[mirror_edk2.git] / CryptoPkg / Library / OpensslLib / EDKII_openssl-1.0.2f.patch

diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h\r
index 6e2293b..325e5d2 100644\r
--- a/crypto/bio/bio.h\r
+++ b/crypto/bio/bio.h\r
@@ -650,10 +650,10 @@ int BIO_asn1_set_suffix(BIO *b, asn1_ps_func *suffix,\r
 int BIO_asn1_get_suffix(BIO *b, asn1_ps_func **psuffix,\r
                         asn1_ps_func **psuffix_free);\r
 \r
-# ifndef OPENSSL_NO_FP_API\r
 BIO_METHOD *BIO_s_file(void);\r
 BIO *BIO_new_file(const char *filename, const char *mode);\r
 BIO *BIO_new_fp(FILE *stream, int close_flag);\r
+# ifndef OPENSSL_NO_FP_API\r
 #  define BIO_s_file_internal    BIO_s_file\r
 # endif\r
 BIO *BIO_new(BIO_METHOD *type);\r
diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c\r
index bfba93e..4f13d1b 100644\r
--- a/crypto/bio/bss_file.c\r
+++ b/crypto/bio/bss_file.c\r
@@ -467,6 +467,23 @@ static int MS_CALLBACK file_puts(BIO *bp, const char *str)\r
     return (ret);\r
 }\r
 \r
+# else\r
+\r
+BIO_METHOD *BIO_s_file(void)\r
+{\r
+    return NULL;\r
+}\r
+\r
+BIO *BIO_new_file(const char *filename, const char *mode)\r
+{\r
+    return NULL;\r
+}\r
+\r
+BIO *BIO_new_fp(FILE *stream, int close_flag)\r
+{\r
+    return NULL;\r
+}\r
+\r
 # endif                         /* OPENSSL_NO_STDIO */\r
 \r
 #endif                          /* HEADER_BSS_FILE_C */\r
diff --git a/crypto/crypto.h b/crypto/crypto.h\r
index c450d7a..d6e804e 100644\r
--- a/crypto/crypto.h\r
+++ b/crypto/crypto.h\r
@@ -235,15 +235,15 @@ typedef struct openssl_item_st {\r
 # ifndef OPENSSL_NO_LOCKING\r
 #  ifndef CRYPTO_w_lock\r
 #   define CRYPTO_w_lock(type)     \\r
-        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)\r
+        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,NULL,0)\r
 #   define CRYPTO_w_unlock(type)   \\r
-        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)\r
+        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,NULL,0)\r
 #   define CRYPTO_r_lock(type)     \\r
-        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__)\r
+        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,NULL,0)\r
 #   define CRYPTO_r_unlock(type)   \\r
-        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__)\r
+        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,NULL,0)\r
 #   define CRYPTO_add(addr,amount,type)    \\r
-        CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__)\r
+        CRYPTO_add_lock(addr,amount,type,NULL,0)\r
 #  endif\r
 # else\r
 #  define CRYPTO_w_lock(a)\r
@@ -378,19 +378,19 @@ int CRYPTO_is_mem_check_on(void);\r
 # define MemCheck_off()  CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE)\r
 # define is_MemCheck_on() CRYPTO_is_mem_check_on()\r
 \r
-# define OPENSSL_malloc(num)     CRYPTO_malloc((int)num,__FILE__,__LINE__)\r
-# define OPENSSL_strdup(str)     CRYPTO_strdup((str),__FILE__,__LINE__)\r
+# define OPENSSL_malloc(num)     CRYPTO_malloc((int)num,NULL,0)\r
+# define OPENSSL_strdup(str)     CRYPTO_strdup((str),NULL,0)\r
 # define OPENSSL_realloc(addr,num) \\r
-        CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)\r
+        CRYPTO_realloc((char *)addr,(int)num,NULL,0)\r
 # define OPENSSL_realloc_clean(addr,old_num,num) \\r
-        CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__)\r
+        CRYPTO_realloc_clean(addr,old_num,num,NULL,0)\r
 # define OPENSSL_remalloc(addr,num) \\r
-        CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)\r
+        CRYPTO_remalloc((char **)addr,(int)num,NULL,0)\r
 # define OPENSSL_freeFunc        CRYPTO_free\r
 # define OPENSSL_free(addr)      CRYPTO_free(addr)\r
 \r
 # define OPENSSL_malloc_locked(num) \\r
-        CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)\r
+        CRYPTO_malloc_locked((int)num,NULL,0)\r
 # define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr)\r
 \r
 const char *SSLeay_version(int type);\r
