Age | Commit message (Collapse) | Author |
|
Some fields in structure 'CertCtx' might be used uninitialized in function
Pkcs7GetCertificatesList().
This commit makes sure that 'CertCtx' gets initialized before being used.
Cc: Long Qin <qin.long@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
(cherry picked from commit 07cae0659795b4d6b59f67eabb8426c7c7742318)
|
|
This commit modifies the code logic to avoid passing NULL pointer to
function BN_bn2bin().
Cc: Long Qin <qin.long@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
(cherry picked from commit 8824c6144c73fe4b6355df6dfaee3e80e068c3b1)
|
|
- availabe to available
Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Giri P Mudusuru <giri.p.mudusuru@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
(cherry picked from commit ab6cee31e7dd468f8656d7ca101bf783a0fe9b82)
|
|
Getting openssl 1.0.2g building with ARM RVCT requires a change to
ignore an unset variable used before set was necessary.
(NOTE: This was fixed in OpenSSL 1.1 HEAD with commit
d9b8b89bec4480de3a10bdaf9425db371c19145b, and can be dropped then.)
corrects x509_vfy.c(875): error C3017: ok may be used before being set
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eugene Cohen <eugene@hp.com>
Reviewed-by: Qin Long <qin.long@intel.com>
(cherry picked from commit 179bcd31f320111adde639ebc3f69170be254c73)
|
|
Enable AES cipher support for SmmCryptLib instance.
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
(cherry picked from commit bfba88bc68eed24c71ff500b740c3f563531d49c)
|
|
This patch is used to fix the potential system hang
caused by the NULL 'time' parameter usage.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Long Qin <qin.long@intel.com>
Cc: Ye Ting <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
(cherry picked from commit 5e2318dd37a51948aaf845c7d920b11f47cdcfe6)
|
|
OpenSSL 1.0.2g was released with several severity fixes at
01-Mar-2016(https://www.openssl.org/news/secadv/20160301.txt).
Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to
catch the latest release 1.0.2g.
(NOTE: RT4175 from David Woodhouse was included in 1.0.2g. The
new-generated patch will remove this part. And the line
endings were still kept as before in this version for
consistency)
CC: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
(cherry picked from commit ec3a1a11dc90d46c87a70327c87d139d12eccdcb)
|
|
Until we fix the git repository to store line endings properly and then
just check them out in the appropriate form for the platform, let's make
process_files.sh convert the opensslconf.h to DOS line endings when it
creates it.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
(cherry picked from commit f6326d1fba1eb89a21e9831c9d716e5f3f970084)
|
|
This got broken in committing, due to a catalogue of broken practices.
Firstly, we should *pull* git submissions, never recommit them. You
preserve the correct history then, and don't risk rebasing to result in
a history which *never* worked in the form that gets preserved.
That would have kept the authorship attrbution correct too.
Secondly, we shouldn't be storing CRLF line endings in the objects that
git stores in its database. It is designed to store simple LF line endings,
and then check that out as appropriate for the system (resulting in CRLF
in the working tree for Windows users, as they expect). That would avoid
this problem, and all the other problems we have with patches being
exchanged.
Make it executable too, which also got lost in the commit mess.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
(cherry picked from commit 9353c60cea6eeedbbe4b336aea02646e2bf25f47)
|
|
OpenSSL 1.1 (as well as our backport to 1.0.2) now allows us to run its
standard Configure script and import the result into the EDK II source
repository for others to build natively. The opensslconf.h file and the
list of files in OpensslLib.inf don't need to be managed manually.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit f9496167549701f31968fea3b52c05c32689f7b9)
|
|
This is pull request #755 for OpenSSL 1.1, along with a little extra fix
in the RSA_NET code which has been removed from 1.1 so we can't fix it
there.
https://github.com/openssl/openssl/pull/755
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit 42d683426792b34c7538a07ade47a20e3d9929bf)
|
|
Support for the UEFI target has been added to OpenSSL in commit 4d60c7e10.
