tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

CryptoPkg/OpensslLib: Switch to upstream fix for OpenSSL RT#3955 

A different fix for the excessive stack usage has been merged into
OpenSSL 1.1 as commit 8e704858f. Drop our own version and use a backport
of what was committed upstream.

Note: This requires the free() function to work correctly when passed
      a NULL argument (qv).

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Tested-by: Qin Long <qin.long@intel.com>
This commit is contained in:
Qin Long 2016-03-05 23:39:47 +08:00
parent e578aa19dc
commit b9dbddd88a
1 changed files with 138 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

158
CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2f.patch
View File

@ -201,6 +201,63 @@ index abc6dc3..3a672e9 100644
# define M_ASN1_New(arg,func) \ # define M_ASN1_New(arg,func) \
if (((arg)=func()) == NULL) return(NULL) if (((arg)=func()) == NULL) return(NULL)
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index 1d25687..e933ead 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -131,7 +131,7 @@
static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
const BIGNUM *a1_odd, int k, BN_CTX *ctx,
BN_MONT_CTX *mont);
-static int probable_prime(BIGNUM *rnd, int bits);
+static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods);
static int probable_prime_dh(BIGNUM *rnd, int bits,
const BIGNUM *add, const BIGNUM *rem,
BN_CTX *ctx);
@@ -166,9 +166,13 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
BIGNUM *t;
int found = 0;
int i, j, c1 = 0;
- BN_CTX *ctx;
+ BN_CTX *ctx = NULL;
+ prime_t *mods = NULL;
int checks = BN_prime_checks_for_size(bits);
+ mods = OPENSSL_malloc(sizeof(*mods) * NUMPRIMES);
+ if (mods == NULL)
+ goto err;
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
@@ -179,7 +183,7 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
loop:
/* make a random number and set the top and bottom bits */
if (add == NULL) {
- if (!probable_prime(ret, bits))
+ if (!probable_prime(ret, bits, mods))
goto err;
} else {
if (safe) {
@@ -230,6 +234,7 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
/* we have a prime :-) */
found = 1;
err:
+ OPENSSL_free(mods);
if (ctx != NULL) {
BN_CTX_end(ctx);
BN_CTX_free(ctx);
@@ -375,10 +380,9 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
return 1;
}
-static int probable_prime(BIGNUM *rnd, int bits)
+static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods)
{
int i;
- prime_t mods[NUMPRIMES];
BN_ULONG delta, maxdelta;
again:
diff --git a/crypto/conf/conf.h b/crypto/conf/conf.h diff --git a/crypto/conf/conf.h b/crypto/conf/conf.h
index 8d926d5..41cf38e 100644 index 8d926d5..41cf38e 100644
--- a/crypto/conf/conf.h --- a/crypto/conf/conf.h
@ -752,20 +809,29 @@ index 5747c73..fe465cc 100644
* These functions write a private key in PKCS#8 format: it is a "drop in" * These functions write a private key in PKCS#8 format: it is a "drop in"
* replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc' * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index c4d3724..fd531c9 100644 index c4d3724..0bc3d43 100644
--- a/crypto/pkcs7/pk7_smime.c --- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c
@@ -254,7 +254,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, @@ -64,6 +64,9 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+
+#define BUFFERSIZE 4096
+
static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
@@ -254,7 +257,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
STACK_OF(PKCS7_SIGNER_INFO) *sinfos; STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
PKCS7_SIGNER_INFO *si; PKCS7_SIGNER_INFO *si;
X509_STORE_CTX cert_ctx; X509_STORE_CTX cert_ctx;
- char buf[4096]; - char buf[4096];
+ char *buf = NULL; + char *buf = NULL;
+ int bufsiz;
int i, j = 0, k, ret = 0; int i, j = 0, k, ret = 0;
BIO *p7bio = NULL; BIO *p7bio = NULL;
BIO *tmpin = NULL, *tmpout = NULL; BIO *tmpin = NULL, *tmpout = NULL;
@@ -274,12 +275,29 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, @@ -274,12 +277,29 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT); PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT);
return 0; return 0;
} }
@ -795,32 +861,84 @@ index c4d3724..fd531c9 100644
sinfos = PKCS7_get_signer_info(p7); sinfos = PKCS7_get_signer_info(p7);
@@ -355,9 +373,14 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, @@ -356,8 +376,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
} else
tmpout = out; tmpout = out;
+ bufsiz = 4096; /* We now have to 'read' from p7bio to calculate digests etc. */
+ buf = OPENSSL_malloc(bufsiz); + if ((buf = OPENSSL_malloc(BUFFERSIZE)) == NULL) {
+ if (buf == NULL) { + PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE);
+ goto err; + goto err;
+ } + }
/* We now have to 'read' from p7bio to calculate digests etc. */
for (;;) { for (;;) {
- i = BIO_read(p7bio, buf, sizeof(buf)); - i = BIO_read(p7bio, buf, sizeof(buf));
+ i = BIO_read(p7bio, buf, bufsiz); + i = BIO_read(p7bio, buf, BUFFERSIZE);
if (i <= 0) if (i <= 0)
break; break;
if (tmpout) if (tmpout)
@@ -394,6 +417,9 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, @@ -388,6 +412,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
} ret = 1;
BIO_free_all(p7bio);
sk_X509_free(signers);
+ if (buf != NULL) {
+ OPENSSL_free(buf);
+ }
return ret;
}
err:
+ OPENSSL_free(buf);
if (tmpin == indata) {
if (indata)
BIO_pop(p7bio);
@@ -506,7 +531,7 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
{
BIO *tmpmem;
int ret, i;
- char buf[4096];
+ char *buf = NULL;
if (!p7) {
PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_INVALID_NULL_POINTER);
@@ -550,24 +575,29 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
}
BIO_free_all(bread);
return ret;
- } else {
- for (;;) {
- i = BIO_read(tmpmem, buf, sizeof(buf));
- if (i <= 0) {
- ret = 1;
- if (BIO_method_type(tmpmem) == BIO_TYPE_CIPHER) {
- if (!BIO_get_cipher_status(tmpmem))
- ret = 0;
- }
-
- break;
- }
- if (BIO_write(data, buf, i) != i) {
- ret = 0;
- break;
+ }
+ if ((buf = OPENSSL_malloc(BUFFERSIZE)) == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ for (;;) {
+ i = BIO_read(tmpmem, buf, BUFFERSIZE);
+ if (i <= 0) {
+ ret = 1;
+ if (BIO_method_type(tmpmem) == BIO_TYPE_CIPHER) {
+ if (!BIO_get_cipher_status(tmpmem))
+ ret = 0;
}
+
+ break;
+ }
+ if (BIO_write(data, buf, i) != i) {
+ ret = 0;
+ break;
}
- BIO_free_all(tmpmem);
- return ret;
}
+err:
+ OPENSSL_free(buf);
+ BIO_free_all(tmpmem);
+ return ret;
}
diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
index 266111e..f60fac6 100644 index 266111e..f60fac6 100644
--- a/crypto/rand/rand_unix.c --- a/crypto/rand/rand_unix.c