@@ -545,7 +545,7 @@ void CRYPTO_set_mem_debug_options(long bits);\r
 long CRYPTO_get_mem_debug_options(void);\r
 \r
 # define CRYPTO_push_info(info) \\r
-        CRYPTO_push_info_(info, __FILE__, __LINE__);\r
+        CRYPTO_push_info_(info, NULL, 0);\r
 int CRYPTO_push_info_(const char *info, const char *file, int line);\r
 int CRYPTO_pop_info(void);\r
 int CRYPTO_remove_all_info(void);\r
@@ -588,7 +588,7 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);\r
 \r
 /* die if we have to */\r
 void OpenSSLDie(const char *file, int line, const char *assertion);\r
-# define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))\r
+# define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(NULL, 0, #e),1))\r
 \r
 unsigned long *OPENSSL_ia32cap_loc(void);\r
 # define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))\r
@@ -605,14 +605,14 @@ void OPENSSL_init(void);\r
 #  define fips_md_init_ctx(alg, cx) \\r
         int alg##_Init(cx##_CTX *c) \\r
         { \\r
-        if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \\r
+        if (FIPS_mode()) OpenSSLDie(NULL, 0, \\r
                 "Low level API call to digest " #alg " forbidden in FIPS mode!"); \\r
         return private_##alg##_Init(c); \\r
         } \\r
         int private_##alg##_Init(cx##_CTX *c)\r
 \r
 #  define fips_cipher_abort(alg) \\r
-        if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \\r
+        if (FIPS_mode()) OpenSSLDie(NULL, 0, \\r
                 "Low level API call to cipher " #alg " forbidden in FIPS mode!")\r
 \r
 # else\r
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c\r
index b58e3fa..e5f345a 100644\r
--- a/crypto/dh/dh_pmeth.c\r
+++ b/crypto/dh/dh_pmeth.c\r
@@ -449,6 +449,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,\r
         *keylen = ret;\r
         return 1;\r
     } else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {\r
+#ifdef OPENSSL_NO_CMS\r
+        return 0;\r
+#else\r
         unsigned char *Z = NULL;\r
         size_t Zlen = 0;\r
         if (!dctx->kdf_outlen || !dctx->kdf_oid)\r
@@ -478,6 +481,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,\r
             OPENSSL_free(Z);\r
         }\r
         return ret;\r
+#endif\r
     }\r
     return 1;\r
 }\r
diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h\r
index d3b23fc..d61605b 100644\r
--- a/crypto/pem/pem.h\r
+++ b/crypto/pem/pem.h\r
@@ -324,6 +324,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \\r
 \r
 #  define DECLARE_PEM_read_fp(name, type) /**/\r
 #  define DECLARE_PEM_write_fp(name, type) /**/\r
+#  define DECLARE_PEM_write_fp_const(name, type) /**/\r
 #  define DECLARE_PEM_write_cb_fp(name, type) /**/\r
 # else\r
 \r
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c\r
index c4d3724..fd531c9 100644\r
--- a/crypto/pkcs7/pk7_smime.c\r
+++ b/crypto/pkcs7/pk7_smime.c\r
@@ -254,7 +254,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,\r
     STACK_OF(PKCS7_SIGNER_INFO) *sinfos;\r
     PKCS7_SIGNER_INFO *si;\r
     X509_STORE_CTX cert_ctx;\r
-    char buf[4096];\r
+    char *buf = NULL;\r
+    int bufsiz;\r
     int i, j = 0, k, ret = 0;\r
     BIO *p7bio = NULL;\r
     BIO *tmpin = NULL, *tmpout = NULL;\r
@@ -274,12 +275,29 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,\r
         PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);\r
         return 0;\r
     }\r
+#if 0\r
+    /*\r
+     * NB: this test commented out because some versions of Netscape\r
+     * illegally include zero length content when signing data. Also\r
+     * Microsoft Authenticode includes a SpcIndirectDataContent data\r
+     * structure which describes the content to be protected by the\r
+     * signature, rather than directly embedding that content. So\r
+     * Authenticode implementations are also expected to use\r
+     * PKCS7_verify() with explicit external data, on non-detached\r
+     * PKCS#7 signatures.\r
+     *\r
+     * In OpenSSL 1.1 a new flag PKCS7_NO_DUAL_CONTENT has been\r
