CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch

   1 diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h
   2 index 6e2293b..325e5d2 100644
   3 --- a/crypto/bio/bio.h
   4 +++ b/crypto/bio/bio.h
   5 @@ -650,10 +650,10 @@ int BIO_asn1_set_suffix(BIO *b, asn1_ps_func *suffix,
   6  int BIO_asn1_get_suffix(BIO *b, asn1_ps_func **psuffix,
   7                          asn1_ps_func **psuffix_free);
   8
   9 -# ifndef OPENSSL_NO_FP_API
  10  BIO_METHOD *BIO_s_file(void);
  11  BIO *BIO_new_file(const char *filename, const char *mode);
  12  BIO *BIO_new_fp(FILE *stream, int close_flag);
  13 +# ifndef OPENSSL_NO_FP_API
  14  #  define BIO_s_file_internal    BIO_s_file
  15  # endif
  16  BIO *BIO_new(BIO_METHOD *type);
  17 diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c
  18 index bfba93e..4f13d1b 100644
  19 --- a/crypto/bio/bss_file.c
  20 +++ b/crypto/bio/bss_file.c
  21 @@ -467,6 +467,23 @@ static int MS_CALLBACK file_puts(BIO *bp, const char *str)
  22      return (ret);
  23  }
  24
  25 +# else
  26 +
  27 +BIO_METHOD *BIO_s_file(void)
  28 +{
  29 +    return NULL;
  30 +}
  31 +
  32 +BIO *BIO_new_file(const char *filename, const char *mode)
  33 +{
  34 +    return NULL;
  35 +}
  36 +
  37 +BIO *BIO_new_fp(FILE *stream, int close_flag)
  38 +{
  39 +    return NULL;
  40 +}
  41 +
  42  # endif                         /* OPENSSL_NO_STDIO */
  43
  44  #endif                          /* HEADER_BSS_FILE_C */
  45 diff --git a/crypto/crypto.h b/crypto/crypto.h
  46 index c450d7a..d6e804e 100644
  47 --- a/crypto/crypto.h
  48 +++ b/crypto/crypto.h
  49 @@ -235,15 +235,15 @@ typedef struct openssl_item_st {
  50  # ifndef OPENSSL_NO_LOCKING
  51  #  ifndef CRYPTO_w_lock
  52  #   define CRYPTO_w_lock(type)     \
  53 -        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
  54 +        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,NULL,0)
  55  #   define CRYPTO_w_unlock(type)   \
  56 -        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
  57 +        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,NULL,0)
  58  #   define CRYPTO_r_lock(type)     \
  59 -        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__)
  60 +        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,NULL,0)
  61  #   define CRYPTO_r_unlock(type)   \
  62 -        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__)
  63 +        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,NULL,0)
  64  #   define CRYPTO_add(addr,amount,type)    \
  65 -        CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__)
  66 +        CRYPTO_add_lock(addr,amount,type,NULL,0)
  67  #  endif
  68  # else
  69  #  define CRYPTO_w_lock(a)
  70 @@ -378,19 +378,19 @@ int CRYPTO_is_mem_check_on(void);
  71  # define MemCheck_off()  CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE)
  72  # define is_MemCheck_on() CRYPTO_is_mem_check_on()
  73
  74 -# define OPENSSL_malloc(num)     CRYPTO_malloc((int)num,__FILE__,__LINE__)
  75 -# define OPENSSL_strdup(str)     CRYPTO_strdup((str),__FILE__,__LINE__)
  76 +# define OPENSSL_malloc(num)     CRYPTO_malloc((int)num,NULL,0)
  77 +# define OPENSSL_strdup(str)     CRYPTO_strdup((str),NULL,0)
  78  # define OPENSSL_realloc(addr,num) \
  79 -        CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
  80 +        CRYPTO_realloc((char *)addr,(int)num,NULL,0)
  81  # define OPENSSL_realloc_clean(addr,old_num,num) \
  82 -        CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__)
  83 +        CRYPTO_realloc_clean(addr,old_num,num,NULL,0)
  84  # define OPENSSL_remalloc(addr,num) \
  85 -        CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__)
  86 +        CRYPTO_remalloc((char **)addr,(int)num,NULL,0)
  87  # define OPENSSL_freeFunc        CRYPTO_free
  88  # define OPENSSL_free(addr)      CRYPTO_free(addr)
  89
  90  # define OPENSSL_malloc_locked(num) \
  91 -        CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)
  92 +        CRYPTO_malloc_locked((int)num,NULL,0)
  93  # define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr)
  94
  95  const char *SSLeay_version(int type);