Drop our partial implementation and use a backported version of what's
upstream. This includes a couple of fixes which will be needed when we
automatically generate the file list and opensslconf.h instead of
manually maintaining those.
This includes the subsequent fix in commit fb4844bbc.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit 65213f295538c0de547819b4ed36ca89c71a67b0)
|
|
Instead of commenting out the Signed Certificate Timestamps purely based
on the OPENSSL_SYS_UEFI flag, OpenSSL 1.1 supports a no-sct configuration
option, added in commit 05d7bf6c5. Drop our own hack and use that.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit a62a7cc7f97cc1d9ce1a4fd2cff0bf6bb8506204)
|
|
A more complete implementation of the X509_V_FLAG_NO_CHECK_TIME flag was
added to OpenSSL 1.1 as commit d35ff2c0a. Drop our own version and use a
backport of what was committed upstream.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit e94546e77bcb4ff57c167be06bfbe1d1d5ac0754)
|
|
A more complete fix for the no-cms configuration has been added to
OpenSSL 1.1 as commit e968561d5. Drop our own version and use a
backport of what was committed upstream.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit f0e3cd1927c40e542798dd9a6b697f543c0e8829)
|
|
A different fix for the excessive stack usage has been merged into
OpenSSL 1.1 as commit 8e704858f. Drop our own version and use a backport
of what was committed upstream.
Note: This requires the free() function to work correctly when passed
a NULL argument (qv).
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit b9dbddd88acc645f048b61e240caa6642f80796f)
|
|
A complete implementation of the no-filenames configuration option was
added to OpenSSL 1.1 in commit 02f7114a7. Drop our own version and use
a backport of what was committed upstream.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit e578aa19dcd57734e9b4615e39d8d409384329a0)
|
|
Extensive fixes for the no-stdio configuration have been merged into
OpenSSL 1.1, primarily in commit 984d6c605.
The backport to 1.0.2 is slightly different because we still have a
mixture of no-fp-api and no-stdio in 1.0.2, although they are hopelessly
intertwined. Nevertheless, drop our own original version and switch to
a backported version of what went into 1.1.
This includes subsequent fixes in commit c0cf5b84d for the TS code.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit ca6fa1fe3bdf2f3f7356530166a4f138ba537b98)
|
|
A different fix for the PKCS7_verify() regression on Authenticode
signatures has landed in the OpenSSL 1.0.2 branch as commit c436c990f
and will be present in the 1.0.2g release.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit 503f6e3888ba9f39cb88d689804af62c9dd89ff2)
|
|
All the OpenSSL changes we carry in our EDKII_openssl patch for 1.0.2
are now merged into upstream OpenSSL and will be in the upcoming 1.1
release.
As a first step towards switching out our original hacks for backported
versions of the commits which were actually accepted into OpenSSL 1.1,
just regenerate the *existing* patch against the 1.0.2f release using
'git diff'.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit 3f73ccb37a05ffdfdd8e5fe79190befd11366787)
|
|
This can be an auto-generated file, and it *isn't* in the OpenSSL git tree;
it's only in the generated tarballs. So rather than including it in our
OpenSSL patch, just have the user copy it into place.
This makes it easier to manage changes, and is a step towards better
integration.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit 259d0e71af6888aae81df429d522b661af2b6bd4)
|
|
The standard OpenSSL 1.0.2 configuration and build process will already
symlink or copy the necessary header files to the include/openssl/
directory within the OpenSSL source tree.
When we transition to OpenSSL 1.1 it won't even be necessary to link
or copy the files there; they have just been moved outright.
So let's use them from there. Change the include directory specified
in CryptoPkg/CryptoPkg.dec, and modify the Install.cmd and Install.sh
scripts to copy the files to the normal directory within the OpenSSL
source tree, instead of CryptoPkg/Include/openssl/.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
(cherry picked from commit 6c56c76c75ef24e3ab103494a9236da73ad1ffa5)
|
|
The ISO C standard says about realloc(),
If ptr is a null pointer, the realloc function behaves like the malloc
function for the specified size.
