Revert lots of Cryptlib updates.

OpenSSL changes quite a bit of the key validation, and most of the keys
I can find in the wild aren't marked as trusted by the new checker.

Intel noticed this too: https://github.com/vathpela/edk2/commit/f536d7c3ed
but instead of fixing the compatibility error, they switched their test
data to match the bug.

So that's pretty broken.

For now, I'm reverting OpenSSL 1.1.0e, because we need those certs in
the wild to work.

This reverts commit 513cbe2aea689bf968f171f894f3d4cdb43524d5.
This reverts commit e9cc33d6f2b7f35c6f5e349fd83fb9ae0bc66226.
This reverts commit 80d49f758ead0180bfe6161931838e0578248303.
This reverts commit 9bc647e2b23bcfd69a0077c0717fbc454c919a57.
This reverts commit ae75df6232ad30f3e8736e9449692d58a7439260.
This reverts commit e883479f35644d17db7efed710657c8543cfcb68.
This reverts commit 97469449fda5ba933a64280917e776487301a127.
This reverts commit e39692647f78e13d757ddbfdd36f440d5f526050.
This reverts commit 0f3dfc01e2d5e7df882c963dd8dc4a0dfbfc96ad.
This reverts commit 4da6ac819510c7cc4ba21d7a735d69b45daa5873.
This reverts commit d064bd7eef201f26cb926450a76260b5187ac689.
This reverts commit 9bc86cfd6f9387f0da9d5c0102b6aa5627e91c91.
This reverts commit ab9a05a10f16b33f7ee1e9da360c7801eebdb9d2.

Signed-off-by: Peter Jones <pjones@redhat.com>

1 files changed, 148 insertions, 27 deletions

diff --git a/Cryptlib/Include/openssl/pem.h b/Cryptlib/Include/openssl/pem.h
index 2375d635..d271ec8b 100644
--- a/Cryptlib/Include/openssl/pem.h
+++ b/Cryptlib/Include/openssl/pem.h
@@ -1,18 +1,71 @@
-/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+/* crypto/pem/pem.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
  *
- * Licensed under the OpenSSL license (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
  */
 
 #ifndef HEADER_PEM_H
 # define HEADER_PEM_H
 
 # include <openssl/e_os2.h>
-# include <openssl/bio.h>
-# include <openssl/stack.h>
+# ifndef OPENSSL_NO_BIO
+#  include <openssl/bio.h>
+# endif
+# ifndef OPENSSL_NO_STACK
+#  include <openssl/stack.h>
+# endif
 # include <openssl/evp.h>
 # include <openssl/x509.h>
 # include <openssl/pem2.h>
@@ -23,8 +76,44 @@ extern "C" {
 
 # define PEM_BUFSIZE             1024
 
+# define PEM_OBJ_UNDEF           0
+# define PEM_OBJ_X509            1
+# define PEM_OBJ_X509_REQ        2
+# define PEM_OBJ_CRL             3
+# define PEM_OBJ_SSL_SESSION     4
+# define PEM_OBJ_PRIV_KEY        10
+# define PEM_OBJ_PRIV_RSA        11
+# define PEM_OBJ_PRIV_DSA        12
+# define PEM_OBJ_PRIV_DH         13
+# define PEM_OBJ_PUB_RSA         14
+# define PEM_OBJ_PUB_DSA         15
+# define PEM_OBJ_PUB_DH          16
+# define PEM_OBJ_DHPARAMS        17
+# define PEM_OBJ_DSAPARAMS       18
+# define PEM_OBJ_PRIV_RSA_PUBLIC 19
+# define PEM_OBJ_PRIV_ECDSA      20
+# define PEM_OBJ_PUB_ECDSA       21
+# define PEM_OBJ_ECPARAMETERS    22
+
+# define PEM_ERROR               30
+# define PEM_DEK_DES_CBC         40
+# define PEM_DEK_IDEA_CBC        45
+# define PEM_DEK_DES_EDE         50
+# define PEM_DEK_DES_ECB         60
+# define PEM_DEK_RSA             70
+# define PEM_DEK_RSA_MD2         80
+# define PEM_DEK_RSA_MD5         90
+
+# define PEM_MD_MD2              NID_md2
+# define PEM_MD_MD5              NID_md5
+# define PEM_MD_SHA              NID_sha
+# define PEM_MD_MD2_RSA          NID_md2WithRSAEncryption
+# define PEM_MD_MD5_RSA          NID_md5WithRSAEncryption
+# define PEM_MD_SHA_RSA          NID_sha1WithRSAEncryption
+
 # define PEM_STRING_X509_OLD     "X509 CERTIFICATE"
 # define PEM_STRING_X509         "CERTIFICATE"
+# define PEM_STRING_X509_PAIR    "CERTIFICATE PAIR"
 # define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE"
 # define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST"
 # define PEM_STRING_X509_REQ     "CERTIFICATE REQUEST"
@@ -49,6 +138,17 @@ extern "C" {
 # define PEM_STRING_PARAMETERS   "PARAMETERS"
 # define PEM_STRING_CMS          "CMS"
 
