public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: Qin Long <qin.long@intel.com>
To: edk2-devel@lists.01.org
Cc: ting.ye@intel.com, jiaxin.wu@intel.com, lersek@redhat.com,
	ard.biesheuvel@linaro.org, glin@suse.com, ronald.cron@arm.com
Subject: [PATCH v1 8/9] CryptoPkg: Update PK Ciphers Wrapper Implementations work with opaque objects.
Date: Tue, 21 Mar 2017 23:56:11 +0800	[thread overview]
Message-ID: <20170321155612.1192-9-qin.long@intel.com> (raw)
In-Reply-To: <20170321155612.1192-1-qin.long@intel.com>

OpenSSL-1.1.xx makes most data structures opaque.
This patch updates Public Key Cipher Wrapper implementations in BaseCryptLib
to use the accessor APIs for opaque object access.
The impacted interfaces includes RSA, DH, X509, PKCS7, etc.

Cc: Ting Ye <ting.ye@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Ronald Cron <ronald.cron@arm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
 CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c        |  69 +++-----
 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c |  10 +-
 .../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c     |  68 +++++---
 CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c  | 189 ++++++++++-----------
 CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c    |  70 +++-----
 CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c        |  20 ++-
 CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c      |  41 +++--
 7 files changed, 218 insertions(+), 249 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c
index a5d6e49b8f..f44684f907 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c
@@ -1,7 +1,7 @@
 /** @file
   Diffie-Hellman Wrapper Implementation over OpenSSL.
 
-Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -16,7 +16,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
-
 /**
   Allocates and Initializes one Diffie-Hellman Context for subsequent use.
 
@@ -88,6 +87,7 @@ DhGenerateParameter (
   )
 {
   BOOLEAN RetVal;
+  BIGNUM  *BnP;
 
   //
   // Check input parameters.
@@ -105,7 +105,8 @@ DhGenerateParameter (
     return FALSE;
   }
 
-  BN_bn2bin (((DH *) DhContext)->p, Prime);
+  DH_get0_pqg (DhContext, (const BIGNUM **)&BnP, NULL, NULL);
+  BN_bn2bin (BnP, Prime);
 
   return TRUE;
 }
@@ -141,7 +142,8 @@ DhSetParameter (
   )
 {
   DH      *Dh;
-  BIGNUM  *Bn;
+  BIGNUM  *BnP;
+  BIGNUM  *BnG;
 
   //
   // Check input parameters.
@@ -149,50 +151,27 @@ DhSetParameter (
   if (DhContext == NULL || Prime == NULL || PrimeLength > INT_MAX) {
     return FALSE;
   }
-  
+
   if (Generator != DH_GENERATOR_2 && Generator != DH_GENERATOR_5) {
     return FALSE;
   }
 
-  Bn = NULL;
-
-  Dh = (DH *) DhContext;
-  Dh->g = NULL;
-  Dh->p = BN_new ();
-  if (Dh->p == NULL) {
-    goto Error;
-  }
-  
-  Dh->g = BN_new ();
-  if (Dh->g == NULL) {
-    goto Error;
-  }
-
-  Bn = BN_bin2bn (Prime, (UINT32) (PrimeLength / 8), Dh->p);
-  if (Bn == NULL) {
-    goto Error;
-  }
-
-  if (BN_set_word (Dh->g, (UINT32) Generator) == 0) {
+  //
+  // Set the generator and prime parameters for DH object.
+  //
+  Dh  = (DH *)DhContext;
+  BnP = BN_bin2bn ((const unsigned char *)Prime, (int)(PrimeLength / 8), NULL);
+  BnG = BN_bin2bn ((const unsigned char *)&Generator, 1, NULL);
+  if ((BnP == NULL) || (BnG == NULL) || !DH_set0_pqg (Dh, BnP, NULL, BnG)) {
     goto Error;
   }
 
   return TRUE;
 
 Error:
+  BN_free (BnP);
+  BN_free (BnG);
 
-  if (Dh->p != NULL) {
-    BN_free (Dh->p);
-  }
-
-  if (Dh->g != NULL) {
-    BN_free (Dh->g);
-  }
-
-  if (Bn != NULL) {
-    BN_free (Bn);
-  }
-  
   return FALSE;
 }
 
@@ -228,6 +207,7 @@ DhGenerateKey (
 {
   BOOLEAN RetVal;
   DH      *Dh;
+  BIGNUM  *DhPubKey;
   INTN    Size;
 
