summaryrefslogtreecommitdiff
path: root/CryptoPkg
AgeCommit message (Collapse)AuthorFilesLines
2016-03-15CryptoPkg: Fix the potential system hang issueJiaxin Wu1-12/+17
This patch is used to fix the potential system hang caused by the NULL 'time' parameter usage. Cc: David Woodhouse <dwmw2@infradead.org> Cc: Long Qin <qin.long@intel.com> Cc: Ye Ting <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com> Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2016-03-11CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2gQin Long7-79/+56
OpenSSL 1.0.2g was released with several severity fixes at 01-Mar-2016(https://www.openssl.org/news/secadv/20160301.txt). Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to catch the latest release 1.0.2g. (NOTE: RT4175 from David Woodhouse was included in 1.0.2g. The new-generated patch will remove this part. And the line endings were still kept as before in this version for consistency) CC: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2016-03-11CryptoPkg/OpensslLib: Convert saved opensslconf.h to DOS line endingsDavid Woodhouse1-2/+3
Until we fix the git repository to store line endings properly and then just check them out in the appropriate form for the platform, let's make process_files.sh convert the opensslconf.h to DOS line endings when it creates it. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Fix CRLF breakage in process_files.shDavid Woodhouse1-97/+97
This got broken in committing, due to a catalogue of broken practices. Firstly, we should *pull* git submissions, never recommit them. You preserve the correct history then, and don't risk rebasing to result in a history which *never* worked in the form that gets preserved. That would have kept the authorship attrbution correct too. Secondly, we shouldn't be storing CRLF line endings in the objects that git stores in its database. It is designed to store simple LF line endings, and then check that out as appropriate for the system (resulting in CRLF in the working tree for Windows users, as they expect). That would avoid this problem, and all the other problems we have with patches being exchanged. Make it executable too, which also got lost in the commit mess. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2016-03-05CryptoPkg/OpensslLib: Automatically configure OpenSSL and generate file listQin Long3-378/+120
OpenSSL 1.1 (as well as our backport to 1.0.2) now allows us to run its standard Configure script and import the result into the EDK II source repository for others to build natively. The opensslconf.h file and the list of files in OpensslLib.inf don't need to be managed manually. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Fix OpenSSL link failures on Windows (RT#4310)Qin Long1-0/+80
This is pull request #755 for OpenSSL 1.1, along with a little extra fix in the RSA_NET code which has been removed from 1.1 so we can't fix it there. https://github.com/openssl/openssl/pull/755 Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3969Qin Long1-3/+35
Support for the UEFI target has been added to OpenSSL in commit 4d60c7e10. Drop our partial implementation and use a backported version of what's upstream. This includes a couple of fixes which will be needed when we automatically generate the file list and opensslconf.h instead of manually maintaining those. This includes the subsequent fix in commit fb4844bbc. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3992Qin Long1-2/+69
Instead of commenting out the Signed Certificate Timestamps purely based on the OPENSSL_SYS_UEFI flag, OpenSSL 1.1 supports a no-sct configuration option, added in commit 05d7bf6c5. Drop our own hack and use that. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3951Qin Long1-0/+28
A more complete implementation of the X509_V_FLAG_NO_CHECK_TIME flag was added to OpenSSL 1.1 as commit d35ff2c0a. Drop our own version and use a backport of what was committed upstream. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3674Qin Long1-26/+147
A more complete fix for the no-cms configuration has been added to OpenSSL 1.1 as commit e968561d5. Drop our own version and use a backport of what was committed upstream. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3955Qin Long1-19/+137
A different fix for the excessive stack usage has been merged into OpenSSL 1.1 as commit 8e704858f. Drop our own version and use a backport of what was committed upstream. Note: This requires the free() function to work correctly when passed a NULL argument (qv). Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3628Qin Long2-17/+652
A complete implementation of the no-filenames configuration option was added to OpenSSL 1.1 in commit 02f7114a7. Drop our own version and use a backport of what was committed upstream. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3964Qin Long1-42/+768
