comparing should skip the DER value of the underlying
SEQUENCE
- // type and AlgorithmIdentifier.
- //
- if (CompareMem (MessageHash, Signature + Length - HashSize, HashSize) == 0) {
- //
- // Valid RSA PKCS#1 Signature
- //
- return TRUE;
- } else {
- //
- // Failed to verification
- //
+ default:
return FALSE;
}
+
+ SigBuf = (UINT8 *) Signature;
+ return (BOOLEAN) RSA_verify (
+ DigestType,
+ MessageHash,
+ (UINT32) HashSize,
+ SigBuf,
+ (UINT32) SigSize,
+ (RSA *) RsaContext
+ );
}
Modified: branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
===================================================================
--- branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
2013-04-27 02:03:58 UTC (rev 14318)
+++ branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
2013-04-27 08:49:32 UTC (rev 14319)
@@ -7,7 +7,7 @@
3) RsaCheckKey
4) RsaPkcs1Sign
-Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD
License
which accompanies this distribution. The full text of the license may be
found at
@@ -22,27 +22,8 @@
#include <openssl/rsa.h>
#include <openssl/err.h>
+#include <openssl/objects.h>
-//
-// ASN.1 value for Hash Algorithm ID with the Distringuished Encoding Rules
(DER)
-// Refer to Section 9.2 of PKCS#1 v2.1
-//
-CONST UINT8 Asn1IdMd5[] = {
- 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86,
- 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10
- };
-
-CONST UINT8 Asn1IdSha1[] = {
- 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
- 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
- };
-
-CONST UINT8 Asn1IdSha256[] = {
- 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
- 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
- 0x00, 0x04, 0x20
- };
-
/**
Gets the tag-designated RSA key component from the established RSA context.
@@ -307,75 +288,6 @@
}
/**
- Performs the PKCS1-v1_5 encoding methods defined in RSA PKCS #1.
-
- @param[in] Message Message buffer to be encoded.
- @param[in] MessageSize Size of message buffer in bytes.
- @param[out] DigestInfo Pointer to buffer of digest info for output.
- @param[in,out] DigestInfoSize On input, the size of DigestInfo buffer in
bytes.
- On output, the size of data returned in
DigestInfo
- buffer in bytes.
-
- @retval TRUE PKCS1-v1_5 encoding finished successfully.
- @retval FALSE Any input parameter is invalid.
- @retval FALSE DigestInfo buffer is not large enough.
-
-**/
-BOOLEAN
-DigestInfoEncoding (
- IN CONST UINT8 *Message,
- IN UINTN MessageSize,
- OUT UINT8 *DigestInfo,
- IN OUT UINTN *DigestInfoSize
- )
-{
- CONST UINT8 *HashDer;
- UINTN DerSize;
-
- //
- // Check input parameters.
- //
- if (Message == NULL || DigestInfo == NULL || DigestInfoSize == NULL) {
- return FALSE;
- }
-
- //
- // The original message length is used to determine the hash algorithm since
- // message is digest value hashed by the specified algorithm.
- //
- switch (MessageSize) {
- case MD5_DIGEST_SIZE:
- HashDer = Asn1IdMd5;
- DerSize = sizeof (Asn1IdMd5);
- break;
-
- case SHA1_DIGEST_SIZE:
- HashDer = Asn1IdSha1;
- DerSize = sizeof (Asn1IdSha1);
- break;
-
- case SHA256_DIGEST_SIZE:
- HashDer = Asn1IdSha256;
- DerSize = sizeof (Asn1IdSha256);
- break;
-
- default:
- return FALSE;
- }
-
- if (*DigestInfoSize < DerSize + MessageSize) {
- *DigestInfoSize = DerSize + MessageSize;
- return FALSE;
- }
-
- CopyMem (DigestInfo, HashDer, DerSize);
- CopyMem (DigestInfo + DerSize, Message, MessageSize);
-
- *DigestInfoSize = DerSize + MessageSize;
- return TRUE;
-}
-
-/**
Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding
scheme.
This function carries out the RSA-SSA signature generation with
EMSA-PKCS1-v1_5 encoding scheme defined in
@@ -412,13 +324,12 @@
{
RSA *Rsa;
UINTN Size;
- INTN ReturnVal;
+ INT32 DigestType;
//
// Check input parameters.