   //
@@ -240,22 +220,19 @@ DhGenerateKey (
   if (PublicKey == NULL && *PublicKeySize != 0) {
     return FALSE;
   }
-  
+
   Dh = (DH *) DhContext;
 
   RetVal = (BOOLEAN) DH_generate_key (DhContext);
   if (RetVal) {
-    Size = BN_num_bytes (Dh->pub_key);
-    if (Size <= 0) {
-      *PublicKeySize = 0;
-      return FALSE;
-    }
-    if (*PublicKeySize < (UINTN) Size) {
+    DH_get0_key (Dh, (const BIGNUM **)&DhPubKey, NULL);
+    Size = BN_num_bytes (DhPubKey);
+    if ((Size > 0) && (*PublicKeySize < (UINTN) Size)) {
       *PublicKeySize = Size;
       return FALSE;
     }
-    
-    BN_bn2bin (Dh->pub_key, PublicKey);
+
+    BN_bn2bin (DhPubKey, PublicKey);
     *PublicKeySize = Size;
   }
 
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
index 704eb4ec94..d3b1a907aa 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
@@ -1,7 +1,7 @@
 /** @file
   PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL.
 
-Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -18,7 +18,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
 
-
 /**
   Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
   Syntax Standard, version 1.5". This interface is only intended to be used for
@@ -184,13 +183,6 @@ _Exit:
   //
   // Release Resources
   //
-  if (RsaContext != NULL) {
-    RsaFree (RsaContext);
-    if (Key != NULL) {
-      Key->pkey.rsa = NULL;
-    }
-  }
-
   if (Key != NULL) {
     EVP_PKEY_free (Key);
   }
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index dcaba43679..bf24e92127 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -10,7 +10,7 @@
   WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated
   Variable and will do basic check for data structure.
 
-Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -163,6 +163,7 @@ X509PopCertificate (
   STACK_OF(X509)  *CertStack;
   BOOLEAN         Status;
   INT32           Result;
+  BUF_MEM         *Ptr;
   INT32           Length;
   VOID            *Buffer;
 
@@ -192,7 +193,8 @@ X509PopCertificate (
     goto _Exit;
   }
 
-  Length = (INT32)(((BUF_MEM *) CertBio->ptr)->length);
+  BIO_get_mem_ptr (CertBio, &Ptr);
+  Length = (INT32)(Ptr->length);
   if (Length <= 0) {
     goto _Exit;
   }
@@ -463,12 +465,15 @@ Pkcs7GetCertificatesList (
   BOOLEAN          Wrapped;
   UINT8            Index;
   PKCS7            *Pkcs7;
-  X509_STORE_CTX   CertCtx;
+  X509_STORE_CTX   *CertCtx;
+  STACK_OF(X509)   *CtxChain;
+  STACK_OF(X509)   *CtxUntrusted;
+  X509             *CtxCert;
   STACK_OF(X509)   *Signers;
   X509             *Signer;
   X509             *Cert;
-  X509             *TempCert;
   X509             *Issuer;
+  X509_NAME        *IssuerName;
   UINT8            *CertBuf;
   UINT8            *OldBuf;
   UINTN            BufferSize;
@@ -482,8 +487,11 @@ Pkcs7GetCertificatesList (
   Status         = FALSE;
   NewP7Data      = NULL;
   Pkcs7          = NULL;
+  CertCtx        = NULL;
+  CtxChain       = NULL;
+  CtxCert        = NULL;
+  CtxUntrusted   = NULL;
   Cert           = NULL;
-  TempCert       = NULL;
   SingleCert     = NULL;
   CertBuf        = NULL;
   OldBuf         = NULL;
@@ -531,19 +539,26 @@ Pkcs7GetCertificatesList (
   }
   Signer = sk_X509_value (Signers, 0);
 
-  if (!X509_STORE_CTX_init (&CertCtx, NULL, Signer, Pkcs7->d.sign->cert)) {
+  CertCtx = X509_STORE_CTX_new ();
+  if (CertCtx == NULL) {
+    goto _Error;
+  }
+  if (!X509_STORE_CTX_init (CertCtx, NULL, Signer, Pkcs7->d.sign->cert)) {
     goto _Error;
   }
   //
   // Initialize Chained & Untrusted stack
   //
-  if (CertCtx.chain == NULL) {
-    if (((CertCtx.chain = sk_X509_new_null ()) == NULL) ||
-        (!sk_X509_push (CertCtx.chain, CertCtx.cert))) {
+  CtxChain = X509_STORE_CTX_get0_chain (CertCtx);
+  CtxCert  = X509_STORE_CTX_get0_cert (CertCtx);
+  if (CtxChain == NULL) {
+    if (((CtxChain = sk_X509_new_null ()) == NULL) ||
+        (!sk_X509_push (CtxChain, CtxCert))) {
       goto _Error;
     }
   }
-  (VOID)sk_X509_delete_ptr (CertCtx.untrusted, Signer);
+  CtxUntrusted = X509_STORE_CTX_get0_untrusted (CertCtx);
+  (VOID)sk_X509_delete_ptr (CtxUntrusted, Signer);
 