+     * introduced to disable this sanity check. For the 1.0.2 branch\r
+     * this change is not acceptable, so the check remains completely\r
+     * commented out (as it has been for a long time).\r
+     */\r
 \r
     /* Check for data and content: two sets of data */\r
     if (!PKCS7_get_detached(p7) && indata) {\r
         PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);\r
         return 0;\r
     }\r
+#endif\r
 \r
     sinfos = PKCS7_get_signer_info(p7);\r
 \r
@@ -355,9 +373,14 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,\r
     } else\r
         tmpout = out;\r
 \r
+    bufsiz = 4096;\r
+    buf = OPENSSL_malloc(bufsiz);\r
+    if (buf == NULL) {\r
+        goto err;\r
+    }\r
     /* We now have to 'read' from p7bio to calculate digests etc. */\r
     for (;;) {\r
-        i = BIO_read(p7bio, buf, sizeof(buf));\r
+        i = BIO_read(p7bio, buf, bufsiz);\r
         if (i <= 0)\r
             break;\r
         if (tmpout)\r
@@ -394,6 +417,9 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,\r
     }\r
     BIO_free_all(p7bio);\r
     sk_X509_free(signers);\r
+    if (buf != NULL) {\r
+        OPENSSL_free(buf);\r
+    }\r
     return ret;\r
 }\r
 \r
diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c\r
index 266111e..f60fac6 100644\r
--- a/crypto/rand/rand_unix.c\r
+++ b/crypto/rand/rand_unix.c\r
@@ -116,7 +116,7 @@\r
 #include <openssl/rand.h>\r
 #include "rand_lcl.h"\r
 \r
-#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE))\r
+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI))\r
 \r
 # include <sys/types.h>\r
 # include <sys/time.h>\r
@@ -439,7 +439,7 @@ int RAND_poll(void)\r
                                  * defined(OPENSSL_SYS_VXWORKS) ||\r
                                  * defined(OPENSSL_SYS_NETWARE)) */\r
 \r
-#if defined(OPENSSL_SYS_VXWORKS)\r
+#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)\r
 int RAND_poll(void)\r
 {\r
     return 0;\r
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c\r
index 4e06218..f591f0f 100644\r
--- a/crypto/rsa/rsa_ameth.c\r
+++ b/crypto/rsa/rsa_ameth.c\r
@@ -68,10 +68,12 @@\r
 #endif\r
 #include "asn1_locl.h"\r
 \r
+#ifndef OPENSSL_NO_CMS\r
 static int rsa_cms_sign(CMS_SignerInfo *si);\r
 static int rsa_cms_verify(CMS_SignerInfo *si);\r
 static int rsa_cms_decrypt(CMS_RecipientInfo *ri);\r
 static int rsa_cms_encrypt(CMS_RecipientInfo *ri);\r
+#endif\r
 \r
 static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)\r
 {\r
@@ -665,6 +667,7 @@ static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,\r
     return rv;\r
 }\r
 \r
+#ifndef OPENSSL_NO_CMS\r
 static int rsa_cms_verify(CMS_SignerInfo *si)\r
 {\r
     int nid, nid2;\r
@@ -683,6 +686,7 @@ static int rsa_cms_verify(CMS_SignerInfo *si)\r
     }\r
     return 0;\r
 }\r
+#endif\r
 \r
 /*\r
  * Customised RSA item verification routine. This is called when a signature\r
@@ -705,6 +709,7 @@ static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,\r
     return -1;\r
 }\r
 \r
+#ifndef OPENSSL_NO_CMS\r
 static int rsa_cms_sign(CMS_SignerInfo *si)\r
 {\r
     int pad_mode = RSA_PKCS1_PADDING;\r
@@ -729,6 +734,7 @@ static int rsa_cms_sign(CMS_SignerInfo *si)\r
     X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os);\r
     return 1;\r
 }\r
+#endif\r
 \r
 static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,\r
                          X509_ALGOR *alg1, X509_ALGOR *alg2,\r
@@ -785,6 +791,7 @@ static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg,\r
     return pss;\r
 }\r
 \r
+#ifndef OPENSSL_NO_CMS\r
 static int rsa_cms_decrypt(CMS_RecipientInfo *ri)\r
 {\r
     EVP_PKEY_CTX *pkctx;\r
@@ -857,7 +864,9 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)\r
         X509_ALGOR_free(maskHash);\r
     return rv;\r
 }\r
+#endif\r
 \r
+#ifndef OPENSSL_NO_CMS\r
 static int rsa_cms_encrypt(CMS_RecipientInfo *ri)\r
 {\r
     const EVP_MD *md, *mgf1md;\r
@@ -920,6 +929,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)\r
