CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8l.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159

--- crypto/bio/bss_file.c	Thu Jan 15 17:14:12 1970
+++ crypto/bio/bss_file.c	Thu Jan 15 17:14:12 1970
@@ -421,6 +421,23 @@
 	return(ret);
 	}
 
+#else
+
+BIO_METHOD *BIO_s_file(void)
+	{
+	return NULL;
+	}
+
+BIO *BIO_new_file(const char *filename, const char *mode)
+	{
+	return NULL;
+	}
+
+BIO *BIO_new_fp(FILE *stream, int close_flag)
+	{
+	return NULL;
+	}
+
 #endif /* OPENSSL_NO_STDIO */
 
 #endif /* HEADER_BSS_FILE_C */
--- crypto/err/err.c
+++ crypto/err/err.c
@@ -313,7 +313,12 @@
 	es->err_data_flags[i]=flags;
 	}
 
+/* Add EFIAPI for UEFI version. */
+#if defined(OPENSSL_SYS_UEFI)
+void EFIAPI ERR_add_error_data(int num, ...)
+#else
 void ERR_add_error_data(int num, ...)
+#endif
 	{
 	va_list args;
 	int i,n,s;
--- crypto/err/err.h
+++ crypto/err/err.h
@@ -286,8 +286,14 @@
 #endif
 #ifndef OPENSSL_NO_BIO
 void ERR_print_errors(BIO *bp);
+
+/* Add EFIAPI for UEFI version. */
+#if defined(OPENSSL_SYS_UEFI)
+void EFIAPI ERR_add_error_data(int num, ...);
+#else
 void ERR_add_error_data(int num, ...);
 #endif
+#endif
 void ERR_load_strings(int lib,ERR_STRING_DATA str[]);
 void ERR_unload_strings(int lib,ERR_STRING_DATA str[]);
 void ERR_load_ERR_strings(void);
--- crypto/opensslconf.h
+++ crypto/opensslconf.h
@@ -162,6 +162,9 @@
 /* The prime number generation stuff may not work when
  * EIGHT_BIT but I don't care since I've only used this mode
  * for debuging the bignum libraries */
+
+/* Bypass following definition for UEFI version. */
+#if !defined(OPENSSL_SYS_UEFI)
 #undef SIXTY_FOUR_BIT_LONG
 #undef SIXTY_FOUR_BIT
 #define THIRTY_TWO_BIT
@@ -169,6 +172,8 @@
 #undef EIGHT_BIT
 #endif
 
+#endif
+
 #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
 #define CONFIG_HEADER_RC4_LOCL_H
 /* if this is defined data[i] is used instead of *data, this is a %20
--- crypto/pkcs7/pk7_smime.c	2009-03-15 21:36:02.000000000 +0800
+++ crypto/pkcs7/pk7_smime.c	2011-09-13 14:11:36.019454700 +0800
@@ -88,7 +88,10 @@
 	if (!PKCS7_content_new(p7, NID_pkcs7_data))
 		goto err;
 
-	if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) {
+  /* 
+    NOTE: Update to SHA-256 digest algorithm for UEFI version.
+  */
+	if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha256()))) {
 		PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
 		goto err;
 	}
--- crypto/rand/rand_egd.c	Thu Jan 15 17:14:12 1970
+++ crypto/rand/rand_egd.c	Thu Jan 15 17:14:12 1970
@@ -95,7 +95,7 @@
  *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
  */
 
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI)
 int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
 	{
 	return(-1);
--- crypto/rand/rand_unix.c	Thu Jan 15 17:14:12 1970
+++ crypto/rand/rand_unix.c	Thu Jan 15 17:14:12 1970
@@ -116,7 +116,7 @@
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE))
+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI))
 
 #include <sys/types.h>
 #include <sys/time.h>
@@ -322,7 +322,7 @@
 #endif /* !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)) */
 
 
-#if defined(OPENSSL_SYS_VXWORKS)
+#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
 int RAND_poll(void)
 	{
 	return 0;
--- crypto/x509/x509_vfy.c	Thu Jan 15 17:14:12 1970
+++ crypto/x509/x509_vfy.c	Thu Jan 15 17:14:12 1970
@@ -391,7 +391,12 @@
 
 static int check_chain_extensions(X509_STORE_CTX *ctx)
 {
-#ifdef OPENSSL_NO_CHAIN_VERIFY
+//#ifdef OPENSSL_NO_CHAIN_VERIFY
+#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI)
+  /* 
+    NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU flag setting
+          in Authenticode Signing Certificates. 
+  */
 	return 1;
 #else
 	int i, ok=0, must_be_ca, plen = 0;
@@ -904,6 +909,10 @@
 
 static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 	{
+#if defined(OPENSSL_SYS_UEFI)
+  /* Bypass Certificate Time Checking for UEFI version. */
+  return 1;
+#else
 	time_t *ptime;
 	int i;
 
@@ -947,6 +956,7 @@
 		}
 
 	return 1;
+#endif  
 	}
 
 static int internal_verify(X509_STORE_CTX *ctx)