//
- if (RsaContext == NULL || MessageHash == NULL ||
- (HashSize != MD5_DIGEST_SIZE && HashSize != SHA1_DIGEST_SIZE && HashSize
!= SHA256_DIGEST_SIZE)) {
+ if (RsaContext == NULL || MessageHash == NULL) {
return FALSE;
}
@@ -429,28 +340,38 @@
*SigSize = Size;
return FALSE;
}
-
+
if (Signature == NULL) {
return FALSE;
}
+
+ //
+ // Determine the message digest algorithm according to digest size.
+ // Only MD5, SHA-1 or SHA-256 algorithm is supported.
+ //
+ switch (HashSize) {
+ case MD5_DIGEST_SIZE:
+ DigestType = NID_md5;
+ break;
+
+ case SHA1_DIGEST_SIZE:
+ DigestType = NID_sha1;
+ break;
+
+ case SHA256_DIGEST_SIZE:
+ DigestType = NID_sha256;
+ break;
- if (!DigestInfoEncoding (MessageHash, HashSize, Signature, SigSize)) {
+ default:
return FALSE;
- }
+ }
- ReturnVal = RSA_private_encrypt (
- (UINT32) *SigSize,
- Signature,
- Signature,
- Rsa,
- RSA_PKCS1_PADDING
- );
-
- if (ReturnVal < (INTN) *SigSize) {
- return FALSE;
- }
-
- *SigSize = (UINTN) ReturnVal;
- return TRUE;
+ return (BOOLEAN) RSA_sign (
+ DigestType,
+ MessageHash,
+ (UINT32) HashSize,
+ Signature,
+ (UINT32 *) SigSize,
+ (RSA *) RsaContext
+ );
}
-
Modified: branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
===================================================================
--- branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
2013-04-27 02:03:58 UTC (rev 14318)
+++ branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
2013-04-27 08:49:32 UTC (rev 14319)
@@ -38,9 +38,7 @@
OUT UINT8 **SingleX509Cert
)
{
- BIO *CertBio;
X509 *X509Cert;
- BOOLEAN Status;
//
// Check input parameters.
@@ -49,31 +47,17 @@
return FALSE;
}
- Status = FALSE;
-
//
// Read DER-encoded X509 Certificate and Construct X509 object.
//
- CertBio = BIO_new (BIO_s_mem ());
- BIO_write (CertBio, Cert, (int) CertSize);
- if (CertBio == NULL) {
- goto _Exit;
- }
- X509Cert = d2i_X509_bio (CertBio, NULL);
+ X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize);
if (X509Cert == NULL) {
- goto _Exit;
+ return FALSE;
}
*SingleX509Cert = (UINT8 *) X509Cert;
- Status = TRUE;
-_Exit:
- //
- // Release Resources.
- //
- BIO_free (CertBio);
-
- return Status;
+ return TRUE;
}
/**
Modified:
branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/RuntimeDxeIpfCryptLib.c
===================================================================
---
branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/RuntimeDxeIpfCryptLib.c
2013-04-27 02:03:58 UTC (rev 14318)
+++
branches/UDK2010.SR1/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/RuntimeDxeIpfCryptLib.c
2013-04-27 08:49:32 UTC (rev 14319)
@@ -401,7 +401,7 @@
IN VOID *RsaContext,
IN CONST UINT8 *MessageHash,
IN UINTN HashSize,
- IN UINT8 *Signature,
+ IN CONST UINT8 *Signature,
IN UINTN SigSize
)
{
Modified:
branches/UDK2010.SR1/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
===================================================================
---
branches/UDK2010.SR1/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
2013-04-27 02:03:58 UTC (rev 14318)
+++
branches/UDK2010.SR1/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
2013-04-27 08:49:32 UTC (rev 14319)
@@ -260,21 +260,8 @@
===================================================================
--- crypto/x509/x509_vfy.c (revision 1)
+++ crypto/x509/x509_vfy.c (working copy)
-@@ -386,7 +386,11 @@
+@@ -899,6 +899,10 @@
- static int check_chain_extensions(X509_STORE_CTX *ctx)
- {
--#ifdef OPENSSL_NO_CHAIN_VERIFY
-+#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI)
-+ /*
-+ NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU
flag setting
-+ in Authenticode Signing Certificates.
-+ */
- return 1;
- #else
- int i, ok=0, must_be_ca, plen = 0;
-@@ -899,6 +903,10 @@
-
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
+#if defined(OPENSSL_SYS_UEFI)
@@ -284,7 +271,7 @@
time_t *ptime;
int i;
-@@ -942,6 +950,7 @@
+@@ -942,6 +946,7 @@
}
return 1;
This was sent by the SourceForge.net collaborative development platform, the
world's largest Open Source development site.
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
edk2-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-commits
