Update to openssl to 1.0.2e

Also update Cryptlib to edk2 r19218 - Undefine NO_BUILTIN_VA_FUNCS in Cryptlib/OpenSSL/ for x86_64 to use the gcc builtins and remove all EFIAPI from the functions - Move the most of defines into the headers instead of Makefile - Remove the global variable 'timeval' - Remove the unused code: crypto/pqueue/* and crypto/ts/* - Include bn.h in MokManager.c due to the changes in openssl Signed-off-by: Gary Lin <glin@suse.com>
author: Gary Lin <glin@suse.com> 2015-12-15 10:48:10 +0800
committer: Peter Jones <pjones@redhat.com> 2016-09-06 15:05:34 -0400
commit: e571428e21280c28d0d591b70f13add7d8dbfe81 (patch)
tree: fadafcf006016eb83dd989969d2232048048bad8 /Cryptlib/OpenSSL/crypto/x509
parent: 7052e75307553edc8f04eb529b0d37844fbcc30b (diff)
download: efi-boot-shim-e571428e21280c28d0d591b70f13add7d8dbfe81.tar.gz
efi-boot-shim-e571428e21280c28d0d591b70f13add7d8dbfe81.zip
3 files changed, 23 insertions, 14 deletions
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_lu.c b/Cryptlib/OpenSSL/crypto/x509/x509_lu.c
index b0d65390..50120a4d 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_lu.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_lu.c
@@ -536,8 +536,6 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
     X509_OBJECT *obj, xobj;
     sk = sk_X509_CRL_new_null();
     CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-    /* Check cache first */
-    idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
 
     /*
      * Always do lookup to possibly add new CRLs to cache
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c
index c085c134..259bc065 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_vfy.c
@@ -249,7 +249,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
             ok = ctx->get_issuer(&xtmp, ctx, x);
             if (ok < 0)
-                return ok;
+                goto end;
             /*
              * If successful for now free up cert so it will be picked up
              * again later.
@@ -347,14 +347,15 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
             ok = ctx->get_issuer(&xtmp, ctx, x);
 
             if (ok < 0)
-                return ok;
+                goto end;
             if (ok == 0)
                 break;
             x = xtmp;
             if (!sk_X509_push(ctx->chain, x)) {
                 X509_free(xtmp);
                 X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
-                return 0;
+                ok = 0;
+                goto end;
             }
             num++;
         }
@@ -752,6 +753,10 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
     int n = sk_OPENSSL_STRING_num(id->hosts);
     char *name;
 
+    if (id->peername != NULL) {
+        OPENSSL_free(id->peername);
+        id->peername = NULL;
+    }
     for (i = 0; i < n; ++i) {
         name = sk_OPENSSL_STRING_value(id->hosts, i);
         if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0)
@@ -935,6 +940,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
         ctx->current_crl = crl;
     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
         ptime = &ctx->param->check_time;
+    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
+        return 1;
     else
         ptime = NULL;
 
@@ -1653,15 +1660,13 @@ static int check_policy(X509_STORE_CTX *ctx)
 
 static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 {
-#ifdef OPENSSL_SYS_UEFI
-    /* Bypass Certificate Time Checking for UEFI version. */
-    return 1;
-#else
     time_t *ptime;
     int i;
 
     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
         ptime = &ctx->param->check_time;
+    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
+        return 1;
     else
         ptime = NULL;
 
@@ -1696,7 +1701,6 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
     }
 
     return 1;
-#endif
 }
 
 static int internal_verify(X509_STORE_CTX *ctx)
diff --git a/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c b/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c
index 1ea0c69f..592a8a5f 100644
--- a/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c
+++ b/Cryptlib/OpenSSL/crypto/x509/x509_vpm.c
@@ -155,6 +155,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
     }
     if (paramid->peername)
         OPENSSL_free(paramid->peername);
+    paramid->peername = NULL;
     if (paramid->email) {
         OPENSSL_free(paramid->email);
         paramid->email = NULL;
@@ -165,7 +166,6 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
         paramid->ip = NULL;
         paramid->iplen = 0;
     }
-
 }
 
 X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
@@ -176,13 +176,20 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
     param = OPENSSL_malloc(sizeof *param);
     if (!param)
         return NULL;
-    paramid = OPENSSL_malloc(sizeof *paramid);
+    memset(param, 0, sizeof(*param));
+
+    paramid = OPENSSL_malloc(sizeof(*paramid));
     if (!paramid) {
         OPENSSL_free(param);
         return NULL;
     }
-    memset(param, 0, sizeof *param);
-    memset(paramid, 0, sizeof *paramid);
+    memset(paramid, 0, sizeof(*paramid));
+    /* Exotic platforms may have non-zero bit representation of NULL */
+    paramid->hosts = NULL;
+    paramid->peername = NULL;
+    paramid->email = NULL;
+    paramid->ip = NULL;
+
     param->id = paramid;
     x509_verify_param_zero(param);
     return param;
author	Gary Lin <glin@suse.com>	2015-12-15 10:48:10 +0800
committer	Peter Jones <pjones@redhat.com>	2016-09-06 15:05:34 -0400
commit	e571428e21280c28d0d591b70f13add7d8dbfe81 (patch)
tree	fadafcf006016eb83dd989969d2232048048bad8 /Cryptlib/OpenSSL/crypto/x509
parent	7052e75307553edc8f04eb529b0d37844fbcc30b (diff)
download	efi-boot-shim-e571428e21280c28d0d591b70f13add7d8dbfe81.tar.gz efi-boot-shim-e571428e21280c28d0d591b70f13add7d8dbfe81.zip