         ASN1_STRING_free(os);\r
     return rv;\r
 }\r
+#endif\r
 \r
 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {\r
     {\r
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c\r
index 0429767..7ddc21c 100644\r
--- a/crypto/x509/x509_vfy.c\r
+++ b/crypto/x509/x509_vfy.c\r
@@ -940,6 +940,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)\r
         ctx->current_crl = crl;\r
     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)\r
         ptime = &ctx->param->check_time;\r
+    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)\r
+        return 1;\r
     else\r
         ptime = NULL;\r
 \r
@@ -1663,6 +1665,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)\r
 \r
     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)\r
         ptime = &ctx->param->check_time;\r
+    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)\r
+        return 1;\r
     else\r
         ptime = NULL;\r
 \r
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h\r
index 2663e1c..98d0b4c 100644\r
--- a/crypto/x509/x509_vfy.h\r
+++ b/crypto/x509/x509_vfy.h\r
@@ -438,6 +438,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);\r
  * will force the behaviour to match that of previous versions.\r
  */\r
 # define X509_V_FLAG_NO_ALT_CHAINS               0x100000\r
+/* Do not check certificate/CRL validity against current time */\r
+# define X509_V_FLAG_NO_CHECK_TIME               0x200000\r
 \r
 # define X509_VP_FLAG_DEFAULT                    0x1\r
 # define X509_VP_FLAG_OVERWRITE                  0x2\r
diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h\r
index c3a6fce..01edd2a 100644\r
--- a/crypto/x509v3/ext_dat.h\r
+++ b/crypto/x509v3/ext_dat.h\r
@@ -127,8 +127,10 @@ static const X509V3_EXT_METHOD *standard_exts[] = {\r
     &v3_idp,\r
     &v3_alt[2],\r
     &v3_freshest_crl,\r
+#ifndef OPENSSL_SYS_UEFI\r
     &v3_ct_scts[0],\r
     &v3_ct_scts[1],\r
+#endif\r
 };\r
 \r
 /* Number of standard extensions */\r
diff --git a/e_os.h b/e_os.h\r
index 1fa36c1..3e9dae2 100644\r
--- a/e_os.h\r
+++ b/e_os.h\r
@@ -136,7 +136,7 @@ extern "C" {\r
 #  define MSDOS\r
 # endif\r
 \r
-# if defined(MSDOS) && !defined(GETPID_IS_MEANINGLESS)\r
+# if (defined(MSDOS) || defined(OPENSSL_SYS_UEFI)) && !defined(GETPID_IS_MEANINGLESS)\r
 #  define GETPID_IS_MEANINGLESS\r
 # endif\r
 \r
diff --git a/e_os2.h b/e_os2.h\r
index 7be9989..909e22f 100644\r
--- a/e_os2.h\r
+++ b/e_os2.h\r
@@ -97,7 +97,14 @@ extern "C" {\r
  * For 32 bit environment, there seems to be the CygWin environment and then\r
  * all the others that try to do the same thing Microsoft does...\r
  */\r
-# if defined(OPENSSL_SYSNAME_UWIN)\r
+/*\r
+ * UEFI lives here because it might be built with a Microsoft toolchain and\r
+ * we need to avoid the false positive match on Windows.\r
+ */\r
+# if defined(OPENSSL_SYSNAME_UEFI)\r
+#  undef OPENSSL_SYS_UNIX\r
+#  define OPENSSL_SYS_UEFI\r
+# elif defined(OPENSSL_SYSNAME_UWIN)\r
 #  undef OPENSSL_SYS_UNIX\r
 #  define OPENSSL_SYS_WIN32_UWIN\r
 # else\r
Commit	Line	Data
3f73ccb3 QL	1	diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h\r
	2	index 6e2293b..325e5d2 100644\r
	3	--- a/crypto/bio/bio.h\r
	4	+++ b/crypto/bio/bio.h\r
	5	@@ -650,10 +650,10 @@ int BIO_asn1_set_suffix(BIO b, asn1_ps_func suffix,\r
f93f78ea QL	6	int BIO_asn1_get_suffix(BIO b, asn1_ps_func *psuffix,\r
	7	asn1_ps_func **psuffix_free);\r
	8	\r
	9	-# ifndef OPENSSL_NO_FP_API\r
	10	BIO_METHOD *BIO_s_file(void);\r
	11	BIO BIO_new_file(const char filename, const char *mode);\r
	12	BIO BIO_new_fp(FILE stream, int close_flag);\r
	13	+# ifndef OPENSSL_NO_FP_API\r
	14	# define BIO_s_file_internal BIO_s_file\r
	15	# endif\r
	16	BIO BIO_new(BIO_METHOD type);\r
3f73ccb3 QL	17	diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c\r
	18	index bfba93e..4f13d1b 100644\r
	19	--- a/crypto/bio/bss_file.c\r
	20	+++ b/crypto/bio/bss_file.c\r