   //
   // Build certificates stack chained from Signer's certificate.
@@ -553,27 +568,25 @@ Pkcs7GetCertificatesList (
     //
     // Self-Issue checking
     //
-    if (CertCtx.check_issued (&CertCtx, Cert, Cert)) {
-      break;
+    Issuer = NULL;
+    if (X509_STORE_CTX_get1_issuer (&Issuer, CertCtx, Cert) == 1) {
+      if (X509_cmp (Issuer, Cert) == 0) {
+        break;
+      }
     }
 
     //
     // Found the issuer of the current certificate
     //
-    if (CertCtx.untrusted != NULL) {
+    if (CtxUntrusted != NULL) {
       Issuer = NULL;
-      for (Index = 0; Index < sk_X509_num (CertCtx.untrusted); Index++) {
-        TempCert = sk_X509_value (CertCtx.untrusted, Index);
-        if (CertCtx.check_issued (&CertCtx, Cert, TempCert)) {
-          Issuer = TempCert;
-          break;
-        }
-      }
+      IssuerName = X509_get_issuer_name (Cert);
+      Issuer     = X509_find_by_subject (CtxUntrusted, IssuerName);
       if (Issuer != NULL) {
-        if (!sk_X509_push (CertCtx.chain, Issuer)) {
+        if (!sk_X509_push (CtxChain, Issuer)) {
           goto _Error;
         }
-        (VOID)sk_X509_delete_ptr (CertCtx.untrusted, Issuer);
+        (VOID)sk_X509_delete_ptr (CtxUntrusted, Issuer);
 
         Cert = Issuer;
         continue;
@@ -595,13 +608,13 @@ Pkcs7GetCertificatesList (
   //      UINT8  Certn[];
   //
 
-  if (CertCtx.chain != NULL) {
+  if (CtxChain != NULL) {
     BufferSize = sizeof (UINT8);
     OldSize    = BufferSize;
     CertBuf    = NULL;
 
     for (Index = 0; ; Index++) {
-      Status = X509PopCertificate (CertCtx.chain, &SingleCert, &CertSize);
+      Status = X509PopCertificate (CtxChain, &SingleCert, &CertSize);
       if (!Status) {
         break;
       }
@@ -639,13 +652,13 @@ Pkcs7GetCertificatesList (
     }
   }
 
-  if (CertCtx.untrusted != NULL) {
+  if (CtxUntrusted != NULL) {
     BufferSize = sizeof (UINT8);
     OldSize    = BufferSize;
     CertBuf    = NULL;
 
     for (Index = 0; ; Index++) {
-      Status = X509PopCertificate (CertCtx.untrusted, &SingleCert, &CertSize);
+      Status = X509PopCertificate (CtxUntrusted, &SingleCert, &CertSize);
       if (!Status) {
         break;
       }
@@ -698,7 +711,8 @@ _Error:
   }
   sk_X509_free (Signers);
 
-  X509_STORE_CTX_cleanup (&CertCtx);
+  X509_STORE_CTX_cleanup (CertCtx);
+  X509_STORE_CTX_free (CertCtx);
 
   if (SingleCert != NULL) {
     free (SingleCert);
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
index e68dd02480..ba1bcf0f0b 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c
@@ -7,7 +7,7 @@
   3) RsaSetKey
   4) RsaPkcs1Verify
 
-Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -92,7 +92,15 @@ RsaSetKey (
   IN      UINTN        BnSize
   )
 {
-  RSA  *RsaKey;
+  RSA     *RsaKey;
+  BIGNUM  *BnN;
+  BIGNUM  *BnE;
+  BIGNUM  *BnD;
+  BIGNUM  *BnP;
+  BIGNUM  *BnQ;
+  BIGNUM  *BnDp;
+  BIGNUM  *BnDq;
+  BIGNUM  *BnQInv;
 
   //
   // Check input parameters.
@@ -101,7 +109,23 @@ RsaSetKey (
     return FALSE;
   }
 