The realloc() implementation doesn't conform to this currently, so add a
check and call malloc() if appropriate.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
(cherry picked from commit e89d672110aaf1c5a85404375ca6767b099d3b50)
|
|
The ISO C standard says about free(),
If ptr is a null pointer, no action occurs.
This is not true of the RuntimeFreeMem() internal function. Therefore we
must not forward the argument of free() to RuntimeFreeMem() without
checking.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
(cherry picked from commit 1246dde58e8a84644ad46679b8767f8643818e31)
|
|
The ISO C standard says about free(),
If ptr is a null pointer, no action occurs.
This is not true of the FreePool() interface of the MemoryAllocationLib
class:
Buffer must have been allocated on a previous call to the pool
allocation services of the Memory Allocation Library. [...] If Buffer
was not allocated with a pool allocation function in the Memory
Allocation Library, then ASSERT().
Therefore we must not forward the argument of free() to FreePool() without
checking.
This bug can be triggered by upstream OpenSSL commit 8e704858f219
("RT3955: Reduce some stack usage"), for example.
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Qin Long <qin.long@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
(cherry picked from commit 211372d63a82861e52250c0f7a5ee78d9dc417ae)
|
|
OpenSSL has released version 1.0.2f with two security fixes
(http://www.openssl.org/news/secadv/20160128.txt) at 28-Jan-2016.
Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib
to catch the latest release 1.0.2f.
(NOTE: The patch file was just re-generated, and no new source
changes was introduced for 1.0.2f enabling)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ting Ye <ting.ye@intel.com>
(cherry picked from commit e6b2c99121963f84b847120044075e7b6ce374cb)
|
|
Although the function qsort receives as an argument a "compare" function
which returns an "int", QuickSortWorker (the function used internally by
qsort to do its job) receives as an argument a "CompareFunction" which
returns an "INTN". In a 32-bit machine, "INTN" is defined as "INT32",
which is defined as "int" and everything works well. However, when qsort
is compiled for a 64-bit machine, "INTN" is defined as "INT64" and the
return values of the compare functions become incompatible ("int" for
qsort and "INT64" for QuickSortWorker), causing malfunction.
For example, let's assume qsort is being compiled for a 64-bit machine.
As stated before, the "compare" function will be returning an "int",
and "CompareFunction" will be returning an "INT64". When, for example,
the "compare" function (which was passed as an argument to qsort and,
then, re-passed as an argument to QuickSortWorker) returns -1 (or
0xffffffff, in a 32-bit integer, its original return type) from inside
a call to QuickSortWorker, its return value is interpreted as being an
"INT64" value - which turns out to be 4294967295 (or 0x00000000ffffffff,
in a 64-bit integer) -, making the function QuickSortWorker to behave
unexpectedly.
Note that this unexpected (or incorrect) conversion does not happen when
casting an "INT32" to an "INT64" directly, but does happen when casting
function types.
The issue is fixed by changing the return type of SORT_COMPARE (the type
of "CompareFunction", used by QuickSortWorker) from "INTN" to "int".
This way, both qsort and QuickSortWorker use compatible definitions for
their compare functions.
Contributed-under: TianoCore Contribution Agreement 1.0
Acked-by: Paulo Alcantara Cavalcanti <paulo.alc.cavalcanti@hp.com>
Signed-off-by: Karyne Mayer <kmayer@hp.com>
Signed-off-by: Rodrigo Dias Correa <rodrigo.dia.correa@hp.com>
Signed-off-by: Arthur Crippa Burigo <acb@hp.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19748 6f19259b-4bc3-4df7-8a09-765794883524
(cherry picked from commit 03805fc376239ddc56838d33b20a031734e3e3a1)
|
|
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19670 6f19259b-4bc3-4df7-8a09-765794883524
(cherry picked from commit e7efd897d05198ef079cfc6a0ce08467e5c4d0c3)
|
|
The RVCT compiler chokes on a couple of issues in upstream OpenSSL that
can be confirmed to be non-issues by inspection. So just ignore these
warnings entirely.