	21	@@ -467,6 +467,23 @@ static int MS_CALLBACK file_puts(BIO bp, const char str)\r
f93f78ea QL	22	return (ret);\r
	23	}\r
	24	\r
	25	+# else\r
	26	+\r
	27	+BIO_METHOD *BIO_s_file(void)\r
	28	+{\r
	29	+ return NULL;\r
	30	+}\r
	31	+\r
	32	+BIO BIO_new_file(const char filename, const char *mode)\r
	33	+{\r
	34	+ return NULL;\r
	35	+}\r
	36	+\r
	37	+BIO BIO_new_fp(FILE stream, int close_flag)\r
	38	+{\r
	39	+ return NULL;\r
	40	+}\r
	41	+\r
	42	# endif /* OPENSSL_NO_STDIO */\r
	43	\r
	44	#endif /* HEADER_BSS_FILE_C */\r
3f73ccb3 QL	45	diff --git a/crypto/crypto.h b/crypto/crypto.h\r
	46	index c450d7a..d6e804e 100644\r
	47	--- a/crypto/crypto.h\r
	48	+++ b/crypto/crypto.h\r
	49	@@ -235,15 +235,15 @@ typedef struct openssl_item_st {\r
	50	# ifndef OPENSSL_NO_LOCKING\r
	51	# ifndef CRYPTO_w_lock\r
	52	# define CRYPTO_w_lock(type) \\r
	53	- CRYPTO_lock(CRYPTO_LOCK\|CRYPTO_WRITE,type,__FILE__,__LINE__)\r
	54	+ CRYPTO_lock(CRYPTO_LOCK\|CRYPTO_WRITE,type,NULL,0)\r
	55	# define CRYPTO_w_unlock(type) \\r
	56	- CRYPTO_lock(CRYPTO_UNLOCK\|CRYPTO_WRITE,type,__FILE__,__LINE__)\r
	57	+ CRYPTO_lock(CRYPTO_UNLOCK\|CRYPTO_WRITE,type,NULL,0)\r
	58	# define CRYPTO_r_lock(type) \\r
	59	- CRYPTO_lock(CRYPTO_LOCK\|CRYPTO_READ,type,__FILE__,__LINE__)\r
	60	+ CRYPTO_lock(CRYPTO_LOCK\|CRYPTO_READ,type,NULL,0)\r
	61	# define CRYPTO_r_unlock(type) \\r
	62	- CRYPTO_lock(CRYPTO_UNLOCK\|CRYPTO_READ,type,__FILE__,__LINE__)\r
	63	+ CRYPTO_lock(CRYPTO_UNLOCK\|CRYPTO_READ,type,NULL,0)\r
	64	# define CRYPTO_add(addr,amount,type) \\r
	65	- CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__)\r
	66	+ CRYPTO_add_lock(addr,amount,type,NULL,0)\r
	67	# endif\r
	68	# else\r
	69	# define CRYPTO_w_lock(a)\r
	70	@@ -378,19 +378,19 @@ int CRYPTO_is_mem_check_on(void);\r
	71	# define MemCheck_off() CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE)\r
	72	# define is_MemCheck_on() CRYPTO_is_mem_check_on()\r
	73	\r
	74	-# define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__)\r
	75	-# define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__)\r
	76	+# define OPENSSL_malloc(num) CRYPTO_malloc((int)num,NULL,0)\r
	77	+# define OPENSSL_strdup(str) CRYPTO_strdup((str),NULL,0)\r
	78	# define OPENSSL_realloc(addr,num) \\r
	79	- CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)\r
	80	+ CRYPTO_realloc((char *)addr,(int)num,NULL,0)\r
	81	# define OPENSSL_realloc_clean(addr,old_num,num) \\r
	82	- CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__)\r
	83	+ CRYPTO_realloc_clean(addr,old_num,num,NULL,0)\r
	84	# define OPENSSL_remalloc(addr,num) \\r
	85	- CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)\r
	86	+ CRYPTO_remalloc((char **)addr,(int)num,NULL,0)\r
	87	# define OPENSSL_freeFunc CRYPTO_free\r
	88	# define OPENSSL_free(addr) CRYPTO_free(addr)\r
	89	\r
	90	# define OPENSSL_malloc_locked(num) \\r
	91	- CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)\r
	92	+ CRYPTO_malloc_locked((int)num,NULL,0)\r
	93	# define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr)\r
	94	\r
	95	const char *SSLeay_version(int type);\r
	96	@@ -545,7 +545,7 @@ void CRYPTO_set_mem_debug_options(long bits);\r
	97	long CRYPTO_get_mem_debug_options(void);\r
	98	\r
	99	# define CRYPTO_push_info(info) \\r
	100	- CRYPTO_push_info_(info, __FILE__, __LINE__);\r
	101	+ CRYPTO_push_info_(info, NULL, 0);\r
	102	int CRYPTO_push_info_(const char info, const char file, int line);\r
	103	int CRYPTO_pop_info(void);\r
	104	int CRYPTO_remove_all_info(void);\r
	105	@@ -588,7 +588,7 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);\r
	106	\r
	107	/* die if we have to */\r
	108	void OpenSSLDie(const char file, int line, const char assertion);\r
109	-# define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))\r
110	+# define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(NULL, 0, #e),1))\r
111	\r
112	unsigned long *OPENSSL_ia32cap_loc(void);\r
113	# define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))\r
114	@@ -605,14 +605,14 @@ void OPENSSL_init(void);\r