+  BnN    = NULL;
+  BnE    = NULL;
+  BnD    = NULL;
+  BnP    = NULL;
+  BnQ    = NULL;
+  BnDp   = NULL;
+  BnDq   = NULL;
+  BnQInv = NULL;
+
+  //
+  // Retrieve the components from RSA object.
+  //
   RsaKey = (RSA *) RsaContext;
+  RSA_get0_key (RsaKey, (const BIGNUM **)&BnN, (const BIGNUM **)&BnE, (const BIGNUM **)&BnD);
+  RSA_get0_factors (RsaKey, (const BIGNUM **)&BnP, (const BIGNUM **)&BnQ);
+  RSA_get0_crt_params (RsaKey, (const BIGNUM **)&BnDp, (const BIGNUM **)&BnDq, (const BIGNUM **)&BnQInv);
+
   //
   // Set RSA Key Components by converting octet string to OpenSSL BN representation.
   // NOTE: For RSA public key (used in signature verification), only public components
@@ -110,144 +134,109 @@ RsaSetKey (
   switch (KeyTag) {
 
   //
-  // RSA Public Modulus (N)
+  // RSA Public Modulus (N), Public Exponent (e) and Private Exponent (d)
   //
   case RsaKeyN:
-    if (RsaKey->n != NULL) {
-      BN_free (RsaKey->n);
-    }
-    RsaKey->n = NULL;
-    if (BigNumber == NULL) {
-      break;
-    }
-    RsaKey->n = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->n);
-    if (RsaKey->n == NULL) {
-      return FALSE;
-    }
-
-    break;
-
-  //
-  // RSA Public Exponent (e)
-  //
   case RsaKeyE:
-    if (RsaKey->e != NULL) {
-      BN_free (RsaKey->e);
+  case RsaKeyD:
+    if (BnN == NULL) {
+      BnN = BN_new ();
     }
-    RsaKey->e = NULL;
-    if (BigNumber == NULL) {
-      break;
+    if (BnE == NULL) {
+      BnE = BN_new ();
     }
-    RsaKey->e = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->e);
-    if (RsaKey->e == NULL) {
-      return FALSE;
+    if (BnD == NULL) {
+      BnD = BN_new ();
     }
 
-    break;
-
-  //
-  // RSA Private Exponent (d)
-  //
-  case RsaKeyD:
-    if (RsaKey->d != NULL) {
-      BN_free (RsaKey->d);
-    }
-    RsaKey->d = NULL;
-    if (BigNumber == NULL) {
-      break;
-    }
-    RsaKey->d = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->d);
-    if (RsaKey->d == NULL) {
+    if ((BnN == NULL) || (BnE == NULL) || (BnD == NULL)) {
       return FALSE;
     }
 
-    break;
-
-  //
-  // RSA Secret Prime Factor of Modulus (p)
-  //
-  case RsaKeyP:
-    if (RsaKey->p != NULL) {
-      BN_free (RsaKey->p);
-    }
-    RsaKey->p = NULL;
-    if (BigNumber == NULL) {
+    switch (KeyTag) {
+    case RsaKeyN:
+      BnN = BN_bin2bn (BigNumber, (UINT32)BnSize, BnN);
+      break;
+    case RsaKeyE:
+      BnE = BN_bin2bn (BigNumber, (UINT32)BnSize, BnE);
       break;
+    case RsaKeyD:
+      BnD = BN_bin2bn (BigNumber, (UINT32)BnSize, BnD);
+      break;
+    default:
+      return FALSE;
     }
-    RsaKey->p = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->p);
-    if (RsaKey->p == NULL) {
+    if (RSA_set0_key (RsaKey, BN_dup(BnN), BN_dup(BnE), BN_dup(BnD)) == 0) {
       return FALSE;
     }
 
     break;
 
   //
-  // RSA Secret Prime Factor of Modules (q)
+  // RSA Secret Prime Factor of Modulus (p and q)
   //
+  case RsaKeyP:
   case RsaKeyQ:
-    if (RsaKey->q != NULL) {
-      BN_free (RsaKey->q);
+    if (BnP == NULL) {
+      BnP = BN_new ();
     }
-    RsaKey->q = NULL;
-    if (BigNumber == NULL) {
-      break;
+    if (BnQ == NULL) {
+      BnQ = BN_new ();
     }
-    RsaKey->q = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->q);
-    if (RsaKey->q == NULL) {
+    if ((BnP == NULL) || (BnQ == NULL)) {
       return FALSE;
     }
 