  96 @@ -545,7 +545,7 @@ void CRYPTO_set_mem_debug_options(long bits);
  97  long CRYPTO_get_mem_debug_options(void);
  98
  99  # define CRYPTO_push_info(info) \
 100 -        CRYPTO_push_info_(info, __FILE__, __LINE__);
 101 +        CRYPTO_push_info_(info, NULL, 0);
 102  int CRYPTO_push_info_(const char *info, const char *file, int line);
 103  int CRYPTO_pop_info(void);
 104  int CRYPTO_remove_all_info(void);
 105 @@ -588,7 +588,7 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
 106
 107  /* die if we have to */
 108  void OpenSSLDie(const char *file, int line, const char *assertion);
 109 -# define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1))
 110 +# define OPENSSL_assert(e)       (void)((e) ? 0 : (OpenSSLDie(NULL, 0, #e),1))
 111
 112  unsigned long *OPENSSL_ia32cap_loc(void);
 113  # define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
 114 @@ -605,14 +605,14 @@ void OPENSSL_init(void);
 115  #  define fips_md_init_ctx(alg, cx) \
 116          int alg##_Init(cx##_CTX *c) \
 117          { \
 118 -        if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
 119 +        if (FIPS_mode()) OpenSSLDie(NULL, 0, \
 120                  "Low level API call to digest " #alg " forbidden in FIPS mode!"); \
 121          return private_##alg##_Init(c); \
 122          } \
 123          int private_##alg##_Init(cx##_CTX *c)
 124
 125  #  define fips_cipher_abort(alg) \
 126 -        if (FIPS_mode()) OpenSSLDie(__FILE__, __LINE__, \
 127 +        if (FIPS_mode()) OpenSSLDie(NULL, 0, \
 128                  "Low level API call to cipher " #alg " forbidden in FIPS mode!")
 129
 130  # else
 131 diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
 132 index b58e3fa..e5f345a 100644
 133 --- a/crypto/dh/dh_pmeth.c
 134 +++ b/crypto/dh/dh_pmeth.c
 135 @@ -449,6 +449,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
 136          *keylen = ret;
 137          return 1;
 138      } else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) {
 139 +#ifdef OPENSSL_NO_CMS
 140 +        return 0;
 141 +#else
 142          unsigned char *Z = NULL;
 143          size_t Zlen = 0;
 144          if (!dctx->kdf_outlen || !dctx->kdf_oid)
 145 @@ -478,6 +481,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
 146              OPENSSL_free(Z);
 147          }
 148          return ret;
 149 +#endif
 150      }
 151      return 1;
 152  }
 153 diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h
 154 index d3b23fc..d61605b 100644
 155 --- a/crypto/pem/pem.h
 156 +++ b/crypto/pem/pem.h
 157 @@ -324,6 +324,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 158
 159  #  define DECLARE_PEM_read_fp(name, type) /**/
 160  #  define DECLARE_PEM_write_fp(name, type) /**/
 161 +#  define DECLARE_PEM_write_fp_const(name, type) /**/
 162  #  define DECLARE_PEM_write_cb_fp(name, type) /**/
 163  # else
 164
 165 diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
 166 index c4d3724..fd531c9 100644
 167 --- a/crypto/pkcs7/pk7_smime.c
 168 +++ b/crypto/pkcs7/pk7_smime.c
 169 @@ -254,7 +254,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 170      STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
 171      PKCS7_SIGNER_INFO *si;
 172      X509_STORE_CTX cert_ctx;
 173 -    char buf[4096];
 174 +    char *buf = NULL;
 175 +    int bufsiz;
 176      int i, j = 0, k, ret = 0;
 177      BIO *p7bio = NULL;
 178      BIO *tmpin = NULL, *tmpout = NULL;
 179 @@ -274,12 +275,29 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 180          PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);
 181          return 0;
 182      }
 183 +#if 0
 184 +    /*
 185 +     * NB: this test commented out because some versions of Netscape
 186 +     * illegally include zero length content when signing data. Also
 187 +     * Microsoft Authenticode includes a SpcIndirectDataContent data
 188 +     * structure which describes the content to be protected by the
 189 +     * signature, rather than directly embedding that content. So
 190 +     * Authenticode implementations are also expected to use
 191 +     * PKCS7_verify() with explicit external data, on non-detached
 192 +     * PKCS#7 signatures.