115	# define fips_md_init_ctx(alg, cx) \\r
116	int alg##_Init(cx##_CTX *c) \\r
117	{ \\r
118	- if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \\r
119	+ if (FIPS_mode()) OpenSSLDie(NULL, 0, \\r
120	"Low level API call to digest " #alg " forbidden in FIPS mode!"); \\r
121	return private_##alg##_Init(c); \\r
122	} \\r
123	int private_##alg##_Init(cx##_CTX *c)\r
124	\r
125	# define fips_cipher_abort(alg) \\r
126	- if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \\r
127	+ if (FIPS_mode()) OpenSSLDie(NULL, 0, \\r
128	"Low level API call to cipher " #alg " forbidden in FIPS mode!")\r
129	\r
130	# else\r
131	diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c\r
132	index b58e3fa..e5f345a 100644\r
133	--- a/crypto/dh/dh_pmeth.c\r
134	+++ b/crypto/dh/dh_pmeth.c\r
135	@@ -449,6 +449,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX ctx, unsigned char key,\r
f93f78ea QL	136	*keylen = ret;\r
	137	return 1;\r
	138	} else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {\r
	139	+#ifdef OPENSSL_NO_CMS\r
	140	+ return 0;\r
	141	+#else\r
	142	unsigned char *Z = NULL;\r
	143	size_t Zlen = 0;\r
	144	if (!dctx->kdf_outlen \|\| !dctx->kdf_oid)\r
3f73ccb3	145	@@ -478,6 +481,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX ctx, unsigned char key,\r
f93f78ea QL	146	OPENSSL_free(Z);\r
	147	}\r
	148	return ret;\r
	149	+#endif\r
	150	}\r
	151	return 1;\r
	152	}\r
3f73ccb3 QL	153	diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h\r
	154	index d3b23fc..d61605b 100644\r
	155	--- a/crypto/pem/pem.h\r
	156	+++ b/crypto/pem/pem.h\r
	157	@@ -324,6 +324,7 @@ int PEM_write_bio_##name(BIO bp, type x, const EVP_CIPHER *enc, \\r
f93f78ea QL	158	\r
	159	# define DECLARE_PEM_read_fp(name, type) /**/\r
	160	# define DECLARE_PEM_write_fp(name, type) /**/\r
	161	+# define DECLARE_PEM_write_fp_const(name, type) /**/\r
	162	# define DECLARE_PEM_write_cb_fp(name, type) /**/\r
	163	# else\r
	164	\r
3f73ccb3	165	diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c\r
503f6e38	166	index c4d3724..fd531c9 100644\r
3f73ccb3 QL	167	--- a/crypto/pkcs7/pk7_smime.c\r
	168	+++ b/crypto/pkcs7/pk7_smime.c\r
	169	@@ -254,7 +254,8 @@ int PKCS7_verify(PKCS7 p7, STACK_OF(X509) certs, X509_STORE *store,\r
f93f78ea QL	170	STACK_OF(PKCS7_SIGNER_INFO) *sinfos;\r
	171	PKCS7_SIGNER_INFO *si;\r
	172	X509_STORE_CTX cert_ctx;\r
	173	- char buf[4096];\r
	174	+ char *buf = NULL;\r
	175	+ int bufsiz;\r
	176	int i, j = 0, k, ret = 0;\r
65202874 QL	177	BIO *p7bio = NULL;\r
65202874 QL	178	BIO tmpin = NULL, tmpout = NULL;\r
503f6e38 QL	179	@@ -274,12 +275,29 @@ int PKCS7_verify(PKCS7 p7, STACK_OF(X509) certs, X509_STORE *store,\r
503f6e38 QL	180	PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);\r
65202874 QL	181	return 0;\r
65202874 QL	182	}\r
503f6e38 QL	183	+#if 0\r
	184	+ /*\r
	185	+ * NB: this test commented out because some versions of Netscape\r
	186	+ * illegally include zero length content when signing data. Also\r
	187	+ * Microsoft Authenticode includes a SpcIndirectDataContent data\r
	188	+ * structure which describes the content to be protected by the\r
	189	+ * signature, rather than directly embedding that content. So\r
	190	+ * Authenticode implementations are also expected to use\r
	191	+ * PKCS7_verify() with explicit external data, on non-detached\r
	192	+ * PKCS#7 signatures.\r
	193	+ *\r
	194	+ * In OpenSSL 1.1 a new flag PKCS7_NO_DUAL_CONTENT has been\r
	195	+ * introduced to disable this sanity check. For the 1.0.2 branch\r
	196	+ * this change is not acceptable, so the check remains completely\r
	197	+ * commented out (as it has been for a long time).\r
	198	+ */\r
	199	\r
	200	/* Check for data and content: two sets of data */\r
	201	if (!PKCS7_get_detached(p7) && indata) {\r
	202	PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);\r
	203	return 0;\r
	204	}\r
	205	+#endif\r
65202874	206	\r
65202874 QL	207	sinfos = PKCS7_get_signer_info(p7);\r