-    break;
-
-  //
-  // p's CRT Exponent (== d mod (p - 1))
-  //
-  case RsaKeyDp:
-    if (RsaKey->dmp1 != NULL) {
-      BN_free (RsaKey->dmp1);
-    }
-    RsaKey->dmp1 = NULL;
-    if (BigNumber == NULL) {
+    switch (KeyTag) {
+    case RsaKeyP:
+      BnP = BN_bin2bn (BigNumber, (UINT32)BnSize, BnP);
       break;
+    case RsaKeyQ:
+      BnQ = BN_bin2bn (BigNumber, (UINT32)BnSize, BnQ);
+      break;
+    default:
+      return FALSE;
     }
-    RsaKey->dmp1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmp1);
-    if (RsaKey->dmp1 == NULL) {
+    if (RSA_set0_factors (RsaKey, BN_dup(BnP), BN_dup(BnQ)) == 0) {
       return FALSE;
     }
 
     break;
 
   //
-  // q's CRT Exponent (== d mod (q - 1))
+  // p's CRT Exponent (== d mod (p - 1)),  q's CRT Exponent (== d mod (q - 1)),
+  // and CRT Coefficient (== 1/q mod p)
   //
+  case RsaKeyDp:
   case RsaKeyDq:
-    if (RsaKey->dmq1 != NULL) {
-      BN_free (RsaKey->dmq1);
+  case RsaKeyQInv:
+    if (BnDp == NULL) {
+      BnDp = BN_new ();
     }
-    RsaKey->dmq1 = NULL;
-    if (BigNumber == NULL) {
-      break;
+    if (BnDq == NULL) {
+      BnDq = BN_new ();
     }
-    RsaKey->dmq1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmq1);
-    if (RsaKey->dmq1 == NULL) {
+    if (BnQInv == NULL) {
+      BnQInv = BN_new ();
+    }
+    if ((BnDp == NULL) || (BnDq == NULL) || (BnQInv == NULL)) {
       return FALSE;
     }
 
-    break;
-
-  //
-  // The CRT Coefficient (== 1/q mod p)
-  //
-  case RsaKeyQInv:
-    if (RsaKey->iqmp != NULL) {
-      BN_free (RsaKey->iqmp);
-    }
-    RsaKey->iqmp = NULL;
-    if (BigNumber == NULL) {
+    switch (KeyTag) {
+    case RsaKeyDp:
+      BnDp = BN_bin2bn (BigNumber, (UINT32)BnSize, BnDp);
+      break;
+    case RsaKeyDq:
+      BnDq = BN_bin2bn (BigNumber, (UINT32)BnSize, BnDq);
+      break;
+    case RsaKeyQInv:
+      BnQInv = BN_bin2bn (BigNumber, (UINT32)BnSize, BnQInv);
       break;
+    default:
+      return FALSE;
     }
-    RsaKey->iqmp = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->iqmp);
-    if (RsaKey->iqmp == NULL) {
+    if (RSA_set0_crt_params (RsaKey, BN_dup(BnDp), BN_dup(BnDq), BN_dup(BnQInv)) == 0) {
       return FALSE;
     }
 
@@ -311,11 +300,11 @@ RsaPkcs1Verify (
   case MD5_DIGEST_SIZE:
     DigestType = NID_md5;
     break;
-    
+
   case SHA1_DIGEST_SIZE:
     DigestType = NID_sha1;
     break;
-    
+
   case SHA256_DIGEST_SIZE:
     DigestType = NID_sha256;
     break;
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
index 30552e4f4b..ca32b1ecc3 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c
@@ -7,7 +7,7 @@
   3) RsaCheckKey
   4) RsaPkcs1Sign
 
-Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -74,6 +74,7 @@ RsaGetKey (
   RsaKey  = (RSA *) RsaContext;
   Size    = *BnSize;
   *BnSize = 0;
+  BnKey   = NULL;
 
   switch (KeyTag) {
 
@@ -81,86 +82,66 @@ RsaGetKey (
   // RSA Public Modulus (N)
   //
   case RsaKeyN:
-    if (RsaKey->n == NULL) {
-      return TRUE;
-    }
-    BnKey = RsaKey->n;
+    RSA_get0_key (RsaKey, (const BIGNUM **)&BnKey, NULL, NULL);
     break;
 
   //
   // RSA Public Exponent (e)
   //
   case RsaKeyE:
-    if (RsaKey->e == NULL) {
-      return TRUE;
-    }
-    BnKey = RsaKey->e;
+    RSA_get0_key (RsaKey, NULL, (const BIGNUM **)&BnKey, NULL);
     break;
 
