From 785d183b4eae6ac2749d1ffdc1b67facf92610e6 Mon Sep 17 00:00:00 2001 From: Long Qin Date: Wed, 25 Mar 2015 08:13:32 +0000 Subject: [PATCH] Upgrade to OpenSSL-0.9.8zf (released on 19-MAR-2015). Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Long Qin Reviewed-by: Dong Guo Reviewed-by: Ye Ting git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17072 6f19259b-4bc3-4df7-8a09-765794883524 --- .../OpensslLib/EDKII_openssl-0.9.8ze.patch | 281 ------------------ .../OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 +++++++++++++++++ CryptoPkg/Library/OpensslLib/Install.cmd | 2 +- CryptoPkg/Library/OpensslLib/Install.sh | 2 +- CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +- CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 +- 6 files changed, 295 insertions(+), 297 deletions(-) delete mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8ze.patch create mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8ze.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8ze.patch deleted file mode 100644 index c5f646ee96..0000000000 --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8ze.patch +++ /dev/null @@ -1,281 +0,0 @@ -Index: crypto/bio/bss_file.c -=================================================================== ---- crypto/bio/bss_file.c (revision 1) -+++ crypto/bio/bss_file.c (working copy) -@@ -428,6 +428,23 @@ - return(ret); - } - -+#else -+ -+BIO_METHOD *BIO_s_file(void) -+ { -+ return NULL; -+ } -+ -+BIO *BIO_new_file(const char *filename, const char *mode) -+ { -+ return NULL; -+ } -+ -+BIO *BIO_new_fp(FILE *stream, int close_flag) -+ { -+ return NULL; -+ } -+ - #endif /* OPENSSL_NO_STDIO */ - - #endif /* HEADER_BSS_FILE_C */ -Index: crypto/crypto.h -=================================================================== ---- crypto/crypto.h (revision 1) -+++ crypto/crypto.h (working copy) -@@ -235,15 +235,15 @@ - #ifndef OPENSSL_NO_LOCKING - #ifndef CRYPTO_w_lock - #define CRYPTO_w_lock(type) \ -- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) -+ CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,NULL,0) - #define CRYPTO_w_unlock(type) \ -- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) -+ CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,NULL,0) - #define CRYPTO_r_lock(type) \ -- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__) -+ CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,NULL,0) - #define CRYPTO_r_unlock(type) \ -- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__) -+ CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,NULL,0) - #define CRYPTO_add(addr,amount,type) \ -- CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__) -+ CRYPTO_add_lock(addr,amount,type,NULL,0) - #endif - #else - #define CRYPTO_w_lock(a) -@@ -361,19 +361,19 @@ - #define MemCheck_off() CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) - #define is_MemCheck_on() CRYPTO_is_mem_check_on() - --#define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__) --#define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__) -+#define OPENSSL_malloc(num) CRYPTO_malloc((int)num,NULL,0) -+#define OPENSSL_strdup(str) CRYPTO_strdup((str),NULL,0) - #define OPENSSL_realloc(addr,num) \ -- CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__) -+ CRYPTO_realloc((char *)addr,(int)num,NULL,0) - #define OPENSSL_realloc_clean(addr,old_num,num) \ -- CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__) -+ CRYPTO_realloc_clean(addr,old_num,num,NULL,0) - #define OPENSSL_remalloc(addr,num) \ -- CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__) -+ CRYPTO_remalloc((char **)addr,(int)num,NULL,0) - #define OPENSSL_freeFunc CRYPTO_free - #define OPENSSL_free(addr) CRYPTO_free(addr) - - #define OPENSSL_malloc_locked(num) \ -- CRYPTO_malloc_locked((int)num,__FILE__,__LINE__) -+ CRYPTO_malloc_locked((int)num,NULL,0) - #define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr) - - -@@ -487,7 +487,7 @@ - long CRYPTO_get_mem_debug_options(void); - - #define CRYPTO_push_info(info) \ -- CRYPTO_push_info_(info, __FILE__, __LINE__); -+ CRYPTO_push_info_(info, NULL, 0); - int CRYPTO_push_info_(const char *info, const char *file, int line); - int CRYPTO_pop_info(void); - int CRYPTO_remove_all_info(void); -@@ -528,17 +528,17 @@ - - /* die if we have to */ - void OpenSSLDie(const char *file,int line,const char *assertion); --#define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1)) -+#define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(NULL, 0, #e),1)) - - unsigned long *OPENSSL_ia32cap_loc(void); - #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc())) - int OPENSSL_isservice(void); - - #ifdef OPENSSL_FIPS --#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \ -+#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(NULL, 0, \ - alg " previous FIPS forbidden algorithm error ignored"); - --#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \ -+#define FIPS_BAD_ABORT(alg) OpenSSLDie(NULL, 0, \ - #alg " Algorithm forbidden in FIPS mode"); - - #ifdef OPENSSL_FIPS_STRICT -Index: crypto/err/err.c -=================================================================== ---- crypto/err/err.c (revision 1) -+++ crypto/err/err.c (working copy) -@@ -313,7 +313,12 @@ - es->err_data_flags[i]=flags; - } - -+/* Add EFIAPI for UEFI version. */ -+#if defined(OPENSSL_SYS_UEFI) -+void EFIAPI ERR_add_error_data(int num, ...) -+#else - void ERR_add_error_data(int num, ...) -+#endif - { - va_list args; - int i,n,s; -Index: crypto/err/err.h -=================================================================== ---- crypto/err/err.h (revision 1) -+++ crypto/err/err.h (working copy) -@@ -286,8 +286,14 @@ - #endif - #ifndef OPENSSL_NO_BIO - void ERR_print_errors(BIO *bp); -+ -+/* Add EFIAPI for UEFI version. */ -+#if defined(OPENSSL_SYS_UEFI) -+void EFIAPI ERR_add_error_data(int num, ...); -+#else - void ERR_add_error_data(int num, ...); - #endif -+#endif - void ERR_load_strings(int lib,ERR_STRING_DATA str[]); - void ERR_unload_strings(int lib,ERR_STRING_DATA str[]); - void ERR_load_ERR_strings(void); -Index: crypto/opensslconf.h -=================================================================== ---- crypto/opensslconf.h (revision 1) -+++ crypto/opensslconf.h (working copy) -@@ -162,6 +162,9 @@ - /* The prime number generation stuff may not work when - * EIGHT_BIT but I don't care since I've only used this mode - * for debuging the bignum libraries */ -+ -+/* Bypass following definition for UEFI version. */ -+#if !defined(OPENSSL_SYS_UEFI) - #undef SIXTY_FOUR_BIT_LONG - #undef SIXTY_FOUR_BIT - #define THIRTY_TWO_BIT -@@ -169,6 +172,8 @@ - #undef EIGHT_BIT - #endif - -+#endif -+ - #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) - #define CONFIG_HEADER_RC4_LOCL_H - /* if this is defined data[i] is used instead of *data, this is a %20 -Index: crypto/pkcs7/pk7_smime.c -=================================================================== ---- crypto/pkcs7/pk7_smime.c (revision 1) -+++ crypto/pkcs7/pk7_smime.c (working copy) -@@ -88,7 +88,10 @@ - if (!PKCS7_content_new(p7, NID_pkcs7_data)) - goto err; - -- if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) { -+ /* -+ NOTE: Update to SHA-256 digest algorithm for UEFI version. -+ */ -+ if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha256()))) { - PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR); - goto err; - } -@@ -173,7 +176,8 @@ - STACK_OF(PKCS7_SIGNER_INFO) *sinfos; - PKCS7_SIGNER_INFO *si; - X509_STORE_CTX cert_ctx; -- char buf[4096]; -+ char *buf = NULL; -+ int bufsiz; - int i, j=0, k, ret = 0; - BIO *p7bio; - BIO *tmpin, *tmpout; -@@ -284,10 +288,16 @@ - BIO_set_mem_eof_return(tmpout, 0); - } else tmpout = out; - -+ bufsiz = 4096; -+ buf = OPENSSL_malloc (bufsiz); -+ if (buf == NULL) { -+ goto err; -+ } -+ - /* We now have to 'read' from p7bio to calculate digests etc. */ - for (;;) - { -- i=BIO_read(p7bio,buf,sizeof(buf)); -+ i=BIO_read(p7bio,buf,bufsiz); - if (i <= 0) break; - if (tmpout) BIO_write(tmpout, buf, i); - } -@@ -326,6 +336,10 @@ - - sk_X509_free(signers); - -+ if (buf != NULL) { -+ OPENSSL_free (buf); -+ } -+ - return ret; - } - -Index: crypto/rand/rand_egd.c -=================================================================== ---- crypto/rand/rand_egd.c (revision 1) -+++ crypto/rand/rand_egd.c (working copy) -@@ -95,7 +95,7 @@ - * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. - */ - --#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) -+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI) - int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) - { - return(-1); -Index: crypto/rand/rand_unix.c -=================================================================== ---- crypto/rand/rand_unix.c (revision 1) -+++ crypto/rand/rand_unix.c (working copy) -@@ -116,7 +116,7 @@ - #include - #include "rand_lcl.h" - --#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)) -+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI)) - - #include - #include -@@ -322,7 +322,7 @@ - #endif /* !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)) */ - - --#if defined(OPENSSL_SYS_VXWORKS) -+#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI) - int RAND_poll(void) - { - return 0; -Index: crypto/x509/x509_vfy.c -=================================================================== ---- crypto/x509/x509_vfy.c (revision 1) -+++ crypto/x509/x509_vfy.c (working copy) -@@ -899,6 +899,10 @@ - - static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) - { -+#if defined(OPENSSL_SYS_UEFI) -+ /* Bypass Certificate Time Checking for UEFI version. */ -+ return 1; -+#else - time_t *ptime; - int i; - -@@ -942,6 +946,7 @@ - } - - return 1; -+#endif - } - - static int internal_verify(X509_STORE_CTX *ctx) diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch new file mode 100644 index 0000000000..4abe62c52e --- /dev/null +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch @@ -0,0 +1,279 @@ +Index: crypto/bio/bss_file.c +=================================================================== +--- crypto/bio/bss_file.c (revision 1) ++++ crypto/bio/bss_file.c (working copy) +@@ -418,6 +418,23 @@ + return (ret); + } + ++#else ++ ++BIO_METHOD *BIO_s_file(void) ++{ ++ return NULL; ++} ++ ++BIO *BIO_new_file(const char *filename, const char *mode) ++{ ++ return NULL; ++} ++ ++BIO *BIO_new_fp(FILE *stream, int close_flag) ++{ ++ return NULL; ++} ++ + # endif /* OPENSSL_NO_STDIO */ + + #endif /* HEADER_BSS_FILE_C */ +Index: crypto/crypto.h +=================================================================== +--- crypto/crypto.h (revision 1) ++++ crypto/crypto.h (working copy) +@@ -239,15 +239,15 @@ + # ifndef OPENSSL_NO_LOCKING + # ifndef CRYPTO_w_lock + # define CRYPTO_w_lock(type) \ +- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ++ CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,NULL,0) + # define CRYPTO_w_unlock(type) \ +- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ++ CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,NULL,0) + # define CRYPTO_r_lock(type) \ +- CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__) ++ CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,NULL,0) + # define CRYPTO_r_unlock(type) \ +- CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__) ++ CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,NULL,0) + # define CRYPTO_add(addr,amount,type) \ +- CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__) ++ CRYPTO_add_lock(addr,amount,type,NULL,0) + # endif + # else + # define CRYPTO_w_lock(a) +@@ -374,19 +374,19 @@ + # define MemCheck_off() CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) + # define is_MemCheck_on() CRYPTO_is_mem_check_on() + +-# define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__) +-# define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__) ++# define OPENSSL_malloc(num) CRYPTO_malloc((int)num,NULL,0) ++# define OPENSSL_strdup(str) CRYPTO_strdup((str),NULL,0) + # define OPENSSL_realloc(addr,num) \ +- CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__) ++ CRYPTO_realloc((char *)addr,(int)num,NULL,0) + # define OPENSSL_realloc_clean(addr,old_num,num) \ +- CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__) ++ CRYPTO_realloc_clean(addr,old_num,num,NULL,0) + # define OPENSSL_remalloc(addr,num) \ +- CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__) ++ CRYPTO_remalloc((char **)addr,(int)num,NULL,0) + # define OPENSSL_freeFunc CRYPTO_free + # define OPENSSL_free(addr) CRYPTO_free(addr) + + # define OPENSSL_malloc_locked(num) \ +- CRYPTO_malloc_locked((int)num,__FILE__,__LINE__) ++ CRYPTO_malloc_locked((int)num,NULL,0) + # define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr) + + const char *SSLeay_version(int type); +@@ -531,7 +531,7 @@ + long CRYPTO_get_mem_debug_options(void); + + # define CRYPTO_push_info(info) \ +- CRYPTO_push_info_(info, __FILE__, __LINE__); ++ CRYPTO_push_info_(info, NULL, 0); + int CRYPTO_push_info_(const char *info, const char *file, int line); + int CRYPTO_pop_info(void); + int CRYPTO_remove_all_info(void); +@@ -578,7 +578,7 @@ + + /* die if we have to */ + void OpenSSLDie(const char *file, int line, const char *assertion); +-# define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(__FILE__, __LINE__, #e),1)) ++# define OPENSSL_assert(e) (void)((e) ? 0 : (OpenSSLDie(NULL, 0, #e),1)) + + unsigned long *OPENSSL_ia32cap_loc(void); + # define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc())) +@@ -585,10 +585,10 @@ + int OPENSSL_isservice(void); + + # ifdef OPENSSL_FIPS +-# define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \ ++# define FIPS_ERROR_IGNORED(alg) OpenSSLDie(NULL, 0, \ + alg " previous FIPS forbidden algorithm error ignored"); + +-# define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \ ++# define FIPS_BAD_ABORT(alg) OpenSSLDie(NULL, 0, \ + #alg " Algorithm forbidden in FIPS mode"); + + # ifdef OPENSSL_FIPS_STRICT +Index: crypto/err/err.c +=================================================================== +--- crypto/err/err.c (revision 1) ++++ crypto/err/err.c (working copy) +@@ -321,7 +321,12 @@ + es->err_data_flags[i] = flags; + } + ++/* Add EFIAPI for UEFI version. */ ++#if defined(OPENSSL_SYS_UEFI) ++void EFIAPI ERR_add_error_data(int num, ...) ++#else + void ERR_add_error_data(int num, ...) ++#endif + { + va_list args; + int i, n, s; +Index: crypto/err/err.h +=================================================================== +--- crypto/err/err.h (revision 1) ++++ crypto/err/err.h (working copy) +@@ -285,7 +285,13 @@ + # endif + # ifndef OPENSSL_NO_BIO + void ERR_print_errors(BIO *bp); ++ ++/* Add EFIAPI for UEFI version. */ ++#if defined(OPENSSL_SYS_UEFI) ++void EFIAPI ERR_add_error_data(int num, ...); ++#else + void ERR_add_error_data(int num, ...); ++#endif + # endif + void ERR_load_strings(int lib, ERR_STRING_DATA str[]); + void ERR_unload_strings(int lib, ERR_STRING_DATA str[]); +Index: crypto/opensslconf.h +=================================================================== +--- crypto/opensslconf.h (revision 1) ++++ crypto/opensslconf.h (working copy) +@@ -162,6 +162,9 @@ + /* The prime number generation stuff may