 193 +     *
 194 +     * In OpenSSL 1.1 a new flag PKCS7_NO_DUAL_CONTENT has been
 195 +     * introduced to disable this sanity check. For the 1.0.2 branch
 196 +     * this change is not acceptable, so the check remains completely
 197 +     * commented out (as it has been for a long time).
 198 +     */
 199
 200      /* Check for data and content: two sets of data */
 201      if (!PKCS7_get_detached(p7) && indata) {
 202          PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
 203          return 0;
 204      }
 205 +#endif
 206
 207      sinfos = PKCS7_get_signer_info(p7);
 208
 209 @@ -355,9 +373,14 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 210      } else
 211          tmpout = out;
 212
 213 +    bufsiz = 4096;
 214 +    buf = OPENSSL_malloc(bufsiz);
 215 +    if (buf == NULL) {
 216 +        goto err;
 217 +    }
 218      /* We now have to 'read' from p7bio to calculate digests etc. */
 219      for (;;) {
 220 -        i = BIO_read(p7bio, buf, sizeof(buf));
 221 +        i = BIO_read(p7bio, buf, bufsiz);
 222          if (i <= 0)
 223              break;
 224          if (tmpout)
 225 @@ -394,6 +417,9 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 226      }
 227      BIO_free_all(p7bio);
 228      sk_X509_free(signers);
 229 +    if (buf != NULL) {
 230 +        OPENSSL_free(buf);
 231 +    }
 232      return ret;
 233  }
 234
 235 diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
 236 index 266111e..f60fac6 100644
 237 --- a/crypto/rand/rand_unix.c
 238 +++ b/crypto/rand/rand_unix.c
 239 @@ -116,7 +116,7 @@
 240  #include <openssl/rand.h>
 241  #include "rand_lcl.h"
 242
 243 -#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE))
 244 +#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI))
 245
 246  # include <sys/types.h>
 247  # include <sys/time.h>
 248 @@ -439,7 +439,7 @@ int RAND_poll(void)
 249                                   * defined(OPENSSL_SYS_VXWORKS) ||
 250                                   * defined(OPENSSL_SYS_NETWARE)) */
 251
 252 -#if defined(OPENSSL_SYS_VXWORKS)
 253 +#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
 254  int RAND_poll(void)
 255  {
 256      return 0;
 257 diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
 258 index 4e06218..f591f0f 100644
 259 --- a/crypto/rsa/rsa_ameth.c
 260 +++ b/crypto/rsa/rsa_ameth.c
 261 @@ -68,10 +68,12 @@
 262  #endif
 263  #include "asn1_locl.h"
 264
 265 +#ifndef OPENSSL_NO_CMS
 266  static int rsa_cms_sign(CMS_SignerInfo *si);
 267  static int rsa_cms_verify(CMS_SignerInfo *si);
 268  static int rsa_cms_decrypt(CMS_RecipientInfo *ri);
 269  static int rsa_cms_encrypt(CMS_RecipientInfo *ri);
 270 +#endif
 271
 272  static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 273  {
 274 @@ -665,6 +667,7 @@ static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
 275      return rv;
 276  }
 277
 278 +#ifndef OPENSSL_NO_CMS
 279  static int rsa_cms_verify(CMS_SignerInfo *si)
 280  {
 281      int nid, nid2;
 282 @@ -683,6 +686,7 @@ static int rsa_cms_verify(CMS_SignerInfo *si)
 283      }
 284      return 0;
 285  }
 286 +#endif
 287
 288  /*
 289   * Customised RSA item verification routine. This is called when a signature
 290 @@ -705,6 +709,7 @@ static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
 291      return -1;
 292  }
 293
 294 +#ifndef OPENSSL_NO_CMS
 295  static int rsa_cms_sign(CMS_SignerInfo *si)
 296  {
 297      int pad_mode = RSA_PKCS1_PADDING;
 298 @@ -729,6 +734,7 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
 299      X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os);
 300      return 1;
 301  }
 302 +#endif
 303
 304  static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
 305                           X509_ALGOR *alg1, X509_ALGOR *alg2,
 306 @@ -785,6 +791,7 @@ static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg,