Also, move the dummy -J system include from CryptoPkg.dsc to the various
.INF files, since it will not be picked up when building the CryptoPkg
libraries from a platform .DSC
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19328 6f19259b-4bc3-4df7-8a09-765794883524
(cherry picked from commit 5fa05671e2ac0dafc52eb3b8049b4ac95f54d3bf)
|
|
To convert these files I ran:
$ python3 BaseTools/Scripts/ConvertUni.py CryptoPkg
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-by: Michael Kinney <michael.d.kinney@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19250 6f19259b-4bc3-4df7-8a09-765794883524
(cherry picked from commit 3af422600fe7bc92ed385907586af8b61db53a74)
|
|
OpenSSL has released version 1.0.2e with security fixes.
Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib
from 1.0.2d to 1.0.2e.
(Note: This is based on Ard's previous patch with extra fix
https://rt.openssl.org/Ticket/Display.html?id=4175)
(Sync patch r19218 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Singed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19571 6f19259b-4bc3-4df7-8a09-765794883524
|
|
This comments out the pqueue and ts_* source files from the OpensslLib
build, since they have no users.
(Sync patch r19147 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19570 6f19259b-4bc3-4df7-8a09-765794883524
|
|
Make mVirtualAddressChangeEvent STATIC to prevent it from conflicting
with other variables of the same name that may be defined in other
libraries (e.g., MdeModulePkg/Universal/Variable/RuntimeDxe)
This also removes the risk of mVirtualAddressChangeEvent being merged with
other uninitialized variables with external linkage by toolchains that perform
COMMON allocation.
(Sync patch r19146 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19569 6f19259b-4bc3-4df7-8a09-765794883524
|
|
In order to build the ARM version of CryptoPkg from its own .DSC file,
it needs a resolution for the ArmSoftFloatLib dependency of OpensslLib.
(Sync patch r19145 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19568 6f19259b-4bc3-4df7-8a09-765794883524
|
|
UEFI on 32-bit ARM does not allow the use of hardware floating point,
so in order to be able to run OpenSslLib, we need to fulfil its
floating point arithmetic dependencies using a software library.
(Sync patch r19033 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19567 6f19259b-4bc3-4df7-8a09-765794883524
|
|
Correct one typo (SingerChainCerts --> SignerChainCerts) in the comments
for Pkcs7GetCertificatesList() API.
(Sync patch r18944 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Shumin Qiu <shumin.qiu@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19566 6f19259b-4bc3-4df7-8a09-765794883524
|
|
Putting these on the command line as we do at the moment means that they
are *only* visible when actually building the OpenSSL code itself. When
building other things like BaseCryptLib, they were missing. Which could
lead to discrepancies in structures defined by the header files, between
the OpenSSL code and the EDK II code which calls it.
Move the definitions into opensslconf.h where they would normally live
in a standard build of OpenSSL.
Note: Do *not* set OPENSSL_NO_LHASH or OPENSSL_NO_OCSP since those weren't
effectively disabled before; the directories was still being included in
the build. If we actually disable then, the build breaks. We can hopefully
fix at least OCSP upstream later, but one thing at a time...
(Sync patch r18708 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19565 6f19259b-4bc3-4df7-8a09-765794883524
|
|
OpenSSL ought to work this out for itself when OPENSSL_SYS_UEFI is set.
(Sync patch r18707 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19564 6f19259b-4bc3-4df7-8a09-765794883524
|
|
We were manually setting -DSIXTY_FOUR_BIT_LONG or -DTHIRTY_TWO_BIT on
the compiler command line when building OpensslLib itself, but not when
building BaseCryptLib.
But when building BaseCryptLib, we weren't setting OPENSSL_SYS_UEFI
*either*. This meant that *that* build was picking up the definition
from <openssl/opensslconf.h>, and was thus *different* to the version
the library was built with, in some cases.
So set OPENSSL_SYS_UEFI consistently in OpensslSupport.h and *also*
define either SIXTY_FOUR_BIT or THIRTY_TWO_BIT there too.