not work when + * EIGHT_BIT but I don't care since I've only used this mode + * for debuging the bignum libraries */ ++ ++/* Bypass following definition for UEFI version. */ ++#if !defined(OPENSSL_SYS_UEFI) + #undef SIXTY_FOUR_BIT_LONG + #undef SIXTY_FOUR_BIT + #define THIRTY_TWO_BIT +@@ -169,6 +172,8 @@ + #undef EIGHT_BIT + #endif + ++#endif ++ + #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) + #define CONFIG_HEADER_RC4_LOCL_H + /* if this is defined data[i] is used instead of *data, this is a %20 +Index: crypto/pkcs7/pk7_smime.c +=================================================================== +--- crypto/pkcs7/pk7_smime.c (revision 1) ++++ crypto/pkcs7/pk7_smime.c (working copy) +@@ -90,7 +90,14 @@ + if (!PKCS7_content_new(p7, NID_pkcs7_data)) + goto err; + ++#if defined(OPENSSL_SYS_UEFI) ++ /* ++ * NOTE: Update to SHA-256 digest algorithm for UEFI version. ++ */ ++ if (!(si = PKCS7_add_signature(p7, signcert, pkey, EVP_sha256()))) { ++#else + if (!(si = PKCS7_add_signature(p7, signcert, pkey, EVP_sha1()))) { ++#endif + PKCS7err(PKCS7_F_PKCS7_SIGN, PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR); + goto err; + } +@@ -175,7 +182,8 @@ + STACK_OF(PKCS7_SIGNER_INFO) *sinfos; + PKCS7_SIGNER_INFO *si; + X509_STORE_CTX cert_ctx; +- char buf[4096]; ++ char *buf = NULL; ++ int bufsiz; + int i, j = 0, k, ret = 0; + BIO *p7bio; + BIO *tmpin, *tmpout; +@@ -286,6 +294,12 @@ + } else + tmpout = out; + ++ bufsiz = 4096; ++ buf = OPENSSL_malloc (bufsiz); ++ if (buf == NULL) { ++ goto err; ++ } ++ + /* We now have to 'read' from p7bio to calculate digests etc. */ + for (;;) { + i = BIO_read(p7bio, buf, sizeof(buf)); +@@ -328,6 +342,10 @@ + + sk_X509_free(signers); + ++ if (buf != NULL) { ++ OPENSSL_free (buf); ++ } ++ + return ret; + } + +Index: crypto/rand/rand_egd.c +=================================================================== +--- crypto/rand/rand_egd.c (revision 1) ++++ crypto/rand/rand_egd.c (working copy) +@@ -95,7 +95,7 @@ + * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. + */ + +-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) ++#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI) + int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) + { + return (-1); +Index: crypto/rand/rand_unix.c +=================================================================== +--- crypto/rand/rand_unix.c (revision 1) ++++ crypto/rand/rand_unix.c (working copy) +@@ -116,7 +116,7 @@ + #include + #include "rand_lcl.h" + +-#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)) ++#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI)) + + # include + # include +@@ -332,7 +332,7 @@ + * defined(OPENSSL_SYS_VXWORKS) || + * defined(OPENSSL_SYS_NETWARE)) */ + +-#if defined(OPENSSL_SYS_VXWORKS) ++#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI) + int RAND_poll(void) + { + return 0; +Index: crypto/x509/x509_vfy.c +=================================================================== +--- crypto/x509/x509_vfy.c (revision 1) ++++ crypto/x509/x509_vfy.c (working copy) +@@ -871,6 +871,10 @@ + + static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) + { ++#if defined(OPENSSL_SYS_UEFI) ++ /* Bypass Certificate Time Checking for UEFI version. */ ++ return 1; ++#else + time_t *ptime; + int i; + +@@ -910,6 +914,7 @@ + } + + return 1; ++#endif + } + + static int internal_verify(X509_STORE_CTX *ctx) diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd index ac9f4999b1..8f1d016ed7 100755 --- a/CryptoPkg/Library/OpensslLib/Install.cmd +++ b/CryptoPkg/Library/OpensslLib/Install.cmd @@ -1,4 +1,4 @@ -cd openssl-0.9.8ze +cd openssl-0.9.8zf copy e_os2.h ..\..\..\Include\openssl copy crypto\crypto.h ..\..\..\Include\openssl copy crypto\tmdiff.h ..\..\..