 307      return pss;
 308  }
 309
 310 +#ifndef OPENSSL_NO_CMS
 311  static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
 312  {
 313      EVP_PKEY_CTX *pkctx;
 314 @@ -857,7 +864,9 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
 315          X509_ALGOR_free(maskHash);
 316      return rv;
 317  }
 318 +#endif
 319
 320 +#ifndef OPENSSL_NO_CMS
 321  static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
 322  {
 323      const EVP_MD *md, *mgf1md;
 324 @@ -920,6 +929,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
 325          ASN1_STRING_free(os);
 326      return rv;
 327  }
 328 +#endif
 329
 330  const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
 331      {
 332 diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
 333 index 0429767..7ddc21c 100644
 334 --- a/crypto/x509/x509_vfy.c
 335 +++ b/crypto/x509/x509_vfy.c
 336 @@ -940,6 +940,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
 337          ctx->current_crl = crl;
 338      if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
 339          ptime = &ctx->param->check_time;
 340 +    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
 341 +        return 1;
 342      else
 343          ptime = NULL;
 344
 345 @@ -1663,6 +1665,8 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 346
 347      if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
 348          ptime = &ctx->param->check_time;
 349 +    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
 350 +        return 1;
 351      else
 352          ptime = NULL;
 353
 354 diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
 355 index 2663e1c..98d0b4c 100644
 356 --- a/crypto/x509/x509_vfy.h
 357 +++ b/crypto/x509/x509_vfy.h
 358 @@ -438,6 +438,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 359   * will force the behaviour to match that of previous versions.
 360   */
 361  # define X509_V_FLAG_NO_ALT_CHAINS               0x100000
 362 +/* Do not check certificate/CRL validity against current time */
 363 +# define X509_V_FLAG_NO_CHECK_TIME               0x200000
 364
 365  # define X509_VP_FLAG_DEFAULT                    0x1
 366  # define X509_VP_FLAG_OVERWRITE                  0x2
 367 diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
 368 index c3a6fce..01edd2a 100644
 369 --- a/crypto/x509v3/ext_dat.h
 370 +++ b/crypto/x509v3/ext_dat.h
 371 @@ -127,8 +127,10 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
 372      &v3_idp,
 373      &v3_alt[2],
 374      &v3_freshest_crl,
 375 +#ifndef OPENSSL_SYS_UEFI
 376      &v3_ct_scts[0],
 377      &v3_ct_scts[1],
 378 +#endif
 379  };
 380
 381  /* Number of standard extensions */
 382 diff --git a/e_os.h b/e_os.h
 383 index 1fa36c1..3e9dae2 100644
 384 --- a/e_os.h
 385 +++ b/e_os.h
 386 @@ -136,7 +136,7 @@ extern "C" {
 387  #  define MSDOS
 388  # endif
 389
 390 -# if defined(MSDOS) && !defined(GETPID_IS_MEANINGLESS)
 391 +# if (defined(MSDOS) || defined(OPENSSL_SYS_UEFI)) && !defined(GETPID_IS_MEANINGLESS)
 392  #  define GETPID_IS_MEANINGLESS
 393  # endif
 394
 395 diff --git a/e_os2.h b/e_os2.h
 396 index 7be9989..909e22f 100644
 397 --- a/e_os2.h
 398 +++ b/e_os2.h
 399 @@ -97,7 +97,14 @@ extern "C" {
 400   * For 32 bit environment, there seems to be the CygWin environment and then
 401   * all the others that try to do the same thing Microsoft does...
 402   */
 403 -# if defined(OPENSSL_SYSNAME_UWIN)
 404 +/*
 405 + * UEFI lives here because it might be built with a Microsoft toolchain and
 406 + * we need to avoid the false positive match on Windows.
 407 + */
 408 +# if defined(OPENSSL_SYSNAME_UEFI)
 409 +#  undef OPENSSL_SYS_UNIX
 410 +#  define OPENSSL_SYS_UEFI
 411 +# elif defined(OPENSSL_SYSNAME_UWIN)
 412  #  undef OPENSSL_SYS_UNIX
 413  #  define OPENSSL_SYS_WIN32_UWIN
 414  # else