   //
   // RSA Private Exponent (d)
   //
   case RsaKeyD:
-    if (RsaKey->d == NULL) {
-      return TRUE;
-    }
-    BnKey = RsaKey->d;
+    RSA_get0_key (RsaKey, NULL, NULL, (const BIGNUM **)&BnKey);
     break;
 
   //
   // RSA Secret Prime Factor of Modulus (p)
   //
   case RsaKeyP:
-    if (RsaKey->p == NULL) {
-      return TRUE;
-    }
-    BnKey = RsaKey->p;
+    RSA_get0_factors (RsaKey, (const BIGNUM **)&BnKey, NULL);
     break;
 
   //
   // RSA Secret Prime Factor of Modules (q)
   //
   case RsaKeyQ:
-    if (RsaKey->q == NULL) {
-      return TRUE;
-    }
-    BnKey = RsaKey->q;
+    RSA_get0_factors (RsaKey, NULL, (const BIGNUM **)&BnKey);
     break;
 
   //
   // p's CRT Exponent (== d mod (p - 1))
   //
   case RsaKeyDp:
-    if (RsaKey->dmp1 == NULL) {
-      return TRUE;
-    }
-    BnKey = RsaKey->dmp1;
+    RSA_get0_crt_params (RsaKey, (const BIGNUM **)&BnKey, NULL, NULL);
     break;
 
   //
   // q's CRT Exponent (== d mod (q - 1))
   //
   case RsaKeyDq:
-    if (RsaKey->dmq1 == NULL) {
-      return TRUE;
-    }
-    BnKey = RsaKey->dmq1;
+    RSA_get0_crt_params (RsaKey, NULL, (const BIGNUM **)&BnKey, NULL);
     break;
 
   //
   // The CRT Coefficient (== 1/q mod p)
   //
   case RsaKeyQInv:
-    if (RsaKey->iqmp == NULL) {
-      return TRUE;
-    }
-    BnKey = RsaKey->iqmp;
+    RSA_get0_crt_params (RsaKey, NULL, NULL, (const BIGNUM **)&BnKey);
     break;
 
   default:
     return FALSE;
   }
 
+  if (BnKey == NULL) {
+    return FALSE;
+  }
+
   *BnSize = Size;
   Size    = BN_num_bytes (BnKey);
 
@@ -170,10 +151,11 @@ RsaGetKey (
   }
 
   if (BigNumber == NULL) {
-    return FALSE;
+    *BnSize = Size;
+    return TRUE;
   }
   *BnSize = BN_bn2bin (BnKey, BigNumber) ;
-  
+
   return TRUE;
 }
 
@@ -216,14 +198,14 @@ RsaGenerateKey (
   if (RsaContext == NULL || ModulusLength > INT_MAX || PublicExponentSize > INT_MAX) {
     return FALSE;
   }
-  
+
   KeyE = BN_new ();
   if (KeyE == NULL) {
     return FALSE;
   }
 
   RetVal = FALSE;
-  
+
   if (PublicExponent == NULL) {
     if (BN_set_word (KeyE, 0x10001) == 0) {
       goto _Exit;
@@ -276,7 +258,7 @@ RsaCheckKey (
   if (RsaContext == NULL) {
     return FALSE;
   }
-  
+
   if  (RSA_check_key ((RSA *) RsaContext) != 1) {
     Reason = ERR_GET_REASON (ERR_peek_last_error ());
     if (Reason == RSA_R_P_NOT_PRIME ||
@@ -337,17 +319,17 @@ RsaPkcs1Sign (
   }
 
   Rsa = (RSA *) RsaContext;
-  Size = BN_num_bytes (Rsa->n);
+  Size = RSA_size (Rsa);
 
   if (*SigSize < Size) {
     *SigSize = Size;
     return FALSE;
   }
-  
+
   if (Signature == NULL) {
     return FALSE;
   }
-  
+
   //
   // Determine the message digest algorithm according to digest size.
   //   Only MD5, SHA-1 or SHA-256 algorithm is supported. 
@@ -356,18 +338,18 @@ RsaPkcs1Sign (
   case MD5_DIGEST_SIZE:
     DigestType = NID_md5;
     break;
-    
+
   case SHA1_DIGEST_SIZE:
     DigestType = NID_sha1;
     break;
-    
+
   case SHA256_DIGEST_SIZE:
     DigestType = NID_sha256;
     break;
 
   default:
     return FALSE;
-  }  
+  }
 
   return (BOOLEAN) RSA_sign (
                      DigestType,
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
index 1b78472f4d..d63c23df09 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
@@ -5,7 +5,7 @@
   the lifetime of the signature when a signing certificate expires or is later
   revoked.
 