Extensive fixes for the no-stdio configuration have been merged into OpenSSL 1.1, primarily in commit 984d6c605. The backport to 1.0.2 is slightly different because we still have a mixture of no-fp-api and no-stdio in 1.0.2, although they are hopelessly intertwined. Nevertheless, drop our own original version and switch to a backported version of what went into 1.1. This includes subsequent fixes in commit c0cf5b84d for the TS code. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#4175Qin Long1-11/+28
A different fix for the PKCS7_verify() regression on Authenticode signatures has landed in the OpenSSL 1.0.2 branch as commit c436c990f and will be present in the 1.0.2g release. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Regenerate OpenSSL patchQin Long2-146/+159
All the OpenSSL changes we carry in our EDKII_openssl patch for 1.0.2 are now merged into upstream OpenSSL and will be in the upcoming 1.1 release. As a first step towards switching out our original hacks for backported versions of the commits which were actually accepted into OpenSSL 1.1, just regenerate the *existing* patch against the 1.0.2f release using 'git diff'. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg/OpensslLib: Include complete copy of opensslconf.hQin Long4-322/+477
This can be an auto-generated file, and it *isn't* in the OpenSSL git tree; it's only in the generated tarballs. So rather than including it in our OpenSSL patch, just have the user copy it into place. This makes it easier to manage changes, and is a step towards better integration. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-03-05CryptoPkg: Use OpenSSL include directory directlyQin Long4-152/+154
The standard OpenSSL 1.0.2 configuration and build process will already symlink or copy the necessary header files to the include/openssl/ directory within the OpenSSL source tree. When we transition to OpenSSL 1.1 it won't even be necessary to link or copy the files there; they have just been moved outright. So let's use them from there. Change the include directory specified in CryptoPkg/CryptoPkg.dec, and modify the Install.cmd and Install.sh scripts to copy the files to the normal directory within the OpenSSL source tree, instead of CryptoPkg/Include/openssl/. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> Tested-by: Qin Long <qin.long@intel.com>
2016-02-25CryptoPkg: RuntimeCryptLib: support realloc(NULL, size)Laszlo Ersek1-0/+4
The ISO C standard says about realloc(), If ptr is a null pointer, the realloc function behaves like the malloc function for the specified size. The realloc() implementation doesn't conform to this currently, so add a check and call malloc() if appropriate. Cc: David Woodhouse <dwmw2@infradead.org> Cc: Qin Long <qin.long@intel.com> Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com>
2016-02-25CryptoPkg: RuntimeCryptLib: support free(NULL)Laszlo Ersek1-1/+7
The ISO C standard says about free(), If ptr is a null pointer, no action occurs. This is not true of the RuntimeFreeMem() internal function. Therefore we must not forward the argument of free() to RuntimeFreeMem() without checking. Cc: David Woodhouse <dwmw2@infradead.org> Cc: Qin Long <qin.long@intel.com> Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com>
2016-02-25CryptoPkg: BaseCryptLib: support free(NULL)Laszlo Ersek1-1/+7
The ISO C standard says about free(), If ptr is a null pointer, no action occurs. This is not true of the FreePool() interface of the MemoryAllocationLib class: Buffer must have been allocated on a previous call to the pool allocation services of the Memory Allocation Library. [...] If Buffer was not allocated with a pool allocation function in the Memory Allocation Library, then ASSERT(). Therefore we must not forward the argument of free() to FreePool() without checking. This bug can be triggered by upstream OpenSSL commit 8e704858f219 ("RT3955: Reduce some stack usage"), for example. Cc: David Woodhouse <dwmw2@infradead.org> Cc: Qin Long <qin.long@intel.com> Cc: Ting Ye <ting.ye@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com>
2016-02-23CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2fQin Long5-49/+48
OpenSSL has released version 1.0.2f with two security fixes (http://www.openssl.org/news/secadv/20160128.txt) at 28-Jan-2016. Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to catch the latest release 1.0.2f. (NOTE: The patch file was just re-generated, and no new source changes was introduced for 1.0.2f enabling) Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com>
2016-01-26CryptoPkg: Fix function qsort for non 32-bit machinesKaryne Mayer1-2/+2