65202874 QL	208	\r
503f6e38	209	@@ -355,9 +373,14 @@ int PKCS7_verify(PKCS7 p7, STACK_OF(X509) certs, X509_STORE *store,\r
f93f78ea QL	210	} else\r
	211	tmpout = out;\r
	212	\r
	213	+ bufsiz = 4096;\r
	214	+ buf = OPENSSL_malloc(bufsiz);\r
	215	+ if (buf == NULL) {\r
	216	+ goto err;\r
	217	+ }\r
	218	/* We now have to 'read' from p7bio to calculate digests etc. */\r
	219	for (;;) {\r
	220	- i = BIO_read(p7bio, buf, sizeof(buf));\r
	221	+ i = BIO_read(p7bio, buf, bufsiz);\r
	222	if (i <= 0)\r
	223	break;\r
	224	if (tmpout)\r
503f6e38	225	@@ -394,6 +417,9 @@ int PKCS7_verify(PKCS7 p7, STACK_OF(X509) certs, X509_STORE *store,\r
65202874	226	}\r
f93f78ea	227	BIO_free_all(p7bio);\r
f93f78ea	228	sk_X509_free(signers);\r
f93f78ea	229	+ if (buf != NULL) {\r
e6b2c991	230	+ OPENSSL_free(buf);\r
f93f78ea	231	+ }\r
f93f78ea QL	232	return ret;\r
f93f78ea QL	233	}\r
65202874	234	\r
3f73ccb3 QL	235	diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c\r
	236	index 266111e..f60fac6 100644\r
	237	--- a/crypto/rand/rand_unix.c\r
	238	+++ b/crypto/rand/rand_unix.c\r
f93f78ea QL	239	@@ -116,7 +116,7 @@\r
	240	#include <openssl/rand.h>\r
	241	#include "rand_lcl.h"\r
	242	\r
	243	-#if !(defined(OPENSSL_SYS_WINDOWS) \|\| defined(OPENSSL_SYS_WIN32) \|\| defined(OPENSSL_SYS_VMS) \|\| defined(OPENSSL_SYS_OS2) \|\| defined(OPENSSL_SYS_VXWORKS) \|\| defined(OPENSSL_SYS_NETWARE))\r
	244	+#if !(defined(OPENSSL_SYS_WINDOWS) \|\| defined(OPENSSL_SYS_WIN32) \|\| defined(OPENSSL_SYS_VMS) \|\| defined(OPENSSL_SYS_OS2) \|\| defined(OPENSSL_SYS_VXWORKS) \|\| defined(OPENSSL_SYS_NETWARE) \|\| defined(OPENSSL_SYS_UEFI))\r
	245	\r
	246	# include <sys/types.h>\r
	247	# include <sys/time.h>\r
3f73ccb3	248	@@ -439,7 +439,7 @@ int RAND_poll(void)\r
f93f78ea QL	249	* defined(OPENSSL_SYS_VXWORKS) \|\|\r
	250	* defined(OPENSSL_SYS_NETWARE)) */\r
	251	\r
	252	-#if defined(OPENSSL_SYS_VXWORKS)\r
	253	+#if defined(OPENSSL_SYS_VXWORKS) \|\| defined(OPENSSL_SYS_UEFI)\r
	254	int RAND_poll(void)\r
	255	{\r
	256	return 0;\r
3f73ccb3 QL	257	diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c\r
	258	index 4e06218..f591f0f 100644\r
	259	--- a/crypto/rsa/rsa_ameth.c\r
	260	+++ b/crypto/rsa/rsa_ameth.c\r
f93f78ea QL	261	@@ -68,10 +68,12 @@\r
	262	#endif\r
	263	#include "asn1_locl.h"\r
	264	\r
	265	+#ifndef OPENSSL_NO_CMS\r
	266	static int rsa_cms_sign(CMS_SignerInfo *si);\r
	267	static int rsa_cms_verify(CMS_SignerInfo *si);\r
	268	static int rsa_cms_decrypt(CMS_RecipientInfo *ri);\r
	269	static int rsa_cms_encrypt(CMS_RecipientInfo *ri);\r
	270	+#endif\r
	271	\r
	272	static int rsa_pub_encode(X509_PUBKEY pk, const EVP_PKEY pkey)\r
	273	{\r
3f73ccb3	274	@@ -665,6 +667,7 @@ static int rsa_pss_to_ctx(EVP_MD_CTX ctx, EVP_PKEY_CTX pkctx,\r
f93f78ea QL	275	return rv;\r
	276	}\r
	277	\r
	278	+#ifndef OPENSSL_NO_CMS\r
	279	static int rsa_cms_verify(CMS_SignerInfo *si)\r
	280	{\r
	281	int nid, nid2;\r
3f73ccb3	282	@@ -683,6 +686,7 @@ static int rsa_cms_verify(CMS_SignerInfo *si)\r
f93f78ea QL	283	}\r
	284	return 0;\r
	285	}\r
	286	+#endif\r
	287	\r
	288	/*\r
	289	* Customised RSA item verification routine. This is called when a signature\r
3f73ccb3	290	@@ -705,6 +709,7 @@ static int rsa_item_verify(EVP_MD_CTX ctx, const ASN1_ITEM it, void *asn,\r
f93f78ea QL	291	return -1;\r
	292	}\r
	293	\r
	294	+#ifndef OPENSSL_NO_CMS\r
	295	static int rsa_cms_sign(CMS_SignerInfo *si)\r
	296	{\r
	297	int pad_mode = RSA_PKCS1_PADDING;\r
3f73ccb3	298	@@ -729,6 +734,7 @@ static int rsa_cms_sign(CMS_SignerInfo *si)\r
f93f78ea QL	299	X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os);\r
	300	return 1;\r
	301	}\r
	302	+#endif\r
	303	\r
	304	static int rsa_item_sign(EVP_MD_CTX ctx, const ASN1_ITEM it, void *asn,\r
	305	X509_ALGOR alg1, X509_ALGOR alg2,\r
3f73ccb3	306	@@ -785,6 +791,7 @@ static RSA_OAEP_PARAMS rsa_oaep_decode(const X509_ALGOR alg,\r
f93f78ea QL	307	return pss;\r
	308	}\r
	309	\r
	310	+#ifndef OPENSSL_NO_CMS\r