+  /*
+   * Note that this structure is initialised by PEM_SealInit and cleaned up
+   * by PEM_SealFinal (at least for now)
+   */
+typedef struct PEM_Encode_Seal_st {
+    EVP_ENCODE_CTX encode;
+    EVP_MD_CTX md;
+    EVP_CIPHER_CTX cipher;
+} PEM_ENCODE_SEAL_CTX;
+
+/* enc_type is one off */
 # define PEM_TYPE_ENCRYPTED      10
 # define PEM_TYPE_MIC_ONLY       20
 # define PEM_TYPE_MIC_CLEAR      30
@@ -82,7 +182,6 @@ typedef struct pem_ctx_st {
 
     int num_recipient;
     PEM_USER **recipient;
-
 /*-
     XXX(ben): don#t think this is used!
         STACK *x509_chain;      / * certificate chain */
@@ -110,7 +209,7 @@ typedef struct pem_ctx_st {
  * IMPLEMENT_PEM_rw_cb(...)
  */
 
-# ifdef OPENSSL_NO_STDIO
+# ifdef OPENSSL_NO_FP_API
 
 #  define IMPLEMENT_PEM_read_fp(name, type, str, asn1) /**/
 #  define IMPLEMENT_PEM_write_fp(name, type, str, asn1) /**/
@@ -221,7 +320,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 
 /* These are the same except they are for the declarations */
 
-# if defined(OPENSSL_NO_STDIO)
+# if defined(OPENSSL_NO_FP_API)
 
 #  define DECLARE_PEM_read_fp(name, type) /**/
 #  define DECLARE_PEM_write_fp(name, type) /**/
@@ -244,6 +343,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 
 # endif
 
+# ifndef OPENSSL_NO_BIO
 #  define DECLARE_PEM_read_bio(name, type) \
         type *PEM_read_bio_##name(BIO *bp, type **x, pem_password_cb *cb, void *u);
 
@@ -257,6 +357,13 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
         int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
              unsigned char *kstr, int klen, pem_password_cb *cb, void *u);
 
+# else
+
+#  define DECLARE_PEM_read_bio(name, type) /**/
+#  define DECLARE_PEM_write_bio(name, type) /**/
+#  define DECLARE_PEM_write_bio_const(name, type) /**/
+#  define DECLARE_PEM_write_cb_bio(name, type) /**/
+# endif
 # define DECLARE_PEM_write(name, type) \
         DECLARE_PEM_write_bio(name, type) \
         DECLARE_PEM_write_fp(name, type)
@@ -278,12 +385,19 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 # define DECLARE_PEM_rw_cb(name, type) \
         DECLARE_PEM_read(name, type) \
         DECLARE_PEM_write_cb(name, type)
+# if 1
+/* "userdata": new with OpenSSL 0.9.4 */
 typedef int pem_password_cb (char *buf, int size, int rwflag, void *userdata);
+# else
+/* OpenSSL 0.9.3, 0.9.3a */
+typedef int pem_password_cb (char *buf, int size, int rwflag);
+# endif
 
 int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher);
 int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *len,
                   pem_password_cb *callback, void *u);
 
+# ifndef OPENSSL_NO_BIO
 int PEM_read_bio(BIO *bp, char **name, char **header,
                  unsigned char **data, long *len);
 int PEM_write_bio(BIO *bp, const char *name, const char *hdr,
@@ -302,8 +416,9 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
 int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
                             unsigned char *kstr, int klen,
                             pem_password_cb *cd, void *u);
+# endif
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int PEM_read(FILE *fp, char **name, char **header,
              unsigned char **data, long *len);
 int PEM_write(FILE *fp, const char *name, const char *hdr,
@@ -317,8 +432,16 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
                                         pem_password_cb *cb, void *u);
 #endif
 
-int PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type);
-int PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt);
+int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type,
+                 EVP_MD *md_type, unsigned char **ek, int *ekl,
+                 unsigned char *iv, EVP_PKEY **pubk, int npubk);
+void PEM_SealUpdate(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *out, int *outl,
+                    unsigned char *in, int inl);
+int PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *sig, int *sigl,
+                  unsigned char *out, int *outl, EVP_PKEY *priv);
+
+void PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type);
+void PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt);
 int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
                   unsigned int *siglen, EVP_PKEY *pkey);
 
@@ -330,6 +453,7 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str);
 