Although the function qsort receives as an argument a "compare" function which returns an "int", QuickSortWorker (the function used internally by qsort to do its job) receives as an argument a "CompareFunction" which returns an "INTN". In a 32-bit machine, "INTN" is defined as "INT32", which is defined as "int" and everything works well. However, when qsort is compiled for a 64-bit machine, "INTN" is defined as "INT64" and the return values of the compare functions become incompatible ("int" for qsort and "INT64" for QuickSortWorker), causing malfunction. For example, let's assume qsort is being compiled for a 64-bit machine. As stated before, the "compare" function will be returning an "int", and "CompareFunction" will be returning an "INT64". When, for example, the "compare" function (which was passed as an argument to qsort and, then, re-passed as an argument to QuickSortWorker) returns -1 (or 0xffffffff, in a 32-bit integer, its original return type) from inside a call to QuickSortWorker, its return value is interpreted as being an "INT64" value - which turns out to be 4294967295 (or 0x00000000ffffffff, in a 64-bit integer) -, making the function QuickSortWorker to behave unexpectedly. Note that this unexpected (or incorrect) conversion does not happen when casting an "INT32" to an "INT64" directly, but does happen when casting function types. The issue is fixed by changing the return type of SORT_COMPARE (the type of "CompareFunction", used by QuickSortWorker) from "INTN" to "int". This way, both qsort and QuickSortWorker use compatible definitions for their compare functions. Contributed-under: TianoCore Contribution Agreement 1.0 Acked-by: Paulo Alcantara Cavalcanti <paulo.alc.cavalcanti@hp.com> Signed-off-by: Karyne Mayer <kmayer@hp.com> Signed-off-by: Rodrigo Dias Correa <rodrigo.dia.correa@hp.com> Signed-off-by: Arthur Crippa Burigo <acb@hp.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19748 6f19259b-4bc3-4df7-8a09-765794883524
2016-01-19CryptoPkg: Add NOOPT target in CryptoPkg.dscHao Wu1-2/+2
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19670 6f19259b-4bc3-4df7-8a09-765794883524
2015-12-17CryptoPkg: fix build support under RVCTArd Biesheuvel5-19/+18
The RVCT compiler chokes on a couple of issues in upstream OpenSSL that can be confirmed to be non-issues by inspection. So just ignore these warnings entirely. Also, move the dummy -J system include from CryptoPkg.dsc to the various .INF files, since it will not be picked up when building the CryptoPkg libraries from a platform .DSC Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19328 6f19259b-4bc3-4df7-8a09-765794883524
2015-12-15CryptoPkg: Convert all .uni files to utf-8Jordan Justen13-0/+0
To convert these files I ran: $ python3 BaseTools/Scripts/ConvertUni.py CryptoPkg Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jordan Justen <jordan.l.justen@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> Reviewed-by: Michael Kinney <michael.d.kinney@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19250 6f19259b-4bc3-4df7-8a09-765794883524
2015-12-11CryptoPkg/OpensslLib: upgrade OpenSSL version to 1.0.2eQin Long5-25/+38
OpenSSL has released version 1.0.2e with security fixes. Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib from 1.0.2d to 1.0.2e. (Note: This is based on Ard's previous patch with extra fix https://rt.openssl.org/Ticket/Display.html?id=4175) Contributed-under: TianoCore Contribution Agreement 1.0 Singed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19218 6f19259b-4bc3-4df7-8a09-765794883524
2015-12-07CryptoPkg/OpensslLib: comment out unused codeArd Biesheuvel1-12/+12
This comments out the pqueue and ts_* source files from the OpensslLib build, since they have no users. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19147 6f19259b-4bc3-4df7-8a09-765794883524
2015-12-07CryptoPkg/BaseCryptLib: make mVirtualAddressChangeEvent STATICArd Biesheuvel1-1/+1
Make mVirtualAddressChangeEvent STATIC to prevent it from conflicting with other variables of the same name that may be defined in other libraries (e.g., MdeModulePkg/Universal/Variable/RuntimeDxe) This also removes the risk of mVirtualAddressChangeEvent being merged with other uninitialized variables with external linkage by toolchains that perform COMMON allocation. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19146 6f19259b-4bc3-4df7-8a09-765794883524
2015-12-07CryptoPkg ARM: add ArmSoftFloatLib resolution to CryptoPkg.dscArd Biesheuvel1-0/+3
In order to build the ARM version of CryptoPkg from its own .DSC file, it needs a resolution for the ArmSoftFloatLib dependency of OpensslLib. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19145 6f19259b-4bc3-4df7-8a09-765794883524
2015-12-07CryptoPkg: remove global variable 'timeval' from OpenSslSupport.hArd Biesheuvel1-1/+1