-Copyright (c) 2014 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2014 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -239,7 +239,7 @@ CheckTSTInfo (
   TS_MESSAGE_IMPRINT  *Imprint;
   X509_ALGOR          *HashAlgo;
   CONST EVP_MD        *Md;
-  EVP_MD_CTX          MdCtx;
+  EVP_MD_CTX          *MdCtx;
   UINTN               MdSize;
   UINT8               *HashedMsg;
 
@@ -249,6 +249,7 @@ CheckTSTInfo (
   Status    = FALSE;
   HashAlgo  = NULL;
   HashedMsg = NULL;
+  MdCtx     = NULL;
 
   //
   // -- Check version number of Timestamp:
@@ -285,11 +286,17 @@ CheckTSTInfo (
   if (HashedMsg == NULL) {
     goto _Exit;
   }
-  EVP_DigestInit (&MdCtx, Md);
-  EVP_DigestUpdate (&MdCtx, TimestampedData, DataSize);
-  EVP_DigestFinal (&MdCtx, HashedMsg, NULL);
+  MdCtx = EVP_MD_CTX_new ();
+  if (MdCtx == NULL) {
+    goto _Exit;
+  }
+  if ((EVP_DigestInit_ex (MdCtx, Md, NULL) != 1) ||
+      (EVP_DigestUpdate (MdCtx, TimestampedData, DataSize) != 1) ||
+      (EVP_DigestFinal (MdCtx, HashedMsg, NULL) != 1)) {
+    goto _Exit;
+  }
   if ((MdSize == (UINTN)ASN1_STRING_length (Imprint->HashedMessage)) &&
-      (CompareMem (HashedMsg, ASN1_STRING_data (Imprint->HashedMessage), MdSize) != 0)) {
+      (CompareMem (HashedMsg, ASN1_STRING_get0_data (Imprint->HashedMessage), MdSize) != 0)) {
     goto _Exit;
   }
 
@@ -315,6 +322,7 @@ CheckTSTInfo (
 
 _Exit:
   X509_ALGOR_free (HashAlgo);
+  EVP_MD_CTX_free (MdCtx);
   if (HashedMsg != NULL) {
     FreePool (HashedMsg);
   }
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 7dc4596759..7d275977c5 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -1,7 +1,7 @@
 /** @file
   X.509 Certificate Handler Wrapper Implementation over OpenSSL.
 
-Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -73,7 +73,7 @@ X509ConstructCertificate (
   @param           ...        A list of DER-encoded single certificate data followed
                               by certificate size. A NULL terminates the list. The
                               pairs are the arguments to X509ConstructCertificate().
-                                 
+
   @retval     TRUE            The X509 stack construction succeeded.
   @retval     FALSE           The construction operation failed.
 
@@ -82,7 +82,7 @@ BOOLEAN
 EFIAPI
 X509ConstructCertificateStack (
   IN OUT  UINT8  **X509Stack,
-  ...  
+  ...
   )
 {
   UINT8           *Cert;
@@ -175,14 +175,14 @@ EFIAPI
 X509Free (
   IN  VOID  *X509Cert
   )
-{ 
+{
   //
   // Check input parameters.
   //
   if (X509Cert == NULL) {
     return;
   }
-  
+
   //
   // Free OpenSSL X509 object.
   //
@@ -209,7 +209,7 @@ X509StackFree (
   if (X509Stack == NULL) {
     return;
   }
-  
+
   //
   // Free OpenSSL X509 stack object.
   //
@@ -324,7 +324,7 @@ RsaGetPublicKeyFromX509 (
   BOOLEAN   Status;
   EVP_PKEY  *Pkey;
   X509      *X509Cert;
-  
+
   //
   // Check input parameters.
   //
@@ -350,14 +350,14 @@ RsaGetPublicKeyFromX509 (
   // Retrieve and check EVP_PKEY data from X509 Certificate.
   //
   Pkey = X509_get_pubkey (X509Cert);
-  if ((Pkey == NULL) || (Pkey->type != EVP_PKEY_RSA)) {
+  if ((Pkey == NULL) || (EVP_PKEY_id (Pkey) != EVP_PKEY_RSA)) {
     goto _Exit;
   }
 
   //
   // Duplicate RSA Context from the retrieved EVP_PKEY.
   //
-  if ((*RsaContext = RSAPublicKey_dup (Pkey->pkey.rsa)) != NULL) {
+  if ((*RsaContext = RSAPublicKey_dup (EVP_PKEY_get0_RSA (Pkey))) != NULL) {
     Status = TRUE;
   }
 