\Include\openssl diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh index 69fd563c91..4a022e666b 100755 --- a/CryptoPkg/Library/OpensslLib/Install.sh +++ b/CryptoPkg/Library/OpensslLib/Install.sh @@ -1,6 +1,6 @@ #!/bin/sh -cd openssl-0.9.8ze +cd openssl-0.9.8zf cp e_os2.h ../../../Include/openssl cp crypto/crypto.h ../../../Include/openssl cp crypto/tmdiff.h ../../../Include/openssl diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf index be46aea1ef..f564145c5a 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -20,7 +20,7 @@ MODULE_TYPE = BASE VERSION_STRING = 1.0 LIBRARY_CLASS = OpensslLib - DEFINE OPENSSL_PATH = openssl-0.9.8ze + DEFINE OPENSSL_PATH = openssl-0.9.8zf DEFINE OPENSSL_FLAGS = -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_ASM DEFINE OPENSSL_EXFLAGS = -DOPENSSL_SMALL_FOOTPRINT -DOPENSSL_NO_MD2 -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_ENGINE diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt index 58ff5bb315..de60a5fc20 100644 --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment. ================================================================================ OpenSSL-Version ================================================================================ - Current supported OpenSSL version for UEFI Crypto Library is 0.9.8ze. - http://www.openssl.org/source/openssl-0.9.8ze.tar.gz + Current supported OpenSSL version for UEFI Crypto Library is 0.9.8zf. + http://www.openssl.org/source/openssl-0.9.8zf.tar.gz ================================================================================ HOW to Install Openssl for UEFI Building ================================================================================ -1. Download OpenSSL 0.9.8ze from official website: - http://www.openssl.org/source/openssl-0.9.8ze.tar.gz +1. Download OpenSSL 0.9.8zf from official website: + http://www.openssl.org/source/openssl-0.9.8zf.tar.gz - NOTE: Some web browsers may rename the downloaded TAR file to openssl-0.9.8ze.tar.tar. - When you do the download, rename the "openssl-0.9.8ze.tar.tar" to - "openssl-0.9.8ze.tar.gz" or rename the local downloaded file with ".tar.tar" + NOTE: Some web browsers may rename the downloaded TAR file to openssl-0.9.8zf.tar.tar. + When you do the download, rename the "openssl-0.9.8zf.tar.tar" to + "openssl-0.9.8zf.tar.gz" or rename the local downloaded file with ".tar.tar" extension to ".tar.gz". -2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-0.9.8ze +2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-0.9.8zf NOTE: If you use WinZip to unpack the openssl source in Windows, please uncheck the WinZip smart CR/LF conversion option (WINZIP: Options --> Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion"). -3. Apply this patch: EDKII_openssl-0.9.8ze.patch, and make installation +3. Apply this patch: EDKII_openssl-0.9.8zf.patch, and make installation For Windows Environment: ------------------------ 1) Make sure the patch utility has been installed in your machine. Install Cygwin or get the patch utility binary from http://gnuwin32.sourceforge.net/packages/patch.htm - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-0.9.8ze - 3) patch -p0 -i ..\EDKII_openssl-0.9.8ze.patch + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-0.9.8zf + 3) patch -p0 -i ..\EDKII_openssl-0.9.8zf.patch 4) cd .. 5) Install.cmd @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment. ----------------------- 1) Make sure the patch utility has been installed in your machine. Patch utility is available from http://directory.fsf.org/project/patch/ - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-0.9.8ze - 3) patch -p0 -i ../EDKII_openssl-0.9.8ze.patch + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-0.9.8zf + 3) patch -p0 -i ../EDKII_openssl-0.9.8zf.patch 4) cd .. 5) ./Install.sh -- 2.39.2