The header file OpenSslSupport.h not only defines a type 'struct timeval' but also defines a global variable 'timeval' of that type. The RVCT compiler does not merge this definition into a common symbol, resulting in duplicate definition errors in the final link. So remove the variable definition. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19135 6f19259b-4bc3-4df7-8a09-765794883524
2015-12-04CryptoPkg: Disable VS2015 warning C4311 in OpensslLibLiming Gao1-1/+2
Warning C4311: pointer truncation from 'type' to 'type'. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Liming Gao <liming.gao@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> Reviewed-by: Michael Kinney <michael.d.kinney@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19115 6f19259b-4bc3-4df7-8a09-765794883524
2015-11-30CryptoPkg/OpensslLib: add softfloat dependency for ARMArd Biesheuvel1-1/+4
UEFI on 32-bit ARM does not allow the use of hardware floating point, so in order to be able to run OpenSslLib, we need to fulfil its floating point arithmetic dependencies using a software library. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19033 6f19259b-4bc3-4df7-8a09-765794883524
2015-11-25[CryptoPkg] Correct one typo in the API comments.Qin Long4-5/+5
Correct one typo (SingerChainCerts --> SignerChainCerts) in the comments for Pkcs7GetCertificatesList() API. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Shumin Qiu <shumin.qiu@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18944 6f19259b-4bc3-4df7-8a09-765794883524
2015-11-05CryptoPkg: fix AARCH64 build under CLANG35Ard Biesheuvel1-2/+2
The OpenSSL function sk_X509_delete_ptr() resolves through preprocessor substitution to '(X509 *)sk_delete_ptr()', in which the cast causes the call to be interpreted as an expression (whose value is not used) rather than a statement, resulting in the following error under Clang: ...: error: expression result unused [-Werror,-Wunused-value] Add (VOID) casts to silence the error. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18730 6f19259b-4bc3-4df7-8a09-765794883524
2015-11-05CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for certs retrieving.Qin Long4-0/+386
Adding one new API (Pkcs7GetCertificatesList) to retrieve and sort all embedded certificates from Pkcs7 signedData. This new API will provide the support for UEFI 2.5 Secure-Boot AuditMode feature. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Ting Ye <ting.ye@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18729 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29CryptoPkg/OpensslLib: Move OPENSSL_NO_xxx defines into opensslconf.hDavid Woodhouse2-44/+317
Putting these on the command line as we do at the moment means that they are *only* visible when actually building the OpenSSL code itself. When building other things like BaseCryptLib, they were missing. Which could lead to discrepancies in structures defined by the header files, between the OpenSSL code and the EDK II code which calls it. Move the definitions into opensslconf.h where they would normally live in a standard build of OpenSSL. Note: Do *not* set OPENSSL_NO_LHASH or OPENSSL_NO_OCSP since those weren't effectively disabled before; the directories was still being included in the build. If we actually disable then, the build breaks. We can hopefully fix at least OCSP upstream later, but one thing at a time... Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18708 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29CryptoPkg/OpensslLib: Eliminate GETPID_IS_MEANINGLESS definitionDavid Woodhouse2-2/+13
OpenSSL ought to work this out for itself when OPENSSL_SYS_UEFI is set. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18707 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29CryptoPkg: Fix OpenSSL BN wordsize and OPENSSL_SYS_UEFI handlingDavid Woodhouse5-42/+76
We were manually setting -DSIXTY_FOUR_BIT_LONG or -DTHIRTY_TWO_BIT on the compiler command line when building OpensslLib itself, but not when building BaseCryptLib. But when building BaseCryptLib, we weren't setting OPENSSL_SYS_UEFI *either*. This meant that *that* build was picking up the definition from <openssl/opensslconf.h>, and was thus *different* to the version the library was built with, in some cases. So set OPENSSL_SYS_UEFI consistently in OpensslSupport.h and *also* define either SIXTY_FOUR_BIT or THIRTY_TWO_BIT there too. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18706 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29CryptoPkg/OpensslLib: Undefine NO_BUILTIN_VA_FUNCS to fix varargs breakageDavid Woodhouse2-35/+1
