Update to openssl to 1.0.2e

Also update Cryptlib to edk2 r19218
- Undefine NO_BUILTIN_VA_FUNCS in Cryptlib/OpenSSL/ for x86_64 to use
  the gcc builtins and remove all EFIAPI from the functions
- Move the most of defines into the headers instead of Makefile
- Remove the global variable 'timeval'
- Remove the unused code: crypto/pqueue/* and crypto/ts/*
- Include bn.h in MokManager.c due to the changes in openssl

Signed-off-by: Gary Lin <glin@suse.com>

1 files changed, 15 insertions, 87 deletions

diff --git a/Cryptlib/Pk/CryptTs.c b/Cryptlib/Pk/CryptTs.c
index 7d269b04..d4958122 100644
--- a/Cryptlib/Pk/CryptTs.c
+++ b/Cryptlib/Pk/CryptTs.c
@@ -137,87 +137,6 @@ IMPLEMENT_ASN1_FUNCTIONS (TS_TST_INFO)
 

 

 /**

-  Verification callback function to override any existing callbacks in OpenSSL

-  for intermediate TSA certificate supports.

-

-  @param[in]  Status   Original status before calling this callback.

-  @param[in]  Context  X509 store context.

-

-  @retval     1        Current X509 certificate is verified successfully.

-  @retval     0        Verification failed.

-

-**/

-int

-TSVerifyCallback (

-  IN int             Status,

-  IN X509_STORE_CTX  *Context

-  )

-{

-  X509_OBJECT  *Obj;

-  INTN         Error;

-  INTN         Index;

-  INTN         Count;

-

-  Obj   = NULL;

-  Error = (INTN) X509_STORE_CTX_get_error (Context);

-

-  //

-  // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_

-  // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer

-  // can not be found in X509_verify_cert of X509_vfy.c.

-  // In order to support intermediate certificate node, we override the

-  // errors if the certification is obtained from X509 store, i.e. it is

-  // a trusted ceritifcate node that is enrolled by user.

-  // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

-  // are also ignored to enable such feature.

-  //

-  if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||

-      (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {

-    Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));

-    if (Obj == NULL) {

-      return 0;

-    }

-

-    Obj->type      = X509_LU_X509;

-    Obj->data.x509 = Context->current_cert;

-

-    CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);

-

-    if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {

-      Status = 1;

-    } else {

-      //

-      // If any certificate in the chain is enrolled as trusted certificate,

-      // pass the certificate verification.

-      //

-      if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {

-        Count = (INTN) sk_X509_num (Context->chain);

-        for (Index = 0; Index < Count; Index++) {

-          Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);

-          if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {

-            Status = 1;

-            break;

-          }

-        }

-      }

-    }

-

-    CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);

-  }

-

-  if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||

-      (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {

-    Status = 1;

-  }

-

-  if (Obj != NULL) {

-    OPENSSL_free (Obj);

-  }

-

-  return Status;

-}

-

-/**

   Convert ASN.1 GeneralizedTime to EFI Time.

 

   @param[in]  Asn1Time         Pointer to the ASN.1 GeneralizedTime to be converted.

@@ -506,10 +425,11 @@ TimestampTokenVerify (
   }

 

   //

-  // Register customized X509 verification callback function to support

-  // trusted intermediate TSA certificate anchor.

+  // Allow partial certificate chains, terminated by a non-self-signed but

+  // still trusted intermediate certificate. Also disable time checks.

   //

-  CertStore->verify_cb = TSVerifyCallback;

+  X509_STORE_set_flags (CertStore,

+                        X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);

 

   X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);

 

@@ -613,6 +533,7 @@ ImageTimestampVerify (
   UINTN                        Index;

   STACK_OF(X509_ATTRIBUTE)     *Sk;

   X509_ATTRIBUTE               *Xa;

+  ASN1_OBJECT                  *XaObj;

   ASN1_TYPE                    *Asn1Type;

   ASN1_OCTET_STRING            *EncDigest;

   UINT8                        *TSToken;

@@ -692,11 +613,18 @@ ImageTimestampVerify (
     // Search valid RFC3161 timestamp counterSignature based on OBJID.

     //

     Xa = sk_X509_ATTRIBUTE_value (Sk, (int)Index);

-    if ((Xa->object->length != sizeof (mSpcRFC3161OidValue)) ||

-        (CompareMem (Xa->object->data, mSpcRFC3161OidValue, sizeof (mSpcRFC3161OidValue)) != 0)) {

+    if (Xa == NULL) {

+      continue;

+    }

+    XaObj = X509_ATTRIBUTE_get0_object(Xa);

+    if (XaObj == NULL) {

+      continue;

+    }

+    if ((OBJ_length(XaObj) != sizeof (mSpcRFC3161OidValue)) ||

+        (CompareMem (OBJ_get0_data(XaObj), mSpcRFC3161OidValue, sizeof (mSpcRFC3161OidValue)) != 0)) {

       continue;

     }

-    Asn1Type = sk_ASN1_TYPE_value (Xa->value.set, 0);

+    Asn1Type = X509_ATTRIBUTE_get0_type(Xa, 0);

   }

 

   if (Asn1Type == NULL) {