Update openssl to 1.0.2g

Signed-off-by: Gary Lin <glin@suse.com>
author: Gary Lin <glin@suse.com> 2016-03-17 14:59:04 +0800
committer: Peter Jones <pjones@redhat.com> 2016-09-06 15:05:36 -0400
commit: 0297aa3cf34ca3a95a6e95db7aff82020aefa0e5 (patch)
tree: d2b0ff4c76d6df0960782c647a33cb30f7a2ef86 /Cryptlib/OpenSSL/crypto/pkcs7
parent: 7b9281af14930040ec6cb333de2d64e0ff91cf3c (diff)
download: efi-boot-shim-0297aa3cf34ca3a95a6e95db7aff82020aefa0e5.tar.gz
efi-boot-shim-0297aa3cf34ca3a95a6e95db7aff82020aefa0e5.zip
1 files changed, 54 insertions, 28 deletions
diff --git a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
index 75491d12..0bc3d43b 100644
--- a/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
+++ b/Cryptlib/OpenSSL/crypto/pkcs7/pk7_smime.c
@@ -64,6 +64,9 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+
+#define BUFFERSIZE 4096
+
 static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
 
 PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
@@ -255,7 +258,6 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     PKCS7_SIGNER_INFO *si;
     X509_STORE_CTX cert_ctx;
     char *buf = NULL;
-    int bufsiz;
     int i, j = 0, k, ret = 0;
     BIO *p7bio = NULL;
     BIO *tmpin = NULL, *tmpout = NULL;
@@ -275,6 +277,29 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
         PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);
         return 0;
     }
+#if 0
+    /*
+     * NB: this test commented out because some versions of Netscape
+     * illegally include zero length content when signing data. Also
+     * Microsoft Authenticode includes a SpcIndirectDataContent data
+     * structure which describes the content to be protected by the
+     * signature, rather than directly embedding that content. So
+     * Authenticode implementations are also expected to use
+     * PKCS7_verify() with explicit external data, on non-detached
+     * PKCS#7 signatures.
+     *
+     * In OpenSSL 1.1 a new flag PKCS7_NO_DUAL_CONTENT has been
+     * introduced to disable this sanity check. For the 1.0.2 branch
+     * this change is not acceptable, so the check remains completely
+     * commented out (as it has been for a long time).
+     */
+
+    /* Check for data and content: two sets of data */
+    if (!PKCS7_get_detached(p7) && indata) {
+        PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
+        return 0;
+    }
+#endif
 
     sinfos = PKCS7_get_signer_info(p7);
 
@@ -350,14 +375,13 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     } else
         tmpout = out;
 
-    bufsiz = 4096;
-    buf = OPENSSL_malloc(bufsiz);
-    if (buf == NULL) {
+    /* We now have to 'read' from p7bio to calculate digests etc. */
+    if ((buf = OPENSSL_malloc(BUFFERSIZE)) == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE);
         goto err;
     }
-    /* We now have to 'read' from p7bio to calculate digests etc. */
     for (;;) {
-        i = BIO_read(p7bio, buf, bufsiz);
+        i = BIO_read(p7bio, buf, BUFFERSIZE);
         if (i <= 0)
             break;
         if (tmpout)
@@ -388,16 +412,13 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     ret = 1;
 
  err:
+    OPENSSL_free(buf);
     if (tmpin == indata) {
         if (indata)
             BIO_pop(p7bio);
     }
     BIO_free_all(p7bio);
     sk_X509_free(signers);
-
-    if (buf != NULL) {
-      OPENSSL_free(buf);
-    }
     return ret;
 }
 
@@ -510,7 +531,7 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
 {
     BIO *tmpmem;
     int ret, i;
-    char buf[4096];
+    char *buf = NULL;
 
     if (!p7) {
         PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_INVALID_NULL_POINTER);
@@ -554,24 +575,29 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
         }
         BIO_free_all(bread);
         return ret;
-    } else {
-        for (;;) {
-            i = BIO_read(tmpmem, buf, sizeof(buf));
-            if (i <= 0) {
-                ret = 1;
-                if (BIO_method_type(tmpmem) == BIO_TYPE_CIPHER) {
-                    if (!BIO_get_cipher_status(tmpmem))
-                        ret = 0;
-                }
-
-                break;
-            }
-            if (BIO_write(data, buf, i) != i) {
-                ret = 0;
-                break;
+    }
+    if ((buf = OPENSSL_malloc(BUFFERSIZE)) == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+    for (;;) {
+        i = BIO_read(tmpmem, buf, BUFFERSIZE);
+        if (i <= 0) {
+            ret = 1;
+            if (BIO_method_type(tmpmem) == BIO_TYPE_CIPHER) {
+                if (!BIO_get_cipher_status(tmpmem))
+                    ret = 0;
             }
+
+            break;
+        }
+        if (BIO_write(data, buf, i) != i) {
+            ret = 0;
+            break;
         }
-        BIO_free_all(tmpmem);
-        return ret;
     }
+err:
+    OPENSSL_free(buf);
+    BIO_free_all(tmpmem);
+    return ret;
 }
author	Gary Lin <glin@suse.com>	2016-03-17 14:59:04 +0800
committer	Peter Jones <pjones@redhat.com>	2016-09-06 15:05:36 -0400
commit	0297aa3cf34ca3a95a6e95db7aff82020aefa0e5 (patch)
tree	d2b0ff4c76d6df0960782c647a33cb30f7a2ef86 /Cryptlib/OpenSSL/crypto/pkcs7
parent	7b9281af14930040ec6cb333de2d64e0ff91cf3c (diff)
download	efi-boot-shim-0297aa3cf34ca3a95a6e95db7aff82020aefa0e5.tar.gz efi-boot-shim-0297aa3cf34ca3a95a6e95db7aff82020aefa0e5.zip