From e571428e21280c28d0d591b70f13add7d8dbfe81 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Tue, 15 Dec 2015 10:48:10 +0800 Subject: Update to openssl to 1.0.2e Also update Cryptlib to edk2 r19218 - Undefine NO_BUILTIN_VA_FUNCS in Cryptlib/OpenSSL/ for x86_64 to use the gcc builtins and remove all EFIAPI from the functions - Move the most of defines into the headers instead of Makefile - Remove the global variable 'timeval' - Remove the unused code: crypto/pqueue/* and crypto/ts/* - Include bn.h in MokManager.c due to the changes in openssl Signed-off-by: Gary Lin --- Cryptlib/Pk/CryptTs.c | 102 ++++++++------------------------------------------ 1 file changed, 15 insertions(+), 87 deletions(-) (limited to 'Cryptlib/Pk/CryptTs.c') diff --git a/Cryptlib/Pk/CryptTs.c b/Cryptlib/Pk/CryptTs.c index 7d269b04..d4958122 100644 --- a/Cryptlib/Pk/CryptTs.c +++ b/Cryptlib/Pk/CryptTs.c @@ -136,87 +136,6 @@ ASN1_SEQUENCE (TS_TST_INFO) = { IMPLEMENT_ASN1_FUNCTIONS (TS_TST_INFO) -/** - Verification callback function to override any existing callbacks in OpenSSL - for intermediate TSA certificate supports. - - @param[in] Status Original status before calling this callback. - @param[in] Context X509 store context. - - @retval 1 Current X509 certificate is verified successfully. - @retval 0 Verification failed. - -**/ -int -TSVerifyCallback ( - IN int Status, - IN X509_STORE_CTX *Context - ) -{ - X509_OBJECT *Obj; - INTN Error; - INTN Index; - INTN Count; - - Obj = NULL; - Error = (INTN) X509_STORE_CTX_get_error (Context); - - // - // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_ - // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer - // can not be found in X509_verify_cert of X509_vfy.c. - // In order to support intermediate certificate node, we override the - // errors if the certification is obtained from X509 store, i.e. it is - // a trusted ceritifcate node that is enrolled by user. - // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE - // are also ignored to enable such feature. - // - if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) || - (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) { - Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT)); - if (Obj == NULL) { - return 0; - } - - Obj->type = X509_LU_X509; - Obj->data.x509 = Context->current_cert; - - CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE); - - if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) { - Status = 1; - } else { - // - // If any certificate in the chain is enrolled as trusted certificate, - // pass the certificate verification. - // - if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) { - Count = (INTN) sk_X509_num (Context->chain); - for (Index = 0; Index < Count; Index++) { - Obj->data.x509 = sk_X509_value (Context->chain, (int) Index); - if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) { - Status = 1; - break; - } - } - } - } - - CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE); - } - - if ((Error == X509_V_ERR_CERT_UNTRUSTED) || - (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) { - Status = 1; - } - - if (Obj != NULL) { - OPENSSL_free (Obj); - } - - return Status; -} - /** Convert ASN.1 GeneralizedTime to EFI Time. @@ -506,10 +425,11 @@ TimestampTokenVerify ( } // - // Register customized X509 verification callback function to support - // trusted intermediate TSA certificate anchor. + // Allow partial certificate chains, terminated by a non-self-signed but + // still trusted intermediate certificate. Also disable time checks. // - CertStore->verify_cb = TSVerifyCallback; + X509_STORE_set_flags (CertStore, + X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME); X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY); @@ -613,6 +533,7 @@ ImageTimestampVerify ( UINTN Index; STACK_OF(X509_ATTRIBUTE) *Sk; X509_ATTRIBUTE *Xa; + ASN1_OBJECT *XaObj; ASN1_TYPE *Asn1Type; ASN1_OCTET_STRING *EncDigest; UINT8 *TSToken; @@ -692,11 +613,18 @@ ImageTimestampVerify ( // Search valid RFC3161 timestamp counterSignature based on OBJID. // Xa = sk_X509_ATTRIBUTE_value (Sk, (int)Index); - if ((Xa->object->length != sizeof (mSpcRFC3161OidValue)) || - (CompareMem (Xa->object->data, mSpcRFC3161OidValue, sizeof (mSpcRFC3161OidValue)) != 0)) { + if (Xa == NULL) { + continue; + } + XaObj = X509_ATTRIBUTE_get0_object(Xa); + if (XaObj == NULL) { + continue; + } + if ((OBJ_length(XaObj) != sizeof (mSpcRFC3161OidValue)) || + (CompareMem (OBJ_get0_data(XaObj), mSpcRFC3161OidValue, sizeof (mSpcRFC3161OidValue)) != 0)) { continue; } - Asn1Type = sk_ASN1_TYPE_value (Xa->value.set, 0); + Asn1Type = X509_ATTRIBUTE_get0_type(Xa, 0); } if (Asn1Type == NULL) { -- cgit v1.2.3