(Sync patch r18706 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19563 6f19259b-4bc3-4df7-8a09-765794883524
|
|
Instead of patching OpenSSL to add EFIAPI to the one varargs function we
actually *noticed* breakage in, let's fix the problem in a more coherent
way by undefining NO_BUILTIN_VA_FUNCS.
That way, the VA_START and similar macros will actually do the right
thing for non-EFIAPI functions, which is to use the GCC builtins.
It's still fairly broken elsewhere in the tree, with the VA_START macro
being used from both EFIAPI and non-EFIAPI functions — and being broken
in the latter case. We probably ought to make EFIAPI a no-op everywhere
and add -mabi=ms to the GCC builds. But that's a project for another day.
For now, just fix the OpenSSL build in a cleaner fashion.
(Sync patch r18705 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19562 6f19259b-4bc3-4df7-8a09-765794883524
|
|
OpenSSL HEAD is in the process of adding this flag to disable the validity
time checking. Backport it to 1.0.2 and use it too, for consistency.
https://rt.openssl.org/Ticket/Display.html?id=3951&user=guest&pass=guest
(Sync patch r18704 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19561 6f19259b-4bc3-4df7-8a09-765794883524
|
|
Since OpenSSL 1.0.2 we can set this flag on the X509_STORE to instruct
OpenSSL to accept non-self-signed certificates as trusted. So we don't
need two entirely identical copies of a verify_cb() function which makes
it ignore the resulting errors.
We also *didn't* use that verify_cb() function for X509VerifyCert(), but
probably should have done. So that can get X509_V_FLAG_PARTIAL_CHAIN for
consistency, too.
(Sync patch r18703 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19560 6f19259b-4bc3-4df7-8a09-765794883524
|
|
Use the new OBJ_get0_data() accessor to compare the data, and actually
check the length of the object too.
(Sync patch r18702 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19559 6f19259b-4bc3-4df7-8a09-765794883524
|
|
OpenSSL 1.1 introduces new OBJ_get0_data() and OBJ_length() accessor
functions and makes ASN1_OBJECT an opaque type.
Unlike the accessors in previous commits which *did* actually exist
already but just weren't mandatory, these don't exist in older versions
of OpenSSL. So introduce macros which do the right thing, for
compatibility.
(Sync patch r18701 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19558 6f19259b-4bc3-4df7-8a09-765794883524
|
|
In OpenSSL 1.1, the X509_ATTRIBUTE becomes an opaque structure and we will
no longer get away with accessing its members directly. Use the accessor
functions X509_ATTRIBUTE_get0_object0() and X509_ATTRIBUTE_get0_type()
instead.
Also be slightly more defensive about unlikely failure modes.
(Sync patch r18700 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19557 6f19259b-4bc3-4df7-8a09-765794883524
|
|
In OpenSSL 1.1, the X509_NAME becomes an opaque structure and we will no
longer get away with accessing its members directly. Use i2d_X509_NAME()
instead.
(Sync patch r18699 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19556 6f19259b-4bc3-4df7-8a09-765794883524
|
|
OpenSSL 1.1 has cleaned up its include files a little, and it will now
be necessary to directly include things like <openssl/bn.h> if we want
to use them, rather than assuming they are included indirectly from
other headers.
(Sync patch r18698 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19555 6f19259b-4bc3-4df7-8a09-765794883524
|
|
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jeff Fan <jeff.fan@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19554 6f19259b-4bc3-4df7-8a09-765794883524
|
|
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jeff Fan <jeff.fan@intel.com>
Reviewed-by: Eric Dong <eric.gong@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19547 6f19259b-4bc3-4df7-8a09-765794883524
|
|
The header file OpenSslSupport.h not only defines a type 'struct timeval'
but also defines a global variable 'timeval' of that type. The RVCT compiler
does not merge this definition into a common symbol, resulting in duplicate
definition errors in the final link. So remove the variable definition.
(Sync patch r19135 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/branches/UDK2015@19422 6f19259b-4bc3-4df7-8a09-765794883524
|