Instead of patching OpenSSL to add EFIAPI to the one varargs function we actually *noticed* breakage in, let's fix the problem in a more coherent way by undefining NO_BUILTIN_VA_FUNCS. That way, the VA_START and similar macros will actually do the right thing for non-EFIAPI functions, which is to use the GCC builtins. It's still fairly broken elsewhere in the tree, with the VA_START macro being used from both EFIAPI and non-EFIAPI functions — and being broken in the latter case. We probably ought to make EFIAPI a no-op everywhere and add -mabi=ms to the GCC builds. But that's a project for another day. For now, just fix the OpenSSL build in a cleaner fashion. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18705 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29CryptoPkg/BaseCryptLib: Use X509_V_FLAG_NO_CHECK_TIMEDavid Woodhouse4-25/+39
OpenSSL HEAD is in the process of adding this flag to disable the validity time checking. Backport it to 1.0.2 and use it too, for consistency. https://rt.openssl.org/Ticket/Display.html?id=3951&user=guest&pass=guest Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18704 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29CryptoPkg/BaseCryptLib: Use X509_V_FLAG_PARTIAL_CHAINDavid Woodhouse3-171/+15
Since OpenSSL 1.0.2 we can set this flag on the X509_STORE to instruct OpenSSL to accept non-self-signed certificates as trusted. So we don't need two entirely identical copies of a verify_cb() function which makes it ignore the resulting errors. We also *didn't* use that verify_cb() function for X509VerifyCert(), but probably should have done. So that can get X509_V_FLAG_PARTIAL_CHAIN for consistency, too. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18703 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29CryptoPkg/BaseCryptLib: Clean up checking of PKCS#7 contents typeDavid Woodhouse1-3/+4
Use the new OBJ_get0_data() accessor to compare the data, and actually check the length of the object too. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18702 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29CryptoPkg/BaseCryptLib: Use accessor functions for ASN1_OBJECTDavid Woodhouse2-3/+10
OpenSSL 1.1 introduces new OBJ_get0_data() and OBJ_length() accessor functions and makes ASN1_OBJECT an opaque type. Unlike the accessors in previous commits which *did* actually exist already but just weren't mandatory, these don't exist in older versions of OpenSSL. So introduce macros which do the right thing, for compatibility. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18701 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29CryptoPkg/BaseCryptLib: Use accessor functions for X509_ATTRIBUTEDavid Woodhouse1-3/+11
In OpenSSL 1.1, the X509_ATTRIBUTE becomes an opaque structure and we will no longer get away with accessing its members directly. Use the accessor functions X509_ATTRIBUTE_get0_object0() and X509_ATTRIBUTE_get0_type() instead. Also be slightly more defensive about unlikely failure modes. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18700 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29CryptoPkg/BaseCryptLib: Use i2d_X509_NAME() instead of abusing X509_NAMEDavid Woodhouse1-4/+6
In OpenSSL 1.1, the X509_NAME becomes an opaque structure and we will no longer get away with accessing its members directly. Use i2d_X509_NAME() instead. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18699 6f19259b-4bc3-4df7-8a09-765794883524
2015-10-29CryptoPkg/BaseCryptLib: Add missing OpenSSL includesDavid Woodhouse4-4/+7
OpenSSL 1.1 has cleaned up its include files a little, and it will now be necessary to directly include things like <openssl/bn.h> if we want to use them, rather than assuming they are included indirectly from other headers. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Tested-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18698 6f19259b-4bc3-4df7-8a09-765794883524
2015-09-02CryptoPkg: Fix one wrong parameter for weak key checkingQin Long1-3/+3
Fix one wrong offset which is passed into DES weak key checking in TdesInit(). Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18389 6f19259b-4bc3-4df7-8a09-765794883524
2015-09-02CryptoPkg: Replace string wrapper functions with safe string functionsQin Long1-4/+6
EDKII core suggests to retire unsafe string functions. This patch is to replace string wrapper functions with new-added safe string functions for consistency. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Eric Dong <eric.dong@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18385 6f19259b-4bc3-4df7-8a09-765794883524
2015-08-20CryptoPkg: Add a missed include file to fix the possible build issue.Qin Long1-0/+2
Add a missed include file (UefiBaseType.h) into BaseCryptLib.h, since EFI_TIME was introduced in the new crypto API (ImageTimestampVerify). Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Liming Gao <liming.gao@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18255 6f19259b-4bc3-4df7-8a09-765794883524
2015-08-20CryptoPkg: Update Package version to 0.96Qin Long2-4/+4
Update Package version to 0.9.6 Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18247 6f19259b-4bc3-4df7-8a09-765794883524