 DECLARE_PEM_rw(X509, X509)
 DECLARE_PEM_rw(X509_AUX, X509)
+DECLARE_PEM_rw(X509_CERT_PAIR, X509_CERT_PAIR)
 DECLARE_PEM_rw(X509_REQ, X509_REQ)
 DECLARE_PEM_write(X509_REQ_NEW, X509_REQ)
 DECLARE_PEM_rw(X509_CRL, X509_CRL)
@@ -359,11 +483,6 @@ DECLARE_PEM_write_const(DHxparams, DH)
 DECLARE_PEM_rw_cb(PrivateKey, EVP_PKEY)
 DECLARE_PEM_rw(PUBKEY, EVP_PKEY)
 
-int PEM_write_bio_PrivateKey_traditional(BIO *bp, EVP_PKEY *x,
-                                         const EVP_CIPHER *enc,
-                                         unsigned char *kstr, int klen,
-                                         pem_password_cb *cb, void *u);
-
 int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
                                       char *kstr, int klen,
                                       pem_password_cb *cb, void *u);
@@ -378,7 +497,7 @@ int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid,
 EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
                                   void *u);
 
-# ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_FP_API
 int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
                            char *kstr, int klen,
                            pem_password_cb *cb, void *u);
@@ -395,22 +514,21 @@ EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,
 int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
                               char *kstr, int klen, pem_password_cb *cd,
                               void *u);
-# endif
+#endif
+
 EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x);
 int PEM_write_bio_Parameters(BIO *bp, EVP_PKEY *x);
 
-# ifndef OPENSSL_NO_DSA
 EVP_PKEY *b2i_PrivateKey(const unsigned char **in, long length);
 EVP_PKEY *b2i_PublicKey(const unsigned char **in, long length);
 EVP_PKEY *b2i_PrivateKey_bio(BIO *in);
 EVP_PKEY *b2i_PublicKey_bio(BIO *in);
 int i2b_PrivateKey_bio(BIO *out, EVP_PKEY *pk);
 int i2b_PublicKey_bio(BIO *out, EVP_PKEY *pk);
-#  ifndef OPENSSL_NO_RC4
+# ifndef OPENSSL_NO_RC4
 EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u);
 int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel,
                 pem_password_cb *cb, void *u);
-#  endif
 # endif
 
 /* BEGIN ERROR CODES */
@@ -419,7 +537,7 @@ int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel,
  * made after this point may be overwritten when the script is next run.
  */
 
-int ERR_load_PEM_strings(void);
+void ERR_load_PEM_strings(void);
 
 /* Error codes for the PEM functions. */
 
@@ -447,7 +565,9 @@ int ERR_load_PEM_strings(void);
 # define PEM_F_PEM_ASN1_WRITE_BIO                         105
 # define PEM_F_PEM_DEF_CALLBACK                           100
 # define PEM_F_PEM_DO_HEADER                              106
+# define PEM_F_PEM_F_PEM_WRITE_PKCS8PRIVATEKEY            118
 # define PEM_F_PEM_GET_EVP_CIPHER_INFO                    107
+# define PEM_F_PEM_PK8PKEY                                119
 # define PEM_F_PEM_READ                                   108
 # define PEM_F_PEM_READ_BIO                               109
 # define PEM_F_PEM_READ_BIO_DHPARAMS                      141
@@ -455,6 +575,8 @@ int ERR_load_PEM_strings(void);
 # define PEM_F_PEM_READ_BIO_PRIVATEKEY                    123
 # define PEM_F_PEM_READ_DHPARAMS                          142
 # define PEM_F_PEM_READ_PRIVATEKEY                        124
+# define PEM_F_PEM_SEALFINAL                              110
+# define PEM_F_PEM_SEALINIT                               111
 # define PEM_F_PEM_SIGNFINAL                              112
 # define PEM_F_PEM_WRITE                                  113
 # define PEM_F_PEM_WRITE_BIO                              114
@@ -480,17 +602,16 @@ int ERR_load_PEM_strings(void);
 # define PEM_R_INCONSISTENT_HEADER                        121
 # define PEM_R_KEYBLOB_HEADER_PARSE_ERROR                 122
 # define PEM_R_KEYBLOB_TOO_SHORT                          123
-# define PEM_R_MISSING_DEK_IV                             129
 # define PEM_R_NOT_DEK_INFO                               105
 # define PEM_R_NOT_ENCRYPTED                              106
 # define PEM_R_NOT_PROC_TYPE                              107
 # define PEM_R_NO_START_LINE                              108
 # define PEM_R_PROBLEMS_GETTING_PASSWORD                  109
+# define PEM_R_PUBLIC_KEY_NO_RSA                          110
 # define PEM_R_PVK_DATA_TOO_SHORT                         124
 # define PEM_R_PVK_TOO_SHORT                              125
 # define PEM_R_READ_KEY                                   111
 # define PEM_R_SHORT_HEADER                               112
-# define PEM_R_UNEXPECTED_DEK_IV                          130
 # define PEM_R_UNSUPPORTED_CIPHER                         113
 # define PEM_R_UNSUPPORTED_ENCRYPTION                     114
 # define PEM_R_UNSUPPORTED_KEY_COMPONENTS                 126