diff options
| author | Qin Long <qin.long@intel.com> | 2016-03-05 23:36:37 +0800 |
|---|---|---|
| committer | Qin Long <qin.long@intel.com> | 2016-03-05 23:36:37 +0800 |
| commit | 503f6e3888ba9f39cb88d689804af62c9dd89ff2 (patch) | |
| tree | a9ef9b3f6aea6eb3e0e7b53bab6b7716d118cd29 /CryptoPkg | |
| parent | 3f73ccb37a05ffdfdd8e5fe79190befd11366787 (diff) | |
| download | edk2-503f6e3888ba9f39cb88d689804af62c9dd89ff2.tar.gz edk2-503f6e3888ba9f39cb88d689804af62c9dd89ff2.tar.bz2 edk2-503f6e3888ba9f39cb88d689804af62c9dd89ff2.zip | |
CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#4175
A different fix for the PKCS7_verify() regression on Authenticode
signatures has landed in the OpenSSL 1.0.2 branch as commit c436c990f
and will be present in the 1.0.2g release.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
Diffstat (limited to 'CryptoPkg')
| -rw-r--r-- | CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch | 39 |
1 files changed, 28 insertions, 11 deletions
diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch index edd2425b11..b93bc2c3f2 100644 --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch @@ -163,7 +163,7 @@ index d3b23fc..d61605b 100644 # else
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
-index c4d3724..0996c39 100644
+index c4d3724..fd531c9 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -254,7 +254,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
@@ -176,20 +176,37 @@ index c4d3724..0996c39 100644 int i, j = 0, k, ret = 0;
BIO *p7bio = NULL;
BIO *tmpin = NULL, *tmpout = NULL;
-@@ -275,12 +276,6 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+@@ -274,12 +275,29 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+ PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);
return 0;
}
++#if 0
++ /*
++ * NB: this test commented out because some versions of Netscape
++ * illegally include zero length content when signing data. Also
++ * Microsoft Authenticode includes a SpcIndirectDataContent data
++ * structure which describes the content to be protected by the
++ * signature, rather than directly embedding that content. So
++ * Authenticode implementations are also expected to use
++ * PKCS7_verify() with explicit external data, on non-detached
++ * PKCS#7 signatures.
++ *
++ * In OpenSSL 1.1 a new flag PKCS7_NO_DUAL_CONTENT has been
++ * introduced to disable this sanity check. For the 1.0.2 branch
++ * this change is not acceptable, so the check remains completely
++ * commented out (as it has been for a long time).
++ */
+
+ /* Check for data and content: two sets of data */
+ if (!PKCS7_get_detached(p7) && indata) {
+ PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
+ return 0;
+ }
++#endif
-- /* Check for data and content: two sets of data */
-- if (!PKCS7_get_detached(p7) && indata) {
-- PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT);
-- return 0;
-- }
--
sinfos = PKCS7_get_signer_info(p7);
- if (!sinfos || !sk_PKCS7_SIGNER_INFO_num(sinfos)) {
-@@ -355,9 +350,14 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+@@ -355,9 +373,14 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
} else
tmpout = out;
@@ -205,7 +222,7 @@ index c4d3724..0996c39 100644 if (i <= 0)
break;
if (tmpout)
-@@ -394,6 +394,9 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+@@ -394,6 +417,9 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
}
BIO_free_all(p7bio);
sk_X509_free(signers);
|