	311	static int rsa_cms_decrypt(CMS_RecipientInfo *ri)\r
	312	{\r
	313	EVP_PKEY_CTX *pkctx;\r
3f73ccb3	314	@@ -857,7 +864,9 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)\r
f93f78ea QL	315	X509_ALGOR_free(maskHash);\r
	316	return rv;\r
	317	}\r
	318	+#endif\r
	319	\r
	320	+#ifndef OPENSSL_NO_CMS\r
	321	static int rsa_cms_encrypt(CMS_RecipientInfo *ri)\r
	322	{\r
	323	const EVP_MD md, mgf1md;\r
3f73ccb3	324	@@ -920,6 +929,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)\r
f93f78ea QL	325	ASN1_STRING_free(os);\r
	326	return rv;\r
	327	}\r
	328	+#endif\r
	329	\r
	330	const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {\r
	331	{\r
3f73ccb3 QL	332	diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c\r
	333	index 0429767..7ddc21c 100644\r
	334	--- a/crypto/x509/x509_vfy.c\r
	335	+++ b/crypto/x509/x509_vfy.c\r
	336	@@ -940,6 +940,8 @@ static int check_crl_time(X509_STORE_CTX ctx, X509_CRL crl, int notify)\r
de0408be DW	337	ctx->current_crl = crl;\r
	338	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)\r
	339	ptime = &ctx->param->check_time;\r
	340	+ else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)\r
	341	+ return 1;\r
	342	else\r
	343	ptime = NULL;\r
f93f78ea	344	\r
3f73ccb3	345	@@ -1663,6 +1665,8 @@ static int check_cert_time(X509_STORE_CTX ctx, X509 x)\r
f93f78ea	346	\r
de0408be DW	347	if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)\r
	348	ptime = &ctx->param->check_time;\r
	349	+ else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)\r
	350	+ return 1;\r
	351	else\r
	352	ptime = NULL;\r
f93f78ea	353	\r
3f73ccb3 QL	354	diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h\r
	355	index 2663e1c..98d0b4c 100644\r
	356	--- a/crypto/x509/x509_vfy.h\r
	357	+++ b/crypto/x509/x509_vfy.h\r
	358	@@ -438,6 +438,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);\r
de0408be DW	359	* will force the behaviour to match that of previous versions.\r
	360	*/\r
	361	# define X509_V_FLAG_NO_ALT_CHAINS 0x100000\r
	362	+/* Do not check certificate/CRL validity against current time */\r
	363	+# define X509_V_FLAG_NO_CHECK_TIME 0x200000\r
f93f78ea	364	\r
de0408be DW	365	# define X509_VP_FLAG_DEFAULT 0x1\r
de0408be DW	366	# define X509_VP_FLAG_OVERWRITE 0x2\r
3f73ccb3 QL	367	diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h\r
	368	index c3a6fce..01edd2a 100644\r
	369	--- a/crypto/x509v3/ext_dat.h\r
	370	+++ b/crypto/x509v3/ext_dat.h\r
	371	@@ -127,8 +127,10 @@ static const X509V3_EXT_METHOD *standard_exts[] = {\r
f93f78ea QL	372	&v3_idp,\r
	373	&v3_alt[2],\r
	374	&v3_freshest_crl,\r
	375	+#ifndef OPENSSL_SYS_UEFI\r
	376	&v3_ct_scts[0],\r
	377	&v3_ct_scts[1],\r
	378	+#endif\r
	379	};\r
	380	\r
	381	/* Number of standard extensions */\r
3f73ccb3 QL	382	diff --git a/e_os.h b/e_os.h\r
	383	index 1fa36c1..3e9dae2 100644\r
	384	--- a/e_os.h\r
	385	+++ b/e_os.h\r
	386	@@ -136,7 +136,7 @@ extern "C" {\r
97468ab9 DW	387	# define MSDOS\r
	388	# endif\r
	389	\r
	390	-# if defined(MSDOS) && !defined(GETPID_IS_MEANINGLESS)\r
	391	+# if (defined(MSDOS) \|\| defined(OPENSSL_SYS_UEFI)) && !defined(GETPID_IS_MEANINGLESS)\r
	392	# define GETPID_IS_MEANINGLESS\r
	393	# endif\r
	394	\r
3f73ccb3 QL	395	diff --git a/e_os2.h b/e_os2.h\r
	396	index 7be9989..909e22f 100644\r
	397	--- a/e_os2.h\r
	398	+++ b/e_os2.h\r
	399	@@ -97,7 +97,14 @@ extern "C" {\r
3b21958b DW	400	* For 32 bit environment, there seems to be the CygWin environment and then\r
	401	* all the others that try to do the same thing Microsoft does...\r
	402	*/\r
	403	-# if defined(OPENSSL_SYSNAME_UWIN)\r
	404	+/*\r
	405	+ * UEFI lives here because it might be built with a Microsoft toolchain and\r
	406	+ * we need to avoid the false positive match on Windows.\r
	407	+ */\r
	408	+# if defined(OPENSSL_SYSNAME_UEFI)\r
	409	+# undef OPENSSL_SYS_UNIX\r
	410	+# define OPENSSL_SYS_UEFI\r
	411	+# elif defined(OPENSSL_SYSNAME_UWIN)\r
	412	# undef OPENSSL_SYS_UNIX\r
	413	# define OPENSSL_SYS_WIN32_UWIN\r
	414	# else\r