@@ -371,7 +371,7 @@ _Exit:
 
   if (Pkey != NULL) {
     EVP_PKEY_free (Pkey);
-  }  
+  }
 
   return Status;
 }
@@ -405,8 +405,8 @@ X509VerifyCert (
   X509            *X509Cert;
   X509            *X509CACert;
   X509_STORE      *CertStore;
-  X509_STORE_CTX  CertCtx;
-  
+  X509_STORE_CTX  *CertCtx;
+
   //
   // Check input parameters.
   //
@@ -418,6 +418,7 @@ X509VerifyCert (
   X509Cert   = NULL;
   X509CACert = NULL;
   CertStore  = NULL;
+  CertCtx    = NULL;
 
   //
   // Register & Initialize necessary digest algorithms for certificate verification.
@@ -473,15 +474,19 @@ X509VerifyCert (
   //
   // Set up X509_STORE_CTX for the subsequent verification operation.
   //
-  if (!X509_STORE_CTX_init (&CertCtx, CertStore, X509Cert, NULL)) {
+  CertCtx = X509_STORE_CTX_new ();
+  if (CertCtx == NULL) {
+    goto _Exit;
+  }
+  if (!X509_STORE_CTX_init (CertCtx, CertStore, X509Cert, NULL)) {
     goto _Exit;
   }
 
   //
   // X509 Certificate Verification.
   //
-  Status = (BOOLEAN) X509_verify_cert (&CertCtx);
-  X509_STORE_CTX_cleanup (&CertCtx);
+  Status = (BOOLEAN) X509_verify_cert (CertCtx);
+  X509_STORE_CTX_cleanup (CertCtx);
 
 _Exit:
   //
@@ -498,7 +503,9 @@ _Exit:
   if (CertStore != NULL) {
     X509_STORE_free (CertStore);
   }
-  
+
+  X509_STORE_CTX_free (CertCtx);
+
   return Status;
 }
 
@@ -575,6 +582,6 @@ X509GetTBSCert (
   }
 
   *TBSCertSize = Length + (Temp - *TBSCert);
-  
+
   return TRUE;
 }
-- 
2.11.1.windows.1



  parent reply	other threads:[~2017-03-21 15:57 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-21 15:56 [PATCH v1 0/9] *** Upgrade CryptoPkg to use the latest OpenSSL 1.1.0xx/stable release *** Qin Long
2017-03-21 15:56 ` [PATCH v1 1/9] CryptoPkg/OpensslLib: Update INF files to support OpenSSL-1.1.0xx build Qin Long
2017-03-22 12:02   ` Laszlo Ersek
2017-03-22 12:18   ` Laszlo Ersek
2017-03-21 15:56 ` [PATCH v1 2/9] CryptoPkg/OpensslLib: Remove patch file and installation scripts Qin Long
2017-03-22 12:05   ` Laszlo Ersek
2017-03-21 15:56 ` [PATCH v1 3/9] CryptoPkg: Fix handling of &strcmp function pointers Qin Long
2017-03-22 10:11   ` Gary Lin
2017-03-23  2:16     ` Long, Qin
2017-03-23  3:39       ` Long, Qin
2017-03-21 15:56 ` [PATCH v1 4/9] CryptoPkg/OpensslLib: Use new Perl script for file list generation Qin Long
2017-03-21 15:56 ` [PATCH v1 5/9] CryptoPkg: Clean-up CRT Library Wrapper Qin Long
2017-03-21 15:56 ` [PATCH v1 6/9] CryptoPkg: Add extra build option to disable VS build warning Qin Long
2017-03-21 15:56 ` [PATCH v1 7/9] CryptoPkg: Update HMAC Wrapper implementation with opaque HMAC_CTX object Qin Long
2017-03-21 15:56 ` Qin Long [this message]
2017-03-21 15:56 ` [PATCH v1 9/9] CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes Qin Long
2017-03-21 17:42   ` Palmer, Thomas
2017-03-22  1:32     ` Long, Qin
2017-03-23  1:20       ` Wu, Jiaxin
2017-03-23 16:23         ` Palmer, Thomas
2017-03-22  2:22 ` [PATCH v1 0/9] *** Upgrade CryptoPkg to use the latest OpenSSL 1.1.0xx/stable release *** Gao, Liming
2017-03-22  2:44   ` Long, Qin
2017-03-22 13:02 ` Laszlo Ersek
2017-03-22 16:20   ` Long, Qin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170321155612.1192-9-qin.long@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox